RE: Binding Windows Services to Specific Addresses Only



The only thing with using SCW in such a way is that if you are doing
multi-tier web applications, SCW can break things. Even more so if you are
doing anything with non-default configurations.

My list was looking more towards principles rather than focusing on the
technical accomplishment of those points.

SCW is an excellent starting point for default services; however, I would
advise being careful applying it after a custom web application and also
MAKE SURE you have a lab environment or developer test with the SCW
configuration after it is applied. Build in time in your project schedule,
if applicable, for someone with appropriate experience to troubleshoot.

-W

Wayne S. Anderson

-----Original Message-----
From: Devin Ganger [mailto:DevinG@xxxxxxxxxx]
Sent: Friday, May 09, 2008 11:43 AM
To: wfrazee@xxxxxxxxxx; 'Steve Friedl'; 'Christian Koerner'
Cc: focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: Binding Windows Services to Specific Addresses Only

This is a great list, Wayne!

However, I've got one addition for you.

Wayne S. Anderson wrote:

3) Immediately review the service configuration and default
accounts. If you don't need them, disable them, or in the
case of services at least set them to manual so they do not
run by default. With Windows default accounts, make sure that
the steps that you can take, you have.

<snip>

With the services, take the most restrictive approach possible.
Remember, if something doesn't start, we can always restart
whatever was stopped, so it's OK if something now fails to start.
We just make the necessary adjustments and restart it and we
know not to stop that particular service again ;) You ARE
building the security for this server while it is in a build
or pre-production stage..... right? You should be able to risk
causing other service failures while you determine what services
are necessary.

Don't forget that with Windows Server 2003 SP1 and later, the OS includes a
great tool for automating a lot of this work for you -- the Security
Configuration Wizard. You'll need to go into Add/Remove Programs, Add/Remove
Windows Components to ensure that it's installed on the system, but once you
do -- it's a great tool that allows you to define and manage security policy
for multiple systems.

--
Devin L. Ganger, Exchange MVP Email: deving@xxxxxxxxxx
3Sharp Phone: 425.882.1032
14700 NE 95th Suite 210 Cell: 425.239.2575
Redmond, WA 98052 Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/
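
Both messages come down to changing service configuration on a lab or pre-production build and then checking what broke. One way to make that check repeatable, as an added example that is not part of the original thread: record every service's start mode and state before the change, record them again afterwards, and report the differences. The function names and file paths are assumptions for illustration, and the code uses Get-CimInstance, so it assumes PowerShell 3.0 or later.

```powershell
# Added example: snapshot and compare Windows service configuration around a
# hardening change (for instance, applying an SCW policy in a lab).
# Function names and file paths are hypothetical.

function Save-ServiceBaseline {
    param([Parameter(Mandatory)][string]$Path)
    # Win32_Service exposes StartMode (Auto/Manual/Disabled), State and the logon account.
    Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, DisplayName, StartMode, State, StartName |
        Sort-Object Name |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

function Compare-ServiceBaseline {
    param(
        [Parameter(Mandatory)][string]$Before,
        [Parameter(Mandatory)][string]$After
    )
    # Index the earlier snapshot by service name for direct lookup.
    $old = @{}
    Import-Csv -Path $Before | ForEach-Object { $old[$_.Name] = $_ }

    foreach ($svc in Import-Csv -Path $After) {
        $prev = $old[$svc.Name]
        if (-not $prev) {
            [pscustomobject]@{ Name = $svc.Name; Finding = 'New service'; Before = ''; After = $svc.StartMode }
            continue
        }
        if ($prev.StartMode -ne $svc.StartMode) {
            [pscustomobject]@{ Name = $svc.Name; Finding = 'Start mode changed'; Before = $prev.StartMode; After = $svc.StartMode }
        }
        # An auto-start service that was running before and is stopped now is
        # the usual sign that something it depends on was disabled.
        if ($svc.StartMode -eq 'Auto' -and $prev.State -eq 'Running' -and $svc.State -ne 'Running') {
            [pscustomobject]@{ Name = $svc.Name; Finding = 'Auto-start service no longer running'; Before = $prev.State; After = $svc.State }
        }
    }
}

# Usage in a lab build (paths are placeholders):
#   Save-ServiceBaseline -Path C:\Temp\services-before.csv
#   ...apply the hardening change and reboot...
#   Save-ServiceBaseline -Path C:\Temp\services-after.csv
#   Compare-ServiceBaseline -Before C:\Temp\services-before.csv -After C:\Temp\services-after.csv |
#       Format-Table -AutoSize
```

Keeping the "before" file also gives a record of the original start modes to restore from if a service turns out to be needed.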


