Windows server security database

Windows security baselines

Applies to

  • Windows 10
  • Windows Server
  • Microsoft 365 Apps for enterprise
  • Microsoft Edge

Using security baselines in your organization

Microsoft is dedicated to providing its customers with secure operating systems, such as Windows 10 and Windows Server, and secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities.

Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations need guidance on configuring various security features. Microsoft provides this guidance in the form of security baselines.

We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs.

What are security baselines?

Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting its Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.

A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

Why are security baselines needed?

Security baselines are an essential benefit to customers because they bring together expert knowledge from Microsoft, partners, and customers.

For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of these 4,800 settings, only some are security-related. Although Microsoft provides extensive guidance on different security features, exploring each one can take a long time. You would have to determine the security impact of each setting on your own. Then, you would still need to determine the appropriate value for each setting.

In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to Windows security settings to help mitigate these threats. To enable faster deployments and make managing Windows easier, Microsoft provides customers with security baselines that are available in consumable formats, such as Group Policy Objects Backups.

How can you use security baselines?

You can use security baselines to:

  • Ensure that user and device configuration settings are compliant with the baseline.
  • Set configuration settings. For example, you can use Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.

Where can I get the security baselines?

You can download the security baselines from the Microsoft Download Center. The download page is for the Security Compliance Toolkit (SCT), which includes the security baselines along with tools that help admins manage them.

How to: Access SQL Server Using Windows Integrated Security

If your application runs on a Windows-based intranet, you might be able to use Windows integrated authentication for database access. Integrated security uses the current Windows identity established on the operating system thread to access the SQL Server database. You can then map the Windows identity to a SQL Server database and permissions.

To connect to SQL Server using Windows integrated authentication, you must identify the Windows identity under which your ASP.NET application is running. You must also be sure that the identity has been granted access to the SQL Server database. This topic includes a code example that displays the current Windows identity of the ASP.NET application.

Connecting to SQL Server

If SQL Server is on a different computer than the Web server, the Windows identity must be able to flow across the network to the remote instance of SQL Server. (Windows networks that have been configured appropriately with Kerberos authentication are able to do this.) However, depending on the settings in the identity configuration element, the Windows identity established on the operating system thread for ASP.NET applications may not be able to flow properly to the remote SQL Server.

You can supply a specific user name and password for the Web site’s worker process identity as shown in How to: Access SQL Server Using a Mapped Windows Domain User, or you can impersonate the authenticated identity supplied by Internet Information Services (IIS). To impersonate the Windows identity supplied by IIS, set the impersonate attribute of the identity configuration element to true as shown in the following example:

In IIS, only Basic Authentication logs users on with a security token that flows across the network to a remote SQL server. By default, other IIS security modes used in conjunction with the identity configuration element settings will not result in a token that can authenticate to a remote SQL Server.

If the Web site is configured to support only anonymous access in IIS, then the security token passed from IIS will be that of the Windows user account for anonymous access as configured in IIS. The anonymous user account can be used to authenticate against a remote SQL Server. However, the default anonymous user account is a local machine account and thus will not exist as an account on the remote SQL Server. You can change the IIS anonymous account to use a domain account, or you can mirror the local machine account on the remote SQL Server by creating a local account on the remote SQL Server with the same user name and password. Additionally, the LogonMethod metabase property for IIS6 must be set to an option that allows credentials to flow across the network. For example, the metabase setting MD_LOGON_NETWORK_CLEARTEXT allows logon credentials to flow across the network.

If you are unsure of the Windows identity for your application and whether that identity is logged on with a token that can flow across the network, you can run the following ASP.NET page as part of your application to display the name of the Windows identity and a value indicating whether the identity can flow across the network. Note that the following sample does not take into account whether or not Kerberos delegation has been successfully set up for your domain.

The following procedure shows how to access a SQL Server database using Windows integrated authentication in an intranet scenario, where each user has been granted access to the SQL Server individually.

To begin, you need to configure your application in IIS to turn off anonymous access and turn on Windows authentication.

To configure IIS for Windows integrated authentication

In Windows, open the Internet Information Services administration tool.

In the Microsoft Windows 2000 Server or Windows Server 2003 operating systems: In the Windows Start menu, point to Programs, then Administrative Tools, and then Internet Services Manager.

In the Microsoft Windows XP Professional operating system: open Administrative Tools in the Control Panel.

Open the node for your server, and then open nodes until you find the node for your application, which is typically located under Default Web Site.

Right-click your application and then click Properties.

On the Directory Security tab, click Edit.

In the Authentication Methods dialog box, clear the Anonymous Access check box, and then do one of the following:

If SQL Server is on the same computer as IIS, select the Integrated Windows authentication check box.

If SQL Server is a remote server, select the Basic Authentication check box and clear the Integrated Windows authentication check box.

Close all the dialog boxes.

In the application configuration file (Web.config), specify that the application will impersonate the user’s credentials supplied by IIS.

To configure Web.config to impersonate the identity supplied by IIS

Open the Web.config file for your application and add the following to the system.web element:

Elements in Web.config are case sensitive.

When you create a connection string to access SQL Server, you must include attributes that tell SQL Server that you are using integrated security.

To configure connection strings for Windows integrated security

In any connection string for SQL Server, include the attribute Trusted_Connection=Yes and remove the username and password attributes.

The following shows a typical connection string configured for Windows integrated security:

Set up SQL Server to recognize the users who will be accessing it.

To configure SQL Server for Windows integrated security

From the Windows Start menu, select Microsoft SQL Server, and then select Enterprise Manager.

Open the node for the server and expand the node for the database you want to give users permissions for.

Right-click the Users node and select New Database User.

In the Database User Properties dialog box, enter domain\username in the Login name box, and then click OK. Additionally, configure the SQL Server to allow all domain users to access the database.
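
The SQL Server side of the procedure above, as a T-SQL sketch that is an added example and not part of the original page. It assumes SQL Server 2012 or later (for ALTER ROLE ... ADD MEMBER); CONTOSO\alice and AppDb are placeholder names, and step 3 must be run by an administrator with VIEW SERVER STATE.

```sql
-- Placeholder names (assumptions): CONTOSO\alice is the domain user,
-- AppDb is the application database.

-- 1. Server login backed by the Windows account; SQL Server stores no
--    password for it.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\alice')
    CREATE LOGIN [CONTOSO\alice] FROM WINDOWS;
GO

USE AppDb;
GO

-- 2. Database user mapped to that login, given read-only role membership
--    instead of a broad role such as db_owner.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\alice')
    CREATE USER [CONTOSO\alice] FOR LOGIN [CONTOSO\alice];
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\alice];
GO

-- 3. Run as an administrator while the web application is connected.
--    login_name shows which Windows identity actually reached SQL Server:
--    the impersonated end user, or the worker process or anonymous account
--    when impersonation is not in effect.
--    auth_scheme is KERBEROS, NTLM or SQL; a SQL value means the connection
--    string is still passing a user name and password.
SELECT s.session_id,
       s.login_name,
       s.original_login_name,
       s.host_name,
       s.program_name,
       c.auth_scheme,
       c.net_transport,
       c.encrypt_option
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
     ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  AND c.parent_connection_id IS NULL   -- skip MARS child connections
ORDER BY s.login_name;
GO

-- 4. Review which Windows accounts and groups can log in to the instance.
SELECT name, type_desc, is_disabled, create_date
FROM sys.server_principals
WHERE type IN ('U', 'G')               -- U = Windows login, G = Windows group
ORDER BY name;
GO
```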

Securing SQL Server

Applies to: SQL Server (all supported versions)

Securing SQL Server can be viewed as a series of steps, involving four areas: the platform, authentication, objects (including data), and applications that access the system. The following topics will guide you through creating and implementing an effective security plan.

You can find more information about SQL Server security at the SQL Server Web site. This includes a best practice guide and a security checklist. This site also contains the latest service pack information and downloads.

Platform and Network Security

The platform for SQL Server includes the physical hardware and networking systems connecting clients to the database servers, and the binary files that are used to process database requests.

Physical Security

Best practices for physical security strictly limit access to the physical server and hardware components. For example, use locked rooms with restricted access for the database server hardware and networking devices. In addition, limit access to backup media by storing it at a secure offsite location.

Implementing physical network security starts with keeping unauthorized users off the network. The following table contains more information about network security.

For information about | See
SQL Server Compact and network access to other SQL Server editions | "Configuring and Securing the Server Environment" in SQL Server Compact Books Online

Operating System Security

Operating system service packs and upgrades include important security enhancements. Apply all updates and upgrades to the operating system after you test them with the database applications.

Firewalls also provide effective ways to implement security. Logically, a firewall is a separator or restrictor of network traffic, which can be configured to enforce your organization’s data security policy. If you use a firewall, you will increase security at the operating system level by providing a chokepoint where your security measures can be focused. The following table contains more information about how to use a firewall with SQL Server.

For information about | See
Configuring a firewall to work with SQL Server | Configure a Windows Firewall for Database Engine Access
Configuring a firewall to work with Integration Services | Integration Services Service (SSIS Service)
Configuring a firewall to work with Analysis Services | Configure the Windows Firewall to Allow Analysis Services Access
Opening specific ports on a firewall to enable access to SQL Server | Configure the Windows Firewall to Allow SQL Server Access
Configuring support for Extended Protection for Authentication by using channel binding and service binding | Connect to the Database Engine Using Extended Protection

Surface area reduction is a security measure that involves stopping or disabling unused components. Surface area reduction helps improve security by providing fewer avenues for potential attacks on a system. A key part of limiting the surface area of SQL Server is running required services with "least privilege", granting services and users only the appropriate rights. The following table contains more information about services and system access.

For information about | See
Services required for SQL Server | Configure Windows Service Accounts and Permissions

If your SQL Server system uses Internet Information Services (IIS), additional steps are required to help secure the surface of the platform. The following table contains information about SQL Server and Internet Information Services.

For information about | See
IIS security with SQL Server Compact | "IIS Security" in SQL Server Compact Books Online
Reporting Services Authentication | Authentication in Reporting Services
SQL Server Compact and IIS access | "Internet Information Services Security Flowchart" in SQL Server Compact Books Online

SQL Server Operating System Files Security

SQL Server uses operating system files for operation and data storage. Best practices for file security require that you restrict access to these files. The following table contains information about these files.

For information about | See
SQL Server program files | File Locations for Default and Named Instances of SQL Server

SQL Server service packs and upgrades provide enhanced security. To determine the latest service pack available for SQL Server, see the SQL Server Web site.

You can use the following script to determine the service pack installed on the system.

Principals and Database Object Security

Principals are the individuals, groups, and processes granted access to SQL Server. "Securables" are the server, database, and objects the database contains. Each has a set of permissions that can be configured to help reduce the SQL Server surface area. The following table contains information about principals and securables.

For information about | See
Server and database users, roles, and processes | Principals (Database Engine)
Server and database objects security | Securables
The SQL Server security hierarchy | Permissions Hierarchy (Database Engine)

Encryption and Certificates

Encryption does not solve access control problems. However, it enhances security by limiting data loss even in the rare occurrence that access controls are bypassed. For example, if the database host computer is misconfigured and a malicious user obtains sensitive data, such as credit card numbers, that stolen information might be useless if it is encrypted. The following table contains more information about encryption in SQL Server.

For information about | See
The encryption hierarchy in SQL Server | Encryption Hierarchy
Implementing secure connections | Enable Encrypted Connections to the Database Engine (SQL Server Configuration Manager)
Encryption functions | Cryptographic Functions (Transact-SQL)

Certificates are software "keys" shared between two servers that enable secure communications by way of strong authentication. You can create and use certificates in SQL Server to enhance object and connection security. The following table contains information about how to use certificates with SQL Server.

For information about | See
Creating a certificate for use by SQL Server | CREATE CERTIFICATE (Transact-SQL)
Using a certificate with database mirroring | Use Certificates for a Database Mirroring Endpoint (Transact-SQL)

Application Security

Client programs

SQL Server security best practices include writing secure client applications. For more information about how to help secure client applications at the networking layer, see Client Network Configuration.

Windows Defender Application Control (WDAC)

Windows Defender Application Control (WDAC) prevents unauthorized code execution. WDAC is an effective way to mitigate the threat of executable file-based malware. For more information, see the Windows Defender Application Control documentation.

SQL Server Security Tools, Utilities, Views, and Functions

SQL Server provides tools, utilities, views, and functions that can be used to configure and administer security.

SQL Server Security Tools and Utilities

The following table contains information about SQL Server tools and utilities that you can use to configure and administer security.

For information about | See
Connecting to, configuring, and controlling SQL Server | Use SQL Server Management Studio
Connecting to SQL Server and running queries at the command prompt | sqlcmd Utility
Network configuration and control for SQL Server | SQL Server Configuration Manager
Enabling and disabling features by using Policy-Based Management | Administer Servers by Using Policy-Based Management
Manipulating symmetric keys for a report server | rskeymgmt Utility (SSRS)

SQL Server Security Catalog Views and Functions

The Database Engine exposes security information in several views and functions that are optimized for performance and utility. The following table contains information about security views and functions.
