This short document outlines some steps that can be performed on an Exchange 2016 server to improve its overall security (also called hardening).

General Windows Hardening:

1.) Disable the "X-AspNet-Version" header

as explained here.

2.) Disable NTFS 8 Dot 3

as explained here.

3.) Disable unneeded ports and the floppy drive

Disable any ports that are not needed (e.g. COM & LPT) and the floppy drive in the BIOS (for a VMware howto see here).

4.) Disable "NetBIOS over TCP/IP"

as explained here.

5.) Disable the "Printer Spooler" service

As the "Printer Spooler" service isn't needed on the OS, it should be disabled. To do that, change the startup type from Automatic to Disabled, then stop the service. This normally also disables printer sharing, but not in every environment. So open Computer Management, go to "Shared Folders", then "Shares", and disable the printer share.

6.) Rename the Administrator and Guest accounts

Make sure that the default Admin account and Guest account are renamed (e.g. RENAdministrator and RENGuest, but you should choose your own names here!)

7.) Make sure that the default Admin Account and Guest Account require a password.

This can be done via:

net user Administrator /PASSWORDREQ:YES
net user Guest /PASSWORDREQ:YES

8.) Disable SSL 2.0/3.0 and weak ciphers

as explained here, which will also enable TLS 1.2 in an additional section. You can also follow the howto here.

9.) Make sure you are using Microsoft Update rather than Windows Update, so that non-Windows core components installed on the OS are updated as well

10.) Set a proxy for the OS

To prevent an incorrect proxy from being added to the OS, set the proxy by hand (as mentioned here) and disable the "WinHTTP Web Proxy Auto-Discovery Service" service

11.) Disable SMBv1

As SMBv1 is quite old and has some vulnerabilities, you should disable it (as explained here) via the following:

Windows 2012:

Set-SmbServerConfiguration -EnableSMB1Protocol $false

Windows 2008:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

This still leaves SMBv2 and SMBv3 active and usable.

12.) Upgrade Diffie-Hellman Prime to 2048 bit as explained here.

13.) Enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP (see here)
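A read-only audit for several of the steps above, added here as an example (it is not from the original post). It assumes an elevated PowerShell session on Windows Server 2012 or later; the helper names Add-Check and Get-RegValue are made up for this example, and the built-in accounts are located by their well-known RIDs (500 and 501) so the checks still work after the rename in step 6.

```powershell
# Added example: read-only checks, nothing is changed. Run elevated.
$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Step, [string]$Item, [bool]$Ok, [string]$Found) {
    $results.Add([pscustomobject]@{ Step = $Step; Item = $Item; Pass = $Ok; Found = $Found })
}
function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (the OS default applies).
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($p) { $p.$Name } else { $null }
}

# Step 2: 8.3 name creation (assumption: 1 = disabled on all volumes is the target)
$v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' 'NtfsDisable8dot3NameCreation'
Add-Check '2' 'NTFS 8dot3 creation disabled' ($v -eq 1) "NtfsDisable8dot3NameCreation=$v"

# Step 4: NetBIOS over TCP/IP per adapter (TcpipNetbiosOptions 2 = disabled)
foreach ($nic in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE') {
    Add-Check '4' "NetBIOS off: $($nic.Description)" ($nic.TcpipNetbiosOptions -eq 2) "TcpipNetbiosOptions=$($nic.TcpipNetbiosOptions)"
}

# Steps 5 and 10: services must be both disabled and stopped
foreach ($pair in @(@('5', 'Spooler'), @('10', 'WinHttpAutoProxySvc'))) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$($pair[1])'"
    Add-Check $pair[0] "Service $($pair[1]) disabled" ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped') "$($svc.StartMode)/$($svc.State)"
}

# Steps 6 and 7: built-in accounts found by RID, so a rename does not hide them
$builtin = Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=TRUE' | Where-Object { $_.SID -match '-50[01]$' }
foreach ($acct in $builtin) {
    $stock = if ($acct.SID -like '*-500') { 'Administrator' } else { 'Guest' }
    Add-Check '6' "Built-in $stock renamed" ($acct.Name -ne $stock) "Name=$($acct.Name)"
    Add-Check '7' "Built-in $stock requires password" ([bool]$acct.PasswordRequired) "PasswordRequired=$($acct.PasswordRequired)"
}

# Step 8: SSL 2.0/3.0 server side (an absent value is reported as not enforced)
foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
    $e = Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Server" 'Enabled'
    Add-Check '8' "$proto server disabled" ($e -eq 0) "Enabled=$e"
}

# Step 11: SMBv1 server
$smb = Get-SmbServerConfiguration
Add-Check '11' 'SMBv1 server disabled' (-not $smb.EnableSMB1Protocol) "EnableSMB1Protocol=$($smb.EnableSMB1Protocol)"

# Step 13: WinHTTP DefaultSecureProtocols (0x200 = TLS 1.1, 0x800 = TLS 1.2)
$dsp = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' 'DefaultSecureProtocols'
Add-Check '13' 'WinHTTP defaults include TLS 1.1+1.2' (($dsp -band 0xA00) -eq 0xA00) "DefaultSecureProtocols=$dsp"
$results | Sort-Object { [int]$_.Step } | Format-Table -AutoSize
```

A failed row means the explicit setting was not found or differs; for registry-based checks an absent value means the OS default is in effect, which varies by Windows version.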
