Enterprise organizations tend to rely heavily on group policy settings to secure and configure new servers. Even so, it is also important to configure each server's local security policy.
The Windows Server local security policy is similar to Active Directory level group policies but provides protection that is not dependent on the Active Directory. A server's local security policy can protect a server if someone disjoins a server from a domain, or logs in to a server using a local account. The nice thing about local security policies is the policy settings typically exist in the same location within the policy setting tree as its group policy counterparts. Although far from comprehensive, this article is a checklist of some of the more important items that should be configured at the local server level.
The server's firewall should be configured and enabled. When using a third-party firewall, follow the vendor's instructions. The Windows Firewall can be configured through the local security policy at: Security Settings \ Windows Firewall with Advanced Security \ Windows Firewall with Advanced Security – Local Group Policy Object, as shown in Figure A.
Another best practice is to disable any unnecessary system services. Doing so can improve the server's performance and security. The actual services that should be disabled will vary from one organization to the next, but administrators should disable anything that is not going to be used on the server. For example, many organizations disable the Windows Search service.
System services are commonly disabled by using the Service Control Manager, but depending on the version of Windows, administrators may be able to control system services through the local security policy. If available, the settings exist at: Computer Configuration \ Windows Settings \ Security Settings \ System Services.
Patch management settings
Even though patch management is usually handled at the domain level by Windows Server Update Services or by a third-party patch management solution, it can be configured at the local security policy level. This ensures that a server will continue to receive patches, even if it is somehow disassociated with the domain. The patch management related policy settings exist at: Computer Configuration \ Administrative Templates \ Windows Components \ Windows Update.
Remote desktop services
Another item to configure at the local security policy level is the Remote Desktop Services. The Remote Desktop Services make it possible to manage the server through a remote administrative session. By configuring the Remote Desktop Services at the local security policy level, administrators can enable remote administration, even if domain connectivity fails. The policy settings controlling the Remote Desktop Services reside at: Computer Configuration \ Administrative Templates \ Windows Components \ Remote Desktop Services.
Audit policy settings
Audit policies should also be configured at the local computer level, so that non-domain logins, privilege use and system events can be audited. It is up to each organization to determine the most appropriate auditing configuration, but I recommend performing success and failure audit logging for each of the following:
- Account logon
- Account management
- Policy change
- Privilege use
- System events
The audit settings are within the local security policy at: Security Settings \ Local Policies \ Audit Policy, as shown in Figure B.
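The five categories above can also be enforced and verified from an elevated PowerShell session with the built-in auditpol.exe; the script below is an added example, not part of the original article or of any Microsoft documentation. It assumes the legacy auditpol category names ("System" is the auditpol name for the article's "System events"), and note that setting subcategories this way overrides the legacy Audit Policy node unless the "force audit policy subcategory settings" security option is disabled.

```powershell
# Added example (not from the original article): enable success and failure
# auditing for the five categories the article recommends, then verify the result.
# Requires an elevated session; category names are auditpol's legacy names.
$categories = @(
    'Account Logon',
    'Account Management',
    'Policy Change',
    'Privilege Use',
    'System'          # auditpol's name for the "System events" category
)

foreach ($cat in $categories) {
    # Enable both success and failure auditing for every subcategory in the category
    & auditpol.exe /set /category:"$cat" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "auditpol /set failed for category '$cat' (exit code $LASTEXITCODE)"
    }
}

# Verify: /r prints CSV with one row per subcategory; check the 'Inclusion Setting' column.
# Blank lines are dropped before parsing because auditpol may emit one ahead of the header.
foreach ($cat in $categories) {
    $rows = & auditpol.exe /get /category:"$cat" /r |
        Where-Object { $_ -ne '' } |
        ConvertFrom-Csv
    $notFull = $rows | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' }
    if ($notFull) {
        Write-Warning "Category '$cat' still has subcategories not set to Success and Failure:"
        $notFull | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize
    } else {
        Write-Output "Category '$cat': all subcategories audit Success and Failure"
    }
}
```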
Acceptable use logon banner
Keep in mind that the local security policy is not the only thing administrators should address when deploying a new server. There are a number of other operating system level configuration tasks that should be performed on new servers. Some of these tasks might include installing drivers or hypervisor services, enabling antimalware protection and deploying backup agents.