The Microsoft Windows 2003 Server SRR targets conditions that undermine the integrity of security, contribute to inefficient security operations and administration, or may lead to interruption of production operations. Sites are required to secure the Microsoft Windows Server 2003 operating system in accordance with DoD Directive 8500.1, Section 4.18 (and related footnote). The checks in this document were developed from DoD guidelines specified in the above reference, as well as the Windows Server 2003 security guides published by the Microsoft Corporation. Additionally, the review ensures the site has properly installed and implemented the Windows 2003 Server operating system and that it is being managed in a way that is secure, efficient, and effective. The items reviewed are based on standards and requirements published by DISA in the Security Handbook and other DoD policy and regulations. The results of the SRR scripts correspond to the Windows 2003 Server SRR Checklist using the following status codes: F - Finding, N/F - Not a Finding, N/A - Not Applicable, MR - Manual Review, or NR - Not Reviewed.
This document is designed to instruct the reviewer on how to assess Windows 2003 Server configurations in a Windows NT 4, Windows 2000, or Windows 2003 domain. In addition, the security settings recommended can also be used to configure Group Policy in a Windows 2000 or Windows 2003 Active Directory environment.
The Windows 2003 Server Security Checklist is composed of five major sections and five appendices:
- Section 1: This section contains summary information about the sections and appendices that comprise the Windows Server 2003 Security Checklist's scope. Supporting documents consulted are listed in this section.
- Section 2: This section is the matrix that allows the reviewer to document vulnerabilities discovered during the SRR process. The entries in this table, sorted by Potential Discrepancy Item (PDI), are mapped to procedures, referenced by paragraph number, in Sections 3 and 5.
- Section 3: This section contains the administrative issues that are discussed between the reviewer and the System Administrator or the Information Assurance Officer (IAO). The interview outlined in this section may be performed independent of the technical review discussed in Sections 4 and 5.
- Section 4: This section contains summary information for running the Gold Disk.
- Section 5: This section documents the procedures that instruct the reviewer on how to perform an SRR manually, and how to interpret the program output for vulnerabilities. Each procedure maps to a PDI tabulated in Section 2.
- Appendix A: This appendix documents the allowed Access Control Lists (ACLs) for file and registry objects. The tables contained in this appendix are referenced in Sections 4 and 5.
- Appendix B: This appendix contains checks for IAVM compliance to be done against a Windows Server 2003 machine.
- Appendix C: This appendix contains disclaimer information about the use of the Gold Disk.
- Appendix D: This appendix documents the procedures for using the 'John the Ripper' password integrity utility.
- Appendix E: This appendix documents the procedures for using Microsoft's Group Policy Results command line tool to determine the source policy for specific settings.