Now available: Windows Server 2016 Security Guide!
This blog post was authored by Nir Ben Zvi, Principal PM Manager, Windows Server.
Windows Server 2016 includes major security innovations that can help protect privileged identity, make it harder for attackers to breach your servers, and detect attacks so that you can respond faster. This is powerful technology, and all that’s missing is guidance on how to best deploy and use Windows Server 2016 to protect your server workloads.
Today we are pleased to share the new Windows Server 2016 Security Guide.
This paper includes general guidance for helping secure servers in your environment as well as specific pointers on how you can utilize new security features in Windows Server 2016. We are committed to continue our effort to provide you with the right security solutions so that you can better protect, detect and respond to threats in your datacenter and private cloud.
Download the Windows Server 2016 Security Guide now and check out our website for more information on Windows Server security.
Windows Server Security Guide
Take an in-depth look at Windows server security. This guide features information on common network vulnerabilities, server hardening best practices, security improvements with Windows Server 2008 and more.
Security is one of the most important aspects of any Windows server environment. Not sure of how – or where – to start securing your Windows server? Read on — we’ve compiled a wealth of information on server security for you.
This Windows Server Security Guide features tips, book excerpts and more on a wide range of topics including common security vulnerabilities (and how to avoid them), Windows server security policies and the latest security enhancements for Windows Server 2008 – all aimed to help you figure out the best approach for your network.
Windows server security basics
In order to ensure security of your Windows server, you need to be well-informed on the fundamentals. This section covers common causes of Windows network security vulnerabilities as well as the best server hardening practices.
Common Windows server security vulnerabilities
Why does it seem like everyone has the same security flaws to worry about? Because most organizations make the same mistakes. Learn to sidestep the most common server security issues.
Basic Windows server hardening practices
When it comes to Windows server hardening, it’s all about doing what’s best for your environment without going overboard. These basic steps will help you secure your Windows server, without compromising your business needs.
→ Windows server hardening standards and guidelines
Take a look beyond the basics of server hardening with details on the most popular policies and standards for securing Windows servers.
Pros and cons of configuring branch offices
One of the most debated topics among Windows administrators is branch office security, specifically regarding configuration. This tip explores both sides of the server security coin.
How can RODCs help?
In this video, Microsoft’s Justin Graham explains how read-only domain controllers (RODC) and Active Directory can help to improve Windows branch office security.
Best practices for a secure Windows server
In this next section you’ll find the best practices available for securing your network and step-by-step guides on getting it done. Learn how to test VPN security, secure Microsoft endpoints and cut the cost of Windows identity and access management.
Using NAP and NAQC to protect network access
Network Access Quarantine Control and Network Access Protection are two services that can help Windows security administrators beef up security and prevent malicious hackers from entering their networks.
Testing, troubleshooting and deploying VPN security
Although virtual private networks make life easier for employees by allowing them to access a company’s network from almost anywhere, they also make it easier for hackers to steal sensitive information. See how to test VPN security, troubleshoot flaws and vulnerabilities and learn about VPN alternatives.
→ What does DirectAccess mean for VPN security?
Windows Server 2008 R2 debuts a new feature designed to simplify network connections for remote users. But will it leave your Windows network more vulnerable?
Securing Microsoft network endpoints
Given the rapid growth of employees who use laptop computers, securing network endpoints has become a major concern for security administrators. Learn how to defend against network security breaches and other Windows endpoint security tactics.
Remote access security measures for Windows users
Security for remote users has become a hot topic for Windows security professionals with the growth of telecommuting. Check out how to secure remote access points, best practices for remote user authentication and more.
Network security assessment for Windows infrastructures
Discover the consequences of improper network security assessments and see why you should test your network infrastructure for vulnerabilities in this excerpt from Hacking for Dummies.
→ Testing firewall rules
Here you’ll learn how to test your firewall’s rules — and overall Windows network security — to prevent a network break-in.
Cutting the cost of Windows identity and access management
Are you spending too much time and money on identity and access management? See how to get around the limitations of Windows’ native IAM tools and reduce overhead in the process.
Windows server security tools
Certain tools are needed to properly secure your Windows server. This section explores the Windows server security tools you shouldn’t live without.
Top free ‘must-have’ Windows security tools
Believe it or not, there’s more to life than Sysinternals. Here are some of the best free security tools from third parties for Windows server administration.
Security tools that limit user logon
The LimitLogin and UserLock tools allow network administrators to increase server security by limiting the number of times users can log onto their Windows networks.
Windows Server 2008 security
Microsoft made several changes in Windows Server 2008. This section explores the security updates and new additions designed to keep your Windows environment safe and secure after the upgrade.
Overlooked security issues in Windows Server 2008
In this three-part series, Windows expert Don Jones breaks down some crucial – yet often ignored – security issues administrators should consider before deploying Microsoft Windows Server 2008.
NAP and IPsec help secure Windows Server 2008
Network Access Protection (NAP), in conjunction with IPsec, prevents problematic machines from communicating with healthy hosts on your network, stopping a lot of malware in its tracks and providing an inexpensive way to secure communications across your network.
→ IPsec’s new features and improvements in Windows Server 2008
IPsec isn’t just for VPNs anymore. See the steps Microsoft has taken to broaden the reach of IPsec in Windows Server 2008, including simplifying the configuration console and isolating the server and domain.
→ Implementing simple NAP for Windows Server 2008
While NAP’s ability to protect your environment from unhealthy computers is a huge benefit, there’s a good chance that some administrators are still confused about how to implement it. Fortunately, the installation process for Network Access Protection is easier than you think.
Group Policy Object modeling simplifies network security
Group Policy modeling is a great security tool for troubleshooting Group Policy settings and testing GPOs before they are applied with Windows Server 2008.
More Windows security resources
Active Directory Security Guide
This guide offers plenty of must-know tips on maintaining a secure Active Directory environment, starting with the basics and moving on to more advanced practices.
File Server Security Tutorial
File servers are a prime target of malicious hackers. Learn to keep your Windows file servers safe with this step-by-step tutorial.
Web Server Security Guide
Web server security is critical to overall network protection. Here you’ll find configuration and testing best practices for Microsoft Internet Information Services (IIS).
Guidance on disabling system services on Windows Server 2016 with Desktop Experience
Applies to: Windows Server 2016
The Windows operating system includes many system services that provide important functionality. Different services have different default startup policies: some are started by default (automatic), some when needed (manual), and some are disabled by default and must be explicitly enabled before they can run. These defaults were chosen carefully for each service to balance performance, functionality, and security for typical customers.
However, some enterprise customers may prefer a more security-focused balance for their Windows PCs and servers, one that reduces their attack surface to the absolute minimum, and may therefore wish to fully disable all services that are not needed in their specific environments. For those customers, Microsoft® is providing the accompanying guidance regarding which services can safely be disabled for this purpose.
The guidance is only for Windows Server 2016 with Desktop Experience (unless used as a desktop replacement for end users). Beginning with Windows Server 2019, these guidelines are configured by default. Each service on the system is categorized as follows:
- Should Disable: A security-focused enterprise will most likely prefer to disable this service and forego its functionality (see additional details below).
- OK to Disable: This service provides functionality that is useful to some but not all enterprises, and security-focused enterprises that don’t use it can safely disable it.
- Do Not Disable: Disabling this service will impact essential functionality or prevent specific roles or features from functioning correctly. Therefore it should not be disabled.
- (No guidance): The impact of disabling these services has not been fully evaluated. Therefore, the default configuration of these services should not be changed.
Customers can configure their Windows PCs and servers to disable selected services using the Security Templates in their Group Policies or using PowerShell automation. In some cases, the guidance includes specific Group Policy settings that disable the service’s functionality directly, as an alternative to disabling the service itself.
Microsoft recommends that customers disable the following services and their respective scheduled tasks on Windows Server 2016 with Desktop Experience:
- Xbox Live Auth Manager
- Xbox Live Game Save
You can also access the information on all services detailed in this article by viewing the attached Microsoft Excel spreadsheet: Guidance on Disabling System Services on Windows Server 2016 with Desktop Experience.
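The PowerShell route mentioned above, as an added example that is not part of Microsoft's guidance: it reports the two services by default and disables them and their scheduled tasks only when run with `-Apply`. The service key names `XblAuthManager` and `XblGameSave` and the task folder `\Microsoft\XblGameSave\` are assumptions to confirm on the target server (for example with `Get-Service -DisplayName 'Xbox Live*'`) before use.

```powershell
#Requires -RunAsAdministrator
# Added example: audit (default) or disable the two services listed above.
# Key names and the task folder are assumptions; verify them on the target build.
[CmdletBinding()]
param(
    [switch]$Apply   # without -Apply the script only reports current state
)

$targets = @(
    @{ Display = 'Xbox Live Auth Manager'; Name = 'XblAuthManager' },
    @{ Display = 'Xbox Live Game Save';    Name = 'XblGameSave' }
)
$taskPath = '\Microsoft\XblGameSave\'   # assumed folder of the related scheduled tasks

$report = @(foreach ($t in $targets) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$($t.Name)'"
    if (-not $svc) {
        # Not installed (e.g. Server Core): there is nothing to disable, so skip it.
        [pscustomobject]@{ Item = $t.Display; Kind = 'Service'
                           Before = 'NotInstalled'; After = 'NotInstalled' }
        continue
    }
    $after = $svc.StartMode
    if ($Apply -and $svc.StartMode -ne 'Disabled') {
        # Stop a running instance first, then prevent it from starting again.
        Stop-Service -Name $t.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $t.Name -StartupType Disabled
        $after = (Get-CimInstance Win32_Service -Filter "Name='$($t.Name)'").StartMode
    }
    [pscustomobject]@{ Item = $t.Display; Kind = 'Service'
                       Before = $svc.StartMode; After = $after }
})

# The guidance covers the services' scheduled tasks as well.
$report += @(foreach ($task in Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue) {
    $before = $task.State
    if ($Apply -and $task.State -ne 'Disabled') {
        $task = $task | Disable-ScheduledTask
    }
    [pscustomobject]@{ Item = $task.TaskName; Kind = 'ScheduledTask'
                       Before = $before; After = $task.State }
})

$report | Format-Table -AutoSize
```

Run it once without `-Apply` to record the starting state; a `NotInstalled` row means the service is absent and needs no policy.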
Disabling services not installed by default
Microsoft recommends against applying policies to disable services that are not installed by default.
- The service is usually needed if the feature is installed. Installing the service or the feature requires administrative rights. Disallow the feature installation, not the service startup.
- Blocking the Microsoft Windows service doesn’t stop an admin (or non-admin in some cases) from installing a similar third-party equivalent, perhaps one with a higher security risk.
- A baseline or benchmark that disables a non-default Windows service (for example, W3SVC) will give some auditors the mistaken impression that the technology (for example, IIS) is inherently insecure and should never be used.
- If the feature (and service) is never installed, this just adds unnecessary bulk to the baseline and to verification work.
For all system services listed in this document, the two tables that follow offer an explanation of columns and Microsoft recommendations for enabling and disabling system services in Windows Server 2016 with Desktop Experience:
Explanation of columns
Name | Description |
---|---|
Service name | Key (internal) name of the service |
Description | The service’s description, from sc.exe qdescription. |
Installation | Always installed: Service is installed on Windows Server 2016 Core and Windows Server 2016 with Desktop Experience. Only with Desktop Experience: Service is on Windows Server 2016 with Desktop Experience, but is not installed on Server Core. |
Startup type | Service Startup type on Windows Server 2016 |
Recommendation | Microsoft recommendation/advice about disabling this service on Windows Server 2016 in a typical, well-managed enterprise deployment and where the server is not being used as an end-user desktop replacement. |
Comments | Additional explanation |
Explanation of Microsoft recommendations
Name | Description |
---|---|
Do not disable | This service should not be disabled |
OK to disable | This service can be disabled if the feature it supports is not being used. |
Already disabled | This service is disabled by default; no need to enforce with policy |
Should be disabled | This service should never be enabled on a well-managed enterprise system. |
The following tables offer Microsoft guidance on disabling system services on Windows Server 2016 with Desktop Experience: