Windows Server 2003 Security Guide Microsoft Solutions for Security


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2003 Microsoft Corporation. All rights reserved. Microsoft and Visual Basic are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Acknowledgements

The Microsoft Solutions for Security group (MSS) would like to acknowledge and thank the team that produced the Windows Server 2003 Security Guide. The following people were either directly responsible, or made a substantial contribution to the writing, development, and testing of this solution.
Authors, Reviewers, Content Contributors, Testers, Contributors, Editors and Program Managers (names as extracted from the two-column credits page): Kurt Dillard, Rich Benack, José Maldonado, Rob Cooper, Brad Warrender, Duane Crider, Mike Greer, Robert Hensing, William Dixon, Chad Hilton, Eric Fitzgerald, Andrew Mason, Stirling Goetz, Joe Porter, Ian Hellen, Joel Scambray, Jesper Johansson, Ben Smith, Kirk Soluk, Jeff Williams, Gaurav Singh Bora, Ignacio Avellaneda, Kenon Bliss, Ganesh Balakrishnan, Paresh Gujar, Shelly Bird, Vince Humphreys, Derick Campbell, Ashish Java, Sean Finnegan, Joanne Kennedy, Reid Bannecker, Jeff Newfeld, Wendy Cleary, Rob Oikawa, John Cobb, Vishnu Patankar, Kelly McMahon, Keith Proctor, Jon Tobey, Bill Reid, Sandeep Sinha, Chase Carpenter, Bomani Siwatu, Graham Whiteley.

At the request of Microsoft, The Center for Internet Security (CIS) and the United States Department of Commerce National Institute of Standards and Technology (NIST) participated in the final review of these Microsoft documents and provided comments, which were incorporated into the published versions. Microsoft would also like to thank the Siemens Workplace Architecture Team as well as National Broadband LLC for their invaluable input and participation in the Early Adopter Program for this guide.

Table of Contents

Introduction to the Windows Server 2003 Security Guide ..... 1
  Overview ..... 1
  Executive Summary ..... 2
  Who Should Read This Guide ..... 3
  Get Secure Stay Secure ..... 4
  Scope of this Guide ..... 5
  Content Overview ..... 6
  Skills and Readiness ..... 10
  Requirements ..... 11
  Style Conventions ..... 12
  Summary ..... 13
Configuring the Domain Infrastructure ..... 15
  Overview ..... 15
  Domain Policy ..... 31
  Account Policies ..... 32
  Password Policy ..... 33
  Account Lockout Policy ..... 38
  Kerberos Policy ..... 41
  Security Options ..... 42
  Summary ..... 44
Creating a Member Server Baseline ..... 47
  Overview ..... 47
  Windows Server 2003 Baseline Policy ..... 51
  Audit Policy ..... 52
  User Rights Assignments ..... 64
  Security Options ..... 76
  Event Log ..... 100
  System Services ..... 103
  Additional Registry Settings ..... 139
  Additional Security Settings ..... 144
  Summary ..... 149
Hardening Domain Controllers ..... 151
  Overview ..... 151
  Audit Policy Settings ..... 153
  User Rights Assignments ..... 154
  Security Options ..... 159
  Event Log Settings ..... 160
  System Services ..... 161
  Additional Security Settings ..... 164
  Summary ..... 175
Hardening Infrastructure Servers ..... 177
  Overview ..... 177
  Audit Policy Settings ..... 178
  User Rights Assignments ..... 179
  Security Options ..... 180
  Event Log Settings ..... 181
  System Services .....