
What to configure in Windows Server local security policy

Organizations should configure the local security policy for new servers to handle patch management and for protection against unauthorized access.

Enterprise organizations tend to rely heavily on group policy settings to secure and configure new servers. Even so, it is also important to configure each server's local security policy.

The Windows Server local security policy is similar to Active Directory level group policies but provides protection that is not dependent on the Active Directory. A server's local security policy can protect a server if someone disjoins a server from a domain, or logs in to a server using a local account. The nice thing about local security policies is the policy settings typically exist in the same location within the policy setting tree as its group policy counterparts. Although far from comprehensive, this article is a checklist of some of the more important items that should be configured at the local server level.

The firewall

The server's firewall should be configured and enabled. When using a third-party firewall, follow the vendor's instructions. The Windows Firewall can be configured through the local security policy at: Security Settings \ Windows Firewall with Advanced Security \ Windows Firewall with Advanced Security – Local Group Policy Object, as shown in Figure A.

Figure A. The Windows Firewall can be configured through the local security policy.
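The same firewall configuration applied from an elevated PowerShell session, as an added example that is not part of the original article. It writes to the local persistent store the policy snap-in edits, then reads the effective state from the ActiveStore, because a domain GPO can silently override the local value.

```powershell
# Added example, not from the original article. Assumes an elevated session and the
# NetSecurity module (Windows Server 2012 and later).

# Enable every profile, block unsolicited inbound traffic, allow outbound, log dropped packets.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -PolicyStore PersistentStore

# PersistentStore is only the local setting; ActiveStore is what is actually in force
# after group policy has been merged in.
$effective = Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, LogBlocked

$effective | Format-Table -AutoSize

# Flag any profile that is still disabled or does not block inbound traffic by default.
$weak = $effective | Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' }
if ($weak) { Write-Warning "Firewall profile(s) not hardened: $($weak.Name -join ', ')" }
```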

System services

Another best practice is to disable any unnecessary system services. Doing so can improve the server's performance and security. The actual services that should be disabled will vary from one organization to the next, but administrators should disable anything that is not going to be used on the server. For example, many organizations disable the Windows Search service.

System services are commonly disabled by using the Service Control Manager, but depending on the version of Windows, administrators may be able to control system services through the local security policy. If available, the settings exist at: Computer Configuration \ Windows Settings \ Security Settings \ System Services.
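An added example (not from the original article) of disabling unneeded services the way the paragraph describes, with one check the policy editor does not perform for you: a service with running dependents is reported instead of disabled. The service list is an assumption; only Windows Search (WSearch) is named in the article.

```powershell
# Added example, not from the original article. Assumes an elevated session.
# Review the server's role before extending this list.
$unneeded = @('WSearch')

foreach ($name in $unneeded) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host "$name is not installed; skipping"; continue }

    # Stopping a dependency breaks whatever still depends on it, so surface that instead.
    $running = $svc.DependentServices | Where-Object Status -eq 'Running'
    if ($running) {
        Write-Warning "$name has running dependents ($($running.Name -join ', ')); not disabling"
        continue
    }

    Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $name -StartupType Disabled
}

# Verify: StartMode must be Disabled and State must not be Running.
Get-CimInstance Win32_Service -Filter "Name='WSearch'" |
    Select-Object Name, StartMode, State
```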

Patch management settings

Even though patch management is usually handled at the domain level by Windows Server Update Services or by a third-party patch management solution, it can be configured at the local security policy level. This ensures that a server will continue to receive patches, even if it is somehow disassociated with the domain. The patch management related policy settings exist at: Computer Configuration \ Administrative Templates \ Windows Components \ Windows Update.
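The registry values that the "Configure Automatic Updates" administrative template writes, set directly and read back, as an added example that is not from the original article. The schedule (download and install automatically, every day at 03:00) is an assumption chosen for illustration.

```powershell
# Added example, not from the original article. Assumes an elevated session.
# These values are what the local "Configure Automatic Updates" policy setting writes.
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
New-Item -Path $au -Force | Out-Null

# NoAutoUpdate=0 keeps automatic updating on; AUOptions=4 = auto download and schedule the install.
Set-ItemProperty -Path $au -Name NoAutoUpdate         -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions            -Value 4 -Type DWord
Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Value 0 -Type DWord   # 0 = every day
Set-ItemProperty -Path $au -Name ScheduledInstallTime -Value 3 -Type DWord   # hour, 24h clock

# Read back what will be enforced. A domain GPO writes the same key, so this local value is
# the effective one only while the server is not receiving group policy.
Get-ItemProperty -Path $au |
    Select-Object NoAutoUpdate, AUOptions, ScheduledInstallDay, ScheduledInstallTime
```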

Remote desktop services


Another item to configure at the local security policy level is the Remote Desktop Services. The Remote Desktop Services make it possible to manage the server through a remote administrative session. By configuring the Remote Desktop Services at the local security policy level, administrators can enable remote administration, even if domain connectivity fails. The policy settings controlling the Remote Desktop Services reside at: Computer Configuration \ Administrative Templates \ Windows Components \ Remote Desktop Services.

Audit policy settings

Audit policies should also be configured at the local computer level, so that non-domain logins, privilege use and system events can be audited. It is up to each organization to determine the most appropriate auditing configuration, but I recommend performing success and failure audit logging for each of the following:

  • Account logon
  • Account management
  • Policy change
  • Privilege use
  • System events

The audit settings are within the local security policy at: Security Settings \ Local Policies \ Audit Policy, as shown in Figure B.

Figure B. Audit settings are controlled within the local security policy.
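The five categories recommended above, set to success and failure with auditpol.exe and then verified per subcategory, as an added example that is not from the original article. The category names are auditpol's own; its "System" category is the article's "System events".

```powershell
# Added example, not from the original article. Assumes an elevated session.
$categories = @('Account Logon', 'Account Management', 'Policy Change', 'Privilege Use', 'System')

foreach ($cat in $categories) {
    # /set at category level applies to every subcategory beneath it.
    auditpol.exe /set /category:"$cat" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for category '$cat'"; continue }

    # /r emits CSV, one row per subcategory; confirm each is at 'Success and Failure'.
    $rows = auditpol.exe /get /category:"$cat" /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    $gaps = $rows | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' }
    foreach ($g in $gaps) {
        Write-Warning "$cat / $($g.Subcategory): $($g.'Inclusion Setting')"
    }
}
```

On Windows Server 2008 R2 and later these subcategory settings take precedence over the legacy category settings shown in Figure B by default, so auditpol is the place to verify what is actually being logged.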

Acceptable use logon banner

It is also a good idea to use the local security policy to display a logon banner on the servers. Such a banner can display the terms of use or a warning against unauthorized access. The policy settings used to display such a banner are located at: Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options. The policy settings that control the logon banner are Interactive Logon: Message Text for Users Attempting to Log On and Interactive Logon: Message Title for Users Attempting to Log On.
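The two Security Options named above, set by writing the registry values they map to and then read back, as an added example that is not from the original article. The banner wording is a constructed placeholder; substitute the organization's approved text.

```powershell
# Added example, not from the original article. Assumes an elevated session.
# legalnoticecaption and legalnoticetext are the values behind the two Interactive Logon settings.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$title = 'Authorized use only'                      # constructed placeholder
$text  = @'
This system is for authorized users only. Activity may be monitored and recorded.
By continuing you acknowledge and consent to these terms.
'@

Set-ItemProperty -Path $key -Name legalnoticecaption -Value $title -Type String
Set-ItemProperty -Path $key -Name legalnoticetext    -Value $text  -Type String

# Verify: an empty caption or text means no banner is shown at logon.
$banner = Get-ItemProperty -Path $key -Name legalnoticecaption, legalnoticetext
if ([string]::IsNullOrWhiteSpace($banner.legalnoticecaption) -or
    [string]::IsNullOrWhiteSpace($banner.legalnoticetext)) {
    Write-Warning 'Logon banner is not configured'
} else {
    "Title: $($banner.legalnoticecaption)"
    "Text:  $($banner.legalnoticetext)"
}
```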

Keep in mind that the local security policy is not the only thing administrators should address when deploying a new server. There are a number of other operating system level configuration tasks that should be performed on new servers. Some of these tasks might include installing drivers or hypervisor services, enabling antimalware protection and deploying backup agents.


This was last published in May 2016
