Your Windows Server 2012 and Server 2012 R2-based systems are at risk of attack. What was assumed to be Microsoft's most secure server OS is merely a sitting duck on most networks. But why?
Remember decades ago, when Microsoft made one bad decision after another in securing its Windows server OS? It started in the days of LAN Manager and continued with Windows NT. Windows NT was followed by Windows 2000 Server, with weak storage of password hashes in the SAM database, network shares open by default to the Everyone group, and the unpredictable release of security hotfixes and patches. And then there was the Windows registry architecture to boot.
Those days are gone, folks. Most of the serious vulnerabilities have vanished. Microsoft is no longer the problem.
We all love to hate the company from time to time, but Microsoft has gone above and beyond the call of duty in securing its latest server operating system. This is not only because of its hardening out of the box and the role-based approach of the Security Configuration Wizard, but also because of the resources the company provides to customers and the community as a whole. Security Compliance Manager, for example, provides security baselines you can tailor to your organization's specific needs and deploy to lock down the OS even further.
As I write this, I'm running a vulnerability scan of a fresh Windows Server 2012 installation with all of the roles and features enabled, using Rapid7's Nexpose, a top commercial vulnerability scanner. It doesn't matter whether I run the scan with or without authentication: there are no major security flaws of concern beyond password policies that haven't been tweaked yet, DNS recursion that hasn't yet been disabled and patches that haven't yet been applied. I know I'd get the same general results using QualysGuard, LanGuard or other vulnerability scanners.
So, where does that leave things with securing Windows Server 2012? Why are vulnerabilities still cropping up in larger security assessments and penetration tests of Windows Server 2012 and 2012 R2 installations? Why are breaches still occurring? The answer is actually pretty simple, but the fix is complex: It's a people problem.
As with any aspect of security, all security bets are off once people get involved. The issues with securing Windows Server 2012 tend to unfold by our own hands. Take these three examples.
- Business processes call for quick and easy access. Rather than getting the right people involved, thinking things through to engineer security options or implementing necessary mitigating controls, it becomes a case of "open up the access and we'll figure it out later."
- Compliance and subsequent audits make people nervous. Most people I know would rather do something half-heartedly but on time, such as running through a high-level checklist to pass an audit, than take the time to get to the heart of the problems. The most common reasons include poor communication and a lack of money.
- People are hesitant to rock the boat. Rather than do things right in Windows Server 2012, it's easier and less risky to go with the flow. People hesitate to enforce complex passwords or apply patches when there's a risk involved, because they may not be comfortable doing something a vendor or department head didn't decide for them. People may also hesitate to close off server shares that invite internal wrongdoing, or to ensure the necessary resources are allocated to properly manage audit logs and security events.
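The items in the scan results and in the list above (a password policy nobody tightened, DNS recursion left on, shares open to Everyone, patches not applied, audit logs nobody sized) can all be checked locally before a scanner or an auditor does it for you. The PowerShell below is an added example written for this page, not a script from the original column or from Microsoft. It assumes an elevated session on the server itself, the DnsServer and SmbShare modules that ship with Server 2012, the ActiveDirectory module only where it happens to be installed, English `net accounts` output, and that the 14-character minimum and 1 GB Security log size are local standards you would choose yourself rather than Microsoft defaults.

```powershell
# Added example for this page, not code from the original column or from
# Microsoft. Audits the baseline items the column says keep surfacing on
# Windows Server 2012 / 2012 R2 systems: password and lockout policy, DNS
# recursion, SMB shares open to Everyone, missing updates and Security log size.
# Assumes an elevated PowerShell session on the server being checked.

function Invoke-BaselineAudit {
    param(
        [int]$MinPasswordLength = 14,        # assumed local standard, not a Microsoft default
        [long]$MinSecurityLogBytes = 1GB     # assumed local standard, not a Microsoft default
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Password and lockout policy. With the ActiveDirectory module present the
    #    domain's default policy is reported; otherwise parse 'net accounts' for
    #    the local policy and secedit's export for the complexity flag.
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory
        $pol     = Get-ADDefaultDomainPasswordPolicy
        $minLen  = $pol.MinPasswordLength
        $complex = $pol.ComplexityEnabled
        $lockout = $pol.LockoutThreshold
    } else {
        $na      = net accounts
        $minLen  = [int](($na | Select-String 'Minimum password length').Line -replace '\D', '')
        $lockout = [int](($na | Select-String 'Lockout threshold').Line -replace '\D', '')   # "Never" parses to 0
        $inf     = Join-Path $env:TEMP 'secpol-audit.inf'
        secedit /export /cfg $inf /quiet | Out-Null
        $complex = Select-String -Path $inf -Pattern '^PasswordComplexity\s*=\s*1' -Quiet
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
    if ($minLen -lt $MinPasswordLength) { $findings.Add("Minimum password length is $minLen; policy wants $MinPasswordLength") }
    if ($complex -eq $false)            { $findings.Add("Password complexity is not enforced") }
    if ($lockout -eq 0)                 { $findings.Add("Account lockout threshold is 0 (accounts never lock out)") }

    # 2. DNS recursion. Only meaningful when the DNS Server role is installed;
    #    an Internet-facing DNS server answering recursive queries is what the
    #    scanner flags.
    if (Get-Command Get-DnsServerRecursion -ErrorAction SilentlyContinue) {
        if ((Get-DnsServerRecursion).Enable) {
            $findings.Add("DNS server answers recursive queries; run Set-DnsServerRecursion -Enable `$false unless this box is meant to be an internal resolver")
        }
    }

    # 3. Share-level ACLs that grant Everyone anything. Hidden administrative
    #    shares (C$, ADMIN$, IPC$) are skipped; NTFS permissions are a separate check.
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { $findings.Add("Share '$($share.Name)' grants Everyone $($_.AccessRight) at the share level") }
    }

    # 4. Applicable updates that are not installed, via the Windows Update Agent
    #    COM API. Needs reachability to WSUS or Microsoft Update, hence the try/catch.
    try {
        $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $missing  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
        foreach ($u in $missing) { $findings.Add("Missing update: $($u.Title)") }
    } catch {
        $findings.Add("Could not query the Windows Update Agent: $($_.Exception.Message)")
    }

    # 5. Security log sizing, so events survive long enough for someone to review them.
    $sec = Get-WinEvent -ListLog Security
    if ($sec.MaximumSizeInBytes -lt $MinSecurityLogBytes) {
        $findings.Add("Security log maximum size is $([math]::Round($sec.MaximumSizeInBytes / 1MB)) MB; policy wants $($MinSecurityLogBytes / 1MB) MB")
    }

    return $findings
}

# Usage: run elevated; an empty result means none of the five checks fired.
Invoke-BaselineAudit | ForEach-Object { Write-Output "FINDING: $_" }
```

The point of running this yourself is the third bullet above: each finding maps to a one-line fix (`Set-DnsServerRecursion`, `Revoke-SmbShareAccess`, a Group Policy edit, an update install) that nobody needs a vendor or department head to sign off on, and the share check in particular will tell you quickly whether the "open it up and we'll figure it out later" shares from the first bullet are still open.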
When you put people into the equation, Microsoft's most resilient OS ends up about as well off as its predecessors from 10 or more years ago. It's security at its worst.
You can boost your security by taking a step back, looking at your environment and seeing what actually needs to be done. Your Windows Server 2012- and Server 2012 R2-based systems used to be secure servers. The odds are high that they're no longer that way. Ask yourself what's working and what's not. Better yet, bring someone in to tell you what needs attention. Have the courage to stand up for what's right with securing Windows Server 2012. It's more than just installing the OS and forgetting about it -- it's fixing the people problems at the core.
About the author:
Kevin Beaver has worked for himself for more than 11 years as an information security consultant, expert witness and professional speaker with Atlanta-based Principle Logic LLC. He specializes in performing independent security assessments revolving around information risk management and is the author and co-author of many books, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking for Dummies.