Scott Hanselman

Windows Server 2003, and something called...being a Security Expert

March 3, '03 Comments [2] Posted in Web Services | ASP.NET

Windows Server 2003, and something called security.

I must admit, the Microsoft security push is more than just marketing mojo.  Take a look at Windows Server 2003. 

  • There are over 20 services that are not started by default. 
  • IIS isn't installed by default (a good thing). 
  • When you install IIS, front page server extensions aren't installed by default. 
  • IIS6 has been recompiled with the /GS switch to prevent many buffer overrun attacks. (ok, it makes me a little uncomfortable to hear MS say "we've prevented buffer overruns that we don't even know are there!", but it's still better than no /GS)
  • Web sites run as Network Service by default (including ASP.NET web sites), and Network Service has pretty restricted permissions.
  • No network authentication for accounts with blank passwords.
  • MS stopped production for 2 months and examined every single line of code, documented and fixed a bunch of threats.

[Sean 'Early' Campbell & Scott 'Adopter' Swigart's Radio Weblog]

I'm a huge MSFT fan, and I'm very excited about Windows Server 2003.  But for it to be truly secure, to the point where I can use it in a financial arena, it still needs a Security Expert to lock it down and really harden it.  It's not completely locked down by default.  This is why we need to be completely aware of what it does and doesn't do.  And certainly the same goes for Linux.  Linux is fairly locked down to start, but it depends on the distro. 

Here are just a few things to think about removing or locking down on a Windows Server 2003 default install.  I want people to go into this with their eyes OPEN.   We have extensive security lock-down checklists, and a team of specialists (I mean that they live and breathe this), as everyone should have for every OS within their company. 

This is only about 5% of the things that we do to truly lock down a Windows Server 2003 box for hosting a Web Application:

  • Remove SMTP service
  • Remove Update Root Certificates
  • Disable Alerter
  • Disable Application Layer Gateway Service
  • Disable Automatic Updates (I'm surprised that someone let that go in enabled!)
  • Disable Computer Browser
  • Disable File Replication
  • Disable Help and Support
  • Disable Indexing
  • Disable Messenger
  • Disable Remote Registry
  • Disable Volume Shadow Copy
  • Disable Windows Audio
  • Disable Windows Image Acquisition (what were they thinking for a Server OS?)
  • Disable Wireless Configuration
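As an added example (not from the post, and not from any Microsoft checklist), the list above can be turned into an audit-then-enforce script. It queries Win32_Service over WMI, so it works against a remote box as well as the local one, reports every listed service that is still enabled or running, and only changes anything when run with -Apply. The display-name patterns are my own derivation from the post's list; the "Update Root Certificates" item is a Windows component rather than a service and is left out, and SMTP is disabled here as a stand-in for the removal the post recommends. Verify the matches on your own build before enforcing.

```powershell
# Added example: audit or enforce the post's service lock-down list on a local
# or remote Windows Server 2003 box via WMI (Win32_Service).
# Assumptions: PowerShell with WMI access to the target; display-name patterns
# are derived from the post's list (WQL LIKE syntax, % = wildcard) and should
# be checked against 'sc query' on the box before enforcing.
param(
    [string]$ComputerName = '.',   # '.' = local machine; or a remote host name
    [switch]$Apply                 # without -Apply the script only reports
)

# Services the post says to disable; wildcards absorb minor display-name
# differences between builds. Verify each match before trusting the result.
$ToDisable = @(
    'Alerter',
    'Application Layer Gateway Service',
    'Automatic Updates',
    'Computer Browser',
    'File Replication%',
    'Help and Support',
    'Indexing Service',
    'Messenger',
    'Remote Registry',
    'Volume Shadow Copy',
    'Windows Audio',
    'Windows Image Acquisition%',
    'Wireless%Configuration',
    'Simple Mail Transfer Protocol%'   # SMTP; the post removes it outright
)

$report = @()
foreach ($pattern in $ToDisable) {
    $services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName `
        -Filter "DisplayName LIKE '$pattern'"
    if (-not $services) {
        # Not installed is the best outcome for a hardened host; record it anyway
        $report += New-Object PSObject -Property @{
            Pattern = $pattern; Name = '(not installed)'; State = '-'; StartMode = '-'; Action = 'none'
        }
        continue
    }
    foreach ($svc in $services) {
        $action = 'compliant'
        if ($svc.StartMode -ne 'Disabled' -or $svc.State -eq 'Running') {
            $action = 'needs lock-down'
            if ($Apply) {
                # Win32_Service methods return 0 on success
                $rc1 = $svc.ChangeStartMode('Disabled').ReturnValue
                $rc2 = 0
                if ($svc.State -eq 'Running') { $rc2 = $svc.StopService().ReturnValue }
                $action = if ($rc1 -eq 0 -and $rc2 -eq 0) { 'disabled+stopped' } else { "FAILED ($rc1/$rc2)" }
            }
        }
        $report += New-Object PSObject -Property @{
            Pattern = $pattern; Name = $svc.Name; State = $svc.State; StartMode = $svc.StartMode; Action = $action
        }
    }
}

# Keep the report: a dated copy of this output is the lock-down evidence for the box
$report | Format-Table Name, StartMode, State, Action -AutoSize
```

Run it without -Apply first and keep the output; the report is the baseline you compare against after every patch cycle, since service packs and role installs can quietly re-enable services you already disabled.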

No doubt, Windows Server 2003 ships more locked down than Windows 2000, but don't let yourself get lulled into a sense of security.  You can't just install and go.  Slammer was a perfect example that the software is only 1% of it, and the other 99% was knowing how to configure and update it. 

Eyes open my friends!

Wednesday, 05 March 2003 08:11:39 UTC
Question: Do the administrative staff log onto the Windows 2003 boxes least privileged? If so, do they ever have to log in interactively as an admin, and why?
Wednesday, 05 March 2003 21:14:11 UTC
Depends on what the Admin staff is doing! Most of this work can be done as an Admin but remotely with Script and WMI or with MMC.