Windows Server 2016 Hardening and Security Baseline Best Practices – Part 1

Security is the biggest concern nowadays for all the organization and to maintain the control of your whole environment we should bring the better hardening solutions. This article is the first part to talk on those scenarios and pointers (Windows Server 2016 Hardening). We will soon publish the second part of it soon.

Windows Server 2016 Hardening & Security: Why it is essential?

Security is a real risk for organizations; a security breach can be potentially disrupting for all business and bring the organizations to a halt.

Sooner you can detect a potential attack that will help you more to mitigate any compromise in security. The attacker starts researching weak points and then proceeds to perform the attack. Once attackers are in an environment, the next step the perform by escalating their privileges through lateral movement within the operating environment until they take control over the organization within 24 to 48 hours from the first compromise.

We need to extend the time it takes an attacker to take control to weeks or even months by blocking their lateral movements and hardening your systems.

The following is a typical attack scenario:

1. The attacker does some research and preparation about an organization (such as by using Facebook, Linked In, search engines, or other social networking services).
2. The attacker determines the best method for initiating an attack (such as a phishing email or probing edge-of-network services).
3. The attacker initiates an attack to gain a foothold in the organization’s network and services.
4. The attacker gains access and then, using one or more compromised identities, attempts to escalate their privileges.
5. The attacker gains escalated privileges and continue to compromise services and servers within the organization, compromising data and causing a denial of service.

Windows Server 2016 help prevent and detect compromise?

Windows Server 2016 has built-in security features to help & improve better harden the operating system and detect malicious activity by:

• Build a secure foundation.
  • Windows Server security updates
  • Group Policy settings
  • Local Script tools
  • Integrating with Microsoft Operations Management Suite (OMS).
• Protect privileged identities.
  • Just Enough Administration (JEA)
  • Just in Time Administration (JIT)
  • Credential Guard
  • Remote Credential Guard
  • Advanced Threat Analytics.
• Harden Windows Server
  • Control Flow Guard
  • Windows Defender
  • Device Guard
  • AppLocker
  • Microsoft OMS.
• Improve threat detection
  • Windows event log entries
  • Windows Server auditing
  • Microsoft OMS.
• Harden Hyper-V® environments
  • Guarded fabric
  • TPM in Hyper-V
  • Datacenter Firewall in Software Defined Networking (SDN).

Build a secure foundation by implementing best practice as mentioned below

Windows Server security updates

Microsoft updates for Windows operating systems regularly gets a release. These patches include security updates to keep Windows Server secure as new threats and vulnerabilities are discovered as well as anti-malware and anti-spyware definition updates for Windows Defender.

You can deploy these updates to the servers in your organization by using one of the methods listed in the following table.

Method	When to select this method
Windows Update only	Use this method when you have a small number of servers that have direct access to the Internet and can download updates directly from Windows Update.
Windows Server Update Services (WSUS)	Use this method when you do not have System Center Configuration Manager but desire a centralized way of downloading and managing updates.
System Center Configuration Manager	This method leverages Windows Server Update Services to download the updates but then uses the deployment flexibility of the Software Update feature in System Center Configuration Manager to deploy the updates to servers on your network.

Configure Windows Server security settings

Windows operating systems include security settings that you can use to help harden computer security profiles. Microsoft publishes security baselines which provide for recommended settings for Windows Firewall, Windows Defender, and other security settings. These security baselines are supplied as Group Policy object (GPO) backups that you can import into ADDS and then deploy to domain-joined servers. Further, you can use some tools to understand and do the server level and domain level hardenings.

One Tool I like to mention is LAPS which is apart from Just Enough Administration (JEA), Just in Time Administration (JIT), Credential Guard, Remote Credential Guard and Advanced Threat Analytics.

Local Administrator Password Solution is a beneficial solution to automatically manages local administrator password on domain-joined computers, so as the password is:

• Unique on each managed computer
• Randomly generated
• Securely stored in AD infrastructure

This solution is built upon just AD infrastructure, so there is no need to install and support other technologies. This tool itself is a Group Policy Client-Side Extension that is mounted on managed machines and performs all management tasks. Management tools delivered with the solution allow for easy configuration and administration.

It helps to do following task:

• Checks whether the password of local Administrator account has expired or not
• Generates the new password when old password expired or is required to be changed before the expiration
• Changes the password of the Administrator account
• Reports the password to password Active Directory, storing it in a confidential attribute with computer account in AD
• It states the next expiration time to Active Directory, storing it in a confidential attribute with computer account in AD
• Password then can be read from an AD by users who can do so
• The password can be forced to be changed by eligible users

Feature of LAPS

• Security:
  • The random password that automatically regularly changes on managed machines
  • Effective mitigation of Pass-the-hash attack
  • The password is protected during the transport via Kerberos encryption
  • The password is preserved in an AD by AD ACL, so granular security model can be easily implemented
• Manageability
  • Configurable password parameters: age, complexity, and length
  • Ability to force a password reset on the per-machine basis
  • Security model integrated with AD ACLs
  • End-use UI can be any AD management tools of choice, plus custom tools (PowerShell and Fat client) are provided
  • Protection against computer account deletion
  • Easy implementation and minimal footprint

Back up your information and systems

You should perform scheduled backups of the Windows Server operating system, including the applications and data stored on Windows Server. Doing so will help protect against ransomware attacks on Windows Server. You should perform backups frequently so that you can quickly restore to a point-in-time before a ransomware attack.

