S 3.108 Windows Server 2003
Description
The Windows Server 2003 software package is the successor product to the Windows 2000 Server operating system. Windows Server 2003 is available in the Standard Edition,Enterprise Edition, Web Edition, and Datacenter Edition. The Standard Edition of Windows Server 2003 is the most widely used version. The Web Edition is a subset of the Standard Edition, and the Enterprise Edition contains additional functions only needed in large-scale environments or when there are special requirements. These functions include, among others, fail-over cluster, full terminal server, network-based UDDI databases, unlimited VPN and RADIUS client connections, new certificate services, and the Windows System Resource Manager (WSRM). A 64-bit version of each of these editions is also available, and the functionality available in the 64-bit versions is not much different from the functionality available in the 32-bit versions.
Scope of the module
The Windows Server 2003 module generally applies to the functions available in the Standard Edition including Service Pack 1. However, it can also be applied without any problem to the Web Edition and Enterprise Edition versions. Other editions such as the Data Center Edition and the Windows Small Business Server 2003 contain additional, application-specific functionality that is not examined in this module.
Due to the wide range of possible applications, the scope of this module must be limited, and each application scenario must be examined individually. On the one hand, Windows Server 2003 can be used as a pure platform for additional server applications purchased separately, and on the other hand, Windows Server 2003 can form a complete system in certain areas due to the large number of applications included in the software package.
Some functions only need to be activated for certain application scenarios of Windows 2003 Server systems. General aspects for such application scenarios are explained in this module. These aspects include the Network Load Balancing (NLB), High Availability Cluster, Application Server, Role Based Access Control (RBAC), Certificate Service (PKI) as well as Routing and RAS functions.
If the Windows Server 2003 performs the role of a domain controller in an Active Directory overall structure, then the module S 5.16 Active Directory must be applied in accordance with the modelling instructions.
This module does not examine additional packages available for free from Microsoft that are not included in the standard software package. These packages include, for example, Windows SharePoint Services (WSS), Windows Software Update Service (WSUS), Rights Management Service (RMS), and the Microsoft Shared Computer Toolkit.
The following components in the standard software package are also not examined since their use requires a wide range of specific aspects that are not universally applicable to be taken into account:
- Windows Media Services
- Terminal Server
Threat scenario
The following typical threats to the IT-Grundschutz of a server-based network running on the operating system Windows Server 2003 are assumed to exist:
Organisational Shortcomings
| T 2.7 | Unauthorised use of rights |
| T 2.19 | Inadequate key management for encryption |
| T 2.111 | Exposure of login data relating to change of service providers |
| T 2.114 | Inconsistent security settings for SMB, RPC, and LDAP under Windows Server |
| T 2.115 | Inappropriate handling of standard security groups in Windows server 2003 and higher |
| T 2.116 | Data loss relating to copying or moving data in Windows server 2003 or higher |
Human Error
| T 3.9 | Improper IT system administration |
| T 3.38 | Errors in configuration and operation |
| T 3.48 | Incorrect configuration of Windows computers |
| T 3.56 | Incorrect integration of IIS into the system environment |
| T 3.81 | Inappropriate use of security templates for Windows Server 2003 and higher |
Technical Failure
| T 4.13 | Loss of stored data |
| T 4.22 | Software vulnerabilities or errors |
| T 4.54 | Loss of protection via the encrypting file system EFS |
| T 4.55 | Data loss relating to password resets in Windows Server 2003/XP and higher |
Deliberate Acts
| T 5.7 | Line tapping |
| T 5.52 | Misuse of administrator rights in Windows operating systems |
| T 5.71 | Loss of confidentiality of classified information |
| T 5.79 | Unauthorised acquisition of administrator rights under Windows systems |
| T 5.83 | Compromising cryptographic keys |
| T 5.85 | Loss of integrity of information that should be protected |
| T 5.132 | Compromising RPD user sessions under Windows server 2003 and higher |
| T 5.133 | Unauthorized use of web-based administration tools |
Method recommendation
To secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.
All considerations made for a Windows Server 2003 should be based on the safeguards contained in module S 3.101 General server. The general safeguards described there are explained in detail and expanded upon in this module.
