
Hardening a Windows Server


1. Least Privilege

Review Current Permissions

Audit the current user accounts, groups, and their permissions on each server.

Get-LocalUser

Adjust Permissions

Adjust the permissions so that users and services have only the necessary rights to perform their duties. In Windows, you can manage user permissions through the Local Users and Groups Manager or PowerShell.

Remove or Disable Unnecessary Accounts

Identify accounts that are no longer in use or unnecessary.

Remove User

Remove-LocalUser -Name "ExampleUser"

Disable User

Disable-LocalUser -Name "ExampleUser"
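The three commands above can be combined into one audit-then-act pass. The following script is an added example, not part of the original page: it lists every local account with its group memberships, shows who currently holds local Administrators rights, and disables (rather than deletes) enabled accounts that have not logged on within a configurable window. The stale-account threshold and the keep-list are assumed values.

```powershell
# Added example (not from the original page): audit local accounts and
# local Administrators membership, flag stale accounts, then disable them.
# $StaleDays and $KeepAccounts are assumed values; adjust for your environment.
$StaleDays    = 90
$KeepAccounts = @('Administrator')   # built-in accounts that must not be touched here

# 1. Every local account with state, last logon and the groups it belongs to.
#    Get-LocalGroupMember reports names as COMPUTERNAME\user, hence the prefix.
$users = Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet,
    @{Name = 'Groups'; Expression = {
        $n = $_.Name
        (Get-LocalGroup | Where-Object {
            (Get-LocalGroupMember -Group $_.Name -ErrorAction SilentlyContinue).Name -contains "$env:COMPUTERNAME\$n"
        }).Name -join ','
    }}
$users | Format-Table -AutoSize

# 2. Who holds local admin rights? This is the list to minimise.
Write-Host "`nLocal Administrators:"
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource

# 3. Stale accounts: enabled, not on the keep-list, and no logon within $StaleDays
#    (an account that has never logged on has a null LastLogon and is included).
$cutoff = (Get-Date).AddDays(-$StaleDays)
$stale = Get-LocalUser | Where-Object {
    $_.Enabled -and ($_.Name -notin $KeepAccounts) -and
    ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff)
}

# 4. Disable first, delete later: removal discards the SID, so file ACLs that
#    reference the account become unresolvable orphans.
foreach ($u in $stale) {
    Disable-LocalUser -Name $u.Name -WhatIf   # drop -WhatIf once the list is reviewed
}
```

Run it in an elevated PowerShell session; the `-WhatIf` on the final step prints what would be disabled without changing anything, which is the safe way to review the list on a server you did not build yourself.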

2. Secure Remote Access

  1. Open Group Policy Editor:
    • Press Win + R, type gpedit.msc, and press Enter.
  2. Navigate to Remote Desktop Settings:
    • Go to Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security.
  3. Set Encryption Level:
    • Find and double-click on “Set client connection encryption level”.
    • Set it to “Enabled” and select “High Level” from the dropdown.
  4. Enable Network Level Authentication:
    • Find and double-click on “Require user authentication for remote connections by using Network Level Authentication” and set it to “Enabled”.

RDP in Windows Firewall

  1. Create a New Inbound Rule:
    • Open “Windows Firewall with Advanced Security”.
    • Go to Inbound Rules -> New Rule.
    • Select “Program” and specify the path to the Remote Desktop executable, or select “Predefined” and choose “Remote Desktop”.
    • Set the rule to “Allow the connection”.
    • Apply the rule to the desired profile (Domain, Private, Public).
    • Under “Scope”, add the IP addresses that are allowed to connect.
    • Finish the wizard.
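The same settings can be enforced and, more importantly, verified from PowerShell, which scales better than clicking through gpedit.msc on every host. This is an added example and not part of the original page. It writes the two registry values that the Group Policy settings above set, restricts the built-in "Remote Desktop" firewall rule group to a list of allowed sources (the Scope step of the wizard), and reports what is actually in effect. The allowed subnet is an assumed value.

```powershell
# Added example (not part of the original page): verify and enforce the RDP
# settings described above. The registry path is the policy key that the
# two GPO settings write to. $AllowedRdpSources is an assumed management
# subnet; replace it with your own.
$AllowedRdpSources = @('10.0.0.0/24')

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }

# "Set client connection encryption level": 1=Low, 2=Client Compatible, 3=High, 4=FIPS
Set-ItemProperty -Path $policy -Name MinEncryptionLevel -Type DWord -Value 3
# "Require user authentication ... Network Level Authentication": 1 = required
Set-ItemProperty -Path $policy -Name UserAuthentication  -Type DWord -Value 1

# Scope the built-in Remote Desktop rule group to the allowed sources instead
# of "Any", and keep it off the Public profile.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $AllowedRdpSources -Profile Domain, Private

# Verification: report the effective state rather than trusting the change ran.
function Test-RdpHardening {
    $p = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    $open = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
        Get-NetFirewallAddressFilter |
        Where-Object { $_.RemoteAddress -contains 'Any' }
    [pscustomobject]@{
        EncryptionHigh = ($p.MinEncryptionLevel -ge 3)
        NlaRequired    = ($p.UserAuthentication -eq 1)
        RdpOpenToAny   = [bool]$open      # should be False after scoping
    }
}
Test-RdpHardening
```

`Test-RdpHardening` is the part worth keeping in a scheduled job: a later policy refresh or a well-meaning "Allow the connection" rule added with no scope silently reopens RDP to every address, and the `RdpOpenToAny` field catches that.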

3. Firewall Configuration

Identify Essential Services

  1. View Services: Open the Services application (you can search for it in the Start menu). Note the services you want to allow through the firewall.
  2. Find Port Information: Research or refer to the documentation for each service to determine which ports they use.

Configure Firewall Rules

  1. Open Windows Firewall with Advanced Security: Search for it in the Start menu and open it.
  2. Create a New Rule:
    • In the left pane, click on Inbound Rules.
    • On the right pane, click New Rule....
  3. Rule Type:
    • Select the type of rule (e.g., Port, Program) based on what you need. For service-specific ports, select Port.
  4. Specify Ports:
    • If you selected Port, specify the ports for your services. For example, for SSH, enter 22 in the specific local ports field if you're using SSH on Windows.
  5. Action:
    • Choose Allow the connection.
  6. Profile:
    • Apply the rule to the appropriate profiles (Domain, Private, Public) depending on where your service needs to be accessible.
  7. Name Your Rule:
    • Give your rule a meaningful name (e.g., “SSH Access”) and an optional description.
  8. Finish and Repeat:
    • Click Finish to create the rule. Repeat steps 2-7 for each service/port you need to allow.
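Steps 1 and 2 (which services, which ports) are easier to get right by asking the host what is actually listening than by reading documentation, and steps 2 to 8 are a single cmdlet call per service. The script below is an added example, not code from the original page: it maps listening TCP ports to their owning process and service, creates one inbound rule per entry in an allow-list, and then lists every enabled inbound allow rule that is not on that list. The allow-list entries are assumed values; the port numbers are the standard ones for those services.

```powershell
# Added example (not from the original page). $Allowed is an assumed
# allow-list; adjust names, ports and profiles for your server.

# --- Which ports are listening, and which process/service owns them? ---
function Get-ListeningServices {
    # Map PID -> service name. Several services can share one svchost PID;
    # in that case the last one wins, so treat the Service column as a hint.
    $svcByPid = @{}
    Get-CimInstance Win32_Service | Where-Object ProcessId -gt 0 |
        ForEach-Object { $svcByPid[[int]$_.ProcessId] = $_.Name }

    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |   # loopback-only is not reachable anyway
        ForEach-Object {
            [pscustomobject]@{
                Port    = $_.LocalPort
                Address = $_.LocalAddress
                Process = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
                Service = $svcByPid[[int]$_.OwningProcess]
            }
        } | Sort-Object Port -Unique
}
Get-ListeningServices | Format-Table -AutoSize

# --- Allow only the services you decided to keep, scoped to the right profiles ---
$Allowed = @(
    @{ Name = 'SSH Access';  Port = 22;  Profile = 'Domain,Private' }
    @{ Name = 'HTTPS (IIS)'; Port = 443; Profile = 'Domain,Private,Public' }
)
foreach ($r in $Allowed) {
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }  # idempotent
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
        -LocalPort $r.Port -Action Allow -Profile ($r.Profile -split ',') `
        -Description 'Allowed by hardening baseline'
}

# --- Audit: enabled inbound allow rules that are NOT on the allow-list ---
$allowedNames = $Allowed | ForEach-Object { $_.Name }
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -notin $allowedNames } |
    Select-Object DisplayName, Profile, DisplayGroup
```

The audit output is long on a fresh install because Windows ships many enabled inbound rules (discovery, delivery optimisation, and so on); the point is to read through it once, disable what the server's role does not need, and keep the remainder as the baseline you compare against later.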

4. Disable Unnecessary Services

Stop-Service -Name <serviceName>
Set-Service -Name <serviceName> -StartupType Disabled

PowerShell has no Disable-Service cmdlet: stop the service first, then set its startup type to Disabled so it does not come back after a reboot.

5. Audit and Monitoring

  • Enable Logging: Ensure logging is enabled for critical services. This can often be configured within the service's configuration file or through the operating system's logging facilities.
  • Review Logs: Regularly check the logs for any signs of suspicious activity. Tools like logwatch on Linux and Event Viewer on Windows can help. Set up Fail2Ban.
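On Windows the log to review for password guessing is the Security log, and the Fail2Ban-style response is a host firewall block. The script below is an added example, not part of the original page: it enables failure auditing for logon events, parses Event ID 4625 (failed logon) records into source address, target user and failure sub-status, groups them per source, and stages a block rule for any source over a threshold. The threshold and time window are assumed values.

```powershell
# Added example (not from the original page): Windows counterpart of
# Fail2Ban built on the Security log. $Threshold and $Window are assumed.
$Threshold = 10          # failed logons from one source...
$Window    = 15          # ...within this many minutes

# Failure auditing for the Logon subcategory produces Event ID 4625 records.
auditpol /set /subcategory:"Logon" /failure:enable | Out-Null

function Get-FailedLogonSources {
    param([int]$Minutes = $Window)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue    # no matching events is not an error
    foreach ($e in $events) {
        # EventData is a list of <Data Name="...">value</Data> nodes.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            User   = $d['TargetUserName']
            Source = $d['IpAddress']
            Status = $d['SubStatus']    # 0xC000006A = bad password, 0xC0000064 = unknown user
        }
    }
}

# Group by source, ignoring local/unknown sources which are reported as '-'.
$bySource = Get-FailedLogonSources |
    Where-Object { $_.Source -notin '-', '' } |
    Group-Object Source |
    Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending

foreach ($g in $bySource) {
    Write-Warning ("{0} failed logons from {1} in the last {2} min" -f $g.Count, $g.Name, $Window)
    # Host-firewall block for that source. -WhatIf previews the rule; remove it
    # once you trust the threshold, and pair it with an expiry/cleanup job.
    New-NetFirewallRule -DisplayName "Block brute-force $($g.Name)" -Direction Inbound `
        -RemoteAddress $g.Name -Action Block -WhatIf
}
```

Two caveats from practice: 4625 records for NLA-protected RDP carry the real client address, but logons relayed through a proxy or load balancer all show the intermediary's address, so check the `Source` column before trusting a block; and a lockout-style response is itself a denial-of-service lever, which is why the block rule is staged with `-WhatIf` and should always be scoped and time-limited.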

6. File System Permissions

  • Review and Apply Permissions: Use PowerShell cmdlets like Set-Acl.
  • Use ACLs: For more granular control, utilize Access Control Lists (ACLs) with the Security tab on Windows.
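Set-Acl is most useful for the recurring case of an application data folder that inherits broad read access from its parent. The script below is an added example, not part of the original page: it breaks inheritance on a folder, discards the inherited entries, grants Administrators and SYSTEM full control, gives the service account only Read and Write (not Modify, so it cannot change permissions or delete the tree), and prints the resulting explicit entries for review. The folder path and the service account name are assumed values.

```powershell
# Added example (not from the original page): lock down an application data
# folder. $Path and $ServiceAccount are assumed; NT SERVICE\MyAppSvc is a
# virtual service account that only exists if a service named MyAppSvc does.
$Path           = 'C:\App\Data'
$ServiceAccount = 'NT SERVICE\MyAppSvc'

$acl = Get-Acl -Path $Path

# Stop inheriting from the parent (typically BUILTIN\Users read access from C:\)
# and discard the inherited entries instead of copying them as explicit ones.
$acl.SetAccessRuleProtection($true, $false)

# Clear any explicit entries already present so the result is exactly what we add.
foreach ($ace in @($acl.Access)) { $acl.RemoveAccessRule($ace) | Out-Null }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

function New-Ace([string]$Identity, [string]$Rights) {
    # FileSystemRights accepts a comma-separated enum string, e.g. 'Read,Write'
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit, $prop, $allow)
}
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl'))
$acl.AddAccessRule((New-Ace $ServiceAccount          'Read,Write'))   # deliberately not Modify/FullControl

Set-Acl -Path $Path -AclObject $acl

# Verify: the explicit ACEs now in force. Anything for Everyone, Users or
# Authenticated Users here means the lock-down did not take.
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited, AccessControlType |
    Format-Table -AutoSize
```

Test this on a copy of the folder first: breaking inheritance and clearing entries is exactly the operation that locks an application out of its own data when the account it actually runs under is not the one you assumed (check `Get-CimInstance Win32_Service | Select-Object Name, StartName` before choosing `$ServiceAccount`).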

7. Secure Network Services

  • IIS: Enable TLS by obtaining a certificate and configuring it in the IIS Manager. Ensure your server is using the latest TLS version and regularly update your certificates.
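For IIS specifically, "enable TLS" is three separate tasks: bind a certificate to the site over HTTPS, turn off the legacy protocol versions that SCHANNEL still offers by default on older builds, and know before a certificate expires. The script below is an added example and not part of the original page; it uses the WebAdministration module that ships with IIS. The site name and the certificate thumbprint are placeholders to replace with your own.

```powershell
# Added example (not from the original page): HTTPS binding, legacy-protocol
# clean-up and expiry check for IIS. $SiteName and $Thumbprint are placeholders.
Import-Module WebAdministration
$SiteName   = 'Default Web Site'
$Thumbprint = '<THUMBPRINT-OF-YOUR-CERT>'   # from Get-ChildItem Cert:\LocalMachine\My

# 1. HTTPS binding on 443 using the certificate from the machine 'My' store.
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443
}
(Get-WebBinding -Name $SiteName -Protocol https).AddSslCertificate($Thumbprint, 'my')

# 2. Disable SSL 3.0, TLS 1.0 and TLS 1.1 server-side; keep TLS 1.2 on.
#    SCHANNEL reads these keys at boot, so the change needs a reboot to apply.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    $k = Join-Path $base "$proto\Server"
    New-Item -Path $k -Force | Out-Null
    Set-ItemProperty -Path $k -Name Enabled           -Type DWord -Value 0
    Set-ItemProperty -Path $k -Name DisabledByDefault -Type DWord -Value 1
}
$k = Join-Path $base 'TLS 1.2\Server'
New-Item -Path $k -Force | Out-Null
Set-ItemProperty -Path $k -Name Enabled           -Type DWord -Value 1
Set-ItemProperty -Path $k -Name DisabledByDefault -Type DWord -Value 0

# 3. Certificates in the machine store that expire within $Days (assumed window).
function Get-ExpiringCerts([int]$Days = 30) {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.NotAfter -lt (Get-Date).AddDays($Days) } |
        Select-Object Subject, Thumbprint, NotAfter
}
Get-ExpiringCerts
```

Before disabling TLS 1.0/1.1 server-wide, remember that SCHANNEL settings apply to every service on the host, not only IIS; any client or integration that can only negotiate the older versions will stop connecting, so capture which protocol versions real clients use first (the Schannel event log or IIS logs with the `crypt-protocol` field can show this).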