Let’s face it, it’s hard to stay ahead of the cyber criminals, but here are some common ways of protecting (hardening) your Local Area Network (LAN). Many of these hardening suggestions are specifically for an on-prem Windows Server 2022 machine managed with Group Policy Management. They can be used for earlier Windows Server versions, but the settings locations may be different.
For those looking for standards, the Center for Internet Security (CIS) has an extensive library of PDFs outlining benchmark tasks for many software programs, and the National Institute of Standards and Technology (NIST) Special Publication 800-123 outlines steps for securing a server.
Windows Servers
- Enforce Password Policy – In a Group Policy Management object applied to all authenticated users, ‘Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy’, change these settings as necessary: ‘Enforce password history’, ‘Maximum password age’, ‘Minimum password age’, ‘Minimum password length’, and ‘Password must meet complexity requirements’.
- Enforce Account Lockout Policy – In a Group Policy Management object applied to all authenticated users, ‘Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy’, change these settings as necessary: ‘Account lockout duration’, ‘Account lockout threshold’, and ‘Reset account lockout counter’.
- Disable RDP – In Server Manager -> Local Server -> Remote Desktop -> click ‘Don’t allow remote connections to this computer’. If you need to access a server remotely for system administration, use a 3rd-party app, such as ConnectWise ScreenConnect, instead of RDP to sign in remotely. If you want to RDP into the server from the LAN but not from the WAN, leave remote connections enabled, but block port 3389 on your router.
- Do not use the domain ‘administrator’ account. Create a separate account with administrator privileges.
- Audit user accounts regularly and delete or disable those that are no longer needed.
- Set the screen to lock after minimal inactivity – Right-click anywhere on the desktop -> Personalize -> Lock screen -> Screen timeout settings and Screen save settings.
- Develop a process to immediately disable or restrict the domain account of any end user who is terminated.
- Disable TLS 1.0 and TLS 1.1.
- Turn on Memory Integrity – Windows Security -> Device Security -> Core isolation details -> Memory integrity.
- Back up the entire server (OS and data) – At least daily.
- Back up data files to the cloud as they change – This will require a 3rd-party vendor.
- Physical security – Server must be behind at least two locked doors.
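The following PowerShell script is an added example, not code from the original article. It checks the Default Domain password and lockout policy against illustrative thresholds, writes the SCHANNEL registry values that disable TLS 1.0 and TLS 1.1, and confirms that Memory Integrity (HVCI) is actually running. The threshold numbers are assumptions chosen for illustration (the article leaves the values to you); the registry paths and the Win32_DeviceGuard class are standard Windows locations. Run it as an administrator on a domain-joined server with the RSAT Active Directory module installed.

```powershell
# Added example (not from the original article): audit the domain password and
# lockout policy, disable TLS 1.0/1.1 in SCHANNEL, and verify Memory Integrity.
# Threshold values below are assumptions for illustration; adjust to your policy.

#Requires -RunAsAdministrator
Import-Module ActiveDirectory   # RSAT Active Directory PowerShell module

# --- 1. Password and lockout policy (Default Domain Policy) ---
$policy = Get-ADDefaultDomainPasswordPolicy

$checks = @(
    @{ Name = 'MinPasswordLength';     Actual = $policy.MinPasswordLength;            Ok = ($policy.MinPasswordLength -ge 14) }
    @{ Name = 'PasswordHistoryCount';  Actual = $policy.PasswordHistoryCount;         Ok = ($policy.PasswordHistoryCount -ge 24) }
    @{ Name = 'ComplexityEnabled';     Actual = $policy.ComplexityEnabled;            Ok = [bool]$policy.ComplexityEnabled }
    @{ Name = 'MaxPasswordAge (days)'; Actual = $policy.MaxPasswordAge.TotalDays;     Ok = ($policy.MaxPasswordAge.TotalDays -gt 0 -and $policy.MaxPasswordAge.TotalDays -le 365) }
    @{ Name = 'LockoutThreshold';      Actual = $policy.LockoutThreshold;             Ok = ($policy.LockoutThreshold -gt 0 -and $policy.LockoutThreshold -le 10) }
    @{ Name = 'LockoutDuration (min)'; Actual = $policy.LockoutDuration.TotalMinutes; Ok = ($policy.LockoutDuration.TotalMinutes -ge 15) }
)
foreach ($c in $checks) {
    $status = if ($c.Ok) { 'OK  ' } else { 'FAIL' }
    Write-Output ("[{0}] {1,-24} = {2}" -f $status, $c.Name, $c.Actual)
}

# --- 2. Disable TLS 1.0 and TLS 1.1 (client and server side) ---
# SCHANNEL reads these keys at boot, so a reboot is required afterwards.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $base "$proto\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled'           -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
        Write-Output "Disabled $proto ($side)"
    }
}

# --- 3. Confirm Memory Integrity (HVCI) is running ---
# SecurityServicesRunning contains 2 when Hypervisor-Enforced Code Integrity is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
if ($dg.SecurityServicesRunning -contains 2) {
    Write-Output 'Memory integrity: running'
} else {
    Write-Output 'Memory integrity: NOT running - enable it under Windows Security > Device Security > Core isolation'
}
```

The TLS change only takes effect after a reboot, and disabling the client-side protocols can break connections to older printers and appliances that speak nothing newer, so apply it to one server first and watch the System event log for SCHANNEL errors before rolling it out.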
End User Computers
- Disable RDP – In a Group Policy Management object applied to all authenticated users, disable ‘Allow users to connect remotely by using Remote Desktop Services’ in ‘Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections’.
- Disable PowerShell – In a Group Policy Management object applied to all authenticated users, disallow ‘C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe’ in ‘User Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules’.
- Enable viewing of file extensions in Explorer – In a Group Policy Management object applied to all authenticated users, uncheck ‘Hide extensions for known file types’ in ‘User Configuration > Preferences > Control Panel Settings > Folder Options’.
- Enable BitLocker on all computers, especially those that have a higher probability of theft, such as laptops.
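As an added example (not part of the original article), this read-only PowerShell check can be run on an end-user PC after the policies above have applied (for instance after `gpupdate /force`) to confirm that RDP is denied and nothing is listening on TCP 3389, that Explorer shows file extensions, and that the system drive is BitLocker-protected. It assumes it is run from an account the PowerShell software restriction rule does not cover (otherwise powershell.exe will not start) and with administrator rights for the BitLocker query; the registry paths are the standard Windows locations those policies write to.

```powershell
# Added example (not from the original article): read-only compliance check for
# an end-user PC. Run after 'gpupdate /force', elevated, from an account that
# the PowerShell software restriction rule does not apply to.

$results = [ordered]@{}

# 1. RDP. Setting 'Allow users to connect remotely by using Remote Desktop
#    Services' to Disabled writes fDenyTSConnections=1 under the Policies hive,
#    which overrides the local value under Terminal Server.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$policyVal = (Get-ItemProperty -Path $policyKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$localVal  = (Get-ItemProperty -Path $localKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$effective = if ($null -ne $policyVal) { $policyVal } else { $localVal }
$results['RDP denied (fDenyTSConnections=1)'] = ($effective -eq 1)

# 2. With RDP disabled, nothing should be listening on TCP 3389.
$listener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
$results['No listener on TCP 3389'] = ($null -eq $listener)

# 3. Explorer shows file extensions for the current user (HideFileExt = 0).
$adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -Name HideFileExt -ErrorAction SilentlyContinue
$results['File extensions shown (HideFileExt=0)'] = ($adv.HideFileExt -eq 0)

# 4. BitLocker protection is on and encryption has finished for the system drive.
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $results['BitLocker on system drive'] = ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted')
} catch {
    $results['BitLocker on system drive'] = $false   # cmdlet unavailable or not elevated
}

foreach ($name in $results.Keys) {
    $status = if ($results[$name]) { 'PASS' } else { 'FAIL' }
    Write-Output ("[{0}] {1}" -f $status, $name)
}
```

A FAIL on the RDP line while the policy key is present usually means the policy has not refreshed yet; a FAIL on the 3389 listener with RDP denied points at a different service bound to that port and is worth investigating before calling the machine compliant.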
Windows Servers and End User Computers
- Implement an EDR or XDR endpoint solution with real-time and scheduled scanning.
- Develop a process to perform timely Windows updates.
- Develop a process to perform timely driver and firmware updates.
Routers
- Disable RDP, FTP, and Telnet – Do not allow ports 3389 (RDP), 20 and 21 (FTP), or 23 (Telnet) through the router.
- Enroll in CISA’s free vulnerability scanning service.
- Develop a process to perform timely firmware and software/OS updates.
- Hire a 3rd party vendor to conduct penetration testing.
- Change default login credentials.
- Physical security – Router must be behind at least two locked doors.
- Back up configuration files after any changes.
Network
- Utilize VLANs to separate network traffic, such as Private vs Guest WiFi or staff vs lab computers.
- Secure your WiFi network(s) with WPA2 encryption at a minimum.
External DNS
Setting up SPF, DKIM, and DMARC properly helps ensure your emails are delivered rather than flagged as spam by recipient mail servers, especially when sending to multiple people at once.
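The PowerShell script below is an added example, not part of the original article. It queries the public TXT records that SPF, DKIM and DMARC rely on and flags the usual misconfigurations: a missing or duplicated SPF record, an SPF record with no terminating `all` mechanism, a DKIM record without a public key, and a DMARC policy still at `p=none` or without a reporting address. The domain `example.com` and the DKIM selector `selector1` are placeholders; the real selector comes from your mail provider.

```powershell
# Added example (not from the original article): check the DNS records behind
# SPF, DKIM and DMARC for a domain. Placeholders: replace with your own values.
$Domain       = 'example.com'   # placeholder domain
$DkimSelector = 'selector1'     # placeholder selector from your mail provider

function Get-TxtRecord {
    # Return the TXT strings at a name, following any CNAME, as whole strings.
    param([string]$Name)
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' }
    } catch { @() }
}

# --- SPF: exactly one v=spf1 record, ending in a fail-all mechanism ---
$spf = @(Get-TxtRecord $Domain | Where-Object { $_ -like 'v=spf1*' })
switch ($spf.Count) {
    0 { Write-Output 'SPF: MISSING' }
    1 {
        $mode = if     ($spf[0] -match '-all$')  { 'hard fail (-all)' }
                elseif ($spf[0] -match '~all$')  { 'soft fail (~all)' }
                elseif ($spf[0] -match '\?all$') { 'neutral (?all) - equivalent to no policy' }
                else                             { 'no all mechanism - record is ineffective' }
        Write-Output "SPF: $($spf[0])"
        Write-Output "SPF mode: $mode"
    }
    default { Write-Output "SPF: $($spf.Count) v=spf1 records found - more than one is invalid (RFC 7208)" }
}

# --- DKIM: selector record must carry a public key in the p= tag ---
$dkim = @(Get-TxtRecord "$DkimSelector._domainkey.$Domain")
if ($dkim.Count -eq 0) {
    Write-Output "DKIM: no record at $DkimSelector._domainkey.$Domain"
} elseif ($dkim[0] -match 'p=([A-Za-z0-9+/=]+)') {
    Write-Output "DKIM: public key present ($($Matches[1].Length) base64 chars)"
} else {
    Write-Output 'DKIM: record found but p= tag is empty - key has been revoked or never published'
}

# --- DMARC: policy and reporting address ---
$dmarc = @(Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })
if ($dmarc.Count -eq 0) {
    Write-Output 'DMARC: MISSING'
} else {
    $tags = @{}
    foreach ($pair in ($dmarc[0] -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    Write-Output "DMARC: $($dmarc[0])"
    Write-Output "DMARC policy: $($tags['p'])"
    if ($tags['p'] -eq 'none')       { Write-Output 'DMARC: p=none only monitors; move to quarantine or reject once reports look clean' }
    if (-not $tags.ContainsKey('rua')) { Write-Output 'DMARC: no rua= address, so aggregate reports will never arrive' }
}
```

Run it from any machine that can reach public DNS; because it only performs lookups, it is safe to schedule as a recurring check so that a record silently dropped during a DNS migration is noticed before mail starts landing in spam.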
Users
Provide periodic training that demonstrates the common methods used by criminals. This may include phishing simulations to help users identify suspicious activity.