Servers and clients form a functional unit. For this reason, module S 3.201 General clients and the operating system-specific modules based on it must be examined together with this module.
Planning and design
If the general planning phase for the server usage is complete and you have decided to use the Windows Server 2003 operating system, then subconcepts for the server usage must be created that take all applicable general concepts and policies into account. The general planning methodology to follow is explained in S 2.315 Planning the use of servers.
The specific recommendations for the subject areas named in module S 2.315 can be found in safeguards S 4.276 Planning the use of Windows Server 2003 and S 2.364 Planning of administration for Windows 2003 and higher.
During the planning phase, important decisions need to be made regarding basic infrastructure services. This is significantly based on S 5.152 Exchange of information and resources using peer-to-peer services. The planned roles and the information from the Resources for IT-Grundschutz (see DNS/WINS/DHCP as Infrastructure Services under Windows Server 2003 in Resources for Windows Server 2003) are integrated into the decision-making process when designing the infrastructure services.
You must also decide which server communication protocols will be used (S 4.277 Protection of SMB, LDAP, and RPC communication under Windows Servers, S 5.131 Protection of IP protocols under Windows Server 2003).
Additional system functions can increase the level of security of the server, for example WebDAV and the Encrypting File System (EFS) (see S 5.132 Secure use of WebDAV under Windows Server 2003, S 4.278 Secure use of EFS under Windows Server 2003), network load balancing (NLB), IPSec, user authentication using smart cards, and other functions. S 6.99 Regular backup of important system components for Windows Server and S 4.279 Advanced security aspects for Windows Server 2003 should also be taken into account in this context.
In all steps mentioned, the basic principles in S 5.10 Restrictive granting of access rights and S 5.9 Logging on the server are to be taken into account. Specific aid is included in S 2.370 Administration of access rights under Windows Server 2003 and higher and S 2.365 Planning of system monitoring under Windows Server 2003. The recommendations given there for the operation of the server should therefore be taken into account when planning authorisation concepts.
During the planning phase for the server, a security policy should be created and/or existing guidelines expanded. In all steps mentioned, critical aspects as well as individual solutions and procedures may arise depending on the type of usage and user data. These aspects are to be collected, and then you decide which aspects need to be added to the security policy based on the individual situation and organisational structure of the company or government agency. Then, considerations on the aspects of security policies to be added are made on the basis of the individual situation and the organisational structure of the company or the government agency. Safeguard S 2.316 Defining a security policy for a general server illustrates a suitable approach for this.
Purchasing
After finishing the conceptual planning and the defining the purchasing criteria for a server (see S 2.317 Criteria for the procurement of servers), a suitable licence model is to be selected based on the number of the servers to be purchased. The Resources for IT-Grundschutz will help you make this selection (see Selection of suitable licensing methods for Windows XP/Server 2003 in Resources for Windows Server 2003).
Implementation
After planning the security-related safeguards for Windows Server 2003, these safeguards must be realised when implementing, installing, and configuring the Windows Server 2003 system.
To guarantee an appropriate level of security, the following conditions must be taken into account when implementing (and also later on when operating) a Windows Server 2003 system:
- The functionality is to be reduced to only those functions planned to be used which are absolutely necessary (also on the clients accessing the server) to minimise the number of possible points of attack and the number of (potential) vulnerabilities (S 4.285 De-installation of unnecessary client functions of Windows Server 2003 as well as S 4.286 Use of software restriction policies under Windows Server 2003 and S 4.284 Handling of services under Windows Server 2003 and higher).
- The configuration is to be optimised in terms of security and fulfilling the task of the server (hardening the server) so that only the level of downward compatibility and openness of the system actually necessary is provided (S 4.282 Secure configuration of the IIS base component under Windows Server 2003 as well as S 4.283 Secure migration of Windows NT 4 Server and Windows 2000 Server to Windows Server 2003 and S 4.48 Password protection under Windows systems).
- Up-to-date and appropriate documentation must be produced which provides the security process with the best possible level of support.
The safeguard S 4.280 Secure basic configuration of Windows Server 2003 contains explanations of a series of small functions as well as basic methods for implementation that can be used to meet the conditions stated above.
