The Windows Server hardening guide: what to do and how to do it

From startups to medium-sized businesses to corporations: servers running Windows are found in all sizes of companies. This makes the operating system interesting for cyber-gangsters. System Hardening of Windows Server is therefore eminently important.

We explain the background here and give tips on Windows Server hardening.

What is Windows server hardening?

In IT, the abbreviated term “hardening” refers to System Hardening. System Hardening reduces the attack surface of your systems – for example, your Windows Server system – and closes “doors” that could otherwise be used for an attack.

Why is Windows server hardening so important?

Along with various Linux derivatives, Microsoft Windows Server (in its various versions) is the operating system for data center server landscapes. Here, more recent versions such as Windows Server 2016, Windows Server 2019 or even the current version Windows Server 2022 are often used.

Occasionally, Windows Server 2008 (R2) or Windows Server 2012 (R2) is still running in companies and data centers, although support for these ended.

Each version of Windows Server is configured at the factory for maximum compatibility and user experience. What is good for the user is not necessarily good for IT security. Cyber criminals as well as companies that like to collect data then often have an easy game and take advantage of that.

By hardening your Windows Server systems, you can improve information security and data protection in your company, while at the same time meeting existing compliance requirements.

Any questions? Contact us!

Windows Server hardening: What does that mean in summary?

By hardening your Windows servers, you reduce, among other things, the risk of your systems being hacked and thus data stolen. Because the leakage of important business information or customer data causes great damage. You can be threatened with high fines and severe damage to your image.

In the worst case scenario, the consequences of inadequately hardened or unhardened Windows Server systems can jeopardize your company’s reputation.

You should determine how well your system is hardened – for example, with AuditTAP. The result for a poorly hardened Windows Server system, for example, is as follows:

Best practices: How to harden a Windows server?

For this, you have a wide range of measures to choose from. These include, for example these Windows Server hardening best practices:

    • Updating (“patching”) the operating system and relevant server applications as quickly as possible.
    • Shutting down all services that are not required. You should pay particular attention to old Windows Server versions!
    • The clear restriction of access rights, e.g. by deactivating local administrator rights.
    • The use of strong passwords, supplemented by measures such as fairly short expiration periods and few account lockouts.
    • Logging of successful and faulty logins. Set the number of logs high and make regular backups of them.
    • Blocking special or all types of scripts and disabling insecure algorithms like RC4 and MD5.
    • A reduction of file permissions, for example for “normal” employees. Also implement a detailed file check when saving data.
    • Configure the firewall so that only the ports that are really needed are released. Pay attention to special access via VPN.

These and other implementations ensure that you harden your Windows servers and make them more resilient against “data octopuses” and attacks.

Windows Server hardening: checklists and guides

Several industry standards and recommendations for server hardening exist worldwide. These include the CIS benchmarks and DISA STIGS, for example.

In addition,  government bodies such as BSI (from Germany) and ACSC (Australia) make recommendations and publish Windows Server hardening checklists. Microsoft itself also regularly publishes its own hardening recommendations – for example, for Windows 10 System Hardening, Windows 11 hardening, and Windows Server hardening.

Tip: Use the “Windows Server 2012 Security Guide”, download the “Windows Server 2016 Security Guide” or the “Windows Server 2019 Hardening Guide” from Microsoft, study them and apply the tips. This will teach you how to secure Windows Server 2019 and others, for example.

How to reduce the time required for server hardening?

OS Hardening and Windows Server hardening can be very time-consuming, especially in large organizations with complex IT infrastructures. In addition, you need to perform hardening of your Windows servers on a regular basis to keep the systems up to the state of the art techniques. So a one-time hardening by using a Windows Server hardening checklist is not enough!

In addition, it is necessary to monitor the systems during operation and to react to (intentional or unintentional) deviations. These tasks take up a lot of time if IT experts perform them manually.

Configuration, monitoring and control become faster, easier and more transparent through the use of special hardening tools for companies!

Check the status of your Windows Server hardening!

There are several things you can do to speed up Windows Server hardening. The first is to determine how well hardened your systems currently are.

You can perform an automatic analysis very well with the free AuditTAP. This checks your Windows Servers system as well as other systems and applications (e. g. Windows 10, MS Office and popular browsers) for the current System Hardening status.

As a result, you get a transparent and clear report with a management summary. Learn how to create this report in this video:

Windows Server hardening: Which tools are suitable?

After you know where and what you should improve in terms of Windows Server hardening, it’s time to carry out the recommendations. With a professional enterprise hardening tool like Enforce Administrator, you can easily harden your Windows Server systems and other systems automatically.

With the Enforce Administrator you cover the entire security configuration management cycle. This creates a kind of “self-healing system”.

This means that each system independently checks in the background whether hardening settings have been changed. If this is the case, the target state is restored independently.

Enforce Administrator: Get here more information!

How complicated is automated Windows Server System Hardening?

Windows Server System Hardening is easy and time-saving with the Enforce Administrator. This is because the included functions do most of the work for you.

You do not have to program any Windows Server hardening scripts! Instead, with just a few clicks you can set the standards (BSI, CIS, DISA, etc.) according to which your Windows servers should be hardened.

No matter if you are running Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 or Windows Server 2022 – the hardening tool knows how to configure your system aligned to Windows Server hardening standards.

This simple system is called #NoCodeHardening. Learn more about that in this video:

Hardening for Windows Server: Do you need support?

Do you want to harden your Windows Server professionally? The expert team of FB Pro GmbH will be happy to assist you with words and deeds! We audit your systems, implement the Enforce Administrator or perform regular System Hardening to the highest standards.

Contact us!


Leave a Reply