This guide is intended to provide basic systems administration instruction for hardening “out-of-the-box” installations of Windows Server. Even though current versions of Windows Server provides a better security model than previous versions of Windows servers, the attack surface area can be reduced further.
The first section of this document will list services which can be safely disabled, followed by a short list of registry items that should be safeguarded.
Disabled Unused Services
DHCP Client
Gain: Security
Explanation: DHCP is used to auto configure a computers IP settings. Most servers will have a static IP address so this service is unnecessary.
DNS Client
Gain: Security
Explanation: The Domain Name System Client service caches the result of domain name lookups and registers the server with its parent DNS server. Turning this off will slow DNS lookups but could also be used against us in a DNS cache poisoning attack. Note that turning this service off still allows the computer to do DNS lookups, the results just won’t be stored in a local cache on the local machine.
Distributed Link Tracking Client
Gain: Security
Explanation: Distributed links are things like shell shortcuts and OLE links. This service will track if a linked file has been moved/renamed. Linked files are more common on a desktop OS, so this can be safely disabled.
Human Interface Device Access
Gain: Security
Explanation: Allows keyboard/mouse/other hot buttons and other multimedia devices to interact with windows
IP Helper
Gain: Security
Explanation: IP Helper provides IPv6 connectivity over an IPv4 network. Our servers are strictly IPv4 at the moment, so no IPv6 support is necessary.
Print Spooler
Gain: Security, Performance
Explanation: No server should have printers installed, unless the server in question is a print server.
Windows Error Reporting Service
Gain: Security
Explanation: This service facilitates the notification and reporting of errors to Microsoft.
Windows Remote Management
Gain: Security
Explanation: WinRM is a remote management protocol running over web services
Secondary Login
Gain: Security
Explanation: This service allows the “run as” command to run a service as a different user.
IPv6, LAN Properties
Gain: Security
Explanation: If you are not using IPv6 in your environment, this item can be safely removed / disabled in the LAN properties page for each NIC in the server.
Also modify the following registry entry, restarting after modification:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters]
Parameter: DisabledComponents
Value: FF
Remote Registry
Gain: Security
Explanation:This service allows registry access to authenticated remote users. Even though this is blocked by the firewall and ACLs this service should be turned off if you have no reason to allow remote registry access.
Registry Lockdown
Disable AutoRun for CD-ROM drives.
Gain: Security
Find this key key:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDRom\AutoRun
Change the value to : 0 (REG_DWORD)
Secure SNMP Service
Gain:
Only allow these accounts to access the keys mentioned:
Administrators – Full Control
System – Full ControlHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
Startup Keys
Gain:
Secure the registry keys below with this access:
Administrators and System – Full Control
Authenticated Users – Read Also set auditing for Everyone on these keys; check all checkboxes under Failed and the “Set Value” checkbox under Successful.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\UninstallHKEY_LOCAL_MACHINE\Software\Microsoft\DrWatson(Leave the permissions for Terminal Server User, if exists)HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg