
Server Hardening: Windows Server 2012

Published: October 18, 2012

Author: Rodrigo Immaginario, Microsoft MVP - Enterprise Security

Defense in depth, the practice of protecting against potential threats from as many angles as possible, is a concept that you are most likely already familiar with. With regard to server security, defense in depth involves, among other things, creating different security policies for each layer of your network. The server is the penultimate layer of security between potential threats and your company’s valuable data, so applying security policies specifically for each server profile is both important and necessary.

Popular recommendations are to "stop the services that are not necessary" or "turn off features that are not being used." Luckily, every new version of Windows Server is built to be more secure by default. That said, it is common to have several (or sometimes hundreds of) different server roles on the network, as well as multiple sets of file servers, web servers, database servers, etc. So, how can we ensure that each of these servers, with its different characteristics, is configured with the best security practices?

Since the release of Windows Server 2003 Service Pack 1 (SP1), Windows Server has included a tool called the Security Configuration Wizard that aims at analyzing the server profile and recommending changes to improve the security of the server. In Windows Server 2012, the Security Configuration Wizard is conveniently located in the new Server Manager dashboard.

Figure 1. Server Manager dashboard in Windows Server 2012

When you use the Security Configuration Wizard, your first step is to define which action is taken. You can not only create a new policy but also edit, apply, and even remove an applied policy from your existing server configuration.

Figure 2. Configuration Action screen

You then select the server that you want to apply the policy to.

Figure 3. Select Server screen

In Windows Server 2012, the Security Configuration Wizard then parses the selected server and compares the information collected with Microsoft’s security recommendations for that server profile (file, database, web, etc.).

Figure 4. Security Configuration Database

Below is an example of the results of a Security Configuration Wizard analysis and its suggestions for amendments, which can be changed and adapted according to a specific need.

Figure 5. Selecting server roles and client features

Figure 6. Selecting administration options and additional services

Figure 7. Options for handling unspecific services

Once the Security Configuration Wizard has completed its analysis and recommendations, you can then either save or apply the policy. Since there is often more than one server in the profile that was analyzed by the wizard, I recommend creating a Group Policy Object (GPO) to apply that policy to all servers with the same characteristics. To do this, use Windows PowerShell and run the following command:

scwcmd transform /p:TemplateDomainController.xml /g:GPO-Hardening-DC


This can result in better standardization of the security policies applied to your environment, and make it easier for you to organize those policies as part of your overall server security strategy.
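The transform step in context, as an added example that is not part of the original article: it converts the saved policy into a GPO, links the GPO in a disabled state, and analyzes one pilot server against the policy before the link is enabled. The policy path, OU distinguished name, domain, pilot server name, and output folder are assumptions; replace them with your own values.

```powershell
# Added example (not from the article): stage an SCW policy as a GPO and verify it.
# Assumed values: policy path, OU distinguished name, pilot server, result folder.
Import-Module GroupPolicy

$PolicyFile  = "$env:windir\security\msscw\Policies\TemplateDomainController.xml"
$GpoName     = 'GPO-Hardening-DC'
$TargetOu    = 'OU=Domain Controllers,DC=example,DC=com'   # placeholder domain
$PilotServer = 'DC01'                                      # placeholder host name
$ResultDir   = Join-Path $env:TEMP 'scw-analysis'

if (-not (Test-Path -LiteralPath $PolicyFile)) {
    throw "SCW policy file not found: $PolicyFile"
}

# Stop if a GPO with this display name already exists, so nothing is reused by accident.
if (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue) {
    throw "A GPO named '$GpoName' already exists; pick another name or remove it first."
}

# Convert the SCW policy into a GPO (the command shown in the article).
& scwcmd.exe transform "/p:$PolicyFile" "/g:$GpoName"
if ($LASTEXITCODE -ne 0) {
    throw "scwcmd transform returned exit code $LASTEXITCODE"
}

# Confirm the GPO now exists in the domain.
$gpo = Get-GPO -Name $GpoName -ErrorAction Stop

# Link the GPO to the OU that holds servers of this profile, but keep the
# link disabled until the settings have been reviewed.
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled No | Out-Null

# Export the GPO settings for review.
New-Item -ItemType Directory -Path $ResultDir -Force | Out-Null
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $ResultDir "$GpoName.html")

# Compare one pilot server with the policy; results are written as XML to $ResultDir.
& scwcmd.exe analyze "/m:$PilotServer" "/p:$PolicyFile" "/o:$ResultDir"
if ($LASTEXITCODE -ne 0) {
    Write-Warning "scwcmd analyze returned exit code $LASTEXITCODE"
}

# After reviewing the report and analysis results, enable the link:
# Set-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes
```

Run this from an elevated session with rights to create and link GPOs in the domain. If a server behaves unexpectedly after the link is enabled, disabling the link again stops the policy from being applied to that OU.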

About the Author

Rodrigo Immaginario has worked in the computer science field and on infrastructure projects since 1994. Recently, he has specialized in security solutions in Microsoft environments. He has worked on a security project for the CEBW (Commission of the Brazilian Army in Washington) and worldwide IPsec, Hyper-V, and DirectAccess projects.

Rodrigo's certifications include Certified Information Systems Security Professional (CISSP) and Microsoft Certified Systems Engineer (MCSE) in Security. He has been a Microsoft Most Valuable Professional (MVP) since 2004 and is currently Chief Information Officer at the University Vila Velha in Brazil where he developed a post-graduate course in Microsoft .NET.
