Install the Security Configuration Wizard through Add and Remove Windows Components. It detects ports and services and configures registry and audit settings according to the server's role:

• Disable unnecessary services based on the server role.
• Remove unused firewall rules and limit existing firewall rules.
• Define restricted audit policies.

For configuring the Security Policy wizard, go to:
Start --> Programs --> Administrative Tools --> Security Configuration Wizard

Copyright © 2010 Centre For Development of Advanced Computing, Hyderabad

2. Disable or delete unnecessary accounts:

Attackers often gain access to servers through unused ports and services. So block the unused ports and protocols by disabling services that are not required. During installation, the Administrator, Guest and Help Assistant accounts are created by default. As a security measure, the Administrator account should be disabled to make it more difficult for an attacker to gain access. Both the Guest and Help Assistant accounts should be disabled at all times.

For disabling or deleting the accounts, go to:
Start --> Programs --> Administrative Tools --> Server Manager --> Configuration --> Local Users and Groups --> Users
Right click on the user --> Properties --> check "Account is disabled"

3. Uninstall unnecessary applications or roles:

The number of applications installed on the servers should be role related. It is a good idea to test these applications in a separate environment before deploying them on the production network. Some applications make use of service backdoors, which can sometimes compromise the overall security of the server.

Belarc Advisor: It displays the installed software and hardware, missing patches and fixes, and anti-virus status. It is free of cost and can be used for personal government to look at their products which include many more features for managing security on multiple computers.

For uninstalling the unnecessary applications, go to:
Start --> Programs --> Administrative Tools --> Server Manager --> Roles --> Click Remove Roles

4. Configure the Windows 2008 firewall:

Windows Server 2008 comes with a built-in firewall called the Windows Firewall with Advanced Security. As a security best practice, every server should have its own host-based firewall. It is a bi-directional firewall that filters outbound traffic as well as inbound traffic. IPsec encryption configurations are integrated into one interface. Using the advanced rules, you can build firewall rules using Windows Active Directory objects, source & destination IP addresses, and protocols.

For configuring the Windows 2008 firewall, go to:
Start --> Control Panel --> Windows Firewall --> Change Settings

5. Configure Auditing:

The following events should be logged and audited:

• Audit account logon events
• Audit account management
• Audit directory service access
• Audit logon events
• Audit object access
• Audit policy change
• Audit privilege use
• Audit process tracking
• Audit system events

For configuring the auditing, go to:
Start --> Control Panel --> Administrative Tools --> Local Security Policy --> Security Settings --> Local Policies --> Audit Policies

6. Disable unnecessary shares:

Unnecessary shares create a threat to critical servers, so it is necessary to disable them. This can be done using the following command:

    net share

This will display a list of all shares on the server. If there is a need to use a share, system and security administrators should configure it as a hidden share and harden all NTFS and share permissions.

    C:\Documents and Settings>net share

    Share name   Resource                        Remark
    -------------------------------------------------------------------------------
    ADMIN$       C:\WINDOWS                      Remote Admin
    C$           C:\                             Default share
    IPC$                                         Remote IPC

In order to create a hidden share, put a $ (dollar) sign after the share name. The share will still be accessible; however, it will not be easily listed through the network. Example: Accounting$

7. Configure Encryption:

According to industry standards, servers that host sensitive information are required to make use of encryption. Windows Server 2008 provides a built-in whole-disk encryption feature called BitLocker Drive Encryption (BitLocker), which protects the operating system and the data stored on the disk. To install BitLocker, select it in Server Manager or type the following at a command prompt:

    C:\>ServerManagerCmd -install BitLocker -restart

For configuring the encryption on the 2008 server, go to:
Start --> Programs --> Administrative Tools --> Server Manager --> Features --> BitLocker
(It will be accessible only when Active Directory is installed on Windows Server 2008.)

8. Updates and Patches:

Updates and patches are key elements for hardening a server. System and security experts should constantly update and patch their servers against vulnerabilities. Administrators should periodically check the vendors' websites for updates. Windows Server Update Services (WSUS) provides a software update service for Microsoft Windows operating systems and other Microsoft software.

For updating, go to:
Start --> Windows Update (make sure Automatic Updates is turned ON)

9. Antivirus and Network Access Protection (NAP):

Antivirus software is one of the basic and crucial steps for hardening a server. Windows Server 2008 comes with Network Access Protection (NAP), which helps defend against viruses spreading into the network. It uses a set of policies that clean the affected machines and, when they are healthy, permit them access to parts of the production network. NAP consists of client-server technology that scans and identifies machines that don't have the latest virus signatures, service packs or security patches.

For updating the antivirus, go to:
http://www.microsoft.com/security/default.aspx

10. Least Privilege:

Most security threats are caused by high privileges held by accounts. Server services should not be configured using enterprise-wide administrator accounts. Script Logic Cloak is a product that enhances the Windows NT File System (NTFS) by providing increased security and more accurate audits.

For least privilege:
Download Script Logic Cloak and install it on your Windows 2008 server to enhance Windows NT file system security.

11. Disable Automatic Services:

In this step, the unneeded services that were set to automatic startup are disabled. By disabling these services you limit the attack surface area, which can prevent or limit exploitation of the server.

For disabling automatic services, go to:
Start --> Run --> Services.msc --> Disable unneeded services

12. Disable Remote Registry:

This service allows registry access to authenticated remote users. Even though this is blocked by the firewall and ACLs, the service should be turned off if you have no reason to allow remote registry access.

For disabling the remote registry, go to:
Start --> Control Panel --> Windows Firewall --> ON

If you have a corporate network, follow the steps below:
Click Start --> Run --> type "regedit" and press Enter --> navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\
Select "winreg" and click Edit
Select "Permissions"
Select the appropriate users/groups & the appropriate permission, like "Read" or "Full Control".
Click OK and exit.

13. Windows Error Reporting Service:

Windows Error Reporting (WER) is a set of Windows technologies that capture software crash data and support end-user reporting of crash information. Through Winqual services, software and hardware vendors can access reports in order to analyze and respond to these problems. WER technologies are implemented in Windows XP, Windows Server 2003 and later.

Go to:
Start --> Programs --> Administrative Tools --> Server Manager --> Configuration --> Local Users and Groups

14. Enable Web Management Service:

Enables remote management of the web server, sites and applications on this machine. The primary goal of enterprises that are currently using Web Services is to derive a business sense out of this technology and drive their strategies based on that. This can only be done when they have proper control over the Web Services offered to their customers.

For enabling the Web Management Service, go to:
Start --> Programs --> Administrative Tools --> Server Manager --> Roles --> Add Roles --> Check for IIS --> Management Tools --> Check for Management Service

15. Use Secure Socket Tunnelling Protocol (SSTP) Service:

Provides support for the Secure Socket Tunneling Protocol (SSTP) to connect to remote computers using VPN. If this service is disabled, users will not be able to use SSTP to access remote servers. SSTP allows traffic to pass through firewalls that block PPTP and L2TP/IPsec traffic. It encapsulates PPP traffic over the SSL channel of the HTTPS protocol (port 443). It allows clients behind firewalls and NAT routers to connect to the VPN server without concern for typical port-blocking issues.

For using the SSTP service, go to:
Start --> Run --> services.msc --> Secure Socket Tunnelling Protocol Service --> Automatic

16. Certificate Propagation:

Smart card certificate handling. Microsoft has included many smart-card services in Vista, but probably not too many people use them. Do not confuse these with memory cards; they are completely different things. Smart cards are sometimes used for logging into Vista instead of a password.

For Certificate Propagation, go to:
Start --> Run --> services.msc --> Certificate Propagation --> Automatic

17. Enable NetLogon:

Maintains a channel between the computer and the domain controller. The Netlogon sub-key stores information for the Net Logon service. The Net Logon service verifies log-on requests, and it registers, authenticates and locates domain controllers. Also, to maintain backward compatibility, Net Logon manages replication of the user account database to backup domain controllers running Windows NT 4.0 and earlier.

For enabling Netlogon, go to:
Start --> Run --> services.msc --> Netlogon --> Automatic

18. Special Administration Console Helper:

Allows administrators to remotely access a command prompt. The Special Administration Console (SAC) can connect to a machine where this service is running. SAC can perform remote management tasks in case Windows on the machine stops functioning due to a Stop error message. The SAC is an auxiliary Emergency Management Services command-line environment with the following main functions:

• Redirect Stop error message explanatory text.
• Restart the system.
• Obtain computer identification information.

Go to:
Start --> Run --> Services.msc --> Special Administration Console Helper --> Automatic
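
The account, share and service settings from steps 2, 6, 12 and 15 to 18 can be checked in one pass instead of through each console. The PowerShell script below is an added example, not part of the original checklist; it only reads state through WMI and changes nothing. The service short names in the table are assumed mappings of the display names the checklist uses, and the HelpAssistant account name follows the checklist.

```powershell
# Added example: read-only WMI check of checklist steps 2, 6, 12 and 15-18.
# Service short names (assumed mappings of the checklist's display names).
$expected = @{
    'RemoteRegistry' = 'Disabled'   # step 12: Remote Registry
    'SstpSvc'        = 'Auto'       # step 15: Secure Socket Tunneling Protocol Service
    'CertPropSvc'    = 'Auto'       # step 16: Certificate Propagation
    'Netlogon'       = 'Auto'       # step 17: Netlogon
    'sacsvr'         = 'Auto'       # step 18: Special Administration Console Helper
}
$findings = @()

# Step 2: built-in Administrator (RID 500), Guest (RID 501) and HelpAssistant
# should be disabled. Matching on the RID still works after an account rename.
foreach ($acct in @(Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True")) {
    $isTarget = ($acct.SID -match '-50[01]$') -or ($acct.Name -like 'HelpAssistant*')
    if ($isTarget -and -not $acct.Disabled) {
        $findings += "ACCOUNT  $($acct.Name) is still enabled"
    }
}

# Step 6: flag disk shares whose name does not end in $ (not hidden).
# Type 0 is an ordinary disk share; C$, ADMIN$ and IPC$ report other Type values.
foreach ($share in @(Get-WmiObject -Class Win32_Share)) {
    if ($share.Type -eq 0 -and $share.Name -notlike '*$') {
        $findings += "SHARE    $($share.Name) ($($share.Path)) is listed on the network"
    }
}

# Steps 12 and 15-18: compare each service's start mode with the checklist.
foreach ($name in $expected.Keys) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if (-not $svc) {
        $findings += "SERVICE  $name is not installed on this server"
    } elseif ($svc.StartMode -ne $expected[$name]) {
        $findings += "SERVICE  $name is $($svc.StartMode), checklist says $($expected[$name])"
    }
}

if ($findings.Count -eq 0) {
    'No deviations from the checklist found.'
} else {
    $findings | Sort-Object
}
```

Run it from an elevated PowerShell prompt on the server; each output line names one setting that differs from the checklist, and visible shares still need their NTFS and share permissions reviewed by hand.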