Windows server hardening: How much is enough?


Kevin Beaver, CISSP
05.13.2009


We hear a lot about server hardening, but what exactly is a hardened Windows server? Some IT auditors define it as a system that follows the recommendations of widely accepted hardening checklists. Other more paranoid types might think of it as a server that's completely locked down to the point that no one can connect to it. Then again, if you ask some people in management what a hardened server is, they'll often bring things full circle by responding with "What does hardened mean?"

Based on recommended industry standards, you might think you have the most unsecure Windows systems on the planet. Don't be too worried though. While the Center for Internet Security's Windows Benchmarks and the DoD STIGs have their place, it's not always practical to do all things strictly by the book. You have to strike a balance between Windows security and business needs.

It seems everyone has a different assumption about Windows system hardening. Still, there's got to be a consensus on the level of hardening needed in your environment. So what do you focus on? It's simple -- look at what gets measured. What was the outcome of your last security assessment? What are your auditors looking for and auditing against? Is it internal policy? Maybe it's a certain regulation or standard? Perhaps it's what someone else has deemed a best practice?

Before you spend the time, money and effort hardening your systems, you need to know what's required of you. If you don't know what that is -- for example, if you've never had an independent assessment or internal audit -- then you have to start somewhere, right?

For the most part, not enough people bother tweaking their Windows server configurations until after something bad happens. That said, you have to be realistic and approach Windows hardening with some common sense. Look at what's important. Would your efforts to digitally sign SMB communications and to audit object-and-process tracking really buy you a lot -- especially when audit and assessment time comes along? Probably not. But what about renaming administrator and guest accounts and disabling certain unnecessary services? Well, maybe. It depends on what matters to your business. I see a lot of effort spent on the little things -- admins majoring in minors -- while the big things are often overlooked.

Here are some Windows server tweaks you can make right now that'll buy you a lot of bang for your buck (they're free!):

  • Lock down shares to ensure the right people are accessing the right information.
  • Disable SMB null sessions to prevent someone from prodding around and gathering system configuration information.
  • Enable the Windows Firewall or use a third-party alternative (this will limit what can be done on or to the server and will fix the null session issue to boot).
  • Make sure the latest patches are installed. (This is still a big problem on Windows servers.)
  • Run anti-malware software (failure to do so is another common oversight).
  • Require strong yet reasonable passphrases. Don't fall for common password myths.
  • Enable success auditing for account logon events, account management and policy changes.
  • Use disk encryption for systems that are exposed physically (servers can sprout legs too).
  • Be sure your basic Active Directory configuration is reasonably sound.
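
A read-only check of three items from this list (null sessions, the Windows Firewall and success auditing), added here as an example and not taken from the original tip. It assumes Windows Server 2008 or later, PowerShell 2.0 or later, an elevated prompt and English-language `netsh` output; the helper names and the pass/fail thresholds are this example's own choices.

```powershell
# Added example: reports on settings only, changes nothing.
function New-Result($Check, $Pass, $Detail) {
    New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent (the OS default then applies).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$results = @()

# 1. SMB null sessions: anonymous enumeration and anonymous pipe/share access.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$nullChecks = @(
    @($lsa, 'RestrictAnonymous'),
    @($lsa, 'RestrictAnonymousSAM'),
    @($srv, 'RestrictNullSessAccess'))
foreach ($c in $nullChecks) {
    $v = Get-RegValue $c[0] $c[1]
    # A missing value is reported as a failure so that it gets reviewed by hand.
    $detail = if ($v -eq $null) { 'not set, OS default applies' } else { "value = $v" }
    $results += New-Result "Null sessions: $($c[1])" ($v -ge 1) $detail
}

# 2. Windows Firewall: every profile should be ON.
#    (Expected to fail where a third-party firewall replaces it.)
$states = @(netsh advfirewall show allprofiles state |
    Select-String -Pattern '^State\s+(\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value })
$off = @($states | Where-Object { $_ -ne 'ON' })
$results += New-Result 'Windows Firewall profiles' `
    (($states.Count -gt 0) -and ($off.Count -eq 0)) "states: $($states -join ', ')"

# 3. Success auditing for the three categories named in the list.
foreach ($cat in 'Account Logon', 'Account Management', 'Policy Change') {
    $rows = @(auditpol /get "/category:$cat" /r | Where-Object { $_ } | ConvertFrom-Csv)
    $miss = @($rows | Where-Object { $_.'Inclusion Setting' -notmatch 'Success' } |
        ForEach-Object { $_.Subcategory })
    $results += New-Result "Success auditing: $cat" `
        (($rows.Count -gt 0) -and ($miss.Count -eq 0)) "without success auditing: $($miss -join ', ')"
}

$results | Select-Object Check, Pass, Detail | Format-Table -AutoSize -Wrap
```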

Whether you have Windows NT, 2000, Server 2003 or 2008, focusing on these basic essentials will do wonders for your server security status. There's probably no need (at least not yet) to tighten down every nook and cranny of your systems. Once you establish a hardening baseline using the above criteria, then you can work on further tightening the controls on your most critical servers if the business risks justify it. More on that in a future tip.


Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.

