Windows Operating System - Securing Windows Server
Securing Windows Server
Server Core and Nano Server
- Microsoft offers Server Core for organizations that want a Windows Server, but with a much smaller attack surface
- Server Core or Nano Server can be a good solution for a server that handles critical network operations such as DNS and DHCP
- Server Core eliminates most of the GUI portion of the operating system and Nano Server eliminates even more
- They also can be a good solution for a web or other server in the demilitarized zone (DMZ) of a network
- Nano Server is a remotely administered server operating system optimized for private clouds and datacenters.
- It is similar to Windows Server in Server Core mode, but significantly smaller, has no local logon capability, and only supports 64-bit applications, tools, and agents
- The smaller kernels in Server Core and Nano Server also can offer better performance and lead to fewer problems
- Nano Server takes up far less disk space, sets up significantly faster, and requires far fewer updates and restarts than Windows Server
- When it does restart, it restarts much faster
- DMZ: A portion of a network that sits between two networks, such as between a private network and the Internet
- DMZ: Computers in the DMZ are protected by fewer router and firewall defenses than computers on the private network
Evolving Group Policy
Windows Firewall and IPsec
- Firewall settings from local policy and Group Policy are merged so that rules are applied consistently
- Windows Firewall protects incoming and outgoing communications
- Windows Firewall includes Windows Firewall with Advanced Security MMC snap-in
- Windows Firewall via Control Panel
- Right-click Start and click Control Panel.
- In the Control Panel Large icons or Small icons view, click Windows Firewall.
- In the Windows Firewall window, click Advanced settings.
- Click Inbound Rules in the left pane (see Figure 10-25). Scroll to view the inbound rules in the middle pane.
- Click Outbound Rules in the left pane and scroll to view these rules.
- IPsec (Wikipedia): Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network
- It is used in virtual private networks (VPNs).
- IPsec includes protocols for establishing mutual authentication between agents at the beginning of a session and negotiation of cryptographic keys to use during the session
- IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host)
- IPsec uses cryptographic security services to protect communications over Internet Protocol (IP) networks.
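As an added example (not from these notes), the following PowerShell enumerates the same inbound rules the Advanced Security console shows, flags enabled Allow rules that accept traffic from any remote address, and lists the IPsec connection security rules currently in force. It assumes the built-in NetSecurity module cmdlets (Get-NetFirewallRule, Get-NetIPsecRule and related filters) available on Windows Server 2012 and later, run from an elevated prompt.

```powershell
# Added example (not part of the course notes): audit inbound Allow rules and
# list active IPsec rules. Uses the built-in NetSecurity module (Windows Server 2012+).
function Get-InboundAllowRuleSummary {
    [CmdletBinding()]
    param(
        # When set, report only rules that accept traffic from any remote address
        [switch]$AnyRemoteOnly
    )
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
    foreach ($rule in $rules) {
        $port   = $rule | Get-NetFirewallPortFilter
        $addr   = $rule | Get-NetFirewallAddressFilter
        $remote = @($addr.RemoteAddress)
        if ($AnyRemoteOnly -and -not ($remote -contains 'Any')) { continue }
        [pscustomobject]@{
            Name       = $rule.DisplayName
            Profile    = $rule.Profile            # Domain, Private, Public or Any
            Protocol   = $port.Protocol
            LocalPort  = (@($port.LocalPort) -join ',')
            RemoteAddr = ($remote -join ',')
        }
    }
}

function Get-ActiveIPsecRuleSummary {
    # IPsec connection security rules as currently applied (local + Group Policy merged)
    Get-NetIPsecRule -PolicyStore ActiveStore |
        Select-Object DisplayName, Enabled, Mode, InboundSecurity, OutboundSecurity
}

# Usage: rules reachable from any address on the Public profile deserve a second look
Get-InboundAllowRuleSummary -AnyRemoteOnly |
    Where-Object { $_.Profile -match 'Public|Any' } |
    Sort-Object Name | Format-Table -AutoSize
Get-ActiveIPsecRuleSummary | Format-Table -AutoSize
```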
Windows Defender
- Software that scans for viruses, spyware, and malware
- Windows Server 2016 is the first Windows Server operating system to include Windows Defender
- Windows Defender can remove or quarantine viruses and other malware to keep them from doing harm.
- How to use Windows Defender
- Right-click Start and click Control Panel
- Set View by to Large icons or Small icons and click on Windows Defender
- In the same Control Panel view you can also find Windows Defender Firewall and BitLocker Drive Encryption
- Windows Defender Commands: SC query
- sc query windefend: This command checks whether Windows Defender is running
- sc query: Enumerates status for active services & drivers
- sc query eventlog: Displays status for the eventlog service
- sc queryex eventlog: Displays extended status for the eventlog service
- sc query type= driver: Enumerates only active drivers
- sc query type= service: Enumerates only Win32 services
- sc query state= all: Enumerates all services & drivers
- sc query bufsize= 50: Enumerates with a 50 byte buffer
- sc query ri= 14: Enumerates with resume index = 14
- sc queryex group= "": Enumerates active services not in a group
- sc query type= interact: Enumerates all interactive services
- sc query type= driver group= NDIS: Enumerates all NDIS drivers
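As an added example (not from these notes), this PowerShell runs `sc query <service>` exactly as listed above and parses the STATE line, so a scheduled check can confirm that Defender and related services are running rather than reading the output by eye. The service names windefend (Defender antimalware), MpsSvc (Windows Defender Firewall) and eventlog are the assumed set to check.

```powershell
# Added example (not part of the course notes): parse "sc query <service>" output so a
# script can verify that Defender and other security services are RUNNING.
function Get-ScServiceState {
    param([Parameter(Mandatory)][string]$Name)
    # Call sc.exe explicitly: in PowerShell a bare "sc" is the alias for Set-Content
    $output = & sc.exe query $Name
    if ($LASTEXITCODE -ne 0) {
        # sc.exe returns 1060 when the service does not exist
        return [pscustomobject]@{ Name = $Name; State = 'NOT_FOUND'; ExitCode = $LASTEXITCODE }
    }
    $state = 'UNKNOWN'
    foreach ($line in $output) {
        # Matches a line such as "        STATE              : 4  RUNNING"
        if ($line -match '^\s*STATE\s*:\s*\d+\s+(\w+)') { $state = $Matches[1]; break }
    }
    [pscustomobject]@{ Name = $Name; State = $state; ExitCode = 0 }
}

function Test-SecurityServices {
    # Assumed service list for this example: Defender antimalware, Defender Firewall, event log
    param([string[]]$Names = @('windefend', 'MpsSvc', 'eventlog'))
    $results    = foreach ($n in $Names) { Get-ScServiceState -Name $n }
    $notRunning = @($results | Where-Object { $_.State -ne 'RUNNING' })
    [pscustomobject]@{
        AllRunning = ($notRunning.Count -eq 0)
        Details    = $results
    }
}

# Usage: print the table and exit non-zero when something is stopped or missing
$check = Test-SecurityServices
$check.Details | Format-Table -AutoSize
if (-not $check.AllRunning) {
    Write-Warning 'One or more security services are not running'
    exit 1
}
```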
Security Templates
- Security templates enable you to configure server-wide security
- Windows Server 2016 offers the Security Templates MMC snap-in that enables you to create one or more security templates to house in Active Directory.
This snap-in enables you to set up security to govern the following (Michael Palmer: MP):
- Account policies
- Local policies
- Event log tracking policies
- Group restrictions
- Service access security
- Registry security
- File system security
- How to use the Security Templates snap-in.
- Right-click Start, click Run, type mmc in the Open text box and click OK.
- Click File and click Add/Remove Snap-in.
- In the Add or Remove Snap-ins dialog box, click Security Templates and click the Add button. Now click
Security Configuration and Analysis and click the Add button
- Click OK.
- Click Security Templates in the tree.
- etc...
Use the cipher command for encryption
- When you deploy NTFS you can use the Encrypt attribute to protect folders and files.
- Encryption enables only the user who encrypts the folder or file to read it
- You learned that you can set the Encrypt attribute on a folder or file by working with that folder's or file's properties
- Another option that you learn in this section is to use the cipher command from the Windows PowerShell or Command Prompt window
- cipher /?: Lists the cipher command options
- cipher (no options): Lists the encryption state of the current folder and the files in it
- How to encrypt a folder
- Create a folder
- Right-click the folder you created and click Properties.
- On the General tab, click Advanced.
- Click Encrypt contents to secure data. Click OK.
- Click OK in the folder’s Properties dialog box
- How to see encrypted and unencrypted files
- Go to the folder that contains the encrypted folder using the command line.
- Type "cipher"
- You should see the encrypted folder prefixed with E; unencrypted items are prefixed with U
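As an added example (not from these notes), this PowerShell encrypts a folder with `cipher /e` and then parses the plain `cipher` listing described above to report which items are still unencrypted (U), cross-checking each letter against the NTFS Encrypted attribute. It assumes an NTFS volume and uses a constructed sample folder under `$env:TEMP`.

```powershell
# Added example (not part of the course notes): encrypt a folder with EFS via cipher
# and parse the "cipher" listing (E = encrypted, U = unencrypted) programmatically.
function Protect-FolderWithEfs {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { throw "Folder not found: $Path" }
    # /e = encrypt, /a = files as well as directories, /s = include subdirectories
    & cipher.exe /e /a "/s:$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher /e failed (exit $LASTEXITCODE); EFS requires NTFS" }
}

function Get-EfsState {
    param([Parameter(Mandatory)][string]$Path)
    # Same as the manual steps: change into the folder and run cipher with no options
    Push-Location -LiteralPath $Path
    try { $lines = & cipher.exe } finally { Pop-Location }
    foreach ($line in $lines) {
        # Item lines look like "E secret.txt" or "U notes\" (trailing backslash = directory)
        if ($line -match '^\s*([EU])\s+(.+?)\s*$') {
            $name = $Matches[2]
            $flag = $Matches[1]
            $item = Get-Item -LiteralPath (Join-Path $Path $name) -Force
            [pscustomobject]@{
                Name      = $name
                Encrypted = ($flag -eq 'E')
                # Cross-check cipher's letter against the NTFS Encrypted attribute
                Attribute = [bool]($item.Attributes -band [IO.FileAttributes]::Encrypted)
            }
        }
    }
}

# Usage: build a constructed sample folder, encrypt it, then list anything still in the clear
$target = Join-Path $env:TEMP 'efs-demo'    # constructed sample path
New-Item -ItemType Directory -Path $target -Force | Out-Null
Set-Content -Path (Join-Path $target 'secret.txt') -Value 'constructed sample data'
Protect-FolderWithEfs -Path $target
Get-EfsState -Path $target | Where-Object { -not $_.Encrypted }
```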
BitLocker and TPM (Trusted Platform Module)
- BitLocker applies to
- Windows 10
- Windows 11
- Windows Server 2016 and above
- BitLocker Drive Encryption is another effective tool for protecting data on hard drives, including removable hard drives connected through a USB port
- Windows Server 2016 and above BitLocker Drive Encryption also supports EFI-based computers as well as computers using BIOS.
- BitLocker Drive Encryption is a data protection feature that integrates with the operating system
- It addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
- BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM)
- BitLocker Drive Encryption uses TPM (Trusted Platform Module).
- TPM: Trusted Platform Module
- TPM (Trusted Platform Module) is a hardware chip on your computer's motherboard
- When you encrypt the hard disk, BitLocker stores the key inside the TPM
- When you boot the system, it reads the key from the TPM
- The hardware device with the security specification can be a chip or microcontroller on a motherboard that contains the security capabilities
- TPM verifies that the computer to which the hard drive is connected has authority to access that hard drive. This means that if a hard drive is stolen, it cannot be accessed by another computer. Security at the hardware level, such as TPM, is thought to be more foolproof than software security.
- If someone takes away your hard disk, he/she won't be able to access the key because it is secured inside the TPM.
- The TPM provides an extra layer of security by storing passwords and keys in a secure form.
- TPM is considered very secure, and an attack on it is considered near impossible
- https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview
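As an added example (not from these notes or the linked Microsoft page), this PowerShell reports whether the TPM is present and ready and whether each volume is actually protected by BitLocker with a TPM-based key protector and a recovery password. It assumes the TrustedPlatformModule and BitLocker modules (Get-Tpm, Get-BitLockerVolume) that ship with Windows Server 2016 and later, run from an elevated prompt.

```powershell
# Added example (not part of the course notes): BitLocker/TPM posture check.
# Requires the TrustedPlatformModule and BitLocker modules and an elevated prompt.
function Get-BitLockerPosture {
    $tpm   = Get-Tpm
    $tpmOk = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    foreach ($vol in Get-BitLockerVolume) {
        # A TPM-based protector (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey) ties the
        # key to this machine; a RecoveryPassword protector is the escrowed fallback
        $protectorTypes = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        [pscustomobject]@{
            Volume           = $vol.MountPoint
            Type             = $vol.VolumeType           # OperatingSystem, Data, ...
            ProtectionStatus = $vol.ProtectionStatus     # On or Off
            EncryptionPct    = $vol.EncryptionPercentage
            Method           = $vol.EncryptionMethod
            TpmReady         = $tpmOk
            TpmProtector     = [bool]($protectorTypes | Where-Object { $_ -like 'Tpm*' })
            RecoveryPassword = ($protectorTypes -contains 'RecoveryPassword')
        }
    }
}

# Usage: show every volume, then single out the ones that fail the expected posture
$posture = Get-BitLockerPosture
$posture | Format-Table -AutoSize
$gaps = $posture | Where-Object {
    "$($_.ProtectionStatus)" -ne 'On' -or -not $_.TpmReady -or
    -not $_.TpmProtector -or -not $_.RecoveryPassword
}
if ($gaps) {
    Write-Warning "Volumes without full TPM-backed BitLocker protection: $(($gaps.Volume) -join ', ')"
}
```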
All Commands for Securing Windows
- sc query
- cipher /e: This command encrypts the specified files or directories. Directories are marked so that files added afterward are encrypted
- cipher /c: Displays information on the encrypted file
- cipher /d: Decrypts the specified files or directories. Directories are marked so that files added afterward are not encrypted
- cipher /h: Displays files with the hidden or system attributes.
- cipher /k: Creates a new file encryption key for the user running cipher
Reference