Things to Remember While Hardening the Windows Server

Windows Server Hardening Checklist Techhyme

This article is a hardening checklist for Windows Server.

The purpose of system hardening is to reduce the server's attack surface as far as its role allows: remove non-essential software, services and accounts, and configure what remains (authentication, network protocols, auditing, permissions) securely. On domain members, apply the settings below through Group Policy; values written locally are overwritten at the next policy refresh.

  1. Physical Security
  2. User Account Policies
  3. Security Settings
  4. Registry Security
  5. Network Controls
  6. Network Security Settings
  7. Active Directory Domain Member Security Settings
  8. Audit Policy Settings
  9. Event Log Settings
  10. Additional Security Protection
  11. Antivirus Security

1. Physical Security

  • Set a BIOS/UEFI firmware password so that the server's start-up settings cannot be modified without authorization.
  • Disable automatic administrative logon to the recovery console ("Recovery console: Allow automatic administrative logon" = Disabled).
  • Lock the boot order in firmware so the server cannot be booted from alternate or external media, and enable Secure Boot where the hardware supports it.
  • Do not permit the server to be shut down without logging on ("Shutdown: Allow system to be shut down without having to log on" = Disabled).
  • Make the interactive session lock automatically after a period of inactivity (a password-protected screen saver, or the machine inactivity limit in section 3), so an unattended console cannot be used.

2. User Account Policies

  • Configure a minimum password length of at least 10 characters for passwords, or 15 for passphrases.
  • Enforce password history, with at least 10 previous passwords remembered.
  • Set a minimum password age of 3 days, so a user cannot cycle through the history in one sitting to get back to an old password.
  • Set a maximum password age of 90 days for passwords and 180 days for passphrases.
  • Enable "Password must meet complexity requirements". The setting can be disabled for passphrases, but this is not recommended.
  • Do not store passwords using reversible encryption (the default).
  • Configure an account lockout policy: a lockout threshold (for example 10 invalid attempts), a lockout duration and a reset window (for example 15 minutes each).
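
The section-2 policy as an added PowerShell example (not from the article). Local account policy is set with secedit and an INF template; on a domain member the same values have to go into the Default Domain Policy (or a fine-grained password policy), shown here with the ActiveDirectory module cmdlet, because domain policy overrides local settings for domain accounts. The values chosen (14 characters, 24 remembered, 10-attempt lockout with 15-minute windows) are this example's picks within the ranges above; on recent Windows Server versions a minimum length above 14 is only honored once "Relax minimum password length limits" is enabled.

```powershell
# Added example: apply and verify the password/lockout policy. Run elevated.
#Requires -RunAsAdministrator

# Single-quoted here-string so the $CHICAGO$ signature is not expanded
$inf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
PasswordHistorySize = 24
MinimumPasswordAge = 3
MaximumPasswordAge = 90
PasswordComplexity = 1
ClearTextPassword = 0
LockoutBadCount = 10
LockoutDuration = 15
ResetLockoutCount = 15
[Version]
signature="$CHICAGO$"
Revision=1
'@

$infPath    = Join-Path $env:TEMP 'pwpolicy.inf'
$dbPath     = Join-Path $env:TEMP 'pwpolicy.sdb'
$exportPath = Join-Path $env:TEMP 'pwpolicy-export.inf'
Set-Content -Path $infPath -Value $inf -Encoding Unicode     # secedit expects a Unicode INF
secedit /configure /db $dbPath /cfg $infPath /areas SECURITYPOLICY /quiet

# Verify: export the effective local policy and parse the "Name = number" lines
secedit /export /cfg $exportPath /areas SECURITYPOLICY /quiet | Out-Null
$effective = @{}
foreach ($line in Get-Content $exportPath) {
    if ($line -match '^(\w+)\s*=\s*(\d+)') { $effective[$Matches[1]] = [int]$Matches[2] }
}
$expected = @{
    MinimumPasswordLength = 14; PasswordHistorySize = 24; MinimumPasswordAge = 3
    MaximumPasswordAge = 90;    PasswordComplexity = 1;   ClearTextPassword = 0
    LockoutBadCount = 10;       LockoutDuration = 15;     ResetLockoutCount = 15
}
foreach ($k in $expected.Keys) {
    if ($effective[$k] -ne $expected[$k]) {
        Write-Warning ('{0}: expected {1}, effective {2}' -f $k, $expected[$k], $effective[$k])
    }
}
Remove-Item $infPath, $dbPath, $exportPath -ErrorAction SilentlyContinue

# Domain-joined: domain accounts follow the domain policy, not the local one, so set it there
# (requires the RSAT ActiveDirectory module and rights on the domain object).
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain -and (Get-Module -ListAvailable ActiveDirectory)) {
    Import-Module ActiveDirectory
    Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
        -MinPasswordLength 14 -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 3) -MaxPasswordAge (New-TimeSpan -Days 90) `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 15) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 15)
    Get-ADDefaultDomainPasswordPolicy |
        Format-List MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, ComplexityEnabled, LockoutThreshold
}
```

The export-and-parse step is the part worth keeping in a build pipeline: it reads back what the SAM actually enforces rather than trusting that the configure call succeeded.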

3. Security Settings

  • Disable the built-in Guest account.
  • Require Ctrl+Alt+Del for interactive logons ("Interactive logon: Do not require CTRL+ALT+DEL" = Disabled).
  • Configure the machine inactivity limit ("Interactive logon: Machine inactivity limit", for example 900 seconds) so that idle interactive sessions lock.
  • Configure the Microsoft network client to digitally sign communications, both "always" and "if server agrees".
  • Ensure all volumes use the NTFS file system.
  • Encrypt data at rest: BitLocker for entire volumes, or the built-in Encrypting File System (EFS) on NTFS for individual folders. BitLocker on a server needs a TPM (or a network/USB key protector) if it is to survive unattended reboots.
  • Disable "Microsoft network client: Send unencrypted password to third-party SMB servers".
  • Set the system date and time and synchronize it to a trusted NTP source. Log correlation and Kerberos both depend on accurate time; Kerberos tolerates only 5 minutes of skew by default.
  • Disable AutoRun/AutoPlay for all drive types. (AutoRun is a shell feature controlled by the NoDriveTypeAutoRun policy, not a service.)
  • If Remote Desktop is enabled, set the client connection encryption level to High and require Network Level Authentication.
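
As an added example (not part of the original checklist), the following PowerShell applies the registry-backed and cmdlet-backed items from sections 1 and 3 and then re-reads them as a compliance check. It assumes Windows Server 2016 or later with Windows PowerShell 5.1, run elevated; the 900-second inactivity limit is a choice made here. On a domain member, put the same values in a GPO, since local writes are overwritten at the next policy refresh.

```powershell
# Added example: sections 1 and 3. Writes each setting, disables Guest, then verifies.
#Requires -RunAsAdministrator

$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$exp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$rdp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$settings = @(
    # 1. Shutdown: Allow system to be shut down without having to log on = Disabled
    @{ Path=$sys; Name='ShutdownWithoutLogon';  Value=0 },
    # 1. Recovery console: Allow automatic administrative logon = Disabled
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'; Name='SecurityLevel'; Value=0 },
    # 3. Interactive logon: Do not require CTRL+ALT+DEL = Disabled (0 means CAD is required)
    @{ Path=$sys; Name='DisableCAD';            Value=0 },
    # 1/3. Interactive logon: Machine inactivity limit = 900 s (locks the idle session)
    @{ Path=$sys; Name='InactivityTimeoutSecs'; Value=900 },
    # 3. Microsoft network client: Digitally sign communications (always / if server agrees)
    @{ Path=$wks; Name='RequireSecuritySignature'; Value=1 },
    @{ Path=$wks; Name='EnableSecuritySignature';  Value=1 },
    # 3. Microsoft network client: Send unencrypted password to third-party SMB servers = Disabled
    @{ Path=$wks; Name='EnablePlainTextPassword';  Value=0 },
    # 3. AutoRun/AutoPlay off for every drive type (0xFF) and no autorun.inf commands at all
    @{ Path=$exp; Name='NoDriveTypeAutoRun'; Value=255 },
    @{ Path=$exp; Name='NoAutorun';          Value=1 },
    # 3. RDP: client connection encryption level High (3), Network Level Authentication required
    @{ Path=$rdp; Name='MinEncryptionLevel'; Value=3 },
    @{ Path=$rdp; Name='UserAuthentication'; Value=1 }
)

foreach ($s in $settings) {
    if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
    New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -PropertyType DWord -Force | Out-Null
}

# 3. Guest is disabled by default but some installers re-enable it; make the state explicit
Disable-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue

# Verification pass: a value that did not take (for example because a GPO owns it) is reported
$drift = foreach ($s in $settings) {
    $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ($actual -ne $s.Value) { '{0}\{1}: expected {2}, got {3}' -f $s.Path, $s.Name, $s.Value, $actual }
}
if ($drift) { $drift | ForEach-Object { Write-Warning $_ } } else { 'Registry settings verified.' }

# 3. Every lettered fixed volume must be NTFS (the unlettered EFI/recovery partitions are skipped)
Get-Volume | Where-Object { $_.DriveLetter -and $_.DriveType -eq 'Fixed' -and $_.FileSystem -ne 'NTFS' } |
    ForEach-Object { Write-Warning ('Volume {0}: is {1}, not NTFS' -f $_.DriveLetter, $_.FileSystem) }

# 3. Time source: "Local CMOS Clock" or "Free-running System Clock" means no NTP peer is in use
$source = (w32tm /query /source 2>&1) -join ''
if ($source -match 'CMOS|Free-running') { Write-Warning "Time source is '$source'; configure an NTP peer" }
else { "Time source: $source" }
```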

4. Registry Security

  • Configure registry permissions to protect the registry from unauthorized or anonymous access, and restrict remote registry access to what is actually required (see section 10).
  • Set the registry value MaxCachedSockets (REG_DWORD) to 0.
  • Set SmbDeviceEnabled (REG_DWORD) to 0 under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters. Historically this stopped the NetBT driver's direct-hosted SMB listener on TCP 445; on current versions the Server service binds 445 itself, so check with Get-NetTCPConnection what it changes on your build, and do not rely on it in place of a firewall rule.
  • Set AutoShareServer (REG_DWORD) to 0 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, which removes the default administrative shares (C$, ADMIN$). Check first that no backup or management tooling depends on them.
  • Set AutoShareWks (REG_DWORD) to 0 under the same key (the workstation-SKU equivalent).
  • Empty the NullSessionPipes multi-string value under LanmanServer\Parameters so that no named pipe is reachable over an anonymous (null) session. On domain controllers keep the pipes the role requires (LSARPC, NETLOGON, SAMR).
  • Empty the NullSessionShares multi-string value under the same key so that no share is reachable anonymously.
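
An added example (not from the article) of the section-4 values. The paths are the standard LanmanServer and NetBT parameter keys; a pre-flight check refuses to apply the SMB-affecting values on a server that publishes shares, and the .NET registry API is used for the two REG_MULTI_SZ values so they are written as genuinely empty lists rather than a single empty string. MaxCachedSockets is skipped because the checklist gives no key for it.

```powershell
# Added example: section 4. Run elevated; the Server service re-reads these on restart.
#Requires -RunAsAdministrator

$srvPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$nbtPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

# Pre-flight: AutoShareServer=0 removes C$/ADMIN$ and SmbDeviceEnabled=0 touches the SMB
# listener. Skip those two if the host actually serves user shares (IPC$/admin shares are "Special").
$userShares = Get-SmbShare | Where-Object { -not $_.Special }
$applySmb = -not $userShares
if (-not $applySmb) {
    Write-Warning 'This server publishes shares; AutoShareServer/SmbDeviceEnabled are left unchanged:'
    $userShares | Format-Table Name, Path -AutoSize
}

if ($applySmb) {
    New-ItemProperty -Path $srvPath -Name AutoShareServer  -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $nbtPath -Name SmbDeviceEnabled -Value 0 -PropertyType DWord -Force | Out-Null
}
# AutoShareWks is the workstation-SKU equivalent; setting it too keeps the baseline uniform
New-ItemProperty -Path $srvPath -Name AutoShareWks -Value 0 -PropertyType DWord -Force | Out-Null
# Network access: Restrict anonymous access to Named Pipes and Shares = Enabled
New-ItemProperty -Path $srvPath -Name RestrictNullSessAccess -Value 1 -PropertyType DWord -Force | Out-Null

# NullSessionPipes / NullSessionShares are REG_MULTI_SZ values (not keys). DomainRole 4/5 = DC,
# which needs the three pipes listed; everything else gets an empty list.
$isDC  = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
$pipes = if ($isDC) { [string[]]@('LSARPC', 'NETLOGON', 'SAMR') } else { [string[]]@() }
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters', $true)
$key.SetValue('NullSessionPipes',  $pipes,        [Microsoft.Win32.RegistryValueKind]::MultiString)
$key.SetValue('NullSessionShares', [string[]]@(), [Microsoft.Win32.RegistryValueKind]::MultiString)
$key.Close()

# MaxCachedSockets: the checklist names the value but not its key, so it is not guessed here.

# Verification: show the effective values so the change can be reviewed before the service restart
Get-ItemProperty -Path $srvPath | Select-Object AutoShareServer, AutoShareWks, RestrictNullSessAccess,
    @{ n='NullSessionPipes';  e={ $_.NullSessionPipes  -join ',' } },
    @{ n='NullSessionShares'; e={ $_.NullSessionShares -join ',' } }
Get-ItemProperty -Path $nbtPath -Name SmbDeviceEnabled -ErrorAction SilentlyContinue | Select-Object SmbDeviceEnabled
# Apply: Restart-Service LanmanServer (drops every current SMB session), or reboot in the change window.
```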

5. Network Controls

  • Disable anonymous security identifier (SID)/name translation ("Network access: Allow anonymous SID/Name translation" = Disabled).
  • Disable anonymous enumeration of SAM accounts, and of SAM accounts and shares (both "Network access: Do not allow anonymous enumeration ..." settings = Enabled).
  • Do not let Everyone permissions apply to anonymous users ("Network access: Let Everyone permissions apply to anonymous users" = Disabled).
  • Restrict anonymous access to named pipes and shares ("Network access: Restrict anonymous access to Named Pipes and Shares" = Enabled).
  • Do not allow any share to be accessed anonymously ("Network access: Shares that can be accessed anonymously" = none).
  • Require the "Classic" sharing and security model for local accounts, so that remote users authenticate as themselves rather than being mapped to Guest.

6. Network Security Settings

  • Enable "Network security: Allow Local System to use computer identity for NTLM".
  • Disable "Network security: Allow LocalSystem NULL session fallback".
  • Block ports at the host firewall. Analyze which ports the server's role needs and restrict access to all others.
  • Configure the allowable Kerberos encryption types to AES128 and AES256 (plus "Future encryption types") and remove DES and RC4. Audit for RC4-only services and trusts first; they stop working once RC4 is gone.
  • Do not store LAN Manager hash values ("Network security: Do not store LAN Manager hash value on next password change" = Enabled). Existing hashes disappear only as each password is next changed.
  • Disable NetBIOS over TCP/IP on every network interface; NBT-NS name resolution is what LLMNR/NBT-NS poisoning tools rely on.
  • Restrict "Access this computer from the network" to Authenticated Users (and, on domain controllers, Enterprise Domain Controllers).
  • Set the LAN Manager authentication level to "Send NTLMv2 response only. Refuse LM & NTLM" (LmCompatibilityLevel 5).
  • Enable the Windows Firewall in all profiles (domain, private, public).
  • Configure the Windows Firewall in all profiles to block inbound traffic by default.

7. Active Directory Domain Member Security Settings

  • Enable "Domain member: Digitally encrypt or sign secure channel data (always)".
  • Enable "Domain member: Digitally encrypt secure channel data (when possible)".
  • Enable "Domain member: Digitally sign secure channel data (when possible)".
  • Enable "Domain member: Require strong (Windows 2000 or later) session key".
  • Limit "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" to the smallest value the server's role tolerates (4 or fewer is typical; 0 for servers that never need to log on without a domain controller). Cached credentials are a target for offline cracking.
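
Sections 5, 6 and 7 as one added, data-driven PowerShell example (not part of the article). Each entry records the policy name as it appears in Local Security Policy and the registry location where Windows stores it; the script audits by default and writes the expected values when run with -Remediate. The two items that are not registry values (anonymous SID/Name translation, and the "Access this computer from the network" user right) go through secedit. The Kerberos value 2147483640 (AES128, AES256, Future) and the cached-logon limit of 4 are this example's choices, and restricting SeNetworkLogonRight to Authenticated Users is intended for member servers, not domain controllers.

```powershell
# Added example: sections 5-7 as an audit/remediation pass. Run elevated; audit only unless -Remediate.
#Requires -RunAsAdministrator
param([switch]$Remediate)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$nl  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$krb = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

$baseline = @(
    # 5. Network access
    @{ P=$lsa; N='RestrictAnonymousSAM';      V=1; D='Do not allow anonymous enumeration of SAM accounts' },
    @{ P=$lsa; N='RestrictAnonymous';         V=1; D='Do not allow anonymous enumeration of SAM accounts and shares' },
    @{ P=$lsa; N='EveryoneIncludesAnonymous'; V=0; D='Let Everyone permissions apply to anonymous users = Disabled' },
    @{ P=$lsa; N='ForceGuest';                V=0; D='Sharing and security model for local accounts = Classic' },
    # 6. Network security
    @{ P=$lsa;          N='UseMachineId';             V=1; D='Allow Local System to use computer identity for NTLM' },
    @{ P="$lsa\MSV1_0"; N='AllowNullSessionFallback'; V=0; D='Allow LocalSystem NULL session fallback = Disabled' },
    @{ P=$lsa;          N='NoLMHash';                 V=1; D='Do not store LAN Manager hash value on next password change' },
    @{ P=$lsa;          N='LmCompatibilityLevel';     V=5; D='LAN Manager authentication level = NTLMv2 only, refuse LM & NTLM' },
    # 0x7FFFFFF8 = AES128 + AES256 + Future, DES and RC4 cleared. Audit RC4-only services/trusts first.
    @{ P=$krb;          N='SupportedEncryptionTypes'; V=2147483640; D='Kerberos allowed encryption types = AES only' },
    # 7. Domain member
    @{ P=$nl; N='RequireSignOrSeal'; V=1; D='Digitally encrypt or sign secure channel data (always)' },
    @{ P=$nl; N='SealSecureChannel'; V=1; D='Digitally encrypt secure channel data (when possible)' },
    @{ P=$nl; N='SignSecureChannel'; V=1; D='Digitally sign secure channel data (when possible)' },
    @{ P=$nl; N='RequireStrongKey';  V=1; D='Require strong (Windows 2000 or later) session key' }
)

$findings = @(foreach ($b in $baseline) {
    $cur = (Get-ItemProperty -Path $b.P -Name $b.N -ErrorAction SilentlyContinue).($b.N)
    if ($cur -ne $b.V) {
        if ($Remediate) {
            if (-not (Test-Path $b.P)) { New-Item -Path $b.P -Force | Out-Null }
            New-ItemProperty -Path $b.P -Name $b.N -Value $b.V -PropertyType DWord -Force | Out-Null
        }
        [pscustomobject]@{ Setting=$b.D; Expected=$b.V; Current=$cur; Fixed=[bool]$Remediate }
    }
})

# 7. Cached domain logons: stored as REG_SZ, default 10; 4 or fewer on a member server
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = [int](Get-ItemProperty -Path $wl -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($cached -gt 4) {
    if ($Remediate) { Set-ItemProperty -Path $wl -Name CachedLogonsCount -Value '4' }
    $findings += [pscustomobject]@{ Setting='Number of previous logons to cache'; Expected=4; Current=$cached; Fixed=[bool]$Remediate }
}

# 6. NetBIOS over TCP/IP is per interface: NetbiosOptions 2 = disabled (0 = from DHCP, 1 = enabled)
foreach ($iface in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces') {
    $opt = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    if ($opt -ne 2) {
        if ($Remediate) { Set-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -Value 2 -Type DWord }
        $findings += [pscustomobject]@{ Setting="NetBIOS over TCP/IP ($($iface.PSChildName))"; Expected=2; Current=$opt; Fixed=[bool]$Remediate }
    }
}

# 6. Firewall on in every profile with inbound blocked by default (outbound is left allowed)
$bad = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' }
if ($bad) {
    if ($Remediate) { Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block }
    $findings += $bad | ForEach-Object {
        [pscustomobject]@{ Setting="Firewall profile $($_.Name)"; Expected='True/Block'; Current="$($_.Enabled)/$($_.DefaultInboundAction)"; Fixed=[bool]$Remediate }
    }
}

# 5/6. Not registry values: anonymous SID/Name translation is LSA policy and "Access this computer
# from the network" is a user right, so both go through secedit. S-1-5-11 = Authenticated Users.
# On a domain controller keep Enterprise Domain Controllers (S-1-5-9) in SeNetworkLogonRight as well.
if ($Remediate) {
    $inf = @'
[Unicode]
Unicode=yes
[System Access]
LSAAnonymousNameLookup = 0
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-11
[Version]
signature="$CHICAGO$"
Revision=1
'@
    $cfg = Join-Path $env:TEMP 'netsec.inf'
    Set-Content -Path $cfg -Value $inf -Encoding Unicode
    secedit /configure /db (Join-Path $env:TEMP 'netsec.sdb') /cfg $cfg /areas SECURITYPOLICY USER_RIGHTS /quiet
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No deviations from the baseline.' }
```

Running it without -Remediate first gives the list of deviations to put in the change record; the same table, run again afterwards, is the evidence that the change took.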

8. Audit Policy Settings

  • Configure and manage the following audit policies. Use the advanced audit policy subcategories and enable "Audit: Force audit policy subcategory settings to override audit policy category settings", so that a legacy category setting cannot silently replace them. Audit both success and failure where the event volume is manageable:
    • Account Logon (Credential Validation, Kerberos Authentication Service).
    • Account Management (user, security group and computer account management).
    • Logon/Logoff (Logon, Logoff, Account Lockout, Special Logon).
    • Policy Change (Audit Policy Change, Authentication Policy Change).
    • Privilege Use (Sensitive Privilege Use).

9. Event Log Settings

  • Configure the event log maximum size and retention method. Size the Security log for several days of events (hundreds of MB to 1 GB is common) and set retention to overwrite as needed once logs are shipped off-box; "do not overwrite" combined with a full log stops auditing.
  • Configure log shipping to a centralized server (for example Windows Event Forwarding to a collector, or an agent shipping to Splunk) so that events survive a compromised or wiped host.
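
Sections 8 and 9 as an added example (not from the article): the advanced audit subcategories behind the five categories, set with auditpol and read back from its CSV output; event log sizing with wevtutil; and the source-side registry value for Windows Event Forwarding. The collector name wec.example.invalid, the 1 GB / 256 MB sizes and the particular subcategory list are assumptions made here.

```powershell
# Added example: sections 8 and 9. Run elevated (Windows PowerShell 5.1).
#Requires -RunAsAdministrator

# 8. Make advanced (subcategory) audit policy authoritative over the legacy categories
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name SCENoApplyLegacyAuditPolicy `
    -Value 1 -PropertyType DWord -Force | Out-Null

# Subcategories behind the five categories in the checklist. Successful logons are audited too:
# they are what an investigation pivots on; failures alone mostly show the background noise.
$auditPolicy = @(
    @{ Sub='Credential Validation';           Success=$true; Failure=$true  },  # Account Logon
    @{ Sub='Kerberos Authentication Service'; Success=$true; Failure=$true  },
    @{ Sub='User Account Management';         Success=$true; Failure=$true  },  # Account Management
    @{ Sub='Security Group Management';       Success=$true; Failure=$true  },
    @{ Sub='Computer Account Management';     Success=$true; Failure=$true  },
    @{ Sub='Logon';                           Success=$true; Failure=$true  },  # Logon/Logoff
    @{ Sub='Logoff';                          Success=$true; Failure=$false },
    @{ Sub='Account Lockout';                 Success=$true; Failure=$true  },
    @{ Sub='Special Logon';                   Success=$true; Failure=$false },
    @{ Sub='Audit Policy Change';             Success=$true; Failure=$true  },  # Policy Change
    @{ Sub='Authentication Policy Change';    Success=$true; Failure=$true  },
    @{ Sub='Sensitive Privilege Use';         Success=$true; Failure=$true  }   # Privilege Use
)
foreach ($a in $auditPolicy) {
    $s = if ($a.Success) { 'enable' } else { 'disable' }
    $f = if ($a.Failure) { 'enable' } else { 'disable' }
    auditpol /set "/subcategory:$($a.Sub)" "/success:$s" "/failure:$f" | Out-Null
}

# Read back what is in force: /r emits CSV and "Inclusion Setting" is the effective value
$inForce = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
$inForce | Where-Object { $_.Subcategory -in $auditPolicy.Sub } |
    Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# 9. Log size and retention. /rt:false = overwrite as needed, which is only safe because the
#    events are forwarded off-box below; /rt:true halts logging once the file is full.
$logSizes = @{ Security = 1GB; System = 256MB; Application = 256MB }
foreach ($log in $logSizes.GetEnumerator()) {
    wevtutil set-log $log.Key "/ms:$($log.Value)" /rt:false
}
Get-WinEvent -ListLog Security, System, Application | Format-Table LogName, MaximumSizeInBytes, LogMode

# 9. Log shipping with Windows Event Forwarding: this is the registry form of the GPO
#    "Configure target Subscription Manager" (collector hostname assumed). The collector side is
#    set up with wecutil; for a Splunk-style pipeline install that vendor's forwarder instead.
$sm = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
if (-not (Test-Path $sm)) { New-Item -Path $sm -Force | Out-Null }
New-ItemProperty -Path $sm -Name '1' -PropertyType String -Force `
    -Value 'Server=http://wec.example.invalid:5985/wsman/SubscriptionManager/WEC,Refresh=60' | Out-Null
# The forwarding service runs as NETWORK SERVICE, which needs read access to the Security log,
# and WinRM must be listening so the collector can deliver the subscription.
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE' -ErrorAction SilentlyContinue
winrm quickconfig -q | Out-Null
```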

10. Additional Security Protection

  • Disable or remove unused services.
  • Disable or remove unused user accounts, and delete their profile folders and any files they own.
  • Assign user rights (Local Policies > User Rights Assignment) as narrowly as possible; in particular Debug programs, Act as part of the operating system, Back up and Restore files and directories, and the logon rights.
  • Configure file and folder permissions; in particular, no directory on the system path should be writable by standard users.
  • Configure registry permissions.
  • Disable the Remote Registry service if it is not in use.
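
An added inventory script for section 10 (not the article's own). It only reports, except for the Remote Registry service, which it stops and disables; the candidate service list, the 90-day staleness window and the set of watched user rights are this example's choices and should be adjusted to the server's role.

```powershell
# Added example: section 10. Reports candidates for removal; only Remote Registry is changed.
#Requires -RunAsAdministrator

# 1. Services that are rarely needed on a hardened server but often left enabled (illustrative list)
$candidates = 'RemoteRegistry', 'Spooler', 'Fax', 'Browser', 'SSDPSRV', 'upnphost', 'lmhosts', 'TapiSrv'
Get-Service -Name $candidates -ErrorAction SilentlyContinue |
    Where-Object { $_.Status -eq 'Running' -or $_.StartType -ne 'Disabled' } |
    Format-Table Name, Status, StartType -AutoSize

# Remote registry: off unless a change window needs it
Stop-Service RemoteRegistry -ErrorAction SilentlyContinue
Set-Service  RemoteRegistry -StartupType Disabled

# 2. Enabled local accounts that never logged on, or not in the last 90 days, with their profile path
$cutoff   = (Get-Date).AddDays(-90)
$profiles = Get-CimInstance Win32_UserProfile | Where-Object { -not $_.Special }
Get-LocalUser |
    Where-Object { $_.Enabled -and $_.Name -ne 'Administrator' -and (-not $_.LastLogon -or $_.LastLogon -lt $cutoff) } |
    ForEach-Object {
        $sid = $_.SID.Value
        [pscustomobject]@{
            User       = $_.Name
            LastLogon  = $_.LastLogon
            ProfileDir = ($profiles | Where-Object SID -eq $sid).LocalPath
        }
    } | Format-Table -AutoSize
# To act on a finding: Disable-LocalUser -Name <user>, then
# Get-CimInstance Win32_UserProfile -Filter "SID='<sid>'" | Remove-CimInstance   (deletes the profile folder)

# 3. Who holds the high-impact user rights: review each holder against least privilege
$export = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $export /areas USER_RIGHTS /quiet | Out-Null
$watch = 'SeDebugPrivilege', 'SeTcbPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
         'SeRemoteInteractiveLogonRight', 'SeServiceLogonRight'
Get-Content $export | Where-Object { ($_ -split '\s*=\s*')[0] -in $watch } | ForEach-Object {
    $right, $holders = $_ -split '\s*=\s*', 2
    $names = foreach ($h in $holders -split ',') {
        $s = $h.Trim().TrimStart('*')                       # secedit writes SIDs as *S-1-5-...
        try { (New-Object System.Security.Principal.SecurityIdentifier $s).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $s }                                         # unresolvable SID or a plain name
    }
    [pscustomobject]@{ Right = $right; Holders = ($names -join ', ') }
} | Format-Table -AutoSize
Remove-Item $export -ErrorAction SilentlyContinue

# 4. Permission spot-check: files under System32 that non-administrators can modify
$lowPriv = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
Get-ChildItem "$env:SystemRoot\System32" -File -ErrorAction SilentlyContinue | Get-Acl -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -in $lowPriv -and
            $_.FileSystemRights -match 'Write|Modify|FullControl'
        }
    } |
    Select-Object @{ n='WritableByUsers'; e={ $_.Path -replace '^Microsoft\.PowerShell\.Core\\FileSystem::', '' } } |
    Format-Table -AutoSize
```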

11. Antivirus Security

  • Install and enable anti-virus software. On Windows Server 2016 and later, Microsoft Defender Antivirus is built in and covers both the anti-virus and the anti-spyware role.
  • Install and enable anti-spyware software (covered by Defender where it is used).
  • Configure anti-virus and anti-spyware software to update their signatures at least daily, and verify that the updates actually arrive on servers without direct internet access.
  • Install software that checks the integrity of critical operating system files (a hash baseline compared on a schedule, alongside sfc /verifyonly).
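
Section 11 with Microsoft Defender Antivirus and a file-hash baseline, as an added example (not from the article). It assumes the Defender feature is installed (Install-WindowsFeature Windows-Defender on Server 2016/2019) and uses C:\ProgramData\Hardening\os-baseline.json, a location chosen here, for the baseline; the list of critical files is illustrative. The first run writes the baseline; every later run compares against it and checks the Authenticode signature of anything that changed, since a changed hash after Windows Update is expected while an unsigned replacement is not.

```powershell
# Added example: section 11. Defender configuration plus a SHA-256 integrity baseline.
#Requires -RunAsAdministrator

# --- Defender: real-time protection, cloud lookups, daily signature and quick-scan schedule ---
Set-MpPreference -DisableRealtimeMonitoring $false `
                 -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples `
                 -SignatureUpdateInterval 24 -SignatureScheduleDay Everyday -ScanScheduleDay Everyday
Update-MpSignature                                      # needs internet or a WSUS/UNC signature source
$status = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    AntivirusEnabled   = $status.AntivirusEnabled
    AntispywareEnabled = $status.AntispywareEnabled
    SignatureAgeDays   = $status.AntivirusSignatureAge   # anything above 1 means daily updates are failing
    LastSignatureTime  = $status.AntivirusSignatureLastUpdated
} | Format-List

# --- Integrity baseline for critical OS files ---
$baselinePath = 'C:\ProgramData\Hardening\os-baseline.json'   # assumed location
$critical = @(
    "$env:SystemRoot\System32\drivers\etc\hosts",
    "$env:SystemRoot\System32\ntoskrnl.exe",  "$env:SystemRoot\System32\lsass.exe",
    "$env:SystemRoot\System32\winlogon.exe",  "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\svchost.exe",   "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\System32\cmd.exe",       "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
)
$current = @{}
foreach ($f in $critical) {
    if (Test-Path $f) { $current[$f] = (Get-FileHash -Path $f -Algorithm SHA256).Hash }
}

if (-not (Test-Path $baselinePath)) {
    New-Item -ItemType Directory -Path (Split-Path $baselinePath) -Force | Out-Null
    $current | ConvertTo-Json | Set-Content -Path $baselinePath
    "Baseline written for $($current.Count) files: $baselinePath"
} else {
    $saved = @{}
    (Get-Content $baselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $saved[$_.Name] = $_.Value }
    $changed = $current.Keys | Where-Object { $saved.ContainsKey($_) -and $saved[$_] -ne $current[$_] }
    $missing = $saved.Keys   | Where-Object { -not $current.ContainsKey($_) }
    $added   = $current.Keys | Where-Object { -not $saved.ContainsKey($_) }
    foreach ($c in $changed) {
        # Expected after patching if the new file carries a valid Microsoft signature; otherwise investigate
        $sig = Get-AuthenticodeSignature -FilePath $c
        Write-Warning ('CHANGED {0} (signature {1}; signer {2})' -f $c, $sig.Status, $sig.SignerCertificate.Subject)
    }
    $missing | ForEach-Object { Write-Warning "MISSING $_" }
    $added   | ForEach-Object { Write-Warning "NEW     $_" }
    if (-not ($changed -or $missing -or $added)) { 'Integrity check passed: no changes against the baseline.' }
}
# Complementary check against the component store, which also repairs with /scannow:
sfc /verifyonly
```

Re-write the baseline after each approved patch cycle (delete the JSON file and run once), otherwise every run after Patch Tuesday reports the updated binaries as changed.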