Stacking baselines

    Question

  • I want to harden a standalone web server in a DMZ running Windows 2008 Standard R2 SP1 - I know I should use core server, but that's a different topic. When using SCM v2, I see that there is a baseline for "Web Server Security Compliance" but it only contains services. Is it safe to assume that I should be stacking baselines in order to maximize hardening? For example, should I use LocalGPO to apply "Web Server Security Compliance" as well as "Member Server Security Compliance" and maybe "Domain Security Compliance" with the understanding that everything won't apply since the web server is a standalone server and not part of a domain? It just seems that "Web Server Security Compliance" isn't enough. Thanks in advance.
    Tuesday, November 29, 2011 1:11 PM

All replies

  • aj,

    Yes, that's the way the baselines are intended to be used. This is discussed in detail in the security guide for each product, so I suggest that you read the one for Windows Server 2008 R2 SP1; it's in the 'documents/attachments' folder under the product in SCM.

    Kurt


    Kurt Dillard http://www.kurtdillard.com
    Tuesday, November 29, 2011 2:39 PM
    Owner
  • Great, thanks for the response Kurt - at least I'm on the right track! Do you, or anyone, have any recommendations on which baselines should be stacked for a standalone, internet-facing web server? I read through the Windows 2008 Server R2 security guide a couple times and don't see any recommendations.
    Tuesday, November 29, 2011 2:59 PM
  • Read the "Security Design" and "GPO Design for Security Policies" sections of chapter 2; they discuss this exact topic. So you should apply the account/password policy, the member server policy, and the web server policy. You also ought to take a close look at chapter 7 about additional web server hardening considerations.
    Kurt Dillard http://www.kurtdillard.com
    • Proposed as answer by Kurt Dillard (Moderator) Wednesday, November 30, 2011 7:00 PM
    • Marked as answer by ajbuck Monday, December 05, 2011 3:02 PM
    Wednesday, November 30, 2011 7:00 PM
    Owner
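Since LocalGPO imports each baseline backup into the same local policy, a setting defined in more than one of the stacked baselines keeps whichever value was imported last, so after applying the account/password, member server and web server baselines it is worth exporting the effective local security policy and checking it against what the baselines were supposed to set. The PowerShell below is an added example; it is not part of this thread and not code from SCM or LocalGPO. It assumes the baselines have already been imported and that secedit.exe is available (it is on Server 2008 R2). The setting names and expected values at the bottom are constructed placeholders for the illustration, not the real baseline values.

```powershell
# Added example, not from the thread, SCM or LocalGPO. Assumes the baselines were already
# imported with LocalGPO and that secedit.exe is present (it is on Server 2008 R2).
# The expected values at the bottom are constructed placeholders, not real baseline values;
# copy the values from the baselines you actually imported.

function Get-SecurityPolicy {
    param([string]$Path)
    # Without -Path, export the effective local security policy to a temporary INF.
    # Pass -Path to parse an INF you exported earlier (or one saved from another host).
    if (-not $Path) {
        $Path = Join-Path $env:TEMP 'effective-policy.inf'
        & secedit.exe /export /cfg $Path /quiet | Out-Null
    }
    $policy  = @{}
    $section = ''
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^([^=]+?)\s*=\s*(.*)$') {
            # Key each setting by "Section/Name" so entries from different INF sections cannot collide.
            $policy["$section/$($Matches[1])"] = $Matches[2]
        }
    }
    return $policy
}

function Compare-SecurityPolicy {
    param([hashtable]$Effective, [hashtable]$Expected)
    foreach ($key in $Expected.Keys) {
        $actual = $Effective[$key]
        if ($null -eq $actual)               { $status = 'MISSING' }
        elseif ($actual -eq $Expected[$key]) { $status = 'OK' }
        else                                 { $status = 'DRIFT' }
        New-Object PSObject -Property @{
            Setting = $key; Expected = $Expected[$key]; Actual = $actual; Status = $status
        } | Select-Object Setting, Expected, Actual, Status
    }
}

# Constructed placeholder expectations: one setting from each policy area the stacked baselines touch.
$expected = @{
    'System Access/MinimumPasswordLength' = '14'
    'System Access/LockoutBadCount'       = '10'
    'Event Audit/AuditLogonEvents'        = '3'
}
Compare-SecurityPolicy -Effective (Get-SecurityPolicy) -Expected $expected | Format-Table -AutoSize
```

Run it once after the last baseline is imported and again after the reboot LocalGPO asks for; a DRIFT row shows a setting where a later baseline overrode an earlier one (or where a local change has undone the baseline), and a MISSING row shows a setting none of the imported baselines actually defined.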
  • Thanks for your help Kurt!
    Monday, December 05, 2011 3:02 PM