Solved

Develop a standard win 2012 configuration guidline

Posted on 2015-01-09
5
177 Views
Last Modified: 2015-01-13
Regardless of the role (i.e. DNS, Print, Web, Terminal, DHCP, Application, Active Directory, etc) of the windows 2012 server,
I am trying to put together a configuration guidance list that can be followed and used to securely build and configure a 2012 server. I have used CIS and Microsoft compliance check tools to show me baseline configuration vulnerabilities but that tool is used after system is active. Please share any configuration recommendations I should have to secure and protect a 2012 server before it is configured for a specific role.

This is what I have thus far if the server requires a windows GUI Platform
1) Install & configure Antivirus Software
2) Install & configure Windows Update
3) Install & configure Malware Software
4) Install & configure Firewall Software
5) Install & configure HIPS/HIDS Agent
6)  Install & configure AppLocker
7) Install & configure the server role
8) Install & configure vendor software (based on server role: i..e. Application server - SQL Server or Deltek Time Card Software)
9) Run CIS, Microsoft, Nessus baseline configuration audit software

Thank you in advance.
0
Comment
Question by:cesemj
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 58

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 40540774
"Regardless of the role" ...no such thing. The purpose of the server is integral to the checklist. Every single step you listed, I can show a counterpoint where a specific role or applications makes that step irrelevant, or even worse, antithetical to the server's purpose. You can't simply make a lost in a void. Each deployment is about meeting the needs as specified, and *that* becomes about project management.

Sure, you could argue that you are making a baseline for common deployments. But even then, applocker? I'd argue *most* servers don't need it. That is a client lockdown tool. A HIPS on every server? Hmmm.....   and a CIS/Nesses scan? If this is really about building a solid baseline, wouldn't you do it once and then rely on the system? Rescinding each time seems redundant. And those are just the easy low hanging fruit.
0
 

Author Comment

by:cesemj
ID: 40540803
Ok, I need to develop a secure baseline checklist for each server role listed below:

Active Directory Domain Services role
Application Server role
DHCP Server role
DNS Server role
File Services role
Hyper-V role
Network Policy and Access Services role
Print Services role
Terminal Services role
Web Server role
Windows Deployment Services role
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40540809
Plenty of books cover those roles in detail. No need to reinvent (or rewrote) the wheel.
0
 

Author Comment

by:cesemj
ID: 40540817
ok
0
 

Author Closing Comment

by:cesemj
ID: 40546891
Thanks
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question