Click here to get back home

hisecweb.inf hardening
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
hisecweb.inf hardening James Butler 06-05-2005
Posted by James Butler on June 5, 2005, 8:57 pm
Please log in for more thread options
 Although, Windows 2003 claim to be secure by default, I don't trust that
statement, I still see services running that shouldn't.

I am trying to find the best way to harden Win2003 servers, should I use the
AD to apple hisecweb.inf file to the host, or should I just manually start
turning off services. How do I secure Stand alone servers such as public web
server, does inf file exist for it. Since these public servers are not
member of the forest, how does one apply the inf file.


Where can I find info on what hisecweb.inf actually does to a server ?



Posted by Steven L Umbach on June 5, 2005, 4:11 pm
Please log in for more thread options
 Windows 2003 is much more secure by default than Windows 2000 was. Any
operating system [particularly non consumer] will still need hardening from
a default installation once the specific use of the computer is determined.
I would recommend that you read the free Windows 2003 Server Security Guide
and the Threats and Countermeasures Guide available at the first link below.
They will give you excellent info on how to harden your server. The Windows
2003 Server Security Guide starts with a server baseline configuration and
then has additional chapters for specific server roles. I would not
recommend applying any security template to a production computer without
thoroughly testing on a non production like configured computer and going
through the security template to see exactly what changes are made the
impact they may have or you may end up securing the computer from authorized
users. Windows 2003 also lets you use secedit to create a "rollback"
security template for a computer but it must be created before you apply the
template. The Microsoft Baseline Security Analyzer should also be used in
the process to harden computers. If you want to see exactly what
hisecweb.inf does then use the Security Configuration and Analysis mmc
snapin tool to do an analysis on one of your computers to see the changes it
implements. The links below may help. --- Steve

http://www.microsoft.com/technet/security/prodtech/windowsserver2003.mspx
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/b1007de8-a11a-4d88-9370-25e244560587.mspx
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/seconfig.mspx

--- works same on W2003.


> Although, Windows 2003 claim to be secure by default, I don't trust that
> statement, I still see services running that shouldn't.
>
> I am trying to find the best way to harden Win2003 servers, should I use
> the
> AD to apple hisecweb.inf file to the host, or should I just manually start
> turning off services. How do I secure Stand alone servers such as public
> web
> server, does inf file exist for it. Since these public servers are not
> member of the forest, how does one apply the inf file.
>
>
> Where can I find info on what hisecweb.inf actually does to a server ?
>




Posted by Roger Abell [MVP] on June 5, 2005, 4:48 pm
Please log in for more thread options
You are not misguided in questioning statements claiming security.
After all, the only really, really secure system is an unusable one.

For the W2k3 that you have you should look at using the new security
configuration wizard to define the needed roles for the machine and
let it provide you will a starting point on the hardening of that machine.
There has been a couple years spend in dev and templating for this,
so after you have identified what the machine should be able to do you
will in fact not have extraneous services (some third-party exempted
depending on choices you make for unrecogized services) running,
you should have a firewall that is reasonably configured for inbound,
unsolicitied packets, etc..

The guide that Steve mention is a requirement for use of the templates.
These templates are not intended to be used off-the-shelf. These are
examples to provide you with starting points to define what is appropriate
for your environment.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
> Although, Windows 2003 claim to be secure by default, I don't trust that
> statement, I still see services running that shouldn't.
>
> I am trying to find the best way to harden Win2003 servers, should I use
> the
> AD to apple hisecweb.inf file to the host, or should I just manually start
> turning off services. How do I secure Stand alone servers such as public
> web
> server, does inf file exist for it. Since these public servers are not
> member of the forest, how does one apply the inf file.
>
>
> Where can I find info on what hisecweb.inf actually does to a server ?
>




Posted by Jason Wasser on June 22, 2005, 9:53 am
Please log in for more thread options
James,

You can use the Local Security Policy MMC snap-in to setup the
hisecweb.inf security template. Right-click on the security policy and
click Import. It should take you right to c:\windows\system32\security
which has all the inf security templates. Like the other guys said it's
best to use the other tools first to see what is going to be applied
before you just turn it on. The higher the security you set the more
likely things will start breaking.

James Butler wrote:
> Although, Windows 2003 claim to be secure by default, I don't trust that
> statement, I still see services running that shouldn't.
>
> I am trying to find the best way to harden Win2003 servers, should I use the
> AD to apple hisecweb.inf file to the host, or should I just manually start
> turning off services. How do I secure Stand alone servers such as public web
> server, does inf file exist for it. Since these public servers are not
> member of the forest, how does one apply the inf file.
>
>
> Where can I find info on what hisecweb.inf actually does to a server ?
>


Similar ThreadsPosted
Server Hardening July 5, 2005, 9:34 am
Security Hardening May 16, 2007, 9:00 pm
Lockdown/Hardening Tool March 21, 2006, 3:53 pm
Hardening Windows Registry August 2, 2006, 10:31 pm

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap