S 4.280 Secure basic configuration of Windows Server 2003 and higher
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
A secure basic configuration must be set up when preparing the server, when changing the server configuration, and when specifications and policies are changed. In addition, it is recommended to check the implementation of the settings regularly to detect incorrect settings made while performing daily administration tasks and prevent other effects.
The necessary settings are to be identified and documented, for example in the form of a checklist. The safeguards resulting from the Grundschutz modelling process should be taken into account in the checklist.
Standard security settings and security templates
The settings determined should be set using security templates and administrative templates, if possible (see S 2.368 Handling of administrative templates under Windows Server 2003 and higher). This increases the degree of standardisation and automation of the basic configuration. Furthermore, it is easier to check and revise the settings later on. The basic configuration can be documented with relatively little effort by exporting the templates and adding the exports to the documentation. Based on the documentation, a release process for the basic configuration can be established in the IT change management (see S 2.221 Change management).
The aspects mentioned assume that the Windows Server 2003 and Server 2008 default settings have not been changed arbitrarily. Standard group memberships should be left unchanged, and basic rights for internal system accounts (e.g. NT Authority) should not be changed. Default permissions in subcomponents such as WMI and the component services should be kept. Deviations should be planned and implemented in the form of checklists and templates, and reasons must be provided for the deviations, especially when a deviation could result in a lower security standard. The security templates supplied, mainly defltsv.inf (for servers) and defltdc.inf (for domain controllers), and found in the C:\WINDOWS\inf folder can serve as references for default settings. All settings are to be stored in the setup security.inf template (C:\WINDOWS\Security\Templates folder) after the setup program has finished. Under Windows Server 2008, only the security templates
- Defltbase.inf
- Defltsv.inf (for servers)
- Defltdc.inf (for domain controllers)
are available. These templates are only stored in the directory %systemroot%\inf of the Windows installation.
Additional information can be found in S 2.366 Use of security templates under Windows Server 2003.
Configuration of Windows Server 2008 should be made by using the central management tool Microsoft Security Compliance Manager for control and processing of template files (see safeguard S 2.491 Use of roles and security templates under Windows Server 2008 and S 4.416 Use of Windows Server Core).
Additional references include the configuration templates of the Security Configuration Wizard (Windows Server 2003 Service Pack 1 or higher), the Windows Default Security and Services Configuration.xls table (from Version 2.0 of the manufacturer document "Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP"), the IT-Grundschutz safeguards, as well as other documentation supplied by the manufacturer.
Under Windows Server 2008 and higher, the settings of the document Windows Server 2008 Security Baseline Settings must be noted. This table is part of the Security Compliance Management Toolkit.
Some settings and specifications are listed in the sections below in this safeguard. They are not listed in any other safeguards for Windows Server 2003 or Windows Server 2008, but they do influence the security of the basic configuration. They should also be taken into account when creating the checklist.
Important security-related functions
Hard drive partitions should only be formatted using NTFS. Under some circumstances, the setup program of Windows Server 2003 and Windows Server 2008 may perform a conversion of the system partition during installation. On a production system, the subsequent conversion of FAT32 partitions should be avoided and NTFS should be selected right from the start instead.
Unencrypted data can be extracted from the swap file for main memory (referred to as the pagefile). The pagefile should be cleared automatically every time the server is shut down:
Start | Control Panel | Administrative Tools | open the Local Security Policy console | select the Local Policies node | Security Options | Shutdown: Clear virtual memory pagefile
Further potential risks are posed by the automatic hardware detection function (Plug & Play) and the Autorun functions (automatic program start) if the server is not adequately protected against unauthorised access. All connections not needed should be deactivated (for example in BIOS and in the Windows Device Manager). Consideration should also be given to removing or physically locking drives for removable data media. Alternatively, the use of removable media can be controlled using software tools from third party manufacturers. Up to and including Windows Server 2003, Windows itself does not offer sufficient means for this. Only since introduction of Windows Server 2008, can group policy objects be used to - at least partially - configure removable media (see S 4.52 Device protection under Windows NT/2000/XP).
The secure operation of several servers assumes the systems times are synchronised. It should be synchronised to the times of the other IT systems. The client available in the system for the Network Time Protocol (NTP) can be used to synchronise the clocks.
Owners always have special permissions for their own objects. When an administrative user creates an object, the local "Administrators" security group is assigned as the owner by default. However, there is no ideal monitoring solution when groups are the owners of objects. Hard disk quotas are also controlled based on which user owns the file. When groups are assigned as the owners of files, confusing hard disk quotas and screening results will result (in Windows Server 2003 R2).
