Tuesday, January 16, 2007

Protecting the Local SAM

The Local SAM on each member server is unique: its local accounts, groups and account policy are not shared with any other server, so every member server must be locked down individually when you protect the assets that reside on it. The Local SAM contains both configuration (the account policy) and objects (users and groups) that have to be considered when restricting access to the server. Within the Local SAM, you will want to consider the following areas for protection:

Account Policies - the account policies for the member server control the password policy and the account lockout policy for every user account stored in the Local SAM. It is a best practice to ensure that these policies meet or exceed the account policies established for domain user accounts, which are configured in a GPO linked at the domain level and enforced by the domain controllers. By default a member server inherits that domain-level policy for its local accounts, but a GPO linked to the server's OU can override it, so it is very easy for the local policy to end up weaker than the domain's without anyone noticing. Audit the effective local policy rather than assuming it matches the domain.
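The check described above, as an added example that is not part of the original article: it exports the server's effective local security policy with secedit, reads the account-policy values from the [System Access] section of the resulting .inf, and compares each one with a baseline. The baseline values and the comparison rules are assumptions chosen for illustration; replace them with your own domain account policy.

```powershell
# Added example (not from the original article): compare the local SAM's
# account policy with a baseline. Run in an elevated PowerShell prompt on
# the member server. The baseline values below are assumed for illustration.
$Baseline = @(
    @{ Name = 'MinimumPasswordLength'; Value = 12; Rule = 'AtLeast' }
    @{ Name = 'PasswordHistorySize';   Value = 24; Rule = 'AtLeast' }
    @{ Name = 'PasswordComplexity';    Value = 1;  Rule = 'AtLeast' }
    @{ Name = 'MaximumPasswordAge';    Value = 90; Rule = 'AtMostNonZero' } # days; -1 = never expires
    @{ Name = 'LockoutBadCount';       Value = 10; Rule = 'AtMostNonZero' } # attempts; 0 = no lockout at all
    @{ Name = 'LockoutDuration';       Value = 30; Rule = 'AtLeastOrZero' } # minutes; 0 = until an admin unlocks
    @{ Name = 'ResetLockoutCount';     Value = 30; Rule = 'AtLeast' }       # minutes
)

# A setting passes when it is at least as strict as the baseline; what
# "stricter" means differs per setting, hence the per-setting rule.
function Test-Setting($have, $want, $rule) {
    switch ($rule) {
        'AtLeast'       { $have -ge $want }
        'AtLeastOrZero' { ($have -eq 0) -or ($have -ge $want) }
        'AtMostNonZero' { ($have -gt 0) -and ($have -le $want) }
    }
}

# secedit writes the effective policy (local settings merged with whatever
# GPOs apply to this computer) to a Unicode .inf file.
$inf = Join-Path $env:TEMP 'local-secpol.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null

$local = @{}
$inSystemAccess = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]\s*$') {
        $inSystemAccess = ($Matches[1] -eq 'System Access')
        continue
    }
    # Only numeric values; the section also carries strings such as NewAdministratorName.
    if ($inSystemAccess -and $line -match '^(\w+)\s*=\s*(-?\d+)\s*$') {
        $local[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $inf

$report = foreach ($b in $Baseline) {
    if ($local.ContainsKey($b.Name)) {
        $have = $local[$b.Name]
        $ok   = Test-Setting $have $b.Value $b.Rule
    } else {
        # Lockout duration/reset are omitted from the export when LockoutBadCount is 0.
        $have = $null
        $ok   = $false
    }
    New-Object PSObject -Property @{
        Setting  = $b.Name
        Local    = $have
        Baseline = $b.Value
        Status   = if ($ok) { 'OK' } else { 'WEAKER THAN BASELINE' }
    }
}
$report | Format-Table Setting, Local, Baseline, Status -AutoSize
```

Because secedit exports the effective policy, the report shows what the server actually enforces after all GPOs have been applied, which is exactly where an OU-level override would show up as a weaker value.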

User Accounts - every member server has one user account that is active by default: the built-in Administrator account. This account needs to be protected at all costs. If an attacker gains control of the server as this account, there is nothing the attacker cannot do or access. Best practice settings for protecting this account include renaming it, using it for nothing but recovering the server, setting a complex password/passphrase, and disabling it. All of these are available through a GPO (the "Accounts: Rename administrator account" and "Accounts: Administrator account status" settings under Security Options), except for setting the password/passphrase. Two caveats apply. Renaming does not hide the account: its SID always ends in the well-known relative ID 500, so an attacker who can enumerate local accounts will still find it, and even when disabled the built-in Administrator account can still log on in Safe Mode, so the password matters regardless. Tools such as PolicyMaker (www.desktopstandard.com/policymaker) can set the password through a GPO setting, but a password distributed that way is written into SYSVOL, which every domain user can read; the Group Policy Preferences feature that later grew out of PolicyMaker protected such passwords with an encryption key that Microsoft itself documented, and Microsoft eventually removed the ability to set passwords this way (MS14-025).
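An audit of the built-in Administrator account, as an added example that is not part of the original article. It locates the account by its well-known RID rather than by name, so it still works after the account has been renamed, and reports the state of each of the recommendations above that can be checked from the server itself; the 90-day password-age threshold is an assumption for illustration.

```powershell
# Added example (not from the original article): report the state of the
# built-in Administrator account. Run in an elevated PowerShell prompt.
# The local SAM's accounts have SIDs of the form S-1-5-21-<machine>-<RID>;
# the built-in Administrator is always RID 500, whatever it has been renamed to.
$admin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
         Where-Object { $_.SID -like 'S-1-5-21-*-500' }
if (-not $admin) { throw 'Built-in Administrator account (RID 500) not found' }

# The WinNT ADSI provider exposes the password age in seconds.
$adsi            = [ADSI]"WinNT://./$($admin.Name),user"
$passwordAgeDays = [int]($adsi.PasswordAge.Value / 86400)
$MaxPasswordAgeDays = 90   # assumption: how old the recovery password may be

$findings = @()
if ($admin.Name -eq 'Administrator')  { $findings += 'still has the default name (Accounts: Rename administrator account)' }
if (-not $admin.Disabled)             { $findings += 'is enabled (Accounts: Administrator account status)' }
if (-not $admin.PasswordRequired)     { $findings += 'does not require a password' }
if ($passwordAgeDays -gt $MaxPasswordAgeDays) {
    # Even a disabled built-in Administrator can log on in Safe Mode, so a
    # stale password is a finding whether or not the account is enabled.
    $findings += "password is $passwordAgeDays days old"
}

New-Object PSObject -Property @{
    Name            = $admin.Name
    SID             = $admin.SID
    Disabled        = $admin.Disabled
    PasswordAgeDays = $passwordAgeDays
    Findings        = if ($findings) { $findings -join '; ' } else { 'none' }
} | Format-List
```

The one recommendation the script cannot verify is that the account is used only for recovery; for that, review the logon events for this SID on the server rather than the account's properties.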

Groups - each member server comes with a suite of built-in local groups. Some of them, such as Administrators, grant elevated privileges to perform administrative tasks on the server, so their membership must be restricted to the users who genuinely need it. The GPO setting “Restricted Groups” can enforce the membership of existing groups, as shown in Figure 1. Note that its “Members of this group” list is authoritative: any account not on the list is removed at every policy refresh, whereas “This group is a member of” only adds the group to the groups listed and never removes it.



Figure 1: Restricted Groups controls the membership in existing groups on a member server

Again, PolicyMaker takes control of local groups a step further, allowing fine-grained control over the individual members of a group, including a filter option that targets only specific member servers.
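A membership audit for the local Administrators group, as an added example that is not part of the original article or of PolicyMaker: it enumerates the group's current members through the WinNT ADSI provider and compares them with the list a Restricted Groups policy is meant to enforce, reporting anything the policy would remove at the next refresh and anything that is expected but absent. The $Allowed list and the domain name CONTOSO are assumptions for illustration.

```powershell
# Added example (not from the original article): compare the local
# Administrators group on this member server with the intended membership.
# Run in an elevated PowerShell prompt on the server itself.
$Allowed = @(
    "$env:COMPUTERNAME\Administrator",   # assumption; use the account's current (renamed) name
    'CONTOSO\Domain Admins',             # assumption: made-up domain and group names
    'CONTOSO\Server Operators Team'
)

$group   = [ADSI]'WinNT://./Administrators,group'
$members = foreach ($m in @($group.psbase.Invoke('Members'))) {
    # Each member's ADsPath looks like WinNT://DOMAIN/Account for domain
    # principals or WinNT://DOMAIN/SERVER/Account for local ones; keep the
    # last two segments so both normalise to AUTHORITY\Name.
    $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    $parts = ($path -replace '^WinNT://', '') -split '/'
    '{0}\{1}' -f $parts[-2], $parts[-1]
}

# Windows account names are case-insensitive, so compare in upper case.
$allowedUpper = @($Allowed | ForEach-Object { $_.ToUpperInvariant() })
$membersUpper = @($members | ForEach-Object { $_.ToUpperInvariant() })

# Unexpected members are what "Members of this group" would strip at the
# next refresh, or what someone added since the last one.
$unexpected = @($members | Where-Object { $allowedUpper -notcontains $_.ToUpperInvariant() })
$missing    = @($Allowed | Where-Object { $membersUpper -notcontains $_.ToUpperInvariant() })

New-Object PSObject -Property @{
    Server     = $env:COMPUTERNAME
    Current    = $members -join '; '
    Unexpected = if ($unexpected) { $unexpected -join '; ' } else { 'none' }
    Missing    = if ($missing)    { $missing -join ';' }    else { 'none' }
} | Format-List
```

Running this on each member server before deploying the Restricted Groups policy shows which accounts the policy is about to remove, which avoids locking out a service account that someone added to Administrators by hand.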


http://www.windowsecurity.com/articles/Securing-Windows-Member-Servers.html