Windows Server is among the most commonly used operating systems for powering the servers. Due to the nature of the operation that usually involves businesses, Windows Server security is critical for enterprise data.
By default, Windows Server has some security measures in place. But, you can do more to ensure your Windows servers have sufficient defense against potential threats. Here are a few critical tips for securing your Windows Server.
1. Keep Your Windows Server Up To Date
While it may look like an obvious thing to do, most servers installed with Windows Server images are without the latest security and performance updates. Installing the latest security patches is crucial in protecting your system from malicious attacks.
If you have set up a new Windows server or received credentials to one, make sure to download and install all the latest updates available for your computer. You can defer the feature update for some time, but you should install security updates as it becomes available.
2. Install Only Essential OS Components via Windows Server Core
On Windows Server 2012 and above, you can use the operating system in its core mode. The Windows Server Code Mode is a minimal installation option that installs Windows Server without the GUI, which means reduced features.
Installing Windows Server Core has many benefits. The obvious one being the performance advantage. You can use the same hardware to gain performance improvements through unutilized OS components resulting in lesser RAM and CPU requirements, better uptime and boot time, and fewer patches.
While the performance benefits are nice, the security benefits are even better. Attacking a system with fewer tools and attack vectors is harder than hacking a fully GUI-based operating system. Windows Server Core reduces the attack surface, offers Windows Server RSAT (Remote Server Administration) tools and the ability to switch from Core to GUI.
3. Protect the Admin Account
The default user account in Windows Server is named Administrator. As a result, most of the brute force attacks are targeted at this account. To protect the account, you can rename it to something else. Alternatively, you can also disable the local administrator account altogether and create a new admin account.
Once you have the local admin account disabled, check if a local guest account is available. Local guest accounts are the least secure, so it is best to get them out of the way wherever possible. Use the same treatment for unused user accounts.
A good password policy that requires regular password changes, complex and lengthy passwords with numbers, characters, and special characters can help you secure user accounts against brute force attacks.
4. NTP Configuration
It is important to configure your server to sync time with NTP (Network Time Synchronization) servers to prevent a clock drift. This is essential as even a difference of few minutes can break various functions, including Windows login.
Organizations use network devices that use internal clocks or rely on a Public Internet Time Server for synchronization. Servers that are domain members usually have their time synced with a domain controller. However, stand-alone servers will require you to set up NTP to an external source to prevent replay attacks.
5. Enable and Configure Windows Firewall and Antivirus
Windows Servers come with a built-in firewall and antivirus tool. On servers that do not have hardware firewalls, Windows Firewall can reduce the attack surface and provide decent protection against cyber attacks by limiting the traffic to necessary pathways. That said, a hardware-based or Cloud-based firewall will offer more protection and take the load off of your server.
Configuring the firewall can be a messy task and hard to master at first. However, if not configured correctly, open ports accessible to unauthorized clients can pose a huge security risk to servers. Also, keep a note of the rules created for its use and other attributes for future references.
6. Secure Remote Desktop (RDP)
If you use RDP (Remote Desktop Protocol), make sure it is not open to the internet. To prevent unauthorized access, change the default port, and restrict the RDP access to a specific IP address if you have access to a dedicated IP address. You may also want to decide who can access and use RDP, as it is enabled by default for all the users on the server.
Also, adopt all the other basic security measures to secure RDP, including using a strong password, enabling two-factor authentication, keeping the software up to date, restricting access through advanced firewall settings, enabling network-level authentication, and setting an account lockout policy.
7. Enable BitLocker Drive Encryption
Similar to Windows 10 Pro, the server edition of the operating system comes with a built-in drive encryption tool called BitLocker. It’s considered to be among the best encryption tools by the security pros as it allows you to encrypt your entire hard drive even if the physical security of your server is breached.
During encryption, BitLocker captures information about your computer and uses it to verify the authenticity of the computer. Once verified, you can log in to your computer using the password. When suspicious activity is detected, BitLocker will ask you to enter the recovery key. Unless the decryption key is provided, the data will remain locked.
If you are new to hard drive encryption, check out this detailed guide on how to use BitLocker in Windows 10.
8. Use Microsoft Baseline Security Analyzer
Microsoft Baseline Security Analyzer (MBSA) is a free security tool used by IT professionals to help manage the security of their servers. It can find security issues and missing updates with the server and recommend remediation guidance in accordance with Microsoft’s security recommendations.
When used, MBSA will check for Windows administrative vulnerabilities such as weak passwords, the presence of SQL and IIS vulnerabilities, and the missing security updates on individual systems. It can also scan an individual or group of computers by IP address, domain, and other attributes. Finally, a detailed security report will be prepared and shown on the graphical user interface in HTML.
9. Configure Log Monitoring and Disable Unnecessary Network Ports
Any services or protocols that are not needed or used by the Windows Server and installed components must be disabled. You can run a port scan to check which network services are exposed to the internet.
Monitoring login attempts is useful to prevent intrusion and protect your server against brute force attacks. Dedicated intrusion prevention tools can help you view and review all log files and send alerts if suspicious activities are detected. Based on the alerts, you can take appropriate action to block the IP addresses from connecting to your servers.
Windows Server Hardening Can Reduce the Risk of Cyber-Attacks!
When it comes to your Windows Server security, it is always good to be on top of things by auditing the system for security risks regularly. You can start by installing the latest updates, protect the admin account, use the Windows Server Core mode whenever possible, and enable drive encryption through BitLocker.
While Windows Server may share the same code as the consumer edition of Windows 10 and look identical, the way it is configured and used is vastly different.
Read Next
About The Author
