As a Windows Server administrator, it is critical that you perform an initial hardening of your newly installed Windows Server. Whether you are deploying a single server or a few hundred servers, having a proper method for securing your environment will be crucial and save you a couple of headaches along the way.
Best practices often differ depending on the setup and environment, but here are a few general tips on how to go about it.
| Area | Goal |
| --- | --- |
| User Accounts | Secure credentials |
| Networking | Secure network communications |
| Feature and Roles | Install only what is needed, remove the rest |
| Windows Updates | Patching vulnerabilities |
| Firewall | Reduce server footprint from the outside |
| Remote Access | Secure remote access, limit access |
| Services | Minimize attack surface |
| Logging and Monitoring | Know what is happening |
| Other | Securing other applications |
Recent versions of Windows Server enforce complex passwords for user accounts by default. This is the recommended setting; make sure you also keep it up on a regular basis by changing passwords every now and then.
Make sure to rename or disable the local Administrator account that's created on installation. Create a separate administrator account for managing your server and a separate account for non-administrative tasks. If you have an Active Directory environment, you can create a separate user account for administrative purposes and put it in the Administrators group.
Using your non-administrative account, you may want to run certain tasks or applications as an Administrator using "Run as" and entering the administrator password as required. This is similar to "sudo" in Linux.
You may also want to check your security groups and make sure every account is where it is supposed to be assigned. For example, check which domain accounts are in the Remote Desktop Users group.
Also check that the local "Guest" account is disabled. Built-in accounts aren't usually secure and are popular targets for attacks.
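The account checks above, as an added example that is not from the original article: it finds the built-in Administrator and Guest accounts by their well-known RIDs (500 and 501) so a rename does not hide them, reports whether they are still enabled, and lists any member of Remote Desktop Users that is not in an approved list. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 and later) and an elevated session; the approved group name is a constructed placeholder.

```powershell
# Added example (not from the original article): audit the built-in local
# accounts and the Remote Desktop Users group on a member or standalone server.
# Assumes the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016+)
# and an elevated PowerShell session.

# Built-in Administrator and Guest have well-known RID suffixes (-500 and -501),
# so match on the SID rather than the name in case they were already renamed.
$builtIn = Get-LocalUser | Where-Object { $_.SID.Value -match '-(500|501)$' }

foreach ($acct in $builtIn) {
    $rid  = $acct.SID.Value.Split('-')[-1]
    $role = if ($rid -eq '500') { 'Administrator' } else { 'Guest' }
    if ($acct.Enabled) {
        Write-Warning "Built-in $role account '$($acct.Name)' is still enabled."
    } else {
        Write-Output "Built-in $role account '$($acct.Name)' is disabled (OK)."
    }
    if ($rid -eq '500' -and $acct.Name -eq 'Administrator') {
        Write-Warning "Built-in Administrator still has its default name."
    }
}

# Remediation (uncomment only after creating your own named admin account,
# otherwise you can lock yourself out):
# Rename-LocalUser  -Name 'Administrator' -NewName 'svradmin-disabled'
# Disable-LocalUser -Name 'svradmin-disabled'
# Disable-LocalUser -Name 'Guest'

# Review who can log on over RDP: every member should be a known, approved
# domain group or account. $approved is a constructed placeholder list.
$approved = @('CONTOSO\RDP-Admins')   # hypothetical approved group name
Get-LocalGroupMember -Group 'Remote Desktop Users' | ForEach-Object {
    if ($approved -notcontains $_.Name) {
        Write-Warning "Unexpected member of Remote Desktop Users: $($_.Name) ($($_.ObjectClass))"
    }
}
```

Matching on the RID rather than the name is the important detail: renaming the built-in Administrator is recommended above, and a check that looks for the literal name "Administrator" would silently pass on a server where the account was renamed but left enabled.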
A password policy should be set in your environment to make sure accounts cannot be compromised. If you have an Active Directory environment, you should set this policy at the domain level. A good password policy should consist of the following requirements:
Complexity and length requirements - How strong the password must be
Password expiration - How long the password is valid
Password history - How long until previous passwords can be reused
Account lockout - How many failed password attempts before the account is suspended
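The following added example (not from the original article) reads the domain's default password policy and reports each of the four requirements listed above as PASS or FAIL. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the numeric thresholds are constructed placeholders for your own policy, not figures from the article.

```powershell
# Added example (not from the original article): compare the domain default
# password policy with the four requirements above. Assumes the ActiveDirectory
# module (RSAT) and a domain-joined session. Thresholds are constructed
# placeholders; substitute the values your policy requires.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

$checks = @(
    # Complexity and length
    @{ Name = 'Complexity enabled';        Ok = $policy.ComplexityEnabled }
    @{ Name = 'Minimum length >= 14';      Ok = $policy.MinPasswordLength -ge 14 }
    # Expiration (a huge MaxPasswordAge means "never expires" and fails here)
    @{ Name = 'Max age <= 90 days';        Ok = ($policy.MaxPasswordAge -gt [TimeSpan]::Zero) -and ($policy.MaxPasswordAge.Days -le 90) }
    # History
    @{ Name = 'History >= 24 passwords';   Ok = $policy.PasswordHistoryCount -ge 24 }
    # Lockout (0 means lockout is disabled)
    @{ Name = 'Lockout after <= 10 tries'; Ok = ($policy.LockoutThreshold -gt 0) -and ($policy.LockoutThreshold -le 10) }
    # Not in the list above, but worth reporting: reversible storage defeats hashing
    @{ Name = 'Reversible encryption off'; Ok = -not $policy.ReversibleEncryptionEnabled }
)

foreach ($c in $checks) {
    $state = if ($c.Ok) { 'PASS' } else { 'FAIL' }
    "{0,-5} {1}" -f $state, $c.Name
}
```

On a standalone (non-domain) server the same four settings apply to the local policy and can be read with the built-in `net accounts` command, which prints the minimum length, maximum age, history length and lockout threshold in one screen.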
A good network configuration will go a long way to prevent any headaches in the future. It is also important to secure the network itself, not just the servers, to prevent attacks on your infrastructure.
Production servers should be assigned a static IP. They should also be protected behind a firewall. At least two DNS servers should be configured for redundancy. Make sure you are able to look up the domain properly by testing it using online DNS tools or the built-in "nslookup" command from the command line.
Ensure that the proper DNS records are set up for your servers if necessary. Make sure A records and PTR records are in place. It will take hours for any changes to propagate, so plan these in advance before going live.
If IPv6 is not implemented in your infrastructure, disable it. Disable any unneeded network services as well, as these only take up server resources. Depending on your environment, test these changes first before implementing them in production.
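An added example (not from the original article) that checks the four networking points above on one adapter: a static IPv4 address, at least two DNS servers, A and PTR records that agree with the interface address, and whether IPv6 is still bound. It assumes the NetTCPIP, DnsClient and NetAdapter modules (Windows Server 2012 R2 and later); the adapter name and FQDN are constructed placeholders.

```powershell
# Added example (not from the original article): verify a production server's
# network configuration. 'Ethernet' and 'srv01.contoso.local' are constructed
# placeholders; replace them with your adapter alias and the server's FQDN.
$adapter = 'Ethernet'
$fqdn    = 'srv01.contoso.local'

# 1. Static address: DHCP-assigned addresses report PrefixOrigin 'Dhcp',
#    statically configured ones report 'Manual'. APIPA/loopback are 'WellKnown'.
$ip = Get-NetIPAddress -InterfaceAlias $adapter -AddressFamily IPv4 |
      Where-Object { $_.PrefixOrigin -ne 'WellKnown' } | Select-Object -First 1
if ($ip.PrefixOrigin -ne 'Manual') {
    Write-Warning "$adapter has a $($ip.PrefixOrigin) address; production servers should be static."
}

# 2. DNS redundancy: two or more resolvers configured on the interface.
$dns = (Get-DnsClientServerAddress -InterfaceAlias $adapter -AddressFamily IPv4).ServerAddresses
if ($dns.Count -lt 2) {
    Write-Warning "Only $($dns.Count) DNS server(s) configured; expected at least 2."
}

# 3. Forward (A) and reverse (PTR) records agree with the interface address.
$a = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
     Where-Object { $_.Type -eq 'A' }
if (-not $a) {
    Write-Warning "No A record for $fqdn"
} elseif ($a.IPAddress -notcontains $ip.IPAddress) {
    Write-Warning "A record(s) $($a.IPAddress -join ',') do not include interface address $($ip.IPAddress)."
}
$ptr = Resolve-DnsName -Name $ip.IPAddress -Type PTR -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'PTR' }
if (-not $ptr) {
    Write-Warning "No PTR record for $($ip.IPAddress)"
} elseif ($ptr.NameHost -ne $fqdn) {
    Write-Warning "PTR record points to $($ptr.NameHost), expected $fqdn"
}

# 4. IPv6: report whether the TCP/IPv6 binding is still enabled on the adapter.
#    This only reports; unbinding is left as a manual step to run after testing.
$v6 = Get-NetAdapterBinding -Name $adapter -ComponentID ms_tcpip6
if ($v6.Enabled) {
    Write-Output "IPv6 is bound on $adapter. If it is not used, unbind it with:"
    Write-Output "  Disable-NetAdapterBinding -Name '$adapter' -ComponentID ms_tcpip6"
}
```

Run it before the server goes live and again after any DNS change; because the PTR check resolves the address the interface actually holds, it catches the common case where the forward record was updated but the reverse zone was not.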
Feature and Roles
Make sure to only install the features or roles you really need, for example .NET Framework with IIS. Remove everything else that is not needed, as it only widens the attack surface of your server. Servers should be designed with necessity in mind and kept lean so that the necessary parts function as smoothly as possible.
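An added example (not from the original article) of the "install only what is needed" check in practice: it compares the roles and features installed on the server against an approved baseline for a plain IIS web host and lists anything outside it. It assumes the ServerManager module (a full Windows Server installation); the baseline list is a constructed placeholder for the .NET-with-IIS case mentioned above.

```powershell
# Added example (not from the original article): report installed roles and
# features that are not in an approved baseline. Assumes the ServerManager
# module. $baseline is a constructed placeholder for a plain IIS/.NET host.
Import-Module ServerManager

$baseline = @(
    'Web-Server', 'Web-WebServer', 'Web-Common-Http', 'Web-Default-Doc',
    'Web-Static-Content', 'Web-Http-Errors', 'Web-Http-Logging',
    'Web-Filtering', 'Web-Asp-Net45', 'NET-Framework-45-Core',
    'NET-Framework-45-ASPNET', 'Web-Mgmt-Console'
)

# Parent containers report Installed when any child is installed, so compare
# only leaf features (those with no sub-features of their own).
$installed = Get-WindowsFeature |
             Where-Object { $_.Installed -and $_.SubFeatures.Count -eq 0 }

$extra = $installed | Where-Object { $baseline -notcontains $_.Name }
if ($extra) {
    Write-Output "Installed but not in baseline (review and remove if unneeded):"
    $extra | ForEach-Object { "  {0,-30} {1}" -f $_.Name, $_.DisplayName }
    # -Remove also deletes the feature payload from the side-by-side store.
    Write-Output "Remove with: Uninstall-WindowsFeature -Name <Name> -Remove -Restart"
}

$missing = $baseline | Where-Object { -not (Get-WindowsFeature -Name $_).Installed }
if ($missing) {
    Write-Output "In baseline but not installed: $($missing -join ', ')"
}
```

Keeping the baseline in source control alongside the build documentation means the same script answers two questions on every server: what is installed that should not be, and what the build is missing.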
One of the best ways to keep your server secure is through Windows Updates. This does not mean installing all available updates though. You need to see what updates are really needed for your servers and this depends on the software installed and the roles that are assigned to the server.
Make sure to thoroughly test any update first before installing it to ensure that there are no compatibility issues. Critical updates, however, should be applied in production as soon as they are released.
Updates can bring a wide range of patches or just a single patch. More information on this can be found in Microsoft's forums. Make sure to research thoroughly first what these updates bring.
Updates should be installed on a specific schedule; do not install updates while production is at peak usage. Make sure to check for updates to other Microsoft products as well, as these will be visible in the Windows Update screen.
You should configure your firewall depending on what type of services your server will be serving to users. For example, if your server will act as a web server only, then you should restrict connections from the outside to ports 80 and 443 only. Opening other ports can increase the attack surface dramatically.
Management protocols such as SSH and RDP should be accessible internally only. If connecting over the internet, a VPN should be in place for accessing these servers.
The built-in firewall of Windows Server is sufficient to protect your server from network-based attacks. A hardware firewall in front of the servers, however, is a much more efficient and recommended setup. It can offload traffic and processing, saving your server's processing power so it can perform its intended purpose.
Whichever method you end up using, the key point is to restrict traffic to only the necessary pathways.
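The web-server case above expressed as a Windows Firewall baseline, as an added example that is not from the original article: inbound is denied by default, TCP 80 and 443 are open to everyone, and RDP is allowed only from a management subnet (the VPN-facing range when remote), with the built-in RDP rules disabled so they cannot widen that. It assumes the NetSecurity module (Windows Server 2012 and later) and an elevated session; the subnet is a constructed placeholder.

```powershell
# Added example (not from the original article): Windows Firewall baseline for
# a web server. Assumes the NetSecurity module. '10.0.50.0/24' is a
# constructed placeholder for the management/VPN subnet.
$mgmtSubnet = '10.0.50.0/24'

# Default deny inbound and allow outbound on all three profiles, and log
# dropped packets so there is something to review in the log section.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Public service: only what the server exists to serve.
New-NetFirewallRule -DisplayName 'Web: HTTP/HTTPS inbound' -Direction Inbound `
    -Protocol TCP -LocalPort 80,443 -Action Allow -Profile Any

# Management: RDP only from the management subnet, never on the Public profile.
New-NetFirewallRule -DisplayName 'Mgmt: RDP from management subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $mgmtSubnet -Action Allow -Profile Domain,Private

# The built-in 'Remote Desktop' rule group would otherwise allow 3389 from any
# address once Remote Desktop is enabled, so disable it in favour of the scoped rule.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

# Verify: every enabled inbound allow rule with its local ports and remote scope.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $port = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
        $src  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        "{0,-45} port={1,-10} from={2}" -f $_.DisplayName, $port, $src
    }
```

Run the verification block after applying the rules and after any role installation: role installers frequently add their own allow rules, and the listing shows at a glance whether a new rule is scoped to `Any` when it should be limited to the management subnet.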
As stated earlier in the firewall section, remote access should be limited internally to authorized users only. I recommend creating a separate group for people with remote access rights if you have implemented Active Directory.
Aside from the Remote Desktop Protocol, there is also Secure Shell (SSH) and PowerShell that can be used to remotely manage servers. If possible, like RDP, these should be accessible only through a VPN and by authorized users. Telnet should never be used at all, as this protocol sends input in plain text. The same goes for the File Transfer Protocol (FTP); if possible, use SFTP. Avoid any form of unencrypted communication whatsoever.
Windows Server enables a lot of services by default. Some of these should be disabled as necessary. These services start automatically and run in the background, potentially reducing performance as your server workload gets larger.
We want to minimize the attack surface by disabling unneeded services. Critical services should be set to start automatically so no human intervention is required. Setting dependencies can also help with performance: a dependency makes a service wait for another service to start first before starting itself.
Every service runs in the security context of a specific user. For default services, this is usually the "Local System" or "Network Service" account. Most of the time this will do, but best practices dictate that setting up specific accounts for certain types of services will increase security. This can also help mitigate any attacks that abuse services.
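An added example (not from the original article) covering the three service points above: it inventories automatic-start services with the account each runs under, highlights the ones running as Local System, flags a review list of services that are often unneeded on a hardened server, and shows the commands for disabling a service and for setting a start dependency. It uses the Win32_Service CIM class, available on all supported Windows Server versions; the review list and the service names in the remediation comments are constructed placeholders.

```powershell
# Added example (not from the original article): inventory automatic services
# and their accounts, and show the disable / dependency remediation pattern.
# $reviewList is a constructed placeholder of commonly unneeded services.
$reviewList = @('Spooler', 'RemoteRegistry', 'Fax')   # hypothetical candidates

# StartMode 'Auto' = starts at boot; StartName is the account the service runs as.
$svcs = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' } |
        Select-Object Name, DisplayName, State, StartName

# Services running as LocalSystem run with the most privilege on the host, so
# a flaw in any of them is a flaw in the whole server. List them for review.
Write-Output "Automatic services running as LocalSystem:"
$svcs | Where-Object { $_.StartName -eq 'LocalSystem' } |
    Format-Table Name, DisplayName, State -AutoSize

# Services on the review list that are set to start automatically.
foreach ($name in $reviewList) {
    $s = $svcs | Where-Object { $_.Name -eq $name }
    if ($s) {
        Write-Warning "Auto-start service '$($s.DisplayName)' ($name) runs as $($s.StartName); confirm it is needed."
    }
}

# Remediation pattern (uncomment only for services you have confirmed are unneeded):
# Stop-Service -Name RemoteRegistry -Force
# Set-Service  -Name RemoteRegistry -StartupType Disabled

# A critical service should start automatically and wait for what it depends on.
# sc.exe sets the dependency list; note the space after each '=' is required.
# Example for a hypothetical service 'MyAppSvc' that needs SQL Server up first:
# sc.exe config MyAppSvc start= auto depend= MSSQLSERVER
```

The StartName column is what the last paragraph above is about: a service that only needs to read one directory and talk to one database has no reason to run as Local System, and moving it to a dedicated account (a group managed service account in a domain) limits what a compromise of that service can reach.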
Logging and Monitoring
Make sure you set up some form of logging and monitoring system in your environment. This will allow for easier troubleshooting in case of problems. Make sure to review logs occasionally, as they can show security or performance issues that may be present and need to be addressed.
Have enough space for your logs as well. Adequate space is required to store a larger amount of logs over a longer time period. These should be backed up as part of your company's backup policy as well, so you can clean up old ones to make room for new logs.
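An added example (not from the original article) for the two points above, log space and regular review: it reports the Security log's size and record count, raises the maximum size if it is below a chosen threshold, and then pulls the last 24 hours of failed logons, lockouts and account creations into a short summary. It uses Get-WinEvent and wevtutil, both built into Windows Server; the size threshold is a constructed placeholder, and the event IDs (4625, 4740, 4720) are standard Windows Security audit events.

```powershell
# Added example (not from the original article): size the Security log and
# review the security events a routine log check should look at.
# $minSizeMB is a constructed placeholder for your retention requirement.
$logName   = 'Security'
$minSizeMB = 512

$log = Get-WinEvent -ListLog $logName
"Security log: {0:N0} records, max {1:N0} MB, mode {2}" -f `
    $log.RecordCount, ($log.MaximumSizeInBytes / 1MB), $log.LogMode

if ($log.MaximumSizeInBytes -lt ($minSizeMB * 1MB)) {
    Write-Warning "Security log is smaller than $minSizeMB MB; raising it."
    # wevtutil takes the size in bytes. /retention:false keeps circular mode,
    # which overwrites the oldest events and is only acceptable when the log
    # is also forwarded or backed up, as the article recommends.
    wevtutil.exe set-log $logName /maxsize:$($minSizeMB * 1MB) /retention:false
}

# Failed logons (4625) in the last 24 hours, grouped by target account and
# source address. In the 4625 event data, property 5 is TargetUserName and
# property 19 is IpAddress.
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue
Write-Output "Top failed-logon sources in the last 24h:"
$failed | ForEach-Object {
        [pscustomobject]@{ Account = $_.Properties[5].Value; Source = $_.Properties[19].Value }
    } | Group-Object Account, Source | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# Lockouts (4740) and newly created users (4720) in the same window; in both
# events property 0 is the target account name.
Write-Output "Lockouts and new accounts in the last 24h:"
Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 4740, 4720; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Target'; e = { $_.Properties[0].Value } }
```

Scheduling this as a daily task that mails or writes out its output turns "review logs occasionally" into something that actually happens; a burst of 4625 events from one source against many accounts, or a 4720 nobody requested, is exactly the kind of issue the paragraph above says the logs will show.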
Microsoft provides Best Practices Analyzers for certain roles if you have those installed on your server. Take time to go through them when securing your Windows Server installations. Each application can have its own procedures for hardening that software.
It is recommended to leave UAC enabled as well. It serves the important purpose of abstracting executables from the security context of the logged in user. This means that even when you’re logged in as an admin, UAC will prevent applications from running as you without your consent.
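An added example (not from the original article) for the last two points: it runs the Best Practices Analyzer for every role model present on the server and prints the errors and warnings with their suggested resolution, then confirms that UAC is still enabled and that administrators are prompted before elevation. It assumes the BestPractices module (Windows Server 2008 R2 and later) and an elevated session.

```powershell
# Added example (not from the original article): run every installed BPA
# model and confirm the UAC settings. Assumes the BestPractices module and an
# elevated PowerShell session.
Import-Module BestPractices

# Each installed role that ships a BPA model is listed by Get-BpaModel; run the
# scan and keep only Error and Warning results.
foreach ($model in Get-BpaModel) {
    Invoke-BpaModel -ModelId $model.Id | Out-Null
    Get-BpaResult -ModelId $model.Id |
        Where-Object { $_.Severity -in 'Error', 'Warning' } |
        Select-Object @{ n = 'Model'; e = { $model.Id } }, Severity, Title, Resolution
}

# UAC lives under the Policies\System key. EnableLUA=1 keeps UAC on;
# ConsentPromptBehaviorAdmin=0 would let administrators elevate silently,
# which defeats the "not without your consent" behaviour described above.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey

if ($uac.EnableLUA -ne 1) {
    Write-Warning 'UAC is disabled (EnableLUA is not 1); re-enable it and reboot.'
} else {
    Write-Output 'UAC is enabled (OK).'
}
if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'Administrators elevate without a prompt (ConsentPromptBehaviorAdmin = 0); set it to 2 to prompt on the secure desktop.'
}
```

The BPA results are role-specific, so on a web server they cover IIS settings that the general advice in this article does not; the UAC check is worth keeping in the same script because disabling UAC is a common "quick fix" that tends to outlive the problem it was meant to solve.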
With these in mind, you should have the basics of securing your new Windows Server.