Windows Server 2019 Security Best Practices

Uploaded by

Erwin Benitez

Managing network security risks on Windows Server 2019 involves several critical steps to ensure the
system remains secure. Below are best practices and measures to help manage and mitigate security
risks:

1. Use Windows Firewall

• Enable and configure Windows Firewall: Ensure the firewall is enabled and set rules to allow or
block incoming and outgoing connections.

• Create custom rules: You can define specific rules for services and ports to ensure only
necessary traffic is allowed.

Steps:

• Go to Control Panel > Windows Defender Firewall.

• Click on Advanced Settings to define inbound and outbound rules.

2. Implement Role-Based Access Control (RBAC)

• Principle of Least Privilege: Assign permissions only to users and administrators who need them.

• Active Directory Users and Groups: Use AD to manage access rights centrally.

Steps:

• In Active Directory, use Group Policy to set user permissions.

• Assign roles via the Server Manager (Server Manager > Tools > Active Directory Users and
Computers).

3. Enable and Configure BitLocker

• Encrypt sensitive data: Use BitLocker to encrypt the entire disk to protect data from
unauthorized access.

Steps:

• Go to Control Panel > System and Security > BitLocker Drive Encryption.

• Follow the steps to encrypt your disks.

4. Use Network Security Groups (NSGs)

• Isolate resources: Define Network Security Groups to control traffic to servers based on IP, ports,
and services.

Steps:

• Set up NSGs using the Windows Admin Center or via PowerShell.

5. Enable Intrusion Detection and Prevention Systems (IDPS)

• Monitor for malicious activities: Implement IDPS to detect suspicious activities in your network
and automatically block them.

Steps:

• Use IDPS tools such as Snort (third-party) or Windows Defender Advanced Threat Protection (ATP).

6. Regularly Apply Patches and Updates

• Keep your server updated: Ensure you regularly install updates to fix vulnerabilities.

Steps:

• Go to Settings > Update & Security > Windows Update and check for updates.

7. Use Secure Protocols

• Disable insecure protocols: Disable protocols such as SMBv1 and older versions of TLS. Ensure
you use modern, secure protocols like SMBv3, TLS 1.2, and TLS 1.3.

Steps:

• Use PowerShell to disable insecure protocols:

    Set-SmbServerConfiguration -EnableSMB1Protocol $false

8. Implement Group Policy for Security Configuration

• Enforce security policies: Use Group Policy to enforce password policies, screen lock timers, and
audit policies.

Steps:

• Open Group Policy Management Console (GPMC) and configure security policies under
Computer Configuration > Windows Settings > Security Settings.

9. Deploy Windows Defender Antivirus and ATP

• Antivirus protection: Ensure Windows Defender is running and updated. For advanced
protection, use Windows Defender ATP for real-time threat detection.

Steps:

• Open Windows Security > Virus & Threat Protection and configure the settings.

10. Monitor with Event Viewer and Logging

• Monitor network and system activities: Regularly check Event Viewer for security logs and
anomalies.

Steps:

• Open Event Viewer > Windows Logs > Security and set up alerts for specific events like failed
login attempts.

11. Enable Network Access Protection (NAP)

• Control access to the network: Use NAP to ensure that devices connecting to the network meet
certain security criteria (e.g., antivirus, firewall status).

Steps:

• Configure NAP via the Network Policy Server (NPS) in Server Manager > Tools > Network Policy
Server.

12. Backup and Disaster Recovery Plan

• Backup critical data: Regularly back up your server and have a disaster recovery plan in place in
case of a security breach or failure.

Steps:

• Use Windows Server Backup for regular backups (Server Manager > Tools > Windows Server
Backup).

13. Utilize PowerShell for Security Management

• Use PowerShell scripts to automate security monitoring, log analysis, and configuration
enforcement.
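
One way to automate the checks item 13 describes, as an added example that is not part of the original document: a read-only PowerShell audit of the settings from items 1, 3, 7, 9 and 10. The function names and the thresholds are assumptions chosen for illustration, and the script assumes an elevated session on a server with Windows Defender installed.

```powershell
# Added example (not from the original document): read-only baseline audit.
# Run in an elevated session; thresholds below are illustrative assumptions.
function New-Check([string]$Item, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Item = $Item; Pass = $Pass; Detail = $Detail }
}

function Get-SecurityBaselineReport {
    param(
        [int]$LookbackHours = 24,        # assumed review window for failed logons
        [int]$FailedLogonThreshold = 20, # assumed alert threshold
        [int]$MaxSignatureAgeDays = 3    # assumed acceptable Defender signature age
    )

    # Item 1: all firewall profiles (Domain, Private, Public) should be enabled.
    $off = @(Get-NetFirewallProfile | Where-Object { [string]$_.Enabled -ne 'True' })
    New-Check '1. Firewall profiles enabled' ($off.Count -eq 0) "Disabled: $($off.Name -join ', ')"

    # Item 7: the SMBv1 server protocol should be off.
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    New-Check '7. SMBv1 disabled' (-not $smb1) "EnableSMB1Protocol = $smb1"

    # Item 3: every volume BitLocker reports should have protection on.
    # The cmdlet exists only when the BitLocker feature is installed.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $open = @(Get-BitLockerVolume | Where-Object { [string]$_.ProtectionStatus -ne 'On' })
        New-Check '3. BitLocker protection on' ($open.Count -eq 0) "Unprotected: $($open.MountPoint -join ', ')"
    } else {
        New-Check '3. BitLocker protection on' $false 'BitLocker feature not installed'
    }

    # Item 9: Defender real-time protection on and signatures recent.
    $mp = Get-MpComputerStatus
    $ok = $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)
    New-Check '9. Defender healthy' $ok "RealTime = $($mp.RealTimeProtectionEnabled); SignatureAgeDays = $($mp.AntivirusSignatureAge)"

    # Item 10: count failed logons (Security event ID 4625) in the window.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$LookbackHours) }
    $failed = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    New-Check '10. Failed logons under threshold' ($failed.Count -lt $FailedLogonThreshold) "$($failed.Count) in last $LookbackHours h"
}

Get-SecurityBaselineReport | Format-Table -AutoSize -Wrap
```

Because the function returns objects rather than text, the same output can be filtered with Where-Object { -not $_.Pass } or exported from a scheduled task for trend review.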
