Securing a Windows 2003 server

Hello,

I'm getting ready to deploy a website on a Windows Server 2003 box.
I've been looking around for ways to make this server as secure as
possible, by settings in Windows Server 2003 and by 3rd party
anti-virus and software firewall. The server will be running crystal
reports enterprise 9, sql server 2000 and will be scaning emails for
content. If any of you have any suggestions (aside from moving to a
linux server, not an option ), it would be greatly appreciated.

thanks,
che

This should keep you busy reading for a while. They are documents to
download. I suspect they are in Word format but I haven't downloaded them
myself.

Windows Server 2003 Deployment Kit: Deploying Internet Information Services
(IIS) 6.0
http://www.microsoft.com/downloads/d...4-596edd039eb9

BTW - Linux isn't more secure ..some just think it is,...it is kinda like a
"religion" with Prophets, Preachers, and Heretics.

If hackers spent as much time beating on Linux/Apache as they do Windows/IIS
there would have been just as many vulnerabilities found,....but they
aren't, so those things go unoticed.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Allan Palmer" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) m...
> Hello,
>
> I'm getting ready to deploy a website on a Windows Server 2003 box.
> I've been looking around for ways to make this server as secure as
> possible, by settings in Windows Server 2003 and by 3rd party
> anti-virus and software firewall. The server will be running crystal
> reports enterprise 9, sql server 2000 and will be scaning emails for
> content. If any of you have any suggestions (aside from moving to a
> linux server, not an option ), it would be greatly appreciated.
>
> thanks,
> che

Aside for the checklists you may find off of
microsoft.com/security
or
microsoft.com/technet/security
look for the security and hardening guides
downloadable from the MS website

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
"Allan Palmer" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) m...
> Hello,
>
> I'm getting ready to deploy a website on a Windows Server 2003 box.
> I've been looking around for ways to make this server as secure as
> possible, by settings in Windows Server 2003 and by 3rd party
> anti-virus and software firewall. The server will be running crystal
> reports enterprise 9, sql server 2000 and will be scaning emails for
> content. If any of you have any suggestions (aside from moving to a
> linux server, not an option ), it would be greatly appreciated.
>
> thanks,
> che

"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
> This should keep you busy reading for a while. They are documents to
> download. I suspect they are in Word format but I haven't downloaded them
> myself.
>
> Windows Server 2003 Deployment Kit: Deploying Internet Information
> Services
> (IIS) 6.0
> http://www.microsoft.com/downloads/d...4-596edd039eb9
>
> BTW - Linux isn't more secure ..some just think it is,...it is kinda like
> a
> "religion" with Prophets, Preachers, and Heretics.
>
> If hackers spent as much time beating on Linux/Apache as they do
> Windows/IIS
> there would have been just as many vulnerabilities found,....but they
> aren't, so those things go unoticed.
>

They do not need to hammer on it, as they can access the source
and know where to go, assuming they can see something there . . .

Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4

>
> "Allan Palmer" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) m...
>> Hello,
>>
>> I'm getting ready to deploy a website on a Windows Server 2003 box.
>> I've been looking around for ways to make this server as secure as
>> possible, by settings in Windows Server 2003 and by 3rd party
>> anti-virus and software firewall. The server will be running crystal
>> reports enterprise 9, sql server 2000 and will be scaning emails for
>> content. If any of you have any suggestions (aside from moving to a
>> linux server, not an option ), it would be greatly appreciated.
>>
>> thanks,
>> che
>
>

In article <eqXpT#(E-Mail Removed)>, "Roger Abell [MVP]"
<(E-Mail Removed)> wrote:
>They do not need to hammer on it, as they can access the source
>and know where to go, assuming they can see something there . . .

Oh, I don't know - in many ways, it's easier to hammer on the outside than
to look at the source. You can find a buffer overflow, generally, much
quicker by passing in huge buffers than by poring line-by-line through the
code and trying to figure out where it might be possible.

Um... not that I've tried that myself, you understand... oh no.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place | (E-Mail Removed).
Cedar Park TX 78613-1419 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.

