Windows server 2016 disable unnecessary services

Hardening Windows Systems for Security Compliance Introduction
Hardening a computer is the process of identifying as many of its vulnerabilities as possible and implementing countermeasures to those vulnerabilities. Countermeasures to vulnerabilities can take on many different forms. Some countermeasures are technical controls that protect a vulnerable asset, while other countermeasures simply remove the vulnerability.

Windows Server operating systems install various default features that could increase the computer’s attack surface. One of the first steps in hardening any Windows computer is to consider what its purpose will be and then only install the minimum features and services that it needs to carry out its purpose. However, you can’t always install the minimum features. In some cases, you’ll need to circle back after installation and disable or remove items that were added during installation. Fortunately, Microsoft publishes online documentation that provides guidance to security administrators on potentially unneeded services and helps reduce the attack surface of Windows computers. You can use this documentation to determine if any services present on a Windows computer should be disabled or removed.

Security administrators will also need to harden the servers using Windows Firewall to eliminate other network access methods. The Windows Firewall with Advanced Security configuration option allows more granular control over inbound and outbound traffic based on ports, programs, IP addresses, computers, users, and more.

In this lab, you will examine the installed roles and services of a Windows Server 2016 computer and identify features that you really don’t need. You’ll remove an entire role, which includes multiple services, and then disable additional services to harden your server. You will then use the built-in Windows Firewall to prevent unauthorized access to the server.

Lab Overview
Each section of this lab is assigned at your instructor’s discretion. Please consult your instructor to confirm which sections you are required to complete for your lab assignment.

SECTION 1 of this lab has three parts, which should be completed in the order specified.

1. In the first part of the lab, you will manually harden the security posture of a Windows Server 2016 machine by removing an unnecessary server role.

2. In the second part of the lab, you will manually harden the security on a Windows Server 2016 machine by disabling unnecessary services.

3. In the last part of the lab, you will manually harden the security on a Windows Server 2016 machine by changing the internal firewall configuration.

SECTION 2 of this lab allows you to apply what you learned in SECTION 1 with less guidance and different deliverables, as well as some expanded tasks and alternative methods. You will import a security baseline GPO from the Security Compliance Toolkit, reset the DSRM password on TargetWindows01, and use the Windows Defender Firewall with Advanced Security to edit Inbound Rules.

Finally, you will explore the virtual environment on your own in SECTION 3 of this lab. You will answer questions and complete challenges that allow you to use the skills you learned in the lab to conduct independent, unguided work, similar to what you will encounter in a real-world situation.

Learning Objectives
Upon completing this lab, you will be able to:

1. Define system hardening as it applies to securing Windows Server Operating Systems

2. Harden Windows Server 2016 by using the Windows Security Manager to remove roles

3. Harden Windows Server 2016 by stopping and disabling services to optimize performance and security

4. Harden Windows Server 2016 by activating the Windows Firewall

5. Section 2: Harden Windows Server 2019 by using security baselines to create new Group Policy Objects

6. Section 2: Harden a Domain Controller by updating the DSRM password

7. Section 2: Harden Windows Server 2019 by editing inbound rules in the Windows Defender Firewall

Topology
This lab contains the following virtual machines. Please refer to the network topology diagram below.

· TargetWindows01 (Windows Server 2019) [Domain Controller]

· TargetWindows04 (Windows Server 2016)

Tools and Software
The following software is required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab.

· Security Compliance Toolkit (SKT)

· Group Policy Management Console (GPMC)

· Ntdsutil

· Windows Firewall

· Windows Defender Firewall with Advanced Security

Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your instructor:

SECTION 1:
1. Lab Report file including screen captures of the following;

· current Roles and Server Groups;

· updated Roles and Server Groups;

· disabled DHCP Server service;

· results of the first ping test on TargetWindows01;

· enabled Windows Firewall for all three profiles;

· results of the second ping test on TargetWindows01;

2. Any additional information as directed by the lab:

· describe how the firewall changes affected the results.

SECTION 2:
1. Lab Report file including screen captures of the following:

· Microsoft's recommended Password and Account Lockout policy settings;

· linked MSDomainSecurity2019 object;

· implemented Password and Account Lockout policy settings;

· successful DSRM password change;

· results of the first ping test on TargetWindows04;

· results of the second ping test on TargetWindows04;

2. Any additional information as directed by the lab:

· discuss how the firewall changes affected the results.

SECTION 3:
1. Analysis and Discussion

2. Tools and Commands

3. Challenge Exercise

Section 1: Hands-On Demonstration
Part 1: Remove Unnecessary Server Roles

5. Make a screen capture showing the current Roles and Server Groups and paste it into your Lab Report file.

17. Make a screen capture showing the updated Roles and Server Groups and paste it into your Lab Report file.

Part 2: Remove Unnecessary Services
8. Make a screen capture showing the disabled DHCP Server service and paste it into your Lab Report file.

Part 3: Secure the Windows Firewall
4. Make a screen capture showing the results of the first ping test on TargetWindows01 and

paste it into the Lab Report file.

15. Make a screen capture showing the enabled Windows Firewall for all three profiles and paste

it into the Lab Report file.

19. Make a screen capture showing the results of the second Ping test and paste it into the Lab Report file.

20. In the Lab Report file, describe how the firewall changes affected the results. Below is an example; Answer may vary by student.

