Security Hardening Tips and Recommendations

This article will focus on real security hardening, for instance when most basics if not all, are already in place (see previous article: http://social.technet.microsoft.com/wiki/contents/articles/12432.general-security-advice-and-best-practices.aspx).

Obviously, the changes to be made on the systems to Harden may have a higher impact on applications and specific business environments, therefore testing before hardening is crucial and highly recommended.

Operational security hardening items

MFA for Privileged accounts  

Use dual factor authentication for privileged accounts, such as domain admin accounts, but also critical accounts (but also accounts having the SeDebug right). See http://technet.microsoft.com/fr-fr/library/ff404294(v=ws.10).aspx. You might also want to consider deploying smartcard logon for VPN: http://technet.microsoft.com/en-us/library/cc875840.aspx

Admin bastions

Harden security administration leveraging admin bastions: those machines are especially hardened, and the administrators first connects to the bastion, then from the bastion connects to the remote machine (server/equipment) to be administrated. Traceability can be enforced this way (even generic admin accounts could be linked to nominative accounts), as well as authentication (smart card logon to be used on the remote server). Great measure to defend against keylogging, pass-the-hash attack, and administrators potentially unwanted actions. (you might want to read this documentation: Implementing secure administrative hosts: http://technet.microsoft.com/en-us/library/dn487449.aspx )

Microsoft recommends the use of hardened, dedicated administrative workstations, which are known as Privileged Administrative Workstations ( for guidance see https://aka.ms/cyberpaw ). Bastion hosts, otherwise commonly known as jump servers, can not be considered secure unless the admin's session, from the keyboard all the way to the Exchange server, are protected and secured. If an Exchange Administrator's source workstation is compromised, and they attempt a session with a bastion or jump server, it is possible that an attacker can intercept, surveil and potentially hi jack the remote session.

EMET

Mitigate the risk of successful unpatched applications vulnerabilities exploitation with DEP, ALSR, SEHOP, etc (if applicable). Deploy the EMET: https://support.microsoft.com/en-us/kb/2458544 and set it up depending on the versions of Windows you're running.

OWA

 Harden Outlook Web App (OWA) access by publishing it through reverse proxies, and automatically deploy a component to check remote clients security. Windows Server WAP (see: https://technet.microsoft.com/en-us/library/dn584107%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396) could be an option: https://blogs.technet.microsoft.com/jrosen/2013/12/28/setting-up-windows-application-proxy-for-exchange-2013/

Antivirus

Run offline scans of antivirus, after a compromise and on a regular basis (sensitive machines). Here is an implementation example made of SCCM and System Sweeper: http://blogs.technet.com/b/configmgrteam/archive/2012/04/12/launching-a-windows-defender-offline-scan-with-configuration-manager-2012-osd.aspx

Network

• Enhance network isolation with Network Access Control technologies, for instance NAP, at least for critical assets and infrastructure servers: http://technet.microsoft.com/library/cc512682.aspx and http://technet.microsoft.com/en-us/library/cc753550(v=ws.10).aspx
• Enable Network Level Authentication: http://technet.microsoft.com/en-us/library/cc732713.aspx
• White/blacklisting applications, through AppLocker for example: http://technet.microsoft.com/en-us/library/ee791890(v=ws.10).aspx
• Use strong algorithms to cypher network communications: from the list of implemented SSL/TLS versions, depending on the versions of Windows you have got, enable and prioritize the strongest cyphering suite possible (see http://blogs.msdn.com/b/benjaminperkins/archive/2011/10/07/secure-channel-compatibility-support-with-ssl-and-tls.aspx). By default, our recommendation is TLS 1.2 (maybe 1.1 also, for app backward compatibility), both client and server side.
• Use IpSec at least between domain controllers (AD replication, etc), and for critical application servers: http://technet.microsoft.com/en-us/library/deploy-ipsec-firewall-policies-step-by-step(v=ws.10).aspx
  • For internal network communications, that you might want to harden with NIPS filtering, we recommend you to only enable IPSec authentication (not cyphering). This will allow network traffic inspection, as well as client authentication..
  • For external network communications, at a higher risk of interception, we recommend you to enable both IPSec authentication and cyphering. This may apply to WAN links for instance. In that case, NIPS will most likely not be efficient. NIPS filtering should be then locally done on both sides of the IPsec tunnel.

Advance Threats

Deploy an anti-APT solution and other security measures to detect advanced attacks. You may want to have a look at Microsoft Advanced Threat Analytics.

Specific security guides/best practices to harden systems or environments

Windows Client

• Win XP Threats and countermeasures guide: http://www.microsoft.com/en-us/download/confirmation.aspx?id=24696
• Win Vista security guide: http://www.microsoft.com/download/en/details.aspx?id=18328 (Vista being pretty close to 7, NT6.0 / NT6.1)
• Win 7 security features: http://technet.microsoft.com/en-us/library/dd571075(WS.10).aspx
• Win 7 Security Compliance Manager, and security guide: http://technet.microsoft.com/en-us/library/ee712767.aspx
• Windows 10 Security guide: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-10-enterprise-security-guides

Windows Server

• Win Server 2003 Security guide: http://www.microsoft.com/en-us/download/details.aspx?id=8222
• Win server 2008 r2 Security guide: http://technet.microsoft.com/en-us/library/gg236605.aspx
• Win Server 2012 Security Baseline: http://technet.microsoft.com/en-us/library/jj898542.aspx
• Win Server 2016 Security Baseline https://aka.ms/2016secbaseline

IIS

• IIS security guide: http://technet.microsoft.com/fr-fr/library/dd450371(v=ws.10).aspx
• SSL/TLS configuration in IIS: http://technet.microsoft.com/en-us/library/dd163531.aspx
• Exchange TLS & SSL Best Practices https://aka.ms/exchangetls1

AD

• AD 2003 security best practices: http://technet.microsoft.com/en-us/library/cc778219(v=ws.10).aspx
• Best practices for securing Active Directory: http://www.microsoft.com/en-us/download/details.aspx?id=38785
• WSUS best practices (complete doc): http://technet.microsoft.com/en-us/library/cc720525(v=ws.10).aspx

O365

• Office365 security whitepaper: http://download.microsoft.com/download/6/6/2/662F89E4-9340-4DDE-B28E-D1643681ADEB/Security%20in%20Office%20365%20Whitepaper.docx.

EMET

• EMET v3 features: http://blogs.technet.com/b/srd/archive/2012/05/15/introducing-emet-v3.aspx
• EMET v4 additions: http://blogs.technet.com/b/srd/archive/2013/06/17/emet-4-0-now-available-for-download.aspx

Other

• MS Exchange (2010) Security guide: http://technet.microsoft.com/en-us/library/bb691338.aspx
• Lync Server 2010 Security guide: http://www.microsoft.com/en-us/download/details.aspx?id=2729
• Sharepoint Server (2010) security guide: http://technet.microsoft.com/en-us/library/cc263215.aspx
• MS SQL Server 2008 R2 Security best practices: http://download.microsoft.com/download/1/2/A/12ABE102-4427-4335-B989-5DA579A4D29D/SQL_Server_2008_R2_Security_Best_Practice_Whitepaper.docx