Windows Server 2008 Hardening guide

Greetings All:

I am looking for a decent Windows Server 2008 R2 hardening, specifically with IIS in mind. I need to through a server up by Tuesday for a developer and they want it hardened as good as possible. I am thinking of following an old 2003 guide I had and using the Mastering 2008 and IIS 7 book to help fill some gaps. Anyone have any other resources (free if possible).

I was finally about to track down the old security guide:
iase.iiie.disa.mil/stigs/downloads/.../windows_server_2008_security_guide.pdf

Find more posts tagged with

SAVE $250 on Your Microsoft Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Microsoft Boot Camps

Comments

veritas_libertas

Have you looked at these?

Amazon.com: Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization (9781597492805): Aaron Tiensivu: Books

Amazon.com: Windows Server 2008 Security Resource Kit (PRO - Resource Kit) (9780735625044): Jesper M. Johansson: Books

kriscamaro68

Bl8ckr0uter wrote: »

Greetings All:

I am looking for a decent Windows Server 2008 R2 hardening, specifically with IIS in mind. I need to through a server up by Tuesday for a developer and they want it hardened as good as possible. I am thinking of following an old 2003 guide I had and using the Mastering 2008 and IIS 7 book to help fill some gaps. Anyone have any other resources (free if possible).

I was finally about to track down the old security guide:
iase.iiie.disa.mil/stigs/downloads/.../windows_server_2008_security_guide.pdf

Check this site out: CIS Benchmark Audit Tools

If you become a member which is free then you can get access to their benchmark tool and scoring sheet on hardening.

HTH

rwmidl

IIS 7 security guide/STIG isn't slated for release until March of this year:

DoD Security Guides and Tools - Frequently Asked Questions

That being said, you may want to utilize the general web server configuration guide

http://iase.disa.mil/stigs/downloads/zip/unclassified_web_server_v7r1_stig.zip

for 2008 R2 it looks like the guide should be out sometime soon, but in the mean time the 2008 guide will be your best bet. I wouldn't use the 2003 guide, as I know we found a big change in the 2003 guide defined quite a few services, whereas 2008/Win 7 only defined a few (M$ and DISA are saying leave most "as is"). Also on the services front, just google "Black Viper" as he has done a really good job defining services needed depending on what "level" of server you need.

dynamik

Good advice on CIS and DISA.

Also check out:

Download details: Microsoft Security Compliance Manager

Secure Windows Server

(specifically Configure Web Server Security (IIS 7))

Bl8ckr0uter

Awesome suggestions guys!

Bl8ckr0uter

So I am configuring a server based on the DISA STIG for 2k8. I don't have the gpo accelerator installed on this machine. Is there a way to show the MSS policies without using the gpo accelerator.