Windows Server Hardening: Stop Guessing, Start Baselining

Most Windows Servers Are One Misconfiguration Away From a Breach

We inherited an environment last year where the client had been running Windows Server 2019 domain controllers with NTLMv1 still enabled, SMBv1 wide open, and zero Group Policy security baselines applied. The previous vendor called it “stable.” We called it a liability. Windows Server hardening isn’t a one-time project you schedule between fiscal quarters — it’s a continuous operational posture. And most environments we walk into are years behind where they should be.

Here’s my position: if you don’t have a documented, tested, and enforced hardening baseline, you don’t have a security posture. You have a wishlist. This guide covers what actually works — specific configurations, real tools, and the sequencing that won’t take down production when you apply them. No theory, no marketing. Just the work.

Start With a Baseline, Not a Random Checklist

The first mistake I see is organizations building hardening checklists from scratch. Someone reads a blog post, copies 30 registry keys into a GPO, and calls it a standard. That’s not a standard — that’s cargo-culting.

The right starting point is the NIST Cybersecurity Framework for overall risk posture, combined with Microsoft’s Security Compliance Toolkit (SCT). The SCT is a free download from Microsoft and ships with pre-built GPO baselines for every major Windows Server version. These aren’t suggestions pulled from a forum thread. They’re the same configurations Microsoft’s internal security teams use on production infrastructure.

The Microsoft Security Compliance Toolkit

The SCT ships with baselines for multiple tiers and roles. It also includes Policy Analyzer — a tool that diffs your current GPO configuration against the baseline so you can see exactly where your environment diverges before touching a single setting. That diff step is non-negotiable. You need to understand what you’re about to change.

The baselines are organized by operational tier:

• Domain Controller: Hardening for DC hosts and Privileged Access Workstations (PAWs) used to administer Tier 0 assets.
• Domain Security: Password policies, account lockout thresholds, and logon timeout configurations that apply domain-wide.
• Member Server: Hardening for application and file servers, plus PAWs administering Tier 1 assets.
• Computer/User: Endpoint-level hardening for workstations and terminal servers in Tier 2.

There are also standalone baselines for BitLocker, Credential Guard, and Windows Defender Antivirus. Each is independently composable — you don’t have to apply everything at once, and you shouldn’t.

Apply Baselines With a Plan, Not Enthusiasm

A word of caution that I can’t stress enough: don’t blast these baselines into production without a structured rollout plan. I’ve watched this go sideways in the field. A client engagement we ran involved a team that applied the Domain Controller baseline without first reviewing the monitoring configuration changes it included. The baseline enables additional Security event log auditing categories — great for detection, brutal for unprepared log pipelines. Their SIEM was ingesting roughly 40x its normal event volume within an hour. Their log retention budget was gone in three days. Know what you’re applying before you apply it. Test in a staging OU first, review the delta in Policy Analyzer, document the expected behavioral changes, then roll out in phases.

Kill the Protocols Nobody Should Still Be Running

Any production Windows Server environment still running SSLv3, TLS 1.0, or TLS 1.1 is operating outside acceptable risk tolerance. Full stop. Same with SMBv1 — it’s been the delivery mechanism for some of the most destructive malware campaigns in recent history, and Microsoft has been officially recommending its removal since 2017. If it’s still enabled in your environment, the question isn’t whether you’ll have a problem. It’s when.

Disabling legacy protocols is straightforward. For TLS, you’re modifying the Schannel registry hive. You can push this via GPO or script it with PowerShell:

# Disable TLS 1.0 - Server role
# HACK: Reboot required for changes to take effect. Schedule during maintenance window.
$tls10Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server"
New-Item -Path $tls10Path -Force
New-ItemProperty -Path $tls10Path -Name "Enabled" -Value 0 -PropertyType DWORD -Force
New-ItemProperty -Path $tls10Path -Name "DisabledByDefault" -Value 1 -PropertyType DWORD -Force

# Disable SMBv1 - no reboot required, but validate dependent services first
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

Repeat the TLS registry block for TLS 1.1. On Windows Server 2022, these are disabled by default — but if you’re managing 2016 or 2019 boxes, audit them. Don’t assume.

Cipher Suite Priority Order Matters

Beyond protocol versions, audit your cipher suite priority list. Older servers often have weak ciphers sitting high in the priority order — they’ll get negotiated even when stronger options exist. The goal is to prioritize ECDHE key exchange with AES-256-GCM. Anything using RC4, DES, or 3DES gets removed.

You can enumerate and reorder cipher suites using Get-TlsCipherSuite and Set-TlsCipherSuite, or push the ordering via Group Policy under Computer Configuration > Administrative Templates > Network > SSL Configuration Settings. GPO is the better approach at scale — local cipher suite changes drift. GPO-managed ones don’t.

