Securing Windows Server: Hardening Checklist
Hardening your Kazepute Breeze running Windows Server is critical to reducing your attack surface and protecting your data. This guide provides a comprehensive checklist of security measures you should implement on every Windows Server deployment.
Account Security
Rename and Disable Default Accounts
```powershell
# Rename the built-in Administrator account
Rename-LocalUser -Name "Administrator" -NewName "SrvAdmin"
# Disable the Guest account
Disable-LocalUser -Name "Guest"
# Create a decoy Administrator account (disabled, no group memberships).
# The password literal is a placeholder; use a long random value in practice.
New-LocalUser -Name "Administrator" -Password (ConvertTo-SecureString "DecoyPass!" -AsPlainText -Force) -Description "Honeypot"
Disable-LocalUser -Name "Administrator"
```
Enforce Strong Password Policies
```powershell
# Configure password policy via secpol.msc or PowerShell.
# Set via Local Security Policy (length, age and history can also be set with net accounts;
# complexity is only available through Local Security Policy or a secedit template):
# - Minimum password length: 14 characters
# - Password complexity: Enabled
# - Maximum password age: 90 days
# - Enforce password history: 24 passwords
# Configure account lockout (5 failures, 30-minute lockout, 30-minute observation window)
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
```
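The comments above list the baseline values but only the lockout line actually applies anything. As an added example that is not part of the original checklist, the script below applies the remaining values with net.exe, turns on complexity through a minimal secedit template, and then reads the effective policy back so the result can be verified. The setting names it matches are those printed by the English-language `net accounts` output; the temp-file paths are assumptions.

```powershell
# Added example: apply and verify the password/lockout baseline listed above.
function Set-BaselinePasswordPolicy {
    # Length, age and history can be set with net.exe; complexity cannot.
    net accounts /minpwlen:14 /maxpwage:90 /minpwage:1 /uniquepw:24 | Out-Null
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

    # Complexity lives in the [System Access] area of the security template,
    # so apply it with secedit from a minimal .inf (secedit requires Unicode files).
    $inf = Join-Path $env:TEMP 'pwcomplexity.inf'   # assumed scratch path
    @'
[Unicode]
Unicode=yes
[System Access]
PasswordComplexity = 1
[Version]
signature="$CHICAGO$"
Revision=1
'@ | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db (Join-Path $env:TEMP 'pwcomplexity.sdb') /cfg $inf /areas SECURITYPOLICY | Out-Null
    Remove-Item $inf -ErrorAction SilentlyContinue
}

function Get-PasswordPolicyReport {
    # Parse "Setting:   value" lines from net accounts into a lookup table
    $actual = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(?<name>[^:]+):\s+(?<value>\S.*)$') {
            $actual[$Matches.name.Trim()] = $Matches.value.Trim()
        }
    }

    # Complexity is not reported by net accounts; read it from a secedit export instead
    $cfg = Join-Path $env:TEMP 'secpol-export.cfg'
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $m = Select-String -Path $cfg -Pattern '^PasswordComplexity\s*=\s*(\d)'
    $complexity = if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $actual['Password complexity'] = if ($complexity -eq '1') { 'Enabled' } else { 'Disabled' }

    # Expected values are the checklist baseline
    $expected = [ordered]@{
        'Minimum password length'               = '14'
        'Password complexity'                   = 'Enabled'
        'Maximum password age (days)'           = '90'
        'Length of password history maintained' = '24'
        'Lockout threshold'                     = '5'
        'Lockout duration (minutes)'            = '30'
        'Lockout observation window (minutes)'  = '30'
    }
    foreach ($key in $expected.Keys) {
        [pscustomobject]@{
            Setting   = $key
            Expected  = $expected[$key]
            Actual    = $actual[$key]
            Compliant = ($actual[$key] -eq $expected[$key])
        }
    }
}

Set-BaselinePasswordPolicy
Get-PasswordPolicyReport | Format-Table -AutoSize
```

Both functions need an elevated session. On a domain-joined server the effective policy may come from the Default Domain Policy GPO, in which case the report will show the domain values rather than what was set locally.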
Windows Update Configuration
```powershell
# Check for available updates (PSWindowsUpdate is installed from the PowerShell Gallery)
Install-Module PSWindowsUpdate -Force
Get-WindowsUpdate
# Install all updates
Install-WindowsUpdate -AcceptAll -AutoReboot
# Schedule automatic updates via Group Policy or registry.
# The policy key does not exist on a fresh install, so create it before writing values.
$au = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
New-Item -Path $au -Force | Out-Null
Set-ItemProperty -Path $au -Name "NoAutoUpdate" -Value 0
# AUOptions 4 = automatically download and schedule the install
Set-ItemProperty -Path $au -Name "AUOptions" -Value 4
```
Firewall Hardening
```powershell
# Ensure all firewall profiles are enabled
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
# Set default to block inbound, allow outbound
Set-NetFirewallProfile -Profile Domain,Public,Private -DefaultInboundAction Block -DefaultOutboundAction Allow
# Log dropped packets
Set-NetFirewallProfile -Profile Domain,Public,Private -LogBlocked True -LogAllowed False -LogFileName "C:\Windows\System32\LogFiles\Firewall\pfirewall.log" -LogMaxSizeKilobytes 16384
# Only open ports you need — review existing rules
Get-NetFirewallRule -Direction Inbound -Enabled True | Format-Table DisplayName, Action
```
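Logging blocked packets is only useful if someone reads the log. As an added example (not part of the original checklist), the following parser reads the W3C-style format that the Windows Firewall writes, takes its column names from the file's own `#Fields:` header, and summarises dropped inbound traffic per source address so that a source probing several ports stands out. The log lines embedded below are constructed for the offline run; the threshold value is an assumption.

```powershell
# Added example: summarise dropped inbound connections from pfirewall.log.
# The sample is constructed to match the firewall's log layout (#Fields header,
# then space-separated columns); point -Lines at the real log for a live run.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-04 10:15:01 DROP TCP 203.0.113.5 10.0.0.10 51234 3389 52 S 1234567 0 8192 - - - RECEIVE
2024-03-04 10:15:02 DROP TCP 203.0.113.5 10.0.0.10 51235 3389 52 S 1234568 0 8192 - - - RECEIVE
2024-03-04 10:15:03 DROP TCP 203.0.113.5 10.0.0.10 51236 445 52 S 1234569 0 8192 - - - RECEIVE
2024-03-04 10:15:04 DROP UDP 198.51.100.7 10.0.0.10 40000 161 78 - - - - - - - RECEIVE
2024-03-04 10:15:05 DROP TCP 10.0.0.10 203.0.113.9 52000 25 52 S 1234570 0 8192 - - - SEND
'@

function Get-DroppedInboundSummary {
    param(
        [string[]]$Lines,      # log content, one line per element
        [int]$Threshold = 2    # flag sources with at least this many drops (assumed value)
    )
    $fields = $null
    $records = foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Column names come from the header, so the parser follows the file's own layout
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        [pscustomobject]$rec
    }
    # Only inbound drops matter here: path RECEIVE with action DROP
    $records |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object 'src-ip' |
        ForEach-Object {
            [pscustomobject]@{
                SourceIp   = $_.Name
                Drops      = $_.Count
                Ports      = ($_.Group.'dst-port' | Sort-Object -Unique) -join ','
                Suspicious = ($_.Count -ge $Threshold)
            }
        } | Sort-Object Drops -Descending
}

# Offline run against the constructed sample; for the live log use:
# Get-DroppedInboundSummary -Lines (Get-Content 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log')
Get-DroppedInboundSummary -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

On the sample, 203.0.113.5 is reported with three drops across ports 3389 and 445 and flagged, while the single SNMP drop from 198.51.100.7 is listed but not flagged. The outbound SEND line is ignored because it is not inbound traffic.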
Remote Desktop Security
```powershell
# Enable NLA (Network Level Authentication)
$rdpKey = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name "UserAuthentication" -Value 1
# Change RDP port. The new value takes effect after the Remote Desktop Services
# service restarts, and the built-in firewall rules only cover 3389, so allow
# the new port explicitly.
Set-ItemProperty -Path $rdpKey -Name "PortNumber" -Value 3390
# Limit RDP access to specific users (members of Administrators can always connect)
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "SrvAdmin"
# Set idle session timeout (in milliseconds, 15 minutes). The policy key is
# absent on a fresh install, so create it first.
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $tsPolicy -Force | Out-Null
Set-ItemProperty -Path $tsPolicy -Name "MaxIdleTime" -Value 900000
```
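Changing the port on its own leaves the default 3389 rules open and the new port closed. As an added example (not part of the original checklist), this function ties the steps together: it refuses to proceed unless NLA is already on, moves the listener, retires the built-in "Remote Desktop" rule group, opens the new port only to a management subnet, and restarts the service so the new port is actually listened on. The management subnet is an assumption; the summary's "IP restrictions" item is what the `-RemoteAddress` filter implements.

```powershell
# Added example: move RDP to a new port and restrict who can reach it.
function Set-RestrictedRdpAccess {
    param(
        [int]$Port = 3390,
        [string[]]$ManagementSubnet = @('10.0.0.0/24')   # assumed management network
    )
    $rdpKey = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # Do not expose RDP at all unless NLA is enforced
    if ((Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -ne 1) {
        throw 'NLA is not enabled; set UserAuthentication=1 before opening RDP.'
    }

    Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $Port

    # The built-in "Remote Desktop" rule group is pinned to 3389; disable it so the
    # old port is closed once the listener moves.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

    # Allow the new port only from the management subnet, and never on the Public profile
    $ruleName = "RDP $Port (management subnet only)"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $Port -RemoteAddress $ManagementSubnet -Action Allow `
            -Profile Domain,Private | Out-Null
    }

    # The listener only re-reads PortNumber on service restart; this drops active sessions
    Restart-Service -Name TermService -Force

    # Show the address filter that is now in force
    Get-NetFirewallRule -DisplayName $ruleName |
        Get-NetFirewallAddressFilter |
        Select-Object RemoteAddress
}

Set-RestrictedRdpAccess -Port 3390 -ManagementSubnet '10.0.0.0/24'
```

Run this from a console session or an out-of-band channel, not over the RDP session you are about to restart. Moving the port does not replace NLA, the subnet restriction or strong credentials; it only reduces noise from scanners that try 3389 by default.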
Disable Unnecessary Services
```powershell
# Disable services not needed on a server
$servicesToDisable = @(
    "XblAuthManager",  # Xbox Live Auth Manager
    "XblGameSave",     # Xbox Live Game Save
    "MapsBroker",      # Downloaded Maps Manager
    "lfsvc",           # Geolocation Service
    "SharedAccess",    # Internet Connection Sharing
    "WMPNetworkSvc",   # Windows Media Player Network Sharing
    "RemoteRegistry"   # Remote Registry
)
foreach ($svc in $servicesToDisable) {
    $service = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($service) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svc -StartupType Disabled
        Write-Host "Disabled: $svc"
    }
}
```
Enable Auditing
```powershell
# Enable audit policies. "Logon", "Account Lockout" and "Logoff" are subcategories;
# "Account Management", "Policy Change" and "Privilege Use" are top-level categories,
# so they must be set with /category (auditpol rejects them under /subcategory).
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
auditpol /set /category:"Account Management" /success:enable /failure:enable
auditpol /set /category:"Policy Change" /success:enable /failure:enable
auditpol /set /category:"Privilege Use" /success:enable /failure:enable
# View current audit settings
auditpol /get /category:*
```
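Once logon auditing is on, the Security log fills with event 4625 (failed logon) records. As an added example (not part of the original checklist), the code below pulls the fields a reviewer needs out of those events and groups failures by source address, distinguishing one source hammering a single account from one source touching many accounts. The summary function works on plain objects, so it is demonstrated here with constructed records rather than real log data; `Get-FailedLogons` feeds it from the live log and needs an elevated session. The threshold defaults to the lockout threshold configured earlier.

```powershell
# Added example: per-source summary of failed logons from the Security log.
function Get-FailedLogons {
    param([int]$Hours = 24)
    # 4625 = failed logon. The interesting fields live in the EventData XML.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $d['TargetUserName']
                SourceIp  = $d['IpAddress']
                LogonType = $d['LogonType']   # 10 = RemoteInteractive (RDP), 3 = network
                Status    = $d['Status']      # 0xC000006A = bad password, 0xC0000064 = no such user
            }
        }
}

function Get-FailedLogonSummary {
    param(
        [Parameter(ValueFromPipeline)] [object[]]$Events,
        [int]$Threshold = 5    # matches the lockout threshold set above
    )
    begin { $all = @() }
    process { $all += $Events }
    end {
        $all | Group-Object SourceIp | ForEach-Object {
            $users = @($_.Group.User | Sort-Object -Unique)
            [pscustomobject]@{
                SourceIp      = $_.Name
                Failures      = $_.Count
                DistinctUsers = $users.Count
                # one account, many tries vs. many accounts, few tries each: worth telling apart
                Pattern       = if ($users.Count -gt 1) { 'multi-account' } else { 'single-account' }
                OverThreshold = ($_.Count -ge $Threshold)
            }
        } | Sort-Object Failures -Descending
    }
}

# Constructed records standing in for parsed 4625 events (not real log data)
$sample = @(
    [pscustomobject]@{ Time = Get-Date; User = 'alice'; SourceIp = '203.0.113.5'; LogonType = '10'; Status = '0xC000006A' }
    [pscustomobject]@{ Time = Get-Date; User = 'bob';   SourceIp = '203.0.113.5'; LogonType = '10'; Status = '0xC000006A' }
    [pscustomobject]@{ Time = Get-Date; User = 'carol'; SourceIp = '203.0.113.5'; LogonType = '10'; Status = '0xC0000064' }
    [pscustomobject]@{ Time = Get-Date; User = 'alice'; SourceIp = '10.0.0.25';   LogonType = '2';  Status = '0xC000006A' }
)
$sample | Get-FailedLogonSummary -Threshold 3 | Format-Table -AutoSize
# Live run over the last day:
# Get-FailedLogons -Hours 24 | Get-FailedLogonSummary
```

On the sample, 203.0.113.5 shows three failures across three accounts and is flagged as over the threshold, while the single failure from 10.0.0.25 is listed for context. Pair this with event 4740 (account locked out) to confirm the lockout policy is actually firing.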
TLS and Encryption
```powershell
# Disable TLS 1.0 and 1.1. These keys govern the server side only; add matching
# ...\$proto\Client keys if this host also makes outbound TLS connections.
$protocols = @("TLS 1.0", "TLS 1.1")
foreach ($proto in $protocols) {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Server"
    New-Item -Path $path -Force | Out-Null
    Set-ItemProperty -Path $path -Name "Enabled" -Value 0
    Set-ItemProperty -Path $path -Name "DisabledByDefault" -Value 1
}
# Disable SSL 2.0 and 3.0
$sslProtocols = @("SSL 2.0", "SSL 3.0")
foreach ($proto in $sslProtocols) {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Server"
    New-Item -Path $path -Force | Out-Null
    Set-ItemProperty -Path $path -Name "Enabled" -Value 0
}
# Enable TLS 1.2 and 1.3 explicitly (the TLS 1.3 key is honoured on Windows Server 2022
# and later; on older releases it is ignored). SCHANNEL reads these values at boot,
# so a reboot is required.
$modernProtocols = @("TLS 1.2", "TLS 1.3")
foreach ($proto in $modernProtocols) {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Server"
    New-Item -Path $path -Force | Out-Null
    Set-ItemProperty -Path $path -Name "Enabled" -Value 1
    Set-ItemProperty -Path $path -Name "DisabledByDefault" -Value 0
}
```
SMB Security
```powershell
# Disable SMBv1. On Windows Server the same component is also exposed as the
# "FS-SMB1" role feature (Remove-WindowsFeature -Name FS-SMB1); either way a reboot is needed.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
# Require SMB signing
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
# Require SMB encryption (clients that cannot do SMB 3 encryption will be refused)
Set-SmbServerConfiguration -EncryptData $true -Force
```
Hardening Checklist Summary
- Rename and disable default accounts (Administrator, Guest).
- Enforce strong password policies with account lockout.
- Keep Windows Server updated with the latest patches.
- Enable and configure Windows Firewall on all profiles.
- Secure RDP with NLA, port change, and IP restrictions.
- Disable unnecessary services and roles.
- Enable comprehensive auditing and review logs regularly.
- Disable legacy protocols (SSL, TLS 1.0/1.1, SMBv1).
- Enable SMB signing and encryption.
- Use BitLocker for disk encryption where applicable.
- Install and configure antimalware protection.
- Regularly review user accounts and group memberships.
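A checklist is only as good as the evidence that it is still applied. As an added example (not part of the original checklist), the following function reads back the settings changed in the sections above and reports each one as pass or fail, so it can be run after hardening and again on a schedule to catch drift. It checks only items the checklist itself configures; the services it expects to find disabled are a subset of the list above, and a missing SCHANNEL key is reported as a failure because it means the operating-system default applies.

```powershell
# Added example: verify the hardening settings from this checklist and report drift.
function Test-ServerHardening {
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
    }
    # Return $null instead of throwing when a key or value is absent
    function Get-RegValue([string]$Path, [string]$Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }

    # Accounts
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    Add-Check 'Guest account disabled' ($guest -and -not $guest.Enabled) "Enabled=$($guest.Enabled)"

    # Firewall: every profile on, inbound blocked by default, drops logged
    foreach ($p in Get-NetFirewallProfile) {
        Add-Check "Firewall profile $($p.Name)" `
            ($p.Enabled -and $p.DefaultInboundAction -eq 'Block' -and $p.LogBlocked) `
            "Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction) LogBlocked=$($p.LogBlocked)"
    }

    # RDP
    $rdp = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $nla = Get-RegValue $rdp 'UserAuthentication'
    Add-Check 'RDP requires NLA' ($nla -eq 1) "UserAuthentication=$nla"

    # Legacy SSL/TLS off on the server side (absent key = OS default = fail)
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Server"
        $enabled = Get-RegValue $key 'Enabled'
        Add-Check "$proto disabled (server)" ($enabled -eq 0) "Enabled=$enabled"
    }

    # SMB
    $smb = Get-SmbServerConfiguration
    Add-Check 'SMBv1 off'            (-not $smb.EnableSMB1Protocol) "EnableSMB1Protocol=$($smb.EnableSMB1Protocol)"
    Add-Check 'SMB signing required' $smb.RequireSecuritySignature  "RequireSecuritySignature=$($smb.RequireSecuritySignature)"
    Add-Check 'SMB encryption on'    $smb.EncryptData               "EncryptData=$($smb.EncryptData)"

    # Services that should stay disabled (subset of the list in the checklist)
    foreach ($svc in 'RemoteRegistry', 'SharedAccess') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        Add-Check "Service $svc disabled" ((-not $s) -or $s.StartType -eq 'Disabled') "StartType=$($s.StartType)"
    }

    # Audit policy: logon success and failure both on (auditpol /r emits CSV)
    $logon = auditpol /get /subcategory:"Logon" /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    Add-Check 'Logon auditing (success+failure)' ($logon.'Inclusion Setting' -eq 'Success and Failure') "Setting=$($logon.'Inclusion Setting')"

    return $results
}

$report = Test-ServerHardening
$report | Format-Table -AutoSize
# Exit non-zero when anything failed, so a scheduler or pipeline can alert on it
if ($report | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it elevated; several of the cmdlets (Get-SmbServerConfiguration, auditpol, the SCHANNEL keys) need administrator rights to read. The exit code makes the script usable as a scheduled task or a build gate without anyone having to read the table.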