VCU Server Hardening Checklist: Windows 2003 Server
The hardening checklists are based on the Center for Internet Security (CIS) comprehensive benchmark checklists. The VCU Security Team has distilled the CIS lists down to the most critical steps for your systems with a focus on the configuration issues specific to the computing environment at VCU.
How to Use the Checklist
Print the checklist and check off each item as you complete it to ensure that you cover the critical steps for securing your server. If you need to make an exception to any step, fill in the Exceptions box provided at the bottom of the checklist; depending on the criticality of the system and of the step, you will need approval from the Chief Information Officer. See the VCU Note items for the steps that are critical and cannot be altered without approval.
Explanation of the Checklist
Step - The step number in the procedure. If there is a VCU Note for this step, the note number corresponds to the step number.
Check (√) - For administrators to check off when they complete this portion.
To Do - Basic instructions on what to do to harden the respective system.
CIS - Reference number in the Center for Internet Security Windows Server 2003 Benchmark (PDF, requires VCU eID login). The CIS document outlines in much greater detail how to complete each step.
VCU Note - A § in this column marks steps that have a VCU Note. The VCU Note at the bottom of the page provides additional detail about the step for the university computing environment.
Cat I - For systems that include Category I Data, required steps are denoted with the ! symbol. All steps are required.
Cat II/III - For systems that include Category II or III Data, all steps are recommended, and some are required (denoted by the !).
Min Std - This column links to the specific requirement for the university in the Minimum Security Standards for Systems document.
MAC Address: ____________________
IP Address: ____________________
Machine Name: ____________________
Asset Tag: ____________________
Administrator Name: ____________________
Date: ____________________
Preparation
and Installation |
|||||||||
|
Step |
√ |
To
Do |
CIS |
VCU Note |
Cat I |
Cat II/III |
Min Std |
||
|
1 |
|
If machine is a new install, protect it from hostile network traffic, until the operating system is installed and hardened. |
|
§ |
! |
|
5.1 |
||
|
2 |
|
Consider using the Security Configuration Wizard to assist in hardening the host. |
|
§ |
|
|
|
||
|
Service
Packs and Hotfixes |
|||||||||
|
3 |
|
Install the latest service packs and hotfixes from Microsoft. |
|
§ |
! |
! |
5.2 |
||
|
4 |
|
Enable automatic notification of patch availability. |
|
§ |
! |
! |
5.3 |
||
|
Auditing
and Account Policies |
|||||||||
|
5 |
|
Configure Audit policy as described. |
2.2.1 |
|
! |
|
6.1 |
||
|
6 |
|
Set minimum password length. |
2.2.2.3 |
§ |
! |
|
|
||
|
7 |
|
Enable Password Complexity. |
2.2.2.4 |
§ |
! |
|
|
||
|
8 |
|
Configure event Log Settings. |
2.2.4 |
§ |
! |
|
6.1 |
||
|
Security
Settings |
|||||||||
|
9 |
|
Disable anonymous SID/Name translation. |
3.1.1 |
|
! |
|
|
||
|
10 |
|
Do not allow Anonymous Enumeration of SAM Accounts and Shares. |
3.1.2 |
|
! |
|
|
||
|
11 |
|
Do not allow Anonymous Enumeration of SAM Accounts and Shares. |
3.1.3 |
|
! |
|
|
||
|
12 |
|
Disable the guest account. |
3.2.1.2 |
|
! |
|
5.12 |
||
|
13 |
|
Digitally Encrypt of Sign Secure Channel Data (Always). |
3.2.1.18 |
|
|
|
5.6 |
||
|
14 |
|
Digitally Encrypt Secure Channel Data (When Possible). |
3.2.1.19 |
|
! |
|
5.6 |
||
|
15 |
|
Digitally Sign Secure Channel Data (When Possible). |
3.2.1.20 |
|
! |
|
5.6 |
||
|
16 |
|
Place the University warning banner in the Message Text for Users Attempting to log on. |
3.2.1.26 |
§ |
! |
|
5.10 |
||
|
17 |
|
Disable the sending of unencrypted password to connect to Third-Party SMB Servers. |
3.2.1.35 |
|
! |
|
5.6 |
||
|
18 |
|
Do not allow Everyone permissions to apply to anonymous users. |
3.2.1.41 |
|
! |
|
5.12 |
||
|
19 |
|
Do not allow any named pipes to be accessed anonymously. |
3.2.1.42 |
|
! |
|
5.12 |
||
|
20 |
|
Restrict anonymous access to Named Pipes and Shares. |
3.2.1.45 |
|
! |
|
5.12 |
||
|
21 |
|
Ensure that no shares can be accessed anonymously. |
3.2.1.46 |
|
! |
|
5.12 |
||
|
22 |
|
Choose "Classic" as the sharing and security model for local accounts. |
3.2.1.47 |
|
! |
|
5.12 |
||
|
Additional
Security Protection |
|||||||||
|
23 |
|
Disable or uninstall unused services. |
4.1 |
§ |
! |
|
5.4 |
||
|
24 |
|
Disable or delete unused users. |
|
|
! |
|
5.4 |
||
|
25 |
|
Configure User Rights to be as secure as possible. |
4.2 |
§ |
! |
|
|
||
|
26 |
|
Ensure all volumes are using the NTFS file system. |
4.3.1 |
§ |
! |
|
|
||
|
27 |
|
Use the Internet Connection Firewall or other methods to limit connections to the server. |
4.3.3 |
§ |
! |
|
5.5 |
||
|
28 |
|
Configure file system permissions. |
4.4.1 |
§ |
! |
|
|
||
|
29 |
|
Configure registry permissions. |
4.4.2 |
§ |
! |
|
|
||
|
Additional
Steps |
|||||||||
|
30 |
|
Set the system date/time and configure it to synchronize against campus time servers. |
|
§ |
! |
|
|
||
|
31 |
|
Install and enable anti-virus software. |
|
§ |
! |
! |
3.1 |
||
|
32 |
|
Install and enable anti-spyware software. |
|
§ |
! |
|
3.2 |
||
|
33 |
|
Configure anti-virus software to update daily. |
|
§ |
! |
|
3.3 |
||
|
34 |
|
Configure anti-spyware software to update daily. |
|
§ |
! |
|
3.3 |
||
|
35 |
|||||||||
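Steps 6, 7 and 9 through 22 are all Local Security Policy settings, so they can be verified on the host from a single export rather than by clicking through each one. The script below is an added example (it is not part of the VCU checklist or the CIS benchmark): it parses the INF file written by `secedit /export /cfg <file>` and reports each of those steps as PASS, FAIL or NOT DEFINED. The section and value names it looks for (`[System Access]` keys such as `LSAAnonymousNameLookup`, and `[Registry Values]` paths under `Lsa`, `Netlogon\Parameters`, `LanManServer\Parameters` and `LanmanWorkstation\Parameters`) are those a secedit export normally carries; compare them against your own export before relying on the result. The minimum password length of 8 and the sample INF text are assumptions made for this example, not values from the page.

```python
r"""Audit a secedit policy export against the checklist's password-policy and
security-option steps (steps 6-22 above).

On the server:  secedit /export /cfg C:\audit.inf /areas SECURITYPOLICY
Then:           python audit_inf.py C:\audit.inf   (no argument: audits SAMPLE_INF)
"""
import re
import sys

SYS, REG = "System Access", "Registry Values"   # INF section names
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
NETLOGON = r"MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters"
SERVER = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"
WKS = r"MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters"
POLICIES = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
MIN_PASSWORD_LENGTH = 8   # assumption: the checklist states no figure for step 6

def eq(expected):
    return lambda v: v == expected

# (step, requirement, INF section, key, predicate on the parsed value)
CHECKS = [
    (6, "minimum password length", SYS, "MinimumPasswordLength", lambda v: v >= MIN_PASSWORD_LENGTH),
    (7, "password complexity", SYS, "PasswordComplexity", eq(1)),
    (9, "no anonymous SID/Name translation", SYS, "LSAAnonymousNameLookup", eq(0)),
    (10, "no anonymous SAM enumeration", REG, LSA + r"\RestrictAnonymousSAM", eq(1)),
    (11, "no anonymous SAM/share enumeration", REG, LSA + r"\RestrictAnonymous", eq(1)),
    (12, "Guest account disabled", SYS, "EnableGuestAccount", eq(0)),
    (13, "secure channel: sign or seal (always)", REG, NETLOGON + r"\RequireSignOrSeal", eq(1)),
    (14, "secure channel: seal (when possible)", REG, NETLOGON + r"\SealSecureChannel", eq(1)),
    (15, "secure channel: sign (when possible)", REG, NETLOGON + r"\SignSecureChannel", eq(1)),
    (16, "logon warning banner present", REG, POLICIES + r"\LegalNoticeText", lambda v: bool("".join(v).strip())),
    (17, "no plaintext passwords to third-party SMB", REG, WKS + r"\EnablePlainTextPassword", eq(0)),
    (18, "Everyone excludes anonymous", REG, LSA + r"\EveryoneIncludesAnonymous", eq(0)),
    (19, "no anonymous named pipes", REG, SERVER + r"\NullSessionPipes", eq([])),
    (20, "null-session access restricted", REG, SERVER + r"\RestrictNullSessAccess", eq(1)),
    (21, "no anonymous shares", REG, SERVER + r"\NullSessionShares", eq([])),
    (22, "Classic sharing/security model", REG, LSA + r"\ForceGuest", eq(0)),
]

def _parse_value(raw):
    """[Registry Values] entries are "<type>,<data>" (1 REG_SZ, 3 REG_BINARY,
    4 REG_DWORD, 7 REG_MULTI_SZ); [System Access] entries are bare ints or strings."""
    m = re.match(r"(\d+),(.*)", raw)
    if m:
        kind, data = int(m.group(1)), m.group(2)
        if kind == 4:
            return int(data)
        if kind == 7:
            return [s for s in data.split(",") if s]   # "7," is an empty list
        return data.strip('"')
    return int(raw) if re.fullmatch(r"-?\d+", raw) else raw.strip('"')

def parse_inf(text):
    """Parse INF text into {section: {key: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, _, raw = line.partition("=")
            sections[current][key.strip()] = _parse_value(raw.strip())
    return sections

def audit_inf(text):
    """Return one (step, status, detail) per check; status is PASS, FAIL or NOT DEFINED.
    A key absent from the export is not set by local policy, so the host runs on the
    Windows default for it: report that rather than counting it as a pass."""
    policy = parse_inf(text)
    results = []
    for step, requirement, section, key, ok in CHECKS:
        if key not in policy.get(section, {}):
            results.append((step, "NOT DEFINED", requirement))
        else:
            value = policy[section][key]
            results.append((step, "PASS" if ok(value) else "FAIL", "%s (found %r)" % (requirement, value)))
    return sorted(results)

# Constructed sample export (not taken from a real host): Guest still enabled,
# two legacy pipes still reachable anonymously, and ForceGuest (step 22) never set.
SAMPLE_INF = r"""
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LSAAnonymousNameLookup = 0
EnableGuestAccount = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,COMNAP,COMNODE
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares=7,
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"Notice"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,Authorized use only. Activity may be monitored.
"""

if __name__ == "__main__":
    # secedit writes UTF-16 with a byte-order mark; the utf-16 codec handles that.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_INF
    for step, status, detail in audit_inf(text):
        print("step %2d  %-11s %s" % (step, status, detail))
```

Treat NOT DEFINED as a finding, not a pass: a value the local policy never sets is whatever the Windows default (or a domain GPO) makes it, and for the anonymous-access settings in steps 18 through 22 the defaults are the permissive ones the checklist is trying to remove. Steps 1 through 5, 8 and 23 through 34 are not covered here because they are not single policy values.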