Credential Guard: The Feature Most Teams Skip

Credential Guard is underdeployed. We see it missing in probably two-thirds of environments we assess during security reviews. It uses Virtualization-Based Security (VBS) to isolate the LSASS process — the target of every pass-the-hash and pass-the-ticket attack in the standard lateral movement playbook. When Credential Guard is active, credential material lives in a protected VM container that the host OS cannot directly read. Tools that rely on LSASS memory access — you know the ones — stop working against it. That alone should put it on your priority list.

Hardware requirements: UEFI firmware with Secure Boot enabled, a 64-bit CPU with virtualization extensions (Intel VT-x or AMD-V), and TPM 2.0 for maximum protection. Most server hardware purchased in the last five years qualifies. Enable it through Group Policy under Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security. You can also enforce it via PowerShell DSC if you’re managing state declaratively across a server fleet.

The caveat: Credential Guard breaks certain legacy authentication scenarios. It’s incompatible with NTLMv1 and DES/RC4 Kerberos encryption types. Older line-of-business applications sometimes depend on those. Before rolling out Credential Guard, audit your Kerberos encryption types with Get-ADComputer and Get-ADUser pulling msDS-SupportedEncryptionTypes, and look for NTLM usage in your Security event log (Event ID 4776). Remediate the dependencies first or you’ll generate authentication failures and support tickets instead of security improvements.

UAC Configuration Is Not Optional

User Account Control is either ignored entirely or misconfigured in almost every environment we inherit. The most egregious pattern: organizations disabling UAC on servers because admins find the prompts disruptive. That’s trading a 30-second friction point for your entire blast radius. UAC exists specifically to prevent privilege escalation — to stop a malicious process from silently acquiring admin rights without explicit approval from a human.

The key UAC settings on Windows Server live under Security Settings > Local Policies > Security Options in the local security policy, or pushed via GPO:

• Admin Approval Mode for the built-in Administrator account: Enable it. The RID-500 account should require approval just like any other admin.
• Behavior of elevation prompt for administrators in Admin Approval Mode: Set to “Prompt for credentials” — not “Prompt for consent.” The former requires re-entering credentials, making it harder to automate or socially engineer. Consent prompts are a single click.
• Detect application installations and prompt for elevation: Enable on servers where you control the software stack. Unexpected installation attempts are a detection signal.

Also watch for automatic privilege elevation of applications signed by Microsoft or trusted publishers. That’s a known bypass path. If you’re seeing it in environments with misconfigured signing trust, flag it during your next review.

Hardening Windows Defender Firewall With Advanced Security

Most environments have the Windows Defender Firewall switched on with default rules and call it done. That’s not hardening — that’s hoping. The firewall with Advanced Security (WDFW) is significantly more capable than most engineers realize, and most of that capability goes unused.

Start with the three profiles: Domain, Private, and Public. In a production server context you’re almost always in Domain profile — but lock down Private and Public too. A server that temporarily loses domain connectivity falls back to an alternative profile. If that profile allows broad inbound traffic, you’ve created a gap. Set all three profiles to default-deny inbound with explicit allow rules only for documented, required services.

IPsec Policies for Server Isolation

Beyond basic rules, WDFW supports IPsec connection security rules for server isolation. You can require that all inbound connections to a server are Kerberos-authenticated before the firewall passes them through — this is a strong lateral movement control. If an attacker compromises a workstation and tries to reach a server directly, they need a valid Kerberos ticket. Without domain membership and valid credentials, the connection is dropped at the network layer, before any application-layer authentication even occurs.

This is documented behavior, but rarely implemented. If you’re running Group Policy in an Active Directory environment, the Kerberos infrastructure is already there — you’re just not using it for network-layer enforcement yet.

Push all firewall rules through GPO. Local rule drift is a real operational problem — server teams add exceptions for specific applications and those exceptions never get documented or reviewed. We covered what happens when Group Policy gets applied without proper change management in our Windows Group Policy incident post-mortem. GPO-managed firewall rules give you a single source of truth and an audit trail that local rules don’t provide.

