Open in app

Sign in

Write

Sign in

Essential step for hardening windows server

Irsyad Muhammad Fawwaz
9 min readMar 18, 2024

--

What is server hardening?

Server hardening is the process of enhancing the security of a server operating system to protect it from potential threats and vulnerabilities. It involves implementing various security measures and configurations to reduce the server’s attack surface and minimize the risk of unauthorized access.

Importance of hardening Windows servers

Windows servers are prime targets for cyber attacks due to their widespread use in enterprise environments. Hardening these servers helps mitigate the risk of data breaches, system compromises, and other security incidents. By implementing proactive security measures, organizations can bolster their defense mechanisms and safeguard sensitive information.

1. Windows User Configuration

Set up custom admin account

Login to admin account and go to windows setting and choose account

Click other user and click Add another person to this PC

On the navigation bar on the left section, click user and then In menu bar, choose action-new user

field the column, and click create

Next step is adding user to Administrators group.

Double click on user that you created and In the member tab, click Add

In the “Enter the object names to select” section, type administrators and click “Check Names”

After that click “OK”

In the tab “member of”, click user and remove

Click “apply” and “ok”

Disable local administrator

The reason to disable the local administrator account is that it is a popular target for attackers.

first Go to server manager on the top bar choose tools and click computer management

On the left bar click “Local user and group” and choose user

Double click on Administrator account

Checklist on “Account is disable”

Click “apply” and “ok”

Prefer to run as a regular user account

To minimize the risk of your account being compromised, it’s recommended to log in to the server with a standard user account. When tasks requiring administrative permissions arise, use the “Run As” function (similar to sudo in Linux) to temporarily elevate your privileges.

2. Windows Network Configuration

  • Secure your server by placing it behind a firewall — This is especially important for production Windows Servers, which should always operate within a protected network segment.
  • Ensure reliable name resolution by configuring two or more DNS servers — Use the nslookup tool to verify that the server can resolve hostnames correctly.
  • Verify the server’s DNS records — Make sure it has both an A record, which maps the server’s hostname to its IP address, and a PTR record, which allows for reverse DNS lookups to identify the hostname associated with an IP address.
  • Minimize the potential attack surface by disabling any unused network services, such as IPv6. This reduces the number of entry points that attackers could exploit.

disable ipv6

Open control panel choose network and sharing center

Choose change adapter settings

Choose network -> right click -> click properties

Search ipv6 and uncheck -> click “OK”

3. Network Time Protocol (NTP) Configuration

Keeping time in sync is crucial for Windows login and other features that rely on Kerberos security, as even minor discrepancies can disrupt functionality. To prevent service interruptions, ensure:

  • Automatic time synchronization — For servers within domains, this means automatically synchronizing with the domain controller.
  • External time source — Standalone servers should synchronize with a reliable external time source.
  • Ongoing synchronization — Domain controllers should continuously synchronize time with a time server.

Enable NTP Server

Win+r -> search “regedit” -> click “ok”

Find NTP Server

Open folder Computer>HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>W32Time>TimeProviders>NtpServer.

And double click on Enable section

Change value data from 0 to 1

Create announceflag5

Open the following folder

Computer>HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>W32Time>Config.

Double click on “AnnounceFlags”

Change value from a to 5 -> click “ok”

Restart NTP Server -> open service on start menu -> search Windows Time — > double click -> choose restart

Windows Server must have UDP port 123 open for NTP to connect to the clocks.

Win + r -> Search firewall.cpl -> advance settings

Choose inbound -> new rule

Choose UDP-> type port 123 and than click next

Choose allow connection -> click next

Select all rule and next

Type name and click finish

4. port recommendations that are better closed on windows server.

Low-Risk closure

  • Ports 135–139: NetBIOS over TCP/IP — These ports were used for file and printer sharing in older systems, but are rarely used in modern environments due to security concerns.
  • Port 445: SMB (Server Message Block) — This port is used for file and printer sharing. While still commonly used, consider migrating to the more secure SMBv3 (usually on port 445) if possible.
  • Ports 1024–5000: Dynamic Ports — These ports are used by various applications and services. It’s recommended to close unused ports within this range based on the specific applications you have installed on the server.

