Hardening Windows Server 2008

1. Configure a Security Policy:

Install the Security Configuration Wizard through Add or Remove Windows Components. It detects ports and services, and configures registry and audit settings according to the server's role.
• Disable unnecessary services based on the server role.
• Remove unused firewall rules and limit existing firewall rules.
• Define restricted audit policies.
To run the Security Configuration Wizard, go to Start --> Programs --> Administrative Tools --> Security Configuration Wizard.
Copyright © 2010 Centre For Development of Advanced Computing, Hyderabad

2. Disable or Delete Unnecessary Accounts:
Attackers often gain access to servers through unused ports and services, so block unused ports and protocols and disable services that are not required. By default, installation creates the Administrator, Guest and Help Assistant accounts. As a security measure, the Administrator account should be disabled to make it more difficult for an attacker to gain access. Both the Guest and Help Assistant accounts should be disabled at all times.
To disable or delete the accounts, go to Start --> Programs --> Administrative Tools --> Server Manager --> Configuration --> Local Users and Groups --> Users.
Right-click the user --> Properties --> check "Account is disabled".

3. Uninstall Unnecessary Applications or Roles:
The number of applications installed on a server should be related to its role. It is a good idea to test these applications in a separate environment before deploying them on the production network. Some applications make use of service backdoors, which can sometimes compromise the overall security of the server.
Belarc Advisor: It displays the installed software and hardware, missing patches, fixes and anti-virus status. It is free of cost and can be used for personal, government to look at their products which include many more features for managing security on multiple computers.
To uninstall unnecessary applications, go to Start --> Programs --> Administrative Tools --> Server Manager --> Roles --> click Remove Roles.


4. Configure the Windows 2008 Firewall:
Windows Server 2008 comes with a built-in firewall called Windows Firewall with Advanced Security. As a security best practice, every server should have its own host-based firewall. This is a bi-directional firewall that filters outbound as well as inbound traffic, and IPsec encryption configuration is integrated into the same interface. Using the advanced rules, you can build firewall rules from Windows Active Directory objects, source and destination IP addresses, and protocols.
To configure the Windows 2008 firewall, go to Start --> Control Panel --> Windows Firewall --> Change Settings.

5. Configure Auditing:
The following events should be logged and audited:
• Audit account logon events
• Audit account management
• Audit directory service access
• Audit logon events
• Audit object access
• Audit policy change
• Audit privilege use
• Audit process tracking
• Audit system events
To configure auditing, go to Start --> Control Panel --> Administrative Tools --> Local Security Policy --> Security Setting --> Local Policies --> Audit Policies.
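
The same nine policies can be applied and verified from an elevated prompt with auditpol.exe. The script below is an added example, not part of the original guide; it assumes PowerShell 2.0 or later, English auditpol category names, and auditing of both success and failure, since the guide does not say which outcomes to record.

```powershell
# Added example (not from the original guide). Run from an elevated prompt.
# Assumption: each policy is audited for both success and failure.
# Left: policy name as listed in the guide. Right: auditpol category (English).
$map = @(
    @('Audit account logon events',     'Account Logon'),
    @('Audit account management',       'Account Management'),
    @('Audit directory service access', 'DS Access'),
    @('Audit logon events',             'Logon/Logoff'),
    @('Audit object access',            'Object Access'),
    @('Audit policy change',            'Policy Change'),
    @('Audit privilege use',            'Privilege Use'),
    @('Audit process tracking',         'Detailed Tracking'),
    @('Audit system events',            'System')
)

foreach ($pair in $map) {
    $policy, $category = $pair
    & auditpol.exe /set "/category:$category" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not set '$policy' (auditpol category '$category')"
    }
}

# Verify: /r emits CSV with one row per subcategory. Any row that is not
# "Success and Failure" did not take effect (for example, overridden by
# a domain Group Policy).
$gaps = & auditpol.exe /get /category:* /r |
    Where-Object { $_ } |
    ConvertFrom-Csv |
    Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' }

if ($gaps) {
    $gaps | Format-Table Subcategory, 'Inclusion Setting' -AutoSize
} else {
    Write-Output 'All audit subcategories record success and failure.'
}
```

Object access and process tracking generate a high volume of events, so size the Security log to match before enabling them on a busy server.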

6. Disable Unnecessary Shares:
Unnecessary shares create a threat to critical servers, so it is necessary to disable them. Start by listing the shares with the following command: net share
This displays a list of all shares on the server. If there is a need to use a share, system and security administrators should configure it as a hidden share and harden all NTFS and share permissions.

    C:\Documents and Settings>net share

    Share name   Resource      Remark
    -------------------------------------------------------------------------------
    ADMIN$       C:\WINDOWS    Remote Admin
    C$           C:\           Default share
    IPC$                       Remote IPC

To create a hidden share, put a $ (dollar) sign after the share name. The share will still be accessible; however, it will not be easily listed through the network. Example: Accounting$
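
A hidden share is still reachable by anyone who knows its name, so the share permissions matter more than the trailing $. The script below is an added example, not part of the original guide; it assumes PowerShell 2.0 or later and checks share-level permissions only, not NTFS permissions. It separates the default administrative shares from user-created ones and flags user-created shares that are not hidden or that grant Everyone Full Control.

```powershell
# Added example (not from the original guide); read-only, changes nothing.
$EveryoneSid = 'S-1-1-0'     # well-known SID for Everyone
$FullControl = 2032127       # share-level Full Control access mask
$AdminBit    = 2147483648    # Win32_Share.Type values at or above this are default admin shares

Get-WmiObject Win32_Share | ForEach-Object {
    $share     = $_
    $isDefault = $share.Type -ge $AdminBit
    $findings  = @()

    if (-not $isDefault -and -not $share.Name.EndsWith('$')) {
        $findings += 'not hidden'
    }

    # Default admin shares (C$, ADMIN$, IPC$) have no security-setting instance.
    $sec = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$($share.Name)'"
    if ($sec) {
        $dacl = $sec.GetSecurityDescriptor().Descriptor.DACL
        if (-not $dacl) {
            $findings += 'no DACL on share'
        }
        foreach ($ace in $dacl) {
            # AceType 0 = access allowed
            if ($ace.AceType -eq 0 -and
                $ace.Trustee.SIDString -eq $EveryoneSid -and
                $ace.AccessMask -eq $FullControl) {
                $findings += 'Everyone: Full Control'
            }
        }
    }

    New-Object PSObject -Property @{
        Name     = $share.Name
        Path     = $share.Path
        Default  = $isDefault
        Findings = ($findings -join '; ')
    }
} | Select-Object Name, Path, Default, Findings | Format-Table -AutoSize
```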

7. Configure Encryption:
According to industry standards, servers that host sensitive information are required to make use of encryption. Windows Server 2008 provides a built-in whole-disk encryption feature called BitLocker Drive Encryption (BitLocker), which protects the operating system and the data stored on the disk. To install BitLocker, select it in Server Manager or type the following at a command prompt:

    C:\>ServerManagerCmd -install BitLocker -restart

To configure encryption on a 2008 server, go to Start --> Programs --> Administrative Tools --> Server Manager --> Features --> BitLocker (it will be accessible only when Active Directory is installed in Windows Server 2008).

8. Updates and Patches:
Updates and patches are key elements of hardening a server. System and security experts should be constantly updating and patching their servers against vulnerabilities. Administrators should periodically check the vendor's websites for updates. Windows Server Update Services (WSUS) provides a software update service for Microsoft Windows operating systems and other Microsoft software.
To update, go to Start -> Windows Update (make sure Automatic Updates is turned ON).

9. Antivirus and Network Access Point (NAP):
Antivirus software is one of the basic and crucial steps in hardening a server. Windows Server 2008 comes with Network Access Protection (NAP), which helps to defend against viruses spreading out into the network.
It uses a set of policies that clean the affected machines and, when they are healthy, permit them access to parts of the production network. NAP consists of client-server technology that scans and identifies machines that don't have the latest virus signatures, service packs or security patches.
To update the antivirus, go to: http://www.microsoft.com/security/default.aspx

10. Least Privilege:
Most security threats are caused by accounts holding high privileges. Server services should not be configured using enterprise-wide administrator accounts. Script Logic Cloak is a product which enhances the Windows NT File System (NTFS) by providing increased security and more accurate audits.
For least privilege: download Script Logic Cloak and install it on your Windows 2008 server to enhance Windows NT file system security.

11. Disable Automatic Services:
Here, all unneeded services that were set to automatic startup are disabled. By disabling these services you limit the attack surface area, which can prevent or limit exploitation of the server.
To disable automatic services, go to Start --> Run --> Services.msc --> disable unneeded services.

12. Disable Remote Registry:
This service allows registry access to authenticated remote users. Even though this is blocked by the firewall and ACLs, the service should be turned off if you have no reason to allow remote registry access.
To disable the remote registry, go to Start --> Control Panel --> Windows Firewall --> ON.
If you have a corporate network, follow the steps below:
Click Start - Run --> type "regedit" and press Enter --> navigate to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\
Select "winreg" and click Edit, then select "Permissions".
Select the appropriate users/groups and the appropriate permission, like "Read" or "Full Control".
Click OK and exit.

13. Windows Error Reporting Service:
Windows Error Reporting (WER) is a set of Windows technologies that capture software crash data and support end-user reporting of crash information. Through Winqual services, software and hardware vendors can access reports in order to analyze and respond to these problems. WER technologies are implemented in Windows XP, Windows Server 2003 and later.
Go to: Start --> Programs --> Administrative Tools --> Server Manager --> Configuration --> Local Users and Groups.

14. Enable Web Management Service:
Enables remote management of the web server sites and applications on this machine. The primary goal of enterprises that are currently using Web Services is to derive a business sense out of this technology and drive their strategies based on that. This can only be done when they have proper control over the Web Services offered to their customers.
To enable the Web Management Service, go to Start --> Programs --> Administrative Tools --> Server Manager --> Roles --> Add Roles --> check IIS --> Management Tools --> check Management Service.

15. Use Secure Socket Tunnelling Protocol (SSTP) Service:
Provides support for the Secure Socket Tunneling Protocol (SSTP) to connect to remote computers using VPN. If this service is disabled, users will not be able to use SSTP to access remote servers.
SSTP allows traffic to pass through firewalls that block PPTP and L2TP/IPsec traffic. It encapsulates PPP traffic over the SSL channel of the HTTPS protocol (port 443). It allows clients behind firewalls and NAT routers to connect to the VPN server without concern for typical port-blocking issues.
To use the SSTP service, go to Start --> Run --> services.msc --> Secure Socket Tunnelling Protocol Service --> Automatic.

16. Certificate Propagation:
Smart card certificate handling. Microsoft has included many smart-card services in Vista, but probably not too many people use them. Do not get these confused with memory cards; they are completely different things. Smart cards are sometimes used for logging into Vista instead of a password.
For Certificate Propagation, go to Start --> Run --> services.msc --> Certificate Propagation --> Automatic.

17. Enable NetLogon:
Maintains a channel between the computer and the domain controller. The Netlogon sub-key stores information for the Net Logon service. The Net Logon service verifies log-on requests, and it registers, authenticates and locates domain controllers. Also, to maintain backward compatibility, Net Logon manages replication of the user account database to backup domain controllers running Windows NT 4.0 and earlier.
To enable Netlogon, go to Start --> Run --> services.msc --> Netlogon --> Automatic.

18. Special Administration Console Helper:
Allows administrators to remotely access a command prompt. The Special Administration Console (SAC) can connect to a machine where this service is running. SAC can perform remote management tasks in case Windows on the machine stops functioning due to a Stop error message.
The SAC is an auxiliary Emergency Management Services command-line environment with the following main functions:
• Redirect Stop error message explanatory text.
• Restart the system.
• Obtain computer identification information.
Go to: Start --> Run --> Services.msc --> Special Administration Console Helper --> Automatic.
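
The startup types set by hand in sections 12 and 15 to 18 can be checked in one pass, together with the review of automatic services from section 11. The script below is an added example, not part of the original guide; it assumes PowerShell 2.0 or later and an elevated prompt, and the function name Test-ServiceBaseline is hypothetical.

```powershell
# Added example (not from the original guide).
# Startup types the guide asks for, keyed by service short name.
$baseline = @{
    'RemoteRegistry' = 'Disabled'  # section 12, Remote Registry
    'SstpSvc'        = 'Auto'      # section 15, Secure Socket Tunneling Protocol Service
    'CertPropSvc'    = 'Auto'      # section 16, Certificate Propagation
    'Netlogon'       = 'Auto'      # section 17, Netlogon
    'sacsvr'         = 'Auto'      # section 18, Special Administration Console Helper
}

function Test-ServiceBaseline {
    param([hashtable]$Baseline, [switch]$Apply)
    foreach ($name in $Baseline.Keys) {
        $want = $Baseline[$name]
        $svc  = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if (-not $svc) { Write-Warning "$name is not installed"; continue }
        if ($svc.StartMode -eq $want) { continue }

        Write-Output ('{0}: StartMode is {1}, expected {2}' -f $name, $svc.StartMode, $want)
        if ($Apply) {
            # StartMode reports 'Auto'; ChangeStartMode expects 'Automatic'.
            $mode = $want
            if ($want -eq 'Auto') { $mode = 'Automatic' }
            $rc = $svc.ChangeStartMode($mode).ReturnValue
            if ($rc -ne 0) {
                Write-Warning ('{0}: ChangeStartMode returned {1}' -f $name, $rc)
            }
            # A disabled service keeps running until it is stopped.
            if ($want -eq 'Disabled' -and $svc.State -eq 'Running') {
                [void]$svc.StopService()
            }
        }
    }
}

Test-ServiceBaseline -Baseline $baseline    # report only; add -Apply to enforce

# Section 11: the remaining automatic-start services and the account each
# runs as, for review against the server's role.
Get-WmiObject Win32_Service -Filter "StartMode='Auto'" |
    Where-Object { -not $baseline.ContainsKey($_.Name) } |
    Sort-Object Name |
    Format-Table Name, DisplayName, State, StartName -AutoSize
```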