File Size:. System Requirements Supported Operating System. Install Instructions To start the download, click the Download button and then do one of the following, or select another language from Change Language and then click Change.
Click Run to start the installation immediately. Click Save to copy the download to your computer for installation at a later time. Additional Information Other critical security updates are available: To find the latest security updates for you, visit Windows Update and click Express Install.
Customers of all sizes trust Windows Server to run their business and mission-critical workloads. With… Read more. You are invited to get a first look deep-dive at Windows Server by registering… Read more. Today, we are announcing the general availability of Windows Server Microsoft Windows Server Blog.
Monojit Bhattacharya Windows Server Team. Security , Announcements. By default 10 accounts will be cached locally, but there is a risk that in the event of a compromise an attacker could locate the cached credentials and use a brute force attack to discover the passwords. Therefore, it is recommended that this value be reduced so that fewer credentials will be placed at risk, and credentials will be cached for shorter periods of time in the case of devices that are logged into frequently by multiple users.
The Account Logon audit policy logs the results of validation tests of credentials submitted for user account logon requests. The server that is authoritative for the credentials must have this audit policy enabled.
For domain member machines, this policy will only log events for local user accounts. The university requires the following event log settings instead of those recommended by the CIS Benchmark:. The recommended retention method for all logs is: Overwrite events older than 14 days. These are minimum requirements. The most important log here is the security log. You may increase the number of days that you keep, or you may set the log files to not overwrite events.
Note that if the event log reaches its maximum size and no events older than the number of days you specified exist to be deleted, or if you have disabled overwriting of events, no new events will be logged. This may happen deliberately as an attempt by an attacker to cover his tracks. For critical services working with Cat 1 or other sensitive data, you should use syslog, Splunk, Intrust, or a similar service to ship logs to another device.
Splunk licenses are available through ITS at no charge. ITS also maintains a centrally-managed Splunk service that may be leveraged.
Configure user rights to be as secure as possible, following the recommendations in section 2. Microsoft has provided instructions on how to perform the conversion.
Be extremely careful, as setting incorrect permissions on system files and folders can render a system unusable. Be extremely careful, as setting incorrect permissions on registry entries can render a system unusable. Some remote administration tools, such as Microsoft Systems Management Server, require remote registry access to managed devices.
Disabling remote registry access may cause such services to fail. If remote registry access is not required, it is recommended that the remote registry service be stopped and disabled.
If remote registry access is required, the remotely accessible registry paths should still be configured to be as restrictive as possible. The group policy object below controls which registry paths are available remotely:. Further restrictions on the registry paths and subpaths that are remotely accessible can be configured with the group policy object:. By default, domain members synchronize their time with domain controllers using Microsoft's Windows Time Service.
The domain controller should be configured to synchronize its time with an external time source, such as the university's network time servers. Anti-spyware software is only required to be installed if the server is used to browse Web sites not specifically related to the administration of the server, which is not recommended. ITS provides anti-spyware software for no additional charge. At a minimum, SpyBot Search and Destroy should be installed.
An additional measure that can be taken is to install Firefox with the NoScript and uBlock add-ons. Microsoft Forefront may also be used, and can be configured directly or through the use of GPOs , which can simplify the management of multiple servers. Spyware Blaster - Enabling auto-update functionality requires the purchase of an additional subscription. SpyBot Search and Destroy - Automatic update tasks can be created inside the program itself and are scheduled using the Windows Task Scheduler.
In the Scheduled Task window that pops up, enter the following In the Run field:. Windows provides the Encrypting File System as a built-in mechanism to allow the encryption of individual users' files and folders. Be aware of the caveats involved in the use of EFS before implementing it for general use, though. Another encryption option to consider is whole-disk encryption, which encrypts the entire contents of the drive instead of just specific files and folders.
Windows comes with BitLocker for this. If encryption is being used in conjunction with Category I data, one of the solutions listed in the Approved Encryption Methods EID required must be implemented. Windows has a feature called Windows Resource Protection which automatically checks certain key files and replaces them if they become corrupted.
It is enabled by default. You can audit in much more in depth using Tripwire. Modern versions of Tripwire require the purchase of licenses in order to use it. The Tripwire management console can be very helpful for managing more complex installations.
All rights reserved.
0コメント