
Overview

This chapter explains the server hardening settings for securing infrastructure servers across the three environments defined in this guide. For the purposes of this guide, an infrastructure server refers to a server providing Dynamic Host Configuration Protocol (DHCP) services or Microsoft® Windows® Internet Name Service (WINS) functionality.

Most of the settings discussed are configured and applied using Group Policy. A Group Policy object (GPO) designed to complement the Member Server Baseline Policy (MSBP) can be linked to the appropriate organizational units (OUs) containing the infrastructure servers to provide additional security based on the services these servers provide. A few of the settings discussed cannot be applied using Group Policy. In these cases, details for configuring these settings manually are provided. Details for creating and applying Internet Protocol Security (IPSec) filters that control the type of network traffic that can communicate with both types of infrastructure server outlined in this chapter are also provided.

To improve the usability of this chapter, only those settings that have been modified from the MSBP are included here. For information on settings in the MSBP, see Chapter 3, “Creating a Member Server Baseline.” For information on all default settings, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server


Audit Policy Settings

The Audit Policy settings for infrastructure servers in the three environments defined in this guide are configured via the MSBP. For more information on the MSBP, see Chapter 3, "Creating a Member Server Baseline." The MSBP settings ensure that all the relevant security audit information is logged on all infrastructure servers.


User Rights Assignments

The User Rights Assignments for infrastructure servers in the three environments defined in this guide are configured via the MSBP. For more information on the MSBP, see Chapter 3, "Creating a Member Server Baseline." The MSBP settings ensure that all appropriate User Rights Assignments are uniformly configured across infrastructure servers.


Security Options

The Security Options settings for infrastructure servers in the three environments defined in this guide are configured via the MSBP. For more information on the MSBP, see Chapter 3, "Creating a Member Server Baseline." The MSBP settings ensure that all the relevant Security Options are uniformly configured across infrastructure servers.


Event Log Settings

The Event Log settings for infrastructure servers in the three environments defined in this guide are configured via the MSBP. For more information on the MSBP, see Chapter 3, "Creating a Member Server Baseline."


System Services

This section provides details on the prescribed system services that should be either enabled or disabled on the infrastructure servers in your environment. These service settings are specified in the Infrastructure Server Incremental Policy. In order to minimize the possibility of a denial of service (DoS) attack, the GPO ensures these services are configured to start automatically. For a summary of the prescribed settings in this section, refer to the Windows Server 2003 Security Guide Settings Excel workbook included with this guide.

DHCP Server

Table 5.1: Settings

| Service Name | Member Server Default | Legacy Client | Enterprise Client | High Security |
|---|---|---|---|---|
| DHCP | Not installed | Automatic | Automatic | Automatic |

The DHCP service allocates Internet Protocol (IP) addresses and enables advanced configuration of network settings such as DNS servers and WINS servers to DHCP clients automatically. DHCP uses a client/server model. The network administrator establishes one or more DHCP servers that maintain Transmission Control Protocol/Internet Protocol (TCP/IP) configuration information and provide it to clients. The DHCP Server service must be running for a DHCP server to assign IP address configuration to its clients. Using a group policy to secure and set the startup mode of a service grants access only to server administrators, therefore preventing the service from being configured or operated by unauthorized or malicious users. Group Policy will also prevent administrators from inadvertently disabling the service.

WINS

Table 5.2: Settings

| Service Name | Member Server Default | Legacy Client | Enterprise Client | High Security |
|---|---|---|---|---|
| WINS | Not installed | Automatic | Automatic | Automatic |

WINS enables network basic input/output system (NetBIOS) name resolution. The presence of the WINS servers is crucial for locating the network resources identified using NetBIOS names. WINS servers are required unless all domains have been upgraded to Microsoft Active Directory®, all computers on the network are running Windows 2000 or later, and no applications rely on WINS resolution for proper operation. The WINS Server service must be running for a WINS server to provide name resolution to its clients. Using a group policy to secure and set the startup mode of a service grants access only to server administrators, therefore preventing the service from being configured or operated by unauthorized or malicious users. Group Policy will also prevent administrators from inadvertently disabling the service.
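One way to verify on a server that both services match the tables above and that their access control lists restrict configuration and operation to administrators. This is an added example, not part of the guide: it assumes PowerShell is available on the server, that the services are registered under the names `DHCPServer` and `WINS`, and that only BUILTIN\Administrators and LocalSystem should hold control rights. The function names are hypothetical.

```powershell
# Added example, not from the guide. Assumption: only BUILTIN\Administrators
# and LocalSystem should be able to configure or operate these services.
$AllowedSids = 'S-1-5-32-544', 'S-1-5-18'
# CHANGE_CONFIG, START, STOP, DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE
$ControlRights = 0x2 -bor 0x10 -bor 0x20 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor
                 0x10000000 -bor 0x40000000

function Get-ServiceControlViolation {
    # Returns every allow ACE that lets a non-approved SID change or run the service.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceQualifier -ne 'AccessAllowed') { continue }
        $granted = $ace.AccessMask -band $ControlRights
        if ($granted -and ($AllowedSids -notcontains $ace.SecurityIdentifier.Value)) {
            [pscustomobject]@{ Sid    = $ace.SecurityIdentifier.Value
                               Rights = '0x{0:X}' -f $granted }
        }
    }
}

function Test-InfrastructureService {
    # Reports startup mode, state and ACL findings for each infrastructure service.
    param([string[]]$Name = @('DHCPServer', 'WINS'))
    foreach ($n in $Name) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$n'"
        if (-not $svc) {   # "Not installed" is the member server default
            [pscustomobject]@{ Service = $n; Installed = $false; Compliant = $false }
            continue
        }
        # sc.exe prints a blank line before the descriptor; keep only the SDDL text.
        $sddl = (& sc.exe sdshow $n | Where-Object { $_ -match '^[DOGS]:' }) -join ''
        $bad  = if ($sddl) { @(Get-ServiceControlViolation -Sddl $sddl) } else { @('ACL unreadable') }
        [pscustomobject]@{
            Service    = $n
            Installed  = $true
            StartMode  = $svc.StartMode
            State      = $svc.State
            Violations = $bad
            Compliant  = ($svc.StartMode -eq 'Auto' -and $svc.State -eq 'Running' -and $bad.Count -eq 0)
        }
    }
}

# Constructed sample descriptor: Authenticated Users (AU) may start and stop the service.
$sample = 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)' +
          '(A;;CCLCSWLOCRRC;;;IU)(A;;RPWP;;;AU)'
Get-ServiceControlViolation -Sddl $sample
Test-InfrastructureService | Format-List
```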


Additional Security Settings

The security settings applied through the MSBP provide a great deal of enhanced security for infrastructure servers. There are a few additional considerations that should be taken into account. These steps cannot be completed via Group Policy and should be performed manually on all infrastructure servers.
