Security for Win2003 Servers

newcomer

Archived from groups: microsoft.public.win2000.security

Hi,

I am planning to set up two Win2003 Servers. One is a Proxy (in the DMZ zone), the
other is a Web/Appl Server. Both of the servers will not be set up as Domain
Controllers. Below is my query.

1. What security or policy template should I put on both servers? (e.g. IIS,
ISA)
2. How do I harden the OS?

I have come up with some policies as stated below but am not sure whether they are correct. I need
advice.

Proxy Server
High Security– Bastion Host.inf
ISA

Web/App Server
Legacy Client – MemberServer Baseline.inf
Enterprise Client – IISServer.inf

Best regards,
NewComer
 
Guest

It seems you have found the W2k3 hardening guide, which is good.
I do not understand your choices for the IIS box. It is in the DMZ,
so normally this means you would want to use as much of the bastion
guidance as possible. Even if it is a domain member, I do not understand
the choice of the legacy template. When MS placed an exposed IIS 6 on
the network for the open hack contest, they did very little beyond common
sense config to that W2k3 and then added IPsec in filter mode (allow no
traffic, except allow inbound tcp 80/443 - in your case also allow specific
port+ip as needed for time, dns, mgmt, app tier)

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
 

newcomer


My servers will not be set up as Domain or Domain Member, only as normal servers (can
I set them up this way?). To my understanding, the Proxy Server should be installed with
ISA in Win2K, but I do not know whether a Win2003 Server needs ISA installed or
whether bastion has replaced ISA server.

Proxy server
1. Does ISA need to be installed on the Win2003 Proxy server, or has Bastion replaced
ISA server? Or does the Proxy need both ISA and Bastion?

Web/App server
1. Will I need Legacy Client - MemberServer Baseline.inf if my web/app
server is not a Domain member or Domain controller, just a normal stand-alone
server?

Based on my setup, in your opinion, what security template or
policy would you use for each server as stated below? Please advise.


Proxy server
1.
2.
3.

Web/Appl Server
1.
2.
3.
 
Guest

Sorry I did not notice your reply sooner.
I think there is some confusion here.

Proxy Server is the prior product. ISA is the later product
that replaced Proxy. ISA includes proxy capabilities.
A product like this usually sits between the machines that
it screens and the open network. In other words, it would
ideally not be installed on the webserver itself.

The legacy template includes settings that are needed if
there are pre-Windows 2000 machines involved.
All of the templates are only guides from which one should
derive the settings that are appropriate to one's specific
situation, rather than taking one and applying it as is.
Also, the templates are not necessarily each self-complete.
That is, you may find that you want most of the settings of
a bastion host, but also need some settings not in that template
that are in another, such as for this special application server.

As a stand-alone machine, you should minimize the services,
etc., following the checklist and guidance for IIS that you can
find on the MS website under security or technet/security
(not sure where they are this month, likely technet/security).
From the hardening guide you will want to pay special attention
to the guidance for a bastion and for (an IIS) application server
and derive an amalgam that fits your environment.

If you are to use proxying such as with an ISA install, look at
having this on a separate machine. Also, it is well worth looking
at configuring IPsec on the IIS in a filtering mode so that it will
drop all inbound packets except Tcp 80 and 443 (note: you will
need to adjust this, for example, Tcp/Udp 53 for DNS, ports for
time server sync, for SMTP emailing, for your management access,
etc.).

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
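The IPsec filtering mode recommended in the reply above, written out with `netsh ipsec static` for Windows Server 2003. This is an added example, not part of the original thread or of Microsoft's hardening guide; every IP address is a constructed placeholder, and RDP on TCP 3389 for management access is an assumption.

```bat
@echo off
rem Added example: IPsec policy used purely as a packet filter on the IIS box.
rem All addresses are constructed placeholders (192.0.2.0/24); replace them.
set POLICY=Web Server Packet Filter
set DNS_SERVER=192.0.2.53
set TIME_SERVER=192.0.2.123
set SMTP_RELAY=192.0.2.25
set MGMT_HOST=192.0.2.10

netsh ipsec static add policy name="%POLICY%" description="Drop all, permit web and support traffic" assign=no

rem Two filter actions: no security negotiation, packets are passed or dropped.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

rem Least specific filter: everything to or from this host is dropped.
rem IPsec filters are stateless, so the mirrored filter also drops outbound.
netsh ipsec static add filterlist name="All Traffic"
netsh ipsec static add filter filterlist="All Traffic" srcaddr=any dstaddr=me protocol=ANY mirrored=yes description="Default drop"

rem Inbound web traffic from anyone; mirrored=yes lets the replies out.
netsh ipsec static add filterlist name="Inbound Web"
netsh ipsec static add filter filterlist="Inbound Web" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=80 mirrored=yes description="HTTP"
netsh ipsec static add filter filterlist="Inbound Web" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=443 mirrored=yes description="HTTPS"

rem Support traffic, each entry pinned to one peer address and one port.
netsh ipsec static add filterlist name="Support Traffic"
netsh ipsec static add filter filterlist="Support Traffic" srcaddr=me dstaddr=%DNS_SERVER% protocol=UDP srcport=0 dstport=53 mirrored=yes description="DNS over UDP"
netsh ipsec static add filter filterlist="Support Traffic" srcaddr=me dstaddr=%DNS_SERVER% protocol=TCP srcport=0 dstport=53 mirrored=yes description="DNS over TCP"
netsh ipsec static add filter filterlist="Support Traffic" srcaddr=me dstaddr=%TIME_SERVER% protocol=UDP srcport=0 dstport=123 mirrored=yes description="Time sync"
netsh ipsec static add filter filterlist="Support Traffic" srcaddr=me dstaddr=%SMTP_RELAY% protocol=TCP srcport=0 dstport=25 mirrored=yes description="Outbound SMTP"
netsh ipsec static add filter filterlist="Support Traffic" srcaddr=%MGMT_HOST% dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes description="Management (RDP assumed)"

rem The most specific matching filter wins, so the permits override the drop.
netsh ipsec static add rule name="Drop Everything Else" policy="%POLICY%" filterlist="All Traffic" filteraction="Block"
netsh ipsec static add rule name="Allow Web" policy="%POLICY%" filterlist="Inbound Web" filteraction="Permit"
netsh ipsec static add rule name="Allow Support" policy="%POLICY%" filterlist="Support Traffic" filteraction="Permit"

rem Assign last, after the rules have been reviewed.
netsh ipsec static set policy name="%POLICY%" assign=y
```

Run it from the server console rather than a remote session, because a wrong management address cuts off remote access as soon as the policy is assigned. Setting `assign=n` on the same `set policy` command unassigns it.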