Saturday, May 25, 2024

Hardening Windows Server (Basic Steps)

Abstract: This article lists some basic hardening steps which can be done on nearly any Windows Server.

1.) Make sure that the default Admin Account and Guest Account are renamed (e.g. RENAdministrator and RENGuest; but you should choose your own idea here!)

2.) Make sure the screen saver will lockout the screen after x min (would prefer 15min)

3.) Make sure that the default Admin Account and Guest Account require a password. This can be done via:

net user RENAdministrator /PASSWORDREQ:YES

4.) Windows Hardening: Disable the Print Spooler Service

5.) Hardening Windows: Disable NTFS 8 Dot 3

6.) Hardening IIS: Disable SSL 2.0 & PCT 1.0 & disable weak ciphers

7.) Disable SMBv1

As SMBv1 is quite old and has some vulnerabilities you should disable that (as explained here) via the following:

Windows 2012:

Set-SmbServerConfiguration -EnableSMB1Protocol $false

Windows 2008:

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0 -Force

This would still leave SMBv2 and SMBv3 active which can be used.

8.) Upgrade Diffie-Hellman Prime to 2048 bit as explained here

9.) Enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP (see here)



If you run a VMWare environment, check this article here on hardening the BIOS.

If you wish to share your ideas feel free to leave a comment!

Related Articles


Please enter your comment!
Please enter your name here

Stay Connected

- Advertisement -

Latest Articles