NIST Security Configuration Checklists Repository

Windows Server 2003 Operating System Legacy, Enterprise, and Specialized Security Benchmark Consensus Security Settings for Domain Controllers

Name Windows Server 2003 Operating System Legacy, Enterprise, and Specialized Security Benchmark Consensus Security Settings for Domain Controllers
Version Version 1.2
Status Final
Creation Date 2005-10-25
Revision Date 2005-10-25
Product Category Operating System
Vendor Microsoft Corporation
Product Windows Server 2003
Product Version Windows Server 2003
Product Role Domain Controller
Checklist Summary This document is a security benchmark for the Microsoft Windows Server 2003 operating system in the domain controller role. It reflects the content of the Consensus Baseline Security Settings document developed by the National Security Agency (NSA), the Defense Information Systems Agency (DISA), the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), The SANS Institute, and the staff and members of the Center for Internet Security (CIS). Section 1 of this guide is a summary checklist of the configuration settings that constitute a compliant Windows Server 2003 domain controller. Appendix A is a questionnaire that can be used to put the trade-offs of each setting into perspective. Section 2 provides a contextual description of each requirement in the benchmark: what the setting means, why it is restricted, and what the consequences of restricting it may be. It covers the same information as Section 1 in greater detail.
Known Issues This guide imposes changes that are best implemented in a managed environment. They are designed to limit communication between computers to positively identified and authorized personnel. Major systems should still function, but testing this benchmark in a controlled environment before deployment is essential. Settings at the Enterprise level are designed for domain controllers operating in a managed environment where interoperability with legacy systems is not required. This level assumes that every operating system in the enterprise is Windows 2000 or later and can therefore use all of the security features available in those systems. In such environments the Enterprise-level settings are not likely to affect the function or performance of the OS; however, carefully consider the possible impact on software applications before applying these technical controls. Settings at the Specialized Security - Limited Functionality level are designed for domain controllers where security and integrity are the highest priorities, even at the expense of functionality, performance, and interoperability. Each such setting should therefore be considered carefully and applied only by an experienced administrator who thoroughly understands its potential impact in the particular environment.
Target Audience This benchmark is intended for anyone using a Windows Server 2003 operating system who feels at all responsible for the security of that system. A security manager or Information Security Officer should certainly be able to use this guide and the associated tools to gather information about the security status of a network of Windows machines. The owner of a small business or home office can use this guide as a straightforward aid in enhancing his or her own personal network security. A Windows system administrator can use this guide and the associated tools to produce explicit scores that can be given to management to reflect where they currently stand, versus where they should stand with regard to security.
Target Operational Environment Enterprise, Legacy, Specialized Security - Limited Functionality
Checklist Installation Tools In a network environment with a Windows 2000 or Windows Server 2003 Active Directory domain, Group Policy can be used to apply nearly all of the settings described herein. Administrators and users can also use the Local Security Policy editor on individual servers to lock down their environment. A method that uses the Microsoft Security Configuration and Analysis utility to install the WindowsServer2003-DC-Legacy-1.0.0.inf, WindowsServer2003-DCEnterprise-1.0.0.inf, and WindowsServer2003-DC-SpecSec-1.1.inf templates, which contain the security settings in this benchmark, is described in the documentation that accompanies the CIS Windows scoring tool.
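The Security Configuration and Analysis path above can also be driven from the command line with secedit.exe, which uses the same .inf templates and the same security database. The script below is an added example, not part of the CIS benchmark or of this NIST record: it exports the current local policy as a manual baseline (the Rollback Capability field says the checklist provides none), analyzes the domain controller against a template without changing anything, prints the settings that differ, and only applies the template when explicitly asked. The template location, work directory, and the "Mismatch" prefix used when reading the analysis log are assumptions; the template file names are the ones listed above. PowerShell was a separate download on Windows Server 2003, and the same secedit commands can be typed into cmd.exe.

```powershell
# Added example: analyze a Windows Server 2003 domain controller against one of
# the CIS benchmark .inf templates with secedit.exe, and optionally apply it.
# Not from the benchmark or the NIST page. Paths and the "Mismatch" log prefix
# are assumptions; test in a lab first, as the Known Issues field advises.
param(
    # Assumed location of the downloaded template; choose the Legacy, Enterprise
    # or SpecSec file that matches the profile you have selected.
    [string]$Template = 'C:\Benchmark\WindowsServer2003-DC-Legacy-1.0.0.inf',
    [string]$WorkDir  = 'C:\Benchmark\work',
    [switch]$Apply                           # analyze only unless -Apply is given
)

if (-not (Test-Path $Template)) { throw "template not found: $Template" }
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$db       = Join-Path $WorkDir "benchmark-$stamp.sdb"
$baseline = Join-Path $WorkDir "baseline-$stamp.inf"
$log      = Join-Path $WorkDir "secedit-$stamp.log"

# 1. Export the current local security policy before touching anything. The
#    checklist offers no rollback, so this file is the way back:
#    secedit /configure /db rollback.sdb /cfg <baseline> /overwrite
secedit /export /cfg $baseline /quiet
if (-not (Test-Path $baseline)) { throw "baseline export failed; nothing was changed" }

# 2. Compare the machine against the template. /analyze writes to the database
#    and the log only; it does not change the running configuration.
secedit /analyze /db $db /cfg $Template /log $log /quiet
if (-not (Test-Path $log)) { throw "secedit /analyze produced no log" }

# The analysis log lists each setting that differs from the template on a line
# starting with "Mismatch" (assumed log format). Get-Content honours the log's
# Unicode byte-order mark, so the lines can be matched directly.
function Get-Mismatches([string]$Path) {
    @(Get-Content $Path | Where-Object { $_ -match '^\s*Mismatch' } | ForEach-Object { $_.Trim() })
}
$mismatches = Get-Mismatches $log
Write-Host ("{0} setting(s) differ from {1}:" -f $mismatches.Count, (Split-Path $Template -Leaf))
$mismatches | ForEach-Object { Write-Host "  $_" }

if (-not $Apply) {
    Write-Host "Analysis only. Review each mismatch against Section 2 of the benchmark, then re-run with -Apply."
    return
}

# 3. Apply the template. /overwrite replaces the database contents with the
#    template instead of merging, so what is applied is the benchmark as published.
secedit /configure /db $db /cfg $Template /overwrite /log $log /quiet

# 4. On a domain controller the Default Domain Controllers Policy is re-applied
#    at the next Group Policy refresh and can override locally applied settings.
#    Force a refresh and re-analyze so the report shows what actually persisted.
gpupdate /force | Out-Null
secedit /analyze /db $db /cfg $Template /log $log /quiet
$remaining = Get-Mismatches $log
Write-Host ("{0} setting(s) still differ after apply and Group Policy refresh." -f $remaining.Count)
$remaining | ForEach-Object { Write-Host "  $_" }
if ($remaining.Count -gt 0) {
    Write-Host "Settings that persist here are most likely enforced by Group Policy; set them in the GPO instead."
}
```

Run the script once without -Apply and keep the printed mismatch list with the change record; the re-analysis after gpupdate is the check that distinguishes settings the template changed from settings Group Policy immediately reverted, which on a domain controller is the common reason a local lockdown appears not to take effect.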
Rollback Capability Not Available.
Testing Information Not Available.
NIAP/CMVP Status  
Regulatory Compliance   
Comments, Warnings, Disclaimer, Miscellaneous Refer to Known Issues.
Disclaimer Proper use of the recommendations requires careful analysis and adaptation to specific user requirements. The recommendations are not in any way intended to be a "quick fix" for anyone's information security needs. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the products or the recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any product or recommendation. CIS is providing the products and the recommendations "as is" and "as available" without representations, warranties or covenants of any kind.
Product Support  
Submitting Organization/Authors The Center for Internet Security (CIS)
Point of Contact windows-feedback@cisecurity.org
Sponsor  
Licensing Commercial use license; EDUCAUSE Member license; US Federal, state and local government agency license

Checklist Homepage http://www.cisecurity.org/
Download Package http://www.cisecurity.org/sub_form.html
Integrity sha1 (CIS_Win2003_DC_Benchmark_v1.2.pdf) = bb1f68d11327baf71a2f36a969b4cc1d6ddde029
sha256 (CIS_Win2003_DC_Benchmark_v1.2.pdf) = 7e7b46b7aab43863f20b2ae72b06a04aae9e239d0a14d24c5358d195fd2b5ad7
Change History

Version 1.2: 2005-10-25
Version 1.1: 2004-10-20
Version 1.0.2: 2004-10-14
Version 1.0: 2004-09-03

Dependency/Requirement  
References
The Center for Internet Security - http://www.cisecurity.org
The SANS Institute - http://www.sans.org
National Security Agency Security Recommendation Guides - http://nsa1.www.conxion.com
Department of Defense recommendations - http://iase.disa.mil/stigs/index.html
Microsoft Windows Security - http://www.microsoft.com/security
Windows XP Security Guide - http://go.microsoft.com/fwlink/?LinkId=14839
Server 2003 Security Guide - http://go.microsoft.com/fwlink/?LinkId=14845
Threats and Countermeasures Guide - http://go.microsoft.com/fwlink/?LinkId=15159
Microsoft Directory Services Client for Windows 9x/Me - http://www.microsoft.com/technet/prodtechnol/ntwrkstn/downloads/utils/dsclient.mspx
The CIS Scoring Tool that accompanies this document uses the Microsoft Network Security Hotfix Checker (HfNetChk), which is licensed to Microsoft by Shavlik Technologies - http://www.shavlik.com/
Windows NT Magazine article regarding editing the Registry - http://www.microsoft.com/technet/prodtechnol/winntas/tips/winntmag/inreg.mspx
NIST Identifier 1053



NIST and the checklist submitter do not guarantee or warrant the checklist's accuracy or completeness. NIST is not responsible for loss, damage, or problems that may be caused by using the checklist.

Last updated: November 17, 2006
Page created: October 28, 2004

Send comments or suggestions to checklists@nist.gov
NIST is an Agency of the U.S. Commerce Department's Technology Administration