Utility programmes, referred to as Wizards, should be used for installation and configuration whenever possible. Settings should only be specified manually when absolutely necessary. This helps to prevent faulty configurations and makes it easier to document the procedures (e.g. "The wizard was configured using the default settings except for the following three settings..."). Administrative aids such as templates and scripts (S 2.366 Use of security templates under Windows Server 2003 and S 2.367 Use of commands and scripts under Windows Server 2003 and higher) help to standardise and document the procedures.
When the server is reinstalled or reconfigured, all steps mentioned up to now must be performed when installing and preparing the server for use. To establish a secure and reliable process for this purpose, S 4.281 Secure installation and preparation of Windows Server 2003 should be implemented.
Operation
During regular operations, it is particularly important to ensure up-to-date documentation, especially the documentation for handling administrative templates and for administering access rights (S 2.368 Handling of administrative templates under Windows Server 2003 and higher and S 2.370 Administration of access rights under Windows Server 2003 and higher).
Additional and more detailed information on maintaining the level of security on a Windows Server 2003 can be found in safeguard S 2.369 Regular security-relevant maintenance of Windows Server 2003 in addition to the safeguards mentioned in module S 3.101 General server (S 4.93 Regular integrity checking and S 5.8 Regular security checks of the network).
Disposal
To dispose of a Windows Server 2003 system properly, the safeguard recommendations described in module S 3.101 General server should generally be taken into account. In addition, safeguard S 2.371 Regulated deactivation and deletion of unused user accounts is to be taken into account when deactivating and/or deleting individual accounts.
Contingency Planning
Aspects relating to contingency planning for a Windows Server 2003 are the subject of safeguards S 6.99 Regular backup of important system components for Windows Server and S 6.76 Creation of a contingency plan for failure of a Windows network.
The bundle of security safeguards for Windows Server 2003 systems are presented in the following.
Planning and design
| S 2.232 | (C) | Planning the Windows CA structure in Windows 2000 and higher |
| S 2.364 | (A) | Planning of administration for Windows 2003 and higher |
| S 2.365 | (A) | Planning of system monitoring under Windows Server 2003 |
| S 4.276 | (A) | Planning the use of Windows Server 2003 |
| S 4.277 | (C) | Protection of SMB, LDAP, and RPC communication under Windows Servers |
| S 4.278 | (Z) | Secure use of EFS under Windows Server 2003 |
| S 4.279 | (Z) | Advanced security aspects for Windows Server 2003 |
| S 5.131 | (A) | Protection of IP protocols under Windows Server 2003 |
| S 5.132 | (B) | Secure use of WebDAV under Windows Server 2003 |
Implementation
| S 2.366 | (B) | Use of security templates under Windows Server 2003 |
| S 2.367 | (C) | Use of commands and scripts under Windows Server 2003 and higher |
| S 4.48 | (A) | Password protection under Windows systems |
| S 4.52 | (A) | Device protection under Windows NT/2000/XP |
| S 4.280 | (A) | Secure basic configuration of Windows Server 2003 and higher |
| S 4.281 | (A) | Secure installation and preparation of Windows Server 2003 |
| S 4.282 | (B) | Secure configuration of the IIS base components under Windows Server 2003 |
| S 4.283 | (B) | Secure migration of Windows NT 4 Server and Windows 2000 Server to Windows Server 2003 |
| S 4.284 | (B) | Handling of services under Windows Server 2003 and higher |
| S 4.285 | (A) | De-installation of unnecessary client functions of Windows Server 2003 |
| S 4.286 | (A) | Use of software restriction policies under Windows Server 2003 |
| S 5.90 | (Z) | Use of IPSec under Windows |
Operation
| S 2.368 | (C) | Handling of administrative templates under Windows Server 2003 and higher |
| S 2.369 | (A) | Regular security-relevant maintenance of a Windows Server 2003 |
| S 2.370 | (A) | Administration of access rights under Windows Server 2003 and higher |
| S 4.56 | (C) | Secure deletion under Windows operating systems |
Disposal
| S 2.371 | (A) | Regulated deactivation and deletion of unused user accounts |
Contingency Planning
| S 6.76 | (C) | Creation of a contingency plan for failure of a Windows network |
| S 6.99 | (A) | Regular backup of important system components for Windows Server |