It's 2003, and you might want to start the new year by checking the security of all your systems. Toward that effort, I've located several security checklists to assist you. The checklists cover Windows XP; Windows 2000; Windows NT; Microsoft IIS, SQL Server, Exchange Server, and Internet Explorer (IE); various UNIX systems; and Apache. Keep in mind that these are just a few of the many checklists available. To find more, use your favorite search engine.
LabMice.net hosts a "Windows XP Security Checklist."
The checklist is divided into three categories: basic, intermediate, and advanced. The items covered include user accounts, groups, passwords, hardware, ports, shares, risky subsystems, and risky features.
Microsoft also provides a security checklist for XP Home Edition and XP Professional. According to the related TechNet Web page, the checklists "outline the steps you should take to reach a baseline of security with Windows XP Home Edition and Windows XP Professional computers, either on their own or as part of a Windows NT or Windows 2000 domain." The checklists cover such matters as shares, policies, and accounts and passwords.
LabMice.net also hosts the "Windows 2000 Security Checklist," which provides the same thorough coverage provided in the LabMice.net XP security checklist.
If you have NT systems on your network, check out the NT security checklist that Windows IT Library hosts. Originally compiled by Rob Davis with the help of several others, the checklist includes information from Microsoft's Web site. The list addresses such concerns as protecting files and directories, NetBIOS, dangerous services, passwords and hashes, registry entries, resource sharing, auditing, caching, and memory paging.
Microsoft offers the Internet Information Server (IIS) 4.0 Baseline Security Checklist, which helps you better secure the popular Web server. The list discusses installing the minimum Internet services required, setting appropriate authentication methods, setting appropriate virtual directory permissions and partitioning Web application space, setting appropriate IIS log file ACLs, enabling logging, setting up Secure Sockets Layer (SSL), disabling or removing all sample applications, removing the IISADMPWD virtual directory, removing unused script mappings, and disabling Remote Data Services (RDS) support. Microsoft also provides a Web-based checklist form that helps you keep track of which configuration actions you've taken on a Web server. The form contains hotlinks that describe each item listed. The company also provides a lockdown tool for IIS. Finally, Microsoft offers a useful checklist for Internet Information Services (IIS) 5.0.
SQLSecurity.com provides the "SQL Server Security Checklist" to help you secure SQL Server installations. The extensive list covers such matters as service packs, protocols, user accounts, dropping dangerous procedures, deleting stored procedures, logging, alerts, groups and roles, and user logins.
The IMIBO Web site discusses Exchange Server security and offers sample code that shows you how Microsoft handles security inside the server. The site's information addresses subjects such as logons, directory objects, security descriptors, modifying access, and public folder access control.
DevX provides "Eight Tips to Secure Exchange." The tips cover areas such as ports, underlying OS services, server location, passwords, using communities, dial-up access, and administrative rights.
You can find additional information about Exchange Server and Outlook security at Slipstick Systems. At the Slipstick Web site, search on the term "security."
Microsoft provides a rudimentary Web page that explains IE security. The page includes settings for SSL and security zones. The most important thing to remember about IE security is to load the many available patches.
More Microsoft Security Tools and Checklists
For more complete access to Microsoft security checklists and tools, visit the company's TechNet Web site. The site includes items for most of Microsoft's enterprise products (although not for SQL Server).
CERT offers a "UNIX Security Checklist v2.0." The checklist covers the basic OS, major services, patches, and details about specific UNIX OSs. The checklist appendix lists security tools, commands, and five "essential" steps to secure your UNIX systems before you put them into operation.
Apache HTTP Server
If you're among the many people who run Apache HTTP server, you'll be happy to know that the Apache Server Project hosts a Web page, "Security Tips for Server Configuration." The content includes permissions on server root directories, server-side includes, Common Gateway Interface (CGI) in general, aliased CGI, dynamic content, system settings, and protecting server files.
Finally, Windows & .NET Magazine has published many in-depth articles that discuss how to better secure your systems. Be sure to use the Web site search engine to find material about the security topics most important to you.