The purpose of this guide is to provide you with a reference to security settings that provide countermeasures for specific threats against current versions of the Microsoft® Windows® operating systems. This guide is a companion for two other publications that are available from Microsoft:
Many of the countermeasures that are described in this guide are not intended for specific computer roles in the companion guides, or in some cases for any roles at all. These countermeasures help assure compatibility, usability, manageability, availability, or performance. Although often stated, it is nonetheless worth repeating that security and functionality are the opposite extremes of a continuum; the greater the level of security, the lower the level of functionality, and vice versa. There are exceptions, and some security countermeasures actually help to improve functionality, but for the most part this adage holds true. The chapter structure of this guide is similar to the way the major setting sections display in the user interface of the Group Policy Object Editor. Each chapter begins with a brief explanation of what is in the chapter, followed by a list of subsection headers, each of which corresponds to a setting or group of settings. (These settings are listed in the Microsoft Excel® workbook that is described later in this chapter.) Each subsection includes a brief explanation of what the countermeasure does, and includes the following three additional subsections:
For example, Chapter 2, "Domain Level Policies," begins with the following sections: Account Policies
This pattern is repeated throughout this guide. Settings that are closely related are presented in a single section. For example, in Chapter 5, "Security Options," four settings are all placed into the "Microsoft network client and server: Digitally sign communications (four related settings)" section. These settings include the following:
Although many Group Policy settings are documented in this guide, those that are intended to help organizations manage their environments are not documented. This guide only examines the settings and features in Microsoft Windows Server™ 2003 with SP1 and Windows XP with SP2 that can help organizations secure their enterprises against specific threats. Settings and features that were added subsequent to those Service Packs, or functionalities that may be added by software released after those Service Packs, are not discussed in this guide. Also, management features and those security features that are not configurable by administrators are not described in this guide. The information that is provided within this guide should help you and your organization understand the countermeasures that are available in current versions of the Windows operating system, but for prescriptive guidance about what settings to use for specific scenarios please refer to the two companion guides:
The Microsoft Excel workbook "Windows Default Security and Services Configuration" (included with this guide) documents the default settings. The first worksheet ("Windows Server 2003 Defaults") details all of the default Group Policy settings that are available in Windows Server 2003. This worksheet includes the following columns:
"Effective Default Setting" means the actual setting that is in effect on the system if no security settings have been changed. The effective setting on a system is determined by the Group Policy engine when it processes Group Policy during the computer's startup. The engine assigns setting precedence as described in the "Group Policy Application" section of Chapter 2, "Windows Server 2003 Hardening Mechanisms" in the Windows Server 2003 Security Guide. To make the spreadsheets easier to read, additional columns were inserted to illustrate the hierarchy of objects within the Group Policy Editor. Columns A through G represent one level each of the hierarchy. For example, Computer Configuration appears in column A, and Security Settings appears in column C. Column I was also inserted to make the spreadsheets easier to read. The second worksheet ("Windows Server 2003 System Services") lists all of the services that are available in Windows Server 2003. This worksheet includes the following columns:
The format of the additional worksheets ("Windows XP Defaults" and "Windows XP System Services") is similar to these two worksheets. They provide information about the security settings and services in Windows XP.
Chapter Summaries

Windows Server 2003 with SP1 and Windows XP with SP2 provide the most dependable versions of these operating systems to date, with improved security and privacy features. This guide consists of twelve chapters, and chapters 2 through 6 discuss the procedures that help create a secure environment. Each chapter builds on an end-to-end process that helps secure computers that run these operating systems.

Chapter 1: Introduction to Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP

This chapter includes an overview of the guide, descriptions of the intended audience, the problems that are discussed in the guide, and the overall intent of the guide.

Chapter 2: Domain Level Policies

This chapter discusses the Group Policy settings that are applied at the domain level: password policies, account lockout policies, and Kerberos authentication protocol policies. Collectively, these policies are referred to as Account policies.

Chapter 3: Audit Policy

This chapter discusses the use of Audit policies to monitor and enforce your security measures. It describes the various settings and provides examples of how audit information is modified when the settings are changed.

Chapter 4: User Rights

This chapter discusses the various logon rights and privileges that are provided by the Windows operating systems, and provides guidance about which accounts should be assigned these rights.

Chapter 5: Security Options

This chapter introduces the "Security Options" section of Group Policy and provides guidance about security settings for digital data signatures, Administrator and Guest account names, access to floppy disk and CD-ROM drives, driver installation behavior, and logon prompts.

Chapter 6: Event Log

This chapter provides guidance about how to configure the settings that relate to the various event logs on Windows Server 2003 and Windows XP computers.

Chapter 7: System Services

Windows XP and Windows Server 2003 include a variety of system services. Many of these services are configured to run by default, but others are not present unless you install specific components. This chapter lists the various services that come with the operating systems and provides specific recommendations about which ones to leave enabled and which ones can be safely disabled.

Chapter 8: Software Restriction Policies

This chapter provides a brief overview of the software restriction policy mechanism, which was introduced in Windows XP and Windows Server 2003. It provides links to additional resources about how to design and use software restriction policies.

Chapter 9: Windows XP and Windows Server 2003 Administrative Templates

This chapter lists the settings that are available through the Group Policy Administrative Templates. It does not examine every available setting, but focuses on those settings that relate to security.

Chapter 10: Additional Registry Entries

This chapter provides information about additional registry entries that are not listed in the Administrative Template file, but are present in the baseline security template. It provides instructions about how to modify the interface of the Security Configuration Editor to expose these entries in the user interface. It also provides additional registry entries that are available in Windows XP SP2 and Windows Server 2003 SP1.

Chapter 11: Additional Countermeasures

This chapter describes a number of additional security measures that may need to be applied to your computers. However, these countermeasures cannot be easily applied through Group Policy or other automated means. These countermeasures include securing accounts on member servers, NTFS settings, data and application segmentation, SNMP community name settings, disabling NetBIOS bindings, Terminal Services configuration, Dr. Watson, IPsec policies, and a pointer to more extensive guidance on the Windows Firewall.

Chapter 12: Conclusion

The final chapter reviews the important points of the guide in a brief overview of everything that was discussed in the previous chapters.

Tools and Templates

A collection of files is included with the downloadable version of this guide to help your organization to evaluate, test, and implement the recommended countermeasures. These files are collectively referred to as tools and templates. The files are included in a .msi file within the self-extracting WinZip archive that contains this guide, which is available on the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=15160. When you execute the .msi file, the following folder structure will be created in the location you specify: