S 4.285 De-installation of unnecessary client functions of Windows Server 2003
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
A standard Windows Server 2003 installation contains a number of components that Windows XP groups under client accessories (media player, e-mail client, conferencing, telephony). They serve no purpose on a server, yet each of them processes externally supplied content and needs its own patching. They should therefore be uninstalled or, where this is not possible, at least disabled, so that the attack surface of the server, and with it the risk these components carry for no benefit, is reduced.
Uninstall the programs in Start | All Programs | Accessories
1. Log in to the server as an administrator.
2. Make a backup copy of the file C:\WINDOWS\inf\sysoc.inf, for example under the name "copy of sysoc.inf".
3. Change the following lines in C:\WINDOWS\inf\sysoc.inf and save the file. The fourth field of each entry holds the options; the option hide removes the component from the Windows Components Wizard, so clearing it only makes the component visible and does not install or remove anything:
OEAccess=ocgen.dll,OcEntry,oeaccess.inf,hide,7
to
OEAccess=ocgen.dll,OcEntry,oeaccess.inf,,7
and
MultiM=ocgen.dll,OcEntry,multimed.inf,HIDE,7
to
MultiM=ocgen.dll,OcEntry,multimed.inf,,7
4. Open Start | Control Panel | Add or Remove Programs | Add/Remove Windows Components and clear the following check boxes:
- Accessories and Utilities / Multimedia / Sound Recorder
- Accessories and Utilities / Multimedia / Media Player
- Accessories and Utilities / Communications / Phone Dialer
Note: The components listed in step 4 only appear in the wizard after steps 1 to 3 have been carried out.
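Steps 2 and 3 can be scripted so that the edit is repeatable and cannot accidentally touch other entries. The following Python script is an added example and not part of the safeguard; the component names and the backup file name are taken from the steps above, everything else (the regular expression, the constructed SAMPLE text, the names of the functions) is this example's own. It clears the options field only when that field is exactly hide, in any letter case, and leaves every other byte of the file, including the CRLF line endings, unchanged.

```python
"""Added example (not part of the safeguard): clear the "hide" option for
selected [Components] entries in sysoc.inf.

Each entry has the form   Name=dll,entrypoint,inf,options,order
and "hide" in the options field keeps the component out of the Windows
Components Wizard.
"""
import re
import shutil
from pathlib import Path

SYSOC = Path(r"C:\WINDOWS\inf\sysoc.inf")
BACKUP = SYSOC.with_name("copy of sysoc.inf")   # backup name from step 2
TARGETS = ("OEAccess", "MultiM")                 # component names from step 3

# One "Name=value" line; the value ends at the line end, CRLF or LF.
_ENTRY = re.compile(r"^(?P<name>[^=;\[\]\s]+)=(?P<value>.*?)(?P<eol>\r?\n|$)",
                    re.MULTILINE)


def unhide_components(text, targets=TARGETS):
    """Return (new_text, names_changed) with the "hide" option cleared for the
    named components. Other lines and all line endings are preserved."""
    wanted = {t.lower() for t in targets}
    changed = []

    def fix(match):
        name = match.group("name")
        if name.lower() not in wanted:
            return match.group(0)
        fields = match.group("value").split(",")
        # Exactly five fields, and the options field must be just hide/HIDE;
        # anything else (other options, odd layout) is left alone on purpose.
        if len(fields) != 5 or fields[3].strip().lower() != "hide":
            return match.group(0)
        fields[3] = ""
        changed.append(name)
        return name + "=" + ",".join(fields) + match.group("eol")

    return _ENTRY.sub(fix, text), changed


# Constructed sample, not a real sysoc.inf: the two target lines, a hidden
# non-target line that must stay hidden, and an already visible line.
SAMPLE = (
    "[Components]\r\n"
    "OEAccess=ocgen.dll,OcEntry,oeaccess.inf,hide,7\r\n"
    "MultiM=ocgen.dll,OcEntry,multimed.inf,HIDE,7\r\n"
    "Other=ocgen.dll,OcEntry,other.inf,hide,7\r\n"
    "Games=ocgen.dll,OcEntry,games.inf,,7\r\n"
)


def main(inf_path=SYSOC, backup_path=BACKUP):
    """Step 2 (backup) and step 3 (edit) in one go; returns the changed names."""
    with open(inf_path, newline="") as f:          # newline="" keeps CRLF intact
        original = f.read()
    shutil.copy2(inf_path, backup_path)            # step 2: untouched copy first
    new_text, changed = unhide_components(original)
    if changed:
        with open(inf_path, "w", newline="") as f:
            f.write(new_text)
    return changed


if __name__ == "__main__":
    print("made visible:", main() or "nothing (entries already visible?)")
```

Run it once as an administrator on the server, then continue with step 4. Running it a second time changes nothing, because the options field is then already empty.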
Disable the Media Player, Outlook Express, and NetMeeting
The uninstall routines for the integrated Media Player, Outlook Express, and NetMeeting components do not completely remove the programs: their executables remain on disk and can still be started, deliberately or by accident. For this reason, these programs should be blocked with the help of software restriction policies (see S 4.286 Use of software restriction policies under Windows Server 2003).
If Active Directory and group policies are used, it must be ensured that the settings actually take effect on the individual server by configuring the group policies correctly (see S 2.231 Planning of group policy under Windows). Note that software restriction policy settings in a domain GPO take precedence over the local policy, so a rule configured only locally can be overridden from the domain.
Modifying the local software restriction policy:
- Open the local security policy via Start | Control Panel | Administrative Tools | Local Security Policy
- Switch to the Software Restriction Policies | Additional Rules folder
- Add new path rules with the security level set to Disallowed for the following paths. A name enclosed in percent signs is read by the policy engine from the given registry value, so the rules follow the actual Program Files directory of the server rather than assuming C:\Program Files:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%\NetMeeting
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%\Outlook Express
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%\Windows Media Player
If one of the blocked programs was previously started automatically at system start or logon, error messages will appear once the rule is in force. The corresponding autostart entries should therefore be removed, for example using msconfig.exe, before the policy is activated.
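The three path rules above can also be prepared as a registry import file, which makes them reviewable and lets the same rules be applied to many servers in the same way. The following Python script is an added example, not part of the safeguard or of Windows: the three paths are the ones listed above, the registry layout is the one the Local Security Policy console writes (one sub-key per rule under CodeIdentifiers\0\Paths, where 0 is the Disallowed level, with the values ItemData, SaferFlags and Description), while the function names, the rule descriptions, the output file name and the fixed GUID namespace are this example's own choices.

```python
"""Added example (not part of the safeguard): emit a .reg file that adds
software restriction policy path rules at the Disallowed level.

The console stores a path rule as
  HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\{GUID}
with <level> 0 = Disallowed (262144 = Unrestricted) and the values
ItemData (REG_EXPAND_SZ, the path), SaferFlags (REG_DWORD 0), Description.
"""
import uuid

SAFER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
DISALLOWED = 0

PROGRAM_FILES = r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%"
BLOCKED_PATHS = (                       # the three paths from the safeguard
    PROGRAM_FILES + r"\NetMeeting",
    PROGRAM_FILES + r"\Outlook Express",
    PROGRAM_FILES + r"\Windows Media Player",
)

# Arbitrary but fixed namespace chosen for this example: rule GUIDs are derived
# from it, so importing the file twice updates the same keys instead of adding
# duplicate rules.
RULE_NAMESPACE = uuid.UUID("1f0a3b1e-4c9e-4a2b-9d5e-6f7a8b9c0d1e")


def reg_string(s):
    """Quote a string for a .reg value (backslashes and quotes escaped)."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def reg_expand_sz(s):
    """REG_EXPAND_SZ in .reg syntax: hex(2): followed by the UTF-16LE bytes
    of the string plus a two-byte terminator."""
    data = s.encode("utf-16-le") + b"\x00\x00"
    return "hex(2):" + ",".join(f"{b:02x}" for b in data)


def rule_key(path, level=DISALLOWED):
    """Registry key of the rule for `path`; deterministic for a given path and level."""
    guid = uuid.uuid5(RULE_NAMESPACE, f"{level}:{path.lower()}")
    return f"{SAFER}\\{level}\\Paths\\{{{guid}}}"


def path_rule(path, level=DISALLOWED, description=""):
    """The .reg lines for one path rule; SaferFlags is 0 for a plain path rule."""
    return [
        f"[{rule_key(path, level)}]",
        f'"Description"={reg_string(description)}',
        '"SaferFlags"=dword:00000000',
        f'"ItemData"={reg_expand_sz(path)}',
        "",
    ]


def build_reg(paths=BLOCKED_PATHS, level=DISALLOWED, tag="S 4.285"):
    """Complete .reg text (CRLF line endings, as regedit writes them)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for p in paths:
        name = p.rsplit("\\", 1)[-1]
        lines += path_rule(p, level, f"{tag}: {name}")
    return "\r\n".join(lines)


if __name__ == "__main__":
    out = "srp-client-components.reg"
    # "Version 5.00" files are UTF-16LE with BOM; Python's "utf-16" writes exactly that.
    with open(out, "w", encoding="utf-16", newline="") as f:
        f.write(build_reg())
    print(f"wrote {out}; import with: regedit /s {out}")
```

The file only adds rules; the software restriction policy itself (default level and enforcement settings under CodeIdentifiers) must already exist on the server, which is the case once New Software Restriction Policies has been created in the Local Security Policy console. After importing with regedit /s, refresh the policy with gpupdate /force and confirm in the console under Additional Rules that the three path rules are listed with the level Disallowed.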
Furthermore, the Internet communication capabilities of the Windows client components should be restricted. To do this, open the local group policy (Start | Run... | gpedit.msc) and navigate to Computer Configuration | Administrative Templates | System | Internet Communication Management | Internet Communication Settings. The settings in this folder are "Turn off ..." policies, so enabling a setting disables the corresponding function; every function listed there should be turned off in this way. Only Automatic Root Certificate Update and Windows Update should remain enabled, and only if no other procedure has been specified for the server (for example an internal update server).
If there are other unneeded client applications and functions enabled on the server, then these applications must also be uninstalled or disabled.
Review questions:
- Are all services and programs not required on the Windows Server 2003 system uninstalled or disabled, in particular the client functions?