AnsweredAssumed Answered

Help me to find some PC controls for WinServer2003

Question asked by Maique Griebler on Jun 21, 2012
Latest reply on Mar 5, 2015 by Tim White

Dear Community,

 

I need some help to find these controls below for Windows Server 2003:

 

Network services - Disable Microsoft networking: By default WindowsServer 2003 installs Microsoft Networking (File and Print services) whichprovides SMB/CIFS which is the native method for all Microsoft related APIcalls.  Primarily this service is onlyused for backward compatibility or to provide networked resources.  If the server is, for example, only providingweb services then Microsoft Networking can be disabled for that adapter. Tounbind File and print sharing and Client for Microsoft Networks from the LANconnection, uncheck the boxes for Internet Protocol.

 

SYSVOL permissions: SYSVOL permissionsshould be set as follows:

  • NTFS permissions are not inherited and should be:-

Administrators:FullControl

LocalSystem:FullControl

Authenticated Users:Read, Read&Execute, List

Server Operators: Read,Read&Execute, List

  • Share permissions should be:-

Administrators:FullControl

Authenticated Users:FullControl

Everyone: Read


Kerberos Policy:

Maximum Lifetime for service ticket (Default: 600 mins)
Maximum lifetime for user ticket renewal (Default: 7 days). This is the maximum period for which ticket renewal will continue (7 days by default), after which the user will need to re-enter their password to re-prove authenticity.
Maximum tolerance for computer clock synchronisation (Default: 5 mins). If longer, a replay attack might become possible

 

Dial-in/Remote Access:

Ensure that the RASservice is stopped.

 

Time Service:

The requirement is forall countries to run w32time with default settings.

Time should beautomatically synchronized with the Active Directory root server.

To check that time issynchronizing correctly check the ‘System’ event log and look for events fromsource ‘w32time’. You should see informational messages stating that the serveris syncing with it’s time partner. 

Please make sure you check for any ‘error’ or‘Warning’ messages from the ‘w32time’ source.


Permissions on the root drive:

The Everyone groupshould be removed and replaced with ‘Authenticated Users’ or specific usergroups on root drive partition(s).


FullControl access permissions:

Only Administratorsshould have FullControl access permissions.

Check that net Share+NTFS access does not giveusers FullControl permissions over folders otherwise users could take ownershipof the folder and assign permissions to other users. The maximum access grantedto users should be Change access.

 

Permissions for application executables:

Check that Sharepermissions are set to Read and NTFS permissions are set to “Read, Read andExecute, and List Folder Content”.

 

Access model:

  • Accounts:Change (Share permissions)Accounts:Change (NTFS permissions) is better than :-
  • Everyone FullControl (Share permissions)Accounts:Change (NTFS permissions) which is better than :-
  • AccountsChange (Share permissions)Everyone:FullControl (NTFS permissions) which is better than :-
  • Everyone:FullControl (Share permissions)Everyone:Change (NTFS permissions)

 

Thanks in advance,

Outcomes