Securing Your Windows 2003 Server System
Essentials
>>Keep your system up to date: This is one of the easiest, most effective things you can do to keep your computer secure. You can update with Windows Update.
>>Install antivirus software: The vast majority of viruses are designed to affect Windows systems. The University of Illinois at Urbana-Champaign provides free site-licensed antivirus software that is configured to automatically update itself and protect your system.
>>Install Service Pack 2 (SP2) and the Security Configuration Wizard (SCW): Microsoft's Service Pack 2 offers several security enhancements and tools for Windows 2003 Server administrators. The two most significant enhancements are the inclusion of a server firewall and the Security Configuration Wizard (which must be installed after Service Pack 2). To install SCW after installing Service Pack 2, go to Add or Remove Programs -> Add/Remove Windows Components and select the Security Configuration Wizard check box. After this, the Security Configuration Wizard will be available in the Administrative Tools section of the Control Panel.
The Security Configuration Wizard provides a centralized way to check your server's security, to make changes as required (including managing the firewall), and to roll back changes if anything doesn't behave as expected. The graphical user interface allows you to administer one server, and a command line option (scw.exe) allows you to create group policy objects which can be used on many computers.
>>Use "Manage Your Server" to enable only the services you need: Windows 2003 Server introduces a more secure method of controlling access to your server. By default, all of the potential server services are turned off until you enable them. The "Manage Your Server" tool, found in Programs -> Administrative Tools, provides a central location to track which services are enabled. It provides roles for your server -- for example, a DNS server role, a web server role, an email server role -- and allows you to decide how many of these roles are enabled.
>>Use server firewall protection: A properly configured server firewall can be very effective in reducing the amount of network traffic that is allowed to reach your server and systems connected to it. With the release of Windows Server 2003's Service Pack 1 (described above), you can enable and administer a firewall on your server with a few clicks.
>>Choose a good password: Any computer that will have multiple users or be attached to a network needs to have good password protection for each user. Password tips and advice can be found in the CITES Guide to Passwords.
n many versions of Windows, a user name can have a blank password, which allows anyone to log in to the computer simply by clicking. Make sure that all user accounts on the machine have passwords to protect access to your computer.
More security
These steps can be done offline to increase basic security before you connect to the network. These are presented in order from simplest to most complex; you can start at the top of the list and work your way down.
>>Use the Microsoft Baseline Security Analyzer (MBSA) to detect and correct common security misconfigurations: Microsoft provides a tool called the Microsoft Baseline Security Analyzer (MBSA) to assist with detecting potential security flaws and correcting them. The MBSA tool checks for issues such as missing patches, user accounts without passwords, available updates to installed Microsoft software, and more.
>>Disable the guest account: Right-click on My Computer and select Manage. In the Local Users & Groups view, make sure the Guest account is disabled. (There should be a small red X over the corner of the icon; right-click and make sure the "Account is disabled" box is checked.)
>>Don't give out too many "administrator" group memberships:
The Administrator account is the most powerful account on a Windows system. Most users shouldn't log in with administrator privileges for everyday work; the administrator privileges should be reserved for actions such as installing software and patching the system.
If only the administrator and guest accounts have been created on the computer, you'll want to create an individual user name so that you can have a regular account for daily use without administrator privileges.
Right-click on My Computer and select Manage. In the Local Users & Groups view, open the Users folder, and make sure most of the user names don't belong to the Administrators group.
However, make sure that the administrator account does still have administrator privileges; it's important that at least one user has that ability at all times.
>>Verify that all disk partitions are formatted as NTFS:
If necessary, use the Convert utility to nondestructively convert your FAT partitions to NTFS.
>>Disable unnecessary services and accounts: Because each service and account represents a potential entry point to your computer, disabling the features you don't use will greatly diminish your exposure to security risks. Remember, you can always enable a service later if you decide you really do need it. You can enable and disable services with the Manage Your Server tool described above.
reagards,
readermaniax
source: *www.cites.uiuc.edu/security/by_os/win2k3srv.html
