DF
June 29, 2022
Updated June 7, 2023

Secured Windows Server Checklist


Checklist for a secured Windows Server:

Server security has always been relevant and will remain so. Let's consider the basic rules for securing servers running the Windows Server family of operating systems.

Regularly install updates to the operating system and installed software.

There is a widespread belief that Windows does not need updates and that it is better to turn them off, supposedly “so that the system does not break”. This is one of the biggest mistakes. Updates, and critical security updates above all, must be installed promptly. On a single server the built-in Windows Update does this; with several servers, a WSUS (Windows Server Update Services) server lets you approve and stage updates centrally instead of visiting each machine, and a Microsoft download page for a standalone update is only needed when a specific patch has to be applied by hand.

It is also important to keep installed related software up to date, including DBMS, various frameworks, and so on.
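As an added example (not from the original article), the following PowerShell script checks where a server stands on updates: what is installed, what is still pending and how severe it is, and which update source the server is configured to use. It runs on the server itself through the Windows Update Agent COM API and assumes nothing about your environment beyond that.

```powershell
# Added example, not code from the original article.
# Inventory installed and pending updates on this server via the Windows Update Agent.

# Installed updates (hotfix list) and the date of the most recent one.
$installed = Get-HotFix | Sort-Object InstalledOn -Descending
"Installed updates: {0}; most recent on {1}" -f $installed.Count, $installed[0].InstalledOn

# Pending updates with their MSRC severity, so that critical ones are not overlooked.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates

$rows = foreach ($u in $pending) {
    [pscustomobject]@{
        Severity = $( if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' } )
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Title    = $u.Title
    }
}
$rows | Sort-Object Severity | Format-Table -AutoSize

# A server with a Critical update pending should be patched now, not at the next window.
if ($rows | Where-Object { $_.Severity -eq 'Critical' }) {
    Write-Warning 'Critical updates are pending on this server.'
}

# Which update source is in use? No WUServer value means Microsoft's public servers.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$src = (Get-ItemProperty -Path $wu -Name WUServer -ErrorAction SilentlyContinue).WUServer
"Update source: {0}" -f $( if ($src) { $src } else { 'Windows Update (Microsoft)' } )
```

Run it from an elevated prompt; the search can take a minute on a server that has not synchronised recently. On a WSUS-managed server the list reflects only updates already approved on the WSUS side, so an empty result there does not mean the server is current upstream.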

Use software from trusted sources.

Before downloading an installation package, including open-source software, make sure the source is genuine. It is common for a site that visually imitates the official one (phishing, typosquatted domain names) to distribute an already compromised build, with malicious code added to the installer. Download from the vendor's own site or repository, and before running the file compare its checksum with the one the vendor publishes and check its code-signing signature.
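As an added example (not from the original article), this PowerShell script performs the two checks described above on a downloaded installer: the SHA-256 hash against the value published by the vendor, and the Authenticode signature against the publisher you expect. The installer path, the expected hash and the publisher name are placeholders to be replaced with the real values.

```powershell
# Added example, not code from the original article.
# Verify a downloaded installer before it is ever executed.
$Installer      = 'C:\Downloads\setup.exe'   # assumed path
$ExpectedSha256 = '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder: take it from the vendor's page
$ExpectedOrg    = 'O=Vendor Name'            # placeholder: the publisher's organisation as it appears in the certificate subject

# 1. The hash must match what the vendor published over HTTPS on its own site.
$actual = (Get-FileHash -Path $Installer -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    Write-Error "Hash mismatch: expected $ExpectedSha256, got $actual. Do not run this file."
    return
}

# 2. The signature must be Valid AND belong to the expected publisher. A valid
#    signature from some other certificate proves nothing about the vendor.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid') {
    Write-Error "Signature status is '$($sig.Status)'. Do not run this file."
    return
}
$signer = $sig.SignerCertificate.Subject
if ($signer -notmatch [regex]::Escape($ExpectedOrg)) {
    Write-Error "Unexpected signer: $signer"
    return
}
Write-Output "Signed by: $signer"

# 3. Only after both checks pass, clear the 'downloaded from the Internet' mark.
Unblock-File -Path $Installer
Write-Output 'Installer verified.'
```

The order matters: an attacker who controls the download site can also publish a matching hash for the trojaned file, so the hash check alone protects only against a corrupted or mirrored copy; the signature check ties the file to the vendor's signing key.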

Properly configure the firewall.

A server is reachable from the Internet. For that reason the OS must sit behind a device acting as a firewall. If there is no such device, Windows Firewall is the last line of defence against unauthorised connections to the server.

The fewer TCP/UDP ports reachable from outside, the smaller the attack surface. The point is to understand what must be blocked. For a web server, TCP ports 80 and 443 must remain open (the web service listens on them by default); almost everything else should not be reachable from arbitrary addresses.

Those were the public ports. Do not forget that there are ports to which access must be granted on a “white list” basis, i.e. only to a defined group of people or source addresses. Examples:

  • 3389 - RDP (Remote Desktop Protocol);
  • 135-139 - RPC endpoint mapper and NetBIOS;
  • 445 - SMB (file and folder sharing; “Samba” is the Unix implementation of the same protocol);
  • 5000-5050 - an example passive-mode FTP data range (the actual range is whatever you configured on the FTP server; TCP 21 is the control port);
  • 1433 (TCP) and 1434 (UDP) - Microsoft SQL Server and the SQL Server Browser service;
  • 3306 - standard port for MySQL;
  • 53 - DNS (only if this server is meant to answer DNS queries for others).

Creating a rule is not hard. Open Start → Control Panel → System and Security → Administrative Tools → Windows Firewall with Advanced Security (or run wf.msc).

In the console window, right-click “Inbound Rules” and select “New Rule...” from the context menu. The wizard asks for the port, whether to allow or block, the network profiles the rule applies to, and a name. For whitelisted services also open the finished rule's properties, Scope tab, and restrict “Remote IP address” to the addresses that are allowed to connect; otherwise the rule opens the port to everyone.
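As an added example (not from the original article), the same configuration done with the NetSecurity cmdlets: public web ports open to everyone, RDP and SMB only from a management subnet, a block-by-default inbound policy, and a check of what is actually listening and what the allow rules expose. The management subnet 10.0.100.0/24 is an assumption.

```powershell
# Added example, not code from the original article.
# Whitelist firewall for a web server whose administrators sit in 10.0.100.0/24 (assumed).
$AdminNet = '10.0.100.0/24'

# Public services: anyone may reach HTTP/HTTPS.
New-NetFirewallRule -DisplayName 'Allow HTTP/HTTPS (public)' -Direction Inbound `
    -Protocol TCP -LocalPort 80,443 -Action Allow -Profile Any | Out-Null

# Management services: only from the whitelist. RemoteAddress is what the GUI's Scope tab sets.
New-NetFirewallRule -DisplayName 'Allow RDP from admin subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $AdminNet -Action Allow -Profile Any | Out-Null
New-NetFirewallRule -DisplayName 'Allow SMB from admin subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -RemoteAddress $AdminNet -Action Allow -Profile Any | Out-Null

# The built-in 'Remote Desktop' rule group allows 3389 from anywhere; disable it so that
# only the scoped rule above applies. Do this from the admin subnet or a console session.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

# Block-by-default inbound on every profile (a server often ends up on the Public profile).
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# What is listening, and which inbound allow rules expose which ports to which sources?
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess | Sort-Object LocalPort -Unique | Format-Table -AutoSize

Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $af = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $pf.Protocol; Port = $pf.LocalPort; From = $af.RemoteAddress }
} | Where-Object { $_.Port -ne 'Any' } | Format-Table -AutoSize
```

The last pipeline is the check worth keeping: any row whose From column reads Any and whose Port is not 80 or 443 is a service reachable from the whole Internet.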

Rename the administrator account.

The built-in Administrator account is the first target of any password-guessing attack because its name is known in advance. Renaming it removes that free guess. Its identifier (RID 500) still gives it away to an attacker who can already query the server, so this complements strong passwords and account lockout rather than replacing them.

Use multiple administrator accounts.

If several people administer the server, create an individual account for each. This makes it possible to attribute what happened to a specific person from the audit log instead of to a shared “Administrator”.

Use a user account with limited rights.

An account with administrative rights is not needed for most everyday tasks. Create an account with limited rights for them. If that account is compromised, the attacker still has to obtain administrator rights before doing real damage, which is considerably harder. Such a measure also protects the server from the user's own mistakes.

If an attacker gains access under an administrator account, they have full control of the system.
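As an added example (not from the original article), this PowerShell script applies the three account rules above on a stand-alone server using local accounts: it renames the built-in Administrator, creates a personal administrative account for each admin, creates a limited account for daily work, and lists the result. The account names are assumptions; run it in an elevated PowerShell on the server.

```powershell
# Added example, not code from the original article. Account names are assumptions.

# 1. Rename the built-in Administrator. It is identified by RID 500, not by its name,
#    so find it by SID in case it has already been renamed.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-*-500' }
if ($builtin.Name -eq 'Administrator') {
    Rename-LocalUser -Name 'Administrator' -NewName 'srv-breakglass'   # assumed new name
}

# 2. One personal administrative account per person, so the Security log names who did what.
foreach ($admin in 'adm.ivanov', 'adm.petrov') {                          # assumed names
    if (-not (Get-LocalUser -Name $admin -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -AsSecureString "Initial password for $admin"
        New-LocalUser -Name $admin -Password $pw | Out-Null
        Add-LocalGroupMember -Group 'Administrators' -Member $admin
    }
}

# 3. A limited account for everyday work; new local users land in 'Users' by default.
if (-not (Get-LocalUser -Name 'ivanov' -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString 'Password for ivanov'
    New-LocalUser -Name 'ivanov' -Password $pw | Out-Null
}

# 4. Verify: who holds administrative rights, and which account is RID 500 now?
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
Get-LocalUser | Select-Object Name, Enabled, @{ n = 'RID'; e = { $_.SID.Value.Split('-')[-1] } }
```

On a domain member the same idea applies with domain accounts and the Active Directory module instead of the LocalAccounts cmdlets.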

Restrict file and folder sharing, enable password protection.

We strongly recommend not sharing folders to anonymous users or to users without a password. Even if the stored files have no value, nothing stops an attacker from replacing one of your files with a file carrying malicious content, and the consequences of such a substitution can vary widely.

In addition to requiring authentication, restrict what each user may do with files and folders (read, write, change), both in the share permissions and in the NTFS permissions; the more restrictive of the two applies.
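As an added example (not from the original article), this PowerShell script audits the shares on a server for blanket grants, replaces them on one share with group-based rights at both the share and NTFS level, and closes anonymous access to the server service. The share and group names are assumptions.

```powershell
# Added example, not code from the original article. Share and group names are assumptions.

# 1. Which non-administrative shares grant access to Everyone, Guest or anonymous logons?
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $acl = Get-SmbShareAccess -Name $_.Name
    [pscustomobject]@{
        Share  = $_.Name
        Path   = $_.Path
        Open   = [bool]($acl | Where-Object { $_.AccountName -match 'Everyone|ANONYMOUS LOGON|Guest' })
        Access = ($acl | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join ', '
    }
} | Format-Table -AutoSize

# 2. Replace the blanket grant on one share with per-group rights.
$share = 'Reports'                                             # assumed share name
Revoke-SmbShareAccess -Name $share -AccountName 'Everyone' -Force
Grant-SmbShareAccess  -Name $share -AccountName 'SRV\Reports-Readers' -AccessRight Read   -Force
Grant-SmbShareAccess  -Name $share -AccountName 'SRV\Reports-Editors' -AccessRight Change -Force

# 3. Share and NTFS permissions are evaluated together and the stricter wins, so set the
#    NTFS ACL to match: readers cannot write even if a share grant is loosened later.
$path = (Get-SmbShare -Name $share).Path
icacls $path /inheritance:r /grant:r 'SRV\Reports-Readers:(OI)(CI)RX' 'SRV\Reports-Editors:(OI)(CI)M' `
    'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# 4. Stop anonymous (null-session) share enumeration and disable the Guest account.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    -Name 'RestrictNullSessAccess' -Value 1 -Type DWord
Disable-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue

# 5. Re-run the audit for the one share to confirm.
Get-SmbShareAccess -Name $share | Select-Object AccountName, AccessControlType, AccessRight
```

Step 3 resets the NTFS ACL on the shared folder and removes inheritance; check the folder is the share root and not a parent that holds other data before running it.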

Enable prompting for a password to log in when exiting idle mode, as well as disconnecting sessions when idle.

On a physical server (not a remote or virtual one), enable the password prompt on wake-up. The setting is in Control Panel → All Control Panel Items → Power Options.

It is also important to set an inactivity limit after which the screen locks and a password is required on return. This rules out another person acting under the user's account if he stepped away or forgot to close an RDP session. The console lock is “Interactive logon: Machine inactivity limit” in the local security policy (secpol.msc → Local Policies → Security Options); the idle and disconnected-session limits for RDP are in the local group policy (gpedit.msc → Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Session Time Limits).
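As an added example (not from the original article), this PowerShell script sets the same three things from the command line by writing the registry values behind those policy settings: the wake-up password prompt, the console inactivity lock, and the RDP idle and disconnected-session limits. The time values are assumptions to adjust to your own policy.

```powershell
# Added example, not code from the original article. Time values are assumptions.

# Require a password when the machine wakes (Power Options). A server runs on mains power,
# so the AC value is the one that matters; -setdcvalueindex would cover battery.
powercfg -setacvalueindex SCHEME_CURRENT SUB_NONE CONSOLELOCK 1
powercfg -setactive SCHEME_CURRENT

# Lock the console after 15 minutes of inactivity
# (secpol.msc: Interactive logon: Machine inactivity limit; value in seconds).
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -Name 'InactivityTimeoutSecs' -Value 900 -Type DWord

# Remote Desktop session limits (gpedit.msc: ... Remote Desktop Session Host > Session Time Limits).
# Values are milliseconds: disconnect an idle session after 30 minutes, and end a disconnected
# session after 2 hours so that it cannot be resumed by whoever connects next.
$rds = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $rds -Force | Out-Null
Set-ItemProperty -Path $rds -Name 'MaxIdleTime'          -Value (30 * 60 * 1000)     -Type DWord
Set-ItemProperty -Path $rds -Name 'MaxDisconnectionTime' -Value (2 * 60 * 60 * 1000) -Type DWord
Set-ItemProperty -Path $rds -Name 'fResetBroken'         -Value 1 -Type DWord   # 1 = end session when a limit is reached

# Read back what is now in force. New sessions pick the values up; existing ones do not.
Get-ItemProperty -Path $rds | Select-Object MaxIdleTime, MaxDisconnectionTime, fResetBroken
```

On a domain member a domain GPO with the same settings overrides these local values, so check the result with gpresult /r rather than trusting the registry alone.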

Use the Security Configuration Wizard.

The Security Configuration Wizard (SCW) creates XML security policies that can later be applied to other servers. Such a policy covers not only which services are enabled, but also general system settings and firewall rules. Note that SCW ships with Windows Server 2008 through 2012 R2 only; it was removed in Windows Server 2016, where the Security Compliance Toolkit baselines, Group Policy and Desired State Configuration take over the same job.

Correctly configure security policies.

Beyond the initial configuration of Active Directory group policies, they should be reviewed and adjusted periodically. This is one of the main ways of securing a Windows infrastructure.

For convenient management of group policies you can use not only the gpmc.msc console built into Windows Server, but also Microsoft's Security Compliance Manager (SCM). SCM has since been retired; its successor, the Security Compliance Toolkit, provides the same security baselines as GPO backups together with the Policy Analyzer tool for comparing a server's effective settings against them.

Use local security policies.

In addition to Active Directory group policies, use local policies, which govern the rights of both remote users and local accounts.

To manage local policies, you can use the appropriate "Local Security Policy" snap-in, called by the secpol.msc command from Start -> Run (Windows key + R).

Protect Remote Desktop Service (RDP).

  1. Block RDP connections for users with a blank password.

Accounts without passwords are unacceptable, but if for some reason one cannot be avoided, you can at least make it unusable over the network, RDP included. Open Start → Administrative Tools and run Local Security Policy (secpol.msc).

In the Local Security Policy window, on the left, select Local Policies → Security Options. In the main part of the window find “Accounts: Limit local account use of blank passwords to console logon only”.

Open the item by double-clicking and make sure it is set to “Enabled” (this is the default on Windows Server; check that nothing has switched it off). Press “OK”. With the policy enabled, a local account with a blank password can log on only at the physical console; network, RDP and remote-management logons are refused. Setting it to “Disabled” would do the opposite of what this item is for.
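As an added example (not from the original article), this PowerShell script enforces the setting above, removes the root cause by requiring non-empty passwords through the local account policy, lists local accounts that have no password set, and reads the effective policy back from a secedit export. The minimum length and lockout values are assumptions.

```powershell
# Added example, not code from the original article. Policy values are assumptions.

# 'Accounts: Limit local account use of blank passwords to console logon only' = Enabled.
# Backing registry value: LimitBlankPasswordUse = 1 (0 would allow blank-password logons over RDP).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LimitBlankPasswordUse' -Value 1 -Type DWord

# Better still, make blank passwords impossible for local accounts, and lock out guessing.
net accounts /minpwlen:14 /maxpwage:90 /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15

# Enabled local accounts that have never had a password set, or are allowed not to have one.
Get-LocalUser | Where-Object { $_.Enabled -and (-not $_.PasswordLastSet -or -not $_.PasswordRequired) } |
    Select-Object Name, PasswordRequired, PasswordLastSet

# Read the effective local policy back from a secedit export instead of trusting the registry alone.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /quiet
Select-String -Path $cfg -Pattern 'LimitBlankPasswordUse|MinimumPasswordLength|LockoutBadCount' |
    ForEach-Object { $_.Line.Trim() }
Remove-Item $cfg
```

On a domain-joined server the password and lockout settings come from the Default Domain Policy and the net accounts call only affects the local SAM, so the export is the place to confirm what actually applies.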

Change the default RDP TCP port.

Moving a standard service to a non-default port cuts the noise from automated scanners and brute-force bots that only try 3389. It does not stop an attacker who port-scans the host, so treat it as a supplement to the whitelist firewall rule and strong authentication, not a replacement. The main thing is not to forget the new port number.

To change the port:

  1. Open the Registry Editor: Windows + R, regedit.
  2. Just in case, make a backup copy of the registry branch (File → Export).
  3. Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp and, in the right part of the window, find the PortNumber value.
  4. Open the value by double-clicking. In the window that opens, select Base: Decimal, enter the new port number, click “OK” and close the Registry Editor.

So that you can still connect to the server, create a matching Windows Firewall rule. Right-click “Inbound Rules” and select “New Rule...” from the context menu. In the wizard select “Port”, then “TCP” and “Specific local ports”, and enter the new port number. Next select “Allow the connection”, then tick the network profiles the rule should apply to. At the final step give the rule a name and, optionally, a description. Afterwards restrict the rule's Scope to the addresses allowed to connect, as for port 3389 above.

Reboot the server to apply the change (restarting the Remote Desktop Services service also works, but it drops the current session).

To connect to the remote desktop, now use the IP address or domain name followed by a colon and the new port, for example mstsc /v:server.example.com:33899 (the port here is an example).
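As an added example (not from the original article), the same change scripted in PowerShell in an order that cannot lock you out: back up the registry branch, open the new port for the management subnet first, then move the listener, apply, verify, and only then retire the rules for 3389. The new port 33899 and the subnet 10.0.100.0/24 are assumptions.

```powershell
# Added example, not code from the original article. Port and subnet are assumptions.
$NewPort  = 33899
$AdminNet = '10.0.100.0/24'
$key      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Backup of the branch (the scripted equivalent of File > Export in regedit).
reg export 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' "$env:TEMP\RDP-Tcp.reg" /y | Out-Null

# 2. Open the new port BEFORE changing the listener, scoped to the whitelist, so there is
#    never a moment when no allowed path to the server exists.
New-NetFirewallRule -DisplayName "Allow RDP on $NewPort from admin subnet" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -RemoteAddress $AdminNet -Action Allow | Out-Null

# 3. Change the listener port. The value is a DWORD; regedit displays it as Decimal.
Set-ItemProperty -Path $key -Name 'PortNumber' -Value $NewPort -Type DWord

# 4. Apply. A reboot as in the article, or a service restart; the restart drops every RDP
#    session, so run this from a console session or as a scheduled task.
Restart-Service -Name TermService -Force

# 5. Verify that the listener actually moved before touching the old rules.
$listener = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
if (-not $listener) { throw "Nothing is listening on $NewPort; keep the old rules and investigate." }
$listener | Select-Object LocalAddress, LocalPort, OwningProcess

# 6. Retire the built-in rules for 3389 (they allow the old port from anywhere).
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

# Client side (hostname is an assumption):  mstsc /v:server.example.com:33899
```

If an earlier scoped rule for 3389 exists, disable that as well once the new port is confirmed; leaving both open simply doubles the surface the change was meant to shrink.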

Configure Remote Desktop Gateway.

The Remote Desktop Gateway role (formerly TS Gateway) tunnels RDP inside HTTPS (TLS), so that only TCP 443 has to be exposed and the administrator does not need to set up a VPN for remote desktop access. The gateway controls access to internal machines comprehensively and lets you set authorization rules and requirements for remote users, for example:

  • the users or groups allowed to connect to internal network resources;
  • the network resources those users may connect to;
  • whether client computers must be members of Active Directory;
  • whether clients must authenticate with a smart card, a password, or may use either.

The gateway's design assumes a separate machine; a stand-alone virtual machine is fine for that purpose. Because it is the component exposed to the Internet, keep it patched with particular care and do not host other roles on it.

Install the RD Gateway role service.

Open Server Manager and select “Add roles and features”. At the “Installation type” step select “Role-based or feature-based installation”, then select the current server from the server pool. Under server roles tick “Remote Desktop Services”; at the role services step select “Remote Desktop Gateway” and accept the additional features it requires (IIS components and Network Policy Server, which the gateway uses to evaluate its policies). Proceed to the confirmation step and click “Install”.

Installing an SSL certificate.

After the role is installed, in Server Manager select Tools → Remote Desktop Services → Remote Desktop Gateway Manager.

In the window that opens, click the server icon in the left pane. In the main part of the window select “View and modify certificate properties”.

In the “Properties” window go to the “SSL Certificate” tab. For a first test you can select “Create a self-signed certificate” and click “Create and Import Certificate...”; check the settings in the new window and click “OK”, and the system will report that the certificate was created and give you the path to the file. If you already have a certificate, use one of the other options on the tab, depending on who issued it.

Keep in mind that a self-signed certificate is only suitable for testing: every client would have to import it by hand, and users trained to click through certificate warnings are easy to redirect to a fake gateway. For production use a certificate issued by a public CA, or by your internal CA that the clients already trust, with the gateway's public name in its subject.

Back in the server properties window click “Apply”.

It remains to configure the gateway policies.

In the “Remote Desktop Gateway Manager” window, in the left column, expand the server branch, select “Policies”, then “Connection Authorization Policies”. In the right column of the same window select “Create New Policy” → “Wizard”.

In the new window select “Create only a remote desktop connection authorization policy” and click “Next”.

Specify a name for the policy. We recommend using Latin characters in the name.

The next step is to choose the authentication method: password or smart card. Leave only “Password” checked (or require a smart card if your users have them). Click “Add Group...”.

In the group selection window click “Advanced”, then “Find Now”. In the results this walkthrough selects “Domain Admins” and clicks “OK”. In practice create a dedicated group such as “RDG-Users” for the people who need remote access and add that instead: domain administrators should not be the accounts that authenticate on an Internet-facing service, and membership of a purpose-made group is easier to review. Confirm the selected object names with “OK”.

The group has been added. Click “Next”.

At the next step the wizard offers “Enable device redirection for all client devices”. Redirecting drives, clipboard and plug-and-play devices lets files move between the client and the server in both directions; enable only the kinds of redirection you actually need. Click “Next”.

Set up session timeouts and the action to take when they expire. We recommend disconnecting idle sessions, so that abandoned sessions cannot be picked up by someone else and their background processes do not consume CPU time. Click “Next”.

At the last stage review the summary and click “Finish”, then “Close” to confirm that the policy was created.

Set up a resource authorization policy.

The procedure is similar to the previous one.

In the Remote Desktop Gateway Manager window expand Policies → Resource Authorization Policies. In the right part of the window select “Create New Policy” → “Wizard”.

In the window that opens select “Create only a remote desktop resource authorization policy” and click “Next”.

The first step is to give the policy a name; we again recommend Latin characters. Click “Next”.

At the user groups step click “Add Group...”, then “Advanced” and “Find Now”, select the same group as in the connection authorization policy (this walkthrough uses “Domain Admins”; a dedicated remote-access group is the better choice) and confirm with “OK”. Click “Next”.

At the network resources step this walkthrough allows users to connect to any network resource. That is the quickest option, but it turns the gateway into a door to the whole internal network; prefer an Active Directory group of computers or a gateway-managed computer group that lists only the hosts remote users really need. Click “Next”.

Set up the allowed ports. If the RDP port on the target servers has not been changed, leave 3389; otherwise enter the port you configured. Click “Next”.

The final step is to check the settings and click “Finish”, then “Close” in the updated window.
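As an added example (not from the original article), the same gateway deployment from PowerShell, using the RDS: provider of the RemoteDesktopServices module, with the two tightenings recommended above: a dedicated user group instead of Domain Admins, and a managed computer group instead of “any resource”. The group, host and certificate names are assumptions; the provider paths and parameters are the ones documented for the module, and the certificate thumbprint path is an assumption to confirm on your build.

```powershell
# Added example, not code from the original article. Names are assumptions.
Install-WindowsFeature RDS-Gateway -IncludeManagementTools | Out-Null
Import-Module RemoteDesktopServices

# Certificate: one issued by a CA the clients already trust, with the public name of the gateway.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=rdgw.example.com*' } | Select-Object -First 1   # assumed name
if (-not $cert) { throw 'Install the CA-issued gateway certificate into LocalMachine\My first.' }
Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $cert.Thumbprint   # path: assumption

# Connection authorization policy (WHO may connect). AuthMethod 1 = password, 2 = smart card, 3 = either.
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'CAP-RemoteAccess' `
    -UserGroups 'RDG-Users@example' -AuthMethod 1 | Out-Null                          # assumed group

# Resource authorization policy (WHAT they may reach). A gateway-managed computer group with
# only the jump hosts, instead of ComputerGroupType 2 (any resource).
New-Item -Path 'RDS:\GatewayServer\GatewayManagedComputerGroups' -Name 'JumpHosts' `
    -Description 'Hosts reachable through the gateway' `
    -Computers 'jump01.example.com','jump02.example.com' | Out-Null                  # assumed hosts
New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'RAP-JumpHosts' `
    -UserGroups 'RDG-Users@example' -ComputerGroupType 0 -ComputerGroup 'JumpHosts' -PortNumbers 3389 | Out-Null

# Device redirection and session timeouts live as items under the CAP; list them and adjust
# with Set-Item. The exact item names vary by build, so read them here rather than guessing.
Get-ChildItem 'RDS:\GatewayServer\CAP\CAP-RemoteAccess' -Recurse | Select-Object PSChildName, CurrentValue

# Only 443 faces the Internet; 3389 on the jump hosts should accept the gateway's address alone.
New-NetFirewallRule -DisplayName 'Allow RD Gateway HTTPS' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow | Out-Null
```

The user group is written as group@domain, the form the provider expects. Both policies must exist before any connection succeeds: the CAP admits the user, the RAP decides which hosts and ports that user may then reach.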

Isolate server roles. Disable unused services.

At the network design stage one of the main tasks is to plan for the failure of any element of the network. The reasons can be many, from hardware failure to being “hacked” from outside. The more roles a server carries, the more severe the consequences if it fails or is compromised: an attacker who takes over a combined file server and domain controller takes the whole domain with it. To minimise risk and damage, separate server roles at the design stage where possible. Disabling services and server roles that are not needed also has a positive effect on the server's operation and shrinks its attack surface.

The ideal case is one server per function: a domain controller, or a file server, or a terminal server. In practice a complete separation of roles is hard to achieve.

Role isolation can also be handled with virtual servers. Modern virtualisation offers a high level of performance and stability, and neither the administrator nor the user notices any restrictions. Properly chosen hardware and a well-configured software stack can fully replace an entire fleet of physical machines.
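As an added example (not from the original article), this PowerShell script shows where to look when trimming a server to its single role: the installed roles and features, the automatically started services that are actually listening on the network, and the disabling of services the role does not need. The role removal and the list of services to disable are assumptions for a stand-alone web server; check each against what the server really does first.

```powershell
# Added example, not code from the original article. Candidate roles and services are assumptions.

# 1. What is installed? Anything not needed for this server's role is attack surface.
Get-WindowsFeature | Where-Object Installed | Select-Object Name, DisplayName | Format-Table -AutoSize

# 2. Remove a role the server should not carry (example: an FTP role left on a web server).
if ((Get-WindowsFeature Web-Ftp-Server).Installed) {
    Uninstall-WindowsFeature Web-Ftp-Server -Remove
}

# 3. Auto-start services that own a listening socket deserve a second look: each one is
#    code reachable from the network under the account shown in StartName.
$listening = Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty OwningProcess -Unique
Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.ProcessId -in $listening } |
    Select-Object Name, DisplayName, ProcessId, StartName | Format-Table -AutoSize

# 4. Disable what the role does not need (assumed candidates on a stand-alone web server).
foreach ($svc in 'RemoteRegistry', 'Spooler', 'Browser') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc -StartupType Disabled
        "{0}: {1}" -f $svc, (Get-Service -Name $svc).StartType
    }
}
```

Step 3 attributes a listening port to the service behind it only when the service runs in its own process; services sharing a svchost.exe instance show the same ProcessId, so use tasklist /svc for those to see which of them is the listener.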

Overview of Windows Nano Server.

Nano Server is a further development of Windows Server Core. This edition has no graphical user interface at all; management is done remotely through WMI (Windows Management Instrumentation) and Windows PowerShell. Microsoft stated that this reduced footprint needed 92% fewer critical security updates than a full installation. Nano Server was originally available only to Software Assurance customers and on cloud platforms such as Microsoft Azure and Amazon Web Services; starting with Windows Server version 1709 it is provided only as a container base image and runs only on a container host.
