By Fabian A. Campo H. (MVP Cloud and Data Center Management), Bogota, Colombia.
I had a very important customer who needed to apply special hardening to the Windows Servers in their datacenter. So this is another opportunity to leave another tips and tricks post.
I've made a checklist, but first I took the categories and started filling in the steps that came to mind:
Every Windows machine gets three minimal protections by default: the Firewall (disabled by many users), Windows Update (also disabled, to avoid application failures), and the antivirus (which sometimes lacks the proper exclusions). So as a first step, update the machine from Windows Update; then use a network traffic analyzer (such as Microsoft Network Monitor) or PortQry (a Microsoft download, not part of Sysinternals) to identify which listening ports are actually required; then enable the Windows Firewall with rules that allow only that traffic; and finally update the antivirus and antimalware signatures and run a full scan. The order matters: inventory the ports before turning the firewall on, or you will block something you needed and learn about it from a ticket.
This process requires careful attention to detail to avoid unwanted behavior. If you reach this point, your server is a little more secure. Now I can mention the next steps…
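The three first steps above, carried out from an elevated PowerShell 5.1 session, as an added example that is not part of the original post. The allowed-port list, the rule names and the 10.10.5.0/24 jump-host subnet are assumptions for a web server reached over RDP; the update setting is the "download automatically, let me choose when to install" option the post recommends.

```powershell
#Requires -RunAsAdministrator
# Added example (not the post's own script). Assumed values: the $allowed table
# below and the RDP source subnet. Everything else uses built-in cmdlets.

# 1. Updates: list what is pending via the Windows Update Agent COM API, then set
#    Automatic Updates to "auto download, notify to install" (AUOptions = 3) so the
#    admin chooses the install and reboot window.
function Get-PendingUpdate {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{ Title = $u.Title; KB = ($u.KBArticleIDs -join ',') }
    }
}
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
New-Item -Path $au -Force | Out-Null
Set-ItemProperty -Path $au -Name NoAutoUpdate -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions    -Value 3 -Type DWord
Get-PendingUpdate | Format-Table -AutoSize

# 2. Ports: inventory every TCP listener with its owning process BEFORE writing rules.
#    Anything listed here that is not in $allowed is either unneeded (stop and
#    disable the service) or needs a justified rule of its own.
function Get-ListeningPort {
    Get-NetTCPConnection -State Listen | Sort-Object LocalPort -Unique | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port = $_.LocalPort; Address = $_.LocalAddress
            Process = $p.ProcessName; PID = $_.OwningProcess
        }
    }
}
Get-ListeningPort | Format-Table -AutoSize

# Assumed allow-list for this host: HTTPS from anywhere, RDP only from the jump-host subnet.
$allowed = @(
    @{ Name = 'Allow-HTTPS-In'; Port = 443;  Remote = 'Any' }
    @{ Name = 'Allow-RDP-In';   Port = 3389; Remote = '10.10.5.0/24' }
)
foreach ($r in $allowed) {
    if (-not (Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Name $r.Name -DisplayName $r.Name -Direction Inbound `
            -Protocol TCP -LocalPort $r.Port -RemoteAddress $r.Remote `
            -Action Allow -Profile Domain | Out-Null
    }
}
# Only now enable the firewall on all profiles, inbound blocked by default, and log
# dropped packets so anything you forgot shows up in pfirewall.log instead of silently failing.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 3. Antivirus: refresh Microsoft Defender signatures and run a full scan.
Update-MpSignature
Start-MpScan -ScanType FullScan
```

Keep a console session open (or the RDP rule already in place) when you apply the firewall step over RDP; the rules are created before the profile is enabled precisely so that the enabling step cannot cut off your own session.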
Consider using the Security Configuration Wizard (SCW); this utility guides you through the hardening. Note that SCW was removed in Windows Server 2016, so on current versions use Microsoft's published security baselines (Security Compliance Toolkit) instead.
The Windows Update run above was only the start: you should repeat it monthly, since Microsoft releases new updates every second Tuesday. The best way to keep up is to configure the server to download updates automatically and let you decide when to install them and restart.
Restrict who can reach the server remotely from the network. Remote Desktop Protocol can be configured for more secure client connections (require Network Level Authentication and TLS). Beyond that, Active Directory lets you restrict which accounts may log on to each computer, and the hours during which they may do so.
Whether as local policy or a domain GPO, set a minimum password length, enable password complexity requirements, do not store passwords using reversible encryption, and configure an account lockout policy.
Restrict local logon to administrators only, and use LAPS to randomize the local administrator password on each server.
Deny guest accounts the ability to logon as a service, a batch job, locally, or via RDP
Display an explicit warning banner, as the message text shown to users attempting to log on, stating that all actions on the system will be recorded.
Require Ctrl+Alt+Del for logon
Configure machine inactivity limit to 15 minutes to close idle sessions
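The account, logon-right and RDP settings from the items above, applied locally with secedit and the registry, as an added example that is not part of the original post. It also sets the "disable anonymous SID/Name translation" item listed further below, because that value lives in the same secedit section. The values (14 characters, 5 attempts, 30 minutes, 15-minute idle limit, banner text) are illustrative assumptions; on a domain member put the same settings in a GPO rather than local policy.

```powershell
#Requires -RunAsAdministrator
# Added example (not the post's own script). Assumed values: the password/lockout
# numbers, the banner text and the group memberships below.

# Password, lockout and logon-right policy in one secedit template.
# Well-known SIDs: S-1-5-32-544 Administrators, S-1-5-32-555 Remote Desktop Users,
# S-1-5-32-546 Guests. The template REPLACES each right's member list, so review
# the lists before applying them to a server that other groups must log on to.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
ClearTextPassword = 0
LockoutBadCount = 5
LockoutDuration = 30
ResetLockoutCount = 30
LSAAnonymousNameLookup = 0
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyInteractiveLogonRight = *S-1-5-32-546
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
SeDenyServiceLogonRight = *S-1-5-32-546
SeDenyBatchLogonRight = *S-1-5-32-546
'@
$infPath = Join-Path $env:TEMP 'logon-hardening.inf'
$inf | Set-Content -Path $infPath -Encoding Unicode      # secedit expects a Unicode .inf
secedit /configure /db "$env:TEMP\logon-hardening.sdb" /cfg $infPath /areas SECURITYPOLICY USER_RIGHTS /quiet

# RDP: require Network Level Authentication, TLS as the security layer, high encryption.
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdp -Name UserAuthentication  -Value 1 -Type DWord
Set-ItemProperty -Path $rdp -Name SecurityLayer       -Value 2 -Type DWord
Set-ItemProperty -Path $rdp -Name MinEncryptionLevel  -Value 3 -Type DWord

# Logon banner, Ctrl+Alt+Del required (DisableCAD = 0), 15-minute inactivity limit.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $sys -Name legalnoticecaption    -Value 'Authorized use only'
Set-ItemProperty -Path $sys -Name legalnoticetext       -Value 'All actions on this system are recorded.'
Set-ItemProperty -Path $sys -Name DisableCAD            -Value 0   -Type DWord
Set-ItemProperty -Path $sys -Name InactivityTimeoutSecs -Value 900 -Type DWord

# Read the registry half back so the result can be checked (and compared across servers).
function Get-LogonHardeningState {
    $r = Get-ItemProperty -Path $rdp
    $s = Get-ItemProperty -Path $sys
    [pscustomobject]@{
        RdpNlaRequired    = ($r.UserAuthentication -eq 1)
        RdpTlsLayer       = ($r.SecurityLayer -eq 2)
        CtrlAltDelRequired = ($s.DisableCAD -eq 0)
        IdleTimeoutSecs   = $s.InactivityTimeoutSecs
        BannerSet         = -not [string]::IsNullOrEmpty($s.legalnoticetext)
    }
}
Get-LogonHardeningState
```

For the LAPS item, the template above deliberately does not touch the built-in Administrator account's password; once LAPS is deployed, that password is retrieved per server from Active Directory (Get-LapsADPassword with Windows LAPS, Get-AdmPwdPassword with the legacy module) rather than being set by hand.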
Disable SMB 1.0 protocol
Disable the sending of unencrypted passwords to third party SMB servers
Configure Microsoft Network Server to always digitally sign communications and Configure Microsoft Network Server to digitally sign communications if client agrees
Disable anonymous SID/Name translation
Do not allow anonymous enumeration of SAM accounts (RestrictAnonymousSAM)
Do not allow anonymous enumeration of SAM accounts and shares (RestrictAnonymous; this is a separate, stricter setting from the previous one)
Do not allow Everyone permissions to apply to anonymous users
Do not allow any named pipes to be accessed anonymously (leave the "Named Pipes that can be accessed anonymously" list empty)
Restrict anonymous access to named pipes and shares (RestrictNullSessAccess)
Do not allow any shares to be accessed anonymously (leave the "Shares that can be accessed anonymously" list empty)
Configure Account Logon audit policy
Configure Account Management audit policy
Configure Logon/Logoff audit policy
Configure Policy Change audit policy
Configure Privilege Use audit policy
Configure Event Log retention method and size
Disable or uninstall unused services
Disable or delete unused users
Configure User Rights to be as secure as possible
Set the system date/time and configure it to synchronize against your campus or corporate time servers (a domain member already follows the domain hierarchy by default; set manual NTP peers only on the PDC emulator or on standalone hosts)
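The SMB, anonymous-access, audit, event-log, service, user and time items from the checklist, applied locally and then read back, as an added example that is not part of the original post. The service names, the 90-day stale-account threshold and the NTP peer names are assumptions; replace them with your own inventory.

```powershell
#Requires -RunAsAdministrator
# Added example (not the post's own script). Assumed values: the services to disable,
# the stale-account cutoff and the NTP peers.

# SMB: remove SMB1, require signing on the server side, and refuse to send plaintext
# passwords to third-party SMB servers on the client side.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
$wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
Set-ItemProperty -Path $wks -Name EnablePlainTextPassword -Value 0 -Type DWord

# Anonymous (null-session) restrictions. LSAAnonymousNameLookup is a secedit setting
# and is not covered here.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name RestrictAnonymousSAM      -Value 1 -Type DWord  # no anon SAM account enumeration
Set-ItemProperty -Path $lsa -Name RestrictAnonymous         -Value 1 -Type DWord  # no anon SAM account/share enumeration
Set-ItemProperty -Path $lsa -Name EveryoneIncludesAnonymous -Value 0 -Type DWord  # Everyone does not include anonymous
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $srv -Name RestrictNullSessAccess -Value 1 -Type DWord             # restrict anon pipes/shares
Set-ItemProperty -Path $srv -Name NullSessionPipes  -Value ([string[]]@()) -Type MultiString  # no anon pipes
Set-ItemProperty -Path $srv -Name NullSessionShares -Value ([string[]]@()) -Type MultiString  # no anon shares

# Audit policy for the five categories in the checklist, success and failure.
foreach ($cat in 'Account Logon','Account Management','Logon/Logoff','Policy Change','Privilege Use') {
    auditpol /set /category:"$cat" /success:enable /failure:enable | Out-Null
}
# Security log: 1 GiB, overwrite as needed (rt:false). Forward to a collector as well;
# a local log is the first thing an intruder clears.
wevtutil sl Security /ms:1073741824 /rt:false

# Unused services: stop and disable. Which ones are "unused" is per host (assumed here).
foreach ($svc in 'RemoteRegistry','Spooler') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc -StartupType Disabled
    }
}

# Unused local users: report enabled accounts that never logged on or not in 90 days.
# Review the list, then pipe it to Disable-LocalUser; do not disable blindly.
function Get-StaleLocalUser {
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-LocalUser | Where-Object {
        $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff)
    }
}
Get-StaleLocalUser | Format-Table Name, LastLogon -AutoSize

# Time: only for standalone hosts or the PDC emulator (domain members keep domhier).
# 0x8 = client mode. Peer names are assumed.
w32tm /config /manualpeerlist:"ntp1.corp.example,0x8 ntp2.corp.example,0x8" /syncfromflags:manual /update
Restart-Service -Name w32time
w32tm /resync /nowait

# Read back the settings that matter most, so drift can be checked on every server.
function Test-NetworkHardening {
    $smb = Get-SmbServerConfiguration
    $l   = Get-ItemProperty -Path $lsa
    $s   = Get-ItemProperty -Path $srv
    [pscustomobject]@{
        SMB1Disabled         = -not $smb.EnableSMB1Protocol
        SigningRequired      = $smb.RequireSecuritySignature
        RestrictAnonymousSAM = ($l.RestrictAnonymousSAM -eq 1)
        RestrictAnonymous    = ($l.RestrictAnonymous -eq 1)
        EveryoneExclAnon     = ($l.EveryoneIncludesAnonymous -eq 0)
        NullSessionPipes     = ($s.NullSessionPipes -join ',')
        AuditAccountLogon    = (auditpol /get /category:"Account Logon" /r | ConvertFrom-Csv)[0].'Inclusion Setting'
    }
}
Test-NetworkHardening
```

Run Test-NetworkHardening on every server after a reboot, not just immediately after applying the settings: the SMB1 removal and the RDP-related registry values from the earlier items only take full effect after a restart, and a GPO refresh can silently revert local registry edits that conflict with domain policy.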