Windows Hardening: Detailed Checklist for Windows Server and Windows 10

System hardening is the practice of minimizing the attack surface of a computer system or server. The goal is to reduce the amount of security weaknesses and vulnerabilities that threat actors can exploit.

System hardening is generally categorized into five areas—server hardening, operating system (OS) hardening, software application hardening, network hardening, and database hardening. Each category involves hardening different areas of the environment.

OS hardening usually involves patching and securing the operating system of a server. Operating system vendors, like Microsoft, usually release updates, service packs, and patches, which users can manually or automatically install.

There are several operating system hardening techniques you can use when implementing Windows hardening. For example, you can encrypt the SSD and HDD that stores and hosts the OS, removing any unnecessary drivers. You should also limit system access permissions and authentication processes, and restrict privileges.

In this article

What are Windows Security Baselines?

Windows and Windows Server are designed with security in mind. Microsoft secures certain aspects and also provides organizations with controls that enable granular security configuration. To help organizations properly leverage security controls, Microsoft provides Security Baselines that offer guidance.

Each Windows Security Baseline is a group of configuration settings based on feedback from Microsoft’s security engineers, as well as product groups, customers, and partners. These Security Baselines are available in a consumable format, including as Group Policy Object Backups.

Windows Security Baselines can help organizations ensure that device and user settings that have already been set up are in compliance with Windows baselines. It can also help set up configuration settings for new operating system installations, for example when using Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy

Security Baselines are available from the Microsoft Download Center.

Tal Zamir
CTO, Perception Point

Tal Zamir is a 20-year software industry leader with a track record of solving urgent business challenges by reimagining how technology works.

TIPS FROM THE EXPERTS

1. Implement strict Least Privilege Access Control
   Go beyond standard privilege reduction by regularly auditing user and service accounts to ensure they maintain only the minimum necessary access. Consider implementing Just-In-Time (JIT) access controls, where elevated privileges are granted temporarily and automatically revoked after the task completion.
2. Implement Advanced DNS Security Features
   Protect against DNS-based attacks by configuring DNS-over-HTTPS (DoH) and using DNS Security Extensions (DNSSEC). These protocols encrypt DNS queries and responses, mitigating risks such as DNS spoofing or interception attacks, which can redirect traffic to malicious sites.
3. Customize and Apply Advanced Firewall Rules
   Beyond the basic network configurations, implement granular Windows Firewall rules that control both inbound and outbound traffic based on application, IP address ranges, and ports. Regularly review and adjust these rules to reflect changes in your environment and the evolving threat landscape.
4. Monitor for Unauthorized Security Baseline Deviations
   Establish a continuous monitoring process for any deviations from your implemented Windows Security Baselines. Use automated tools to regularly compare live configurations against your baselines and immediately flag any discrepancies, enabling rapid remediation.

Windows Server Hardening Checklist

Use the following checklist to harden a Windows Server installation.

Windows User Configuration

Follow these guidelines to reduce risks from privileged user accounts on Windows Server:

• Disable the local administrator—it is usually not required, and is a popular target for attackers.
• Set up a custom admin account—it can be a domain Active Directory (AD) account or a local account in the administrators group
• Prefer to run as a regular user account—to reduce the chance of account compromise, connect to the server using a regular user account, and when you need to perform operations that require administrative privileges, request elevation using “Run As” (the Windows equivalent of sudo).

Windows Network Configuration

Take the following precautions to protect a Windows Server machine from network attacks:

• Place the machine behind the firewall—production Windows Server instances should always run in a protected network segment.
• Redundant DNS—configure two or more DNS servers and verify name resolution using nslookup.
• Verify DNS records—ensure the server has an A record and PTR record for reverse DNS lookups.
• Disable network services—any service the server is not actually using, like IPv6, should be disabled to reduce the attack surface.

Windows Service Configuration

Follow these guidelines to minimize the risk from services running on Windows Server:

• Disable unused services—many services that run by default on Windows Server may not be required in your specific use case, and should be disabled. Disable any service that is not required for basic functionality. Pay special attention to Windows Server 2008 and 2003, which had a larger number of redundant services.
• Limit security context—each service runs as a specific user account. By default these are Network Service, Local System, or Local Service accounts. For sensitive application and user services, set up accounts for each service and limit privileges to the minimum required for each service. This limits the ability for privilege escalation and lateral movement.

Network Time Protocol (NTP) Configuration

Windows login and other functions that leverage kerberos security rely on accurate NTP times. Even a small time difference can break functionality. To avoid service disruption, make sure that:

• Servers within domains automatically sync time with the domain controller
• Standalone servers sync with an external time source
• Domain controllers sync with a time server on an ongoing basis

Centralized Event Logs

Windows Server systems generate multiple logs, which can be configured to be more or less verbose. Logs are an important way to gain visibility over server operations for maintenance and security purposes. To provide convenient access to logs for an organization’s Windows Server instances, use a central syslog server, and ensure you have the following capabilities:

• Ability to assign categories to specific logs or entries
• Enable full text search and querying of log data
• Integrate logging with remediation tools to enable automated response to errors

Windows 10 Hardening Checklist

Use the following checklist to harden Windows 10.

