Windows Server Hardening Security Checklist (Windows 2016 / 2019 / 2022)

Windows Server Hardening Security Checklist (Windows 2016 / 2019 / 2022). In this blog, we will talk about server hardening. Furthermore we will also prepare a checklist subjecting area that require protecting the server against the most common exploits.

Servers are the backbone of any organization. They run the business and help employees share data and keep up their work. But, they are not impervious to cyber attacks. Many companies hand build or deploy physical servers for their small business, but don’t know how to keep them safe from attackers and data breaches.

To reduce costly breaches or your attack surface and improve server security, follow our comprehensive checklist of Windows Server Hardening Security Checklist (Windows 2016 / 2019 / 2022).

What is Server Hardening?

Server hardening is the act of protecting a server from security threats. It is a collection of techniques that help reduce vulnerability and strengthen the security of several, components, functions and ports of a server.

The Server Hardening process involves implementing security measures such as firewalls, recovery procedures, and virus protection to decrease the chance of a cyber attack. Server hardening is fundamentally about protecting critical computer systems by putting in place protection mechanisms while also making them more difficult to attack.

Windows Server Hardening Security Checklist

Cyber attackers always try to access the data and resources held on the servers. Hence, to protect it in real time, we have penned down a few controls and processes one must always implement for server security. Our general security checklist will help pinpoint vulnerabilities and errors, increase security awareness and improve the security of your servers.

1. User Configuration

Image Source: Business vector created by gstudioimagen freepik

The Guest account is a low privilege account used by users who do not have a defined account and require it for occasional access. But the guest accounts are less secure and are a good source for attack. Hence, it is best to disable guest accounts and rename them on each server so that attackers cannot discover and misuse them.

Similarly, there are local Administrator accounts responsible for managing all files, directories and other resources available on your local computer. Being full of information and a popular target for attack, make sure to disable it whenever possible and change the password to something secure.

Moreover , use a strong password policy for each account on the server. Just make sure the chosen password is at least 15 characters long with low and uppercase letters, numbers, and special characters. Also, change your passwords every 90 days to keep your system and administrator accounts safe and secure.

2. Network Configuration

First and foremost, disable all the network services the server is not using and make sure only authenticated users have permission to access systems from the network. Enable the network firewall to protect your system from external attacks and block inbound traffic. Secondly, have a static IP for your production servers so that clients can easily discover them.

For protection purposes, enable the Windows firewall and configure the default behaviour to block the inbound traffic. Additionally, conduct an analysis to discover the ports that must remain open. At the same time, restrict access to ports and block them at the network setting level.

Make sure to have at least two DNS servers and if you want to make changes to it, establish production changes beforehand as it is time consuming. Also, verify the name resolution using nslookup from the command prompt.

3. Windows Features and Roles Configuration

There are specific roles and features incorporated by Microsoft to manage OS packages. Make sure each server role or a set of software programs is properly configured and installed. They include supported features, such as Internet Information Services, etc., that are customizable.

To make sure the functions are working smoothly and quickly, you must perform the recommended things:

  • Check everything you require is properly installed, such as the .NET framework version or IIS.
  • Remove or uninstall any piece that an application does not require, as unnecessary options can work as a great entry point to launch attacks or gain unauthorized access.

Hence, make sure your server design includes things that are necessary.

4. Update Installation

Make sure to update your server from time to time to keep it secure. It does not mean as and when a new update is release, you update without seeing results or checking the test reports. But, you will also implement critical updates as soon as possible after going through the test results.

You can find different types of updates rolling out for servers, including:

  • Rollups for addressing multiple but related vulnerabilities
  • Service packs for various vulnerabilities

Do not update before confirming the test results. To get more details about the updates and user experience, join Microsoft user forums. These forums give an idea about how the new update is rolling out, what are its advantages and drawbacks, etc. It will help you make an informed decision, and accordingly, you can make changes for your server.

5. NTP Configuration

If your functions rely on Kerberos authentication, then a minimum time difference will also be enough to break Windows logons and other functions. Hence, domain controllers need to get their time synched to a time server to avoid any breakdown or problem.

A member server gets its time synched with a domain controller automatically after joining the domain. But there are a few servers that stand alone and require NTP to sync with an external source for accurate timing.

Consistent timekeeping across the network is essential for security mechanisms, file system updates, and network management systems. Hence, if your server is not properly synced, set up Network Time Protocol (NTP). The configuration helps synchronize the computer clock time across a network.

