Solved

hardening windows servers.

Posted on 2013-11-04
4
405 Views
Last Modified: 2013-11-19
Hi,

Can someone suggest security guidelines to hardening Windows servers - Exchange, SQL, File and Print, IIS?
0
Comment
Question by:nav2567
  • 2
4 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39621992
0
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39622065
Here's some more sources:
http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml
http://web.nvd.nist.gov/view/ncp/repository

Some excellent training is provided by SANS.
http://www.sans.org/windows-security/2013/06/03/download-scripts


Operating System and Applications Hardening:

    How your anti-virus scanners can fail you
    AppLocker whitelisting
    EMET, ASLR, SEHOP, DEP (EMET 4.0)
    Windows OS and Applications Hardening tools
    The Group Policy Management Console (GPMC)
    INF and XML Security templates
    How to manage Group Policy
    WMI filtering and GPO preferences
    Custom ADM/ADMX templates
    Hardening Adobe Reader
    Hardening Java
    Hardening Internet Explorer
    Hardening Google Chrome
    Hardening Microsoft Office
    Virtual Desktop Infrastructure (pros and cons)

High-Value Targets & Restricting Admin Compromise:

    What makes something a high-value target?
    Users in the local administrators group
    Secretly limiting the power of administrative users
    Limiting privileges, logon rights and permissions
    Token abuse and pass-the-hash attack mitigations
    Group Policy control of Windows security
    User Account Control (UAC)
    Delegating IT power more safely
    Organizational units for role-based controls
    Active Directory permissions for delegation
    Active Directory auditing and logging
    Painless (or Less Painful) Patch Management

PKI, BitLocker and Secure Boot:

    Why must I have a PKI?
    Examples: Smart Cards, VPNs, Wireless, SSL, S/MIME, etc.
    How to install the Windows PKI
    Root vs. subordinate certification authorities
    Should you be your own root CA?
    Detecting malicious trusted CA changes
    How to manage your PKI
    Group policy deployment of certificates
    How to revoke certificates
    Automatic private key backup
    Deploying smart cards
    Best practices for private keys
    BitLocker drive encryption
    BitLocker for USB drives
    UEFI Secure Boot
    TPM chip options for BitLocker
    BitLocker emergency recovery

IPSec, Windows Firewall, DNS, and Wireless:

    Isn't IPSec just for VPNs? No!
    IPSec for TCP port permissions
    How to create IPSec policies
    Windows Firewall and IPSec integration
    Group Policy for IPSec and firewall rules
    NETSH and PowerShell rules scripting
    DNSSEC response validation
    DNS secure dynamic updates
    DNS sinkholes for malware
    Wireless attack vulnerabilities
    Configuring RADIUS policies (NPS)
    Wi-Fi Protected Access (WPA2)
    Secure access to wireless networks
    Secure access to Ethernet networks
    Smart cards for wireless and Ethernet

Server Hardening & Dynamic Access Control:

    A recipe for hardening most servers
    Dangerous protocols: SSL, RDP, IPv6, SMB
    SMBv3 encryption and downgrade attacks
    Pre-forensics and incident response preparation
    Service accounts and recovery
    Scheduling elevated tasks safely
    Protocol stack hardening
    Kerberos armoring and restricting NTLM
    Server Core vs. Server Minimal/Full
    DMZ cross-forest Active Directory trusts
    Dynamic Access Control (DAC)
    DAC for data loss prevention
    DAC for complying with regulations
    Automatic File Classification Infrastructure

PowerShell Scripting:

    Getting comfortable in your shell
    PowerShell remoting
    Running cmdlets and scripts
    Writing your own functions
    Writing your own scripts
    Flow control within scripts
    Managing the event logs
    Managing Active Directory
    Windows Management Instrumentation (WMI)
    Accessing COM Objects
    Security and execution policy
0
 

Accepted Solution

by:
nav2567 earned 0 total points
ID: 39624118
Thanks, guys.  

I will check out these links and will respond before the end of this week.  

Thanks.
0
 

Author Closing Comment

by:nav2567
ID: 39658839
Thanks.  I will look into it and do more research on them.
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You may have a outside contractor who comes in once a week or seasonal to do some work in your office but you only want to give him access to the programs and files he needs and keep privet all other documents and programs, can you do this on a loca…
An overview of HIPAA and guidance on this topic that Experts Exchange members can offer.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now