6: Take advantage of local security policies
Using Active Directory based on policy group settings does not disable the need for local security policy settings. Remember that group policy settings are used only when someone signs in with a domain account. They will do nothing if someone logs on to the computer using a local account. Local security policies can help protect your computer against using local accounts.
7: Review the firewall configuration
You should use fiewall on the outer ring of the network and on each machine in the network. However, this is not enough. You should also review the firewall's exception port list to ensure that only important ports are still open.
The focus is often placed on ports used by the Windows operating system. However, you should also check any firewall rule that accepts ports 1433 and 1434. These ports are used for remote monitoring and connection to the SQL server. They are hackers' favorite targets.
8: Isolation of services
Whenever possible, you should configure the server for them to perform a specific task. In this way, if a server is attacked, the hacker will only be able to gain access to a certain set of services. We recognize that financial pressure often forces organizations to run multiple roles on their servers. In such cases, you can upgrade security without spending money using virtualization. In a virtualized environment, Microsoft allows you to deploy multiple virtual machines running Windows Server 2008 R2 operating systems with only one license server.
9: Apply timeline security patches
You should regularly check the patches before applying them to the server. However, some organizations still have the habit of ignoring the inspection process. Surely we cannot deny the importance of ensuring the stability of the server, but you still have to balance the need to check with security needs.
Every time Microsoft releases a security patch, this patch is designed to target a certain vulnerability. This means hackers are sure to know this vulnerability and will look for deployment options while the patch for the vulnerability has not yet been applied.
10: Take advantage of the Security Configuration Wizard
The Security Configuration Wizard allows you to create XML-based security policies that can be applied to your server. These policies are used to activate services, configure settings, and set firewall rules. However, keep in mind that policies created by the Security Configuration Wizard are not the same as policies created from security templates (using .INF files). Additionally, you cannot use policy groups to deploy the policy Security Configuration Wizard.