24/5 Sales: U.S. & Canada:1.866.321.7284
worldwide:1.415.869.7000

Contact Us

Windows 2003 Server Security Checklist

Filesystem Security

• Minimize NTFS permissions for EVERYONE
• At the logical drive level, reset and propagate the following permissions:
  • Full Control to Administrators
  • Full Control to CREATOR OWNER
  • Modify, Read/Execute, List Folder Contents, Read, Write to Authenticated Users
• Remove and propagate ALL permissions for Authenticated Users from System directory.
• Allow Authenticated Users Modify, Read/Execute, List Folder Contents, Read, and Write on:
  • \Documents and Settings\
  • \WINNT\Installer # hidden directory
  • \WINNT\System32\Config\
  • \WINNT\Repair

Network Security

• Disable unnecessary services. Common unnecessary services for servers include:
  • DHCP Client
  • Fax Service
  • Internet Connection Sharing
  • Intersite Message
  • Remote Registry Service
  • RunAs Service
  • Simple TCP/IP Services
  • Telnet
  • Utility Manager
• Un-install protocols such as IPX/SPX and NetBIOS unless required.

User Security

• Disable Guest account and assign strong password.
• Disable TsInternetUser account and assign a strong password.
• Rename the Administrator account.

TCP/IP Hardening

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services add or modify the following keys:

Key: Tcpip\Parameters
Value: SynAttackProtect
Value Type: REG_DWORD
Parameter: 1

Key: Tcpip\Parameters
Value: EnableDeadGWDetect
Value Type: REG_DWORD
Parameter: 0

Key: Tcpip\Parameters
Value: EnablePMTUDiscovery
Value Type: REG_DWORD
Parameter: 0

Key: Tcpip\Parameters
Value: KeepAliveTime
Value Type: REG_DWORD
Parameter: 300,000

Key: Netbt\Parameters
Value: NoNameReleaseOnDemand
Value Type: REG_DWORD
Parameter: 1

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control add or modify the following keys:

Key: Lsa
Value: RestrictAnonymous
Value Type: REG_DWORD
Parameter: 2

Key: SecurePipeServers
Value: RestrictAnonymous
Value Type: REG_DWORD
Parameter: 1

System Security

Uncheck "Hide file extensions for known file types."

Download and install all Critical Updates from http://windowsupdate.microsoft.com.

Download and run the Microsoft Baseline Security Analyzer (MBSA).