Microsoft Solutions for Security and Compliance Windows Server 2003 Security Guide

April 26, 2006

© 2006 Microsoft Corporation. This work is licensed under the Creative Commons Attribution-Non Commercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

Contents

Chapter 1: Introduction to the Windows Server 2003 Security Guide
  Overview
  Executive Summary
  Who Should Read This Guide
  Scope of this Guide
  Chapter Summaries
    Chapter 1: Introduction to the Windows Server 2003 Security Guide
    Chapter 2: Windows Server 2003 Hardening Mechanisms
    Chapter 3: The Domain Policy
    Chapter 4: The Member Server Baseline Policy
    Chapter 5: The Domain Controller Baseline Policy
    Chapter 6: The Infrastructure Server Role
    Chapter 7: The File Server Role
    Chapter 8: The Print Server Role
    Chapter 9: The Web Server Role
    Chapter 10: The IAS Server Role
    Chapter 11: The Certificate Services Server Role
    Chapter 12: The Bastion Hosts Role
    Chapter 13: Conclusion
    Appendix A: Security Tools and Formats
    Appendix B: Key Settings to Consider
    Appendix C: Security Template Setting Summary
    Appendix D: Testing the Windows Server 2003 Security Guide
    Tools and Templates
  Skills and Readiness
  Software Requirements
  Style Conventions
  Summary
    More Information

Chapter 2: Windows Server 2003 Hardening Mechanisms
  Overview
  Hardening with the Security Configuration Wizard
    Creating and Testing Policies
    Deploying Policies
      Apply the Policy with the SCW GUI
      Apply the Policy with the Scwcmd Command-line Tool
      Convert the SCW Policy to a Group Policy Object
  Hardening Servers with Active Directory Group Policy
    Active Directory Boundaries
      Security Boundaries
      Administrative Boundaries
    Active Directory and Group Policy
      Delegating Administration and Applying Group Policy
      Administrative Groups
      Group Policy Application
      Time Configuration
      Security Template Management
      Successful GPO Application Events
      Server Role Organizational Units
    OU, GPO, and Group Design
  Process Overview
    Create the Active Directory Environment
    Configure Time Synchronization
    Configure the Domain Policy
    Create the Baseline Policies Manually Using SCW
    Test the Baseline Policies Using SCW
    Convert the Baseline Policies to GPOs
    Create the Role Policies Using SCW
    Test the Role Policies Using SCW
    Convert the Role Policies to GPOs
  Summary
    More Information

Chapter 3: The Domain Policy
  Overview
  Domain Policy
    Domain Policy Overview
  Account Policies
  Password Policy
    Password Policy Settings
      Enforce password history
      Maximum password age
      Minimum password age
      Minimum password length
      Password must meet complexity requirements
      Store password using reversible encryption
    How to Prevent Users from Changing a Password Except When Required
  Account Lockout Policy
    Account Lockout Policy Settings
      Account lockout duration
      Account lockout threshold
      Reset account lockout counter after
  Kerberos Policies
  Security Options
    Security Options Settings
      Microsoft network server: Disconnect clients when logon hours expire
      Network Access: Allow anonymous SID/NAME translation
      Network Security: Force Logoff when Logon Hours expire
  Summary
    More Information

Chapter 4: The Member Server Baseline Policy
  Overview
  Windows Server 2003 Baseline Policy
  Audit Policy
    Audit account logon events

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    242 Page