
Basic Rules of Windows Server Security

Aug 12, 2015

While Windows Server is considered to be secure out-of-the-box, like any part of your IT infrastructure, it needs to be patched, monitored and configured to ensure that it is not exposed to a targeted attack. Let’s go through some of the tools and best practices that can help you keep Windows Server protected.

Configure Baseline Security

To keep the attack surface to a minimum, Windows Server’s modular design allows you to add server roles and features as required. Nevertheless, Windows Server is configured to provide interoperability and backwards compatibility with legacy systems out-of-the-box, and though this is convenient and makes Windows Server easier to use, it can leave systems vulnerable.

Small businesses that have limited IT resources can use the Security Configuration Wizard (SCW) to lock down Windows Server. SCW is installed by default in Windows Server 2012 R2, and can be found on the Tools menu in Server Manager. The wizard creates security policies based on a series of questions you answer about your server, which then can be applied to the local device, or converted to a Group Policy Object (GPO) and used to configure one or more servers if you have Active Directory.

Microsoft’s free Security Compliance Manager (SCM) tool comes bundled with a series of templates for securing Windows Server and client devices. SCM gives administrators more control over the settings applied than SCW, and allows you to create custom security baselines, and compare settings between templates.

Separate Administrative Duties and Least Privilege Security

Virtualization technologies make it easier than ever to separate out server roles, so you should make sure that domain controllers don’t host other server roles or applications, and are never used to perform everyday administration tasks. Installing server roles and applications on separate servers gives you more control over administrative privileges, and helps to improve security by ensuring access to critical systems can be appropriately restricted.

In a similar vein, domain administrator accounts should only be used where absolutely necessary. Using domain administrator accounts to manage workstations, for example, makes it considerably easier for an attacker to get access to those credentials, at which point you can consider your entire Windows infrastructure owned.
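The rule above can be checked with native PowerShell cmdlets. The following script is an added example, not part of the original article: it lists interactive and RDP logons by members of Domain Admins on hosts that are not domain controllers. It assumes the ActiveDirectory module is installed, logon auditing is enabled so that event 4624 is recorded, and the host names are placeholders.

```powershell
# Added example: flag interactive-style logons by Domain Admins on member
# servers and workstations. Needs the ActiveDirectory module (RSAT) and rights
# to read the Security log on each target.
Import-Module ActiveDirectory

$Computers = @('WKS-EXAMPLE-01', 'SRV-EXAMPLE-01')   # placeholder host names
$Since     = (Get-Date).AddDays(-7)

# Resolve Domain Admins membership (including nested groups) to account names.
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

# Interactive-style logon types, where credentials are entered on the host:
# 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive
$riskyTypes = 2, 10, 11

$findings = foreach ($computer in $Computers) {
    try {
        $events = Get-WinEvent -ComputerName $computer -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4624; StartTime = $Since
        }
    } catch {
        # Also reached when the host has no matching events in the time window.
        Write-Warning "$computer : $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Read named fields from the event XML rather than relying on property order.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($admins -contains $data['TargetUserName'] -and
            $riskyTypes -contains [int]$data['LogonType']) {
            [pscustomobject]@{
                Computer  = $computer
                Time      = $e.TimeCreated
                Account   = $data['TargetUserName']
                LogonType = [int]$data['LogonType']
                Source    = $data['IpAddress']
            }
        }
    }
}
$findings | Sort-Object Time | Format-Table -AutoSize
```

Any row in the output is a domain administrator account that was used directly on a non-DC host and is a candidate for replacement with a lower-privileged, role-specific account.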

Monitoring and Auditing

Windows Server has built-in tools for monitoring and auditing, such as Event Viewer and some handy PowerShell cmdlets. While using custom views in Event Viewer is useful for getting an overview of server events, and PowerShell an option if you have the time and resources to create your own solution, the best way to ensure that Windows Server stays secure, and to monitor configuration changes, is to deploy a third-party change auditing solution.

Auditing solutions provide critical and detailed information about who changed what, when and where, and include “before” and “after” configuration data so you can easily understand what has changed. Reporting features allow you to easily understand the changes that are occurring across your Windows Server estate, including applications such as Active Directory and Exchange, and in different easy-to-read formats using pre-configured reports included with the software, so that you can get started quickly. They also go beyond the auditing capabilities native to Windows Server to help better secure your systems by pulling information from a wider variety of sources, and have extra features such as user activity video recording.

For more tips on Windows Server security, see the May issue of “SysAdmin Magazine”.

About the author

Russell Smith

IT consultant

IT consultant and author specializing in management and security technologies. Russell has more than 15 years of experience in IT, has written a book on Windows security, and coauthored a text for Microsoft’s Official Academic Course (MOAC) series.