Solved

hardening windows servers.

Posted on 2013-11-04
4
409 Views
Last Modified: 2013-11-19
Hi,

Can someone suggest security guidelines to hardening Windows servers - Exchange, SQL, File and Print, IIS?
0
Comment
Question by:nav2567
  • 2
4 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39621992
0
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39622065
Here's some more sources:
http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml
http://web.nvd.nist.gov/view/ncp/repository

Some excellent training is provided by SANS.
http://www.sans.org/windows-security/2013/06/03/download-scripts


Operating System and Applications Hardening:

    How your anti-virus scanners can fail you
    AppLocker whitelisting
    EMET, ASLR, SEHOP, DEP (EMET 4.0)
    Windows OS and Applications Hardening tools
    The Group Policy Management Console (GPMC)
    INF and XML Security templates
    How to manage Group Policy
    WMI filtering and GPO preferences
    Custom ADM/ADMX templates
    Hardening Adobe Reader
    Hardening Java
    Hardening Internet Explorer
    Hardening Google Chrome
    Hardening Microsoft Office
    Virtual Desktop Infrastructure (pros and cons)

High-Value Targets & Restricting Admin Compromise:

    What makes something a high-value target?
    Users in the local administrators group
    Secretly limiting the power of administrative users
    Limiting privileges, logon rights and permissions
    Token abuse and pass-the-hash attack mitigations
    Group Policy control of Windows security
    User Account Control (UAC)
    Delegating IT power more safely
    Organizational units for role-based controls
    Active Directory permissions for delegation
    Active Directory auditing and logging
    Painless (or Less Painful) Patch Management

PKI, BitLocker and Secure Boot:

    Why must I have a PKI?
    Examples: Smart Cards, VPNs, Wireless, SSL, S/MIME, etc.
    How to install the Windows PKI
    Root vs. subordinate certification authorities
    Should you be your own root CA?
    Detecting malicious trusted CA changes
    How to manage your PKI
    Group policy deployment of certificates
    How to revoke certificates
    Automatic private key backup
    Deploying smart cards
    Best practices for private keys
    BitLocker drive encryption
    BitLocker for USB drives
    UEFI Secure Boot
    TPM chip options for BitLocker
    BitLocker emergency recovery

IPSec, Windows Firewall, DNS, and Wireless:

    Isn't IPSec just for VPNs? No!
    IPSec for TCP port permissions
    How to create IPSec policies
    Windows Firewall and IPSec integration
    Group Policy for IPSec and firewall rules
    NETSH and PowerShell rules scripting
    DNSSEC response validation
    DNS secure dynamic updates
    DNS sinkholes for malware
    Wireless attack vulnerabilities
    Configuring RADIUS policies (NPS)
    Wi-Fi Protected Access (WPA2)
    Secure access to wireless networks
    Secure access to Ethernet networks
    Smart cards for wireless and Ethernet

Server Hardening & Dynamic Access Control:

    A recipe for hardening most servers
    Dangerous protocols: SSL, RDP, IPv6, SMB
    SMBv3 encryption and downgrade attacks
    Pre-forensics and incident response preparation
    Service accounts and recovery
    Scheduling elevated tasks safely
    Protocol stack hardening
    Kerberos armoring and restricting NTLM
    Server Core vs. Server Minimal/Full
    DMZ cross-forest Active Directory trusts
    Dynamic Access Control (DAC)
    DAC for data loss prevention
    DAC for complying with regulations
    Automatic File Classification Infrastructure

PowerShell Scripting:

    Getting comfortable in your shell
    PowerShell remoting
    Running cmdlets and scripts
    Writing your own functions
    Writing your own scripts
    Flow control within scripts
    Managing the event logs
    Managing Active Directory
    Windows Management Instrumentation (WMI)
    Accessing COM Objects
    Security and execution policy
0
 

Accepted Solution

by:
nav2567 earned 0 total points
ID: 39624118
Thanks, guys.  

I will check out these links and will respond before the end of this week.  

Thanks.
0
 

Author Closing Comment

by:nav2567
ID: 39658839
Thanks.  I will look into it and do more research on them.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As cyber crime continues to grow in both numbers and sophistication, a troubling trend of optimization has emerged over the last year.
There's a lot of hype surrounding blockchain technology. Here's how it works and some of the novel ways it' s now being used - including for data protection.
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question