Securing Systems in the Cloud or On-Prem: 5 Tips


Whether working in the cloud or on-site, it’s essential to secure systems and networks. “Hardening” is one way to increase security posture by reducing a system’s vulnerabilities. There may be hundreds of recommendations for hardening any single technology.

In this post, we’ll focus on a few secure configuration recommendations for Microsoft Windows Server 2016, as suggested by the CIS Benchmarks – objective, consensus-driven security configuration guidelines to harden operating systems, mobile devices, routers, and more.

1. Disconnect After Normal Work Hours

Most organizations’ workforces adhere to a set work schedule. And even though working from cloud-based machines means you can (in theory) work from anywhere, anytime, it’s unlikely that most employees would need to log on at 3:00 a.m.

Microsoft Windows Server 2016 can be configured with set logon hours during which employees can work, with an automatic “force-logoff” outside those hours. Of course, these settings can be adjusted for those who work the night shift!

2. Use a Firewall

The benefits of firewalls for preventing unauthorized access to networks and systems are well known – they keep unapproved users away and stop the activities of malware that might attempt to retrieve data. The CIS Benchmark for Microsoft Windows Server 2016 reminds you that the firewall should be turned on – along with nine other recommendations for configuring firewalls that include display notifications, connections, and logging.

3. Limit Driver Installation Privileges

Consider whether users in your organization need to install their own shared printer drivers. Malicious applications such as Trojan horse programs can masquerade as printer drivers and spread problems throughout the server if unknowingly installed. For many workplaces, it is better to limit the installation of shared printer drivers to administrators only.

4. Implement Account Lockout

Between today’s complex password requirements and the chance of typos, it’s certainly possible for a user to have several incorrect password attempts. Unfortunately, it can be challenging to tell the difference between a struggling user and a malicious actor trying to gain unauthorized access to an account by guessing passwords.

Configuring an account lockout duration helps prevent break-in attempts by reducing the number of password attempts in a given time frame. However, setting a longer lockout period doesn’t necessarily mean better security posture; it could also mean more calls to the technical help desk to unlock a frustrated employee’s account.

5. Deploy Audit Logon

Speaking of account lockouts, it’s important to keep track of them by configuring your operating system to report when a user’s account is locked out due to too many failed logon attempts. Auditing and reviewing these event logs may be useful when investigating a security incident. You can implement this in Microsoft Windows Server 2016 by setting the “Audit Logon” configuration to “Success & Failure.”
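As an added example (not taken from the CIS Benchmark or CIS tooling), the following read-only PowerShell script reports the current state of the settings behind tips 1, 2, 4, and 5 on a server. It assumes an elevated session and English-language output from `net accounts` and `auditpol`; it sets no target values, because the recommended values come from the Benchmark itself.

```powershell
# Added example: read-only report on tips 1, 2, 4 and 5. Run elevated.
# Assumes English-language output from net.exe and auditpol.exe.
$findings = @()

# Tips 1 and 4: parse the "Name:   Value" lines printed by 'net accounts'.
$policy = @{}
foreach ($line in (net accounts)) {
    if ($line -match '^(?<name>.+?):\s+(?<value>.+)$') {
        $policy[$Matches['name'].Trim()] = $Matches['value'].Trim()
    }
}
if ($policy['Force user logoff how long after time expires?'] -eq 'Never') {
    $findings += 'Tip 1: users are not forced off when logon hours expire.'
}
if ($policy['Lockout threshold'] -eq 'Never') {
    $findings += 'Tip 4: no lockout threshold, so password guesses are unlimited.'
}

# Tip 2: every firewall profile (Domain, Private, Public) should be enabled.
$profiles = Get-NetFirewallProfile
foreach ($p in $profiles) {
    if ("$($p.Enabled)" -ne 'True') {
        $findings += "Tip 2: firewall profile '$($p.Name)' is not enabled."
    }
}

# Tip 5: the Logon subcategory should audit both success and failure.
# '/r' asks auditpol for CSV output; blank lines are dropped before parsing.
$logon = auditpol /get /subcategory:"Logon" /r |
    Where-Object { $_ } | ConvertFrom-Csv |
    Where-Object { $_.Subcategory -eq 'Logon' }
$setting = $logon.'Inclusion Setting'
if ($setting -ne 'Success and Failure') {
    $findings += "Tip 5: Audit Logon is '$setting', not 'Success and Failure'."
}

# Show the raw values for the reviewer, then the findings.
$policy.GetEnumerator() | Where-Object { $_.Key -match 'logoff|Lockout' } |
    Format-Table Key, Value -AutoSize
$profiles |
    Format-Table Name, Enabled, NotifyOnListen, LogBlocked, LogAllowed, LogFileName
if ($findings) { $findings } else { 'No findings for the settings checked.' }
```

The script changes nothing on the system. Compare the lockout and firewall logging values it prints against the values in the Benchmark for your profile level.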

Hardening for Secure Configurations

Hardening your networks and operating systems is a solid approach to protect against a variety of cybersecurity threats. We’ve outlined just a few guidelines for hardening a system – but most environments contain multiple unique systems, browsers, and applications. CIS works with a global community of cybersecurity experts to develop configuration guidelines, called CIS Benchmarks, for a multitude of technologies. They are available in three ways to help with the hardening process:

  1. Manually apply configuration guidelines for your technology platform using the free CIS Benchmark PDFs.
  2. Obtain CIS SecureSuite Membership and leverage CIS-CAT Pro Assessor to quickly assess a system’s conformance to the CIS Benchmarks, download benchmarks in additional formats (i.e., Excel, Word, XML), access remediation kits to apply secure configurations directly to select systems, and monitor compliance over time with CIS-CAT Pro Dashboard.
  3. CIS Hardened Images are available via multiple cloud providers and preconfigured to meet CIS Benchmark recommendations. CIS Hardened Images make operating securely in the cloud fast, easy, and affordable.

This list describes just a few of the 270+ secure configuration recommendations for Microsoft Windows Server 2016. Want to see the complete guide? Download the free CIS Benchmark for Microsoft Windows Server.

† Due to cloud provider restrictions, 11 CIS Benchmark recommendations are not applied to the CIS Benchmark Hardened Image for Microsoft Windows Server 2016; the remaining 286 secure configuration settings are applied.