Secure Your Non-Active Directory Windows Server

If a server that you manage is permitted to access or maintain U-M sensitive institutional data, it should be hardened to meet the minimum expectations below. Check out the Sensitive Data Guide and the Responsible Use of Information Resources (SPG 601.07) for more general guidance on data types and usage.

Information Assurance (IA) recommends that you begin the process of hardening university servers, workstations, or databases by running the Center for Internet Security's Configuration Assessment Tool—CIS-CAT. The tool will scan your system, compare it to a preset benchmark, and then generate a report to help guide further hardening efforts. See CIS-CAT for U-M Systems for information about the UM-specific version of the tool.

Notes:
  • While the general instructions here apply to most Windows systems, the specific configuration instructions are for Windows Server 2008 R2.
  • Unless stated otherwise, the steps below use the Local Group Policy Editor, which can be opened by typing gpedit.msc in the Start menu search box or in the Run dialog (Windows key + R).
  • These configuration changes require administrative permissions.

Configuration and Management

Set a system use or logon notification that references SPG 601.07.

Responsible Use of Information Resources (SPG 601.07) is available online.

Configure a Logon Notification

  • Open the Local Group Policy Editor. Select Computer Configuration, then Windows Settings, then Security Settings, then Local Policies, then Security Options.
  • In the Policy list, locate Interactive logon: Message text for users attempting to log on. Double click to open the policy.
  • Paste the following recommended text, or custom text for your unit, into the text box:
    By your use of these resources, you agree to abide by Responsible Use of Information Resources (SPG 601.07), in addition to all relevant state and federal laws.
  • Click Apply, then OK to save the changes.

Enable previous logon display at login.

Configure Previous Logon Display

  • Open the Local Group Policy Editor. Select Computer Configuration, then select Administrative Templates, then Windows Components, then Windows Logon Options.
  • Double click Display information about previous logons during user logon. Select the Enabled radio button. Click OK.
  • Restart the computer for changes to take effect.

Set your screensaver to activate after 15 minutes (or less) of inactivity and require your password to unlock it.

Configure a Password-protected Screensaver

  1. Open the Local Group Policy Editor.
  2. Select User Configuration, then select Administrative Templates, then Control Panel, then Personalization.
    1. Double click Enable screen saver. Select the radio button for Enabled.
    2. Double click Password protect the screen saver. Select the radio button for Enabled.
    3. Double click Set screen saver timeout. Select the radio button for Enabled, then set the number of seconds to wait before the screen saver starts to 900 seconds (15 minutes).
    4. Click Apply, then OK.
  3. Select Computer Configuration, then select Windows Settings, then Security Settings, then Local Policies, then Security Options.
    1. Double click MSS: (ScreensaverGracePeriod), and set the time in seconds before the screen saver grace period expires to 5 seconds. The grace period is the window after the screen saver starts during which the console can still be unlocked without a password, so keep it short.
    2. The MSS settings are not part of Windows' default administrative templates. If this setting does not appear in the Local Group Policy Editor, add the MSS-legacy .ADMX template (distributed with Microsoft's security compliance tooling, Security Compliance Manager and later the Security Compliance Toolkit) to the PolicyDefinitions folder on your system.
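The settings in the three procedures above (logon notification, previous logon display, password-protected screen saver) all end up as registry values, which makes them easy to verify after the fact. The following PowerShell script is an added example, not part of the original page or of any U-M tool: it reads those values back and reports PASS or FAIL against the thresholds the page recommends. It assumes an elevated PowerShell session on the server and that gpupdate /force (or a restart) has been run since the policies were edited. The screen saver policies live under User Configuration, so they are written into HKCU for each user at logon; that part of the check reflects the user running the script.

```powershell
# Added example (not part of the original page). Reads back the registry values
# that the logon banner, previous-logon and screen saver policies write, so you
# can verify them after editing in gpedit.msc (run gpupdate /force first).
# Assumptions: elevated PowerShell; the 900 s and 5 s limits are the page's values.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-LogonHardening {
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $ss  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # Each check: a description, the value found, and a test the value must pass.
    $checks = @(
        @{ Check = 'Logon banner text references SPG 601.07'
           Value = Get-PolicyValue $sys 'LegalNoticeText'
           Test  = { param($v) ($v -ne $null) -and ($v -match '601\.07') } },
        @{ Check = 'Display information about previous logons'
           Value = Get-PolicyValue $sys 'DisplayLastLogonInfo'
           Test  = { param($v) $v -eq 1 } },
        @{ Check = 'Screen saver enabled'
           Value = Get-PolicyValue $ss 'ScreenSaveActive'
           Test  = { param($v) "$v" -eq '1' } },
        @{ Check = 'Screen saver password protected'
           Value = Get-PolicyValue $ss 'ScreenSaverIsSecure'
           Test  = { param($v) "$v" -eq '1' } },
        @{ Check = 'Screen saver timeout <= 900 seconds'
           Value = Get-PolicyValue $ss 'ScreenSaveTimeOut'
           Test  = { param($v) ($v -ne $null) -and ([int]$v -le 900) } },
        @{ Check = 'MSS ScreenSaverGracePeriod <= 5 seconds'
           Value = Get-PolicyValue $wl 'ScreenSaverGracePeriod'
           Test  = { param($v) ($v -ne $null) -and ([int]$v -le 5) } }
    )

    foreach ($c in $checks) {
        $result = if (& $c.Test $c.Value) { 'PASS' } else { 'FAIL' }
        New-Object PSObject -Property @{ Check = $c.Check; Result = $result; Value = $c.Value }
    }
}

Test-LogonHardening | Format-Table Check, Result, Value -AutoSize
```

A missing value (reported as an empty Value column) is a FAIL, not a pass: it means the policy was never applied on this machine, which is the usual symptom of editing the policy but skipping the refresh.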

Install and use anti-virus software.

For servers connected to U-M's Active Directory (UMROOT), and/or university-owned systems, IA recommends System Center Endpoint Protection (SCEP) for anti-virus protection. SCEP configuration should include:

  • On-access scanning
  • On-demand scanning
  • Scheduled scanning (full/weekly)
  • Automatic definition updates (daily)

Members of the U-M community can download SCEP for Windows servers via M+Box.

Run Windows Server Security Configuration Wizard.

This is general information about the Security Configuration Wizard (SCW). Check Microsoft Support for specific instructions for these settings for your version of Windows. The wizard ships with Windows Server 2008 R2 through Windows Server 2012 R2 and was removed in Windows Server 2016, so on newer versions use the manual steps below.

If the wizard is not available, configure server security manually:

  1. Confirm Windows Firewall is turned on for all network profiles.
  2. Confirm anti-virus is running and up to date.
  3. Turn on Automatic Updates.
  4. Confirm the most current version of a web browser is installed and that its security settings are configured appropriately. Limit web browser use on the server to the activity necessary for server maintenance.

Disable any unused or unnecessary features of the server or the service or application. Server Manager can be used to disable many of these features.

Update promptly. Update the service or application within 30 days of an official security patch release by a vendor.

Configure Windows Update

  1. Open the Local Group Policy Editor.
  2. Select Computer Configuration, then select Administrative Templates, then Windows Components, then Windows Update.
  3. Double click Configure Automatic Updates, select Enabled, select Auto download and notify for install from the drop-down list, and select your preferred scheduled install day and time.
  4. Then choose the update source:
    1. To use the Windows Update Service provided by U-M, double click Specify intranet Microsoft update service location, select Enabled, and enter http://windowsupdate.umich.edu in both the update service and the statistics server fields.
    2. To use updates direct from Microsoft, leave Specify intranet Microsoft update service location as Not Configured.
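The Windows Update policies above are stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, so on a standalone server they can also be set and verified from PowerShell. The script below is an added example, not part of the original page or of any U-M tool. It assumes an elevated PowerShell session; the intranet server URL is the one given above, and the scheduled day and hour are illustrative. If a Local Group Policy setting is later configured in gpedit.msc it writes the same values and takes precedence at the next policy refresh.

```powershell
# Added example (not part of the original page). Writes the registry values that
# the "Configure Automatic Updates" and "Specify intranet Microsoft update service
# location" policies write, then reads them back. Assumptions: elevated session;
# http://windowsupdate.umich.edu is the page's update server.

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

function Set-AutomaticUpdatePolicy {
    param(
        [string]$IntranetServer = 'http://windowsupdate.umich.edu',  # '' = updates direct from Microsoft
        [int]$ScheduledDay  = 0,   # 0 = every day, 1 = Sunday ... 7 = Saturday (illustrative)
        [int]$ScheduledHour = 3    # 0-23 (illustrative)
    )
    foreach ($k in $wu, $au) { if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null } }

    # AUOptions 3 = auto download and notify for install (the page's choice);
    # 4 would be auto download and schedule the install using the day/time below.
    Set-ItemProperty -Path $au -Name NoAutoUpdate         -Value 0 -Type DWord
    Set-ItemProperty -Path $au -Name AUOptions            -Value 3 -Type DWord
    Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Value $ScheduledDay  -Type DWord
    Set-ItemProperty -Path $au -Name ScheduledInstallTime -Value $ScheduledHour -Type DWord

    if ($IntranetServer) {
        # Intranet update service: both the update server and the statistics server
        # fields, plus the switch telling the client to use them.
        Set-ItemProperty -Path $wu -Name WUServer       -Value $IntranetServer -Type String
        Set-ItemProperty -Path $wu -Name WUStatusServer -Value $IntranetServer -Type String
        Set-ItemProperty -Path $au -Name UseWUServer    -Value 1 -Type DWord
    } else {
        Set-ItemProperty -Path $au -Name UseWUServer -Value 0 -Type DWord
        Remove-ItemProperty -Path $wu -Name WUServer, WUStatusServer -ErrorAction SilentlyContinue
    }
}

function Get-AutomaticUpdatePolicy {
    $a = Get-ItemProperty -Path $au -ErrorAction SilentlyContinue
    $w = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        AUOptions   = $a.AUOptions
        UseWUServer = $a.UseWUServer
        WUServer    = $w.WUServer
        Day         = $a.ScheduledInstallDay
        Hour        = $a.ScheduledInstallTime
    }
}

Set-AutomaticUpdatePolicy
Get-AutomaticUpdatePolicy | Format-List AUOptions, UseWUServer, WUServer, Day, Hour

# Make the Automatic Updates client pick up the new policy now rather than at
# its next scheduled detection.
Restart-Service wuauserv
wuauclt /detectnow
```

With UseWUServer set to 1, an unreachable or mistyped WUServer URL silently stops the server from ever seeing updates, so after the first detection cycle check that C:\Windows\WindowsUpdate.log (on Windows Server 2008 R2) records a successful connection to the configured server.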

Assign a Static or reserve a DHCP IP address and register a DNS name for your server.

Using ITS DNS is recommended. In addition, set up reverse DNS for each IP address on the server. Include email contact information in the DNS record.

Avoid running local versions of services that ITS provides centrally (such as DHCP, NTP, and DNS) as they may create vulnerabilities for exploit or attack.

Request an SSL server certificate and enable its use by the web server.

Request an SSL certificate from UMWeb. Do not use default certificates in production.

Configure network time synchronization.

Use the Windows Time Service to synchronize with a trusted Windows domain controller, or configure the NTP client to use the university's time servers at ntp.itd.umich.edu.

Configure Network Time Synchronization

  1. Open the Local Group Policy Editor. Select Computer Configuration, then Administrative Templates, then System, then Windows Time Service, then Time Providers. Double click Configure Windows NTP Client.
  2. Select the radio button for Enabled.
  3. Under Options, set NtpServer to the U-M time servers, ntp.itd.umich.edu,0x9 (the ,0x9 flags put the client in standard client mode and tell it to honor the poll interval below), set Type to NTP (a server that is not a domain member cannot use the NT5DS domain hierarchy), and set SpecialPollInterval to how often, in seconds, the time service should sync with those servers.
  4. In the same Time Providers folder, confirm that Enable Windows NTP Client is also set to Enabled.
  5. To confirm your changes were successful, open Command Prompt and check the time service status by entering the following command:
    w32tm /query /status
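The same configuration can be done with w32tm, which is useful for servers built from a script. The following is an added example, not part of the original page or of any U-M tool. It assumes an elevated PowerShell session on a server that is not a domain member (a domain member should keep syncing from its domain controller and should not run Set-NtpClient); the peer flags and registry value it sets are the ones the Configure Windows NTP Client policy above controls.

```powershell
# Added example (not part of the original page). Points the Windows Time service
# at the university NTP server named above using w32tm and the NtpClient registry
# values, then checks that the service really is syncing from it.
# Assumptions: elevated PowerShell; a non-domain server.

$ntpClient = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient'

function Set-NtpClient {
    param([string]$Server = 'ntp.itd.umich.edu', [int]$PollSeconds = 900)
    # Peer flags: 0x8 = client mode, 0x1 = honor SpecialPollInterval (0x9 = both).
    # syncfromflags:manual = use only the listed peers, never a domain hierarchy.
    w32tm /config /manualpeerlist:"$Server,0x9" /syncfromflags:manual /reliable:no /update | Out-Null
    Set-ItemProperty -Path $ntpClient -Name SpecialPollInterval -Value $PollSeconds -Type DWord
    Set-ItemProperty -Path $ntpClient -Name Enabled             -Value 1            -Type DWord
    Restart-Service w32time
    w32tm /resync /nowait | Out-Null
}

function Test-NtpClient {
    param([string]$ExpectedServer = 'ntp.itd.umich.edu')
    $status  = w32tm /query /status
    $source  = (($status | Where-Object { $_ -match '^Source:' })  -replace '^Source:\s*', '').Trim()
    $stratum = (($status | Where-Object { $_ -match '^Stratum:' }) -replace '^Stratum:\s*', '').Trim()
    New-Object PSObject -Property @{
        Source  = $source
        Stratum = $stratum
        # A source of "Local CMOS Clock" or "Free-running System Clock" means the
        # server is not actually synchronising with anything.
        Pass    = ($source -like "$ExpectedServer*")
    }
}

Set-NtpClient
Start-Sleep -Seconds 10
Test-NtpClient | Format-List Source, Stratum, Pass
```

If Pass stays False, run w32tm /query /peers to see the configured peer and its state, and check that outbound UDP/123 to the time server is not blocked by a firewall; a server with the wrong time will also produce log timestamps that cannot be correlated with central logs during an incident.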

Back up your data.

The university offers the MiBackup service for server backups. The Sensitive Data Guide entry for MiBackup provides detail about which types of data can or cannot be backed up using the service (MiBackup is built on IBM Tivoli Storage Manager, TSM).

  1. Ensure your chosen backup medium (external hard drive, tape drive, network attached storage device) is connected to your system.
  2. Confirm Windows Server Backup is installed on your system.
    1. From the start menu, select Server Manager, then open the Storage section and select Windows Server Backup.
    2. If it is not installed, from Server Manager, click Add Features and check the checkbox next to Windows Server Backup Features. Follow the on-screen prompts to complete the installation.

Backup recommendations:

  • Determine a backup schedule that works for you based on how frequently the data stored on the system changes.
  • The most recent full backup of the system should be stored off-site in case of disaster.
  • Run one full backup of the system once a week, and incremental backups on the other days. Schedule the backups for times when the system is not in use to ensure that all files are captured and performance issues are avoided.
  • Test system restores using the backups on a regular basis.

Locate servers in an ITS-maintained data center using a service such as MiDatabase or MiServer, or at least maintain security and power.

ITS offers data center services and virtualization services like MiServer and MiDatabase.

If you are unable to use these, follow these expectations:

  • Secure physical server access: Keep your server in a physically locked space. Do not keep your server in a publicly accessible location.
  • Maintain constant power: For the safety of the server equipment and the data stored on it, use an uninterruptible power source to supply power to the server.

Dispose of safely and securely.

Before selling, returning or disposing of your server hardware at Property Disposition, securely erase the data. See Prepare Devices for Disposal.

Access and Accounts

Require a password for access to your computer.

Follow these guidelines for a strong password. Unauthenticated access should not be permitted, whether by unauthenticated web servers, anonymous ftp servers, or open network shares which allow access to the server's file system.

Configure Password Access

  1. Open the Local Group Policy Editor. Select Computer Configuration, then select Windows Settings, then Security Settings, then Account Policies, then select Password Policy.
  2. Double click Minimum password length, and in the window that opens, set the minimum password length to 9 characters. Click Apply, then OK.
  3. In addition, we recommend that you set the following account policies:
    1. Password must meet complexity requirements should be enabled.
    2. Store passwords using reversible encryption should be disabled.
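On a server that is not joined to a domain, the Account Policies above are stored in the local security database, which secedit can export and import. The script below is an added example, not part of the original page or of any U-M tool: it exports the current policy, checks the three settings the page calls out, and shows how to apply corrected values with the same tool. It assumes an elevated PowerShell session on a non-domain server (on a domain member the domain's password policy wins regardless of the local setting) and uses the page's 9-character minimum.

```powershell
# Added example (not part of the original page). Reads the local Account Policies
# with secedit, checks them against the page's requirements, and applies them.
# Assumptions: elevated PowerShell on a non-domain server; minimum length 9 is
# the page's value.

function Get-LocalPasswordPolicy {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $policy = @{}
    foreach ($line in Get-Content $cfg) {
        # Lines in the [System Access] section look like: MinimumPasswordLength = 9
        if ($line -match '^(MinimumPasswordLength|PasswordComplexity|ClearTextPassword|PasswordHistorySize|LockoutBadCount)\s*=\s*(\d+)') {
            $policy[$matches[1]] = [int]$matches[2]
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $policy
}

function Test-LocalPasswordPolicy {
    $p = Get-LocalPasswordPolicy
    $checks = @(
        @{ Check = 'Minimum password length >= 9';               Ok = ($p.MinimumPasswordLength -ge 9) },
        @{ Check = 'Password must meet complexity requirements'; Ok = ($p.PasswordComplexity -eq 1) },
        @{ Check = 'Reversible encryption disabled';             Ok = ($p.ClearTextPassword -eq 0) }
    )
    foreach ($c in $checks) {
        $result = if ($c.Ok) { 'PASS' } else { 'FAIL' }
        New-Object PSObject -Property @{ Check = $c.Check; Result = $result }
    }
}

function Set-LocalPasswordPolicy {
    # Imports only the three settings the page calls out; everything else is untouched.
    $inf = Join-Path $env:TEMP 'secpol-apply.inf'
    $db  = Join-Path $env:TEMP 'secpol-apply.sdb'
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 9
PasswordComplexity = 1
ClearTextPassword = 0
'@ | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

Test-LocalPasswordPolicy | Format-Table Check, Result -AutoSize
# Set-LocalPasswordPolicy   # uncomment to apply, then re-run the test
```

Note that a password policy only constrains passwords set after it is applied; existing local accounts keep whatever password they had, so after raising the minimum force a change on any account whose password predates the policy.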

Change default or vendor-supplied passwords to secure and unique passwords.

Use a secure file system that allows permissions to be set to restrict access, such as NTFS.

Use low-permissions accounts whenever possible.

  • Create specific accounts for each service or application limited to the access privileges necessary for the service to run.
  • Avoid using administrative level accounts to run services.
  • Accounts that access or administer the server should have the minimum permissions necessary to conduct the appropriate functions.

Require centralized authentication.

Avoid using local accounts for authentication into any service or application hosted on your server. Instead, use a centrally-managed account in a system such as Active Directory. Do not allow authentication with shared accounts.

De-provision regularly.

Implement account lifecycle management procedures to remove access of employees and collaborators that no longer require access to the server or applications.

Force session timeouts.

Regularly disconnect sessions idle more than two hours using a scheduled task or other methods.
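One way to implement the scheduled-task approach is to parse the output of quser, end any interactive session idle for two hours or more, and run that hourly. The script below is an added example, not part of the original page or of any U-M tool. It assumes an elevated PowerShell session, English-language quser output (it keys on the state words Active and Disc), and that the script is saved at the hypothetical path C:\Admin\Disconnect-IdleSessions.ps1; without -Apply it only reports what it would do.

```powershell
# Added example (not part of the original page). Parses quser, logs off
# interactive sessions idle for >= 120 minutes (the page's two hours), and shows
# the schtasks command that runs it hourly. Assumptions: elevated PowerShell,
# English quser output, hypothetical script path C:\Admin\Disconnect-IdleSessions.ps1.
param([switch]$Apply)

function ConvertFrom-IdleTime {
    # quser shows idle time as "none", ".", "mm", "h:mm" or "d+h:mm"; returns minutes.
    param([string]$Text)
    if ($Text -eq 'none' -or $Text -eq '.' -or $Text -eq '') { return 0 }
    $days = 0
    if ($Text -match '^(\d+)\+(.+)$') { $days = [int]$matches[1]; $Text = $matches[2] }
    $parts = $Text.Split(':')
    if ($parts.Count -eq 1) { return $days * 1440 + [int]$parts[0] }
    return $days * 1440 + [int]$parts[0] * 60 + [int]$parts[1]
}

function Get-InteractiveSessions {
    # Columns: USERNAME [SESSIONNAME] ID STATE IDLE-TIME LOGON-TIME. The session
    # name is blank for disconnected sessions, so the regex makes it optional.
    $re = '^\s*>?(\S+)\s+(?:(\S+)\s+)?(\d+)\s+(Active|Disc)\s+(\S+)\s+(.+)$'
    foreach ($line in (quser 2>$null | Select-Object -Skip 1)) {
        if ($line -match $re) {
            New-Object PSObject -Property @{
                User = $matches[1]; Id = [int]$matches[3]; State = $matches[4]
                IdleMinutes = ConvertFrom-IdleTime $matches[5]
            }
        }
    }
}

function Disconnect-IdleSessions {
    param([int]$IdleMinutes = 120, [switch]$Apply)
    foreach ($s in Get-InteractiveSessions) {
        if ($s.IdleMinutes -ge $IdleMinutes) {
            Write-Output ("Session {0} ({1}) idle {2} min: logging off" -f $s.Id, $s.User, $s.IdleMinutes)
            # logoff ends the session and frees its resources; use tsdiscon instead
            # if you only want to disconnect it and keep it alive.
            if ($Apply) { logoff $s.Id }
        }
    }
}

Disconnect-IdleSessions -Apply:$Apply

# One-time registration of the hourly task (run elevated):
# schtasks /Create /F /TN "Disconnect idle sessions" /SC HOURLY /RU SYSTEM /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Admin\Disconnect-IdleSessions.ps1 -Apply"
```

Run it once without -Apply and compare its output with quser before scheduling it, since a parsing mistake in a logoff script ends sessions for every administrator on the box.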

Enable two-factor authentication, especially if the system will be storing sensitive data.

To implement two-factor authentication with Shibboleth, see Configuring Your Service Provider for Two-Factor Authentication (S4396).

Monitoring

Configure service audit logging for the server system and each unique service or application housed on the server.

Log authentications for services or applications housed on the server using a centralized logging system. Enable login auditing of failed and successful login attempts.

Configure Login Auditing for Failed and Successful Login Attempts

  1. Open the Local Group Policy Editor. Select Computer Configuration, then select Windows Settings, then Security Settings, then Advanced Audit Policy Configuration, then System Audit Policies - Local Group Policy Object. Click Logon/Logoff.
  2. For the following subcategories, ensure that the audit events property matches what is below:
    • Audit Logoff: Success
    • Audit Logon: Success and Failure
    • Audit Special Logon: Success

    To make changes, double click on the subcategory, check the appropriate checkbox, click Apply, then OK.

  3. Run gpupdate /force (or restart the system) so the settings take effect, then confirm them with auditpol /get /category:"Logon/Logoff" from an elevated Command Prompt.

Configure file level access logging for the server file system.

Configure File Level Access Logging

  1. Open the Local Group Policy Editor. Select Computer Configuration, then Windows Settings, then Security Settings, then Advanced Audit Policy Configuration, then System Audit Policies - Local Group Policy Object. Select Object Access.
  2. Double click the subcategory Audit File System and check the checkbox for Configure the following audit events, then check the Failure checkbox. Click Apply then OK.
  3. Run gpupdate /force (or restart the system) for the changes to take effect. This policy only enables the audit category; no file events are generated until an audit entry (SACL) is placed on the drives or folders to watch, as in the next procedure.

Configure Drive-specific File Level Access Logging

If you have a large file system, this may take some time to complete.

  1. Open Computer and right-click the drive on which you want to configure file-level access logging. From the drop-down list, select Properties.
  2. Select the Security tab, then click Advanced.
  3. From the window that appears, select the Auditing tab. Click Continue to confirm that you have the appropriate rights to make changes, and click Yes when prompted.
  4. In the Advanced Security Settings window for the selected drive, click Add..., enter the object name Everyone, and click OK. In the Auditing Entry window, set Apply to: This folder, subfolders and files, check Failed for Full control (matching the Failure setting chosen in the audit policy above; auditing Successful access as well generates a very large volume of events), and click OK in each open window to complete the configuration.
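The three procedures above (logon auditing, file system audit policy, and the drive-level audit entry) can be applied and verified together from the command line with auditpol.exe and Set-Acl. The script below is an added example, not part of the original page or of any U-M tool. It assumes an elevated PowerShell session, audits drive C: (change $Drive for other volumes), and audits only failed access, matching the Failure choice made above.

```powershell
# Added example (not part of the original page). Applies the audit subcategory
# settings from the procedures above with auditpol, places a failure-audit SACL
# on a drive with Set-Acl, and reads both back. Assumptions: elevated PowerShell;
# drive C: is the volume to audit.

function Set-RequiredAuditPolicy {
    # Logon/Logoff subcategories
    auditpol /set /subcategory:"Logoff"        /success:enable /failure:disable | Out-Null
    auditpol /set /subcategory:"Logon"         /success:enable /failure:enable  | Out-Null
    auditpol /set /subcategory:"Special Logon" /success:enable /failure:disable | Out-Null
    # Object Access / File System: failures only
    auditpol /set /subcategory:"File System"   /success:disable /failure:enable | Out-Null
}

function Get-AuditSetting {
    param([string]$Subcategory)
    # /r gives CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $row = auditpol /get /subcategory:"$Subcategory" /r | Where-Object { $_ } | ConvertFrom-Csv
    return $row.'Inclusion Setting'
}

function Add-DriveFailureAuditing {
    param([string]$Drive = 'C:\')
    # SACL entry: Everyone, all rights, audit Failure, inherited by subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
        'Everyone', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Failure'
    $acl = Get-Acl -Path $Drive -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Drive -AclObject $acl    # propagates to every file; slow on a large volume
}

Set-RequiredAuditPolicy
Add-DriveFailureAuditing -Drive 'C:\'

foreach ($s in 'Logoff', 'Logon', 'Special Logon', 'File System') {
    '{0,-14} {1}' -f $s, (Get-AuditSetting $s)
}
(Get-Acl -Path 'C:\' -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

Expect "Success" for Logoff and Special Logon, "Success and Failure" for Logon, and "Failure" for File System; the SACL listing should show a single non-inherited Everyone entry with AuditFlags of Failure. Once both halves are in place, a denied access to any file on the drive appears in the Security log as event ID 4656 or 4663 with the requesting account and the object name.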

Increase audit log size to accommodate the increased activity occurring on a server.

Configure Increased Audit Log Size

  1. Open the Local Group Policy Editor. Select Computer Configuration, then select Administrative Templates, then Windows Components, then Event Log Service.
    1. Select Application, then double click Maximum Log Size (KB), select Enabled, and set the maximum log size to 32768 KB.
    2. Do the same for System.
    3. Do the same for Security, but set the maximum log size to 81920 KB. Treat these sizes as minimums: the CIS benchmark for Windows Server recommends a larger Security log (196608 KB or more), and a busy server with file access auditing enabled will fill 80 MB quickly.
    4. For each event log service, ensure that Retain old events is set to Disabled, so that the log overwrites its oldest events when full instead of halting logging.
  2. Click OK and restart your system for changes to take effect.
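The same log limits can be set and verified with wevtutil, which takes effect immediately and is convenient for scripted builds. The script below is an added example, not part of the original page or of any U-M tool. It assumes an elevated PowerShell session and uses the page's sizes; note that wevtutil takes sizes in bytes while the Group Policy setting takes kilobytes, and that a configured Group Policy value overwrites these at the next policy refresh.

```powershell
# Added example (not part of the original page). Sets maximum size and
# retention for the Application, System and Security logs with wevtutil and
# reads them back. Assumptions: elevated PowerShell; sizes are the page's values.

function Set-EventLogLimits {
    param([hashtable]$SizesKB = @{ Application = 32768; System = 32768; Security = 81920 })
    foreach ($log in $SizesKB.Keys) {
        $bytes = [int64]$SizesKB[$log] * 1024
        # /rt:false = do not retain old events (overwrite as needed), which is
        # what "Retain old events: Disabled" means in Group Policy.
        wevtutil set-log $log /ms:$bytes /rt:false | Out-Null
    }
}

function Get-EventLogLimits {
    foreach ($log in 'Application', 'System', 'Security') {
        $cfg = wevtutil get-log $log
        $max = (($cfg | Where-Object { $_ -match '^\s*maxSize:' })   -replace '.*:\s*', '').Trim()
        $ret = (($cfg | Where-Object { $_ -match '^\s*retention:' }) -replace '.*:\s*', '').Trim()
        New-Object PSObject -Property @{ Log = $log; MaxSizeKB = ([int64]$max / 1024); RetainOld = $ret }
    }
}

Set-EventLogLimits
Get-EventLogLimits | Format-Table Log, MaxSizeKB, RetainOld -AutoSize
```

The readback should show 32768, 32768 and 81920 KB with retention false for all three logs. Larger local logs are a buffer, not a substitute for forwarding: an attacker with administrative access can clear them (which itself logs event ID 1102), so the Security log should also be shipped to the centralized logging system.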

Configure notifications to alert the system owner or administrator when the system stops or restarts.

Report security incidents.

If your server or associated devices are compromised, stolen, or otherwise accessed in an unauthorized manner, report a security incident.

Connections

Disable unused optional network connections such as Wi-Fi or Bluetooth.

Limit network access to the service to LAN or U-M campus networks using a local or gateway firewall. Run a port scan of the system to confirm that ports are properly protected.

Require VPN connections to access the service from off-campus or non-LAN IP networks.

Connect securely to the server.

Do not use insecure or clear text protocols to connect to the server. If those methods must be used, restrict server access to specific IP addresses or the U-M campus network.

Restrict access to remote access management cards or interfaces using firewall or other network restrictions to U-M campus networks and require use of the U-M VPN for off-campus access.
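Restricting a management port to campus and VPN ranges is a firewall rule with a source-address scope, and the "confirm with a port scan" step is a connection test from outside those ranges. The script below is an added example, not part of the original page or of any U-M tool. It assumes an elevated PowerShell session for the firewall change; the 10.0.0.0/8 network in $AllowedNets is a placeholder to replace with your unit's actual campus and VPN ranges, RDP (3389) is the example port, and Test-TcpPorts is meant to be run twice, from a host outside the allowed ranges (expect Open False) and from one inside (expect Open True).

```powershell
# Added example (not part of the original page). Scopes an inbound management
# port to allowed source networks with netsh advfirewall, and probes a server's
# ports from another host to confirm the result. Assumptions: elevated session
# for the firewall change; 10.0.0.0/8 is a placeholder, not a U-M range.

function Set-ManagementPortScope {
    param(
        [string[]]$AllowedNets = @('10.0.0.0/8'),   # placeholder: replace with campus + VPN ranges
        [int[]]$Ports = @(3389)
    )
    # Run this from a session inside $AllowedNets, or the change cuts you off.
    $remote = $AllowedNets -join ','
    foreach ($p in $Ports) {
        $name = "Mgmt-TCP-$p-scoped"
        netsh advfirewall firewall delete rule name=$name | Out-Null
        netsh advfirewall firewall add rule name=$name dir=in action=allow `
            protocol=TCP localport=$p remoteip=$remote profile=any | Out-Null
    }
    # The built-in Remote Desktop rules allow 3389 from any address; disable them
    # so the scoped rule above is the only one that can match.
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=no | Out-Null
}

function Test-TcpPorts {
    param([string]$Target, [int[]]$Ports = @(22, 80, 443, 3389, 5985), [int]$TimeoutMs = 1500)
    foreach ($p in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $async  = $client.BeginConnect($Target, $p, $null, $null)
        # WaitOne returns False on timeout (filtered by a firewall) and True when the
        # attempt completed; Connected separates an accepted from a refused connection.
        $open   = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected
        $client.Close()
        New-Object PSObject -Property @{ Port = $p; Open = $open }
    }
}

# On the server, from inside the allowed ranges:
# Set-ManagementPortScope -AllowedNets '10.0.0.0/8' -Ports 3389
# From another host (hostname is a placeholder):
Test-TcpPorts -Target 'server.example.umich.edu' | Format-Table Port, Open -AutoSize
```

A port that shows Open from outside the allowed ranges after the change usually means a second, broader rule still matches (netsh advfirewall firewall show rule name=all dir=in lists them), or that the server's profile is not the one you expected.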

Other Things to Consider

Monitor file system modifications for unauthorized changes using a binary file integrity check service such as Tripwire.

Enable encryption.

You can encrypt the hard drive (full disk encryption), partitions on the hard drive, or files and file directories. Hard drive encryption can be set up during the installation of the operating system; on Windows Server, BitLocker Drive Encryption is available as an installable feature. Microsoft provides instructions for enabling file encryption.

Restrict boot source in BIOS.

Configure BIOS to disable boot from CD/DVD, external devices (USB), or from a floppy drive if the physical security of the server could be compromised. Additionally, consider setting a BIOS password to further restrict access to the system.

Configure BIOS Boot Restrictions and Set a Password

  1. Restart your system and access BIOS.
  2. On the Boot tab, set the first boot device to be the local hard drive. Disable booting from other boot devices.
  3. On the Security tab, set a supervisor password.

Regularly scan the server for vulnerabilities.

Check the Sensitive Data Guide to confirm that your server is eligible to access or maintain the type(s) of sensitive data it is storing or processing.

Checking the Sensitive Data Guide is especially important if your server is a virtual machine.

If you are accessing or maintaining Credit Card or Payment Card Information (PCI) or Protected Health Information (PHI) on your server, you should consult with IA to determine if your server is approved.

Centrally manage anti-virus and update utilities, especially if the server network is large or distributed. Send anti-virus logs to a centralized logging system such as Splunk.

Use appropriate settings or controls to ensure that sensitive data accessed or maintained by your server cannot be cached to client systems connecting to your server.

Additional Resources for Securing Windows Servers