I have read this guide from cover to cover, and I can assure you, if you are serious about locking down Windows Server 2003, you will want to get your hands on this well down security guide. Although it is not highly granular, it will provide you with the most details released to date, on how to secure Windows Server 2003. The purpose of this article is to make you aware of its existence, cover its high points and contents and show you how to get it.
For a complete guide to security, check out 'Security+ Study Guide and DVD Training System' from Amazon.com
How to get the Security Guide
Well, like I said, it's free. You can't get it any better than that. Here is the download link:
Once you download it from the splash page, simple run the executable and install the guide on to your local disk drive. Now, you can access it via PDF format so make sure you have Adobe Acrobat installed. You can get a new version here:
Once you have it installed, you only need to open it up and either read it from there or print it out. It is roughly 300 pages (the core guide), but that is not all you get! I will list it out in the next section, but I think you will be highly surprised about the amount of items you get with this download. Lets take a look.
Windows Server 2003 Security Guide Contents
Now that you have it downloaded, you will be quite surprised about the amount of stuff you just downloaded for free. Basically, you have a 300-page guide on how to lock down and harden Windows Server 2003, its services and then you have a whole bunch of tools, templates and so on to get the work done. We will cover each grouping of items separately, but in a nutshell, know that you have basically everything you need here to lock down the basic Windows Server 2003 system, and any of the services you may install on it. The Windows Server 2003 Security Guide provides guidance to assist in hardening Domain Controllers, Infrastructure servers, File servers, Print servers, IIS servers, IAS servers, Certificate Services, and bastion hosts as well as others. The Windows Server 2003 Security Guide focuses on providing a set of easy to understand guidance, tools, and templates to help secure Windows Server 2003 in many environments. While the product is extremely secure from the default installation, there are a number of security options that can be further configured based on specific requirements. This guidance not only provides recommendations, but also the background information on the risk that the setting is used to mitigate as well as the impact to an environment when the option is configured. You will also see that this guide comes with 12 chapters full of detailed info. Lets look at the contents now. First off, the guide is in its first revision. The current guide is Windows Server 2003 Security Guide V1.0 and it was released April 24, 2003. Please check the readme.txt file if you are unsure what version you have, but since this is so new, you probably wont see a revision anytime soon unless there are any mistakes or issues found within it. The guide is very new and only about a month old from release. Folder contents of the Windows_Server_2003_Security_Guide.exe (from when you download and run the executable) are as follows:
Windows Server 2003 Security Guide.pdf
This is the main guide. Your hardening and security information will be here. This PDF is jam packed with great information that you cannot afford to miss out on if you are trying to deploy a secure Windows Server 2003 system. The chapters are as follows:
- Chapter 1: Introduction to the Windows Server 2003 Security Guide
- Chapter 2: Configuring the Domain Infrastructure
- Chapter 3: Creating a Member Server Baseline
- Chapter 4: Hardening Domain Controllers
- Chapter 5: Hardening Infrastructure Servers
- Chapter 6: Hardening File Servers
- Chapter 7: Hardening Print Servers
- Chapter 8: Hardening IIS Servers
- Chapter 9: Hardening IAS Servers
- Chapter 10: Hardening Certificate Services Servers
- Chapter 11: Hardening Bastion Hosts
- Chapter 12: Conclusion
These chapters are specific to what you want to do. For instance, if you want to lock down and secure a Domain Controller, you would look at chapter 4. This chapter will step you through that process quite easily. Be aware that most of what you will be doing is applying templates (also contained within the guide's contents) to do most of the work. The best chapter I thought was chapter 8 where you can focus on IIS. IIS needs to be secured as much as possible especially if it is publicly accessible over the Internet. Pay close attention to this chapter if that is the case. Also in the guide is testing, delivering and supporting portions of the guide - all of which provide specific information to you either help you understand the test environment that was used to create the guide (you can create the same test lab), or the support options you have available to you as well as the delivery portion where you will look at general information intended for business planners, information technology architects or project managers regarding the Microsoft recommended best practices for coordinating and implementing this or any solution. You can find all three of these guides displayed as follows:
- Testing the Windows Server 2003 Security Guide.pdf
- Delivering the Windows Server 2003 Security Guide.pdf
- Supporting the Windows Server 2003 Security Guide.pdf
Windows Server 2003 Security Guide Extras
Now that you are familiar with what the guide has to offer, lets look at some of the other added items you will receive. (Remember... all for nothing!). For one, you will receive sample packet filters and a traffic map. Sample Scripts and lockdown templates are also available for your use. You can find all of these within the folder created when you ran the Guides executable. One of the most important items I found in the package was the sample project plan. It is such an important part of the design and implementation phase of any network or systems project... you need a plan. Even when deploying security, you will need a plan; there is no way to get around it sometimes if you want things to move smoothly. Here you will find a few more documents within:
- Windows Server 2003 Security Guide Implementation Vision Scope.doc
- Windows Server 2003 Security Guide Implementation Functional Specification.doc
- Windows Server 2003 Security Guide Implementation.mpp
All of these can be great assets to deploying the solutions in this security guide, especially the sample project plan already incorporated in, all filled out and ready to go. You can see this in figure 1.
Figure 1: WBS for Deploying Windows Server 2003 Security
Other extras you can find are sample scripts, templates as well as other tools to help you implement secure solutions to your Windows systems. You have as seen in figure 2 (below), checklists you can follow that also map to the chapter you are working in within the security guide. In other words, in chapter 11 you cover the hardening of Bastion Host servers (Servers located on a DMZ segment that are publicly accessible), and as you see in the figure, the checklist corresponds to that same chapter. Its one big kit that helps you lock down and protect your systems.
Figure 2: Hardening Checklists Available
In sum, we haven't even skimmed the surface as to what this kit has to offer, but this is for you to explore. I just wanted to make sure that you all knew this was out there before you start dumping massive cash on books covering the same content... you have a huge guide here free of charge for you to use.