System Lockdown Policy

1.0 Overview
This system lockdown policy is an internal IT policy. It defines the general process used to lock down servers and workstations: reduce what runs and listens on the host to the services it actually needs, patch it, restrict accounts and permissions, and verify the result with a vulnerability scan.

2.0 Purpose
This policy is designed to minimize risk to organizational resources and data by establishing a process for increasing the security of servers and workstations by stopping unneeded services and testing for vulnerabilities.

3.0 Server Lockdown and Hardening
This section describes the general process used to lock down servers when they are initially installed and configured, and again whenever their role changes. Types of servers or equipment that need hardening include but are not limited to file sharing servers, email servers, web servers, FTP servers, DNS servers, DHCP servers, database servers, domain controllers, directory servers, and network devices such as firewalls, routers, and switches.

  1. List services that will be required to run on the server. Examples include:
    1. DNS
    2. HTTP
    3. SMTP
    4. POP3
  2. List the services that are actually running on the server and turn off any that the administrator is certain are not needed. Services that are not on the required list but whose purpose is unclear are investigated before they are stopped, not left running by default.
  3. Do a port scan of the server from another host, using an approved security tool, to determine which ports the server responds on. Compare the result with the list of ports the required services are expected to use; an open port with no required service behind it is a finding. Because a host firewall can hide a listening socket from an external scan, also list the listening sockets on the server itself.
  4. Shut down any services that are not on the required list of services for the server. In particular, shut down the services listed in Appendix A - Services Recommended for Shutdown.
  5. Remove any unnecessary programs, services, and drivers from the server, especially those that were added after installation and are not part of the default install. A removed component cannot be re-enabled by mistake or by an attacker the way a merely stopped service can.
  6. Patch the server with the latest patches and patch all services running on the server.
  7. Disable or change the password of any default accounts on the server or related to any operating services.
  8. Be sure all passwords used to access the system or used by services on the system meet minimum requirements including length and complexity parameters.
  9. Be sure all users and services have minimum required rights and do not have rights to items not needed.
  10. Be sure file share and file permissions are as tight as possible.
  11. Perform a vulnerability assessment scan of the server.
  12. Patch or fix any vulnerabilities found.
  13. Where appropriate, install and run additional security programs such as:
    1. Anti-virus - Install and perform latest update of software and virus definitions.
    2. Firewall
    3. Intrusion detection software - Approved host-based intrusion detection software is recommended on all servers.
    4. Honeypot
    5. File integrity monitoring - detection of changes to system files, configuration files, and the operating system itself.
    All of this software should have the latest updates installed.
  14. Set security parameters on all software such as where anti-virus programs will scan, how often it will scan, and how often it will get virus definition updates.
  15. Enable audit logging for successful and failed logons, privilege use, and changes to accounts, services, and security settings, so that unauthorized access can be detected and reconstructed. Logs should be forwarded to a central log server so that an attacker who gains control of the host cannot simply erase them.
  16. Perform another vulnerability assessment scan of the server, and fix any discrepancies.
  17. Take additional account management security measures including:
    1. Disable the guest account
    2. Rename default administrator accounts
    3. Set accounts for minimum possible access
    4. Be sure all accounts have passwords meeting minimum complexity and length rules.
  18. Test the server to be sure all desired services are operating properly.
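The audit steps above (list required services, list what is running, check what is listening, and confirm the required services still work after lockdown) can be scripted. The following is an added example for a Windows server, not part of the original policy: it compares running services and listening TCP ports against an approved list and reports both the unexpected items and the required items that are missing. The service names and ports in $Required are hypothetical values for a DNS and web server; the real list for a given server must also include the operating system's own essential services, so treat the "unexpected" output as a review list, never as an automatic stop list. It assumes PowerShell 5.1 or later with the NetTCPIP module (Windows Server 2012 or later).

```powershell
# Added example, not part of the original policy. Implements steps 1-4 and 18
# of Section 3 on Windows Server (PowerShell 5.1+, NetTCPIP module present).
# $Required holds hypothetical values for a DNS + web server; replace them with
# the server's own required list, including the OS services it cannot run without.

$Required = @{
    Services = @('Dns', 'W3SVC', 'WinRM', 'EventLog', 'Dhcp')   # short service names
    TcpPorts = @(53, 80, 443, 5985)                             # ports that must listen
}

function Get-ListeningPorts {
    # Local view of listening TCP sockets with the owning process name. This
    # complements, and does not replace, the external port scan in step 3,
    # because a host firewall can hide a listening socket from a scanner.
    Get-NetTCPConnection -State Listen |
        Select-Object LocalAddress, LocalPort, OwningProcess,
            @{ Name = 'Process'; Expression = {
                (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
        Sort-Object LocalPort -Unique
}

function Invoke-LockdownAudit {
    param([hashtable]$Required)

    $running   = Get-Service | Where-Object Status -eq 'Running'
    $listening = Get-ListeningPorts

    # Steps 2 and 4: running services that are not on the required list (review, do not auto-stop)
    $unexpectedServices = $running | Where-Object { $Required.Services -notcontains $_.Name }

    # Step 3: listening ports with no required service behind them
    $unexpectedPorts = $listening | Where-Object { $Required.TcpPorts -notcontains $_.LocalPort }

    # Step 18: required services or ports that are NOT present, i.e. the lockdown broke something
    $missingServices = $Required.Services | Where-Object {
        $svc = Get-Service -Name $_ -ErrorAction SilentlyContinue
        (-not $svc) -or ($svc.Status -ne 'Running')
    }
    $missingPorts = $Required.TcpPorts | Where-Object { $listening.LocalPort -notcontains $_ }

    [pscustomobject]@{
        UnexpectedServices = @($unexpectedServices | Select-Object Name, DisplayName, StartType)
        UnexpectedPorts    = @($unexpectedPorts)
        MissingServices    = @($missingServices)
        MissingPorts       = @($missingPorts)
    }
}

$report = Invoke-LockdownAudit -Required $Required
$report.UnexpectedServices | Format-Table -AutoSize
$report.UnexpectedPorts    | Format-Table -AutoSize
if ($report.MissingServices.Count -or $report.MissingPorts.Count) {
    Write-Warning ("Required items not present - services: {0}; ports: {1}" -f
        ($report.MissingServices -join ', '), ($report.MissingPorts -join ', '))
}

# Keep the report with the server's change record; the re-scan in step 16 is compared against it.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$report.UnexpectedServices | Export-Csv -NoTypeInformation -Path "lockdown-services-$stamp.csv"
$report.UnexpectedPorts    | Export-Csv -NoTypeInformation -Path "lockdown-ports-$stamp.csv"
```

Run it elevated before the lockdown to produce the baseline, again after step 4 to confirm the unexpected lists have shrunk, and once more after step 18 to confirm nothing required is missing. Save the CSV files alongside the vulnerability scan reports so the audit in section 4.0 has evidence to review.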

4.0 Enforcement
Since locking down servers is critical to the security of the organization and everyone, this policy must be enforced by management through review and auditing.




Appendix A - Services Recommended for Shutdown

Note: several of the services below (for example Messenger, Alerter, NetMeeting Remote Desktop Sharing, Network DDE, Wireless Zero Configuration, and Remote Desktop Help Session Manager) exist only on Windows XP and Windows Server 2003 era systems and are absent from current Windows releases. A service that is not present on the host needs no action; the list is to be checked against what the host actually has installed.

  1. File and Printer Sharing for Microsoft Networks - Uninstallation of this service is recommended on servers that are not file or print servers. It is not needed unless the computer shares a printer or shares folders with other computers. Note that it also backs the administrative shares (such as C$ and ADMIN$) that some remote management tools depend on, so confirm the administrators' own access path does not need it before removing it.
  2. Messenger - Disable this service in the Services applet of Administrative Tools. This service has some serious security bugs and problems and has very little use for managing the network.
  3. Remote registry service - This service should be set to manual or disabled, since it allows users on remote computers who hold sufficient rights to read and modify the registry over the network. It is a serious security risk and should only be run if required by network administrators or by approved management tooling. Set this service to manual or disabled in the Services applet of Administrative Tools.
  4. Secondary Logon service - If it is not necessary for lower privileged users to use the "Run As" command to run commands that only administrators or power users can run, this service should be disabled.
  5. Universal Plug and Play Device Host service - It broadcasts unnecessary information about the computer running the service. It may be used by MSN messenger. This service is a high security risk and should be disabled unless dependent services are required.
  6. Wireless Zero Configuration service - Used to support wireless connections. If you are not using wireless, this should be disabled. This service is a high security risk and should be disabled unless needed.
  7. Computer Browser - For home users and most organizational users, this service can be disabled. Running this service is a moderate security risk.
  8. NetMeeting Remote Desktop sharing - A person on a remote computer can access your desktop to help you. This service may be used by network administrators to help users with tasks. Normally this service should be disabled unless needed. Running this service is a moderate security risk.
  9. Remote Desktop Help Session Manager service - A person on a remote computer can access your desktop to help you. This service may be used by network administrators to help users with tasks. Normally this service should be disabled unless needed. Running this service is a moderate security risk.
  10. Network DDE Service - Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. It allows two running programs to share the same data on the same computer or on different computers. Running this service is a moderate security risk. Normally this service should be disabled unless needed.
  11. Network DDE DSDM Service - Manages DDE network shares. Running this service is a moderate security risk. Normally this service should be disabled unless needed.
  12. NT LM Security support provider - Used for backward compatibility with older Microsoft operating systems. Running this service is a moderate security risk. Normally this service should be disabled unless needed or set to manual.
  13. SSDP Discovery service - Allows the computer to connect with networked plug and play devices on the network. This service does not support internal PnP devices. This service should be disabled unless the computer needs to connect to external networked plug and play devices.
  14. Telnet service - The telnet service allows a terminal connection to or from a remote computer but sends usernames, passwords, and the whole session in the clear, so anyone who can observe the network path can capture the credentials. Running this service is a serious security risk. This service should be disabled and an encrypted alternative (such as SSH or Remote Desktop) used instead.
  15. Terminal services - Allows a remote connection from a remote computer, usually used by network administrators to help users or to administer servers remotely. Running this service is a moderate security risk. Normally this service should be disabled or set to manual unless needed. Where it is the administrators' remote access path, leave it enabled but restrict the listening port with the host firewall to the administration network and require strong authentication.
  16. Alerter service - The alerter service allows system administrators to send messages to selected users. This service should be disabled unless specifically needed.
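The Appendix A list is most useful when it is applied the same way on every host. The following is an added example, not part of the original policy, that disables the listed services on a Windows host, records their prior state so the change can be reversed if the step 18 function test fails, and skips services that do not exist on the host (several of the Appendix A entries are absent on current Windows releases). The mapping from the display names in Appendix A to service short names is the editor's own assumption; verify it with Get-Service on the target before relying on it. Items 1 and 15 (the Server service behind File and Printer Sharing, and Terminal Services) are deliberately left out of the default list because disabling either can cut off the administrator's own remote access.

```powershell
# Added example, not part of the original policy. Disables the Appendix A
# services on a Windows host (PowerShell 5.1+, run elevated), snapshotting the
# prior state first. Service short names below are the editor's mapping of the
# Appendix A display names; confirm them with Get-Service on the target host.

$AppendixA = @(
    'Messenger',      # 2.  Messenger
    'RemoteRegistry', # 3.  Remote Registry
    'seclogon',       # 4.  Secondary Logon
    'upnphost',       # 5.  Universal Plug and Play Device Host
    'WZCSVC',         # 6.  Wireless Zero Configuration
    'Browser',        # 7.  Computer Browser
    'mnmsrvc',        # 8.  NetMeeting Remote Desktop Sharing
    'RDSessMgr',      # 9.  Remote Desktop Help Session Manager
    'NetDDE',         # 10. Network DDE
    'NetDDEdsdm',     # 11. Network DDE DSDM
    'NtLmSsp',        # 12. NT LM Security Support Provider
    'SSDPSRV',        # 13. SSDP Discovery
    'TlntSvr',        # 14. Telnet
    'Alerter'         # 16. Alerter
)
# Deliberately NOT in the default list: item 1 (LanmanServer, the Server service that
# backs File and Printer Sharing and the admin shares) and item 15 (TermService, RDP).
# Either can be the administrator's own remote access path; pass them explicitly via
# -Names only on hosts confirmed not to need them.

function Disable-AppendixAServices {
    param(
        [string[]]$Names = $AppendixA,
        [string]$SnapshotPath = "service-snapshot-$(Get-Date -Format 'yyyyMMdd-HHmm').csv"
    )
    $snapshot = foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            Write-Verbose "$name is not present on this host, skipping"
            continue
        }
        # Record the prior state before touching the service so it can be rolled back
        [pscustomobject]@{ Name = $svc.Name; StartType = $svc.StartType; Status = $svc.Status }
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $svc.Name -Force -ErrorAction Stop   # -Force also stops dependents
        }
        Set-Service -Name $svc.Name -StartupType Disabled            # survive reboot
    }
    $snapshot | Export-Csv -NoTypeInformation -Path $SnapshotPath
    $snapshot
}

function Restore-ServiceSnapshot {
    # Rollback for use if the step 18 function test shows a required service broke.
    param([Parameter(Mandatory)][string]$SnapshotPath)
    foreach ($row in Import-Csv -Path $SnapshotPath) {
        Set-Service -Name $row.Name -StartupType $row.StartType
        if ($row.Status -eq 'Running') { Start-Service -Name $row.Name }
    }
}

# Review the returned table (what was changed and from what state), keep the CSV with the
# server's change record, then run the step 18 function test.
Disable-AppendixAServices -Verbose | Format-Table -AutoSize
```

Disabling the startup type, rather than only stopping the service, is what makes the change persist across reboots; stopping alone leaves a service that comes back with the next restart and would show up again in the step 16 re-scan.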

For more information about Windows services see http://www.computersecuritytool.com/windows_services_home.html