How do you deploy your Windows Server images? If you are anything like the majority of IT teams out there, you download the latest ISO from the Microsoft website, or maybe even use one you downloaded in the past. Then, post-install, you spend a couple of hours applying all the patches which have been released since.
At least you have patched all those security vulnerabilities... right?
Well, according to the CIS (Center for Internet Security), you still have 270 or more vulnerabilities to deal with, by way of the default configuration applied by a standard Windows Server 2016 build.
Who are CIS and What are their Benchmarks?
The Center for Internet Security, often abbreviated as CIS, is a non-profit organisation set up in 2000 to identify and develop IT security best practices.
One of their key areas of focus, and what has arguably brought the vast majority of their fame, is their creation of benchmarking documents for everything from operating systems to applications and network devices.
CIS produces pages and pages of recommendations for configuring such assets, to ensure they have the smallest risk surface for breach and exploitation. One such example is Microsoft Windows Server 2016, which currently has a list of over 270 items which CIS recommends changing in the default build.
What is so Wrong with Windows Server 2016?
It wouldn't be correct to describe Microsoft Server 2016 as a bad release or wholly vulnerable in general. It is in fact a very popular version of the Microsoft server operating system family, which is widely used today.
Instead, it would be more appropriate to say that in environments where security is a focus, or where there is a heightened risk of breach, it would be sensible to harden the operating system build to reduce that risk.
CIS provides a full breakdown of their benchmark for Microsoft Windows Server here. But as a summary, it highlights five key areas to be aware of:
- Set permitted logon hours and automated log-off actions after periods of inactivity.
- Turn on the local firewall and use it - how many of us turn this off as a first action?
- Prevent driver installations from all but administrators.
- Set account lockouts for a string of failed authentication events.
- Collect logs for authentication passes and failures.
How Can I Test My Servers for these Vulnerabilities?
CIS produces huge documents detailing which configuration vulnerabilities exist and how to correct them, with some documents running to hundreds of pages.
If you have the time, you of course could read through them and make the appropriate changes.
But who does?
Instead, consider using an automated tool for evaluating your servers, network devices and applications against the CIS benchmarks. Solutions such as NNT's Change Tracker can do just this in minutes, providing you with an easy-to-consume report.
It can even provide you with scripts and group policy objects in order to automate the re-configuration of those assets, to make them more compliant.
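To show what such an automated check does, here is an added example (not CIS or NNT code) that audits the text of a `secedit /export` policy file for four of the five areas summarised earlier; firewall state is not part of that export, so it is left out. The sample policy is constructed, and the pass criteria are simplified assumptions drawn from the wording of the list, not the benchmark's own values.

```python
import configparser

ADMINS = "*S-1-5-32-544"  # well-known SID of the built-in Administrators group

# Constructed sample of a `secedit /export /cfg policy.inf` file (not from a real host).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = 0
ForceLogoffWhenHourExpire = 0
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 3
[Privilege Rights]
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550
"""

def parse_policy(text):
    """Parse the INF-style export; keep key case and treat only '=' as delimiter."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def audit(text):
    """Return {check_name: passed} for the exported policy text."""
    cp = parse_policy(text)

    def num(section, key):
        # A missing section or key is treated as 0 (not configured).
        return cp.getint(section, key, fallback=0)

    raw = cp.get("Privilege Rights", "SeLoadDriverPrivilege", fallback="")
    holders = {sid.strip() for sid in raw.split(",") if sid.strip()}
    return {
        # LockoutBadCount = 0 means accounts are never locked out.
        "account_lockout_enabled": num("System Access", "LockoutBadCount") > 0,
        # 1 = force logoff when the account's permitted logon hours expire.
        "logoff_when_hours_expire": num("System Access", "ForceLogoffWhenHourExpire") == 1,
        # Audit values: 0 none, 1 success, 2 failure, 3 success and failure.
        "logon_success_and_failure": num("Event Audit", "AuditLogonEvents") == 3,
        "account_logon_success_and_failure": num("Event Audit", "AuditAccountLogon") == 3,
        # Only Administrators may hold the right to load device drivers.
        "drivers_admins_only": holders <= {ADMINS},
    }

if __name__ == "__main__":
    for check, passed in audit(SAMPLE_INF).items():
        print(f"{'PASS' if passed else 'FAIL'}  {check}")
```

On a real server the input would come from running `secedit /export /cfg policy.inf` as an administrator; that file is normally UTF-16 encoded, so decode it accordingly before passing the text to `audit`.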
If you would like to speak to one of our consultants about NNT Change Tracker and how it can help you to test your assets against the CIS benchmarks, you can book an online meeting with us today.