SYS.1.2.2 Windows Server 2012

Description

Introduction

With Windows Server 2012, Microsoft brought to market in September 2012 a server operating system that includes various security improvements over previous Windows versions, in particular over its predecessor Windows Server 2008 R2. Technically, it does not build on Windows Server 2008 R2 but on the codebase of the client operating system Windows 8. With the release of Windows Server 2012 R2 in October 2013, the operating system was updated and expanded again, making it the server equivalent of Windows 8.1 on the client side.

This building block addresses the hardening of Windows Server 2012 and Windows Server 2012 R2 equally. Where both versions are meant, the unified notation “Windows Server 2012” is used; differences in the R2 version are mentioned separately. For both operating systems, mainstream support ended on 9 October 2018 and extended support (“End-of-Life”, EOL) on 10 October 2023. After that date, security updates are only available through Microsoft’s paid Extended Security Updates programme, so the continued operation of such a server is itself a risk that the security concept has to address.

Objective

The objective of this building block is to protect information and processes processed or controlled by server systems based on Windows Server 2012 in regular operation.

Scope and Modeling

The building block SYS.1.2.2 Windows Server 2012 is to be applied to all server systems running the Microsoft Windows Server 2012 operating system. For newer versions of Windows Server, the building block SYS.1.2.3 Windows Server is available.

This building block specifies and supplements the aspects addressed in the building block SYS.1.1 General Server with the specific characteristics of Windows Server 2012. Accordingly, both building blocks must always be applied together.

This building block assumes standard integration into an Active Directory domain, as is common in institutions. Specifics of standalone systems are mentioned only selectively where the differences appear particularly relevant. Requirements on the topic of Active Directory are part of building block APP.2.2 Active Directory Domain Services.

Security requirements for possible server roles and functions such as file servers (APP.3.3 File Server), web servers (APP.3.2 Web Server), or Microsoft Exchange and Outlook (APP.5.2 Microsoft Exchange and Outlook) are the subject of separate building blocks, as is the topic of virtualization (SYS.1.5 Virtualization). This building block deals with the fundamental hardening at operating system level using built-in means, independent of the server’s intended purpose.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to describe the threat landscape. The following specific threats and vulnerabilities are of particular significance for building block SYS.1.2.2 Windows Server 2012.

Inadequate Planning of Windows Server 2012

Windows Server 2012 is a complex operating system with a large number of functions and configuration options. There is a great deal of flexibility in domain integration and networking with other IT systems and services. Although modern Windows versions come with good default settings in many areas, the basic configuration is not always the most secure. Inadequate planning can lead to a large number of attack vectors that unauthorized third parties can easily exploit. Furthermore, if key decisions are not made before installation, Windows Server 2012 will be operated in an insecure and undefined state that is almost impossible to correct after the fact.

Inadvertent Use of Cloud Services

Windows Server 2012 offers the ability to use cloud services at various points without requiring third-party software to be installed. These include, for example, Microsoft Azure Online Backup or the online storage of BitLocker recovery keys. While cloud services can in principle offer advantages — for example with regard to availability — there are risks to confidentiality and an additional dependency in the case of inadvertent use. Data can come into the hands of unauthorized persons via cloud services; these can be either criminal actors or state actors. If a cloud service is discontinued, this can have a significant impact on an institution’s own business processes.

Incorrect Administration of Windows Servers

Windows Server 2012 and Windows Server 2012 R2 have gained many new security-relevant functions compared to their predecessors. For other (known) features, sub-functions, parameters, or default configurations have changed. If IT Operations is not sufficiently trained in the specifics of the systems, configuration errors and human mistakes may occur that can affect not only the functionality but also the security of the system.

A particular risk is posed by inconsistent Windows server security settings (e.g., for SMB, RPC, or LDAP). If the configuration is not systematically and centrally planned, documented, reviewed, and maintained, a so-called configuration drift may occur. The more the actual configurations of functionally similar systems diverge without justification and documentation, the harder it becomes to maintain an overview of the current state and to uphold security holistically and consistently.

Improper Use of Group Policies (GPOs)

Group Policy Objects (GPOs) are a useful and powerful way to configure many (security) aspects of Windows Server 2012, particularly in a domain. With the large number of possible settings, it is easy to accidentally set conflicting or incompatible settings, or to overlook certain areas. With an unsystematic approach, this leads at best to operational disruptions that are sometimes difficult to resolve, and at worst to serious vulnerabilities on the server or on connected clients. In particular, misunderstood inheritance rules and filters can result in GPOs not being applied to a system at all.

Loss of Integrity of Information or Processes Requiring Protection

Windows Server 2012 has a large number of functions to protect the integrity of information processed by the operating system. Each of these functions may have vulnerabilities. Furthermore, there is frequently a lack of consistent configuration, not least for reasons of convenience. Information and processes can thus be corrupted by unauthorized persons, and traces can often even be covered up. Malware is also frequently used to remotely manipulate information.

Unauthorized Acquisition or Misuse of Administrative Rights

Working with standard (non-administrative) privileges is now common practice. However, since administrators still need to elevate their privileges at certain points, attackers can potentially obtain privileged rights there. Misuse of rights by legitimate administrators is also a relevant damage scenario. Since the roles are often very powerful, the impact is typically considerable, especially for so-called domain administrators. Even without guessing or breaking passwords, suitable credentials can be read from memory and misused, for example through so-called pass-the-hash techniques, to move laterally within the network.

Compromise of Remote Access

Since Windows Server 2012 has a large number of options for remote management, these can fundamentally also be misused. Remote access such as RDP sessions can be reachable by third parties via insecure or insecurely used protocols, weak authentication (e.g., weak passwords), or incorrect configuration. This can result in extensive compromise of the server and the information stored on it. Often, other IT systems connected to the server can also be compromised in this way.
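The following PowerShell is an added example and not part of the building block: it reads the RDP listener settings that the compromise described above depends on (no Network Level Authentication, the legacy RDP security layer, low encryption, a firewall rule open to every network) through the Win32_TSGeneralSetting WMI class, and then sets the hardened counterpart. The management subnet is an assumption.

```powershell
# Added example, not from SYS.1.2.2: audit and harden the RDP-Tcp listener.
# Run elevated on the server. $ManagementSubnet is an assumption.
$ManagementSubnet = '10.0.100.0/24'

function Get-RdpListener {
    Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
}

function Get-RdpSecurityState {
    $l  = Get-RdpListener
    $fw = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        # 0 = no NLA: the logon screen is served to anyone who reaches 3389 (password guessing, RDP stack bugs)
        NlaRequired           = ($l.UserAuthenticationRequired -eq 1)
        # 0 = RDP security layer (no TLS, no server authentication, MITM-able), 1 = negotiate, 2 = TLS required
        TlsRequired           = ($l.SecurityLayer -eq 2)
        # 1 = Low (only client-to-server traffic encrypted), 2 = Client Compatible, 3 = High (128-bit), 4 = FIPS
        HighEncryption        = ($l.MinEncryptionLevel -ge 3)
        # 'Any' means every network the server is attached to may reach the listener
        ReachableFromAnywhere = [bool]($fw | Where-Object { $_.RemoteAddress -eq 'Any' })
    }
}

function Set-RdpHardening {
    $l = Get-RdpListener
    [void]$l.SetUserAuthenticationRequired(1)   # NLA: CredSSP authenticates before a session exists
    [void]$l.SetSecurityLayer(2)                # TLS required
    [void]$l.SetEncryptionLevel(3)              # High
    # Reachability: only the management network may talk to 3389 at all.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $ManagementSubnet
    # Who may connect: keep "Remote Desktop Users" to a dedicated admin group, never "Domain Users".
    net localgroup "Remote Desktop Users"
}

Get-RdpSecurityState        # before
Set-RdpHardening
Get-RdpSecurityState        # after: NlaRequired, TlsRequired, HighEncryption True; ReachableFromAnywhere False
# Monitoring: NLA failures appear as 4625 with LogonType 3, successful RDP logons as 4624 with LogonType 10.
```

The WMI setters apply to new connections without restarting the Remote Desktop Services service; sessions that are already open are not affected, so a compromised session has to be terminated explicitly.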

Requirements

The following are the specific requirements of building block SYS.1.2.2 Windows Server 2012. The Information Security Officer (ISO) is responsible for ensuring that all requirements are fulfilled and verified in accordance with the established security concept. The ISO must always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. They should be filled insofar as this is sensible and appropriate.

Responsibilities             Roles
Primarily responsible        IT Operations
Additional responsibilities  None

Exactly one role should be Primarily responsible. In addition, there may be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the heading of the requirement. The use of singular or plural says nothing about how many persons should fill these roles.

Basic Requirements

The following requirements MUST be fulfilled as a priority for this building block.

SYS.1.2.2.A1 Planning of Windows Server 2012 (B)

The use of Windows Server 2012 MUST be carefully planned before installation. Hardware requirements MUST be reviewed before procurement. A justified and documented decision MUST be made in favor of a suitable edition of Windows Server 2012. The intended purpose of the server and its integration into Active Directory MUST be specified. The use of cloud services integrated into the operating system MUST generally be weighed and planned. If not needed, the creation of Microsoft accounts on the server MUST be blocked.

SYS.1.2.2.A2 Secure Installation of Windows Server 2012 (B)

Only the server roles and features/functions that are actually required MUST be installed. If the Server Core installation option is functionally sufficient, it MUST be used; otherwise, it MUST be documented why Server Core is insufficient. The server MUST be brought to a current patch level during installation.
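The following PowerShell is an added example and not part of the building block: a pre-commissioning check that covers the verifiable parts of A1 and A2 on a freshly installed server (installation type, installed roles and features against the documented list, the Microsoft-account block, patch level). The list in $RequiredFeatures is an assumption and has to be filled from the server’s documented purpose.

```powershell
# Added example, not from SYS.1.2.2. Run in an elevated session on the server.
# $RequiredFeatures is an assumption: roles, their sub-features and the defaults
# (PowerShell, .NET, WoW64 on a full install) that are consciously kept.
$RequiredFeatures = @(
    'FileAndStorage-Services', 'File-Services', 'FS-FileServer', 'Storage-Services',
    'NET-Framework-45-Features', 'NET-Framework-45-Core', 'PowerShellRoot', 'PowerShell', 'WoW64-Support'
)

# --- A2: Server Core or full installation? ---
$ntcv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
"Product: $($ntcv.ProductName), build $($ntcv.CurrentBuild), installation type: $($ntcv.InstallationType)"
if ($ntcv.InstallationType -ne 'Server Core') {
    Write-Warning 'Full installation: A2 requires a written justification why Server Core is insufficient.'
}

# --- A2: anything installed that is not on the required list? ---
$installed  = Get-WindowsFeature | Where-Object { $_.Installed }
$unexpected = $installed | Where-Object { $RequiredFeatures -notcontains $_.Name }
if ($unexpected) {
    Write-Warning 'Installed roles/features that are not in the required list:'
    $unexpected | Select-Object Name, DisplayName | Format-Table -AutoSize
    # Removal: -Remove also deletes the binaries from the component store
    # (Features on Demand), so the feature cannot simply be switched back on.
    #   $unexpected | Uninstall-WindowsFeature -Remove -WhatIf
}

# --- A1: block creation of and logon with Microsoft accounts ---
# Policy "Accounts: Block Microsoft accounts"; 3 = users can neither add nor log on with Microsoft accounts.
$polKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$current = (Get-ItemProperty -Path $polKey -Name NoConnectedUser -ErrorAction SilentlyContinue).NoConnectedUser
if ($current -ne 3) {
    Write-Warning "NoConnectedUser is '$current'; setting it to 3."
    Set-ItemProperty -Path $polKey -Name NoConnectedUser -Value 3 -Type DWord
}

# --- A2: patch level ---
# Get-HotFix (Win32_QuickFixEngineering) does not list every update type, so compare
# the result with the WSUS/SCCM report for this server before sign-off.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, Description, InstalledOn
```

On Server Core the ServerManager module is present, so the same script runs there; the feature list it reports is the reference that later drift checks are compared against.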

SYS.1.2.2.A3 Secure Administration of Windows Server 2012 (B)

All administrators responsible for the server system MUST be trained in the security-relevant aspects of administering Windows Server 2012. Web browsers on the server MUST NOT be used to browse the web.

Standard Requirements

Together with the basic requirements, the following requirements reflect the state of the art for this building block. They SHOULD generally be fulfilled.

SYS.1.2.2.A4 Secure Configuration of Windows Server 2012 (S)

Multiple key functions/roles SHOULD NOT be fulfilled by a single server but SHOULD be appropriately distributed. Before commissioning, the system SHOULD be fundamentally hardened. For this purpose, function-specific and institution-wide security templates SHOULD be created and maintained, and deployed to the servers. Internet Explorer on the server SHOULD only be used in Enhanced Security Configuration and in Enhanced Protected Mode.
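The following PowerShell is an added example and not part of the building block: a minimal security template applied with secedit, followed by the checks for Internet Explorer Enhanced Security Configuration and Enhanced Protected Mode. The template values are illustrative and stand in for the institution’s own function-specific template. The /analyze run is also the check for the configuration drift described in the threat landscape: on a server already in use it lists every setting that has departed from the template.

```powershell
# Added example, not from SYS.1.2.2. Run elevated. The template is illustrative.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 10
LockoutDuration = 15
ResetLockoutCount = 15
[Registry Values]
MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature=4,1
MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,1
'@
# Registry Values syntax: path=type,value with 4 = REG_DWORD, 1 = REG_SZ.
$inf = "$env:TEMP\baseline.inf"; $db = "$env:TEMP\baseline.sdb"; $log = "$env:TEMP\baseline.log"
Set-Content -Path $inf -Value $template -Encoding Unicode

# 1. Analyse: settings that differ from the template are logged as "Mismatch".
#    On an existing server this is the drift report; review it before step 2.
secedit /analyze /db $db /cfg $inf /log $log /quiet
Select-String -Path $log -Pattern 'Mismatch'

# 2. Configure: /overwrite discards a stale database so the result is exactly the template.
secedit /configure /db $db /cfg $inf /overwrite /log $log /quiet

# --- Internet Explorer (full installation only; Server Core has no IE) ---
# IE ESC is stored as two Active Setup components: ...A7 = Administrators, ...A8 = Users.
$esc = @{
    Administrators = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}
foreach ($who in $esc.Keys) {
    if ((Get-ItemProperty -Path $esc[$who] -ErrorAction SilentlyContinue).IsInstalled -ne 1) {
        Write-Warning "IE Enhanced Security Configuration is off for $who"
    }
}
# Enhanced Protected Mode through the IE policy key, for 32- and 64-bit tab processes.
$ieMain = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main'
New-Item -Path $ieMain -Force | Out-Null
Set-ItemProperty -Path $ieMain -Name Isolation      -Value 'PMEM' -Type String
Set-ItemProperty -Path $ieMain -Name Isolation64Bit -Value 1      -Type DWord
```

In a domain the same template is imported into a GPO (Computer Configuration, Windows Settings, Security Settings) and linked to the OU of the servers with that function; the local secedit run then serves only as the independent drift check.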

SYS.1.2.2.A5 Protection Against Malware on Windows Server 2012 (S)

Except for IT systems with Windows Server 2012 that are operated as standalone devices without network connection and removable media, an antivirus program SHOULD be installed before the first connection to the network or to removable media. The concept for protection against malware SHOULD provide for regular full scans of all hard drives. Alerts for virus finds SHOULD be configured.

SYS.1.2.2.A6 Secure Authentication and Authorization in Windows Server 2012 (S)

In Windows Server 2012 R2, all user accounts SHOULD be members of the “Protected Users” security group. Accounts for services and computers SHOULD NOT be members of “Protected Users”, since the group disables NTLM, DES and RC4 Kerberos encryption, delegation and cached logon for its members. Service accounts in Windows Server 2012 SHOULD be implemented as (group) Managed Service Accounts rather than as ordinary user accounts with a password. LSA protection (running the Local Security Authority, LSASS, as a Protected Process Light, PPL) SHOULD be activated. The use of dynamic access rules (Dynamic Access Control) on resources SHOULD be preferred.
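The following PowerShell is an added example and not part of the building block: the three account-related measures of A6 in the order a practitioner would roll them out, including the audit step that finds unsigned LSA plug-ins before LSA protection blocks them. It requires the ActiveDirectory module (RSAT); group, account and host names are assumptions.

```powershell
# Added example, not from SYS.1.2.2. Names 'svc-app01', 'APP01$', 'corp.example' are assumptions.
Import-Module ActiveDirectory

# --- (1) LSA as a protected process (RunAsPPL), Windows Server 2012 R2 only ---
# Audit first: events 3065/3066 in the System log name authentication packages,
# password filters and other LSA plug-ins that would fail the signature check.
$lsaAudit = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\LSASS.exe'
New-Item -Path $lsaAudit -Force | Out-Null
Set-ItemProperty -Path $lsaAudit -Name AuditLevel -Value 8 -Type DWord
# After a reboot and a review period without 3065/3066 events, enable protection:
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -Value 1 -Type DWord
# Verification after the next reboot: Wininit event 12 "LSASS.exe was started as a protected process with level: 4".
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# --- (2) Protected Users: administrative user accounts in, service and computer accounts out ---
# The domain-side protections need the Windows Server 2012 R2 domain functional level.
$domain = Get-ADDomain
if ($domain.DomainMode -ne 'Windows2012R2Domain') {
    Write-Warning "Domain mode is $($domain.DomainMode); Protected Users is only fully effective at Windows2012R2Domain."
}
$admins = 'Domain Admins', 'Enterprise Admins', 'Administrators' |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Where-Object { $_.objectClass -eq 'user' } | Sort-Object -Property distinguishedName -Unique
# Members lose NTLM, DES/RC4, delegation and cached logon, and their TGT lives 4 hours:
# confirm each account works with Kerberos/AES first and keep one break-glass account out.
Add-ADGroupMember -Identity 'Protected Users' -Members $admins -WhatIf   # drop -WhatIf to apply
Get-ADGroupMember -Identity 'Protected Users' | Where-Object { $_.objectClass -ne 'user' } |
    ForEach-Object { Write-Warning "Non-user member in Protected Users: $($_.SamAccountName)" }

# --- (3) group Managed Service Account instead of a service account with a password ---
# One-time per forest: the KDS root key. Even with -EffectiveImmediately the key becomes
# usable only after the ~10 h replication window; needs a 2012 DC and the 2012 schema.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }
New-ADServiceAccount -Name 'svc-app01' -DNSHostName 'svc-app01.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'APP01$' -KerberosEncryptionType AES128, AES256
# On APP01 itself, where the service runs:
Install-ADServiceAccount -Identity 'svc-app01'
Test-ADServiceAccount -Identity 'svc-app01'   # $true: the host can retrieve the password; run the service as CORP\svc-app01$
```

The password of the gMSA is rotated by the domain controllers and never typed anywhere, which removes the stored service credential that pass-the-hash and credential dumping are after.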

SYS.1.2.2.A7 DISCONTINUED (S)

This requirement has been discontinued.

SYS.1.2.2.A8 Protection of System Integrity (S)

AppLocker SHOULD be activated and configured as strictly as possible.
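The following PowerShell is an added example and not part of the building block: an AppLocker policy for a server that runs one line-of-business application from an assumed directory. The rule collections start in AuditOnly mode and are switched to Enabled only after the audit events have been reviewed. The rule for the Windows folder carries exceptions for the sub-folders a standard user can write to, which the default rules generated by the console do not exclude.

```powershell
# Added example, not from SYS.1.2.2. $AppDir is an assumption. Run elevated.
$AppDir = 'C:\Program Files\ExampleApp'

# AppLocker evaluates nothing unless the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Base rules: OS and Program Files for everyone, everything for local Administrators (S-1-5-32-544).
# The DLL collection is left unconfigured here; enabling it needs its own performance test.
$basePolicy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="Windows folder without user-writable sub-folders" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
        <FilePathCondition Path="%WINDIR%\Tracing\*" />
        <FilePathCondition Path="%WINDIR%\Registration\CRMLog\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Administrators: all files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="06dce67b-934c-454f-a263-2515c8796a5d" Name="Scripts in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="9428c672-5fc3-47f4-808a-a0011f36dd2c" Name="Scripts in Windows without user-writable sub-folders" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="ed97d0cb-15ff-430f-b82c-8d7832957725" Name="Administrators: all scripts" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly">
    <FilePathRule Id="64ad46ff-0d71-4fa0-a30b-3f3d30c5433d" Name="Administrators: all Windows Installer files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$basePath = "$env:TEMP\applocker-base.xml"
Set-Content -Path $basePath -Value $basePolicy -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $basePath      # local policy; use -Ldap "LDAP://.../CN={GPO-GUID},CN=Policies,..." for a GPO

# Application rules: publisher rules for signed files, hash rules for the rest, merged into the base.
$fileInfo  = Get-AppLockerFileInformation -Directory $AppDir -Recurse -FileType Exe, Script, WindowsInstaller
$appPolicy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone -RuleNamePrefix ExampleApp -Optimize
Set-AppLockerPolicy -PolicyObject $appPolicy -Merge

# Check decisions without waiting for events: a copy of cmd.exe in a writable folder must not be allowed.
Copy-Item "$env:windir\System32\cmd.exe" "$env:windir\Temp\cmd-copy.exe" -Force
Test-AppLockerPolicy -XmlPolicy $basePath -User Everyone -Path "$env:windir\System32\cmd.exe", "$env:windir\Temp\cmd-copy.exe" |
    Select-Object FilePath, PolicyDecision, MatchingRule
# Expected: System32\cmd.exe Allowed; Temp\cmd-copy.exe not Allowed (no rule matches because of the exception)

# Review before enforcing: 8003 = would have been blocked (AuditOnly), 8004 = blocked (Enabled).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Switching EnforcementMode to Enabled is done in the same XML; until then a standard user sees nothing, and a server administrator, who is allowed everything by the last rule of each collection, has to remember that AppLocker constrains what runs under the application’s account, not what an administrator can launch.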

SYS.1.2.2.A9 DISCONTINUED (S)

This requirement has been discontinued.

Requirements for High Protection Needs

The following are exemplary proposals for requirements for this building block that go beyond the protection level corresponding to the state of the art. The proposals SHOULD be considered in the case of high protection needs. The specific determination is made within the framework of an individual risk analysis.

SYS.1.2.2.A10 DISCONTINUED (H)

This requirement has been discontinued.

SYS.1.2.2.A11 Intrusion Detection for Windows Server 2012 (H)

Security-relevant events in Windows Server 2012 SHOULD be collected and evaluated at a central point. Encrypted partitions SHOULD be locked after a defined number of decryption attempts.
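The following PowerShell is an added example and not part of the building block: (1) the audit subcategories that produce the events used below, (2) source-initiated Windows Event Forwarding of this server’s logs to a central collector, and (3) a detection query for the two credential-misuse patterns from the threat landscape, password guessing against the server and a privileged domain account arriving over the network with NTLM instead of Kerberos. Collector name, thresholds and the list of privileged accounts are assumptions.

```powershell
# Added example, not from SYS.1.2.2. 'wec01.corp.example' and 'CORP\Administrator' are assumptions.

# (1) Audit policy: these subcategories feed the query below.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Special Logon" /success:enable
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Security Group Management" /success:enable
# Record the command line in 4688 (needs KB3004375 on 2012 / 2012 R2).
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# (2) Source-initiated forwarding: the server pushes to the collector over WinRM.
# On the collector: wecutil qc /q, then a subscription selecting 4624, 4625, 4672, 4688, 4728-4732.
winrm quickconfig -q
$wef = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $wef -Force | Out-Null
Set-ItemProperty -Path $wef -Name '1' -Value 'Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60'
# The forwarder runs as NETWORK SERVICE, which needs read access to the Security log:
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add

# (3) Detection over the local Security log (the same query runs on the collector's ForwardedEvents log).
function ConvertFrom-SecurityEvent {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            Id          = $Event.Id
            Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Source      = $d.IpAddress
            LogonType   = $d.LogonType
            AuthPkg     = $d.AuthenticationPackageName
            Workstation = $d.WorkstationName
        }
    }
}

function Find-CredentialMisuse {
    param([int]$Hours = 24, [int]$FailureThreshold = 20, [string[]]$PrivilegedAccounts = @('CORP\Administrator'))
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ConvertFrom-SecurityEvent

    # Pattern A: many failed logons (4625) from one source: password guessing over RDP/SMB.
    $guessing = $events | Where-Object { $_.Id -eq 4625 } | Group-Object Source | Where-Object { $_.Count -ge $FailureThreshold } |
        ForEach-Object { [pscustomobject]@{ Pattern = 'PasswordGuessing'; Source = $_.Name; Count = $_.Count
                                             Accounts = ($_.Group.Account | Sort-Object -Unique) -join ',' } }

    # Pattern B: privileged domain account with a network logon (type 3) authenticated by NTLM.
    # A domain account on a domain-joined server normally gets Kerberos; NTLM here is the
    # footprint of pass-the-hash or of tooling that avoids Kerberos on purpose.
    $pth = $events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq '3' -and $_.AuthPkg -eq 'NTLM' -and $PrivilegedAccounts -contains $_.Account } |
        ForEach-Object { [pscustomobject]@{ Pattern = 'PrivilegedNtlmNetworkLogon'; Source = $_.Source; Count = 1; Accounts = $_.Account } }

    @($guessing) + @($pth)
}

Find-CredentialMisuse -Hours 24 | Format-Table -AutoSize
```

Forwarding matters more than the query itself: an attacker with administrative rights on the server can clear the local Security log (event 1102), but cannot retract the copies already on the collector.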

SYS.1.2.2.A12 Redundancy and High Availability for Windows Server 2012 (H)

It SHOULD be examined which availability requirements can be met or supported by operating system functions such as Distributed File System (DFS), ReFS, Failover Cluster, and Network Load Balancing or NIC Teaming (LBFO). BranchCache SHOULD be activated for branch offices.
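The following PowerShell is an added example and not part of the building block: it builds a switch-independent LBFO team from two adapters and runs the failover test that belongs to every availability measure, taking one member down and proving that the team still carries traffic. Adapter names and the gateway address are assumptions; the test interrupts a member link, so run it from a console session.

```powershell
# Added example, not from SYS.1.2.2. 'NIC1', 'NIC2' and the gateway are assumptions.
$Members = 'NIC1', 'NIC2'
$Gateway = '10.0.0.1'

# 'Dynamic' load balancing exists only on Windows Server 2012 R2 (6.3); Windows Server 2012 (6.2)
# offers TransportPorts, IPAddresses, MacAddresses and HyperVPort.
$osVersion = [Version](Get-WmiObject Win32_OperatingSystem).Version
$algorithm = if ($osVersion -ge [Version]'6.3') { 'Dynamic' } else { 'TransportPorts' }

New-NetLbfoTeam -Name 'Team1' -TeamMembers $Members -TeamingMode SwitchIndependent -LoadBalancingAlgorithm $algorithm -Confirm:$false | Out-Null
do { Start-Sleep -Seconds 2 } until ((Get-NetLbfoTeam -Name 'Team1').Status -eq 'Up')
# The IP configuration now belongs on the team interface, e.g.
#   New-NetIPAddress -InterfaceAlias 'Team1' -IPAddress 10.0.0.10 -PrefixLength 24 -DefaultGateway $Gateway

function Test-TeamFailover {
    param([string]$Member)
    Disable-NetAdapter -Name $Member -Confirm:$false
    Start-Sleep -Seconds 5
    $teamStatus = (Get-NetLbfoTeam -Name 'Team1').Status          # expected: Degraded, not Down
    $reachable  = Test-Connection -ComputerName $Gateway -Count 2 -Quiet
    Enable-NetAdapter -Name $Member -Confirm:$false
    [pscustomobject]@{ FailedMember = $Member; TeamStatus = $teamStatus; GatewayReachable = $reachable }
}

$Members | ForEach-Object { Test-TeamFailover -Member $_ }
# A result with TeamStatus 'Down' or GatewayReachable $false for either member means the
# team does not deliver the redundancy it was created for (usually both NICs on one switch or one uplink).
```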

SYS.1.2.2.A13 DISCONTINUED (H)

This requirement has been discontinued.

SYS.1.2.2.A14 Shutting Down Encrypted Servers and Virtual Machines (H)

To protect encrypted data, servers that are not needed (including virtual machines) SHOULD always be shut down. This SHOULD be done as automatically as possible. Decryption of data SHOULD require an interactive step or at a minimum be recorded in the security log.
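The following PowerShell is an added example and not part of the building block: a scheduled job that shuts down Hyper-V guests outside their service window, and a BitLocker data volume that stays locked after a boot until an administrator unlocks it interactively. VM names, the service windows and the drive letter are assumptions.

```powershell
# Added example, not from SYS.1.2.2. VM names, windows and 'D:' are assumptions. Run elevated on the host.
Import-Module Hyper-V, BitLocker

# Hours of the day in which each VM is allowed to run; VMs not listed are left alone.
$ServiceWindow = @{ 'REPORTING01' = 6..20; 'BUILD02' = 8..18 }

function Stop-VMOutsideWindow {
    $hour = (Get-Date).Hour
    foreach ($vm in Get-VM | Where-Object { $_.State -eq 'Running' -and $ServiceWindow.ContainsKey($_.Name) }) {
        if ($hour -notin $ServiceWindow[$vm.Name]) {
            # Guest shutdown through the integration services. -TurnOff is deliberately avoided:
            # cutting power to a guest with an encrypted volume risks the integrity of that volume.
            Stop-VM -Name $vm.Name -Confirm:$false
            Write-Output "Stopped $($vm.Name) at $(Get-Date -Format s)"
        }
    }
}

# Run the function hourly as SYSTEM; the script file path is an assumption.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Stop-VMOutsideWindow.ps1'
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date -RepetitionInterval (New-TimeSpan -Hours 1) -RepetitionDuration (New-TimeSpan -Days 3650)
Register-ScheduledTask -TaskName 'Stop-VMOutsideWindow' -Action $action -Trigger $trigger -User 'SYSTEM' -RunLevel Highest -Force

# Data volume D: with a password protector and no auto-unlock, so decryption after every boot
# is an interactive step. The recovery password is escrowed in AD (needs the AD DS backup GPO),
# not in a cloud account, which keeps the inadvertent-cloud-use threat out of the picture.
Enable-BitLocker -MountPoint 'D:' -PasswordProtector -Password (Read-Host -Prompt 'Volume password' -AsSecureString) -UsedSpaceOnly
Add-BitLockerKeyProtector -MountPoint 'D:' -RecoveryPasswordProtector | Out-Null
Disable-BitLockerAutoUnlock -MountPoint 'D:'
$rp = (Get-BitLockerVolume -MountPoint 'D:').KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Backup-BitLockerKeyProtector -MountPoint 'D:' -KeyProtectorId $rp.KeyProtectorId

# After a reboot an administrator runs:
#   Unlock-BitLocker -MountPoint 'D:' -Password (Read-Host -Prompt 'Volume password' -AsSecureString)
# and the lock/unlock activity is visible in the BitLocker management log:
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

For the operating system volume of a physical server the equivalent interactive step is a TPM plus PIN protector (Enable-BitLocker -TpmAndPinProtector); a TPM-only protector releases the key at boot without anyone present, which is exactly what this requirement wants to avoid.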

Additional Information

Good to Know

The manufacturer Microsoft provides, among others, the following additional information on Windows Server 2012:

The Information Security Forum (ISF) makes requirements for the use of servers in its standard “The Standard of Good Practice for Information Security”, in particular in Area SY1.2 Server Configuration.

The National Institute of Standards and Technology (NIST) provides the document “Guide to General Server Security: NIST Special Publication 800-123”, July 2008.