What is server hardening? There are many different ways for a hacker to attack a Windows server, from unpatched system vulnerabilities to misconfigured settings, unnecessary protocols, or vulnerable applications. The process of getting these vulnerabilities closed off or patched (or at least most of them) is server hardening
Unfortunately, like a bodybuilder, a hardened system does not stay hard without continuous attention. OS, driver and application patches must be updated promptly; user and application settings should be checked regularly, security systems should be installed, and logging should be enabled to identify what attacks are being tried against the server.
Table of Contents
Windows Server Hardening Checklist
#1 Update Installation
In server hardening process many administrators are reluctant to automatically install Windows patches since the chances of a patch causing problems with either the OS or an application are relatively high. There are a number of solutions beyond manually installing patches, such as Microsoft management server products or third-party solutions (some of which cannot only manage OS patches, but also hardware drivers, application software patches, plus a wide variety of other system management tasks). Some can install patches in a sandbox environment, allowing you to test them before applying them to production systems.
Server hardening software can make the needed changes for you, rather than requiring an admin to manually change settings. There are also many pricing models, from per server per month to a fixed price for any number of servers. The number of servers you have and the amount of free time your administrator has will guide you to the best server hardening tool option.
#2 User Configuration
At the simplest level, this server hardening step refers to basic confirmation options, like requiring complex passwords for all user and administrative accounts, or enabling two-factor authentication or other enhanced security models like biometrics. There are server hardening tools that can help you to audit user, application and administrative accounts, and ensure that passwords are sufficiently complex and are changed as required. It also includes limiting rights for any given account to those strictly necessary.
It’s often the case that some roles, whether accounts used to execute SQL Server commands or user accounts belonging to executives, will wind up with more rights than they should, either because the users want all rights (whether they need them or not), or because troubleshooting applications is harder than just granting administrative rights.
Unfortunately, giving excess rights to these accounts and users can result in malware being installed when a user clicks on a malware link. Or it can result in an SQL exploit in your e-commerce application that allows a hacker to access data they shouldn’t be able to read. In server hardening process it can truly be a pain to make some applications work with limited rights, but it is one of the best ways to block attacks, many of which that have resulted in well-publicized breaches over the last few years.
At the simplest level, a firewall maps TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) port from external requests to specific ports on internal servers. Blocking all ports by default and then enabling only the ones needed to get applications to work is a basic step in server hardening.
This can actually be done at different levels — the firewall/router that is the interface between the Internet and the internal private network on each Windows (or other) server, and at the application level. In addition to disabling unused protocols, you can also map ports from the standard number (for example, port 80 for HTTP and port 443 for secure HTTP) to alternate port numbers.
#4 Features and Roles Configuration
During the server hardening process, in addition to limiting the rights of accounts that are used by users and applications, it’s also a good idea to create roles, remove others, and add or subtract Windows Features as needed. For instance, creating sub-roles for lower-tier administrators means that access doesn’t need to be an all-or-nothing affair. Junior administrators can be given the right to edit users’ configuration files without letting them view private files in users’ home directories or providing access to the configuration settings for file or application servers.
SQL administrators can likewise be given rights to create and run test queries on some servers while being blocked from making changes to production servers. Features work in similar ways at the application level — If there’s no need for an HTTP or HTTPS server on an SQL or file server, removing that role can reduce potential attack vectors and other vulnerabilities at this step of server hardening.
#5 NTP (Network Time Protocol) Configuration
Network Time Protocol is intended to ensure that all servers in an organization (whether all in one data center or located all over the world) are synced up to the same time standard. Servers or workstations out of sync by as little as a few minutes can cause configuration errors or leave the potential for security holes. However, some caution should be used when implementing NTP. For instance, by default, Windows Servers and workstations are set to use time.windows.com to get their Internet time. This can introduce vulnerabilities, since man-in-the-middle attacks and other spoofing count on systems using this standard.
A safer option may be to set up one system, perhaps even a Linux system or other system with no other roles, and have that system get its time synchronization from one of the major Internet NTP servers (such as pool.ntp.org) and then have all the other servers in your organization poll that NTP server to get their time.
#6 Firewall Configuration
In terms of server hardening firewalls can be critical to stopping most hacking attacks. If an outside connection cannot reach an internal system, it can’t steal information. Blocking everything by default and whitelisting only the necessary ports is a good start, but firewalls can also create logs of every attempt to connect to an internal system. Scanning these logs can give you a good idea of whether attempts are caused by users with incorrect login credentials, or by hackers for hire working for your competitors.
In addition, many firewalls can detect traffic that is typical for certain attacks, or identify internal users or applications that are sending information to an outside system. Using these logs directly (or through an application like SIEM (security information and event management) can help you to identify the few lines in the hundreds of pages of log information that you need to know about.
#7 Remote Access Configuration
Remote access allows a user with the proper credentials to connect to a Windows server from another system and access the desktop, applications, configuration tools and so forth. It’s the next best thing to being there. However, it’s also a great way for an unauthorized user to get access to all sorts of things you don’t want them to have.
Beyond the basics of limiting remote access to specific roles and ensuring that users of those roles don’t share passwords, it’s possible to limit remote access to specific IP addresses or blocks of addresses or to add additional token-based authentication to ensure that the user really is authorized. In addition, logging all remote access and the originating IP address can help you discover users’ actions if a breach does occur.
#8 Service Configuration
As with removing or limiting server roles and features, services are lower-level apps that enable specific network protocols, access to server hardware, application functionality, etc. Many services can be shut off or configured to run on demand, rather than being constantly enabled.
The trick is to know what services are needed for which applications. (You don’t want to open Task Manager and start randomly shutting down services.) Shutting down the right services can not only help server hardening by disabling common ways to attack the server, it can also speed up operations because unnecessary services aren’t using CPU or memory.
#9 Logging and Monitoring
Logging and monitoring can be a security administrator’s best friends. It may not always be possible to block every attack (with new forms arising every day), but at least you can discover a problem and keep it from happening again as long as you’re logging and monitoring your systems.
Simply logging everything isn’t practical. System logs can generate hundreds of thousands of lines of text per day. The key to successful windows server hardening is to log only the system events that are helpful, and then find the right events if there’s a problem. SIEM tools are a great way of handling this, or you can hire an experienced systems administrator who can do the same thing with less expensive tools.
#10 Additional Measures — Email
There’s a quote from Ron Burns: “You can’t make anything idiot-proof, because idiots are so ingenious.” However, as one means of protection, firewalls, and email security applications can stop a majority of phishing emails.
Currently, it’s estimated that as many as 95% of security breaches start with a successful phish.
Further reading Guide to Staying Safe from Phishing
Server hardening is a complex process that, like most things, will deliver results in proportion to the effort you put into it. A simple one-page Windows Server hardening checklist will likely make your systems more secure than they are now, but hardening a web server, file server or SQL server will have very different requirements, and will yield better results with more research into the specifics of what each type of server requires and what they can do without.