{"id":6971,"date":"2020-05-28T10:13:21","date_gmt":"2020-05-28T15:13:21","guid":{"rendered":"https:\/\/www.poweradmin.com\/blog\/?p=6971"},"modified":"2020-05-28T09:33:47","modified_gmt":"2020-05-28T14:33:47","slug":"hardening-your-windows-server-in-2020","status":"publish","type":"post","link":"https:\/\/www.poweradmin.com\/blog\/hardening-your-windows-server-in-2020\/","title":{"rendered":"Hardening Your Windows Server in 2020"},"content":{"rendered":"<h2><strong>Introduction<\/strong><\/h2>\n<p>Security is vital for protecting company assets and data subjects. Evolving data protection regulations, like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), have thrown light on security breaches and the security architecture of those compromised. In 2019, the global average cost for a data breach was <a href=\"https:\/\/databreachcalculator.mybluemix.net\/executive-summary\" rel=\"nofollow\" target=\"_blank\">$3.9 million<img class=\"extlink-icon\" src=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/plugins\/external-links-nofollow-open-in-new-tab-favicon\/images\/extlink.png\"><\/a>, not including reputational damage and hidden costs. Hardening Windows Server 2019 can reduce your organization\u2019s attack surface, minimizing the disruption of business processes, legal and financial repercussions, and other damages. 
Windows Server comes with a suite of tools that can help defend your infrastructure.<\/p>\n<h2><strong>New Features<\/strong><\/h2>\n<p>Windows Server 2019 showcases several new features:<\/p>\n<ul>\n<li><em>Windows Defender Advanced Threat Protection (ATP):<\/em> hunts and stops low-level malicious processes<\/li>\n<li><em>Security with Software Defined Networking (SDN):<\/em> enhancements include network encryption, firewall auditing, virtual network peering, and egress metering<\/li>\n<li><em>Shielded Virtual Machines improvements: <\/em><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/security\/guarded-fabric-shielded-vm\/guarded-fabric-manage-branch-office#fallback-configuration\">fallback HGS<\/a> (Host Guardian Service) and <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/security\/guarded-fabric-shielded-vm\/guarded-fabric-manage-branch-office#offline-mode\">offline mode<\/a> aid in redundancy and connectivity, and enabling VMConnect Enhanced Session Mode and PowerShell Direct make troubleshooting easier.<\/li>\n<li><em>HTTP\/2 for a faster and safer Web: <\/em>increases throughput and builds stronger connections via encrypted channels<\/li>\n<\/ul>\n<p>These features should be used in concert with baseline measures, some of which are outlined below, and within an overall security governance program.<\/p>\n<h2><strong>Hardening Windows Server<\/strong><\/h2>\n<p>Below are a handful of steps you can take to strengthen the security of your server. 
These steps cover a wide range of settings from organizational measures to access controls, network configuration, and beyond.<\/p>\n<ul>\n<li>Conduct a threat risk assessment to determine attack vectors and investments for mitigation strategies.<\/li>\n<li>Protect your administrative and system accounts with strong passwords.<\/li>\n<li>Disable unnecessary services and remove unused Windows components.<\/li>\n<li>Password protect the BIOS\/firmware to prevent unauthorized changes to the server startup settings.<\/li>\n<li>Configure Account Lockout Group Policy that aligns with best practices.<\/li>\n<li>Perform <a href=\"https:\/\/www.sentryone.com\/sql-server\/sql-server-monitoring\" rel=\"nofollow\" target=\"_blank\">SQL server monitoring<img class=\"extlink-icon\" src=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/plugins\/external-links-nofollow-open-in-new-tab-favicon\/images\/extlink.png\"><\/a><\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2020\/05\/1st-photo.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-6972\" src=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2020\/05\/1st-photo.png\" alt=\"\" width=\"1647\" height=\"977\" srcset=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2020\/05\/1st-photo.png 1647w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2020\/05\/1st-photo-300x178.png 300w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2020\/05\/1st-photo-1024x607.png 1024w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2020\/05\/1st-photo-768x456.png 768w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2020\/05\/1st-photo-1536x911.png 1536w\" sizes=\"auto, (max-width: 1647px) 100vw, 1647px\"><\/a><\/p>\n<p><em>Figure 1: Path to set lockout periods via the Group Policy Editor<\/em><\/p>\n<ul>\n<li>Obey the <u>principle<\/u> <u>of<\/u> <u>least<\/u> <u>privilege<\/u> by limiting the number of administrators. 
