This article is a hardening checklist for Windows Server. Most items map to Local Security Policy (secpol.msc) options; on a domain member, set them through Group Policy so local changes are not silently overwritten.
The purpose of system hardening is to reduce the server's attack surface as far as possible: remove non-essential software, services and accounts, and configure what remains so that it exposes the least privilege and the fewest network-reachable entry points.
- Physical Security
- User Account Policies
- Security Settings
- Registry Security
- Network Controls
- Network Security Settings
- Active Directory Domain Member Security Settings
- Audit Policy Settings
- Event Log Settings
- Additional Security Protection
- Antivirus security
1. Physical Security
- Set a BIOS/UEFI firmware password so that the server's start-up settings cannot be changed without authorization.
- Disable automatic administrative logon to the recovery console.
- Set and lock the boot order so the server cannot be booted from alternate or external media.
- Do not allow the server to be shut down without logging on.
- Configure a screen saver that locks the console automatically after a short idle timeout, so an unattended server cannot be used by whoever walks up to it.
2. User Account Policies
- Configure a minimum password length of at least 10 characters for passwords, or 15 for passphrases.
- Enforce password history, remembering at least 10 previous passwords.
- Set a minimum password age of 3 days, so that users cannot cycle straight back to a previous password.
- Set a maximum password age of 90 days for passwords and 180 days for passphrases.
- Enable "Password must meet complexity requirements". This can be disabled for passphrases, but that is not recommended.
- Do not store passwords using reversible encryption (this is the default).
- Configure an account lockout policy: a lockout threshold (for example 5 to 10 invalid attempts), a lockout duration and a reset window. On a domain member, the domain password and lockout policy applies to domain accounts regardless of these local settings.
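The following script is an added example and is not part of the original article. It exports the effective local security policy with secedit, parses the [System Access] section and checks it against the thresholds above (plus the Guest-account and anonymous SID/Name lookup settings from the later sections, which live in the same export). The lockout thresholds (1 to 10 attempts, 15 minutes) are assumptions; the password values are the article's. On a domain member, check domain accounts with Get-ADDefaultDomainPasswordPolicy instead.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: audit the effective local account policy
# against the checklist thresholds. Lockout numbers (1..10 attempts, 15 minutes) are assumed.

function Get-LocalSecurityPolicy {
    # secedit exports the effective policy as an INI-style file; only [System Access] is needed.
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $section = ''
    $policy  = @{}
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
            $policy[$Matches[1]] = $Matches[2]
        }
    }
    Remove-Item -Path $inf -Force
    return $policy
}

# Setting name as secedit writes it, the target in plain words, and the test it must pass.
$Checks = @(
    @{ Name = 'MinimumPasswordLength';  Want = '>= 10 (15 for passphrases)';    Test = { param($v) [int]$v -ge 10 } },
    @{ Name = 'PasswordHistorySize';    Want = '>= 10';                         Test = { param($v) [int]$v -ge 10 } },
    @{ Name = 'MinimumPasswordAge';     Want = '>= 3 days';                     Test = { param($v) [int]$v -ge 3 } },
    @{ Name = 'MaximumPasswordAge';     Want = '1..90 days (180 passphrases)';  Test = { param($v) [int]$v -ge 1 -and [int]$v -le 90 } },
    @{ Name = 'PasswordComplexity';     Want = '1 (enabled)';                   Test = { param($v) [int]$v -eq 1 } },
    @{ Name = 'ClearTextPassword';      Want = '0 (no reversible encryption)';  Test = { param($v) [int]$v -eq 0 } },
    @{ Name = 'LockoutBadCount';        Want = '1..10 attempts';                Test = { param($v) [int]$v -ge 1 -and [int]$v -le 10 } },
    @{ Name = 'LockoutDuration';        Want = '>= 15 min, or -1 (admin unlock)'; Test = { param($v) [int]$v -ge 15 -or [int]$v -eq -1 } },
    @{ Name = 'ResetLockoutCount';      Want = '>= 15 min';                     Test = { param($v) [int]$v -ge 15 } },
    @{ Name = 'EnableGuestAccount';     Want = '0 (Guest disabled)';            Test = { param($v) [int]$v -eq 0 } },
    @{ Name = 'LSAAnonymousNameLookup'; Want = '0 (no anonymous SID/Name lookup)'; Test = { param($v) [int]$v -eq 0 } }
)

function Test-AccountPolicy {
    $policy = Get-LocalSecurityPolicy
    foreach ($c in $Checks) {
        $value = $policy[$c.Name]          # missing key: the setting was never configured
        $pass  = if ($null -eq $value) { $false } else { [bool](& $c.Test $value) }
        [pscustomobject]@{
            Setting  = $c.Name
            Current  = if ($null -eq $value) { '(not set)' } else { $value }
            Expected = $c.Want
            Result   = if ($pass) { 'PASS' } else { 'FAIL' }
        }
    }
}

Test-AccountPolicy | Format-Table -AutoSize
```

A MaximumPasswordAge of -1 means "never expires" and is reported as FAIL on purpose. The length, age, history and lockout values can be fixed locally with `net accounts` (for example `/minpwlen:10 /maxpwage:90 /minpwage:3 /uniquepw:10 /lockoutthreshold:5`); the complexity and reversible-encryption flags have no `net accounts` switch and must be set through secpol.msc, `secedit /configure`, or Group Policy.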
3. Security Settings
- Disable the built-in Guest account, which is created automatically.
- Require Ctrl+Alt+Del for interactive logons.
- Configure a machine inactivity limit so that idle interactive sessions are locked.
- Configure the Microsoft network client and the Microsoft network server to always digitally sign SMB communications.
- Ensure all volumes use the NTFS file system.
- Encrypt data at rest: use BitLocker for whole-volume encryption. The built-in Encrypting File System (EFS) on NTFS can be used in addition for per-file or per-folder encryption, but it is not a substitute for volume encryption.
- Configure the Microsoft network client not to send unencrypted passwords to third-party SMB servers.
- Set the system date and time and synchronize it with a trusted NTP source (on a domain member this is normally the domain time hierarchy); accurate time is needed for Kerberos and for usable logs.
- Disable AutoRun/AutoPlay for all drive types. AutoRun is a shell policy setting, not a Windows service.
- If Remote Desktop is enabled, set the RDP connection encryption level to High, require Network Level Authentication and use the TLS security layer.
4. Registry Security
- Configure registry permissions so the registry is protected from unauthorized or anonymous access, and restrict remote registry access to what is actually required.
- Set the registry value MaxCachedSockets (REG_DWORD) to 0.
- Set the registry value SmbDeviceEnabled (REG_DWORD) to 0. This disables direct-hosted SMB over TCP port 445, so apply it only to servers that neither serve file shares nor are administered over SMB.
- Set the registry values AutoShareServer and AutoShareWks (REG_DWORD) to 0 so the administrative shares (C$, ADMIN$) are not created automatically.
- Remove all value data from the NullSessionPipes and NullSessionShares values (REG_MULTI_SZ), so that no named pipe or share is reachable over a null session.
5. Network Controls
- Do not allow anonymous SID/Name translation.
- Do not allow anonymous enumeration of SAM accounts and shares.
- Do not let Everyone permissions apply to anonymous users.
- Restrict anonymous access to named pipes and shares.
- Do not allow any share to be accessed anonymously.
- Use the "Classic" sharing and security model for local accounts, so that local users authenticate as themselves rather than being mapped to Guest.
6. Network Security Settings
- Allow Local System to use the computer identity for NTLM.
- Disallow Local System NULL session fallback.
- Block unneeded ports at the network level. Analyze which ports the server's role actually requires, then restrict access to all others.
- Configure the allowed encryption types for Kerberos to AES only (disable DES and RC4).
- Do not store LAN Manager hash values on the next password change.
- Disable NetBIOS over TCP/IP on every network interface.
- Restrict the "Access this computer from the network" user right to Authenticated Users (and Administrators); remove Everyone.
- Set the LAN Manager authentication level to "Send NTLMv2 response only. Refuse LM & NTLM".
- Enable the Windows Firewall in all profiles (domain, private, public).
- Configure the Windows Firewall in all profiles to block inbound connections by default.
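The script below is an added example, not code from the original article. It applies the firewall items above (all profiles on, inbound blocked by default, dropped packets logged), disables NetBIOS over TCP/IP on every IP-enabled adapter, and then lists every listening TCP port with its owning process so the "which ports does this role need" analysis is based on what is actually open. The allow list of ports is an assumption for a file/RDP/WinRM server; replace it with your role's real requirements.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. $AllowedTcpPorts is an assumed allow list for a
# file server managed over RDP and WinRM; anything else that listens is flagged for review.
$AllowedTcpPorts = @(135, 445, 3389, 5985)

# 1. Firewall on in every profile, inbound blocked by default, outbound allowed, and dropped
#    packets logged so blocked connection attempts can be reviewed later.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Disable NetBIOS over TCP/IP on each IP-enabled adapter (TcpipNetbiosOptions 2 = disabled).
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
            -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
    }

# 3. Inventory of listening TCP ports mapped to the owning process. Ports outside the allow
#    list must be justified (and added to a rule) or closed by disabling/removing the service.
function Get-ListeningPortReport {
    param([int[]]$Allowed)
    Get-NetTCPConnection -State Listen |
        Sort-Object -Property LocalPort -Unique |
        ForEach-Object {
            $proc   = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $name   = if ($proc) { $proc.ProcessName } else { 'pid ' + $_.OwningProcess }
            $status = if ($Allowed -contains $_.LocalPort) { 'allowed' } else { 'REVIEW' }
            [pscustomobject]@{
                Port    = $_.LocalPort
                Address = $_.LocalAddress
                Process = $name
                Status  = $status
            }
        }
}

Get-ListeningPortReport -Allowed $AllowedTcpPorts | Format-Table -AutoSize
```

Run the inventory before and after the service clean-up in section 10; a port that disappears from the report is one fewer rule to maintain. Blocking inbound by default means each port in the allow list still needs an explicit allow rule (or a role that installs one), so review `Get-NetFirewallRule -Enabled True -Direction Inbound` as well.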
7. Active Directory Domain Member Security Settings
- Domain member: Digitally encrypt or sign secure channel data (always): Enabled.
- Domain member: Digitally encrypt secure channel data (when possible): Enabled.
- Domain member: Digitally sign secure channel data (when possible): Enabled.
- Domain member: Require strong (Windows 2000 or later) session key: Enabled.
- Limit the number of previous logons to cache in case a domain controller is unavailable; 4 or fewer is typical for servers, and 0 for servers that are always connected to a domain controller.
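Most items in sections 3 to 7 end up as registry values, and the fastest way to see how far a server is from the checklist is one data-driven audit. The script below is an added example and is not from the original article: it compares each value with the expected setting (the article's values, expressed as the registry names behind the corresponding Local Security Policy options) and, with -Remediate, sets the missing ones. MaxCachedSockets and SmbDeviceEnabled are deliberately left out (the second breaks SMB file serving, see section 4), and the "Access this computer from the network" user right is not a registry value and must be set through secpol.msc or Group Policy. The 900-second inactivity limit and the cached-logon count of 4 are assumed targets. On a domain member, put the same values in a GPO; otherwise the next policy refresh overwrites them.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: audit (and optionally set) the registry-backed
# settings from the Security Settings, Registry Security, Network Controls, Network Security
# and Domain Member sections. Run without -Remediate first. InactivityTimeoutSecs = 900 and
# CachedLogonsCount = 4 are assumed targets; every other value is the checklist's.
[CmdletBinding()]
param([switch]$Remediate)

$LanWks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$LanSrv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Netlog = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Rdp    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$PolSys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolExp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Winlog = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Path, value name, expected value, registry type. DWords compare numerically, strings exactly,
# multi-strings by element count (the checklist wants them empty).
$Expected = @(
    @($LanWks, 'RequireSecuritySignature', 1, 'DWord'),      # client: sign SMB always
    @($LanSrv, 'RequireSecuritySignature', 1, 'DWord'),      # server: sign SMB always
    @($LanWks, 'EnablePlainTextPassword',  0, 'DWord'),      # no clear-text passwords to 3rd-party SMB
    @($LanSrv, 'AutoShareServer',          0, 'DWord'),      # no automatic admin shares
    @($LanSrv, 'AutoShareWks',             0, 'DWord'),
    @($LanSrv, 'RestrictNullSessAccess',   1, 'DWord'),      # restrict anonymous pipes/shares
    @($LanSrv, 'NullSessionPipes',  [string[]]@(), 'MultiString'),   # nothing over a null session
    @($LanSrv, 'NullSessionShares', [string[]]@(), 'MultiString'),
    @($Lsa,    'RestrictAnonymousSAM',     1, 'DWord'),      # no anonymous SAM enumeration
    @($Lsa,    'RestrictAnonymous',        1, 'DWord'),      # no anonymous SAM + share enumeration
    @($Lsa,    'EveryoneIncludesAnonymous', 0, 'DWord'),
    @($Lsa,    'ForceGuest',               0, 'DWord'),      # "Classic" sharing model
    @($Lsa,    'NoLMHash',                 1, 'DWord'),      # do not store LM hashes
    @($Lsa,    'LmCompatibilityLevel',     5, 'DWord'),      # NTLMv2 only, refuse LM & NTLM
    @($Lsa,    'UseMachineId',             1, 'DWord'),      # Local System uses computer identity
    @("$Lsa\MSV1_0", 'allownullsessionfallback', 0, 'DWord'),
    @("$Lsa\Kerberos\Parameters", 'SupportedEncryptionTypes', 0x7FFFFFF8, 'DWord'),  # AES only
    @($Netlog, 'RequireSignOrSeal',        1, 'DWord'),      # secure channel: always sign or seal
    @($Netlog, 'SealSecureChannel',        1, 'DWord'),
    @($Netlog, 'SignSecureChannel',        1, 'DWord'),
    @($Netlog, 'RequireStrongKey',         1, 'DWord'),
    @($Winlog, 'CachedLogonsCount',      '4', 'String'),     # REG_SZ; assumed target of 4
    @($PolSys, 'DisableCAD',               0, 'DWord'),      # require Ctrl+Alt+Del
    @($PolSys, 'ShutdownWithoutLogon',     0, 'DWord'),
    @($PolSys, 'InactivityTimeoutSecs',  900, 'DWord'),      # assumed 15-minute idle lock
    @($PolExp, 'NoDriveTypeAutoRun',    0xFF, 'DWord'),      # AutoRun off for all drive types
    @($Rdp,    'MinEncryptionLevel',       3, 'DWord'),      # RDP encryption level: High
    @($Rdp,    'UserAuthentication',       1, 'DWord'),      # Network Level Authentication
    @($Rdp,    'SecurityLayer',            2, 'DWord')       # TLS
)

function Test-RegistrySetting {
    param([string]$Path, [string]$Name, $Want, [string]$Type, [switch]$Fix)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $have = if ($null -ne $item) { $item.$Name } else { $null }
    $ok = switch ($Type) {
        'MultiString' { ($null -ne $have) -and (@($have).Count -eq @($Want).Count) }
        'String'      { "$have" -eq "$Want" }
        default       { ($null -ne $have) -and ([int64]$have -eq [int64]$Want) }
    }
    if (-not $ok -and $Fix) {
        if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        New-ItemProperty -Path $Path -Name $Name -Value $Want -PropertyType $Type -Force | Out-Null
        $ok = $true
    }
    $result = if ($ok) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{
        Key      = $Path.Replace('HKLM:\', '')
        Name     = $Name
        Current  = if ($null -eq $have) { '(not set)' } else { $have -join ',' }
        Expected = $Want -join ','
        Result   = $result
    }
}

$report = foreach ($e in $Expected) {
    Test-RegistrySetting -Path $e[0] -Name $e[1] -Want $e[2] -Type $e[3] -Fix:$Remediate
}
$report | Format-Table -AutoSize
```

Two checklist items from section 3 are not registry values and are checked separately: `Get-Volume | Where-Object FileSystemType -ne 'NTFS'` should return nothing, and `Get-BitLockerVolume` should show every fixed volume as protected. Note that LmCompatibilityLevel 5 and AES-only Kerberos break clients that still rely on LM/NTLM or RC4; test against the server's actual clients before enforcing.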
8. Audit Policy Settings
- Configure and manage the following audit policies, recording both success and failure events where that is meaningful. Prefer the advanced audit policy subcategories over the legacy top-level categories, and enable "Audit: Force audit policy subcategory settings to override audit policy category settings" so the two do not conflict:
- Account Logon
- Account Management
- Logon/Logoff
- Policy Change
- Privilege Use
9. Event Log Settings
- Configure the Event Log retention method and maximum size so that events are not overwritten before they are collected; the Security log in particular needs a much larger size than the default.
- Ship event logs to a centralized log server (for example with Windows Event Forwarding or a Splunk forwarder) so that an attacker who compromises the host cannot erase its own history.
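The following script is an added example, not from the original article. It turns the five categories of section 8 into advanced-audit subcategory settings (success and failure), makes those subcategory settings authoritative, sizes the Security log as section 9 asks, and then verifies both by parsing the CSV output of auditpol. The particular subcategories chosen and the 1 GB log size are this example's choices; forwarding to a collector is configured separately.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Subcategory selection and the 1 GB Security
# log are this example's choices, not the article's.

# Subcategories grouped by the article's five categories.
$Subcategories = @(
    'Credential Validation', 'Kerberos Authentication Service',   # Account Logon
    'User Account Management', 'Security Group Management',       # Account Management
    'Logon', 'Logoff', 'Account Lockout', 'Special Logon',        # Logon/Logoff
    'Audit Policy Change', 'Authentication Policy Change',        # Policy Change
    'Sensitive Privilege Use'                                     # Privilege Use
)

# "Audit: Force audit policy subcategory settings to override audit policy category settings":
# without it, legacy category settings from an old GPO can silently win.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord

foreach ($sub in $Subcategories) {
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# Security log: 1 GB, retain (never overwrite) and archive when full, so nothing is lost
# before it ships. Archived .evtx files accumulate under System32\winevt\Logs; watch disk space.
& wevtutil.exe sl Security /ms:1073741824 /rt:true /ab:true | Out-Null

function Get-AuditPolicyStatus {
    param([string[]]$Wanted)
    # auditpol /r prints CSV with "Subcategory" and "Inclusion Setting" columns.
    $rows = (& auditpol.exe /get /category:* /r) | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    foreach ($name in $Wanted) {
        $row     = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { '(not found)' }
        $result  = if ($setting -eq 'Success and Failure') { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{ Subcategory = $name; Setting = $setting; Result = $result }
    }
}

Get-AuditPolicyStatus -Wanted $Subcategories | Format-Table -AutoSize

# Log settings as the system now reports them; LogMode should be AutoBackup, not Circular.
$sec = Get-WinEvent -ListLog Security
[pscustomobject]@{
    Log       = $sec.LogName
    MaxSizeMB = [int]($sec.MaximumSizeInBytes / 1MB)
    LogMode   = $sec.LogMode
}
```

With a Windows Event Collector the source side is a single GPO setting (Computer Configuration, Administrative Templates, Windows Components, Event Forwarding, "Configure target Subscription Manager") pointing at the collector, and the collector is initialized with `wecutil qc`; a Splunk universal forwarder reads the same channels directly. Either way, confirm that Security log events arrive at the collector before relying on the local log size.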
10. Additional Security Protection
- Disable or remove unused services.
- Disable or delete unused user accounts and their associated files and folders.
- Configure User Rights Assignment to be as restrictive as possible.
- Configure file and folder permissions.
- Configure registry permissions.
- Disable the Remote Registry service if it is not in use.
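The script below is an added example, not from the original article, covering the service and account items above. It disables a list of services the role does not need (Remote Registry included), finds enabled local accounts that have not logged on within a window, and shows their profile folders so the associated files can be cleaned up. The service list is an assumption for a server with no printing, fax, SNMP-trap or UPnP duties, and the 90-day window is an assumed value; run without -Apply first and validate every entry against your own role.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. The default service list and the 90-day idle
# window are assumptions; review the report before running again with -Apply.
[CmdletBinding()]
param(
    [switch]$Apply,
    [int]$IdleDays = 90,
    [string[]]$KeepAccounts = @('Administrator'),
    [string[]]$ServicesToDisable = @('RemoteRegistry', 'Spooler', 'Fax', 'SNMPTRAP', 'SSDPSRV', 'upnphost')
)

function Invoke-ServiceHardening {
    param([string[]]$Names, [switch]$Change)
    foreach ($n in $Names) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svc) { continue }                       # not installed on this host
        $before = '{0}/{1}' -f $svc.StartType, $svc.Status
        $action = 'already disabled'
        if ($svc.StartType -ne 'Disabled') {
            $action = 'would disable'
            if ($Change) {
                Stop-Service -Name $n -Force -ErrorAction SilentlyContinue
                Set-Service -Name $n -StartupType Disabled
                $action = 'disabled'
            }
        }
        [pscustomobject]@{ Service = $n; Before = $before; Action = $action }
    }
}

function Get-StaleLocalAccount {
    # Enabled local accounts that never logged on, or not within the window. Never-logged-on
    # accounts include freshly created service accounts, so review before disabling.
    param([int]$Days, [string[]]$Keep)
    $cutoff   = (Get-Date).AddDays(-$Days)
    $profiles = Get-CimInstance -ClassName Win32_UserProfile
    foreach ($u in Get-LocalUser) {
        if (-not $u.Enabled -or $Keep -contains $u.Name) { continue }
        if ($null -ne $u.LastLogon -and $u.LastLogon -ge $cutoff) { continue }
        $prof = $profiles | Where-Object { $_.SID -eq $u.SID.Value }
        [pscustomobject]@{
            Name       = $u.Name
            LastLogon  = if ($u.LastLogon) { $u.LastLogon } else { 'never' }
            ProfileDir = if ($prof) { $prof.LocalPath } else { '(no profile)' }
        }
    }
}

Invoke-ServiceHardening -Names $ServicesToDisable -Change:$Apply | Format-Table -AutoSize

$stale = Get-StaleLocalAccount -Days $IdleDays -Keep $KeepAccounts
$stale | Format-Table -AutoSize
if ($Apply) {
    # Disable first, delete later: remove the account and its profile folder only after a
    # review period in which nothing has broken.
    $stale | ForEach-Object { Disable-LocalUser -Name $_.Name }
}
```

Stopping a service that another service depends on fails unless -Force is used, which is why the script stops before it disables; a dependency failure is a signal that the entry does not belong in the list for this role. Domain accounts are outside this script; for those, query LastLogonTimestamp in Active Directory instead of Get-LocalUser.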
11. Antivirus security
- Install and enable anti-virus software (Microsoft Defender Antivirus is built into Windows Server).
- Install and enable anti-spyware protection.
- Configure anti-virus and anti-spyware signatures to update at least daily.
- Install or enable software that checks the integrity of critical operating system files, so that tampering with system binaries is detected.
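As an added example (not code from the original article), the script below checks that Microsoft Defender Antivirus is enabled with current signatures, pulls an update when they are stale, and then keeps a SHA-256 baseline of a set of critical operating system files so that a later run reports anything missing or changed. The file list, the baseline path under ProgramData and the 24-hour signature age limit are this example's choices.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. $CriticalFiles, $BaselinePath and the
# 24-hour signature age are this example's choices.
[CmdletBinding()]
param(
    [string]$BaselinePath = "$env:ProgramData\os-file-baseline.json",
    [int]$MaxSignatureAgeHours = 24
)

$CriticalFiles = @('ntoskrnl.exe', 'ntdll.dll', 'kernel32.dll', 'lsass.exe', 'winlogon.exe',
                   'services.exe', 'csrss.exe', 'svchost.exe', 'cmd.exe', 'drivers\etc\hosts')

function Test-DefenderStatus {
    param([int]$MaxAgeHours)
    $s   = Get-MpComputerStatus
    $age = ((Get-Date) - $s.AntivirusSignatureLastUpdated).TotalHours
    [pscustomobject]@{
        AntivirusEnabled   = $s.AntivirusEnabled
        AntispywareEnabled = $s.AntispywareEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        SignatureAgeHours  = [math]::Round($age, 1)
        SignaturesCurrent  = $age -le $MaxAgeHours
    }
}

function Get-FileBaseline {
    # SHA-256 of each critical file under System32; files that do not exist are left out.
    param([string[]]$Files)
    $table = @{}
    foreach ($f in $Files) {
        $path = Join-Path $env:SystemRoot "System32\$f"
        if (Test-Path -Path $path) { $table[$f] = (Get-FileHash -Path $path -Algorithm SHA256).Hash }
    }
    return $table
}

function Compare-FileBaseline {
    param([hashtable]$Baseline, [hashtable]$Current)
    foreach ($f in ($Baseline.Keys | Sort-Object)) {
        $state = if (-not $Current.ContainsKey($f)) { 'MISSING' } elseif ($Current[$f] -ne $Baseline[$f]) { 'CHANGED' } else { 'ok' }
        [pscustomobject]@{ File = $f; State = $state; Hash = $Current[$f] }
    }
}

# 1. AV status; fetch signatures now if stale and check for updates more often than daily.
$status = Test-DefenderStatus -MaxAgeHours $MaxSignatureAgeHours
$status | Format-List
if (-not $status.SignaturesCurrent) { Update-MpSignature }
Set-MpPreference -SignatureUpdateInterval 8          # hours between signature update checks

# 2. Integrity baseline: the first run writes it, later runs compare against it.
if (-not (Test-Path -Path $BaselinePath)) {
    Get-FileBaseline -Files $CriticalFiles | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
} else {
    $saved = @{}
    (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $saved[$_.Name] = $_.Value }
    Compare-FileBaseline -Baseline $saved -Current (Get-FileBaseline -Files $CriticalFiles) |
        Format-Table -AutoSize
}
```

A baseline stored on the host it protects can be rewritten by the same attacker who replaced the binary, so copy it to the log server or sign it, and regenerate it after each patch cycle, since Windows Update legitimately changes these files. `sfc /verifyonly` is the built-in alternative for Windows-owned files; the hash baseline adds coverage for files such as hosts that sfc does not check.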