Secure Time Synchronization in Windows Server 2016: UTC & Timestamps

Introduction

Increasing technological advancements despite the numerous advantages that have come with them form increased productivity, security; efficiency, and automation, and cybersecurity threats are increasingly becoming a huge problem for many organizations. The Windows Server 2016 has significantly improved the algorithms used in correcting time zones and clock synchronization with the Universal Time Coordinate (UTC) (Microsoft, 2018). Timestamps based requests/ responses and the server-based request/responses have significantly improved from its predecessor environment. The environment has also added new features including but not limited to enhanced API, the Hyper-V TimeScync service and interruption latency corrections, which play a pivotal role in task synchronization (Microsoft, 2018). Other key features include identity management – one of the most reliable security enhancement features- with the capability to ensure that data transactions remain integrity from end to end. Windows Defender is an antimalware application that detects and neutralize malware threats (Vigo, 2017).

Is your time best spent reading someone else’s essay? Get a 100% original essay FROM A CERTIFIED WRITER!

Save 25%

The server has included several vital changes to the core operating system (windows 10). Some of the upgraded features include:

Nano Server is a Windows Server Core mode that is remotely administered and provides no local logon and only supports 64-bit applications (Vigo, 2017). This feature is very critical in running web services such as the organization's website and web-based application such as IIS and DNS, cloud computing, and data centres. Another feature is the window's containers, which work like virtual machines but allow the operating system-level of virtualization to be hosted in isolated user-space. Active Directory Domain Services and Active Directory Federation Services (ADFS). These security and access management feature helps in addressing identity thefts, credentials by collaborating with the Microsoft Identity Manager (MIM), Privileged Access Management (PAM) to protect Active Directory (AD) with privileged access. The ADFS feature provides add-on security federation for Single Sign-on (SSO) between ADFS-secured companies and partnering organizations and authenticates cloud-based providers (Vigo, 2017). Lastly, the other significant feature is the PowerShell 5.0, and management terminal with new and more improved command lets (cmdlets) and the module for the remote server, application, and clients scripting and management.

Disk configuration and file encryption

The server environment uses Full Disk Encryption (FDE) and BitLocker to convert data from readable formats to cypher-text. The idea of disk configuration and file encryption is relatively straightforward – the organization's Information security (IT) department will require configuring all disk contents to suit the needs of each sector, and ensuring only authorized parties can access the data. To do so, BitLocker Drive Encryption has to be deployed at the same time observing IT security principles (identity authentication, secure password, and backup) of the least privileges. In other words, only required resource should be accessible to the service operators and the administer have full control of the BitLocker (Warner & Zacker, 2017).

Although the Windows Server 2016 allows the user to configure this setting after operating system installation, the disk configuration and file encryption should be done during installation. The Windows Server 2016 offers several features for data encryption and configuration: Bitlocker, Encrypting File System (EFS), and File Server Resource Manager (FSRM)(Melnick, 2019).

File Server Resource Manager (FSRM) hold the most useful data and application used. The FRSM thus controls and manages the quantity and the type of data stored in the servers. The FSRM offers a several disk configuration and management features;

• File screening management, which scans, identifies, and prevents or allow specific types of files from being store on volume folders.
• Quota management, which manages about quotas to set storage limits on folders and volumes.
• Storage report management, which allows users to schedule and configure the various concepts of the FSRM.
• File management tasks, which allows users to move or delete files to a specific location based on such file properties such as type or filename (Melnick, 2019).
• BitLocker: BitLocker complements FSRM and EFS by providing an additional layer of protection for data stored on Windows devices. BitLocker also protects lost or stolen devices against data theft or exposure, as well as offer secure data disposal when the user decommission equipment (Melnick, 2019).

Implement Server Patching and Updating Solutions

Windows Server 2016 has a patch management tool that consists of scanning computes, other peripheral devices and machines, and mobile devices on a network for missing software updates, called 'patches' and fix the problems by deploying the patches once they are available (GFI Software, 2020). It is advisable to install all latest system updates by ensuring that the automatic operating updates feature is on. The server comes with its patch management feature that allows automatic updates, including the antimalware applications such as Windows Defender, and other applications such as hardware drivers (GFI Software, 2020). The Windows Server 2016 is using cumulative patch management options, which contain fixes for one or several vulnerabilities identified by assigning numbers to the Exposures (CVE) system, and weaknesses maintained by the National Cybersecurity Federally Funded Research and Development Center (FFRDC)

However, this alone is not very effect patch management process, thus following steps provide steps for developing a more efficient and up-to-date patch management strategy for the organization's existing devices:

1. Develop a patch management policy
2. Frequent/scheduled network and devices are scanning to identify potential vulnerabilities such as Internet Explorer and Windows Defender Cumulative Security.
3. Validate deployment and downloaded patches in a test environment first to test for compatibility and performance.
4. Apply regular patch across the entire organization
5. Document and create reports of downloaded, tested, and deployed patches for auditing and compliance (GFI Software, 2020).

