A security checklist covering the most critical steps to minimize the attack surface of your Windows Server 2019, 2022, and 2025. Configuration is done via Local Security Policy, Server Manager, and PowerShell.
Lockout warning: Changes to firewall rules or account policies can result in system lockout. Implement changes incrementally and test carefully — especially when dealing with RDP.
The most secure foundation starts with hardening all local and administrative accounts.
The default Administrator account is the primary target for automated brute-force attacks. Rename it immediately, or disable it entirely after creating a new dedicated admin account.
The Guest account and all default accounts not explicitly required pose unnecessary risk and must be disabled.
Open Local Security Policy (secpol.msc) and configure the following under Account Policies:
| Setting | Recommended Value |
|---|---|
| Minimum Password Length | At least 12 characters |
| Password Complexity | Enabled |
| Password History | Remember last 10 passwords |
| Account Lockout Threshold | Max. 5 failed attempts within 15 minutes |
Assign only the minimum permissions necessary for users, services, and applications to perform their function. Administrative tasks should only be performed using separate, dedicated administrative accounts — never with day-to-day user accounts.
Implement a default-deny strategy to secure all inbound network traffic.
In Windows Defender Firewall with Advanced Security, set the default policy for all profiles (Domain, Private, Public) to Block for inbound traffic. Only explicitly created rules should allow packets through.
RDP (port 3389) is one of the most targeted services. Restrict access via the firewall to trusted source IP addresses only, such as your office network or VPN subnet.
Additionally, enable Network Level Authentication (NLA) in the RDP settings to enforce authentication before a full session is established.
Enable firewall logging in the advanced settings of Windows Defender Firewall to log all dropped packets. This is essential for troubleshooting and detecting intrusion attempts.
Remove all features and services that unnecessarily increase the attack surface.
Use Server Manager or PowerShell to remove all features not strictly required for the server's purpose, such as Fax Server, Telnet Client, or unnecessary web server components.
Legacy protocols like SMBv1 are obsolete and provide known attack vectors, including being the propagation mechanism for ransomware like WannaCry. Disable them immediately.
Open Services Management (services.msc) and set the startup type to Disabled for services not required by your server's purpose. Common candidates include:
| Service | Disable if… |
|---|---|
| Remote Registry | No remote registry access needed |
| Windows Search | Server is not used for file search |
| Print Spooler | No printing services are needed |
These steps ensure long-term security and event traceability.
Keep the Windows Server OS, all installed applications, and any hypervisor software up to date to quickly close known security vulnerabilities. This is the single most important ongoing security measure.
Enable advanced audit policies via Local Security Policy or GPOs. Focus on the following critical event categories:
| Event Category | Log |
|---|---|
| Logon attempts | Success & Failure |
| User account and group changes | Success & Failure |
| Access to critical files and objects | Success & Failure |
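The account, firewall, RDP, feature-removal, service and audit steps above, collected into one elevated PowerShell script. This is an added example and not part of the original checklist; the trusted subnets, the new administrator name and the service list are placeholders to adapt, and the audit subcategory names are the advanced audit subcategories that correspond to the table's categories.

```powershell
# Added example: this checklist's steps as PowerShell. Run elevated, on a lab host first.
# The RDP rule MUST include the subnet you connect from, or you lock yourself out.
$TrustedSubnets = @('10.0.0.0/24', '192.168.50.0/24')   # constructed: office LAN + VPN pool

# --- Accounts: disable Guest, rename the built-in Administrator (placeholder name) ---
Disable-LocalUser -Name 'Guest'
Rename-LocalUser -Name 'Administrator' -NewName 'srv-admin-PLACEHOLDER'

# --- Firewall: default-deny inbound on every profile and log dropped packets ---
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogMaxSizeKilobytes 32767 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# --- RDP: disable the broad built-in rules, allow 3389 only from trusted sources ---
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP - trusted subnets only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $TrustedSubnets `
    -Profile Domain,Private -Action Allow

# Require Network Level Authentication before a full session is established
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1

# --- Attack surface: remove unneeded features and switch off SMBv1 ---
Uninstall-WindowsFeature -Name Fax,Telnet-Client
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# --- Services not needed for this server's role (adapt the list) ---
foreach ($svc in 'RemoteRegistry','WSearch','Spooler') {
    Stop-Service -Name $svc -ErrorAction SilentlyContinue
    Set-Service -Name $svc -StartupType Disabled
}

# --- Audit policy: the categories the checklist calls out, success and failure ---
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable   # needs SACLs on the objects

# --- Verify the resulting state before closing the session ---
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, LogBlocked
Get-NetFirewallRule -DisplayName 'RDP - trusted subnets only' | Get-NetFirewallAddressFilter
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
```

Keep a second, already-open session alive while applying the firewall and RDP changes so you can roll back if the verification output is not what you expect.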
Ensure that Microsoft Defender for Server (or an equivalent solution) is active, real-time protection is running, and automated scans are scheduled outside of peak operating hours.
Enterprise environments: The most comprehensive hardening is achieved by applying Microsoft Security Baselines or CIS Benchmarks via Group Policy Objects (GPOs). These provide vetted templates covering almost all security parameters.
For comprehensive hardening templates and enterprise security baselines, refer to the official Microsoft resources.