Plan a secure baseline installation.
Security just doesn't happen; it requires careful planning, meticulous attention to detail, and persistence. We've already talked a bit about the inherent security of Windows Server 2003 right out of the box, but what about client operating systems? Are they to be thought of as less secure? The answer: yes and no. Ultimately, the security of your servers and clients is what you make of it. To make them secure, you need a baseline: a starting point. Once you know where you are starting from, you can better see where you are going. To that end, we examine the default security settings of Windows Server 2003 after a clean installation of a member server and the default security settings of Windows XP Professional after a clean installation. By default, these security settings are applied to every clean installation that is performed. By ensuring that only authorized personnel perform operating system installations, and perform them in a prescribed and consistent manner, you can ensure that these settings are applied uniformly across all new installations.
Identifying Windows Server 2003 Default Security Settings
Plan a secure baseline installation.
The security you get out of Windows Server 2003 depends in part on how it is installed. Clean installations of Windows Server 2003 automatically receive the complete set of default configuration settings and thus are more secure (by default) than an upgrade installation. A computer that is upgraded to Windows Server 2003 is likely to inherit security settings that were present in the previous installation. This problem becomes even more acute when Windows NT 4.0 is upgraded to Windows Server 2003 due to the differences in the way Windows NT 4.0 handles the Registry and file system Discretionary Access Control Lists (DACLs).
You might be tempted to assume that by applying the default security template, Setup security.inf, to a computer, you can easily reset it to the security settings that it would have after a clean installation. This assumption is not always correct. The default security template is automatically created during the installation of Windows Server 2003 on a computer. It represents the current security configuration at that time: either new settings for a clean installation or the resulting settings after an upgrade installation. This security template cannot accurately be used to ensure security settings are uniform unless the same type of installation is being performed on the same type of hardware. This security template, as discussed in more detail in the next section of this chapter, can however be used to reset the computer back to a known state. This capability becomes important over time as you need to enforce security settings on computers that may have experienced some changes.
EXAM TIP: For a complete rundown on the security settings you can expect to find in Windows Server 2003 and Windows XP Professional in several different configurations, download "Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP" from http://go.microsoft.com/fwlink/?LinkId=15160.
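The difference between a clean-install template and the settings an upgraded computer carries forward can be checked by diffing the two templates. The following is an added example, not code from the book or from Microsoft; it assumes both templates are already available as text, the function names are hypothetical, and the sample settings are constructed rather than real defaults.

```python
# Added example: diff two Windows security templates (.inf) to surface drift.
# Real templates are usually UTF-16; decode before calling parse_template().

def parse_template(text):
    """Parse security-template INF text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def normalise(section, value):
    """Account lists in [Privilege Rights] are unordered; compare them as sets."""
    if section == "Privilege Rights" and value is not None:
        return frozenset(v.strip() for v in value.split(",") if v.strip())
    return value

def diff_templates(baseline, actual):
    """Return (section, key, baseline_value, actual_value) for each difference.
    None means the setting is absent on that side."""
    drift = []
    for section in sorted(set(baseline) | set(actual)):
        b, a = baseline.get(section, {}), actual.get(section, {})
        for key in sorted(set(b) | set(a)):
            if normalise(section, b.get(key)) != normalise(section, a.get(key)):
                drift.append((section, key, b.get(key), a.get(key)))
    return drift

# Constructed sample data (not the real defaults of any Windows version).
CLEAN = """[System Access]
MinimumPasswordLength = 7
LockoutBadCount = 5
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""
UPGRADED = """; settings carried over by an upgrade installation
[System Access]
MinimumPasswordLength = 0
LockoutBadCount = 5
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-551,*S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-32-545
"""

DRIFT = diff_templates(parse_template(CLEAN), parse_template(UPGRADED))
for row in DRIFT:
    print(row)
```

The reordered SeBackupPrivilege list is not reported, because only the membership of a privilege assignment matters, not its order.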
You can identify the default security settings on a newly installed Windows Server 2003 member server through a variety of different means, such as the Local Group Policy console, the Local Security Policy console, or the Resultant Set of Policy (RSoP) snap-in. Although the default security settings can be identified easily enough, they are presented in Table 1.1 for your reference.
Table 1.1. Windows Server 2003 Member Server Default Security Settings
NOTE: File System, Registry, and Services
Information about the default settings of the file system, Registry, and services is not provided due to the large number of possible configurations of the hardware and operating system.
Of course, the defaults listed in Table 1.1 can and will change depending on the final role of the server. The Default Domain Policy will be applied to all member servers in the domain, modifying the defaults previously listed. Servers that are promoted to domain controller status will also be subjected to the additional configuration contained in the Default Domain Controller Policy. The installation and configuration of various network services and applications may also lead to additional security configuration modifications. Recall, as you saw in Figure 1.1, that the final configuration of a computer is the cumulative total of all policies applied to it at all levels, unless they have been blocked.
Identifying Windows XP Professional Default Security Settings
Plan a secure baseline installation.
You can identify the default security settings on a newly installed Windows XP Professional workstation through a variety of different means, such as the Local Group Policy console, the Local Security Policy console, or the Resultant Set of Policy (RSoP) snap-in. Although the default security settings can be identified easily enough, they are presented in Table 1.2 for your reference.
Table 1.2. Windows XP Professional Default Security Settings
Of course, the defaults listed in Table 1.2 can and will change depending on the final role of the workstation. The Default Domain Policy will be applied to all workstations in the domain, modifying the defaults previously listed. The installation and configuration of various network services and applications may also lead to additional security configuration modifications. Recall, as you saw in Figure 1.1, that the final configuration of a computer is the cumulative total of all policies applied to it at all levels, unless they have been blocked.
Selecting Secure Operating Systems
Evaluate and select the operating system to install on computers in an enterprise.
The enterprise operating systems of choice these days are Windows 2000, Windows XP Professional, and Windows Server 2003. Your choice depends on several factors, including budgetary issues, licensing, and specific role requirements. You should be aware of potential problems with legacy clients, such as Windows 95 and Windows NT 4.0, in newer Windows Active Directory domains. These legacy clients cannot participate fully in the Active Directory domain environment because they cannot utilize Group Policy Objects; you need to implement security settings on these computers through System Policies or direct editing of the Registry. Also, these legacy computers may not be able to communicate with Windows Server 2003 domain controllers due to the increased level of security of domain controller communications through Server Message Block (SMB) signing. If your budget allows it, you will be best served by installing all Windows Server 2003 servers and all Windows XP Professional workstations. This combination provides the greatest amount of security configuration capability, including newer items such as wireless networking security, 802.1x configuration, and Software Restriction Policies. Also, the newly improved Certificate Services in Windows Server 2003 were designed to be used with Windows XP Professional clients.