SYS.1.2.3 Windows Server
Description
Introduction
With Windows Server, Microsoft offers a server operating system. The major versions 2016, 2019, and 2022 of Windows Server are so-called long-term versions (Long-Term Servicing Channel, LTSC), each based on the codebase of the client operating system Windows 10. As with Windows 10, Microsoft is increasingly delivering cloud-based functions and applications as well as interfaces to the Microsoft Azure cloud platform with Windows Server.
Objective
The objective of this building block is to protect information that is processed, stored, and transmitted via server systems based on Windows Server 2016, 2019, and 2022 in regular operation.
Scope and Modeling
The building block SYS.1.2.3 Windows Server is to be applied to all server systems running Microsoft Windows Server in versions 2016, 2019, or 2022. For Windows Server 2012, the building block SYS.1.2.2 Windows Server 2012 is to be modeled instead.
This building block specifies and supplements the platform-independent security aspects for servers addressed in building block SYS.1.1 General Server with the specific characteristics of Windows Server in the mentioned versions. Accordingly, both building blocks must always be applied together.
This building block deals with fundamental hardening at operating system level using built-in means, independent of the server’s intended purpose. Security requirements for possible server roles and functions such as file servers (APP.3.3 File Server) or web servers (APP.3.2 Web Server) are the subject of separate building blocks, as is the topic of virtualization (SYS.1.5 Virtualization).
Furthermore, some operating system variants also come with additional applications pre-installed, such as the Microsoft Internet Explorer browser. The relevant building blocks must be modeled for these applications.
This building block assumes enrollment as a “Member Server” in an Active Directory domain, as is common in institutions. Specifics of standalone systems are mentioned only selectively where the differences appear particularly relevant. Requirements on the topic of Active Directory are part of building block APP.2.2 Active Directory Domain Services. For the use of the cloud service functions and applications that are partly delivered with the operating system, and of the interfaces between the Microsoft Azure cloud platform and Windows Server, building block OPS.2.2 Cloud Usage must be applied; it also addresses threats and general requirements for cloud usage.
Threat Landscape
Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to describe the threat landscape. The following specific threats and vulnerabilities are of particular significance for building block SYS.1.2.3 Windows Server.
Inadvertent Use of Cloud Services
Windows Server offers the ability to use cloud services at various points without requiring third-party software to be installed. These include, for example, Microsoft Azure Online Backup or the online storage of BitLocker recovery keys. While cloud services can offer advantages, for example with regard to availability, their inadvertent use carries risks to confidentiality and creates a dependency on service providers. Data can come into the hands of unauthorized third parties via cloud services; these can be criminals or state actors. If a cloud service is terminated by the provider, this can have a significant impact on an institution’s own business processes.
Compromise of Remote Access
Since Windows Server has a large number of options for remote management, these can fundamentally also be misused. Remote access such as RDP or WinRM sessions can be reachable by third parties via insecure or insecurely used protocols, weak authentication procedures (e.g., weak passwords), or incorrect configuration. This can result in extensive compromise of the server and the information stored on it. Often, other IT systems connected to the server can also be compromised in this way.
Windows Server Telemetry
Windows Server sends so-called diagnostic data to the manufacturer Microsoft by default. In addition, Microsoft can specifically query information from a server via the telemetry service integrated in Windows Server. Depending on the telemetry level, this includes, for example, access to crash dumps of the memory and access to operating system events on the server. There is a risk that the diagnostic and telemetry data may contain sensitive information that can reach third parties in this way.
Limited Forensics When Using Virtual Secure Mode (VSM)
The use of Virtual Secure Mode (VSM) restricts or complicates forensic investigations, e.g., for security incident handling. Processes protected by the Secure Kernel or Isolated User Mode (IUM) are no longer accessible. For example, memory images of these processes cannot be evaluated due to cryptographic measures.
Requirements
The following are the specific requirements of building block SYS.1.2.3 Windows Server. The Information Security Officer (ISO) is responsible for ensuring that all requirements are fulfilled and verified in accordance with the established security concept. The ISO must always be involved in strategic decisions.
Additional roles are defined in the IT-Grundschutz Compendium. They should be filled insofar as this is sensible and appropriate.
| Responsibilities | Roles |
|---|---|
| Primarily responsible | IT Operations |
| Additional responsibilities | None |
Exactly one role should be Primarily responsible. In addition, there may be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the heading of the requirement. The use of singular or plural says nothing about how many persons should fill these roles.
Basic Requirements
The following requirements MUST be fulfilled as a priority for this building block.
SYS.1.2.3.A1 Planning of Windows Server (B)
A justified and documented decision MUST be made in favor of a suitable edition of Windows Server. The intended purpose of the server and its integration into Active Directory MUST be specified. The use of cloud services delivered with the operating system MUST generally be carefully weighed and thoroughly planned. If not needed, the creation of Microsoft accounts on the server MUST be blocked.
SYS.1.2.3.A2 Secure Installation of Windows Server (B)
If the Server Core variant is functionally sufficient, it MUST be installed. Otherwise, it MUST be justified why the Server Core variant is insufficient.
SYS.1.2.3.A3 Telemetry and Usage Data under Windows Server (B)
In order to significantly reduce the transmission of diagnostic and usage data to Microsoft, telemetry level 0 (Security) MUST be configured on the Windows Server. If this setting cannot be effectively implemented, it MUST be ensured by appropriate measures — for example at the network level — that the data is not transmitted to the manufacturer.
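As an added example (not part of the BSI building block), the following PowerShell script applies telemetry level 0 through the standard Group Policy registry location, verifies it, and provides the network-level fallback that A3 requires when the setting cannot be relied on. The firewall rule name and the use of the host firewall as the fallback are assumptions of this example.

```powershell
# Added example (not part of the BSI building block): enforce telemetry level 0
# ("Security") via the Group Policy registry location and, on request, apply the
# network-level fallback A3 calls for. Run in an elevated session on the server.
param([switch]$WithNetworkFallback)
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

function Set-TelemetryLevelSecurity {
    # AllowTelemetry 0 = Security; this level is honored on Windows Server editions.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name AllowTelemetry -Type DWord -Value 0
}

function Test-TelemetryLevelSecurity {
    # $true only if the policy value exists and is exactly 0; a missing value means
    # the edition default applies and diagnostic data is sent.
    $v = (Get-ItemProperty -Path $policyKey -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
    return ($null -ne $v -and $v -eq 0)
}

function Block-TelemetryTransport {
    # Fallback when level 0 cannot be relied on: disable the "Connected User Experiences
    # and Telemetry" service (DiagTrack) and block its outbound traffic in the host firewall.
    # Filtering at the network perimeter is the complementary measure A3 mentions.
    Stop-Service -Name DiagTrack -ErrorAction SilentlyContinue
    Set-Service  -Name DiagTrack -StartupType Disabled
    if (-not (Get-NetFirewallRule -DisplayName 'Block DiagTrack outbound' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Block DiagTrack outbound' -Direction Outbound `
            -Service DiagTrack -Action Block -Profile Any | Out-Null
    }
}

Set-TelemetryLevelSecurity
if (-not (Test-TelemetryLevelSecurity)) { Write-Warning 'AllowTelemetry=0 is not present in the policy key' }
if ($WithNetworkFallback) { Block-TelemetryTransport }
```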
Standard Requirements
Together with the basic requirements, the following requirements reflect the state of the art for this building block. They SHOULD generally be fulfilled.
SYS.1.2.3.A4 Protection Against Exploitation of Vulnerabilities in Applications (S)
Measures to protect against exploits SHOULD be activated for all programs and services that support Windows exploit protection (cf. reference in Chapter 4.1 Good to Know).
SYS.1.2.3.A5 Secure Authentication and Authorization in Windows Server (S)
In Windows Server, all user accounts SHOULD be members of the “Protected Users” security group. Accounts for services and computers SHOULD NOT be members of “Protected Users”. Service accounts in Windows Server SHOULD be members of the “Managed Service Account” group.
SYS.1.2.3.A6 Security for Remote Access via RDP (S)
The effects on the configuration of the local firewall SHOULD be taken into account when planning remote access. The group of authorized users and IT systems for Remote Desktop access (RDP) SHOULD be defined by assigning appropriate permissions. Operating system mechanisms for protecting the transmitted login credentials (e.g., Remote Credential Guard or RestrictedAdmin) SHOULD be considered. In complex infrastructures, the RDP target system SHOULD only be reachable via an intermediary RDP gateway. When RDP is used, it SHOULD be reviewed and regulated whether the following convenience functions are consistent with the protection needs of the target system:
- the use of the clipboard,
- the integration of removable media and network drives, and
- the use of file storage, other devices and resources, such as smart card readers.
The cryptographic protocols and algorithms used SHOULD comply with the institution’s internal requirements.
If the use of Remote Desktop access is not planned, it SHOULD be completely deactivated.
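As an added example (not BSI's own code), the following PowerShell script audits the RDP settings named in A6 against a restrictive baseline (NLA, TLS, encryption level, the redirection features, RestrictedAdmin availability, and firewall scoping) and contains a function that deactivates RDP completely when it is not planned. The registry paths are the standard Terminal Services locations; which redirection features may remain enabled is an assumption to be decided per target system.

```powershell
# Added example (not BSI's own code): audit the RDP settings A6 names against a
# restrictive baseline and disable RDP completely when it is not planned. Run
# elevated on the server; registry paths are the standard Terminal Services keys.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tsPol  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}
# Group Policy values override the per-listener values, so the policy key is read first.
function Get-RdpSetting([string]$Name) {
    $v = Get-RegValue $tsPol $Name
    if ($null -eq $v) { $v = Get-RegValue $rdpTcp $Name }
    return $v
}

function Test-RdpHardening {
    # Item, observed value and the condition for the restrictive baseline; which of the
    # redirection items may stay enabled is decided per target system (A6).
    $checks = @(
        @{ Item = 'NLA required';               Actual = (Get-RdpSetting 'UserAuthentication'); Ok = { $args[0] -eq 1 } }
        @{ Item = 'TLS security layer';         Actual = (Get-RdpSetting 'SecurityLayer');      Ok = { $args[0] -eq 2 } }
        @{ Item = 'Encryption High or FIPS';    Actual = (Get-RdpSetting 'MinEncryptionLevel'); Ok = { $args[0] -ge 3 } }
        @{ Item = 'Clipboard redirection off';  Actual = (Get-RegValue $tsPol 'fDisableClip');     Ok = { $args[0] -eq 1 } }
        @{ Item = 'Drive redirection off';      Actual = (Get-RegValue $tsPol 'fDisableCdm');      Ok = { $args[0] -eq 1 } }
        @{ Item = 'PnP device redirection off'; Actual = (Get-RegValue $tsPol 'fDisablePNPRedir'); Ok = { $args[0] -eq 1 } }
        @{ Item = 'Smart card redirection off'; Actual = (Get-RegValue $tsPol 'fEnableSmartCard'); Ok = { $args[0] -eq 0 } }
        @{ Item = 'RestrictedAdmin/RCG usable'; Actual = (Get-RegValue $lsa 'DisableRestrictedAdmin'); Ok = { $args[0] -eq 0 } }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{ Item = $c.Item; Actual = $c.Actual; Compliant = [bool](& $c.Ok $c.Actual) }
    }
    # Host firewall: enabled rules of the built-in "Remote Desktop" group must not accept any source.
    $open = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallAddressFilter | Where-Object { $_.RemoteAddress -contains 'Any' }
    [pscustomobject]@{ Item = 'RDP firewall rules scoped'; Actual = @($open).Count; Compliant = (@($open).Count -eq 0) }
}

function Disable-RemoteDesktop {
    # A6: if Remote Desktop access is not planned, deactivate it completely.
    Set-ItemProperty -Path $tsRoot -Name fDenyTSConnections -Type DWord -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

Test-RdpHardening | Format-Table -AutoSize
```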
Requirements for High Protection Needs
The following are exemplary proposals for requirements for this building block that go beyond the protection level corresponding to the state of the art. The proposals SHOULD be considered in the case of high protection needs. The specific determination is made within the framework of an individual risk analysis.
SYS.1.2.3.A7 Use of Windows PowerShell (H)
PowerShell execution SHOULD be centrally logged. The generated logs SHOULD be appropriately monitored. The execution of PowerShell scripts SHOULD be restricted using the Set-ExecutionPolicy AllSigned command to prevent unsigned scripts from being (accidentally) executed. Older Windows PowerShell versions SHOULD be deactivated. The use of PowerShell Constrained Language Mode SHOULD be reviewed. To restrict Windows PowerShell, role-based administration SHOULD be implemented in Windows Server using Just Enough Administration (JEA).
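As an added example (not BSI's own code), the following PowerShell script implements the A7 items with built-in means: script block, module and transcript logging via the standard PowerShell policy registry keys, the AllSigned execution policy, removal of the PowerShell 2.0 engine, a Constrained Language Mode check, and a JEA endpoint for role-based administration. The transcript directory, the "CONTOSO\ServiceOperators" group, the ServiceOps endpoint and the two restartable services are illustrative assumptions.

```powershell
# Added example (not BSI's own code): implement the A7 items with built-in means.
# Policy paths are the standard PowerShell GPO registry locations; the transcript
# directory, the "CONTOSO\ServiceOperators" group and the ServiceOps JEA role are
# illustrative assumptions. Run elevated; Register-PSSessionConfiguration restarts WinRM.
$psPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    # Script block logging (event 4104), module logging (4103) and transcripts. Forward
    # Microsoft-Windows-PowerShell/Operational centrally (e.g. Windows Event Forwarding).
    foreach ($sub in 'ScriptBlockLogging', 'ModuleLogging', 'ModuleLogging\ModuleNames', 'Transcription') {
        New-Item -Path "$psPol\$sub" -Force | Out-Null
    }
    Set-ItemProperty "$psPol\ScriptBlockLogging" -Name EnableScriptBlockLogging -Type DWord -Value 1
    Set-ItemProperty "$psPol\ModuleLogging"      -Name EnableModuleLogging      -Type DWord -Value 1
    New-ItemProperty "$psPol\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null
    Set-ItemProperty "$psPol\Transcription"      -Name EnableTranscripting      -Type DWord -Value 1
    Set-ItemProperty "$psPol\Transcription"      -Name OutputDirectory -Value 'C:\PSTranscripts'  # restrict its ACL
}

function Set-PowerShellExecutionRestrictions {
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force  # unsigned scripts are refused
    Uninstall-WindowsFeature -Name PowerShell-V2 | Out-Null   # the old engine bypasses the logging above
    # Constrained Language Mode is enforced by an application control policy (WDAC/AppLocker);
    # returning the current mode supports the review A7 asks for.
    return $ExecutionContext.SessionState.LanguageMode
}

function Register-JeaServiceOperator {
    # Role-based administration with JEA: members of the operator group connect to the
    # "ServiceOps" endpoint as a virtual account that can only list and restart two services.
    $modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JeaServiceOps'
    New-Item -Path "$modulePath\RoleCapabilities" -ItemType Directory -Force | Out-Null
    New-ModuleManifest -Path "$modulePath\JeaServiceOps.psd1"
    $cmdlets = @('Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidatePattern = '^(W3SVC|Spooler)$' } })
    New-PSRoleCapabilityFile -Path "$modulePath\RoleCapabilities\ServiceOperator.psrc" -VisibleCmdlets $cmdlets
    New-PSSessionConfigurationFile -Path "$modulePath\ServiceOps.pssc" -SessionType RestrictedRemoteServer `
        -RunAsVirtualAccount -TranscriptDirectory 'C:\PSTranscripts\JEA' `
        -RoleDefinitions @{ 'CONTOSO\ServiceOperators' = @{ RoleCapabilities = 'ServiceOperator' } }
    Register-PSSessionConfiguration -Name ServiceOps -Path "$modulePath\ServiceOps.pssc" -Force | Out-Null
}

Enable-PowerShellLogging
Set-PowerShellExecutionRestrictions
Register-JeaServiceOperator
```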
SYS.1.2.3.A8 Use of Virtual Secure Mode (VSM) (H)
When using Virtual Secure Mode (VSM), it SHOULD be taken into account that forensic investigations, e.g., for security incident handling, are restricted or complicated.
Additional Information
Good to Know
The manufacturer Microsoft provides, among others, the following additional information on Windows Server:
- Windows Server documentation: https://docs.microsoft.com/en-us/windows-server/
- What’s New in Windows Server 2019: https://docs.microsoft.com/en-us/windows-server/get-started-19/whats-new-19
- What’s New in Windows Server 2022: https://docs.microsoft.com/en-us/windows-server/get-started/whats-new-in-windows-server-2022
- Comparison of Standard and Datacenter editions of Windows Server 2019: https://docs.microsoft.com/en-us/windows-server/get-started-19/editions-comparison-19
- Comparison of Standard and Datacenter editions of Windows Server 2022: https://docs.microsoft.com/en-us/windows-server/get-started/editions-comparison-windows-server-2022
- Fixed Lifecycle Policy: https://support.microsoft.com/en-us/help/14085/fixed-lifecycle-policy
- Features removed or planned for replacement in Windows Server 2019: https://docs.microsoft.com/en-us/windows-server/get-started-19/removed-features-19
- Security and Assurance (overview): https://docs.microsoft.com/en-us/windows-server/security/security-and-assurance
- Microsoft Security Compliance Toolkit 1.0: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-compliance-toolkit-10
- Customize exploit protection: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection
- Credentials Protection and Management: https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/credentials-protection-and-management
- Protect Remote Desktop credentials with Windows Defender Remote Credential Guard: https://docs.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard
- Configure Windows diagnostic data in your organization: https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization
- List of security events under Windows Server: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor
- Windows Server Guidance to protect against Speculative Execution: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-speculative-execution
- Windows Authentication Overview: https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/windows-authentication-overview
The Information Security Forum (ISF) sets out requirements for the use of servers in its standard “The Standard of Good Practice for Information Security”, in particular in Area SY1.2 Server Configuration.
The National Institute of Standards and Technology (NIST) provides the document “Guide to General Server Security: NIST Special Publication 800-123”, July 2008.
The BSI provides recommendations for secure configuration and deactivation of telemetry — which also apply to Windows Server — as part of the study on system architecture, logging, hardening, and security functions in Windows 10 (SiSyPHuS Win10): https://www.bsi.bund.de/DE/Service-Navi/Publikationen/Studien/SiSyPHuS_Win10/AP4/SiSyPHuS_AP4_node.html