Security for Win2003 Servers

Guest

Hi,

I am planning to set up two Win2003 Servers. One is a Proxy (in the DMZ zone), the
other is a Web/Appl Server. Neither of the servers will be set up as a Domain
Controller. Below is my query.

1. What security or policy template should I put on both servers? (e.g. IIS,
ISA)
2. How do I harden the OS?

I have come up with some policies as stated below but am not sure whether they are
correct. Need advice.

Proxy Server
High Security – Bastion Host.inf
ISA

Web/App Server
Legacy Client – MemberServer Baseline.inf
Enterprise Client – IISServer.inf

Best regards,
NewComer
 
Roger Abell [MVP]

It seems you have found the W2k3 hardening guide, which is good.
I do not understand your choices for the IIS box. It is in the DMZ,
so normally this means you would want to use as much of the bastion
guidance as possible. Even if it is a domain member, I do not understand
the choice of the legacy template. When MS placed an exposed IIS 6 on
the network for the open hack contest, they did very little beyond common
sense config to that W2k3 and then added IPsec in filter mode (allow no
traffic, except allow inbound tcp 80/443 - in your case also allow specific
port+ip as needed for time, dns, mgmt, app tier)
 
Guest

My servers will not be set up as a Domain or Domain Member, only as normal servers (can
I set up this way?). To my understanding, the Proxy Server should be installed with
ISA in Win2K, but I do not know whether a Win2003 Server needs to install ISA or
whether Bastion has replaced the ISA server.

Proxy server
1. Does ISA need to be installed on the win2003 Proxy server, or has Bastion replaced
the ISA server? Or does the Proxy need both ISA and Bastion?

Web/App server
1. Will I need Legacy Client - MemberServer Baseline.inf if my web/app
server is not a Domain member or Domain controller, just a normal stand-alone
server?

Based on my setup, in your opinion, which security template or policy would you
use for the servers as stated below? Please advise.


Proxy server
1.
2.
3.

Web/Appl Server
1.
2.
3.
 
Roger Abell

Sorry I did not notice your reply sooner.
I think there is some confusion here.

Proxy Server is the prior product. ISA is the later product
that replaced Proxy. ISA includes proxy capabilities.
A product like this usually sits between the machines that
it screens and the open network. In other words, it would
ideally not be installed on the webserver itself.

The legacy template includes settings that are needed if
there are pre-Windows 2000 machines involved.
All of the templates are only guides from which one should
derive the settings that are appropriate to one's specific
situation, rather than taking one and applying it as is.
Also, the templates are not necessarily each self-complete.
That is, you may find that you want most of the settings of
a bastion host, but also need some settings not in that template
that are in another, such as for this special application server.

As a stand-alone machine, you should minimize the services,
etc., following the checklist and guidance for IIS that you can
find on the MS website under security or technet/security
(not sure where they are this month, likely technet/security).
From the hardening guide you will want to pay special attention
to the guidance for a bastion and for (an IIS) application server
and derive an amalgam that fits your environment.

If you are to use proxying such as with an ISA install, look at
having this on a separate machine. Also, it is well worth looking
at configuring IPsec on the IIS in a filtering mode so that it will
drop all inbound packets except Tcp 80 and 443 (note: you will
need to adjust this, for example, Tcp/Udp 53 for DNS, ports for
time server sync, for SMTP emailing, for your management access,
etc.).
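The IPsec "filtering mode" described above, written out as an added example (not from the thread or from Microsoft): a stand-alone Windows Server 2003 web server using the built-in `netsh ipsec static` context, with a catch-all block rule plus permit rules for inbound TCP 80/443, DNS, time sync and management. The policy and filter list names, the `%POL%` variable and the 192.0.2.x server addresses are assumed placeholders.

```batch
@echo off
rem Added example, not from the thread. IPsec filters are stateless, so
rem mirrored=yes is required on every filter so that reply packets match.
rem More specific filters win over the catch-all, which is how the permits
rem override the block. Run from the console: once assigned, any management
rem traffic not listed here is dropped.

set POL=WebFilter

netsh ipsec static add policy name="%POL%" description="Drop all inbound except allowed ports" activatedefaultrule=no
netsh ipsec static add filteraction name="%POL%-Permit" action=permit
netsh ipsec static add filteraction name="%POL%-Block" action=block

rem --- Catch-all: every IP protocol, any address, to this host ---
netsh ipsec static add filterlist name="%POL%-All"
netsh ipsec static add filter filterlist="%POL%-All" srcaddr=any dstaddr=me protocol=any mirrored=yes
netsh ipsec static add rule name="Block everything" policy="%POL%" filterlist="%POL%-All" filteraction="%POL%-Block"

rem --- Public web: inbound TCP 80 and 443 from anywhere ---
netsh ipsec static add filterlist name="%POL%-Web"
netsh ipsec static add filter filterlist="%POL%-Web" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filter filterlist="%POL%-Web" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=443 mirrored=yes
netsh ipsec static add rule name="Allow web" policy="%POL%" filterlist="%POL%-Web" filteraction="%POL%-Permit"

rem --- Infrastructure: DNS (UDP/TCP 53) and NTP (UDP 123) to named servers only (placeholder IPs) ---
netsh ipsec static add filterlist name="%POL%-Infra"
netsh ipsec static add filter filterlist="%POL%-Infra" srcaddr=me dstaddr=192.0.2.10 protocol=udp srcport=0 dstport=53 mirrored=yes
netsh ipsec static add filter filterlist="%POL%-Infra" srcaddr=me dstaddr=192.0.2.10 protocol=tcp srcport=0 dstport=53 mirrored=yes
netsh ipsec static add filter filterlist="%POL%-Infra" srcaddr=me dstaddr=192.0.2.20 protocol=udp srcport=0 dstport=123 mirrored=yes
netsh ipsec static add rule name="Allow infra" policy="%POL%" filterlist="%POL%-Infra" filteraction="%POL%-Permit"

rem --- Management: RDP (TCP 3389) only from the admin host (placeholder IP) ---
netsh ipsec static add filterlist name="%POL%-Mgmt"
netsh ipsec static add filter filterlist="%POL%-Mgmt" srcaddr=192.0.2.30 dstaddr=me protocol=tcp srcport=0 dstport=3389 mirrored=yes
netsh ipsec static add rule name="Allow mgmt" policy="%POL%" filterlist="%POL%-Mgmt" filteraction="%POL%-Permit"

rem Assign (activate) the policy; review the result with: netsh ipsec static show all
netsh ipsec static set policy name="%POL%" assign=y
```

Add a further filter list in the same pattern for the application tier (for example, the database port, restricted to the app tier's address) rather than widening the web list.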
 
