Chapter 9: Windows Server Security Policy

 

Chapter Overview:
This chapter introduces a tier 3 Windows Server Security Policy that defines an organization’s Windows server security and minimum server standards. The implementation of a Windows Server Security Policy improves the security posture of a Windows server environment while satisfying regulatory mandates. Security is improved by implementing the policy’s minimum security standards, which are used by employees as a baseline security configuration for all Windows servers. A baseline security configuration can be audited for compliance and easily modified to meet evolving business and regulatory needs.
 
Windows operating system security is a critical element in securing Terminal Server, a Windows service that relies on the security of the underlying Windows operating system. Windows server and desktop operating systems have integrated operating system and networking functions. This architecture provides a wide variety of security configurations to secure both the operating system and networking functions. A properly secured Windows server operating system and integrated networking functions provide a secure foundation for Terminal Server.
 
Many organizations develop, test and support a single generic server build which becomes a baseline for all of their servers. This strategy, combined with a Windows Server Security Policy, provides a high level of assurance that all newly provisioned servers meet minimum security standards. As new servers are provisioned and their respective roles, such as Terminal Server, web server, mail server, and so forth, are configured, policy will govern the configuration and management of each individual server role.
 
The following example Windows Server Security Policy defines an organization’s Windows server security and minimum server standards. This policy is intended for informational purposes only.
 
Windows Server Security Policy
 
Purpose
The purpose of this policy is to define standards for the baseline configuration of <Company Name>’s Windows servers. Before any servers are placed on the production network, standard processes shall be executed to ensure that the servers are installed and maintained in a manner that prevents unauthorized access, unauthorized use and disruptions in service.
 
Scope
This policy is specifically for all Windows servers on the internal network and will be reviewed in conjunction with the other IT infrastructure policies.
 
Policy
 
General Guidelines
  • The operating system installation media will come from an approved source.
  • All production servers will be located in a secure facility.
  • Server role configurations are governed by the <Server Role Name> Security Baseline.
  • All servers deployed into production will be registered in the asset management system. The machine name, server role, operating system, IP address, physical location (building/room) and name of contact person will be included.
  • Before any server is put into production, a baseline will be taken in accordance with the Security Technical Implementation Guides (STIGS) WINDOWS 2003/XP/2000 ADDENDUM Version 5, Release 1, Section 2.1. The baseline will be attached to the server’s properties in the asset management system.
  • When a server is decommissioned, it must be properly sanitized in compliance with the Media Disposal Policy.
  • Any server identified as compromised will be subject to the practices of the IT Intrusion Response Plan.
  • Logon banners will be displayed before any user signs on to a server as described in Appendix C.
 
Windows Server Configuration Guidelines
  • The local administrator account will be renamed.
  • Guest Accounts will be disabled.
  • All unnecessary Windows services will be disabled.
  • All unnecessary network services will be disabled.
  • Screensaver password will be set.
  • Audit logging will be enabled via Group Policy.
  • Log properties will be configured in accordance with <Company Name>’s Log Configuration Standards.
  • Virus software will be installed and updated.
 
Patch Update Guidelines
  • All patches will be tested in the lab environment before they are deployed on production systems.
  • High-priority updates will be applied as needed in accordance with <Company Name>’s Change Management Policy.
  • Non-critical fixes will be applied on a quarterly basis in accordance with <Company Name>’s Change Management Policy.
 
File System Guidelines
  • All servers will be configured in accordance with the Security Technical Implementation Guides (STIGS) WINDOWS 2003/XP/2000 ADDENDUM Version 5, Release 1, Section 7.1 and Windows Server 2003 Checklist 5.1.6 Appendix A / A.3.
 
Review Guidelines
  • When a new server is deployed, a server deployment checklist will be completed and submitted to InfoSec for approval. The checklist will be entered into the asset management system. (Appendix A)
  • On a weekly basis, a baseline review will be performed on all production servers in accordance with the Security Technical Implementation Guides (STIGS) WINDOWS 2003/XP/2000 ADDENDUM Version 5, Release 1, Section 2.1. Any irregularities will be promptly submitted to InfoSec.
  • On a bi-annual basis, production server services will be audited, documented and reviewed by InfoSec. (Appendix B)
 

Appendix A

Server Deployment Checklist
 
This checklist will be completed and submitted to InfoSec when installing and configuring a new server.
 
After connecting to the network:

| Action | Notes | Status |
|---|---|---|
| Place the server in the applicable production OU. | | |
| Force Group Policy update by executing “gpupdate /force”. | | |
| Execute “gpresult” to validate that the server role GPO is applied. | | |
| Once the GPO is applied, execute “gpresult > <Server Name>gpresult.txt” and attach the file to the server’s properties in the asset management system. | | |
| Confirm that anti-virus software is enabled, configured, and updated. | | |
| Run an MBSA scan from the host to audit for compliance. | | |
| Run an Nmap scan against the host to audit for compliance. | | |


Appendix B
Server services audit.
 

| Service | Purpose | Installed | Disabled |
|---|---|---|---|
| Alerter | Alerter: Creates pop-up messages from the system when services fail to start (etc.). Requires Messenger service. | | |
| ClipBook Server | ClipBook Server: Serves up local ClipBook pages to other ClipBook Viewers. | | |
| Computer Browser | Computer Browser: Allows for viewing of other computers and resources on the network. | | |
| DHCP Client | DHCP Client: Will automatically contact the DHCP server (Port 67) to acquire the needed network configuration. | | |
| Directory Replicator | Directory Replicator: When configured, will replicate files and directories to other machines. | | |
| Messenger | Messenger: Used to send messages to users or machines and sends messages from the Alerter service. | | |
| Net Logon | Net Logon: Part of the security subsystem, enabling user authentication as well as keeping domain security in sync. | | |
| Network DDE | Network DDE: Transport for Dynamic Data Exchange traffic, used by standard Office applications when sharing data over a network. | | |
| Network DDE DSDM | Network DDE DSDM: DDE Share Database Manager, used by Network DDE service. | | |
| Plug and Play | Plug and Play | | |
| Remote Procedure Call (RPC) Locator | Remote Procedure Call Locator: Used by RPC applications to register availability of resources, and by clients to find compatible RPC server applications. | | |
| Server | Server: Used to provide file and print resources to the network. | | |
| SNMP Trap Service | SNMP Trap Service: Used by network administrators to monitor and to reach remote devices. | | |
| Spooler (unless you need to spool printing) | Spooler: Stores print jobs and queues them to be printed. | | |
| TCP/IP NetBIOS Helper | NetBIOS Helper: Passes normal TCP/IP connection requests to the sockets interface to allow NetBIOS resolution. | | |
| Telephony Service | Telephony Service: Enables a telephony card or phone system to understand commands from an application via the operating system. | | |
| Workstation (Required for Raptor Firewall) | Workstation: Manages connections to network resources such as drive mappings, printer connections, etc. | | |
| Event Log | Event Log: Responsible for creating entries in the Event logs. | | |
| NT LM Security Support Provider | NT LM Security Support: The LSA handles all authentications before a user is allowed to access a resource. | | |
| Remote Procedure Call (RPC) Service | Remote Procedure Call (RPC) Service: Name service provider that maintains a database with available RPC services on the server, where local RPC services can register themselves. A client can then contact the RPC locator on the server to locate and access the wanted RPC service. | | |
| Schedule | Schedule: Used to run applications or batch/command files at specific times, using the "at" command. | | |
| UPS | UPS: Generic uninterruptible power supply service, which shuts the machine down during a power failure. | | |
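
One way to fill in the Installed and Disabled columns of the Appendix B worksheet on a server, as an added example that is not part of the original policy. It assumes PowerShell 3.0 or later (for Get-CimInstance); the short service names and the CSV file name are assumptions to confirm against your own build.

```powershell
# Added example (not from the original chapter): Appendix B worksheet for the local server.
# Assumption: these short service names are the usual Windows 2000/2003-era
# names for the Appendix B entries; confirm them against your own server build.
$appendixB = [ordered]@{
    'Alerter'                             = 'Alerter'
    'ClipBook Server'                     = 'ClipSrv'
    'Computer Browser'                    = 'Browser'
    'DHCP Client'                         = 'Dhcp'
    'Directory Replicator'                = 'Replicator'
    'Messenger'                           = 'Messenger'
    'Net Logon'                           = 'Netlogon'
    'Network DDE'                         = 'NetDDE'
    'Network DDE DSDM'                    = 'NetDDEdsdm'
    'Plug and Play'                       = 'PlugPlay'
    'Remote Procedure Call (RPC) Locator' = 'RpcLocator'
    'Server'                              = 'LanmanServer'
    'SNMP Trap Service'                   = 'SNMPTRAP'
    'Spooler'                             = 'Spooler'
    'TCP/IP NetBIOS Helper'               = 'LmHosts'
    'Telephony Service'                   = 'TapiSrv'
    'Workstation'                         = 'LanmanWorkstation'
    'Event Log'                           = 'Eventlog'
    'NT LM Security Support Provider'     = 'NtLmSsp'
    'Remote Procedure Call (RPC) Service' = 'RpcSs'
    'Schedule'                            = 'Schedule'
    'UPS'                                 = 'UPS'
}
# Index installed services by name (PowerShell hashtable keys are case-insensitive).
$installed = @{}
Get-CimInstance -ClassName Win32_Service | ForEach-Object { $installed[$_.Name] = $_ }

$report = foreach ($entry in $appendixB.GetEnumerator()) {
    $svc = $installed[$entry.Value]
    [pscustomobject]@{
        Service   = $entry.Key
        Name      = $entry.Value
        Installed = [bool]$svc
        Disabled  = [bool]($svc -and $svc.StartMode -eq 'Disabled')
        State     = if ($svc) { $svc.State } else { 'not installed' }
    }
}
$report | Format-Table -AutoSize
# Keep a copy to attach to the audit record (file name is a placeholder).
$report | Export-Csv -Path ".\$($env:COMPUTERNAME)-services-audit.csv" -NoTypeInformation
# Rows for InfoSec review: installed and not disabled.
$report | Where-Object { $_.Installed -and -not $_.Disabled } | Select-Object Service, Name, State
```

Services that do not exist on the operating system version being audited appear as not installed; which of the remaining services count as unnecessary is decided by the server role baseline, not by the script.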
 
 

Appendix C.
Logon Message:
 
UNAUTHORIZED USE OF THIS SYSTEM IS PROHIBITED
NOTICE TO USERS
 
This computer is the private property of <Company Name>.   It is for authorized use only.
 
<Company Name> reserves the right to monitor its use as necessary to ensure its stability, availability and security. During monitoring, information may be examined, recorded, copied and used for authorized purposes. Use of this computer system constitutes consent to this policy and the policies and procedures set forth by <Company Name>. Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate.
 
*********************************************************
Policy Review
This policy will be reviewed bi-annually.
 
Compliance
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
 
Related Policies, Standards, and Guidelines
  • Security Technical Implementation Guides (STIGS) WINDOWS 2003/XP/2000 ADDENDUM Version 5, Release 1, Section 2.1.
  • Media Disposal Policy
  • Intrusion Response Plan
  • Change Management Policy
  • Log Configuration Standards
  • <Server Role Name> Baseline Configuration
 
 
This chapter reviewed a tier 3 Windows Server Security Policy. The example policy shows how organizations use the policy to define their Windows server security and minimum server standards. The policy defined General Guidelines, Windows Server Configuration Guidelines, Patch Update Guidelines, File System Guidelines, Review Guidelines and Appendixes that provide an authorized framework to provision Windows servers into a production environment.
 
  • Windows Server Security Policy defines an organization’s Windows server security and minimum server standards.
  • Windows server and desktop operating systems have integrated operating system and networking functions that provide a wide variety of security configurations to secure both the operating system and networking functions.
  • Many organizations develop, test and support a single, generic server build, which becomes a baseline for all of their servers.
  • As new servers are provisioned, policies govern the configuration and management of the server role.
 
The next chapter will review a Terminal Server Configuration Baseline.
 
Reference
Security Technical Implementation Guides (STIG) “Windows 2003/XP/2000 Addendum V5R1”