5 Tips for Securing Systems On-Prem or in the Cloud
Security in the cloud is just as vital as security in on-premises environments. Hardening a system is a way to protect it by reducing vulnerability. While hundreds of security recommendations may exist to harden any one technology, this post focuses on a few suggested in the CIS Benchmarks – objective, consensus-driven security configuration guidelines.
This list contains just a few of the 270+ configuration recommendations for Microsoft Windows Server 2016. Want the full list for this technology? Download the CIS Benchmark for Microsoft Windows Server.
1. Disconnect After Hours
Your organization’s workforce probably adheres to a specific work schedule. And even though operating cloud-based systems means you can theoretically work from anywhere (and at any time), it’s unlikely most employees would need to log on at 2:00 a.m.
Microsoft Windows Server 2016 can be configured to have set logon hours when users can work and automatically force logoff outside those hours. Of course, hours can be adjusted for those who work the night shift!
2. Firewall
Firewalls are well known for keeping unauthorized users off the network and for stopping the activity of malware that might attempt to retrieve data. The CIS Benchmark for Microsoft Windows Server 2016 reminds you that the firewall should be turned on, and it adds nine other recommendations for firewall configuration that include connections, display notifications, and logging.
3. Driver Installation
Consider whether users need to install their own shared printer drivers. Trojan horse programs can masquerade as printer drivers and, if installed, spread problems throughout the server. Installation of shared printer drivers might be better limited to Administrators only.
4. Account Lockout
Between today’s complicated password requirements and the likelihood of typos, it’s certainly possible for a user to have several incorrect password attempts. Unfortunately, it’s not always easy to tell the difference between a struggling user and a malicious actor attempting to gain entry to an account by guessing passwords.
Setting an account lockout duration can help prevent a malicious attempt at breaking into an account by reducing the number of password attempts in a given time period. One caveat – a longer lockout period doesn’t necessarily mean better security; it could equal more calls to the help desk to unlock a frustrated employee’s account.
5. Audit Logon
Speaking of account lockouts, it’s important to keep track of them by setting the system to report when a user’s account is locked out as a result of too many failed logon attempts. Auditing these events may be useful when investigating a security incident. You can achieve this in Microsoft Windows Server 2016 by setting the “Audit Logon” configuration to “Success & Failure.”
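As an added example (not part of the CIS Benchmark or the original post), this read-only PowerShell script reports the current state of the firewall, printer driver, account lockout and Audit Logon settings described above. It assumes an elevated session on an English-language Windows Server; the result labels and helper function names are this example's own, and per-user logon hours are not covered.

```powershell
# Added example: read-only check, changes nothing on the system.
# Assumes an English-language OS, because `net accounts` and `auditpol`
# print localized text.
$results = [System.Collections.Generic.List[object]]::new()

# Hypothetical helper: record one check as a row in the report.
function Add-Result($Tip, $Setting, $Value, [bool]$Pass) {
    $results.Add([pscustomobject]@{ Tip = $Tip; Setting = $Setting; Value = $Value; Pass = $Pass })
}

# Hypothetical helper: text after the first ':' on the line starting with $Label.
function Get-NetAccountsField($Lines, $Label) {
    $line = $Lines | Where-Object { $_ -like "$Label*" } | Select-Object -First 1
    if ($line) { ($line -split ':', 2)[1].Trim() }
}

# Firewall: every profile should be on in the effective (GPO-merged) policy.
foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
    $state = "$($p.Enabled)"
    Add-Result 'Firewall' "$($p.Name) profile enabled" $state ($state -eq 'True')
}

# Driver installation: 1 = only Administrators may install shared printer drivers.
# A missing value is reported as a failure.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
$drv = (Get-ItemProperty -Path $key -Name AddPrinterDrivers -ErrorAction SilentlyContinue).AddPrinterDrivers
Add-Result 'Driver installation' 'AddPrinterDrivers' $drv ($drv -eq 1)

# Account lockout: a threshold of "Never" means lockout is disabled.
# The duration is reported but not judged, since longer is not always better.
$net = net accounts
$threshold = Get-NetAccountsField $net 'Lockout threshold'
$duration = Get-NetAccountsField $net 'Lockout duration'
Add-Result 'Account lockout' 'Threshold / duration (min)' "$threshold / $duration" `
    ($threshold -and ($threshold -ne 'Never'))

# Audit Logon: auditpol reports the "Success & Failure" setting as "Success and Failure".
$audit = auditpol /get /subcategory:"Logon" /r | Where-Object { $_ } | ConvertFrom-Csv
$setting = $audit.'Inclusion Setting'
Add-Result 'Audit logon' 'Logon subcategory' $setting ($setting -eq 'Success and Failure')

$results | Format-Table -AutoSize
```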
How to Harden Systems
Hardening your systems is a solid approach to protect against cybersecurity threats. Outlined above are just a few of the steps recommended to harden a system. CIS works with a global community of cybersecurity experts to develop configuration guidelines called CIS Benchmarks. They are available in three ways to help harden systems:
- Manually apply the security recommendations for Microsoft Windows Server using the free CIS Benchmark PDFs.
- Obtain CIS SecureSuite Membership to leverage CIS-CAT Pro Assessor to assess system conformance, download CIS Benchmarks in additional formats (i.e., Excel, Word, XML), access remediation kits to apply secure configurations directly to select systems, and reassess to monitor compliance over time.
- CIS Hardened Images are available in the cloud and are preconfigured to meet CIS Benchmark recommendations†. CIS Hardened Images make running secure operations in the cloud fast, easy, and affordable.
† Due to cloud provider restrictions, 11 CIS Benchmark recommendations are not applied to the CIS Benchmark Hardened Image for Microsoft Windows Server 2016; the remaining 286 secure configuration settings are applied.