Windows Server Hardening Checklist
While deploying servers in their default state can be the fastest way to get them operational, it falls significantly short in terms of security. Out of the box, servers are optimized for ease of use — which often comes at the expense of security.
This caveat is particularly important for Windows Server systems because of the vital role they play in the Microsoft ecosystem, including both authentication and authorization. By investing a little extra time configuring your Windows Server systems securely, you can dramatically reduce your attack surface.
To help, this guide offers an extensive checklist of Windows Server hardening best practices. First, we’ll cover Windows Server itself: users, features, roles, services and so on. But then we’ll provide Windows hardening guide for a variety of other aspects of the IT environment that also impact Windows Server security and availability, such as network and firewall configuration, application and service configuration, access management, and auditing policies. Finally, we’ll offer a solution that dramatically streamlines the process of server hardening.
Server Preparation
Server hardening begins even before you install the operating system. To provide a firm foundation for server security, take the following steps:
- Establish and maintain a detailed inventory of all your servers.
- Isolate new servers from network and internet traffic until they are fully hardened.
- Secure the BIOS/firmware with a robust password.
- Disable automatic administrative logon to the recovery console.
- Configure device boot order to prevent booting from alternate media.
Update Windows Server Installation and Keep It Updated
After installing the Windows Server operating system, immediately update it with the latest patches to mitigate known vulnerabilities. Updates can be downloaded straight from Microsoft or through Window Server Update Services (WSUS) or System Center Configuration Manager (SCCM).
To help keep your servers secure, enable automatic notification of patch availability and install updates promptly. However, before deploying any patch, hotfix or service pack, make sure to thoroughly test it to ensure it works properly in your specific environment.
User Account Security Hardening
As soon as a server is deployed and up-to-date on security patches, proceed to user security configuration to mitigate the risk of unauthorized access. Key user configuration best practices include the following:
- Disable the guest account on each server.
- Either rename the local Administrator account or disable it and create a new account with a unique name.
- Minimize both the membership and permissions of built-in groups like Local System (NT AUTHORITY\System), Network Service (NT AUTHORITY\NetworkService), Administrators, Backup Operators, Users and Everyone. For example, to prevent unrestricted remote access to your servers, be sure to change the default setting granting the ‘Access this computer from the network’ right to the Everyone group.
- Ensure that the passwords of system and administrator accounts adhere to best password practices. In particular, require these passwords to be at least 15 characters long and use a mix of letters, numbers and special characters, and to be changed every 90–180 days.
- Configure an account lockout policy according to account lockout best practices.
- Disable anonymous SID/Name translation.
- Promptly disable or delete unused user accounts.
- Require server administrators to log on using a local administrator account rather than a privileged domain account to limit the risk of domain-wide issues or compromises.
Feature and Role Configuration
Another important best practice to harden Windows servers is to remove any features and roles that are not necessary for the server's intended purpose. This strategy reduces the attack surface and also makes the server easier to manage.
Application and Service Configuration
Similarly, minimize the number of applications, services and protocols that are installed on each server. In particular, do not install any additional web browsers on the server and restrict web access for all users.
Limiting the applications and services running on a server reduces its attack surface and also simplifies update and patch management.
Network Configuration
The configuration of your network dramatically impacts the security of your Windows servers. Here are some key network configuration practices you should follow.
- Isolate the server from untrusted networks or segments using VLANs, subnetting or other network segregation techniques. This strategy limits the server's exposure to potential threats.
- Ensure that DNS and hostname configurations are accurate to prevent DNS-related manipulation.
- Implement IP restrictions and filtering rules to control which IP addresses or ranges can communicate with the server. This helps limit unauthorized access and exposure to attacks.
- If remote administration is required, limit RDP access to specific IP addresses or networks to help prevent unauthorized access.
- Disable both NetBIOS over TCP/IP and LMHosts lookup unless they are required for legacy software or hardware.
Firewall Configuration
To help safeguard your Windows servers from unauthorized access and malicious traffic, follow these firewall configuration best practices:
- Enable the Windows firewall.
