Defense in depth, the practice of protecting against potential threats from as many angles as possible, is a concept that you are most likely already familiar with. With regard to server security, defense in depth involves, among other things, creating different security policies for each layer of your network. The server is the penultimate layer of security between potential threats and your company’s valuable data so applying security policies specifically for each server profile is both important and necessary.
Popular recommendations are to “stop the services that are not necessary” or “turn off features that are not being used.” Luckily, every new version of Windows Server is built to be more secure by default. That said, it is common to have several (or sometimes hundreds) of different roles on the network server as well as multiple sets of file servers, web servers, database servers, etc. So, how can we ensure that each of these servers, with their different characteristics, are configured with the best security practices?
Since the release of Windows Server 2003 Service Pack 1 (SP1), Windows Server has included a tool called the Security Configuration Wizard that aims at analyzing the server profile and recommending changes to improve the security of the server. In Windows Server 2012, the Security Configuration Wizard is conveniently located in the new Server Manager dashboard.
Figure 1. Server Manager dashboard in Windows Server 2012
When you use the Security Configuration Wizard, your first step is to define which action is taken. You can not only create a new policy but also edit, apply, and even remove an applied policy from your existing server configuration.
Figure 2. Configuration Action screen
You then select the server that you want to apply the policy to.
Figure 3. Select Server screen
In Windows Server 2012, the Security Configuration Wizard then parses the selected server and the information collected, and compares that with Microsoft’s security recommendations for that server profile (file, database, web, etc).
Figure 4. Security Configuration Database
Below is an example of the results of a Security Configuration Wizard analysis and its suggestions for amendments, which can be changed and adapted according to a specific need.
Figure 5. Selecting server roles and client features
Figure 6. Selecting administration options and additional services
Figure 7. Options for handling unspecific services
Once the Security Configuration Wizard has completed its analysis and recommendations, you can then either save or apply the policy. Since there is often more than one server in the profile that was analyzed by the wizard, I recommend creating a Group Policy Object (GPO) to apply that policy to all servers with the same characteristics. To do this, use Windows PowerShell and run the following command:
scwcmd transform /p:TemplateDomainController.xml /g:GPO-Hardening-DC
This can result in a better standardization of the security policies applied to your environment, and make it easier for you to organize those policies are part of your overall server security strategy.
Another option to consider for hardening the system would be the Defense Information Systems Agency STIGs. Basically, these are what the DOD uses to lock down systems