Windows server hardening document

For all profiles, the recommended state for this setting is any value that does not contain the term "guest". Interactive logon: Number of previous logons to cache (in case domain controller is not available). Network access: Do not allow storage of credentials or .NET Passports for network authentication. For all profiles, the recommended state for this setting is Classic - local users authenticate as themselves. System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links). System cryptography: Force strong key protection for user keys stored on the computer. For all profiles, the recommended state for this setting is Highest protection, source routing is completely disabled.

There are different kinds of updates: patches tend to address a single vulnerability; roll-ups are a group of packages that address several, perhaps related, vulnerabilities; and service packs are updates to a wide range of vulnerabilities, comprised of dozens or hundreds of individual patches.

Be sure to peek into the many Microsoft user forums after an update is released to find out what kind of experience other people are having with it. Keep in mind that the version of the OS is a type of update too, and using years-old server versions puts you well behind the security curve. If your production schedule allows it, you should configure automatic updates on your server. Unfortunately, many IT shops lack the manpower to review and test every patch, and this can lead to stagnation when it comes to installing updates.

If at all possible, the updates should be staggered so test environments receive them a week or so earlier, giving teams a chance to observe their behavior. Optional updates can be done manually, as they usually address minor issues. Each application should be updated regularly and with testing.

A time difference of merely 5 minutes will completely break Windows logons and various other functions that rely on Kerberos security. Servers that are domain members will automatically have their time synced with a domain controller upon joining the domain, but stand-alone servers need to have NTP set up to sync to an external source so the clock remains accurate. Domain controllers should also have their time synced to a time server, ensuring the entire domain remains within operational range of actual time.

If anonymous internet clients can talk to the server on other ports, that opens a huge and unnecessary security risk.

The Windows firewall is a decent built-in software firewall that allows configuration of port-based traffic from within the OS. On a stand-alone server, or any server without a hardware firewall in front of it, the Windows firewall will at least provide some protection against network-based attacks by limiting the attack surface to the allowed ports. That said, a hardware firewall is always a better choice because it offloads the traffic to another device and offers more options for handling that traffic, leaving the server to perform its main duty.

Whichever method you use, the key point is to restrict traffic to only necessary pathways. Make sure RDP is only accessible by authorized users. By default, all administrators can use RDP once it is enabled on the server. Additional people can join the Remote Desktop Users group for access without becoming administrators. Telnet should never be used at all, as it passes information in plain text and is woefully insecure in several ways. The same goes for FTP.

Windows Server has a set of default services that start automatically and run in the background. Many of these are required for the OS to function, but some are not and should be disabled if not in use. Following the same logic as the firewall, we want to minimize the attack surface of the server by disabling everything other than primary functionality.

Older versions of MS server have more unneeded services than newer ones, so carefully check any older server versions. Important services should be set to start automatically so that the server can recover without human interaction after a failure.

For more complex applications, take advantage of the Automatic Delayed Start option to give other services a chance to get going before launching intensive application services. You can also set up service dependencies in which a service will wait for another service or set of services to successfully start before starting.

Dependencies also allow you to stop and start an entire chain at once, which can be helpful when timing is important. Finally, every service runs in the security context of a specific user. This configuration may work most of the time, but for application and user services, best practice dictates setting up service specific accounts, either locally or in AD, to handle these services with the minimum amount of access necessary. This keeps malicious actors who have compromised an application from extending that compromise into other areas of the server or domain.

Microsoft provides best practices analyzers based on role and server version that can help you further harden your systems by scanning and making recommendations. Although User Account Control (UAC) can get annoying, it serves the important purpose of abstracting executables from the security context of the logged-in user.

This prevents malware from running in the background and malicious websites from launching installers or other code. Leave UAC on whenever possible. The tips in this guide help secure the Windows operating system, but every application you run should be hardened as well. Common Microsoft server applications such as MSSQL and Exchange have specific security mechanisms that can help protect them against attacks such as the WannaCry ransomware; be sure to research and tweak each application for maximum resilience.

Finally, you need to make sure that your logs and monitoring are configured and capturing the data you want so that in the event of a problem, you can quickly find what you need and remediate it. Logging works differently depending on whether your server is part of a domain. Domain logons are processed by domain controllers, and as such, they have the audit logs for that activity, not the local system.

Check the max size of your logs and scope them to an appropriate size. Log defaults are almost always far too small to monitor complex production applications.

As such, disk space should be allocated during server builds for logging, especially for applications like MS Exchange. Consider a centralized log management solution if handling logs individually on servers gets overwhelming. Like a syslog server in the Linux world, a centralized event viewer for Windows servers can help speed up troubleshooting and remediation times for medium to large environments.

If there is a UT Note for this step, the note number corresponds to the step number. The CIS document outlines in much greater detail how to complete each step. UT Note - The UT Note at the bottom of the page provides additional detail about the step for the university computing environment. Confidential - For systems that include Confidential data, required steps are denoted with the "!"; all steps are recommended.

Other - For systems that include Controlled or Published data, all steps are recommended, and some are required (denoted by the "!"). Min Std - This column links to the specific requirement for the university in the Minimum Security Standards for Systems document.

It includes updates for additional Microsoft products, just like Microsoft Update, and provides additional administrative control for software deployment. Microsoft Baseline Security Analyzer: this is a free host-based application that is available to download from Microsoft. In addition to detailing missing patches, this tool also performs checks on basic security settings and provides information on remediating any issues found. UpGuard: this is a compliance management tool that ensures basic patching and compliance are consistently managed; the product is fairly inexpensive and can be integrated with Splunk.

Configuring the minimum password length settings is important only if another method of ensuring compliance with university password standards is not in place. The Information Resources Use and Security Policy requires passwords be a minimum of 8 characters in length. It is strongly recommended that passwords be at least 14 characters in length, which is also the recommendation of CIS. If this option is enabled, the system will store passwords using a weak form of encryption that is susceptible to compromise.

This configuration is disabled by default. For further password protections: 1. Update Active Directory functional level to R2 or higher. Implement MS KBs and . Instead of the CIS recommended values, the account lockout policy should be configured as follows: . Any account with this role is permitted to log on to the console. By default, this includes users in the Administrators, Users, and Backup Operators groups.

It's unlikely that non-administrative users require this level of access and, in cases where the server is not physically secured, granting this right may facilitate a compromise of the device. The text of the university's official warning banner can be found on the ISO Web site.

You may add localized information to the banner as long as the university banner is included. Logon information for domain accounts can be cached locally to allow users who have previously authenticated to do so again even if a domain controller cannot be contacted. By default, 10 accounts will be cached locally, but there is a risk that, in the event of a compromise, an attacker could locate the cached credentials and use a brute force attack to discover the passwords. Therefore, it is recommended that this value be reduced so that fewer credentials will be placed at risk, and credentials will be cached for shorter periods of time in the case of devices that are logged into frequently by multiple users.
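A read-only PowerShell audit of several items discussed above: the time source, Windows Firewall profiles, auto-start services running as LocalSystem, event log sizing, and the cached-logons count. This is an added example, not text from the original guide or the CIS benchmark; the thresholds $MinLogMB and $MaxCachedLogons are assumed local policy values, and it expects an elevated session on Windows Server 2012 or later (Get-NetFirewallProfile).

```powershell
# Read-only hardening audit (added example; not from the source documents).
# Thresholds below are assumptions, not values from the guide or CIS benchmark.
$MinLogMB        = 256   # assumed minimum size for Security/System/Application logs
$MaxCachedLogons = 4     # assumed cap for CachedLogonsCount; the Windows default is 10

$findings = New-Object System.Collections.Generic.List[string]

# 1. Time source: a stand-alone server still on its local clock is not syncing to NTP.
$timeSource = (w32tm /query /source) 2>$null
if (-not $timeSource -or $timeSource -match 'Local CMOS Clock|Free-running') {
    $findings.Add("Time: not synced to an NTP source (source='$timeSource')")
}

# 2. Windows Firewall: every profile (Domain, Private, Public) should be enabled.
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings.Add("Firewall: profile '$($_.Name)' is disabled")
}

# 3. Services: auto-start services whose binary lives outside %SystemRoot% but that
#    still run as LocalSystem; candidates for a dedicated least-privilege account.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.StartName -eq 'LocalSystem' -and
                   $_.PathName -notlike "*$env:SystemRoot*" } |
    ForEach-Object { $findings.Add("Service: '$($_.Name)' runs as LocalSystem ($($_.PathName))") }

# 4. Event log sizing: defaults are usually too small for production workloads.
foreach ($log in 'Security', 'System', 'Application') {
    $cfg = Get-WinEvent -ListLog $log
    $mb  = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
    if ($mb -lt $MinLogMB) { $findings.Add("Log: '$log' max size is $mb MB (< $MinLogMB MB)") }
}

# 5. Cached domain logons: CachedLogonsCount (REG_SZ) under Winlogon; absent means default 10.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }
if ([int]$cached -gt $MaxCachedLogons) {
    $findings.Add("Credentials: CachedLogonsCount=$cached (> $MaxCachedLogons)")
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

The script changes nothing; each finding names the setting so it can be mapped back to the corresponding step in the checklist before any change is made through Group Policy or Local Security Policy.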
