How to Harden a Server
By Stephen Bucaro
To "harden" a server means to configure it in a way that enhances its security. One way to enhance
a server's security is to configure it so that it runs only the services and protocols that are
required for its role.
For example, a server being used as a web server needs to run Hypertext Transfer Protocol (HTTP)
and HTTP over Secure Sockets Layer (HTTPS). Other protocols such as Simple Mail Transfer Protocol
(SMTP) and Telnet should not be running.
If Telnet is left running unnecessarily, a hacker may be able to connect to the server and
launch an attack. If SMTP is left running unnecessarily, a hacker may be able to exploit
vulnerabilities in that protocol to launch an attack.
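One way to check a server against its role, as an added example that is not part of the original article: the PowerShell function below lists TCP listeners that fall outside an allow-list and names the services behind them. The function name, the allow-list of ports 80 and 443, and the sample data are assumptions made for illustration; Get-NetTCPConnection requires Windows Server 2012 or later.

```powershell
# Added example: report TCP listeners that are outside a role's allow-list.
# The allow-list (80, 443) is an assumption for a web server role.
function Get-UnexpectedListener {
    param(
        [int[]]$AllowedPorts = @(80, 443),
        # Defaults read the live system; pass objects explicitly to try it offline.
        [object[]]$Listeners = (Get-NetTCPConnection -State Listen),
        [object[]]$Services  = (Get-CimInstance -ClassName Win32_Service)
    )
    # Map each process ID to the names of the services hosted in that process.
    $svcByPid = @{}
    foreach ($s in $Services) {
        if ($s.ProcessId -gt 0) { $svcByPid["$($s.ProcessId)"] += @($s.Name) }
    }
    foreach ($l in $Listeners) {
        # Loopback-only listeners are not reachable from the network.
        if ($l.LocalAddress -in '127.0.0.1', '::1') { continue }
        # Listeners on allowed ports are expected for this role.
        if ($l.LocalPort -in $AllowedPorts) { continue }
        [pscustomobject]@{
            Port      = $l.LocalPort
            Address   = $l.LocalAddress
            ProcessId = $l.OwningProcess
            Services  = ($svcByPid["$($l.OwningProcess)"] -join ', ')
        }
    }
}

# Constructed sample data (not from a real host): a web server that also
# has Telnet (port 23) and SMTP (port 25) listening.
$sampleListeners = @(
    [pscustomobject]@{ LocalAddress = '0.0.0.0';   LocalPort = 80;   OwningProcess = 4 }
    [pscustomobject]@{ LocalAddress = '0.0.0.0';   LocalPort = 443;  OwningProcess = 4 }
    [pscustomobject]@{ LocalAddress = '0.0.0.0';   LocalPort = 23;   OwningProcess = 1200 }
    [pscustomobject]@{ LocalAddress = '0.0.0.0';   LocalPort = 25;   OwningProcess = 1344 }
    [pscustomobject]@{ LocalAddress = '127.0.0.1'; LocalPort = 8005; OwningProcess = 2210 }
)
$sampleServices = @(
    [pscustomobject]@{ Name = 'TlntSvr'; ProcessId = 1200 }
    [pscustomobject]@{ Name = 'SMTPSVC'; ProcessId = 1344 }
)

# Offline run against the sample data; call with no arguments to audit the local server.
Get-UnexpectedListener -Listeners $sampleListeners -Services $sampleServices
```

On a live server the output is a list to review rather than a list to disable: listeners that Windows itself needs will also appear until they are added to the allow-list.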
Security Configuration Wizard (SCW)
One reason system administrators tend to leave unnecessary services running and unnecessary
protocols installed is that it's difficult to identify which are necessary and which are not.
The SCW, built into Windows Server, can be used to analyze a system and guide you through
the process of creating, editing, applying, or rolling back a security policy.
Start the SCW by selecting Start | Administrative Tools | Security Configuration Wizard.
The SCW will guide you through several screens where you can create, edit, and apply security policies.
The security policy that you create is an XML file that, when applied, configures services,
network security, specific registry values, and audit policy. After you create the file, you can view
it at c:\Windows\security\msscw\Policies\Text\test.xml.
If you prefer to determine security settings yourself, rather than be guided by the SCW, the
SCW provides an extensive database that you can browse to learn about the different security
settings. It indicates security settings for various server roles, client features, administration
options, service configurations, and firewall settings.
Keep the System Updated
Hackers are continuously probing servers, searching for vulnerabilities that they can exploit.
When Microsoft learns of a vulnerability that has been discovered by hackers, it provides
patches and hotfixes to close the vulnerability. If the vulnerability is very serious, it releases
the patch or hotfix as quickly as possible. Patches for less serious problems are released
on the regularly scheduled second Tuesday of every month.
Many system administrators configure Automatic Update to install all updates as soon as
they're released. However, sometimes an update designed to fix one problem creates another problem.
By knowing that updates will be released on the second Tuesday of every month, administrators
can plan for and manage their deployment.
Some system administrators use a special service like System Center Configuration Manager
(SCCM) or Windows Server Update Services (WSUS), which allows them to
test the updates for compatibility with their systems and software and to selectively deploy
only the updates that will not cause problems on their systems.
Both of these applications are available at the Microsoft Download Center.