Checklist for a secured Windows Server:
- Regularly install updates to the operating system and installed software.
- Use software from trusted sources
- Properly configure the firewall
- Rename the administrator account
- Use multiple administrator accounts
- Use a user account with limited rights
- Restrict file and folder sharing, enable password protection
- Enable prompting for a password to log in when exiting idle mode, as well as disconnecting sessions when idle
- Use the Security Configuration Wizard
- Correctly configure security policies
- Use local security policies
- Protect Remote Desktop Service (RDP)
- Configure Terminal Services Gateway
- Install the TS gateway service
- Installing an SSL certificate
- It remains only to configure group policies
- Isolate server roles. Disable unused services
Server security has always been and will remain a relevant issue. Let's consider the basic rules for securing servers running the Windows Server family of operating systems.
Regularly install updates to the operating system and installed software.
There is a widespread opinion that Windows does not need updates and that it is better to turn them off, supposedly "so that the system does not break". This is one of the biggest mistakes. It is important to install updates in a timely manner, especially critical ones. The task is simplified by the Windows Update utility, which can be found on the official Windows Update website.
It is also important to keep installed related software up to date, including DBMS, various frameworks, and so on.
Use software from trusted sources.
We recommend making sure that the source is reliable before downloading a software installation package, including open-source software. It often happens that a site visually similar to the official one distributes already compromised software (phishing). A file with malicious code may have been added to the installation package.
Properly configure the firewall.
It is important to understand that the server is accessible from the Internet. For this reason, the OS must be protected by a device acting as a firewall. If there is no such device, the Windows Firewall is the last line of defence against unauthorized connections to the server.
The fewer TCP/UDP ports reachable from the outside, the smaller the attack surface of the server. It is important to understand what you need to block and what must stay open. If we are talking about a web server, TCP ports 80 and 443 must remain available (the web service listens on these ports by default).
Those are public ports, but do not forget that there are ports to which access must be granted on an allow-list ("white list") basis, i.e. only to a specific group of people. Examples of such ports:
- 3389 - RDP (Remote Desktop Protocol);
- 135-139 - NetBIOS;
- 445 - SMB / Samba (sharing files and folders);
- 5000-5050 - FTP in passive mode;
- 1433-1434 - SQL Server ports;
- 3306 - standard port for MySQL;
- 53 - DNS.
Creating a rule is not hard. Open Start menu → Control Panel → System and Security → Administrative Tools → Windows Firewall with Advanced Security.
In the program window, right-click "Inbound Rules". In the context menu that opens, select "New Rule...".
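The same allow-list can be built from PowerShell with the NetSecurity cmdlets, which makes it repeatable and easy to review. The following is an added example and not code from the original article; the administrative subnet 10.0.10.0/24 and the "Hardening-" rule name prefix are placeholders to adapt to your network.

```powershell
# Added example (not from the original article): build the inbound allow-list
# described above with the NetSecurity cmdlets instead of the GUI wizard.
# Assumptions: the admin subnet 10.0.10.0/24 and the rule-name prefix
# "Hardening-" are constructed placeholders; adjust them to your network.

$AdminSubnet = '10.0.10.0/24'   # placeholder: who may reach management ports

# Port table: public services are open to everyone; management ports are
# restricted to the admin subnet; everything else stays blocked by the
# default inbound policy set below.
$Rules = @(
    @{ Name = 'HTTP';       Proto = 'TCP'; Ports = '80';        Remote = 'Any' },
    @{ Name = 'HTTPS';      Proto = 'TCP'; Ports = '443';       Remote = 'Any' },
    @{ Name = 'RDP';        Proto = 'TCP'; Ports = '3389';      Remote = $AdminSubnet },
    @{ Name = 'SMB';        Proto = 'TCP'; Ports = '445';       Remote = $AdminSubnet },
    @{ Name = 'SQL-Server'; Proto = 'TCP'; Ports = '1433-1434'; Remote = $AdminSubnet }
)

# Make the default inbound action explicit: anything without a rule is blocked.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

foreach ($r in $Rules) {
    $display = "Hardening-Inbound-$($r.Name)"
    # Re-create the rule each run so the script is idempotent.
    Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $display -Direction Inbound -Action Allow `
        -Protocol $r.Proto -LocalPort $r.Ports -RemoteAddress $r.Remote `
        -Profile Any -Enabled True | Out-Null
}

# Review: every enabled inbound allow rule with its ports and remote scope.
# Anything with Remote = Any on a management port is a finding.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Protocol  = $pf.Protocol
            LocalPort = ($pf.LocalPort -join ',')
            Remote    = ($af.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session. The review query at the end is useful on its own: rules created by installers often open management ports to "Any", and that is what the table makes visible.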
Rename the administrator account.
Use multiple administrator accounts.
If several people administer the server, create an individual account for each of them. This makes it possible to establish who did what when an incident happens.
Use a user account with limited rights.
It is not always necessary to use an account with administrative rights for everyday tasks. We recommend creating an account with limited rights. If such an account is compromised, the attacker still has to obtain administrator rights, which makes doing real damage considerably harder. This measure also protects the server from the user's own mistakes.
If an attacker gains unauthorized access under the administrator account, they have full access to the system.
Restrict file and folder sharing, enable password protection.
We strongly recommend not sharing folders with anonymous users or with users who have no password. Even if the files stored in the folders are of no value, nothing prevents an attacker from replacing your file with one containing malicious content. The consequences of such a change can vary widely.
In addition to password protection, we recommend restricting each user's level of access to files and folders (read, write, modify).
Enable prompting for a password to log in when exiting idle mode, as well as disconnecting sessions when idle.
When using a physical server (not a remote or virtual one), it is recommended to enable the password prompt on wakeup. This setting is configured in Control Panel → All Control Panel Items → Power Options.
It is also important to set a user inactivity limit and to require a password "on return". This excludes the possibility of another person acting on behalf of a user who walked away or forgot to close an RDP session. To configure this, use the local security policy editor, secpol.msc.
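The inactivity limit and RDP session timeouts described above can be set and audited without the GUI, through the policy registry values that secpol.msc and group policy write. This is an added example, not code from the article; the 15-minute inactivity limit and 30-minute disconnected-session limit are constructed values to tune for your environment.

```powershell
# Added example (not from the original article): configure the idle-session
# controls from the section above via the policy registry values behind the
# secpol.msc / group policy settings, then read them back as a check.
# Assumptions: the 15- and 30-minute limits are constructed placeholders.

$IdleLimitSec  = 15 * 60          # "Interactive logon: Machine inactivity limit"
$IdleLimitMs   = $IdleLimitSec * 1000   # RDS limits are stored in milliseconds
$DisconnectMs  = 30 * 60 * 1000   # how long a disconnected RDP session may linger

# Machine inactivity limit (the secpol.msc item): the console locks after this
# many seconds of inactivity and a password is required to resume.
$SystemPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $SystemPolicy -Name 'InactivityTimeoutSecs' -Type DWord -Value $IdleLimitSec

# Remote Desktop Services session limits (machine policy).
$TsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $TsPolicy -Force | Out-Null
# MaxIdleTime: idle-but-connected sessions are disconnected after this time.
Set-ItemProperty -Path $TsPolicy -Name 'MaxIdleTime'          -Type DWord -Value $IdleLimitMs
# MaxDisconnectionTime: disconnected sessions are ended after this time.
Set-ItemProperty -Path $TsPolicy -Name 'MaxDisconnectionTime' -Type DWord -Value $DisconnectMs
# fResetBroken = 1: log the session off when a limit is reached instead of
# keeping it around, so a stale session cannot be picked up by someone else.
Set-ItemProperty -Path $TsPolicy -Name 'fResetBroken'         -Type DWord -Value 1

# Read the values back; run this part alone to audit a server.
function Test-IdleSessionHardening {
    $sys = Get-ItemProperty -Path $SystemPolicy -ErrorAction SilentlyContinue
    $ts  = Get-ItemProperty -Path $TsPolicy     -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ConsoleLockAfterMinutes   = if ($sys.InactivityTimeoutSecs) { $sys.InactivityTimeoutSecs / 60 } else { 'not set' }
        RdpIdleLimitMinutes       = if ($ts.MaxIdleTime)            { $ts.MaxIdleTime / 60000 }       else { 'not set' }
        RdpDisconnectLimitMinutes = if ($ts.MaxDisconnectionTime)   { $ts.MaxDisconnectionTime / 60000 } else { 'not set' }
        EndSessionOnLimit         = ($ts.fResetBroken -eq 1)
    }
}
Test-IdleSessionHardening
```

On a domain-joined server these values are normally delivered by a GPO rather than set locally; the read-back function is still the quickest way to confirm which limits are actually in effect on a given host.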
Use the Security Configuration Wizard.
The Security Configuration Wizard (SCW) allows you to create XML security policy files, which can later be transferred to other servers. These policies include not only service usage rules, but also general system settings and firewall rules. Note that SCW was removed starting with Windows Server 2016; on newer versions, use security baselines (Security Compliance Toolkit) and group policy instead.
Correctly configure security policies.
In addition to the initial configuration of Active Directory group policies, they should be periodically reviewed and reconfigured. This is one of the main ways to ensure the security of a Windows infrastructure.
For convenient management of group policies, you can use not only the gpmc.msc console built into Windows Server, but also the Security Compliance Manager (SCM) utility offered by Microsoft (since retired in favour of the Security Compliance Toolkit, which ships the same kind of baselines as GPO backups).
Use local security policies.
In addition to using Active Directory group security policies, you should also use local policies that affect the rights of both remote users and local accounts.
To manage local policies, use the "Local Security Policy" snap-in, started with the secpol.msc command from Start → Run (Windows key + R).
Protect Remote Desktop Service (RDP).
- Block RDP connections for users with a blank password.
Having users without passwords is unacceptable, but if this cannot be avoided, you can at least deny them RDP connections. To do this, open Start → Administrative Tools.
In the folder that opens, run Local Security Policy.
In the Local Security Policy window, on the left, select Local Policies → Security Options. In the main part of the window, find "Accounts: Limit local account use of blank passwords to console logon only".
Open this item by double-clicking it and make sure the switch is in the "Enabled" position: when the policy is enabled, accounts with a blank password can log on only at the console and are refused over the network, including RDP. Press the "OK" button.
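Both the local policy settings from the previous section and the blank-password restriction above can be verified in one pass by exporting the local security policy with secedit and reading the result. The following is an added example, not the article's own code; the password-length and lockout thresholds it checks are constructed placeholders.

```powershell
# Added example (not from the original article): export the local security
# policy with secedit, check the blank-password restriction and the basic
# password/lockout policy, and list local accounts that are not required
# to have a password. The thresholds (14 characters, lockout > 0) are
# constructed placeholders; align them with your own baseline.

$Export = Join-Path $env:TEMP 'local-policy.inf'
# secedit writes an INI-style file with [System Access] and [Registry Values].
secedit /export /cfg $Export /quiet | Out-Null

# Minimal INI section reader: returns a hashtable of key = value for one section.
function Get-IniSection {
    param([string]$Path, [string]$Section)
    $inSection = $false
    $result = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq $Section); continue }
        if ($inSection -and $line -match '^\s*([^=]+?)\s*=\s*(.*)$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

$sysAccess = Get-IniSection -Path $Export -Section 'System Access'
$regValues = Get-IniSection -Path $Export -Section 'Registry Values'

# Registry values are exported as "<type>,<value>"; type 4 is REG_DWORD, so
# "4,1" means the policy is Enabled (blank passwords limited to console logon).
$blankPw = $regValues['MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse']

$checks = @(
    [pscustomobject]@{ Check = 'Blank passwords limited to console logon'; Pass = ($blankPw -eq '4,1');                                  Actual = $blankPw }
    [pscustomobject]@{ Check = 'Minimum password length >= 14';            Pass = ([int]$sysAccess['MinimumPasswordLength'] -ge 14);    Actual = $sysAccess['MinimumPasswordLength'] }
    [pscustomobject]@{ Check = 'Password complexity enabled';              Pass = ($sysAccess['PasswordComplexity'] -eq '1');           Actual = $sysAccess['PasswordComplexity'] }
    [pscustomobject]@{ Check = 'Account lockout threshold set (not 0)';    Pass = ([int]$sysAccess['LockoutBadCount'] -gt 0);           Actual = $sysAccess['LockoutBadCount'] }
)
$checks | Format-Table -AutoSize

# Enabled local accounts that are not required to have a password: exactly the
# situation the policy above exists to contain. Ideally this list is empty.
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
    Select-Object Name, Enabled, PasswordRequired, LastLogon
```

The export file is a convenient artifact to keep alongside change records: diffing two exports shows exactly which local policy settings changed between reviews.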
Change default RDP TCP port.
Replacing the TCP port numbers of standard services with other values can somewhat improve the security of the server: it reduces the noise from automated scanners that only try default ports. Keep in mind that this is obscurity rather than protection; a port scan still finds the service, so it does not replace strong passwords, account lockout and the firewall allow-list. The main thing is not to forget the new port number.
To change the port:
- Open the Windows Registry Editor (Windows + R, then regedit).
- Just in case, create a backup copy of the registry (File → Export).
- Expand the branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp and, in the right part of the window, find the PortNumber parameter.
- Open the parameter by double-clicking it. In the window that opens, select Base: Decimal, specify the new port value, click the "OK" button and close the Registry Editor window.
To be able to connect to the server, create a corresponding rule in the Windows Firewall. Right-click "Inbound Rules" and select "New Rule..." from the context menu.
In the "Rule Type" step of the wizard, select "Port".
Then select "TCP", "Specific local ports" and enter the new port number.
In the next step, select "Allow the connection".
Choose the network profiles the rule will apply to by ticking the required ones.
At the final step, specify a name for the rule and a description.
Reboot the server to apply the changes.
To connect to the remote desktop, now use the IP address or domain name followed by a colon and the port number (for example, server.example.com:33890).
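The registry edit, the firewall rule and the connection string above, done in PowerShell so that the change is scripted and verifiable. This is an added example and not code from the article; the new port 33890 and the admin subnet 10.0.10.0/24 are constructed placeholders.

```powershell
# Added example (not from the original article): change the RDP listener port
# as described above, with a registry backup, a port-in-use check and a
# firewall rule scoped to the admin subnet. Port 33890 and 10.0.10.0/24 are
# constructed placeholders.

$NewPort     = 33890
$AdminSubnet = '10.0.10.0/24'
$RdpKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Back up the key first (the scripted equivalent of File -> Export).
$Backup = Join-Path $env:TEMP "RDP-Tcp-backup-$(Get-Date -Format yyyyMMdd-HHmmss).reg"
reg export 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' $Backup /y | Out-Null

function Get-RdpListenerPort {
    (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
}
Write-Host "Current RDP port: $(Get-RdpListenerPort)  (backup: $Backup)"

# Refuse to move onto a port that something else already listens on.
if (Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue) {
    throw "Port $NewPort is already in use on this host; choose another one"
}

# Open the new port BEFORE switching the listener, restricted to the admin
# subnet, so the change cannot lock out the administrators applying it.
New-NetFirewallRule -DisplayName "RDP-Custom-$NewPort" -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $NewPort -RemoteAddress $AdminSubnet -Profile Any | Out-Null

# PortNumber is REG_DWORD; PowerShell takes the value as a decimal integer,
# which is what the "Base: Decimal" choice in regedit does by hand.
Set-ItemProperty -Path $RdpKey -Name PortNumber -Type DWord -Value $NewPort

# The listener picks up the new port after a reboot (as the article says) or
# after restarting the Remote Desktop Services service (TermService).
Write-Host "Configured RDP port: $(Get-RdpListenerPort)."
Write-Host "Reboot, or run: Restart-Service TermService -Force"
Write-Host "Then connect with: mstsc /v:$($env:COMPUTERNAME):$NewPort"
```

Keep a second session open while you apply the change, and only remove the old 3389 allow rule after a successful connection on the new port has been confirmed.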
Configure Terminal Services Gateway.
The TS Gateway (Remote Desktop Gateway) service secures remote desktop connections by tunnelling them over HTTPS (SSL/TLS), which saves the system administrator from having to set up a VPN. The tool provides comprehensive control over access to machines, and lets you set authorization rules and requirements for remote users, for example:
- Users or groups of users who are allowed to connect to internal network resources;
- Network resources to which users can connect;
- Whether client computers should have Active Directory membership;
- Whether clients need to use smart card or password based authentication, or can use one of the above authentication methods.
By design, the Remote Desktop Gateway should run on a separate machine; a dedicated virtual machine is perfectly acceptable for this purpose.
Install the TS gateway service.
Open Server Manager.
Select "Add roles and features"
At the “Installation type” stage, select “Install roles and features".
The next step is to select the current server.
Server role: Remote Desktop Services.
Let's move on to the role service. Select "Remote Desktop Gateway".
We proceed to the confirmation stage, click the "Install" button.
Installing an SSL certificate.
After installing the role, in the Server Manager window, select Tools → Remote Desktop Services → Remote Desktop Gateway Manager.
In the window that opens, in its left part, click on the server icon. In the main part of the window, select "View and change certificate properties".
In the “Properties” window that opens, go to the “SSL Certificate” tab. Select the item "Create a self-signed certificate", click the button "Create and import a certificate".
If you have a previously created certificate, you can use one of the options below, depending on who issued it.
In the new window, check the settings. If everything is correct, click “OK”.
With a new window, the system will notify you of the successful creation of the certificate and give you the path to the file.
Go to the server properties window. Click "Apply".
It remains only to configure group policies.
In the “Remote Desktop Gateway Manager” window, in the left column, expand the server branch, select “Policies”, then “Connection Authorization Policies”. In the right column of the same window, select “Create a new policy” → “Wizard”.
In the new window, select "Create only a remote desktop connection authorization policy", click "Next".
Specify the desired name for the policy. We recommend using only Latin (ASCII) characters in the name.
The next step is to choose a convenient authentication method - a password or a smart-card. Leave only "Password" checked. Click the "Add Group..."
In the group selection window, click on the "Advanced" button.
The window size will change. Click on the “Search” button. In the results found, select "Domain Admins" and click the "OK" button.
In the group selection window, check the selected object names and click “OK”.
The group has been added. To proceed to the next step, click the "Next" button.
At the next step, select the item “Enable device redirection for all client devices” and click “Next”.
Set up session timeouts and the action to take when they expire. We recommend disconnecting the session so that background user processes do not consume CPU time. Click "Next".
At the last stage, we view the summary, click “Finish”.
To confirm the creation of the policy, click "Close".
Set up a resource authorization policy.
The process is similar to the previous one.
In the Remote Desktop Gateway Manager window, expand the Policies → Resource Authorization Policies branch. In the right part of the window, select "Create a new policy" → "Wizard".
In the window that opens, select "Create only a remote desktop resource authorization policy", click the "Next" button.
The first step is to specify the desired name for the authorization policy. We strongly recommend using only Latin (ASCII) characters in the name. Press the "Next" button.
In the group selection window, click on the "Advanced" button.
The window will resize. Press the "Search" button. In the search results, find "Domain Admins" and click the "OK" button.
In the group selection window, check the selected object names and click “OK”.
The group has been added. To proceed to the next step, click the "Next" button.
In the next step, we allow users to connect to any network resource. To do this, select the appropriate option and click the “Next” button.
Set up allowed ports. If the port of the RDP server has not been changed, then leave 3389. Click “Next”.
The final step is to check the settings and click the “Finish” button.
In the updated window, click "Close".
Isolate server roles. Disable unused services.
At the preliminary planning stage of the network architecture, one of the main tasks is to assess the risks in case any element of the network fails. There can be many reasons for failure, from hardware faults to "hacking" from the outside. The more roles assigned to a server, the more severe the consequences if that server fails. To minimize risks and damage, server roles should be separated at the design stage where possible. Disabling services and server roles that are not needed also has a positive effect on the server's operation.
The ideal case is that one server performs one specific function, such as a Domain Controller, or a file server, or a terminal server. In practice, such a separation of roles is difficult to achieve.
Role isolation can also be handled by virtual servers. Modern virtualization technologies offer a high level of performance and stability, while neither the administrator nor the user experiences any restrictions. Properly selected hardware and configured software parts can be a full-fledged replacement for a whole fleet of equipment.
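A practical first step towards role isolation is an inventory of what the server actually runs and exposes. The following is an added example, not code from the article; the list of roles expected on the host is a constructed placeholder, and everything outside it is reported for review.

```powershell
# Added example (not from the original article): inventory installed roles,
# listening ports and their owning services, so roles and services that do not
# belong to this server's function can be removed. $ExpectedRoles is a
# constructed placeholder describing what this host is supposed to be.

$ExpectedRoles = @('Web-Server')   # placeholder: e.g. a dedicated web server

# Installed roles that are not on the expected list (Role Services and
# Features are left out to keep the report focused on top-level roles).
Write-Host 'Installed roles outside the expected set:'
Get-WindowsFeature |
    Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and $_.Name -notin $ExpectedRoles } |
    Select-Object Name, DisplayName | Format-Table -AutoSize
# Remove with: Uninstall-WindowsFeature -Name <role> (after confirming it is unused).

# Every listening TCP port mapped to its process and, where applicable, the
# Windows service hosting it. This is the ground truth of what is exposed,
# regardless of what the firewall currently allows.
function Get-ListeningServices {
    $svcByPid = @{}
    Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } |
        ForEach-Object { $svcByPid[[int]$_.ProcessId] = $_.Name }
    Get-NetTCPConnection -State Listen |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                Port         = $_.LocalPort
                ProcessId    = $_.OwningProcess
                Process      = $proc.ProcessName
                # svchost hosts several services per process; this shows one of them.
                Service      = $svcByPid[[int]$_.OwningProcess]
            }
        } | Sort-Object Port, LocalAddress
}
Write-Host 'Listening TCP ports:'
Get-ListeningServices | Format-Table -AutoSize

# Services set to start automatically but not running often point to leftover
# roles. Review them and disable what is not needed:
#   Set-Service -Name <service> -StartupType Disabled
Write-Host 'Automatic services that are not running:'
Get-Service | Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -ne 'Running' } |
    Select-Object Name, DisplayName, StartType, Status | Format-Table -AutoSize
```

Compare the listening-port report against the firewall allow-list from the firewall section: a listener with no corresponding rule is harmless today but becomes exposed the moment someone adds a broad rule, so it is better removed than left idle.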
Overview of Windows Nano Server.
Nano Server is a further development of Windows Server Core. This edition has no graphical user interface at all: all management is done through WMI (Windows Management Instrumentation) and Windows PowerShell. This Windows Server edition has 92% fewer critical security recommendations. Nano Server is only available to Microsoft Software Assurance customers and on cloud platforms such as Microsoft Azure and Amazon Web Services. Starting with Windows Server version 1709, Nano Server can only be deployed as a container base image on a container host.