This article provides specific security recommendations to safely configure your Windows server and ensure its safe operation.
These security recommendations apply only to servers with root access.
Configure the Account Lockout Policy to Lock User Accounts during Attacks
Configure the Account Lockout Policy to lock user accounts during attacks. After the lockout, no more registrations are allowed for a certain period of time. You can use these settings to defend yourself against brute force attacks. With these attacks, cybercriminals try to find out the password combinations for one or more user accounts by automatically trying out different combinations of letters and numbers. The more combinations are tested, the greater are the chances, that the attack is successful.
Configuring the Account Lockout Policy can only reduce the frequency and success rate of these types of attacks. In addition to brute force attacks, cybercriminals can also perform Denial of Service (DoS) attacks. In such an attack, a series of password attacks can lead to the lockout of all user accounts.
Configuring the Account Lockout Policy
Log on to the server as an administrator.
Open the Server Manager.
Click Tools > Local Security Policy at the top of the menu bar.
The Local Security Policy window opens.
Click in the navigation bar on the right on Account Policies > Account Lockout Policy.
Double-click the policy Account lockout threshold.
Enter the number of unsuccessful login attempts that must be made before an account is deactivated.
Double-click the policy Account lockout duration.
Enter the desired duration.
Click on the Reset account lockout counter after.
Enter the desired time after which the account lock counter is to be reset.
Restrict Access to the Remote Desktop Connection
To limit the number of people accessing the server, you can restrict access to the remote desktop connection. Proceed as follows:
Open the Server Manager.
Click Tools > Computer Management at the top of the menu bar. The Computer Management window opens.
Click Local users and groups.
Double-click the group you want to edit. For example, remote desktop users or administrators.
Then specify the users who are allowed to log on to the server.
Use the Attack Surface Analyzer from Microsoft
The Attack Surface Analyzer is a software that allows you to search for security vulnerabilities. This software displays changes in the operating system after the installation of new software.
For this purpose the Attack Surface Analyzer creates a snapshot of your system state before and after the installation of the software to be monitored. Using this snapshot, the Attack Surface Analyzer shows the changes to the operating system.
Further information about the Attack Surface Analyzer can be found here:
Use Windows Security Principles to Harden Your Server
Microsoft Windows offers a variety of settings that have different effects. Although the manufacturer offers comprehensive instructions, the correct configuration of these settings can still take a long time. This particularly applies to the configuration of group policies.
Group policies are guidelines for configuring various settings of the operating system. This also includes security settings. For example, you can use the Group Policies to determine how often a password needs to be renewed.
The Group Policy settings cannot be changed by the users.
Improper configuration of these guidelines can lead to weak points and/or malfunctions.
To support faster deployment and further simplify Windows management, Microsoft provides its customers with security baselines in formats that you can use directly, such as Group Policy Objects backups.
Further information on the basic security values can be found in the following article:
More articles from this series
The second article of this series can be found here: