We live in increasingly risky times. The services we use are getting more and more interconnected, and every day, there are more attackers out there using increasingly better tools to exploit even the slightest weakness. That’s why it’s important to stay alert and remain vigilant at all times when it comes to system security.
Regardless of how unimportant it might seem, there is no system, service or machine that can’t be exploited by attackers to compromise your operations.
Whatever systems or services you have, the most important thing is to make sure that they’re as secure as they can possibly be. So, in this article, we’re going to take a look at five security measures for Windows Server 2022 that should help ensure that you’re adequately protected.
NOTE: Even though this article focuses on Windows Server 2022, in reality, these tips apply just as much to other versions of Windows or even GNU/Linux systems. The exact mechanisms may be different, but the principles will be the same.
However, there is a running theme throughout all of these tips. It basically all comes down to taking your time and doing some proper planning. If you do this, you’ll save yourself a lot of trouble further down the road.
5 Security Measures for Windows Server 2022
So, without further ado, here are five key security measures that you should take when setting up your server infrastructure, whether it’s Windows Server 2022 or otherwise:
1. Minimise the attack surface: Only install the services and roles that you need.
2. Take your time when configuring the Windows firewall.
3. Keep everything updated.
4. Have a service continuity plan.
5. Schedule system audits on a regular basis.
Minimise the attack surface: Only install the services and roles that you need
One of the wonderful things about the Spanish language (our offices are based in Madrid) is that we have a wealth of sayings and idioms. In fact, I don’t think it would be any exaggeration to say that we have way more than the English language, and the other great thing is that many of them can still be used in relation to the modern world and new technology.
One saying that comes to mind when thinking about IT security is, “The nail that sticks out gets hammered down”. In other words, there’s no better way to put your infrastructure at risk than by installing programs, services and roles that you have no intention of using.
Whenever setting up a server, it’s very important to know what it is for. Once you know that, you can start installing the roles and services you need.
If you haven’t thought about this first, the most likely thing is that you’ll end up deploying a whole range of services and just increasing the attack surface where potential hackers can gain access to your systems.
Each service, role or program that you install will open ports, which will, in turn, be listening for external requests; this is where an attacker could get in.
Another important thing to bear in mind is that certain services, such as Active Directory Domain Services (AD DS), should be installed on more than one server to create some redundancy in the system. This will help prevent service failures. So, you should deploy various servers or a cluster for services like DNS, DHCP, printing, etc.
Another thing to bear in mind is that, with the increase in virtualisation, and even container-based virtualisation, it’s much easier to deploy different servers to isolate services and minimise the impact if one of them is compromised.
Take your time when configuring the Windows firewall
Once you’ve deployed all the services you need to support your IT infrastructure, it’s time to turn your attention to the Windows firewall.
First of all, if you think that having a perimeter firewall is more than enough, you couldn’t be more wrong. In a world as complex as this one, with an increasing number of threats and attackers ready to exploit the slightest oversight, you need to make sure that every single element of your infrastructure is appropriately protected.
This means investing time in reviewing each server, making a list of the services that it provides and blocking everything else. And yes, you should be adopting a block-by-default policy, then open the ports you need.
And be very careful with this last point! When we say “open the ports you need”, we don’t mean all the ports for a service that you need; we really mean just the ports you need.
A good example of this is Microsoft SQL Server. It uses countless ports depending on what it’s set up to do. For example, there’s no need to open the ports linked to Analysis Services if you’re not going to deploy that feature.
NOTE: If you’d like to learn more about the ports used by SQL Server, check out this article: Managing SQL Ports on Your Windows Server.
However, now that we’ve told you all this, you might be starting to think about how long this is going to take, deploying firewalls for your entire infrastructure and making sure that each one of them is correctly configured.
If that’s the case, we recommend that you read our article How to Configure Firewalls Using GPO, where we explain how you can use Group Policy Objects (GPO) to deploy your firewall configurations. With GPOs, you can group similar elements, such as client devices, web servers, domain controllers, database servers, etc., and that way have more control over your firewall settings.