This is key, as penetration testers and malicious attackers love to use excessive privileges to their advantage.<\/li>\n<li>Follow <u>privileged<\/u> <u>access<\/u> <u>management<\/u> (PAM) best practices; e.g., only use administrative accounts to perform administrative tasks, and auto-rotate passwords on check-outs and check-ins to mitigate <a href=\"https:\/\/attack.mitre.org\/techniques\/T1075\/\" rel=\"nofollow\" target=\"_blank\">pass-the-hash attacks<img class=\"extlink-icon\" src=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/plugins\/external-links-nofollow-open-in-new-tab-favicon\/images\/extlink.png\"><\/a>.<\/li>\n<li>Enable Audit Policy to spot suspicious and malicious activity, uphold accountability, and gather forensic data.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2020\/05\/2nd-photo.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-6973\" src=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2020\/05\/2nd-photo.png\" alt=\"\" width=\"1650\" height=\"982\" srcset=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2020\/05\/2nd-photo.png 1650w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2020\/05\/2nd-photo-300x179.png 300w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2020\/05\/2nd-photo-1024x609.png 1024w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2020\/05\/2nd-photo-768x457.png 768w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2020\/05\/2nd-photo-1536x914.png 1536w\" sizes=\"auto, (max-width: 1650px) 100vw, 1650px\"><\/a><\/p>\n<p><em>Figure 2: Setting up Audit Policies<\/em><\/p>\n<ul>\n<li>Install and activate anti-spyware and anti-virus software, and keep them up to date.<\/li>\n<li>Enable <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/identity-protection\/credential-guard\/credential-guard-manage\" rel=\"nofollow\" target=\"_blank\">Windows Defender Credential Guard<img class=\"extlink-icon\" src=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/plugins\/external-links-nofollow-open-in-new-tab-favicon\/images\/extlink.png\"><\/a> and <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/microsoft-defender-atp\/enable-exploit-protection#microsoft-endpoint-configuration-manager\">Windows Defender Exploit Guard<\/a> for improved hardware-backed and virtualization-based security, protection against advanced persistent threats (APT), and other benefits.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2020\/05\/3rd-photo.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-6974\" src=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2020\/05\/3rd-photo.png\" alt=\"\" width=\"1650\" height=\"818\" srcset=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2020\/05\/3rd-photo.png 1650w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2020\/05\/3rd-photo-300x149.png 300w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2020\/05\/3rd-photo-1024x508.png 1024w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2020\/05\/3rd-photo-768x381.png 768w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2020\/05\/3rd-photo-1536x761.png 1536w\" sizes=\"auto, (max-width: 1650px) 100vw, 1650px\"><\/a><\/p>\n<p><em>Figure 3: Enabling Virtualization Based Security<\/em><\/p>\n<p>These tips, while not exhaustive, are a good start. Comprehensive lists for securing Windows Server are included in the Resources section at the end of this article. Be sure to follow the inline links throughout for further information.<\/p>\n<h2><strong>Conclusion<\/strong><\/h2>\n<p>Windows Server 2019 offers several improvements to its security. Such improvements should be implemented on top of fundamental controls, which should in turn be part of a broader information security program. 
Ensure these improvements go through a change management process to guarantee proper configuration and a smooth rollout.<\/p>\n<h2><strong>Resources<\/strong><\/h2>\n<ul>\n<li>The Electronic Frontier Foundation\u2019s threat modeling <a href=\"https:\/\/www.eff.org\/keeping-your-site-alive\/evaluating-your-threat-model\" rel=\"nofollow\" target=\"_blank\">framework<img class=\"extlink-icon\" src=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/plugins\/external-links-nofollow-open-in-new-tab-favicon\/images\/extlink.png\"><\/a><\/li>\n<li>Windows Server 2019 OS hardening \u2013 a <a href=\"https:\/\/cybersecurity.att.com\/blogs\/security-essentials\/windows-server-2019-os-hardening\" rel=\"nofollow\" target=\"_blank\">blog<img class=\"extlink-icon\" src=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/plugins\/external-links-nofollow-open-in-new-tab-favicon\/images\/extlink.png\"><\/a> by Thomas Jung<\/li>\n<li>Windows Server 2016 Security <a href=\"https:\/\/download.microsoft.com\/download\/5\/8\/5\/585DF9E9-D3D6-410A-8B51-81C7FC9A727C\/Windows_Server_2016_Security_Guide_EN_US.pdf\" rel=\"nofollow\" target=\"_blank\">Guide<img class=\"extlink-icon\" src=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/plugins\/external-links-nofollow-open-in-new-tab-favicon\/images\/extlink.png\"><\/a> from Microsoft<\/li>\n<li>Microsoft Windows Server 2019, Ver 1, Rel 3 <a href=\"https:\/\/nvd.nist.gov\/ncp\/checklist\/914\" rel=\"nofollow\" target=\"_blank\">Checklist<img class=\"extlink-icon\" src=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/plugins\/external-links-nofollow-open-in-new-tab-favicon\/images\/extlink.png\"><\/a> Details from NIST<\/li>\n<\/ul>\n<p>\u2014\u2013<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/margiotis\/\" rel=\"nofollow\" target=\"_blank\"><em>Paul Margiotis<\/em><img class=\"extlink-icon\" src=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/plugins\/external-links-nofollow-open-in-new-tab-favicon\/images\/extlink.png\"><\/a><em> 
(@paulmargiotis) is the Security Engineer at <\/em><a href=\"https:\/\/www.sentryone.com\/\" rel=\"nofollow\" target=\"_blank\"><em>SentryOne<\/em><img class=\"extlink-icon\" src=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/plugins\/external-links-nofollow-open-in-new-tab-favicon\/images\/extlink.png\"><\/a><em>, where he writes and implements security policy, directs compliance with data privacy and protection regulations, and strengthens the organization\u2019s network and perimeter defense. In his articles, he shares insight into hardening systems and infrastructure, building robust processes and protocols to enhance security governance, risk management, and cryptography. Paul holds a Master\u2019s degree in Cybersecurity, with a concentration in Network Security, from the University of North Carolina at Charlotte.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction Security is vital for protecting company assets and data subjects. Evolving data protection regulations, like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), have thrown light on security breaches and the security architecture of those compromised. 
In 2019, the global average cost for a data breach was $3.9 million, [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":6974,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,42,8],"tags":[],"class_list":["post-6971","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-pc-security","category-security","category-windows"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/6971","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/comments?post=6971"}],"version-history":[{"count":2,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/6971\/revisions"}],"predecessor-version":[{"id":6976,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/6971\/revisions\/6976"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media\/6974"}],"wp:attachment":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media?parent=6971"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/categories?post=6971"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/tags?post=6971"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}