be configured to rename administrator accounts in the three environments defined in this guide. This
setting is a part of the Security Options settings in Group Policy.
Never configure a service to run under the security context of a domain account unless absolutely
necessary. If a server is physically compromised, domain account passwords can be easily obtained
by dumping Local Security Authority (LSA) secrets.
2.10.6.2 Blocking Ports with IPSec Filters
Internet Protocol Security (IPSec) filters can be an effective means of enhancing the level of
security on servers. This guide recommends them as optional guidance for the High Security
environment defined in this guide, to further reduce the attack surface of the server. For more
information on the use of IPSec filters, see Chapter 11, "Additional Member Server Hardening
Procedures," in Microsoft's "Windows Solution for Security: Threats and Countermeasures: Security
Settings in Windows Server 2003 and Windows XP".
The following table lists all of the IPSec filters
that can be created on print servers in the High Security environment defined in this guide.
Important: For Legacy Client and Enterprise Client environments, HP does not recommend blocking
ports with IPSec filters.
All of the rules listed in the table above should be mirrored when they are implemented. This ensures
that any network traffic coming into the server will also be allowed to return to the originating server.
The table above represents the base ports that should be opened for the server to perform its role-
specific functions. These ports are sufficient if the server has a static IP address. Additional ports may
need to be opened to provide for additional functionality. For example, port 515 would need to be
opened on print servers hosting LPR printers. Opening additional ports will make the print servers
within the network easier to administer; however, doing so may greatly reduce the security of these
servers.
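
The following added example (not part of the original guide) shows how the LPR exception mentioned above could be expressed as a mirrored permit filter next to a mirrored block filter, using the `netsh ipsec static` context on Windows Server 2003. The policy, filter list, filter action and rule names are hypothetical, the role-specific base ports from the guide's table are not reproduced here and must be added in the same way, and the policy is deliberately left unassigned.

```batch
@echo off
rem Added example. All names below are hypothetical placeholders.
set POLICY=PrintServer-PortFilter

rem 1. Create the policy unassigned so nothing is enforced until it has been
rem    reviewed and the base ports from the guide's table have been added.
netsh ipsec static add policy name="%POLICY%" description="Print server port filtering" assign=no

rem 2. Filter actions: one that permits traffic, one that blocks it.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

rem 3. LPR exception: any host, any source port -> this server, TCP 515.
rem    srcport=0 means "any port". mirrored=yes also matches the reverse
rem    direction, so replies can return to the originating host.
rem    The filter list is created if it does not already exist.
netsh ipsec static add filter filterlist="LPR Server" srcaddr=any dstaddr=me description="LPR inbound" protocol=TCP srcport=0 dstport=515 mirrored=yes

rem 4. Catch-all: every other packet addressed to this server.
netsh ipsec static add filter filterlist="All Inbound Traffic" srcaddr=any dstaddr=me description="All inbound traffic" protocol=any mirrored=yes

rem 5. Bind each filter list to its action inside the policy. The more
rem    specific LPR filter takes precedence over the catch-all block filter.
netsh ipsec static add rule name="Allow LPR" policy="%POLICY%" filterlist="LPR Server" filteraction="Permit"
netsh ipsec static add rule name="Block All Inbound" policy="%POLICY%" filterlist="All Inbound Traffic" filteraction="Block"

rem 6. Review the result before assigning the policy.
netsh ipsec static show policy name="%POLICY%" level=verbose
```

Assigning the policy as written would block every inbound connection except TCP 515, so add the remaining permit rules first and then enable it with `netsh ipsec static set policy name="PrintServer-PortFilter" assign=yes`.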