Complete Windows Server & Workstation Hardening Guide
Windows Server 2019, Windows Server 2022, Windows Server 2025, and Windows 11
From Installation to Production
Table of Contents
Introduction
Security Principles and Methodology
Threat Landscape Overview
Planning and Architecture
Hardware Security Requirements
BIOS/UEFI Hardening
Secure Installation Procedures
Windows Deployment Best Practices
Initial Operating System Configuration
Patch and Update Management
Account and Identity Security
Password Policies and Authentication
Multi-Factor Authentication (MFA)
Active Directory Hardening
Entra ID / Azure AD Integration Security
Group Policy Hardening
Local Security Policy Configuration
Windows Firewall Configuration
Microsoft Defender Hardening
Microsoft Defender for Endpoint
Attack Surface Reduction (ASR) Rules
Device Control and USB Restrictions
Application Control (WDAC & AppLocker)
BitLocker and Disk Encryption
Credential Guard and LSA Protection
Virtualization-Based Security (VBS)
Remote Desktop Security
PowerShell Security and Logging
SMB Hardening
Network Stack Hardening
DNS Security
DHCP Security
Certificate Services Hardening
IIS Hardening
SQL Server Security Integration
File Server Hardening
Print Server Hardening
Hyper-V Hardening
VMware Integration Security
Windows Event Logging
Sysmon Deployment
SIEM Integration
Graylog Integration
Windows Auditing Policies
Secure Time Synchronization
Backup and Recovery Security
Ransomware Protection Strategy
Email Security Integration
Browser Hardening
Microsoft Office Hardening
Windows 11 Endpoint Security
Mobile Device Management (MDM)
Intune Security Policies
VPN and Remote Access Security
Wi-Fi Security with NPS and Certificates
PKI Hardening
NPS Hardening
Security Baselines
CIS Benchmarks
DISA STIGs
Compliance Mapping
Incident Response Preparation
Vulnerability Management
Secure Monitoring and Alerting
Logging and Retention Standards
Service Hardening
Registry Hardening
Scheduled Task Security
Script Security
Windows Recovery Environment Security
Cloud Security Integration
Hybrid Environment Security
Zero Trust Architecture
Tiered Administration
Privileged Access Workstations (PAWs)
Jump Server Security
Secure Administrative Workflows
Production Readiness Checklist
Validation and Penetration Testing
Maintenance and Lifecycle Management
Troubleshooting Hardened Systems
Automation and Configuration Management
PowerShell Hardening Scripts
Group Policy Templates
Baseline Checklists
Appendix A – Registry Keys
Appendix B – Firewall Rules
Appendix C – PowerShell Commands
Appendix D – Security Event IDs
Appendix E – Recommended Tools
Enterprise Hardening Buildout – Production Baselines
Advanced Enterprise Hardening Addendum
1. Introduction
This guide provides a comprehensive, production-focused methodology for hardening:
Windows Server 2019
Windows Server 2022
Windows Server 2025
Windows 11
The goal is to reduce attack surface, improve resilience against ransomware and credential theft, and align systems with:
CIS Benchmarks
Microsoft Security Baselines
DISA STIG guidance
Zero Trust principles
Industry best practices
This guide is written for:
System administrators
Security engineers
SOC analysts
Infrastructure architects
Compliance teams
MSPs and consultants
The configurations included are intended for enterprise production environments.
2. Security Principles and Methodology
Core Security Principles
Principle of Least Privilege
Users and services should have the minimum required permissions.
Defense in Depth
Multiple overlapping security controls must exist at:
Network
Host
Identity
Application
Data
Monitoring
Zero Trust
Never trust:
Internal traffic
User sessions
Devices
Applications
Always verify identity, device health, authorization, and context.
Assume Breach
Design infrastructure assuming an attacker already has access.
Secure by Default
Disable unnecessary:
Services
Protocols
Applications
Features
Ports
3. Threat Landscape Overview
Common Threats Against Windows Infrastructure
Ransomware
Common attack vectors:
Phishing
RDP exposure
VPN compromise
Credential theft
Unpatched vulnerabilities
SMB exploitation
Credential Theft
Attackers target:
LSASS memory
NTLM hashes
Kerberos tickets
Cached credentials
Lateral Movement
Common techniques:
PsExec
WMI
PowerShell Remoting
SMB shares
RDP
Living Off the Land (LOLBins)
Attackers abuse:
PowerShell
certutil
mshta
rundll32
regsvr32
wscript
Active Directory Attacks
Examples:
Kerberoasting
Pass-the-Hash
Golden Tickets
DC Sync
NTLM relay
4. Planning and Architecture
Environment Classification
Classify systems by:
Criticality
Exposure level
Data sensitivity
Compliance requirements
Network Segmentation
Recommended VLAN separation:
| Network | Purpose |
|---|---|
| Management | Administrative access |
| Server | Production servers |
| Workstation | User devices |
| DMZ | Public-facing services |
| Backup | Backup infrastructure |
| Security | SIEM, monitoring, IDS |
Administrative Tiering
Tier 0
Domain Controllers
PKI
Identity systems
Tier 1
Servers
Application infrastructure
Tier 2
User workstations
Administrative accounts must never cross tiers.
5. Hardware Security Requirements
Recommended Hardware Features
TPM 2.0
Required for:
BitLocker
Credential Guard
Secure Boot
Secure Boot
Prevents unsigned boot loaders.
Virtualization Extensions
Required for:
VBS
Hyper-V security
Credential Guard
ECC Memory
Recommended for:
Domain Controllers
SQL servers
Critical infrastructure
6. BIOS/UEFI Hardening
Required Settings
Enable
TPM 2.0
Secure Boot
Intel VT-x / AMD-V
Intel VT-d / AMD IOMMU
Disable
Legacy boot
Unused onboard devices
PXE boot (if not required)
USB boot (where possible)
Firmware Management
Keep firmware updated
Verify vendor signatures
Use vendor security advisories
7. Secure Installation Procedures
Installation Media
Only use official Microsoft ISO images.
Verify:
SHA256 hashes
Digital signatures
Deployment Methods
Preferred methods:
MDT
SCCM/MECM
Intune Autopilot
Windows Deployment Services
Recommended Partition Layout
Servers
| Partition | Purpose |
|---|---|
| OS | Windows installation |
| Logs | Event logs |
| Data | Application data |
| Backup | Local backup cache |
Workstations
Use BitLocker for all partitions.
8. Windows Deployment Best Practices
Remove Unnecessary Features
Examples:
XPS Services
SMBv1
Fax services
Print services (if unused)
Internet Explorer components
Server Core
Use Server Core whenever possible.
Advantages:
Smaller attack surface
Reduced patching
Fewer services
Better performance
9. Initial Operating System Configuration
Rename Default Administrator
Rename the built-in Administrator account.
Disable Guest Account
Ensure the Guest account is disabled.
Configure Time Synchronization
Use:
Internal NTP hierarchy
Authenticated time sources
Configure Windows Defender Immediately
Enable:
Real-time protection
Cloud-delivered protection
Tamper protection
10. Patch and Update Management
Patch Strategy
Critical Systems
Patch timeline:
| Severity | Timeline |
|---|---|
| Critical | 24-72 hours |
| High | 7 days |
| Medium | 30 days |
Update Sources
Use:
WSUS
MECM
Intune
Windows Update for Business
Third-Party Patching
Patch:
Browsers
Java
Adobe products
VPN clients
Security tools
11. Account and Identity Security
Administrative Accounts
Requirements:
Separate admin accounts
No email/web browsing from admin accounts
MFA required
Just-In-Time access preferred
Service Accounts
Use:
gMSA accounts where possible
Least privilege permissions
No interactive logon
12. Password Policies and Authentication
Recommended Password Policy
| Setting | Recommendation |
|---|---|
| Minimum Length | 14+ characters |
| Complexity | Enabled |
| Password History | 24 |
| Maximum Age | 365 days or passwordless |
| Lockout Threshold | 5 attempts |
Disable LM Hashes
Registry:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
NoLMHash = 1
NTLM Reduction
Prefer Kerberos authentication.
Disable NTLM where possible.
13. Multi-Factor Authentication (MFA)
MFA Requirements
Enforce MFA for:
VPN
RDP gateways
Administrative accounts
Cloud access
Privileged operations
Recommended Methods
Preferred:
FIDO2 keys
Authenticator apps
Smart cards
Avoid:
SMS MFA
14. Active Directory Hardening
Domain Controller Security
Dedicated Roles
Never install:
Web browsers
Office applications
Third-party software
Secure LDAP
Require:
LDAP signing
LDAPS
Channel binding
Disable Legacy Protocols
Disable:
SMBv1
NTLMv1
WDigest
AD Administrative Groups
Monitor:
Domain Admins
Enterprise Admins
Schema Admins
Backup Operators
15. Entra ID / Azure AD Integration Security
Conditional Access
Require:
MFA
Compliant devices
Risk-based policies
Identity Protection
Enable:
Impossible travel detection
Risky sign-in detection
Password spray detection
16. Group Policy Hardening
Recommended GPO Structure
| OU | GPO Type |
|---|---|
| Domain Controllers | DC hardening |
| Servers | Server baseline |
| Workstations | Endpoint baseline |
| Admin Workstations | PAW baseline |
GPO Security
Limit GPO editing rights
Audit GPO changes
Use AGPM where possible
17. Local Security Policy Configuration
Important Settings
Interactive Logon
Display last username: Disabled
CTRL+ALT+DEL required: Enabled
User Rights Assignment
Restrict:
Log on locally
Log on through RDP
Access from the network
18. Windows Firewall Configuration
Default Strategy
Block inbound by default
Allow only required services
Recommended Logging
Enable:
Dropped packets
Successful connections
19. Microsoft Defender Hardening
Recommended Features
Enable:
Cloud protection
Sample submission
Tamper protection
PUA protection
Network protection
Scan Configuration
Daily quick scans
Weekly full scans
Real-time scanning enabled
20. Microsoft Defender for Endpoint
Recommended Features
Enable:
EDR in block mode
Automated investigation
Threat analytics
Device isolation
21. Attack Surface Reduction (ASR) Rules
Recommended ASR Rules
Enable:
Block Office child processes
Block credential stealing from LSASS
Block executable content from email
Block process injection
Deploy initially in audit mode.
22. Device Control and USB Restrictions
USB Policy
Recommended:
Block unauthorized removable media
Allow encrypted devices only
23. Application Control (WDAC & AppLocker)
WDAC Recommendations
Use:
Signed applications only
Publisher-based rules
Audit mode before enforcement
AppLocker
Restrict:
Scripts
MSI installers
EXEs
DLLs
24. BitLocker and Disk Encryption
BitLocker Configuration
Use:
TPM + PIN for laptops
XTS-AES 256
Encrypt:
OS drives
Data drives
Removable drives
Store recovery keys securely.
25. Credential Guard and LSA Protection
Credential Guard
Protects:
NTLM hashes
Kerberos tickets
Secrets
LSA Protection
Enable:
RunAsPPL = 1
26. Virtualization-Based Security (VBS)
Enable Features
Memory Integrity
Hypervisor-protected code integrity
Credential Guard
27. Remote Desktop Security
RDP Hardening
Require:
NLA
MFA
RD Gateway
Restricted admin mode
Never expose RDP directly to the internet.
28. PowerShell Security and Logging
Logging Requirements
Enable:
Module logging
Script block logging
Transcription
PowerShell Version
Use PowerShell 7 where appropriate.
Disable PowerShell v2.
29. SMB Hardening
Required Settings
Disable:
SMBv1
Enable:
SMB signing
SMB encryption where appropriate
30. Network Stack Hardening
Disable Unused Protocols
Examples:
LLMNR
NetBIOS over TCP/IP
IPv6, only if it is unused and the impact of disabling it is fully understood
TCP/IP Hardening
Enable:
SYN attack protection
Strong host model
31. DNS Security
DNS Recommendations
Enable:
DNS logging
Secure dynamic updates
DNSSEC where possible
Restrict:
Zone transfers
32. DHCP Security
DHCP Hardening
Authorize DHCP servers
Enable DHCP logging
Restrict administrative access
33. Certificate Services Hardening
ADCS Recommendations
Protect:
CA private keys
Enrollment permissions
Certificate templates
Use offline root CAs.
34. IIS Hardening
IIS Recommendations
Disable:
Unused modules
Directory browsing
Weak TLS protocols
Enable:
TLS 1.2+
Request filtering
Logging
35. SQL Server Security Integration
SQL Recommendations
Separate service accounts
TLS encryption
Disable SQL Browser if unused
Least privilege permissions
36. File Server Hardening
Recommendations
Access-based enumeration
SMB signing
FSRM screening
Quotas
Auditing
37. Print Server Hardening
Recommendations
Disable the print spooler where unnecessary.
Restrict:
Driver installation
Remote printing
38. Hyper-V Hardening
Hyper-V Security
Enable:
Shielded VMs
Secure Boot
Host Guardian Service
Separate:
Management traffic
Storage traffic
VM traffic
39. VMware Integration Security
Recommendations
Separate management VLANs
MFA for vCenter
Lockdown mode
40. Windows Event Logging
Recommended Log Sizes
Increase:
Security logs
PowerShell logs
Sysmon logs
Forward logs centrally.
41. Sysmon Deployment
Sysmon Recommendations
Monitor:
Process creation
Network connections
DNS queries
Registry changes
PowerShell execution
42. SIEM Integration
SIEM Requirements
Collect:
Security logs
PowerShell logs
Sysmon events
Firewall logs
Defender events
43. Graylog Integration
Recommended Inputs
GELF
Beats
Syslog
Winlogbeat
Recommended Dashboards
Failed logons
PowerShell execution
Privilege escalation
Malware detections
44. Windows Auditing Policies
Advanced Audit Policy
Enable:
Logon events
Account management
Process creation
Object access
Policy changes
45. Secure Time Synchronization
NTP Recommendations
Use:
Authenticated sources
Domain hierarchy
Monitor for drift.
46. Backup and Recovery Security
Backup Strategy
Use:
3-2-1 rule
Immutable backups
Offline backups
Test restores regularly.
47. Ransomware Protection Strategy
Key Controls
MFA everywhere
Network segmentation
Immutable backups
EDR
Application control
Least privilege
48. Email Security Integration
Recommended Controls
Enable:
SPF
DKIM
DMARC
Safe links
Safe attachments
49. Browser Hardening
Browser Recommendations
Disable:
Unnecessary extensions
Password saving
Enable:
SmartScreen
Site isolation
50. Microsoft Office Hardening
Office Recommendations
Disable:
Macros from the internet
Legacy protocols
Enable:
Protected View
Application Guard
51. Windows 11 Endpoint Security
Recommended Features
Enable:
Smart App Control
VBS
Memory Integrity
Device encryption
52. Mobile Device Management (MDM)
MDM Controls
Require:
Compliance policies
Encryption
Remote wipe
Device health attestation
53. Intune Security Policies
Recommended Policies
Deploy:
Security baselines
ASR rules
Compliance policies
BitLocker profiles
54. VPN and Remote Access Security
VPN Recommendations
Require:
MFA
Device compliance
Certificate authentication
Avoid split tunneling when possible.
55. Wi-Fi Security with NPS and Certificates
Wireless Security
Use:
WPA3 Enterprise
EAP-TLS
Certificate authentication
56. PKI Hardening
PKI Recommendations
Offline root CA
HSM for critical environments
Short certificate lifetimes
57. NPS Hardening
Recommendations
Restrict admin access
Use certificate authentication
Log all authentications
58. Security Baselines
Microsoft Baselines
Deploy:
Windows Server baseline
Windows 11 baseline
Edge baseline
59. CIS Benchmarks
CIS Levels
Level 1
Basic enterprise security.
Level 2
High security environments.
60. DISA STIGs
STIG Usage
Use for:
Government
Defense contractors
High security environments
61. Compliance Mapping
Common Frameworks
NIST 800-53
CIS Controls
HIPAA
PCI-DSS
ISO 27001
62. Incident Response Preparation
Preparation Requirements
IR procedures
Contact lists
Escalation paths
Evidence collection procedures
63. Vulnerability Management
Vulnerability Scanning
Use:
Authenticated scans
Weekly scans
Continuous monitoring
64. Secure Monitoring and Alerting
High Priority Alerts
Failed admin logons
Privilege escalation
PowerShell abuse
Service creation
Defender tampering
65. Logging and Retention Standards
Recommended Retention
| Log Type | Retention |
|---|---|
| Security | 1 year |
| Sysmon | 90-180 days |
| Firewall | 90 days |
66. Service Hardening
Recommendations
Disable unused services.
Run services with:
gMSA accounts
Least privilege
67. Registry Hardening
Recommended Areas
Harden:
LSA
SMB
TLS
RDP
PowerShell
68. Scheduled Task Security
Recommendations
Restrict creation rights
Audit task changes
Use service accounts
69. Script Security
Recommendations
Signed scripts only
Constrained language mode
AMSI enabled
70. Windows Recovery Environment Security
Recommendations
Protect:
Recovery partitions
BitLocker recovery keys
71. Cloud Security Integration
Hybrid Security
Integrate:
Defender XDR
Sentinel
Intune
Conditional Access
72. Hybrid Environment Security
Recommendations
Synchronize only required identities
Harden Azure AD Connect
73. Zero Trust Architecture
Core Components
Identity verification
Device trust
Least privilege
Continuous monitoring
74. Tiered Administration
Administrative Separation
Use:
Separate admin accounts
PAWs
Dedicated jump hosts
75. Privileged Access Workstations (PAWs)
PAW Requirements
Hardened Windows 11
No internet browsing
MFA enforced
WDAC enabled
76. Jump Server Security
Recommendations
MFA
Session recording
Restricted internet access
Full logging
77. Secure Administrative Workflows
Recommendations
JIT access
Approval workflows
Session monitoring
78. Production Readiness Checklist
Required Validation
Patching complete
EDR operational
Backups verified
Logging verified
MFA enabled
Baselines applied
79. Validation and Penetration Testing
Validation Methods
Vulnerability scans
Purple team exercises
Penetration testing
80. Maintenance and Lifecycle Management
Lifecycle Requirements
Regular reviews
Baseline updates
Patch validation
Certificate rotation
81. Troubleshooting Hardened Systems
Common Issues
Application compatibility
Legacy protocol failures
Authentication issues
GPO conflicts
82. Automation and Configuration Management
Recommended Tools
PowerShell DSC
Ansible
Intune
MECM
83. PowerShell Hardening Scripts
Recommended Script Categories
Defender configuration
Firewall rules
Audit policy deployment
TLS hardening
84. Group Policy Templates
Recommended Templates
Server baseline
Workstation baseline
Domain controller baseline
PAW baseline
85. Baseline Checklists
Deployment Checklist
BIOS configured
BitLocker enabled
MFA configured
Defender operational
Logging verified
Backups tested
86. Appendix A – Registry Keys
Comprehensive registry references will be included.
87. Appendix B – Firewall Rules
Recommended firewall rule sets will be included.
88. Appendix C – PowerShell Commands
Common deployment and validation commands will be included.
89. Appendix D – Security Event IDs
Important Windows security event IDs will be documented.
89A. Advanced Audit Policy Configuration
GPO Path
Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration
Recommended Audit Policies
| Category | Subcategory | Setting |
|---|---|---|
| Account Logon | Credential Validation | Success and Failure |
| Account Management | User Account Management | Success and Failure |
| Detailed Tracking | Process Creation | Success |
| DS Access | Directory Service Changes | Success and Failure |
| Logon/Logoff | Logon | Success and Failure |
| Object Access | File Share | Success and Failure |
| Policy Change | Audit Policy Change | Success and Failure |
| Privilege Use | Sensitive Privilege Use | Success and Failure |
| System | Security State Change | Success |
Process Creation Command Line Logging
GPO Path:
Administrative Templates → System → Audit Process Creation
Enable:
Include the command line in process creation events
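Added example (not part of the guide): a script that applies the subcategories in the table above with auditpol.exe, sets the same registry value the "Include the command line" policy sets, and then reads the effective policy back to confirm it. It assumes an elevated session on an English-language OS (auditpol subcategory names are localized) and a host where no domain GPO overrides local audit policy.

```powershell
# Desired state, mirroring the guide's Advanced Audit Policy table
$AuditPolicy = @(
    @{ Subcategory = 'Credential Validation';     Success = $true; Failure = $true  }
    @{ Subcategory = 'User Account Management';   Success = $true; Failure = $true  }
    @{ Subcategory = 'Process Creation';          Success = $true; Failure = $false }
    @{ Subcategory = 'Directory Service Changes'; Success = $true; Failure = $true  }
    @{ Subcategory = 'Logon';                     Success = $true; Failure = $true  }
    @{ Subcategory = 'File Share';                Success = $true; Failure = $true  }
    @{ Subcategory = 'Audit Policy Change';       Success = $true; Failure = $true  }
    @{ Subcategory = 'Sensitive Privilege Use';   Success = $true; Failure = $true  }
    @{ Subcategory = 'Security State Change';     Success = $true; Failure = $false }
)

function Set-RecommendedAuditPolicy {
    param([array]$Policy = $AuditPolicy)
    foreach ($entry in $Policy) {
        $s = if ($entry.Success) { 'enable' } else { 'disable' }
        $f = if ($entry.Failure) { 'enable' } else { 'disable' }
        # auditpol.exe is the supported CLI for per-subcategory (advanced) audit policy
        & auditpol.exe /set "/subcategory:$($entry.Subcategory)" "/success:$s" "/failure:$f" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "auditpol failed for subcategory '$($entry.Subcategory)'"
        }
    }
}

function Enable-ProcessCommandLineLogging {
    # Same value the GPO "Include command line in process creation events" writes;
    # without it, event 4688 records only the image path
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'ProcessCreationIncludeCmdLine_Enabled' `
        -Value 1 -PropertyType DWord -Force | Out-Null
}

function Test-RecommendedAuditPolicy {
    # Reads 'auditpol /get ... /r' (CSV) and compares each subcategory with the desired state
    param([array]$Policy = $AuditPolicy)
    foreach ($entry in $Policy) {
        $row = & auditpol.exe /get "/subcategory:$($entry.Subcategory)" /r |
               Where-Object { $_ -match ',' } | ConvertFrom-Csv
        $actual = $row.'Inclusion Setting'
        $expected = switch ("$($entry.Success)$($entry.Failure)") {
            'TrueTrue'  { 'Success and Failure' }
            'TrueFalse' { 'Success' }
            'FalseTrue' { 'Failure' }
            default     { 'No Auditing' }
        }
        [pscustomobject]@{
            Subcategory = $entry.Subcategory
            Expected    = $expected
            Actual      = $actual
            Compliant   = ($actual -eq $expected)
        }
    }
}

Set-RecommendedAuditPolicy
Enable-ProcessCommandLineLogging
Test-RecommendedAuditPolicy | Format-Table -AutoSize
```

Where audit policy is delivered by GPO, run only Test-RecommendedAuditPolicy to verify the effective settings.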
89B. Recommended Windows Event IDs
Authentication Monitoring
| Event ID | Description |
|---|---|
| 4624 | Successful logon |
| 4625 | Failed logon |
| 4648 | Explicit credential logon |
| 4672 | Special privileges assigned |
| 4768 | Kerberos TGT request |
| 4769 | Kerberos service ticket |
| 4771 | Kerberos pre-auth failure |
Administrative Activity
| Event ID | Description |
|---|---|
| 4720 | User account created |
| 4728 | User added to privileged group |
| 4732 | Member added to local group |
| 4738 | User account changed |
| 4740 | Account locked out |
| 7045 | Service installed |
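Added example (not part of the guide): detection logic for the "multiple failed logons" pattern using event ID 4625 from the table above. It groups recent failures by target account and source address and flags any pair at or above the guide's lockout threshold of 5. It assumes an elevated session and that the Logon subcategory audits failures (see 89A); the threshold and lookback window are assumptions you can tune.

```powershell
function Get-FailedLogonSummary {
    param(
        [int]$LookbackMinutes = 60,
        [int]$Threshold = 5          # assumption: matches the guide's lockout threshold
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
    }
    # Get-WinEvent throws when nothing matches; treat that as "no failures"
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $events | ForEach-Object {
        # Pull the EventData fields out of the event XML by name
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated   = $_.TimeCreated
            TargetUser    = "$($d.TargetDomainName)\$($d.TargetUserName)"
            SourceAddress = $d.IpAddress
            LogonType     = $d.LogonType     # 3 = network, 10 = RDP, 2 = interactive
            # SubStatus: 0xC000006A bad password, 0xC0000064 unknown user, 0xC0000234 locked out
            SubStatus     = $d.SubStatus
        }
    } | Group-Object TargetUser, SourceAddress | ForEach-Object {
        $sorted = $_.Group | Sort-Object TimeCreated
        [pscustomobject]@{
            TargetUser    = $sorted[0].TargetUser
            SourceAddress = $sorted[0].SourceAddress
            Attempts      = $_.Count
            FirstSeen     = $sorted[0].TimeCreated
            LastSeen      = $sorted[-1].TimeCreated
            UnknownUsers  = @($sorted | Where-Object { $_.SubStatus -eq '0xc0000064' }).Count
            Suspicious    = ($_.Count -ge $Threshold)
        }
    } | Sort-Object Attempts -Descending
}

# Report only the pairs worth an analyst's attention
Get-FailedLogonSummary | Where-Object Suspicious | Format-Table -AutoSize
```

A high UnknownUsers count from one source is the password-spray signature; a high count against one existing account is brute force or a stale credential in a service.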
89C. Microsoft Baseline vs CIS Comparison
| Area | Microsoft Baseline | CIS Level 1 | CIS Level 2 |
|---|---|---|---|
| Defender ASR | Recommended subset | Moderate | Aggressive |
| PowerShell Logging | Enabled | Enabled | Enabled |
| SMB Signing | Required | Required | Required |
| TLS Hardening | TLS 1.2+ | TLS 1.2+ | TLS 1.2+ only |
| Credential Guard | Recommended | Recommended | Required |
| WDAC | Optional | Optional | Strongly Recommended |
Deployment Recommendation
Microsoft Baselines for compatibility-focused enterprises
CIS Level 1 for most organizations
CIS Level 2 for high security environments
STIGs for regulated/government environments
89D. Firewall Hardening Standards
GPO Path
Computer Configuration → Policies → Windows Settings → Security Settings → Windows Defender Firewall with Advanced Security
Firewall Profiles
| Profile | Default Inbound | Default Outbound |
|---|---|---|
| Domain | Block | Allow |
| Private | Block | Allow |
| Public | Block | Allow |
Recommended Logging
| Setting | Value |
|---|---|
| Log dropped packets | Yes |
| Log successful connections | Yes |
| Maximum log size | 32767 KB |
Recommended Inbound Restrictions
Allow only:
RDP from management VLAN
WinRM from management systems
Domain traffic from DCs
Backup agents
Monitoring systems
89E. Remote Desktop Hardening
GPO Path
Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services
Recommended Settings
| Setting | Value |
|---|---|
| Require Network Level Authentication | Enabled |
| Set client connection encryption level | High |
| Always prompt for a password upon connection | Enabled |
| Restrict users to a single RDP session | Enabled |
| Do not allow drive redirection | Enabled |
| Do not allow clipboard redirection | Enabled where possible |
Registry Hardening
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1
89F. BitLocker Enterprise Standards
GPO Path
Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption
Recommended Settings
| Setting | Recommendation |
|---|---|
| Encryption Method | XTS-AES 256 |
| TPM Required | Yes |
| TPM + PIN | Recommended for laptops |
| Store recovery keys in AD | Enabled |
| Deny write access to removable drives not protected by BitLocker | Enabled |
PowerShell Validation
Get-BitLockerVolume
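Added example (not part of the guide): a validation script built on Get-BitLockerVolume that checks every volume against the table above (XTS-AES 256, protection on, a TPM-based protector on the OS volume, optionally TPM + PIN for laptops) and confirms a recovery password protector exists so it can be escrowed to AD. It assumes the BitLocker PowerShell module is present and that the "Store recovery keys in AD" policy is in place for the escrow function.

```powershell
function Test-BitLockerCompliance {
    param(
        [string]$RequiredMethod = 'XtsAes256',
        [switch]$RequirePin          # use on laptops: the guide requires TPM + PIN there
    )
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        # Only the OS volume must be TPM-bound; data volumes auto-unlock from it
        $tpmOk = $true
        if ($vol.VolumeType -eq 'OperatingSystem') {
            $tpmOk = if ($RequirePin) { $types -contains 'TpmPin' }
                     else { @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0 }
        }
        $hasRecovery = $types -contains 'RecoveryPassword'

        $findings = @()
        if ($vol.ProtectionStatus -ne 'On')                 { $findings += 'protection off' }
        if ($vol.VolumeStatus -ne 'FullyEncrypted')         { $findings += "status $($vol.VolumeStatus)" }
        if ("$($vol.EncryptionMethod)" -ne $RequiredMethod) { $findings += "method $($vol.EncryptionMethod)" }
        if (-not $tpmOk)                                    { $findings += 'no TPM(+PIN) protector' }
        if (-not $hasRecovery)                              { $findings += 'no recovery password to escrow' }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Type       = $vol.VolumeType
            Method     = $vol.EncryptionMethod
            Protectors = ($types -join ',')
            Compliant  = ($findings.Count -eq 0)
            Findings   = ($findings -join '; ')
        }
    }
}

function Backup-RecoveryPasswordsToAD {
    # Escrow every RecoveryPassword protector to the computer's AD object;
    # silently does nothing for volumes that have no such protector
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
    }
}

Test-BitLockerCompliance | Format-Table -AutoSize
# Laptops: Test-BitLockerCompliance -RequirePin
```

Run Backup-RecoveryPasswordsToAD after confirming the AD backup policy is applied; it is the step that makes the "Store recovery keys in AD" setting effective for volumes encrypted before the policy existed.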
89G. Browser Hardening Standards
Microsoft Edge GPO Path
Computer Configuration → Administrative Templates → Microsoft Edge
Recommended Policies
| Policy | Value |
|---|---|
| SmartScreen | Enabled |
| Password Manager | Disabled |
| Developer Tools | Disabled for standard users |
| Extensions | Allow approved list only |
| InPrivate Browsing | Disabled where required |
89H. Office Hardening Standards
GPO Path
User Configuration → Administrative Templates → Microsoft Office
Recommended Controls
| Setting | Value |
|---|---|
| Block macros from the internet | Enabled |
| Disable VBA for Office apps | Where possible |
| Protected View | Enabled |
| Disable DDE | Enabled |
| Disable ActiveX | Enabled |
89I. Domain Controller Hardening
Recommended Controls
Disable Print Spooler
Stop-Service Spooler
Set-Service Spooler -StartupType Disabled
Restrict Interactive Logon
Allow only:
Domain Admins
Authorized admin groups
LDAP Hardening
Require:
LDAP signing
Channel binding
LDAPS
Recommended Registry Values
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -Name 'LDAPServerIntegrity' -Value 2
89J. Tiered Administration Model
Tier 0
Domain Controllers
PKI
Entra Connect
Identity infrastructure
Tier 1
Member servers
Application servers
Tier 2
User workstations
Administrative Rules
No cross-tier administration
Separate admin accounts per tier
PAWs for Tier 0 administration
MFA mandatory for privileged accounts
89K. Secure Administrative Workstations (PAWs)
Required Controls
Windows 11 hardened baseline
WDAC enforced
Defender for Endpoint onboarded
No email access
No web browsing except approved admin portals
Smart card or FIDO2 MFA
Recommended Software
Allowed:
RSAT
PowerShell 7
Windows Admin Center
Approved management tools
Blocked:
Teams
Office apps
Personal browsers
Social media access
89L. Defender for Endpoint Enterprise Configuration
Recommended Features
| Feature | Recommendation |
|---|---|
| EDR in Block Mode | Enabled |
| Tamper Protection | Enabled |
| Live Response | Enabled |
| Automated Investigation | Enabled |
| Threat Analytics | Enabled |
Device Isolation Workflow
Allow SOC capability to:
Isolate hosts
Collect forensic packages
Execute remediation scripts
89M. Vulnerability Management Workflow
Recommended Process
Asset inventory
Weekly authenticated scanning
Risk scoring
Patch validation
Remediation tracking
Executive reporting
Recommended Tools
Tenable
Qualys
Rapid7
Defender Vulnerability Management
89N. Backup Security Standards
Required Controls
Immutable backups
Offline backups
MFA for backup consoles
Separate backup credentials
Backup network segmentation
Recommended Testing
| Test | Frequency |
|---|---|
| File restore | Monthly |
| VM restore | Quarterly |
| Full DR test | Annually |
89O. Compliance Validation Checklist
Authentication
MFA enforced
Legacy authentication disabled
NTLM minimized
Endpoint Security
Defender active
ASR rules enforced
WDAC/AppLocker validated
BitLocker enabled
Logging
Sysmon operational
SIEM ingestion validated
Audit policies enabled
Network Security
Firewall active
SMBv1 disabled
TLS 1.0 disabled
Identity Security
Tiered administration operational
PAWs deployed
Privileged group monitoring enabled
90. Appendix E – Recommended Tools
Recommended Security Tools
Microsoft
Microsoft Defender for Endpoint
Microsoft Sentinel
Sysmon
Windows Admin Center
Open Source
Graylog
Velociraptor
Wazuh
osquery
Commercial
CrowdStrike
SentinelOne
Tenable
Rapid7
91. Enterprise Hardening Buildout – Production Baselines
Core Hardened GPO Paths
Password Policy
Path:
Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy
Recommended values:
| Setting | Value |
|---|---|
| Minimum Password Length | 14 |
| Password History | 24 |
| Complexity | Enabled |
| Reversible Encryption | Disabled |
Account Lockout Policy
| Setting | Value |
|---|---|
| Lockout Threshold | 5 |
| Lockout Duration | 15 Minutes |
| Reset Counter | 15 Minutes |
Defender Attack Surface Reduction Policies
Path:
Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Microsoft Defender Exploit Guard → Attack Surface Reduction
Recommended ASR rules:
| Rule | Mode |
|---|---|
| Block Office child processes | Block |
| Block LSASS credential theft | Block |
| Block executable email content | Block |
| Block WMI and PsExec process creation | Block |
| Ransomware advanced protection | Block |
PowerShell deployment example:
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
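Added example (not part of the guide): the single Add-MpPreference call above, extended into the phased rollout the guide recommends (audit mode first, block mode after review), with a Get-MpPreference check that reports each recommended rule's effective action. The first GUID is the one the guide uses; the other four are Microsoft's published ASR rule IDs for the remaining rows of the table, which you should confirm against Microsoft's ASR rule reference before deploying. Assumes an elevated session on a host running Microsoft Defender Antivirus.

```powershell
$AsrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office child processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email/webmail'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creation from PsExec and WMI'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}

# Numeric action codes as returned in Get-MpPreference.AttackSurfaceReductionRules_Actions
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }

function Set-RecommendedAsrRules {
    param(
        [ValidateSet('AuditMode', 'Enabled')]
        [string]$Mode = 'AuditMode'   # phase 1: AuditMode; phase 2: re-run with -Mode Enabled
    )
    foreach ($id in $AsrRules.Keys) {
        # Add-MpPreference updates the action if the rule id is already configured
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrRuleState {
    # One row per recommended rule with the action currently configured on this host
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpperInvariant() })
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $AsrRules.Keys) {
        $idx = [array]::IndexOf($ids, $id)
        $action = if ($idx -ge 0) { $ActionName[[int]$acts[$idx]] } else { 'Not configured' }
        [pscustomobject]@{
            RuleId = $id
            Name   = $AsrRules[$id]
            Action = $action
        }
    }
}

# Phase 1: audit only, then review ASR events 1122 (audited) in the
# "Microsoft-Windows-Windows Defender/Operational" log before moving on
Set-RecommendedAsrRules -Mode AuditMode
Get-AsrRuleState | Format-Table -AutoSize

# Phase 2, once audit findings are triaged (1121 = blocked once enforced):
# Set-RecommendedAsrRules -Mode Enabled
```

If Intune or GPO manages ASR on the host, the managed value wins over Add-MpPreference; use Get-AsrRuleState there purely as a verification step.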
Recommended Registry Hardening Values
Disable LM Hash Storage
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name NoLMHash -Value 1
Enable LSA Protection
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -Value 1 -PropertyType DWORD -Force
Disable SMBv1
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
PowerShell Logging Hardening
Path:
Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell
Required settings:
| Setting | Value |
|---|---|
| Script Block Logging | Enabled |
| Module Logging | Enabled |
| Transcription | Enabled |
Sysmon Deployment Example
Installation:
Sysmon64.exe -accepteula -i sysmonconfig.xml
Recommended monitored events:
| Event ID | Description |
|---|---|
| 1 | Process Creation |
| 3 | Network Connections |
| 7 | Image Loaded |
| 11 | File Create |
| 13 | Registry Modification |
| 22 | DNS Queries |
Graylog Integration Example
Recommended Winlogbeat configuration:
winlogbeat.event_logs:
  - name: Security
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Microsoft-Windows-PowerShell/Operational
Recommended Graylog alerts:
PowerShell encoded commands
Multiple failed logons
Defender tampering
New local administrator creation
Suspicious scheduled tasks
WDAC Deployment Strategy
Phase 1:
Audit mode only
Phase 2:
Allow Microsoft-signed applications
Allow approved vendors
Phase 3:
Full allowlisting enforcement
Example policy generation:
New-CIPolicy -Level Publisher -FilePath C:\WDAC\Policy.xml -UserPEs
AppLocker Baseline
Path:
Computer Configuration → Windows Settings → Security Settings → Application Control Policies → AppLocker
Recommended controls:
| Rule Type | Recommendation |
|---|---|
| Executables | Allow signed only |
| Scripts | Block unsigned |
| MSI | Approved installers only |
| DLL | Restrict untrusted DLLs |
CIS and STIG Mapping
| Security Area | CIS | STIG |
|---|---|---|
| Password Policies | CIS Control 5 | Account Policies |
| Logging | CIS Control 8 | Audit Policy |
| Malware Protection | CIS Control 10 | Defender Settings |
| Network Hardening | CIS Control 12 | Firewall Policies |
| Least Privilege | CIS Control 6 | User Rights Assignment |
Hardened Baseline Deployment Script
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -EnableControlledFolderAccess Enabled
Set-MpPreference -EnableNetworkProtection Enabled
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
Production Deployment Checklist
Pre-Deployment
Enable Secure Boot
Enable TPM 2.0
Update firmware
Verify installation media hashes
Prepare segmented VLANs
Post-Installation
Rename Administrator account
Disable the Guest account
Join domain
Apply baseline GPOs
Enable Defender protections
Configure logging and SIEM forwarding
Enable BitLocker
Validate backups
Validation
Vulnerability scans completed
SIEM ingestion validated
ASR policies verified
MFA confirmed
RDP restricted
Sysmon operational
92. Advanced Enterprise Hardening Addendum
92A. DISA STIG Control Mapping
Authentication Controls
| STIG ID | Requirement | Recommended Configuration |
|---|---|---|
| WN19-AC-000010 | Password complexity | Enabled |
| WN19-AC-000020 | Account lockout | 5 attempts |
| WN19-SO-000250 | Audit log retention | Enabled |
| WN19-CC-000450 | PowerShell logging | Enabled |
Network Security Controls
| STIG ID | Requirement |
|---|---|
| WN19-CC-000197 | SMBv1 disabled |
| WN19-CC-000185 | TLS 1.0 disabled |
| WN19-CC-000200 | Firewall enabled |
92B. CIS Level 1 and Level 2 Standards
CIS Level 1
Recommended for most enterprise environments.
| Area | Setting |
|---|---|
| Defender | Enabled |
| Firewall | Enabled |
| SMBv1 | Disabled |
| PowerShell Logging | Enabled |
| Credential Guard | Recommended |
CIS Level 2
Recommended for high-security environments.
| Area | Setting |
|---|---|
| WDAC | Enforced |
| Macros | Fully blocked |
| NTLM | Restricted |
| Script Execution | Signed scripts only |
| USB Storage | Restricted |
92C. Registry Hardening Appendix
LSA Protection
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
RunAsPPL = 1
Disable WDigest
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
UseLogonCredential = 0
Disable Anonymous SID Enumeration
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
RestrictAnonymousSAM = 1
Enable SmartScreen
HKLM\SOFTWARE\Policies\Microsoft\Windows\System
EnableSmartScreen = 1
Disable Autorun
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun = 255
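Added example (not part of the guide): a drift check for the registry values in this appendix, plus the RDP NLA value from 89E and the LDAP signing value from 89I, which is only evaluated where the NTDS service exists. It is read-only by default; -Remediate writes the expected DWORD values. Assumes an elevated session; a missing value is reported as non-compliant so that every setting ends up set explicitly rather than relying on the OS default.

```powershell
$RegistryBaseline = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                         Name = 'RunAsPPL';             Expected = 1   }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                         Name = 'NoLMHash';             Expected = 1   }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                         Name = 'RestrictAnonymousSAM'; Expected = 1   }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';   Name = 'UseLogonCredential';   Expected = 0   }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';                   Name = 'EnableSmartScreen';    Expected = 1   }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';  Name = 'NoDriveTypeAutoRun';   Expected = 255 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Name = 'UserAuthentication'; Expected = 1 }
)
# Domain controllers only (89I): require LDAP signing
$DcOnlyBaseline = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'; Name = 'LDAPServerIntegrity'; Expected = 2 }
)

function Test-RegistryBaseline {
    param(
        [array]$Baseline = $RegistryBaseline,
        [switch]$Remediate
    )
    if (Get-Service NTDS -ErrorAction SilentlyContinue) { $Baseline = $Baseline + $DcOnlyBaseline }

    foreach ($item in $Baseline) {
        $actual = $null
        if (Test-Path $item.Path) {
            $actual = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
        }
        $compliant = ($null -ne $actual) -and ([int]$actual -eq $item.Expected)

        if (-not $compliant -and $Remediate) {
            if (-not (Test-Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
            New-ItemProperty -Path $item.Path -Name $item.Name -Value $item.Expected `
                -PropertyType DWord -Force | Out-Null
            $actual = $item.Expected
            $compliant = $true
        }

        [pscustomobject]@{
            Path      = $item.Path
            Name      = $item.Name
            Expected  = $item.Expected
            Actual    = $actual
            Compliant = $compliant
        }
    }
}

Test-RegistryBaseline | Format-Table -AutoSize
# Test-RegistryBaseline -Remediate   # RunAsPPL and WDigest changes take effect after a reboot
```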
92D. Complete Sysmon Configuration Guidance
Recommended Monitoring Areas
Process creation
DNS queries
Registry persistence
WMI activity
Scheduled tasks
Named pipes
Driver loads
Recommended Sysmon Filters
Exclude:
Known Microsoft signed binaries
Approved EDR tools
Backup software
Alert on:
Encoded PowerShell
Rundll32 abuse
PsExec
Mimikatz patterns
LOLBins
Example ProcessCreate Rule (fragment; it belongs inside the EventFiltering element of a complete Sysmon configuration. Sysmon matching is case-insensitive, but the literal "powershell -enc" misses pwsh.exe, other switch orderings and the -e, -ec and -EncodedCommand spellings, so pair it with broader rules.)
<ProcessCreate onmatch="include">
<CommandLine condition="contains">powershell -enc</CommandLine>
</ProcessCreate>
92E. Graylog Pipelines and Extractors
Example Pipeline Rule
rule "detect encoded powershell"
when
  // third argument makes the match case-insensitive: PowerShell accepts -enc, -ENC and -EncodedCommand alike
  contains(to_string($message.CommandLine), "-enc", true)
then
  set_field("alert_type", "encoded_powershell");
end
Recommended Extractors
| Extractor | Purpose |
|---|---|
| GROK | Sysmon parsing |
| Regex | Event ID extraction |
| JSON | Defender telemetry |
Recommended Streams
Domain Controllers
Privileged Activity
PowerShell
Sysmon
Defender
VPN
92F. Windows Server 2025 Security Enhancements
New Security Features
| Feature | Benefit |
|---|---|
| SMB over QUIC | Secure remote SMB |
| Enhanced Credential Guard | Improved isolation |
| Hotpatching | Reduced reboot exposure |
| Improved VBS | Better kernel protection |
| Advanced Defender integration | Improved EDR telemetry |
Deployment Recommendations
Use Server Core where possible
Enable VBS by default
Require TPM 2.0
Enforce Secure Boot
92G. Intune Security Policy Examples
Example Endpoint Security JSON
{
"firewallEnabled": true,
"defenderRealtimeMonitoring": true,
"smartScreenEnabled": true,
"bitLockerRequired": true
}
Recommended Intune Profiles
Endpoint protection
Firewall
ASR rules
BitLocker
Compliance
Device restrictions
92H. Desired State Configuration (DSC) Template
Configuration SecureServer {
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node localhost {
        WindowsFeature SMB1 {
            Ensure = "Absent"
            Name   = "FS-SMB1"
        }
    }
}
# Compile the configuration to a MOF, then apply it to this node
SecureServer -OutputPath C:\DSC\SecureServer
Start-DscConfiguration -Path C:\DSC\SecureServer -Wait -Verbose
92I. Ansible Hardening Template
- name: Harden Windows Server
  hosts: windows
  tasks:
    - name: Disable SMBv1
      ansible.windows.win_feature:
        name: FS-SMB1
        state: absent
92J. PKI Deployment Architecture
Recommended Architecture
| Tier | Purpose |
|---|---|
| Offline Root CA | Trust anchor |
| Issuing CA | Certificate issuance |
| OCSP | Revocation checking |
Security Recommendations
Root CA is offline except for maintenance
HSM for root keys
Separate admin accounts
CRL publication monitoring
92K. IIS Hardened Configuration Template
Disable Weak Protocols
SSL 2.0
SSL 3.0
TLS 1.0
TLS 1.1
Required Controls
| Setting | Value |
|---|---|
| Directory Browsing | Disabled |
| Request Filtering | Enabled |
| Custom Errors | Enabled |
| HSTS | Enabled |
| TLS 1.2+ | Required |
Example Request Filtering
Import-Module WebAdministration
# -PSPath targets the server-level applicationHost.config rather than the current location
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter /system.webServer/security/requestFiltering -Name allowDoubleEscaping -Value False
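As an added example (not the guide's own script), the PowerShell below disables the four weak protocols listed above through the SCHANNEL registry keys and applies the required-controls table with the WebAdministration module. The `Disable-WeakTlsProtocols` and `Set-IisHardening` names, the 'Default Web Site' site name, the request-size cap and the HSTS max-age are this example's assumptions.

```powershell
# Added example: protocol and IIS hardening for a web server. Run elevated.
Import-Module WebAdministration

function Disable-WeakTlsProtocols {
    # SCHANNEL reads these keys at boot: Enabled=0 plus DisabledByDefault=1 turns the
    # protocol off for both the server and client roles. A reboot is required.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
        foreach ($role in 'Server', 'Client') {
            $key = Join-Path $base "$proto\$role"
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name Enabled           -Value 0 -Type DWord
            Set-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -Type DWord
        }
    }
    # Keep TLS 1.2 explicitly enabled so nothing depends on OS defaults
    $tls12 = Join-Path $base 'TLS 1.2\Server'
    New-Item -Path $tls12 -Force | Out-Null
    Set-ItemProperty -Path $tls12 -Name Enabled           -Value 1 -Type DWord
    Set-ItemProperty -Path $tls12 -Name DisabledByDefault -Value 0 -Type DWord
}

function Set-IisHardening {
    param([string]$SiteName = 'Default Web Site')   # assumption: use your site's name
    $appHost = 'MACHINE/WEBROOT/APPHOST'             # server-level applicationHost.config

    # Directory browsing off; custom (non-detailed) error pages so stack traces never leak
    Set-WebConfigurationProperty -PSPath $appHost -Filter /system.webServer/directoryBrowse -Name enabled   -Value False
    Set-WebConfigurationProperty -PSPath $appHost -Filter /system.webServer/httpErrors      -Name errorMode -Value Custom

    # Request filtering: no double-encoded or high-bit URLs, capped body size,
    # TRACE denied, Server header removed (IIS 10+)
    $rf = '/system.webServer/security/requestFiltering'
    Set-WebConfigurationProperty -PSPath $appHost -Filter $rf -Name allowDoubleEscaping     -Value False
    Set-WebConfigurationProperty -PSPath $appHost -Filter $rf -Name allowHighBitCharacters  -Value False
    Set-WebConfigurationProperty -PSPath $appHost -Filter $rf -Name removeServerHeader      -Value True
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$rf/requestLimits" -Name maxAllowedContentLength -Value 30000000
    if (-not (Get-WebConfiguration -PSPath $appHost -Filter "$rf/verbs/add[@verb='TRACE']")) {
        Add-WebConfigurationProperty -PSPath $appHost -Filter "$rf/verbs" -Name '.' -Value @{ verb = 'TRACE'; allowed = 'False' }
    }

    # HSTS is configured per site on IIS 10 version 1709 and later
    $hsts = "/system.applicationHost/sites/site[@name='$SiteName']/hsts"
    Set-WebConfigurationProperty -PSPath $appHost -Filter $hsts -Name enabled             -Value True
    Set-WebConfigurationProperty -PSPath $appHost -Filter $hsts -Name 'max-age'           -Value 31536000
    Set-WebConfigurationProperty -PSPath $appHost -Filter $hsts -Name includeSubDomains   -Value True
    Set-WebConfigurationProperty -PSPath $appHost -Filter $hsts -Name redirectHttpToHttps -Value True
}

Disable-WeakTlsProtocols
Set-IisHardening -SiteName 'Default Web Site'
# Read back any value to verify, e.g.:
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter /system.webServer/security/requestFiltering -Name allowDoubleEscaping
```

Disabling TLS 1.0/1.1 at the SCHANNEL level affects every component on the host, not only IIS, so check SQL Server clients, RDP and any .NET applications pinned to older protocols before rebooting.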
92L. SQL Server Hardening
Recommended Controls
TLS encryption required
Dedicated service accounts
Disable SQL Browser if unused
Separate admin groups
Restrict xp_cmdshell
Example Hardening
-- xp_cmdshell is an advanced option; expose advanced options first or the second call fails
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
92M. Hyper-V Shielded VM Deployment
Required Components
Host Guardian Service
TPM-enabled hosts
Shielded VM templates
Recommendations
Separate management VLANs
Use BitLocker on hosts
Limit Hyper-V admin membership
92N. Entra Conditional Access Templates
Recommended Policies
| Policy | Recommendation |
|---|---|
| MFA for admins | Required |
| Block legacy authentication | Enabled |
| Require compliant devices | Enabled |
| Block risky sign-ins | Enabled |
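As an added example (not the guide's own code), the PowerShell below creates the first two template policies with the Microsoft Graph PowerShell SDK in report-only mode, so their effect can be reviewed in the sign-in logs before enforcement. The policy names, the break-glass account object ID and the choice to start in report-only mode are this example's assumptions; the role template ID for Global Administrator is the built-in one.

```powershell
# Added example: Conditional Access templates via Microsoft Graph. Requires the
# Microsoft.Graph PowerShell SDK and an account allowed to manage CA policies.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$BreakGlassId    = '00000000-0000-0000-0000-000000000000'   # assumption: object ID of the emergency-access account
$GlobalAdminRole = '62e90394-69f5-4237-9190-012177145e10'   # built-in Global Administrator role template ID

# MFA for admins (extend includeRoles with the other privileged role template IDs you use)
$mfaAdmins = @{
    displayName = 'CA001 - Require MFA for administrators'
    state       = 'enabledForReportingButNotEnforced'     # switch to 'enabled' after reviewing report-only results
    conditions  = @{
        users        = @{ includeRoles = @($GlobalAdminRole); excludeUsers = @($BreakGlassId) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Block legacy authentication: protocols that cannot complete MFA
$blockLegacy = @{
    displayName = 'CA002 - Block legacy authentication'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$existing = Get-MgIdentityConditionalAccessPolicy -All
foreach ($policy in $mfaAdmins, $blockLegacy) {
    if ($existing.DisplayName -contains $policy.displayName) {
        Write-Host "Already present: $($policy.displayName)"
        continue
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State, Id
}
```

Every policy excludes the break-glass account; a tenant with an MFA-for-admins policy and no excluded emergency account can lock out all administrators if the MFA provider is unavailable.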
92O. Incident Response Playbooks
Malware Response
Isolate host
Preserve evidence
Acquire memory
Review logs
Remove persistence
Reset credentials
Restore systems
Credential Theft Response
Disable accounts
Reset passwords
Invalidate Kerberos tickets
Review lateral movement
Hunt persistence
92P. Threat Hunting Queries
PowerShell Encoded Commands
# 4688 only carries the command line when "Audit Process Creation" and "Include command line in process creation events" are both enabled
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4688} | Where-Object {$_.Message -match "-enc"}
Suspicious Service Installation
Get-WinEvent -FilterHashtable @{LogName='System';ID=7045}
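The Sysmon rule in 92D, the Graylog pipeline rule in 92E and the hunting query above all key on the literal "-enc". As an added example (not code from the guide), the PowerShell below shows what a detector needs on top of that: PowerShell accepts any unambiguous prefix of -EncodedCommand, and the payload is base64 of UTF-16LE text, so the decoded script can be inspected rather than just flagged. It runs over constructed sample records first and then over live Sysmon Event ID 1 and Security 4688 events. The function names and the sample records are this example's own.

```powershell
# Added example: find and decode encoded PowerShell in process-creation records.

# powershell.exe/pwsh accept any unambiguous prefix of -EncodedCommand (-e, -en, -enc, ...)
# and pwsh also accepts -ec. A plain "-enc" substring check misses those variants and
# also hits unrelated parameters such as -Encoding, so the switch is validated explicitly.
$EncodedSwitchPattern = '(?i)(?:^|\s)[-/](?<sw>e[a-z]{0,13})\s+(?<b64>[A-Za-z0-9+/=]{16,})'

function Test-EncodedPowerShell {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Returns the decoded script text, or $null when there is no encoded block.
    if ($CommandLine -notmatch '(?i)(powershell|pwsh)') { return $null }
    foreach ($m in [regex]::Matches($CommandLine, $EncodedSwitchPattern)) {
        $sw = $m.Groups['sw'].Value.ToLowerInvariant()
        if ($sw -ne 'ec' -and -not 'encodedcommand'.StartsWith($sw)) { continue }
        try {
            # -EncodedCommand carries base64 of UTF-16LE text
            return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups['b64'].Value))
        } catch { return '<encoded switch present but payload is not valid base64>' }
    }
    return $null
}

function Find-EncodedPowerShell {
    # Pipe in any object with a CommandLine property; emits it with a Decoded property when flagged.
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        if (-not $Record.CommandLine) { return }
        $decoded = Test-EncodedPowerShell -CommandLine ([string]$Record.CommandLine)
        if ($decoded) { $Record | Add-Member -NotePropertyName Decoded -NotePropertyValue $decoded -PassThru }
    }
}

# Constructed sample records (not real telemetry); the embedded scripts are harmless.
function New-EncodedCommandLine([string]$Script, [string]$Prefix) {
    $Prefix + ' ' + [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}
$SampleEvents = @(
    [pscustomobject]@{ Host = 'WS01'; CommandLine = New-EncodedCommandLine 'Get-Process' 'powershell.exe -nop -w hidden -enc' }
    [pscustomobject]@{ Host = 'WS02'; CommandLine = New-EncodedCommandLine 'Get-Date'    'pwsh -NoLogo -EncodedCommand' }
    [pscustomobject]@{ Host = 'WS03'; CommandLine = 'powershell.exe -File C:\scripts\nightly.ps1 -Encoding UTF8' }   # benign: -Encoding is not -EncodedCommand
    [pscustomobject]@{ Host = 'WS04'; CommandLine = 'cmd.exe /c dir C:\temp' }
)
$SampleEvents | Find-EncodedPowerShell | Format-List Host, CommandLine, Decoded   # flags WS01 and WS02 only

# Live data: both Sysmon ID 1 and Security 4688 expose the command line as an EventData field.
function Get-EventCommandLine([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
}
function Get-EncodedPowerShellEvents([int]$Hours = 24) {
    $since = (Get-Date).AddHours(-$Hours)
    $sources = @(
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1;    StartTime = $since }
        @{ LogName = 'Security';                             Id = 4688; StartTime = $since }   # needs command-line auditing enabled
    )
    foreach ($filter in $sources) {
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Host = $_.MachineName; Time = $_.TimeCreated; Log = $filter.LogName; CommandLine = Get-EventCommandLine $_ }
        } | Find-EncodedPowerShell
    }
}
# Get-EncodedPowerShellEvents -Hours 24 | Format-List
```

The same switch-prefix logic is what the Sysmon and Graylog rules should approximate: in Sysmon that means several CommandLine conditions (or a regex condition) rather than one literal, and in Graylog a regex() match on the CommandLine field in place of contains().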
92Q. Production Validation Scripts
Validate Defender
Get-MpComputerStatus
Validate BitLocker
Get-BitLockerVolume
Validate Firewall
Get-NetFirewallProfile
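Rolling the three commands above into a pass/fail report, as an added example that is not the guide's own script: it also folds in the SMBv1, LSA protection and Sysmon items from the production checklist so one run covers the whole validation list. The `Test-ProductionHardening` name is this example's own, and the Sysmon service name is an assumption (Sysmon64 is what the 64-bit installer registers by default).

```powershell
# Added example: production validation in one pass. Run elevated.
function Test-ProductionHardening {
    param([string]$SysmonService = 'Sysmon64')   # assumption: adjust if installed under another name
    $checks = [ordered]@{}

    # Defender: engine on, signatures fresh, tamper protection engaged
    $mp = Get-MpComputerStatus
    $checks['Defender real-time protection']    = $mp.RealTimeProtectionEnabled
    $checks['Defender signatures < 3 days old'] = $mp.AntivirusSignatureAge -lt 3
    $checks['Defender tamper protection']       = $mp.IsTamperProtected

    # BitLocker: OS volume protected and bound to the TPM
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($os.KeyProtector.KeyProtectorType)
    $checks['BitLocker on OS volume'] = $os.ProtectionStatus -eq 'On'
    $checks['BitLocker TPM protector'] = ($types -contains 'Tpm') -or ($types -contains 'TpmPin')

    # Firewall: every profile on with inbound default Block
    foreach ($p in Get-NetFirewallProfile) {
        $checks["Firewall $($p.Name): enabled, inbound blocked"] = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -eq 'Block')
    }

    # SMB, LSA protection and Sysmon from the checklist
    $smb = Get-SmbServerConfiguration
    $checks['SMBv1 server disabled'] = -not $smb.EnableSMB1Protocol
    $checks['SMB signing required']  = $smb.RequireSecuritySignature
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $checks['LSA protection (RunAsPPL)'] = [int]$lsa.RunAsPPL -ge 1
    $svc = Get-Service -Name $SysmonService -ErrorAction SilentlyContinue
    $checks['Sysmon service running'] = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
    }
}

$results = Test-ProductionHardening
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed) { Write-Warning "$($failed.Count) check(s) failed" }   # in a deployment pipeline, exit 1 here instead
```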
92R. Secure WinRM Configuration
Recommended Settings
HTTPS only
Kerberos authentication
Restrict TrustedHosts
Limit admin access
Example HTTPS Listener
# From an elevated cmd.exe (in PowerShell, quote the @{...} argument); replace both placeholders with the host's FQDN and the thumbprint of its Server Authentication certificate
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="<server FQDN>";CertificateThumbprint="<certificate thumbprint>"}
# Remove the plaintext listener so WinRM is offered over HTTPS only
winrm delete winrm/config/Listener?Address=*+Transport=HTTP
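As an added example (not the guide's own script), the PowerShell below performs the same HTTPS-listener setup through the WSMan: drive and then applies the rest of the recommended settings: HTTP listener removed, Basic and CredSSP off, unencrypted traffic refused, TrustedHosts emptied so only Kerberos-authenticated domain targets are reachable, and port 5986 opened only from a management subnet. The subnet is an assumption; the certificate is expected to already be in the machine store, for instance from the enterprise issuing CA.

```powershell
# Added example: HTTPS-only, Kerberos-authenticated WinRM. Run elevated on the target host.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Newest valid Server Authentication certificate whose SAN covers this host
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' -and
        $_.DnsNameList.Unicode -contains $fqdn
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No Server Authentication certificate for $fqdn in LocalMachine\My" }

# HTTPS listener bound to that certificate (same result as the winrm create command above)
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# Remove any HTTP listener so plaintext WinRM is not offered at all
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse -Force

# Service side: Kerberos on, Basic and CredSSP off, no unencrypted payloads
Set-Item WSMan:\localhost\Service\Auth\Kerberos   -Value $true
Set-Item WSMan:\localhost\Service\Auth\Basic      -Value $false
Set-Item WSMan:\localhost\Service\Auth\CredSSP    -Value $false
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false

# Client side: an empty TrustedHosts list means this host will only remote to Kerberos-capable targets
Set-Item WSMan:\localhost\Client\TrustedHosts -Value '' -Force

# Firewall: 5986 only from the management subnet (assumption) on the Domain profile; disable the built-in 5985 rules
New-NetFirewallRule -DisplayName 'WinRM HTTPS (management subnet)' -Direction Inbound -Protocol TCP -LocalPort 5986 `
    -RemoteAddress '10.10.50.0/24' -Profile Domain -Action Allow | Out-Null
Disable-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue

# Verify: only an HTTPS listener should be listed, and the TLS handshake should succeed
Get-ChildItem WSMan:\localhost\Listener | Select-Object Keys
Test-WSMan -ComputerName $fqdn -UseSSL
```

"Limit admin access" is handled separately: restrict who may connect to the Microsoft.PowerShell endpoint with Set-PSSessionConfiguration (or, better, expose only JEA endpoints as described in 92U) rather than leaving the default endpoint open to every local administrator.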
92S. Kerberos Hardening
Recommended Controls
AES-only encryption
Disable RC4 where possible
Monitor Kerberoasting
Limit unconstrained delegation
Recommended GPO
Network security: Configure encryption types allowed for Kerberos
Set:
AES128_HMAC_SHA1
AES256_HMAC_SHA1
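As an added example (not code from the guide), the PowerShell below writes the local equivalent of that GPO setting (AES128 + AES256 = 0x18), audits the domain for the two configuration items above (RC4 still allowed on service accounts, unconstrained delegation) and surfaces RC4 service-ticket requests from event 4769, which is the standard Kerberoasting detection. The function names are this example's own; it needs the ActiveDirectory module and read access to a domain controller's Security log.

```powershell
# Added example: Kerberos encryption-type hardening, audit and RC4 ticket monitoring.
Import-Module ActiveDirectory

# Bit flags used by msDS-SupportedEncryptionTypes and the SupportedEncryptionTypes policy value
$RC4 = 0x04; $AES128 = 0x08; $AES256 = 0x10
$AesOnly = $AES128 -bor $AES256   # 0x18 = AES128_HMAC_SHA1 + AES256_HMAC_SHA1

function Set-KerberosAesOnly {
    # Local equivalent of "Network security: Configure encryption types allowed for Kerberos"
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name SupportedEncryptionTypes -Value $AesOnly -Type DWord
}

function Get-KerberosWeakConfig {
    # Service accounts that advertise RC4 or leave the attribute unset (the KDC may then fall
    # back to RC4 for their tickets), plus non-DC principals trusted for unconstrained delegation.
    $props = 'msDS-SupportedEncryptionTypes', 'TrustedForDelegation', 'ServicePrincipalName'
    $accounts = @(Get-ADUser -Filter * -Properties $props) + @(Get-ADComputer -Filter * -Properties $props)
    foreach ($a in $accounts) {
        $enc = $a.'msDS-SupportedEncryptionTypes'
        $issues = @()
        if ($a.ServicePrincipalName -and ((-not $enc) -or ($enc -band $RC4))) { $issues += 'RC4 allowed for service tickets' }
        if ($a.TrustedForDelegation -and $a.DistinguishedName -notlike '*OU=Domain Controllers,*') { $issues += 'Unconstrained delegation' }
        if ($issues) { [pscustomobject]@{ Account = $a.SamAccountName; Class = $a.ObjectClass; Issues = $issues -join '; ' } }
    }
}

function Get-RC4TicketRequests {
    param(
        [string]$DomainController = ((Get-ADDomainController -Discover).HostName | Select-Object -First 1),
        [int]$Hours = 24
    )
    # 4769 with TicketEncryptionType 0x17 (RC4-HMAC) for a non-machine, non-krbtgt service is the
    # classic Kerberoasting signature; the result is grouped by requester so bulk requests stand out.
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.TicketEncryptionType -eq '0x17' -and $d.ServiceName -notlike '*$' -and $d.ServiceName -ne 'krbtgt') {
            [pscustomobject]@{ Time = $_.TimeCreated; Requester = $d.TargetUserName; Service = $d.ServiceName; ClientIP = $d.IpAddress }
        }
    } | Group-Object Requester | Sort-Object Count -Descending |
        Select-Object @{ n = 'Requester'; e = { $_.Name } }, Count,
                      @{ n = 'Services';  e = { ($_.Group.Service | Sort-Object -Unique) -join ', ' } }
}

Get-KerberosWeakConfig   | Format-Table -AutoSize
Get-RC4TicketRequests -Hours 24 | Format-Table -AutoSize
# Set-KerberosAesOnly    # apply once the audit shows no RC4-dependent accounts or trusts
```

Apply the AES-only setting to domain controllers last: any account, trust or appliance that still negotiates only RC4 stops authenticating the moment the DC refuses it, so clear the audit output first and stage the change through a pilot OU.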
92T. LAPS Implementation
Recommended Controls
Unique local admin passwords
Password rotation enabled
Restrict password read permissions
PowerShell Example
Update-LapsADSchema
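Building on that cmdlet, the following is an added example (not the guide's own script) of a Windows LAPS rollout that covers the three controls above: per-computer self-write permission, a single group allowed to read or reset passwords, an audit of who else holds read rights, and the rotation policy. The OU, the reader group and the policy values are assumptions; the cmdlets are from the built-in LAPS module on Windows 11 and Server 2019 or later with the April 2023 update.

```powershell
# Added example: Windows LAPS deployment for one OU. Steps 1-4 run from a domain admin host,
# steps 5-6 on a managed client (policy is normally delivered by GPO; registry shown for clarity).
$TargetOU    = 'OU=Workstations,DC=corp,DC=example'   # assumption
$ReaderGroup = 'CORP\LAPS-Password-Readers'           # assumption

# 1. One-time schema extension (Schema Admins required)
Update-LapsADSchema -Confirm:$false

# 2. Let each computer in the OU write only its own password and expiry attributes
Set-LapsADComputerSelfPermission -Identity $TargetOU

# 3. Grant read and reset rights to the designated group only
Set-LapsADReadPasswordPermission  -Identity $TargetOU -AllowedPrincipals $ReaderGroup
Set-LapsADResetPasswordPermission -Identity $TargetOU -AllowedPrincipals $ReaderGroup

# 4. Audit: every principal holding the password-read extended right under the OU.
#    Anything beyond $ReaderGroup and the built-in admin groups is an inherited ACL to clean up.
Find-LapsADExtendedRights -Identity $TargetOU | Format-Table ObjectDN, ExtendedRightHolders -AutoSize

# 5. Client policy: back up to AD, rotate every 30 days, 20-character four-class passwords,
#    and rotate again 8 hours after the managed account is used to log on
$policy = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
New-Item -Path $policy -Force | Out-Null
Set-ItemProperty $policy -Name BackupDirectory             -Value 2  -Type DWord   # 2 = Active Directory
Set-ItemProperty $policy -Name PasswordAgeDays             -Value 30 -Type DWord
Set-ItemProperty $policy -Name PasswordLength              -Value 20 -Type DWord
Set-ItemProperty $policy -Name PasswordComplexity          -Value 4  -Type DWord   # upper, lower, digits, specials
Set-ItemProperty $policy -Name PostAuthenticationResetDelay -Value 8 -Type DWord   # hours
Set-ItemProperty $policy -Name PostAuthenticationActions   -Value 3  -Type DWord   # reset password and log off

# 6. Force a policy cycle and confirm the password object reached AD (no plaintext is displayed)
Invoke-LapsPolicyProcessing
Get-LapsADPassword -Identity $env:COMPUTERNAME | Select-Object ComputerName, ExpirationTimestamp, Source
```

Step 4 is the one to repeat on a schedule: delegated OU administrators often inherit the extended right without anyone noticing, and a broad read population turns LAPS into a shared local-admin password store.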
92U. JEA and JIT Administration
JEA Recommendations
Role-based PowerShell endpoints
Restricted cmdlets
Session transcripts enabled
JIT Recommendations
Temporary admin elevation
Approval workflows
MFA enforcement
92V. Secure Baseline Rollback Procedures
Requirements
Backup GPOs before changes
Export WDAC policies
Snapshot critical servers
Test rollback procedures quarterly
Example GPO Backup
Backup-GPO -All -Path C:\GPOBackups
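Extending that command, as an added example that is not the guide's own script: a timestamped pre-change backup that captures all four requirement items (GPOs with a readable settings report, the host's active WDAC policy files, GPO link locations, and a restore function to rehearse quarterly). The backup root and the `Restore-BaselineGpo` name are this example's assumptions; snapshotting the servers themselves is left to the hypervisor tooling.

```powershell
# Added example: baseline backup and rollback. Run from a domain-joined admin host.
Import-Module GroupPolicy
$BackupRoot = 'D:\Baseline-Backups'   # assumption
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$dir   = Join-Path $BackupRoot $stamp
New-Item -Path $dir -ItemType Directory -Force | Out-Null

# 1. Every GPO, plus an HTML report of all settings so a change can be diffed later
Backup-GPO -All -Path $dir -Comment "Pre-change baseline $stamp" | Select-Object DisplayName, Id, BackupDirectory
Get-GPOReport -All -ReportType Html -Path (Join-Path $dir 'AllGPOs.html')

# 2. Active WDAC policies on this host: multi-policy .cip files and the legacy single policy
$ci = 'C:\Windows\System32\CodeIntegrity'
Copy-Item "$ci\CiPolicies\Active\*.cip" -Destination $dir -ErrorAction SilentlyContinue
Copy-Item "$ci\SIPolicy.p7b"            -Destination $dir -ErrorAction SilentlyContinue

# 3. Record where each GPO is linked; Restore-GPO restores settings, not links
Get-GPO -All | ForEach-Object {
    [xml]$report = Get-GPOReport -Guid $_.Id -ReportType Xml
    [pscustomobject]@{ Name = $_.DisplayName; Id = $_.Id; LinksTo = (@($report.GPO.LinksTo.SOMPath) -join ';') }
} | Export-Csv (Join-Path $dir 'gpo-links.csv') -NoTypeInformation

# Rollback: restore one GPO by name, or everything, from a chosen backup directory
function Restore-BaselineGpo {
    param([Parameter(Mandatory)][string]$BackupDir, [string]$Name)
    if ($Name) { Restore-GPO -Name $Name -Path $BackupDir } else { Restore-GPO -All -Path $BackupDir }
}
# Restore-BaselineGpo -BackupDir $dir -Name 'Server Baseline'
```

For WDAC, rollback means redeploying the saved policy file (or an audit-mode version of it) and rebooting; keep the previous enforced policy's file alongside the new one so the fallback does not have to be rebuilt under pressure.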
92W. Enterprise Security Expansion Sections
Included Advanced Hardening Areas
The following advanced enterprise sections were added to this guide:
Compliance and Standards
Complete DISA STIG control mappings
CIS Level 1 baseline standards
CIS Level 2 baseline standards
Microsoft baseline comparison guidance
Registry Hardening
Coverage includes:
LSA protection
WDigest disabling
SMB hardening
TLS hardening
SmartScreen enforcement
Autorun restrictions
NTLM reduction
Kerberos hardening
Sysmon and Logging
Expanded sections include:
Full Sysmon deployment guidance
Process creation monitoring
PowerShell abuse detection
DNS query logging
Registry persistence monitoring
LOLBin detection
WMI monitoring
Graylog Enterprise Integration
Added:
Pipeline examples
Extractor examples
Stream recommendations
Alerting examples
PowerShell detection rules
Encoded command detection
Windows Server 2025 Security
Added security delta coverage for:
SMB over QUIC
Enhanced VBS
Improved Credential Guard
Defender enhancements
Hotpatching
TPM requirements
Intune and Cloud Security
Added:
Intune JSON examples
Compliance policy examples
Conditional Access templates
Device compliance guidance
Automation Templates
Added:
Desired State Configuration templates
Ansible hardening templates
PowerShell deployment examples
Validation scripts
PKI and Certificate Services
Added:
Offline root CA architecture
Issuing CA guidance
CRL/OCSP architecture
HSM recommendations
IIS Hardening
Added:
TLS hardening
Request filtering
HSTS configuration
Directory browsing restrictions
SSL/TLS protocol restrictions
SQL Server Hardening
Added:
xp_cmdshell restrictions
Service account guidance
TLS requirements
Administrative separation
Hyper-V Security
Added:
Shielded VM deployment
Host Guardian Service guidance
Hyper-V segmentation recommendations
Incident Response
Added:
Malware response workflows
Credential theft response procedures
Host isolation guidance
Evidence preservation procedures
Threat Hunting
Added:
PowerShell hunting queries
Service installation monitoring
Kerberos abuse detection
Persistence detection
Identity Security
Added:
Kerberos hardening
LAPS implementation
JEA administration
JIT administration
Tiered administration
PAW guidance
Rollback and Recovery
Added:
GPO backup procedures
WDAC rollback guidance
Baseline rollback procedures
Recovery validation steps
Final Notes
Security hardening is not a one-time project.
It is a continuous operational process involving:
Monitoring
Validation
Patching
Auditing
Incident response
Continuous improvement
Organizations should regularly:
Review baselines
Validate configurations
Test backups
Conduct tabletop exercises
Perform vulnerability assessments
Update controls against emerging threats
A hardened environment significantly reduces risk but must be maintained consistently to remain secure.