Windows Server 2003 Security Checklist

Filesystem Security

  • Minimize NTFS permissions for Everyone: remove the Everyone group wherever it appears, since it also matches guest and (depending on the Lsa settings below) anonymous access.
  • At the logical drive level, reset and propagate the following permissions:
    • Full Control to Administrators
    • Full Control to SYSTEM (the OS itself is subject to NTFS ACLs; leaving it out breaks services)
    • Full Control to CREATOR OWNER
    • Modify to Authenticated Users (Modify already includes Read & Execute, List Folder Contents, Read and Write)
  • On the system directory (%SystemRoot%: \WINDOWS on a clean Server 2003 install, \WINNT only on a box upgraded from Windows 2000) replace the propagated Modify entry for Authenticated Users with Read & Execute, propagated to all subfolders and files. Non-administrators and the service accounts need to read and run the OS binaries but never to change them.
  • Then tighten the following subdirectories, which the drive-level entry would otherwise leave too open:
    • \Documents and Settings\ : Read & Execute for Authenticated Users is enough; each profile folder already grants its owner Full Control, and new profiles are created by the OS, not by the user.
    • %SystemRoot%\Installer (hidden): Read & Execute for Authenticated Users; Windows Installer writes its cache here as SYSTEM.
    • %SystemRoot%\System32\Config\ : Administrators and SYSTEM only. This holds the live registry hives, including SAM and SECURITY; write access for ordinary users here undoes every other control on this list.
    • %SystemRoot%\Repair : Administrators and SYSTEM only. It holds backup copies of the hives, SAM included, that anyone who can read them can crack offline.
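The permissions above can be applied from a command prompt with cacls.exe, which ships with Windows Server 2003. The script below is an added example for this checklist, not something from the original page; it assumes the %SystemDrive% and %SystemRoot% variables Windows sets by default. Note that a recursive replace at the drive root rewrites every file's ACL, including user profiles and the few OS folders that deliberately allow user writes (such as %SystemRoot%\Temp and the print spooler), so run it on a freshly built server before applications and profiles exist, or limit the recursion to the directories named in the checklist.

```batch
@echo off
REM Added example for this checklist (not from the original page): apply the
REM NTFS permissions above with cacls.exe. cacls replaces the whole ACL unless
REM /E is given, and asks "Are you sure (Y/N)?" first, hence the piped "echo y".
REM /T recurses into subfolders and files; /C continues past files it cannot
REM touch (pagefile.sys, open files). Permission letters: F = Full Control,
REM C = Change (shown as Modify in the GUI), R = Read (shown as Read & Execute).

REM Drive root: Administrators, SYSTEM and CREATOR OWNER Full Control,
REM Authenticated Users Modify. This is the checklist's drive-level reset.
echo y| cacls %SystemDrive%\ /T /C /G Administrators:F SYSTEM:F "CREATOR OWNER":F "Authenticated Users":C

REM System directory: Authenticated Users drop back to Read & Execute so they
REM can run the OS but not alter it.
echo y| cacls %SystemRoot% /T /C /G Administrators:F SYSTEM:F "CREATOR OWNER":F "Authenticated Users":R

REM Profiles and the Installer cache: read-only for ordinary users.
echo y| cacls "%SystemDrive%\Documents and Settings" /C /G Administrators:F SYSTEM:F "CREATOR OWNER":F "Authenticated Users":R
echo y| cacls %SystemRoot%\Installer /T /C /G Administrators:F SYSTEM:F "Authenticated Users":R

REM Registry hives and their backup copies: administrators and the OS only.
echo y| cacls %SystemRoot%\System32\Config /T /C /G Administrators:F SYSTEM:F
echo y| cacls %SystemRoot%\Repair /T /C /G Administrators:F SYSTEM:F

REM Check: neither listing may contain "Authenticated Users" or "Everyone".
REM find returns 0 when it finds the string, so a match prints the warning.
cacls %SystemRoot%\Repair | find /i "Authenticated Users" && echo WARNING: Repair still grants Authenticated Users
cacls %SystemRoot%\System32\Config | find /i "Everyone" && echo WARNING: Config still grants Everyone
```

The "Documents and Settings" line is deliberately run without /T: recursing there would overwrite the per-profile ACLs that give each user Full Control of their own profile and nothing else.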

Network Security

  • Disable unnecessary services. Common unnecessary services on a server include:
    • DHCP Client (only if the server has a static address and does not rely on this service for dynamic DNS registration, which it performs even for static addresses)
    • Fax
    • Internet Connection Sharing
    • Intersite Messaging (present only on domain controllers)
    • Remote Registry
    • Secondary Logon (the RunAs service; listed as "RunAs Service" on Windows 2000)
    • Simple TCP/IP Services
    • Telnet
    • Utility Manager (a service on Windows 2000; on Server 2003 it is only the accessibility program utilman.exe, so there is no service to disable)
  • Uninstall NWLink IPX/SPX/NetBIOS Compatible Transport unless required. NetBIOS over TCP/IP is not a separate protocol but a setting of the TCP/IP stack; disable it per interface (Advanced TCP/IP Settings, WINS tab) unless file and print sharing with pre-Windows 2000 clients is needed. With it off, SMB is served on TCP 445 only and the NetBT registry tweak in the TCP/IP hardening section no longer matters.
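The service and NetBIOS steps above, as an added example that is not part of the original page. It uses the Server 2003 short service names (Dhcp, Fax, SharedAccess, IsmServ, RemoteRegistry, seclogon, SimpTcp, TlntSvr) with sc.exe, and the Win32_NetworkAdapterConfiguration SetTcpipNetbios method through wmic to turn off NetBIOS over TCP/IP on every IP-enabled adapter. Uninstalling NWLink has no command-line equivalent and stays a GUI step (Local Area Connection properties).

```batch
@echo off
REM Added example (not from the original page): disable the listed services
REM and NetBIOS over TCP/IP. Dhcp is included because the checklist lists it;
REM drop it from the list if this server needs dynamic DNS registration.
REM "Utility Manager" is not a service on Server 2003, so it is not listed.
setlocal
set SERVICES=Dhcp Fax SharedAccess IsmServ RemoteRegistry seclogon SimpTcp TlntSvr

for %%S in (%SERVICES%) do (
    REM sc query returns a non-zero exit code (1060) for a missing service,
    REM so optional ones such as IsmServ or TlntSvr are simply skipped.
    sc query %%S >nul 2>&1
    if errorlevel 1 (
        echo %%S: not installed, skipping
    ) else (
        sc stop %%S >nul 2>&1
        REM the space after "start=" is required by sc.exe's parser
        sc config %%S start= disabled >nul
        echo %%S: disabled
    )
)

REM NetBIOS over TCP/IP: SetTcpipNetbios(2) disables it on each IP-enabled
REM adapter (0 = DHCP-controlled, 1 = enabled, 2 = disabled). SMB then listens
REM on TCP 445 only; remove this line if NetBIOS name resolution is still needed.
wmic nicconfig where IPEnabled=true call SetTcpipNetbios 2

REM Verify: every installed service should show START_TYPE : 4 DISABLED,
REM and TcpipNetbiosOptions should read 2 on every configured adapter.
for %%S in (%SERVICES%) do (
    sc query %%S >nul 2>&1 && sc qc %%S | find "START_TYPE"
)
wmic nicconfig where IPEnabled=true get Description,TcpipNetbiosOptions
endlocal
```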

User Security

  • Disable the Guest account and give it a strong password anyway, so that an accidental re-enable later does not revive an account with a blank password.
  • Disable the TsInternetUser account, if present, and give it a strong password. It was created for Terminal Services Internet Connector licensing on Windows 2000 and may survive an upgrade; a clean Server 2003 install normally does not have it.
  • Rename the built-in Administrator account (Local Security Policy, Security Options, "Accounts: Rename administrator account"). Its relative identifier (RID 500) cannot be changed, so an attacker who can resolve SIDs still finds it; treat the rename as a speed bump against name guessing, not as a control.
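The three account steps from a command prompt, as an added example not taken from the original page. The passwords and the new administrator name are placeholders to replace; the rename uses the Win32_UserAccount Rename method through wmic, which is an assumption about the tooling (the Local Security Policy setting named above does the same thing).

```batch
@echo off
REM Added example (not from the original page). Replace the placeholder
REM passwords and the new administrator name before use.
setlocal
set GUESTPW=ReplaceWith-a-long-random-value-1
set TSPW=ReplaceWith-a-long-random-value-2
set NEWADMIN=SrvOwner

REM Guest: set a password and disable in one step. /y answers the prompt
REM net.exe raises for passwords longer than 14 characters.
net user Guest "%GUESTPW%" /active:no /y >nul && echo Guest: password set, disabled

REM TsInternetUser exists only on some servers; "net user name" exits
REM non-zero when the account is absent, so the block is skipped cleanly.
net user TsInternetUser >nul 2>&1 && (
    net user TsInternetUser "%TSPW%" /active:no /y >nul && echo TsInternetUser: password set, disabled
) || echo TsInternetUser: not present

REM Rename the built-in administrator. If it was renamed before, change the
REM name in the where clause; the RID 500 check below catches either case.
wmic useraccount where name='Administrator' call rename "%NEWADMIN%" >nul

REM Checks: Guest must show "Account active  No", the RID 500 account must
REM carry the new name, and no account called Administrator may remain.
net user Guest | find "Account active"
wmic useraccount where "SID like '%%-500'" get Name,SID
net user | find /i "Administrator" && echo WARNING: an account named Administrator still exists
endlocal
```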

TCP/IP Hardening

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services add or modify the following values (all REG_DWORD, data given in decimal). The TCP/IP and NetBT drivers read them at start-up, so reboot after changing them:

Key: Tcpip\Parameters
Value: SynAttackProtect
Value Type: REG_DWORD
Parameter: 1
Purpose: drops half-open connections sooner once a SYN flood is detected. Server 2003 accepts 0 or 1 only; the value 2 belonged to Windows 2000.

Key: Tcpip\Parameters
Value: EnableDeadGWDetect
Value Type: REG_DWORD
Parameter: 0
Purpose: stops the stack from switching to a backup gateway when connections fail, a switch an attacker can trigger to redirect traffic.

Key: Tcpip\Parameters
Value: EnablePMTUDiscovery
Value Type: REG_DWORD
Parameter: 0
Purpose: ignores forged ICMP "fragmentation needed" messages that would force a tiny MTU; the cost is a fixed 576-byte MTU for non-local destinations.

Key: Tcpip\Parameters
Value: KeepAliveTime
Value Type: REG_DWORD
Parameter: 300000
Purpose: milliseconds before an idle TCP connection is probed (5 minutes instead of the 2-hour default), so connections left behind by a crashed or malicious peer are released sooner.

Key: Netbt\Parameters
Value: NoNameReleaseOnDemand
Value Type: REG_DWORD
Parameter: 1
Purpose: refuses NetBIOS name-release requests from the network, so a spoofed release cannot cause a name conflict. Irrelevant once NetBIOS over TCP/IP is disabled.

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control add or modify the following values:

Key: Lsa
Value: RestrictAnonymous
Value Type: REG_DWORD
Parameter: 1
Purpose: blocks anonymous enumeration of SAM accounts and shares. The value 2 used on Windows 2000 is not supported on Server 2003; for the equivalent effect also set Lsa\RestrictAnonymousSAM to 1 and Lsa\EveryoneIncludesAnonymous to 0, so that anonymous logons are not treated as members of Everyone.

Key: SecurePipeServers
Value: RestrictAnonymous
Value Type: REG_DWORD
Parameter: 1
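The registry entries in this section can be set and read back with reg.exe, as in the added example below, which is not part of the original page. It covers the Tcpip, Netbt and Lsa values listed above, including the Server 2003 substitutes for RestrictAnonymous=2; the SecurePipeServers entry is left to the checklist text.

```batch
@echo off
REM Added example (not from the original page): apply the TCP/IP and Lsa
REM hardening values with reg.exe and read them back. /d is decimal unless
REM prefixed with 0x; /f overwrites without prompting. The drivers read these
REM values at start-up, so the settings take effect after a reboot.
setlocal
set SVC=HKLM\SYSTEM\CurrentControlSet\Services
set CTL=HKLM\SYSTEM\CurrentControlSet\Control

reg add "%SVC%\Tcpip\Parameters" /v SynAttackProtect     /t REG_DWORD /d 1      /f
reg add "%SVC%\Tcpip\Parameters" /v EnableDeadGWDetect   /t REG_DWORD /d 0      /f
reg add "%SVC%\Tcpip\Parameters" /v EnablePMTUDiscovery  /t REG_DWORD /d 0      /f
reg add "%SVC%\Tcpip\Parameters" /v KeepAliveTime        /t REG_DWORD /d 300000 /f
reg add "%SVC%\Netbt\Parameters" /v NoNameReleaseOnDemand /t REG_DWORD /d 1     /f

REM Server 2003 does not honour RestrictAnonymous=2; the equivalent is 1 plus
REM RestrictAnonymousSAM=1 and EveryoneIncludesAnonymous=0.
reg add "%CTL%\Lsa" /v RestrictAnonymous         /t REG_DWORD /d 1 /f
reg add "%CTL%\Lsa" /v RestrictAnonymousSAM      /t REG_DWORD /d 1 /f
reg add "%CTL%\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 0 /f

REM Read back. reg query prints REG_DWORD data in hex, so KeepAliveTime
REM must show 0x493e0 (= 300000 decimal) and the flags 0x1 or 0x0 as listed.
for %%V in (SynAttackProtect EnableDeadGWDetect EnablePMTUDiscovery KeepAliveTime) do (
    reg query "%SVC%\Tcpip\Parameters" /v %%V | find "%%V"
)
reg query "%SVC%\Netbt\Parameters" /v NoNameReleaseOnDemand | find "NoNameReleaseOnDemand"
reg query "%CTL%\Lsa" | find "Anonymous"
endlocal
```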

System Security

Uncheck "Hide file extensions for known file types" (Folder Options, View tab) so that a file such as report.txt.exe is displayed with its real extension instead of passing as a text file.

Download and install the current service pack and all Critical Updates from http://windowsupdate.microsoft.com, and leave Automatic Updates enabled so the server does not fall behind again.

Download and run the Microsoft Baseline Security Analyzer (MBSA). It reports missing updates, weak or blank passwords, the Guest account state and the anonymous-access settings above, so re-run it after completing this list to confirm the changes took effect.