I need some help to find these controls below for Windows Server 2003:
Network services - Disable Microsoft networking: By default Windows Server 2003 installs Microsoft Networking (File and Print services) which provides SMB/CIFS which is the native method for all Microsoft related API calls. Primarily this service is only used for backward compatibility or to provide networked resources. If the server is, for example, only providing web services then Microsoft Networking can be disabled for that adapter. To unbind File and print sharing and Client for Microsoft Networks from the LAN connection, uncheck the boxes for Internet Protocol.
SYSVOL permissions: SYSVOL permissions should be set as follows:
- NTFS permissions are not inherited and should be:-
Authenticated Users: Read, Read & Execute, List
Server Operators: Read, Read & Execute, List
- Share permissions should be:-
Maximum lifetime for user ticket renewal (Default: 7 days). This is the maximum period for which ticket renewal will continue (7 days by default), after which the user will need to re-enter their password to re-prove authenticity.
Maximum tolerance for computer clock synchronisation (Default: 5 mins). If longer, a replay attack might become possible.
Ensure that the RAS service is stopped.
The requirement is for all countries to run w32time with default settings.
Time should be automatically synchronized with the Active Directory root server.
To check that time is synchronizing correctly, check the ‘System’ event log and look for events from source ‘w32time’. You should see informational messages stating that the server is syncing with its time partner.
Please make sure you check for any ‘error’ or ‘Warning’ messages from the ‘w32time’ source.
Permissions on the root drive:
The Everyone group should be removed and replaced with ‘Authenticated Users’ or specific user groups on root drive partition(s).
FullControl access permissions:
Only Administrators should have FullControl access permissions.
Permissions for application executables:
Check that Share permissions are set to Read and NTFS permissions are set to “Read, Read and Execute, and List Folder Content”.
- Accounts:Change (Share permissions) Accounts:Change (NTFS permissions) is better than:-
- Everyone:FullControl (Share permissions) Accounts:Change (NTFS permissions) which is better than:-
- Accounts:Change (Share permissions) Everyone:FullControl (NTFS permissions) which is better than:-
- Everyone:FullControl (Share permissions) Everyone:Change (NTFS permissions)
Thanks in advance,
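
An added example (not part of the original post) modelling the four share/NTFS combinations ranked in the list above: access over the network is the more restrictive of the share and NTFS grants, while a local logon is checked against NTFS only. The `member` and `outsider` users are hypothetical, and the model assumes allow-only ACLs with no deny entries or inheritance.

```python
# Simplified model (assumption): allow-only ACLs, no deny ACEs, no inheritance.
LEVELS = {"None": 0, "Read": 1, "Change": 2, "FullControl": 3}
NAMES = {v: k for k, v in LEVELS.items()}

# The four share/NTFS combinations from the list above, best to worst.
COMBOS = [
    ("1", {"Accounts": "Change"}, {"Accounts": "Change"}),
    ("2", {"Everyone": "FullControl"}, {"Accounts": "Change"}),
    ("3", {"Accounts": "Change"}, {"Everyone": "FullControl"}),
    ("4", {"Everyone": "FullControl"}, {"Everyone": "Change"}),
]

def granted(acl, groups):
    """Highest level that any of the user's groups is allowed by this ACL."""
    return max((LEVELS[lvl] for grp, lvl in acl.items() if grp in groups), default=0)

def effective(share_acl, ntfs_acl, groups, over_network=True):
    """Network access = min(share, NTFS); a local logon is checked against NTFS only."""
    ntfs = granted(ntfs_acl, groups)
    if not over_network:
        return NAMES[ntfs]
    return NAMES[min(granted(share_acl, groups), ntfs)]

def open_layers(share_acl, ntfs_acl):
    """Number of layers that grant anything to Everyone (0 = both layers restricted)."""
    return sum("Everyone" in acl for acl in (share_acl, ntfs_acl))

def report():
    member = {"Everyone", "Accounts"}   # hypothetical user in the Accounts group
    outsider = {"Everyone"}             # hypothetical user outside Accounts
    rows = []
    for name, share, ntfs in COMBOS:
        rows.append((name,
                     effective(share, ntfs, member),
                     effective(share, ntfs, outsider),
                     effective(share, ntfs, outsider, over_network=False),
                     open_layers(share, ntfs)))
    return rows

if __name__ == "__main__":
    print("combo\tmember/net\toutsider/net\toutsider/local\topen layers")
    for row in report():
        print(*row, sep="\t")
```

The member of Accounts ends up with Change in every combination; what separates the four is how much a non-member gets and how many layers are left open to Everyone.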