High-Risk closure

  • Port 21: FTP (File Transfer Protocol) — This port is used for file transfers but is not secure and vulnerable to attacks. Consider using secure alternatives like SFTP (port 22) instead.
  • Port 25: SMTP (Simple Mail Transfer Protocol) — Used for email but susceptible to spam and malware exploitation. If used, implement strong authentication and security measures. Consider alternatives like secure SMTP (port 587) if available.
  • Port 80: HTTP (Hypertext Transfer Protocol) — Used for unencrypted web traffic. While commonly used, prioritize using HTTPS (port 443) for secure web connections.
  • Port 110: POP3 (Post Office Protocol 3) — Used for retrieving email but is insecure and vulnerable. Consider using secure alternatives like IMAP (port 143) or POP3S (port 995).

Consider closing the port

  • Application Usage: Before closing any port, verify its usage by critical applications on the server. Closing a port used by a necessary application can disrupt functionality.
  • Firewall Management: Use a firewall to block access to unused ports instead of directly closing them within the operating system. This allows for easier management and potential future adjustments.
  • Log Monitoring: Monitor server logs for suspicious activity, especially after closing ports. This helps identify potential security breaches or unintended consequences.
  • Port Scanning: Utilize tools like Nmap to scan open ports on your server and identify potential vulnerabilities.

How to block port on windows server

Open control panel -> System and Security -> Windows firewall

Choose security and maintenance

Select advanced setting

Choose inbound rules for setting incoming network traffic and outbound for outgoing network traffic rules. For exemple we will use outbound

Choose new rule -> and select “port” and then click “next”

Choose TCP/UDP, and fill the port you want to block

Click next and choose “block the connection”

And choose network location eg. Private/public, or domain

Fill name for the rule and click finish

5. Registry Configuration

Maintaining a secure server requires meticulous attention to detail, including the Windows Registry. Here’s how to fortify your defenses:

Remote Registry

This service enables remote access to the registry. If not essential, disable it completely to minimize potential attack avenues. If needed, strictly regulate access by granting permissions only to authorized users and implementing robust authentication methods.

here’s how to disable it

Windows -> search “service” -> open service -> choose Service on the left tab -> double click on “remote registry”

In the general tab choose disable on startup type -> apply and ok

Anonymous Access

The “NullSessionPipes” and “NullSessionShares” settings permit anonymous access to specific network resources. Disabling them restricts unauthorized individuals from exploiting this vulnerability. However, carefully assess potential impacts as they might affect legitimate applications relying on these settings.

Guarding Critical Registry Keys

Granting write permissions to critical registry keys and subkeys only to authorized users and administrators is paramount. This ensures that only individuals with legitimate needs can modify these sensitive settings, mitigating the risk of unauthorized alterations compromising server security.

here’s how to do it

Search regedit in windows search and On the left tab left click on regedit you want to change permission -> click permission

Choose group or names you wanted to change permission and choose permission -> apply and ok.

Conclusion

Effective server hardening is essential for maintaining the security and integrity of your Windows server infrastructure. By implementing robust security measures, such as user authentication, access control, patch management, firewall configuration, encryption, and auditing, organizations can mitigate the risk of cyber attacks and safeguard sensitive data. Continuous monitoring, regular maintenance, and proactive threat detection are key to maintaining a strong security posture in today’s dynamic threat landscape.

Would you like to see more insightful articles like this? Your support enables me to create valuable content. Consider buying me a coffee to fuel the creation of more free prompts. Your contribution is greatly appreciated! ❤️❤️❤️

Windows
Hardening
Windows Server
Windows Defender
Soc

--

--

Irsyad Muhammad Fawwaz
Irsyad Muhammad Fawwaz

Written by Irsyad Muhammad Fawwaz

101 Followers
14 Following

https://github.com/irsyadsec

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams