Security for Win2003 Servers

Archived from groups: microsoft.public.win2000.security

Hi,

I am planning to set up two Win2003 Servers. One Proxy (in DMZ zone), the
other is a Web/Appl Server. Neither of the Servers will be set up as a Domain
Controller. Below is my query.

1. What security or policy template should I put on both servers? (e.g. IIS,
ISA)
2. How do I harden the OS?

I have come up with some policies as stated below but am not sure whether they are correct. Need
advice.

Proxy Server
High Security – Bastion Host.inf
ISA

Web/App Server
Legacy Client – MemberServer Baseline.inf
Enterprise Client – IISServer.inf

Best regards,
NewComer
  1.

    It seems you have found the W2k3 hardening guide, which is good.
    I do not understand your choices for the IIS box. It is in the DMZ,
    so normally this means you would want to use as much of the bastion
    guidance as possible. Even if it is a domain member, I do not understand
    the choice of the legacy template. When MS placed an exposed IIS 6 on
    the network for the open hack contest, they did very little beyond common
    sense config to that W2k3 and then added IPsec in filter mode (allow no
    traffic, except allow inbound tcp 80/443 - in your case also allow specific
    port+ip as needed for time, dns, mgmt, app tier)

    --
    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCDBA, MCSE W2k3+W2k+Nt4
  2.

    My servers will not be set up as a Domain Controller or Domain Member, only as normal servers (Can
    I set them up this way?). To my understanding, the Proxy Server should be installed with
    ISA in Win2K, but I do not know whether Win2003 Server needs ISA installed or
    whether the bastion has replaced the ISA server.

    Proxy server
    1. Does ISA need to be installed on the win2003 Proxy server, or has Bastion replaced
    the ISA server? Or does the Proxy need both ISA and Bastion?

    Web/App server
    1. Will I need Legacy Client - MemberServer Baseline.inf if my web/app
    server is not a Domain member or Domain controller, just a normal stand-alone
    server?

    Based on my setup, in your opinion which security template or
    policy would you use for the servers as listed below? Please advise.


    Proxy server
    1.
    2.
    3.

    Web/Appl Server
    1.
    2.
    3.


  3.

    Sorry I did not notice your reply sooner.
    I think there is some confusion here.

    Proxy Server is the prior product. ISA is the later product
    that replaced Proxy. ISA includes proxy capabilities.
    A product like this usually sits between the machines that
    it screens and the open network. In other words, it would
    ideally not be installed on the webserver itself.

    The legacy template includes settings that are needed if
    there are pre-Windows 2000 machines involved.
    All of the templates are only guides from which one should
    derive the settings that are appropriate to one's specific
    situation, rather than taking one and applying it as is.
    Also, the templates are not necessarily each self-complete.
    That is, you may find that you want most of the settings of
    a bastion host, but also need some settings not in that template
    that are in another, such as for this special application server.

    As a stand-alone machine, you should minimize the services,
    etc., following the checklist and guidance for IIS that you can
    find on the MS website under security or technet/security
    (not sure where they are this month, likely technet/security).
    From the hardening guide you will want to pay special attention
    to the guidance for a bastion and for (an IIS) application server
    and derive an amalgam that fits your environment.

    If you are to use proxying such as with an ISA install, look at
    having this on a separate machine. Also, it is well worth looking
    at configuring IPsec on the IIS in a filtering mode so that it will
    drop all inbound packets except Tcp 80 and 443 (note: you will
    need to adjust this, for example, Tcp/Udp 53 for DNS, ports for
    time server sync, for SMTP emailing, for your management access,
    etc.).

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
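The IPsec "filter mode" that Roger recommends in the first and third replies (drop everything inbound except TCP 80/443, then add narrow exceptions for DNS, time and management) can be expressed as a static IPsec policy with the netsh ipsec static context on Windows Server 2003. This is an added illustration written for this thread, not code posted by anyone in it; the DNS, time-source and management-station addresses are placeholders you must replace with your own.

```batch
@echo off
rem Added example: IPsec "filter mode" policy for a stand-alone IIS host on
rem Windows Server 2003, built with the netsh ipsec static context.
rem Placeholder addresses (replace with your own): DNS server 10.0.0.53,
rem time source 10.0.0.123, management station 10.0.0.10.
rem IPsec applies the most specific matching filter, so the narrow "permit"
rem filters below take precedence over the catch-all "block" filter.

netsh ipsec static add policy name="IIS-Filter" description="Drop all inbound except web plus listed exceptions"

rem Filter actions: plain permit and plain block (no IPsec negotiation).
netsh ipsec static add filteraction name="FA-Permit" action=permit
netsh ipsec static add filteraction name="FA-Block" action=block

rem Catch-all: any protocol between this host and anyone, both directions.
netsh ipsec static add filterlist name="FL-All"
netsh ipsec static add filter filterlist="FL-All" srcaddr=any dstaddr=me protocol=any srcport=0 dstport=0 mirrored=yes

rem Inbound web traffic from anywhere; mirrored=yes also permits the replies.
netsh ipsec static add filterlist name="FL-Web"
netsh ipsec static add filter filterlist="FL-Web" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filter filterlist="FL-Web" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=443 mirrored=yes

rem Host-initiated exceptions pinned to specific peers: DNS (udp+tcp 53) and NTP.
netsh ipsec static add filterlist name="FL-Services"
netsh ipsec static add filter filterlist="FL-Services" srcaddr=me dstaddr=10.0.0.53 protocol=udp srcport=0 dstport=53 mirrored=yes
netsh ipsec static add filter filterlist="FL-Services" srcaddr=me dstaddr=10.0.0.53 protocol=tcp srcport=0 dstport=53 mirrored=yes
netsh ipsec static add filter filterlist="FL-Services" srcaddr=me dstaddr=10.0.0.123 protocol=udp srcport=0 dstport=123 mirrored=yes

rem Management access (Remote Desktop) only from the management station.
netsh ipsec static add filterlist name="FL-Mgmt"
netsh ipsec static add filter filterlist="FL-Mgmt" srcaddr=10.0.0.10 dstaddr=me protocol=tcp srcport=0 dstport=3389 mirrored=yes

rem Bind each filter list to its action inside the policy, then assign it.
netsh ipsec static add rule name="Block-All" policy="IIS-Filter" filterlist="FL-All" filteraction="FA-Block"
netsh ipsec static add rule name="Permit-Web" policy="IIS-Filter" filterlist="FL-Web" filteraction="FA-Permit"
netsh ipsec static add rule name="Permit-Services" policy="IIS-Filter" filterlist="FL-Services" filteraction="FA-Permit"
netsh ipsec static add rule name="Permit-Mgmt" policy="IIS-Filter" filterlist="FL-Mgmt" filteraction="FA-Permit"
netsh ipsec static set policy name="IIS-Filter" assign=y

rem Show the assigned policy with its rules and filters for review.
netsh ipsec static show policy name="IIS-Filter" level=verbose
```

Assign the policy from a console session the first time: once it is active, anything not listed (ICMP included) is dropped, and a mistyped management address cuts off remote administration.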