Abstract: This article lists some basic hardening steps which can be done on nearly any Windows Server.
1.) Make sure that the default Admin Account and Guest Account are renamed (e.g. RENAdministrator and RENGuest; but you should choose your own idea here!)
2.) Make sure the screen saver will lockout the screen after x min (would prefer 15min)
3.) Make sure that the default Admin Account and Guest Account require a password. This can be done via:
net user RENAdministrator /PASSWORDREQ:YES
net user RENGuest /PASSWORDREQ:YES
4.) Windows Hardening: Disable the Print Spooler Service
5.) Hardening Windows: Disable NTFS 8 Dot 3
6.) Hardening IIS: Disable SSL 2.0 & PCT 1.0 & disable weak ciphers
7.) Disable SMBv1
As SMBv1 is quite old and has some vulnerabilities you should disable that (as explained here) via the following:
Set-SmbServerConfiguration -EnableSMB1Protocol $false
Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0 -Force
This would still leave SMBv2 and SMBv3 active which can be used.
8.) Upgrade Diffie-Hellman Prime to 2048 bit as explained here.
9.) Enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP (see here)
If you run a VMWare environment, check this article here on hardening the BIOS.
If you wish to share your ideas feel free to leave a comment!