Security
Setting up a secure Windows server
Use Windows Server 2003. If there is a vendor requirement for Server 2000, please consult with LTS prior to buying the server or software.
- Base Requirements:
- Start with a clean install; do not upgrade from previous versions of the operating system, i.e., do not upgrade a Server 2000 machine to Server 2003. Instead, completely reinstall the operating system and start fresh.
- Build your server offline or on the 10.64.xx.xx network. Do not build a Windows server on the 129.64.xx.xx network. It will be compromised before being fully patched.
- The base install and service pack installs can be done completely offline. Once the service packs are installed, the server can be connected to the network, but should not be registered.
- Windows Update will work through the Brandeis Web proxy (donut.unet.brandeis.edu, port 3128), so it can be used to obtain all post-service pack hotfixes prior to registering the server on the 129.64.xx.xx network.
- The current service pack is SP1, and should be installed.
- Enable the Windows Firewall (in the Control Panel). Determine what services will need to accept inbound connections (file sharing, Web serving, etc.), and what networks those services will need to talk to. If your Web server is only going to be accepting connections from on campus, restrict inbound connections on port 80 to 129.64.0.0/16. The principle of least privilege should be followed, and only those clients you want to connect should be listed in the firewall rules.
- Register the server on the network at http://netinfo.unet.brandeis.edu/norm/addhost.php
- In the drop-down for "Disposition vis-a-vis DHCP," select the drop-down for NODHCP. This will create a static reservation for the server. On the server, statically assign the reserved IP address to the network adapter.
- Only install the software your server needs. If your server is not going to be a Web server, do not install IIS. If your server is just going to serve static pages, do not install the .Net framework components.
- Disable unwanted services. There are several services that you explicitly should not be running: DNS, DHCP, WINS. Those services in particular are network infrastructure, and should only be run on central LTS servers.
- Run netstat -nao to see which processes are listening on which ports; it gives you a list of PIDs and associated ports. Compare that output with tasklist /svc to determine which services may be talking to the network. Disable unneeded services that are talking to the network.
- Do not create your own Active Directory domain (the "dcpromo" command). If you are interested in particular Active Directory functionality, please contact LTS.
- Do not Web browse from a server. If an administrator needs to download software or patches, do so on another machine, and move the files over to the server (either via file sharing or a flash drive).
- Recommended configuration options:
- Joining the Brandeis Active Directory service is strongly recommended, particularly if the server is to be used for Windows file sharing. Joining the domain will remove the requirement for local management of users and passwords, reducing the complexity for end users of the system, and improving security.
- Consider changing the routing tables on your server. If your server does not need to speak to clients off campus, the default gateway and route can be removed, and explicit routes for the portions of campus your server needs to communicate with can be added. This will reduce the exposure of your server to the outside world.
- Use of Automatic Updates is strongly recommended. It is recommended that machines be set to download and install updates on a schedule. If Automatic Updates are not enabled, the administrator must stay up-to-date with Windows patching manually.
- Use of a backup solution is strongly recommended. The native Windows backup and restore client will likely be sufficient for a standalone server. The backup client has the ability to schedule regular backups (and can perform incremental or full backups). A schedule of nightly incremental backups and weekly full backups is recommended. Retention period for backups should be considered. A policy of keeping the previous four full backups and the previous seven incremental backups is recommended. Please arrange to store your backup files somewhere other than on the server itself. Storage of backup media should be done in a physically separate area, perhaps in a different building. If you need network storage for server backups, please contact LTS.
- Be aware of physical security and environment concerns. If your server contains sensitive information, house it in a secure room with minimal foot traffic. Make sure the environment is appropriate for computer operation, with moderate humidity and appropriate temperature.
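The netstat -nao and tasklist /svc comparison from the base requirements can be done mechanically by joining the two outputs on PID. The script below is an added example, not part of the original page or an LTS tool; the sample outputs are constructed, and the service names in INFRA are assumed names for the DNS, DHCP and WINS server roles.

```python
import re

# Constructed samples of `netstat -nao` and `tasklist /svc` output (not from a real host).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1820
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       732
  TCP    10.64.1.20:1042        10.64.1.5:445          ESTABLISHED     4
  UDP    0.0.0.0:53             *:*                                    1544
"""
TASKLIST = """\
Image Name                   PID Services
========================= ====== =============================================
svchost.exe                  732 RpcSs, Dhcp,
                                 Dnscache
inetinfo.exe                1820 IISADMIN, W3SVC
dns.exe                     1544 DNS
"""
# Assumed server-role service names; client-side "Dhcp"/"Dnscache" are not flagged.
INFRA = {"DNS", "DHCPServer", "WINS"}
# TCP rows count only in the LISTENING state; UDP rows have no state column.
SOCK = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:LISTENING\s+)?(\d+)\s*$", re.M)

def listeners(text):
    return [(proto, int(port), int(pid)) for proto, port, pid in SOCK.findall(text)]

def services_by_pid(text):
    """PID -> (image name, [services]); columns are sliced using the '====' ruler."""
    lines = text.splitlines()
    ruler = next(i for i, l in enumerate(lines) if l.startswith("==="))
    (n0, n1), (p0, p1) = [m.span() for m in re.finditer(r"=+", lines[ruler])][:2]
    table, last = {}, None
    for line in lines[ruler + 1:]:
        names = [s.strip() for s in line[p1:].split(",") if s.strip() not in ("", "N/A")]
        if line[p0:p1].strip().isdigit():
            last = int(line[p0:p1])
            table[last] = (line[n0:n1].strip(), names)
        elif last is not None:  # continuation of a wrapped service list
            table[last][1].extend(names)
    return table

def exposed_services(netstat_text, tasklist_text):
    """Join on PID: (proto, port, pid, image, services, flagged infrastructure)."""
    svc = services_by_pid(tasklist_text)
    rows = []
    for proto, port, pid in listeners(netstat_text):
        image, names = svc.get(pid, ("?", []))
        rows.append((proto, port, pid, image, names, sorted(INFRA & set(names))))
    return rows
```

To use it on a real server, save the output of each command to a text file and pass the file contents to exposed_services in place of the constructed samples.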
This page was last modified on: Apr 19, 2007