Keep everything updated
Another critical part of IT security is keeping everything updated, and this applies to quite a few different aspects:
- You need to keep your operating systems up to date but only apply the latest update once you’re sure that it doesn’t pose a risk to your systems.
- You need to keep your services, roles and applications up to date, just like your operating system.
- You need to keep yourself up to date by checking the news and setting aside time each week to review forums, specialist websites, security newsletters, etc.
- You need to keep yourself up to date and learn new ways of managing IT systems. For example, you could spend more time learning about PowerShell and process automation to save time on repetitive tasks and spend it on more important things, like making improvements.
When it comes to updating your operating systems and services, it’s worth investing a little in deploying a test environment or “pilot” environment. That way, you can try out updates first before you put them into production.
As for managing updates, there are many different options depending on the budget you have available.
For example, there’s System Center, which has been out for many years, and some of you may already be very familiar with it. Older versions include System Center Configuration Manager. However, this has now migrated to the cloud. SCCM, as it’s commonly known amongst “wintel” administrators, has been enormously useful over the years for those people who have a big enough budget. The only drawback is that you need to invest a fair amount of time at the beginning deploying and tuning your infrastructure.
NOTE: Currently, Microsoft Endpoint Configuration Manager is available as a natural substitute for this software.
However, there are many other options on the market, like MDM, for deploying, updating and controlling devices, but they all need a decent investment of both money and time.
For those of you who don’t have a huge budget, there’s always WSUS (Windows Server Update Services), the Microsoft update manager that can be used to create different profiles for servers and clients and only deliver the packages that are relevant for each profile.
Plan your service continuity
The next important security measure is to have a robust plan to maintain the continuity of your service and, thus, your business. But don’t worry; there’s no need to implement ISO/IEC-22301 (the international standard for Business Continuity Management Systems) in its entirety. In reality, this tends to be more of a seal of quality and formal compliance than an actual continuity measure.
A decent service continuity plan starts with common sense, and that means applying technical measures and the right procedures to ensure that your business can survive any potential incident.
First, you need to think about training. That’s not just for you and your team but staff in other departments too.
Every member of staff should have at least a certain level of knowledge and training about security and how to use business services correctly in order to avoid incidents or small errors that could compromise security, such as falling for phishing scams, social engineering, etc.
The next step is something that I’m almost embarrassed to talk about because it should already be obvious. However, it’s often overlooked: backup. All your services and servers should be backed up, especially critical ones, which should have multiple copies that are made more frequently and retained for longer.
It’s also important not to forget about certain key users in the business whose work is vital for the company to function. For example, in some businesses, the salary management system is entirely dispensable. If it fails, it’ll be quite inconvenient, but not the end of the world. However, in other businesses, this function is absolutely vital, and a systems failure would bring the whole company to a standstill. So, your backup policy should certainly reflect the needs of your business, not the other way around.
At Jotelulu, we have scheduled backups by default for all servers deployed for customers, as you can read here on the Infrastructure and Security page.
Lastly, when it comes to backups and server clusters, wherever possible, you should keep them outside the business in a remote location and, if possible, outsource one or more copies to an external provider.
Schedule system audits on a regular basis
Lastly, we believe that a regular audit of your system will help enormously to keep your infrastructure under control.
However, we’re not going to talk any more about this topic because we’ll be dedicating an entire article to it very soon on our blog.
Summary
In this article, we’ve looked at some key measures that you should adopt to keep Windows Server 2022 (0r any other version) secure against threats. Everything here is valid for other systems too, whether on-premises or on the cloud.
Every one of the points covered here will make your infrastructure more secure. But, as we said at the beginning, they all follow a common theme, which is to ensure that you take your take and do some correct planning upfront. This will help protect you against the majority of the vulnerabilities or deployment errors that could arise.
We’ve aimed to keep this article brief because we don’t want to completely bore our readers to death. But there are many other things that we will talk about in a future post, and of course, it’s worth mentioning the importance of account security and user passwords.
With these tips, we’re sure that you’ll be able to greatly improve the security of your systems, but we encourage you to do your own research and really dedicate yourself to the topic to keep your business safe.
Thanks for reading!
