Windows Server 2012 Hardening (Part I)

Servers are the penultimate layer of security between potential threats and your organization’s data. Therefore, applying proper security policies specifically for each server profile is both important and necessary.

Common-sense recommendations are to "stop all unnecessary services" or "turn off unused features". Fortunately, every new version of Windows Server is built to be more secure by default. That said, it is common to have several different roles assigned to a single server, as well as multiple sets of file servers, web servers, database servers, etc. So, how can we guarantee that each of these servers, with their different characteristics, is configured in compliance with security best practices?

Using the Security Compliance Manager

Using SCM in Windows Server is basically the same as using it on a workstation. The major difference is related to what you can do with your GPOs once you are done.

You cannot install SCM 4 on Windows Server 2012 just like that: you'll probably get a warning from the Program Compatibility Assistant. This is a known issue when installing SQL Server 2008 Express, even on supported OSes.

Besides, Windows Server is not on the list of SCM 4 supported OSes…

To overcome this, install a newer version of SQL Server, like SQL Server 2014 Express, before installing SCM and everything will go smoothly.

The procedure is exactly the same as what we did for Windows 10, but now we are going to do some extra steps.

Add a new setting to SCM

Select one of the Windows 2012 Baselines

Duplicate and save

Create a new setting group

Add setting and select the previously created group

Under Choose Settings, click the black arrow to the left of the red cross and select Computer Configuration from the drop-down menu.

A new menu will appear to the right. Set it to Administrative Templates. Set the following menus to Windows Components and Windows Installer respectively as shown in the figure below.

In the list of settings below the menus, select Prohibit non-administrators from applying vendor signed updates and click Add.

If you scroll down the list of settings in the template in the central pane of SCM, you should now see an ExtraSecurity group with the setting we added in the above steps.

Create a GPO based on an SCM template

In the right pane of SCM under Export, click GPO Backup (folder). Select or create a new folder within which to store the backup files and click OK. File Explorer will then open showing the exported Group Policy Object backup.

Now, using the Group Policy Management Console (GPMC), we can create a Group Policy Object from the backup we just made.

To start GPMC, open Server Manager and select Group Policy Management from the Tools menu.

In the left pane of GPMC, expand your Active Directory (AD) forest and domain, then right-click Group Policy Objects and click New.

Name the new GPO and click OK. Right-click the GPO you just created and select Import Settings… from the menu.

As there are no settings in our GPO, click Next on the Backup GPO screen. On the Backup location screen, click Browse and select the backup folder created using SCM. Click Next to continue.

On the Source GPO screen, select the desired GPO backup and click Next.

Wait a second while the wizard scans the backup, then click Next on the Scanning Backup screen.

If the GPO backup contains references to security principals and/or UNC paths, you will be shown the Migrating References screen.

If the GPO contains unique UNCs or security descriptors referencing names of servers or domains, you may need to use a migration table to map them to the new GPO.

If that is the case, choose “Using this migration table to map them in the destination GPO” and then click “New”.

In the Migration Table Editor window, click Tools and select Populate from Backup from the menu.

In the Select Backup dialog, make sure the backup location is set to the location of the GPO backup created in SCM. Under Backed up GPOs, select the GPO backup you created in SCM and then click OK.

In the Migration Table Editor window, you’ll see the security descriptors and UNC paths listed. If any of them will not work in the target domain, you can type the appropriate path or name in the Destination Name column.

In this example, I don’t need to make any changes as all the security descriptors listed will work in the target domain.

If you made any modifications to the table, select File and then Save from the menu to save the migration table to a location of your choice. Otherwise, close the Migration Table Editor window, and click No when prompted to save the table.

If you saved a migration table that you need to use to map the references in the GPO backup for the target domain, click Browse on the Migrating References screen and select the migration table that you just saved.

If you don’t need to use a migration table, choose “Copying them identically from the source”.

One more screen and it’s done!

Finally, check the settings in the new GPO.
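The import and the final settings check can also be scripted with the GroupPolicy PowerShell module, which makes the result repeatable and auditable. This is an added example, not from the original post; the folder, GPO names and migration table path are placeholders, and `DisableLUAPatching` is the registry value behind the Windows Installer policy added earlier.

```powershell
# Added example: scripted equivalent of the GPMC "Import Settings" wizard,
# followed by a check that the extra Windows Installer setting arrived.
# Run from a host with the Group Policy management tools installed.
Import-Module GroupPolicy

# Placeholder values (assumptions): adjust to your environment.
$backupPath = 'C:\SCM\GPOBackups'                      # folder chosen in SCM: Export > GPO Backup (folder)
$backupName = 'WS2012 Baseline - ExtraSecurity'        # display name of the backed-up GPO
$targetName = 'WS2012 Hardening'                       # GPO to create in the domain
$migTable   = 'C:\SCM\GPOBackups\target.migtable'      # only exists if you saved a migration table

$importArgs = @{
    BackupGpoName  = $backupName
    Path           = $backupPath
    TargetName     = $targetName
    CreateIfNeeded = $true        # create the GPO if it does not exist yet
}
# Map security principals / UNC paths only when a migration table was saved;
# without it, references are copied identically from the source.
if (Test-Path -LiteralPath $migTable) {
    $importArgs.MigrationTable = $migTable
}

$gpo = Import-GPO @importArgs
"Imported into GPO '$($gpo.DisplayName)' ($($gpo.Id))"

# Full settings report for review or for attaching to a change record.
$report = Join-Path $env:TEMP "$targetName.html"
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $report

# "Prohibit non-administrators from applying vendor signed updates"
# is stored as DisableLUAPatching = 1 under the Windows Installer policy key.
$key = 'HKLM\Software\Policies\Microsoft\Windows\Installer'
try {
    $setting = Get-GPRegistryValue -Guid $gpo.Id -Key $key `
        -ValueName 'DisableLUAPatching' -ErrorAction Stop
    if ($setting.Value -eq 1) {
        'OK: non-administrators are prohibited from applying vendor signed updates.'
    } else {
        Write-Warning "DisableLUAPatching is $($setting.Value); expected 1."
    }
} catch {
    Write-Warning 'DisableLUAPatching is not configured in this GPO; the ExtraSecurity setting was not imported.'
}
```

The GPO is only created and populated here; it takes effect once it is linked to the OU that holds the target servers.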
