How to Secure a Windows Server
Following are recommended steps to be taken to secure your sensitive data stored on a Windows 2000 or higher server. Because each environment is different, your server administrator should test the following steps before implementing on a production server! Most enterprise-wide servers have highly trained professionals managing them, so some or all of the following steps may already be implemented. If your network administrator is not able or willing to implement any of the following steps, simply state the reason in the accompanying form to describe your security plan.
Physical Security of a Server on a Network
- Secure the server on which your sensitive data resides in a locked room to which only authorized users have access.
Controlling Access to the Data
- Restrict access to your sensitive data to project personnel using the security features available via the operating system (e.g., login via userid/password and NTFS permissions).
- Require strong passwords.
- You can run L0phtcrack or other password "recovery" systems to look for bad passwords.
- You can use Administrative Tools, Local Security Policy to enable password complexity (Windows 2000, Windows XP).
- Note vulnerabilities for accounts with no passwords or weak passwords.
- On the workstation from which the sensitive data will be accessed, enable a password-protected screen saver set to activate after three minutes of inactivity.
- Install encryption software for directories containing secure data. Windows 2000 encryption is free and works well. Additional encryption software applications can be found here.
- Configure your analysis software to point temporary work files to the encrypted sensitive data directory.
- Install and periodically run a secure erasure program. This program should be run after the secure data has been removed from the server at the end of the contract period. (Shred 2 is inexpensive and works well.)
- Do not copy or move your sensitive data out of the secured directory for any reason.
Protecting the Data from Unauthorized Access Across the Wire
The following are additional minimum steps you should take to secure your sensitive data on a server running Windows 2000 or higher if the server is connected to the Internet or a network. For detailed security for Windows Servers, consult the SANS and Microsoft Security guides.
- Do NOT install IIS or MS SQL Server on a Windows computer that will house sensitive data.
- Turn off all unneeded services (the following list is provided as an example, and may not be a complete list for your environment. Be sure to test these items before implementing on a production server!)
- IIS
- Peer Web Services
- RAS
- Gopher
- FTP
- IP Forwarding
- Simple TCP/IP Services
- SNMP
- Disable unneeded network protocols (e.g., IPX or NetBEUI).
- If you operate in an IP only environment, disable NetBIOS over TCP/IP.
- Replace the Everyone group with the Authenticated Users group for the Access this Computer from the Network user right (User Manager-->Policies-->User Rights).
- Disable the Guest account.
- Replace group Everyone with the appropriate group(s) on critical system folders, files, and registry keys.
- Restrict Share permissions to only those groups that need access (default access control on new shares is Everyone Full Control).
- Remove, disable, or rename administrative shares (c$, d$, admin$).
- Restrict/Prevent anonymous access and enumeration of accounts and shares.
- For more information on NULL sessions and their vulnerabilities, see this SANS document.
- Create a new userid for administrative purposes and add this userid to the local Administrators group. Disable the original administrator userid. (For more tips on securing the administrator account, refer to the Microsoft document, The Administrator Accounts Security Planning Guide.)
- Protect the administrative password: using the Resource Kit, run
- passprop /complex /adminlockout
- Use Windows Update or Microsoft Baseline Security Advisor to keep system patches up to date. (Consider subscribing to the Microsoft Security Notification Service.)
- Install application (e.g., Internet Explorer) security patches.
- Install antivirus software and keep the virus definition files updated.
- Secure performance data.
- Enable auditing:
- Audit Login success and failure.
- Audit failed attempts at exercising user privileges.
- Audit system events such as shutdowns.
- Move log files out of the default location (%SystemRoot%\system32\config\*.evt) and secure them with NTFS permissions.
- Restrict access to the log files to administrator only.
- Check your logs often!
- Disable or remove Windows Scripting Host.
- Use a corporate, hardware, or personal (software) firewall:
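Several of the items above (password complexity, the account lockout enabled by passprop, the audit settings, the "Access this computer from the network" right, and RestrictAnonymous) are local security policy settings that Windows writes to an INF file with secedit /export /cfg. The following checker, an added example that is not part of the original page, reads such an export and reports which of those items are not yet met; the INF text and the expected values are constructed for illustration.

```python
# Added example (not from the page): check a 'secedit /export /cfg' INF export
# against the password, audit, user-right and anonymous-access items above.
import configparser

# Constructed sample export (abridged; a real export also has [Unicode]/[Version]).
SAMPLE_INF = """\
[System Access]
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 3
AuditPrivilegeUse = 1
AuditSystemEvents = 0
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,0
"""
EVERYONE = "*S-1-1-0"    # Everyone; Authenticated Users is *S-1-5-11
SUCCESS, FAILURE = 1, 2  # audit flag bits as written by secedit; 3 = both
RESTRICT_ANON = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous"

def parse_inf(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. SeNetworkLogonRight
    cp.read_string(text)
    return cp

def audit(text):
    """Return findings as a list of strings; an empty list means every check passed."""
    cp = parse_inf(text)
    findings = []
    acc, ev = cp["System Access"], cp["Event Audit"]
    if acc.get("PasswordComplexity", "0") != "1":
        findings.append("password complexity not enforced")
    if int(acc.get("LockoutBadCount", "0")) == 0:
        findings.append("no account lockout after failed logons")
    if int(ev.get("AuditLogonEvents", "0")) != SUCCESS | FAILURE:
        findings.append("logon success and failure not both audited")
    if not int(ev.get("AuditPrivilegeUse", "0")) & FAILURE:
        findings.append("failed privilege use not audited")
    if int(ev.get("AuditSystemEvents", "0")) == 0:
        findings.append("system events (e.g. shutdown) not audited")
    rights = cp["Privilege Rights"].get("SeNetworkLogonRight", "")
    if EVERYONE in [s.strip() for s in rights.split(",")]:
        findings.append("Everyone holds 'Access this computer from the network'")
    anon = cp["Registry Values"].get(RESTRICT_ANON, "4,0").split(",")[-1]
    if int(anon) == 0:  # 0 lets null sessions enumerate accounts and shares
        findings.append("RestrictAnonymous is 0")
    return findings
```

Run audit() over the text of a real export and re-run it after each change to confirm the setting took effect; the sample export above fails every check except logon auditing.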