Windows Server 2012 Step by Step Book

Windows Server 2012 Step by Step

This is my first book, published on December 2 2012. The following chapters are covered in detail in the book titled “Windows Server 2012 Step by Step”:

Chapter 1: Introduction to Windows Server 2012

Chapter 2: Installing and Navigating Windows Server 2012

Chapter 3: Server Roles and Features

Chapter 4: Active Directory Domain Services

Chapter 5: Active Directory Certificate Services

Chapter 6: Active Directory Federation Services

Chapter 7: Active Directory Rights Management Services

Chapter 8: Networking Infrastructure

Chapter 9: Failover Clustering

Chapter 10: Remote Desktop Services

Chapter 11: Security, Protection and protection

Chapter 12: Building Private Cloud with Hyper-V

Chapter 13: Web Server (IIS)

Chapter 14: BranchCache Server configuration

Chapter 15: Routing and Remote Access Server Configuration

Chapter 16: Windows Deployment Services

Chapter 17: Windows Server Update Services

Chapter 18: Volume Activation

Chapter 19: File and Storage Services

Chapter 20: Print and Document Services

Chapter 21: Network Policy and Access Server

Chapter 22: Group Policy Object

Chapter 23: Migrating from Server 2008 to Server 2012

Chapter 24: Supporting Windows Server 2012

 

Hardening Security of Server - The Bottom Line

Securing servers from internal and external threats is a key aspect of managing and administering Windows Servers. If you carefully design, implement and maintain your IT infrastructure, you will sleep better at night knowing you are safe, and the on-call engineer will not be facing a nightmare. So how do you achieve tight security and control over your IT infrastructure without compromising the work environment? Here are some tips.

Infrastructure Firewalls

Your head office network must be isolated from the branch office networks. You can purchase an MPLS or IP WAN service from your ISP. Alternatively, you can create a site-to-site VPN using a security appliance or an application such as Forefront TMG 2010. A better design approach is a multi-tier firewall, so that your internal servers, DMZ servers and branch servers stay securely connected. You can place specific servers, services and applications in their own VLANs, with the correct Access Control Lists (ACLs) on Cisco switches and routers. This adds another firewall layer to the network.

Computer-based Firewalls

Windows Server 2008 and Windows Server 2012 include a built-in firewall. You can configure it for a group of servers or for an individual server to provide a host-based firewall. Both Server 2008 and Server 2012 ship with advanced firewall and security configuration tools, which you can administer through Group Policy objects.

Intrusion Detection System

Another key aspect of firewalling is a security appliance that lets you harden security using an Intrusion Detection System (IDS) or Intrusion Protection System (IPS). These are third-party devices or appliances. The IDS monitors network traffic, logs data about the traffic, analyses the traffic based on signatures and anomalies, recognizes potential attacks, and alerts the IT staff to the perceived attack. The IPS does all that, and it can also react to the perceived attack based on the rules you configure.

Server Hardening - The Bottom Line

Take the following actions to prevent your servers from being hacked:

  • Isolate administrator roles for individual tasks, in line with each administrator's job description
  • Stop and disable all unnecessary services and applications
  • Rename the Administrator account
  • Implement a password policy using the Default Domain Policy in a Group Policy Object
  • Implement GPOs to secure servers and clients
  • Delete or disable all unnecessary user accounts
  • Use service accounts to run services and applications instead of an IT admin's generic account, and store the passwords in a safe location
  • Create role-based user accounts instead of using accounts by user name
  • Require strong authentication and certificates to access applications
  • Perform regular firmware, operating system and application updates using WSUS or SCCM
  • Install a renowned antivirus and anti-spyware program and manage it centrally
  • Document all system configurations and store these documents in a safe location
  • Audit and monitor the IT infrastructure regularly to prevent any misconfiguration
  • Use a Read-Only Domain Controller (RODC) for each branch office
  • Use Server Core to reduce the attack surface further
  • Use NPS, NAP and certificate servers to secure access to applications and services
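
A few of the items above (host-based firewall, renamed Administrator account, unnecessary accounts, service accounts) can be checked with a read-only script. The following is an added example, not taken from the book; the function name Get-HardeningReport is hypothetical, and it assumes Windows PowerShell 3.0 or later on a Windows Server 2012 member server.

```powershell
# Added example: read-only audit of a few hardening items on the local server.
# Assumption: Windows Server 2012 or later (NetSecurity module), member server.
# Nothing is changed; the function only returns findings to review.

function Get-HardeningReport {
    $findings = @()

    # Host-based firewall: Domain, Private and Public profiles should be enabled.
    foreach ($fwProfile in Get-NetFirewallProfile) {
        if ([string]$fwProfile.Enabled -ne 'True') {
            $findings += "Firewall profile '$($fwProfile.Name)' is not enabled"
        }
    }

    # Local accounts: the built-in Administrator always has a SID ending in -500,
    # whatever it is called, so a rename is detected by SID and not by name.
    $accounts = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True"
    foreach ($account in $accounts) {
        if ($account.SID -like 'S-1-5-21-*-500' -and $account.Name -eq 'Administrator') {
            $findings += "Built-in Administrator account has not been renamed"
        }
        if (-not $account.Disabled) {
            $findings += "Enabled local account '$($account.Name)': confirm it is needed"
        }
    }

    # Services: list auto-start services that run under a named user account,
    # so each can be confirmed as a dedicated service account.
    $builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
    $services = Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'"
    foreach ($svc in $services) {
        $runAs = $svc.StartName
        if ($runAs -and ($builtIn -notcontains $runAs) -and ($runAs -notlike 'NT SERVICE\*')) {
            $findings += "Service '$($svc.Name)' runs as '$runAs': confirm it is a service account"
        }
    }

    return $findings
}

# Print one finding per line; no output means none of the checks raised anything.
Get-HardeningReport
```

Run it from an elevated PowerShell prompt on each server and keep the output with your configuration documentation.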