Latest posts by Leos Marek (see all)
- Security options in Windows Server 2016: Accounts and UAC - Fri, Sep 13 2019
- User rights assignment in Windows Server 2016 - Fri, Aug 23 2019
- Windows Server security features and best practices - Thu, Aug 1 2019
Whether your organization is a small business with several servers and PCs or a national company working for the government with thousands of servers, securing your IT infrastructure is a crucial task. Data loss, espionage, or denial-of-service attacks can have major or even devastating affects. Despite this, a lot of organizations (and administrators) do not change the default system configuration, such as the administrator account, or "everyone" permissions. Such settings are well known for cybercriminals and thus are primary targets of attacks.
In this post, I want to introduce you the tools, features, and best practices you can use to make your Windows Server installation more secure. Some of them may not be applicable to your organization or not available in your Windows edition. You need to find a balance between security, functionality, and user satisfaction. Make sure to test all modifications properly before applying them in a production environment.
Getting started ^
Securing your server environment is not only about changing settings or installing a feature. Hardening starts with documentation, preparation, and server installation.
Documentation is a very important part of a secure environment. If you have a system you don't know about, you are already at risk. The server may not have updated security patches or may be running an outdated software version, which malware can exploit. Maintain documentation for each server (the hostname, IP address, role, responsible person, etc.) and the software installed. Record all changes to the server.
In an ideal situation, you should prepare newly installed servers in a DMZ network before hardening them. This will prevent the system from infection by malicious code, which might already be in your network. Properly configure the boot device order and set a BIOS/UEFI password to prevent unauthorized changes. If you have hardware with UEFI, you should install servers in UEFI mode and enable secure boot.
Right after a new server installation, make sure to update it with the latest approved security patches and install antivirus and anti-spyware software. Do not leave this for the next day.
If you already have created a Group Policy Object (GPO) with your tested security settings, make sure to apply it to the server. If not, you can use Microsoft security baselines to create it. Security baselines are a group of recommended security settings available as GPO backups, which you may download, edit, test, and use. You can obtain them as part of the MS Security Compliance Toolkit.
Enable BitLocker whenever you can. Physical security is not always under your complete control; for example, in small remote offices, multiple people have access to the server. Someone could pull out an unencrypted hard drive from the server and read sensitive data. The same goes for virtual machine VMDK/VHD files. For example, an administrator with malicious intentions could download and easily read them.
Application whitelisting ^
By allowing your users to run only approved applications, you are greatly reducing the risk of executing malicious code and thus infecting your environment. Two features are available for this purpose: AppLocker and Device Guard.
AppLocker has been around for a while, it is relatively easy to configure and deploy via GPO. You can allow software from a specific publisher, path, file hash, version, and so on.
Device Guard is a relatively new technology introduced in Windows Server 2016. It brings even more control over allowed applications. In short, using Package Inspector, you create a custom catalog file from your existing server with needed applications installed. You then sign and deploy the catalog via GPO. As a result, this allows only binaries specified in the catalog file to run.
Both can work in Audit (only log events) or Enforcement mode (actually block events), and you can deploy both together. There's more information in this post by Wolfgang.
Credential Guard and Remote Credential Guard ^
Introduced in Windows Server 2016, Credential Guard is a technology to protect in-memory hashes and Kerberos tickets. It uses UEFI secure boot and virtualization-based security (VBS) technology to run an isolated process (lsaiso.exe) to store the credentials and is not accessible by the OS, other applications, or tools like Mimikatz. Follow this guide by Timothy to learn how to deploy Credential Guard via GPO.
As the name suggests, Remote Credential Guard helps protect credentials over Remote Desktop Connection sessions. It requires Windows 10 or Windows Server 2016 as well as Active Directory membership and use of Kerberos authentication. It does not support NT LAN Manager (NTML). Enabling this feature requires registry modification on the server side.
User account control (UAC) ^
Do not turn off UAC. For highly critical servers, you should move the UAC slider to the top: Always notify. The few extra clicks you have to make while trying to install a new application or change system settings might prevent compromising your system.
Windows Firewall ^
The same as with UAC, many administrators tend to turn off Windows Firewall. You already have firewalls all over your network, right? Well, hardware firewalls usually don't protect traffic on the same LAN segment. Always have Windows Firewall turned on for all profiles and allow only required traffic. Deny all other inbound traffic. You can deploy configuration by GPO.
Audit logs and backups ^
Audit logs are important for reverse engineering. The Security log usually logs malicious activity, like logon attempts. The default log size in Windows can only take few hours or days. Increase the size of your log files and apply proper retention. Ideally, collect events from at least critical systems to a syslog server or a security information and event management (SIEM) application.
Backups are also important part of security best practices. If ransomware compromises your system, or someone physically steals it, you need to have working backup to restore your data. Make sure you back up critical systems and also test the restore process.
Use the least privilege principle ^
The last but definitely not least point to cover today is the least privilege principle. One of the most common security issues concerns users having more privileges than they need to perform their jobs. Another common issue is using elevated (Administrator or even Domain Admin) privileges for normal work, like reading emails or browsing the internet. If such an account is compromised, the attacker already has elevated access.
There are three general system layers:
- Power: Servers such as domain controllers
- Data: Servers like for files, printing, or applications
- Access: User workstations
As such, a best practice is to prevent higher-layer accounts connecting to lower-layer devices. For example, you shouldn't use an account with Domain Admin permissions to connect to standard servers and especially not to user workstations. You don't need Domain Admin permissions to help a user fix his Outlook. If such a station is already compromised, you are giving away your Domain Admin credentials.
I hope the information in this article helped you gain an overview of the most basic security principles and built-in features available in Windows Server. Many of them are easy to implement with no extra cost and can greatly increase your environment security. The next time, I will focus on the default settings you should change in Windows Server to make it more secure.