Microsoft Windows server 2016

Considerations on security hardening Microsoft Windows server 2016

john alexander / 08.29.17

The introduction of a new OS always comes with new features including updated security features and enhanced security configuration options. With the release of Windows Server 2016, Microsoft has stepped it up in the security arena. To illustrate some of these new features and help companies understand what is necessary to secure their Windows Server 2016 systems, we’ve come up with this short guide.

Windows Server 2016 is tied closely to Windows 10, much like how Windows 2012 and Windows Server 2012 R2 are technically related to Windows 8 and 8.1, respectively. From a security standpoint, one of the benefits of using GPOs – or Group Policy Objects (which is how you configure security in Windows) – to lock down or harden a system, is that many features that would normally be difficult to lock down are modular and easy to secure. For example, Microsoft Edge has eleven GPO settings. Set these items through GPO and Microsoft Edge is easily and securely locked down.

According to the Center for Internet Security’s (CIS) Windows Server 2016 Benchmark there are about 50 new configuration items (from the CIS Windows Server 2012 R2 Benchmark) that should to be locked down through Group Policy. The split of new configuration items is roughly 20% for system related configurations and 80% for new applications and features of Windows Server 2016.

Windows Server 2016’s new networking security configurations are primarily about the new peer-to-peer networking and sharing functionalities. In general, many of these features should, of course, be turned off. An example is a new feature to support DNS-based Server Scenarios, which allows you to enable location-aware DNS. There are now several options for configuring this new feature. For example you could allow only someone with elevated privileges to set the location of servers on the network. A user could also harden access to Universal Naming Convention (UNC) paths, particularly access to the SYSLOG and NETVOL shares. In this case a GPO setting allows gives you the ability to require mutual authentication and integrity checks when accessing these shares.

The remaining 80% of new security configuration considerations in hardening Windows Server 2016 primarily deals with new applications and new features of Windows Server 2016 itself. About a quarter of these new options involve locking down Microsoft Edge. In general, you don’t want to use a browser on a server so you should lock Microsoft Edge down tight. Microsoft easily allows you to do this with their Group Policy. Example configuration items are: make sure InPrivate browsing is disabled, make sure anyone using Microsoft Edge is not allowed to save passwords locally, make sure the pop-up blocker is turned on, etc.

Microsoft also released a new lock screen feature called Spotlight. When enabled it controls the lock screen, so that instead of the lock screen displaying static images, Spotlight offers suggestions to users on Windows features, apps in the Windows Store, and more. The problem with this from a security standpoint is that Spotlight sends and receives data from third parties, so it should be disabled on a server.

Cortana, another significant new feature of Windows Server 2016, needs to be locked down. Cortana is an intelligent personal assistant that can allow for the control of simple system features, like calendar notification, but it’s primarily used for search. Sensitive information could be contained in the search history and sent out to Microsoft, so the security rationale here is to prevent potential data leakage.

This gets us to the last new feature of Windows Server 2016 that I will talk about in this blog. Microsoft added the ability to collect telemetry and data, a feature intended to collect information so that Microsoft can improve its products. Microsoft has been criticized for making some of this data collection hard to turn off in Windows 10, but control of collection on Windows Server 2016 is easy through Group Policy. In fact, Microsoft has a GPO configuration item that when set to a value of Enabled: 0 – Security [Enterprise Only] shuts down telemetry and data collection completely.

Finally, there is a plethora of miscellaneous items that involve many of the new applications and system features that are on Windows Server 2016 Server. These new applications or features include: App Privacy, App Package Deployment, Biometrics, Camera, Connect, Windows Store, Windows Update, and Windows Ink Workspace. Most of the settings here are straightforward, from allowing use of enterprise accounts (versus Microsoft accounts) to access the Windows Store (for centralized control of access), to disabling the “suggested apps” feature of Windows Ink Workspace, which sends data to Microsoft. All of these configuration items are in Section 18 of the CIS Windows Server 2016 Benchmark.

In summary, Windows Server 2016 has a significant number of new and changed features that require consideration from a security perspective. Most of the items are nicely organized and are easy to configure through Group Policy. To make it scalable for an enterprise, powerful configuration management tools like Halo that provide support for Windows Server 2016 and support CIS Windows Server 2016 Benchmark configuration scans will make it even easier to lock down all your Windows Server 2016 servers that are in the cloud.