Windows Server contains built-in support for security templates, which can help to standardize security settings across servers and aid in their deployment. A security template is simply a text file formatted in such a way that specific security settings are applied uniformly. For example, the security template could force a server to lock down Windows Firewall ports, or not attempt to use down-level (and less secure) methods of authentication across the network.

Application of a security template is straightforward and can be accomplished by applying a template directly to an OU, site, or domain via a Group Policy Object (GPO). Security templates can be enormously useful in making sure that all servers have the proper security applied, but they come with a large caveat. Often, the settings defined in a template can be made too strict, and security templates that are too strong for a server can break application or network functionality. It is therefore critical to test all security template settings before deploying them to production.

Shutting Off Unnecessary Services

Each service that runs, especially those that use elevated system privileges, poses a particular security risk to a server. Although the security emphasis in Windows Server reduces the overall threat, there is still a chance that one of these services will provide entry for a specialized virus or determined hacker. A great deal of effort has been put into the science of determining which services are necessary and which can be disabled. Windows Server simplifies this guessing game with an enhanced Services MMC snap-in.

As shown in Figure 1, the Services console not only shows which services are installed and running but also gives a reasonably thorough description of what each service does and the effect of turning it off. It is wise to audit the Services list on each deployed server and determine which services are necessary and which can be disabled. Many services such as the Print Spooler, Telephony, and others are unnecessary on a SharePoint server and simply create more potential security holes. Finding the happy medium is the goal because too many running services could potentially provide security holes, whereas shutting off too many services could cripple the functionality of a server.
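
The audit described above can also be scripted so that it is repeatable across servers. The following PowerShell is an added example, not part of the original text; it assumes the short service names Spooler and TapiSrv for the Print Spooler and Telephony services named above, and it only reports and previews changes (every modifying command runs with -WhatIf).

```powershell
# Report-only audit of services on the local server.
# Assumption: the candidate list holds the two services the text names
# (Print Spooler = Spooler, Telephony = TapiSrv); extend it only after testing.
$candidates = @('Spooler', 'TapiSrv')

# Built-in account names that indicate a service runs with system-level rights.
$elevated = @('LocalSystem', 'NT AUTHORITY\SYSTEM')

# Collect every service that is running now or starts automatically at boot.
$report = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.State -eq 'Running' -or $_.StartMode -eq 'Auto' } |
    ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            DisplayName = $_.DisplayName
            State       = $_.State
            StartMode   = $_.StartMode
            RunsAs      = $_.StartName
            Elevated    = $elevated -contains $_.StartName
            Candidate   = $candidates -contains $_.Name
            Description = $_.Description
        }
    } |
    Sort-Object -Property @{ Expression = 'Candidate'; Descending = $true },
                          @{ Expression = 'Elevated';  Descending = $true },
                          Name

# Full list for review: the same information the Services console shows.
$report | Format-Table Name, State, StartMode, RunsAs, Elevated, Candidate -AutoSize

# For each candidate, check what depends on it before previewing the change.
foreach ($svc in $report | Where-Object { $_.Candidate }) {
    $dependents = (Get-Service -Name $svc.Name).DependentServices |
        Where-Object { $_.Status -eq 'Running' }
    if ($dependents) {
        # Disabling this service would stop other running services: review first.
        Write-Warning "$($svc.Name) has running dependents: $($dependents.Name -join ', ')"
        continue
    }
    # -WhatIf prints the intended action without changing the server.
    Stop-Service -Name $svc.Name -WhatIf
    Set-Service  -Name $svc.Name -StartupType Disabled -WhatIf
}
```

Remove -WhatIf only on a test server first, and confirm the applications on that server still work before repeating the change in production.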