Windows Server 2003 has hit the streets. The question I hear most often is how to lock down this new network operating system. As always, security is most effective when designed into an infrastructure from the beginning. So, before you even think about installing the software onto hardware, take the time to design your network and include security as a key element of that design.
I agree that Windows Server 2003 has the potential to be more reliable in the realm of security than its predecessor. However, its track record has not been established. Thus, I would not place mission critical functions on Windows Server 2003 for at least a few more months. At this point, I'd deploy Windows Server 2003 in a test environment. If it passed the muster of your organization's security policy, then I'd consider deploying it as a member server in your existing domain. If you are eager to upgrade fully to Windows Server 2003, then I hope you are able to avoid the pitfalls many experience with new operating systems.
The point of this tip is to direct you to a great article by Roberta Bragg hosted by the Microsoft Certified Professional Magazine Online Web site entitled
Requires Free Membership to View
SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!
Michael S. Mimoso, Editorial Director
"Securing Windows 2003 the First Time". I highly recommend this article as a refresher for security professionals or as a clue-in for those new to the security arena.
Some of the excellent suggestions Roberta poses include:
- Maintain physical security over your computer at all times, including removing unnecessary drives (such as floppy and CD-ROM).
- Rename the system folder to something non-typical.
- Don't attempt to download updated setup files during initial installation.
- Select a computer name that does not imply the system's role.
- Disable Automatic Updates on domain controllers.
- Disable Remote Assistance and Remote Access on domain controllers and all non-remote access systems.
- Define strong passwords for built-in accounts.
I'd like to throw in a few items that Roberta didn't include:
- Always test updates (including service packs and hot fixes) before deploying on production systems.
- Most of the aspects of your organization's security policy for Windows 2000 Server can be applied directly to Windows Server 2003.
- Take the time to learn about all the new features of Windows Server 2003. The Microsoft Web site at www.microsoft.com/windows2003/ has many documents discussing the new features. Pay close attention to anything related to security and or remote or network access.
- Security is more than just software configuration. You must also keep physical issues and user training up to snuff.
- On a network, you will need more than just a new network operating systems to keep your environment secure. Don't overlook routers, firewalls, anti-virus, auditing tools, vulnerability scanners, network scanners/sniffers, etc.
About the author
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
For more information on this topic, visit these resources:
- Solution Center: Windows Server 2003 security solutions
- Web Security Tip: Web security benefits from Windows Server 2003
- Web Security Tip: The first security update for Windows Server 2003
This was first published in June 2003