
Baseline Security and ITIL


SOP TITLE: BASELINE SECURITY DOCUMENT

             NAME    TITLE    SIGNATURE    DATE
Author
Reviewer
Authoriser

Effective Date:
Review Date:

SECURITY BASELINE DOCUMENTS CHECKLIST

Security baselining is the process of raising a system's security through a defined set of controls, which results in a much more secure server/client operating environment. The improvement comes from the hardening measures that are applied to each server/client during the baseline process.

The checklist columns are BEST SECURITY RECOMMENDATION, EXPLANATION, STATUS and REMARK; the STATUS and REMARK columns are left blank in the template. The rows are grouped by security area below.

ORGANIZATION SECURITY
- Maintain an inventory record for each server that clearly documents its baseline configuration, and record each change to the server.
- Thoroughly test and validate every proposed change to server hardware or software before making the change in the production environment.
- Regularly perform a risk assessment. Use the results to update your risk management plan and maintain a prioritized list of all servers, to ensure that security vulnerabilities are fixed in a timely manner.
- Keep all servers at the same revision level.

WINDOWS SERVER PREPARATION
- Protect newly installed machines from hostile network traffic until the operating system is installed and hardened. Harden each new server in a DMZ network that is not open to the Internet.
- Set a BIOS/firmware password to protect against unauthorized changes to the server startup settings.
- Disable automatic administrative logon to the recovery console.
- Configure the device boot order to prevent unauthorized booting from alternate media.
WINDOWS SERVER INSTALLATION
- Ensure all appropriate patches, hotfixes and service packs are applied promptly. Security patches fix known vulnerabilities that attackers could otherwise exploit to compromise a system. After you install Windows Server, immediately update it with the latest patches via WSUS or SCCM.
- Enable automatic notification of patch availability. Whenever a patch is released, it should be analyzed, tested and applied in a timely manner using WSUS or SCCM.

USER ACCOUNT SECURITY HARDENING
- Ensure your administrative and system passwords meet password best-practice complexity. In particular, verify that privileged account passwords are not based on a dictionary word and are at least 15 characters long, with letters, numbers, special characters and invisible (Ctrl ^) characters throughout.
- Ensure that all passwords are changed every 90 days.
- Configure account lockout group policy according to account lockout best practices.
- Disable guest accounts. Do not allow "Everyone" permissions to apply to anonymous users.
- Promptly disable or delete unused user accounts.

NETWORK SECURITY CONFIGURATION
- Enable the Windows Firewall in all profiles (Domain, Private, Public) and configure it to block inbound traffic by default.
- Perform port blocking at the network level. Perform analysis to determine which ports need to be open and restrict all other ports.
- Restrict the ability to access each computer from the network to authenticated users only.
- Deny guest accounts the ability to log on as a service, as a batch job, locally or via RDP.
- Disable the "Enable LMHOSTS lookup" setting (used to enable name resolution under Windows when other methods such as WINS fail).
- Disable NetBIOS over TCP/IP. (It provides the NetBIOS programming interface over the TCP/IP protocol and extends the reach of NetBIOS client and server programs to the wide area network.)
- Do not allow shares to be accessed anonymously. Remove File and Print Sharing from the network settings: File and Print Sharing could allow anyone to connect to the server and access critical data without requiring a user ID or password.
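The network rows above that map directly to a host setting can be verified before the STATUS column is filled in. The PowerShell below is an added example, not part of the SOP; it assumes the NetSecurity and CIM cmdlets shipped with current Windows Server, and it assumes that "no anonymous share access" is reflected by the RestrictNullSessAccess value under LanmanServer\Parameters, which the checklist does not name.

```powershell
# Added example (not from the SOP): read-only audit of the NETWORK SECURITY
# CONFIGURATION rows that map directly to a machine setting, printing a
# STATUS value per row. Run in an elevated PowerShell on the server.

# Assumed location of the null-session share restriction (not stated in the checklist)
$LanSrv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-FirewallBaseline {
    # Every profile (Domain, Private, Public) must be on and block inbound by default
    $bad = Get-NetFirewallProfile | Where-Object {
        -not $_.Enabled -or $_.DefaultInboundAction -ne 'Block'
    }
    return (@($bad).Count -eq 0)
}

function Get-IpEnabledNics {
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
}

function Test-NetbiosDisabled {
    # TcpipNetbiosOptions: 0 = take from DHCP, 1 = enabled, 2 = disabled
    $on = Get-IpEnabledNics | Where-Object { $_.TcpipNetbiosOptions -ne 2 }
    return (@($on).Count -eq 0)
}

function Test-LmhostsLookupDisabled {
    # WINSEnableLMHostsLookup is the "Enable LMHOSTS lookup" checkbox in WINS settings
    $on = Get-IpEnabledNics | Where-Object { $_.WINSEnableLMHostsLookup }
    return (@($on).Count -eq 0)
}

function Test-NoAnonymousShareAccess {
    # RestrictNullSessAccess = 1 refuses null-session (anonymous) access to shares;
    # a missing value is flagged so the reviewer confirms it explicitly
    $p = Get-ItemProperty -Path $LanSrv -Name RestrictNullSessAccess -ErrorAction SilentlyContinue
    return ($null -ne $p -and [int]$p.RestrictNullSessAccess -eq 1)
}

$rows = [ordered]@{
    'Firewall on, inbound blocked (all profiles)' = Test-FirewallBaseline
    'NetBIOS over TCP/IP disabled'                = Test-NetbiosDisabled
    'LMHOSTS lookup disabled'                     = Test-LmhostsLookupDisabled
    'No anonymous share access'                   = Test-NoAnonymousShareAccess
}
foreach ($row in $rows.GetEnumerator()) {
    $status = if ($row.Value) { 'COMPLIANT' } else { 'NON-COMPLIANT' }
    '{0,-45} STATUS: {1}' -f $row.Key, $status
}
```

Port blocking at the network level and the "authenticated users only" network access right are policy items outside the host and are not checked here.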

REGISTRY SECURITY CONFIGURATION
- Configure registry permissions. Protect the registry from anonymous access, and disallow registry access if not required.
- Set MaxCachedSockets (REG_DWORD) to 0.
- Set SmbDeviceEnabled (REG_DWORD) to 0.
- Delete all value data inside the NullSessionPipes key.
- Delete all value data inside the NullSessionShares key.
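The four registry items in this group can be audited rather than trusted. The PowerShell below is an added example, not part of the SOP; it assumes SmbDeviceEnabled lives under NetBT\Parameters and NullSessionPipes/NullSessionShares under LanmanServer\Parameters, and it leaves the MaxCachedSockets key path as a placeholder because the checklist does not state it.

```powershell
# Added example (not from the SOP): audits the REGISTRY SECURITY CONFIGURATION
# rows and prints a STATUS value per item. Run in an elevated PowerShell.

# Assumed key paths (the checklist names only the value names)
$NetBT  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$LanSrv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
# Placeholder: fill in the MaxCachedSockets key from your hardening standard;
# until then that row is reported NON-COMPLIANT rather than silently passed.
$MaxSockKey = 'HKLM:\<PATH-FROM-YOUR-HARDENING-STANDARD>'

function Get-RegValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-DwordIsZero {
    param([string]$Key, [string]$Name)
    $v = Get-RegValue -Key $Key -Name $Name
    # A missing value is not compliant: the checklist requires an explicit 0
    return ($null -ne $v -and [int]$v -eq 0)
}

function Test-MultiSzIsEmpty {
    param([string]$Key, [string]$Name)
    $v = Get-RegValue -Key $Key -Name $Name
    # REG_MULTI_SZ: compliant when the value is absent or every entry is blank
    if ($null -eq $v) { return $true }
    return (@($v | Where-Object { $_ -and $_.Trim() -ne '' }).Count -eq 0)
}

$checks = @(
    @{ Item = 'SmbDeviceEnabled = 0';    Pass = (Test-DwordIsZero    $NetBT      'SmbDeviceEnabled') }
    @{ Item = 'MaxCachedSockets = 0';    Pass = (Test-DwordIsZero    $MaxSockKey 'MaxCachedSockets') }
    @{ Item = 'NullSessionPipes empty';  Pass = (Test-MultiSzIsEmpty $LanSrv     'NullSessionPipes') }
    @{ Item = 'NullSessionShares empty'; Pass = (Test-MultiSzIsEmpty $LanSrv     'NullSessionShares') }
)

foreach ($c in $checks) {
    $status = if ($c.Pass) { 'COMPLIANT' } else { 'NON-COMPLIANT' }
    '{0,-26} STATUS: {1}' -f $c.Item, $status
}
```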

GENERAL SECURITY SETTINGS
- Disable unneeded services. Most servers run the default install of the operating system, which often contains extraneous services that are not needed for the system to function and that represent a security vulnerability. Therefore, it is critical to remove all unnecessary services from the system.
- Remove unneeded Windows components. Any unnecessary Windows component should be removed from critical systems to keep the server in a secure state.
- If the workstation has significant random-access memory (RAM), disable the Windows swap file. This will increase performance and security because no sensitive data can be written to the hard drive.
- Do not use AutoRun. Otherwise, untrusted code can be run without the direct knowledge of the user; for example, attackers might put a CD into the machine and cause their own script to run.
- Ensure all volumes are using the NTFS file system.
- Configure local file/folder permissions. Another important but often overlooked security procedure is to lock down the file-level permissions for the server. By default, Windows does not apply specific restrictions on any local file or folder; the Everyone group is given full permissions to most of the machine. Remove this group and instead grant access to files and folders using role-based groups based on the least-privilege principle.
- Set the system date/time and configure it to synchronize against domain time servers.
- Configure a screen saver to lock the console screen automatically if it is left unattended.
AUDIT POLICY SETTINGS
- Enable audit policy according to audit policy best practices. The Windows audit policy defines what types of events are written to the Security log of your Windows Server.
- Configure the event log retention method to "overwrite as needed" and the size up to 4 GB.
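The retention row above can be checked and, if needed, corrected on the host. The PowerShell below is an added example, not part of the SOP; it assumes the Security, System and Application logs are in scope (the checklist says "the event log" without listing them) and uses the built-in wevtutil tool for remediation.

```powershell
# Added example (not from the SOP): checks the AUDIT POLICY SETTINGS rows that
# can be verified on the machine: log retention "overwrite as needed" and a
# maximum size of 4 GB. Read-only unless -Remediate is passed. Run elevated.

param([switch]$Remediate)

$TargetBytes = 4GB                                   # "size up to 4 GB" from the checklist
$Logs = 'Security', 'System', 'Application'          # assumed scope; the checklist names none

function Get-LogRetentionStatus {
    param([string]$LogName)
    $log = Get-WinEvent -ListLog $LogName
    # LogMode 'Circular' is the "overwrite as needed" retention method
    [pscustomobject]@{
        Log       = $LogName
        Mode      = $log.LogMode
        SizeBytes = $log.MaximumSizeInBytes
        Compliant = ($log.LogMode -eq 'Circular' -and $log.MaximumSizeInBytes -eq $TargetBytes)
    }
}

foreach ($name in $Logs) {
    $s = Get-LogRetentionStatus -LogName $name
    $status = if ($s.Compliant) { 'COMPLIANT' } else { 'NON-COMPLIANT' }
    '{0,-12} mode={1,-10} size={2,6:N0} MB  STATUS: {3}' -f $s.Log, $s.Mode, ($s.SizeBytes / 1MB), $status
    if (-not $s.Compliant -and $Remediate) {
        # /rt:false = overwrite as needed, /ms = maximum size in bytes
        wevtutil sl $name /rt:false "/ms:$TargetBytes"
    }
}

# The audit policy row refers to "best practices" without listing subcategories,
# so the effective policy is only printed here for the reviewer to compare.
auditpol /get /category:*
```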

SOFTWARE SECURITY GUIDE
- Install and enable anti-virus software. Configure it to update daily.
- Install and enable anti-spyware software. Configure it to update daily.

ENABLE ENCRYPTION TECHNOLOGY (FOR CLIENTS ONLY)
- Hard drive encryption is a technology that encrypts the data stored on a hard drive using standard encryption algorithms. Data on an encrypted hard drive cannot be read by anyone who does not have access to the appropriate key or password.

ENABLE DATA LOSS PREVENTION (FOR CLIENTS ONLY)
- Data loss prevention is a set of tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users.

DATA BACKUP TECHNOLOGY
- Data backup saves important files so that they survive a system crash or hard disk failure.
