fortypoundhead.com

Hardening Windows Server

Posted On 2013-11-23 by dwirch
Tags: Tip Tutorial Security Windows Server 2012 Windows Server 2008 Windows


This guide is intended to provide basic systems administration instruction for hardening "out-of-the-box" installations of Windows Server. Even though current versions of Windows Server provide a better security model than previous versions, the attack surface can be reduced further.

The first section of this document will list services which can be safely disabled, followed by a short list of registry items that should be safeguarded.

Disable Unused Services

DHCP Client

Gain: Security

Explanation: DHCP is used to automatically configure a computer's IP settings. Most servers will have a static IP address, so this service is unnecessary.

DNS Client

Gain: Security

Explanation: The Domain Name System Client service caches the results of domain name lookups and registers the server with its parent DNS server. Turning this off will slow DNS lookups, but the local cache could otherwise be used against us in a DNS cache poisoning attack. Note that turning this service off still allows the computer to do DNS lookups; the results just won't be stored in a local cache on the local machine.

Distributed Link Tracking Client

Gain: Security

Explanation: Distributed links are things like shell shortcuts and OLE links. This service tracks whether a linked file has been moved or renamed. Linked files are more common on a desktop OS, so this can be safely disabled.

Human Interface Device Access

Gain: Security

Explanation: Allows keyboards, mice, hot buttons and other multimedia devices to interact with Windows.

IP Helper

Gain: Security

Explanation: IP Helper provides IPv6 connectivity over an IPv4 network. Our servers are strictly IPv4 at the moment, so no IPv6 support is necessary.

Print Spooler

Gain: Security, Performance

Explanation: No server should have printers installed, unless the server in question is a print server.

Windows Error Reporting Service

Gain: Security

Explanation: This service facilitates the notification and reporting of errors to Microsoft.

Windows Remote Management

Gain: Security

Explanation: WinRM is a remote management protocol running over web services.

Secondary Logon

Gain: Security

Explanation: This service allows the "run as" command to run a service as a different user.


IPv6, LAN Properties

Gain: Security

Explanation: If you are not using IPv6 in your environment, this item can be safely removed / disabled in the LAN properties page for each NIC in the server.

Also modify the following registry entry, restarting after modification:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters]
Parameter: DisabledComponents
Value: FF

Remote Registry

Gain: Security

Explanation: This service allows registry access to authenticated remote users. Even though this is blocked by the firewall and ACLs, this service should be turned off if you have no reason to allow remote registry access.
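The following script is an added example, not part of the original post: it disables the services listed above and applies the Tcpip6 DisabledComponents change. It assumes an elevated PowerShell session on the server being hardened; the short service names are the standard Windows names for the display names used in the post.

```powershell
# Added example (not from the original post). Assumes an elevated session.
# Short service name -> display name from the post above.
$Services = @{
    'Dhcp'           = 'DHCP Client'
    'Dnscache'       = 'DNS Client'
    'TrkWks'         = 'Distributed Link Tracking Client'
    'hidserv'        = 'Human Interface Device Access'
    'iphlpsvc'       = 'IP Helper'
    'Spooler'        = 'Print Spooler'
    'WerSvc'         = 'Windows Error Reporting Service'
    'WinRM'          = 'Windows Remote Management'   # also ends PowerShell remoting to this host
    'seclogon'       = 'Secondary Logon'
    'RemoteRegistry' = 'Remote Registry'
}

function Get-ServiceState {
    # Current state and start mode via WMI, so it also works on PowerShell 2.0 (Server 2008)
    param([string]$Name)
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if ($svc) {
        New-Object PSObject -Property @{ Name = $Name; State = $svc.State; StartMode = $svc.StartMode }
    }
}

function Disable-UnusedService {
    # With -Check, only report what would change; otherwise stop the service and set it to Disabled
    param([string]$Name, [switch]$Check)
    $svc = Get-ServiceState -Name $Name
    if (-not $svc) { Write-Warning "$Name is not installed"; return }
    if ($svc.StartMode -eq 'Disabled') { return }
    if ($Check) { "Would disable $Name (currently $($svc.State), $($svc.StartMode))"; return }
    Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    Set-Service -Name $Name -StartupType Disabled
}

foreach ($name in $Services.Keys) { Disable-UnusedService -Name $name }

# IPv6: DisabledComponents = 0xFF as in the post; takes effect after a reboot
$tcpip6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
Set-ItemProperty -Path $tcpip6 -Name DisabledComponents -Value 0xFF -Type DWord

# Verification: list anything from the table that is still not Disabled
$Services.Keys | ForEach-Object { Get-ServiceState -Name $_ } | Where-Object { $_.StartMode -ne 'Disabled' }
```

Run it once with `Disable-UnusedService -Name <svc> -Check` in the loop to review the changes before applying them, and keep a console or out-of-band session open, since disabling WinRM removes PowerShell remoting to the host.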

Registry Lockdown

Disable AutoRun for CD-ROM drives.

Gain: Security

Find this key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDRom\AutoRun

Change the value to 0 (REG_DWORD).

Secure SNMP Service

Gain:
Only allow these accounts to access the keys mentioned:

Administrators – Full Control
System – Full Control

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities

Startup Keys

Gain:
Secure the registry keys below with this access:

Administrators and System – Full Control
Authenticated Users – Read

Also set auditing for Everyone on these keys: check all checkboxes under Failed and the "Set Value" checkbox under Successful.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_LOCAL_MACHINE\Software\Microsoft\DrWatson (Leave the permissions for Terminal Server User, if exists)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
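The script below is an added example, not part of the original post: it applies the AutoRun change, the SNMP key permissions and the startup-key permissions and audit entries described above. It assumes an elevated session (setting audit entries needs SeSecurityPrivilege) and deliberately leaves the DrWatson key alone because of its Terminal Server User exception.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell session.
$AC = 'System.Security.AccessControl'

function Set-KeyLockdown {
    # Replaces the key's DACL with Administrators/SYSTEM Full Control (plus optional
    # Authenticated Users Read) and, with -Audit, adds the Everyone audit entries from the post.
    param([string]$Key, [switch]$AuthenticatedUsersRead, [switch]$Audit)
    $acl = Get-Acl -Path $Key -Audit
    # Stop inheriting from the parent and drop existing explicit entries so only the listed accounts remain
    $acl.SetAccessRuleProtection($true, $false)
    $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { [void]$acl.RemoveAccessRule($_) }

    $full    = [System.Security.AccessControl.RegistryRights]::FullControl
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-Object "$AC.RegistryAccessRule" ($id, $full, $inherit, $prop, $allow)))
    }
    if ($AuthenticatedUsersRead) {
        $read = [System.Security.AccessControl.RegistryRights]::ReadKey
        $acl.AddAccessRule((New-Object "$AC.RegistryAccessRule" ('NT AUTHORITY\Authenticated Users', $read, $inherit, $prop, $allow)))
    }
    if ($Audit) {
        # Everyone: every box under Failed, plus "Set Value" under Successful
        $fail = [System.Security.AccessControl.AuditFlags]::Failure
        $ok   = [System.Security.AccessControl.AuditFlags]::Success
        $set  = [System.Security.AccessControl.RegistryRights]::SetValue
        $acl.AddAuditRule((New-Object "$AC.RegistryAuditRule" ('Everyone', $full, $inherit, $prop, $fail)))
        $acl.AddAuditRule((New-Object "$AC.RegistryAuditRule" ('Everyone', $set, $inherit, $prop, $ok)))
    }
    Set-Acl -Path $Key -AclObject $acl
}

# Disable AutoRun for CD-ROM drives
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\CDRom' -Name AutoRun -Value 0 -Type DWord

# SNMP keys: Administrators and SYSTEM only (skipped if the SNMP service is not installed)
$snmp = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'
foreach ($k in "$snmp\PermittedManagers", "$snmp\ValidCommunities") {
    if (Test-Path $k) { Set-KeyLockdown -Key $k }
}

# Startup keys: add Authenticated Users Read and the audit entries
$cv = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$startup = "$cv\Run", "$cv\RunOnce", "$cv\RunOnceEx", "$cv\Uninstall",
           'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
foreach ($k in $startup) {
    if (Test-Path $k) { Set-KeyLockdown -Key $k -AuthenticatedUsersRead -Audit }
}
```

The audit entries only produce Security log events (4657 for a modified value, 4663 for an access attempt) when the Registry object-access audit subcategory is enabled in the audit policy, so check `auditpol /get /subcategory:Registry` after applying them.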
