Windows Server Security Hardening Guide

This guide provides detailed instructions on how to harden a Windows Server installation, focusing on security best practices, tools, and configuration steps to protect your server environment.

Security Assessment Tools

Port Scanning and Vulnerability Assessment

  • Nmap: Network mapper for port scanning and service enumeration
  • Microsoft Baseline Security Analyzer (MBSA): Identifies common security misconfigurations
  • Windows Defender for Endpoint: Microsoft's enterprise security platform
  • Qualys: Comprehensive vulnerability management
  • Nessus: Industry-standard vulnerability scanner
  • OpenVAS: Open-source vulnerability scanner

Security Monitoring Tools

  • Windows Event Viewer: Built-in log management
  • Microsoft Sentinel: Cloud-native SIEM and SOAR solution
  • Sysmon: Enhanced system monitoring and logging
  • Splunk: Log collection and analysis platform
  • Wazuh: Open-source security monitoring solution
  • OSSEC: Host-based intrusion detection system

Server Hardening Steps

1. Update Management

  1. Configure Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager
  2. Implement regular patching schedule
  3. Enable automatic updates for critical security patches
  4. Run the following PowerShell commands to check for and install updates (Get-WindowsUpdate and Install-WindowsUpdate come from the PSWindowsUpdate module, not from Windows itself):

    ```powershell
    # Get-WindowsUpdate / Install-WindowsUpdate are provided by the PSWindowsUpdate module from the PowerShell Gallery
    Install-Module -Name PSWindowsUpdate -Scope AllUsers
    Import-Module PSWindowsUpdate

    # List pending updates, then install them all
    Get-WindowsUpdate
    Install-WindowsUpdate -AcceptAll
    ```

2. Minimize Attack Surface

Disable Unnecessary Services

  1. Open Server Manager > Tools > Services
  2. Identify and disable non-essential services
  3. Consider disabling services like:
    • Print Spooler (if not used)
    • Remote Registry
    • Secondary Logon
    • WebClient
    • Windows Remote Management (if not required)
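The script below is an added example, not part of the original guide: it reports the state of the services named above by their Windows service names (Spooler, RemoteRegistry, seclogon, WebClient, WinRM) and disables only the ones not on a keep list, with WinRM kept by default because disabling it breaks PowerShell Remoting. Review the report before running without -WhatIf.

```powershell
# Added example: audit, then disable, the services the guide lists as candidates.
# Service names are the Windows short names; the list itself comes from the guide.
$Candidates = @(
    @{ Name = 'Spooler';        Reason = 'Print Spooler, only needed if the server prints' }
    @{ Name = 'RemoteRegistry'; Reason = 'Remote Registry' }
    @{ Name = 'seclogon';       Reason = 'Secondary Logon' }
    @{ Name = 'WebClient';      Reason = 'WebDAV client' }
    @{ Name = 'WinRM';          Reason = 'Windows Remote Management; required for PowerShell Remoting' }
)

function Get-UnneededServiceReport {
    param([string[]]$Keep = @('WinRM'))
    foreach ($c in $Candidates) {
        $svc = Get-Service -Name $c.Name -ErrorAction SilentlyContinue
        if (-not $svc) { continue }   # service not present on this server
        $action = if ($Keep -contains $svc.Name)        { 'Keep' }
                  elseif ($svc.StartType -eq 'Disabled') { 'AlreadyDisabled' }
                  else                                   { 'Disable' }
        [pscustomobject]@{
            Name      = $svc.Name
            Status    = $svc.Status
            StartType = $svc.StartType
            Action    = $action
            Reason    = $c.Reason
        }
    }
}

function Disable-UnneededService {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Keep = @('WinRM'))
    Get-UnneededServiceReport -Keep $Keep | Where-Object Action -eq 'Disable' | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Name, 'Stop service and set StartType to Disabled')) {
            Stop-Service -Name $_.Name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $_.Name -StartupType Disabled
        }
    }
}

# Review first; -WhatIf prints the planned changes without applying them
Get-UnneededServiceReport | Format-Table -AutoSize
Disable-UnneededService -WhatIf
```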

Remove Unnecessary Roles and Features

  1. Open Server Manager > Manage > Remove Roles and Features
  2. Remove any roles not specifically required for server function

Disable SMBv1

```powershell
# Remove the SMBv1 client and server components; a restart completes the removal
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
```

3. Firewall Management

Configure Windows Defender Firewall

  1. Open Windows Defender Firewall with Advanced Security
  2. Set default action for inbound connections to "Block"
  3. Create specific inbound rules for required services
  4. Implement firewall logging for denied connections:
    • Right-click on each profile (Domain, Private, Public)
    • Select Properties > Logging > Customize
    • Enable logging for dropped packets and successful connections

Create Strict Firewall Rules

```powershell
# Block all inbound connections except those specifically allowed
Set-NetFirewallProfile -Profile Domain,Public,Private -DefaultInboundAction Block -DefaultOutboundAction Allow

# Allow RDP only from specific IP addresses (replace with your management IP range)
New-NetFirewallRule -DisplayName "Allow RDP from Admin IPs" -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress 10.0.0.0/24 -Action Allow
```
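As an added example (not from the original guide), the following turns on the dropped/allowed-packet logging described in the GUI steps above from PowerShell, then checks every profile against the settings this section prescribes and lists inbound allow rules that are not scoped to a remote address. The log path is the Windows default and is an assumption of the example.

```powershell
# Added example: firewall logging via PowerShell plus a compliance check for the three profiles.
$LogDir = 'C:\Windows\System32\LogFiles\Firewall'   # default location; assumption for this example

Set-NetFirewallProfile -Profile Domain,Private,Public `
    -LogBlocked True -LogAllowed True -LogMaxSizeKilobytes 32767 `
    -LogFileName "$LogDir\pfirewall.log"

function Test-FirewallProfileHardening {
    # One row per profile; Compliant is $true only when every check passes
    foreach ($p in Get-NetFirewallProfile) {
        $checks = [ordered]@{
            Enabled        = ($p.Enabled -eq 'True')
            InboundBlocked = ($p.DefaultInboundAction -eq 'Block')
            LogsDropped    = ($p.LogBlocked -eq 'True')
            LogsAllowed    = ($p.LogAllowed -eq 'True')
        }
        [pscustomobject]@{
            Profile   = $p.Name
            Compliant = -not (@($checks.Values) -contains $false)
            Failed    = ($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object Key) -join ','
        }
    }
}

Test-FirewallProfileHardening | Format-Table -AutoSize

# Inbound allow rules open to any remote address are the ones to review against the
# "specific inbound rules" step; the RDP rule above is scoped and will not appear here
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
    Select-Object DisplayName, Profile
```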

Implement Network Segmentation

  1. Create separate network segments for different server roles
  2. Use VLANs to isolate traffic
  3. Configure Windows Advanced Firewall to restrict traffic between segments

4. User Account and Authentication Security

Implement Strong Password Policies

  1. Open Group Policy Management Console
  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
  3. Configure:
    • Minimum password length: 14 characters
    • Password complexity requirements: Enabled
    • Maximum password age: 90 days
    • Password history: 24 passwords remembered
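The following added example (not part of the original guide) exports the account policy in force on the machine with secedit and compares it with the four values listed above. It assumes an elevated session; on a domain member the exported values are the ones currently applied to that machine, which is how you confirm the GPO actually landed.

```powershell
# Added example: compare the effective account policy with the guide's required values.
$Required = @{
    MinimumPasswordLength = 14   # characters
    PasswordComplexity    = 1    # 1 = complexity requirements enabled
    MaximumPasswordAge    = 90   # days
    PasswordHistorySize   = 24   # passwords remembered
}

function Get-LocalSecurityPolicy {
    # Returns the [System Access] section of a secedit export as a hashtable of integers
    $tmp = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $tmp /areas SECURITYPOLICY | Out-Null
    $ini = @{}
    $section = ''
    foreach ($line in Get-Content -Path $tmp) {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and $line -match '^(\w+)\s*=\s*(-?\d+)') {
            $ini[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item $tmp -ErrorAction SilentlyContinue
    $ini
}

function Test-PasswordPolicy {
    $actual = Get-LocalSecurityPolicy
    foreach ($k in $Required.Keys) {
        $have = $actual[$k]
        # MaximumPasswordAge is the one setting where larger is weaker, and -1 means "never expires"
        $ok = switch ($k) {
            'MaximumPasswordAge' { ($have -ge 1) -and ($have -le $Required[$k]) }
            default              { $have -ge $Required[$k] }
        }
        [pscustomobject]@{ Setting = $k; Required = $Required[$k]; Actual = $have; Compliant = $ok }
    }
}

Test-PasswordPolicy | Format-Table -AutoSize
```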

Enable Multi-Factor Authentication

  1. Implement Windows Hello for Business, or
  2. Deploy Azure Multi-Factor Authentication for on-premises systems with:
    • Azure AD Connect
    • MFA Server

Limit Administrative Access

  1. Create dedicated administrative accounts
  2. Implement Just-In-Time (JIT) administration using Privileged Access Management
  3. Use the principle of least privilege for all accounts

5. Remote Access Security

Secure Remote Desktop Protocol (RDP)

  1. Enable Network Level Authentication (NLA):
    • System Properties > Remote tab > Check "Allow connections only from computers running Remote Desktop with Network Level Authentication"
  2. Restrict RDP access through firewall rules
  3. Change the default RDP port (3389) to a custom port by modifying the "PortNumber" value under:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    Update the RDP firewall rule from step 2 to the new port before restarting Remote Desktop Services, or you will lock yourself out.

Implement Remote Access Solutions

  1. Deploy a VPN solution like:
    • Windows Server Always On VPN
    • DirectAccess
  2. Configure a Remote Desktop Gateway (RD Gateway)
  3. Implement an SSL VPN solution

Secure PowerShell Remoting

```powershell
# Enable PowerShell remoting with HTTPS
# Set-WSManQuickConfig -UseSSL looks for a certificate in LocalMachine\My whose subject matches the host name;
# a self-signed certificate must be trusted by the clients, so prefer one issued by your internal CA in production
$cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME -CertStoreLocation Cert:\LocalMachine\My
Enable-PSRemoting -Force
Set-WSManQuickConfig -UseSSL -Force
```

6. DDoS Attack Protection

Windows Server-Level Protection

  1. Enable TCP/IP hardening:

    ```powershell
    # SYN flood protection parameters under the Tcpip service; all values are DWORDs.
    # These parameters date from older Windows releases, so verify they are honoured on your server version.
    $tcp = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    # 2 = SYN attack protection with reduced retransmissions while under attack
    Set-ItemProperty -Path $tcp -Name "SynAttackProtect" -Value 2 -Type DWord
    Set-ItemProperty -Path $tcp -Name "TcpMaxPortsExhausted" -Value 5 -Type DWord
    Set-ItemProperty -Path $tcp -Name "TcpMaxConnectResponseRetransmissions" -Value 2 -Type DWord
    ```
  2. Configure connection limits in IIS (if web server role is installed):

    • Open IIS Manager
    • Select server > Connection Limits
    • Set maximum concurrent connections

Network-Level DDoS Protection

  1. Work with your network team to implement:
    • Rate limiting at network edge
    • Traffic filtering using dedicated hardware or cloud services
  2. Consider Azure DDoS Protection for cloud-connected resources
  3. Configure advanced TCP/IP settings to mitigate SYN floods

7. Malware Protection

Configure Windows Defender Antivirus

  1. Ensure real-time protection is enabled:

    ```powershell
    Set-MpPreference -DisableRealtimeMonitoring $false
    ```
  2. Configure regular scans:

    ```powershell
    Set-MpPreference -ScanScheduleDay Everyday
    ```
  3. Enable cloud-based protection:

    ```powershell
    Set-MpPreference -MAPSReporting Advanced
    # Sends every flagged sample to Microsoft; SendSafeSamples is the alternative if submitting documents is a data-handling concern
    Set-MpPreference -SubmitSamplesConsent SendAllSamples
    ```

Enable Application Control

  1. Configure Windows Defender Application Control or AppLocker
  2. Create policies that only allow trusted applications to run
  3. Implement code integrity policies:

    ```powershell
    # Create a new Code Integrity policy from the software installed on this reference machine.
    # FilePublisher trusts signed files by publisher and file name; unsigned files fall back to a hash rule.
    # -UserPEs also covers user-mode binaries, not only drivers; the output path is a placeholder.
    New-CIPolicy -Level FilePublisher -Fallback Hash -FilePath "C:\temp\CIPolicy.xml" -UserPEs
    ```

8. Security Monitoring and Logging

Configure Windows Event Logging

  1. Enable enhanced logging through Group Policy:
    • Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration
  2. Configure the following audit policies:
    • Account Logon Events: Success and Failure
    • Account Management: Success and Failure
    • Logon Events: Success and Failure
    • Object Access: Failure
    • Policy Change: Success
    • Privilege Use: Success and Failure
    • System Events: Success and Failure
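An added example, not from the original guide: it applies the audit settings listed above with auditpol, using auditpol's own category names ("Logon Events" is "Logon/Logoff", "System Events" is "System"), and then reads the settings back per subcategory to confirm them. It assumes an English-locale server, since the "Inclusion Setting" strings it compares are localized, and note that an Advanced Audit Policy GPO will override local auditpol settings at the next refresh.

```powershell
# Added example: configure and verify the category-level audit policy from the guide.
$AuditPolicy = @(
    @{ Category = 'Account Logon';      Success = $true;  Failure = $true  }
    @{ Category = 'Account Management'; Success = $true;  Failure = $true  }
    @{ Category = 'Logon/Logoff';       Success = $true;  Failure = $true  }
    @{ Category = 'Object Access';      Success = $false; Failure = $true  }
    @{ Category = 'Policy Change';      Success = $true;  Failure = $false }
    @{ Category = 'Privilege Use';      Success = $true;  Failure = $true  }
    @{ Category = 'System';             Success = $true;  Failure = $true  }
)

function Get-ExpectedInclusion($a) {
    # The string auditpol reports for a given Success/Failure combination (English locale assumed)
    if ($a.Success -and $a.Failure) { 'Success and Failure' }
    elseif ($a.Success)             { 'Success' }
    elseif ($a.Failure)             { 'Failure' }
    else                            { 'No Auditing' }
}

function Set-GuideAuditPolicy {
    foreach ($a in $AuditPolicy) {
        $s = if ($a.Success) { 'enable' } else { 'disable' }
        $f = if ($a.Failure) { 'enable' } else { 'disable' }
        # Setting both flags explicitly gives the same result regardless of the previous state
        auditpol /set /category:"$($a.Category)" /success:$s /failure:$f | Out-Null
    }
}

function Test-GuideAuditPolicy {
    foreach ($a in $AuditPolicy) {
        $expected = Get-ExpectedInclusion $a
        # /r emits CSV with one row per subcategory of the requested category
        $rows = auditpol /get /category:"$($a.Category)" /r | Where-Object { $_ } | ConvertFrom-Csv
        $bad  = $rows | Where-Object { $_.'Inclusion Setting' -ne $expected } | ForEach-Object Subcategory
        [pscustomobject]@{
            Category  = $a.Category
            Expected  = $expected
            Compliant = -not $bad
            Deviating = ($bad -join '; ')
        }
    }
}

Set-GuideAuditPolicy
Test-GuideAuditPolicy | Format-Table -AutoSize
```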

Deploy Security Information and Event Management (SIEM)

  1. Configure log forwarding to a central SIEM solution

  2. Set up Windows Event Forwarding:

    ```powershell
    # Configure this machine as the event collector (starts the Windows Event Collector service)
    wecutil qc /q

    # Create a subscription on the collector from a subscription definition file you have prepared
    wecutil cs "C:\temp\subscription.xml"
    ```

Implement File Integrity Monitoring

  1. Enable auditing for critical system files
  2. Use tools like Windows File Integrity Monitor or Wazuh

9. Regular Security Assessments

Implement Vulnerability Scanning

  1. Schedule regular scans using tools like Nessus, Qualys, or OpenVAS
  2. Run Microsoft Baseline Security Analyzer monthly
  3. Scan for open ports using Nmap (the SYN scan -sS requires administrator or root privileges on the scanning host):

    ```bash
    nmap -sS -sV -T4 <server-ip>
    ```

Conduct Security Compliance Scanning

  1. Use Microsoft Security Compliance Toolkit to assess servers against security baselines
  2. Run the following PowerShell command to record the OS name, version and build, which determine the security baseline the server should be assessed against:

    ```powershell
    Get-ComputerInfo | Select-Object OsName, OsVersion, OsBuildNumber, OsHardwareAbstractionLayer
    ```

10. Documentation and Incident Response

Document Security Configuration

  1. Maintain detailed documentation of:
    • Network configuration
    • Firewall rules
    • User accounts and permissions
    • Installed software and services

Create an Incident Response Plan

  1. Define roles and responsibilities
  2. Document incident response procedures
  3. Establish communication channels for security incidents
  4. Test the plan through tabletop exercises

Ongoing Security Management

Maintaining a secure Windows Server environment requires regular attention:

  1. Schedule monthly security reviews
  2. Keep up with Microsoft security bulletins
  3. Regularly test backup and recovery procedures
  4. Review and rotate credentials
  5. Update security documentation when changes occur
  6. Test the network with penetration testing tools periodically

Implementing these hardening measures will significantly improve your Windows Server security posture and help protect against common attack vectors.