Windows Server Hardening Checklist: 20 Essential Security Configurations
A default Windows Server installation is not a secure Windows Server installation. Microsoft ships Windows Server with backward compatibility, convenience features, and permissive defaults that make initial setup easy but leave the server exposed to well-documented attack techniques. Every penetration tester knows this, and every attacker counts on it.
Server hardening is the process of reducing the attack surface by disabling unnecessary features, enforcing secure configurations, and implementing monitoring that detects compromise attempts. The Center for Internet Security (CIS) benchmark for Windows Server contains over 300 recommendations. This checklist distills them into the 20 configurations that have the highest security impact for the effort required - the changes that block the attack techniques most commonly used in real-world breaches.
Apply these configurations through Group Policy wherever possible. GPO provides centralized management, consistent enforcement, and easy rollback. Test every change in a non-production environment before deploying to production. Document every exception with a business justification and a compensating control.
Account Security (1-5)
1. Enforce Strong Password Policies
Configure via Group Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.
- Minimum password length: 14 characters for standard users, 16 for administrators
- Password history: 24 passwords remembered (prevents cycling)
- Maximum password age: 365 days for standard accounts (NIST 800-63B recommends against frequent rotation unless compromise is suspected)
- Minimum password age: 1 day (prevents immediate cycling through history)
- Complexity requirements: Enabled, but length is more important than complexity
For service accounts and administrator accounts, implement Fine-Grained Password Policies that require 24+ character passphrases. Service account passwords should be managed by Group Managed Service Accounts (gMSA) where possible, which automatically rotates passwords every 30 days without manual intervention.
2. Configure Account Lockout
Account lockout prevents brute-force password attacks but must be balanced against denial-of-service (an attacker intentionally locking out accounts).
- Account lockout threshold: 10 invalid logon attempts
- Account lockout duration: 30 minutes
- Reset account lockout counter after: 30 minutes
Monitor Event ID 4740 (account lockout) for patterns indicating brute-force attacks. Repeated lockouts of a single account in a short window suggest a targeted attack. Simultaneous lockouts across many accounts suggest password spraying.
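An added example (not part of the original checklist) that classifies the 4740 events from the last 24 hours into the two patterns described above. It assumes it runs on the domain controller that records the lockouts (or on a collector receiving them), and the window and threshold values are assumptions to tune for your environment.

```powershell
# Added example: separate targeted brute force (one account, many lockouts)
# from password spraying (many accounts locked within one window).
# Thresholds below are assumptions; tune them to your baseline.
param(
    [int]$WindowMinutes = 60,
    [int]$SprayAccountThreshold = 5,    # distinct accounts locked in one window
    [int]$BurstPerAccountThreshold = 3  # lockouts of the same account in one window
)

$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
          -ErrorAction SilentlyContinue

# In 4740, Properties[0] is the locked-out account and Properties[1] is the
# "Caller Computer Name" (the machine that submitted the bad passwords).
$lockouts = foreach ($e in $events) {
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = $e.Properties[0].Value
        Caller  = $e.Properties[1].Value
    }
}

# Bucket the lockouts into fixed windows, then look at both dimensions per bucket.
$buckets = $lockouts | Group-Object { [math]::Floor(($_.Time - $since).TotalMinutes / $WindowMinutes) }
foreach ($b in $buckets) {
    $start     = $since.AddMinutes([int]$b.Name * $WindowMinutes)
    $byAccount = $b.Group | Group-Object Account
    $callers   = ($b.Group.Caller | Sort-Object -Unique) -join ', '

    # Many different accounts locked in one window: spraying pattern
    if ($byAccount.Count -ge $SprayAccountThreshold) {
        Write-Warning ('{0:u}: {1} distinct accounts locked in {2} min (password spraying?) callers: {3}' -f $start, $byAccount.Count, $WindowMinutes, $callers)
    }
    # One account locked repeatedly in one window: targeted pattern
    foreach ($a in ($byAccount | Where-Object Count -ge $BurstPerAccountThreshold)) {
        Write-Warning ("{0:u}: account '{1}' locked {2} times in {3} min (targeted brute force?)" -f $start, $a.Name, $a.Count, $WindowMinutes)
    }
}
```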
3. Rename and Disable Default Accounts
The built-in Administrator account (SID ending in -500) is a target for brute-force attacks because it cannot be locked out by default. The Guest account provides unauthenticated access that should never be available on a server.
- Rename the local Administrator account to a non-obvious name (not Admin, ServerAdmin, or Root)
- Disable the Guest account
- Create individual named admin accounts rather than sharing the built-in Administrator
- Consider disabling the built-in Administrator entirely and using named accounts for all administrative access
4. Implement Least-Privilege Service Accounts
Services that run as Local System, Network Service, or with Domain Admin credentials represent some of the highest-risk configurations in any Windows environment. A compromised service running as Local System has full control over the server. A compromised service running as Domain Admin has full control over the entire domain.
- Audit every service:
Get-WmiObject Win32_Service | Select Name, StartName, State | Sort StartName
- Replace Local System with the minimum privilege level needed: Local Service, Network Service, or a dedicated service account
- Use Group Managed Service Accounts (gMSA) for domain-joined services - automatic password rotation, no password management overhead
- Never use Domain Admin credentials for service accounts. Ever. This is the single most common path to full domain compromise
- Remove "Log on as a service" right from groups that do not need it
5. Restrict Local Administrator Group Membership
The local Administrators group should contain only the accounts that genuinely need full administrative access to that specific server. In practice, this means the server administration team's accounts and nothing else.
# Audit local admin group membership
Get-LocalGroupMember -Group "Administrators" | Select Name, PrincipalSource
Use Restricted Groups or Local Users and Groups GPO preferences to enforce membership centrally. Remove Domain Users, Domain Admins (use a dedicated server admin group instead), and any service accounts that do not require local admin access.
Network Security (6-10)
6. Configure Windows Firewall with Advanced Security
Windows Firewall should be enabled on all profiles (Domain, Private, Public) with a default deny inbound rule. Allow only the specific ports and protocols required for the server's role.
# Verify firewall is enabled on all profiles
Get-NetFirewallProfile | Select Name, Enabled, DefaultInboundAction
# Set default deny inbound on all profiles
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block -DefaultOutboundAction Allow
Create explicit allow rules for each required service. For a web server: TCP 80, 443. For a file server: TCP 445 (restrict source IPs to management networks). For a database server: the database port (1433 for SQL Server) from application servers only, not from the entire network. Log dropped connections for forensic analysis.
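An added example (not from the original checklist) that puts the role-based rules described above into practice: default deny on every profile, allow rules scoped to a source network, dropped-packet logging, and a final review listing any inbound allow rule that is still open to any source. The subnet values and rule names are assumptions.

```powershell
# Added example: default-deny inbound, source-scoped allow rules, and drop logging.
$MgmtNet = '10.10.0.0/24'   # assumed management network
$AppNet  = '10.20.0.0/24'   # assumed application-server subnet

# Default deny inbound on all profiles and log what gets dropped (max log size is 32 MB)
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogAllowed False -LogMaxSizeKilobytes 32767 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# File-server role: SMB only from the management network, not from the whole LAN
New-NetFirewallRule -DisplayName 'Hardening: SMB from management net' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress $MgmtNet `
    -Profile Domain -Action Allow

# Database role: SQL Server port reachable from application servers only
New-NetFirewallRule -DisplayName 'Hardening: SQL from app servers' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 -RemoteAddress $AppNet `
    -Profile Domain -Action Allow

# Review: enabled inbound allow rules that are not restricted to a source address.
# Every row here is a rule that defeats the "specific ports from specific sources" goal.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
    Select-Object DisplayName, Profile, DisplayGroup
```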
7. Disable Unnecessary Network Protocols and Services
- Disable SMBv1. SMBv1 is the protocol targeted by the EternalBlue exploit and the WannaCry and NotPetya outbreaks built on it. It has no place on any modern server:
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
- Disable LLMNR. Link-Local Multicast Name Resolution enables credential interception on the local network. Disable via GPO: Computer Configuration > Administrative Templates > Network > DNS Client > Turn off Multicast Name Resolution = Enabled
- Disable NetBIOS over TCP/IP. Another name resolution protocol that enables credential interception. Disable via DHCP options or per-adapter in network properties
- Disable WPAD (Web Proxy Auto-Discovery). WPAD enables man-in-the-middle attacks. Disable via GPO or by setting the WinHttpAutoProxySvc service to Disabled
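An added example (not from the original checklist) that applies the LLMNR, NetBIOS and WPAD settings from this section on a single server and reports whether each one is in the hardened state. The LLMNR value is the same registry value the DNS Client GPO writes, so the check also works for verifying that policy applied; the WPAD registry workaround is an assumption for builds where Set-Service refuses to change that service's start type.

```powershell
# Added example: disable the three name-resolution poisoning vectors and verify.

# 1. LLMNR: EnableMulticast = 0 under the DNS Client policy key (what the GPO sets)
$dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
New-Item -Path $dnsPolicy -Force | Out-Null
Set-ItemProperty -Path $dnsPolicy -Name EnableMulticast -Type DWord -Value 0

# 2. NetBIOS over TCP/IP: NetbiosOptions = 2 (disable) on every adapter interface key
$ifaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem $ifaces | Where-Object PSChildName -like 'Tcpip_*' | ForEach-Object {
    Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Type DWord -Value 2
}

# 3. WPAD: stop and disable the WinHTTP Web Proxy Auto-Discovery service.
#    Assumption: on recent builds Set-Service cannot change this service's start type,
#    so the Start value (4 = Disabled) is written directly; a reboot makes it effective.
$wpadSvc = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc'
Stop-Service WinHttpAutoProxySvc -Force -ErrorAction SilentlyContinue
Set-ItemProperty -Path $wpadSvc -Name Start -Type DWord -Value 4

# Verification: one row per setting; Compliant = False means the setting did not stick
[pscustomobject]@{
    Setting   = 'LLMNR disabled'
    Compliant = (Get-ItemProperty $dnsPolicy).EnableMulticast -eq 0
}
[pscustomobject]@{
    Setting   = 'NetBIOS disabled on all adapters'
    Compliant = -not (Get-ChildItem $ifaces | Where-Object PSChildName -like 'Tcpip_*' |
                      Where-Object { (Get-ItemProperty $_.PSPath).NetbiosOptions -ne 2 })
}
[pscustomobject]@{
    Setting   = 'WPAD service disabled'
    Compliant = (Get-ItemProperty $wpadSvc).Start -eq 4
}
```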
8. Enforce SMB Signing and Encryption
SMB signing prevents relay attacks. SMB encryption prevents eavesdropping. Both should be enforced on all servers.
# Enable SMB signing (require, not just enable)
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
# Enable SMB encryption for sensitive shares
Set-SmbShare -Name "FinanceData" -EncryptData $true
GPO path: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. Set both "Microsoft network server: Digitally sign communications (always)" and "Microsoft network client: Digitally sign communications (always)" to Enabled.
9. Restrict Remote Desktop Access
RDP is one of the most commonly exploited services on Windows servers. If RDP is required, harden it significantly:
- Enable Network Level Authentication (NLA) - requires authentication before establishing the RDP session
- Restrict RDP access to specific IP ranges using Windows Firewall rules
- Use an RDP gateway (Remote Desktop Gateway) for all external access rather than exposing RDP directly
- Set session timeout and idle disconnect policies to prevent abandoned sessions
- Restrict the clients allowed to connect to those running Remote Desktop with NLA (the "Allow connections only from computers running Remote Desktop with Network Level Authentication" option under System Properties > Remote)
- Consider disabling RDP entirely on servers that do not require it and using PowerShell remoting or other management tools instead
10. Configure TLS and Cipher Suite Settings
Disable legacy protocols and weak cipher suites that are vulnerable to known attacks:
- Disable SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 - these protocols have known vulnerabilities. Only TLS 1.2 and TLS 1.3 should be enabled
- Disable NULL cipher suites, RC4, DES, 3DES, and export-grade ciphers
- Prioritize ECDHE and DHE key exchange algorithms for forward secrecy
- Use IISCrypto (free tool from Nartac Software) to configure cipher suites through a GUI, or deploy via registry settings through GPO
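An added example (not from the original checklist and not IISCrypto's own output) showing the registry settings behind this section for a server where the GUI tool is not used: legacy protocols off, TLS 1.2/1.3 on, legacy cipher algorithms off, and weak cipher suites removed from the negotiation list. A reboot is required for SCHANNEL changes to apply, the TLS 1.3 key only has effect on Windows Server 2022 and later, and the cipher-suite cmdlets need Windows Server 2016 or later.

```powershell
# Added example: SCHANNEL protocol and cipher hardening via the registry.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelProtocol([string]$Name, [bool]$Enable) {
    # Each protocol has a Server and a Client subkey; both are set the same way.
    foreach ($side in 'Server', 'Client') {
        $key = "$schannel\Protocols\$Name\$side"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name Enabled           -Type DWord -Value ([int]$Enable)
        Set-ItemProperty -Path $key -Name DisabledByDefault -Type DWord -Value ([int](-not $Enable))
    }
}
'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1' | ForEach-Object { Set-SchannelProtocol $_ $false }
'TLS 1.2', 'TLS 1.3'                       | ForEach-Object { Set-SchannelProtocol $_ $true }

# Legacy cipher algorithms. These key names contain "/", which the PowerShell registry
# provider would treat as a path separator, so the .NET registry API is used directly.
$ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers')
foreach ($c in 'NULL', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128', 'DES 56/56', 'Triple DES 168') {
    $k = $ciphers.CreateSubKey($c)
    $k.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $k.Close()
}
$ciphers.Close()

# Cipher suites: remove anything still offering RC4, DES/3DES or NULL encryption,
# then show the remaining list in negotiation order (ECDHE suites should lead it).
Get-TlsCipherSuite | Where-Object { $_.Name -match 'RC4|3DES|DES_CBC|NULL' } |
    ForEach-Object { Disable-TlsCipherSuite -Name $_.Name }
Get-TlsCipherSuite | Select-Object Name, Exchange, Cipher, Hash
```

Validate the result from outside the server with a TLS scanner after the reboot, since a mistyped key name fails silently.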
Audit and Monitoring (11-15)
11. Configure Advanced Audit Policy
Enable Advanced Audit Policy Configuration (not basic audit policy) via GPO: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration.
Critical subcategories to enable (Success and Failure):
- Account Logon: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations
- Account Management: Computer Account Management, Security Group Management, User Account Management
- Logon/Logoff: Logon, Logoff, Special Logon, Account Lockout, Network Policy Server
- Object Access: File System (for sensitive directories), Registry, Kernel Object
- Policy Change: Audit Policy Change, Authentication Policy Change
- Privilege Use: Sensitive Privilege Use
- System: Security State Change, Security System Extension, System Integrity
12. Increase Security Log Size and Configure Forwarding
The default Security log maximum size of 20 MB is insufficient for production servers generating thousands of events per hour. Increase it to at least 1 GB:
# Set Security log to 1 GB with overwrite-as-needed (/rt:false = overwrite oldest events when full)
wevtutil sl Security /ms:1073741824 /rt:false
Forward security events to a SIEM or centralized log management platform using Windows Event Forwarding (WEF) or a log collection agent (Elastic Agent, Splunk Universal Forwarder, Wazuh agent). Local logs can be cleared by an attacker with admin access. Forwarded logs survive compromise.
13. Enable PowerShell Logging
PowerShell is both the most powerful administration tool and the most popular attack tool on Windows. Full logging is essential for detecting malicious use.
- Module logging: Records all PowerShell module activity. GPO: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on Module Logging = Enabled (specify * for all modules)
- Script block logging: Records the content of all scripts and commands executed, including dynamically generated and obfuscated code. GPO: Turn on PowerShell Script Block Logging = Enabled
- Transcription: Creates a full text transcript of every PowerShell session. GPO: Turn on PowerShell Transcription = Enabled (specify output directory)
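An added example (not from the original checklist) that writes the registry values the three logging policies above set, so a standalone server matches Group Policy, and then sweeps the last day of script block events (Event ID 4104) for markers that ordinary administration rarely produces. The transcript directory and the marker list are assumptions to adapt to your environment.

```powershell
# Added example: enable module, script block and transcription logging locally,
# then triage 4104 script block events for common obfuscation markers.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Module logging for all modules (value name "*" under ModuleNames means every module)
New-Item "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty "$base\ModuleLogging" -Name EnableModuleLogging -Type DWord -Value 1
Set-ItemProperty "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'

# Script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational)
New-Item "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Type DWord -Value 1

# Transcription to a directory that ordinary users cannot read or modify; forward it too
$transcriptDir = 'C:\PSTranscripts'   # assumed path
New-Item "$base\Transcription" -Force | Out-Null
Set-ItemProperty "$base\Transcription" -Name EnableTranscripting    -Type DWord -Value 1
Set-ItemProperty "$base\Transcription" -Name EnableInvocationHeader -Type DWord -Value 1
Set-ItemProperty "$base\Transcription" -Name OutputDirectory -Value $transcriptDir

# Detection sweep. 4104 properties: [0] fragment number, [1] fragment total,
# [2] ScriptBlockText, [3] ScriptBlockId. Long blocks are split across fragments,
# so the fragment position is reported to help reassemble them.
$markers = 'FromBase64String', '-EncodedCommand', '-enc ', 'DownloadString', 'Invoke-Expression', 'IEX '
$filter  = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $text = [string]$_.Properties[2].Value
    $hits = $markers | Where-Object { $text -match [regex]::Escape($_) }
    if ($hits) {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Fragment = '{0}/{1}' -f $_.Properties[0].Value, $_.Properties[1].Value
            ScriptId = $_.Properties[3].Value
            Markers  = $hits -join ', '
            Preview  = $text.Substring(0, [math]::Min(120, $text.Length))
        }
    }
}
```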
14. Enable Windows Defender Credential Guard
Credential Guard uses virtualization-based security to isolate credential material (NTLM hashes, Kerberos tickets) in a protected container that even a compromised kernel cannot access. This prevents the credential theft attacks (Mimikatz, PtH, PtT) that are the foundation of lateral movement in most breaches.
Requirements: UEFI firmware with Secure Boot, Windows Server 2016 or later, TPM 2.0 (recommended), and Hyper-V enabled. Deploy via GPO: Computer Configuration > Administrative Templates > System > Device Guard > Turn on Virtualization Based Security.
15. Configure Windows Defender Antivirus and Attack Surface Reduction
Windows Defender is a capable endpoint protection solution when properly configured. Enable these features on every server:
- Real-time protection: Enabled (default)
- Cloud-delivered protection: Enabled - provides faster detection of emerging threats
- Automatic sample submission: Enabled (review for compliance requirements)
- Attack Surface Reduction (ASR) rules: Enable rules that block Office macros from creating child processes, block credential stealing from lsass.exe, block process creations from PSExec and WMI commands, and block untrusted processes from USB
- Controlled Folder Access: Enabled on servers with sensitive data - prevents ransomware from encrypting protected directories
# Enable key ASR rules in audit mode first
# Block executable content from email client and webmail
Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions AuditMode
# Block credential stealing from LSASS
Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions AuditMode
System Hardening (16-20)
16. Remove Unnecessary Roles and Features
Every installed role and feature adds code, services, and potential vulnerabilities. A file server does not need IIS. A database server does not need the Print and Document Services role. An application server does not need the Fax Server feature.
# List installed features
Get-WindowsFeature | Where-Object {$_.Installed -eq $true} | Select Name, DisplayName
# Remove unnecessary features
Remove-WindowsFeature -Name Fax, XPS-Viewer, TFTP-Client
Consider using Server Core or Nano Server installations for servers that do not require a graphical interface. Server Core has a dramatically smaller attack surface - no desktop shell, no Windows Explorer, no Internet Explorer, and far fewer installed components. Most server roles work correctly on Server Core, and the security benefit is substantial.
17. Configure Windows Update and Patch Management
Unpatched servers are the number one entry point for ransomware. Configure automatic update delivery and establish a patching cadence:
- Configure WSUS or SCCM/Intune as the update source for centralized control
- Test patches in staging within 48 hours of Patch Tuesday release
- Deploy to production within 14 days for standard updates
- Deploy critical and actively exploited patches within 48-72 hours
- Schedule a monthly maintenance window for patching and reboot
- Track patch compliance and investigate any server that falls more than 30 days behind
18. Harden Registry and File System Permissions
- Remove the Everyone group from permissions on system directories and registry keys
- Restrict write access to the Windows directory, System32, and Program Files to administrators only
- Protect the SAM, SECURITY, and SYSTEM registry hives from non-administrator access
- Enable file system auditing on sensitive directories (finance data, customer data, intellectual property)
- Use NTFS permissions, not just share permissions, as the primary access control mechanism
19. Disable Unnecessary Scheduled Tasks and Startup Programs
Attackers frequently use scheduled tasks and startup programs for persistence. Audit both regularly:
# List all scheduled tasks
Get-ScheduledTask | Where-Object {$_.State -ne 'Disabled'} | Select TaskName, TaskPath, State, Author
# List startup programs
Get-CimInstance Win32_StartupCommand | Select Name, Command, Location
Disable any task or startup entry that is not required for the server's role. Pay particular attention to tasks created by non-Microsoft authors, tasks that run PowerShell or cmd.exe with encoded commands, and tasks that were created outside of change management windows.
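An added example (not from the original checklist) that turns the three review criteria above into a report: tasks with non-Microsoft authors, tasks whose actions launch an interpreter with encoded or hidden arguments, and tasks registered after the last approved change window. The cut-off date and the argument marker list are assumptions.

```powershell
# Added example: report enabled scheduled tasks that match common persistence patterns.
param([datetime]$LastChangeWindow = (Get-Date).AddDays(-30))   # assumed change-window cut-off

$interpreters   = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32'
$suspiciousArgs = '-EncodedCommand', '-enc', 'FromBase64String', '-w hidden', '-WindowStyle Hidden', 'IEX', 'Invoke-Expression'

Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
    $task    = $_
    $info    = $task | Get-ScheduledTaskInfo
    $reasons = @()

    # Built-in tasks carry "Microsoft ..." or a localized "$(@%...)" resource string as author
    if ($task.Author -and $task.Author -notmatch '^(Microsoft|\$\(@%)') {
        $reasons += "author '$($task.Author)'"
    }

    # Exec actions expose Execute and Arguments; other action types have neither
    foreach ($a in $task.Actions) {
        $exe    = [string]$a.Execute
        $argStr = [string]$a.Arguments
        if ($exe -match $interpreters) {
            $hit = $suspiciousArgs | Where-Object { $argStr -match [regex]::Escape($_) }
            if ($hit) { $reasons += "interpreter '$exe' with $($hit -join '/')" }
        }
    }

    # Registration date (ISO 8601 string) later than the last approved change window
    if ($task.Date -and ([datetime]$task.Date) -gt $LastChangeWindow) {
        $reasons += "registered $($task.Date) (after change window)"
    }

    if ($reasons) {
        [pscustomobject]@{
            Task    = $task.TaskPath + $task.TaskName
            RunAs   = $task.Principal.UserId
            LastRun = $info.LastRunTime
            Reasons = $reasons -join '; '
        }
    }
}
```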
20. Implement BitLocker or Storage Encryption
Physical theft or unauthorized disk access can bypass every logical access control. Encrypt server storage to protect data at rest:
- Enable BitLocker on all drives with TPM-based unlocking for automatic decryption at boot
- Store BitLocker recovery keys in Active Directory or a secure key management system
- Enable BitLocker on external and removable drives (BitLocker To Go)
- For virtual machines, use host-level encryption (BitLocker on the Hyper-V host, vSAN encryption for VMware)
- Verify encryption status regularly:
manage-bde -status