I agree completely. The guide to securing IIS6 is a start, but isn't
everything you need.

This time around, the best guides for securing Windows Server 2003 are all
at www.microsoft.com/technet/security


"Roger Abell [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Aside for the checklists you may find off of
> microsoft.com/security
> or
> microsoft.com/technet/security
> look for the security and hardening guides
> downloadable from the MS website
>
> --
> Roger Abell
> Microsoft MVP (Windows Server System: Security)
> MCDBA, MCSE W2k3+W2k+Nt4
> "Allan Palmer" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) m...
> > Hello,
> >
> > I'm getting ready to deploy a website on a Windows Server 2003 box.
> > I've been looking around for ways to make this server as secure as
> > possible, by settings in Windows Server 2003 and by 3rd party
> > anti-virus and software firewall. The server will be running crystal
> > reports enterprise 9, sql server 2000 and will be scaning emails for
> > content. If any of you have any suggestions (aside from moving to a
> > linux server, not an option ), it would be greatly appreciated.
> >
> > thanks,
> > che
>
>

"Alun Jones [MS MVP]" <(E-Mail Removed)> wrote in message
news:HyNkc.3985$(E-Mail Removed) ...
> In article <eqXpT#(E-Mail Removed)>, "Roger Abell [MVP]"
> <(E-Mail Removed)> wrote:
>>They do not need to hammer on it, as they can access the source
>>and know where to go, assuming they can see something there . . .
>
> Oh, I don't know - in many ways, it's easier to hammer on the outside than
> to look at the source. You can find a buffer overflow, generally, much
> quicker by passing in huge buffers than by poring line-by-line through the
> code and trying to figure out where it might be possible.
>
> Um... not that I've tried that myself, you understand... oh no.
>
> Alun.
> ~~~~
>

yea, right . . . :-)
I mean, yes as far as overflows are concerned.

--
Roger

> Texas Imperial Software | Find us at http://www.wftpd.com or email
> 1602 Harvest Moon Place | (E-Mail Removed).
> Cedar Park TX 78613-1419 | WFTPD, WFTPD Pro are Windows FTP servers.
> Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.

In article <(E-Mail Removed)>,
(E-Mail Removed) says...
> Use a decent firewall, and configure it properly. Block off all ports
> your system doesn't need (what do you want ICMP for, for example - but
> most firewalls will leave it open by default).

One thing to add to this - block all OUTBOUND ports that are not needed
from all/specific machines. As an example, most corporate users don't
need outbound SMTP since their email server is all that needs it.

I was in a group-home the other day where the had a nice firewall, but
the ISP was going to shut-them down for spam. Turns out that they local
workstations were infected and sending spam directly from the
workstations and not using the sendmail server in their network - if the
firewall had been setup properly it would have blocked it.

--
--
(E-Mail Removed)
(Remove 999 to reply to me)

An 30 Apr 2004 07:33:58 -0700, sgrìobh (E-Mail Removed) (Allan
Palmer):

> Hello,
>
> I'm getting ready to deploy a website on a Windows Server 2003 box.
> I've been looking around for ways to make this server as secure as
> possible, by settings in Windows Server 2003 and by 3rd party
> anti-virus and software firewall. The server will be running crystal
> reports enterprise 9, sql server 2000 and will be scaning emails for
> content. If any of you have any suggestions (aside from moving to a
> linux server, not an option ), it would be greatly appreciated.
>
> thanks,
> che

Make sure it's up to date on windows fixes.

Plan for some amount of down time to install new fixes as they are
released.

Run the MS vulnerability analysis tools and fix everything they point
up.

Download the guides to securing systems avaiklable on the MS website.

Use a decent firewall, and configure it properly. Block off all ports
your system doesn't need (what do you want ICMP for, for example - but
most firewalls will leave it open by default).

Put some gateway-oriented AV software on the gateway behind the
firewall (if you have one).

If you can afford the compute power to do it, put local firewall
software on the server as well as having a separate firewall - and use
it to specify which applications are allowed to access which ports.

