Five ways to harden Windows Server

Windows Server 2003 can be made impressively secure if you shut down certain services, ports and accounts.

Hackers often gain access to servers through unused (not configured or secured) ports and services, such as Internet Information Services (IIS). To limit entry points, server hardening includes blocking unused ports and protocols as well as disabling services that are not required. Microsoft's latest release of Windows Server 2008 may be on the streets, but the majority of organizations will still rely on Server 2003 for as long as Microsoft supports it. While Server 2003 may not be the latest and greatest, you can ensure a better security posture by taking some easy--but essential--steps to harden your system.

1. Think security from the very start

Building a hardened server means implementing secure procedures from the initial installation. New machines should be installed on an isolated network, well protected from possible hostile traffic until the operating system is hardened.

During the first few steps of the setup, you will be asked to choose between FAT (file allocation table) or NTFS (new technology file system). Choose NTFS for all volumes. FAT is the original file system Microsoft designed for early operating systems. NTFS was introduced with Windows NT and provides a number of security features FAT does not, including access control lists (ACLs) and file system journaling, which logs changes before committing them to the main file system. Next, apply the latest Service Pack (SP2) and any available hotfixes. While many of the patches in the Service Pack are relatively old, they cover a number of known vulnerabilities that can be exploited in threats, such as denial-of-service attacks, remote code execution and cross-site scripting.

2. Configure your security policy

Now you're ready to get down to serious work. The easiest way to harden Windows Server 2003 is to utilize the Server Configuration Wizard (SCW), which can take you through the creation of a security policy based upon that particular server's role on the network (see Figure 1, below).

The SCW is different from the Configure Your Server Wizard. SCW does not install server components, but detects ports and services, and configures registry and audit settings. The SCW isn't installed by default, so you must add it through the Control Panel's Add/Remove Programs applet. Choose the Add/ Remove Windows Components button and select the Security Configuration Wizard. Once installed, the SCW will be accessible from the Administrative Tools.

FIGURE 1: The Server Configuration Wizard allows you to set roles, client features, services and ports, and administration options. Selecting these options enables the appropriate ports and services.

The security policies created through SCW are XML files that configure services, network security, specific registry values, audit policy and, if applicable, IIS. Through the configuration interface, new security policies can be created, and existing policies can be edited or applied to other servers on the network. In the event a new policy creates conflict or instability, it can be rolled back.

SCW covers all the bases of Server 2003 security. The wizard begins with the Security Configuration Database, which contains information about all the roles, client features, administration options, services and ports. There is also an extensive knowledge base for applications. This means that when an application is required by a selected server role--client features such as automatic updates or administrative processes like backups--the Windows Firewall will open the requisite ports. When the application is closed, the ports will be automatically blocked.

Security settings for network and registry protocols as well as Server Message Block (SMB) security signatures increase protection for critical server features. Outbound Authentication settings determine the level of authentication required in order to connect with external resources.

The final steps of the SCW cover the auditing policy (see Figure 2, above). By default, Server 2003 only audits successful activities, but for a hardened system, both successful and failed activities should be audited and logged. Once the wizard is completed, the security policy can be stored as an XML file that can be immediately applied to the server, saved for later use or applied to other servers. Need to backtrack on servers that weren't hardened on installation? SCW can be installed and run on existing servers as well.

FIGURE 2: The Server Configuration Wizard is also where you set audit policy. Both successful and failed activities should be audited and logged.

3. Disable or delete unnecessary accounts, ports and services

During installation, three local user accounts are automatically created--Administrator, Guest and Help-Assistant, which is installed with a Remote Assistance session. The Administrator account holds the keys to the kingdom. It can assign user rights and access control. Although this master account cannot be deleted, it should be disabled or renamed to make it more difficult for hackers to gain access. Instead, you should assign administrative rights to an individual user or a group object. This makes it much harder for a hacker to figure out which user has administrative rights. This is also critical to auditing processes. Imagine an IT department in which anyone can log on to the server using a single administrative account and password. Major security problem. It's best to just not use the Administrator account at all.

Similarly, the Guest and HelpAssistant accounts provide an easy target to those who know their way around Server 2003. Disable them through the Control Panel under the Administrative Tools menu with the Computer Management option. Right-click the user account you want to change, then click Properties. Be certain these accounts are disabled on the network, as well as locally.

Open ports are high-risk areas, There are 65,535 available ports and your server doesn't need all of them. A firewall, included with SP1, allows administrators to disable unnecessary TCP and UDP ports. Ports are divided into three distinct ranges: well-known ports (0-1023), registered ports (1024-49151) and dynamic/private ports (49152-65535). The known ports are the critical ones required for OS function. The registered ports are those able to be used by only that service or application. The rest are the Wild West.

By obtaining a list of ports and their associated services and applications, administrators can determine which ones are required for critical functions. For instance, to prevent any telnet or FTP traffic, the known ports associated with these applications can be blocked. Similarly, known software and malware have known associated ports, all that can be blocked to create a more secure server posture. Best practice is to close all ports not in use. Using the free Nmap tool ( or is a great way to determine which ports are open, listening and blocked on a machine. SCW closes all ports by default and then opens them as the security policy is set.

