Hardening Windows Server

Question 1

How can a security baseline be implemented?

Answer 1

1. Open Group Policy Management Editor. Create a GPO that is linked to an OU
   that contains member servers. Give it a friendly name
2. Click on the Group Policy Objects folder, find the GPO, then right-click and
   choose Import Settings.
3. Select the GPO you’ve downloaded from CIS or MSFT Compliance Tool
4. Force a policy update and restart a target
   server before running the analysis with policy analyzer

Question 2

What are best practices for hardening domain controllers?

Answer 2

• DCs should only run Active Directory Domain Services (AD DS) and DNS
  server roles.
• Use a Server Core installation for DCs and purchase hardware that supports
  Secure-Core if you’re hosting physical servers on-premises.
• Block the DC from connecting directly to the internet. Only allow exclusions for
  WSUS or Windows Update services if possible.
• Admins should only interact with DCs from known workstations, jump servers, or
  Bastion environments. This includes remoting tools such as PowerShell, Windows
  Admin Center, and MMCs.

Question 3

What is best practice for hardening other non-DC member servers?

Answer 3

• Only allow signed scripts to be executed.
• Restrict hosts that are allowed to perform administrative actions. Use safelists by IPs
  and only allow access from a PAW or other trusted device.
• Use PowerShell Just Enough Administration for remote administration with PowerShell.
• For remote management overWinRM, enableWinRMover HTTPS to encrypt data
  in transit using certificates.
• Avoid creating privileged accounts that have permission to perform multiple
  administrative functions when possible.

Question 4

What is the purpose of a “fine-grained password policy”

Answer 4

Some use cases include setting stronger password requirements for
administrator and service accounts or changing the account lockout thresholds for
DoS mitigations.

Question 5

Where are fine-grained password policies configured?

Answer 5

In Active Directory Administrative Center

Question 6

What can fine-grained password policies be applied to?

Answer 6

Can be applied directly to specific users or security groups.

Question 7

What are “user rights assignment”

Answer 7

Policies that define the ways a user or service can log on and interact
with a host locally.

Question 8

Where are user rights assignments configured?

Answer 8

Group policy

Computer Configuration > Windows Settings > Security Settings
> Local Policies > User Rights Assignment.

Question 9

What is best practice for securing/administering user rights assignments?

Answer 9

Refer to CIS benchmark

Question 10

How should PowerShell be secured?

Answer 10

Configure PowerShell logging; enable PowerShell constrained language mode; set PowerShell script execution to restricted/RemoteSigned/AllSigned; Enable JEA