Windows Server 2019 ships and installs with an existing level of hardening that is significantly more secure compared to previous Windows Server operating systems. Gone are the bloat of Xbox integration and services and the need for third-party security solutions to fill security gaps.
Operating System (OS) hardening provides additional layers of security and preventative measures against both unauthorized changes and access. Hardening is critical in securing an operating system and reducing its attack surface.
Be careful! If you harden an operation system too much, you risk breaking key functionality.
Harden your Windows Server 2019 servers or server templates incrementally. Implement one hardening aspect at a time and then test all server and application functionality. Your cadence should be to harden, test, harden, test, etc.
Mistakes to avoid
Reducing the surface area of vulnerability is the goal of operating system hardening. Keeping the area as small as possible means avoiding common bad practices.
- Do not turn off User Access Control (UAC). You should move the UAC slider to the top: Always notify. The few extra clicks to make while trying to install a new application or change system settings might prevent system compromise in the future.
- Do not install Google Chrome, Firefox, JAVA, Adobe Flash, PDF viewers, email clients, etc. on your Windows Server 2019 operating systems unless you have an application dependency for these applications.
- Do not install unnecessary roles and features on your Windows Server 2019 servers. If you need to install a role such as IIS, only enable the minimum features you require and do not enable all role features.
- Do not forget to fully patch your Windows Server 2019 operating system and establish a monthly patch window allowing you to patch and reboot your servers monthly.
Windows 2019 Server Core
As a foundation to Windows Server 2019, the Core version of Windows Server 2019, should be installed. This version is Windows 2019 Server Core. Server Core removes the traditional GUI interface to the operating system and provides the following security benefits.
• Server Core has a smaller attack surface than Server with a GUI
• Requires fewer software updates and reboots
• Can be managed using new Windows Admin Center
• Improved Application Compatibility features in Windows Server 2019
Traditional Windows administrators may be apprehensive running Server Core due to a lack of PowerShell familiarity. The new Windows Admin Center provides a free, locally deployed, browser-based app for managing servers, clusters, hyper-converged infrastructure, and Windows 10 PC’s. Windows Admin Center comes at no additional cost beyond Windows and is ready to use in production.
You can install Windows Admin Center on Windows Server 2019 as well as Windows 10 and earlier versions of Windows and Windows Server and use it to manage servers and clusters running Windows Server 2008 R2 and later.
Secure the Local Administrator Account
Local Administrator Password Solution (LAPS)
If Windows Server does get compromised, the attacker will quickly try to move laterally across your network to find highly valuable systems and information.
Credential theft attacks like pass-the-hash, are attacks using a technique in which an attacker captures account login credentials from a compromised computer, and then uses those captured credentials to authenticate to other computers on the network.
Microsoft released the free Local Administrator Password Solution (LAPS) in 2015. LAPS is a lightweight tool for Active Directory domain-joined systems that periodically sets each computer’s local admin account password to a new random and unique value. Passwords are stored in a secured confidential attribute on the corresponding computer object in Active Directory where only specifically authorized users can retrieve it. Passwords can be retrieved via PowerShell or using the LAPS GUI.
In particular, the LAPS solution mitigates the risk of lateral escalation that results when you use the same local administrator account and password combination on all servers and workstations.
Enable Windows Defender Credential Guard
Windows Defender Credential Guard leverages in-box virtualization-based security to isolate credentials, NTLM password hashes, Kerberos tickets in separate virtual container isolated from the operating system. Credential Guard only allows privileged system software access to this isolated container containing sensitive credentials. Malware that is installed and running in the operating system cannot extract credentials and secrets that are protected by virtualization-based security. Even if the malware or process is running with administrative privileges.
By enabling Windows Defender Credential Guard, the following features and solutions are provided:
- Hardware security: NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
- Virtualization-based security: Windows NTLM and Kerberos credentials run in a protected environment that is isolated from the running of Windows 2019 operating system.
- Better Protection against Advanced Persistent Threats (APT): When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked.
Enable Windows Defender Exploit Guard
Despite innovations in antivirus detection capabilities, attackers are endlessly adapting and have been developing techniques to compromise endpoints, steal credentials, and execute ransomware attacks without needing to write anything to disk. This emerging trend of fileless attacks, which compose over 50% of all threats, is extremely dangerous, constantly changing, and designed to evade traditional antivirus.
Fileless attacks have two types: those that use non-traditional executable files (e.g., documents with active content in them), and those that exploit vulnerabilities.
Windows Defender Exploit Guard utilizes signals and intelligence from the Microsoft Intelligent Security Graph (ISG) to identify malware and active exploits and stops these types of attacks at various stages. If you’ve used the now retired Enhanced Mitigation Experience Toolkit (EMET), Exploit Guard is the modern version of EMET bundled into Windows Defender. Exploit Guard works by correlating events to malicious behaviors using ISG. Windows Defender Exploit Guard provides the capability and controls needed to handle these types of existing and emerging threats.
The four components of Windows Defender Exploit Guard are:
- Attack Surface Reduction (ASR): A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking MS Office, scripts, and email-based threats
- Network protection: Protects the endpoint against web-based threats by blocking any outbound process on the device to untrusted hosts/IP through Windows Defender SmartScreen
- Controlled folder access: Protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders
- Exploit protection: A set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications
You can enable Exploit Guard from a number of control points, including locally, Group Policy, SCCM, Microsoft Endpoint Manager (InTune).
Practice good admin habits
Your daily account used to read email and generate reports should be standard user account. This account should not be added to any elevated access groups in Active Directory or local server groups. You should not be member of Local Administrator Group. Only use privileged accounts from to perform administrative tasks.
Hardening your Windows Server 2019 servers and creating a reliable and scalable hardened server OS foundation is critical to your organization’s success. As configuration drift occurs with patching and new software installs, it is important to document all changes implemented in the hardening process to have a source to refer to