Implement malware protection

The Window Server 2016 Windows Defender – an antimalware application with the ability to detect and neutralize malware threats with automatic real-time updating capability (Vigo, 2017). Besides the Active Directory Domain Services and Active Directory Federation Services (ADFS) security and access management features help in addressing identity thefts, credentials by collaborating with the Microsoft Identity Manager (MIM), Privileged Access Management (PAM) to protect Active Directory (AD) with privileged access. The ADFS feature provides add-on security federation for Single Sign-on (SSO) between ADFS-secured companies and partnering organizations and authenticates cloud-based providers (Vigo, 2017).

Virus and malware attacks can result in catastrophic outcomes, thus the Windows Defender features, including "Virus & threat protection", and "Firewall & network protection" Device performance health" should always be on and running on real-time. Also, automatic updates should be enabled to run. Finally, while the quick scan runs automatically, then it is required that full scanning be conducted as frequently as possible to ensure no dangerous or unwanted programs are running, installed, or downloaded (Vigo, 2017).

Create security baselines

1. Security Baseline defines the fundamental security objective that must be met by a given system or service.
2. Access Control and accounts
3. Restrict access to privileged accounts to a small, controlled group of users.
4. Minimize the usage of processes/services/applications requiring privileged accounts
5. Restrict or disable remote access using privileged accounts
6. Restrict general access to a controlled group of users.
7. Minimize the usage of local accounts.
8. Networks (interfaces)
9. Disable unused network services.
10. Restrict incoming connections to those necessary for this service.
11. Restrict outgoing connections to those necessary for this service.
12. Minimize openings in CERN's outer perimeter firewall.
13. Disable all Internet connectivity.
14. Disable all local modems / GPRS modems.

Physical Security

1. Restrict physical access to the server as well as to its keyboard and mouse (latter two, if present).
2. Protect access to the BIOS by a non-default password.
3. Turn off PXE boot and booting from USB disk.
4. Protect IPMI access by a non-default password.
5. Protect access to the GRUB (or another boot loader) menu by a non-default password (ITSRM, 2010).

Hardening a windows operating system image

1. Windows Server hardening involves remediating and identifying security vulnerabilities. The follows practices are the best for hardening Windows operating systems
2. Frequent/scheduled network and devices are scanning to identify potential vulnerabilities such as Internet Explorer and Windows Defender Cumulative Security.
3. Validate deployment and downloaded patches in a test environment first to test for compatibility and performance.
4. Apply regular patch across the entire organization
5. Document and create reports of downloaded, tested, and deployed patches for auditing and compliance (GFI Software, 2020).
6. Create an effective mitigation and recovery strategy for a Windows network security incident based on best practice; Implement a Guarded Fabric solution.
7. Thoroughly test and validate deployment and downloaded patches in a test environment first to test for compatibility and performance.
8. Minimize the usage of processes/services/applications requiring privileged accounts
9. Restrict or disable remote access using privileged accounts
10. Restrict general access to a controlled group of users
11. Develop a patch management policy.
12. Frequent/scheduled network and devices are scanned to identify potential vulnerabilities such as Internet Explorer and Windows Defender Cumulative Security.

Windows Firewall configuration

Windows defeater is a firewall or "antivirus" that protects the system during internet sessions and real-time computing from viruses and online attacks. To configure the Windows Defender, Select on Windows Defender > Turn On the real-time, sample submission, and cloud-based protection (Lambert & Lambert, 2015).

Configuring IPsec Policies and IPsec transport and tunnel modes

Window Operating system encryption follows IPs policy, which determines which IP traffic is safe and security design used to the IP packet. The procedures are composed of Filter actions, lists, and security Rules. When configuring IPsec policy, the following prerequisites have to be met:

• A functioning Active Directory configuration can is capable of implementing Group Policy (GPOs) settings.
• Active ExpressRoute circuit
• ExpressRoute virtual network gateway must be connected to the ExpressRoute circuit.
• Verified Azure Windows VMs are deployed to the VNet.
• Verified connectivity between the Azure VMs and the on-premises and hosts can use DNS to resolve names correctly.
• To configure, create a GPO and associate it to the OU, then Define an IPsec Filter Action, and the Filter List.