Server Setup Checklist
This checklist should be completed when installing a new server. It should also be reviewed when new software packages are installed.
When setting up a Windows 2000/2003 server:
Before connecting to the network:
- Verify that all disks are formatted with NTFS.
- Verify that all accounts have passwords that meet the password standards in the security program ( characters minimum, both alpha and numeric characters). Additionally, all passwords should be changed from vendor supplied defaults.
- Disable unnecessary services. A list of services and their purposes is available at http://www.microsoft.com/windows2000/techinfo/howitworks/management/w2kservices.asp. The Center for Internet Security benchmarks also contain information on Windows 2003 services (see the link below to download the benchmarks). It is the responsibility of the system administrator to determine what services should be disabled. Some infrequently used services to consider are: Alerter, Distributed Link Tracking, Distributed Transaction Coordinator, Fax Service, Indexing Service, Internet Connection Sharing, Messenger, NetMeeting Remote Desktop Sharing, QoS RSVP, Remote Access Auto Connection Manager, Remote Access Connection Manager, Remote Registry Service, Routing and Remote Access, Smart Card, Smart Card Helper, Telnet, Uninterruptible Power Supply.
- Disable or delete any unnecessary user accounts.
- Remove all unnecessary file shares. Verify permissions on all shares that are necessary.
- Confirm that firewall rules have been applied at the core firewall.
- Confirm that the local host firewall is enabled and configured if it exists.
If not adding to the ACS/Admin/TeleCom Servers OU, the following must also be done:
- Restrict authentication methods to NTLMv2 only. This can be done by setting the registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LMCompatibilityLevel (REG_DWORD) to 3.
- Disable anonymous SID/Name translation. This can be done by setting the registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\TurnOffAnonymousBlock (REG_DWORD) to 1.
- Disable anonymous enumeration of SAM accounts. This can be done by setting the registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\RestrictAnonymous (REG_DWORD) to 2.
- Disable the guest account.
- Rename the administrator account.
- Rename the guest account.
- Configure password policies ( characters minimum, both alpha and numeric characters).
- Configure account lockout policies (lockout after [?] failed attempts, reset after [?]0 minutes).
- Configure log file policies (see the NIST checklist for recommendations).
- Configure the screen saver to lock the screen within 30 minutes of inactivity.
- Configure a logon message.
After connecting to the network:
- Apply all security patches. If patches cannot be applied due to software incompatibilities or other conflicts, it is the responsibility of the system administrator to understand the vulnerability and implement appropriate measures to mitigate it.
- Install anti-virus software. Configure it to automatically update definitions. Apply an appropriate configuration for cleaning/quarantine/deletion of infected files, and configure notification of infections.
- Review an MBSA/Nmap/Nessus scan of the host for any potential problems.
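The Windows items above can be audited from the host itself. The following script is an added example, not part of the original checklist: it reports services from the list above that are still enabled, LSA registry values that differ from the three settings given above, and built-in accounts that were not disabled or renamed. It assumes Windows PowerShell with WMI available, and matches services by display name with wildcards because exact display names vary between Windows versions.

```powershell
# Added audit example (not from the original checklist). Run as Administrator.
# Assumes Windows PowerShell with WMI; service display names vary between
# versions, so the checklist's names are matched with wildcards.
$ServicesToDisable = @(
    'Alerter', 'Distributed Link Tracking*', 'Distributed Transaction Coordinator',
    'Fax*', 'Indexing Service', '*Internet Connection Sharing*', 'Messenger',
    'NetMeeting Remote Desktop Sharing', 'QoS RSVP', 'Remote Access Auto Connection Manager',
    'Remote Access Connection Manager', 'Remote Registry*', 'Routing and Remote Access',
    'Smart Card', 'Smart Card Helper', 'Telnet', 'Uninterruptible Power Supply'
)
# LSA values with the settings the checklist prescribes (all REG_DWORD).
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ExpectedLsa = @{
    LMCompatibilityLevel  = 3   # NTLMv2 only
    TurnOffAnonymousBlock = 1   # anonymous SID/Name translation disabled
    RestrictAnonymous     = 2   # no anonymous enumeration of SAM accounts
}
$Findings = @()

# 1. Services from the checklist that are still enabled or running.
$AllServices = Get-WmiObject -Class Win32_Service
foreach ($pattern in $ServicesToDisable) {
    foreach ($svc in ($AllServices | Where-Object { $_.DisplayName -like $pattern })) {
        if ($svc.StartMode -ne 'Disabled' -or $svc.State -eq 'Running') {
            $Findings += "Service '$($svc.DisplayName)' is $($svc.StartMode)/$($svc.State); checklist says disable"
        }
    }
}

# 2. Authentication and anonymous-access registry settings (missing value reads as '').
foreach ($name in $ExpectedLsa.Keys) {
    $actual = (Get-ItemProperty -Path $LsaKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($actual -ne $ExpectedLsa[$name]) {
        $Findings += "$name is '$actual' (expected $($ExpectedLsa[$name]))"
    }
}

# 3. Built-in accounts located by well-known RID (500 = Administrator, 501 = Guest),
#    so that a rename cannot hide them from the check.
foreach ($acct in (Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True")) {
    if ($acct.SID -like '*-500' -and $acct.Name -eq 'Administrator') {
        $Findings += 'Administrator account (RID 500) has not been renamed'
    }
    if ($acct.SID -like '*-501') {
        if (-not $acct.Disabled) { $Findings += 'Guest account (RID 501) is enabled' }
        if ($acct.Name -eq 'Guest') { $Findings += 'Guest account (RID 501) has not been renamed' }
    }
}

if ($Findings.Count -eq 0) { 'All audited checklist items are in place.' } else { $Findings }
```

The script only reads state and prints findings; remediation is left to the administrator, as the checklist itself requires.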
When setting up a UNIX style server (Linux, HP-UX, *BSD, Mac OS X, etc.):
- Verify that all accounts have passwords that meet the password standards in the security program ( characters minimum, 3 character classes minimum). Additionally, all passwords should be changed from vendor supplied defaults.
- Check to see if the Bastille hardening program (http://www.bastille-linux.org/) supports your OS. Currently supported OSes include HP-UX, Mac OS X, and Red Hat Linux. If your OS is supported, run the hardening program to improve security on the system.
- Review the Center for Internet Security Benchmark for your system's OS. These benchmarks are available at the link below. While reviewing the benchmarks, make changes as appropriate to improve the security of your system. In most cases it should be possible to achieve a score of [?]/10 or greater on the CIS benchmark.
- Configure password policies.
- Configure the screen saver to lock the screen within 30 minutes of inactivity.
- Configure a logon message.
- Confirm that firewall rules have been applied at the core firewall.
- Confirm that the local host firewall is enabled and configured if it exists.
- Apply all vendor supplied patches/updates. If patches cannot be applied due to software incompatibilities or other conflicts, it is the responsibility of the system administrator to understand the vulnerability and implement appropriate measures to mitigate it.
- Review an Nmap/Nessus scan of the host for any potential problems.
Sample Logon Message:
************* UNAUTHORIZED USE OF THIS SYSTEM IS PROHIBITED NOTICE TO USERS *************
This computer is the private property of SUNY College at Oneonta. It is for authorized use only. Users (authorized and unauthorized) have no explicit or implicit expectation of privacy. The College reserves the right to monitor its use as necessary to ensure its stability, availability, and security. During monitoring information may be examined, recorded, copied and used for authorized purposes. Use of this computer system, authorized or unauthorized, constitutes consent to this policy and the policies and procedures set forth by the College. Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning. *******************************************************************************
Additional security resources/checklists:
- Microsoft Windows 2000 Server Baseline Security Checklist - http://www.microsoft.com/technet/archive/security/chklist/w2ksvrcl.mspx
- NIST Computer Security Resource Center checklists - http://csrc.nist.gov/checklists/repository/category.html
- Center for Internet Security Benchmark/Tool downloads - http://www.cisecurity.org/sub_form.html