Hardening Windows Server

By | 2013-11-23

This guide is intended to provide basic systems administration instruction for hardening “out-of-the-box” installations of Windows Server.  Even though current versions of Windows Server provides a better security model than previous versions of Windows servers, the attack surface area can be reduced further.

The first section of this document will list services which can be safely disabled, followed by a short list of registry items that should be safeguarded.

Disabled Unused Services

DHCP Client  

Gain: Security
Explanation: DHCP is used to auto configure a computers IP settings. Most servers will have a static IP address so this service is unnecessary.

DNS Client

Gain: Security

Explanation: The Domain Name System Client service caches the result of domain name lookups and registers the server with its parent DNS server. Turning this off will slow DNS lookups but could also be used against us in a DNS cache poisoning attack. Note that turning this service off still allows the computer to do DNS lookups, the results just won’t be stored in a local cache on the local machine.

Distributed Link Tracking Client   

Gain: Security

Explanation: Distributed links are things like shell shortcuts and OLE links. This service will track if a linked file has been moved/renamed.  Linked files are more common on a desktop OS, so this can be safely disabled.

Human Interface Device Access

Gain: Security

Explanation: Allows keyboard/mouse/other hot buttons and other multimedia devices to interact with windows

IP Helper

Gain: Security

Explanation: IP Helper provides IPv6 connectivity over an IPv4 network.   Our servers are strictly IPv4 at the moment, so no IPv6 support is necessary.

Print Spooler

Gain: Security, Performance

Explanation: No server should have printers installed, unless the server in question is a print server.

Windows Error Reporting Service

Gain: Security

Explanation: This service facilitates the notification and reporting of errors to Microsoft.

Windows Remote Management

Gain: Security

Explanation: WinRM is a remote management protocol running over web services

Secondary Login

Gain: Security

Explanation: This service allows the “run as” command to run a service as a different user.


IPv6, LAN Properties

Gain: Security

Explanation: If you are not using IPv6 in your environment, this item can be safely removed / disabled in the LAN properties page for each NIC in the server.

Also modify the following registry entry, restarting after modification:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters]
Parameter: DisabledComponents
Value: FF

Remote Registry

Gain: Security

Explanation:This service allows registry access to authenticated remote users. Even though this is blocked by the firewall and ACLs this service should be turned off if you have no reason to allow remote registry access.

Registry Lockdown

Disable AutoRun for CD-ROM drives.

Gain: Security
Find this key key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDRom\AutoRun

Change the value to : 0 (REG_DWORD)

Secure SNMP Service

Gain:
Only allow these accounts to access the keys mentioned:

Administrators – Full Control
System – Full Control

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities

Startup Keys

Gain:
Secure the registry keys below with this access:

Administrators and System – Full Control
Authenticated Users – Read Also set auditing for Everyone on these keys; check all checkboxes under Failed and the “Set Value” checkbox under Successful.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_LOCAL_MACHINE\Software\Microsoft\DrWatson(Leave the permissions for Terminal Server User, if exists)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

Author: dwirch

Derek Wirch is a seasoned IT professional with an impressive career dating back to 1986. He brings a wealth of knowledge and hands-on experience that is invaluable to those embarking on their journey in the tech industry.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.