Microsoft Security Compliance Manager (SCM): Windows Server 2003 SP2 Security Compliance Baseline Release Notes

The Windows Server 2003 SP2 Security Compliance Baseline is integrated with the [[Microsoft Security Compliance Manager (SCM)]] tool. To access the Windows Server 2003 SP2 Security Guide included with this baseline, download SCM 2.5.

SCM 2.5 is a free tool from the Microsoft Solution Accelerators Team that enables you to quickly configure and manage your computers, traditional datacenter, and private cloud using Group Policy and Microsoft System Center Configuration Manager. The entire Windows Server 2003 SP2 Security and Compliance Baseline package is available through SCM 2.5. The tool is designed to provide you with an end-to-end solution to help you plan, deploy, and monitor security baselines for computers running Windows operating systems, and other Microsoft products in your environment.

See the SCM Getting Started wiki for information about installing SCM 2.5 and to orient you with the tool’s console and integrated Help guidance.

These release notes are carefully and closely monitored. The SCM engineering team regularly improves the tool and maintains this article to share the latest release information and known issues. Any changes that you make will be evaluated and then quickly accepted, refined, or reverted. Because this is a wiki, additions or refinements to these release notes might have been made by community members.

Please direct questions and comments about SCM 2.5 to secwish@microsoft.com.

 

Download and Online Locations

• To learn more about this product baseline, see the Windows Server 2003 SP2 Security Baseline page in the TechNet Library
• To download the Security Compliance Manager tool, visit the Microsoft Download Center

Baseline Components

The Windows Server 2003 SP2 Security and Compliance Baseline available in SCM 2.5 includes the following components:

 

• Attachments
  • Windows Server 2003 SP2 Security Guide.docx (version 4.0)
  • Windows Server 2003 SP2 Attack Surface Reference.xlsx
  • WS2003SP2_IT_GRC_MCA_MP.cab
• Baselines
  • Windows Server 2003 SP2 Certificate Services Server Security Compliance v1.0
  • Windows Server 2003 SP2 DHCP Server Security Compliance v1.0
  • Windows Server 2003 SP2 Domain Security Compliance v1.0
  • Windows Server 2003 SP2 Domain Controller Security Compliance v1.0
  • Windows Server 2003 SP2 File Server Security Compliance v1.0
  • Windows Server 2003 SP2 Internet Authentication Services Security Compliance v1.0
  • Windows Server 2003 SP2 Member Server Security Compliance v1.0
  • Windows Server 2003 SP2 Print Security Compliance v1.0
  • Windows Server 2003 SP2 Web Security Compliance v1.0

Version History

Version 1.0 of the Windows Server 2003 SP2 Security and Compliance Baseline (September 27, 2011).

Version 1.0 of the Windows Server 2003 Security Baseline (April 2003).

Known Issues

The following are known issues for the Windows Server 2003 SP2 Security Compliance Baseline:

• None for version 1.0 of the of the Windows Server 2003 SP2 Security and Compliance Baseline.

Version 1.0 of the Windows Server 2003 Security Baseline:

• The setting "MSS: (TCPMaxDataRetransmissions) IPv6 How many times unacknowledged data is retransmitted (3 recommended, 5 is default)" is mentioned in previous toolkits for Windows XP and Windows Server 2003. However, this setting does not apply to the security baselines for these operating systems. (February,12 2009)
• The compliance check results for the setting "Domain controller: LDAP server signing requirements" may not be correct for computers running Windows Server 2003 SP2. (June 6, 2008)
• Managing Bastion Hosts After Lockdown. Ensure that the bastion hosts and the High Security - Bastion Host.inf Security Template are configured to enable the functionality your environment requires before applying the security settings. The recommended configuration included in this guide disables many system services, making it very difficult to manage or reconfigure bastion hosts that have been locked down. For example, the Windows Installer service is disabled, making it impossible to reconfigure a bastion host using the Add or Remove Programs applet in Control Panel. Administrators can work around some of these limitations by temporarily enabling and restarting services as required. Restart the bastion host after completing any management tasks to ensure the Bastion Host Local Policy (BHLP) takes effect. (April 2003)