I previously wrote about the basics of Windows server hardening, with a specific focus on how much is enough. As I mentioned, you may just need to be concerned with the fundamentals of Windows server
The common Windows server weaknesses are pretty well-known: shares not being locked down, null sessions being accessible, patches not current, malware and personal firewall software not installed, password policies out of whack, sufficient logging not enabled, and Active Directory design and management not up to par.
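As an added example (not from the original column), the script below turns that list of basic weaknesses into a read-only baseline check an administrator can run on a server before adopting any of the guides that follow. It assumes Windows Server 2012 or later with PowerShell 3+ (for Get-SmbShare and Get-NetFirewallProfile), an elevated prompt, and illustrative thresholds that you should align with your own policy; it reports findings and changes nothing.

```powershell
# Added example, not from the original article: a read-only audit of the basic
# weaknesses listed above. Assumes Windows Server 2012+ with PowerShell 3+ and an
# elevated prompt. Thresholds (password length, patch age) are illustrative.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Null sessions: anonymous enumeration is governed by these LSA registry values.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.RestrictAnonymous -ne 1)         { $findings.Add('RestrictAnonymous != 1: anonymous share/name enumeration allowed') }
if ($lsa.RestrictAnonymousSAM -ne 1)      { $findings.Add('RestrictAnonymousSAM != 1: anonymous SAM enumeration allowed') }
if ($lsa.EveryoneIncludesAnonymous -eq 1) { $findings.Add('EveryoneIncludesAnonymous = 1: anonymous receives Everyone rights') }

# 2. Shares: flag non-administrative shares where Everyone is allowed more than Read.
foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
    foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
        if ($ace.AccountName -eq 'Everyone' -and $ace.AccessControlType -eq 'Allow' -and $ace.AccessRight -ne 'Read') {
            $findings.Add("Share '$($share.Name)': Everyone has $($ace.AccessRight)")
        }
    }
}

# 3. Patching: a stale newest-hotfix date usually means updates are not being applied.
$newest = (Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
if (-not $newest -or $newest -lt (Get-Date).AddDays(-45)) { $findings.Add("Newest hotfix installed $newest; patching looks stale") }

# 4. Host firewall: every profile (Domain, Private, Public) should be enabled.
foreach ($p in Get-NetFirewallProfile) {
    if ("$($p.Enabled)" -ne 'True') { $findings.Add("Firewall profile $($p.Name) is disabled") }
}

# 5. Local password policy, parsed from 'net accounts' (domain GPO may override these values).
$acct    = net accounts
$minLen  = [int](($acct | Select-String 'Minimum password length' | Select-Object -First 1).Line -replace '.*:\s*', '')
$lockout =       ($acct | Select-String 'Lockout threshold'       | Select-Object -First 1).Line -replace '.*:\s*', ''
if ($minLen -lt 12)       { $findings.Add("Minimum password length is $minLen") }
if ($lockout -eq 'Never') { $findings.Add('Account lockout threshold is Never') }

# 6. Logging: logon auditing should not be set to 'No Auditing'.
$logon = (auditpol /get /subcategory:"Logon" | Select-String '^\s+Logon\s' | Select-Object -First 1).Line
if ($logon -match 'No Auditing') { $findings.Add('Logon auditing is disabled') }

if ($findings.Count -eq 0) { 'No baseline findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Anti-malware status is deliberately left out because the check depends on which product is installed; add a service or agent check for your own product alongside these.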
My typical advice is to fix these basic flaws now before developing security standards and policies that fit into your organization's long-term needs and goals. But what if you've already addressed the basics, or want to know the recommended server hardening standards so that you can start integrating best practices into your work now? No matter what your approach is, there are certain Windows server security guidelines that must be on your radar.
So where can you turn to obtain widely-accepted guidance on locking down your existing and future Windows servers? Below is the lay of the land of Windows server hardening guides, benchmarks, and standards:
- Windows Server 2008 Security Guide (Microsoft) -- The one and only resource specific to Windows 2008.
- Windows Server 2003 Security Guide (Microsoft) -- A good resource, straight from the horse's mouth.
- Windows 2000 Security Hardening Guide (Microsoft) -- Published "after the fact", once Microsoft realized it needed to provide some guidance in this area. Still worth a look-see, though.
- Windows Benchmarks (The Center for Internet Security) -- Arguably the best and most widely-accepted guide to server hardening.
- Guide to General Server Security (NIST) -- Generic in nature, but still a good resource.
- Windows 2000/XP/2003/Vista Addendum, V6R1 (Defense Information Systems Agency) -- These Security Technical Implementation Guides are growing in popularity, especially among IT auditors, so it may be good to get to know this one as well.
Finally, here are some resources in the commercial and quasi-commercial realms that I've found to be beneficial:
- Securing Windows 2000 Step by Step and Windows NT Security Step by Step (SANS) -- These consensus guides are out of publication, so you'll have to search for them for sale online. They're two of my all-time favorites and are still applicable.
- The Administrator Shortcut Guide to Active Directory Security and The Definitive Guide to Building a Windows Server 2008 Infrastructure (Realtime Publishers) -- These are free e-books that are definitely worth a look.
Now before you jump in head first and start locking everything down based on what these documents recommend, there are some key points to be aware of:
- You have to understand what you have and how it's at risk before you can realistically adopt any semblance of Windows server security standards. Start out with an information risk assessment (in-house or via an independent expert) that looks at both technical and operational issues related to the security of your Windows servers. You no doubt have threats and vulnerabilities in this area, but probably just haven't thought about them yet.
- These (or any other) Windows hardening standards shouldn't be construed as one-size-fits-all. Each of these guides/standards takes a different approach, so it's important to find the one that best fits your needs. Every network and server is different enough that you could actually consider this a no-size-fits-all dilemma. It all depends on your line of business, the regulations you're up against, the risks you uncover, and the criticality of each server and the information it stores and/or processes.
- You have to understand your management's view of security. Are they buying into security or do they think it only gets in the way of doing business? Based on your organization's leadership and culture, you'll likely have to tweak your hardening standards a bit. This usually means having to back off from some of these best practices to loosen things up and do what's right for the business overall. As frustrating as this might be, balancing Windows security with business needs is a big part of the process.
- No matter how tightly you lock down your Windows servers, they're still going to be exploitable in some way. It's important to get past the "everything's secure because we locked down our systems" mindset that so many auditors, regulators and managers believe is the law of the land. It never has been nor will it ever be, so be sure not to let your Windows security guard down.
Remember, the best way to tackle a server hardening project is to go into it informed and armed with management support -- you'll be a lot more successful if you do.
Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.
This was first published in June 2009