DEV Community

Hejun Wong

Securing Windows Server 2019

This is my first blog post. I guess one of the best ways to learn fast is by writing and sharing.

Today's post focuses on securing Windows Server 2019. I'm a developer, not a server guy, but in my role I'm exposed to the setup, configuration and patching of servers. To allow us to perform patching/maintenance as and when we like, we need a cluster of servers to achieve High Availability (HA). There are many ways to harden these servers, and the method we have chosen is to enforce group policies (GPOs) from the Domain Controller(s). Security policies are set centrally and propagated down to servers within the same domain.

The Center for Internet Security (CIS) publishes guidelines for securing both Windows and Linux servers. They are broadly categorized into Level 1 (L1) and Level 2 (L2). You can view L1 as baseline security and L2 as in-depth security where security is a must-have. There are thousands of policies which can be applied to help harden the servers. To do this efficiently, it is best to download the CIS-CAT scanner (there is a free "lite" version available!) and run it on your server. The scanner compares your server's configuration against the CIS Benchmarks.

With the scanning results, we can quickly decide which GPOs to apply to reduce the attack surface. However, don't do this blindly: it may break your app. It is always about striking a prudent balance between functionality and security. Don't take unnecessary risks, but a no-risk approach is a no-go as well.
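To see which settings a GPO change actually moved on a server, you can snapshot the security policy before and after linking the GPO. The script below is an added example, not part of the original post and not a CIS tool: it exports the policy with `secedit`, checks a handful of account-policy settings, and saves the result as CSV for diffing. The function names and the threshold values are constructed for illustration; take the real values from the CIS Benchmark version you target.

```powershell
# Added example. Thresholds are constructed placeholders, not quoted from a CIS
# Benchmark; replace them with the values from the benchmark version you target.
$Baseline = [ordered]@{
    MinimumPasswordLength = @{ Want = '>= 14'; Test = { param($v) [int]$v -ge 14 } }
    PasswordHistorySize   = @{ Want = '>= 24'; Test = { param($v) [int]$v -ge 24 } }
    PasswordComplexity    = @{ Want = '1';     Test = { param($v) [int]$v -eq 1 } }
    ClearTextPassword     = @{ Want = '0';     Test = { param($v) [int]$v -eq 0 } }
    # 0 means "never lock out", so a plain "<= 5" test would wrongly pass it.
    LockoutBadCount       = @{ Want = '1..5';  Test = { param($v) [int]$v -ge 1 -and [int]$v -le 5 } }
}

function Get-SecurityPolicy {
    # Export the machine's security settings to an INF file (needs an elevated prompt).
    $tmp = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    secedit.exe /export /cfg $tmp /areas SECURITYPOLICY /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
    $policy = @{}
    foreach ($line in Get-Content -Path $tmp) {
        # Keep "Name = value" pairs; section headers and registry paths do not match.
        if ($line -match '^(\w+)\s*=\s*(.+)$') { $policy[$Matches[1]] = $Matches[2].Trim() }
    }
    Remove-Item -Path $tmp -Force
    return $policy
}

function Compare-PolicyToBaseline {
    param([hashtable]$Policy, $Baseline)
    foreach ($name in $Baseline.Keys) {
        $actual = $Policy[$name]
        $test   = $Baseline[$name].Test
        # A setting missing from the export is reported as non-compliant.
        $ok = ($null -ne $actual) -and (& $test $actual)
        [pscustomobject]@{
            Setting = $name; Expected = $Baseline[$name].Want
            Actual = $actual; Compliant = [bool]$ok
        }
    }
}

$report = Compare-PolicyToBaseline -Policy (Get-SecurityPolicy) -Baseline $Baseline
$report | Format-Table -AutoSize
# Save a snapshot so the run before a GPO change can be diffed against the run after it.
$report | Export-Csv -Path ".\policy-$(Get-Date -Format yyyyMMdd-HHmmss).csv" -NoTypeInformation
```

Run it once on a test server before linking the GPO and again after `gpupdate /force`; the two CSV files show exactly which settings changed, which narrows the search if the app stops working.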

CIS has worked with the various cloud providers (AWS, Azure etc.), and users can now spin up pre-configured, CIS-hardened VMs. This saves us a huge amount of time and effort hardening the VMs, allowing us to sleep peacefully at night.

I'm new to this and would like to learn more about administering group policies efficiently. Are there templates available for download?

Top comments (1)

Hejun Wong

Oh wow, file role is totally new to me but it sounds amazing. Definitely gonna check it out! Thanks Jorge!