Initial Hardening or Securing and performance tweaking of a Windows Server 2003 – Part I

I am hereby mentioning a brief howto on securing a default Windows Server 2003. 90% of the sages at SupportSages are Unix fanatics and I am a rebel belonging to the rest of 10% But often we get requests on securing Windows Servers and hence I am hereby briefing the basic steps we should take to secure a windows server. As the lead sage says, security is a process which starts even before the installation of OS or designing a network and can’t be done in a day or two, just the initial hardening can be. So the steps mentioned here is just the initial hardening. I would love to add more based on suggestions of you. I will mention the fundamentals of troubleshooting and fixing the permission issues of windows in another post. This post is for a standalone server and not a member of an AD (Active Directory).

For all the TUI/CLI guys out there. did you MS Windows Server 2008 can run without a GUI. You just have to install Server Core. You now can command Windows to do what you want

Subscribe to MS’s Security bulletin list at http://technet.microsoft.com/hi-in/security/dd252948(en-us).aspx lists.

Disable all services you do not need

Distributed File System
Distributed Link Tracking Client
Distributed Link Tracking Server
Fax Service
Indexing Service
Netmeeting Remote Desktop Sharing
Print Spooler
Telnet

Sevices you may or may not disable, if not already disabled. Usually a server installation turns this off. Did you know out of 86 default installed services 43 of them are disabled by default.

ClipBook
Computer Browser (On a server do you want this ?)
Help and Support (Again, don’t you have other sages around you for this?)
IMAPI CD-Burning COM Service (Dont need this)
Messenger
Remote Registry
TCP/IP NetBIOS Helper

Harden the TCP/IP Stack

Just like you do in Linux by editing sysctl.conf, you can configure various TCP/IP parameters in the Windows registry in order to protect against network-level denial of service attacks including SYN flood attacks, ICMP attacks and SNMP attacks. You can configure registry keys to:

* Enable SYN flood protection when an attack is detected.
* Set threshold values that are used to determine what constitutes an attack.

Follow the HowTo at http://msdn.microsoft.com/en-us/library/aa302363.aspx

Renaming the Administrator and Guest Account to something else.

Follow the Howto @ http://support.microsoft.com/kb/816109

In that Howto, the AD Users and Computers Snap in is taken by selecting “Start”, “Programs”, “Administrative Tools”, and “Active Directory Users and Computers” or by simply typing dsa.msc in the Start -> Run.

Enabling HTTP Compression

This is not security related, but may improve performance. Took from a website and hence including here also. But remember that Horde error happening for Middle East which is described earlier in one of the posts can creep in.

Check out the URL http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/d52ff289-94d3-4085-bc4e-24eb4f312e0e.mspx?mfr=true

DIsable parent paths (if enabled)

If we are doing monthly management of the server, even if the customer asks to enable parent paths, don’t do it on the server of a hosting firm. Lots of risks are there. Good thing is that in IIS 6.0 it is disabled by default. Ask the developers to use absolute path. If it is enabled, disable it. But on a live production server, if it is enable, before disabling the parent path communicate with the contact person for the firm as it may break websites using it.

• Start the Internet Services Manager (Start – Programs – Administrative Tools – Internet Services Manager
• Right click on the web site and select properties
• Select the ‘Home Directory’ tab
• Click the ‘Configuration’ button under the Application Settings
• Select the ‘App Options’ tab
• Uncheck the ‘Enable parent paths’ box and click Apply

Article  link here says how to enable it. http://support.microsoft.com/kb/q226474/ . But its for reference only.

Use Dedicated Application pools

Again performance related Always try to isolate websites using dedicated applicaiton pools. You can define it under IIS or in many control panels, it is just a click of the button or an option to be checked. Error in one dedicated pool will not affect other pool and hence othe websites. Also this will be helpful when troubleshooting / debugging issues as well.

Changing the RDC or Remote desktop port

Take registry using regedit and browse the hive keys to

HKEY_LOCAL_MACHINE > System > CurrentControlSet > Control > TerminalServer > WinStations > RDP-Tcp

and then change the Registry subkey PortNumber to a non-default, above 1024 one.

On Server 2008, in addition to changing the registry key above, you also need to create a new Inbound TCP rule in your windows firewall to allow connections on your new port.  You can then disable the existing remote desktop inbound rule (which is hard coded to port 3389) and / or add a new one to allow your port. Below command should work also.

netsh advfirewall firewall add rule name=”New Remote desktop” dir=in action=allow protocol=TCP localport=’NEW_PORT_NO’

Refer http://support.microsoft.com/kb/947709 for more help on writing firewall rules.

If working on a hacked or suspected hack system, keep the Security Identifier list available at http://support.microsoft.com/kb/243330 handy.

Lots of tools useful for forensics and daily auditing purposes will be coming on next post or even this post itself will get re-published. Till then read about IPTables equivalent in windows (oh..No..Kinda equivalent) http://support.microsoft.com/kb/813878

Related posts:

1. Monitor remote Windows server using Nagios on Linux
2. Override ‘Upload Files to Server Repository’ limit in Windows Machines / Plesk
3. How to recover forgotten plesk password from a Linux or Windows Dedicated or VPS server
4. Apache Performance Tuning (Part II/III) – Editing Apache for Performance
5. Apache Performance Tuning (Part III/III) – Measuring Apache’s Performance