Windows Server Hardening for a Stronger Security Posture

Windows Server Hardening Updates

Best practices for mitigating various attack vectors are changing depending on the environment and server functionality. CIS baselines cover most of the relevant scenarios by addressing the first stage of your Windows Server Hardening project.

Microsoft has been making efforts to improve the default security configuration of their products by providing monthly guidelines for hardening changes with a timeline.

Figure 1:  A visual timeline of the hardening changes taking place in 2024.

Despite these efforts, there remains a significant gap between the default Windows configuration and widely recognized security best practices, such as those outlined in CIS common benchmarks. Bridging this gap to achieve a basic hardening posture requires a dedicated allocation of time, resources, and careful planning by IT teams.

Windows Hardening 2024 Monthly Changes

Microsoft has provided details for all their upcoming hardening changes per month to help security teams.

April 2024 Phase 3

Secure Boot bypass protections KB5025885

Third Deployment phase. This phase will add additional boot manager mitigations. This phase will start no sooner than April 9, 2024.

October 2024 or later Phase 3

Secure Boot bypass protections KB5025885

Mandatory Enforcement phase. The revocations (Code Integrity Boot policy and Secure Boot disallow list) will be programmatically enforced after installing updates for Windows to all affected systems with no option to be disabled.

February 2025 or later Phase 3

Certificate-based authentication KB5014754

Full Enforcement mode. If a certificate cannot be strongly mapped, authentication will be denied.

Windows Server Hardening Project Stages

1. User Configuration

Modern Windows Server editions require you to reset the local Administrator account password to something secure. For enhanced security, disable the local Administrator account whenever possible, as it is a common target for attacks.

Create an admin account to use: either add an appropriate domain account if your server is part of Active Directory, or create a new local account and place it in the administrators group. Use a non-administrator account for daily tasks, utilizing “Run As” for administrative actions.

Ensure the local guest account is disabled, as it is particularly insecure. Verify security groups to ensure users are correctly assigned, such as adding domain accounts to the remote desktop users group.

2. Network Configuration

Production servers should have a static IP in a protected segment behind a firewall to prevent network-based attacks. Configure at least two DNS servers for redundancy and verify name resolution using nslookup. Ensure the server has a valid A record for its name and a PTR record for reverse lookups. Note that DNS changes may take several hours to propagate, so establish production addresses well before going live. Disable any unnecessary network services, like IPv6, but test changes thoroughly before implementation.

3. Using Configuration Manager for Windows Features and Roles

Microsoft uses roles and features to manage OS packages. Roles are collections of features for specific purposes. Choose a role that fits the server’s purpose, then customize the features.

Two key tasks:

• Ensure all necessary components (e.g., .NET framework, IIS) are installed for your applications to function properly.
• Uninstall unnecessary components to minimize the attack surface. Remove default applications that aren’t needed.

Design servers with only essential parts to ensure smooth and efficient operation.

4. NTP Configuration

A time difference of merely 5 minutes will completely break Windows logons and various other functions that rely on Kerberos security. Servers that are domain members will automatically have their time synched with a domain controller upon joining the domain, but stand alone servers need to have NTP set up to sync to an external source so the clock remains accurate. Domain controllers should also have their time synched to a time server, ensuring the entire domain remains within operational range of actual time.

5. Firewall Configuration

If you're building a web server, for example, you're only going to want web ports (80 and 443) open to that server from the internet. If anonymous internet clients can talk to the server on other ports, that opens a huge and unnecessary security risk. If the server has other functions such as remote desktop (RDP) for management, they should only be available over a VPN connection, ensuring that unauthorized people can't exploit the port at will from the net.

The Windows Defender firewall is a decent built-in software firewall that allows configuration of port-based traffic from within the OS. On a stand alone server, or any server without a hardware firewall in front of it, the Windows firewall will at least provide some protection against network based attacks by limiting the attack surface to the allowed ports. That said, a hardware firewall is always a better choice because it offloads the traffic to another device and offers more options on handling that traffic, leaving the server to perform its main duty. Whichever method you use, the key point is to restrict traffic to only necessary pathways.

6. Remove Access Configuration

As mentioned above, if you use RDP, be sure it is only accessible via VPN if at all possible. Leaving it open to the internet doesn't guarantee you'll get hacked, but it does offer potential hackers another inroad into your server.

Make sure RDP is only accessible by authorized users. By default, all administrators can use RDP once it is enabled on the server. Additional people can join the Remote Desktop Users group for access without becoming administrators.

In addition to RDP, various other remote access mechanisms such as Powershell and SSH should be carefully locked down if used and made accessible only within a VPN environment. Telnet should never be used at all, as it passes information in plain text and is woefully insecure in several ways. Same goes for FTP. Use SFTP or SSH (from a VPN) whenever possible and avoid any unencrypted communications altogether.

7. Service Configuration

Windows Server has default services that start automatically, but many are unnecessary and should be disabled to minimize the attack surface. This is especially true for older versions like 2008 or 2003.

Essential services should start automatically to ensure the server can recover without intervention. For complex applications, use Automatic (Delayed Start) to allow other services to initialize first. Set up service dependencies so services start in the correct order and can be managed together.

Each service runs under a specific user account. Default services often use Local System, Local Service, or Network Service accounts. For application and user services, create specific service accounts with minimal access to limit the impact of any potential compromise.

8. Logging and Monitoring

Ensure your logs and monitoring are properly configured to capture necessary data for effective incident response. Note that domain logons are logged by domain controllers, not local systems. Standalone servers can be configured to log security audits.

Adjust log sizes appropriately, as defaults are often too small for complex applications. Allocate disk space for logging during server builds, especially for applications like MS Exchange. Backup logs per retention policies and clear them regularly.

Consider a centralized log management solution, like a syslog server, for easier log handling in larger environments.

Establish performance baselines and set notification thresholds for key metrics such as disk space, CPU and memory usage, network activity, and temperature. Use tools like Windows Performance Monitor or third-party solutions to continuously gather and analyze performance data. This proactive monitoring helps quickly identify and address anomalies.

9. Further Hardening

Microsoft provides best practices analyzers based on role and server version that can help you further harden your systems against various attack vectors by scanning and making recommendations.

Although User Account Control (UAC) can get annoying, it serves the important purpose of abstracting executables from the security context of the logged in user. This means that even when you're logged in as an admin, UAC will prevent applications from running as you without your consent. This prevents malware from running in the background and malicious websites from launching installers or other code. Leave UAC on whenever possible.

The tips in this guide help keep Windows secure, from the Windows operating system to every application you run. These should be hardened as well. Common Microsoft server applications such as MSSQL and Exchange have specific security mechanisms that can help protect them, be sure to research and tweak each application for maximum resilience. If you're building a web server, you can also follow our hardening guide to improve its internet facing security.

CIS Benchmarks – What are They and How to Use Them

10. Automation

Defining your ideal state and security baselines is an important first step for server management.  CalCom's Hardening Suite (CHS) will map and learn your network and report to you which policy rule will result in breaking production and why. It will then automatically implement your desired policy over your entire infrastructure, from a centralized management point. CHS will keep your assets continuously hardened, preventing these often missed compliance drifts that often lead to audit failure on breaches.