Two incidents in a month prompted me to write this blog; Incidents where I spent so much time in troubleshooting why a certain product was not working the way it should. The culprit eventually turned out to be "Server hardening".

 

Modern Operating systems like Windows 2008  have significantly tightened permissions throughout the system. Therefore, extensive changes to default permissions is not necessary to secure the system. Server hardening (especially  without testing ) can result in increased management effort (cost ) due to unexpected & undocumented behavior which may be observed.

 

Additionally ACL changes may invalidate all or most of the in-depth & lengthy compatibility testing that is performed by Microsoft prior to shipping the product & change the fundamental behavior. You many never know it until you hit an issue where something stops working. Then spend a lot of time figuring out what broke.

 

If you do need to implement some custom changes, its should be tested thoroughly ( which is tough & lengthy )

 

In my opinion securing your server would start by not disabling the features which are enabled by default. It may be irritating but its there for a reason. ( IE Enhanced security, Firewall profiles, etc )

 

 

Further Reading,

 

have a look at the below book co-authored by the Steve Riley, where he covers all this kind of 'tweaks' which are so true in the field.  Personally, I have seen these myths believed as the gospel truth so many times. ( 2 last month )

http://technet.microsoft.com/en-us/library/cc512582.aspx

 

Some real world examples of broken services caused by un-tested server hardening.

http://blogs.technet.com/askperf/archive/2008/11/18/disabling-unnecessary-services-a-word-to-the-wise.aspx

http://blogs.technet.com/networking/archive/2008/09/11/don-t-be-that-guy-assault-by-security-template.aspx

 

The issue I observed was that exchange services on a freshly installed server were not starting.

Turned out that we were missing the database files, which was caused because the service did not have permissions to create the database file, which was due to the default permissions at the root of the volume being modified.

 

 

I first started writing this blog on 20th may 2010