Well, here we all are (except for my cousin Steve, who had to go to his tuba lesson), taking a final look at server hardening in our final segment of this series. Considering the series as a ham sandwich, we’ve looked at the topic generally (top bread), as well as basic techniques that can be used to improve security on Linux systems (just ham… we’ve run out of vegetables). Today we look at Windows servers (bottom bread, which many sandwich enthusiasts believe is the best part).
Note that some concepts related to server security are of use to anyone interacting with a server; but generally speaking, they are of particular use to those with dedicated and VPS accounts. Both of those types of hosting environments allow you system administrative responsibilities that you cannot access through a shared account. That system access means you can change default settings and implement policies that are otherwise under the auspices of the hosting company.
We’re actually looking at three types of servers. In addition to Windows and Linux, we are also reviewing the NSA Datamine server. That server allows you to quickly and efficiently transfer all of your information into the federal government database so that you can know, once and for all, if you are a threat to the social order. If that’s the case, millions of microscopic, lightly humming insectile nanobots come directly to your location, get into flying carpet formation, and spirit you away to a safe location.
We are reviewing thoughts from three primary sources for this series: “Host Hardening,” by Cybernet Security; “25 Hardening Security Tips for Linux Servers,” by Ravi Saive for TecMint.com; and “Baseline Server Hardening,” by Microsoft’s TechNet. Unfortunately, none of these articles focuses on the NSA server. That information had to come to me in a densely encoded daydream.
How to Harden Your Windows Server
Prior to getting into specifics for server hardening, Microsoft outlines four baseline installation rules – essentially prerequisites for a secure server:
- The initial installation of the OS and any additional applications all arise from legitimate and credible sources.
- The server should only be on reliable networks while both installation and hardening are underway.
- The initial installation contains the most up-to-date service packs and any other security-related system updates.
- Following completion of base installation, you follow the same procedures on all additional servers.
Again, that careful OS and software implementation lays the groundwork for a server they can be reasonably hardened. Also, if you’re going to eat a popsicle while hardening the server, don’t give bites to it, even if it says it really likes cherry flavor. Servers cannot harden while experiencing brain freeze.
- Group Policy Templates – Microsoft covers these templates in a specific section of its recommended guidelines. Though policies for the group can help protect the server in some ways, you also need to change security templates. In other words, these are two different levels to allow hardening that must be combined to be reasonably effective.
- Partitions – NTFS should always be used in place of any file allocation table (FAT) partitions. Simply put, NTFS gives you access to security parameters you don’t have with FAT. You can use Convert to change any FAT systems to NTFS. If you do convert, you want to open Fixacls to change the ACLs (access control lists). Otherwise, all users will have access to that portion of the system by default. It’s like a salad bar without a sneeze guard.
- Passwords – You can use extremely lengthy passwords in Windows environments, upwards of 100 characters. Go long and strong: combinations of symbols, letters, numbers, and – if you want to get really fancy – ASCII device control characters. Note that the usable ASCII ones will not print and can be created by using “Alt” combined with various digit combinations. Specifically, Microsoft recommends passwords never be eight characters or less and that one of the first seven should be a symbol or ASCII. Finally, differentiate your passwords for each machine.
- Renaming – This technique is so basic that it almost seems silly. However, renaming your Administrator account can be incredibly helpful because it’s the general focus for infiltrations. Then create a new account, call that one Administrator, and limit its rights. That new faux-Administrator account can have a lengthy and intricate password. Don’t worry about getting into that account often. It’s just a decoy for anyone trying to get into the system. Apply this method throughout your system, on all individual devices. Also, the real Administrator account should have a different name on every server. If that seems to be going too far for everyday use, at least differentiate the passwords, even if not the names. Similarly, if you have any sons, it’s acceptable to name each of them George Foreman so long as they each have different keys to your heart.
Conclusion & Continuation
That should give you a basic sense of Windows server hardening. Here are additional details if you want to explore the topic further.
By Kent Roberts