-->

Windows Server 2012 Hardening (Part II)

Using the Security and Configuration Analysis

Microsoft provides security templates for Windows Server and client operating systems, containing security configuration designed for different scenarios and server roles. There are some security templates that are part of the operating system and get applied during different operations, such as when promoting a server to a domain controller.

In Windows Server 2008 and later versions, security templates are located in %systemroot%inf and are more limited than in Windows Server 2003. Templates include:

  • Defltbase.inf (baseline)
  • Defltsv.inf (web/file/print servers)
  • DCfirst.inf (for the first domain controller in a domain)
  • Defltdc.inf (other domain controllers)

Basically, you should repeat the procedures already explained for Windows 7 with two different tools, but instead of loading the .inf from the STIG now you load one of the security templates shipped with Windows Server 2012.

Analyze the baseline template with the Policy Analyzer

Add the baseline template

image

Compare

image

Analyze the differences.

image

Apply the template with SCA

Load the baseline into SCA

image 

Analyze and apply

image

Repeat the procedure using another of the templates, according to your needs and to the server role in your environment.

Using the Security Configuration Wizard

With the release of the 2003 Service Pack 1 (SP1) version, Windows Server started to include the Security Configuration Wizard tool aimed at analyzing the server’s profile and recommending changes to adjust system’s security according to the server’s role. In Windows Server 2012, the Security Configuration Wizard is conveniently located in the new Server Manager dashboard.

Create a new policy with SCW

image

When starting the Security Configuration Wizard, the first step is to choose which action is going to be performed on the server’s security policy.

image

You then select the server that you want to apply the policy to.

image

In Windows Server 2012, the Security Configuration Wizard then parses the selected server and the information collected, and compares that with Microsoft’s security recommendations for that server profile (file, database, web, etc).

image

The Security Configuration Database contains information about server roles, client features, administration options, services, Windows Firewall, and other settings.

image

The results of the Security Configuration Wizard analysis, and its suggestions for amendments, will be adapted according to your specific needs.

image

Select additional services

image

How do you to handle unspecified services?

image

Confirm changes

image

Next, you’ll have the chance to configure firewall policy, registry settings and audit policy or you can skip them. Once the Security Configuration Wizard has completed its analysis and recommendations, you can save and apply the policy.

image

Want to apply the policy immediately?

image

Convert the policy to a GPO

Since there is often more than one server in the profile that was analyzed by the wizard, it might be a good idea to create a Group Policy Object (GPO) to apply that policy to all servers with the same characteristics.

To do this, use Windows PowerShell and run the following command:

scwcmd transform /p:<FullFilePathToSecurityPolicy> /g:<GPOName>

image

When you run this command, the SCW will create a GPO folder for the newly created GPO in the SYSVOL folder and the GPO will be available in the GPMC for you to use.

image

This can result in a better standardization of the security policies applied to your environment, and make it easier for you to organize those policies as part of your overall server security strategy.

Edit a policy with SCW

If you feel the need to change your policy definitions, you can edit it with SCW.

image

Obviously, once the changes are complete you’ll have to reapply the policy

Using the STIGs

Use the STIG Viewer and check the system’s compliance after applying the appropriate Microsoft’s security templates.

Don’t forget to use also the STIGs for SQL Server, Exchange, .NET, etc.

Previous post: Windows Server 2012 Hardening (Part I)

Next post:

25 comments:

Z`ssx said...

Hello

It can be said that the best possible backlink is in the form of ad reporting, especially news reporting. Since your link is recorded with text and images, Google considers this to be valuable text and gives the links to the phallus inserted special importance and the likelihood of spam being compromised by Google’s search engine is zero.

buy edu backlink as cheap price

yamuna said...

Nice information, thanks for sharing this useful blog.
Oracle Fusion SCM Online Training

nighthawkrouterlogin said...

Netgear Login is available for those user who really wants help in case of netgear extender and router problems. Our third party technical service team available for instant help. Get in touch with us for emergency help.
https://abbottmichellema.wixsite.com/routerlogin/post/troubleshoot-router-login
https://study.mdanderson.org/eportfolios/2626/Home/Netgear_Router_Not_Connecting_to_the_Internet_What_to_do
http://wifihelp.mystrikingly.com/blog/is-your-router-keeps-dropping-internet
https://wifihelp.weebly.com/
https://www.vingle.net/posts/2746201
http://crweworld.com/usa/ny/new-york/localnews/tech/1420457/a-detailed-guide-to-fix-wifi-keeps-dropping-in-windows-pc
http://abbottmichelle.greatwebsitebuilder.com/

gamehunt said...

google play code generator no surevy

Ask The Technician said...

