Abstract: This article lists some basic hardening steps which can be done on nearly any Windows Server.

1.) Make sure that the default Admin Account and Guest Account are renamed (e.g. RENAdministrator and RENGuest, but you should choose your own names here!)

2.) Make sure the screen saver locks the screen after x minutes (15 minutes preferred)

3.) Make sure that the default Admin Account and Guest Account require a password. This can be done via:

net user RENAdministrator /PASSWORDREQ:YES
net user RENGuest /PASSWORDREQ:YES

4.) Windows Hardening: Disable the Print Spooler Service

5.) Hardening Windows: Disable NTFS 8 Dot 3

6.) Hardening IIS: Disable SSL 2.0 & PCT 1.0 & disable weak ciphers

7.) Disable SMBv1

As SMBv1 is quite old and has some vulnerabilities, you should disable it (as explained here) with the following:

Windows 2012:

Set-SmbServerConfiguration -EnableSMB1Protocol $false

Windows 2008:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

This still leaves SMBv2 and SMBv3 active, so they can continue to be used.
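
To verify that steps 1, 3 and 7 took effect, the following read-only check can be run in an elevated Windows PowerShell session. It is an added example, not part of the original article; the function name Test-BasicHardening is hypothetical, and the rename check assumes the English default account names.

```powershell
# Added example: read-only audit for steps 1, 3 and 7. Run in an elevated session.
# Test-BasicHardening is a hypothetical name; nothing here changes any setting.
function Test-BasicHardening {
    $results = @()

    # Steps 1 and 3: locate the built-in accounts by their well-known RID
    # (500 = Administrator, 501 = Guest) so the check works after a rename.
    # Assumption: English default names; adjust the list on localized systems.
    $defaultNames = @('Administrator', 'Guest')
    $accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -match '-(500|501)$' }
    foreach ($a in $accounts) {
        $results += New-Object PSObject -Property @{
            Check = "Account '$($a.Name)' renamed from default"
            Pass  = ($defaultNames -notcontains $a.Name)
        }
        $results += New-Object PSObject -Property @{
            Check = "Account '$($a.Name)' requires a password"
            Pass  = [bool]$a.PasswordRequired
        }
    }

    # Step 7: prefer the SMB cmdlet where it exists (Windows 2012 and later),
    # otherwise fall back to the registry value used on Windows 2008.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $smb1 = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SMB1
        # A missing SMB1 value means the default, which leaves SMBv1 enabled.
        $smb1Enabled = ($null -eq $smb1) -or ($smb1 -ne 0)
    }
    $results += New-Object PSObject -Property @{
        Check = 'SMBv1 server protocol disabled'
        Pass  = (-not $smb1Enabled)
    }

    $results | Select-Object Check, Pass
}

Test-BasicHardening | Format-Table -AutoSize
```

Any row with Pass set to False points to a step above that still needs to be applied on that server.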

 

If you run a VMware environment, check this article here on hardening the BIOS.

If you wish to share your ideas, feel free to leave a comment!