Leverage Built-In Windows 10 Security Tools

Enterprise editions of Windows 10 come with several built-in security tools, including:

• Windows Defender Advanced Threat Protection – an advanced security system that includes state of the art antimalware protection, as well as exploit protection, automated attack surface reduction, application control, and hardware-based isolation.
• Microsoft SmartScreen – scans downloads and blocks execution of malicious payloads.
• Windows Sandbox – lets users install untrusted applications in a secure, isolated environment.

In addition to these built-in Microsoft tools, assess your threat environment and deploy additional antivirus or endpoint protection tools on all protected Windows 10 machines.

Application Management

It is strongly preferred to configure Windows to only allow the installation of approved applications from controlled software repositories or application marketplaces. You can do this by setting the “Allow apps from the Store only” option under Apps & Features, or using Windows Defender code Integrity policies.

This can prevent attackers from emailing malware to users, convincing them to download and install malware, or deploying malware via drive-by downloads or deceptive links on malicious websites. Note that even if you require administrative access on the local machine to install software, attackers can bypass this with social engineering.

Application Control

Many attack vectors rely on execution of malicious code, even if it is not installed on the user’s device. Whitelisting and blacklisting of executables in Windows 10 can be effective at preventing these attacks. Many security best practices advise creating a new whitelist of files that are allowed to execute on end-user machines, without relying on lists from application vendors or existing files on the machine.

However, in real enterprise environments, it can be difficult to create such a whitelist and maintain it across a large number of machines. Whitelists will also tend to be overly restrictive, hurting user productivity.

Disable Remote Access

Windows 10 comes with Microsoft Remote Desktop that provides remote access to a user’s machine. This feature is often used by attackers to gain remote control of user devices, install malware, and steal information. Remote Desktop is disabled by default, but in case users enable it, it is important to make sure it is disabled except when needed for approved, legitimate use.

PowerShell

PowerShell is a scripting language that is extremely powerful in the hands of an attacker. Follow these guidelines to secure systems against PowerShell exploits:

• Remove PowerShell version 2.0 or earlier, which had security vulnerabilities
• Set PowerShell to Constrained Language Mode
• Enable PowerShell logging to provide an audit trail
• Setting an execution policy – a safety feature that specifies under which conditions PowerShell will load configuration files and run scripts

Enable Auto-Updates

Deploy Microsoft security updates on all user devices immediately. Automate and enforce deployment of regular Windows updates—if possible, without the user’s involvement.

Support for Windows 7 ended in January 2020, and so any end-user device running Windows 7 or earlier is at immediate risk of cyberattacks. If users are running an older version of Windows that is no longer supported, upgrade it to a supported version urgently, and in cases where upgrades are not possible, isolate the outdated systems from the network.

Learn more in our detailed guide to Windows 10 hardening

Another Way to Think About System Hardening with Perception Point Advanced Browser Security

The web has become cybercriminals’ attack surface of choice. Thus, providing internet access to users while protecting against web attacks is the most persistent security challenge organizations face today. One way to harden enterprise networks and systems is to protect the enterprise browser ensuring that no malicious content ever penetrates the endpoint.

Perception Point Advanced Browser Security adds enterprise-grade security to standard browsers like Chrome, Edge, and Safari. The solution fuses advanced threat detection with browser-level governance and DLP controls providing organizations of all sizes with unprecedented ability to detect, prevent and remediate web threats including sophisticated phishing attacks, ransomware, exploits, Zero-Days, and more.

By transforming the organizational browser into a protected work environment, the access to sensitive corporate infrastructure and SaaS applications is secure from data loss and insider threats. The solution is seamlessly deployed on the endpoints via a browser extension and is managed centrally from a cloud-based console. There is no need to tunnel/proxy traffic through Perception Point.

An all-included managed Incident Response service is available for all customers 24/7. Perception Point’s team of cybersecurity experts will manage incidents, provide analysis and reporting, and optimize detection on-the-fly. The service drastically minimizes the need for internal IT or SOC team resources, reducing the time required to react and mitigate web-borne attacks by up to 75%.

Customers deploying the solution will experience fewer breaches, while providing their users with a better experience as they have the freedom to browse the web, use SaaS applications that they require, and access privileged corporate data, confidently, securely, and without added latency.

Contact us for a demo of the Advanced Browser Security solution.

System hardening is the practice of minimizing the attack surface of a computer system or server. The goal is to reduce the amount of security weaknesses and vulnerabilities that threat actors can exploit.

Windows Security Baselines can help organizations ensure that device and user settings that have already been set up are in compliance with Windows baselines. It can also help set up configuration settings for new operating system installations, for example when using Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy

Use the following checklist to harden a Windows Server installation:
– Windows User Configuration
– Windows Network Configuration
– Windows Service Configuration
– Network Time Protocol (NTP) Configuration
– Centralized Event Logs

Use the following checklist to harden Windows 10:
– Leverage Built-In Windows 10 Security Tools
– Application Management
– Application Control
– Disable Remote Access
– PowerShell
– Enable Auto-Updates