# Security
This section outlines some of the steps you should take to secure a Windows 2000 Server that is running IIS 5.0 on the Internet. Note that this document does not take firewalls or proxy servers into consideration. It also assumes that the company has a security policy in place.
You will notice that this list is quite short, because most of the work is performed by the Security Configuration and Analysis snap-in, which applies the secure configuration templates referred to below.
| Server Name | | Manufacturer | |
|---|---|---|---|
| Asset # | | Location | |
| Setup Date | | Set up by | |
| Done | Step | Done | Step |
|---|---|---|---|
| | Read your corporate security policy. | | Configure hardware to meet the security policy. |
| | Read the IIS 5.0 Resource Guide "Security" section. | | Check http://www.microsoft.com/security. |
| | Apply the latest Service Pack and hot-fixes from ftp.microsoft.com. | | Format hard disk(s) to NTFS. |
| | Review appropriate Secure Configuration Template settings. | | Apply appropriate Secure Configuration Template settings. |
| | Turn off NTFS 8.3 name generation. | | Set appropriate NTFS DACLs. |
| | Set system start time to zero seconds. | | Set domain controller type to: _____. |
| | Remove OS/2 subsystem. | | Remove POSIX subsystem. |
| | Remove all net shares. | | Disable Guest account. |
| | Check user accounts, group membership, and privileges. | | Set a very strong password for the Admin account (at least nine characters). |
| | Unbind NetBIOS from TCP/IP. | | Disable IP routing. |
| | Install only the minimal Internet services required. | | Set appropriate authentication methods. |
| | Set appropriate virtual directory permissions and partition Web application space. | | Place executable content in an Execute (X)-only location. |
| | Set IP address/DNS address restrictions. | | Validate executable content for trustworthiness. |
| | Set up SSL if appropriate. | | Enable logging. |
| | Map client authentication certificates to Windows accounts if appropriate. | | Set Indexing Service to index only documentation. |
| | Lock down Microsoft Certificate Services ASP enrollment pages with DACLs. | | Disable or remove all sample applications. |
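The checklist above is a manual one; the audit script below is an added example (it is not part of the Resource Guide and is not Microsoft's code) that reads back the operating-system items on the list and reports PASS or FAIL for each without changing anything. It assumes a Windows host on which PowerShell and WMI are available (Windows 2000 itself shipped without PowerShell, so on a 2000 box the same registry values would be checked with regedit), that the registry locations are the ones Windows 2000 used for these settings, and that IIS 5.0 sample content was installed to its default paths under Inetpub, the Help directory and Common Files; the paths and the helper names `Add-Result` and `Get-RegValue` are assumptions of this example.

```powershell
# Added example: read-only audit of the OS-level items in the IIS 5.0 hardening checklist.
# Nothing here modifies the system; it only reads registry values, WMI classes and paths.
$results = @()

function Add-Result([string]$Item, [bool]$Pass, [string]$Detail) {
    $script:results += [pscustomobject]@{
        Item   = $Item
        Status = $(if ($Pass) { 'PASS' } else { 'FAIL' })
        Detail = $Detail
    }
}

# Returns the named registry value, or $null when the key or value is absent.
function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# "Turn off NTFS 8.3 name generation": NtfsDisable8dot3NameCreation = 1 disables it on all volumes.
$v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' 'NtfsDisable8dot3NameCreation'
Add-Result 'NTFS 8.3 name generation disabled' ($v -eq 1) "NtfsDisable8dot3NameCreation=$v"

# "Disable IP routing": IPEnableRouter must be 0 or absent.
$v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' 'IPEnableRouter'
Add-Result 'IP routing disabled' (-not $v) "IPEnableRouter=$v"

# "Remove OS/2 subsystem" / "Remove POSIX subsystem": removal deletes the Os2 and Posix
# values under Session Manager\SubSystems, so their absence is the pass condition.
$subsys = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
foreach ($name in 'Os2', 'Posix') {
    $v = Get-RegValue $subsys $name
    Add-Result "$name subsystem removed" ($null -eq $v) $(if ($v) { "value present: $v" } else { 'value absent' })
}

# "Disable Guest account": bit 0x2 (ADS_UF_ACCOUNTDISABLE) set in the account's UserFlags.
try {
    $guest = [ADSI]"WinNT://$env:COMPUTERNAME/Guest,user"
    $flags = [int]$guest.UserFlags.Value
    Add-Result 'Guest account disabled' (($flags -band 2) -ne 0) ('UserFlags=0x{0:X}' -f $flags)
} catch {
    Add-Result 'Guest account disabled' $false "could not read the Guest account: $_"
}

# "Remove all net shares": report shares other than the administrative ones
# (C$, ADMIN$, IPC$ carry the high type bit, i.e. Type >= 2147483648).
$shares = Get-WmiObject -Class Win32_Share | Where-Object { $_.Type -lt 2147483648 }
Add-Result 'No user-created net shares' (-not $shares) `
    (($shares | ForEach-Object { "$($_.Name)=$($_.Path)" }) -join '; ')

# "Unbind NetBIOS from TCP/IP": TcpipNetbiosOptions = 2 means disabled on that adapter.
$nics  = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
$nbtOn = $nics | Where-Object { $_.TcpipNetbiosOptions -ne 2 }
Add-Result 'NetBIOS disabled on all IP adapters' (-not $nbtOn) `
    (($nbtOn | ForEach-Object { "$($_.Description): option $($_.TcpipNetbiosOptions)" }) -join '; ')

# "Set system start time to zero seconds": Windows 2000 keeps the boot menu timeout in boot.ini.
$bootIni = Join-Path $env:SystemDrive 'boot.ini'
if (Test-Path $bootIni) {
    $m = Select-String -Path $bootIni -Pattern '^\s*timeout\s*=\s*(\d+)' | Select-Object -First 1
    $timeout = if ($m) { $m.Matches[0].Groups[1].Value } else { 'not set' }
    Add-Result 'Boot menu timeout is zero' ($timeout -eq '0') "timeout=$timeout"
}

# "Disable or remove all sample applications": default IIS 5.0 sample locations (assumed paths).
$samplePaths = @(
    (Join-Path $env:SystemDrive 'Inetpub\iissamples'),
    (Join-Path $env:SystemRoot  'Help\iisHelp'),
    (Join-Path ${env:CommonProgramFiles} 'System\msadc\Samples')
)
$present = $samplePaths | Where-Object { Test-Path $_ }
Add-Result 'IIS sample content removed' (-not $present) ($present -join '; ')

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { $_.Status -eq 'FAIL' }).Count
Write-Host "$failed checklist item(s) need attention."
exit $(if ($failed -gt 0) { 1 } else { 0 })
```

Run it from an elevated prompt so the registry and ADSI reads succeed; the non-zero exit code makes it usable as a scheduled drift check against the checklist, while the IIS-side items (authentication methods, virtual directory permissions, logging) still have to be verified in the Internet Services Manager.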
Regularly run a security scanner on your Web server, by using software from one of the companies listed at http://backoffice.microsoft.com/securitypartners/.
You should regularly update the Emergency Repair Disk (ERD) so that it reflects the current system configuration.
To update the ERD