5 Tips to Harden Your OS On-Prem or in the Cloud
This list contains just a few of the 350+ configuration recommendations for Microsoft Windows Server 2019. Want the full list for this technology? Download the CIS Benchmark for Microsoft Windows Server.
Security Configuration 1: Disconnect After Hours
Your organization’s workforce probably adheres to a specific work schedule. Even though operating cloud-based systems means you can theoretically work from anywhere (and at any time), it’s unlikely most employees would need to log on at 2:00 a.m.
With this in mind, your organization should create settings for automatic log off after a certain time. This setting prevents unnecessary open access when employees are not using their workstations. It's an easy step to hardening your OS.
Specifically, you can configure Microsoft Windows Server 2019 to have set logon hours and automatically force logoff outside those hours. Of course, hours can be adjusted for those who work the night shift.
Security Configuration 2: Firewall
The cybersecurity community knows the benefits of firewalls. Most basically, they prevent unauthorized users from accessing your networks. They also stop malware activity that might attempt to retrieve your organization's data. Because of these reasons, this is another important security configuration in the CIS Benchmarks.
The CIS Benchmark for Microsoft Windows Server 2019 details more than 10 security configurations for firewalls — including connections, display notifications, and logging. Hardening your OS with firewalls is crucial to defend your OS against malware and malicious activity.
Security Configuration 3: Enable Audit Subcategory Policies
Tracking events at a per system or per user level prior to the introduction of auditing subcategories in Windows Vista was difficult. The larger event categories created too many events and the key information for auditing was difficult to find.
The CIS Benchmark for Microsoft Windows Server 2019 includes security configurations to ensure your organization can easily audit and track activity in your systems per system and/or per user. It's vital to apply security configurations to your system, but for a truly hardened OS, your organization must also track and audit activity.
Security Configuration 4: Account Lockout
With today’s increased password requirements, it’s possible for a user to incorrectly attempt their password several times. Unfortunately, it’s not all that simple to tell the difference between a struggling user and a malicious actor. That's where the security configuration for account lockout comes in.
Setting a threshold for the number password attempts in a given time period can help prevent a malicious attempt. One caveat – a longer lockout period doesn’t necessarily mean better security; it could equal more calls to the help desk to unlock a frustrated employee’s account.
Security Configuration 5: Audit Logon
Speaking of account lockouts, it’s important to keep track of them by setting the system to report when a user’s account locks out as a result of too many failed logon attempts. Auditing these events may be useful when investigating a security incident.
In the CIS Benchmark for Microsoft Windows Server 2019, you'll find this security configuration that recommends setting the “Audit Logon” configuration to “Success & Failure.”
Three Ways to Harden Your OS
Hardening your OS protects against remote intrusion, malware, and insufficient authorization. The security configurations above are just a few examples of the recommended security configurations to harden an OS. To develop these recommendations, CIS works with a global community of cybersecurity experts. To help harden your OS on-prem or in the cloud, CIS Benchmarks are available three ways:
- Manually apply the security recommendations using free CIS Benchmark PDFs.
- Obtain CIS SecureSuite Membership to: leverage CIS-CAT Pro Assessor to assess CIS Benchmark conformance, download CIS Benchmarks in additional formats (i.e., Excel, Word, XML), access build kits to apply security configurations directly to select systems, and reassess to monitor compliance over time.
- Deploy a CIS Hardened Image in the cloud. These pre-configured virtual machine images meet CIS Benchmark recommendations and are available in the public cloud. CIS builds and patches these images regularly to help avoid vulnerabilities.