Microsoft unveils security aid

Microsoft Corp. released a guide recently designed to help systems administrators run Windows Server 2003 securely, and re-announced a similar guide for Windows 2000.

The Windows Server 2003 Security Guide and the Windows 2000 Security Hardening Guide for Windows 2000 Professional and Server editions give instructions on how to set up the software and how to mitigate various attack types, as well as other tips, said Michael Stephenson, lead product manager for Windows Server at Microsoft.

“We felt we needed to do a better job in helping our customers to better secure their products,” Stephenson said.

Microsoft found that a large majority of the security breaches its customers have suffered resulted from configuration mistakes. These included unpatched systems and unprotected admin accounts on servers, Stephenson said.

The guides walk administrators through the best practices for setting up a Windows Server system in a variety of configuration scenarios, including file server, Web server, domain controller and Domain Name System (DNS) server, Stephenson said.

Also, users are taught how to reduce the impact of various attack types and how to harden the system against those types of attacks. The guides provide details on countermeasures users can take to make their systems less susceptible. Access to the shutdown function on a domain controller should be very limited, for example.

Previously, Microsoft had released security white papers addressing specific security issues such as password management. This is the first time Microsoft has published comprehensive guides, according to Stephenson. The Windows 2000 Security Hardening Guide was first released in March. The guides are part of Microsoft’s Trustworthy Computing initiative, he said.

The next thing Microsoft will do is to automate security setup. In mid-2003, Microsoft will launch a security configuration wizard for Windows Server 2003 that will ask customers about their environment and, based on the answers, will set the configuration settings, Stephenson said.

The Windows Server 2003 Security Guide is available at

The Windows 2000 Security Hardening Guide is at