Published: December 31, 2003 | Updated: April 26, 2006
The Windows Server 2003 Security Guide provides specific recommendations
about how to harden computers that run Microsoft® Windows Server™ 2003 with Service
Pack 1 (SP1) in three distinct enterprise environments—one in which older operating
systems such as Windows NT® 4.0 and Windows® 98 must be supported, one in which
Windows 2000 is the earliest version of the Windows operating system in use, and
one in which concern about security is so great that significant loss of client
functionality and manageability is considered an acceptable tradeoff to achieve
maximum security. These three environments are respectively referred to as the Legacy
Client (LC), Enterprise Client (EC), and Specialized Security – Limited Functionality
(SSLF) environments throughout this guide.
Guidance about how to harden computers in these three environments is provided for
a group of distinct server roles. The countermeasures that are described and the
tools that are provided assume that each server will have a single role. If you
need to combine roles for some of the servers in your environment, you can customize
the security templates that are included in the downloadable version of the guide
to create the appropriate combination of services and security options. The server
roles that are referenced in this guide include the following:
- Domain controllers that also provide DNS services
- Infrastructure servers that provide WINS and DHCP services
- File servers
- Print servers
- Web servers that run Microsoft Internet Information Services (IIS)
- Internet Authentication Services (IAS) servers
- Certificate Services servers
- Bastion hosts
Significant efforts were made to make this guidance well organized and easily accessible
so that you can quickly find the information that you need and determine which settings
are suitable for the computers in your organization. Although this guide is intended
for enterprise customers, much of the information that it contains is appropriate
for organizations of any size.
To gain the most benefit from this material, you will need to read the entire guide.
You may also want to refer to the companion guide,
Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows
XP, which is available at http://go.microsoft.com/fwlink/?LinkId=15159.
This guide comprises thirteen chapters and four appendices.

Chapter 1: Introduction to the Windows Server 2003 Security Guide
This chapter provides an executive overview of the Windows Server 2003 Security Guide
and includes a brief overview of each chapter. It also describes the Legacy Client,
Enterprise Client, and Specialized Security – Limited Functionality environments
and the computers that run in them.

Chapter 2: Windows Server 2003 Hardening Mechanisms
This chapter provides an overview of the main mechanisms that are used to harden
Windows Server 2003 with SP1 in this guide—the Security Configuration Wizard (SCW)
and Active Directory Group Policy. It explains how SCW provides an interactive framework
to create, manage, and test security policies for Windows Server 2003–based computers
that serve in different server roles. It also evaluates the capabilities of SCW
within the context of the three environments that are described in Chapter 1.
The next part of this chapter provides high-level descriptions of Active Directory
design, organizational unit (OU) design, Group Policy objects (GPOs), administrative
group design, and domain policy. These topics are discussed in the context of the
three environments that are described in Chapter 1 to provide a vision of an ideal
secure end-state environment.
This chapter concludes with a detailed examination of how this guide combines the
best features of SCW and traditional GPO-based approaches to harden Windows Server
2003 with SP1.

Chapter 3: The Domain Policy
This chapter explains security template settings and additional countermeasures
for the domain-level policies in the three environments that are described in Chapter
1. This chapter does not focus on any specific server role, but on the specific
policies and settings that are useful for top-level domain policies.

Chapter 4: The Member Server Baseline Policy
This chapter focuses on how to establish a Member Server Baseline Policy (MSBP)
for the server roles that are discussed later in the guide.

Chapter 5: The Domain Controller Baseline Policy
The domain controller server role is one of the most important roles to secure in
any Active Directory environment with computers that run Windows Server 2003 with
SP1. Any loss or compromise of a domain controller could seriously affect client
computers, servers, and applications that rely on domain controllers for authentication,
Group Policy, and a central lightweight directory access protocol (LDAP) directory.
In the three environments that are defined in the guide, the domain controllers
also provide DNS services.

Chapter 6: The Infrastructure Server Role
In this chapter, the infrastructure server role is one that provides DHCP or WINS
services. Details are provided about how the Windows Server 2003 with SP1 infrastructure
servers in your environment can benefit from security settings that are not applied
by the Member Server Baseline Policy (MSBP).

Chapter 7: The File Server Role
This chapter focuses on how to harden computers that function as file servers and
why it is a challenge to harden such servers. The most essential services that file
servers provide require Windows NetBIOS-related protocols and the Server Message
Block (SMB) and Common Internet File System (CIFS) protocols. The SMB and CIFS protocols
are typically used to provide access for authenticated users, but when improperly
secured they can also disclose rich information to unauthenticated users or attackers.
Because of this threat, these protocols are often disabled in high-security environments.
This chapter describes how file servers that run Windows Server 2003 with SP1 can
benefit from security settings that are not applied by the MSBP.

Chapter 8: The Print Server Role
This chapter focuses on print servers. As with file servers, the most essential services
that print servers provide require Windows NetBIOS–related protocols and the SMB
and CIFS protocols. As stated earlier, the SMB and CIFS protocols are often disabled
in high-security environments. This chapter describes how Windows Server 2003 with
SP1 print server security settings can be strengthened in ways that are not applied
by the MSBP.

Chapter 9: The Web Server Role
This chapter describes how comprehensive security for Web sites and applications
requires an entire IIS server (including each Web site and application that runs
on the IIS server) to be protected from client computers in its environment. Web
sites and applications must also be protected from other Web sites and applications
that run on the same IIS server. Practices to ensure that these measures are achieved
by the IIS servers that run Windows Server 2003 with SP1 in your environment are
described in this chapter.

Chapter 10: The IAS Server Role
Internet Authentication Servers (IAS) provide Remote Authentication Dial-In User
Services (RADIUS), a standards-based authentication protocol that is designed to
verify the identity of clients who access networks remotely. This chapter describes
ways in which IAS servers that run Windows Server 2003 with SP1 can benefit from
security settings that are not applied by the MSBP.

Chapter 11: The Certificate Services Server Role
Certificate Services provide the cryptographic and certificate management services
that are needed to build a public key infrastructure (PKI) in your server environment.
This chapter describes ways in which Certificate Services servers that run Windows
Server 2003 with SP1 will benefit from security settings that are not applied by
the MSBP.

Chapter 12: The Bastion Host Role
Bastion host servers are accessible to client computers from the Internet. This
chapter explains how these publicly exposed systems are susceptible to attack
from a large number of users who can remain completely anonymous if they wish. Because
many organizations do not extend their domain infrastructure to the Internet, this
chapter focuses on how to harden stand-alone computers that run Windows Server 2003
with SP1 but do not belong to an Active Directory–based domain.

Chapter 13: Conclusion
The concluding chapter of this guide briefly summarizes the material that was presented
in the previous chapters.

Appendix A: Security Tools and Formats
Although the Windows Server 2003 Security Guide focuses on how to use the
SCW to create policies which are then converted to security templates and Group
Policy objects, there are a variety of other tools and data formats that can be
used to augment or replace this methodology. This appendix provides a short list
of these tools and formats.

Appendix B: Key Settings to Consider
The Windows Server 2003 Security Guide discusses many security countermeasures
and security settings, but it is important to understand that a small number of them
are particularly important. This appendix discusses the settings that will have
the greatest impact on the security of computers that run Windows Server 2003 with
SP1.

Appendix C: Security Template Setting Summary
This appendix introduces the Microsoft Excel® spreadsheet "Windows Server 2003 Security
Guide Settings," which is included with the tools and templates in the
downloadable version of the guide at
http://go.microsoft.com/fwlink/?LinkId=14846. This spreadsheet provides
a comprehensive master reference in a compact, usable form of all of the recommended
settings for the three environments that are defined in the guide.

Appendix D: Testing the Windows Server 2003 Security Guide
The Windows Server 2003 Security Guide provides a significant amount of information
about how to harden servers that run Windows Server 2003 with SP1, but the reader
is constantly cautioned to test and validate all settings before implementing
any of them in a production environment.
This appendix provides guidance about how to create a suitable test lab environment
that can be used to help ensure successful implementation of the recommended settings
in a production environment. It helps users to perform necessary validation and
minimizes the amount of resources that are needed to do so.

Tools and Templates
A collection of security templates, scripts, and additional tools is included with
the downloadable version of this guide to make it easier for your organization to
evaluate, test, and implement the recommended countermeasures. The security templates
are text files that can be imported into domain-based Group Policies or applied
locally with the Microsoft Management Console (MMC) Security Configuration and Analysis
snap-in. These procedures are detailed in Chapter 2, "Windows Server 2003 Hardening
Mechanisms." The scripts that are included with this guide create and link Group
Policy objects, and test scripts are provided to verify the recommended countermeasures.
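The security templates described above are plain-text .inf files made up of sections such as [System Access], [Registry Values] and [Privilege Rights], which is what makes them easy to diff against a baseline before they are imported into a GPO. The following Python script is an added illustration, not one of the guide's own tools: it parses two templates and reports every setting where a candidate template deviates from a baseline, the same kind of comparison the Security Configuration and Analysis snap-in performs when it analyzes a computer against a template. Both template bodies, and the setting values in them, are constructed for this example; the registry type codes (1 = REG_SZ, 3 = REG_BINARY, 4 = REG_DWORD, 7 = REG_MULTI_SZ) are the encoding the [Registry Values] section uses.

```python
"""Compare a candidate Windows security template (.inf) against a baseline.

Added example; the templates below are constructed for illustration and are
not the templates shipped with the Windows Server 2003 Security Guide.
"""
from typing import Dict, List, Optional, Tuple

Template = Dict[str, Dict[str, str]]
Finding = Tuple[str, str, str, Optional[str]]  # section, setting, expected, actual

# Type codes used in [Registry Values] entries of the form  path=type,data
REG_TYPES = {"1": "REG_SZ", "3": "REG_BINARY", "4": "REG_DWORD", "7": "REG_MULTI_SZ"}

# Constructed baseline: what the organisation has decided every member server gets.
BASELINE_INF = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 50
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544
"""

# Constructed candidate: a template someone customised for a combined server role.
CANDIDATE_INF = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544
"""


def parse_template(text: str) -> Template:
    """Parse .inf template text into {section: {setting: value}}.

    Blank lines and ';' comments are skipped; a setting line outside any
    section, or without '=', is treated as malformed.
    """
    sections: Template = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed template line: {raw!r}")
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def decode_registry_value(encoded: str) -> Tuple[str, str]:
    """Split a [Registry Values] entry 'type,data' into (type name, data)."""
    reg_type, _, data = encoded.partition(",")
    return REG_TYPES.get(reg_type, f"type {reg_type}"), data


def compare_templates(
    baseline: Template,
    candidate: Template,
    sections: Tuple[str, ...] = ("System Access", "Registry Values", "Privilege Rights"),
) -> List[Finding]:
    """Return every baseline setting the candidate changes or omits.

    A setting missing from the candidate is reported with actual=None: when
    imported, it would leave that control at whatever the target already has.
    """
    findings: List[Finding] = []
    for section in sections:
        base = baseline.get(section, {})
        cand = candidate.get(section, {})
        for setting, expected in sorted(base.items()):
            actual = cand.get(setting)
            if actual != expected:
                findings.append((section, setting, expected, actual))
    return findings


if __name__ == "__main__":
    for section, setting, expected, actual in compare_templates(
        parse_template(BASELINE_INF), parse_template(CANDIDATE_INF)
    ):
        if section == "Registry Values" and actual is not None:
            expected = "%s %s" % decode_registry_value(expected)
            actual = "%s %s" % decode_registry_value(actual)
        print(f"[{section}] {setting}: baseline={expected!r} candidate={actual!r}")
```

Run as a script it prints one line per deviation; imported as a module, compare_templates returns the same findings as tuples so a test harness or a change-control script can fail the import when the list is non-empty.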
Related Resources
For additional information about the security settings prescribed in this guide,
see the companion guide, Threats
and Countermeasures: Security Settings in Windows Server 2003 and Windows XP
at http://go.microsoft.com/fwlink/?LinkId=15159 and the
Windows XP Security Guide at http://go.microsoft.com/fwlink/?LinkId=14839.
Read other security solutions from the Microsoft Solutions for Security and Compliance
(MSSC) team.

Give Us Your Feedback
The Microsoft Solutions for Security and Compliance (MSSC) team would appreciate
your thoughts about this and other security solutions.
Have an opinion? Let us know on the Security
Solutions Blog for the IT Professional.
Or e-mail your feedback to the following address:
SecWish@microsoft.com. We respond often to feedback that is sent to this
mailbox.
We look forward to hearing from you.

Consulting and Support Services
There are many services available to assist organizations in their security efforts.
Use the following links to help you find the services you need:
For Microsoft Gold Certified Partners, Microsoft Certified Technical Education Centers,
Microsoft Certified Partners, and products from independent software vendors (ISVs)
using Microsoft technologies, search the
Microsoft Resource Directory at http://go.microsoft.com/fwlink/?LinkId=43094.
To find consulting and support services appropriate for the needs of your organization,
visit Microsoft Services at
http://support.microsoft.com/msservices.