If you refer to industry recommendations, you may think that your Windows system is the least secure in the world. Don't worry too much about this. While the Cyber Security Windows Baseline and the US Department of Defense STIG are important, doing everything in strict accordance with books is not always feasible. You must balance both Windows security and business needs.
seems that everyone on the Windows system strengthening has a different view. Still, there should be a consensus on the level of enhancement of the system. So what do you need to focus on? It's very simple, just check what you've checked. What was the result of your last safety assessment? What are your auditors looking for and what are you against? Is it an internal policy? Maybe it is a rule or a standard? Maybe this is the best practice that others think?
before you spend time, money and effort to strengthen the system, you need to know what you have to meet the requirements. If you don't know this, for example, if you have never conducted an independent assessment or internal audit, then you must start somewhere, right?
In most cases, many people have trouble, do not want to strengthen their Windows server configuration, until an accident. That is to say, you must be realistic and consciously carry out Windows hard work. See what is important. Will digital signing for SMB (Server Message Block) communication and audit target tracking and process tracking really benefit you? Especially when auditing and evaluation are about to begin? probably not. So rename the administrator and client accounts and disable some unwanted services? Well, you might do this. It depends on what will affect your business. I have seen administrators waste energy on very small things, others focus on low-level issues, and important things are often overlooked.
Here are some Windows server hardening measures you can take right now, and they will give you many benefits (free!):
- locking share files, make sure the right people access Appropriate information.
- Disable SMB empty conversation connections to prevent someone from spying around and collecting system configuration information.
- Enable Windows Firewall, or use a third-party alternative (this will limit others to the server or to the server, and will only let the boot user use a null dialog connection).
- Make sure you have the latest patches installed. (This is still a big problem on Windows servers.)
- Running anti-virus software (not running anti-virus software is another common negligence.)
- Set a secure and reasonable password. Don't believe in the myth of passwords.
- Enables successful auditing of account login events, account management, and policy changes.
- Use disk encryption for exposed systems (the server will have long legs).
- Make sure your basic Active Directory configuration is very robust.
Whether you are using a WindowsNT, 2000, Server2003 or 2008, take advantage of these basic essentials of server will give you the security status of wonders. It may not be necessary (at least not yet) to tighten every corner and gap in the system. After you use the above criteria to establish an enhanced benchmark, if business risk proves that it is correct, then you can further strengthen control over the most critical servers.