Windows Server

Hardening Checklist

1
Table of contents
Server Preparation 3

Update Windows Server Installation and Keep It Updated 3

User Account Security Hardening 4

Feature and Role Configuration 4

Application and Service Configuration 5

Network Configuration 5

Firewall Configuration 6

Network Time Configuration (NTP) Configuration 6

Registry Configuration 6

Encryption 7

Access Management 7

Remote Access Configuration 7

General Security Hardening Practices 8

Windows Server Hardening Guide: Additional Recommendations 8

How Netwrix Can Help 9

2
While deploying servers in their default state can be the fastest way to get them operational, it falls significantly
short in terms of security. Out of the box, servers are optimized for ease of use — which often comes at the
expense of security.

This caveat is particularly important for Windows Server systems because of the vital role they play in the
Microsoft ecosystem, including both authentication and authorization. By investing a little extra time configuring
your Windows Server systems securely, you can dramatically reduce your attack surface.

To help, this guide offers an extensive checklist of Windows Server hardening best practices. First, we’ll cover
Windows Server itself: users, features, roles, services and so on. But then we’ll provide Windows hardening guide
for a variety of other aspects of the IT environment that also impact Windows Server security and availability, such
as network and firewall configuration, application and service configuration, access management, and auditing
policies. Finally, we’ll offer a solution that dramatically streamlines the process of server hardening.

Server Preparation
Server hardening begins even before you install the operating system. To provide a firm foundation for server
security, take the following steps:

ƒ Establish and maintain a detailed inventory of all your servers.

ƒ Isolate new servers from network and internet traffic until they are fully hardened.
ƒ Secure the BIOS/firmware with a robust password.
ƒ Disable automatic administrative logon to the recovery console.
ƒ Configure device boot order to prevent booting from alternate media.

Update Windows Server Installation and Keep It Updated

After installing the Windows Server operating system, immediately update it with the latest patches to mitigate
known vulnerabilities. Updates can be downloaded straight from Microsoft or through Window Server Update
Services (WSUS) or System Center Configuration Manager (SCCM).

To help keep your servers secure, enable automatic notification of patch availability and install updates promptly.
However, before deploying any patch, hotfix or service pack, make sure to thoroughly test it to ensure it works
properly in your specific environment.

3
User Account Security Hardening
As soon as a server is deployed and up-to-date on security patches, proceed to user security configuration to
mitigate the risk of unauthorized access. Key user configuration best practices include the following:

ƒ Disable the guest account on each server.

ƒ Either rename the local Administrator account, or disable it and create a new account with a unique name.

ƒ Minimize both the membership and permissions of built-in groups like Local System (NT AUTHORITY\System),
Network Service (NT AUTHORITY\NetworkService), Administrators, Backup Operators, Users and Everyone.
For example, to prevent unrestricted remote access to your servers, be sure to change the default setting
granting the ‘Access this computer from the network’ right to the Everyone group.

ƒ Ensure that the passwords of system and administrator accounts adhere to best password practices. In
particular, require these passwords to be at least 15 characters long and use a mix of letters, numbers and
special characters, and to be changed every 90–180 days.

ƒ Configure an account lockout policy according to account lockout best practices.

ƒ Disable anonymous SID/Name translation.

ƒ Promptly disable or delete unused user accounts.

ƒ Require server administrators to log on using a local administrator account rather than a privileged domain
account in order to limit the risk of domain-wide issues or compromises.

Feature and Role Configuration

Another important best practice to harden Windows servers is to remove any features and roles that are not
necessary for the server’s intended purpose. This strategy reduces the attack surface and also makes the server
easier to manage.

4
Application and Service Configuration
Similarly, minimize the number of applications, services and protocols that are installed on each server.
In particular, do not install any additional web browsers on the server and restrict web access for all users.

Limiting the applications and services running on a server reduce its attack surface and also simplifies update and
patch management.

Network Configuration
The configuration of your network dramatically impacts the security of your Windows servers. Here are some key
network configurations practices you should follow.

ƒ Isolate the server from untrusted networks or segments using VLANs, subnetting or other network segregation
techniques. This strategy limits the server’s exposure to potential threats.

ƒ Ensure that DNS and hostname configurations are accurate to prevent DNS-related manipulation.

ƒ Implement IP restrictions and filtering rules to control which IP addresses or ranges can communicate with
the server. This helps limit unauthorized access and exposure to attacks.

ƒ If remote administration is required, limit RDP access to specific IP addresses or networks to help prevent
unauthorized access.

ƒ Disable both NetBIOS over TCP/IP and LMHosts lookup unless they are required for legacy software or
hardware.

5
Firewall Configuration
To help safeguard your Windows servers from unauthorized access and malicious traffic, follow these firewall
configuration best practices:

ƒ Enable the Windows firewall.

ƒ Configure each Windows firewall profile (Domain, Private and Public) to block inbound traffic by default.
When inbound access is necessary for a server, limit it to essential protocols, ports and specific IP addresses.

ƒ Open only required network ports; restrict or deny access for all other ports.

ƒ Disable both NetBIOS over TCP/IP and LMHosts lookup unless they are required for legacy software or
hardware.

Network Time Configuration (NTP) Configuration

NTP is vital for ensuring accurate timestamps on events, which helps organizations guard against time-spoofing
and replay attacks.

Designate a specific server as the primary timekeeper and configure it to sync with a trusted atomic clock source. Then
establish a policy that mandates all servers and workstations to synchronize their time exclusively with that server.