With over 10 years’ experience in the industry, we’re the Server and Network Security Setup in Sydney that has helped many Australian businesses step up their IT game. We’re all about offering laser-focused, customised solutions for your business’ needs.

Kailey Robinson said...

Download Video Player | Windows Media Player | Best Media Player

cloudminister said...

Very informative and impressive post you have written, this is quite interesting and I have gone through it completely, an upgraded information is shared, keep sharing such valuable information. Server Management Services

Reviewswriter said...

This great site for use & service!
BEST REVIEWS YOU CAN GET
http://reviewswriters.com/

Anonymous said...
This comment has been removed by the author.
Anonymous said...

Interesting blog.
You did a fantastic job. Read your full Blog and cognize something interesting. I also want to share something about VPS hosting and providing you the best USA VPS Hosting ​service for your website at a very cheap price.

Anonymous said...

I Have read many articles but It's two different.
I am really happy to see this blog thanks for sharing it with us.
Law Essay Writing Service

Charles said...

Thank you so much for this nice information.

Sentiment Analysis Software

Entity Extraction Software

Churn Prevention Solutions

OCR Software

Puppies for sale said...

https://networksandservers.blogspot.com/2011/11/how-to-setup-virtualization-lab-i.htmlHere at Leslie's Pugsland Breeder, Our beautiful fawn pug has given birth to 4 healthy Pug puppies.
She is our beloved family dog and this is her 1st litter.
Both mum and dad are AKC registered with 5 gen pedigree certificate. Both from Top Champion bloodlines.Mum and Dad can be seen. Puppies have been wormed weeks 2,4,6,8 and will have had a flea preventative treatment before leaving us.
They will have their vet check, 1st vaccinations and microchip.
To view all available puppies and recent pictures, Search us in google as LESLIE'S PUGSLAND BREEDER or click on our website link bellow : https://pugslandbreeder.company.com/
Pug puppies for sale
pugs for sale
pug puppies for sale
pug puppies for sale near me
Pug Puppies for sale | pug for sale near me | pug puppy for sale | pug puppy | pug for sale | pug puppies for sale in va | black pug puppies for sale

Haris said...

I feel satisfied with your share.
It's very helpful for me and I am so happy to see your blog.
Thank you for sharing it with us. Law essay help

Unknown said...

Thanks for sharing this valuable and understanding article with us.
Finding Best HP Printer Black Friday Deals
then plusply digital is offering the Best HP Printer Black Friday Deals for
your business website or Online Marketing.

Unknown said...

Thanks for sharing this valuable and understanding article with us.
Finding SEO Company Udaipur
then plusply digital is offering the best SEO Services in Udaipur for
your business website or Online Marketing.

CalCom Software said...
This comment has been removed by the author.
CalCom Software said...
This comment has been removed by the author.
CalCom Software said...
This comment has been removed by the author.
CalCom Software said...
This comment has been removed by the author.
CalCom Software said...

Excellent and highly instructive information. keep up the fantastic work.
In this Blog, they will give you the complete information about Windows server 2012. If you are looking for the best blog you can read this blog carefully because they describe very easily what Windows server 2012 and Hardening Windows. Thanks for sharing this informative blog with us, keep posting and please do post more about Windows server 2012

Pema wangmo said...

Keeping sharing your nice post. Joining Digital Marketing Course in Noida will help you to learn digital marketing and with this knowledge you can do better.

Biz Glide Web Solutions said...

Y2mate Youtube Video Downloader
SEO Vs SEM
Top 10 Most Subscribed YouTube Channels

Biz Glide Web Solutions said...

Packers and Movers Bill For Claim Bangalore
Packers and Movers GST

Henry Jenson said...

Excellent article on Windows Server 2012 Hardening! Security is paramount in today's digital landscape. If you're considering a Windows Server 2012 VPS Hosting solution that combines robust security measures with top-notch performance, look no further than KemuHost. Their Windows Server 2012 VPS Hosting has been a game-changer for my business.