Windows 2016 Server Security Settings

The security settings for Windows Server 2016 are very similar to those for Windows Server 2008.

System update configuration

Changing Windows Update Servers

If the default Windows Update server is slow, or if your server runs on Alibaba Cloud or Tencent Cloud, you can change the Windows Update server.

Right-click the Start menu icon, select "Run", enter gpedit.msc, then select "Computer Configuration" - "Administrative Templates" - "Windows Components" - "Windows Update", and double-click "Specify Intranet Microsoft Update Service Location":

Select Enabled, and then set the Intranet update service and statistics server for detecting updates. If it is Alibaba Cloud Classic Network, it can be set to http://windowsupdate.aliyun-inc.com, Alibaba Cloud VPC network can be set to http://update.cloud.aliyuncs.com, Tencent Cloud can be set to http://windowsupdate.tencentyun.com, and the backup download server can be set to http://wsus.neu.edu.cn.

Enable and allow automatic updates

Double-click Allow Automatic Updates to install now and select Enabled to enable automatic updates. Then double-click "Configure Automatic Updates", select "Enabled" and configure it to "Automatically download and notify for installation", as shown below:

After setting the above two steps, you need to execute the following command as an administrator:

gpupdate /force

Resolving errors 0x8024401f and 0x8024401c during automatic updates

After completing the above operations, open Start menu - Settings, run Check for Updates, and confirm that it works normally.
If error 0x8024401f or 0x8024401c appears, execute the following commands as an administrator:

net stop wuauserv
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
net start wuauserv
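The two Group Policy settings above are stored as registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. The following PowerShell is an added example, not part of the original article, that writes the same values directly and reads them back after the policy refresh. It uses the Alibaba Cloud VPC address quoted above; the other servers from the article can be substituted. Note that the troubleshooting step above deletes this whole key: if the settings were made through gpedit.msc, gpupdate restores them from the local policy store, but values written directly as below have to be re-applied by running the function again.

```powershell
# Added example (not from the original article): set the registry-backed policy
# values that "Specify intranet Microsoft update service location",
# "Allow Automatic Updates immediate installation" and "Configure Automatic
# Updates" write, refresh policy, and read the result back. Run elevated.
$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = "$WuPolicy\AU"

function Set-IntranetUpdateServer {
    param(
        [Parameter(Mandatory)][string]$UpdateServer,   # intranet update service URL
        [string]$StatusServer = $UpdateServer           # statistics server; same host by default
    )
    New-Item -Path $AuPolicy -Force | Out-Null          # creates WindowsUpdate and AU keys if missing
    Set-ItemProperty -Path $WuPolicy -Name WUServer       -Value $UpdateServer -Type String
    Set-ItemProperty -Path $WuPolicy -Name WUStatusServer -Value $StatusServer -Type String
    Set-ItemProperty -Path $AuPolicy -Name UseWUServer    -Value 1 -Type DWord   # use the intranet server
    Set-ItemProperty -Path $AuPolicy -Name AutoInstallMinorUpdates -Value 1 -Type DWord  # immediate installation
    Set-ItemProperty -Path $AuPolicy -Name NoAutoUpdate -Value 0 -Type DWord    # automatic updates enabled
    Set-ItemProperty -Path $AuPolicy -Name AUOptions    -Value 3 -Type DWord    # 3 = auto download, notify to install
}

function Get-UpdatePolicyState {
    $wu = Get-ItemProperty -Path $WuPolicy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuPolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
        AUOptions      = $au.AUOptions
        ServiceStatus  = (Get-Service -Name wuauserv).Status
    }
}

# Alibaba Cloud VPC address quoted in the article; replace with the server for your network
Set-IntranetUpdateServer -UpdateServer 'http://update.cloud.aliyuncs.com'
gpupdate.exe /force | Out-Null
Get-UpdatePolicyState | Format-List
```

An intranet update server reached over plain http is trusted for every package it delivers, so the host you point at should be one you control or one operated by your cloud provider, as in the article's list.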

System account security

Set up account security policies

Execute the secpol.msc command in "Run", open "Local Security Policy", and make the following settings:
(1) "Account Policies" - "Password Policy"
Set an appropriate password complexity to enhance password strength. The reference settings are as follows:

(2) "Account Policies" - "Account Lockout Policy"
To set the lockout duration after repeated wrong passwords, set "Account lockout threshold" first; the other two items can only be set afterwards. The reference settings are as follows:

(3) "Local Policies" - "Security Options"
Set Interactive logon: Do not display last user name to Enabled.

Check and optimize your account

After completing the account security settings, optimize the system accounts. Execute the compmgmt.msc command in "Run" to open "Computer Management", then check "System Tools" - "Local Users and Groups" - "Users" for unused accounts and delete or disable them. In addition, use the net user command on the command line to check for extra accounts (some accounts are hidden in Computer Management). You can use the net user <username> /del command to delete the corresponding account.

Rename the default Administrator account to a different username, and it is recommended to set a new administrator password at the same time.
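The account review described above can also be done with the LocalAccounts cmdlets that ship with Windows Server 2016. The following is an added example, not code from the article: it lists every local account with the attributes that matter for the review (enabled, last logon, built-in RID, hidden "$" suffix), disables accounts outside an expected list, and renames the built-in Administrator by its RID rather than by name so it is found even if it was renamed before.

```powershell
# Added example (not from the original article): review local accounts the way
# the article does with Computer Management and "net user", using Get-LocalUser.
# Account names are read from the live system; run elevated.
function Get-LocalAccountReport {
    Get-LocalUser | ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            Enabled    = $_.Enabled
            LastLogon  = $_.LastLogon
            BuiltIn    = $_.SID.Value -match '-50[0-3]$'   # RID 500 Administrator, 501 Guest, 503 DefaultAccount
            HiddenName = $_.Name.EndsWith('$')             # "$" names do not show in Computer Management
        }
    }
}

# Disable (rather than delete) enabled accounts that are not in the expected list,
# so a mistake can be reverted with Enable-LocalUser
function Disable-UnexpectedLocalAccount {
    param([Parameter(Mandatory)][string[]]$Expected)   # names that should exist, e.g. your admin account
    Get-LocalUser | Where-Object { $_.Enabled -and $Expected -notcontains $_.Name } |
        ForEach-Object {
            Disable-LocalUser -Name $_.Name
            "Disabled: $($_.Name)"
        }
}

# Rename the built-in Administrator (RID 500) and set a new password interactively
function Rename-BuiltinAdministrator {
    param([Parameter(Mandatory)][string]$NewName)
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    Rename-LocalUser -Name $admin.Name -NewName $NewName
    $pw = Read-Host -AsSecureString -Prompt "New password for $NewName"
    Set-LocalUser -Name $NewName -Password $pw
}

Get-LocalAccountReport | Format-Table -AutoSize
# Disable-UnexpectedLocalAccount -Expected @('Administrator')   # adjust to your expected accounts
# Rename-BuiltinAdministrator -NewName 'srvadmin'               # 'srvadmin' is a placeholder name
```

Disabling first and deleting later keeps the account's SID and profile available if the account turns out to be in use; the article's net user /del path is the final step once the review is complete.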

Disable automatic system login

A password must be required to log in to the system, including after it resumes from hibernation. Type control userpasswords2 in "Run", open "User Accounts", and enable the option "Users must enter a user name and password to use this computer."

Remote access security

Change the default port 3389 of the remote terminal

Change the default remote terminal port 3389 to another port. Run regedit to open the registry program. You need to modify two places in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Change the value of PortNumber on the right side of the above two places to the new port number (it is recommended to set the base to decimal):

After the settings are completed, close the registry and restart the server to take effect. If you set up a firewall, make sure the new port is added to the firewall's whitelist.
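The following PowerShell is an added example, not the article's own steps: it writes the new PortNumber to both registry keys above, adds the firewall rule the last paragraph asks for before the reboot, and verifies both. Port 33890 is an assumed example value; the firewall rule name is also an assumption.

```powershell
# Added example (not from the original article): change the RDP port in both
# registry keys, whitelist it in Windows Firewall before restarting, and verify.
$RdpKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
)

function Set-RdpPort {
    param([Parameter(Mandatory)][ValidateRange(1025, 65535)][int]$Port)
    # Refuse a port something else already listens on
    if (Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue) {
        throw "TCP port $Port is already in use; choose another port"
    }
    foreach ($key in $RdpKeys) {
        # DWORD written in decimal, as the article recommends
        Set-ItemProperty -Path $key -Name PortNumber -Value $Port -Type DWord
    }
    # Allow the new port before the restart; otherwise the next RDP connection fails
    New-NetFirewallRule -DisplayName "Remote Desktop (TCP $Port)" -Direction Inbound `
        -Protocol TCP -LocalPort $Port -Action Allow -Profile Any | Out-Null
}

function Test-RdpPort {
    param([Parameter(Mandatory)][int]$Port)
    $reg = foreach ($key in $RdpKeys) { (Get-ItemProperty -Path $key -Name PortNumber).PortNumber }
    # Any enabled inbound allow rule whose port filter matches the new port
    $rule = Get-NetFirewallPortFilter -Protocol TCP | Where-Object { $_.LocalPort -eq "$Port" } |
        Get-NetFirewallRule | Where-Object {
            $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True'
        }
    [pscustomobject]@{
        RegistryPorts   = ($reg -join ', ')
        RegistryMatches = (@($reg | Where-Object { $_ -ne $Port }).Count -eq 0)
        FirewallAllowed = [bool]$rule
    }
}

Set-RdpPort -Port 33890          # 33890 is an assumed example port
Test-RdpPort -Port 33890
# Restart-Computer               # the listener moves to the new port after the restart
```

Run Test-RdpPort and confirm FirewallAllowed is True before restarting; if the rule is missing, the remote session cannot be re-established after the reboot, which is the failure the last paragraph warns about.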

Authorize remote shutdown, local shutdown, and user rights assignment only to the Administrators group

Execute secpol.msc in "Run", open the "Local Security Policy" window, and open "Local Policies" - "User Rights Assignment" in sequence.
(1) Double-click "Force shutdown from remote system" on the right, keep only the "Administrators group" and delete other user groups;
(2) Double-click "Shutdown System" on the right, keep only the "Administrators Group" and delete other user groups;
(3) Double-click "Take ownership of files or other objects" on the right, keep only the "Administrators group" and delete other user groups;

Set the remote login account to a specific administrator account

Specifying a specific administrator account instead of the Administrators group enhances the security of logging into the system. Even if an account in the Administrators group is created through a vulnerability, it will not be able to log into the system.

Execute secpol.msc in "Run", open the "Local Security Policy" window, and open "Local Policies" - "User Rights Assignment" in sequence. Double-click "Access this computer from the network" on the right, delete all user groups, then click the "Add User or Group..." button below, click "Advanced", then "Find Now", select the administrator's account from the results, and confirm and save in sequence.
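Every setting in the account policy section above and in the two user-rights sections here lives in the local security database, which secedit.exe can import from one INF template. The following is an added example, not the article's procedure: the password and lockout numbers are assumed values standing in for the article's reference screenshot, S-1-5-32-544 is the well-known SID of the Administrators group, and __ADMIN_ACCOUNT__ is a placeholder for the specific administrator account. One caveat a practitioner should weigh: "Access this computer from the network" (SeNetworkLogonRight) governs every network logon, including SMB file sharing and remote management, not only Remote Desktop; the right that controls RDP specifically is "Allow log on through Remote Desktop Services".

```powershell
# Added example (not from the original article): apply password policy, lockout
# policy, the "Do not display last user name" option and the four user rights
# from one INF template via secedit.exe, then export and verify. Run elevated.
$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 5
MaximumPasswordAge = 90
MinimumPasswordAge = 1
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeNetworkLogonRight = __ADMIN_ACCOUNT__
'@
# Assumed example values above: 12-char minimum, 5 bad attempts, 30-minute lockout and reset window.

function Invoke-SecurityTemplate {
    param([Parameter(Mandatory)][string]$AdminAccount)   # account allowed to log on from the network
    $inf = Join-Path $env:TEMP 'hardening.inf'
    $db  = Join-Path $env:TEMP 'hardening.sdb'
    $Template.Replace('__ADMIN_ACCOUNT__', $AdminAccount) | Set-Content -Path $inf -Encoding Unicode
    secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY USER_RIGHTS /quiet
}

function Get-EffectiveSecurityPolicy {
    $out = Join-Path $env:TEMP 'effective.inf'
    secedit.exe /export /cfg $out /areas SECURITYPOLICY USER_RIGHTS /quiet
    # Only the lines this section cares about
    Get-Content -Path $out | Select-String -Pattern ('MinimumPasswordLength|PasswordComplexity|LockoutBadCount|' +
        'LockoutDuration|DontDisplayLastUserName|SeRemoteShutdownPrivilege|SeShutdownPrivilege|' +
        'SeTakeOwnershipPrivilege|SeNetworkLogonRight')
}

Invoke-SecurityTemplate -AdminAccount 'srvadmin'   # 'srvadmin' is a placeholder account name
Get-EffectiveSecurityPolicy
```

The exported file shows accounts as *SID strings; the placeholder account should appear resolved under SeNetworkLogonRight, and the three shutdown/ownership rights should list only *S-1-5-32-544.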

System network security

Turn off unnecessary services

Execute the services.msc command in "Run" to open "Services". It is recommended to disable the following services according to the situation:

Application Layer Gateway Service (provides support for application-level protocol plug-ins and enables network/protocol connectivity)
Background Intelligent Transfer Service (Uses idle network bandwidth to transfer files in the background. If the service is disabled, features such as Windows Update and MSN Explorer will not be able to automatically download programs and other information)
Computer Browser (maintains an updated list of computers on the network and provides the list to computers designated as browsers)
DHCP Client
Diagnostic Policy Service
Distributed Link Tracking Client
Distributed Transaction Coordinator
DNS Client
Print Spooler (manages all local and network print queues and controls all print jobs)
Remote Registry (Enables remote users to modify registry settings on this computer)
Server (you can turn it off if you don’t use file sharing. After turning it off, right-click a disk and select Properties. The “Sharing” page will no longer exist.)
Shell Hardware Detection
TCP/IP NetBIOS Helper (provides support for NetBIOS over TCP/IP (NetBT) services and NetBIOS name resolution for clients on the network, enabling users to share files, print, and log on to the network)
Task Scheduler (enables users to configure and schedule automated tasks on this computer)
Windows Remote Management (Port 47001, Windows Remote Management Service, used to manage hardware with IIS, generally not used)
Workstation (creates and maintains client network connections to remote services. If the service is stopped, these connections will be unavailable)

Close the "SyncHost_xxx" service

Windows Server 2016 has a service named "SyncHost_xxx", where xxx is a number that differs on each server. It has to be closed manually, as follows:
Execute regedit in "Run" to open the registry, find the four items OneSyncSvc, OneSyncSvc_xxx, UserDataSvc and UserDataSvc_xxx under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, change the Start value of each to 4, exit the registry, and restart the server.
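The service list and the SyncHost_xxx registry change can be scripted together. The following is an added example, not the article's procedure: it resolves the article's display names to service names, tries the Service Control Manager first, and falls back to the registry Start value (4 = Disabled) for protected services that reject the change, which is the same mechanism the article uses for the OneSyncSvc_xxx / UserDataSvc_xxx instances. DHCP Client and DNS Client are skipped by default because disabling them breaks DHCP addressing and DNS caching; the article lists them for situational use.

```powershell
# Added example (not from the original article): disable the services the
# article lists, plus the per-user OneSyncSvc_xxx / UserDataSvc_xxx services.
# Run elevated; registry-only changes take effect after a reboot.
$ArticleList = @(
    'Application Layer Gateway Service', 'Background Intelligent Transfer Service',
    'Computer Browser', 'DHCP Client', 'Diagnostic Policy Service',
    'Distributed Link Tracking Client', 'Distributed Transaction Coordinator',
    'DNS Client', 'Print Spooler', 'Remote Registry', 'Server',
    'Shell Hardware Detection', 'TCP/IP NetBIOS Helper', 'Task Scheduler',
    'Windows Remote Management (WS-Management)', 'Workstation'
)

function Disable-ServiceHard {
    param([Parameter(Mandatory)][string]$Name)   # short service name, e.g. Spooler
    try {
        Stop-Service -Name $Name -Force -ErrorAction Stop
        Set-Service  -Name $Name -StartupType Disabled -ErrorAction Stop
        "$Name : stopped and disabled"
    } catch {
        # Protected services (Task Scheduler, DNS Client, ...) reject SCM changes;
        # write Start=4 directly, as the article does for SyncHost
        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" -Name Start -Value 4 -Type DWord
        "$Name : Start=4 written to registry (reboot required)"
    }
}

function Disable-ArticleServices {
    param([string[]]$Skip = @('DHCP Client', 'DNS Client'))   # situational; keep unless you know the impact
    foreach ($displayName in ($ArticleList | Where-Object { $_ -notin $Skip })) {
        $svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
        if ($svc) { Disable-ServiceHard -Name $svc.Name } else { "$displayName : not installed" }
    }
    # Per-user template services carry a numeric suffix that differs per server; match by wildcard
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        Where-Object { $_.PSChildName -like 'OneSyncSvc*' -or $_.PSChildName -like 'UserDataSvc*' } |
        ForEach-Object {
            Set-ItemProperty -Path $_.PSPath -Name Start -Value 4 -Type DWord
            "$($_.PSChildName) : Start=4"
        }
}

Disable-ArticleServices
```

Disabling "Server" and "Workstation" removes SMB serving and SMB client access respectively, and disabling "Task Scheduler" stops built-in maintenance tasks, so review the output before rebooting.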

Disable IPC sharing

If you stopped and disabled the Server service above, IPC sharing will not appear: running net share prompts "The Server service is not started". Otherwise the default shares such as C$ and D$ are listed, and they can be deleted with the net share C$ /del command.

Find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters in the registry, right-click in the blank space on the right, select "New" - "DWORD Item", set the name to AutoShareServer , and set the key value to 0.

Close port 139 (NetBIOS), port 445, and port 5355 (LLMNR)

(1) Close port 139. Open "Control Panel" - "View network status and tasks" in sequence, then click "Change adapter settings" on the left, double-click the activated network card in Network Connections, click the "Properties" button, double-click "Internet Protocol Version 4 (TCP/IPv4)", click the "Advanced" button in the lower right corner of the window that opens, then select the "WINS" tab above, select "Disable NetBIOS over TCP/IP" in "NetBIOS Settings", and finally click "OK" in sequence.

If you turn off this function, all sharing services on your server are turned off and others will no longer see your shared resources in Explorer. This also prevents information leakage.

(2) Close port 445

Port 445 is the service port used by NetBIOS to resolve machine names within the local area network. Generally, servers do not need to open any sharing to the LAN, so it can be closed. Open the registry, in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters, right-click on the right side and select "New" - "Dword Value" in turn, set the name to SMBDeviceEnabled and the value to 0.

(3) Close port 5355 (LLMNR)

LLMNR (Link-Local Multicast Name Resolution), also called Multicast DNS, is used to resolve names on the local network segment and can be turned off through Group Policy. Open "Run" and enter gpedit.msc to open the "Local Group Policy Editor", select "Computer Configuration" - "Administrative Templates" - "Network" - "DNS Client" in turn, double-click the "Turn off multicast name resolution" item on the right, and then set it to "Disabled".
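The registry changes from the IPC sharing section and the three items above can be applied and checked from PowerShell. The following is an added example, not the article's own steps. Two facts it relies on: port 445 is SMB over TCP (the SMBDeviceEnabled value stops the SMB driver from binding it), and the "Turn off multicast name resolution" policy disables LLMNR when it is set to Enabled, writing EnableMulticast = 0 under the DNSClient policy key, which is the value written directly here.

```powershell
# Added example (not from the original article): AutoShareServer, SMBDeviceEnabled,
# NetBIOS over TCP/IP per interface, and LLMNR, then a listener check on the
# legacy ports. Run elevated; the NetBT changes take effect after a reboot.
function Disable-LegacyNameServices {
    # IPC sharing: stop the Server service from creating C$, D$, ADMIN$
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name AutoShareServer -Value 0 -Type DWord
    # (2) Port 445: SMB over TCP
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' `
        -Name SMBDeviceEnabled -Value 0 -Type DWord
    # (1) Port 139: NetBIOS over TCP/IP on every interface (NetbiosOptions 2 = disable)
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
        ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord }
    # (3) Port 5355: LLMNR; EnableMulticast 0 is what "Turn off multicast name resolution" = Enabled writes
    $dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    New-Item -Path $dnsPolicy -Force | Out-Null
    Set-ItemProperty -Path $dnsPolicy -Name EnableMulticast -Value 0 -Type DWord
}

# Report what still listens on the NetBIOS/SMB/LLMNR ports and which process owns it
function Get-LegacyPortListeners {
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 139, 445 }
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 137, 138, 5355 }
    foreach ($c in @($tcp) + @($udp)) {
        [pscustomobject]@{
            Protocol = if ($c.State) { 'TCP' } else { 'UDP' }
            Port     = $c.LocalPort
            Address  = $c.LocalAddress
            Process  = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).Name
        }
    }
}

Disable-LegacyNameServices
Get-LegacyPortListeners | Format-Table -AutoSize   # expect 139/445/5355 to be gone after the reboot
```

Port 445 is owned by the System process (the SMB server driver), so it will still appear in the listener report until the reboot that makes SMBDeviceEnabled take effect.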

Network access restrictions

Execute secpol.msc in "Run" to open "Local Security Policy", open "Security Settings" - "Local Policies" - "Security Options", and set the following policy:

Network access: Do not allow anonymous enumeration of SAM accounts: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Let Everyone permissions apply to anonymous users: Disabled
Accounts: Limit local account use of blank passwords to console logon only: Enabled

After the settings are completed, execute gpupdate /force in the command line (as an administrator) to make it take effect immediately.
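The four security options above are stored as values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which makes them easy to verify without opening secpol.msc. The following is an added example, not from the article: it compares each value against the state the section asks for and reports pass or fail, treating a missing value as "default applies" so the failure is visible.

```powershell
# Added example (not from the original article): verify the "Network access" and
# "Accounts" options of this section from their Lsa registry values.
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Expected = @(
    @{ Name = 'RestrictAnonymousSAM';      Want = 1; Policy = 'Do not allow anonymous enumeration of SAM accounts' }
    @{ Name = 'RestrictAnonymous';         Want = 1; Policy = 'Do not allow anonymous enumeration of SAM accounts and shares' }
    @{ Name = 'EveryoneIncludesAnonymous'; Want = 0; Policy = 'Let Everyone permissions apply to anonymous users' }
    @{ Name = 'LimitBlankPasswordUse';     Want = 1; Policy = 'Limit local account use of blank passwords to console logon only' }
)

function Test-NetworkAccessBaseline {
    $values = Get-ItemProperty -Path $Lsa
    foreach ($e in $Expected) {
        $actual = $values.($e.Name)    # $null when the value is absent and the built-in default applies
        [pscustomobject]@{
            Policy   = $e.Policy
            Value    = $e.Name
            Expected = $e.Want
            Actual   = $actual
            Pass     = ($actual -eq $e.Want)
        }
    }
}

Test-NetworkAccessBaseline | Format-Table -AutoSize
# Any row with Pass = False means the option was not applied or gpupdate has not run yet
```

Running the check after gpupdate /force confirms the policy was applied rather than merely saved in the editor.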

Log Audit

Enhanced logging

Increase the log size to avoid incomplete records caused by a small log file capacity. Execute the eventvwr.msc command in "Run" to open the "Event Viewer" window, expand "Windows Logs", right-click each of the "Application", "Security" and "System" items below it, select "Properties", and change the "Maximum log size (KB)" to 20480.

Enhanced Auditing

System events are recorded for future troubleshooting and auditing. Execute the secpol.msc command in "Run" to open the "Local Security Policy" window, select "Security Settings" - "Local Policies" - "Audit Policy" in turn, and it is recommended to set the items as follows:

Audit policy change: Success
Audit logon events: Success, Failure
Audit object access: Success
Audit process tracking: Success, Failure
Audit directory service access: Success, Failure
Audit system events: Success, Failure
Audit account logon events: Success, Failure
Audit account management: Success, Failure

After the above items are set successfully, execute the gpupdate /force command in "Run" to make the settings take effect immediately.
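Both the log size change and the audit policy above can be applied with built-in tools and read back. The following is an added example, not the article's own steps: Limit-EventLog sets the three classic logs to the article's 20480 KB, and auditpol.exe sets the categories. The legacy category names in the article map to auditpol's category names as in the table inside the block ("process tracking" is "Detailed Tracking", "directory service access" is "DS Access"); auditpol writes subcategory-level policy, which takes precedence over the legacy categories shown in secpol.msc.

```powershell
# Added example (not from the original article): enlarge Application/Security/
# System logs and set the eight audit categories listed above, then read back.
# Run elevated.
function Set-EventLogSize {
    param([int]$MaxSizeKB = 20480)   # the article's value
    foreach ($log in 'Application', 'Security', 'System') {
        Limit-EventLog -LogName $log -MaximumSize ($MaxSizeKB * 1KB)   # bytes; must be a multiple of 64 KB
    }
}

# auditpol category name -> what to audit (article's wording in comments)
$AuditSettings = [ordered]@{
    'Policy Change'      = 'success'   # audit policy change
    'Logon/Logoff'       = 'both'      # audit logon events
    'Object Access'      = 'success'   # audit object access
    'Detailed Tracking'  = 'both'      # audit process tracking
    'DS Access'          = 'both'      # audit directory service access
    'System'             = 'both'      # audit system events
    'Account Logon'      = 'both'      # audit account logon events
    'Account Management' = 'both'      # audit account management
}

function Set-AuditBaseline {
    foreach ($category in $AuditSettings.Keys) {
        $mode    = $AuditSettings[$category]
        $success = if ($mode -in 'success', 'both') { 'enable' } else { 'disable' }
        $failure = if ($mode -in 'failure', 'both') { 'enable' } else { 'disable' }
        auditpol.exe /set /category:"$category" /success:$success /failure:$failure | Out-Null
    }
}

function Get-AuditBaseline {
    # /r emits CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    auditpol.exe /get /category:* /r | ConvertFrom-Csv |
        Select-Object -Property Subcategory, 'Inclusion Setting'
}

Set-EventLogSize
Set-AuditBaseline
Get-AuditBaseline | Format-Table -AutoSize
```

With Logon/Logoff and Account Logon set to success and failure, the Security log grows quickly on an exposed RDP host, so check Get-EventLog -List after a few days to see whether 20480 KB is enough retention for your investigations.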

Enable and configure the firewall

If you use a cloud server (such as Alibaba Cloud, Tencent Cloud, etc.), the cloud service provider offers a firewall tool that is usually applied at the routing level. It is more convenient to use, and a mistake in its configuration will not lock you out of the server. Therefore, it is recommended to prefer the firewall provided by the cloud service provider.

Turn Windows Firewall on or off

Open the "Control Panel", select "System and Security" - "Windows Firewall", select "Turn Windows Firewall on or off" on the left, and choose to turn Windows Firewall on or off as needed. If you use the firewall provided by the cloud service provider, it is recommended to turn off the Windows Firewall. PS: Before turning on the firewall, you need to allow remote login port access, otherwise the remote connection will be interrupted!

Allow access to specific ports

Here Windows Firewall is used as an example (the rules provided by cloud service providers are similar), assuming the firewall is enabled. Execute WF.msc in "Run" to open "Windows Firewall with Advanced Security", click "Inbound Rules" on the left, then click "New Rule..." on the right to open the "New Inbound Rule Wizard":
(1) Select "Port" and click "Next";
(2) Select "TCP" as the protocol, select "Specific local ports", enter the remote login port and Web ports you have set, for example 80, 443, 3389, and click "Next";
(3) Select "Allow the connection" and click "Next";
(4) Keep all the profile options selected and click "Next";
(5) Enter a rule name, such as "Allow remote connections and Web services", and click "Finish" to save.

Disable ICMP (disable ping)

Follow the above steps to open "Windows Firewall with Advanced Security" and select "Inbound Rules" on the left. Double-click "File and Printer Sharing (Echo Request - ICMPv4-In)" from the default rules, select "Enabled" in "General", and select "Block the connection" in "Action". Finally, click "OK" to save.
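The wizard steps in the previous section and the ICMP rule above can be done together in PowerShell, in the order that keeps the remote session alive: allow rules first, then the echo-request block, then enabling the profiles. The following is an added example, not from the article; 3389 stands for the RDP port and should be replaced by the port you changed it to, and the rule name is the article's suggestion.

```powershell
# Added example (not from the original article): inbound allow rule for the web
# and RDP ports, block ICMPv4 echo requests via the built-in rule, then enable
# the firewall with default inbound block. Run elevated.
function Enable-HardenedFirewall {
    param([int[]]$AllowTcpPorts = @(80, 443, 3389))   # replace 3389 with your changed RDP port
    $ruleName = 'Allow remote connections and Web services'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $AllowTcpPorts -Action Allow -Profile Any | Out-Null
    }
    # Disable ping: enable the built-in echo request rule with action Block
    Set-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)' `
        -Enabled True -Action Block
    # Only now turn the firewall on; the allow rule above already exists
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
}

# What is enabled and which inbound ports are open, for a quick review
function Get-FirewallSummary {
    Get-NetFirewallProfile | Select-Object -Property Name, Enabled, DefaultInboundAction
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Get-NetFirewallPortFilter |
        Where-Object { $_.LocalPort -ne 'Any' } |
        Select-Object -Property Protocol, LocalPort |
        Sort-Object -Property Protocol, LocalPort -Unique
}

Enable-HardenedFirewall
Get-FirewallSummary | Format-Table -AutoSize
```

If the RDP port in $AllowTcpPorts does not match the PortNumber in the registry, the session drops the moment the profiles are enabled, which is why the allow rule is created before Set-NetFirewallProfile.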

Other security settings

Set a screen saver so that a local attacker cannot directly restore desktop control

Open the "Control Panel", go to "Appearance and Personalization" - "Personalization" - "Screen Saver", select a screen saver, then select "Show logon screen on resume", and set the waiting time to 10 minutes.

Turn off Windows AutoPlay

Execute the gpedit.msc command in "Run", open "Computer Configuration" - "Administrative Templates" - "All Settings" in sequence, double-click "Turn off AutoPlay", and then select "Enabled".

Disable IPv6. The procedure is as follows.

When a WebLogic web application is deployed on Windows Server 2008/2016 and tested after deployment, the test page may use the address of the tunnel adapter instead of the static IP address. Since the network has no IPv6 access, IPv6 and the tunnel adapter are disabled as follows:
Disabling IPv6 is simple. Go to Control Panel\Network and Internet\Network and Sharing Center, click "Change adapter settings" on the left side of the panel to open the network connections, select the connection to configure, right-click and select Properties, clear the checkbox in front of Internet Protocol Version 6 (TCP/IPv6), and click OK.

To disable the tunnel adapter, change the registry as follows:
Start -> Run -> enter regedit to open the Registry Editor and navigate to:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters]
Right-click Parameters, select New -> DWORD (32-bit) Value, name the value DisabledComponents, and set its value to ffffffff (hexadecimal).
The change takes effect after a restart.
DisabledComponents value definitions:
0, enable all IPv6 components, default setting
0xffffffff, disable all IPv6 components, except the IPv6 loopback interface
0x20, use IPv4 instead of IPv6 in prefix policy
0x10, disable native IPv6 interface
0x01, disable all tunnel IPv6 interfaces
0x11, disable all IPv6 interfaces except the loopback interface for IPv6
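DisabledComponents is a bit mask, so the definitions above can be decoded rather than memorised. The following is an added example, not from the article: it reads the current value, decodes it against the bits listed above, and writes a new one. The default it writes is 0xFF, which also disables all IPv6 components except loopback; Microsoft's documentation recommends 0xFF over 0xFFFFFFFF because the latter adds a delay at boot. The BitConverter round trip is needed because a REG_DWORD comes back as a signed Int32, so 0xFFFFFFFF reads as -1.

```powershell
# Added example (not from the original article): read, decode and set the
# Tcpip6 DisabledComponents bit mask described above. Run elevated; reboot to apply.
$Tcpip6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

# Bits listed in the article (0xffffffff and 0x11 are combinations of these)
$FlagNames = [ordered]@{
    0x01 = 'all tunnel IPv6 interfaces'
    0x10 = 'native IPv6 interfaces'
    0x20 = 'prefer IPv4 over IPv6 in prefix policy'
}

function ConvertFrom-DisabledComponents {
    param([uint32]$Value)
    if ($Value -eq 0) { return 'all IPv6 components enabled (default)' }
    if ($Value -eq [uint32]::MaxValue) { return 'all IPv6 components disabled except loopback (0xffffffff)' }
    foreach ($bit in $FlagNames.Keys) {
        if ($Value -band $bit) { "disabled: $($FlagNames[$bit])" }
    }
}

function Get-IPv6DisabledComponents {
    $raw = (Get-ItemProperty -Path $Tcpip6 -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
    if ($null -eq $raw) { return [uint32]0 }    # value absent: default 0
    # Reinterpret the Int32 bits as unsigned so 0xffffffff is not reported as -1
    [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$raw), 0)
}

function Set-IPv6DisabledComponents {
    param([uint32]$Value = 0xFF)    # 0xFF: everything but loopback, without the 0xFFFFFFFF boot delay
    # Store the same bit pattern as a signed Int32, which is how REG_DWORD is written
    $signed = [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
    Set-ItemProperty -Path $Tcpip6 -Name DisabledComponents -Value $signed -Type DWord
}

"Current: 0x{0:X8}" -f (Get-IPv6DisabledComponents)
ConvertFrom-DisabledComponents -Value (Get-IPv6DisabledComponents)
Set-IPv6DisabledComponents          # or -Value 0x11 to keep the prefix policy unchanged
ConvertFrom-DisabledComponents -Value (Get-IPv6DisabledComponents)
# Restart-Computer                  # the new mask applies after the restart
```

Unchecking TCP/IPv6 on an adapter, as in the previous section, only unbinds that adapter; the registry mask is what stops the tunnel adapters, which is why both steps are listed.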

Done. Restart the server.

123WORDPRESS.COM Editor Added

In fact, in many cases you can refer to the security settings for Windows Server 2008 R2.

You can also install McAfee, SafeDog, the Guardian suite and similar tools, which provide basic security settings with one-click operation. The principles are the same as above, but manual configuration does more for your own skills. It is recommended to configure manually the first time, and then use a tool to check the result.

For more information, please refer to the following two articles

Windows Server 2008 R2 general security settings and basic security policies

Summary of win2008 r2 server security configuration steps
