dir logo Navigation Header Scranton

Server Policy Requirements

Minimimal Requirements

for Installation, Security, and Configuration for all Server Based Systems

*** Any new server based systems being setup should not be connected to the campus network until the system is ready to have all Microsoft Updates applied to it. ***

  1. All server based systems should have the disk file system configured as NTFS for security reasons.

  2. The administrators group should be assigned (full control) NTFS permissions on all hard disks. The (everyone group) should be removed from NTFS security permissions for all hard disks.

  3. The administrator account should have a password that is complex. The administrator account should be renamed. The administrator account should have its description deleted and the account should only be used in emergencies. An additional administrator account should be created for daily use and for backup purposes.

  4. It is advisable to copy the i386 and printers directory's to the local system. This will alleviate having to put in the windows 2000 CD-ROM when a change is made to the server and the printers directory will help if there are any local or network printers connected to the server.

  5. Under Administrative Tools select Local Security Policy - within the Local Security Settings, expand Account Policies and then select Password Policy on the left pane. Double click on (maximum password age) on the right hand pane and change it to zero. The default setting is 42 days and if this is not changed all users of the system will be prompted to change their password. This will allows users to keep their same password rather than being prompted for a new password at some specified interval.

    1. It is suggested that passwords be changed regularly (60 - 90 days) for all administrator based accounts.

  6. While in the Local Security Settings Windows - Expand Local Policies in the left pane and then expand Users Right Assignment in the left pane and double click on "Access this computer from the network" in the right pane and deselect the check box that corresponds to the "Everyone" group. Then click OK. Also expand Security Options in the left pane and then double click on the "Additional restrictions for anonymous connections" in the right pane and on the local policy setting pull down menu; select "No access without explicit anonymous permissions". Click OK and close the local security settings window.

  7. Under Administrative Tools, select Computer Management. Select disk management, in the lower right hand portion of the window is the currently installed drives for the system. It is recommended to change the drive letter for the CD-ROM to Z: as this allows for the maximum number of drive letters to be used for hard disks and multiple partitions.

    1. To change the drive letter - select the CD-ROM drive that is in the lower right portion of the Computer Management screen. Then right click and select from the menu options (change drive letter and path) then select edit - then use the pull down menu to select Z: for the new drive letter and click OK when you're done.

  8. By default IIS (Internet Information Server) is loaded on all Windows 2000 servers. If you are not going to be using the server as web or FTP server, then IIS should be uninstalled immediately.

    1. This can be done by going to Start menu, select Settings, then select Control Panel. Once in Control Panel, select Add/Remove Programs by double clicking the icon. Once in the Add/Remove Programs screen, select from the left side bar menu - Add/Remove Windows Components. Once the Windows Components screen appears - scroll down the menu and uncheck or deselect the box associated with (Internet Information Services - IIS). Click next, the finish and then close all other windows and reboot the server.

  9. If IIS loaded and is a part of your required configuration then you must immediately disable Anonymous FTP. This keeps all rouge users from using your server as drop box for unwanted information and using your disk space without your knowledge.

    1. To disable anonymous FTP - under Administrative Tools, select Internet Services Manager. Then expand the server name to expose the Default FTP site, the Default Web site and the Administration Web site. Right click on the Default FTP site and select properties. Go to the Security Accounts tab and uncheck or deselect the checkbox that states (allow anonymous connections); you will be prompted about if you want to proceed and you will click YES and then click OK.

    2. If IIS is part of your required server configuration you must check and make sure NNTP and SMTP are not loaded on the server. This can be done by going to Add/Remove Programs and selecting on the left side pane the Add/Remove Windows Components and then select the (Internet Information Services - IIS) in the main menu. Then click on the Details button and then in the (Internet Information Services - IIS) window make sure that both check boxes for SMTP and NNTP services are either unchecked or deselected. Follow the previous procedures in Item 8a for making changes in the Add/Remove Windows Components.

  10. Under Administrative Tools, select Event Viewer. All logs within the Event Viewer should be changed to overwrite as needed. This will allow the logs to keep the most pertinent and current information without filling up and running out of space.

    1. To change all logs to the new setting - right click on any log (application, system or security) and select the radio button that states (overwrite events as needed).

  11. There are several services that should be disabled to prevent problems or rogue users from trying to access or exploiting your server. Some of the services that should be disabled per Microsoft's Baseline Security Policy are: alerter, computer browser, fax service, file replication, license logging service, messenger, netmeeting remote desktop sharing, network DDE, network DDE DSDM, Qos admission control, smart card, smart card helper, telephony and utility manager. There are others but these are some that will keep the server from being exploited.

    1. The above listed services can be disabled by going into Administrative Tools and selecting Services. Find the appropriate services and double click on it. Then on the Startup Type pull down menu - select disabled and then click Apply and then click OK. Do this for all appropriate services.

  12. Install all Microsoft Critical Updates and Service Packs. It is recommended that you start with the latest service pack and then install the latest browser and then update the browser. Lastly apply all other critical updates that are remaining. Once this is done you may update any Windows Updates and then any Driver Updates. Always remember when installing any device drivers to do them one at a time and reboot the server to detect any failures.
  13. Disable the Automatic Updates from Microsoft once service pack 3 or later has been installed.

    1. This can be done by going to Settings, Control Panel and then double clicking on Automatic Updates. Once the Automatic Updates window is open, deselect or uncheck the checkbox that states: "Keep my computer up to date. With setting enabled, Windows Update software maybe automatically updated prior to applying any other updates."

  14. Always apply the minimum security permissions as needed, never the opposite. When implementing any access to your server it is recommended that you start with Read permissions and increase the permission setting until you get the desired effect. This practice is used when you are unaware how an application will respond over the network and with your users.
  15. Installing Terminal Services is recommended for secure remote connections with your server. This provides a secure communications path for you to remotely access you server and perform any maintenance that maybe required from time to time.
  16. To install Terminal Services you must go to Add/Remove Programs and select Add/Remove Windows Components. From the menu box scroll through the list and select the check box next to Terminal Service and then click Next. On the next screen - make sure that Remote Administration Mode is the selected radio button and then click Next and finally click Finish and Reboot the server. Once the server has rebooted then go to Administrative Tools and select Terminal Service Configuration - in the left pane - click on Server settings and change Active Desktop to Disabled in the right pane. Then click on Connections within the left pane - and in the right pane - right click on RDP-tcp and select Properties. On the General Tab select High for the Encryption Level pull down menu. Under the Settings Tab - select the check box for Override User Settings and in the "End a Disconnected Session" - set the pull down menu to 1 minute; for the "Active Session Limit" pull down menu - select Never; and for the "Idle Session Limit" pull down menu - select 15 minutes. Then select the check box for Override User Settings and for "When Session Limit is Reached or Connection Broken" - select the "Disconnect from Session" radio button. On the Environment Tab select the check box for Disable Wallpaper. Click Apply and then OK to finish.

    1. A valid and registered copy of anti-virus software must be installed on any server and configured to get the latest virus dat files on a daily basis. At this time Network Associates is our current anti-virus provider. The Netshield product is our current server anti-virus product.




________________________________________________________________________

DIR NavBar
DIR
• Microsoft
   Windows Support
• Computing
   Policies
• Computer Sales
• Desktop utilities
• DIR Staff
• Hardware
   Services
• Software
   Services