Top Windows server hardening standards and guidelines


Kevin Beaver, CISSP
06.11.2009


I previously wrote about the basics of Windows server hardening, with a specific focus on how much is enough. As I mentioned, you may just need to be concerned with the fundamentals of Windows server security right now; at least that's where the majority of Windows shops currently stand.

The common Windows server weaknesses are pretty well-known: shares not being locked down, null sessions being accessible, patches not current, anti-malware and personal firewall software not installed, password policies out of whack, sufficient logging not enabled, and Active Directory design and management not up to par.
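As an added example (not part of the original article), the following PowerShell script performs a read-only check for each of the weaknesses listed above on a current Windows Server (2012 or later, where Get-SmbShare and Get-NetFirewallProfile exist). The thresholds (12-character minimum, 45 days since the last hotfix) and the English-language parsing of net accounts and auditpol output are assumptions, not values taken from any of the guides the article names.

```powershell
# Added example: baseline check for the common weaknesses named in the text.
# Run from an elevated PowerShell session on the server being reviewed.
$findings = @()

# 1. Null sessions: LSA values that restrict anonymous enumeration.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.RestrictAnonymousSAM -ne 1) { $findings += 'Anonymous SAM enumeration not restricted (RestrictAnonymousSAM != 1)' }
if ($lsa.RestrictAnonymous -lt 1)    { $findings += 'Anonymous share/pipe enumeration not restricted (RestrictAnonymous < 1)' }

# 2. Shares: any non-administrative share that grants Everyone access.
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $everyone = Get-SmbShareAccess -Name $_.Name |
        Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }
    if ($everyone) { $findings += "Share '$($_.Name)' grants Everyone access" }
}

# 3. Patching: most recent hotfix older than the assumed 45-day window.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest -or $latest.InstalledOn -lt (Get-Date).AddDays(-45)) {
    $findings += 'No hotfix installed in the last 45 days'
}

# 4. Host firewall and anti-malware: every profile enabled, Defender service running.
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } |
    ForEach-Object { $findings += "Firewall profile '$($_.Name)' is disabled" }
$defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if (-not $defender -or $defender.Status -ne 'Running') {
    $findings += 'WinDefend not running; confirm another anti-malware agent is installed'
}

# 5. Password policy: parse the English 'net accounts' output (assumption).
$net     = net accounts
$minLen  = [int](($net | Select-String 'Minimum password length').Line -replace '\D', '')
$lockout = [int](($net | Select-String 'Lockout threshold').Line -replace '\D', '')   # 'Never' -> 0
if ($minLen -lt 12) { $findings += "Minimum password length is $minLen (assumed floor: 12)" }
if ($lockout -eq 0) { $findings += 'Account lockout threshold is Never' }

# 6. Logging: success auditing for the Logon subcategory.
$audit = auditpol /get /subcategory:"Logon"
if (-not ($audit -match 'Success')) { $findings += 'Logon auditing does not record success events' }

if ($findings) { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
else           { Write-Output 'No baseline findings' }
```

Each FINDING line maps back to one item in the list above, so the output doubles as a starting inventory for the risk assessment the article recommends later.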

My typical advice is to fix these basic flaws now before developing security standards and policies that fit into your organization's long-term needs and goals. But what if you've already addressed the basics, or want to know the recommended server hardening standards so that you can start integrating best practices into your work now? No matter what your approach is, there are certain Windows server security guidelines that must be on your radar.

So where can you turn to obtain widely-accepted guidance on locking down your existing and future Windows servers? Below is the lay of the land of Windows server hardening guides, benchmarks, and standards:

  • Windows Server 2008 Security Guide (Microsoft) -- The one and only resource specific to Windows 2008.
  • Windows Server 2003 Security Guide (Microsoft) -- A good resource, straight from the horse's mouth.
  • Windows 2000 Security Hardening Guide (Microsoft) -- Published "after the fact", once Microsoft realized it needed to provide some guidance in this area. Still worth a look-see, though.
  • Windows Benchmarks (The Center for Internet Security) -- Arguably the best and most widely-accepted guide to server hardening.
  • Guide to General Server Security (NIST) -- Generic in nature, but still a good resource.
  • Windows 2000/XP/2003/Vista Addendum, V6R1 (Defense Information Systems Agency) -- These Security Technical Implementation Guides are growing in popularity, especially among IT auditors, so it may be good to get to know this one as well.

Finally, here are some resources in the commercial and quasi-commercial realms that I've found to be beneficial:

Now before you jump in head first and start locking everything down based on what these documents recommend, there are some key points to be aware of:

  1. You have to understand what you have and how it's at risk before you can realistically adopt any semblance of Windows server security standards. Start out with an information risk assessment (in-house or via an independent expert) that looks at both technical and operational issues related to the security of your Windows servers. You no doubt have threats and vulnerabilities in this area, but probably just haven't thought about them yet.
  2. These (or any other) Windows hardening standards shouldn't be construed as one-size-fits-all. Each of these guides/standards takes a different approach, so it's important to find the one that best fits your needs. Every network and server is different enough that you could actually consider this a no-size-fits-all dilemma. It all depends on your line of business, the regulations you're up against, the risks you uncover, and the criticality of each server and the information it stores and/or processes.
  3. You have to understand your management's view of security. Are they buying into security or do they think it only gets in the way of doing business? Based on your organization's leadership and culture, you'll likely have to tweak your hardening standards a bit. This usually means having to back off from some of these best practices to loosen things up and do what's right for the business overall. As frustrating as this might be, balancing Windows security with business needs is a big part of the process.
  4. No matter how tightly you lock down your Windows servers, they're still going to be exploitable in some way. It's important to get past the "everything's secure because we locked down our systems" mindset that so many auditors, regulators and managers believe is the law of the land. It never has been nor will it ever be, so be sure not to let your Windows security guard down.

Remember, the best way to tackle a server hardening project is to go into it informed and armed with management support -- you'll be a lot more successful if you do.


Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.

