WS - Hardening Checklist (idea)


Network Configuration

  • Isolate the server from other networks using VLANs, subnetting, or other techniques.
  • Ensure DNS and hostname are accurate to help prevent DNS-related manipulation.
  • Implement IP restrictions and filtering rules to limit unauthorized access and exposure to attacks.
  • If remote administration is required, limit RDP access to specific IP addresses or networks to prevent unauthorized access.
  • Disable both NetBIOS over TCP/IP and LMHosts lookup unless required for legacy software or hardware.

User Account Security Hardening

  • Disable Guest Accounts.
  • Rename the “Administrator” user.
  • Minimize members and permissions of built-in groups like NT AUTHORITY\System.
  • Implement an account lockout policy.
  • Disable anonymous SID/Name translation.
  • Require server administrators to log on using a local administrator account rather than a privileged domain account to limit the risk of domain-wide issues or compromises.

Firewall Configuration

  • Enable the Windows firewall.
  • Configure each Windows firewall profile (Domain, Private, and Public) to block inbound traffic by default.
  • When inbound access is necessary for a server, limit it to essential protocols, ports, and specific IP addresses.
  • Open only required network ports; restrict or deny access for all other ports.

VM Preparation

  • Secure the BIOS/Firmware with a password.
  • Disable automatic administrative logon to the recovery console.
  • Configure device boot order to prevent booting from alternate media.

Application and Service Configuration

  • Reduce non-required applications on the server.
  • Reduce non-required services on the server.
  • Reduce non-required protocols on the server.
  • Refrain from installing additional browsers.
  • Restrict web access for all users.

Feature and Role Configuration

  • Remove all features and roles that are not in use to minimize the attack surface.

Network Time Protocol (NTP) Configuration

  • Designate a primary timekeeper and configure it to sync with a trusted atomic clock source.
  • Establish a policy that mandates all servers and workstations to synchronize their time exclusively with that server to guard against time-spoofing and replay attacks.

Registry Configuration

  • If the Remote Registry service is not required, disable it. If it is needed, tightly control access to it.
  • Disable the "NullSessionPipes" and "NullSessionShares" settings to limit anonymous access to network resources.
  • Allow only authorized users and administrators to modify critical registry keys and subkeys.

Access Management

  • Do not store LAN Manager hash values.
  • Configure allowable encryption types for Kerberos authentication.
  • Disable file and print sharing if it is not required.
  • Disable the NTLMv1 protocol unless it is needed to support older technology.

Remote Access Configuration

  • Enable Remote Desktop Protocol (RDP) only if necessary. If RDP is enabled, set the RDP connection encryption level to high.
  • Grant remote access rights to only the specific users who require them.
  • Implement multifactor authentication (MFA).

General Security Hardening Practices

  • Require Ctrl+Alt+Del for interactive logins.
  • Configure a time limit to automatically terminate idle interactive sessions.

Windows Server Hardening Guide: Additional Recommendations

  • If the server has ample RAM, consider disabling the Windows swap file.
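The following audit script is an added example, not part of the original checklist: it reads the current state of a subset of the items above (guest and built-in Administrator accounts, LM hash storage, NTLMv1, null-session pipes and shares, the Remote Registry service, firewall profiles, RDP encryption level, NetBIOS over TCP/IP, and Ctrl+Alt+Del) and reports each as PASS or FAIL. It assumes PowerShell 5.1 or later running as a local administrator on Windows Server 2016 or later, and the expected values are the usual hardening targets (NoLMHash=1, LmCompatibilityLevel=5, MinEncryptionLevel of 3 or higher, DisableCAD explicitly 0).

```powershell
# Added audit script for the checklist above (example, not the original page's code).
# Assumes PowerShell 5.1+, run as a local administrator on Windows Server 2016+.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent so an undefined setting shows as FAIL.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Each check is a script block that returns $true when the item is compliant.
$checks = [ordered]@{
    'Guest account disabled'                  = { -not (Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue).Enabled }
    'Built-in Administrator (RID 500) renamed' = { (Get-LocalUser | Where-Object { $_.SID -like '*-500' }).Name -ne 'Administrator' }
    'LM hashes not stored (NoLMHash=1)'       = { (Get-RegValue $lsa 'NoLMHash') -eq 1 }
    'NTLMv1 refused (LmCompatibilityLevel=5)' = { (Get-RegValue $lsa 'LmCompatibilityLevel') -eq 5 }
    'NullSessionPipes empty'                  = { -not (Get-RegValue $srv 'NullSessionPipes') }
    'NullSessionShares empty'                 = { -not (Get-RegValue $srv 'NullSessionShares') }
    'Remote Registry service disabled'        = { (Get-Service RemoteRegistry).StartType -eq 'Disabled' }
    'All firewall profiles enabled, inbound blocked by default' = {
        -not (Get-NetFirewallProfile |
              Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' })
    }
    'RDP disabled or encryption level High/FIPS' = {
        (Get-RegValue $ts 'fDenyTSConnections') -eq 1 -or
        (Get-RegValue "$ts\WinStations\RDP-Tcp" 'MinEncryptionLevel') -ge 3
    }
    'NetBIOS over TCP/IP disabled on all IP-enabled adapters' = {
        # TcpipNetbiosOptions: 0 = via DHCP, 1 = enabled, 2 = disabled
        -not (Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
              Where-Object { $_.TcpipNetbiosOptions -ne 2 })
    }
    'Ctrl+Alt+Del required (DisableCAD explicitly 0)' = { (Get-RegValue $pol 'DisableCAD') -eq 0 }
}

foreach ($name in $checks.Keys) {
    # A check that throws (missing cmdlet, access denied) is reported as FAIL rather than aborting the run.
    $ok = try { [bool](& $checks[$name]) } catch { $false }
    '{0,-4} {1}' -f ($(if ($ok) { 'PASS' } else { 'FAIL' }), $name)
}
```

Items with no direct registry or cmdlet representation here (account lockout thresholds, anonymous SID/Name translation, Kerberos encryption types) are best audited from a `secedit /export` security template rather than added to this script.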