The most valuable data in your organization is likely to be held in Active Directory (AD), databases, and on file servers. We often pay a lot of attention to securing AD and databases but file servers should also be appropriately secured. Here are my top 10 tips for keeping file servers protected.
1. Physical security
Don’t let somebody walk out the door with your file server. But server theft isn’t the only risk. Once a hacker has physical access to a server, security controls you have in place can be more easily circumvented.
2. Upgrade to Windows Server 2016
Windows Server 2016 has the latest and greatest security protections built in, with features like Credential Guard and Device Guard that can use Virtualization-Based Security (VBS) to harden against common attacks such as Pass-the-Hash. And because of the way Windows 10 and Windows Server 2016 are updated, they were less vulnerable to the WannaCry and Petya ransomware that surfaced earlier this year. Windows Defender is included Windows Server 2016 out-of-the-box, so you might not need to license a separate antivirus product.
3. Microsoft security baseline
Apply Microsoft’s baseline security settings for Windows Server 2016. There are thousands of settings that can be configured. Let Microsoft do the hard work to determine which features should be disabled. Microsoft was already recommending disabling the legacy Server Message Block (SMB) v1 protocol, which was vulnerable to attack, with the release of the Creators Update in Spring this year. Download the Security Compliance Toolkit to disable SMBv1 now.
4. Enable BitLocker
Encrypt all server disk volumes. Even if your server is physically secure, BitLocker encryption adds protection if physical security fails or if the hard drives are inappropriately disposed of.
5. Randomize and store local administrator password
Make sure that the local administrator password on your file server is unique, changed on a regular basis, and stored securely. You can use Microsoft’s Local Administrator Password Solution (LAPS) to automatically randomize passwords on servers and store them securely in AD. And don’t forget about other security best practices, such as using least privilege and restricting the use of domain administrator accounts to DCs.
6. Block Internet access at the perimeter firewall
File servers generally don’t need Internet access. Restrict access to required sites, such as Microsoft’s update servers if you don’t have Windows Server Update Services (WSUS) available on your company intranet.
7. Keep permissions simple
Plan how you are going to grant permissions to file shares. Keep it as simple as possible, and plan access based on users’ roles in your organization. Add ACLs to folders and keep file share permissions set to Authenticated Users, which is like Everyone, but excludes built-in security accounts like SERVICE, LOCAL_SERVICE, and NETWORK_SERVICE.
8. Enable auditing of shares and folders
Enable auditing of folders and shares so that access to files is monitored and changes to permissions are recorded. File Server audit component of LepideAuditor collects and monitors audit events from the Windows Event Log, and provides more detailed auditing for events such as file copies and historical permissions.
9. Add a global deny group to each folder
Create a group that has deny permissions on each shared folder. Deny always overrides allow permissions, so you can add users to this group if you need to quickly block access to file server resources.
10. Tested backup
Finally, it’s crucial to make sure you have a tested and secure backup procedure. If security controls fail to protect data, you’ll want to be able to recover your valuable data assets.