Source: CSO Magazine On:
Security in the cloud is just as vital as security in on-premises environments. Hardening a system is a way to protect it by limiting potential weaknesses that make systems vulnerable to cyber attacks. There are hundreds of recommendations that need to be implemented to secure any one technology. Applying them manually will give your team a great look at everything that goes into detailed configuration security – but it can take hours of review. With pre-configured cloud images, however, secure settings are already in place.
Let’s focus on a few suggested security configuration guidelines of the CIS Benchmarks™ for Microsoft Windows Server 2016 and highlight how to speed that process by working in the cloud. Below are five security recommendations for Windows Server 2016, derived from the consensus-developed CIS Benchmarks.
1. Disconnect After Hours
Your organization’s workforce probably adheres to a specific work schedule. And even though operating cloud-based systems means you can theoretically work from anywhere (and at any time), it’s unlikely most employees would need to log on at 2:00 a.m.
Microsoft Windows Server 2016 can be configured to have set logon hours when users can work and automatically force logoff outside those hours. Of course, hours can be adjusted for those who work the night shift!
2. Implement a Firewall
The benefits of firewalls for preventing unauthorized users from accessing networks are well known – they keep unauthorized users away and stop the activity of malware that might attempt to retrieve data. The CIS Benchmark for Microsoft Windows Server 2016 reminds you that the firewall should be turned on – along with nine other recommendations for firewall configuration that include connections, display notifications, and logging.
3. Driver Installation for Printers
Consider whether users need to install their own shared printer drivers. Trojan horse programs can masquerade as printer drivers and spread problems throughout the server if installed. Limiting installation of shared printer drivers might be better suited to Administrators only.
4. Set an Account Lockout Duration
Between today’s complicated password requirements and the likelihood of typos, it’s certainly possible for a user to have several incorrect password attempts. Unfortunately, it’s not always easy to tell the difference between a struggling user and a malicious actor attempting to gain entry to an account by guessing passwords.
Setting an account lockout duration can help prevent a malicious attempt at breaking into an account by reducing the number of password attempts in a given time period. One caveat – a longer lockout period doesn’t necessarily mean better security; it could equal more calls to the help desk to unlock a frustrated employee’s account.
5. Audit Logon Attempts
Speaking of account lockouts, it’s important to keep track of them by setting the system to report when a user’s account is locked out as a result of too many failed logon attempts. Auditing these events may be useful when investigating a security incident. You can achieve this in Microsoft Windows Server 2016 by setting the “Audit Logon” configuration to “Success & Failure.”
Ways to Secure Systems
Applying the necessary steps to secure your systems is a solid approach to protect against cyber threats. Outlined above are just a few of the steps recommended to harden a system. CIS works with a global community of cybersecurity experts to develop configuration guidelines called CIS Benchmarks. They are available three ways to help secure systems:
- Manually apply the security recommendations for Microsoft Windows Server using the free CIS Benchmark PDFs.
- Obtain CIS SecureSuite Membership to leverage CIS-CAT Pro Assessor to assess system conformance, download CIS Benchmarks in additional formats (i.e., Excel, Word, XML), access Build Kits to apply secure configurations directly to select systems, and reassess to monitor compliance over time.
- Launch CIS Hardened Images – available in the cloud and preconfigured to meet CIS Benchmark recommendations†. CIS Hardened Images make running secure operations on cloud infrastructure fast, easy, and affordable.
† Due to cloud provider restrictions, 11 CIS Benchmark recommendations are not applied to the CIS Benchmark Hardened Image for Microsoft Windows Server 2016; the remaining 286 secure configuration settings are applied.
Hear what others have to say about CIS Hardened Images.
About the Author
Product Owner, CIS Hardened Images™
Gregory Carpenter is currently the Product Owner for CIS Hardened Images™. Throughout his career at CIS® (Center for Internet Security, Inc.), Greg has excelled at communication and product support both with CIS SecureSuite® Members and the CIS Benchmarks™ communities to help organizations strengthen their cybersecurity strategy. In his current role as Product Owner, Greg focuses on cloud cybersecurity products such as the CIS Hardened Images and strategy for the global community. His previous experiences include over 15 years as a Datacenter System Administrator for the Division of Military and Naval Affairs and Knolls Atomic Power Laboratory. Greg has also contributed on the CIS VMware ESXi 6.5 Benchmark and the CIS Controls™ – Implementing the CIS Controls in the Cloud. When his head is not in the cloud (pun intended), he enjoys ice hockey, lacrosse and biking.