Management and monitoring using Operations Management Suite

OMS is a cloud-based IT management solution that helps you manage and protect your on-premises and cloud infrastructure. OMS is implemented as a cloud-based service, and you can start maintaining your apps, services, and support with minimal extra investment. OMS is also updated periodically with new features and can help dramatically reduce your ongoing maintenance and upgrade costs.

OMS offers the following critical capabilities:

• Insight and analytics. This feature can collect, correlate, search, and act on logs and performance data generated by Windows operating systems and apps. It provides real-time operational insights for all your workloads and servers, on-premises and in Azure.
• Security and compliance. This feature identifies, assesses, and mitigates security risks. It uses the Security and Audit solution (which collects and analyzes security events), the Antimalware solution (which provides current malware protection status), and the System Updates solution (which provides current software update status) to ensure the ongoing security of your on-premises and cloud workloads and servers.
• Automation and control. This feature automates administrative processes with runbooks (like runbooks in System Center) using Windows PowerShell®. Runbooks can access any apps, operating systems, or services that can be managed by Windows PowerShell. It also provides configuration management with Windows PowerShell Desired State Configuration (DSC), which can automatically enforce your configuration settings on-premises and in Azure.
• Protection and recovery. This feature can back up recovery workloads and servers. Azure Backup protects app data for on-premises and cloud-based servers. Azure Site Recovery helps provide disaster recovery by orchestrating replication, failover, and restoration of on-premises Hyper-V virtual machines.

Protect privileged identities

Privileged identities are any accounts that have elevated privileges, such as user accounts that are members of the Domain Admins, Enterprise Admins, local Administrators, or even Power Users groups. You need to protect these privileged user identities from compromise by potential attackers.

How identities get compromised?

Privileged identities often get compromised when organizations do not have proper guidelines to protect them. The following are examples:

• More privileges that are necessary: One of the most common issues is that users have more rights that are necessary to perform their job function. For example, a user who manages DNS might also be an AD administrator. In most cases, this is done to avoid the need to configure different administration levels. If such an account is compromised, the attacker automatically has elevated privileges.
• Signed in with elevated privileges all the time. Another common issue is that users have with elevated privileges can use it for an unlimited time. It is very common with IT pros who sign in to a desktop computer using a privileged account, stay signed in, and use the privileged account to browse the web and use email. Unlimited durations of privileged accounts makes the account prone to attack and increases the odds of the account will be compromised.
• Social engineering research: In most cases, credential threats start out by researching the org and then conducted detailed social engineering. For example, an attacker may perform phishing attack via. Email to compromise legitimate accounts (but not necessarily elevated accounts) that have access to the organization’s network. The attacker then uses these valid accounts to perform additional research on your system and to identify privileged accounts that can perform administrative tasks.
• Leverage accounts with elevated privileges. Even with a standard, the non-elevated user account in the network, attackers can potentially gain access to accounts using elevated permissions. One of the more popular methods of doing so is by using the Pass-the-Hash or Pass-the-Token attacks.

There are of course other methods that the attackers can use to identify and compromise privileged user identities (with new techniques being created every day).

Prevent attackers from gaining access to privileged identities

You can reduce the attack surface for privileged identities (discussed in the previous section) with each of the mitigations described in the following table.

Attack vectors	How to mitigate
More privileges than are necessary	Implement Just Enough Administration (JEA) for all IT pros who administer Windows Server and the apps and services (such as Exchange Server or Exchange Online) running on Windows Server by using Windows PowerShell.
Signed in with elevated privileges all the time	Implement Just in Time Administration (JIT) for all users who require elevated privileges so that the elevated privileges can only be used for a limited amount of time. Many organizations use the Local Administrator Password Solution (LAPS) as a simple yet powerful JIT administration mechanism for their server and client systems.
Compromised identity and Pass-The-Hash attacks	Implement Microsoft Advanced Threat Analytics (ATA) to help detect compromised identities in on-premises workloads and servers. ATA is an on-premises solution that you can use to manage physical and virtualized workloads.
Pass-The-Hash attacks	·        Implement Credential Guard to help protect credentials and credential derivates from attacks such as Pass-the-Hash or Pass-the-Token. “Credential-Guard” is a new feature in Windows Server 2016. ·        Implement Remote Credential Guard to help protect credentials and credential derivates from attacks such as Pass-the-Hash or Pass-the-Token that can be performed on servers that host Remote Desktop connections. Remote Credential Guard is a new feature in Windows Server 2016.

Conclusion

I will continue to write on this series based on the my expeirence with Global clients that i worked with. I hope the article was helpful. Questions/suggestions are welcome in the comment section below. Thanks for visiting!

Disclaimer: The Questions and Answers provided on https://www.gigxp.com are for general information purposes only. We make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose.