Windows Server 2016 Hardening Checklist

1. If other options are not available, this can be achieved by placing a SOHO router/firewall between the network and the host to be secured.

2. Several methods are available to help you apply patches in a timely manner:

Microsoft Update Service

  • Microsoft Update scans your machine to identify missing patches and lets you download and install them.
  • This is different from the "Windows Update" that is the default on Windows. Microsoft Update includes updates for many more Microsoft products, such as Office and Forefront Client Security.
  • This service works with Internet Explorer only.

Windows AutoUpdate via WSUS
ITS runs a Windows Server Update Services (WSUS) server for campus use that synchronizes from Microsoft's own update servers. It includes updates for additional Microsoft products, much like Microsoft Update, and provides additional administrative control over software deployment (approval of individual updates, targeting by computer group, and reporting on which hosts have installed them).

Microsoft Baseline Security Analyzer
This is a free host-based application available for download from Microsoft. In addition to listing missing patches, this tool also performs checks on basic security settings and provides information on remediating any issues found.

Upguard
This is a compliance management tool that verifies that basic patching and compliance are being handled consistently (this product is relatively inexpensive and can be integrated with Splunk).

3. Configure Automatic Updates from the Automatic Updates control panel (or the "Configure Automatic Updates" group policy setting).
  • On most servers, you should choose either "Download updates for me, but let me choose when to install them," or "Notify me but don't automatically download or install them," so that a patch never reboots a production server at an unplanned time.
  • The campus Windows Server Update Services server can be used as the source of automatic updates.
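The following is an added example (it is not part of the original checklist and not ISO's own code) showing the registry values that the two group policy settings above actually write, so that a standalone server can be configured and verified without a GPO. The WSUS URL is a placeholder assumption; substitute the campus server. On a domain member, deploy the same values through the "Specify intranet Microsoft update service location" and "Configure Automatic Updates" policies instead and use this only to verify.

```powershell
# Added example, not from the original checklist. Run from an elevated prompt.
# ASSUMPTION: hypothetical WSUS server address; replace with the campus WSUS URL.
$WsusUrl = 'http://wsus.example.edu:8530'

$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = Join-Path $WuPolicy 'AU'

# The Policies keys do not exist until a GPO or an administrator creates them.
foreach ($key in @($WuPolicy, $AuPolicy)) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Use the internal WSUS server for both update content and status reporting.
Set-ItemProperty -Path $WuPolicy -Name 'WUServer'       -Value $WsusUrl -Type String
Set-ItemProperty -Path $WuPolicy -Name 'WUStatusServer' -Value $WsusUrl -Type String
Set-ItemProperty -Path $AuPolicy -Name 'UseWUServer'    -Value 1 -Type DWord

# AUOptions: 2 = notify before download, 3 = auto download but notify before install,
#            4 = auto download and schedule the install. The checklist wants 2 or 3.
Set-ItemProperty -Path $AuPolicy -Name 'NoAutoUpdate' -Value 0 -Type DWord
Set-ItemProperty -Path $AuPolicy -Name 'AUOptions'    -Value 3 -Type DWord

function Test-AutoUpdateConfig {
    # Read the values back and flag a configuration that would install unattended.
    $au = Get-ItemProperty -Path $AuPolicy
    $wu = Get-ItemProperty -Path $WuPolicy
    [pscustomobject]@{
        WUServer    = $wu.WUServer
        UseWUServer = $au.UseWUServer
        AUOptions   = $au.AUOptions
        Acceptable  = ($au.AUOptions -in 2, 3) -and ($au.UseWUServer -eq 1)
    }
}

Test-AutoUpdateConfig | Format-List

# Ask the Windows Update Agent to re-read the policy and check in with WSUS now.
(New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()
```

The check in Test-AutoUpdateConfig is the one worth keeping in a scheduled job: a server whose AUOptions silently drifts to 4 will start rebooting on Microsoft's schedule rather than yours.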
4. Configuring the minimum password length setting is important only if another method of ensuring compliance with university password requirements is not in place. The Information Resources Use and Security Policy requires passwords to be a minimum of 8 characters in length. It is strongly recommended that passwords be at least 14 characters in length (which is also the CIS recommendation).

5. Configuring the password complexity setting is necessary only if another method of ensuring compliance with university password requirements is not in place. The Information Resources Use and Security Policy requires that passwords contain letters, numbers, and special characters.
Ensure that Domain Administrators (and even Departmental/GPO Admin accounts used by TSCs) are held to a higher standard of password complexity, are required to change their passwords more frequently (e.g., twice a year), and are strongly warned against reusing these credentials outside the Austin AD context.

6. If this option (Store passwords using reversible encryption) is enabled, the system will store passwords using a weak, reversible form of encryption that is vulnerable to compromise. This setting is disabled by default.

For additional password protections:
1. Raise the Active Directory functional level to 2012 R2 or higher.
2. In the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest, set "UseLogonCredential" to 0. This stops LSASS from keeping plaintext credentials in memory for the WDigest provider. On Server 2016 the value is absent by default and WDigest is already disabled; setting it explicitly makes the state auditable, and a change of this value to 1 should be treated as a sign of attacker activity, since re-enabling WDigest is a common credential-theft step.
3. Apply MS KBs 2928120 and 2871997. These KBs target earlier Windows versions (Server 2016 already includes the behaviour they add); they are listed for mixed environments.

7. Instead of the CIS recommended values, the account lockout policy should be configured as follows:
  • Account lockout duration – 5 minutes
  • Account lockout threshold – 5 failed attempts
  • Reset account lockout counter after – 5 minutes
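The following is an added example (not part of the original checklist and not ISO's own code) that exports the effective local security policy with secedit.exe and compares the password and lockout values against items 4 through 7 above. The expected values are taken from the text (minimum length 14 as recommended, complexity on, reversible encryption off, 5/5/5 lockout); the function names are the author's own. Run it from an elevated prompt. Domain-joined servers receive these values from the Default Domain Policy, but the export still shows what is in effect on the host.

```powershell
# Added example, not from the original checklist. Requires an elevated prompt.
# Expected values follow items 4-7 of the checklist; 14 is the recommended length.
$Expected = @{
    MinimumPasswordLength = @{ Min = 14;  Note = 'policy requires 8; 14 recommended (CIS)' }
    PasswordComplexity    = @{ Exact = 1; Note = 'letters, numbers and special characters' }
    ClearTextPassword     = @{ Exact = 0; Note = 'reversible encryption must stay disabled' }
    LockoutBadCount       = @{ Exact = 5; Note = 'lockout threshold: 5 failed attempts' }
    LockoutDuration       = @{ Exact = 5; Note = 'lockout duration: 5 minutes' }
    ResetLockoutCount     = @{ Exact = 5; Note = 'reset counter after 5 minutes' }
}

function Get-LocalSecurityPolicy {
    # secedit writes an INI-style file; the [System Access] section holds these values.
    $tmp = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $tmp /areas SECURITYPOLICY | Out-Null
        $section = $null
        $result  = @{}
        foreach ($line in Get-Content -Path $tmp) {
            if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
            # Values are integers; LockoutDuration can be -1 (locked until an admin unlocks).
            if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
                $result[$Matches[1]] = [int]$Matches[2]
            }
        }
        return $result
    } finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
}

function Test-PasswordAndLockoutPolicy {
    $policy = Get-LocalSecurityPolicy
    foreach ($name in $Expected.Keys) {
        $rule   = $Expected[$name]
        $actual = $policy[$name]
        # A missing key (e.g. no lockout duration when the threshold is 0) is a failure.
        $ok = if ($null -eq $actual) { $false }
              elseif ($rule.ContainsKey('Exact')) { $actual -eq $rule.Exact }
              else { $actual -ge $rule.Min }
        [pscustomobject]@{
            Setting  = $name
            Actual   = $actual
            Expected = if ($rule.ContainsKey('Exact')) { $rule.Exact } else { ">= $($rule.Min)" }
            Pass     = $ok
            Note     = $rule.Note
        }
    }
}

Test-PasswordAndLockoutPolicy | Format-Table -AutoSize

# Remediation on a standalone server (domain members: set these in the GPO instead):
#   net accounts /minpwlen:14 /lockoutthreshold:5 /lockoutduration:5 /lockoutwindow:5
```

The parser deliberately treats an absent key as a failure rather than falling back to the Windows default, because the most common way a lockout policy "disappears" is a threshold of 0, and secedit then omits the duration and reset keys entirely.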
10. Any account with this right (Allow log on locally) is permitted to log on at the console. By default, this includes members of the Administrators, Users, and Backup Operators groups. It is unlikely that non-administrative users need this level of access and, where the server is not physically secured, granting this right may facilitate a compromise of the device.

12. The text of the university's official warning banner can be found on the ISO website. You may add localized information to the banner as long as the university banner is included.

13. The use of Microsoft accounts can be blocked by configuring the group policy object at:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts

This setting can be verified by auditing the registry value:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoConnectedUser

43. Logon information for domain accounts can be cached locally so that users who have previously authenticated can do so again even if a domain controller cannot be contacted. By default 10 accounts are cached locally, but in the event of a compromise an attacker could recover the cached credentials and use a brute-force attack to discover the passwords. It is recommended that this value be reduced so that fewer credentials are placed at risk, and so that credentials are cached for shorter periods on devices that are logged into frequently by multiple users (each new logon pushes the oldest cached entry out).

The group policy object below should be set to 4 or fewer logons:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available)
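The following is an added example (not part of the original checklist and not ISO's own code) that audits the three registry-backed settings referenced in items 6 (WDigest UseLogonCredential), 13 (NoConnectedUser) and 43 (cached logons) and reports any drift. The expected values are assumptions stated in the code: UseLogonCredential 0, NoConnectedUser 3 (blocks both adding and logging on with Microsoft accounts; 1 only blocks adding), and CachedLogonsCount at most 4, which Windows stores as a REG_SZ string under Winlogon. Run it from an elevated prompt.

```powershell
# Added example, not from the original checklist. Requires an elevated prompt.
# ASSUMPTION: target values 0 / 3 / <= 4 as described in the lead-in.
$Checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Name = 'UseLogonCredential'; Test = { param($v) $v -eq 0 }; Want = '0'
       AbsentOk = $true   # absent on Server 2016 means WDigest is already disabled
       Absent = 'Absent: disabled by default on 2016; set 0 explicitly so the state is auditable' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'NoConnectedUser'; Test = { param($v) $v -eq 3 }; Want = '3'
       AbsentOk = $false
       Absent = 'Missing: Microsoft accounts are not blocked' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'CachedLogonsCount'; Test = { param($v) [int]$v -le 4 }; Want = '<= 4'
       AbsentOk = $false
       Absent = 'Missing: the default of 10 cached logons applies' }
)

function Test-CredentialRegistrySettings {
    foreach ($c in $Checks) {
        $value = $null
        if (Test-Path $c.Path) {
            # Get-ItemProperty returns $null for a value that does not exist.
            $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        $pass = if ($null -eq $value) { $c.AbsentOk } else { & $c.Test $value }
        [pscustomobject]@{
            Setting = $c.Name
            Value   = if ($null -eq $value) { '(absent)' } else { $value }
            Want    = $c.Want
            Pass    = $pass
            Note    = if ($null -eq $value) { $c.Absent } else { '' }
        }
    }
}

Test-CredentialRegistrySettings | Format-Table -AutoSize

# Remediation on a standalone server (domain members: deploy the equivalent GPO):
#   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' UseLogonCredential 0 -Type DWord
#   Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' NoConnectedUser 3 -Type DWord
#   Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' CachedLogonsCount '4' -Type String
```

Note the distinction in the first check: an absent UseLogonCredential is acceptable on Server 2016, but a value of 1 is not, and since re-enabling WDigest is a well-known credential-theft step, a registry-change alert on that value is worth more than the one-time audit.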

44. The Account Logon audit policy logs the results of validation checks on credentials submitted for user account logon requests. The server that is authoritative for the credentials must have this audit policy enabled; for domain accounts that is the domain controller. On domain member machines, this policy will only log events for local user accounts.

Configure the group policy object below to match the listed audit settings:

Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Logon

  • Credential Validation – Success and Failure

45. Configure the group policy object below to match the listed audit settings:

Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management

  • Computer Account Management – Success and Failure
  • Other Account Management Events – Success and Failure
  • Security Group Management – Success and Failure
  • User Account Management – Success and Failure

46. Configure the group policy object below to match the listed audit settings:

Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff
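The following is an added example (not part of the original checklist and not ISO's own code) that applies the Account Logon and Account Management subcategories listed in items 44 and 45 with auditpol.exe and then verifies the effective settings. The Logon/Logoff subcategories for item 46 are not listed on this page, so the example does not configure them. Run it from an elevated prompt. On a domain member a GPO carrying Advanced Audit Policy settings will overwrite local auditpol changes at the next refresh, so use the GPO to deploy and this to verify.

```powershell
# Added example, not from the original checklist. Requires an elevated prompt.
# Subcategory names are the exact strings auditpol.exe uses.
$Required = @(
    'Credential Validation',           # Account Logon (item 44)
    'Computer Account Management',     # Account Management (item 45)
    'Other Account Management Events',
    'Security Group Management',
    'User Account Management'
)

function Set-RequiredAuditPolicy {
    foreach ($sub in $Required) {
        auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    }
}

function Test-RequiredAuditPolicy {
    # /r emits CSV with columns including Subcategory and "Inclusion Setting"
    # (values: "Success and Failure", "Success", "Failure", "No Auditing").
    $rows = auditpol.exe /get /category:* /r |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv
    foreach ($sub in $Required) {
        $row = $rows | Where-Object { $_.Subcategory -eq $sub } | Select-Object -First 1
        [pscustomobject]@{
            Subcategory = $sub
            Setting     = if ($row) { $row.'Inclusion Setting' } else { '(not found)' }
            Pass        = [bool]($row -and $row.'Inclusion Setting' -eq 'Success and Failure')
        }
    }
}

Set-RequiredAuditPolicy
Test-RequiredAuditPolicy | Format-Table -AutoSize
```

If the server also has legacy (category-level) audit settings applied, confirm that "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled, otherwise the legacy categories win and the verification above will report the subcategories as configured while the event log stays empty.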