Registry Configuration
Properly configuring registry settings and controlling changes to them is also vital to server security. Best practices
include the following:

ƒ If the Remote Registry service is not required, disable it. If it is needed, tightly control access to it.

ƒ Disable the “NullSessionPipes” and “NullSessionShares” settings to limit anonymous access to network
resources.

ƒ Allow only authorized users and administrators to modify critical registry keys and subkeys.

6
Encryption
To enhance server security, it’s advisable to enable and configure BitLocker drive encryption for the entire system
drive, as well as any additional drives containing data. For more fine-grained data protection, consider utilizing
Encrypting File System (EFS) to encrypt individual files.

To ensure data confidentiality and integrity across the network, you can implement IPsec for encrypting network
traffic between servers.

Access Management
Access management is a critical component of Windows hardening checklist because it controls who can access
which IT resources and what level of access they have. Access management best practices include the following:

ƒ Enforce the principle of least privilege by granting users and processes the minimum rights necessary to
perform their tasks. In particular, be very judicious about granting permissions to the Everyone group.

ƒ Allow only authenticated users to access any computer from the network.

ƒ Configure allowable encryption types for Kerberos authentication.

ƒ Do not store LAN Manager hash values.

ƒ Disable file and print sharing if it is not required.

ƒ Disable the NTLMv1 protocol unless it is needed to support older technology.

Remote Access Configuration

Remote Desktop Protocol (RDP) is a common target for hackers so it should be enabled only if necessary. If RDP
is enabled, set the RDP connection encryption level to high.

Moreover, grant remote access rights to only the specific users who require them, and use multifactor
authentication (MFA) if possible to add an extra layer of protection.

7
General Security Hardening Practices
Consider implementing these general security best practices:

ƒ Disable the use of removable media, such as USB sticks, to mitigate the risk of data exfiltration and malware
injection.

ƒ Display a legal notice like the following before the user logs in: “Unauthorized use of this computer and
networking resources is prohibited.”

ƒ Require Ctrl+Alt+Del for interactive logins, and configure a time limit to automatically terminate idle interactive
sessions.

ƒ If the server has ample RAM, consider disabling the Windows swap file to enhance performance and bolster
security by preventing sensitive data from being written to the hard drive.

Windows Server Hardening Guide: Additional

Recommendations
Other hardening recommendations include the following:

ƒ Perform regular risk assessments and use them to update your risk management plan.

ƒ Use an endpoint security solution to protect your servers and other machines. Windows Defender is included
by default, but third-party solutions are also available. Consider anti-spyware protection as well.

ƒ Install a data loss prevention (DLP) solution to help protect sensitive information against improper access and
leakage.

ƒ Monitor activity that could compromise server security. Native logs provides some insight; these logs can
be reviewed using Windows Event Viewer. But for more comprehensive logging and monitoring capabilities,
implement an enterprise auditing solution that offers not just monitoring but advanced features like user
behavior analytics (UBA), real-time alerts and automated incident response.

8
How Netwrix Can Help
Netwrix Change Tracker dramatically simplifies Windows Server hardening and configuration management.
In particular, it:

ƒ Makes it easy to establish secure baseline configurations that conform to standards like those from the Center
for Internet Security (CIS) and the US Department of Defense Security Technical Implementation Guide (STIG).

ƒ Automatically detects deviations or drift away from your baseline configurations using system and file integrity
monitoring (FIM) technology.

ƒ Coordinates with your IT service management (ITSM) solution to identify unexpected configuration changes
and alerts administrators.

ƒ Speeds incident response by providing detailed information about changes.

ƒ Streamlines compliance audits with out-of-the-box reports covering NIST, PCI DSS, CMMC, STIG and NERC CIP.

9
Harden Windows Server
configurations with
Netwrix Change Tracker
Establish strong Windows Server configurations faster
with hardened configuration templates.

Quickly spot and correct any configuration drift.

Monitor all changes to Windows Server configurations

and get targeted alerts on unexpected modifications to
avert security incidents and business downtime.

Increase confidence in your security posture with

comprehensive information on security status.

Pass compliance audits with ease using 250+ CIS‑certified

reports covering NIST, PCI DSS, CMMC, STIG and NERC CIP.

Request One-to-One Demo

10
About Netwrix
Netwrix makes data security easy. Since 2006, Netwrix solutions have been simplifying the lives of security
professionals by enabling them to identify and protect sensitive data to reduce the risk of a breach, and to detect,
respond to and recover from attacks, limiting their impact. More than 13,500 organizations worldwide rely on
Netwrix solutions to strengthen their security and compliance posture across all three primary attack vectors:
data, identity and infrastructure.

For more information, visit www.netwrix.com

Next Steps

Netwrix products — Check out the full portfolio of Netwrix products: netwrix.com/products

Live demo — Take a product tour with a Netwrix expert: netwrix.com/livedemo

Request quote — Receive pricing information: netwrix.com/buy

CORPORATE HEADQUARTER: PHONES: OTHER LOCATIONS: SOCIAL:

6160 Warren Parkway, Suite 1-949-407-5125 Spain: +34 911 982608

100 Frisco, TX, US 75034 Toll-free (USA): 888-638-9749 Netherlands: +31 858 887 804
Sweden: +46 8 525 03487
Switzerland: +41 43 508 3472
5 New Street Square, London +44 (0) 203 588 3023 France: +33 9 75 18 11 19 netwrix.com/social
EC4A 3TW Germany: +49 711 899 89 187
Hong Kong: +852 5808 1306
11
Italy: +39 02 947 53539