Windows Server Security Best Practices


Having a sound approach to maintaining a secure, stable environment is important to keep the ecosystem safe from data breaches, whether we are deploying hundreds of Windows servers into the cloud or building physical servers by hand for a small firm. The following checklist can help enterprises improve the security of their servers and environment as a starting point. Since attack techniques and security technology are always evolving, it is critical for businesses to maintain and upgrade their security controls on a regular basis.

Reduce the permissions granted to users:

  • Access to user accounts should be restricted.
  • Only allow trustworthy accounts to access sensitive information.
  • Manage directory account security concerns, such as Active Directory account hygiene.
  • Elevated access should only be granted when absolutely necessary.
  • Delete the OS users who are no longer needed.


Manage Server Access:

  • Don’t forget about the physical security of the server. Allow only trustworthy employees, and keep the employees aware and well-trained.
  • Manage who has access to the servers by limiting access to critical apps and system files to administrators.

Admin Access Should Be Restricted:

  • Limit membership of administrative users and groups.
  • Create multiple admin accounts, each with a different level of access.
  • Confine administrative tasks to dedicated administration servers.
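The two checklists above (restricting user permissions and restricting admin access) can be audited with a short script. The following is an added example, not code from the article: it lists local Administrators members that are not on an allow-list, finds enabled local accounts that have not logged on for 90 days, and checks that the built-in Guest account is disabled. The allow-list in $AllowedAdmins and the 90-day window are constructed placeholders; it assumes Windows Server 2016 or later (LocalAccounts module) and an elevated prompt.

```powershell
# Added example (not from the article): audit local privilege on one server.
# Assumes Windows Server 2016+ with the Microsoft.PowerShell.LocalAccounts module, run elevated.
$AllowedAdmins = @('Administrator', 'CONTOSO\ServerAdmins')   # placeholder: who may be a local admin
$StaleDays     = 90                                           # placeholder: inactivity window for "no longer needed"

# 1. Local Administrators membership: flag anyone not on the allow-list.
#    Local principals come back as COMPUTERNAME\name, domain principals as DOMAIN\name.
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $name = $_.Name -replace "^$([regex]::Escape($env:COMPUTERNAME))\\", ''
    if ($AllowedAdmins -notcontains $name) {
        Write-Warning "Unexpected member of Administrators: $($_.Name) [$($_.ObjectClass)]"
        # Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name -WhatIf
    }
}

# 2. Enabled local accounts that have never logged on, or not within $StaleDays days.
$cutoff = (Get-Date).AddDays(-$StaleDays)
Get-LocalUser |
    Where-Object { $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff) } |
    ForEach-Object {
        $last = if ($_.LastLogon) { $_.LastLogon } else { 'never' }
        Write-Output "Stale local account: $($_.Name) (last logon: $last)"
        # Disable first; delete only after confirming nothing depends on the account.
        # Disable-LocalUser -Name $_.Name -WhatIf
    }

# 3. The built-in Guest account (RID 501) should remain disabled.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if ($guest -and $guest.Enabled) { Write-Warning "Guest account '$($guest.Name)' is enabled" }
```

The remediation cmdlets are left as commented -WhatIf calls so the script can be run as a read-only audit first; on a domain-joined server, do the same review for the domain groups nested in local Administrators rather than only the local members.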

Network Configuration:

  • Production servers should have a static IP so clients can reliably find them. This IP address should be in a firewall-protected segment.
  • Configure at least two DNS servers for redundancy, and use nslookup from the command prompt to double-check name resolution.
  • Ensure that the server has a valid A record for the desired name in DNS, as well as a PTR record for reverse lookups. Because DNS updates can take several hours to propagate across the internet, production addresses should be set up well ahead of the go-live window.
  • Disable any network services that will not be used by the server, such as IPv6. This is dependent on your environment, and any changes should be thoroughly tested before being implemented.
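The network items above can be verified on the host itself. This is an added example, not the article's code: it flags DHCP-assigned addresses, adapters with fewer than two DNS servers, forward/reverse DNS mismatches for the server's expected name, and adapters that still have IPv6 bound. $Fqdn is a placeholder for the name clients are expected to use; it assumes Windows Server 2012 R2 or later (NetTCPIP and DnsClient modules).

```powershell
# Added example (not from the article): check static IP, DNS redundancy, A/PTR agreement and IPv6 binding.
$Fqdn = 'srv01.example.internal'   # placeholder: the name clients are expected to resolve

# Static IP: an address with PrefixOrigin 'Dhcp' was leased, not configured.
Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.PrefixOrigin -eq 'Dhcp' } |
    ForEach-Object { Write-Warning "$($_.InterfaceAlias) gets $($_.IPAddress) from DHCP, not a static address" }

# At least two DNS servers on every connected adapter.
foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
    $dns = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses)
    if ($dns.Count -lt 2) { Write-Warning "$($nic.Name): only $($dns.Count) DNS server(s) configured ($($dns -join ', '))" }
}

# Forward (A) and reverse (PTR) lookups must agree, or Kerberos and certificate checks misbehave.
try {
    $aRecords = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
    foreach ($rec in $aRecords) {
        $ptr = Resolve-DnsName -Name $rec.IPAddress -Type PTR -ErrorAction Stop
        if ($ptr.NameHost -notcontains $Fqdn) {
            Write-Warning "PTR for $($rec.IPAddress) is '$($ptr.NameHost -join ', ')', expected '$Fqdn'"
        } else {
            Write-Output "$Fqdn -> $($rec.IPAddress) -> $($ptr.NameHost) OK"
        }
    }
} catch {
    Write-Warning "DNS check for $Fqdn failed: $_"
}

# IPv6 still bound on an adapter where the environment does not use it.
Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled |
    ForEach-Object {
        Write-Output "IPv6 is bound on $($_.Name)"
        # Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6 -WhatIf   # only after testing, as the checklist says
    }
```

The PTR comparison also catches the common case where the reverse record still points at a decommissioned hostname after an address is reused.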


Patch the Vulnerabilities:

  • Keep your browsers and plugins up to date.
  • Update the operating system and other apps on a regular basis.

Remote Access/SSH Configuration:

  • RDP should only be accessible through a VPN. Exposing it to the internet does not guarantee that it will be compromised, but it does give attackers another way into your server.
  • Ensure that only authorised users have access to RDP. Once RDP is enabled on the server, it is available to all administrators by default. Additional users can be granted access by adding them to the Remote Desktop Users group without making them administrators.
  • If PowerShell remoting and SSH are used, they should be carefully locked down and only accessible through a VPN.
  • Telnet should never be used, since it sends data in plain text and is insecure in a multitude of situations. The same applies to FTP. Where possible, use SFTP or SSH (through a VPN) to avoid unencrypted connections.
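The remote-access items above can be checked from the server. The following is an added example, not the article's code: it reports whether RDP is enabled and requires Network Level Authentication, lists the Remote Desktop Users group, enumerates WinRM listeners and the IPv4 filter that limits which addresses may reach them, checks whether OpenSSH Server still allows password logins, and looks for running Telnet or FTP services. It assumes Windows Server 2016 or later; the sshd_config path is the default for the Windows OpenSSH Server optional feature.

```powershell
# Added example (not from the article): audit RDP, PowerShell remoting, SSH and legacy clear-text services.
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)
Write-Output ("RDP enabled: {0}; Network Level Authentication required: {1}" -f $rdpEnabled, ($rdp.UserAuthentication -eq 1))

# Administrators can always connect; everyone in this group can connect without being an administrator.
if ($rdpEnabled) {
    Get-LocalGroupMember -Group 'Remote Desktop Users' |
        ForEach-Object { Write-Output "Remote Desktop Users member: $($_.Name) [$($_.ObjectClass)]" }
}

# PowerShell remoting: which WinRM listeners exist, and which source addresses the service accepts.
Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ChildItem $_.PSPath | Where-Object { $_.Name -in 'Transport', 'Address', 'Port' }
    Write-Output ("WinRM listener: " + (($props | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '))
}
$ipv4Filter = (Get-Item WSMan:\localhost\Service\IPv4Filter -ErrorAction SilentlyContinue).Value
if ($ipv4Filter -eq '*') { Write-Warning "WinRM IPv4Filter is '*': listening on every address; restrict it to the VPN-facing interface" }

# OpenSSH Server: if present, key-based authentication only.
$sshd = Get-Service sshd -ErrorAction SilentlyContinue
if ($sshd -and $sshd.Status -eq 'Running') {
    $conf = Join-Path $env:ProgramData 'ssh\sshd_config'
    $pw = (Get-Content $conf -ErrorAction SilentlyContinue | Where-Object { $_ -match '^\s*PasswordAuthentication\s+(\S+)' } | Select-Object -Last 1)
    # OpenSSH defaults PasswordAuthentication to yes when the directive is absent.
    if (-not $pw -or $pw -match 'yes') { Write-Warning "sshd is running and accepts password authentication; set 'PasswordAuthentication no' in $conf" }
}

# Telnet (TlntSvr) and FTP (ftpsvc) services should not exist, let alone run.
Get-Service TlntSvr, ftpsvc -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Warning "Clear-text service present: $($_.Name) ($($_.Status))" }
```

Scoping the RDP and WinRM firewall rules to the VPN address range is the other half of this control; the firewall section below covers that side.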

Reduce the Attack Surface:

  • Reduce the amount of unneeded software on your servers.
  • Install applications on Windows Server Core where possible.
  • Remove all operating system components that aren’t needed.
  • Services that aren’t required should be disabled.
  • In the Component/Feature Management, add what you need and remove what you don’t.
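One way to keep the attack-surface list actionable is to compare the server against a known baseline. This is an added example, not the article's code: it reports the installation type (Server Core or full), every installed role or feature not on a baseline list, and every automatic-start service outside a baseline list. Both baseline lists are constructed placeholders to be replaced with the set agreed for the server's role; it assumes the ServerManager module (present on Server Core and full installs).

```powershell
# Added example (not from the article): diff installed features and auto-start services against a baseline.
$BaselineFeatures = @('FileAndStorage-Services', 'Storage-Services', 'NET-Framework-45-Features',
                      'NET-Framework-45-Core', 'PowerShellRoot', 'PowerShell', 'WoW64-Support')      # placeholder
$BaselineServices = @('BFE', 'Dnscache', 'EventLog', 'LanmanServer', 'LanmanWorkstation', 'MpsSvc',
                      'Schedule', 'W32Time', 'WinRM', 'Winmgmt', 'wuauserv', 'WinDefend')             # placeholder

# Server Core has no desktop shell and a markedly smaller footprint than a full installation.
$installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
Write-Output "Installation type: $installType"

# Installed roles/features outside the baseline. Dependencies pulled in by a baseline feature
# also appear here, so review the list before removing anything.
Get-WindowsFeature | Where-Object { $_.Installed -and $BaselineFeatures -notcontains $_.Name } |
    ForEach-Object {
        Write-Output "Extra feature: $($_.Name) ($($_.DisplayName))"
        # Uninstall-WindowsFeature -Name $_.Name -Remove -WhatIf   # -Remove also deletes the payload from the component store
    }

# Services set to start automatically that the baseline does not expect.
Get-Service | Where-Object { $_.StartType -eq 'Automatic' -and $BaselineServices -notcontains $_.Name } |
    ForEach-Object {
        Write-Output "Extra auto-start service: $($_.Name) ($($_.DisplayName)) - $($_.Status)"
        # Set-Service -Name $_.Name -StartupType Disabled -WhatIf
    }
```

Running this after each change window, and keeping the output with the change record, turns "remove what you don't need" into something that can be verified rather than assumed.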


Minimize the impact on the environment:

  • Install applications on an intranet or use a centralized server to distribute them.
  • Examine External User Access Options, such as requiring VPN and/or Reverse Proxy for external network connections and limiting direct access to sensitive servers and data.
  • Make use of IP filtering.
  • Consider IIS hosting, which might include IP address range restrictions/whitelisting, client certificate authentication, and other authorization rules.

Configuration of NTP:

  • A time discrepancy of even 5 minutes will completely break Windows logons and several other operations that rely on Kerberos authentication.
  • When a server joins a domain, its time is automatically synced with a domain controller, but stand-alone servers must have NTP set up to sync with an external source in order for the clock to be correct.
  • Domain controllers should also have their time synchronised with a time server, ensuring that the entire domain is in sync with the current time.
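The NTP checks above, as an added example that is not part of the article: it reports whether the server is domain-joined and what W32Time currently uses as its source, configures an explicit NTP peer on a stand-alone server, and then measures the offset against that peer with w32tm /stripchart, warning when it exceeds the 5-minute Kerberos tolerance the checklist mentions. $TimeSource is a placeholder; the configure step needs an elevated prompt.

```powershell
# Added example (not from the article): check the time source and measure clock offset.
$TimeSource     = 'time.example.internal'   # placeholder: internal or external NTP server
$MaxSkewSeconds = 300                        # Kerberos default tolerance (5 minutes)

$cs     = Get-CimInstance Win32_ComputerSystem
$source = (w32tm /query /source) -join ''
Write-Output "Domain-joined: $($cs.PartOfDomain); current time source: $source"

# A server "syncing" from its own hardware clock is not synchronised with anything.
if ($source -match 'Local CMOS Clock|Free-running System Clock') {
    Write-Warning 'Time source is the local clock; configure an NTP peer.'
}

if (-not $cs.PartOfDomain) {
    # Stand-alone server: point W32Time at an explicit peer (0x8 = client mode, no symmetric-active) and resync.
    w32tm /config /manualpeerlist:"$TimeSource,0x8" /syncfromflags:manual /update | Out-Null
    Restart-Service W32Time
    w32tm /resync /nowait | Out-Null
}

# Measure the offset. /dataonly prints one "hh:mm:ss, +00.0001234s" line per sample.
$samples = w32tm /stripchart /computer:$TimeSource /samples:3 /dataonly
$offsets = foreach ($line in $samples) {
    if ($line -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
if ($offsets) {
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    if ($worst -gt $MaxSkewSeconds) { Write-Warning "Clock is $worst s off $TimeSource; Kerberos logons will fail" }
    else { Write-Output "Worst offset vs ${TimeSource}: $worst s" }
} else {
    Write-Warning "Could not sample $TimeSource (UDP 123 blocked, or the name does not resolve)"
}
```

On a domain, run the configure step only on the PDC emulator, which is the top of the domain time hierarchy; every other domain-joined server should keep the default domain hierarchy as its source, which is what the script's domain-joined branch leaves untouched.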

Monitor the servers:

  • Periodically review logs for suspicious activity such as unknown authentications, user access activity and changes, and privilege elevation and usage.
  • Maintain server logging and monitor it on a regular basis.
  • Mirror logs to a separate log server.
  • Perform server scans and audits to look for malware and signs of compromise.
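The log review the checklist asks for, as an added example that is not the article's code: it reads the Security log for the last 24 hours, groups failed logons (event 4625) by source address and warns when one source exceeds a threshold, and prints account and group-membership changes (4720, 4722, 4728, 4732) with who made them. The 24-hour window and the threshold of 10 are constructed values; reading the Security log requires an administrative prompt.

```powershell
# Added example (not from the article): review the Security log for the activity the checklist names.
$Since     = (Get-Date).AddHours(-24)   # placeholder review window
$Threshold = 10                         # placeholder: failed logons from one source before it is reported

function Get-EventFields {
    # Flatten the EventData of a Security event into a hashtable keyed by field name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# 1. Failed logons (4625) grouped by source address: a burst from one address is guessing or a broken client.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{ Source = $f.IpAddress; User = $f.TargetUserName; LogonType = $f.LogonType }
    } |
    Group-Object Source | Where-Object Count -ge $Threshold |
    ForEach-Object {
        $users = ($_.Group.User | Sort-Object -Unique) -join ', '
        $types = ($_.Group.LogonType | Sort-Object -Unique) -join ','
        Write-Warning "$($_.Count) failed logons from $($_.Name) (logon types $types) against: $users"
    }

# 2. Account changes: user created (4720), enabled (4722), added to a global (4728) or local (4732) group.
#    For the group events TargetUserName is the group and MemberName the principal added.
$ids = 4720, 4722, 4728, 4732
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        $target = if ($f.MemberName) { "$($f.MemberName) -> $($f.TargetUserName)" } else { $f.TargetUserName }
        Write-Output ("{0:u}  {1}  by {2}\{3}  {4}" -f $_.TimeCreated, $_.Id, $f.SubjectDomainName, $f.SubjectUserName, $target)
    }
```

Event 4672 (special privileges assigned) is also relevant to "privilege elevation and usage" but fires on every administrative logon, so it is better aggregated on the central log server than read per host. Windows Event Forwarding (a subscription created with wecutil on a collector) is the built-in way to meet the "separate log server" bullet without third-party agents.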

Limiting Communication Establishment:

  • For your communications, use the best data encryption protocols and cipher suites, and disable insecure protocols.
  • Minimize open network ports.
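A concrete form of the two bullets above, as an added example that is not the article's code: it disables SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 in SChannel for both server and client roles, keeps TLS 1.2 enabled, removes cipher suites that use RC4, 3DES or NULL encryption from the enabled list, and then prints every listening TCP port with the process behind it so each open port has an owner. It assumes Windows Server 2016 or later (the TLS cmdlets), an elevated prompt, and that the SChannel change will be followed by a reboot.

```powershell
# Added example (not from the article): disable legacy SChannel protocols and weak suites, inventory listeners.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    # Write the Enabled / DisabledByDefault pair for one protocol, for both the Server and Client side.
    param([string]$Protocol, [bool]$Enabled)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $Base "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled'           -Value ([int]$Enabled)        -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $Enabled)) -PropertyType DWord -Force | Out-Null
    }
}

'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1' | ForEach-Object { Set-SchannelProtocol -Protocol $_ -Enabled $false }
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
Write-Output 'SChannel protocol settings written; they take effect after a reboot.'

# Drop cipher suites with broken or unauthenticated primitives from the enabled list.
Get-TlsCipherSuite | Where-Object { $_.Name -match 'RC4|3DES|NULL' } |
    ForEach-Object {
        Disable-TlsCipherSuite -Name $_.Name
        Write-Output "Disabled cipher suite $($_.Name)"
    }

# Every listening port should be attributable to a service the server is meant to offer.
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort -Unique |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = $_.LocalPort; Address = $_.LocalAddress; Process = $proc.ProcessName; PID = $_.OwningProcess }
    } | Format-Table -AutoSize
```

Test dependent applications against TLS 1.2 before rolling the SChannel change out: older clients and some SQL Server or .NET builds negotiate only TLS 1.0 or 1.1 unless patched, and they will stop connecting after the reboot.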

Additional Credential Hardening / Protection:

  • Use reliable, well-known, and well-tested security software, such as anti-virus and anti-malware, and keep it up to date.
  • Strong passwords should be used, especially for administrative credentials.
  • Rotate credentials regularly and do not reuse them; rotate private keys as well where possible.
  • Rename your standard accounts to something other than ‘admin’ or ‘guest’.
  • Lock accounts after three failed login attempts, as these may be unauthorised attempts to gain access, and be careful when implementing LDAP/AD directory lockout settings, as some configurations make accidental lockouts easy to trigger.
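The credential items above applied to a stand-alone server, as an added example that is not the article's code: it reads the current local account policy from net accounts, applies the three-attempt lockout the checklist specifies with a 30-minute lockout duration and observation window, renames the built-in Administrator (found by its RID 500 rather than by name), and confirms the anti-malware engine is running with recent signatures. The 30-minute values, the 14-character minimum password length and $NewAdminName are assumptions; domain-joined servers take these settings from Group Policy instead, and the Defender check assumes Microsoft Defender is the installed product.

```powershell
# Added example (not from the article): local lockout policy, built-in admin rename, anti-malware status.
$NewAdminName = 'srvadm-local'   # placeholder name for the renamed built-in administrator

# Current local policy, parsed from the "Label:   value" lines that `net accounts` prints.
$policy = @{}
net accounts | ForEach-Object {
    if ($_ -match '^(.+?):\s+(.+)$') { $policy[$Matches[1].Trim()] = $Matches[2].Trim() }
}
Write-Output ("Before: lockout threshold {0}; duration {1} min; observation window {2} min; min password length {3}" -f
    $policy['Lockout threshold'], $policy['Lockout duration (minutes)'],
    $policy['Lockout observation window (minutes)'], $policy['Minimum password length'])

# Three failed attempts locks the account (the article's value). A short observation window means a burst
# of typos or one misconfigured service account does not keep an account locked all day.
net accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30 /minpwlen:14 | Out-Null

# Rename the built-in Administrator. RID 500 identifies it whatever it is currently called; the SID does not change.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin -and $builtin.Name -ne $NewAdminName) {
    Rename-LocalUser -Name $builtin.Name -NewName $NewAdminName -WhatIf   # drop -WhatIf to apply
}

# Security software: engine running and signatures current.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    $age = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    Write-Output ("Defender real-time protection: {0}; signatures {1:N1} days old" -f $mp.RealTimeProtectionEnabled, $age.TotalDays)
    if (-not $mp.RealTimeProtectionEnabled -or $age.TotalDays -gt 3) { Write-Warning 'Anti-malware is off or out of date' }
} else {
    Write-Warning 'Microsoft Defender status unavailable; verify the installed anti-malware product manually'
}
```

Renaming the built-in account removes the obvious name but not the well-known RID, so it is a nuisance for attackers rather than a control; the lockout policy and strong passwords do the real work.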


Configuration of the Firewall:

  • Only the web server’s web ports (80 and 443) should be accessible from the internet. If anonymous internet clients can communicate with the server on other ports, that creates a significant and unnecessary security risk.
  • If the server runs further administrative services, such as remote desktop (RDP), they should only be accessible over a VPN connection, preventing unauthorised users from reaching the port.
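The firewall posture just described, expressed as Windows Firewall rules. This is an added example, not the article's code: it sets every profile to block inbound by default, allows TCP 80 and 443 from anywhere, disables the built-in Remote Desktop rules (which accept connections from any address) and replaces them with one rule scoped to the VPN range, then lists any remaining enabled inbound allow rule that is open to "Any" remote address. $VpnSubnet and the rule names are placeholders; it assumes an elevated prompt on Windows Server 2012 R2 or later.

```powershell
# Added example (not from the article): web ports from anywhere, RDP only from the VPN, everything else blocked.
$VpnSubnet = '10.200.0.0/24'   # placeholder: the address range VPN clients receive

# Default deny inbound on every profile; outbound stays open.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# The only intended internet-facing service: HTTP and HTTPS.
if (-not (Get-NetFirewallRule -DisplayName 'Web-HTTP-HTTPS-In' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Web-HTTP-HTTPS-In' -Direction Inbound -Protocol TCP -LocalPort 80, 443 -Action Allow | Out-Null
}

# Built-in RDP rules allow 3389 from any address; replace them with a rule limited to the VPN range.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue | Disable-NetFirewallRule
if (-not (Get-NetFirewallRule -DisplayName 'RDP-From-VPN-In' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'RDP-From-VPN-In' -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $VpnSubnet -Action Allow | Out-Null
}

# Verify: anything else still enabled, inbound, allow, and open to 'Any' remote address is a finding to review.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
    $addr  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
    if ($addr -contains 'Any' -and $_.DisplayName -ne 'Web-HTTP-HTTPS-In') {
        Write-Warning "Rule '$($_.DisplayName)' [$($_.Profile)] allows inbound from Any on port(s) $($ports -join ',')"
    }
}
```

The verification loop will also list the default Core Networking rules (ICMP, DHCP, IPv6 neighbour discovery); those are usually legitimate and can be reviewed once and recorded, but anything application-specific that appears there should be scoped to the VPN range the same way the RDP rule is.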

Backup:

  • Maintain proper backups and, whenever possible, run backup jobs with non-elevated account privileges.
  • Keep the server clocks in sync to avoid time drift.

Conclusion:

Whether the server is on-premises or in the cloud, physical or virtual, securing it is important. The points above will help to harden it.

Anusthika Jeyashankar
Ambitious Blue Teamer; Enthused Security Analyst
