Securing Your Windows 2003 Server System
Overview
If your server is running Windows 2003 Server Edition, you need to make a few changes to help keep your server and client machines safe. This page is written with the assumption that you're a system administrator running an on-campus server; some of the following resources may not be available from off campus.
Essentials
- Keep your system and software up to date:
This is one of the easiest, most effective things you can do to keep your computer secure. You can either update manually with Windows Update, or configure your systems to download updates automatically from the campus WSUS server, which provides critical Microsoft patches from an on-campus location. You can choose whether the WSUS server prompts you to confirm installations or whether patches are automatically installed.
- Install antivirus software:
The vast majority of viruses are designed to affect Windows systems. The University of Illinois at Urbana-Champaign provides free site-licensed antivirus software that is configured to automatically update itself and protect your system.
If you are a campus system administrator, you can also use ePolicy Orchestrator to coordinate distributing antivirus updates from your server to the client machines that you supervise. More information about ePolicy Orchestrator is available from the CITES Security Services Archive and requires Bluestem authentication to identify yourself as a campus system or network administrator. The list is maintained through Contact Manager. If you need to be added to the list of people authorized for access to the archive, but aren't listed in Contact Manager, contact securitysupport@uiuc.edu.
- Install anti-spyware software:
Many of the nuisance-level problems afflicting Windows computers are caused by spyware rather than viruses. Spyware can cause effects ranging from a noticeable slowing of your computer to pop-ups and hijacked web browsers; spyware can also be malicious, reporting personal information, from credit cards to passwords, to unauthorized websites. Fortunately, the campus has site-licensed anti-spyware software for students, faculty, and staff. For more information, see the CITES Anti-spyware pages.
- Install Service Pack 1 (SP1) and the Security Configuration Wizard (SCW):
Microsoft's Service Pack 1 offers several security enhancements and tools for Windows 2003 Server administrators. The two most significant enhancements are the inclusion of a server firewall and the Security Configuration Wizard (which must be installed after Service Pack 1). To install SCW after installing Service Pack 1, go to Add or Remove Programs -> Add/Remove Windows Components and select the Security Configuration Wizard check box. After this, the Security Configuration Wizard will be available in the Administrative Tools section of the Control Panel.
The Security Configuration Wizard provides a centralized way to check your server's security, to make changes as required (including managing the firewall), and to roll back changes if anything doesn't behave as expected. The graphical user interface allows you to administer one server, and a command line option (scw.exe) allows you to create group policy objects which can be used on many computers.
- Use "Manage Your Server" to enable only the services you need:
Windows 2003 Server introduces a more secure method of controlling access to your server. By default, all of the potential server services are turned off until you enable them. The "Manage Your Server" tool, found in Programs -> Administrative Tools, provides a central location to track which services are enabled. It provides roles for your server -- for example, a DNS server role, a web server role, an email server role -- and allows you to decide how many of these roles are enabled.
- Use both campus firewall and server firewall protection:
A properly configured server firewall can be very effective in reducing the amount of network traffic that is allowed to reach your server and systems connected to it. With the release of Windows Server 2003's Service Pack 1 (described above), you can enable and administer a firewall on your server with a few clicks. You can also take advantage of campus firewall protection by joining your server to one of the available firewall groups; see Campus Firewalls for more information.
- Choose a good password:
Any computer that will have multiple users or be attached to a network needs to have good password protection for each user. Password tips and advice can be found in the CITES Guide to Passwords.
In many versions of Windows, a user name can have a blank password, which allows anyone to log in to the computer simply by clicking. Make sure that all user accounts on the machine have passwords to protect access to your computer.
More security
These steps can be done offline to increase basic security before you connect to the network. These are presented in order from simplest to most complex; you can start at the top of the list and work your way down.
- Use the Microsoft Baseline Security Analyzer (MBSA) to detect and correct common security misconfigurations:
Microsoft provides a tool called the Microsoft Baseline Security Analyzer (MBSA) to assist with detecting potential security flaws and correcting them. The MBSA tool checks for issues such as missing patches, user accounts without passwords, available updates to installed Microsoft software, and more.
- Disable the guest account:
Right-click on My Computer and select Manage. In the Local Users & Groups view, make sure the Guest account is disabled. (There should be a small red X over the corner of the icon; right-click and make sure the "Account is disabled" box is checked.)
- Don't give out too many "administrator" group memberships:
The Administrator account is the most powerful account on a Windows system. Most users shouldn't log in with administrator privileges for everyday work; the administrator privileges should be reserved for actions such as installing software and patching the system.
If only the administrator and guest accounts have been created on the computer, you'll want to create an individual user name so that you can have a regular account for daily use without administrator privileges.
Right-click on My Computer and select Manage. In the Local Users & Groups view, open the Users folder, and make sure most of the user names don't belong to the Administrators group.
However, make sure that the administrator account does still have administrator privileges; it's important that at least one user has that ability at all times.
- Verify that all disk partitions are formatted as NTFS:
If necessary, use the Convert utility to nondestructively convert your FAT partitions to NTFS.
- Disable unnecessary services and accounts:
Because each service and account represents a potential entry point to your computer, disabling the features you don't use will greatly diminish your exposure to security risks. Remember, you can always enable a service later if you decide you really do need it. You can enable and disable services with the Manage Your Server tool described above.
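The guest-account, blank-password, Administrators-group, and NTFS checks in this section can also be scripted. The following PowerShell is an added example, not part of the original page: it only reads settings and reports findings. It assumes Windows PowerShell is installed on the server (it is not part of a default Windows 2003 Server installation), that it runs as a local administrator, that the built-in accounts and groups keep their default names, and that `$expectedAdmins` is a hypothetical allow-list you edit for your server.

```powershell
# Added example (not from the original page): read-only audit of local settings.
# Assumptions: Windows PowerShell is installed, the script runs as a local
# administrator, and built-in account and group names are the defaults.
# $expectedAdmins is a hypothetical allow-list; edit it for your server.
$expectedAdmins = @('Administrator')
$findings = @()

# Local accounts only. RID 501 is the built-in Guest account, even if renamed.
$accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"
foreach ($a in $accounts) {
    if ($a.Disabled) { continue }
    if ($a.SID -like 'S-1-5-21-*-501') {
        $findings += "Guest account '$($a.Name)' is enabled"
    }
    # PasswordRequired = False means the account is allowed to have a blank password.
    if (-not $a.PasswordRequired) {
        $findings += "Account '$($a.Name)' is not required to have a password"
    }
}

# Members of the local Administrators group, read through the WinNT ADSI provider.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$admins = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
foreach ($m in $admins) {
    if ($expectedAdmins -notcontains $m) {
        $findings += "Unexpected member of Administrators: $m"
    }
}
# At least one account must keep administrator privileges at all times.
if ($admins -notcontains 'Administrator') {
    $findings += "The Administrator account is missing from the Administrators group"
}

# Fixed disks (DriveType 3) that are not NTFS; the Convert utility converts in place.
$disks = Get-WmiObject -Class Win32_LogicalDisk -Filter "DriveType=3"
foreach ($d in $disks) {
    if ($d.FileSystem -ne 'NTFS') {
        $findings += "Volume $($d.DeviceID) is $($d.FileSystem); consider: convert $($d.DeviceID) /FS:NTFS"
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

On a domain-joined server, groups such as Domain Admins will be reported as unexpected members until you add them to the allow-list.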


