Hello All,

Would like some suggestions on how I can harden my Windows Servers security a bit and tighten up some fundamentals.

My Windows servers have DHCP, DNS, Active Directory, file server and print server roles.

I would also like some advice on how to better secure file shares. I know to create security groups, but anything more advanced?

Thank you,

7 Spice ups

Likely a little overkill for what you want, but it covers everything and you can implement it in pieces.

Version of Server would be a good start. CIS is a good start, as is DISA STIG and Microsoft baselines - but with all of them, don’t just blindly enable everything.

Firewall everything, trust nothing. Your workstations are gross and dangerous. Don’t let them access more than they need to.

I’ll give you a huge one to focus on that gives big returns in typical Windows AD environments. A big problem I see with small / med companies is that too many VIPs and managers have too much write access to too much data for no reason. Yep…egos on the line. You can fuss with AD and security groups all you want: if the front desk receptionist has write access to 3/4 of your file share data and she double-clicks on the wrong e-mail, you will be praying you have backups to restore everything she has write access to.

Try to break down security groups and file shares as granular as possible and as vertical as possible. What you are trying to do is limit what any one person has write access to according to business needs. This process also will get mgmt aware of security and hopefully you won’t get much push back.

4 Spice ups
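A way to measure the write-access sprawl described in the post above, added here as an example and not posted by anyone in the thread: it lists every non-exempt identity holding write-capable NTFS rights on the top-level folders of a share root. The path `D:\Shares` and the `$AllowedWriters` list are placeholder assumptions.

```powershell
# Added example (not from the thread). $ShareRoot and $AllowedWriters are
# placeholder assumptions; set them for your own file server.
param(
    [string]$ShareRoot = 'D:\Shares',
    [string[]]$AllowedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

# Rights that let a principal change, delete or re-permission data.
$named = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Some ACEs store raw generic bits instead of named rights:
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$writeMask = [int]$named -bor 0x40000000 -bor 0x10000000

$report = foreach ($folder in Get-ChildItem -LiteralPath $ShareRoot -Directory) {
    $acl = Get-Acl -LiteralPath $folder.FullName
    foreach ($ace in $acl.Access) {
        # Only Allow entries grant access; skip Deny entries.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Skip entries that carry no write-capable bit.
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        $id = $ace.IdentityReference.Value
        if ($AllowedWriters -contains $id) { continue }
        [pscustomobject]@{
            Folder    = $folder.FullName
            Identity  = $id
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Full listing, then the identities that can write to the most folders.
$report | Sort-Object Identity, Folder | Format-Table -AutoSize
$report | Group-Object Identity | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

This reads NTFS ACLs only and reports groups as they appear on the ACL; it does not expand group membership or check share-level permissions.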

Why don't you just highlight what servers you have, are they on physical servers or VMs and what OS are they on?

Always have at least 2 DCs (with DNS & DHCP) and never have file servers or print servers on DCs.

For file server shares, I would always recommend sharing folders, then the share access & share permissions to these folders is always to 3 groups…Domain admins, Domain backup admins and Domain “Respective User” groups. Then use DCs to control who is in these groups. So if you have N folders, you would need N+2 groups (Domain admins and Domain Backup admins are DC built-in groups).

The Windows Server Hardening Checklist:

Tips for Securing Windows File Servers:

With the majority of security breaches caused by users, take a look at how to better protect their domain logons - even when they are compromised.

UserLock teams up seamlessly with Windows Active Directory to deliver easily managed user logon controls, essential concurrent session management and a wealth of auditing information.

1 Spice up