Don't run SQL Server under "local system" - run it as a user, with
only the privileges it needs.

If you can fit your applications around it (this can be hard for
applications developed without considering this point), don't allow
SQL Server authentication - only allow windows authentication for
access to SQL server.

Don't give SQL users who don't need it access to xp-cmdshell.

Go through all the configuration options of all the components and set
safe values.

Use AV software that provides frequent signature file updates (at
least one of the most popular products provides only weekly updates,
which isn't helpful when many new viruses achieve their maximum
penetration within two days of release) and frequent engine updates.

Set your AV stuff to scan all updates to ilestore (not just email) and
to scan all newly inserted removable media.

A Windows server can be made pretty secure provided you are careful
how you set it up. The big problem is that the default settings are
not very secure (they used to be hopelesslu insecure, but things are
getting better, so you have to go through them all and fix that.

Don't even consider switching to Linux - look at the CERT record for
server vulnerabilities and the lengths of the windows between a
vulnerability being known and a fix being available if you don't
underastand that comment.

M.

[my real email address has no no in it]

Hey there everyone,

thanks for the input, the resources you mentioned are fantastic. As
far as Anti-virus utilities, does anyone have any recomendations? I
see alot of people use Symantec AntiVirus Enterprise Edition. I was
doing some reading on it and it seems like the suite that i'll end up
with. has anyone had any feedback with this? good? bad? did it cause
viruses? give your dog fleas?

Thanks,
Allan

(E-Mail Removed) (Micheal MacThomais) wrote in message news:<(E-Mail Removed)>...
> An 30 Apr 2004 07:33:58 -0700, sgrìobh (E-Mail Removed) (Allan
> Palmer):
>
> > Hello,
> >
> > I'm getting ready to deploy a website on a Windows Server 2003 box.
> > I've been looking around for ways to make this server as secure as
> > possible, by settings in Windows Server 2003 and by 3rd party
> > anti-virus and software firewall. The server will be running crystal
> > reports enterprise 9, sql server 2000 and will be scaning emails for
> > content. If any of you have any suggestions (aside from moving to a
> > linux server, not an option ), it would be greatly appreciated.
> >
> > thanks,
> > che
>
> Make sure it's up to date on windows fixes.
>
> Plan for some amount of down time to install new fixes as they are
> released.
>
> Run the MS vulnerability analysis tools and fix everything they point
> up.
>
> Download the guides to securing systems avaiklable on the MS website.
>
> Use a decent firewall, and configure it properly. Block off all ports
> your system doesn't need (what do you want ICMP for, for example - but
> most firewalls will leave it open by default).
>
> Put some gateway-oriented AV software on the gateway behind the
> firewall (if you have one).
>
> If you can afford the compute power to do it, put local firewall
> software on the server as well as having a separate firewall - and use
> it to specify which applications are allowed to access which ports.
>
> Don't run SQL Server under "local system" - run it as a user, with
> only the privileges it needs.
>
> If you can fit your applications around it (this can be hard for
> applications developed without considering this point), don't allow
> SQL Server authentication - only allow windows authentication for
> access to SQL server.
>
> Don't give SQL users who don't need it access to xp-cmdshell.
>
> Go through all the configuration options of all the components and set
> safe values.
>
> Use AV software that provides frequent signature file updates (at
> least one of the most popular products provides only weekly updates,
> which isn't helpful when many new viruses achieve their maximum
> penetration within two days of release) and frequent engine updates.
>
> Set your AV stuff to scan all updates to ilestore (not just email) and
> to scan all newly inserted removable media.
>
> A Windows server can be made pretty secure provided you are careful
> how you set it up. The big problem is that the default settings are
> not very secure (they used to be hopelesslu insecure, but things are
> getting better, so you have to go through them all and fix that.
>
> Don't even consider switching to Linux - look at the CERT record for
> server vulnerabilities and the lengths of the windows between a
> vulnerability being known and a fix being available if you don't
> underastand that comment.
>
> M.
>
> [my real email address has no no in it]