SMB Hardening: Your File Server Attack Surface

SMB keeps showing up in breach reports because it keeps being left misconfigured. After disabling SMBv1, the next step is locking down SMB server configuration on your file servers. The Set-SmbServerConfiguration cmdlet exposes a range of settings that ship with permissive defaults — here’s the baseline configuration we apply to file servers during client engagements:

# SMB server hardening baseline
# TODO: Benchmark throughput before enabling EncryptData on high-IOPS file servers
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbServerConfiguration -EnableSecuritySignature $true -Force
Set-SmbServerConfiguration -EncryptData $true -Force
Set-SmbServerConfiguration -RejectUnencryptedAccess $true -Force

SMB signing prevents NTLM relay attacks — an attacker in a man-in-the-middle position can’t forge or modify SMB traffic when signing is enforced. SMB encryption protects file data in transit, which matters more in environments where lateral movement is a concern. The tradeoff is CPU overhead on the file server. Both signing and encryption add processing cost, so test the performance impact in your environment before enforcing it across all shares.

For clients running high-throughput file workloads — this comes up frequently in environments built on RAID 10 storage arrays with sustained high-IOPS demand — benchmark before mandating encryption. In most cases the overhead is manageable, but quantify it rather than assuming.

On the permissions side: lock down share-level permissions to specific security groups with least-privilege access. The pattern of Everyone:Full Control at the share with NTFS doing all the enforcement is one inheritance misconfiguration away from a significant exposure. Use the NTFSSecurity PowerShell module to enumerate and update ACLs programmatically across your file server fleet — it’s far more scriptable than the native cmdlets for bulk ACL work.

Automate the Baseline or It Drifts

Manual hardening doesn’t stay hardened. A new server gets deployed from an unconfigured base image. Someone adds a firewall exception for testing and never removes it. An application vendor asks you to disable a security control “just temporarily” and three months later it’s still disabled. Configuration drift is the enemy, and in most environments it’s losing.

The answer is PowerShell Desired State Configuration (DSC) or equivalent infrastructure-as-code. DSC lets you define the target security state of a server declaratively and enforce it continuously. When a server’s configuration drifts from the defined baseline, DSC detects it and remediates — automatically, without a ticket or a change window. DSC 3.0 (current as of 2024) has improved cross-platform support and cleaner resource handling compared to earlier versions. Define your hardening state once, apply it across every member server class, and let the enforcement loop run.

This is the same feedback loop pattern that makes CI/CD pipelines reliable. If you’re already thinking in terms of automated state enforcement for application deployments — and if you’re not, our guide on GitHub CI/CD automation is worth reading — apply that same discipline to infrastructure configuration. Ship a known-good state, detect deviation, remediate fast.

Pair DSC enforcement with your SIEM. When a server drifts from its security baseline outside a change window, that’s a detection signal worth investigating — not just a configuration problem to silently fix. Unexpected changes to firewall rules, disabled audit policies, or modified registry security settings can indicate active intrusion. We covered how to build that detection discipline in our SOC readiness audit guide.

Backup Integrity Is Part of Your Hardening Posture

Hardening reduces your attack surface. It doesn’t eliminate it. For production Windows Server environments — especially those running Active Directory, file services, or business-critical applications — your backup chain is part of your security posture. A well-hardened server that gets hit by ransomware with no viable recovery path is just a faster route to a prolonged outage and a difficult conversation with the business.

We’ve deployed immutable backup targets for clients using Veeam Cloud Connect repositories — offsite storage tiers that ransomware cannot reach even with domain admin credentials, because the backup infrastructure sits outside the domain trust boundary. Immutability in the backup chain is a hardening control, not just an operational best practice. If attackers compromise your domain, your backups should remain outside their blast radius.

The Practical Takeaway

Windows Server hardening is not a project with a completion date. It’s an operational discipline. Here’s the sequenced starting point for environments being hardened from scratch or inherited from a previous vendor:

1. Download the Microsoft Security Compliance Toolkit. Run Policy Analyzer against your current GPOs before touching anything. Understand the delta.
2. Disable SMBv1, TLS 1.0, TLS 1.1, and any cipher suites using RC4, DES, or 3DES. These are zero-controversy cuts with no legitimate reason to leave them enabled.
3. Audit Kerberos encryption types and NTLM usage. Remediate legacy dependencies, then enable Credential Guard on all qualifying hardware.
4. Review UAC configuration — Admin Approval Mode on, elevation prompt behavior set to credential prompt, automatic elevation disabled.
5. Configure WDFW to default-deny inbound on all profiles. Push rules via GPO. Evaluate IPsec server isolation for high-sensitivity tiers.
6. Enable SMB signing on all file servers. Evaluate SMB encryption based on performance testing for your specific workloads.
7. Codify the target state in PowerShell DSC. Treat configuration drift as a detection signal, not just a maintenance item.

If you’ve got an environment that needs a hardening assessment or a baseline rollout to plan, reach out to us at SSE. We’ve run this process across environments ranging from small business file servers to government contractor Active Directory forests — the methodology scales, but the sequencing and pre-change testing discipline is what separates a clean rollout from a 2AM incident call.