Windows Server Security Rule 4: Attack Surface Reduction (ASR)

Leave your reply

What can you expect from this document:

This document covers some basic security best practices that, if combined with other security measures, will help to increase the overall security of your system.

What is the threat?

All IT systems expose a so-called “attack surface.” As the name implies, these are parts of the system an adversary can potentially attack.

How to reduce the attack surface

The basic strategies of attack surface reduction are to reduce the amount of code running, the entry points available to untrusted users and to eliminate services requested by relatively few users. One approach to improve information security is to reduce the attack surface of a system or software. By turning off unnecessary functionality, there are fewer security risks. By having less code available to unauthorized actors, there will tend to be fewer failures. Although attack surface reduction helps to prevent security failures, it does not mitigate the amount of damage an attacker could inflict once a vulnerability is found.

Typical and recommended tasks
  • Do not run unnecessary applications and services
  • Disable Windows Server 2012R2 features that you do not use. For example, if you do not need FTP access, disable it.
  • Identify those services and tasks, which are not critical to the management of your network, and then disable the associated system policy rules.
  • Limit the applicability of the system policy rules to required network entities only.
  • Activate the Window Firewall and allow only inbound and outbound connections that are necessary.

One common approach is so-called “hardening.” Microsoft offers several tools and resources for this.

In this article we provide an easy step by step instruction utilizing the Security Configuration wizard which is part of the Windows Server 2012 platform:

Defense in depth, the practice of protecting against potential threats from as many angles as possible, is a concept that you are most likely already familiar with. With regard to server security, defense in depth involves, among other things, creating different security policies for each layer of your network. The server is the penultimate layer of security between potential threats and your company’s valuable data so applying security policies specifically for each server profile is both important and necessary.

Popular recommendations are to "stop the services that are not necessary" or "turn off features that are not being used." Luckily, every new version of Windows Server is built to be more secure by default. That said, it is common to have several (or sometimes hundreds) of different roles on the network server as well as multiple sets of file servers, web servers, database servers, etc. So, how can we ensure that each of these servers, with their different characteristics, are configured with the best security practices?

Since the release of Windows Server 2003 Service Pack 1 (SP1), Windows Server has included a tool called the Security Configuration Wizard that aims at analyzing the server profile and recommending changes to improve the security of the server. In Windows Server 2012, the Security Configuration Wizard is conveniently located in the new Server Manager dashboard.


When you use the Security Configuration Wizard, your first step is to define which action is taken. You cannot only create a new policy but also edit, apply and even remove an applied policy from your existing server configuration.


You then select the server that you want to apply the policy to.


In Windows Server 2012, the Security Configuration Wizard then parses the selected server and the information collected, and compares it with Microsoft’s security recommendations for that server profile (file, database, web, etc).


Below is an example of the results of a Security Configuration Wizard analysis and its suggestions for amendments, which can be changed and adapted according to a specific need.


Select administration options and additional services:


Select how to handle unspecified services:


Once the Security Configuration Wizard has completed its analysis and recommendations, you can then either save or apply the policy.

Additional Recommendations:

The Security Configuration Wizard covers only basic settings on Microsoft Windows Server 2012.

Click here for more information on securing Windows Server 2012 and Windows Server 2012 R2.

More information on Security Baselines is available here.

Further Information:

The contribution provided by Microsoft is intended to serve general information purposes and the content is AS IS without any express or implied warranties of any kind with respect to the accuracy, correctness or reliability. The information is provided without any warranty of fitness for a particular purpose. The information is compiled with the necessary care, however no liability is assumed in this respect, in particular with regard to the absence of errors, topicality with regard to the specific state of knowledge or use as the basis for the responsible decisions of the user.