We hear a lot about server hardening, but what exactly is a hardened Windows server? Some IT auditors define it as a system that follows the recommendations of widely accepted hardening checklists. Other more paranoid types might think of it as a server that's completely locked down to the point that no one can connect to it. Then again, if you ask some people in management what a hardened server is, they'll often bring things full circle by responding with "What does hardened mean?"
Based on recommended industry standards, you might think you have the most unsecure Windows systems on the planet. Don't be too worried though. While the Center for Internet Security's
It seems everyone has a different assumption about Windows system hardening. Still, there's got to be a consensus on the level of hardening needed in your environment. So what do you focus on? It's simple -- look at what gets measured. What was the outcome of your last security assessment? What are your auditors looking for and auditing against? Is it internal policy? Maybe it's a certain regulation or standard? Perhaps it's what someone else has deemed a best practice?
Before you spend the time, money and effort hardening your systems, you need to know what's required of you. If you don't know what that is -- for example, if you've never had an independent assessment or internal audit -- then you have to start somewhere, right?
For the most part, not enough people bother tweaking their Windows server configurations until after something bad happens. That said, you have to be realistic and approach Windows hardening with some common sense. Look at what's important. Would your efforts to digitally sign SMB communications and to audit object-and-process tracking really buy you a lot -- especially when audit and assessment time comes along? Probably not. But what about renaming administrator and guest accounts and disabling certain unnecessary services? Well, maybe. It depends on what matters to your business. I see a lot of effort spent on the little things -- admins majoring in minors -- while the big things are often overlooked.
Here are some Windows server tweaks you can make right now that'll buy you a lot of bang for your buck (they're free!):
Lock down shares to ensure the right people are accessing the right information.
Disable SMB null sessions to prevent someone from prodding around and gathering system configuration information.
Enable the Windows Firewall or use a third-party alternative (this will limit what can be done on or to the server and will fix the null session issue to boot).
Make sure the latest patches are installed. (This is still a big problem on Windows servers.)
Run anti-malware software (failure to do so is another common oversight).
Require strong yet reasonable passphrases. Don't fall for common password myths.
Enable success auditing for account logon events, account management and policy changes.
Use disk encryption for systems that are exposed physically (servers can sprout legs too).
Be sure your basic Active Directory configuration is reasonably sound.
Whether you have Windows NT, 2000, Server 2003 or 2008, focusing on these basic essentials will do wonders for your server security status. There's probably no need (at least not yet) to tighten down every nook and cranny of your systems. Once you establish a hardening baseline using the above criteria, then you can work on further tightening the controls on your most critical servers if the business risks justify it. More on that in a future tip.
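An added example, not part of the original article: a read-only PowerShell check of three items from the list above (SMB null sessions, the Windows Firewall and success auditing). It assumes Windows Server 2008 or later, an elevated prompt and English audit category names; the pass criteria and the helper names Get-RegValue and New-Result are this example's own assumptions.

```powershell
# Added example: read-only audit of three checklist items. Run elevated.
# Assumes Windows Server 2008 or later and English auditpol category names.
function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value does not exist
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}
function New-Result($Check, $Pass, $Detail) {
    New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$fw  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

$results = & {
    # 1. SMB null sessions: values this example treats as restrictive (assumption).
    #    A missing value fails the check so that it gets a manual look.
    $nullSession = @(
        @{ Path = $lsa; Name = 'RestrictAnonymous';         Want = 1, 2 },
        @{ Path = $lsa; Name = 'RestrictAnonymousSAM';      Want = 1 },
        @{ Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Want = 0 },
        @{ Path = $srv; Name = 'RestrictNullSessAccess';    Want = 1 }
    )
    foreach ($c in $nullSession) {
        $v = Get-RegValue $c.Path $c.Name
        $detail = if ($null -eq $v) { 'not set' } else { "value $v" }
        New-Result "Null session: $($c.Name)" ($c.Want -contains $v) $detail
    }

    # 2. Windows Firewall: locally configured state per profile
    #    (StandardProfile is the Private profile; Group Policy can override these).
    foreach ($p in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $v = Get-RegValue "$fw\$p" 'EnableFirewall'
        New-Result "Firewall: $p" ($v -eq 1) "EnableFirewall = $v"
    }

    # 3. Success auditing for the three categories named in the list
    foreach ($cat in 'Account Logon', 'Account Management', 'Policy Change') {
        $rows = auditpol.exe /get /category:"$cat" /r | Where-Object { $_ } | ConvertFrom-Csv
        foreach ($r in $rows) {
            $setting = $r.'Inclusion Setting'
            New-Result "Audit: $cat / $($r.Subcategory)" ($setting -match 'Success') $setting
        }
    }
}

# Failed checks sort first
$results | Sort-Object Pass | Format-Table Check, Pass, Detail -AutoSize
```

The script changes nothing on the server; rows with Pass = False are the ones to review against your own policy.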
ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.
This was first published in May 2009