Does Windows Server 2003 Even Need Hardening?
mb
Many people tell me they are surprised by how much effort I put into hardening Windows Server 2003: the last hardening document I wrote for a client was 112 pages long. That's not 112 pages of writing, policy, and how-to's; that's 112 pages of nothing but settings. The process itself involves modifying, removing, or locking down over 5,000 Registry keys and system files.
Windows server hardening doesn’t get as much attention now as it did back in the days of Windows 2000. That is because, for the most part, Windows Server 2003 is fairly secure right out of the box. In fact, plenty of times I have placed my own Windows 2003 servers on the Internet after doing nothing else besides installing patches and configuring the firewall. And even without patches it will probably be okay for a while as long as you configure the firewall correctly.
So why so much effort to harden Windows 2003? Well, the fact is that although Windows Server 2003 starts with a secure baseline, there is still a huge attack surface that needs addressing. If we don't address these things, sooner or later some of them will come back to haunt us.
Here are some examples of things that should be addressed on a server:
- There are many file extensions mapped to rarely-used client programs. NetMeeting, for example, registers the extensions .323, .nmw, .wht, .cnf, .iii, .uls.
- There are many system components installed by default, such as AppleTalk or NetWare support, that many servers never use.
- There are many client applications and components installed by default that really shouldn't be installed on a server, such as DirectPlay, Image Acquisition, Media Player, Speech Engines, MS Agent, etc.
- There are many things in Windows enabled for participating in a domain that are not necessary for a standalone server.
- There are thousands of files installed by default that clutter the Windows directory and will never be legitimately accessed on a server.
- There are many NTFS permissions that could be set tighter than they already are.
- There are many settings, such as storing LM hashes, that still are not secure by default.
So while a default Windows 2003 installation is probably secure enough for many of the threats of today, there’s still a long way to go to start addressing the threats of tomorrow.
Since I mentioned NetMeeting: I really think it has no place on a server, but there's no way to uninstall it. This is what I do:
Delete these files:
%SystemRoot%\Help\conf.chm
%SystemRoot%\Help\conf.hlp
%SystemRoot%\Help\conf1.chm
%SystemRoot%\Help\nmchat.chm
%SystemRoot%\Help\nmwhiteb.chm
%SystemRoot%\System32\ConfLnk.dll
%SystemRoot%\System32\Confcp.dll
%SystemRoot%\System32\ft32.exe
%SystemRoot%\System32\ils.dll
%SystemRoot%\System32\imsconf.dll
%SystemRoot%\System32\isrdbg32.dl
%SystemRoot%\System32\mnmdd.dll
%SystemRoot%\System32\mnmsrvc.exe
%SystemRoot%\System32\msconf.dll
%SystemRoot%\System32\msg723.acm
%SystemRoot%\System32\msh261.drv
%SystemRoot%\System32\msh263.drv
%SystemRoot%\System32\msiprt.dll
%SystemRoot%\System32\nac.dll
%SystemRoot%\System32\nmevtmsg.dll
%SystemRoot%\System32\nmmkcert.dll
%SystemRoot%\System32\nmpgmgrp.exe
%SystemRoot%\System32\rrcm.dll
%SystemRoot%\System32\ulclient.dll
%SystemRoot%\System32\ulsvc.exe
%SystemRoot%\System32\xmsconf.ocx
%SystemRoot%\inf\msnetmtg.inf
Then delete these registry keys:
HKCR\.323
HKCR\.NMW
HKCR\.WHT
HKCR\.cnf
HKCR\.iii
HKCR\.uls
HKCR\CLSID\{068B0701-718C-11d0-8B1A-00A0C91BC90E}
HKCR\CLSID\{085C06A0-3CAA-11d0-A00E-00A024A85A2C}
HKCR\CLSID\{19FF8A00-9447-11cf-8796-444553540000}
HKCR\CLSID\{30E7F2A0-EC4C-11ce-8865-00805F742EF6}
HKCR\CLSID\{53D22820-D7E8-11CF-AD0A-0080C7137C82}
HKCR\CLSID\{8ED14CC0-7A1F-11d0-92F6-00A0C922E6B2}
HKCR\Chat
HKCR\ConferenceLink
HKCR\Internet Audio
HKCR\MIME\Database\Content Type\application/x-iphone
HKCR\MIME\Database\Content Type\text/h323
HKCR\MIME\Database\Content Type\text/iuls
HKCR\T126_Whiteboard
HKCR\TypeLib\{53D22821-D7E8-11CF-AD0A-0080C7137C82}
HKCR\Whiteboard
HKCR\callto
HKCR\h323file
HKCR\iiifile
HKCR\ulsfile
HKCU\AppEvents\Schemes\Apps\Conf
HKCU\AppEvents\Schemes\Apps\Internet Audio
HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
HKCU\SOFTWARE\Microsoft\Conferencing
HKCU\SOFTWARE\Microsoft\User Location Service
HKLM\SOFTWARE\Classes\AppID\{5CE55CD8-5179-11D2-931D-0000F875AE17}
HKLM\SOFTWARE\Classes\Applications\msconf.dll
HKLM\SOFTWARE\Classes\CLSID\{068B0700-718C-11d0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\CLSID\{068B0800-718C-11d0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\CLSID\{07970B30-A4DA-11D2-B724-00104BC51339}
HKLM\SOFTWARE\Classes\CLSID\{0F1BE7F8-45CA-11d2-831F-00A0244D2298}
HKLM\SOFTWARE\Classes\CLSID\{3E9BAF2D-7A79-11d2-9334-0000F875AE17}
HKLM\SOFTWARE\Classes\CLSID\{466D66FA-9616-11D2-9342-0000F875AE17}
HKLM\SOFTWARE\Classes\CLSID\{507708CC-A74A-11d2-9351-0000F875AE17}
HKLM\SOFTWARE\Classes\CLSID\{8C3ADF99-CCFE-11d2-AD10-00C04F72DD47}
HKLM\SOFTWARE\Classes\CLSID\{A4AD47C0-20EA-11D0-8796-444553540000}
HKLM\SOFTWARE\Classes\H323MSP.H323MSP
HKLM\SOFTWARE\Classes\H323MSP.H323MSP.1
HKLM\SOFTWARE\Classes\Interface\{053BBEFB-B3BA-11D2-9358-0000F875AE17}
HKLM\SOFTWARE\Classes\Interface\{068B0701-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0702-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0704-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0705-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0710-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0711-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0712-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0720-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0721-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0722-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0723-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0724-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0725-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0726-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0727-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0728-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0729-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B072A-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B072B-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0732-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0734-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0741-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0742-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0743-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0744-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0745-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0780-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0801-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0803-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0805-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0810-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0822-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{068B0823-718C-11D0-8B1A-00A0C91BC90E}
HKLM\SOFTWARE\Classes\Interface\{07970B30-A4DA-11D2-B724-00104BC51339}
HKLM\SOFTWARE\Classes\Interface\{16153670-A4DA-11D2-B724-00104BC51339}
HKLM\SOFTWARE\Classes\Interface\{34871E81-D33A-11D2-92C7-00C04F68D5AE}
HKLM\SOFTWARE\Classes\Interface\{3E9BAF2C-7A79-11D2-9334-0000F875AE17}
HKLM\SOFTWARE\Classes\Interface\{43DB3A8E-A440-11D2-934A-0000F875AE17}
HKLM\SOFTWARE\Classes\Interface\{507708C5-A74A-11D2-9351-0000F875AE17}
HKLM\SOFTWARE\Classes\Interface\{5572984E-7A76-11D2-9334-0000F875AE17}
HKLM\SOFTWARE\Classes\Interface\{57E03C63-A719-11D2-9351-0000F875AE17}
HKLM\SOFTWARE\Classes\Interface\{6EC88CF8-A41B-11D2-9349-0000F875AE17}
HKLM\SOFTWARE\Classes\Interface\{711EC740-6867-11D2-A9A8-00C04FD91A6F}
HKLM\SOFTWARE\Classes\Interface\{97799F9C-A969-11D2-9355-0000F875AE17}
HKLM\SOFTWARE\Classes\Interface\{AF9A9EAF-41BC-11D2-930E-0000F875AE17}
HKLM\SOFTWARE\Classes\Interface\{E65DC590-A4D9-11D2-B724-00104BC51339}
HKLM\SOFTWARE\Classes\Interface\{F7C10EC0-A4D9-11D2-B724-00104BC51339}
HKLM\SOFTWARE\Classes\Interface\{FB7045F0-A4DC-11D2-B724-00104BC51339}
HKLM\SOFTWARE\Classes\Mslablti.MarshalableTI
HKLM\SOFTWARE\Classes\Mslablti.MarshalableTI.1
HKLM\SOFTWARE\Classes\NetMeeting.App
HKLM\SOFTWARE\Classes\NetMeeting.App.1
HKLM\SOFTWARE\Classes\TypeLib\{5CE55CD7-5179-11D2-931D-0000F875AE17}
HKLM\SOFTWARE\Classes\TypeLib\{E36489BB-45C9-11D2-831F-00A0244D2298}
HKLM\SOFTWARE\Classes\TypeLib\{E36489BC-45C9-11D2-831F-00A0244D2298}
HKLM\SOFTWARE\Clients\Internet Call
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
HKLM\SOFTWARE\Microsoft\Conferencing
HKLM\SOFTWARE\Microsoft\Internet Audio
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{466d66fa-9616-11d2-9342-0000f875ae17}
HKLM\SOFTWARE\Microsoft\Tracing\h323msp
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\System Programs
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\H323TSP
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetMeeting
HKLM\SYSTEM\CurrentControlSet\Control\Video\{8B6D7859-A639-4A15-8790-7161976D057A}
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MNMDD
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft H.323 Telephony Service Provider
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\mnmsrvc
HKLM\SYSTEM\CurrentControlSet\Services\mnmdd
HKLM\SYSTEM\CurrentControlSet\Services\mnmsrvc
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\CONF.EXE
As you can see, there’s quite a bit of junk there for something you won’t use on a server.
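The two lists above are easy to get wrong by hand, so here is a script that carries out the same removal with a backup of every file and key first, and then verifies nothing was left behind. This is an added example, not the post's own procedure; it assumes Windows PowerShell is installed on the server (Server 2003 does not ship with it) and that the two lists have been saved, one entry per line, as netmeeting-files.txt and netmeeting-keys.txt in the current directory (file names are my assumption).

```powershell
# Added example: remove the NetMeeting leftovers listed in the post, keeping a backup
# of everything so the change can be reverted. Assumes the post's two lists are saved
# as netmeeting-files.txt and netmeeting-keys.txt (assumed names) in this directory.
$ErrorActionPreference = 'Continue'
$backup = Join-Path $env:SystemDrive ('Hardening\NetMeeting-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backup -Force | Out-Null

# Stop and disable the Remote Desktop Sharing service (mnmsrvc, present in the key
# list) before deleting its binary, so an open handle does not block the delete.
sc.exe stop mnmsrvc | Out-Null
sc.exe config mnmsrvc start= disabled | Out-Null

# Registry: export each key to a .reg file before deleting it. reg.exe accepts the
# HKCR/HKCU/HKLM abbreviations used in the list; an export failure means the key is absent.
$i = 0
foreach ($key in (Get-Content 'netmeeting-keys.txt' | Where-Object { $_.Trim() })) {
    $i++
    reg.exe export $key (Join-Path $backup ("key{0:D3}.reg" -f $i)) | Out-Null
    if ($LASTEXITCODE -eq 0) { reg.exe delete $key /f | Out-Null }
    else { Write-Host "Absent, skipped: $key" }
}

# Files: the list uses %SystemRoot%, which must be expanded explicitly. Copy each file
# into the backup before deleting it. Windows File Protection restores protected
# System32 files from dllcache, so the dllcache copy is removed as well.
$dllcache = Join-Path $env:SystemRoot 'System32\dllcache'
$fileBackup = Join-Path $backup 'files'
New-Item -ItemType Directory -Path $fileBackup -Force | Out-Null
foreach ($line in (Get-Content 'netmeeting-files.txt' | Where-Object { $_.Trim() })) {
    $path = [Environment]::ExpandEnvironmentVariables($line.Trim())
    if (Test-Path $path) {
        Copy-Item $path $fileBackup -Force
        Remove-Item $path -Force
    }
    $cached = Join-Path $dllcache (Split-Path $path -Leaf)
    if (Test-Path $cached) { Remove-Item $cached -Force }
}

# Verify: anything still present is reported so it can be dealt with by hand.
foreach ($line in (Get-Content 'netmeeting-files.txt' | Where-Object { $_.Trim() })) {
    $path = [Environment]::ExpandEnvironmentVariables($line.Trim())
    if (Test-Path $path) { Write-Warning "Still present: $path" }
}
foreach ($key in (Get-Content 'netmeeting-keys.txt' | Where-Object { $_.Trim() })) {
    reg.exe query $key 2>$null | Out-Null
    if ($LASTEXITCODE -eq 0) { Write-Warning "Still present: $key" }
}
```

Run it from an elevated Administrator session; the timestamped backup folder holds the .reg exports and file copies needed to undo the change.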
Posted in Hardening, Security Policy



