PROXY SERVER CHECKLIST

MICROSOFT PROXY SERVER SECURITY CHECKLIST

The following checklist provides a baseline configuration for Microsoft Proxy Server. It does not specify organizational security policy. This must be determined individually by each organization. Deviation from this checklist should be justified by the organization's requirements, and documented in the Comments Section.

Procedure Yes No N/A Comments

Install MS Proxy Server in an NTFS partition separate from the NT Server OS

Enable IP Forwarding check box in the Network application should not be selected.

Use NTFS volumes.

Run only the services you need.

The host server should be a standalone member server, not a domain controller.

In the TCP/IP Configuration, references to DNS servers and to gateways should be removed.

The FTP server in IIS should be disabled or not installed at all.

Unbind unnecessary services from the NIC.

Check permissions on network shares.

No other applications should run on the host server.

All network drive mappings on the host server should be disabled.

Enable auditing.

Limit the membership of the Administrator group.

Enforce strict account policies

Disable the following external TCP/IP ports:
47
137-139

Install all approved Service Packs and patches.

WinSock Proxy Service

Service tab Limit the configuration of the LAT to the range Of addresses in the internal network
Permissions tab Enable access control; Grant access to protocols Necessary for operating the Organization
Logging tab Logging enabled; Regular logging selected; Log to File selected; Automatically open new log (daily) selected
Filtering tab Apply the Organization filtering policy

Web Proxy Service

Service tab Limit the configuration of the LAT to the range Of addresses in the internal network; Internet publishing not enabled
Permissions tab Enable access control for all protocols; Access granted to selected users
Logging tab Logging enabled; Regular logging selected; Log to File selected; Automatically open new log (daily) selected
Filtering tab Apply the Organization filtering policy

B. Use the Administrator's Handbook to determine how to perform the verification.

Procedure	Yes	No	N/A	Comments

Install MS Proxy Server in an NTFS partition separate from the NT Server OS
Enable IP Forwarding check box in the Network application should not be selected.
Use NTFS volumes.
Run only the services you need.
The host server should be a standalone member server, not a domain controller.
In the TCP/IP Configuration, references to DNS servers and to gateways should be removed.
The FTP server in IIS should be disabled or not installed at all.
Unbind unnecessary services from the NIC.
Check permissions on network shares.
No other applications should run on the host server.
All network drive mappings on the host server should be disabled.
Enable auditing.
Limit the membership of the Administrator group.
Enforce strict account policies
Disable the following external TCP/IP ports: 47 137-139
Install all approved Service Packs and patches.

WinSock Proxy Service
Service tab Limit the configuration of the LAT to the range Of addresses in the internal network Permissions tab Enable access control; Grant access to protocols Necessary for operating the Organization Logging tab Logging enabled; Regular logging selected; Log to File selected; Automatically open new log (daily) selected Filtering tab Apply the Organization filtering policy

Web Proxy Service
Service tab Limit the configuration of the LAT to the range Of addresses in the internal network; Internet publishing not enabled Permissions tab Enable access control for all protocols; Access granted to selected users Logging tab Logging enabled; Regular logging selected; Log to File selected; Automatically open new log (daily) selected Filtering tab Apply the Organization filtering policy