
Top Windows server hardening standards and guidelines

I previously wrote about the basics of Windows server hardening, with a specific focus on how much is enough. As I mentioned, you may just need to be concerned with the fundamentals of Windows server security right now; at least that's where the majority of Windows shops currently stand.

The common Windows server weaknesses are pretty well-known: shares not being locked down, null sessions being accessible, patches not current, malware and personal firewall software not installed, password policies out of whack, sufficient logging not enabled, and Active Directory design and management not up to par.
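The following read-only baseline check is an added example, not code from the original article or its author. It turns the list of common weaknesses above into concrete host-level checks: open shares, anonymous (null) session settings, patch currency, host firewall and anti-malware state, password policy, and audit logging. It assumes Windows Server 2012 R2 or later with the SmbShare and NetSecurity modules, an English locale (the `net accounts` and `auditpol` text it parses is localized), and an elevated PowerShell session; the thresholds (14-character minimum password length, a patch within 30 days) are illustrative assumptions, not values from the article. Active Directory design is not covered because it is not a single-host property.

```powershell
# Added example (not from the original article). Read-only baseline check for the
# weaknesses listed above. Assumes Server 2012 R2+, English locale, elevated session.
# Thresholds below are illustrative assumptions; adjust them to your own standard.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Shares: flag non-administrative shares that grant 'Everyone' any access
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccountName -match 'Everyone' -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $findings.Add("Share '$($share.Name)' grants Everyone: $($_.AccessRight)") }
}

# 2. Null sessions: anonymous enumeration is governed by these LSA registry values
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.RestrictAnonymous -ne 1)         { $findings.Add('RestrictAnonymous is not 1 (anonymous share enumeration allowed)') }
if ($lsa.RestrictAnonymousSAM -ne 1)      { $findings.Add('RestrictAnonymousSAM is not 1 (anonymous SAM enumeration allowed)') }
if ($lsa.EveryoneIncludesAnonymous -eq 1) { $findings.Add('EveryoneIncludesAnonymous is enabled') }

# 3. Patching: date of the most recent hotfix as a rough currency indicator (assumed 30-day window)
$lastFix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastFix -or $lastFix.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings.Add("No hotfix installed in the last 30 days (latest: $($lastFix.InstalledOn))")
}

# 4. Host firewall profiles and anti-malware real-time protection
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } |
    ForEach-Object { $findings.Add("Firewall profile '$($_.Name)' is disabled") }
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is off') }
} else {
    $findings.Add('Windows Defender cmdlets not present; verify third-party anti-malware manually')
}

# 5. Password policy: parse 'net accounts' (works on domain-joined and standalone hosts)
$acct   = net accounts
$minLen = [int](($acct | Select-String 'Minimum password length').ToString() -replace '\D', '')
if ($minLen -lt 14) { $findings.Add("Minimum password length is $minLen (assumed standard: 14 or more)") }
if (($acct | Select-String 'Lockout threshold').ToString() -match 'Never') {
    $findings.Add('Account lockout threshold is Never')
}

# 6. Logging: audit subcategories that should not be set to 'No Auditing'
foreach ($sub in 'Logon', 'Logoff', 'Account Lockout', 'Audit Policy Change', 'Security Group Management') {
    $line = auditpol /get /subcategory:"$sub" | Select-String -Pattern "^\s*$sub\s"
    if (-not $line -or $line.ToString() -match 'No Auditing') {
        $findings.Add("Audit subcategory '$sub' is not enabled")
    }
}

# Report
if ($findings.Count -eq 0) { 'No baseline findings.' }
else { $findings | ForEach-Object { "[FINDING] $_" } }
```

The script only reads state and prints findings; it changes nothing, so it is safe to run before an assessment to see which of the basics still need attention. Treat each finding as something to review against your own standard rather than as an automatic failure (an `Everyone: Read` share may be intentional), which is the point the rest of the article makes.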

My typical advice is to fix these basic flaws now before developing security standards and policies that fit into your organization's long-term needs and goals. But what if you've already addressed the basics, or want to know the recommended server hardening standards so that you can start integrating best practices into your work now? No matter what your approach is, there are certain Windows server security guidelines that must be on your radar.

So where can you turn to obtain widely-accepted guidance on locking down your existing and future Windows servers? Below is the lay of the land of Windows server hardening guides, benchmarks, and standards:

Finally, here are some resources in the commercial and quasi-commercial realms that I've found to be beneficial:

Now before you jump in head first and start locking everything down based on what these documents recommend, there are some key points to be aware of:

  1. You have to understand what you have and how it's at risk before you can realistically adopt any semblance of Windows server security standards. Start out with an information risk assessment (in-house or via an independent expert) that looks at both technical and operational issues related to the security of your Windows servers. You no doubt have threats and vulnerabilities in this area, but probably just haven't thought about them yet.

  2. These (or any other) Windows hardening standards shouldn't be construed as one-size-fits-all. Each of these guides/standards takes a different approach, so it's important to find the one that best fits your needs. Every network and server is different enough that you could actually consider this a no-size-fits-all dilemma. It all depends on your line of business, the regulations you're up against, the risks you uncover, and the criticality of each server and the information it stores and/or processes.

  3. You have to understand your management's view of security. Are they buying into security or do they think it only gets in the way of doing business? Based on your organization's leadership and culture, you'll likely have to tweak your hardening standards a bit. This usually means having to back off from some of these best practices to loosen things up and do what's right for the business overall. As frustrating as this might be, balancing Windows security with business needs is a big part of the process.

  4. No matter how tightly you lock down your Windows servers, they're still going to be exploitable in some way. It's important to get past the "everything's secure because we locked down our systems" mindset that so many auditors, regulators and managers believe is the law of the land. It never has been, nor will it ever be, so be sure not to let your Windows security guard down.

Remember, the best way to tackle a server hardening project is to go into it informed and armed with management support -- you'll be a lot more successful if you do.

ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.

This was first published in June 2009
