The Windows Server 2003 Security Guide page contains:

Topics on this Page
downGuide Content
downDownloads and Resources
downGive Us Your Feedback

Security Guide Overview

Downloads

Feedback to Solution Team

Updated April 23rd, 2003

The Windows Server 2003 Security Guide focuses on providing a set of easy to understand guidance, tools, and templates to help secure Windows Server 2003 in many environments. While the product is extremely secure from the default installation, there are a number of security options that can be further configured based on specific requirements. This guidance not only provides recommendations, but also the background information on the risk that the setting is used to mitigate as well as the impact to an environment when the option is configured.

The material explains the different requirements to secure three distinct environments, as well as what each prescribed server setting addresses in terms of client dependencies. The three environments considered are called Legacy Client, Enterprise Client, and High Security.

  • The Legacy Client settings are designed to work in an Active Directory domain running on Windows Server 2003 domain controllers with Windows 98, Windows NT 4.0, and later client computers and member servers.
  • The Enterprise Client settings are designed to work in an Active Directory domain running on Windows Server 2003 domain controllers with Windows 2000, Windows XP, and later client computers and member servers.
  • The High Security settings are also designed to work in an Active Directory domain running on Windows Server 2003 domain controllers with Windows 2000, Windows XP, and later client computers and member servers. However, the High Security settings are so restrictive that many applications may not function, performance of the servers may be noticeably slower, and managing the servers will be more challenging.


    If your browser does not support inline frames, click here to view on a separate page.

    These levels of hardening guidance are provided for a baseline member server as well as a group of distinct server roles. The documents included as part of this guidance are discussed below.

Guide Content Back to Top

The content for this guidance is broken into several different guides to ease usability. These include the Security Guide, a Companion Guide called Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, a test guide, a delivery guide, and a support guide.

Windows Server 2003 Security Guide

The Windows Server 2003 Security Guide consists of 12 chapters. Each chapter builds on the end – to – end process required to implement and secure Windows Server 2003 in your environment. The first few chapters describe building the foundation for hardening the servers in your organization, the remaining chapters document the procedures unique to each server role.

Chapter 1: Introduction to the Windows Server 2003 Security Guide

This chapter introduces the Windows Server 2003 Security Guide, and includes a brief overview of each chapter.

Chapter 2: Configuring the Domain Infrastructure

This chapter explains how the domain environment will be constructed as a baseline in order to provide guidance to secure a Windows Server 2003 infrastructure. The chapter first focuses on domain – level security settings and countermeasures. High level descriptions of the Microsoft Active Directory® service design, the organizational unit (OU) design, and domain policy are included.

Chapter 3: Creating a Member Server Baseline

This chapter explains security template settings and additional countermeasures for the server roles covered in the guide in all three environments. The chapter largely focuses on establishing a baseline for the server role hardening recommendations discussed later in the guide.

Chapter 4: Hardening Domain Controllers

The domain controller server role is one of the most important roles to secure in any Windows Server 2003 Active Directory environment. This chapter is devoted to explaining the security considerations behind the recommended Domain Controller Group Policy.

Chapter 5: Hardening Infrastructure Servers

In this chapter, the Infrastructure server role is defined as either a Dynamic Host Control Protocol (DHCP) server or a Windows Internet Name Service (WINS) server. Details are provided on the areas in which the Infrastructure servers in your environment can benefit from security settings that are not applied by the Member Server Baseline Policy (MSBP).

Chapter 6: Hardening File Servers

This chapter focuses on the File server role and the difficulties related to hardening servers designated for it. This chapter details any areas in which File servers can benefit from security settings not applied by the Member Server Baseline Policy (MSBP).

Chapter 7: Hardening Print Servers

Print servers are the focus of this chapter. Again, the most essential services for these servers require use of Windows NetBIOS – related protocols. This chapter details the areas in which Print server security settings can be strengthened in ways that are not applied by the Member Server Baseline Policy (MSBP).

Chapter 8: Hardening IIS Servers

Sections in this chapter provide the detail on a variety of security hardening settings that should be implemented to enhance the security of IIS servers in your environment. The importance of security monitoring, detection, and response is emphasized to ensure that these servers stay secure.

Chapter 9: Hardening IAS Servers

Internet Authentication Servers (IAS) provide Radius services, a standards – based authentication protocol designed for verifying identity of clients accessing networks remotely. This chapter details any areas in which IAS Servers can benefit from security settings not applied by the Member Server Baseline Policy (MSBP).

Chapter 10: Hardening Certificate Services Servers

Certificate Services provide the cryptographic and certificate management services needed to build a public key infrastructure (PKI) in your server environment. This chapter details any areas in which Certificate Services servers will benefit from security settings not applied by the Member Server Baseline Policy (MSBP).

Chapter 11: Hardening Bastion Hosts

Bastion hosts are servers that are accessible to clients from the Internet. Details are provided on any areas in which Bastion Hosts can benefit from security settings not applied by the Member Server Baseline Policy (MSBP), or the methods used to apply those settings in an Active Directory – based domain environment.

Chapter 12: Conclusion

The concluding chapter of this guide recaps the important points of the material in a brief overview of everything discussed in the previous chapters.

Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP

The purpose of this guide is to provide a reference to many of the security settings available in the current versions of the Microsoft® Windows® operating systems. This is a companion guide for the Windows Server 2003 Security Guide.

For each setting discussed in this guide, information is provided regarding the threat that the setting was designed to prevent, the different countermeasures that can be applied, and the potential impact of configuring these options.

Test Guide

This document enables an organization implementing the Windows Server 2003 Security Guide to test its implementation of the solution. The actual experience of the Windows Server 2003 Security Guide Test Team is captured in this document.

This document describes the Scope, Objectives, and Strategy used for testing the Windows Server 2003 Security Guide. The Test environment, Test case details, Release Criteria, and Test Results are included in this document.

Delivery Guide

This Guide provides general information intended for business planners, IT architects or project managers regarding recommended methodologies for implementing this solution as well as the tasks necessary to deploy this solution, the types of resources, skill-sets and probable costs required. This information will be delivered via pointers to general solution frameworks as well as tools delivered specifically for the Securing solution.

Support Guide

The audience for this document is delivery teams who are implementing the Windows Server 2003 Security Guide and customers who are supporting and maintaining the solution.

The document is designed to provide information about how the software components in the solution are supported, including escalation paths, support offerings and resources, and support levels.

Downloads and Resources Back to Top