Secure server configuration often puzzles IT professionals, and changing settings without interrupting business operations can be a headache.
We can apply the below six best practices to further enhance the security posture of our Windows Server deployments.
As always, before making any changes we should check whether the applications running on top of the operating system will continue to work afterwards.
Seeking advice from each respective software vendor before making the changes can also help with this decision.
As of December 2020, the following configuration applies to all releases from Windows Server 2008 R2 to Windows Server 2019.
However, Windows Server 2008 R2 reached the end of extended support nearly a year ago; if you are still running this release, make sure you upgrade to a supported one.
1) Use strong passwords
And change them regularly. Educate and train your users on why and how passwords must change on a regular basis.
2) Disable obsolete encryption protocols
Encryption protocols such as SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are now considered insecure. Default all communications to TLS 1.2 and TLS 1.3.
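The protocol versions Schannel offers are controlled by registry keys, so the check and the fix are both scriptable. The following is an added example, not code from the original post: it audits the SCHANNEL protocol keys on the local server and, with -Remediate, writes the desired state. It assumes an elevated session, the documented SCHANNEL\Protocols\<version>\<Server|Client> key layout, and a reboot afterwards so that Schannel reads the new values.

```powershell
# Added example, not code from the original post: audit the SCHANNEL protocol registry keys that
# decide which SSL/TLS versions this server offers and accepts, and fix drift with -Remediate.
# Assumptions: elevated session; the documented SCHANNEL\Protocols\<version>\<Server|Client>
# layout; a reboot is required before Schannel picks up the new values.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remediate)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state for both the Server (inbound) and Client (outbound) side of each version.
$desired = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
}

function Get-ProtocolState {
    param([string]$Version, [string]$Side)
    $key = Join-Path $base "$Version\$Side"
    if (-not (Test-Path $key)) { return 'OS default' }   # no key: Windows' built-in default applies
    $props = Get-ItemProperty -Path $key
    if ($props.Enabled -eq 0 -or $props.DisabledByDefault -eq 1) { return 'Disabled' }
    if ($null -ne $props.Enabled) { return 'Enabled' }
    return 'OS default'
}

function Set-ProtocolState {
    param([string]$Version, [string]$Side, [bool]$Enable)
    $key = Join-Path $base "$Version\$Side"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled = 0 switches the version off; DisabledByDefault = 1 keeps it off unless an
    # application asks for it explicitly. Both are set so the result depends on neither alone.
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Force `
        -Value $(if ($Enable) { 1 } else { 0 }) | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Force `
        -Value $(if ($Enable) { 0 } else { 1 }) | Out-Null
}

$report = foreach ($version in $desired.Keys) {
    foreach ($side in 'Server', 'Client') {
        $wanted  = if ($desired[$version]) { 'Enabled' } else { 'Disabled' }
        $current = Get-ProtocolState -Version $version -Side $side
        if ($current -ne $wanted -and $Remediate -and
            $PSCmdlet.ShouldProcess("$version ($side)", "set to $wanted")) {
            Set-ProtocolState -Version $version -Side $side -Enable $desired[$version]
            $current = Get-ProtocolState -Version $version -Side $side
        }
        [pscustomobject]@{
            Version   = $version
            Side      = $side
            Current   = $current
            Wanted    = $wanted
            Compliant = ($current -eq $wanted)
        }
    }
}

$report | Format-Table -AutoSize
if (-not $Remediate -and ($report | Where-Object { -not $_.Compliant })) {
    Write-Warning 'Drift found; re-run with -Remediate (then reboot) to enforce the desired state.'
}
```

Run it once without -Remediate to see the table, then with -Remediate -WhatIf to preview the writes. An "OS default" entry for TLS 1.2 is reported as non-compliant on purpose: the releases covered here enable TLS 1.2 implicitly, but an explicit value cannot be undone by a later default change. Two caveats: Schannel only exposes TLS 1.3 from Windows Server 2022 onward, so on the releases this post covers the registry mechanism can enforce TLS 1.2 at most; and .NET applications follow the OS defaults only when they are configured to, so check the vendor's guidance for each application before disabling TLS 1.0 and 1.1.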
3) Reduce the Attack Surface
Remove every piece of software that is not needed throughout your infrastructure. Deploy all Windows images from your custom baseline images.
If you want more on this, you can read a previous blog post on how the "reduce the attack surface" approach can help safeguard an infrastructure.
4) Disable SMBv1
SMBv1 has been around for more than 30 years and is not secure by any means. Newer versions of Windows Server (2016 build 1709 and 2019) ship with SMBv1 disabled by default, but if you run an older OS it needs to be disabled.
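Each release in scope disables SMBv1 through a different mechanism, and turning it off blindly can break an old appliance or scanner that still depends on it. The following added example (not code from the original post) reports the SMBv1 state on the local server, shows any audited SMBv1 connections, and with -Disable switches the protocol off using whichever mechanism the release provides. It assumes an elevated session; the SMB1 access audit log (event 3000 in Microsoft-Windows-SMBServer/Audit) exists only on Windows Server 2016 and later; a reboot completes the removal.

```powershell
# Added example, not code from the original post: find out whether SMBv1 is still present on
# this server, whether anything still uses it, and (with -Disable) switch it off using the
# mechanism each release in scope provides. Assumptions: elevated session; SMB1 access auditing
# (-EnableAudit) and its event log exist only on Server 2016 and later; a reboot completes removal.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$EnableAudit,   # 2016+: log every SMB1 connection so you can see who still needs it
    [switch]$Disable
)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    $state = [ordered]@{}
    # Registry switch: honoured from 2008 R2 onward; an absent value means SMB1 is allowed.
    $reg = Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue
    $state.RegistrySwitch = if ($null -eq $reg) { 'not set (allowed)' } elseif ($reg.SMB1 -eq 0) { 'disabled' } else { 'enabled' }
    # 2012 and later expose the live server setting through the SmbShare module.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $state.ServerSetting = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # 2016/2019 package SMB1 (server and client) as the optional feature SMB1Protocol.
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($f) { $state.OptionalFeature = [string]$f.State }
    }
    [pscustomobject]$state
}

function Get-Smb1Clients {
    # Event 3000 in the SMBServer Audit log records each SMB1 connection once auditing is on.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
        -ErrorAction SilentlyContinue
    $events | ForEach-Object { $_.Message } | Sort-Object -Unique
}

function Disable-Smb1 {
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        # 2016/2019: remove the whole SMB1 component, client side included.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
    if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
        # 2012 R2: SMB1 is the FS-SMB1 role service.
        Uninstall-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue | Out-Null
    }
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # 2012 and later: stop the server from negotiating SMB1 immediately.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # 2008 R2 has none of the cmdlets above; the registry switch is its only option.
    Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
}

if ($EnableAudit) {
    try { Set-SmbServerConfiguration -AuditSmb1Access $true -Force }   # 2016 and later only
    catch { Write-Warning "SMB1 access auditing is not available on this release: $_" }
}

Write-Host 'SMBv1 state before:'
Get-Smb1State | Format-List
$clients = Get-Smb1Clients
if ($clients) { Write-Warning "Audited SMB1 connections seen:`n$($clients -join "`n")" }

if ($Disable -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'disable SMBv1')) {
    Disable-Smb1
    Write-Host 'SMBv1 state after (reboot to complete):'
    Get-Smb1State | Format-List
}
```

A sensible sequence on 2016/2019 is to run with -EnableAudit, leave the server in production for a week or two, run again and read the warning listing audited connections, fix or retire whatever still speaks SMBv1, and only then run with -Disable. On 2008 R2 the registry switch is the only control, which is one more reason to move off that release.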
5) Always patch your servers
Microsoft releases important and critical security updates from time to time. Make sure you always patch your servers by installing Windows Updates.
6) Keep Windows Firewall enabled
Microsegmentation is one of the top architectures when it comes to the design of modern-day infrastructures. Why disable a security layer that is built into the OS?
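"Enabled" is only the first check: the firewall can be on while the service is stopped, the inbound default is Allow, or dropped packets are never logged. The following added example (not code from the original post) verifies all of these per profile, lists the enabled inbound Allow rules for review, and with -Remediate enforces a baseline. It assumes Windows Server 2012 or later (for the NetSecurity module) and an elevated session; the log path used is the Windows default.

```powershell
# Added example, not code from the original post: confirm the Windows Firewall is actually in
# force (service running, every profile enabled, inbound blocked by default, drops logged) and
# correct drift with -Remediate. Assumptions: Windows Server 2012 or later (NetSecurity module)
# and an elevated session; the log path below is the Windows default.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remediate)

$logFile = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

function Get-FirewallFindings {
    # The firewall service itself: stopping MpsSvc silently removes the whole layer.
    $svc = Get-Service -Name MpsSvc
    [pscustomobject]@{
        Item   = 'Service MpsSvc'
        Issues = if ($svc.Status -ne 'Running') { "service is $($svc.Status)" } else { '' }
    }
    foreach ($p in Get-NetFirewallProfile) {
        $issues = @()
        if ($p.Enabled -ne 'True') { $issues += 'profile disabled' }
        # NotConfigured means the built-in default, which is Block; only Allow is a finding.
        if ($p.DefaultInboundAction -eq 'Allow') { $issues += 'inbound allowed by default' }
        if ($p.LogBlocked -ne 'True') { $issues += 'dropped packets not logged' }
        [pscustomobject]@{ Item = "Profile $($p.Name)"; Issues = ($issues -join '; ') }
    }
}

function Get-InboundAllowRules {
    # Every enabled inbound Allow rule is a hole in the wall; review this list periodically.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Select-Object DisplayName, Profile | Sort-Object DisplayName
}

function Repair-Firewall {
    Set-Service -Name MpsSvc -StartupType Automatic
    Start-Service -Name MpsSvc
    # One call for all profiles: on, block inbound unless a rule allows it, log what is dropped.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -LogBlocked True `
        -LogFileName $logFile -LogMaxSizeKilobytes 16384
}

$findings = Get-FirewallFindings
$findings | Format-Table -AutoSize
Write-Host 'Enabled inbound Allow rules:'
Get-InboundAllowRules | Format-Table -AutoSize

$drift = $findings | Where-Object { $_.Issues }
if ($drift -and $Remediate -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'enforce firewall baseline')) {
    Repair-Firewall
    Get-FirewallFindings | Format-Table -AutoSize
} elseif ($drift) {
    Write-Warning 'Drift found; re-run with -Remediate to enforce the baseline.'
}
```

Logging dropped packets is what makes the firewall useful as a detection source as well as a control: once LogBlocked is on, the pfirewall.log file can be shipped to your SIEM, and a sudden rise in drops against a server is an early sign of a scan or a misconfigured neighbour. Rules under Group Policy show up with their GPO-managed values and are corrected there, not by this script.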
While other configurations can exist and still be valid on the secure server journey, applying the above steps will safeguard your deployments, so be sure to adapt and enforce them!