Security Hardening Settings For Windows Servers

The document discusses 10 security hardening settings for Windows servers and Active Directory: 1) user accounts with non-expiring passwords, 2) unused user accounts, 3) default privileged groups, 4) application privileged groups, 5) server-based user rights, 6) Active Directory delegations, 7) Group Policy delegations, 8) service accounts, 9) password policy, and 10) monitoring Active Directory changes. For each setting, it identifies potential issues and recommends solutions to improve security such as using least privileged access, regularly evaluating group memberships, and implementing monitoring tools.


Security Hardening Settings for Windows Servers and Active Directory


Based on: RSA Security Conference material, ManageEngine "Connect to Protect", and Microsoft AD hardening resources.

1. User accounts with non-expiring passwords

Issues

• A password that never expires gives an attacker unlimited time to guess it online or crack it offline.
• Any authenticated user can enumerate these accounts (the "password never expires" flag in userAccountControl is readable by everyone in the domain), so they are easy targets.
• Resetting passwords at scheduled intervals bounds the window in which a stolen or cracked password remains usable.
• Rotation forces an attacker to work within a time limit.
• A compromised account has to be compromised again after each rotation.

Solutions

All user accounts need expiring passwords, including:

• IT
• Developers
• Help desk
• Executives
• Service accounts (where an application cannot tolerate a manual rotation, move it to a group managed service account, whose password Active Directory rotates automatically)
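
The following PowerShell is an added example, not part of the original document: it lists enabled domain accounts whose password never expires, clears the flag where that is safe, and flags the ones that need a coordinated reset first. It assumes the ActiveDirectory (RSAT) module and an exception group named SvcAcct-RotationExempt (a hypothetical name).

```powershell
# Added example (not from the original document). Assumes the ActiveDirectory module
# and a hypothetical exception group "SvcAcct-RotationExempt" for accounts that are
# being migrated to gMSA and must not be touched by this script.
Import-Module ActiveDirectory

$exemptGroup = 'SvcAcct-RotationExempt'   # hypothetical name
$maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge

# Effective (recursive) members of the exemption group, keyed by DN for fast lookup
$exempt = @{}
Get-ADGroupMember -Identity $exemptGroup -Recursive -ErrorAction SilentlyContinue |
    ForEach-Object { $exempt[$_.distinguishedName] = $true }

$flagged = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, ServicePrincipalName |
    Where-Object { -not $exempt.ContainsKey($_.DistinguishedName) }

foreach ($u in $flagged) {
    # Caveat: once the flag is cleared, the existing PasswordLastSet starts to count.
    # If it is already older than MaxPasswordAge the password expires immediately and
    # anything running under that account breaks, so those need a reset in a change
    # window rather than a silent flag flip.
    $tooOld = ($null -eq $u.PasswordLastSet) -or
              (($maxAge.TotalDays -gt 0) -and (((Get-Date) - $u.PasswordLastSet) -gt $maxAge))
    $action = if ($tooOld) { 'RESET-FIRST' } else { 'CLEAR-FLAG' }

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        LastLogonDate   = $u.LastLogonDate
        HasSPN          = ($u.ServicePrincipalName.Count -gt 0)   # an SPN usually means a service account
        Action          = $action
    }

    if (-not $tooOld) {
        # Remove -WhatIf after reviewing the report.
        Set-ADUser -Identity $u -PasswordNeverExpires $false -WhatIf
    }
}
```

Run it first with -WhatIf in place and review the RESET-FIRST rows and the HasSPN column before clearing anything; accounts with an SPN are where outages happen.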

2. User accounts that have never logged in

Issues

• The accounts still carry the "new user" password that was set at creation.
• Every employee knows the (default) new-user password.
• Any employee could log on as one of these accounts.
• Access and privileges are already granted at the time of creation, so the account is usable from day one.

Solutions

• Delete user accounts that will never be used.
• Report on all user accounts that are not logged into regularly (lastLogonTimestamp), and on accounts that have never logged on at all.
• Do not use the same "new user" password for every new account.
• Generate a random initial password per account and require a change at first logon.
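
As an added example (not from the original document), the following PowerShell reports accounts that have never logged on and accounts inactive for 90 days, and provides a CSPRNG-backed generator for unique initial passwords. It assumes the ActiveDirectory module; the 30-day grace period for brand-new accounts, the 90-day inactivity window and the "jdoe" account are assumptions.

```powershell
# Added example (not from the original document). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# 1. Enabled accounts that have never logged on and are past the grace period.
#    LastLogonDate comes from lastLogonTimestamp, which replicates but may lag by
#    up to 14 days, so treat the figures as approximate.
$grace = (Get-Date).AddDays(-30)                       # assumed grace period
$neverLoggedOn = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated |
    Where-Object { $null -eq $_.LastLogonDate -and $_.whenCreated -lt $grace }

# 2. Enabled accounts inactive for 90 days (same lastLogonTimestamp caveat applies).
$inactive = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays(90)) -UsersOnly |
    Where-Object { $_.Enabled }

$neverLoggedOn | Select-Object SamAccountName, whenCreated   | Export-Csv .\never-logged-on.csv -NoTypeInformation
$inactive      | Select-Object SamAccountName, LastLogonDate | Export-Csv .\inactive-90d.csv -NoTypeInformation

# 3. Random password from a CSPRNG. Rejection sampling keeps the distribution uniform
#    (plain "byte % alphabet length" would bias towards the first characters).
function New-RandomPassword {
    param([int]$Length = 20)
    $alphabet = [char[]]('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*-_=+')
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    $limit = 256 - (256 % $alphabet.Length)   # largest multiple of the alphabet size below 256
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) { [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    $sb.ToString()
}

# 4. Create an account with a unique password and a forced change at first logon.
#    "jdoe" / corp.example are hypothetical.
$initialPassword = New-RandomPassword -Length 20
New-ADUser -Name 'Jane Doe' -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@corp.example' `
    -AccountPassword (ConvertTo-SecureString $initialPassword -AsPlainText -Force) `
    -ChangePasswordAtLogon $true -Enabled $true -WhatIf
```

Hand the generated password to the user out of band; because the flag forces a change at first logon, the value you handed over is useless to anyone who sees it afterwards.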
3. Default privileged groups need evaluation

Issues

Domain-level groups:

• Domain Admins
• Administrators
• DNSAdmins
• etc. (Account Operators, Backup Operators, Server Operators and similar built-in operator groups)

Forest-level groups:

• Enterprise Admins
• Schema Admins

Solutions

• Verify group membership regularly.
• Use a tool that enumerates group members recursively; nested groups hide the effective membership.
• Apply least privilege: Schema Admins should normally be empty except during a schema change, and Enterprise Admins should be kept as small as possible.

4. Application and custom privileged groups need evaluation

Issues

• Microsoft applications create their own privileged groups, for example:
  • SQL Server
  • Exchange
  • SharePoint, etc.
• Third-party applications do the same.

Solutions

• Document all privileged groups, including application-created ones.
• Verify group membership regularly.
• Use a tool that enumerates group members recursively.
• Apply least privilege.
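
The following PowerShell is an added example, not part of the original document, and covers both the default groups of section 3 and the application/custom groups of section 4: it resolves the effective (recursive) membership of each group and diffs it against an approved baseline. It uses the LDAP matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) so nesting is resolved server-side and foreign security principals do not abort the query the way Get-ADGroupMember -Recursive can. The custom group names and the baseline file path are assumptions.

```powershell
# Added example (not from the original document). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$groups = @(
    'Domain Admins', 'Administrators', 'DnsAdmins', 'Account Operators',
    'Backup Operators', 'Server Operators', 'Enterprise Admins', 'Schema Admins',
    # application / custom groups (hypothetical names; use your documented list)
    'SQL-Admins', 'Exchange Organization Management', 'SharePoint-Farm-Admins'
)
$baselinePath = '.\privileged-groups-baseline.csv'   # assumed location

function Get-EffectiveMembers {
    param([string]$GroupName)
    $g = Get-ADGroup -Identity $GroupName -ErrorAction SilentlyContinue
    if (-not $g) { Write-Warning "group not found: $GroupName"; return }
    # Every object (user, computer, gMSA) whose memberOf chain reaches the group.
    # DNs containing ( ) * or \ would need RFC 4515 escaping in the filter.
    Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($g.DistinguishedName))" `
        -Properties objectClass, sAMAccountName |
        Where-Object { $_.objectClass -ne 'group' } |
        ForEach-Object {
            [pscustomobject]@{ Group = $g.Name; Member = $_.sAMAccountName; Class = $_.objectClass }
        }
}

$current = @(foreach ($name in $groups) { Get-EffectiveMembers -GroupName $name })

# Schema Admins should normally be empty; any member is worth a ticket.
$current | Where-Object { $_.Group -eq 'Schema Admins' } |
    ForEach-Object { Write-Warning "Schema Admins is not empty: $($_.Member)" }

if (Test-Path $baselinePath) {
    $baseline = Import-Csv $baselinePath
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Group, Member
    foreach ($d in $diff) {
        $state = if ($d.SideIndicator -eq '=>') { 'ADDED (not in baseline)' } else { 'REMOVED' }
        '{0,-35} {1,-30} {2}' -f $d.Group, $d.Member, $state
    }
} else {
    # First run: the reviewed membership becomes the baseline for future diffs.
    $current | Export-Csv $baselinePath -NoTypeInformation
    "Baseline written: $($current.Count) memberships across $($groups.Count) groups"
}
```

Schedule the comparison and treat every ADDED row as something that must match a change ticket; a membership that nobody can explain is the finding.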

5. Server-based user rights

Issues

• User rights grant privileges over the computer where they are assigned (they are per-machine, not per-resource).
• User rights supersede resource permissions: for example, "Back up files and directories" (SeBackupPrivilege) reads any file regardless of its ACL.
• User rights can allow inappropriate access.
• User rights can enable denial-of-service attacks (for example, "Shut down the system" or "Load and unload device drivers").
• User rights can allow malware, including ransomware, to run with elevated capability ("Debug programs", "Impersonate a client after authentication", "Take ownership of files or other objects").

Solutions

• Review user rights with the appropriate tool: secpol.msc (Local Policies > User Rights Assignment) or secedit /export.
• Use Group Policy to standardize and deploy user rights settings.
• Apply least privilege.
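
As an added example (not from the original document), the following PowerShell exports the local User Rights Assignment with secedit, resolves the SIDs, and flags high-impact rights held by anything other than the principals expected to hold them. It must run elevated on the server being checked. The "expected holders" list is an assumption; tune it to your build standard and then push the same settings from Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment).

```powershell
# Added example (not from the original document). Run elevated on the target server.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Rights that amount to local admin (or worse) when given to the wrong principal
$highImpact = @{
    SeDebugPrivilege              = 'read/write any process memory (LSASS dumps)'
    SeTcbPrivilege                = 'act as part of the operating system'
    SeBackupPrivilege             = 'read any file regardless of ACL'
    SeRestorePrivilege            = 'write any file regardless of ACL'
    SeTakeOwnershipPrivilege      = 'take ownership of any object'
    SeLoadDriverPrivilege         = 'load kernel drivers'
    SeImpersonatePrivilege        = 'impersonate clients (prerequisite for token-theft escalation)'
    SeAssignPrimaryTokenPrivilege = 'replace a process-level token'
    SeRemoteInteractiveLogonRight = 'RDP logon'
    SeServiceLogonRight           = 'log on as a service'
}
# Principals that legitimately hold most of the above on a member server (assumption)
$expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
              'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')

function Resolve-Sid {
    param([string]$Token)
    # secedit writes SIDs as *S-1-5-32-544; names it could resolve are written as names
    if ($Token -notlike '*S-1-*') { return $Token }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Token.TrimStart('*'))
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Token }   # unresolvable (orphaned) SID: keep it, it is a finding in itself
}

$inPrivSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]') { $inPrivSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inPrivSection -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }
    $right   = $Matches[1]
    $holders = $Matches[2] -split ',' | Where-Object { $_ } | ForEach-Object { Resolve-Sid $_.Trim() }
    if (-not $highImpact.ContainsKey($right)) { continue }
    foreach ($h in $holders) {
        if ($expected -notcontains $h) {
            [pscustomobject]@{ Right = $right; Holder = $h; Impact = $highImpact[$right] }
        }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

A typical finding is a vendor's install guide that granted "Log on as a service" or "Debug programs" to Everyone or to a broad application group; fix it in the GPO, not on the box, or the next policy refresh puts it back.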

6. Active Directory delegations

Issues

• Delegations grant privileged access to Active Directory objects, for example:
  • Resetting user passwords
  • Creating groups
  • Modifying group membership
• Delegations are difficult to report on (they live in the ACL of each OU and object).
• Delegations can be difficult to remove (the Delegation of Control wizard only adds rights; it has no way to take them back).

Solutions

• Verify delegations on every OU and on the domain head: dsacls "<OU distinguished name>".
• Apply least privilege.
• Consider a third-party delegation tool that provides:
  • A proxy user (help desk staff act through the tool instead of holding the AD rights directly)
  • Easier and more granular delegation
  • Tracking of all activity and actions

7. Group Policy delegations

Issues

• Group Policy is integral to Active Directory.
• Group Policy can decrease security by granting access (for example, by adding users to local groups or assigning user rights).
• A bad GPO change can have significant consequences on every computer it applies to.
• Delegations grant access over GPOs:
  • Creating GPOs in the domain
  • Linking GPOs to the domain, an OU, or a site
  • Modifying GPO settings

Solutions

• Apply least privilege.
• Use GPMC, the GPMC sample scripts, or PowerShell (GroupPolicy module, Get-GPPermission) to enumerate delegations.
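
The following PowerShell is an added example, not part of the original document, and serves both section 6 (AD delegations) and section 7 (Group Policy delegations): it walks the ACL of the domain head and every OU, reporting who can reset passwords, change group membership, take full control, rewrite the ACL, or rewrite gPLink, and then lists who can edit or create GPOs. It is the scripted equivalent of running dsacls against each OU by hand. It requires the ActiveDirectory and GroupPolicy modules; the lists of trusted principals are assumptions for this domain.

```powershell
# Added example (not from the original document). Needs the ActiveDirectory and
# GroupPolicy modules; the "trusted" lists are assumptions to tune per domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain  = Get-ADDomain
$nb      = $domain.NetBIOSName
$trusted = @("$nb\Domain Admins", "$nb\Enterprise Admins", 'BUILTIN\Administrators',
             'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF',
             'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'CREATOR OWNER')

# Well-known attribute / extended-right GUIDs that appear in delegations
$guidNames = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password (reset password)'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member attribute (group membership)'
    'f30e3bbe-9ff0-11d1-b603-0000f80367c1' = 'gPLink attribute (link GPOs to this OU)'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All (DCSync)'
    '00000000-0000-0000-0000-000000000000' = '(all attributes / all extended rights)'
}
$broadRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner'

$containers = @($domain.DistinguishedName) +
              @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

# --- Section 6: delegations on the domain head and every OU ---
foreach ($dn in $containers) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IsInherited) { continue }   # report where set
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        $guid   = $ace.ObjectType.ToString()
        $target = $guidNames[$guid]
        # Broad rights always matter; WriteProperty/ExtendedRight matter when aimed at a
        # known-sensitive target (unknown attribute GUIDs are left out of this report).
        $interesting = ($rights -match $broadRights) -or
                       (($rights -match 'ExtendedRight|WriteProperty') -and $target)
        if ($interesting) {
            [pscustomobject]@{
                Object    = $dn
                Principal = $ace.IdentityReference.Value
                Rights    = $rights
                Target    = if ($target) { $target } else { $guid }
            }
        }
    }
}

# --- Section 7: who can edit each GPO, and who can create new ones ---
$trustedGpoEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')   # GPMC reports names without domain
foreach ($gpo in Get-GPO -All) {
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { ($_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity') -and
                       ($trustedGpoEditors -notcontains $_.Trustee.Name) } |
        ForEach-Object {
            [pscustomobject]@{ Object = "GPO: $($gpo.DisplayName)"; Principal = $_.Trustee.Name
                               Rights = $_.Permission; Target = 'GPO settings' }
        }
}
Get-ADGroupMember -Identity 'Group Policy Creator Owners' -Recursive |
    ForEach-Object { "Can create GPOs: $($_.SamAccountName)" }
```

Anything reported with DS-Replication-Get-Changes-All on the domain head is effectively a domain admin (it can replicate every password hash), and anything with write access to gPLink on an OU can push code to every computer in it; both deserve the same scrutiny as Domain Admins membership.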
8. Service accounts

Issues

• Service accounts are granted privileges at install or configuration time and are rarely reviewed afterwards.
• Service accounts often have non-expiring passwords.
• Service accounts often still have their original passwords.
• Service accounts are rarely monitored for where and how they log on.

Solutions

• Associate each service account with the servers where it is configured.
• Use long, strong, randomly generated passwords.
• Configure accounts so they can log on only to specified computers ("Log On To", the userWorkstations attribute).
• Configure accounts so they cannot change their own password.
• Where the application supports it, prefer a group managed service account (gMSA), whose password Active Directory rotates automatically.
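
As an added example (not from the original document), the following PowerShell maps domain service accounts to the servers that actually run services under them, then locks each account to those hosts, resets it to a long random password and prevents it from changing its own password, finishing with the gMSA alternative. The server list, the "svc-" naming convention, and the gmsa-app / AppServers names are assumptions. The GeneratePassword call requires Windows PowerShell 5.1 (.NET Framework).

```powershell
# Added example (not from the original document). Assumes the ActiveDirectory module,
# admin rights on the listed servers (CIM over WinRM), and Windows PowerShell 5.1.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web      # for Membership.GeneratePassword (CSPRNG-backed)

$servers = @('app01', 'app02', 'sql01')  # hypothetical inventory
$nb      = (Get-ADDomain).NetBIOSName

# 1. Which domain account runs which service on which host
$usage = @(foreach ($s in $servers) {
    Get-CimInstance -ClassName Win32_Service -ComputerName $s -ErrorAction SilentlyContinue |
        Where-Object { $_.StartName -like "$nb\svc-*" -or $_.StartName -like 'svc-*@*' } |
        ForEach-Object {
            # normalise DOMAIN\svc-x and svc-x@domain to the bare sAMAccountName
            $acct = ($_.StartName -replace "^$nb\\", '') -replace '@.*$', ''
            [pscustomobject]@{ Account = $acct; Server = $s; Service = $_.Name }
        }
})
$usage | Sort-Object Account, Server | Format-Table -AutoSize

# 2. Lock each legacy account down to the hosts it is actually used on
foreach ($grp in ($usage | Group-Object Account)) {
    $sam   = $grp.Name
    $hosts = ($grp.Group.Server | Sort-Object -Unique) -join ','   # userWorkstations is comma-separated
    $plain = [System.Web.Security.Membership]::GeneratePassword(32, 8)
    $new   = ConvertTo-SecureString $plain -AsPlainText -Force

    # Remove -WhatIf once the change window is agreed; the new password must be entered
    # into every service's configuration (sc.exe config <svc> password= ...) in that window.
    Set-ADAccountPassword -Identity $sam -Reset -NewPassword $new -WhatIf
    Set-ADUser           -Identity $sam -LogonWorkstations $hosts -WhatIf
    Set-ADAccountControl -Identity $sam -CannotChangePassword $true -PasswordNeverExpires $false -WhatIf
}

# 3. Preferred where the application supports it: a gMSA (needs the KDS root key).
#    "gmsa-app" and the "AppServers" computer group are hypothetical names.
New-ADServiceAccount -Name 'gmsa-app' -DNSHostName 'gmsa-app.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'AppServers' -WhatIf
# On each host: Install-ADServiceAccount gmsa-app, then run the service as CORP\gmsa-app$
# with an empty password; Windows fetches and rotates the password itself.
```

Scheduled tasks and IIS application pools also run under service accounts and are not covered by Win32_Service; check schtasks and the IIS configuration on the same hosts before assuming the usage map is complete.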

9. Password policy

Issues

• Password policy controls domain and local user password parameters.
• Most password policy settings are left weak.
• Password policy changes are difficult to "see".
• Password policy in GPOs is widely misunderstood: settings linked below the domain level do not affect domain accounts.
• Fine-grained password policies are rarely used.

Solutions

• Use the correct tool to report on the current policy: secpol.msc on a domain controller, or Get-ADDefaultDomainPasswordPolicy.
• Remember that password policy settings in GPOs linked to OUs do not apply to domain users; only the policy linked at the domain level (normally the Default Domain Policy) governs domain accounts, while OU-linked settings affect only the local accounts on the computers in that OU.
• Use fine-grained password policies (or a third-party tool) to have multiple password policies in the same domain, for example stricter rules for privileged accounts.
• Set password parameters on security grounds, not merely on what a compliance checklist requires.
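
The following PowerShell is an added example, not from the original document: it shows the policy that actually governs domain accounts, creates a fine-grained password policy (PSO) for privileged users, and verifies that a member of the privileged group really receives it. The PSO name, its values and the PrivilegedUsers group are assumptions; fine-grained policies require a domain functional level of Windows Server 2008 or later.

```powershell
# Added example (not from the original document). Assumes the ActiveDirectory module
# and a hypothetical "PrivilegedUsers" group.
Import-Module ActiveDirectory

# 1. The policy that governs domain accounts is read from the domain head (this is what
#    the Default Domain Policy GPO writes). A password policy in a GPO linked to an OU
#    only changes the local SAM accounts of computers in that OU.
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge,
                MinPasswordAge, LockoutThreshold, LockoutDuration, LockoutObservationWindow,
                ReversibleEncryptionEnabled

# 2. Stricter policy for admin-tier accounts. When several PSOs apply to one user, the
#    lowest Precedence wins, so give the strictest policy the lowest number.
$psoName = 'PSO-PrivilegedUsers'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MaxPasswordAge ([TimeSpan]::FromDays(90)) -MinPasswordAge ([TimeSpan]::FromDays(1)) `
        -LockoutThreshold 5 -LockoutDuration ([TimeSpan]::FromMinutes(30)) `
        -LockoutObservationWindow ([TimeSpan]::FromMinutes(30)) `
        -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'PrivilegedUsers'
}

# 3. Verify: the resultant policy for a group member must be the PSO, not the domain default.
#    Get-ADUserResultantPasswordPolicy returns nothing when only the default applies.
$admin = Get-ADGroupMember -Identity 'PrivilegedUsers' -Recursive | Select-Object -First 1
if ($admin) {
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $admin.SamAccountName
    if ($rsop -and $rsop.Name -eq $psoName) {
        "OK: $($admin.SamAccountName) is governed by $psoName"
    } else {
        Write-Warning "$($admin.SamAccountName) is governed by '$($rsop.Name)', expected $psoName"
    }
}
```

PSOs apply to users and global security groups only; a PSO attached to a domain-local or universal group, or to an OU, silently does nothing, which is exactly the kind of "hard to see" failure the section warns about.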

10. Real-time monitoring of Active Directory changes

Issues

• Security settings change over time.
• Security settings are hard to "see" and report on.
• Privileged accounts can alter security settings.
• Security settings get changed to solve operational problems and are rarely changed back.
• Without change monitoring of security settings, the actual settings are unknown until someone checks manually.

Solutions

• Establish a real-time change monitoring tool that tracks all Active Directory changes (a SIEM fed with the domain controllers' Security logs does this; enable "Directory Service Changes" auditing so that Event ID 5136 is generated).
• Generate reports to see "drift" in security settings.
• Review reports often to ensure security is still intact.
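
As an added example (not from the original document), the following PowerShell pulls the Active Directory change events that matter from a domain controller's Security log and prints who changed what, flagging changes to Tier-0 groups. The event IDs are Microsoft's standard ones: 4720 user created, 4724 password reset by another principal, 4728/4732/4756 member added to a global/local/universal security group, 5136 directory object modified. 5136 is only produced when "Directory Service Changes" auditing is enabled and the object carries a matching SACL. The DC name and the 24-hour window are assumptions; in production the same events should be forwarded to a SIEM rather than polled.

```powershell
# Added example (not from the original document). Needs event-log read rights on the DC.
# Enable the subcategory once per DC (or via GPO: Advanced Audit Policy Configuration >
# DS Access > Audit Directory Service Changes):
#   auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable

$dc    = 'dc01'                      # hypothetical
$since = (Get-Date).AddHours(-24)    # assumed window
$ids   = 4720, 4724, 4728, 4732, 4756, 5136
$tier0 = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function ConvertFrom-AdSecurityEvent {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    # Flatten <EventData><Data Name="..."> into a hashtable for readable field access
    $d = @{}
    foreach ($node in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
    $group = $null
    switch ($Event.Id) {
        4720 { $what = "created user $($d.TargetUserName)" }
        4724 { $what = "reset password of $($d.TargetUserName)" }
        { $_ -in (4728, 4732, 4756) } {
            $group = $d.TargetUserName
            $what  = "added $($d.MemberName) to group $group"
        }
        5136 {
            # OperationType %%14674 = value added, %%14675 = value deleted
            $op = switch ($d.OperationType) { '%%14674' { 'set' } '%%14675' { 'removed' } default { $d.OperationType } }
            $what = "$op $($d.AttributeLDAPDisplayName)=$($d.AttributeValue) on $($d.ObjectDN)"
        }
        default { $what = "event $($Event.Id)" }
    }
    [pscustomobject]@{
        Time  = $Event.TimeCreated
        Id    = $Event.Id
        Actor = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Group = $group
        What  = $what
    }
}

$events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } |
    ForEach-Object { ConvertFrom-AdSecurityEvent -Event $_ }

$events | Sort-Object Time | Format-Table Time, Id, Actor, What -AutoSize

# Membership changes to Tier-0 groups are the ones that must map to a change ticket
$events | Where-Object { $_.Group -and ($tier0 -contains $_.Group) } |
    ForEach-Object { Write-Warning "Tier-0 change at $($_.Time): $($_.Actor) $($_.What)" }
```

Each domain controller logs only the changes it processed, so the query has to run against every DC (or the SIEM must collect from all of them); a single DC's log is an incomplete picture of the domain.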