The ping is no longer successful since because the firewall is blocking ping responses from the target. Since the default configuration blocks all incoming connections unless explicitly allowed, we’d have to create a rule that allows ICMP pings to get successful responses again.

Section 2: Applied Learning
Part 1: Apply Windows Security Baselines

5. Make a screen capture showing Microsoft's recommended Password and Account Lockout policy settings and paste it into your Lab Report file.

18. Make a screen capture showing the linked MSDomainSecurity2019 object and paste it into your Lab Report file.

22. Make a screen capture showing the implemented Password and Account Lockout policy settings and paste it into your Lab Report file.

Part 2: Reset the DSRM Password
7. Make a screen capture showing the successful DSRM password change and paste it into your Lab Report file

Part 3: Secure the Windows Defender Firewall
3. Make a screen capture showing the results of the first ping test on TargetWindows04 and

paste it into your Lab Report file.

16. Make a screen capture showing the results of the second ping test on TargetWindows04 and
paste it into your Lab Report file.

17. In the Lab Report file, describe how the firewall changes affected the results. Below is an example; Answer may vary by student.

After disabling all ICMPv4 traffic – ICMP echo requests (pings) included -- the TW04 machines is unable to penetrate the firewall we’ve erected on TW01.

Section 3: Lab Challenge and Analysis
Note: The following challenge questions are provided to allow independent, unguided work, similar to what you will encounter in a real situation. You should aim to improve your skills by getting the correct answer in as few steps as possible. Use screen captures in your lab document where possible to illustrate your answers.

Part 1: Analysis and Discussion
Why would disabling services be important in securing and optimizing server performance? What determines which services are disabled?

Below is an example; Answer may vary by student.

Disabling unnecessary services decreases the attack surface area of a server. Any services exposed to the network increase the server’s vulnerability, so disabling would make them mostly unavailable to be used by a bad actor as vector for entry. And by disabling unnecessary services, you free up memory and computing resources from the server, which naturally increases performance.

Services are disabled and enabled depending on the programs you install which require them. It’s up to you which services remain enabled, and some are easier to determine the value and consequences of than others (not acting as a DHCP server? Disable DHCP on that server). However, Microsoft also provides guidelines for which services it recommends disabling. Starting in Win2019, these guidelines are applied by default.

Part 2: Tools and Commands
Use the Internet to research a command line statement that will add a new Inbound rule for the Windows Defender Firewall with Advanced Security that will allow all traffic from TCP port 8088 on all security profiles. Name the new rule “yourname port 8088”, replacing yourname with your own name. Make a screen capture of your executed command line statement.

Below is an example; Answer may vary by student.

Part 3: Challenge Exercise
In the Windows Firewall with Advanced Security, create a new Outbound rule to deny HTTP/HTTPS traffic on the TargetWindows01 server. Apply the changes and use screen captures to document your changes and the result of the rule in the browser window.

-/i New Outbound Rule Wizard X

Action

Specify the action to be taken when a connection matches the conditions specified in the rule.

Sleps:

· Rule Type

· Protocol andPorts

· Action

· Profile

· Name

What action should be taken when a connection matches the specified conditions?

0 Allow lhe conneclion

This includes connections that are protected withIPsec as well as those are not.

0 Allow the onnection if it is secure

This includes only connections that have been authenticated by usingIPsec. Connections willbe secured using the settings in IPsec properties andrules in the Connection Security Rule node.

@ Bloc.!; lhe conneclion

_ c _ k _

< I _ C _ a _ n c _ e _ l- - •

I I Next> j

fl New Outbound Rule Wizard X

Name

Specif}' the name and description of this rule.

Steps:

Rule T}'pe

· Protocol and Ports

· Action Profile Name

!:lame:

IDen}' HTTP/HTTPS

Qescription (optional):

Denies the usual ports used b}' HTTP/HTTPS (80 an 443)

_ C _ a _ n _ c e _ l _ _ , . ._ <_Jl_.a_ck_ _

_.I!.. E_in_is_h _ ..!. I

fl Windows Defender Firewall with Advanced Security

Eile ,£!,.ction iew .tielp

□ X

ti Window5 Defender Fircw II wit l

Outbound Rules

,= = = = = = = = = = = = = =

Name

0 Deny HTTP/HTTPS

S @{Micro,oft.AAD.BrokerPlugin_1000.143...

S @{Microsoft.AAD.BrokerPlugin_1000.143...

D @{Microsoft.AccountsControl_10.0.1439,,,

=

= = = = = = = = =

Group

@{Microsoft.AAD,BrokerPlu,,,

@{Microsoft.AAD,BrokerPlu.,,

@{Microsoft.AccountsContr...

= =

Profile

All All All

All

=

= = =

Enabled

Yes Yes Yes

Yes

=

=

A "

B A A

A

Actions

t=O auatbaoa.u. anaadaaRu.aale,aaaa========-

New Rule...

V Filter by Profile

V Filter by St t c

El Inbound Rule5 1

Outbound Rules

! Connection Security Rub

) _ Monitoring

And the result of this rule, after its application, is that I am now unable to reach the IIS homepage on TW04 from TW01, which IS reachable without the rule (screenshot below).