Approach to security hardening the Microsoft Server Stack

So you just deployed your brand new Microsoft infrastructure hosting your critical application, be it in the Public Cloud, leased infrastructure or in your own datacenter. You configured all your servers and application and are ready to publish it for external access (either authenticated or anonymous).

Microsoft Server products are well established in corporate intranet networks, but are still relatively rare in the internet/extranet space.

How do you approach hardening of the Microsoft Server stack? What process do you follow? What tools do you use? How do you test and validate your setup?

This blog post aims to give you a few general hints and guidelines on how you can, with a few simple steps, increase your Windows Server security.

General approach

The approach we have used successfully with many of our customers boils down to three main things:

  • Holistic (‘360’) approach to security. Example: even if you have a top-notch security configuration on your servers but the servers are not physically secure, anyone with enough time alone with the machine can crack the password/encryption. Security must be implemented at all layers
  • Technology is one thing, but you also need to take care of the people (their knowledge, skills, teamwork) and the process (procedures in place that ‘shape’ proper behaviour)
  • Verify/test! Even if you plan and execute the most thorough security plan, you need to verify it by running extensive tests (e.g. penetration testing / attack surface analysis), ideally both before and after applying your security plan

Technical details

Below I provide several points that are worth taking into account when building your security plan.

For hardware security ensure:

For Windows Server stack security hardening do not forget:

  • Up-to-date kernel (ensure responsive patching procedure)
  • Enable ONLY required roles and services
  • Once this is done, disable unused services. For example, on a standalone (or domain-joined) web server we were able to disable 42 base Windows services without any impact on the functionality of the web server
  • Unbind unnecessary protocols from the network interfaces; most often you will only need TCP/IP (v4 or v6) and, if you need it, File and Printer Sharing
  • Disable NetBIOS in the TCP/IP properties of the network connection
  • Change the default RDP port (http://support.microsoft.com/kb/306759) and enforce Network Level Authentication (NLA)
  • Enable and configure Windows Firewall; you can disable most of the rules enabled out of the box, keeping only RDP (if you use it rather than some other remote connectivity tool) and your application traffic
  • Optimize your security via local or domain Group Policy (follow the links below for guidance on recommended settings, especially CIS); definitely focus on enforcing NTLMv2, password/account policies, user rights assignment and audit policies
  • Enable UAC
  • Enable IE Enhanced Security Configuration, or even disable IE and other programs via Software Restriction Policies in GPO
  • Ensure only 2-3 people (with dedicated accounts) are members of the local Administrators group
  • Rename the default administrator account and create a decoy administrator account (http://technet.microsoft.com/en-us/library/cc700835.aspx)
  • Ensure you get the most out of your auditing, with tools like Dell/Quest ChangeAuditor (http://www.quest.com/changeauditor/)
  • Harden your TCP/IP stack: disable automatic admin shares (e.g. C$), disable SSLv2, consider decreasing the default TTL, and disable ICMP redirects. The TCP/IP stack since Windows Server 2008 is much more secure by default than 2003, but you can still make a few tweaks
  • And much more… Contact us if you are interested in securing your Microsoft-based business applications :)
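As an added example (not code from the original post), the following PowerShell script audits several of the checklist items above on the local server and, only when run with -Fix, writes the expected values. It assumes it is run elevated, that the registry locations are the standard Windows ones for these settings, and that Get-LocalGroupMember is available (PowerShell 5.1 or later).

```powershell
# Added example, not from the original post. Audit by default; -Fix applies the expected values.
# Assumes an elevated session and the standard registry locations for each setting.
[CmdletBinding()]
param([switch]$Fix, [int]$MaxLocalAdmins = 3)

# Registry-backed checks: path, value name, expected DWORD, and the checklist item it maps to
$checks = @(
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp';
       Name='UserAuthentication'; Expected=1; Desc='RDP requires Network Level Authentication' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';
       Name='LmCompatibilityLevel'; Expected=5; Desc='Send NTLMv2 only, refuse LM and NTLM' },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';
       Name='EnableLUA'; Expected=1; Desc='UAC enabled' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';
       Name='AutoShareServer'; Expected=0; Desc='Automatic admin shares (C$, ADMIN$) disabled' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';
       Name='EnableICMPRedirect'; Expected=0; Desc='ICMP redirects ignored' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server';
       Name='Enabled'; Expected=0; Desc='SSLv2 disabled on the server side' }
)

$results = @(foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $ok = ($actual -eq $c.Expected)
    if (-not $ok -and $Fix) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected -Type DWord
        $ok = $true
    }
    [pscustomobject]@{ Check=$c.Desc; Actual=$actual; Expected=$c.Expected; Compliant=$ok }
})

# RDP listener still on the default port 3389? (changing it is a manual step, see KB306759 above)
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
$results += [pscustomobject]@{ Check='RDP not on default port 3389'; Actual=$rdpPort; Expected='not 3389'; Compliant=($rdpPort -ne 3389) }

# NetBIOS over TCP/IP must be disabled on every IP-enabled adapter (TcpipNetbiosOptions 2 = disabled)
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
$nbOn = @($nics | Where-Object { $_.TcpipNetbiosOptions -ne 2 })
if ($Fix) { $nbOn | ForEach-Object { $_.SetTcpipNetbios(2) | Out-Null }; $nbOn = @() }
$results += [pscustomobject]@{ Check='NetBIOS over TCP/IP disabled'; Actual="$($nbOn.Count) adapter(s) enabled"; Expected='0'; Compliant=($nbOn.Count -eq 0) }

# Local Administrators group should stay small (2-3 dedicated accounts); membership is reported, never changed
$admins = @(Get-LocalGroupMember -Group 'Administrators')
$results += [pscustomobject]@{ Check="Local Administrators has at most $MaxLocalAdmins members"; Actual=$admins.Count; Expected="<= $MaxLocalAdmins"; Compliant=($admins.Count -le $MaxLocalAdmins) }

$results | Format-Table -AutoSize
```

Run it without -Fix first and compare the output with your group policy baseline; the script deliberately only reports on Administrators membership and the RDP port, since those changes need a human decision.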

In the area of network, take into account:

Tools and links

These are the tools I found quite useful:

Category: Architecture
