• Admin

Windows Server Hardening Process and checklist for securing your environment

Updated: Jul 9, 2019



What is server hardening, and why do it?

Server hardening is one of the most commonly discussed topics in security today.


Why do we need to harden servers when new vulnerabilities and exploits are discovered daily? Why is it so important?


Hardening is the process of applying a minimum set of security measures and best practices to a system. It is a continuous process: identifying and understanding security risk, then taking appropriate countermeasures. Hardening is dynamic because the threats it targets keep evolving.


Hardening helps in the following ways:

  • Saves money in long run

  • Eliminates entry points

  • Improves performance

  • Reduces the holes in security


Saves money in the long run

Removing unneeded services and software frees memory and disk space, so hardware upgrades can be deferred. Fewer installed components also mean fewer patches to track and less to clean up after an incident.


Eliminates entry points

Removing unnecessary software, files and file shares reduces the number of access points an attacker can use against the server.


Improves performance

As mentioned above, hardening frees memory and disk space, much like cleaning up the server. With fewer services competing for resources, the server runs more quickly and efficiently.


Reduces the holes in security

Hardening applies several layers of security to protect users and servers from compromise. It also removes unused or disabled files and programs, which are often forgotten, go unpatched, and give an attacker a hidden way into the system.


Basics in Hardening process

Here we discuss the Windows Server platform specifically. Server admins and security consultants mostly harden against the CIS (Center for Internet Security) benchmark, compared with the MBSS (Minimum Baseline Security Standard) recommended by the particular client.


The following checklists should be worked through, in this order, during the hardening process:

  • Organizational Security

  • Windows Server Preparation

  • Windows Server Installation

  • User Account Security Hardening

  • Network Security Configuration

  • Registry Security Configuration

  • General Security Settings

  • Audit Policy Settings

  • Software Security Guide

  • Finalization


Organizational Security

An organization that is serious about security should maintain at least the following measures:

  • Maintain a record for each server that clearly documents its baseline configuration, and record every change made to the server.

  • Test and validate every proposed change to server software or hardware before applying it to a production server.

  • Regularly perform a risk assessment. Use the results to update the corporate risk management plan, and maintain a prioritized list of all servers so you can confirm that security vulnerabilities are fixed in a timely manner.

  • Keep all servers at the same patch and revision level so that the security baseline applies uniformly.


Windows Server Preparation

  • Protect newly installed machines from hostile network traffic until the operating system is installed and hardened. Build and harden each new server on an isolated staging network that is not reachable from the internet.

  • Set a BIOS/firmware password to prevent unauthorized changes to the server startup settings.

  • Disable automatic administrative logon to the recovery console.

  • Configure the boot order to prevent unauthorized booting from alternate media, and lock it with the firmware password set above.


Windows Server Installation

  • Ensure that the system is not shut down or interrupted during installation.

  • Use the Security Configuration Wizard (SCW) to create a system configuration based on the server role that is required. Note that SCW was removed in Windows Server 2016; on that version and later, use the Microsoft Security Compliance Toolkit baselines or Desired State Configuration to apply a role-based configuration instead.

  • Ensure that all appropriate patches, hotfixes and service packs are applied promptly. Security patches resolve known vulnerabilities that attackers might exploit to compromise a system. Once Windows Server is installed, immediately update it with the latest patches via WSUS or SCCM.

  • Enable automatic notification of patch availability. Whenever a patch is released, it should be analyzed, tested and applied in a timely manner using WSUS or SCCM.


User Account Security Hardening

  • Ensure that administrative and system passwords follow password best practices. In particular, verify that privileged account passwords are not based on a dictionary word and are at least 15 characters long, with letters, numbers and special characters interspersed throughout (control characters entered with Ctrl are sometimes suggested, but many consoles and tools cannot enter them reliably). Ensure all passwords are changed every 90 days where your policy requires rotation; note that current Microsoft and NIST SP 800-63B guidance favours long passphrases and screening against known-breached passwords over forced periodic changes.

  • Configure the account lockout settings (threshold, duration and reset window) through Group Policy.

  • Disallow users from creating and logging in with Microsoft accounts.

  • Disable the guest account.

  • Do not let Everyone permissions apply to anonymous users.

  • Do not allow anonymous enumeration of SAM accounts and shares.

  • Disable anonymous SID/Name translation.

  • Promptly disable or delete unused user accounts.
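As an added example (not code from the original article), the following Windows PowerShell script checks the items in this list on a single server. It exports the effective local security policy with secedit and reads the anonymous-access and Microsoft-account policies from their registry locations; the thresholds (15 characters, 90 days, and a lockout threshold of 1 to 5 attempts, as the CIS benchmark recommends) are this example's assumptions and should be adjusted to your own baseline.

```powershell
# Added example, not part of the original article: audit the account-hardening
# items in this list on a single server. Run in an elevated Windows PowerShell
# 5.1 session. On domain members these settings are normally enforced by Group
# Policy; the script reports the values currently in effect and changes nothing.
# Thresholds (15 characters, 90 days, lockout after 1-5 attempts) are this
# example's assumptions; adjust them to your own baseline.

# 1. Export the effective local security policy (password, lockout, guest,
#    anonymous SID/Name translation) and parse the INI-style file.
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /quiet | Out-Null
$policy = @{}
foreach ($line in Get-Content -Path $inf) {
    # keep "Name = Value" lines; skip [Section] headers and ; comments
    if ($line -match '^\s*([^;\[=][^=]*?)\s*=\s*(.*?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
}
Remove-Item -Path $inf -Force

# 2. Registry-backed "Network access" and Microsoft-account policies. A missing
#    value means the OS default applies, so each lookup carries that default.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
function Get-RegDword([string]$Path, [string]$Name, [int]$Default) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { $Default } else { [int]$item.$Name }
}
function Test-Setting([string]$Setting, $Actual, [string]$Required, [bool]$Pass) {
    [pscustomobject]@{ Setting = $Setting; Actual = $Actual; Required = $Required
                       Status = $(if ($Pass) { 'PASS' } else { 'FAIL' }) }
}

$minLen  = [int]$policy['MinimumPasswordLength']
$maxAge  = [int]$policy['MaximumPasswordAge']       # -1 = passwords never expire
$lockout = [int]$policy['LockoutBadCount']          #  0 = lockout disabled
$restrictAnon = Get-RegDword $lsa 'RestrictAnonymous'         0
$restrictSam  = Get-RegDword $lsa 'RestrictAnonymousSAM'      1
$everyoneAnon = Get-RegDword $lsa 'EveryoneIncludesAnonymous' 0
$msAccounts   = Get-RegDword $sys 'NoConnectedUser'           0   # 3 = cannot add or log on with MS accounts

$results = @(
    Test-Setting 'Minimum password length'                $minLen  '>= 15' ($minLen -ge 15)
    Test-Setting 'Password complexity'                    $policy['PasswordComplexity'] '1' ($policy['PasswordComplexity'] -eq '1')
    Test-Setting 'Maximum password age (days)'            $maxAge  '1-90'  ($maxAge -ge 1 -and $maxAge -le 90)
    Test-Setting 'Account lockout threshold'              $lockout '1-5'   ($lockout -ge 1 -and $lockout -le 5)
    Test-Setting 'Guest account enabled'                  $policy['EnableGuestAccount'] '0' ($policy['EnableGuestAccount'] -eq '0')
    Test-Setting 'Anonymous SID/Name translation'         $policy['LSAAnonymousNameLookup'] '0' ($policy['LSAAnonymousNameLookup'] -eq '0')
    Test-Setting 'Anonymous enumeration of shares'        $restrictAnon '1' ($restrictAnon -eq 1)
    Test-Setting 'Anonymous enumeration of SAM accounts'  $restrictSam  '1' ($restrictSam -eq 1)
    Test-Setting 'Everyone permissions apply to anonymous' $everyoneAnon '0' ($everyoneAnon -eq 0)
    Test-Setting 'Microsoft accounts blocked'             $msAccounts   '3' ($msAccounts -eq 3)
)
$results | Format-Table -AutoSize

# 3. Enabled local accounts unused for 90+ days (or never used). Get-LocalUser
#    is unavailable on domain controllers, which have no local SAM; skip there.
try {
    $cutoff = (Get-Date).AddDays(-90)
    Get-LocalUser -ErrorAction Stop |
        Where-Object { $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff) } |
        Select-Object Name, LastLogon, @{ n = 'Action'; e = { 'disable or delete' } } |
        Format-Table -AutoSize
} catch { Write-Warning "Local account review skipped: $($_.Exception.Message)" }
```

A FAIL row means the value is either unset or outside the baseline; fix it through Group Policy on domain members, or in Local Security Policy on standalone servers, and re-run the script to confirm.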


Network Security Configuration

  • Enable the Windows firewall in all profiles (domain, private, public) and configure it to block inbound traffic by default.

  • Perform port blocking at the network level as well. Analyze which ports each server role needs open and restrict access to all others.

  • Restrict the 'Access this computer from the network' user right to Authenticated Users (and only the groups that genuinely need it).

  • Do not grant any users the 'act as part of the operating system' right.

  • Deny guest accounts the ability to log on as a service, a batch job, locally or via RDP.

  • If RDP is used, set the RDP connection encryption level to High and require Network Level Authentication (NLA).

  • Disable LMHOSTS lookup.

  • Disable NetBIOS over TCP/IP.

  • Remove ncacn_ip_tcp from the DCOM Protocols list (HKLM\SOFTWARE\Microsoft\Rpc\DCOM Protocols) only if DCOM over TCP/IP is not required. This disables remote DCOM-based management such as classic remote WMI, so test the change before rolling it out.

  • Configure both the Microsoft Network Client and the Microsoft Network Server to always digitally sign communications.

  • Disable the sending of unencrypted passwords to third-party SMB servers.

  • Do not allow any shares to be accessed anonymously.

  • Allow Local System to use computer identity for NTLM.

  • Disable Local System NULL session fallback.

  • Configure the allowable encryption types for Kerberos (AES128_HMAC_SHA1, AES256_HMAC_SHA1 and Future encryption types; leave DES and RC4 off unless a legacy dependency requires them).

  • Do not store LAN Manager hash values.

  • Set the LAN Manager authentication level to allow only NTLMv2 and refuse LM and NTLM.

  • Disable File and Printer Sharing on network adapters where the server does not need to serve files. A misconfigured share (for example one granting Everyone access) can expose critical data to anyone who can reach the server. Note that unbinding it also removes the C$ and ADMIN$ shares that remote management tools rely on.


Registry Security Configuration

  • Ensure that all administrators take the time to thoroughly understand how the registry works and what the relevant keys do. Many Windows security weaknesses can be mitigated by changing specific values, as detailed below. Export a key before changing it so the change can be reverted.

  • Configure registry permissions. Protect the registry from anonymous access, and disallow remote registry access if it is not required: stop and disable the Remote Registry service, and use the 'Network access: Remotely accessible registry paths' policies to restrict what remains.

  • Set MaxCachedSockets (REG_DWORD) to 0.

  • Set SmbDeviceEnabled (REG_DWORD, under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters) to 0 to stop SMB direct hosting on TCP 445. Only do this on servers that must not serve files or be managed over SMB, because it disables file sharing and the ADMIN$ share.

  • Set AutoShareServer (REG_DWORD, under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters) to 0 to remove the C$ and ADMIN$ administrative shares. Tools that rely on those shares (SCCM client push, PsExec, some backup agents) stop working, so confirm nothing in your environment depends on them first.

  • Set AutoShareWks to 0 in the same key (the equivalent value for workstation editions).

  • Clear the NullSessionPipes value (REG_MULTI_SZ, under the same LanmanServer\Parameters key) so that no named pipes can be opened over an anonymous (NULL) session. Domain controllers need the pipes the CIS benchmark lists for DCs, so review before clearing the value there.

  • Clear the NullSessionShares value (REG_MULTI_SZ, same key) so that no shares can be accessed over a NULL session.
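The registry-backed items from both the Network Security Configuration and Registry Security Configuration lists can be audited, and optionally set, with one script. The following is an added example, not code from the original article: the registry paths are the documented locations of the corresponding Group Policy settings, the -Remediate switch and the check descriptions are this example's own, and port filtering, the ncacn_ip_tcp change, MaxCachedSockets (its effect on current Windows versions is not verified here) and user-rights assignments are deliberately left out.

```powershell
# Added example, not part of the original article: audit, and with -Remediate
# set, the registry-backed items from the Network Security Configuration and
# Registry Security Configuration lists on one server. Save as a .ps1 and run
# as Administrator in Windows PowerShell 5.1 (Windows Server 2012 or later for
# the NetSecurity cmdlets). On domain members configure the same settings
# through GPO, or the next policy refresh reverts them.
param([switch]$Remediate)

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wks   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$srv   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$rdp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$krb   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# description, key, value name, required REG_DWORD value
$dwords = @(
    @('LM authentication: NTLMv2 only, refuse LM & NTLM',      $lsa,   'LmCompatibilityLevel',     5),
    @('Do not store LAN Manager hash',                         $lsa,   'NoLMHash',                 1),
    @('Local System uses computer identity for NTLM',          $lsa,   'UseMachineId',             1),
    @('Local System NULL session fallback disabled',           "$lsa\MSV1_0", 'AllowNullSessionFallback', 0),
    @('SMB client always signs',                               $wks,   'RequireSecuritySignature', 1),
    @('SMB server always signs',                               $srv,   'RequireSecuritySignature', 1),
    @('No plaintext passwords to third-party SMB servers',     $wks,   'EnablePlainTextPassword',  0),
    @('Anonymous access to named pipes and shares restricted', $srv,   'RestrictNullSessAccess',   1),
    @('Administrative shares disabled (server)',               $srv,   'AutoShareServer',          0),  # breaks ADMIN$-based tools
    @('Administrative shares disabled (workstation)',          $srv,   'AutoShareWks',             0),
    @('SMB direct hosting on TCP 445 disabled',                $netbt, 'SmbDeviceEnabled',         0),  # only where no files are served
    @('LMHOSTS lookup disabled',                               $netbt, 'EnableLMHOSTS',            0),
    @('RDP encryption level High',                             $rdp,   'MinEncryptionLevel',       3),
    @('RDP requires Network Level Authentication',             $rdp,   'UserAuthentication',       1),
    @('Kerberos: AES128, AES256 and future types only',        $krb,   'SupportedEncryptionTypes', 2147483640)  # 0x7FFFFFF8
)

$report = foreach ($d in $dwords) {
    $desc, $path, $name, $want = $d
    $have = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    if ($Remediate -and $have -ne $want) {
        if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name $name -Value $want -Type DWord
        $have = $want
    }
    # An absent value reports FAIL: the OS default may differ from the baseline,
    # and a hardened build should set it explicitly.
    [pscustomobject]@{ Check = $desc; Value = $have; Required = $want; Status = $(if ($have -eq $want) { 'PASS' } else { 'FAIL' }) }
}

# Named pipes and shares reachable over a NULL session: both lists should be
# empty. Domain controllers need the pipes the CIS benchmark lists for DCs.
$report += foreach ($name in 'NullSessionPipes', 'NullSessionShares') {
    $have = @((Get-ItemProperty -Path $srv -Name $name -ErrorAction SilentlyContinue).$name | Where-Object { $_ })
    if ($Remediate -and $have.Count -gt 0) {
        [Microsoft.Win32.Registry]::SetValue('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters', $name, [string[]]@(), 'MultiString')
        $have = @()
    }
    [pscustomobject]@{ Check = "$name empty"; Value = ($have -join ','); Required = '(none)'; Status = $(if ($have.Count -eq 0) { 'PASS' } else { 'FAIL' }) }
}

# Windows Firewall: every profile on, inbound blocked by default.
if ($Remediate) { Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block }
$report += Get-NetFirewallProfile | ForEach-Object {
    [pscustomobject]@{ Check = "Firewall profile $($_.Name)"; Value = "$($_.Enabled)/$($_.DefaultInboundAction)"; Required = 'True/Block'
                       Status = $(if ($_.Enabled -eq 'True' -and $_.DefaultInboundAction -eq 'Block') { 'PASS' } else { 'FAIL' }) }
}

# NetBIOS over TCP/IP off on every IP-enabled adapter (2 = disable).
$report += Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $opt = $_.TcpipNetbiosOptions
    if ($Remediate -and $opt -ne 2) {
        Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null
        $opt = 2
    }
    [pscustomobject]@{ Check = "NetBIOS over TCP/IP: $($_.Description)"; Value = $opt; Required = 2; Status = $(if ($opt -eq 2) { 'PASS' } else { 'FAIL' }) }
}

# Remote Registry service stays disabled unless a management tool needs it.
$rr = Get-Service -Name RemoteRegistry
if ($Remediate -and $rr.StartType -ne 'Disabled') {
    Stop-Service -Name RemoteRegistry -Force
    Set-Service -Name RemoteRegistry -StartupType Disabled
    $rr = Get-Service -Name RemoteRegistry
}
$report += [pscustomobject]@{ Check = 'Remote Registry service disabled'; Value = $rr.StartType; Required = 'Disabled'; Status = $(if ($rr.StartType -eq 'Disabled') { 'PASS' } else { 'FAIL' }) }

$report | Format-Table -AutoSize
```

Run it once without -Remediate to see what the server currently has, review the rows marked with a caveat in the table (administrative shares and SMB direct hosting break remote management if the server depends on them), then run with -Remediate on a test system before touching production.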


General Security Settings

  • Disable unneeded services. Most servers start from a default operating system installation, which contains services the server's role does not need, and each of those is additional attack surface. Remove or disable every service the role does not require.

  • Remove unneeded Windows components. Any unnecessary Windows components should be removed from critical systems to keep the servers in a secure state.

  • Use disk encryption: BitLocker for whole volumes (the preferred option on servers), or the NTFS Encrypting File System (EFS) for individual files and folders.

  • Protect the page file. Disabling it on machines with ample RAM is sometimes recommended so that sensitive data is never paged to disk, but doing so also prevents kernel memory dumps and can cause out-of-memory failures. On a server, encrypt the volume with BitLocker instead, or configure the page file to be cleared at shutdown (ClearPageFileAtShutdown = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management).

  • Disable AutoRun and AutoPlay. Otherwise untrusted code can run without the user's knowledge; for example, an attacker with physical access could insert removable media that launches their own script.

  • Display a legal notice like the following before the user logs in: “Unauthorized use of this computer and networking resources is prohibited…”

  • Require Ctrl+Alt+Del for interactive logins.

  • Configure a machine inactivity limit to protect idle interactive sessions.

  • Ensure all volumes are using the NTFS file system.

  • Configure local file and folder permissions. Locking down file-level permissions on the server is important but often overlooked. Do not assume the defaults are adequate: volumes created outside the installer, converted from FAT, or carried over from older Windows versions can grant the Everyone group broad permissions. Remove such grants and instead give access through role-based groups following the principle of least privilege. Wherever possible, remove Guest, Everyone and ANONYMOUS LOGON from ACLs and from the user rights assignments.

  • Set the system date/time and configure it to synchronize against domain time servers.

  • Configure a screen saver to lock the console's screen automatically if it is left unattended.
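The following Windows PowerShell script is an added example, not code from the original article. It reports on the General Security Settings items for one server: the interactive-logon, AutoRun, page-file and time-source values, installed roles outside a baseline, third-party auto-start services, non-NTFS volumes, BitLocker status, and top-level folders that grant Everyone or ANONYMOUS LOGON write access. $AllowedRoles is a placeholder for your own role baseline (the two names given are a file-server example), and the 15-minute inactivity limit is this example's threshold, taken from the CIS benchmark.

```powershell
# Added example, not part of the original article: report the General Security
# Settings items for one server. Run as Administrator in Windows PowerShell 5.1
# on Windows Server 2012 R2 or later. $AllowedRoles is a placeholder for your
# own role baseline (file-server example shown); Get-BitLockerVolume exists only
# when the BitLocker feature is installed, so that check is skipped otherwise.
$AllowedRoles = @('File-Services', 'FS-FileServer')

function Get-Reg([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$exp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$mm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# 1. Interactive-logon, AutoRun, page-file and time-source checks. Each entry is
#    a predicate; FAIL means the setting is absent or outside the baseline.
$checks = [ordered]@{
    'AutoRun disabled for all drive types (NoDriveTypeAutoRun = 255)' = { (Get-Reg $exp 'NoDriveTypeAutoRun') -eq 255 }
    'Ctrl+Alt+Del required at logon (DisableCAD not 1; absent = default, which requires it)' = { (Get-Reg $sys 'DisableCAD') -ne 1 }
    'Machine inactivity limit set, at most 15 minutes'                = { $t = Get-Reg $sys 'InactivityTimeoutSecs'; ($t -ge 1) -and ($t -le 900) }
    'Legal notice caption and text configured'                        = { [bool](Get-Reg $sys 'LegalNoticeCaption') -and [bool](Get-Reg $sys 'LegalNoticeText') }
    'Page file cleared at shutdown'                                   = { (Get-Reg $mm 'ClearPageFileAtShutdown') -eq 1 }
    'Time synchronised from a domain or NTP source'                   = { $src = w32tm /query /source; ($LASTEXITCODE -eq 0) -and ($src -notmatch 'Local CMOS Clock|Free-running') }
}
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Status = $(if (& $_.Value) { 'PASS' } else { 'FAIL' }) }
} | Format-Table -AutoSize

# 2. Attack surface: installed roles outside the baseline, and auto-start
#    services whose binary lives outside the Windows directory (third-party
#    software that a hardened build should justify or remove).
Get-WindowsFeature | Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and $_.Name -notin $AllowedRoles } |
    Select-Object Name, DisplayName | Format-Table -AutoSize
Get-CimInstance -ClassName Win32_Service -Filter "StartMode = 'Auto'" |
    Where-Object { $_.PathName -notmatch [regex]::Escape($env:SystemRoot) } |
    Select-Object Name, State, PathName | Format-Table -AutoSize

# 3. Storage: every fixed volume on NTFS (or ReFS), and encrypted with BitLocker.
Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.FileSystem -notin 'NTFS', 'ReFS' } |
    Select-Object DriveLetter, FileSystemLabel, FileSystem | Format-Table -AutoSize
try {
    Get-BitLockerVolume -ErrorAction Stop | Where-Object { $_.VolumeStatus -ne 'FullyEncrypted' } |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus | Format-Table -AutoSize
} catch { Write-Warning "BitLocker check skipped: $($_.Exception.Message)" }

# 4. Top-level folders on the system drive that grant Everyone or ANONYMOUS
#    LOGON write, modify or full control (extend the depth for a full scan).
Get-ChildItem -Path "$env:SystemDrive\" -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference -match '^(Everyone|NT AUTHORITY\\ANONYMOUS LOGON)$' -and
            $ace.AccessControlType -eq 'Allow' -and
            $ace.FileSystemRights -match 'FullControl|Modify|Write') {
            [pscustomobject]@{ Path = $_.FullName; Identity = $ace.IdentityReference; Rights = $ace.FileSystemRights }
        }
    }
} | Format-Table -AutoSize
```

The script only reports; the screen saver lock is a per-user setting applied through user Group Policy and is covered on the machine side by the inactivity limit checked above.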


Audit Policy Settings

  • Enable audit policy according to audit policy best practices. The Windows audit policy defines which event types are written to the Security log of each server. Use the advanced (subcategory) audit policy rather than the legacy nine categories, and enable 'Audit: Force audit policy subcategory settings to override audit policy category settings' so that the subcategories take precedence.

  • Configure the event log retention method to overwrite events as needed and raise the maximum size (for example up to 4 GB for the Security log), so that a burst of events does not overwrite evidence before it is collected.

  • Configure log shipping to SIEM for monitoring.
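The three items above can be applied with the built-in auditpol.exe and wevtutil.exe tools. The script below is an added example, not code from the original article: the subcategory list is a starting set drawn from common baselines (CIS and the Microsoft Security Baseline) rather than the article's own list, and the System and Application log sizes are this example's choices; the 4 GB Security log size is the article's figure. SIEM forwarding (Windows Event Forwarding or an agent) is set up separately.

```powershell
# Added example, not part of the original article: set the audit-policy and
# event-log items above with auditpol.exe and wevtutil.exe, then print the
# result. Run as Administrator. The subcategory list is a starting set from
# common baselines (CIS, Microsoft Security Baseline); extend it to your own
# audit policy. On domain members apply the same settings through Group Policy
# (Advanced Audit Policy Configuration) so they survive policy refresh.

# 1. Make the advanced (subcategory) policy authoritative, so the legacy
#    nine-category settings cannot override it.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# 2. Subcategories and whether to record success, failure or both.
$audit = [ordered]@{
    'Credential Validation'        = 'both'
    'User Account Management'      = 'both'
    'Security Group Management'    = 'both'
    'Process Creation'             = 'success'
    'Logon'                        = 'both'
    'Logoff'                       = 'success'
    'Special Logon'                = 'success'
    'Account Lockout'              = 'failure'
    'Other Logon/Logoff Events'    = 'both'
    'Audit Policy Change'          = 'both'
    'Authentication Policy Change' = 'success'
    'Sensitive Privilege Use'      = 'both'
    'Security State Change'        = 'both'
    'Security System Extension'    = 'both'
    'System Integrity'             = 'both'
    'Removable Storage'            = 'both'
}
foreach ($sub in $audit.Keys) {
    $ok  = if ($audit[$sub] -in 'both', 'success') { 'enable' } else { 'disable' }
    $bad = if ($audit[$sub] -in 'both', 'failure') { 'enable' } else { 'disable' }
    auditpol /set /subcategory:"$sub" /success:$ok /failure:$bad | Out-Null
}
# Process Creation events (4688) are far more useful with the command line.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path -Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Log sizes and retention: "overwrite as needed" is /rt:false; /ab:false
#    turns off auto-archiving. 4 GB for Security is the article's figure; the
#    other two sizes are this example's choices.
$logSizes = @{ 'Security' = 4GB; 'System' = 256MB; 'Application' = 256MB }
foreach ($log in $logSizes.Keys) {
    wevtutil set-log $log /ms:$($logSizes[$log]) /rt:false /ab:false
}

# 4. Verify what is now in effect.
auditpol /get /category:* | Select-String -Pattern ($audit.Keys -join '|')
foreach ($log in $logSizes.Keys) {
    "--- $log"
    wevtutil get-log $log | Select-String -Pattern 'maxSize|retention|autoBackup'
}
```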


Software Security Guide

  • Install and enable anti-malware software and configure it to update its signatures at least daily. Windows Server 2016 and later include Microsoft Defender Antivirus, which covers both the anti-virus and anti-spyware roles; on older versions, install a supported third-party product.

  • Install software to check the integrity of critical operating system files. Windows includes Windows Resource Protection, which automatically checks certain key files and replaces them if they become corrupted; sfc /scannow invokes the same check on demand.
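As an added example (not code from the original article), the following Windows PowerShell script verifies both items above on Windows Server 2016 or later, where Microsoft Defender Antivirus supplies Get-MpComputerStatus. The one-day signature age threshold reflects the article's "update daily" and is this example's assumption, not a Microsoft default.

```powershell
# Added example, not part of the original article: check the anti-malware and
# file-integrity items above on Windows Server 2016 or later, where Microsoft
# Defender Antivirus is built in. Run as Administrator. The one-day signature
# age threshold is this example's assumption (the article asks for daily updates).
$mp = Get-MpComputerStatus
$avChecks = [ordered]@{
    'Antivirus engine enabled'       = $mp.AntivirusEnabled
    'Antispyware component enabled'  = $mp.AntispywareEnabled
    'Real-time protection on'        = $mp.RealTimeProtectionEnabled
    'Signatures at most 1 day old'   = ($mp.AntivirusSignatureAge -le 1)
}
$avChecks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Status = $(if ($_.Value) { 'PASS' } else { 'FAIL' }) }
} | Format-Table -AutoSize
if ($mp.AntivirusSignatureAge -gt 1) {
    Update-MpSignature                              # pull the current definitions now
    Set-MpPreference -SignatureUpdateInterval 24    # and check at least every 24 hours from here on
}

# Windows Resource Protection: sfc verifies the protected OS files. sfc writes
# UTF-16, so strip the embedded NUL characters from the captured output before
# matching its result text.
$sfc = (sfc /verifyonly) -replace "`0", ''
if ($sfc -match 'did not find any integrity violations') {
    'WRP: no integrity violations found'
} else {
    'WRP: violations or errors reported; review C:\Windows\Logs\CBS\CBS.log and run sfc /scannow'
}
```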


Finalization

  • Make an image of the hardened OS using a tool such as Ghost or Clonezilla to simplify later Windows Server installations and hardening. Run sysprep /generalize before capturing the image, so that machines deployed from it do not share the same SID and machine identity.

  • Enter your Windows Server 2016/2012/2008 license key. (Windows Server 2003 is out of support and should not be deployed; Windows Server 2008 and 2008 R2 leave extended support in January 2020.)

  • Join the server to the domain and apply your domain group policies.


Conclusion

The checklist above is only the tip of the server hardening iceberg. Many more procedures remain, and each of them is complex in its own right.


© 2019 Lakhshya CyberSecurity Labs Pvt Ltd