Secure server configuration often puzzles IT professionals, and changing settings without interrupting the business flow can be a headache.
We can apply the six best practices below to further enhance the security posture of our Windows Server deployments.
As always, before making any changes, we should check whether the applications running on top of the operating system will continue to work afterwards.
Seeking advice from each respective software vendor prior to the changes can also help us make this decision.
As of December 2020, the following configuration applies to all releases from Windows Server 2008 R2 to Windows Server 2019.
However, Windows Server 2008 R2 reached the end of extended support nearly a year ago; if you are still on this release, you should upgrade to a supported one.
And change them regularly. Educate and train your users on why and how passwords must change on a regular basis.
Encryption protocols such as SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are now considered insecure. Default all communications to TLS 1.2 and TLS 1.3.
Remove every piece of software that is not needed throughout your infrastructure. Deploy all Windows images from your custom baseline images.
SMBv1 has been around for more than 30 years and isn't secure by any means. Newer versions of Windows Server (2016 (build 1709), 2019) have SMBv1 disabled by default, but if you run an older OS, it needs to be disabled.
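Before changing the protocol or SMBv1 settings described above, it helps to record what a server is currently configured to do. The following read-only audit is an added example, not part of the original article; the function names `Get-SchannelProtocolState` and `Get-Smb1ServerState` are hypothetical helpers, and the script assumes the standard Schannel and LanmanServer registry locations.

```powershell
# Read-only audit: reports legacy Schannel protocol state and SMBv1 server state.
# Changes nothing on the system. Run in an elevated PowerShell session.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$legacy   = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'   # protocols the article calls insecure

function Get-SchannelProtocolState {          # hypothetical helper name
    param([string]$Protocol, [string]$Role = 'Server')
    $key    = Join-Path $schannel "$Protocol\$Role"
    $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $values -or $null -eq $values.Enabled) {
        # No explicit value: the default of the installed OS release applies,
        # so this still needs review on older releases.
        $state = 'NotConfigured (OS default)'
    } elseif ($values.Enabled -eq 0) {
        $state = 'Disabled'
    } else {
        $state = 'Enabled'
    }
    [pscustomobject]@{ Item = "$Protocol ($Role)"; State = $state }
}

function Get-Smb1ServerState {                # hypothetical helper name
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Cmdlet is available on Windows Server 2012 and later.
        $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Older releases: SMB1 DWORD under LanmanServer\Parameters.
        # A missing value means SMBv1 is enabled.
        $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        $enabled = ($null -eq $p.SMB1) -or ($p.SMB1 -ne 0)
    }
    $state = if ($enabled) { 'Enabled' } else { 'Disabled' }
    [pscustomobject]@{ Item = 'SMBv1 (Server)'; State = $state }
}

# Collect one row per legacy protocol and role, then the SMBv1 row.
$report = foreach ($proto in $legacy) {
    Get-SchannelProtocolState -Protocol $proto -Role 'Server'
    Get-SchannelProtocolState -Protocol $proto -Role 'Client'
}
$report += Get-Smb1ServerState
$report | Format-Table -AutoSize
```

Any row that reports `Enabled` or `NotConfigured (OS default)` is a candidate for the application compatibility check described at the top of this article before it is disabled.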