7.5 Mejoras de seguridad de Windows 2003 Server

7.5.1 Cambios en las políticas de Seguridad por defecto para mejorar la misma

• Created Secure Root ACL.

• Stronger ACL to stop access to root directory (c:\).

• Changed default share ACL from Everyone:F to Everyone:R.

• Changed DLL Search Order to start in system directory.

• Hardened Internet Explorer.

• Increased restrictions on Anonymous users.

• Anonymous users are no longer members of “Everyone” by default.

• Disabled Anonymous SID\Name translation on servers; this is NOT the default on Domain Controllers.

• Put limits on blank passwords.

• Local accounts that have blank passwords cannot be used to remotely connect to a machine.

• Set LanManCompatibilityLevel=2 on Servers\DCs by default.

• By default Windows Sever 2003 will not emit insecure LanMan responses.

• Required SMB Packet signing on DCs.

• Provides integrity checking for client-DC SMB communications.

• Required that secure channel communications be signed or encrypted.

• Modified LDAP Signing.

• Affects the wldap32.dll LDAP bind initialization sequence so that signing is requested even if the client doesn’t ask for it. This doesn’t kick in if TLS\SSL is used.

• Object Case Insensitivity

• Protects against canonicalization type attacks.

• Stopped allowed paths leakage.

• Eliminates unnecessary information disclosure pertaining to system config.

• Restricted remote execution of console apps to admins only.

• Defense in depth.

• Improved auditing for Domain Controllers.

• Improved convert story.

• Proper coverage for profile directory and optional components.

• Fixed Profile Directory issues.

7.5.2 Se crean dos nuevas cuentas de usuario para correr servicios en baja prioridad

Servicios que corren bajo el “servicio local”

• Alerter

• Application Layer Gateway Service

• Remote Registry

• Smart Card

• Smart Card Helper

• SSDP Discovery Service

• TCP/IP NetBIOS Helper

• Telnet

• UPS

• Universal Plug and Play

• Web Client

• Windows Image Acquisition

• WinHTTP Web Proxy Auto-Discovery Service

Servicios que corren bajo el “Servicio de Red”

• DHCP Client

• Distributed Transaction Coordinator

• DNS Client

• License Logging

• Performance Logs and Alerts

• RPC Locator

7.5.3 Servicios deshabilitados por defecto

• IIS not installed by default

• Alerter

• Clipbook

• Distributed Link Tracking Server

• Human Interface Device Access

• Imapi CDROM Burning Service

• ICF\ICS

• Intersite Messenging

• License Logging

• Messenger

• NetMeeting Remote Desktop Sharing

• Network DDE

• Network DDE DSDM

• Routing and Remote Access

• Telnet

• Terminal Service Session Discovery

• Themes

• WebClient

• Windows Image Acquisition (WIA)

• The Kerberos KDC is also disabled by default, and then automatically enabled upon DCPromo.

Estudio del Open/Free (GNU/Linux) como plataforma de servicios de red en entornos empresariales
Daniel Caraballo - Mario Madera - Marcelo Odin
Tutor: Ariel Sabiguero Yawelak
2004 - 2005.