Windows Server Security Guide

lra 86 Reputation points
2021-04-28T16:28:02.917+00:00

Hello, I am currently configuring some security policies in Windows Server 2019 environments; however, the guide that I have as a reference has some policies or configurations that I am not yet clear about, and I hope that here you can provide me with some suggestions. I list them below.

Remove administrative privileges from the "Administrator or administrator" account. It will remain in the system, but without any privileges.

  • Access to a computer from the network: Delete the permissions of the "Everyone" group and add authenticated users.
  • Login on the local machine:
    o On workstations: Disable the "guest" user of the machine.
    o On servers: Delete the privileges for users, guests and remote access users through Terminal Server.
    o On a domain controller: Disable Terminal Server users via Internet.
  • Verify that only administrative accounts can modify quotas, plan priorities, upload and download device drivers, use security audits and logs, modify the firmware environment, change the system performance profile, and take ownership of files and objects.
  • On a client: verify on all clients that only authenticated users can turn off the machine.
  • On a server: verify that only administrators can shut down the machine. This privilege should be removed from "Power users", whenever possible.

Enable Windows options to use encryption for SMB communications.

Enable logon event auditing on all machines whose functionality is user authentication, for example, domain controllers.
Login accounts include user sessions and team sessions.

Configure Terminal Services to use Transport Layer Security (TLS) 1.0 to authenticate the server and encrypt communications. Change the default port of Terminal Server. Do not activate the Web Terminal Services service.


Accepted answer
  1. Daisy Zhou 18,706 Reputation points Microsoft Vendor
    2021-04-29T02:38:32.643+00:00

    Hello @lra ,

    Thank you for posting here.

    1. Would you please provide us with the link to your reference?
    2. Based on "however the guide that I have as a reference has some policies or configurations that I am not clear yet", did you mean that you cannot find the settings, that you cannot understand their meaning, or something else?

    For example:

    Access to a computer from the network: Delete the permissions of the "Everyone" group and add authenticated users.
    GPO setting: by default it contains the Everyone group and Authenticated Users; you can remove the "Everyone" group if needed.
    92459-acc1.png

    Login on the local machine:
    On workstations: Disable the "guest" user of the machine.
    If Guest is not disabled, you can disable it if needed.

    92460-acc2.png

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

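The accepted answer shows two of the items (the network logon right and the Guest account) as GPO screenshots. The following PowerShell script is an added example, not part of the original thread, that verifies the whole "verify that only ..." block of the questioner's guide on the local machine: it exports the effective user-rights assignments with `secedit`, compares each right against an allowed set of principals, and then checks the Guest account, SMB encryption and logon auditing. The mapping from the guide's wording to privilege constants and the allowed principals per right are my assumptions and a baseline to adjust, not something the page states; default Windows assignments also include some service SIDs (for example for memory quotas and performance profiling), so treat the report as a review list, not an auto-fix.

```powershell
# Added example (not from the original thread). Run in an elevated PowerShell
# on the machine being audited; it only reads settings and writes nothing.
# Assumptions (mine): allowed principals below are a baseline you adjust.

$SID = @{                               # well-known SIDs used in the checks
    Everyone = 'S-1-1-0'; AuthenticatedUsers = 'S-1-5-11'
    Administrators = 'S-1-5-32-544'; LocalService = 'S-1-5-19'; NetworkService = 'S-1-5-20'
}

# Right / privilege -> principals allowed to hold it (mapped from the guide's wording).
$Expected = @{
    SeNetworkLogonRight             = @($SID.Administrators, $SID.AuthenticatedUsers) # access from network: no Everyone
    SeRemoteInteractiveLogonRight   = @($SID.Administrators)   # log on through Remote Desktop Services
    SeShutdownPrivilege             = @($SID.Administrators)   # shut down the system (server: admins only)
    SeIncreaseQuotaPrivilege        = @($SID.Administrators, $SID.LocalService, $SID.NetworkService) # memory quotas
    SeIncreaseBasePriorityPrivilege = @($SID.Administrators)   # scheduling priority
    SeLoadDriverPrivilege           = @($SID.Administrators)   # load and unload device drivers
    SeSecurityPrivilege             = @($SID.Administrators)   # manage auditing and security log
    SeSystemEnvironmentPrivilege    = @($SID.Administrators)   # modify firmware environment values
    SeSystemProfilePrivilege        = @($SID.Administrators)   # profile system performance
    SeTakeOwnershipPrivilege        = @($SID.Administrators)   # take ownership of files or other objects
}

function Resolve-Principal([string]$Id) {
    # Turn a SID into DOMAIN\Name for the report; fall back to the raw value.
    if ($Id -notmatch '^S-1-') { return $Id }
    try { (New-Object System.Security.Principal.SecurityIdentifier $Id).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Id }
}

# 1. Export the effective user-rights assignments and parse the [Privilege Rights] section.
#    Lines look like: SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-11
#    A right held by nobody simply does not appear in the export.
$inf = Join-Path $env:TEMP 'rights-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
}
Remove-Item $inf -Force

$findings = @(foreach ($right in $Expected.Keys) {
    foreach ($holder in @($rights[$right])) {
        if ($Expected[$right] -notcontains $holder) {
            [pscustomobject]@{ Check = $right; Value = (Resolve-Principal $holder); Status = 'UNEXPECTED HOLDER' }
        }
    }
})

# 2. Built-in Guest (always RID 501) must be disabled. Get-LocalUser fails on a
#    domain controller (no local SAM), which is itself fine to report.
try {
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    $findings += [pscustomobject]@{ Check = 'Guest account'; Value = $guest.Name
                                    Status = if ($guest.Enabled) { 'ENABLED' } else { 'OK' } }
} catch { $findings += [pscustomobject]@{ Check = 'Guest account'; Value = 'n/a (no local SAM)'; Status = 'OK' } }

# 3. SMB encryption for all shares served by this machine.
$smb = Get-SmbServerConfiguration
$findings += [pscustomobject]@{ Check = 'SMB EncryptData'; Value = $smb.EncryptData
                                Status = if ($smb.EncryptData) { 'OK' } else { 'DISABLED' } }

# 4. Logon auditing. "Logon" covers interactive/network sessions on any machine;
#    "Credential Validation" is the one that matters on an authenticating server such as a DC.
foreach ($sub in 'Logon', 'Credential Validation') {
    $row = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'
    $findings += [pscustomobject]@{ Check = "Audit: $sub"; Value = $setting
                                    Status = if ($setting -eq 'Success and Failure') { 'OK' } else { 'REVIEW' } }
}

$findings | Format-Table -AutoSize
```

Run it before and after applying the GPO (after `gpupdate /force`) and keep the two reports; a holder such as `Everyone` on `SeNetworkLogonRight` or a `Remote Desktop Users` entry on `SeRemoteInteractiveLogonRight` on a server is exactly the kind of line the guide asks you to remove.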

4 additional answers

Sort by: Most helpful
  1. lra 86 Reputation points
    2021-04-30T00:37:02.287+00:00

    Regarding this policy, I am not clear about how it works, since it is very general, and I have no idea how to configure it, if applicable.

    • Configure Terminal Services to use Transport Layer Security (TLS) 1.0 to authenticate the server and encrypt communications. Change the default port of Terminal Server. Do not activate the Web Terminal Services service.

    Like the ones I mentioned above, I don't understand these either, so I will mention them again:

    • On servers: Delete the privileges for users, guests and remote access users through Terminal Server.
    • On a domain controller: Disable Terminal Server users via Internet.
    • Verify that only administrative accounts can modify quotas, plan priorities, upload and download device drivers, use security audits and logs, modify the firmware environment, change the system performance profile, and take ownership of files and objects.
    • On a client: verify on all clients that only authenticated users can turn off the machine.
    • On a server: verify that only administrators can shut down the machine. This privilege should be removed from "Power users", whenever possible.
    • Enable Windows options to use encryption for SMB communications.
    • Enable logon event auditing on all machines whose functionality is user authentication, for example, domain controllers. Login accounts include user sessions and team sessions.

    I also have questions about other policies, can I consult them here? Or should I ask a new question in the forum?

    For the other two policies that you sent me the images, I already applied them, thank you very much.


  2. Daisy Zhou 18,706 Reputation points Microsoft Vendor
    2021-04-30T07:05:54.22+00:00

    Hello @lra ,
    Thank you for your update.

    As I mentioned above, would you please provide us with the link to your reference?

    I am an engineer on the AD DS team; because some policies/settings may not be related to AD, I will explain all the policies/settings that are related to AD.

    After that, I will check whether the other policies/settings relate to other topics; for those you may need to ask engineers from another team by opening a new post and selecting the corresponding tag.

    I need the link to your reference to tell whether the policies/settings are related to AD or not.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


  3. lra 86 Reputation points
    2021-05-03T14:05:30.043+00:00

    Thanks for everything.


  4. Daisy Zhou 18,706 Reputation points Microsoft Vendor
    2021-05-06T03:21:20.657+00:00

    Hello @lra ,

    Thank you for your update and accepting my reply as answer.

    For "Configure Terminal Services to use Transport Layer Security (TLS) 1.0 to authenticate the server and encrypt communications. Change the default port of Terminal Server. Do not activate the Web Terminal Services service."

    Configure Terminal Services to use Transport Layer Security (TLS) 1.0 to authenticate the server and encrypt communications.

    Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security

    Require use of specific security layer for remote (RDP) connections
    94243-rds1.png

    Change the default port of Terminal Server
    Start the registry editor. (Type regedit in the Search box.)
    Navigate to the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    Find PortNumber
    Click Edit > Modify, and then click Decimal.
    Type the new port number, and then click OK.
    Close the registry editor, and restart your computer.

    94186-rds2.png

    Do not activate the Web Terminal Services service.
    We don't know this one; it seems that in versions after Windows Server 2012 it is no longer used.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

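The answer above gives the GPO path for the security layer and the regedit steps for the port. As an added example that is not part of the original thread, the script below does the same three items from PowerShell and then reads back the effective listener settings: it writes the registry values behind the "Require use of specific security layer" policy (SecurityLayer 0 = RDP, 1 = Negotiate, 2 = SSL/TLS) and the companion NLA policy, changes `PortNumber` and opens the new port in the firewall, and removes the RD Web Access role service, which is the current name of what older guides call TS Web Access (Terminal Services Web Access). Two caveats from the "TLS 1.0" wording: "SSL (TLS 1.0)" is the historical label of that policy option, and the TLS version the listener actually negotiates follows the Schannel protocol settings, so the script also disables TLS 1.0 as a server protocol in Schannel (my addition, assuming no legacy clients need it); and the listener authenticates with a self-signed certificate by default, so "authenticate the server" only means something once a CA-issued certificate is bound to the listener. The port number 3390 and the Domain firewall profile are assumptions to replace with your own.

```powershell
# Added example (not from the original thread). Run elevated on the RD Session Host.
# Assumptions (mine): default RDP-Tcp listener, port 3390 free, Domain firewall profile.
$NewPort = 3390

# 1. Security layer + NLA: the registry values behind the two GPO settings under
#    Remote Desktop Session Host\Security. SecurityLayer: 0 = RDP, 1 = Negotiate, 2 = SSL/TLS.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $pol -Force | Out-Null
Set-ItemProperty -Path $pol -Name SecurityLayer      -Value 2 -Type DWord
Set-ItemProperty -Path $pol -Name UserAuthentication -Value 1 -Type DWord   # require NLA

# The TLS version negotiated follows Schannel, not the policy label. Disable TLS 1.0
# as a server protocol so the listener cannot fall back to it (assumption: no legacy clients).
$tls10 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'
New-Item -Path $tls10 -Force | Out-Null
Set-ItemProperty -Path $tls10 -Name Enabled           -Value 0 -Type DWord
Set-ItemProperty -Path $tls10 -Name DisabledByDefault -Value 1 -Type DWord

# 2. Listener port: the same value the regedit steps above modify, plus a firewall rule.
#    The built-in "Remote Desktop" rules stay bound to 3389; disable them after confirming access.
$ws = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$oldPort = (Get-ItemProperty -Path $ws -Name PortNumber).PortNumber
Set-ItemProperty -Path $ws -Name PortNumber -Value $NewPort -Type DWord
New-NetFirewallRule -DisplayName "Remote Desktop (TCP $NewPort)" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -Action Allow -Profile Domain | Out-Null

# 3. Web front end: RD Web Access (formerly TS Web Access) must not be installed.
$web = Get-WindowsFeature -Name RDS-Web-Access
if ($web.Installed) { Uninstall-WindowsFeature -Name RDS-Web-Access | Out-Null }

# 4. Restart the listener so the port change takes effect (this drops active RDP sessions;
#    a reboot, as in the answer above, does the same), then read back the effective settings.
Restart-Service TermService -Force
$ts = Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
[pscustomobject]@{
    OldPort          = $oldPort
    PortNumber       = (Get-ItemProperty -Path $ws -Name PortNumber).PortNumber
    SecurityLayer    = $ts.SecurityLayer               # expect 2 (SSL/TLS)
    NLARequired      = $ts.UserAuthenticationRequired  # expect 1
    CertThumbprint   = $ts.SSLCertificateSHA1Hash      # self-signed unless you bound a CA cert
    WebAccessPresent = (Get-WindowsFeature -Name RDS-Web-Access).Installed
} | Format-List
```

Before running it from an RDP session, have console or out-of-band access ready: the port change and the service restart disconnect you, and if the firewall rule is wrong you will not get back in on either port.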