Server hardening refers to the process of improving the security configuration of a server.
A Windows server is a soft target for attackers if:
- Operating system installation media or files come from an untrusted source
- System is not current with patches and security updates
- Administrator accounts have weak passwords
- File systems don’t use NTFS and are unencrypted
Unified Extensible Firmware Interface (UEFI) is the successor to the older Basic Input
Output System (BIOS) firmware interface we’ve had since the first PCs; any new server
hardware you purchase nowadays uses UEFI firmware.
Windows Server 2016 supports booting from UEFI firmware, including UEFI Secure Boot.
The method for starting your server into UEFI setup depends entirely on the original
equipment manufacturer (OEM). Consult your documentation or visit the vendor’s website
to find out which keystroke to use.
Figure 1 shows the UEFI setup screen of a Lenovo notebook computer:
How Secure Boot Secures Your PC’s Boot Process:
A traditional BIOS will boot any software. When you boot your PC, it walks the devices in the boot order you configured and attempts to boot from each in turn. A typical PC finds and runs the Windows boot loader, which goes on to load the full Windows operating system.
However, malware such as a rootkit (in this role often called a bootkit) can replace your boot loader. The rootkit then loads your normal operating system with no visible sign that anything is wrong, and because it runs before the operating system and its security software, it is very hard to detect from inside Windows. The BIOS cannot tell malware from a trusted boot loader; it just boots whatever it finds.
Secure Boot is designed to stop this. Windows 8, 10 and Server 2016 computers ship with Microsoft’s signing certificates stored in the firmware’s authorized signature database (db). Before launching the boot loader, UEFI verifies that it carries a valid Authenticode signature chaining to a certificate in db and that it is not listed in the forbidden database (dbx). If a rootkit or other malware replaces or tampers with the boot loader, the signature no longer verifies and UEFI refuses to run it. This prevents malware from hijacking your boot process and concealing itself from your operating system. Note the limit of the guarantee: Secure Boot checks that the boot code is signed by a trusted party, not that it is free of bugs; a signed but vulnerable loader stays bootable until it is revoked through dbx.
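As an added example (this is not part of the original material or a Microsoft tool), the following PowerShell script, run elevated on a UEFI system with Secure Boot available, dumps the certificates the firmware holds in db and checks whether the Windows boot manager’s Authenticode signature chains to one of them. It assumes the default EFI System Partition layout created by Windows Setup (\EFI\Microsoft\Boot\bootmgfw.efi) and a free drive letter S: for mounting that partition; the function names are mine. It approximates the firmware’s check from inside Windows: the firmware does its own Authenticode validation and also consults dbx, which this script does not.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original text. Reads the UEFI "db" variable through the
# SecureBoot module, parses the EFI_SIGNATURE_LIST structures it contains, and checks
# whether the Windows boot manager's signature chains to a certificate in db.
Set-StrictMode -Version Latest

# Signature-type GUIDs defined in the UEFI specification.
$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Read-EfiSignatureList {
    # Parses a concatenation of EFI_SIGNATURE_LIST structures (the raw bytes that
    # Get-SecureBootUEFI returns) into one object per signature entry.
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $offset = 0
    while ($offset -lt $Bytes.Length) {
        # Header: SignatureType GUID (16), SignatureListSize (4), SignatureHeaderSize (4), SignatureSize (4)
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { throw "Malformed EFI_SIGNATURE_LIST at offset $offset" }

        $pos = $offset + 28 + $headerSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # Each EFI_SIGNATURE_DATA is a SignatureOwner GUID (16 bytes) followed by the payload.
            $owner = [guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
            $data  = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
            $entry = [pscustomobject]@{ Type = 'Unknown'; Owner = $owner; Subject = $null; Thumbprint = $null }
            if ($type -eq $EFI_CERT_X509_GUID) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $entry.Type = 'X509'; $entry.Subject = $cert.Subject; $entry.Thumbprint = $cert.Thumbprint
            } elseif ($type -eq $EFI_CERT_SHA256_GUID) {
                $entry.Type = 'SHA256'; $entry.Thumbprint = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
            }
            $entry
            $pos += $sigSize
        }
        $offset = $end
    }
}

function Test-BootManagerTrustedByDb {
    # Verifies the Authenticode signature of the Windows boot manager on the EFI System
    # Partition and reports whether any certificate in its chain is present in db.
    # Secure Boot treats db entries as trust anchors, so a match anywhere in the chain counts.
    param([string]$DriveLetter = 'S')   # assumed free drive letter for mounting the ESP

    $db = Read-EfiSignatureList -Bytes (Get-SecureBootUEFI -Name db).Bytes
    $dbThumbprints = $db | Where-Object Type -eq 'X509' | Select-Object -ExpandProperty Thumbprint

    $bootmgr = "${DriveLetter}:\EFI\Microsoft\Boot\bootmgfw.efi"   # default Windows Setup layout
    $mounted = $false
    if (-not (Test-Path $bootmgr)) {
        if (Test-Path "${DriveLetter}:\") { throw "Drive ${DriveLetter}: is in use; choose a free letter" }
        mountvol "${DriveLetter}:" /S | Out-Null   # built-in tool; /S mounts the EFI System Partition
        $mounted = $true
    }
    try {
        $sig = Get-AuthenticodeSignature -FilePath $bootmgr
        if ($sig.Status -ne 'Valid') { throw "Boot manager signature status: $($sig.Status)" }

        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; firmware has no CRL access either
        $null = $chain.Build($sig.SignerCertificate)
        $anchor = $chain.ChainElements | ForEach-Object Certificate |
                  Where-Object { $dbThumbprints -contains $_.Thumbprint } | Select-Object -First 1

        [pscustomobject]@{
            BootManager    = $bootmgr
            Signer         = $sig.SignerCertificate.Subject
            TrustedByDb    = [bool]$anchor
            MatchingDbCert = if ($anchor) { $anchor.Subject } else { $null }
        }
    } finally {
        if ($mounted) { mountvol "${DriveLetter}:" /D | Out-Null }   # unmount what we mounted
    }
}

# Usage (elevated PowerShell on a UEFI system):
Read-EfiSignatureList -Bytes (Get-SecureBootUEFI -Name db).Bytes | Format-Table Type, Subject, Thumbprint
Test-BootManagerTrustedByDb
```

On a machine with the stock Microsoft keys, the db listing typically includes “Microsoft Windows Production PCA 2011” (which signs the Windows boot manager) and “Microsoft Corporation UEFI CA 2011” (which signs third-party loaders and option ROMs), and TrustedByDb comes back True. On a legacy-BIOS machine, or a VM without UEFI firmware, Get-SecureBootUEFI itself throws, which is the same platform limitation described for Confirm-SecureBootUEFI below.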
How to Confirm Secure Boot Is Enabled Using MSINFO32:
Open the Run dialog (Windows key + R), type msinfo32 and press Enter.
In System Summary, read the BIOS Mode and Secure Boot State fields. On a UEFI system, Secure Boot State shows On or Off.
If BIOS Mode shows Legacy, Secure Boot State shows Unsupported: Secure Boot requires UEFI firmware, so on a legacy-BIOS (CSM) boot the option does not exist at all.
How to Confirm Secure Boot Is Enabled Using PowerShell:
You can check whether Secure Boot is enabled from PowerShell as follows.
In Windows 8, 10, Server 2012 and Server 2016 (or later), press the Windows key to go to the Start screen.
Type PowerShell, right-click Windows PowerShell in the search results and then click Run as administrator in the bar at the bottom of the screen.
Enter an administrator username and password, and click Yes.
In the PowerShell console, type Confirm-SecureBootUEFI and press Enter.
The command returns True or False in the PowerShell console. On a legacy-BIOS system, or a virtual machine without UEFI firmware, it does not return False; it throws the error “Cmdlet not supported on this platform”, which a script must catch.
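As an added example (not part of the original material), the function below wraps the MSINFO32 and PowerShell checks above into one report that can be run on a single server or pushed to many with PowerShell remoting. It reports the same two facts MSINFO32 shows (BIOS Mode and Secure Boot State), handles the legacy-BIOS case where Confirm-SecureBootUEFI throws, and cross-checks the result against the flag the kernel records at boot. The function name and the servers.txt file are mine; the cmdlets, environment variable and registry value are standard Windows.

```powershell
# Added example, not from the original text. Secure Boot status report that mirrors
# msinfo32's "BIOS Mode" and "Secure Boot State" and tolerates legacy-BIOS systems.
function Get-SecureBootReport {
    [CmdletBinding()]
    param()

    # Firmware type as Windows sees it ("UEFI" or "Legacy"); msinfo32 shows this as BIOS Mode.
    $biosMode = if ($env:firmware_type) { $env:firmware_type } else { 'Unknown' }

    $state  = 'Unsupported'   # what msinfo32 reports when BIOS Mode is Legacy
    $detail = $null
    try {
        # Returns $true/$false on UEFI systems; throws "Cmdlet not supported on this platform"
        # on legacy BIOS systems and on VMs that have no UEFI firmware.
        $state = if (Confirm-SecureBootUEFI) { 'On' } else { 'Off' }
    } catch {
        $detail = $_.Exception.Message
    }

    # Independent cross-check: the kernel records the firmware's Secure Boot flag at boot.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
    $regFlag = (Get-ItemProperty -Path $regPath -Name UEFISecureBootEnabled -ErrorAction SilentlyContinue).UEFISecureBootEnabled

    # Publisher GUID of the active Secure Boot policy; a non-default value is worth investigating.
    $policy = $null
    try { $policy = (Get-SecureBootPolicy).Publisher } catch { }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        BiosMode        = $biosMode
        SecureBootState = $state
        RegistryFlag    = $regFlag
        PolicyPublisher = $policy
        # True when the cmdlet and the kernel's boot-time flag agree.
        Consistent      = (($state -eq 'On') -eq ($regFlag -eq 1))
        Detail          = $detail
    }
}

# Run locally:
Get-SecureBootReport

# Or across a list of servers (assumed file servers.txt, one host per line) via remoting:
# Invoke-Command -ComputerName (Get-Content .\servers.txt) -ScriptBlock ${function:Get-SecureBootReport} |
#     Format-Table ComputerName, BiosMode, SecureBootState, Consistent, Detail
```

A row with BiosMode UEFI and SecureBootState Off is the one to act on: the hardware can do Secure Boot and someone has turned it off in setup. A row with Consistent False means the cmdlet and the kernel disagree and the machine should be inspected by hand.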
Preventing Unauthorized UEFI Changes:
An important IT security truism is that an attacker with physical access to your
server makes software-based protections far less effective. Make sure to
place your servers in physically-secured areas, preferably monitored with
Your server’s UEFI setup program should allow you to set one or more startup
passwords that prevent the system from being started or reconfigured without authorization. Those passwords are stored in the firmware and can usually be cleared by anyone who opens the case (with a motherboard jumper or by removing the CMOS battery), so you also need physical locks on the server chassis. Startup passwords gate the console, not the data: a drive pulled from the chassis can be read on another machine unless the volume is encrypted, which is why the unencrypted file systems listed above are a weakness in their own right.