You can obtain information about which ports do what online (e.g., at

FIGURE 3: Unneeded services--Telnet in this example--can be disabled through the Control Panel's Administrative Tools menu.

The most effective way to harden a server is to not install any applications that are not relevant to its operations and to turn off unneeded services. While having an email client or productivity tools on a server might be convenient for administrators, they should not be installed if they do not directly relate to the server's functionality. More than 100 services can be disabled in Windows Server 2003. For example, DHCP services are included in the base installation. However, if you are not going to utilize the system as a DHCP server, disabling tcpsvcs.exe will prevent the service from initializing and functioning. Keep in mind, though, that not all services can be disabled. For example, although the Remote Procedure Call (RPC) service was exploited by the Blaster worm, it cannot be disabled since it allows other system processes to communicate internally and across the network. To shut down unneeded services, access the Services interface through the Control Panel's Admin- istrative Tools menu. Double-click on the service to open the Properties dialog box and choose Disabled in the Startup Type box (see Figure 3, above).

4. Set up appropriate access control to the physical machine and logical components

From the moment you hit the power button until the operating system starts and all services are active, there's still wiggle room for nefarious activity. Regard-less of the operating system, a well-hardened machine starts with password protected BIOS/firmware. Also at the BIOS level, the device boot order should be set up to prevent unauthorized booting from alternative media.

Do this by accessing the BIOS setup by pressing the F2 key immediately after powering on the computer. Alt-P moves you through the settings pages for the BIOS. Under the Boot Order page, set the first option to Internal HDD. On the System Security page, there are options for Primary, Administrative and Hard disk passwords.

Similarly, autorun capabilities for external media, including CD-ROM, DVD and USB drives, should be disabled. Set the Autorun value to 0 in the registry under HKEY_LOCAL_MACHINESYSTEMCurrent ControlSetServicesCdrom (or other device names). Autorun could automatically launch applications for malicious intent on portable media. It's an easy way to install a Trojan, backdoor, keylogger, listener, etc. (see Figure 4, below).

The next line of defense is how users log on to the system. Although alternative technologies for authentication, such as biometrics, tokens, smart cards and single-use passwords, are options for securing a Win-dows Server 2003, most administrators log on to their server, either locally or remotely, by using a combination of their user name and a password. All too often, that's the default password, and that's begging for trouble (and please, don't substitute the default choice of old with @55w0rd!).

This should go without saying, but if you are relying on passwords, use a strong policy: minimum of eight characters, including a combination of capital letters, numbers and non-alphanumeric characters, enforced changes at regular intervals and not using the same password within a certain time period.

A strong password policy, plus multifactor authentication, is only the start. Thanks to the ACLs provided by the NTFS, each user can be assigned varying degrees of rights to multiple aspects of a server. Appropriate settings for access control on file and print share permissions should be configured based upon groups instead of "Everyone." This can be done on the server or through Active Directory.

Equally important is ensuring that only properly authenticated users have permission to access and edit the registry. The bottom line is to limit user access only to those services and applications required.

5. You're never finished

Protecting your critical servers is a continuing process. Don't assume the job is complete once you've made a server as tough a nut to crack as possible.

Follow these practices to make sure all your good work wasn't for naught:

  • Institute a strong audit and logging policy. Protection from unwanted or unintended actions on a server is the primary goal of hardening, but to ensure the actions taken are up to task, set up comprehensive event logs and a strong audit policy.

    With the advent of regulatory compliance, a strong audit policy should be part of a hardened Windows Server 2003. Successful and failed account login and management attempts, along with privilege use and policy change, should be initialised.

    Windows Server 2003 creates the following types of logs: application, security, directory service, File Replication Service and DNS server. These can all be monitored through the Event Viewer, which also provides extensive information about the hardware, software, and system problems. Within each log entry, the Event Viewer displays five types of events: error, warning, information, success audit and failure audit.

  • Create a baseline backup. After you've taken the initiative and time to harden your Windows Server 2003, the final step is to create a Level 0/full backup of the machine and the System State. Plan on storing this backup for the life of the server as a forensic baseline to refer to when a security incident occurs. Be certain to maintain baseline backups of your server after major software upgrades and operating system updates as well.

  • Keep an eye on accounts. Managing accounts for server security is an ongoing process. User accounts should be regularly reviewed and any non-active, duplicate, shared, general or test accounts should be deleted.

  • Keep patches up-to-date. Hardening is a continuing process that doesn't end with SP2. To keep abreast, enable Automatic Updates through the System menu in the Control Panel. In the Automatic Updates tab, choose Automatically download the updates, and set the server to install them on a schedule that won't interfere with server functions, as most critical updates require the server to be restarted.

This story first appeared in Information Security magazine.

Read more on Security policy and user awareness