Windows server 2008 system hardening

Baseline Security Settings: Account Policies. Refuse LM. Symbolic Links Enabled. For the Enterprise Member Server and Enterprise Domain Controller profiles, the recommended value is "User is prompted when the key is first used". Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.

For all profiles, the recommended state for this setting is "Require NTLMv2 session security, Require bit encryption". For all profiles, the recommended state for this setting is any value that does not contain the term "admin". For all profiles, the recommended state for this setting is any value that does not contain the term "guest".

Interactive logon: Number of previous logons to cache in case domain controller is not available. Network access: Do not allow storage of credentials or .NET Passports for network authentication. For all profiles, the recommended state for this setting is "Classic - local users authenticate as themselves". The process hosting the service has only the privileges specified in the registry value. Something important to note here: you cannot use the RequiredPrivileges mechanism to augment a service's privileges, only to reduce them.

If RequiredPrivileges refers to a privilege that the service account does not already hold, that privilege is ignored. Privileges are specified by their string names; for example, the string for the Impersonate privilege is SeImpersonatePrivilege. Determining which privileges a service actually needs is not an easy task, and in some cases you may have to use trial and error.

That having been said, do not start making changes to service privileges without thorough testing in an isolated environment. Finally, there are still some situations where a dedicated domain-wide user account will be necessary, for example where a service needs to be trusted or needs access to remote resources, such as allowing the Performance Logs and Alerts service to query a remote machine. The last change we're going to look at today is applying a write-restricted access token to the service process.

This access token can be used when the set of objects the service writes to is bounded and can be configured. An attempt to write to a resource that does not explicitly grant the service SID access will fail. The important thing to note here is that a write-restricted token restricts only write operations; it does not restrict reads.
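The two service-hardening controls just described (RequiredPrivileges and the write-restricted service SID) both live as values under each service's registry key, which makes them easy to inventory before deciding what to change. The following PowerShell script is an added example, not code from the original article: it reads each service's RequiredPrivileges and ServiceSidType values, flags services that either declare no privilege list at all (and so inherit the account's full default set) or declare one of a small set of high-impact privileges. The "high-impact" list is this example's own choice, and the service name used with sc.exe at the end is a placeholder.

```powershell
# Added example (not from the original article): audit per-service
# RequiredPrivileges and ServiceSidType values under
# HKLM\SYSTEM\CurrentControlSet\Services. Read-only; run as an administrator.
# The high-impact privilege list below is this example's own starting set.

$highImpact = @('SeDebugPrivilege', 'SeTcbPrivilege', 'SeLoadDriverPrivilege',
                'SeTakeOwnershipPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege')

# ServiceSidType values: 0 = NONE, 1 = UNRESTRICTED, 3 = RESTRICTED (write-restricted)
$sidTypeNames = @{ 0 = 'None'; 1 = 'Unrestricted'; 3 = 'WriteRestricted' }

function Get-ServiceHardening {
    param([string]$ServiceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path $key)) { return $null }
    $props = Get-ItemProperty -Path $key

    # RequiredPrivileges is a REG_MULTI_SZ; absent means "no restriction applied"
    $privs = @()
    if ($props.RequiredPrivileges) { $privs = @($props.RequiredPrivileges) }

    $sidType = 0
    if ($props.ServiceSidType -ne $null) { $sidType = [int]$props.ServiceSidType }

    $risky = @($privs | Where-Object { $highImpact -contains $_ })

    New-Object PSObject -Property @{
        Service            = $ServiceName
        Account            = $props.ObjectName
        RequiredPrivileges = ($privs -join ',')
        HighImpact         = ($risky -join ',')
        SidType            = $sidTypeNames[$sidType]
    }
}

# Report services that declare no RequiredPrivileges (so they keep the account's
# full default privilege set) or that declare a high-impact privilege.
Get-Service | ForEach-Object { Get-ServiceHardening $_.Name } |
    Where-Object { $_ -ne $null -and ($_.RequiredPrivileges -eq '' -or $_.HighImpact -ne '') } |
    Sort-Object Service |
    Format-Table Service, Account, SidType, HighImpact, RequiredPrivileges -AutoSize

# After testing in an isolated environment, the built-in sc.exe verbs apply the
# two controls ("MySvc" is a placeholder service name):
#   sc.exe privs   MySvc SeChangeNotifyPrivilege/SeImpersonatePrivilege
#   sc.exe sidtype MySvc restricted
# and read them back with:
#   sc.exe qprivs MySvc
#   sc.exe qsidtype MySvc
```

The report is deliberately read-only: as the article stresses, the privilege list cannot add anything the account lacks, and trimming it without testing can break the service, so the first step is simply knowing which services run with an unrestricted default set and which already carry a write-restricted SID.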

Both the Guest and Help Assistant accounts provide an easy target for attackers, who have exploited them before on earlier Windows Server releases. These accounts should be disabled at all times. Remember, your server is a vital part of your network and of the services that you provide. The applications installed on these servers should be related to the server's role and kept to a minimum.

It is a good idea to test these applications in a separate environment before deploying them on the production network. Some applications rely on service back doors, which can compromise the overall security of the server. After installing each application, double-check whether the application created any firewall exception or any service user account.
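The post-install check above (new firewall exceptions, new local accounts, services running under new accounts, and the Guest account staying disabled) is easiest when you can compare the host against a snapshot taken before the install. The script below is an added example, not the article's own tooling: it captures those three inventories with the Windows Firewall COM object (HNetCfg.FwPolicy2) and WMI classes that exist on Windows Server 2008, saves them, and diffs a later snapshot against the baseline. The C:\Baseline path is this example's choice.

```powershell
# Added example (not from the original article): snapshot enabled firewall rules,
# local accounts and service logon accounts before an application install, then
# diff a fresh snapshot against it afterwards. Read-only except for the saved file.

function Get-HostSnapshot {
    # Enabled firewall rules, flattened to one comparable string each
    # (Direction 1 = inbound, 2 = outbound; Protocol is the IP protocol number)
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $rules = @($fw.Rules | Where-Object { $_.Enabled } | ForEach-Object {
        '{0}|dir={1}|proto={2}|ports={3}|app={4}' -f `
            $_.Name, $_.Direction, $_.Protocol, $_.LocalPorts, $_.ApplicationName })

    # Local accounts only (a domain member would otherwise list the whole domain)
    $users = @(Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        ForEach-Object { '{0}|disabled={1}' -f $_.Name, $_.Disabled })

    # Every service with the account it logs on as and its start mode
    $svcs = @(Get-WmiObject Win32_Service |
        ForEach-Object { '{0}|account={1}|start={2}' -f $_.Name, $_.StartName, $_.StartMode })

    New-Object PSObject -Property @{ Firewall = $rules; Users = $users; Services = $svcs }
}

function Compare-HostSnapshot {
    param($Before, $After)
    foreach ($area in 'Firewall', 'Users', 'Services') {
        $diff = Compare-Object -ReferenceObject $Before.$area -DifferenceObject $After.$area
        foreach ($d in $diff) {
            $tag = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
            '{0} {1}: {2}' -f $tag, $area, $d.InputObject
        }
    }
}

# Usage: before the install
#   New-Item -ItemType Directory -Path C:\Baseline -Force | Out-Null
#   Get-HostSnapshot | Export-Clixml C:\Baseline\before.xml
# After the install
#   Compare-HostSnapshot (Import-Clixml C:\Baseline\before.xml) (Get-HostSnapshot)

# The built-in accounts the article says must stay disabled can be checked directly:
Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND (Name='Guest' OR Name='HelpAssistant')" |
    Select-Object Name, Disabled
```

Every line tagged ADDED in the Firewall or Users area, and every Services line whose account changed, should have a documented reason or be removed before the server goes into production.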

Windows Server comes with a phenomenal built-in firewall called Windows Firewall with Advanced Security. As a security best practice, every server should have its own host-based firewall, and its rule set should be double-checked to confirm there are no unnecessary rules or exceptions. I have outlined some of the new features that Windows Server provides.

One of the most significant changes to auditing in Windows Server is that you can now audit not only who changed which attribute, but also what the old and new values were. Another significant change: in past Server versions you could only turn the auditing policy on or off for the entire Active Directory structure.

In Windows Server the auditing policy is more granular. As a security best practice, the following events should be logged and audited on Windows Server. Most log events in Event Viewer have registered incident ID numbers; these numbers can be used to troubleshoot the server. Windows Server offers a native log subscription feature that forwards all system and security audit logs to a centralized server.
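Granular auditing only takes effect if the "Force audit policy subcategory settings" policy from the baseline above is on, and the subcategories you care about are actually set to record both success and failure. The script below is an added example, not the article's, showing how to verify both with auditpol's CSV output; the subcategory list is this example's own starting set, since the article's list did not survive on this page.

```powershell
# Added example (not from the original article): confirm subcategory auditing is
# in force and that a chosen set of subcategories audit both success and failure.
# Run as an administrator; read-only.

# 1. Subcategory settings override legacy category settings only when the LSA
#    value SCENoApplyLegacyAuditPolicy is 1 ("Audit: Force audit policy
#    subcategory settings ... to override audit policy category settings").
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'Subcategory audit settings may be overridden by category settings.'
}

# 2. Subcategories this example expects to see at "Success and Failure"
#    (this list is an assumption for illustration, not the article's list).
$wanted = 'Logon', 'Logoff', 'Account Lockout', 'User Account Management',
          'Security Group Management', 'Audit Policy Change',
          'Sensitive Privilege Use', 'Process Creation'

function Get-AuditSubcategory {
    param([string]$Name)
    # "auditpol /get /subcategory:<name> /r" emits CSV with an
    # "Inclusion Setting" column: No Auditing / Success / Failure / Success and Failure
    $lines = auditpol /get /subcategory:"$Name" /r | Where-Object { $_ -match ',' }
    $row = $lines | ConvertFrom-Csv | Select-Object -First 1
    New-Object PSObject -Property @{ Subcategory = $Name; Setting = $row.'Inclusion Setting' }
}

# Report only the subcategories that fall short of the expected setting
$wanted | ForEach-Object { Get-AuditSubcategory $_ } |
    Where-Object { $_.Setting -ne 'Success and Failure' } |
    Format-Table Subcategory, Setting -AutoSize

# To raise one after assessing log volume (Process Creation is the noisy one):
#   auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
#
# For the native forwarding the article mentions, the collector runs
#   wecutil qc
# each source runs
#   winrm quickconfig
# and the subscription itself is defined under Event Viewer > Subscriptions.
```

Running the check from the collector side against each forwarding source is a cheap way to catch a host whose audit policy was silently reset by a Group Policy change.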

Unnecessary shares pose a serious threat to vital servers. After a server or application deployment, system and security administrators should check whether the server has any unnecessary shares. This can be done using the following command:
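The article's own command is not preserved on this page. The following is an added PowerShell example, not the article's, that goes a step further than a plain listing: it enumerates every non-administrative share together with its share-level permissions via WMI (Win32_Share and Win32_LogicalShareSecuritySetting, both present on Windows Server 2008) and flags shares that grant Everyone Change or Full Control.

```powershell
# Added example (not from the original article): list non-administrative shares
# with their share-level ACL so unexpected shares stand out after a deployment.
# Read-only; run as an administrator.

function Get-ShareReport {
    # Type bit 0x80000000 marks the built-in administrative shares (C$, ADMIN$, IPC$)
    $shares = Get-WmiObject Win32_Share | Where-Object { ($_.Type -band 0x80000000) -eq 0 }

    foreach ($s in $shares) {
        $perms = @()
        $sec = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$($s.Name)'"
        if ($sec) {
            $sd = $sec.GetSecurityDescriptor().Descriptor
            foreach ($ace in $sd.DACL) {
                $who = if ($ace.Trustee.Domain) {
                    '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
                } else { $ace.Trustee.Name }

                # Share-level access masks: Full Control, Change, Read
                $level = switch ($ace.AccessMask) {
                    0x1F01FF { 'Full' }
                    0x1301BF { 'Change' }
                    0x1200A9 { 'Read' }
                    default  { '0x{0:X}' -f $ace.AccessMask }
                }
                # AceType 0 = allow, 1 = deny
                $kind = if ($ace.AceType -eq 1) { 'DENY' } else { 'ALLOW' }
                $perms += '{0}:{1}:{2}' -f $who, $kind, $level
            }
        }

        New-Object PSObject -Property @{
            Share            = $s.Name
            Path             = $s.Path
            Description      = $s.Description
            Permissions      = ($perms -join '; ')
            EveryoneWritable = [bool]($perms | Where-Object { $_ -match '^Everyone:ALLOW:(Full|Change)$' })
        }
    }
}

Get-ShareReport | Sort-Object Share |
    Format-Table Share, Path, EveryoneWritable, Permissions -AutoSize

# A share with no business reason is removed with (name is a placeholder):
#   net share MyShare /delete
```

Share permissions and NTFS permissions are evaluated together, so a share that looks permissive here may still be protected by the folder ACL; the point of the report is to find shares nobody planned for, which are the ones the article warns about.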
