User Manual
Checklist
A6V11646120_enUS_b_40
be available over a VPN connection, ensuring that unauthorized people cannot exploit
the port at will from the net.
The Windows firewall is a built-in software firewall that allows configuration of port-
based traffic from within the OS. On a standalone server, or any server without a
hardware firewall in front of it, the Windows firewall will provide some protection
against network-based attacks by limiting the attack surface to the allowed ports. That
said, a hardware firewall is always a better choice because it offloads the traffic to
another device and offers more options for handling that traffic, leaving the server to
perform its main duty. Whichever method you use, the key point is to restrict traffic to
only necessary pathways.
● Remote Access Configuration
As mentioned above, if you use RDP, be sure it is only accessible via VPN if at all
possible. Leaving it open to the internet does not guarantee that you will be hacked,
but it does offer potential hackers another inroad into your server.
Make sure RDP is only accessible by authorized users. By default, all administrators
can use RDP once it is enabled on the server. Additional people can join the Remote
Desktop Users group for access without becoming administrators.
In addition to RDP, various other remote access mechanisms such as PowerShell and
SSH should be carefully locked down if used and made accessible only within a VPN
environment. Telnet should never be used at all, as it passes information in plain text
and is insecure in several ways. The same goes for FTP. Use SFTP or SSH (from a VPN)
whenever possible and avoid any unencrypted communications altogether.
● Service Configuration
Windows Server has a set of default services that start automatically and run in the
background. Many of these are required for the OS to function, but some are not and
should be disabled if not in use. Following the same logic as the firewall, we want to
minimize the attack surface of the server by disabling everything other than primary
functionality. Older versions of Windows Server have more unneeded services than
newer ones, so carefully check any 2008 or 2003 servers.
Important services should be set to start automatically so that the server can recover
without human interaction after failure. For more complex applications, take advantage
of the Automatic (Delayed Start) option to give other services a chance to get going
before launching intensive application services. You can also set up service
dependencies in which a service will wait for another service or set of services to
successfully start before starting. Dependencies also allow you to stop and start an
entire chain at once, which can be helpful when timing is important.
● Further Hardening
Microsoft provides best practices analyzers based on role and server version that can
help you further harden your systems by scanning and making recommendations.
Although User Account Control (UAC) can be annoying, it serves the important
purpose of abstracting executables from the security context of the logged-on user.
This means that even when you are logged on as an admin, UAC will prevent
applications from running as you without your consent. This prevents malware from
running in the background and malicious websites from launching installers or other
code. Leave UAC on whenever possible.
● Logging and Monitoring
Make sure that your logs and monitoring are configured and capturing the data you
want so that in the event of a problem, you can quickly find what you need and
remediate the issue. Logging works differently depending on whether your server is
part of a domain. Domain logons are processed by domain controllers, so the audit
logs for that activity are on the domain controllers, not on the local system. Stand-alone
servers will have security audits available and can be configured to show passes and/or failures.
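The following PowerShell script is an added example, not part of the original manual. It reads back the firewall, remote access, service, UAC and logon-audit settings discussed in the checklist above so they can be reviewed in one table. It assumes Windows Server 2016 or later, an English-language OS for the audit subcategory name, and the service names TlntSvr (Telnet server) and FTPSVC (IIS FTP service).

```powershell
# Added example (not from the manual): read-only audit of the checklist items above.
# Assumes an elevated Windows PowerShell 5.1 session on Windows Server 2016 or later.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Check, $Item, $Value, $Ok) {
    # Ok is left empty ($null) where the row needs a human decision
    $findings.Add([pscustomobject]@{ Check = $Check; Item = $Item; Value = $Value; Ok = $Ok })
}

# Firewall: enabled inbound allow rules that name TCP 3389 explicitly.
# Rules that cover 3389 only through a port range or "Any" are not matched here.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '3389' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $remote = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
        # A remote address of 'Any' means the rule is not restricted to the VPN range
        Add-Finding 'RDP firewall scope' $_.DisplayName ($remote -join ',') ($remote -notcontains 'Any')
    }

# Remote access: accounts able to use RDP, looked up by well-known SID
# (S-1-5-32-544 = Administrators, S-1-5-32-555 = Remote Desktop Users)
foreach ($sid in 'S-1-5-32-544', 'S-1-5-32-555') {
    $group = Get-LocalGroup -SID $sid
    Get-LocalGroupMember -SID $sid | ForEach-Object {
        Add-Finding 'RDP-capable account' $group.Name $_.Name $null
    }
}

# Services: plain-text protocols should not be running (service names are assumptions)
Get-Service -Name 'TlntSvr', 'FTPSVC' -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'Plain-text service' $_.Name $_.Status ($_.Status -ne 'Running')
}
# Services set to start automatically that are not running; some are trigger-started, so review
Get-CimInstance Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" | ForEach-Object {
    Add-Finding 'Auto service not running' $_.Name $_.State $null
}

# UAC: EnableLUA = 1 means User Account Control is on
$uac = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
Add-Finding 'UAC' 'EnableLUA' $uac ($uac -eq 1)

$findings | Format-Table -AutoSize

# Logging: local logon auditing (success/failure); domain logons are audited on the DCs
auditpol /get /subcategory:"Logon"
```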