Windows Server is one of the most commonly deployed critical systems in an organization. Most of the applications used in the organization are also Windows-based, and there are other legacy applications built on these Windows platforms. Since these servers are used the most, they need to be configured with tight security. The latest versions, Windows Server 2012 and Windows Server 2012 R2, have some great security features and improvements to protect against security threats and vulnerabilities. These features need to be implemented and configured to prevent security breaches from occurring in the environment. Given below are ten simple ways to prevent security breaches in Windows Server 2012.
1. Microsoft Security Assessment Tool
Microsoft Security Assessment Tool is a free tool that helps identify and assess security threats and provides guidelines for minimizing risks quickly and efficiently. This single tool can run across the complete environment, such as a PC server, a database or another heterogeneous environment. It has ‘a set of hundred questionnaires’ which helps understand the security strategy, and it uses best practices to give the most appropriate recommendations.
2. Microsoft Security Baseline Analyzer
Microsoft Security Baseline Analyzer helps scan local and remote systems across eight categories of effectiveness, trustworthiness and reliability. It assists with categories such as security, performance, configuration, policy and operation, pre-deployment, post-deployment and other prerequisites. It scans the system for all the defined categories and checks it against the best practice rules specified in the Microsoft Security Baseline Analyzer. It reports its findings at three levels: Error, Warning and Information. An Error is returned when the conditions of a rule do not match. A Warning is returned when the conditions are matched at 50-80% and, if not fixed, can lead to the error situation. Similarly, Information is returned when the conditions satisfy the best practice rule.
3. Microsoft Security Compliance Manager
Microsoft Security Compliance Manager is a great tool that helps in deploying, configuring and managing computers in your environment using Group Policy and Microsoft System Center Configuration Manager (SCCM), based on Microsoft Security Guide recommendations and industry best practices. It can configure computers running anything from the latest to legacy versions of Windows Server, Windows client, Microsoft Office applications and Windows Internet Explorer.
4. Active Directory Rights Management (AD RMS)
Active Directory Rights Management can be implemented to protect documents, presentations, workbooks and other sensitive information from being forwarded, copied and printed; it also protects data from leaking. Documents are protected using Information Rights Management: permissions are provided down to the file level, and these permissions are stored in the file itself. Hence, no matter where, when and how a file is stored and accessed, the appropriate permission restrictions are applied to the file.
5. AppLocker
AppLocker prevents users from installing and using unauthorized, unlicensed or outdated applications on the servers. This avoids huge damage to the performance and security of the application and saves administrators a huge amount of effort on fixing problems. Protecting these applications reduces security risks and increases performance.
6. BitLocker
BitLocker is a built-in feature that provides full disk encryption and protects against theft of data from disks or removable devices. Disk failures are inevitable, and data can still be extracted from a failed disk. Hence, it is highly recommended to implement BitLocker and use it on servers that hold sensitive information. BitLocker can be implemented on both physical and, with some additional configuration, virtual machines.
7. Security Auditing
Security auditing allows the administrator to monitor various activities on the servers through audit logs, for purposes such as tracking user activities, forensic analysis, regulatory compliance and troubleshooting. The audit log helps monitor any unusual activities or intruder attempts to gain access. Other forensic attempts are also logged, which allows administrators to take action immediately. These audit logs can be kept for a while, until you need to analyze some abnormal user activity in the past.
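As an added illustration of using the audit log to spot intruder attempts (this is example code, not part of the original article), the PowerShell below flags source addresses with a burst of failed logons, which Windows records as Security event ID 4625. The function names, the threshold and the window length are assumptions, and the sample records are constructed.

```powershell
# Added example: flag sources with a burst of failed logons (Security event ID 4625).
# Function names and the threshold/window defaults are assumptions for illustration.
function Get-FailedLogonRecord {
    # Live source: needs an elevated session to read the Security log.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } | ForEach-Object {
        $evt = $_; $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $evt.TimeCreated
            Account     = $data['TargetUserName']
            SourceIp    = $data['IpAddress']
        }
    }
}

function Find-FailedLogonBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold = 5,        # failures needed to raise a finding
        [int] $WindowMinutes = 10    # length of the sliding window
    )
    $window = [TimeSpan]::FromMinutes($WindowMinutes)
    foreach ($group in ($Events | Group-Object SourceIp)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        $start = 0
        for ($end = 0; $end -lt $sorted.Count; $end++) {
            # Advance the left edge until the span fits inside the window
            while (($sorted[$end].TimeCreated - $sorted[$start].TimeCreated) -gt $window) { $start++ }
            if (($end - $start + 1) -ge $Threshold) {
                [pscustomobject]@{
                    SourceIp = $group.Name
                    Failures = $end - $start + 1
                    Accounts = (@($sorted[$start..$end] | ForEach-Object { $_.Account } | Sort-Object -Unique) -join ',')
                    First    = $sorted[$start].TimeCreated
                    Last     = $sorted[$end].TimeCreated
                }
                break    # one finding per source
            }
        }
    }
}

# Constructed sample records (not real log data)
$t0 = [datetime]'2015-03-01T02:00:00'
$sample = @(0..5 | ForEach-Object {
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes($_); Account = "admin$($_ % 2)"; SourceIp = '192.0.2.10' }
})
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(3); Account = 'jsmith'; SourceIp = '198.51.100.7' }
Find-FailedLogonBurst -Events $sample
```

On a server with logon auditing enabled, `Find-FailedLogonBurst -Events (Get-FailedLogonRecord)` runs the same check against the live Security log.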
8. Smart Cards
With the increased number of internet applications and cloud-based systems, smart cards help implement two-factor authentication using a personal identification number (PIN). This reduces the chances of unauthorized access to the organizational network. Smart cards provide effective protection with secured remote system access, data signing and data encryption. Implementing smart cards can be expensive for some organizations; however, this can be solved by using virtual smart cards. A user can be granted more than one virtual smart card.
9. Encrypting File System (EFS)
Encrypting File System allows users to encrypt the information on a hard disk formatted with the NTFS file system so that data stays secure. EFS is enabled by selecting the check box in the file or folder properties, and it also allows users to control access permissions. Even though you can encrypt individual files and folders, it is recommended to apply this setting at the folder level and let the files and folders inside it inherit the properties.
10. Windows Firewall
Enabling Windows Firewall helps protect the server against unauthorized incoming and outgoing network traffic. It reduces the risk of network security threats and protects databases from unauthorized access. Windows Server 2012 supports IKEv2 for IPsec transport mode; with this feature, another machine whose operating system uses IKEv2 will be able to provide end-to-end transport security. Windows Server 2012 firewall also supports Windows Store app network isolation. This allows developers to customize the Windows Firewall configuration in order to isolate the network access of new Windows Store apps running on the system.
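To check that the firewall really is enabled on every profile, the added example below (not from the original article) compares firewall profile settings with a small baseline and lists each deviation. `Test-FirewallBaseline` and the baseline values are assumptions chosen for illustration, and the sample profiles are constructed.

```powershell
# Added example: compare firewall profiles with a baseline and list deviations.
# Test-FirewallBaseline and the baseline values are assumptions for illustration,
# not a Microsoft-published standard.
function Test-FirewallBaseline {
    param([Parameter(Mandatory)] [object[]] $Profiles)
    $baseline = [ordered]@{
        Enabled              = 'True'     # profile is switched on
        DefaultInboundAction = 'Block'    # unsolicited inbound traffic is denied
        LogBlocked           = 'True'     # dropped packets are written to the firewall log
    }
    foreach ($p in $Profiles) {
        foreach ($setting in $baseline.Keys) {
            $actual = "$($p.$setting)"    # works for enum values and plain strings
            if ($actual -ne $baseline[$setting]) {
                [pscustomobject]@{
                    Profile  = $p.Name
                    Setting  = $setting
                    Expected = $baseline[$setting]
                    Actual   = $actual
                }
            }
        }
    }
}

# Constructed sample profiles (not output from a real server)
$sample = @(
    [pscustomobject]@{ Name = 'Domain';  Enabled = 'True';  DefaultInboundAction = 'Block'; LogBlocked = 'True' }
    [pscustomobject]@{ Name = 'Private'; Enabled = 'True';  DefaultInboundAction = 'Allow'; LogBlocked = 'False' }
    [pscustomobject]@{ Name = 'Public';  Enabled = 'False'; DefaultInboundAction = 'Block'; LogBlocked = 'False' }
)
Test-FirewallBaseline -Profiles $sample | Format-Table -AutoSize

# Live check of the effective settings (local policy merged with Group Policy):
#   Test-FirewallBaseline -Profiles (Get-NetFirewallProfile -PolicyStore ActiveStore)
# Bringing the local policy to the baseline:
#   Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block -LogBlocked True
```

Querying the `ActiveStore` matters on domain-joined servers, because the local store can show `NotConfigured` for settings that Group Policy actually controls.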
Hopefully, these recommendations will help you keep the environment properly secured and protect the system from any kind of vulnerabilities or threats. I would also recommend that you keep antivirus software updated, keep access to the Internet limited, and allow only authorized software to be installed on the servers.