fortypoundhead.com

Hardening Windows Server

Posted On 2013-11-23 by dwirch
Keywords:
Tags: Tip Tutorial Security Windows Server 2012 Windows Server 2008 Windows
Views: 927


This guide is intended to provide basic systems administration instruction for hardening “out-of-the-box” installations of Windows Server.  Even though current versions of Windows Server provides a better security model than previous versions of Windows servers, the attack surface area can be reduced further.

The first section of this document will list services which can be safely disabled, followed by a short list of registry items that should be safeguarded.

Disabled Unused Services

DHCP Client  

Gain: Security
Explanation: DHCP is used to auto configure a computers IP settings. Most servers will have a static IP address so this service is unnecessary.

DNS Client

Gain: Security

Explanation: The Domain Name System Client service caches the result of domain name lookups and registers the server with its parent DNS server. Turning this off will slow DNS lookups but could also be used against us in a DNS cache poisoning attack. Note that turning this service off still allows the computer to do DNS lookups, the results just won’t be stored in a local cache on the local machine.

Distributed Link Tracking Client   

Gain: Security

Explanation: Distributed links are things like shell shortcuts and OLE links. This service will track if a linked file has been moved/renamed.  Linked files are more common on a desktop OS, so this can be safely disabled.

Human Interface Device Access

Gain: Security

Explanation: Allows keyboard/mouse/other hot buttons and other multimedia devices to interact with windows

IP Helper

Gain: Security

Explanation: IP Helper provides IPv6 connectivity over an IPv4 network.   Our servers are strictly IPv4 at the moment, so no IPv6 support is necessary.

Print Spooler

Gain: Security, Performance

Explanation: No server should have printers installed, unless the server in question is a print server.

Windows Error Reporting Service

Gain: Security

Explanation: This service facilitates the notification and reporting of errors to Microsoft.

Windows Remote Management

Gain: Security

Explanation: WinRM is a remote management protocol running over web services

Secondary Login

Gain: Security

Explanation: This service allows the "run as" command to run a service as a different user.


IPv6, LAN Properties

Gain: Security

Explanation: If you are not using IPv6 in your environment, this item can be safely removed / disabled in the LAN properties page for each NIC in the server.

Also modify the following registry entry, restarting after modification:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters]
Parameter: DisabledComponents
Value: FF

Remote Registry

Gain: Security

Explanation:This service allows registry access to authenticated remote users. Even though this is blocked by the firewall and ACLs this service should be turned off if you have no reason to allow remote registry access.

Registry Lockdown

Disable AutoRun for CD-ROM drives.

Gain: Security
Find this key key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDRom\AutoRun

Change the value to : 0 (REG_DWORD)

Secure SNMP Service

Gain:
Only allow these accounts to access the keys mentioned:

Administrators – Full Control
System – Full Control

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities

Startup Keys

Gain:
Secure the registry keys below with this access:

Administrators and System - Full Control
Authenticated Users – Read Also set auditing for Everyone on these keys; check all checkboxes under Failed and the “Set Value” checkbox under Successful.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_LOCAL_MACHINE\Software\Microsoft\DrWatson (Leave the permissions for Terminal Server User, if exists)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg


 

 


About the Author

dwirch has posted a total of 173 articles.

You can find more information from dwirch by visiting http://www.derekwirch.com.


Comments On This Post

No comments on this post yet!


Do you have a thought relating to this post? You can post your comment here. If you have an unrelated question, you can use the Q&A section to ask it.

Or you can drop a note to the administrators if you're not sure where you should post.


Your IP address is:54.198.233.27

Before you can post, you need to prove you are human. If you log in, this test goes away.



Recent Forum Posts

Fold Code Manager into main KB?
VB6Boy posted on July 22, 2017 at about 14:42 in Site News

Fold Code Manager into main KB?
dwirch posted on July 22, 2017 at about 14:41 in Site News

Fold Code Manager into main KB?
dwirch posted on July 21, 2017 at about 22:46 in Site News

Fold Code Manager into main KB?
dwirch posted on July 20, 2017 at about 7:55 in Site News

Job Spammer: Sam Mallon
dwirch posted on July 18, 2017 at about 18:36 in Spammers

When setting up a certificate authority ...
dwirch posted on July 13, 2017 at about 9:07 in General