SECURING NETWORK INFRASTRUCTURE is an asymmetric challenge. You must be nearly perfect. Bad actors need to find just one weakness. Since the most secure networks are those with security baked in, let’s start with the basic recipe for that.
Hardening the OS
The simplest way to harden your operating system installation is to reduce the attack surface by limiting the number of running services as much as possible. There’s no one answer for just how small that number should be, as the roles your server performs and other requirements dictate which services you require. For example, most of us need to have DHCP, DNS, and other services running on our domain controllers. You can whittle away many more services from an RDS or other single-purpose server, though.
Another way to harden your servers is to implement the Windows firewall in the most restrictive way possible, opening only those ports that are absolutely necessary. Don’t forget to keep an eye on “Active Directory bloat” either, to ensure you have only the accounts in place that you need. Finally, remember to build your file system as simply as you can, with minimal permissions that you loosen only as becomes necessary.
The real OS jocks out there, meanwhile, can install Windows in “Server Core” mode, eliminating the GUI altogether. The most common usage of Server Core mode is for Hyper-V host deployments, where performance is paramount and most management is performed by tools located on separate guest machines anyway. Forgoing the GUI means you lose out on the use of local GUI-based native OS management tools for RAID, power management, and other functions, but for those who are capable of it, command line interface-only implementations are a great way to slim down Windows.
As with anything security-related, you’ll need to test and refine whatever techniques you use iteratively as you go. No matter how well you believe you know your Windows internals and ports, you’ll be amazed at just what fails when you really start battening down the Windows firewall and shutting down services. Further, many services have complex dependencies that are not easily spotted in native OS tools, so becoming familiar with third-party tools that can find them will be invaluable.
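Before shutting down services or tightening the firewall, it helps to see what is actually listening, what the firewall currently lets in, and which services depend on the one you are about to stop. The following PowerShell script is an added example, not code from the original article; it assumes a Windows Server with the NetTCPIP and NetSecurity modules (2012 R2 or later) and an elevated session.

```powershell
# Added example (not from the article): audit listeners, inbound allow rules,
# and service dependencies before hardening. Run as Administrator.

# 1. Listening TCP ports mapped to the owning process and any services it hosts.
function Get-ListeningPortInventory {
    $svcByPid = @{}
    Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
        $svcByPid[[int]$_.ProcessId] += @($_.Name)   # svchost.exe hosts several services
    }
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = $proc.ProcessName
            Services     = ($svcByPid[[int]$_.OwningProcess] -join ',')
        }
    }
}

# 2. Enabled inbound Allow rules with their port filters; compare against the list above
#    and disable rules that open ports nothing is listening on.
function Get-InboundAllowRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Profile   = $_.Profile
            Protocol  = $pf.Protocol
            LocalPort = ($pf.LocalPort -join ',')
        }
    }
}

# 3. Every service (found recursively) that would also stop if the named service is stopped.
function Get-ServiceStopImpact {
    param([Parameter(Mandatory)][string]$Name)
    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($Name)
    while ($queue.Count -gt 0) {
        $svc = Get-Service -Name $queue.Dequeue() -ErrorAction SilentlyContinue
        if (-not $svc) { continue }
        foreach ($d in $svc.DependentServices) {
            if (-not $seen.ContainsKey($d.Name)) { $seen[$d.Name] = $d.Status; $queue.Enqueue($d.Name) }
        }
    }
    $seen.GetEnumerator() | Sort-Object Name
}

Get-ListeningPortInventory | Sort-Object LocalPort | Format-Table -AutoSize
Get-InboundAllowRules | Format-Table -AutoSize
Get-ServiceStopImpact -Name 'LanmanServer' | Format-Table -AutoSize   # 'LanmanServer' is the Server service
```

Run the first two functions again after each change so that a rule or service you removed, and whatever stopped listening or broke as a result, shows up in the diff rather than in a help-desk ticket.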
Group Policy Objects and Other Security Hacks
The past few years have seen resurging interest in security-focused Group Policy Objects (GPOs). In addition to configuring automatic updates through Windows Server Update Services, many of us deploy GPOs to restrict software by computer or user, or to force the Windows Certificate Store to update for DPI-SSL. Another GPO security enhancement is granting users logon permissions only on specific PCs.
Making sure your users are not local admins, as painful as that can be, is also crucial. Given enough time, it’s possible to run almost any application without the “local admin crutch.”
Another quick security enabler is turning on MAC address filtering in your DHCP Manager once you’ve completely populated your network with DHCP addresses. This is a “poor man’s substitute” for network access control and is both quick and easy to implement. It won’t prevent users from hard-coding an IP on a device to gain network access, but it will alert you to casual attempts to add devices to the network.
Yet another way to boost the security of your small and midsize business (SMB) networks that’s relatively easy to implement but often overlooked is enforcing reasonable password policies. Nothing draconian, but eight characters with at least one non-alphanumeric character and no embedded user names generally does the trick.