Servers hardening guidelines

1 Install a router/firewall in between the network and the host to be protected.
2 The Security Configuration Wizard can greatly simplify the hardening of the server. Once the role for the host is defined, the Security Configuration Wizard can help create a system configuration based specifically on that role. It does not completely get rid of the need to make other configuration changes, though.
3 There are several methods available to assist you in applying patches in a timely fashion: Microsoft Update Service Microsoft Update checks your machine to identify missing patches and allows you to download and install them.This is different than the “Windows Update” that is the default on Windows. Microsoft Update includes updates for many more Microsoft products, such as Office and Forefront Client Security.This service is compatible with Internet Explorer only. 
Windows Auto Update via WSUS
ITS offers a Windows Server Update Services Server for campus use using Microsoft’s own update servers. It includes updates for additional Microsoft products, just like Microsoft Update, and provides additional administrative control for software deployment.

Microsoft Baseline Security Analyzer
This is a free host-based application that is available to download from Microsoft. In addition to detailing missing patches, this tool also performs checks on basic security settings and provides information on remediating any issues found.
4 Configure Automatic Updates from the Automatic Updates control panel On most servers, you should choose either “Download updates for me, but let me choose when to install them,” or “Notify me but don’t automatically download or install them.”The campus Windows Server Update Services server can be used as the source of automatic updates.
5 Configuring the minimum password length settings is important only if another method of ensuring compliance with Company password standards is not in place. The Information Resources Use and Security Policy requires passwords be a minimum of 8 characters in length. It is strongly recommended that passwords be at least 14 characters in length.
6 Configuring the password complexity setting is important only if another method of ensuring compliance with Company password standards is not in place. The Information Resources Use and Security Policy requires that passwords contain letters, numbers, and special characters.
7 If this option is enabled, the system will store passwords using a weak form of encryption that is susceptible to compromise. This configuration is disabled by default.
8 Instead of the CIS recommended values, the account lockout policy should be configured as follows: Account lockout duration — 5 minutesAccount lockout threshold — 5 failed attemptsReset account lockout counter — 5 minutes
11 Any account with this role is permitted to log in to the console. By default, this includes users in the Administrators, Users, and Backup Operators groups. It’s unlikely that non-administrative users require this level of access and, in cases where the server is not physically secured, granting this right may facilitate a compromise of the device.
13 You may add localized information to the banner as long as the Company banner is included.
14 The use of Microsoft accounts can be blocked by configuring the group policy object at:  Computer Configuration\Windows Settings\Security Settings\Local Policies\ Security Options\Accounts: Block Microsoft accounts   This setting can be verified by auditing the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoConnectedUser
15 Logon information for domain accounts can be cached locally to allow users who have previously authenticated to do so again even if a domain controller cannot be contacted. By default 10 accounts will be cached locally, but there is a risk that in the event of a compromise an attacker could locate the cached credentials and use a brute force attack to discover the passwords. Therefore, it is recommended that this value be reduced so that fewer credentials will be placed at risk, and credentials will be cached for shorter periods of time in the case of devices that are logged into frequently by multiple users. The group policy object below should be set to 4 or fewer logons: Computer Configuration\Windows Settings\Security Settings\Local Policies\ Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available)
16 The Account Logon audit policy logs the results of validation tests of credentials submitted for user account logon requests. The server that is authoritative for the credentials must have this audit policy enabled. For domain member machines, this policy will only log events for local user accounts. Configure the group policy object below to match the listed audit settings: Computer Configuration\Windows Settings\Security Settings\ Advanced Audit Policy Configuration\Audit Policies\Account Logon\ Credential Validation — Success and Failure
17 Configure the group policy object below to match the listed audit settings: Computer Configuration\Windows Settings\Security Settings\ Advanced Audit Policy Configuration\Audit Policies\Account Management\ Computer Account Management — Success and FailureOther Account Management Events — Success and FailuresSecurity Group Management — Success and FailureUser Account Management — Success and Failure
18 Configure the group policy object below to match the listed audit settings: Computer Configuration\Windows Settings\Security Settings\ Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\ Account Lockout — SuccessLogoff — SuccessLogon — Success and FailureOther Logon/Logoff Events — Success and FailureSpecial Logon — Success
19 Configure the group policy object below to match the listed audit settings: Computer Configuration\Windows Settings\Security Settings\ Advanced Audit Policy Configuration\Audit Policies\Policy Change\ Audit Policy Change — Success and FailureAuthentication Policy Change — Success
20 Configure the group policy object below to match the listed audit settings: Computer Configuration\Windows Settings\Security Settings\ Advanced Audit Policy Configuration\Audit Policies\Privilege Use\ Sensitive Privilege Use — Success and Failure
21 The Company requires the following event log settings   Application: Maximum log size — 32,768 KB Security: Maximum log size— 196,608 KBSetup: Maximum log size — 32,768 KBSystem: Maximum log size — 32,768 KB The recommended retention method for all logs is: Overwrite events older than 14 days   These are minimum requirements. The most important log here is the security log. 100 MB is a suggested minimum, but if you have a high-volume service, make the file as large as necessary to make sure at least 14 days of security logs are available. You may increase the number of days that you keep, or you may set the log files to not overwrite events. Note that if the event log reaches its maximum size and no events older than the number of days you specified exist to be deleted, or if you have disabled overwriting of events, no new events will be logged. This may happen deliberately as an attempt by an attacker to cover his tracks. For critical services working with Cat 1 or other sensitive data, you should use syslog, Splunk, Intrust, or a similar service to ship logs to another device. Another option is to configure Windows to rotate event log files automatically when an event log reaches its maximum size as described in the article http://support.microsoft.com/kb/312571 using the AutoBackupLogFiles registry entry.
