-->

Windows Server 2012 Hardening (Part II)

Using the Security and Configuration Analysis

Microsoft provides security templates for Windows Server and client operating systems, containing security configuration designed for different scenarios and server roles. There are some security templates that are part of the operating system and get applied during different operations, such as when promoting a server to a domain controller.

In Windows Server 2008 and later versions, security templates are located in %systemroot%inf and are more limited than in Windows Server 2003. Templates include:

  • Defltbase.inf (baseline)
  • Defltsv.inf (web/file/print servers)
  • DCfirst.inf (for the first domain controller in a domain)
  • Defltdc.inf (other domain controllers)

Basically, you should repeat the procedures already explained for Windows 7 with two different tools, but instead of loading the .inf from the STIG now you load one of the security templates shipped with Windows Server 2012.

Analyze the baseline template with the Policy Analyzer

Add the baseline template

image

Compare

image

Analyze the differences.

image

Apply the template with SCA

Load the baseline into SCA

image 

Analyze and apply

image

Repeat the procedure using another of the templates, according to your needs and to the server role in your environment.

Using the Security Configuration Wizard

With the release of the 2003 Service Pack 1 (SP1) version, Windows Server started to include the Security Configuration Wizard tool aimed at analyzing the server’s profile and recommending changes to adjust system’s security according to the server’s role. In Windows Server 2012, the Security Configuration Wizard is conveniently located in the new Server Manager dashboard.

Create a new policy with SCW

image

When starting the Security Configuration Wizard, the first step is to choose which action is going to be performed on the server’s security policy.

image

You then select the server that you want to apply the policy to.

image

In Windows Server 2012, the Security Configuration Wizard then parses the selected server and the information collected, and compares that with Microsoft’s security recommendations for that server profile (file, database, web, etc).

image

The Security Configuration Database contains information about server roles, client features, administration options, services, Windows Firewall, and other settings.

image

The results of the Security Configuration Wizard analysis, and its suggestions for amendments, will be adapted according to your specific needs.

image

Select additional services

image

How do you to handle unspecified services?

image

Confirm changes

image

Next, you’ll have the chance to configure firewall policy, registry settings and audit policy or you can skip them. Once the Security Configuration Wizard has completed its analysis and recommendations, you can save and apply the policy.

image

Want to apply the policy immediately?

image

Convert the policy to a GPO

Since there is often more than one server in the profile that was analyzed by the wizard, it might be a good idea to create a Group Policy Object (GPO) to apply that policy to all servers with the same characteristics.

To do this, use Windows PowerShell and run the following command:

scwcmd transform /p:<FullFilePathToSecurityPolicy> /g:<GPOName>

image

When you run this command, the SCW will create a GPO folder for the newly created GPO in the SYSVOL folder and the GPO will be available in the GPMC for you to use.

image

This can result in a better standardization of the security policies applied to your environment, and make it easier for you to organize those policies as part of your overall server security strategy.

Edit a policy with SCW

If you feel the need to change your policy definitions, you can edit it with SCW.

image

Obviously, once the changes are complete you’ll have to reapply the policy

Using the STIGs

Use the STIG Viewer and check the system’s compliance after applying the appropriate Microsoft’s security templates.

Don’t forget to use also the STIGs for SQL Server, Exchange, .NET, etc.

Previous post: Windows Server 2012 Hardening (Part I)

Next post:

27 comments:

Philips Huges said...


Its very useful to me. Wonderful blog.. Thanks for sharing informative Post.

Installment loans
Payday loans
Title loans

Swati Bhatt said...

Wow! Great post! The content is very rich, and I really like it.ms window server

Philips Huges said...

Its a wonderful post and very helpful, thanks for all this information. You are including better information regarding this topic in an effective way.Thank you so much

Personal Installment Loans
Title Car loan
Cash Advance Loan

ılılılı Inderdeep Singh ılılılı said...

Thanks I am delighted to read these blogs. Please give some more inputs on Cisco UCS servers and i am keen to understand the information about the same. I checked many blogs but still i am not able to get more stuff

Thanks
www.routexp.com

cybertricks online said...

Awesome,
Thank you so much for sharing such an awesome blog...
aws usa
aws online training in india
courses on aws in india
amazon web services online course
aws training india
aws online training india
amazon web services online training
amazon aws training online

rohan rj said...