6. Firewall Configuration

A firewall is important for network security and must be properly configured to prevent cyberattacks. Improper configuration can result in attackers gaining access to protected network resources. Hence, proper configuration of domain names and Internet Protocol (IP) addresses is a must. Firewall policy configuration helps restrict incoming traffic to only essential ports and pathways.

Additionally Windows firewall has a built in software firewall that limits the attack surface to the allowed ports and protects network resources. Generally, these firewalls are set up on stand alone servers with security rules that block or allow access and prevent attackers from exploiting the ports.

7. Remote Access Configuration

If your server supports remote desktop (RDP) functions for management, it can be accessed only via a VPN. If left open, chances are high that the potential hackers can make a way via it into your server. Hence, it is important to ensure that RDP is accessible only to authorized users.

Once enabled on the server, it can be accessed by all administrators and other people by default. Hence, change its settings and make sure RDP is accessible only to trusted administrators.

Apart from RDP, you can find many more remote access mechanisms accessible only via VPN, including PowerShell and SSH, that must also be managed carefully. Lastly, avoid making unencrypted communications, instead, we recommend SFTP server or SSH (from a VPN).

8. Service Configuration

There are a set of services provided by the Windows server that automatically starts running in the background by default. Most of these services are used for the proper functioning of the operating system. But, there are many that must be disabled so that hackers cannot make a way into the server or compromise other domains. Make sure to disable services other than the ones necessary for primary functionality.

If you use 2008 or 2003 servers, make sure to double check them as they may include unneeded services. Another advantage of running only vital services is it helps recover the server without human interaction after failure. Complex applications can try the Automatic (Delayed Start) option or set up service dependencies.

Lastly, set up service specific accounts with fewer privileges to keep malicious actors in control and prevent them from extending the compromise in other areas of the server.

9. Further Hardening

Make sure to harden all your applications to protect them against cyberattacks.

Microsoft Windows supports various practices that aid in further hardening the system. It supports scanning and User Account Control (UAC) features that prevent applications from running without your consent. In simple terms, even when you have logged in as an admin, this UAC feature will ask for your consent. Thus, preventing malicious websites or attackers from running or installing code in the background.

Also, enforce the least privilege principle under which only limited user or group will gain the access to specific functions. Additionally, enable anti spyware software, DLP software, anti virus software and scan all attachments for real time protection.

10. Logging and Monitoring

Due to the hectic nature of production schedules, analyzers often miss out on the last and the most important point, i.e., to ensure all the logs and monitoring are properly configured. It is important to configure this feature so that you can quickly remediate your data in case a problem arises.

Stand alone servers include security audit that displays passes and failures. Important factor is to create an audit policy to track which events are written and gain better visibility into each activity. Also, a centralized event viewer can boost troubleshooting and remediation for various environments.

For collecting performance data of each ever, you can also use the built in Windows performance monitor or use a third party solution for the same.

Monitor network activity, disk space, processor, and memory use to identify hidden anomalies and fix the issue.

Thank you for reading Windows Server Hardening Security Checklist (Windows 2016 / 2019 / 2022).

Windows Server Hardening Security Checklist Conclusion

In this Windows Server Hardening Security Checklist post, we have listed a few other key controls, processes, and practices that one must implement to strengthen server security. The above listed basic practices will help harden your server and protect against security threats in real time.

Servers are used to store and share sensitive data and resources to other computers over the network. If you have weak server security, chances are high that the cyber attackers will target it and attack to get hold of your sensitive data.

The attackers believe servers hold maximum and most valuable information. Hence, it is important to implement techniques and tools that will protect your server from hacking and malicious actions.

Summarizing, by implementing strong server security best practices, you can protect your crucial data on time. The server hardening process helps protect your vital systems/data and reduces your attack surface.

Make sure to disable guest accounts and apply a strong password policy for each account on the server. For network resources, enable the Windows firewall and configure the default behavior to block the inbound traffic. Also, keep the server up to date and avoid running new updates without confirming the test results. You can also join Microsoft forums to learn about user experience.

Avatar for Hitesh Jethva
Hitesh Jethva

I am a fan of open source technology and have more than 10 years of experience working with Linux and Open Source technologies. I am one of the Linux technical writers for Cloud Infrastructure Services.

0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x