Showing posts with label Windows Server 2003 Security. Show all posts

Tuesday, March 3, 2009

Windows Server 2003 Security Compliance Management Toolkit

The Windows Server 2003 Security Compliance Management Toolkit provides you with an end-to-end solution to help you plan, deploy, and monitor the security baselines of servers running Windows Server 2003 Service Pack 2 (SP2) in your environment.

This Solution Accelerator includes the Windows Server 2003 Security Guide and the GPOAccelerator tool to provide you with prescriptive information and automated tools to establish and deploy your security baseline. This toolkit also provides you with 6 DCM Packs to use with the desired configuration management (DCM) feature in Microsoft® System Center Configuration Manager 2007 SP1. Use this functionality to help you monitor the implementation of your security baseline for Windows Server 2003 SP2.

The Windows Server 2003 Security Compliance Management Toolkit is part of the Security Compliance Management Toolkit series.

The Windows Server 2003 Security Guide offers a choice of preconfigured security baselines for the following two different environments:

* Enterprise Client. This security baseline is best for most organizations in which functionality is evenly balanced with security.
* Specialized Security – Limited Functionality. This security baseline is best for organizations in which concern for security is so great that a significant loss of functionality is acceptable. For example, military and security agency organizations operate in this type of environment.

Included in the Download

The Windows Server 2003 Security Compliance Management Toolkit includes the following components:

* Security guide – The updated security guide for Windows Server 2003. The guidance provides you with best practices and information about automated tools to help you plan and deploy your security baseline.
* Attack Surface Reference workbook – A resource that lists the changes introduced as server roles are installed on computers running Windows Server 2003.
* Security Baseline Settings workbook – A resource that lists the prescribed settings for each of the preconfigured security baselines that the guide recommends.
* Security Baseline XML – An XML file that allows customers to consume the data defined in the Security Baseline Settings workbook.
* GPOAccelerator tool – A tool that you can use to create all the Group Policy objects (GPOs) you need to deploy your chosen security configuration.
* INF Files – INF files for Windows Server 2003.
* Baseline Compliance Management Overview – An overview that includes best practices about how to monitor security baselines for computers running Windows Server 2003.
* DCM Configuration Pack User Guide – A step-by-step prescriptive user guide about how to use the Configurations Packs in Configuration Manager 2007 SP1.
* DCM Configuration Packs – The toolkit includes 6 DCM Configuration Packs for you to use with the DCM feature in Configuration Manager 2007 SP1.

Download: Here

Thursday, February 12, 2009

Windows Server 2003 Security

Windows Server 2003 has some of the following features to help protect your corporate environment:

There is now forest trust that allows you to authenticate other companies in your WAN through Active Directory; this simplifies some security issues for security and network administrators.

Kerberos is now available through Windows Server 2003 to allow for better and more secure authentication.

Credential Manager allows secure storage for usernames and passwords as well as certificates. You can now delegate what services can access other resources on your network.

.NET password is now integrated with Active Directory, allowing SSO, or single sign-on.

With RBAC, or Remote Based Access Control, you can assign more efficient restrictions to manage access to information.

Systems administrators can disallow software to run with the Software Restriction Policy. In Windows 2003 you can audit system alerts and even set up audits of individual users!

Account Management logs IP addresses and even calls for Logon and Logoff events.

You can now log security events in real time and export them to a SQL database to analyze later.

PKI, or Public Key Infrastructure, is a system of digital certificates and CAs, or Certificate Authorities, to verify you are who you really say you are. This is great for ecommerce systems; think E-Bay. You want to know if you're really giving your credit card information to E-Bay or E-fake.

Windows Server 2003 now helps with Wireless 802.1x: you can enable PEAP, which is protected EAP, for authentication. I suggest using WPA in conjunction. The encryption protocol they use is called EFS. EFS uses AES-256, which is very strong encryption. There should be security in depth applied. Two-form authentication should be applied, such as biometrics and passwords. Take a look at RSA secure ID cards.

Source: http://www.anyarticles.com/Computers-and-Technology/Software/Windows-Server-2003-Security.html

Thursday, November 20, 2008

Security Improvements for Windows Server 2008

While fundamentally changing the design of the operating system, the Windows Server 2008 team has also included several features designed to eliminate security breaches and malware infestations, as well as capabilities meant to protect corporate data from leakage and interception. Let's take a look at some of the improvements.

Operating System File Protection

A new feature currently known as operating system file protection ensures the integrity of the boot process for your servers. Windows Server 2008 creates a validation key based on the kernel file in use, a specific hardware abstraction layer (HAL) for your system, and drivers that start at boot time. If, at any subsequent boot after this key is created, these files change, the operating system will know and halt the boot process so you can repair the problem.

Operating system file protection also extends to each binary image that resides on the disk drive. OS file protection in this mode consists of a filesystem filter driver that reads every page that is loaded into memory, checking its hashes, and validating any image that attempts to load itself into a protected process (processes that are often the most sensitive to elevation attacks). These hashes are stored in a specific system catalog, or in an X.509 certificate embedded within a secure file on the drive. If any of these tests result in failure, OS file protection will halt the process to keep your machine secure. This is active protection against problematic malware.

BitLocker

The need for drive encryption has been a popular topic in a lot of security channels lately, and in both Windows Vista and Windows Server 2008 Microsoft has risen to the call by developing a feature called BitLocker. BitLocker is designed especially for scenarios where a thief may gain physical access to a hard drive. Without encryption, the hacker could simply boot another operating system or run a hacking tool and access files, completely bypassing the NTFS filesystem permissions. The Encrypting File System in Windows 2000 Server and Windows Server 2003 went a step farther, actually scrambling bits on the drive, but the keys to decrypt the files weren't as protected as they should have been. With BitLocker, the keys are stored within either a Trusted Platform Module (TPM) chip on board your system, or a USB flash drive that you insert upon boot up.

BitLocker is certainly complete: when enabled, the feature encrypts the entire Windows volume including both user data and system files, the hibernation file, the page file, and temporary files. The boot process itself is also protected by BitLocker—the feature creates a hash based on the properties of individual boot files, so if one is modified and replaced by, for example, a Trojan file, BitLocker will catch the problem and prevent the boot. It's definitely a step up from the limitations of EFS, and a significant improvement to system security over unencrypted drives.

Device Installation Control

Another security problem plaguing businesses everywhere is the proliferation of the USB thumb drive. No matter how securely you set your permissions on your file servers, no matter how finely tuned your document destruction capabilities are, and no matter what sort of internal controls you have on "eyes-only" documentation, a user can simply pop a thumb drive into any open USB port and copy data over, completely bypassing your physical security. These drives often contain very sensitive information that ideally should never leave the corporate campus, but they're just as often found on keychains that are lost, inside computer bags left unattended in an airport lounge, or in some equally dangerous location. The problem is significant enough that some businesses have taken to disabling USB ports by pouring hot glue into the actual ports. Effective, certainly, but also messy.

In Windows Server 2008, an administrator will have the ability to block all new device installs, including USB thumb drives, external hard drives, and other new devices. You can simply deploy a machine and allow no new devices to be installed. You'll also be able to set exceptions based on device class or device ID—for example, to allow keyboards and mice to be added, but nothing else. Or, you can allow specific device IDs, in case you've approved a certain brand of product to be installed, but no others. This is all configurable via Group Policy, and these policies are set at the computer level.

Windows Firewall with Advanced Security

The Windows Firewall version included with Windows Server 2003 Service Pack 1 was exactly the same as that included in Windows XP Service Pack 2. Microsoft bundled that firewall with Service Pack 1 as a stopgap measure—deploy this firewall now, Microsoft said, so you will be protected, and we will work to improve the firewall in the next version of Windows.

The new Windows Firewall with Advanced Security combines firewall and IPsec management into one convenient MMC snap-in. The firewall engine itself has been rearchitected to reduce coordination overhead between filtering and IPsec. More rules functionality has been enabled, and you can specify explicit security requirements such as authentication and encryption very easily. Settings can be configured on a per-AD computer or user group basis. Outbound filtering has been enabled; there was nothing but internal filtering in the previous version of Windows Firewall. And finally, profile support has been improved as well—on a per-computer basis, there is now a profile for when a machine is connected to a domain, a profile for a private network connection, and a profile for a public network connection, such as a wireless hotspot. Policies can be imported and exported easily, making management of multiple computers' firewall configuration consistent and simple.

Network Access Protection

Viruses and malware are often stopped by software defenses before they can run within a user's session, but the ultimate protection would be if they never even got access to the network. In Windows Server 2008, Microsoft has created a platform whereby computers are examined against a baseline set by the administrator, and if a machine doesn't stack up in any way against that baseline, that system can be prevented from accessing the network—quarantined, as it were, from the healthy systems until the user is able to fix his broken machine. This functionality is called Network Access Protection.

NAP can be broken down into three key components:

* Health policy validation
* Health policy compliance
* Limited access

Source:computingtech.blogspot.com/2008/05/windows-server-2008-security.html

Wednesday, November 12, 2008

Understanding the Roles of Server 2003 Security Policies

Windows domains rely on policy-based security mechanisms, but Windows security policy deployment can be confusing to the uninitiated. What's the difference between the local security policy, domain security policy and domain controller security policies? When and how do you use each? How do you use site GPOs and OU GPOs for best security, and how do they all interact together? What security policy tools are included with the operating system and how is each used? This article will provide an overview of the roles of Server 2003 security policies and how to use them to secure your systems and network.

Policy-based Security: What does it Mean?

A security policy can be defined as a set of rules and practices that govern how an organization manages and protects its assets (which can include facilities, equipment, infrastructure or information). IT security focuses on the protection of:

  • Computer systems/software
  • Network connectivity
  • Sensitive or confidential information

Policy-based security, then, begins by defining the organization’s philosophy and priorities in regard to protection of the above. This is the management definition of “security policy.” Application of the rules and practices outlined in the policy statement is then accomplished via the technical definition of “security policy.”

In this context, a security policy is a template used to select and configure the various security mechanisms supported by the operating system or application. Modern Windows operating systems support many different types of security policies, which are configured through the Group Policy interface.

Server 2003 Security Policies

Security policies that can be configured through the Server 2003 GUI and command line tools include:

  • Account policy: allows you to define password requirements (length, complexity, maximum age, history), lockout parameters (number of permitted logon attempts, duration of lockout) and Kerberos key policies (how long the keys are valid).
  • Audit policy: allows you to set up security auditing and define which events will be logged (for example, failed/successful logon attempts, access to specific resources, etc.).
  • Cryptographic policy: allows you to control the algorithms used by TLS/SSL.
  • Domain policy: allows you to add and remove computers and create trusts between domains.
  • Firewall policy: allows you to set standard policies for Windows Firewall for all the computers within a domain or OU.
  • IPsec policy: allows you to configure the use of Internet Protocol Security (IPsec) to encrypt data in transit over the network.
  • EFS policy: allows you to define whether EFS can be used to encrypt files and folders on NTFS partitions.
  • Disk quota policy: allows you to enable/disable and define defaults for disk quotas, and specify what happens when a quota limit is reached.
  • PKI policy: allows you to define support for PKI policies regarding auto-enrollment for digital certificates issued by the Windows Server 2003 certification authority.
  • Smart card usage policy: allows you to require smart cards to be used for Windows logon to provide multi-factor authentication.
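
The account policy settings listed above can be checked offline against a chosen baseline. The following is an added example, not part of the original article or of any Microsoft tool: it reads the `[System Access]` section of a security template (the INF layout that `secedit /export /cfg` writes) and reports values outside a required range. The sample template is constructed and the thresholds in `REQUIRED` are hypothetical; take the real values from the baseline you deploy.

```python
import configparser

# Constructed sample in the layout that `secedit /export /cfg` writes.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 0
PasswordHistorySize = 24
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Hypothetical thresholds: key -> (lowest allowed, highest allowed).
# None means unbounded on that side.
REQUIRED = {
    "MinimumPasswordLength": (12, None),
    "PasswordComplexity": (1, 1),
    "PasswordHistorySize": (24, None),
    "MaximumPasswordAge": (1, 90),   # below 1 is treated here as "no expiry"
    "LockoutBadCount": (1, 50),      # 0 switches account lockout off
    "ClearTextPassword": (0, 0),     # reversible password storage must be off
}


def decode_inf(raw):
    """Decode template bytes; exported templates are often UTF-16 with a BOM."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def load_system_access(inf_text):
    """Return the numeric [System Access] settings as {key: int}."""
    parser = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False, allow_no_value=True)
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(inf_text)
    settings = {}
    if parser.has_section("System Access"):
        for key, value in parser.items("System Access"):
            try:
                settings[key] = int((value or "").strip().strip('"'))
            except ValueError:
                pass  # string settings such as NewAdministratorName
    return settings


def audit(settings, required=REQUIRED):
    """Return (key, value, reason) for every setting outside its range."""
    findings = []
    for key, (low, high) in required.items():
        value = settings.get(key)
        if value is None:
            findings.append((key, None, "not defined in template"))
        elif low is not None and value < low:
            findings.append((key, value, "below %d" % low))
        elif high is not None and value > high:
            findings.append((key, value, "above %d" % high))
    return findings


if __name__ == "__main__":
    for finding in audit(load_system_access(SAMPLE_INF)):
        print(finding)
```

A lockout threshold of 0 would pass a plain "at most 50 attempts" test, which is why each setting carries a lower bound as well as an upper one.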

Group Policy Objects

Security settings can be applied through Group Policy Objects (GPOs) at various levels of the Active Directory hierarchy. A GPO is essentially a collection of policy settings that affect users and computers, and which is associated with an Active Directory container object (site, domain, OU) or local computer. One GPO can be linked to multiple containers or multiple GPOs can be linked to a single container. Group policies are inherited by child objects and are applied from highest to lowest. Group policies are processed in the following order:

  • Local GPO (applies to the local computer only). This is accessed via the Local Security Policy interface described above.
  • Site GPO (applies to all users and computers in all domains in the site). These are accessed and edited through the Group Policy tab on the Properties sheet of a site, which you access by right clicking the site in the Active Directory Sites and Services administrative tool.
  • Domain GPO (applies to all users and computers in the domain). These are accessed via the Active Directory Users and Computers tool or the Group Policy Management console as described above.
  • OU GPO (applies to all users and computers in the OU, and in any OUs nested within the OU). These are accessed through the Group Policy tab on the Properties sheet of the OU, which you access by right clicking the OU in the Active Directory Users and Computers MMC.

As you can see, Group Policy applies to all the users and computers in the container to which the GPO is linked. It does not affect security groups, but you can filter Group Policy according to security groups by setting a group’s permissions on the GPO.

Group Policy information for all but local policies is stored in Group Policy containers and in the Group Policy template. The Group Policy container is an area in the Active Directory. The Group Policy templates are folders located in the \Policies folder within the SysVol folder on the domain controllers. Each template folder contains a file named Gpt.ini in its root, which stores information about the GPO. The domain in which each GPO (except those for local policies) is stored is the storage domain. A GPO can be linked to domains other than the one in which it’s stored.
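
The Gpt.ini file described above can be inventoried from a copy of the \Policies folder. This is an added example, not code from the original article: it walks each template folder, reads `Version` from the `[General]` section of Gpt.ini, and splits it into its user and computer counters (the user count sits in the high 16 bits and the computer count in the low 16 bits, a detail of the Gpt.ini format that the article does not spell out). The folder names and values in `build_sample` are constructed.

```python
import configparser
import os
import re
import tempfile

GUID_DIR = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def split_version(version):
    """Split the packed Version: user side in the high 16 bits,
    computer side in the low 16 bits."""
    return {"user": version >> 16, "computer": version & 0xFFFF}


def read_version(gpt_ini_path):
    """Return the integer Version from [General], or None if unusable."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    with open(gpt_ini_path, encoding="utf-8-sig", errors="replace") as fh:
        try:
            parser.read_file(fh)
        except configparser.Error:
            return None
    for section in parser.sections():
        if section.lower() == "general":
            value = parser.get(section, "version", fallback="").strip()
            return int(value) if value.isdigit() else None
    return None


def inventory(policies_dir):
    """Describe every folder under a copy of SYSVOL's Policies folder."""
    report = []
    for name in sorted(os.listdir(policies_dir)):
        folder = os.path.join(policies_dir, name)
        if not os.path.isdir(folder):
            continue
        entry = {"gpo": name, "status": "ok", "user": None, "computer": None}
        # Match the file name case-insensitively: a copy taken onto a
        # case-sensitive filesystem may hold GPT.INI, gpt.ini or Gpt.ini.
        ini = next((f for f in os.listdir(folder) if f.lower() == "gpt.ini"), None)
        if not GUID_DIR.match(name):
            entry["status"] = "not a GPO GUID folder"
        elif ini is None:
            entry["status"] = "Gpt.ini missing"
        else:
            version = read_version(os.path.join(folder, ini))
            if version is None:
                entry["status"] = "no usable Version"
            else:
                entry.update(split_version(version))
        report.append(entry)
    return report


def build_sample(root):
    """Create a constructed sample tree; GUIDs and values are made up."""
    samples = {
        "{11111111-1111-1111-1111-111111111111}": ("GPT.INI", "[General]\r\nVersion=65539\r\n"),
        "{22222222-2222-2222-2222-222222222222}": (None, None),
        "{33333333-3333-3333-3333-333333333333}": ("gpt.ini", "[General]\r\ndisplayName=x\r\n"),
        "scratch": ("notes.txt", "left behind"),
    }
    for folder, (fname, body) in samples.items():
        os.makedirs(os.path.join(root, folder))
        if fname:
            with open(os.path.join(root, folder, fname), "w", newline="") as fh:
                fh.write(body)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in inventory(build_sample(tmp)):
            print(row)
```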

Via:windowsecurity.com

Thursday, October 16, 2008

Securing Windows 2003 Server System

If your server is running Windows 2003 Server Edition, you need to make a few changes to help keep your server and client machines safe. This page is written with the assumption that you're a system administrator running an on-campus server; some of the following resources may not be available from off campus.

Essentials
  • Keep your system and software up to date:
      • This is one of the easiest, most effective things you can do to keep your computer secure. You can either update manually with Windows Update, or configure your systems to download updates automatically from the campus WSUS server, which provides critical Microsoft patches from an on-campus location. You can choose whether the WSUS server prompts you to confirm installations or whether patches are automatically installed.
  • Install antivirus software:
      • The vast majority of viruses are designed to affect Windows systems. The University of Illinois at Urbana-Champaign provides free site-licensed antivirus software that is configured to automatically update itself and protect your system.
      • If you are a campus system administrator, you can also use ePolicy Orchestrator to coordinate distributing antivirus updates from your server to the client machines that you supervise. More information about ePolicy Orchestrator is available from the CITES Security Services Archive and requires Bluestem authentication to identify yourself as a campus system or network administrator. The list is maintained through Contact Manager. If you need to be added to the list of people authorized for access to the archive, but aren't listed in Contact Manager, contact securitysupport@uiuc.edu.
  • Install anti-spyware software:
      • Many of the nuisance-level problems afflicting Windows computers are caused by spyware rather than viruses. Spyware can cause effects ranging from a noticeable slowing of your computer to pop-ups and hijacked web browsers; spyware can also be malicious, reporting personal information from credit cards to passwords to other unauthorized websites. Fortunately, the campus has site-licensed anti-spyware software for students, faculty, and staff. For more information, see the CITES Anti-spyware pages.
  • Install Service Pack 1 (SP1) and the Security Configuration Wizard (SCW):
      • Microsoft's Service Pack 1 offers several security enhancements and tools for Windows 2003 Server administrators. The two most significant enhancements are the inclusion of a server firewall and the Security Configuration Wizard (which must be installed after Service Pack 1). To install SCW after installing Service Pack 1, go to Add or Remove Programs -> Add/Remove Windows Components and select the Security Configuration Wizard check box. After this, the Security Configuration Wizard will be available in the Administrative Tools section of the Control Panel.
      • The Security Configuration Wizard provides a centralized way to check your server's security, to make changes as required (including managing the firewall), and to roll back changes if anything doesn't behave as expected. The graphical user interface allows you to administer one server, and a command line option (scw.exe) allows you to create group policy objects which can be used on many computers.
  • Use "Manage Your Server" to enable only the services you need:
      • Windows 2003 Server introduces a more secure method of controlling access to your server. By default, all of the potential server services are turned off until you enable them. The "Manage Your Server" tool, found in Programs -> Administrative Tools, provides a central location to track which services are enabled. It provides roles for your server -- for example, a DNS server role, a web server role, an email server role -- and allows you to decide how many of these roles are enabled.
  • Use both campus firewall and server firewall protection:
      • A properly configured server firewall can be very effective in reducing the amount of network traffic that is allowed to reach your server and systems connected to it. With the release of Windows Server 2003's Service Pack 1 (described above), you can enable and administer a firewall on your server with a few clicks. You can also take advantage of campus firewall protection by joining your server to one of the available firewall groups; see Campus Firewalls for more information.
  • Choose a good password:
      • Any computer that will have multiple users or be attached to a network needs to have good password protection for each user. Password tips and advice can be found in the CITES Guide to Passwords.
      • In many versions of Windows, a user name can have a blank password, which allows anyone to log in to the computer simply by clicking. Make sure that all user accounts on the machine have passwords to protect access to your computer.

Source:cites.illinois.edu/security/by_os/win2k3srv.html