Windows Server Hardening: Configure Security Settings & Policies for Windows Server. Windows Server Hardening is essential for bolstering the security of our Windows Server infrastructure. We fortify our server against potential threats and unauthorized access by configuring security settings and policies. This guide provides us with steps and best practices to harden our Windows Server environment.

Windows Server Hardening: Configure Security Settings & Policies for Windows Server

Every recent version of Windows Server has added security capabilities, and Windows Server 2022 continues that trend to protect this vital infrastructure component. The release of Windows Server 2022 means organizations should upgrade before support ends for older Windows Server versions. It’s a good idea to consider a Windows Server 2022 migration, particularly for critical infrastructure such as domain controllers.

A Windows Server 2022 upgrade brings the advantage of security features not present in earlier Windows Server versions. In addition, given the sensitive nature of domain controllers and other infrastructure components in the data center, it makes sense to harden those servers by moving them to the newest server operating system.

Enhancements to Windows Server Baseline Security

One tool offered to administrators to harden the Windows environment is the Microsoft Security Compliance Toolkit, which contains the Windows Server 2022 security baseline, consisting of Group Policy Objects (GPOs) configured according to Microsoft’s recommended best practices. In addition, the toolkit includes a Policy Viewer utility to compare a system’s configuration against the baseline security settings.

The Microsoft Security Compliance Toolkit is not a new tool, but Microsoft has made some changes to the baselines for Windows Server 2022. For example, the domain controller’s browser restriction list now includes Internet Explorer, because Edge is Microsoft’s recommended browser. Similarly, the Windows Server 2022 security baseline now treats script scanning as a security best practice. Also, only admins are able to install print drivers.

Getting Started with the Windows Server 2022 Security Baselines

Please visit the Microsoft Security Compliance Toolkit page and download the Policy Analyzer and the Windows Server 2022 security baseline as .zip files that we need to extract. To compare a Windows Server 2022 system against the security baseline:

  1. Run the PolicyAnalyzer.exe file.
  2. Click the Add button and follow the prompts to open the Policy File Importer.
  3. Select the Add Files From GPOs option from the File menu, as shown below.

The Policy File Importer displays the available GPOs, as shown below. The GPOs are role specific. For example, there are GPOs for general purposes, but there are different GPOs for domain controllers, which we need to harden to a greater degree than basic servers.

Choose the policy file to use and then click the Import button. When prompted, save the imported GPO as a policy rules file. Next, to compare the baseline against a server’s current state, click the View/Compare button. This button opens the Policy Viewer to compare the baseline against the system’s effective state, as shown below.

The Policy Analyzer highlights the differences between the security baseline and the current system GPOs during its comparison. The tool also checks for unnecessary or conflicting settings. Admins can export their findings in Excel format and take a snapshot to check for modifications at a later time.
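The same kind of baseline-versus-system comparison can be scripted for the two baseline changes the article calls out (Defender script scanning and admin-only print driver installation). The following is an added example, not code from the article or from the Security Compliance Toolkit; the registry path and value name are the real PointAndPrint policy location, and the script is meant to run in an elevated PowerShell session on the server being checked.

```powershell
# Added example: check a server's effective state against two Windows Server 2022
# baseline settings and export a snapshot, mirroring what Policy Analyzer does.

function Test-RegistrySetting {
    param(
        [string]$Name,
        [string]$Path,
        [string]$ValueName,
        [int]$Expected
    )
    # A missing key or value means the policy is not configured, which is a finding.
    $actual = (Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    [pscustomobject]@{
        Setting   = $Name
        Expected  = $Expected
        Actual    = if ($null -eq $actual) { 'Not configured' } else { $actual }
        Compliant = ($actual -eq $Expected)
    }
}

$results = @()

# Print driver installation restricted to administrators (Point and Print policy).
$results += Test-RegistrySetting -Name 'Restrict print driver installation to admins' `
    -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint' `
    -ValueName 'RestrictDriverInstallationToAdministrators' -Expected 1

# Defender script scanning: the preference is stored inverted (Disable... = $false means on).
$scriptScanOff = (Get-MpPreference).DisableScriptScanning
$results += [pscustomobject]@{
    Setting   = 'Defender script scanning'
    Expected  = 'Enabled'
    Actual    = if ($scriptScanOff) { 'Disabled' } else { 'Enabled' }
    Compliant = (-not $scriptScanOff)
}

# Non-compliant rows first, then a dated CSV snapshot for a later re-check.
$results | Sort-Object Compliant | Format-Table -AutoSize
$results | Export-Csv -Path "$env:TEMP\baseline-check-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```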

Tools and Utilities to Support Windows Server Hardening

There are several powerful tools available that assist you in securing your Windows Server environment. In this guide, we explore some of these tools, highlighting their capabilities in strengthening the security of your Windows Server 2022 infrastructure.

Microsoft introduced several security features in Windows Server 2022, including the following:

Secured Core Server

The Secured-core server feature integrates hardware, firmware, and software security to create a robust defence against advanced threats. It leverages trusted hardware components and secure boot processes to establish a highly secure foundation.

Windows Server 2022 supports using secured-core hardware, which stores cryptographic keys inside the CPU rather than in a separate Trusted Platform Module (TPM) chip. This process dramatically improves the security of the keys by making them much more difficult to access, even if an attacker has physical possession of the machine.

Hardware Root-of-Trust

This feature ensures the system’s integrity by verifying the authenticity of hardware components during the boot process. It establishes a chain of trust that starts from the hardware level, providing strong protection against firmware-level attacks.

Windows Server 2022 uses TPM 2.0, either on the motherboard or built into newer processors, to implement its Secure Boot feature and check for unauthorized code before loading the operating system.

Firmware Protection

Firmware protection mechanisms defend against firmware-based attacks. They include features like Secure Boot and measured boot, which validate firmware integrity and detect tampering attempts.

Traditionally, antimalware software cannot scan system firmware. A server equipped with a secured-core processor verifies the boot process through the dynamic root of trust for measurement technology. It is also possible to isolate drivers using Direct Memory Access protection.

UEFI Secure Boot

A security feature that verifies the operating system bootloader’s and firmware’s authenticity during the system start-up process. It prevents the execution of unauthorized or malicious code, protecting against boot-level attacks and rootkits.

With this feature, the system only boots firmware and operating system files that the server’s manufacturer trusts to protect against rootkit attacks.

Virtualization-based Security

Provides isolation and protection for critical system components. It leverages hardware virtualization features to create isolated environments, known as virtual secure mode, to protect sensitive data and processes from unauthorized access.

This security feature stores credentials and keys in a secure container that the OS cannot access directly to prevent a breach in the event of a malware attack.

Enable HTTPS and Transport Layer Security (TLS) 1.3 by Default

Windows Server 2022 promotes secure communication by enabling HTTPS and TLS 1.3 as default protocols. This process ensures that network traffic is encrypted, protecting data in transit and reducing the risk of eavesdropping and tampering.

Microsoft enabled HTTPS and TLS 1.3 by default in Windows Server 2022 to replace older, less secure protocols. Admins need to configure applications or services to use it.

Secure DNS

Windows Server 2022 introduces enhanced security for DNS (Domain Name System) resolution. It includes DNS encryption, DNS over HTTPS (DoH), and DNSSEC (Domain Name System Security Extensions), which provide confidentiality, integrity, and authentication for DNS queries, mitigating DNS-based attacks.

This feature, also known as DNS-over-HTTPS, encrypts DNS queries to improve privacy by securing traffic to prevent network eavesdropping.

SMB East-West Encryption

It encrypts SMB traffic between servers within the same data center or network segment. It safeguards data confidentiality and integrity, preventing unauthorized access to sensitive information within the server infrastructure.

This feature scrambles communications within Storage Spaces Direct clusters to protect data transfer between servers.

SMB Direct and RDMA Encryption

Windows Server 2022 supports SMB Direct and RDMA (Remote Direct Memory Access) Encryption, which enhances the security of data transfers between servers by encrypting the data during transmission. This process protects against eavesdropping and unauthorized interception of SMB traffic.

The SMB Direct feature for high-speed transfers in file servers now supports encryption. Windows Server 2022 performs encryption before data placement, giving much better performance compared to earlier implementations of this technology.

SMB Over QUIC

SMB Over QUIC (Quick UDP Internet Connections) introduces a secure and efficient transport protocol for SMB traffic. It leverages encryption and authentication mechanisms provided by QUIC to ensure the confidentiality and integrity of SMB data exchanged between clients and servers.

This feature, combined with TLS 1.3, uses a relatively new transport protocol for securely accessing data without needing a VPN. Only available in the Windows Server 2022 Datacenter Azure Edition.

Windows Server 2022 Security Best Practices

Microsoft provides best practice analysers based on role and server version that help us harden our systems by scanning and making recommendations.

User Account Control (UAC) serves the vital purpose of separating executables from the security context of the logged-in user. When we log in as an admin, UAC prevents applications from running with our privileges without our consent. This measure prevents malware from running in the background and malicious websites from launching installers or other code. Therefore, leave UAC on whenever possible.

Hardening every application we run is also crucial to securing the Windows operating system, alongside the tips provided in this guide. Although typical Microsoft server applications such as MSSQL and Exchange have specific security mechanisms that help protect them against attacks such as the WannaCry ransomware, be sure to research and tweak each application for maximum resilience. If we are building a web server, we follow our hardening guide to improve its internet-facing security.
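To see which of the platform features described above are actually active on a given server, together with the UAC setting this section recommends leaving on, the status can be read with built-in cmdlets and the documented Win32_DeviceGuard and Win32_Tpm WMI classes. This is an added example, not code from the article; it assumes an elevated PowerShell session on a Windows Server 2022 host.

```powershell
# Added example: report the state of Secure Boot, TPM 2.0, virtualization-based
# security, SMB encryption, TLS 1.3 and UAC on the local server.

$checks = [ordered]@{}

# UEFI Secure Boot: the cmdlet throws on legacy BIOS systems, reported as unsupported.
try   { $checks['UEFI Secure Boot'] = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' } }
catch { $checks['UEFI Secure Boot'] = 'Not supported (legacy BIOS?)' }

# TPM: SpecVersion is a comma-separated string such as "2.0, 0, 1.59".
$tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$checks['TPM 2.0'] = if ($tpm -and $tpm.SpecVersion -like '2.0*') { 'Present' } else { 'Missing or pre-2.0' }

# Virtualization-based security: status 2 = running, 1 = enabled but not running, 0 = off.
# SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI (memory integrity).
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$checks['VBS']              = @('Off', 'Enabled, not running', 'Running')[[int]$dg.VirtualizationBasedSecurityStatus]
$checks['Credential Guard'] = if ($dg.SecurityServicesRunning -contains 1) { 'Running' } else { 'Not running' }
$checks['HVCI']             = if ($dg.SecurityServicesRunning -contains 2) { 'Running' } else { 'Not running' }

# SMB: encrypt data in flight and refuse clients that cannot encrypt; SMB1 should be off.
$smb = Get-SmbServerConfiguration
$checks['SMB encryption required'] = if ($smb.EncryptData -and $smb.RejectUnencryptedAccess) { 'Yes' } else { 'No' }
$checks['SMB1 disabled']           = if ($smb.EnableSMB1Protocol) { 'No' } else { 'Yes' }

# TLS 1.3 in Schannel is on by default on Server 2022; only an explicit Enabled=0 turns it off.
$tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server'
$tlsEnabled = (Get-ItemProperty -Path $tlsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
$checks['TLS 1.3 (Schannel server)'] = if ($tlsEnabled -eq 0) { 'Explicitly disabled' } else { 'Enabled (default)' }

# UAC: EnableLUA = 1 keeps the elevation prompt in place.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
$checks['UAC (EnableLUA)'] = if ($uac -eq 1) { 'On' } else { 'Off' }

$checks.GetEnumerator() | Format-Table Name, Value -AutoSize
```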

Check out our article on Windows Server security best practices for more information.

Windows Server Hardening: Configure Security Settings & Policies for Windows Server Conclusion

In conclusion, proper Windows Server hardening through configuring security settings and policies is crucial for safeguarding our server infrastructure against evolving threats. By implementing features like a Secured-core server, hardware root-of-trust, firmware protection, UEFI Secure Boot, virtualization-based security, and enabling default HTTPS and TLS 1.3, we significantly enhance the security of our Windows Server environment. Additionally, features such as secure DNS, SMB East-West Encryption, SMB Direct and RDMA Encryption, and SMB Over QUIC further contribute to fortifying our server against potential vulnerabilities and unauthorized access.


Marion Mendoza

Windows Server and VMware SME. Powershell Guru. Currently working with Fortune 500 companies responsible for participating in 3rd level systems support across the enterprise. Acting as a Windows Server engineer and VMware Specialist.

Comment (1)

  1. Dee
    August 28, 2023

    Hi,
    Where did you get the policy rule files for Windows 2022? I cannot find them on the Microsoft website.
    Thanks
    Dee
