Windows Server Hardening Checklist

Below are a few quick measures to apply when hardening a Windows Server environment. Note that this checklist does not cover network configuration.

Windows Updates

  1. Manage these via an automation tool such as System Center. Schedule monthly updates.

Windows Security

  1. Microsoft Defender Antivirus is enabled
  2. Exploit Protection is enabled

Under Local Security Policy (or within GPOs)

  1. Local Security Policy
    1. Password policy (set the minimum password length to at least 12 characters)
    2. Account lockout policy (lock out after 3 failed login attempts)
    3. Kerberos policy
  2. Local Policies
    1. Audit policy (enable where required for compliance)
      1. Account logon events
      2. Policy changes

Defender

  1. Windows Defender Credential Guard: Open GPO > Administrative Templates > System > Device Guard > Turn on virtualization based security
  2. Microsoft Defender Exploit Guard: Open GPO > Administrative Templates > Windows components > Windows Defender Exploit Guard > Exploit Protection > Use a common set of exploit protection settings.

Services

  1. Disable Remote Registry: services.msc > Remote Registry > set Startup type to Disabled

Encryption

  1. BitLocker
  2. EFS encryption

Quick Checklist

  1. Ensure that the Roles and Features installed on Windows Server are necessary.
  2. Ensure the guest user account is disabled (it usually is by default).
  3. Don't install apps you don't need (e.g. Google Chrome).
  4. Use Windows Server Core where teams are comfortable with it. Teams that still want a GUI can use Windows Admin Center, which is free, to connect to the server and manage it through a graphical interface.
  5. Local admin password set and stored in a password manager.
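A read-only PowerShell audit of several items on this checklist (Defender state, Exploit Protection DEP, Credential Guard, password length and lockout policy, the two audit categories, Remote Registry and the Guest account), added here as an example rather than taken from the original page. It assumes Windows Server 2019 or later with the Defender PowerShell module installed; the function names Test-ServerHardening and Get-NetAccountsValue are our own.

```powershell
#Requires -RunAsAdministrator
# Read-only audit of several checklist items. Added example, not code from the original page.
# Assumes Windows Server 2019 or later with the Defender PowerShell module present.
function Get-NetAccountsValue {
    param([string]$Label)
    # 'net accounts' prints lines such as "Minimum password length:   12"
    $line = (net accounts) | Where-Object { $_ -like "$Label*" }
    if ($line -match ':\s*(\S+)\s*$') { return $Matches[1] }
}

function Test-ServerHardening {
    $r = [System.Collections.Generic.List[object]]::new()
    function Add-Check($Name, $Expected, $Actual, $Pass) {
        $r.Add([pscustomobject]@{ Check = $Name; Expected = $Expected; Actual = $Actual; Pass = [bool]$Pass })
    }
    # Windows Security: Defender and Exploit Protection (system-wide DEP used as the indicator)
    $mp = Get-MpComputerStatus
    Add-Check 'Defender antivirus enabled' $true $mp.AntivirusEnabled $mp.AntivirusEnabled
    Add-Check 'Real-time protection enabled' $true $mp.RealTimeProtectionEnabled $mp.RealTimeProtectionEnabled
    $dep = (Get-ProcessMitigation -System).Dep.Enable
    Add-Check 'Exploit Protection: system DEP' 'ON' "$dep" ("$dep" -eq 'ON')
    # Defender: Credential Guard reports as running security service 1 in Win32_DeviceGuard
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $cg = @($dg.SecurityServicesRunning) -contains 1
    Add-Check 'Credential Guard running' $true $cg $cg
    # Local Security Policy: minimum password length and lockout threshold
    $minLen = [int](Get-NetAccountsValue 'Minimum password length')
    Add-Check 'Minimum password length' '>= 12' $minLen ($minLen -ge 12)
    $lockout = Get-NetAccountsValue 'Lockout threshold'   # a number, or 'Never'
    Add-Check 'Lockout threshold' '<= 3 (not Never)' $lockout ($lockout -ne 'Never' -and [int]$lockout -le 3)
    # Local Policies: the two audit categories named on the checklist must not be 'No Auditing'
    foreach ($cat in 'Account Logon', 'Policy Change') {
        $rows = auditpol /get /category:"$cat" /r | ConvertFrom-Csv
        $unaudited = @($rows | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' }).Count
        Add-Check "Audit: $cat" 'all subcategories audited' "$unaudited unaudited" ($unaudited -eq 0)
    }
    # Services and Quick Checklist: Remote Registry disabled, Guest account disabled
    $rr = (Get-Service -Name RemoteRegistry).StartType
    Add-Check 'Remote Registry disabled' 'Disabled' "$rr" ("$rr" -eq 'Disabled')
    $guest = (Get-LocalUser -Name Guest).Enabled
    Add-Check 'Guest account disabled' $false $guest (-not $guest)
    return $r
}

Test-ServerHardening | Format-Table -AutoSize
```

Run it from an elevated PowerShell session; each row shows the checklist item, the expected value, what the server currently reports, and whether it passes.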

if ActiveDirectory == True

  1. DSRM (Directory Services Restore Mode) password set and stored in a password manager
  2. Domain Admins membership list documented