November 6, 2017

10 Essential Baseline Security Hardening Considerations for Windows Server 2016

Increase your Windows Server security by enabling the following features and configurations.

While Windows Server has numerous features and configuration options that provide enhanced security, many of them are not enabled, or not enabled restrictively enough, by default. Administrators have to configure these options properly to increase server security. Here are ten recommended baseline security hardening considerations for Windows Server 2016. Your individual server setup may vary and require additional security considerations. These ten steps provide a baseline security setup and serve as a starting point for additional hardening.

Windows Server Security Setup

1. Network Security

  • Set static IPs for servers. Firewall rules, DNS records and trust relationships all refer to the server by address, so that address must not change with a DHCP lease.
  • Segment your network. Hosts on the same subnet/VLAN share a broadcast domain and can spoof the server (for example with ARP poisoning) far more easily than hosts elsewhere. Put servers on their own VLANs and filter between segments.
  • Add a network firewall.
    • Disable any protocols and services you are not using. Note that Microsoft does not recommend disabling IPv6 on Windows; if IPv6 is not routed on your network, firewall it and set IPv4 as the preferred protocol rather than unbinding it.
    • Also block inbound traffic on ports that are not in use.
  • Use secondary DNS servers for load-balancing and redundancy.
    • Have more than one DNS server so that clients can fall back if one is unavailable.
  • Each server should have (in DNS):
    • an A record (forward lookup)
    • a PTR record (reverse lookup), so that logs and tools can resolve its address back to its name
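
The following PowerShell, added here as an illustration and not part of the original article, assigns a static address and DNS servers to an adapter and then checks that the server's A and PTR records agree with that configuration. The interface alias, addresses and host name are assumptions; substitute your own. Run it from a console session or over a different adapter, because clearing the address on the adapter you are connected through will end an RDP session.

```powershell
# Added example, not from the original article. All values below are assumptions.
$Alias   = 'Ethernet'
$IP      = '10.10.20.15'
$Prefix  = 24
$Gateway = '10.10.20.1'
$DnsList = '10.10.10.5', '10.10.10.6'     # primary and secondary DNS servers
$Fqdn    = 'app01.corp.example'

# Leave DHCP, clear any existing address and default route, then set the static configuration.
Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceAlias $Alias -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Alias -IPAddress $IP -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $DnsList

# Domain members register their own A and PTR records; force that now instead of waiting for the timer.
Register-DnsClient

# Verify both directions. A mismatch here means firewall rules and logs will point at the wrong host.
$a = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop | Where-Object Type -eq 'A'
if ($a.IPAddress -notcontains $IP) {
    Write-Warning "A record for $Fqdn resolves to $($a.IPAddress -join ', '), expected $IP"
}
$ptr = Resolve-DnsName -Name $IP -Type PTR -ErrorAction Stop
if ($ptr.NameHost -notcontains $Fqdn) {
    Write-Warning "PTR record for $IP resolves to $($ptr.NameHost -join ', '), expected $Fqdn"
}
```

On a workgroup server Register-DnsClient does nothing useful; create the A and PTR records on the DNS server by hand and the two checks at the end will still tell you whether they are right.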

2. Configure Time Synchronization

  • Sync the domain's PDC emulator (the root of the domain time hierarchy) to an external stratum-one or stratum-two time server; other domain controllers and domain members then take their time from the domain hierarchy.
    • Also sync time on non-domain servers to an external NTP server.
    • Accurate, consistent time is not optional: Kerberos rejects tickets when clocks differ by more than the default five minutes, and correlating logs across systems depends on it.
  • Additionally, ensure servers are set to the proper time zone (for logging, etc.).
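
As an added example (not the article's own code), the w32tm configuration for each of the three cases above, chosen automatically from the machine's role. The external peer names are assumptions, and the script assumes a single-domain forest; in a multi-domain forest only the forest root PDC emulator should use manual external peers, and child-domain PDC emulators should follow the domain hierarchy.

```powershell
# Added example, not from the original article. Peer names and the single-domain assumption are mine.
$ExternalPeers = 'time.nist.gov,0x8 time.cloudflare.com,0x8'   # 0x8 = client mode: send requests, never serve them

$cs   = Get-CimInstance Win32_ComputerSystem
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

if ($cs.PartOfDomain) {
    $pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().PdcRoleOwner.Name
    if ($fqdn -ieq $pdc) {
        # The PDC emulator alone talks to external NTP and advertises itself as a reliable source.
        w32tm /config /manualpeerlist:"$ExternalPeers" /syncfromflags:manual /reliable:yes /update
    } else {
        # Every other DC and member server follows the domain hierarchy (authenticated NTP from a DC).
        w32tm /config /syncfromflags:domhier /update
    }
} else {
    # Standalone server: sync straight to the external sources.
    w32tm /config /manualpeerlist:"$ExternalPeers" /syncfromflags:manual /update
}

Restart-Service w32time
w32tm /resync /rediscover

# Verify. A source of "Local CMOS Clock" or "Free-running System Clock" means synchronisation is NOT
# working, and a phase offset of more than a few seconds will start breaking Kerberos.
w32tm /query /source
w32tm /query /status

# Check the time zone as well; for servers, UTC avoids any DST ambiguity in logs (my recommendation).
Get-TimeZone
# Set-TimeZone -Id 'UTC'
```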

3. Ensure Windows Server is up to date with all patches installed

  • Where possible, upgrade all existing servers to the latest Windows Server.
    • Critical updates should be applied as soon as possible. Apply these updates in test environments first to confirm proper function, then in production if there are no compatibility issues.
  • Be sure to update any other Microsoft products in use, such as Exchange Server and SQL Server.
  • Update other third-party applications on a regular cadence, as well.

4. Configure Windows Firewall

  • Restrict inbound traffic to the ports your services need. For example, a web server must accept TCP 80 and 443 from most users, but it does not need RDP (TCP 3389) reachable from all sources.
  • Restrict management access (e.g. RDP, WinRM, WMI) to the IPs and networks belonging to system administrators, and set the firewall's default inbound action to block so that anything you have not explicitly allowed is dropped.
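
As an added example (not the article's own code), here is the Windows Firewall configuration for the web-server case above, with the management ports scoped to administrator networks. The admin subnets, rule names and the choice of web ports are assumptions.

```powershell
# Added example, not from the original article. Subnets and rule names are assumptions.
$AdminNets = '10.10.100.0/24', '10.10.101.0/24'

# Default-deny inbound on every profile, allow outbound, and log dropped packets for later review.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' -LogMaxSizeKilobytes 16384

# Service rules: the web ports are open to everyone.
New-NetFirewallRule -DisplayName 'Web HTTP'  -Direction Inbound -Protocol TCP -LocalPort 80  -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'Web HTTPS' -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow -Profile Any

# Management rules: RDP (3389) and WinRM (5985/5986) only from the admin networks.
New-NetFirewallRule -DisplayName 'Mgmt RDP from admin nets'   -Direction Inbound -Protocol TCP -LocalPort 3389       -RemoteAddress $AdminNets -Action Allow
New-NetFirewallRule -DisplayName 'Mgmt WinRM from admin nets' -Direction Inbound -Protocol TCP -LocalPort 5985, 5986 -RemoteAddress $AdminNets -Action Allow

# WMI uses DCOM (135) plus dynamic RPC ports, so scope the built-in rule group rather than opening a port range.
Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' |
    Set-NetFirewallRule -Enabled True -RemoteAddress $AdminNets

# Disable the built-in any-source Remote Desktop rules so the scoped rule above is the only path in.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

# Review: every inbound rule still enabled, with its port and remote scope.
Get-NetFirewallRule -Direction Inbound -Enabled True | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule   = $_.DisplayName
        Proto  = $port.Protocol
        Port   = ($port.LocalPort -join ',')
        Remote = ($addr.RemoteAddress -join ',')
    }
} | Sort-Object Rule | Format-Table -AutoSize
```

The review table at the end is the check worth keeping: any inbound rule whose Remote column reads "Any" on a port that is not a public service is something to explain or remove.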

5. Secure and Encrypt Remote Access

  • RDP should only be accessible by authorized administrators.
    • Prune the Remote Desktop Users group, and require Network Level Authentication (NLA) and TLS for RDP connections so that credentials are checked before a session is created.
  • Telnet and other unencrypted management protocols should be disabled across the whole environment.
  • Use only encrypted remote access, for example:
    • SFTP rather than FTP for file transfer
    • SSH, reached through a VPN rather than exposed directly to untrusted networks
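
An added example (not from the original article) that prunes Remote Desktop Users down to a single administrative group, requires NLA and TLS for RDP, and removes the Telnet client feature. The group name CORP\Server-Admins is an assumption.

```powershell
# Added example, not from the original article. The group name is an assumption.
$AllowedRdpGroup = 'CORP\Server-Admins'

# 1. Prune Remote Desktop Users down to the one admin group.
$rdpMembers = @(Get-LocalGroupMember -Group 'Remote Desktop Users')
foreach ($m in $rdpMembers) {
    if ($m.Name -ne $AllowedRdpGroup) {
        Write-Host "Removing $($m.Name) from Remote Desktop Users"
        Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $m.Name
    }
}
if ($rdpMembers.Name -notcontains $AllowedRdpGroup) {
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $AllowedRdpGroup
}

# 2. Require Network Level Authentication and TLS for RDP, at "High" encryption.
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1   # 1 = NLA: authenticate before any session is created
Set-ItemProperty -Path $rdp -Name SecurityLayer      -Value 2   # 2 = TLS; 0 = legacy RDP security layer, 1 = negotiate
Set-ItemProperty -Path $rdp -Name MinEncryptionLevel -Value 3   # 3 = High (128-bit); 4 = FIPS-compliant

# 3. Remove the cleartext Telnet client so nobody can use it from this host.
$telnet = Get-WindowsFeature -Name Telnet-Client -ErrorAction SilentlyContinue
if ($telnet -and $telnet.Installed) {
    Uninstall-WindowsFeature -Name Telnet-Client -Remove
}

# Verify what is left.
Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object Name, ObjectClass
Get-ItemProperty -Path $rdp | Select-Object UserAuthentication, SecurityLayer, MinEncryptionLevel
```

The three registry values take effect for new connections; existing sessions are unaffected. With SecurityLayer set to TLS, clients that cannot do NLA (very old mstsc versions) will be refused, which is the intended result.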

6. Restrict Unnecessary Services

  • Disable unnecessary services; a service that is not running cannot be exploited.
  • Set up specific service accounts, locally or in Active Directory, for application and user services, each with only the rights that service needs.
    • This way, if an application is compromised, the attacker inherits limited user rights rather than full system or privileged user rights.
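
Added example, not the article's code: it disables two services that a typical application server does not need, reviews what still starts automatically and under which account, and then moves an application service onto a group Managed Service Account (gMSA), whose password is generated and rotated by Active Directory and never typed into a configuration file. The service names, the gMSA name svc-app01, the host app01 and the service MyAppService are assumptions; the AD commands need the ActiveDirectory module and a KDS root key in the domain.

```powershell
# Added example, not from the original article. Service and account names are assumptions.

# 1. Disable services with no business purpose on this host (assumed: no printing, no remote registry).
$Unneeded = 'Spooler', 'RemoteRegistry'
foreach ($svc in $Unneeded) {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc -StartupType Disabled
    }
}

# Review what still starts automatically and the account it runs as. Anything running as a
# domain admin or a shared account is the next thing to fix.
Get-CimInstance Win32_Service | Where-Object StartMode -eq 'Auto' |
    Select-Object Name, StartName, State | Sort-Object Name | Format-Table -AutoSize

# 2. Run the application as a gMSA. One-time domain prerequisite (on a DC, as Domain Admin):
#    Add-KdsRootKey -EffectiveImmediately    # usable after ~10 hours; lab only: -EffectiveTime ((Get-Date).AddHours(-10))
Import-Module ActiveDirectory
New-ADServiceAccount -Name 'svc-app01' -DNSHostName 'svc-app01.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'APP01$' `
    -KerberosEncryptionType AES128, AES256

# On the server itself: install the account and point the service at it. No password is supplied;
# the host retrieves it from AD, and only hosts listed above are allowed to.
Install-ADServiceAccount -Identity 'svc-app01'
Test-ADServiceAccount    -Identity 'svc-app01'   # True when this host can fetch the managed password
sc.exe config 'MyAppService' obj= 'CORP\svc-app01$' password= ''
```

The gMSA still needs the "Log on as a service" user right on the host (grant it through Local Security Policy or Group Policy), and any file or registry ACLs the service depends on must be granted to CORP\svc-app01$ rather than to whatever account it ran as before.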

7. Disable local administrators and secure administrator rights

  • At the very least, set a unique, strong password for the built-in local Administrator account.
  • Do not re-use admin passwords throughout the environment; a password shared by every server's local Administrator lets one compromised host unlock all the others. Microsoft's LAPS (Local Administrator Password Solution) manages a unique, automatically rotated local administrator password per machine.
    • Change administrator passwords regularly, and immediately when someone who knew them leaves, so that a leaked password does not result in a new breach.
    • Enforce a strong password policy using these considerations:
      • Complexity and length
      • Expiration
      • Re-use (password history) policy
  • Enable account lockout for repeated failed attempts.
  • Create a new administrative account (in Active Directory, or locally if the environment does not use AD), add it to the Administrators group, and then disable or rename the built-in Administrator account, which attackers target because its well-known RID (500) makes it easy to identify regardless of its name.
    • Use a non-admin user account for normal business.
    • Use the "Run as" feature to run specific applications with Administrator privileges when necessary.
  • Disable local guest accounts.
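
Added example, not from the original article, covering the account and policy items above for a standalone or workgroup server (domain members should get the password and lockout policy from Group Policy instead). The new account name, the thresholds and the name given to the renamed Administrator account are assumptions. Create and test the new administrator account before disabling the built-in one, or you can lock yourself out.

```powershell
# Added example, not from the original article. Names and thresholds are assumptions.
$NewAdmin = 'srvadmin'

# Lockout and password policy for local accounts (lengths in characters, ages and windows in days/minutes).
net accounts /minpwlen:14 /maxpwage:90 /minpwage:1 /uniquepw:24
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15

# Complexity is a security option rather than a "net accounts" switch, so apply it with secedit.
$inf = @'
[Unicode]
Unicode=yes
[System Access]
PasswordComplexity = 1
[Version]
signature="$CHICAGO$"
Revision=1
'@
$inf | Set-Content -Path "$env:TEMP\pw.inf" -Encoding Unicode
secedit /configure /db "$env:TEMP\pw.sdb" /cfg "$env:TEMP\pw.inf" /areas SECURITYPOLICY | Out-Null

# Create the day-to-day admin account and test it before touching the built-in accounts.
$pw = Read-Host -AsSecureString -Prompt "Password for $NewAdmin"
New-LocalUser -Name $NewAdmin -Password $pw -AccountNeverExpires
Add-LocalGroupMember -Group 'Administrators' -Member $NewAdmin

# Find the built-in Administrator (RID 500) and Guest (RID 501) by SID, so a prior rename cannot hide them.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$guest        = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }

Rename-LocalUser  -Name $builtinAdmin.Name -NewName 'LocalBreakGlass'   # assumption: your break-glass naming
Disable-LocalUser -Name 'LocalBreakGlass'
Disable-LocalUser -Name $guest.Name

# Audit: who can administer this box now?
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource, ObjectClass
net accounts
```

Renaming the built-in account is cosmetic on its own, since RID 500 can still be enumerated; disabling it is what removes it as a target. Keep the disabled account's password recorded in your break-glass process so it can be re-enabled from a console if the new account is ever lost.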

8. Configure User Account Control (UAC)

  • Keep UAC enabled, including Admin Approval Mode for the built-in Administrator account, and have elevation prompts appear on the secure desktop so that malware cannot spoof or auto-click them.
  • These policy settings are located in Security Settings\Local Policies\Security Options in the Local Security Policy snap-in (the entries beginning "User Account Control:").
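
Added example, not from the original article: the registry values behind those User Account Control policy entries, checked and set to the values the CIS Benchmark recommends for Windows Server 2016. The path and value names are the ones Windows uses; a Group Policy that sets the same entries will override local changes at the next refresh.

```powershell
# Added example, not from the original article. Desired values follow the CIS Benchmark recommendations.
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Desired = [ordered]@{
    EnableLUA                  = 1   # Run all administrators in Admin Approval Mode
    FilterAdministratorToken   = 1   # Admin Approval Mode for the built-in Administrator account
    ConsentPromptBehaviorAdmin = 2   # Administrators: prompt for consent on the secure desktop
    ConsentPromptBehaviorUser  = 0   # Standard users: automatically deny elevation requests
    PromptOnSecureDesktop      = 1   # Switch to the secure desktop when prompting for elevation
    EnableInstallerDetection   = 1   # Detect application installations and prompt for elevation
    EnableSecureUIAPaths       = 1   # Only elevate UIAccess applications installed in secure locations
    EnableVirtualization       = 1   # Virtualize file and registry write failures to per-user locations
}

$changed = $false
foreach ($name in $Desired.Keys) {
    $current = (Get-ItemProperty -Path $uac -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne $Desired[$name]) {
        Write-Host ('{0,-28} {1} -> {2}' -f $name, $current, $Desired[$name])
        Set-ItemProperty -Path $uac -Name $name -Value $Desired[$name] -Type DWord
        $changed = $true
    }
}
if ($changed) { Write-Warning 'Changes to EnableLUA take effect only after a reboot.' }
```

Run it a second time after the reboot: an empty run means the host matches the desired state, and any line printed is a drift to investigate.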

9. Uninstall Unnecessary Frameworks and Packages through Windows Features

  • Remove roles, features and applications that are included in Windows Server by default but are not used in your environment. Each one you remove is attack surface that no longer needs patching.
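
An added example, not the article's code, that lists the installed roles and features and removes three that attackers routinely use and a hardened server rarely needs. The removal list is an assumption; confirm it against your workload before running it, since SMB 1.0 in particular may still be required by legacy clients.

```powershell
# Added example, not from the original article. The removal list is an assumption.

# Inventory what is installed.
Get-WindowsFeature | Where-Object Installed | Select-Object Name, DisplayName | Sort-Object Name

$Remove = @(
    'PowerShell-V2',   # Windows PowerShell 2.0 engine: no script block logging, no AMSI, no constrained language
    'FS-SMB1',         # SMB 1.0/CIFS server and client
    'Telnet-Client'    # cleartext remote shell client
)
foreach ($f in $Remove) {
    $feat = Get-WindowsFeature -Name $f -ErrorAction SilentlyContinue
    if ($feat -and $feat.Installed) {
        Write-Host "Removing $f"
        # -Remove also deletes the payload from the component store; reinstalling later needs source media.
        Uninstall-WindowsFeature -Name $f -Remove
    }
}

# SMB1 can also be switched off at the protocol level without a reboot, and the result is easy to verify.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol, EncryptData
```

Uninstall-WindowsFeature reports RestartNeeded in its output; plan the reboot rather than passing -Restart on a production host.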

10. Implement Activity Logging

  • Consolidate logs by collecting them in a central location (for example with Windows Event Forwarding or a SIEM agent), so that an attacker who gains administrator rights on a server cannot simply clear its local log and erase the evidence.
  • Back up logs to prevent data loss, and make the local Security log large enough that events are not overwritten before they are collected.
  • Monitor and analyze logs to identify attackers, rogue devices and suspicious usage patterns.
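
Added example, not from the original article. It turns on the audit subcategories that produce the most useful Security events, enlarges the Security log, configures source-initiated Windows Event Forwarding to a collector, and finishes with a simple detection: failed logons (event 4625) grouped by source address and account. The collector name, log size and the threshold of ten failures are assumptions; the collector itself is prepared separately with wecutil qc and a subscription.

```powershell
# Added example, not from the original article. Collector name, sizes and thresholds are assumptions.
$Collector = 'wec01.corp.example'

# 1. Audit policy: the subcategories behind logon, account, group and process events.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Special Logon" /success:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable

# Process creation events (4688) are far more useful with the command line included.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# 2. A Security log big enough (1 GiB) that events survive until they are forwarded.
wevtutil sl Security /ms:1073741824

# 3. Source-initiated Windows Event Forwarding: the host polls the collector for subscriptions over WinRM.
winrm quickconfig -q
$wef = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $wef -Force | Out-Null
Set-ItemProperty -Path $wef -Name '1' -Value "Server=http://${Collector}:5985/wsman/SubscriptionManager/WEC,Refresh=60"
# The forwarder runs as Network Service, which must be allowed to read the Security log.
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE' -ErrorAction SilentlyContinue
Restart-Service WinRM

# 4. First detection: failed logons in the last 24 hours, grouped by source address and target account.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } `
    -ErrorAction SilentlyContinue
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Source    = $d.IpAddress
        Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType = $d.LogonType      # 10 = RDP, 3 = network (SMB/WinRM), 2 = console
    }
}
$rows | Group-Object -Property Source, Account | Where-Object Count -ge 10 |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize
```

Ten failures from one address against one account in a day is a password-guessing pattern worth an alert; the same grouping with the account fixed and the source varying is a spray. Once forwarding is in place, run the same query on the collector rather than on each server.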

Remember that every business situation is unique, and depending on your organization's risk profile, you may need to develop a much more robust security framework. However, the above security recommendations will serve as a good starting point for establishing a hardened security posture for Windows Server 2016.

For more in-depth hardening processes, see the Center for Internet Security at: https://www.cisecurity.org/cis-benchmarks/

About the Authors

Ben Dimick is a manager of information security at Tevora.

Jordan L. Wheeler is an information security associate at Tevora.