The most valuable data in your organization is likely to be held in Active Directory (AD), databases, and on file servers. We often pay a lot of attention to securing AD and databases but file servers should also be appropriately secured.
Here are my top 10 tips for keeping file servers protected.
Top 10 Tips for Securing Windows File Servers
1. Physical security
Don’t let somebody walk out the door with your file server. But server theft isn’t the only risk. Once a hacker has physical access to a server, security controls you have in place can be more easily circumvented.
2. Keep all software patched/up-to-date
To prevent unauthorized access to critical file servers, it is important to maintain up-to-date software and operating systems. Outdated and unpatched software creates vulnerabilities that can be exploited by attackers. Even if a Windows file server is not connected to the internet, software updates can be applied through running Windows Server Update Services (WSUS) on another server within the network. If internet access is necessary, it is recommended to enable automatic downloading and installation of patches through Windows Update, unless a manual testing process is in place. Additionally, enabling Internet Explorer Enhanced Security Configuration on the server, even if it is not used for browsing, can provide added security. This can be done by accessing the control panel and selecting the Internet Enhanced Security Configuration option in the Add Windows Components section.
3. Microsoft security baseline
Apply Microsoft’s baseline security settings for Windows Server 2016. There are thousands of settings that can be configured. Let Microsoft do the hard work to determine which features should be disabled. Microsoft was already recommending disabling the legacy Server Message Block (SMB) v1 protocol, which was vulnerable to attack, with the release of the Creators Update in Spring this year. Download the Security Compliance Toolkit to disable SMBv1 now.
4. Enable BitLocker
Encrypt all server disk volumes. Even if your server is physically secure, BitLocker encryption adds protection if physical security fails or if the hard drives are inappropriately disposed of.
5. Randomize and store local administrator password
Make sure that the local administrator password on your file server is unique, changed on a regular basis, and stored securely. You can use Microsoft’s Local Administrator Password Solution (LAPS) to automatically randomize passwords on servers and store them securely in AD. And don’t forget about other security best practices, such as using least privilege and restricting the use of domain administrator accounts to DCs.
6. Block Internet access at the perimeter firewall
File servers generally don’t need Internet access. Restrict access to required sites, such as Microsoft’s update servers if you don’t have Windows Server Update Services (WSUS) available on your company intranet.
7. Keep permissions simple
Plan how you are going to grant permissions to file shares. Keep it as simple as possible, and plan access based on users’ roles in your organization. Add ACLs to folders and keep file share permissions set to Authenticated Users, which is like Everyone, but excludes built-in security accounts like SERVICE, LOCAL_SERVICE, and NETWORK_SERVICE.
8. Tested backup
it’s crucial to make sure you have a tested and secure backup procedure. If security controls fail to protect data, you’ll want to be able to recover your valuable data assets.
9. Add a global deny group to each folder
Create a group that has deny permissions on each shared folder. Deny always overrides allow permissions, so you can add users to this group if you need to quickly block access to file server resources.
10. Enable auditing of shares and folders
Finally, Enable auditing of folders and shares so that access to files is monitored and changes to permissions are recorded. You can also use Lepide’s File Server auditing solution to audit changes made to files, folders and their permissions.
Additional Best Practices to Secure File Servers
Harden your firewall
To decrease potential points of attack, limit internet access to your file servers. Only allow the DNS and NTP services within your network to connect with the file servers. Use a firewall to monitor inbound and outbound traffic, examine accessible ports, and prevent access attempts from unfamiliar and dubious IP addresses.
Use real-time malware detection tools
Malicious software, such as ransomware, may cause a sudden increase in file activity (encrypting, renaming and deleting files). It is crucial to use a security incident response tool capable of quickly identifying such attacks early on and triggering actions aimed at stopping the attack and isolating infected devices for further investigation.
Assess security vulnerabilities
Discover hidden security weaknesses in your file servers such as inadequate authentication methods, excessive exposure of sensitive data, problems with permission management, insecure data transfers, and other similar concerns. Leverage practical insights gained from security assessments to identify and remove these gaps in your security framework.
Remove unnecessary software
Unneeded software often comes with extra vulnerabilities and security weaknesses that can be exploited. By removing these applications, the server becomes less prone to attacks, as there are fewer opportunities for hackers to exploit known vulnerabilities. Additionally, simplifying the server’s software environment makes it easier to keep track of security updates and patches, improving the overall maintenance and security posture of the file server.
Disable unnecessary services
Each service running on the server introduces potential vulnerabilities that can be exploited by malicious actors. Additionally, unnecessary services may run with excessive privileges, which increases the risk of privilege escalation attacks. Furthermore, stopping unnecessary services also helps to conserve system resources and improves performance by freeing up memory, CPU cycles, and network bandwidth. Unless you have a specific need for them, it is advisable to disable Fax Service, Messenger, IIS Admin, SMTP, Task Scheduler, Telnet, Terminal Services, and World Wide Web Publishing Services in Windows.
How Lepide Helps Secure Windows File Servers
Lepide Auditor for File Server can help to secure Windows file servers in the following ways:
- Establish a baseline of normal behavior: The Lepide solution can analyze user behavior and identify patterns that indicate access anomalies. By understanding normal behavior, the system can identify users or entities that have unauthorized access or are making unusual changes in permissions. This helps in keeping permissions simple and ensures that access control is maintained effectively.
- Audit shares and folders: The Lepide solution can monitor and audit the activity associated with shares and folders on Windows file servers. This includes tracking file and folder access, modifications, and permission changes. Detailed auditing logs are created, providing visibility into who accessed what and when. In case of any suspicious activity, it becomes easier to investigate and take necessary actions.
- Threshold alerting: The Lepide solution can be configured to detect and respond to events that cross predefined threshold conditions. For example, if multiple files are encrypted, renamed, or removed within a specified timeframe, it could indicate a ransomware attack. Lepide can identify such abnormal activities and alert security teams or execute a response in real-time.