This problem should be solved primarily using suitable concepts that cover the areas of the monitoring settings, authorisations (e.g. the authorisation concept), and hard disk quotas (e.g. a subconcept for a file server).
If compatibility with Windows NT 4.0, Windows ME/98, or an earlier version is not needed, then consideration should be given to disabling the anonymous enumeration of shares:
Start | Control Panel | Administrative Tools | open the Local Security Policy console | select the Local Policies node | Security Options | set Network access: Set Do not allow anonymous enumeration of SAM accounts and shares to Enabled
Other security components
On original Windows Server installation data media, there is a restricted command line environment (Recovery Console) that can be started on the server as an alternative to the operating system. This environment can be used to manipulate the configuration of the installed Windows operating system. For authentication, the password of the predefined default Administrator account in the Windows Server installation is queried. This account works regardless of whether or not the account has been renamed or deactivated. The Recovery Console can also be installed directly on the hard disk, in which case the system responds as if another operating system were installed. In both cases, this results in a potential misuse of the boot procedure. The Recovery Console should not be installed without a reason, and its installation should be regulated in a policy. The security settings after a standard installation (Start | Control Panel | Administrative Tools | open the Local Security Policy console | select the Local Policies node | Security Options | Recovery Console) should be kept.
In a standard installation, the Internet Explorer Enhanced Security Configuration is enabled (Control Panel | Software | Windows Components). This component should only be deactivated if there is an Internet Explorer-based application (from a third party manufacturer) that is needed on the server but that is not compatible with the enhanced configuration.
The Windows firewall is loaded and enabled together with the TCP/IP protocol in Windows Server 2003 with Service Pack 1 and higher during the boot procedure, so that the TCP/IP protocol is better protected during the boot procedure. The Windows Firewall/Internet Connection Sharing service must be set to "Automatic" start mode to achieve this. It should be considered that the firewall on a Windows Server 2008 - contrary to Windows Server 2003 - filters the data flow in both directions, i.e also in the outward direction. This should be taken into account for any possibly required communication of applications.
After the boot procedure, the firewall functionality (not the service itself) is disabled again by default. If a security incident now occurs in the local network (spreading of malicious software or attacks from inside), the server will be unprotected. For this reason, consideration should be given to activating the Windows firewall in a secure basic configuration.
To accomplish this, the typical services and functions can be released in the local group policy (Start | Run... | gpedit.msc) (Computer Configuration | Administrative Templates | Network | Network Connections | Windows Firewall) or the configuration can be set up using the Security Configuration Wizard (SCW) introduced with Windows 2003. The Windows firewall supports RPC services that run using the predefined Local System, Local Service, and Network Service accounts, for example for remote administration. Additional software with RPC services must be tested before being used in production.
Disabling unneeded functions
On a Windows Server system, basic and auxiliary functions are often enabled that are generally not needed. The following principle applies: Deactivate unneeded functions in order to minimise the number of points of attack and unnecessary risks. In this case, the flexibility of Windows Server 2003 may decrease while the time and expense for administration increases. In spite of this fact and for security reasons, deactivated functions should only be reactivated when corresponding reasoning is provided and the reactivation is documented.
You should carefully consider which functions are actually needed to use a Windows Server 2003 or Windows Server 2008 so that only these functions are activated. Information on the functions not needed are also included in the manufacturer's documentation "Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP", Version 2.0 of 27 December 2005 or later, and in the stated Excel file Windows Default Security and Services Configuration.xls.
Note: Disabling too many services can place the system in an inoperable state. Corresponding tests must therefore be performed to maintain the availability of the system.
Documentation
The documentation of the basic configuration should meet the requirements specified by the change management. The documentation should contain the name, version number, and description of all templates used. It should be easy to see which templates are in effect on each server.
Review questions:
- Is there a checklist or another document that documents all required settings?
- If required, are there security templates and administrative templates for all required settings?
- Are the standard settings for group memberships, system-internal accounts, and authorisations unchanged?
- Is the system time synchronised with the time of the other IT systems in the information system?
- Is there a concept preventing groups becoming the owners of objects?
- Is there a policy for the recovery console?
- Are all unneeded functions disabled?
- Is there a documentation for the change management?
- Is the Microsoft Security Compliance Manager used for processing of security templates?