Windows server hardening: How much is enough?

We hear a lot about server hardening, but what exactly is a hardened Windows server? Some IT auditors define it as a system that follows the recommendations of widely accepted hardening checklists. Other more paranoid types might think of it as a server that's completely locked down to the point that no one can connect to it. Then again, if you ask some people in management what a hardened server is, they'll often bring things full circle by responding with "What does hardened mean?"

Based on recommended industry standards, you might think you have the most insecure Windows systems on the planet. Don't be too worried though. While the Center for Internet Security's Windows Benchmarks and the DoD STIGs have their place, it's not always practical to do all things strictly by the book. You have to strike a balance between Windows security and business needs.


It seems everyone has a different assumption about Windows system hardening. Still, there's got to be a consensus on the level of hardening needed in your environment. So what do you focus on? It's simple -- look at what gets measured. What was the outcome of your last security assessment? What are your auditors looking for and auditing against? Is it internal policy? Maybe it's a certain regulation or standard? Perhaps it's what someone else has deemed a best practice?

Before you spend the time, money and effort hardening your systems, you need to know what's required of you. If you don't know what that is -- for example, if you've never had an independent assessment or internal audit -- then you have to start somewhere, right?

For the most part, not enough people bother tweaking their Windows server configurations until after something bad happens. That said, you have to be realistic and approach Windows hardening with some common sense. Look at what's important. Would your efforts to digitally sign SMB communications and to audit object-and-process tracking really buy you a lot -- especially when audit and assessment time comes along? Probably not. But what about renaming administrator and guest accounts and disabling certain unnecessary services? Well, maybe. It depends on what matters to your business. I see a lot of effort spent on the little things -- admins majoring in minors -- while the big things are often overlooked.

Here are some Windows server tweaks you can make right now that'll buy you a lot of bang for your buck (they're free!):

  • Lock down shares to ensure the right people are accessing the right information.

  • Disable SMB null sessions to prevent someone from prodding around and gathering system configuration information.

  • Enable the Windows Firewall or use a third-party alternative (this will limit what can be done on or to the server and will fix the null session issue to boot).

  • Make sure the latest patches are installed. (This is still a big problem on Windows servers.)

  • Run anti-malware software (failure to do so is another common oversight).

  • Require strong yet reasonable passphrases. Don't fall for common password myths.

  • Enable success auditing for account logon events, account management and policy changes.

  • Use disk encryption for systems that are exposed physically (servers can sprout legs too).

  • Be sure your basic Active Directory configuration is reasonably sound.
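The checklist above is the kind of thing an administrator can verify in a few minutes rather than take on faith. The following PowerShell script is an added example, not part of Kevin's tip, that runs read-only checks for most of those items (null sessions, firewall state, patch age, default account names, audit policy, minimum password length, BitLocker status and non-hidden shares readable by Everyone). It assumes Windows Server 2008 or later with PowerShell 2.0, `auditpol` and `netsh advfirewall` available, an elevated prompt, and two thresholds that are this example's own assumptions rather than anything the article prescribes: patches older than 45 days and a minimum passphrase length under 12 characters are reported. The Active Directory item is deliberately left out, since it depends on the domain rather than on one server.

```powershell
# Added example: read-only baseline check for the hardening list above.
# Assumptions: Windows Server 2008+, elevated PowerShell 2.0+, auditpol and netsh present.
# Nothing here changes configuration; every result is collected as a finding to review.

$findings = New-Object System.Collections.ArrayList
function Add-Finding([string]$Text) { $findings.Add($Text) | Out-Null }

# 1. SMB null sessions: LSA anonymous restrictions and server-side null session shares
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.RestrictAnonymous -ne 1)      { Add-Finding 'Lsa\RestrictAnonymous is not 1: anonymous share enumeration may be allowed' }
if ($lsa.RestrictAnonymousSAM -ne 1)   { Add-Finding 'Lsa\RestrictAnonymousSAM is not 1: anonymous SAM enumeration may be allowed' }
if ($lsa.EveryoneIncludesAnonymous -eq 1) { Add-Finding 'Lsa\EveryoneIncludesAnonymous is 1: anonymous users get Everyone permissions' }
$srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if ($srv.NullSessionShares) { Add-Finding "Shares listed in NullSessionShares: $($srv.NullSessionShares -join ', ')" }
if ($srv.RestrictNullSessAccess -eq 0) { Add-Finding 'LanmanServer\RestrictNullSessAccess is 0: null session access to shares allowed' }

# 2. Windows Firewall: any profile reporting OFF is a finding
$fwState = netsh advfirewall show allprofiles state
if ($fwState -match 'State\s+OFF') { Add-Finding 'Windows Firewall is OFF for at least one profile' }

# 3. Patch currency: newest hotfix install date (45-day threshold is an assumption)
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
             Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-45)) {
    Add-Finding 'No hotfix installed in the last 45 days; verify patching'
}

# 4. Default account names: RID 500 is the built-in Administrator, RID 501 the Guest
foreach ($acct in Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True") {
    if ($acct.SID -like '*-500' -and $acct.Name -eq 'Administrator') { Add-Finding 'Built-in Administrator (RID 500) still uses the default name' }
    if ($acct.SID -like '*-501' -and -not $acct.Disabled)           { Add-Finding 'Built-in Guest (RID 501) is enabled' }
}

# 5. Success auditing for the three categories named in the tip
foreach ($cat in 'Account Logon', 'Account Management', 'Policy Change') {
    $lines = auditpol /get /category:"$cat"
    # subcategory rows are indented; anything without 'Success' lacks success auditing
    $lines | Where-Object { $_ -match '^\s{2,}\S' -and $_ -notmatch 'Success' } |
        ForEach-Object { Add-Finding "No success auditing: $cat / $($_.Trim() -replace '\s{2,}', ' = ')" }
}

# 6. Minimum password length from local policy (12 is this example's threshold)
$minLenLine = (net accounts | Select-String 'Minimum password length').Line
if ($minLenLine -match '(\d+)\s*$') {
    if ([int]$Matches[1] -lt 12) { Add-Finding "Minimum password length is $($Matches[1]); consider a longer passphrase policy" }
} else {
    Add-Finding 'No minimum password length is enforced'
}

# 7. Disk encryption: report BitLocker protection state for the system drive if the tool exists
if (Get-Command manage-bde.exe -ErrorAction SilentlyContinue) {
    $bde = manage-bde -status $env:SystemDrive
    if ($bde -match 'Protection Status:\s+Protection Off') { Add-Finding "BitLocker protection is off for $env:SystemDrive" }
} else {
    Add-Finding 'BitLocker tooling not installed; disk encryption state unknown'
}

# 8. Shares: non-hidden disk shares (Type 0) whose share ACL grants Everyone anything
foreach ($share in Get-WmiObject Win32_Share | Where-Object { $_.Type -eq 0 -and $_.Name -notmatch '\$$' }) {
    try {
        $sec = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$($share.Name)'"
        $dacl = $sec.GetSecurityDescriptor().Descriptor.DACL
        if ($dacl | Where-Object { $_.Trustee.Name -eq 'Everyone' }) {
            Add-Finding "Share $($share.Name) ($($share.Path)) grants access to Everyone; review who needs it"
        }
    } catch {
        Add-Finding "Could not read share ACL for $($share.Name): $_"
    }
}

# Report
if ($findings.Count -eq 0) { 'Baseline checks passed.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it as a script on each server and keep the output with your change records; the point is not to fix anything automatically but to show which of the free tweaks are actually in place before audit time, and to re-run it after changes to confirm they stuck.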

Whether you have Windows NT, 2000, Server 2003 or 2008, focusing on these basic essentials will do wonders for your server security status. There's probably no need (at least not yet) to tighten down every nook and cranny of your systems. Once you establish a hardening baseline using the above criteria, then you can work on further tightening the controls on your most critical servers if the business risks justify it. More on that in a future tip.

Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.

This was first published in May 2009