Wow this good but, iptv server I like your post and good pics may be any peoples not like because def-rent mind all people.

Thebes Group said...

By outsourcing initiatives to IT managed services London organizations can break down their costs into fixed monthly payments, as opposed to the large capital expenditures that come with managing systems in-house.

Md. Shameem Mridha said...

Mridha IT
Thank you, I’ve just been searching for information about this topic for a while and yours is the greatest I’ve discovered till now.

Kumar Ranjan said...

NETWORKING TRAINING IN GURGAON

sabung ayam said...

ayo bermain di sabung ayam-pukul mati

Bakar Ayam Marketing said...

AWESOME THE PROMOTION OF GIRL BEAUTIFUL SALES KLIK HERE SABUNG AYAM

GOOD PRICE AND CHEAP
http://www.gorengayam.net 


PLEASE PRICE DIRECTLY

http://bakarayammarketing.blogspot.com/2018/08/telur-puyuh-berubah-menjadi-andalan.html


========================================================
INFO SEPUTAR SABUNG AYAM

SABUNG AYAM

SABUNG AYAM ONLINE

SABUNG AYAM BANGKOK

SABUNG AYAM FILIPINA

SFCable said...

Wonderful post I read so far. The information is much helped me. Networking

Dharani M said...

Nice post
best android training center in Marathahalli

best android development institute in Marathahalli

android training institutes in Marathahalli

ios training in Marathahalli

android training in Marathahalli

mobile app development training in Marathahalli



online shop said...

Amazing Post Good artical your site
Hot Shapers Belt in Pakistan | slimming belt online pakistan | Hot Shapers Belt price in Pakistan | Hot Shapers Belt online in Pakistan

OLIVIA H said...

Our customers love it and we have had no technical issues since we done mobile service for 1 decades in this mobile industry.
Authorized iphone service center in Chennai | iphone service center in chennai | Mobile service center in chennai | Authorized iphone service center in Chennai | iphone service center in chennai | Authorized iphone service center in Chennai

Teamnorth Point said...

Network security’s made up of the hardware, software, policies and procedures designed to defend against both internal and external threats to our company’s computer systems. The basic needs are clearly defined over here. Thank you.

Router ip logins said...

want to find out ? why you may not be able to access the NETGEAR Router ip logins (admin settings) page. check out our page and know how to access to your account .

OLIVIA H said...

This is a great post,as always like to learn for mobile development.I’am so enjoying this blog.You are the best writer!
Authorized ipad service center in Chennai | Authorized apple service center in Chennai | iphone display replacement | Authorized ipad service center in Chennai | Authorized ipod service center in Chennai | Apple laptop service center in chennai | 100% genuine mobile parts | Mobile phone Battery replacement

Unknown said...

This was a fantastic article. Really loved reading your we blog post. The information was very informative and helpful. best iptv provider

DedicatedHosting4u said...

Nice journal very fascinating and useful information on your website. Thanks for sharing the journal and this nice information that's definitely on the brink of facilitate us....We are going to be change this post with new data to our data box.

Cheapest dedicated hosting

Samira George said...

Thanks for sharing this valuable post. Must visit if you are looking for Cloud File Hosting. Highly Recommended.

MindtechAffiliates said...

Thank you for such a informative information.It will really helpfull for beginer to know the basic difference between linux and windows hosting.

Thanks
Cpa offers

nick jones said...

Thank you for the information,very good blog..
Server and Storage Solutions
Server and storage

Mac pro said...

Nice article admin thanks for share your atricle keep share your knowledge i am waiting for your new post check long sleeve shirts girls polo shirts kindly review and reply me

htop said...

nice blog
data Science training in chennai
best devops training in chennai
 devops training in chennai
best hadoop training in chennai
best hadoop training in omr
hadoop training in sholinganallur
best java training in chennai

shark said...

GREAT PIECE OF WORK!!!
GOOD CONTENT!!
data network in dubai

Rajesh said...

nice message
informatica Training in Bangalore
Azure DevOps training in Bangalore
Google Cloud Training in Bangalore
Blue Prism Training in Bangalore
MERN StackTraining in Bangalore
RPA Training in Bangalore
Qlikview Training in Bangalore
Qlik Sense Training in Bangalore