Windows Server is a server operating system from Microsoft. Unlike UNIX-based operating systems, Windows Server offers ease of management through its graphical interface. It bundles a range of roles such as AD, DFS, DNS, DHCP, IIS, file and print services, and others. Understanding how to keep a Windows Server secure, optimized and well monitored can drastically reduce the risk of a successful attack. Below are the 9 best practices I follow for securing Windows Server.
1. Document your Windows Server: In order to keep a clean and secure Windows Server, it’s essential that everyone on the team is on the same page. This means documenting things like naming conventions and key security policies. Here’s a good checklist to start with:
- Identify all of your computers, users, domain, and OU naming conventions.
- Describe your OU hierarchy, DNS configuration, network numbering conventions, and DHCP configuration.
- List the main functions of your GPOs and how they are organized.
- Take note of the locations of AD’s Flexible Single Master Operation (FSMO) roles.
- Identify the organization’s policy for adding new user accounts and for revoking them.
- Describe the organization’s policy for user restrictions.
2. Control your Administration: Attackers are notorious for exploiting powerful accounts – local admins, privileged users, domain admins, etc. These accounts are often used by sysadmins to manage and deploy IT systems. So make sure only legitimate people have access to AD, and only to the appropriate OUs. Many security teams set up real-time alerts on any changes or additions to these groups, since such changes should happen very infrequently.
3. Limit the Number of Administrators: Don’t hand out admin privileges like Halloween candy; you’ll regret it. Each admin you add increases the risk exponentially: once one is compromised, it potentially exposes all the others. Why? Each admin may belong to groups the others do not, so one compromised account can lead to two, two to three, and so on. Make an effort to limit the number of admins and review periodically who holds admin rights.
4. Use Separate Administrative Accounts: Administrators responsible for IT operations should use separate admin accounts, distinct from their day-to-day user accounts. This makes approved admin access easier to track and document, and unusual admin access easier to spot. These accounts should be in their own OU – perhaps grouped by the roles they perform – so that you can apply targeted GPOs to them.
5. Restrict Elevated Built-In Groups: There are plenty of built-in groups, so make sure you restrict the elevated ones. My suggestion: disable “Guest” and rename “Administrator”, so that attacks relying on the default account names have less to work with.
6. Enforce Strong Password Rules: Don’t let convenience tempt you into short passwords! Protect service account passwords. Keep an eye on the Directory Services Restore Mode (DSRM) password and update it regularly – don’t let unauthorized accounts get hold of it!
7. Test Group Policy Settings: One way to make your environment more secure is to define security settings through Group Policy. Just make sure your GPOs are configured, enabled and don’t conflict with each other; where settings overlap, link order and precedence decide the effective result, which may differ from what any single GPO says.
8. Audit Important Events: A searchable audit trail of AD changes is a necessity. Whether it is GPO, user, or group membership changes, keep track of changes for forensic purposes.
9. Monitor AD for Signs of Compromise: To monitor risk on your domain, make sure you have tools and rules that detect AD changes and alert you when abnormal behavior occurs.
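Steps 2, 8 and 9 above all come down to knowing who sits in the privileged groups and who put them there. The following PowerShell is an added example, not code from the original post: it snapshots privileged group membership, diffs it against a saved baseline, and lists the last day’s group-add events from the Security log. It assumes the RSAT ActiveDirectory module, read access to a domain controller’s Security log, the “Audit Security Group Management” subcategory enabled (which produces events 4728/4732/4756), and a placeholder baseline path you should change.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module,
# rights to read the Security log on a domain controller, and the audit
# subcategory "Audit Security Group Management" enabled. Baseline path is a placeholder.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$BaselinePath     = 'C:\Secure\priv-groups-baseline.json'   # placeholder location

# Current membership, resolved recursively so nested groups do not hide members.
$current = @{}
foreach ($g in $PrivilegedGroups) {
    $current[$g] = @(Get-ADGroupMember -Identity $g -Recursive |
                     Select-Object -ExpandProperty SamAccountName | Sort-Object)
}

if (-not (Test-Path $BaselinePath)) {
    # First run: record the approved state for later comparison.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath; review it and re-run."
}
else {
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    foreach ($g in $PrivilegedGroups) {
        $diff = Compare-Object -ReferenceObject @($baseline.$g) -DifferenceObject $current[$g]
        foreach ($d in $diff) {
            $kind = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
            Write-Warning "$kind in '$g': $($d.InputObject)"
        }
    }
}

# Who added whom to which group in the last 24 hours, straight from the audit trail.
# 4728 = global group, 4732 = domain-local group, 4756 = universal group.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    # Read named fields from the event XML instead of relying on positional indexes.
    [xml]$x = $e.ToXml()
    $f = @{}
    foreach ($d in $x.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Group  = $f['TargetUserName']
        Member = $f['MemberName']
        By     = "$($f['SubjectDomainName'])\$($f['SubjectUserName'])"
    }
}
```

Run it on a schedule from a management host and route the warnings and event rows to whatever alerting the team already uses; an unexpected entry in either list is exactly the infrequent change step 2 says should trigger a review.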