- Configure each Windows firewall profile (Domain, Private and Public) to block inbound traffic by default. When inbound access is necessary for a server, limit it to essential protocols, ports and specific IP addresses.
- Open only required network ports; restrict or deny access for all other ports.
Network Time Configuration (NTP) Configuration
NTP is vital for ensuring accurate timestamps on events, which helps organizations guard against time-spoofing and replay attacks.
Designate a specific server as the primary timekeeper and configure it to sync with a trusted atomic clock source. Then establish a policy that mandates all servers and workstations to synchronize their time exclusively with that server.
Registry Configuration
Properly configuring registry settings and controlling changes to them is also vital to server security. Best practices include the following:
- If the Remote Registry service is not required, disable it. If it is needed, tightly control access to it.
- Disable the "NullSessionPipes" and "NullSessionShares" settings to limit anonymous access to network resources.
- Allow only authorized users and administrators to modify critical registry keys and subkeys.
Encryption
To enhance server security, it's advisable to enable and configure BitLocker drive encryption for the entire system drive, as well as any additional drives containing data. For more fine-grained data protection, consider utilizing Encrypting File System (EFS) to encrypt individual files.
To ensure data confidentiality and integrity across the network, you can implement IPsec for encrypting network traffic between servers.
Access Management
Access management is a critical component of Windows hardening checklist because it controls who can access which IT resources and what level of access they have. Access management best practices include the following:
- Enforce the principle of least privilege by granting users and processes the minimum rights necessary to perform their tasks. In particular, be very judicious about granting permissions to the Everyone group.
- Allow only authenticated users to access any computer from the network.
- Configure allowable encryption types for Kerberos authentication.
- Do not store LAN Manager hash values.
- Disable file and print sharing if it is not required.
- Disable the NTLMv1 protocol unless it is needed to support older technology.
Remote Access Configuration
Remote Desktop Protocol (RDP) is a common target for hackers so it should be enabled only if necessary. If RDP is enabled, set the RDP connection encryption level to high.
Moreover, grant remote access rights to only the specific users who require them, and use multifactor authentication (MFA) if possible to add an extra layer of protection.
General Security Hardening Practices
Consider implementing these general security best practices:
- Disable the use of removable media, such as USB sticks, to mitigate the risk of data exfiltration and malware injection.
- Display a legal notice like the following before the user logs in: “Unauthorized use of this computer and networking resources is prohibited.”
- Require Ctrl+Alt+Del for interactive logins, and configure a time limit to automatically terminate idle interactive sessions.
- If the server has ample RAM, consider disabling the Windows swap file to enhance performance and bolster security by preventing sensitive data from being written to the hard drive.
Windows Server Hardening Guide: Additional Recommendations
Other hardening recommendations include the following:
- Perform regular risk assessments and use them to update your risk management plan.
- Use an endpoint security solution to protect your servers and other machines. Windows Defender is included by default, but third-party solutions are also available. Consider anti-spyware protection as well.
- Install a data loss prevention (DLP) solution to help protect sensitive information against improper access and leakage.
- Monitor activity that could compromise server security. Native logs provides some insight; these logs can be reviewed using Windows Event Viewer. But for more comprehensive logging and monitoring capabilities, implement an enterprise auditing solution that offers not just monitoring but advanced features like user behavior analytics (UBA), real-time alerts and automated incident response.
How Netwrix Can Help
Netwrix Change Tracker dramatically simplifies Windows Server hardening and configuration management. In particular, it:
- Makes it easy to establish secure baseline configurations that conform to standards like those from the Center for Internet Security (CIS) and the US Department of Defense Security Technical Implementation Guide (STIG)
- Automatically detects deviations or drift away from your baseline configurations using system and file integrity monitoring (FIM) technology
- Coordinates with your IT service management (ITSM) solution to identify unexpected configuration changes and alerts administrators
- Speeds incident response by providing detailed information about changes
- Streamlines compliance audits with out-of-the-box reports covering NIST, PCI DSS, CMMC, STIG and NERC CIP.
Click here to edit