Windows Hardening: Detailed Checklist for Windows Server and Windows 10
What is Windows Hardening?
System hardening is the practice of minimizing the attack surface of a computer system or server. The goal is to reduce the amount of security weaknesses and vulnerabilities that threat actors can exploit.
System hardening is generally categorized into five areas—server hardening, operating system (OS) hardening, software application hardening, network hardening, and database hardening. Each category involves hardening different areas of the environment.
OS hardening usually involves patching and securing the operating system of a server. Operating system vendors, like Microsoft, usually release updates, service packs, and patches, which users can manually or automatically install.
There are several operating system hardening techniques you can use when implementing Windows hardening. For example, you can encrypt the SSD and HDD that stores and hosts the OS, removing any unnecessary drivers. You should also limit system access permissions and authentication processes, and restrict privileges.
What are Windows Security Baselines?
Windows and Windows Server are designed with security in mind. Microsoft secures certain aspects and also provides organizations with controls that enable granular security configuration. To help organizations properly leverage security controls, Microsoft provides Security Baselines that offer guidance.
Each Windows Security Baseline is a group of configuration settings based on feedback from Microsoft’s security engineers, as well as product groups, customers, and partners. These Security Baselines are available in a consumable format, including as Group Policy Object Backups.
Windows Security Baselines can help organizations ensure that device and user settings that have already been set up are in compliance with Windows baselines. It can also help set up configuration settings for new operating system installations, for example when using Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy
Security Baselines are available from the Microsoft Download Center.
Windows Server Hardening Checklist
Use the following checklist to harden a Windows Server installation.
Windows User Configuration
Follow these guidelines to reduce risks from privileged user accounts on Windows Server:
- Disable the local administrator—it is usually not required, and is a popular target for attackers.
- Set up a custom admin account—it can be a domain Active Directory (AD) account or a local account in the administrators group
- Prefer to run as a regular user account—to reduce the chance of account compromise, connect to the server using a regular user account, and when you need to perform operations that require administrative privileges, request elevation using “Run As” (the Windows equivalent of sudo).
Windows Network Configuration
Take the following precautions to protect a Windows Server machine from network attacks:
- Place the machine behind the firewall—production Windows Server instances should always run in a protected network segment.
- Redundant DNS—configure two or more DNS servers and verify name resolution using nslookup.
- Verify DNS records—ensure the server has an A record and PTR record for reverse DNS lookups.
- Disable network services—any service the server is not actually using, like IPv6, should be disabled to reduce the attack surface.
Windows Service Configuration
Follow these guidelines to minimize the risk from services running on Windows Server:
- Disable unused services—many services that run by default on Windows Server may not be required in your specific use case, and should be disabled. Disable any service that is not required for basic functionality. Pay special attention to Windows Server 2008 and 2003, which had a larger number of redundant services.
- Limit security context—each service runs as a specific user account. By default these are Network Service, Local System, or Local Service accounts. For sensitive application and user services, set up accounts for each service and limit privileges to the minimum required for each service. This limits the ability for privilege escalation and lateral movement.
Network Time Protocol (NTP) Configuration
Windows login and other functions that leverage kerberos security rely on accurate NTP times. Even a small time difference can break functionality. To avoid service disruption, make sure that:
- Servers within domains automatically sync time with the domain controller
- Standalone servers sync with an external time source
- Domain controllers sync with a time server on an ongoing basis
Centralized Event Logs
Windows Server systems generate multiple logs, which can be configured to be more or less verbose. Logs are an important way to gain visibility over server operations for maintenance and security purposes. To provide convenient access to logs for an organization’s Windows Server instances, use a central syslog server, and ensure you have the following capabilities:
- Ability to assign categories to specific logs or entries
- Enable full text search and querying of log data
- Integrate logging with remediation tools to enable automated response to errors
Windows 10 Hardening Checklist
Use the following checklist to harden Windows 10.
Leverage Built-In Windows 10 Security Tools
Enterprise editions of Windows 10 come with several built-in security tools, including:
- Windows Defender Advanced Threat Protection – an advanced security system that includes state of the art antimalware protection, as well as exploit protection, automated attack surface reduction, application control, and hardware-based isolation.
- Microsoft SmartScreen – scans downloads and blocks execution of malicious payloads.
- Windows Sandbox – lets users install untrusted applications in a secure, isolated environment.
In addition to these built-in Microsoft tools, assess your threat environment and deploy additional antivirus or endpoint protection tools on all protected Windows 10 machines.
It is strongly preferred to configure Windows to only allow the installation of approved applications from controlled software repositories or application marketplaces. You can do this by setting the “Allow apps from the Store only” option under Apps & Features, or using Windows Defender code Integrity policies.
This can prevent attackers from emailing malware to users, convincing them to download and install malware, or deploying malware via drive-by downloads or deceptive links on malicious websites. Note that even if you require administrative access on the local machine to install software, attackers can bypass this with social engineering.
Many attack vectors rely on execution of malicious code, even if it is not installed on the user’s device. Whitelisting and blacklisting of executables in Windows 10 can be effective at preventing these attacks. Many security best practices advise creating a new whitelist of files that are allowed to execute on end-user machines, without relying on lists from application vendors or existing files on the machine.
However, in real enterprise environments, it can be difficult to create such a whitelist and maintain it across a large number of machines. Whitelists will also tend to be overly restrictive, hurting user productivity.
Disable Remote Access
Windows 10 comes with Microsoft Remote Desktop that provides remote access to a user’s machine. This feature is often used by attackers to gain remote control of user devices, install malware, and steal information. Remote Desktop is disabled by default, but in case users enable it, it is important to make sure it is disabled except when needed for approved, legitimate use.
PowerShell is a scripting language that is extremely powerful in the hands of an attacker. Follow these guidelines to secure systems against PowerShell exploits:
- Remove PowerShell version 2.0 or earlier, which had security vulnerabilities
- Set PowerShell to Constrained Language Mode
- Enable PowerShell logging to provide an audit trail
- Setting an execution policy – a safety feature that specifies under which conditions PowerShell will load configuration files and run scripts
Deploy Microsoft security updates on all user devices immediately. Automate and enforce deployment of regular Windows updates—if possible, without the user’s involvement.
Support for Windows 7 ended in January 2020, and so any end-user device running Windows 7 or earlier is at immediate risk of cyberattacks. If users are running an older version of Windows that is no longer supported, upgrade it to a supported version urgently, and in cases where upgrades are not possible, isolate the outdated systems from the network.
Learn more in our detailed guide to Windows 10 hardening
Windows Hardening with Hysolate
Hysolate provides a fully managed isolated Workspace for Windows 10, for added security for employees and contractors dealing with risky or sensitive activities on their endpoint device.
With Hysolate you can split your users’ endpoint devices into a more secure corporate OS and a less secure OS for daily productivity tasks. This means that one OS can be reserved for corporate access, with strict networking and security policies, and the other can be a more open productivity zone, for accessing necessary but less trusted websites and applications.
Admins can harden the Workspace OS by choosing which applications can be used, and they can remotely deploy applications, as well as deploy patches and security updates from the cloud. Policies can be set for transferring between Workspace and the host OS, including copy/paste, keylogging, screenshotting etc. Unlike traditional browser isolation solutions, Hysolate isolates your whole OS, including websites, files, documents, applications and even peripherals like USBs and printers.
For users, the Hysolate Workspace mimics their native Windows 10 experience, with minimal lag and latency issues. Hysolate takes minutes to be deployed from the cloud, and users can easily switch between the different operating systems with a press of a button.
Try Hysolate Free here, a free isolation solution for Windows 10..