How to do a Windows Server Hardening

By Fabian A. Campo H. (MVP Cloud and Data Center Management), Bogota, Colombia.

I had a very important customer who needed to apply special hardening to the Windows Servers in their datacenter. So this is another opportunity for another tips and tricks post.

I’ve made a checklist, but first I took the categories and started filling in the steps that came to mind:

Every Windows machine has three baseline protections by default: the firewall (disabled by many users), Windows Update (also often disabled to avoid application failures), and the antivirus (which sometimes lacks the proper exclusions). So, as a first step, update the machine from the Windows Update site, use the Microsoft Network Traffic Analyzer or PortQuery (from Sysinternals) to identify which of the open ports are actually required, then enable the Windows Firewall with the appropriate rules to allow that traffic, and finally update the antivirus and antimalware signatures and run a deep scan of the machine.

This process requires close attention to detail to avoid unwanted behaviour. If you reach this point, your server is already a little more secure. Now I can mention the next steps…

Consider using the Security Configuration Wizard; this utility will guide you through the hardening.

Windows Update has only just begun: you should run it monthly, since Microsoft releases new updates every second Tuesday. Keep that in mind; the best way to handle it is to configure the server to download updates automatically and let you decide when to install them and restart.

You should restrict who can access the server remotely over the network. Remote Desktop Protocol can be configured to require more secure client connections, and through Active Directory you can also restrict who may log on to each computer and at what times.

Whether as a local policy or a domain GPO: set a minimum password length, enable password complexity requirements, do not store passwords using reversible encryption, and configure an account lockout policy.

Restrict local logon access to administrators only, and use LAPS to randomize the local administrator passwords.

Deny guest accounts the ability to log on as a service, as a batch job, locally, or via RDP.

Display an explicit warning banner stating that «all actions on the system will be recorded», as the message text shown to users attempting to log on.

Require Ctrl+Alt+Del for logon

Configure machine inactivity limit to 15 minutes to close idle sessions

Disable SMB 1.0 protocol

Disable the sending of unencrypted passwords to third party SMB servers

Configure Microsoft network server to always digitally sign communications, and to digitally sign communications if the client agrees

Disable anonymous SID/Name translation

Do not allow anonymous enumeration of SAM accounts

Do not allow anonymous enumeration of SAM accounts and shares

Do not allow Everyone permissions to apply to anonymous users

Do not allow any named pipes to be accessed anonymously

Restrict anonymous access to named pipes and shares

Do not allow any shares to be accessed anonymously

Configure Account Logon audit policy

Configure Account Management audit policy

Configure Logon/Logoff audit policy

Configure Policy Change audit policy

Configure Privilege Use audit policy

Configure Event Log retention method and size

Disable or uninstall unused services

Disable or delete unused users

Configure User Rights to be as secure as possible

Set the system date/time and configure it to synchronize against campus time servers
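As an added example (not code from the original post), the following read-only PowerShell script audits a subset of the checklist above and reports PASS/FAIL per item. It assumes the listed registry values are the storage locations of the named Security Options, that Get-SmbServerConfiguration is available (Windows Server 2012 R2 and later), and that the expected values come from the checklist itself (900 seconds for the 15-minute inactivity limit); it changes nothing on the server.

```powershell
# Added example, not from the original post: read-only audit of part of the hardening checklist.
# Run in an elevated PowerShell session on the server being hardened; it only reports PASS/FAIL.
$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Item, $Expected, $Actual, [bool]$Ok) {
    $results.Add([pscustomobject]@{ Item = $Item; Expected = $Expected; Actual = $Actual
                                    Status = $(if ($Ok) { 'PASS' } else { 'FAIL' }) })
}

# Registry locations behind the named Security Options (assumed, see lead-in).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$regChecks = @(
    @('Do not allow anonymous enumeration of SAM accounts',               $lsa, 'RestrictAnonymousSAM',      1),
    @('Do not allow anonymous enumeration of SAM accounts and shares',    $lsa, 'RestrictAnonymous',         1),
    @('Do not allow Everyone permissions to apply to anonymous users',    $lsa, 'EveryoneIncludesAnonymous', 0),
    @('Restrict anonymous access to named pipes and shares',              $srv, 'RestrictNullSessAccess',    1),
    @('Disable sending unencrypted passwords to third-party SMB servers', $wks, 'EnablePlainTextPassword',   0),
    @('Require Ctrl+Alt+Del for logon',                                   $sys, 'DisableCAD',                0),
    @('Machine inactivity limit of 15 minutes (seconds)',                 $sys, 'InactivityTimeoutSecs',     900),
    @('RDP connections require Network Level Authentication',             $rdp, 'UserAuthentication',        1)
)
foreach ($c in $regChecks) {
    $item, $path, $name, $expected = $c
    # A value that is not set means the default applies; report it as FAIL so it gets reviewed.
    $actual = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    Add-Result $item $expected $actual ($actual -eq $expected)
}

# SMB server settings: SMB 1.0 disabled and signing required / offered.
$smb = Get-SmbServerConfiguration
Add-Result 'Disable SMB 1.0 protocol' $false $smb.EnableSMB1Protocol (-not $smb.EnableSMB1Protocol)
Add-Result 'Server always digitally signs communications' $true $smb.RequireSecuritySignature $smb.RequireSecuritySignature
Add-Result 'Server digitally signs if client agrees' $true $smb.EnableSecuritySignature $smb.EnableSecuritySignature

# Logon warning banner: the policy text must be present and non-empty.
$banner = (Get-ItemProperty -Path $sys -ErrorAction SilentlyContinue).LegalNoticeText
Add-Result 'Logon warning banner configured' '<non-empty text>' $banner (-not [string]::IsNullOrWhiteSpace($banner))

# Windows Firewall must be enabled on every profile (Domain, Private, Public).
$disabled = (Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }).Name -join ', '
Add-Result 'Windows Firewall enabled on all profiles' 'none disabled' $disabled ($disabled -eq '')

$results | Format-Table Item, Expected, Actual, Status -AutoSize
```

Run it before and after applying the policies to confirm each setting actually landed, and keep the output with the change record for the server.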
