Hardening Windows Server
This guide is intended to provide basic systems administration instruction for hardening “out-of-the-box” installations of Windows Server. Even though current versions of Windows Server provides a better security model than previous versions of Windows servers, the attack surface area can be reduced further.
The first section of this document will list services which can be safely disabled, followed by a short list of registry items that should be safeguarded.
Disabled Unused Services
Explanation: DHCP is used to auto configure a computers IP settings. Most servers will have a static IP address so this service is unnecessary.
Explanation: The Domain Name System Client service caches the result of domain name lookups and registers the server with its parent DNS server. Turning this off will slow DNS lookups but could also be used against us in a DNS cache poisoning attack. Note that turning this service off still allows the computer to do DNS lookups, the results just won’t be stored in a local cache on the local machine.
Distributed Link Tracking Client
Explanation: Distributed links are things like shell shortcuts and OLE links. This service will track if a linked file has been moved/renamed. Linked files are more common on a desktop OS, so this can be safely disabled.
Human Interface Device Access
Explanation: Allows keyboard/mouse/other hot buttons and other multimedia devices to interact with windows
Explanation: IP Helper provides IPv6 connectivity over an IPv4 network. Our servers are strictly IPv4 at the moment, so no IPv6 support is necessary.
Gain: Security, Performance
Explanation: No server should have printers installed, unless the server in question is a print server.
Windows Error Reporting Service
Explanation: This service facilitates the notification and reporting of errors to Microsoft.
Windows Remote Management
Explanation: WinRM is a remote management protocol running over web services
Explanation: This service allows the "run as" command to run a service as a different user.
IPv6, LAN Properties
Explanation: If you are not using IPv6 in your environment, this item can be safely removed / disabled in the LAN properties page for each NIC in the server.
Also modify the following registry entry, restarting after modification:
Explanation:This service allows registry access to authenticated remote users. Even though this is blocked by the firewall and ACLs this service should be turned off if you have no reason to allow remote registry access.
Disable AutoRun for CD-ROM drives.
Find this key key:
Change the value to : 0 (REG_DWORD)
Secure SNMP Service
Only allow these accounts to access the keys mentioned:
Administrators – Full Control
System – Full Control
Secure the registry keys below with this access:
Administrators and System - Full Control
Authenticated Users – Read Also set auditing for Everyone on these keys; check all checkboxes under Failed and the “Set Value” checkbox under Successful.
HKEY_LOCAL_MACHINE\Software\Microsoft\DrWatson (Leave the permissions for Terminal Server User, if exists)
About the Author
dwirch has posted a total of 172 articles.
Comments On This Post
No comments on this post yet!
Do you have a thought relating to this post? You can post your comment here. If you have an unrelated question, you can use the Q&A section to ask it.
Or you can drop a note to the administrators if you're not sure where you should post.