22 It is highly recommended that logs are shipped from any Category I devices to a service like Splunk, which provides log aggregation, processing, and real-time monitoring of events among many other things. This helps to ensure that logs are preserved and unaltered in the event of a compromise, in addition to allowing proactive log analysis of multiple devices.
23 Configure user rights to be as secure as possible. Every attempt should be made to remove Guest, Everyone, and ANONYMOUS LOGON from the user rights lists.
24 Volumes formatted as FAT or FAT32 can be converted to NTFS, by using the convert.exe utility provided by Microsoft. Microsoft has provided instructions on how to perform the conversion. Windows servers used with Category I data must use the NTFS file system for all partitions where Category I data is to be stored.
25 Be extremely careful, as setting incorrect permissions on system files and folders can render a system unusable.
26 Be extremely careful, as setting incorrect permissions on registry entries can render a system unusable.
27 Some remote administration tools, such as Microsoft Systems Management Server, require remote registry access to managed devices. Disabling remote registry access may cause such services to fail. If remote registry access is not required, it is recommended that the remote registry service be stopped and disabled. If remote registry access is required, the remotely accessible registry paths should still be configured to be as restrictive as possible. The group policy object below controls which registry paths are available remotely: Computer Configuration\Windows Settings\Security Settings\Local Policies\ Security Options\Network access: Remotely accessible registry paths This object should be set to allow access only to: System\CurrentControlSet\Control\ProductOptionsSystem\CurrentControlSet\Control\Server ApplicationsSoftware\Microsoft\Windows NT\CurrentVersion Further restrictions on the registry paths and sub paths that are remotely accessible can be configured with the group policy object: Computer Configuration\Windows Settings\Security Settings\Local Policies\ Security Options\Network access: Remotely accessible registry paths and sub-paths
28 By default, domain members synchronize their time with domain controllers using Microsoft’s Windows Time Service. The domain controller should be configured to synchronize its time with an external time source, such as the Company’s network time servers.
29 a managed, antivirus service.
30 Windows provides the Encrypting File System as a built-in mechanism to allow the encryption of individual users’ files and folders. Be aware of the caveats involved in the use of EFS before implementing it for general use, though. Other options such as PGP and GNUPG also exist. Another encryption option to consider is whole-disk encryption, which encrypts the entire contents of the drive instead of just specific files and folders. Windows comes with BitLocker for this.
31 Windows has a feature called Windows Resource Protection which automatically checks certain key files and replaces them if they become corrupted. It is enabled by default. You can audit in much more in depth using Tripwire. Modern versions of Tripwire require the purchase of licenses in order to use it. The Tripwire management console can be very helpful for managing more complex installations.
32 This setting is configured by group policy object at: \Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\ Remote Desktop Session Host\Security This policy object should be configured as below: Set client connection encryption level — HighRequire use of specific security layer for remote (RDP) connections — SSL (TLS 1.0)Require user authentication for remote connections by using Network Level Authentication — Enabled
33 Open the Display Properties control panel.Select the Screen Saver tab.Select a screen saver from the list. Although there are several available, consider using a simple one such as “Blank.”The value for Wait should be no more than 15 minutes.Select the On resume, password protect option.
Previous post Famous APIs by big 3 Google,Amazon,Facebook
Next post Metamorphosing Online Gaming Start-Up to an Unicorn