question

lra-4650 asked DaisyZhou-MSFT answered

Windows Server Security Guide

Hello, I am currently configuring some security policies in Windows Server 2019 environments. However, the guide that I have as a reference has some policies or configurations that are not clear to me yet, and I hope that you can provide me with some suggestions here. I list them below.

Remove administrative privileges from the "Administrator or administrator" account. It will remain in the system, but without any privileges.

  • Access to a computer from the network: Delete the permissions of the "Everyone" group and add authenticated users.

  • Login on the local machine:
    o On workstations: Disable the "guest" user of the machine.
    o On servers: Delete the privileges for users, guests and remote access users through Terminal Server.
    o On a domain controller: Disable Terminal Server users via Internet.
    Verify that only administrative accounts can modify quotas, plan priorities, upload and download device drivers, use security audits and logs, modify the firmware environment, change the system performance profile, and take ownership of files and objects.

  • On a client: verify on all clients that only authenticated users can turn off the machine.

  • On a server: verify that only administrators can shut down the machine.
    This privilege should be removed from “Power users”, whenever possible.

Enable Windows options to use encryption for SMB communications.

Enable logon event auditing on all machines whose functionality is user authentication, for example, domain controllers.
Login accounts include user sessions and team sessions.

Configure Terminal Services to use Transport Layer Security (TLS) 1.0 to authenticate the server and encrypt communications. Change the default port of Terminal Server. Do not activate the Web Terminal Services service.

windows-group-policy

DaisyZhou-MSFT answered

Hello @lra-4650,

Thank you for posting here.

1. Would you please provide the link to your reference?
2. Based on "however the guide that I have as a reference, has some policies or configurations that I am not clear yet", did you mean that you cannot find the settings, that you cannot understand their meaning, or something else?

For example:

"Access to a computer from the network: Delete the permissions of the "Everyone" group and add authenticated users."
This is a GPO setting. By default it contains the Everyone group and authenticated users; you can delete the permissions of the "Everyone" group if needed.

"Login on the local machine:
On workstations: Disable the "guest" user of the machine."
If guest is not disabled, you can disable it if needed.




Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
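
A read-only way to confirm the two settings from the answer above after the GPO has applied, as an added example that is not part of the original thread: it exports the current User Rights Assignment with `secedit`, checks who holds "Access this computer from the network" (`SeNetworkAccessRight`), and reports whether the built-in Guest account is enabled. The function name `Get-UserRightHolders` is hypothetical; it assumes an elevated session on a member server or workstation (a domain controller has no local accounts for `Get-LocalUser` to return).

```powershell
# Added example (not from the thread): read-only check, run elevated.
$everyone  = '*S-1-1-0'    # well-known SID: Everyone
$authUsers = '*S-1-5-11'   # well-known SID: Authenticated Users

function Get-UserRightHolders {
    param([Parameter(Mandatory)][string]$Right)   # e.g. SeNetworkAccessRight
    $inf = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
    # Export only the User Rights Assignment area of the current policy.
    secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    try {
        $line = Get-Content -Path $inf |
            Where-Object { $_ -match "^$Right\s*=" } |
            Select-Object -First 1
        if (-not $line) { return }           # right is assigned to nobody
        # Line format: SeXxxRight = *S-1-1-0,*S-1-5-11,...
        ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() }
    }
    finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

$holders = @(Get-UserRightHolders -Right 'SeNetworkAccessRight')
# The built-in Guest account always has RID 501, even if it was renamed.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }

[pscustomobject]@{
    NetworkAccessHolders  = $holders -join ', '
    EveryoneStillListed   = $holders -contains $everyone
    AuthenticatedUsersSet = $holders -contains $authUsers
    GuestAccountName      = $guest.Name
    GuestEnabled          = $guest.Enabled
} | Format-List
```

The same function can be called with `SeShutdownPrivilege` or `SeInteractiveLogonRight` to review the shutdown and local logon rights listed in the question.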





DaisyZhou-MSFT answered

Hello @lra-4650,

Thank you for your update and accepting my reply as answer.

For "Configure Terminal Services to use Transport Layer Security (TLS) 1.0 to authenticate the server and encrypt communications. Change the default port of Terminal Server. Do not activate the Web Terminal Services service."

Configure Terminal Services to use Transport Layer Security (TLS) 1.0 to authenticate the server and encrypt communications.

Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security

Require use of specific security layer for remote (RDP) connections

Change the default port of Terminal Server
1. Start the registry editor. (Type regedit in the Search box.)
2. Navigate to the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
3. Find PortNumber
4. Click Edit > Modify, and then click Decimal.
5. Type the new port number, and then click OK.
6. Close the registry editor, and restart your computer.


Do not activate the Web Terminal Services service.
We don't know this, it seems that the version after w2012 is no longer used.




Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
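
To verify the result of the two RDP changes described in the answer above after the restart, here is an added example that is not part of the original thread: it reads `PortNumber` from the subkey named in the answer, resolves the effective `SecurityLayer`, and checks that something is listening on the configured port. The function names are hypothetical; the policy key `HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` is where the GPO setting named above is stored, and the values 0, 1, 2 correspond to its RDP, Negotiate and SSL options.

```powershell
# Added example (not from the thread): read-only audit of the RDP settings.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-RdpHardeningState {
    $layerNames = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
    $port = Get-RegValue -Path $rdpTcp -Name 'PortNumber'

    # A value written by Group Policy overrides the local listener setting.
    $layer  = Get-RegValue -Path $policy -Name 'SecurityLayer'
    $source = 'Group Policy'
    if ($null -eq $layer) {
        $layer  = Get-RegValue -Path $rdpTcp -Name 'SecurityLayer'
        $source = 'local listener'
    }
    $layerName = 'not set'
    if ($null -ne $layer) { $layerName = $layerNames[[int]$layer] }

    # After the restart the service should listen on the configured port.
    $listening = $false
    if ($port) {
        $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port `
                                -ErrorAction SilentlyContinue)
    }

    [pscustomobject]@{
        PortNumber        = $port
        PortIsDefault     = ($port -eq 3389)
        ListeningOnPort   = $listening
        SecurityLayer     = $layer
        SecurityLayerName = $layerName
        SecurityLayerFrom = $source
        TlsRequired       = ($layer -eq 2)
    }
}

Get-RdpHardeningState | Format-List
```

A changed `PortNumber` also needs an inbound firewall rule for the new port; otherwise the listener is up but unreachable from the network.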



lra-4650 answered lra-4650 published

Thanks for all.


DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello @lra-4650,
Thank you for your update.

As I mentioned above, would you please provide the link to your reference?

I am an engineer on the AD DS team. Because some policies/settings may not be related to AD, I will explain all the policies/settings related to AD.

After that, I will check whether the other policies/settings are related to other topics; you may need to ask engineers from another team by opening a new post and selecting a corresponding tag.

I need the link to your reference to check whether the policies/settings are related to AD or not.


Should you have any question or concern, please feel free to let us know.



Best Regards,
Daisy Zhou


============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


lra-4650 answered

Regarding this policy, I am not clear about its operation since it is very general. And I have no idea how to configure it, if applicable.

  • Configure Terminal Services to use Transport Layer Security (TLS) 1.0 to authenticate the server and encrypt communications. Change the default port of Terminal Server. Do not activate the Web Terminal Services service.

Like the ones I mentioned above, I don't understand them either. In the same way I will mention them again.

  On servers: Delete the privileges for users, guests and remote access users through Terminal Server.

 o On a domain controller: Disable Terminal Server users via Internet.

 Verify that only administrative accounts can modify quotas, plan priorities, upload and download device drivers, use security audits and logs, modify the firmware environment, change the system performance profile, and take ownership of files and objects.

 On a client: verify on all clients that only authenticated users can turn off the machine.

 On a server: verify that only administrators can shut down the machine.
 This privilege should be removed from “Power users”, whenever possible.

Enable Windows options to use encryption for SMB communications.

Enable logon event auditing on all machines whose functionality is user authentication, for example, domain controllers.
Login accounts include user sessions and team sessions.

I also have questions about other policies, can I consult them here? Or should I ask a new question in the forum?

For the other two policies that you sent me the images, I already applied them, thank you very much.

