I believe Microsoft has a Windows 2008 Security guide and should be the first source of hardening actions for your systems.
1) Standard C:\ Drive: That depends, are you going to install applications on your c:\ drive or D:\ drive? (I always try and keep the OS drive as clean as possible.)

2) Here are the current published security guides for Win2k8 along with the threats and countermeasures.
http://technet.microsoft.com/en-us/library/dd349791.aspx
http://www.microsoft.com/downloads/details.aspx?FamilyID=fb8b981f-227c-4af6-a44b-b115696a80ac&DisplayLang=en

3) You can use the security guide to implement the tweaks you desire based on the security guide recommendations. It's going to vary from organization to organization. I think the service hardening, TCP stack hardening, IPSEC, DDOS, DOS, DEP protections would be high on most people's lists.

4) Roles: Look into ServerManager to script out your roles upon installation, and keep them minimal for the installation you are going to run.

5) Firewall rules: Old adage: Deny All to start and allow only what is needed for communications (AD communications, DNS, WINS (if you have it), RDP if you're using it, backup software (gotta find out what ports that is using), AV software and its update mechanism (find out), patching (find out; you using WSUS, Patchlink, Shavlik, BigFix, manual intervention of the divine sneakernet?)).

HTH, hit me offline if you got more questions.

Z

Edward Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, ME, CCA, Security +, Network +
[email protected]
Phone: 401-639-3505

-----Original Message-----
From: Juned Shaikh [mailto:[email protected]]
Sent: Thursday, April 23, 2009 12:00 AM
To: NT System Admin Issues
Subject: Win2k8-Gold Build Question

Am sure many on this list must have gone through a similar exercise. Finally got an approval to build a gold win2k8std-image for generic server rollout, but had to review and advise on all available guidelines and best practices. And I would like to tap into the vast knowledge pool of this list:

Considering I am building a gold VM - Win2k8 Std:

1) What should be the standard C drive? (base install itself gobbles over 10GB)
2) What are the current published and credible hardening guidelines?
3) What security template tweaks has everyone on this list done on their builds?
4) What Roles and features should be part of the standard build, i.e. Powershell, Telnet client?
5) Firewall rules: Apart from allowing ICMP response and RDP, what else should be allowed?

I know it has many variations, but any pointers will be much appreciated.

Thanks in advance,
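One way to check a gold image against the "Deny All, then allow only what is needed" rule from item 5 of the reply, as an added example that is not part of the original thread: it parses saved output of `netsh advfirewall firewall show rule name=all` and lists enabled inbound allow rules outside a baseline. The baseline (RDP and ICMPv4 only), the function names and the sample rules are assumptions for illustration.

```python
import re

# Constructed sample, trimmed to the fields the check reads (not from a real host).
SAMPLE = """\
Rule Name:                            Remote Desktop (TCP-In)
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            3389
Action:                               Allow
Rule Name:                            Telnet Server
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            23
Action:                               Allow
Rule Name:                            File and Printer Sharing (SMB-In)
Enabled:                              No
Direction:                            In
Protocol:                             TCP
LocalPort:                            445
Action:                               Allow
"""

# Assumed baseline for this example: inbound RDP and ICMPv4 only.
ALLOWED = {("TCP", "3389"), ("ICMPV4", "")}

def parse_rules(text):
    """Return one dict per rule, keyed by netsh field name."""
    rules = []
    for m in re.finditer(r"^([^:\n]+):[ \t]+(.*)$", text, re.M):
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Rule Name":
            rules.append({})
        if rules:
            rules[-1][key] = value
    return rules

def unexpected_inbound(text, allowed=ALLOWED):
    """Names of enabled inbound allow rules outside the baseline."""
    bad = []
    for r in parse_rules(text):
        if (r.get("Enabled"), r.get("Direction"), r.get("Action")) != ("Yes", "In", "Allow"):
            continue
        proto = r.get("Protocol", "").upper()
        if any((proto, p.strip()) not in allowed for p in r.get("LocalPort", "").split(",")):
            bad.append(r["Rule Name"])
    return bad
```

Extend `ALLOWED` with the ports your backup, AV and patching tools turn out to need, then run the check on each build before sealing the image.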
