Security Checklists


Namespace: WIN_COM_API
A place to list and link to security checklists.

Windows XP
  • http://nsa2.www.conxion.com/winxp/guides/wxp-1.pdf
  • http://www.uksecurityonline.com/husdg/windowsxp/wxpp2.php
  • http://www.labmice.net/articles/winxpsecuritychecklist.htm

Win2K
  • http://www.labmice.net/articles/securingwin2000.htm
  • http://www.microsoft.com/technet/security/tools/chklist/w2kprocl.asp
  • http://www.microsoft.com/technet/security/tools/chklist/w2ksvrcl.asp

NT
  • http://www.windowsitlibrary.com/content/121/18/toc.html

SQL Server
  • http://www.sqlsecurity.com/checklist.asp

Exchange Server
  • http://www.imidev.galaxite.net/exc/security/contents.htm
  • http://archive.devx.com/upload/free/features/exchange/2000/10oct00/jh0010/jh0010.asp
  • http://www.slipstick.com and search on the term "security."

IIS 5.0
  • http://www.microsoft.com/technet/security/iis5chk.asp

Some other (not all mutually exclusive with the list above) ideas:

Default permissions: everyone knows they are too loose. Typically, the IUSR_ account only needs RX access to actual web folders, plus specific permissions for IUSR_ necessary for your web applications. You must have had RWXD on the \inetpub\scripts\ folder to allow the hacker to copy cmd.exe in there.

Default directory structures: Everyone knows the default paths C:\inetpub\wwwroot\ and C:\Winnt\System32\. That's the problem. I typically use a different drive letter and path structure for my webroot, and also a different directory name for the windows directory. The bad guy can't access what he can't find or guess.

Default IIS virtuals and scriptmappings: These are also in the category of "everyone knows them", plus some of the better known exploits involve these (the MDAC exploit, the very recent ISAPI printers exploit). I remove everything I don't need.

Special tools, utilities: Like cmd.exe, edit.exe, xcopy.exe, etc. You know, all the little command-line utilities we use. Windows NT doesn't care where these are, so move them to a new location, and I change their ACL so that only specific user groups can use them (and make sure that SYSTEM can't use them). Note that W2K is self-healing and will put them back. But the ACL stuff will work.
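
An added example (not from the original page or its contributors) of checking the "Default permissions" idea above: it reads the ACL listing of a web folder and reports any IUSR_ account that is allowed more than read/execute. It assumes the listing is in `icacls` output format; the host name WEB01, the paths and both sample listings are constructed.

```python
import re

# icacls abbreviations that stay within read/execute (the "RX" baseline).
READ_EXECUTE = {"RX", "R", "X", "GR", "GE", "RD", "RA", "REA", "RC", "S"}
# Parenthesised inheritance markers; these are not access rights.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}


def excess_rights(path, icacls_text, account_prefix="IUSR_"):
    """Return [(account, extra_rights)] for allow ACEs on `path` that give an
    account whose name starts with `account_prefix` more than read/execute."""
    findings = []
    for line in icacls_text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first line is prefixed by the path
        account, sep, rest = line.partition(":(")
        if not sep:
            continue                          # blank line or icacls summary line
        groups = re.findall(r"\(([A-Z,]+)\)", "(" + rest)
        tokens = {t for g in groups for t in g.split(",")}
        if "DENY" in tokens:
            continue                          # a deny ACE grants nothing
        name = account.rsplit("\\", 1)[-1]    # drop the MACHINE\ or DOMAIN\ part
        if not name.upper().startswith(account_prefix.upper()):
            continue
        extra = sorted(tokens - INHERIT_FLAGS - READ_EXECUTE)
        if extra:
            findings.append((account, extra))
    return findings


# Constructed sample listings (hypothetical host WEB01, hypothetical paths).
# (M) is icacls "modify": read, write, execute and delete.
LOOSE = r"""D:\web\scripts BUILTIN\Administrators:(OI)(CI)(F)
               NT AUTHORITY\SYSTEM:(OI)(CI)(F)
               WEB01\IUSR_WEB01:(OI)(CI)(M)

Successfully processed 1 files; Failed processing 0 files"""

TIGHT = r"""D:\web\site BUILTIN\Administrators:(OI)(CI)(F)
            WEB01\IUSR_WEB01:(RX)
            WEB01\IUSR_WEB01:(OI)(CI)(IO)(GR,GE)"""

if __name__ == "__main__":
    for path, listing in ((r"D:\web\scripts", LOOSE), (r"D:\web\site", TIGHT)):
        print(path, excess_rights(path, listing) or "ok")
```
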

Also see:
  • http://www.cert.org/ (computer security research and coordination center)
  • http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168 (a script that will check if you are missing any hotfixes)
  • www.securityfocus.com
  • www.microsoft.com/technet/security/sectour.asp
  • http://www.yourwindow.to/information-security/ (a glossary of security terms)
  • http://www.microsoft.com/technet/security/tools/chklist/iis4cl.asp
  • http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/chklist/iischk.asp
  • http://www.microsoft.com/technet/security/tools/tools/locktool.asp
  • http://www.microsoft.com/technet/security/tools/chklist/iis5cl.asp

Microsoft IE
Microsoft provides a rudimentary Web page that explains IE security. The page includes settings for SSL and security zones. The most important thing to remember about IE security is to load the many available patches.
  • http://www.microsoft.com/technet/security/tools/chklist/iecl.asp

Contributors: Lauren Clarke, PhilConnolly, DaveTeske (via http://west-wind.com/wwthreads/), Steven Black

Category Checklists
  • ( Topic last updated: 2006.08.15 07:49:47 AM )