Created
March 2, 2026 07:50
Gist: spinningcat/7bcd7fa1f79ec4033a42edde42840f95
| Apply Windows Security Baseline | |
| https://learn.microsoft.com/zh-tw/windows-server/security/osconfig/osconfig-how-to-configure-security-baselines?tabs=online%2Cconfigure | |
| https://learn.microsoft.com/zh-tw/windows-server/security/osconfig/osconfig-how-to-configure-app-control-for-business?tabs=configure%2Cview | |
| https://learn.microsoft.com/zh-cn/windows-server/security/osconfig/osconfig-how-to-configure-security-baselines?tabs=online%2Cconfigure | |
| https://techcommunity.microsoft.com/blog/windows-admin-center-blog/strengthening-your-security-posture-with-windows-admin-center/4389082 | |
| Harden User Accounts and Authentication | |
| Disable or rename default accounts: Disable the Guest account immediately. Disable the built-in Administrator account and create a dedicated, LAPS-managed admin account instead. Renaming it is only a speed bump: the account keeps the well-known RID 500 and can still be enumerated by SID, so treat renaming as defence in depth rather than a control on its own. | |
| https://www.upguard.com/blog/the-windows-server-hardening-checklist | |
| https://netwrix.com/en/resources/guides/windows-server-hardening-checklist/?cID=70170000000kgFh | |
| Enforce strong password policies: Configure password complexity, length (a minimum of 14 characters is a strong benchmark), and history. | |
| https://www.tenable.com/audits/CIS_Microsoft_Windows_Server_2025_v1.0.0_L1_DC | |
| Set an account lockout policy (e.g., 3-5 invalid attempts) to slow brute-force attacks. Lockout does not stop low-and-slow password spraying, so pair it with the password length requirement above and with logon auditing. | |
| https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/16-0-1/Install-DLP/post-installation-tasks-v15632229-d279e10401/about-post-installation-security-configuration-v15632391-d279e10427/windows-administrative-security-settings-v15632498-d279e11405.html | |
| Implement Windows LAPS: Use the Windows Local Administrator Password Solution (LAPS) to automatically manage and rotate the password of local administrator accounts on domain-joined servers, so that no two servers share a local admin password. | |
| https://techcommunity.microsoft.com/blog/windows-admin-center-blog/strengthening-your-security-posture-with-windows-admin-center/4389082 | |
| Configure System and Network Settings | |
| Reduce the attack surface by stripping away unnecessary components and locking down communications. | |
| • Remove unused roles and features: Only install the Windows roles and features required for the server's function. Every extra service is a potential entry point for an attacker. | |
| • Use only SMB 3.x: Uninstall the SMBv1 feature entirely (a protocol toggle alone leaves the binaries in place) and require SMB signing so SMB2/3 sessions cannot be relayed or tampered with. | |
| ◦ Require TLS 1.2 or higher for encrypted communications; disable TLS 1.0/1.1 in SCHANNEL for both the server and the client side. | |
| ◦ Disable older protocols like NetBIOS over TCP/IP and LMHOSTS lookup if they are not required. | |
| • Secure time synchronization (NTP): Ensure all servers sync time with a reliable source. Kerberos authentication fails if the clock skew between client and KDC exceeds the 5-minute default (MaxClockSkew), and bad timestamps also make log correlation unreliable. | |
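The following script is an added example (not part of the original gist) that applies and verifies the SMB, TLS, NetBIOS and time-sync items listed above on a Windows Server host. It assumes Windows Server 2019 or later (where the SMBv1 feature is named FS-SMB1) and uses the placeholder NTP source time.corp.example. Run it from an elevated PowerShell prompt; the SCHANNEL change takes effect for new connections, the NetBIOS change after the adapter re-binds.

```powershell
# Added example: harden SMB, TLS, NetBIOS and time sync on Windows Server.
# Placeholders: 'time.corp.example' is an assumed NTP source.

# 1. SMB: remove the SMBv1 feature entirely (not just the protocol toggle) and
#    require signing so SMB2/3 sessions cannot be relayed or tampered with.
if ((Get-WindowsFeature -Name FS-SMB1).Installed) {
    Uninstall-WindowsFeature -Name FS-SMB1 -Restart:$false
}
Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# 2. TLS: disable TLS 1.0/1.1 for both the server and client side of SCHANNEL.
#    Each protocol has a Server and a Client subkey; Enabled=0 plus
#    DisabledByDefault=1 turns it off for every application that uses SCHANNEL.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $schannel "$proto\$side"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
        Set-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -Type DWord
    }
}

# 3. NetBIOS over TCP/IP: option 2 = disabled, on every adapter that has TCP/IP bound.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $_ | Invoke-CimMethod -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
    }

# 4. Time: domain members should keep the default NT5DS (sync from the DC
#    hierarchy); only standalone hosts (or the PDC emulator) need a manual peer.
if (-not (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    w32tm /config /manualpeerlist:"time.corp.example,0x8" /syncfromflags:manual /update | Out-Null
    w32tm /resync | Out-Null
}
# Kerberos tolerates 5 minutes of skew by default; an offset anywhere near that is a finding.
$status = w32tm /query /status
"Time source: $(w32tm /query /source)"
"Clock offset: $(($status | Select-String 'Phase Offset').ToString().Trim())"
```

The SMB server setting is the one that matters for relay: with RequireSecuritySignature on, a captured NTLM exchange cannot be replayed to this host's SMB service. Test the TLS change against any application that still talks to legacy endpoints before rolling it out through Group Policy.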
| Configure the Firewall and Control Access | |
| Control the flow of traffic to and from your server. | |
| • Enable and configure Windows Firewall: Turn on the firewall for all profiles (Domain, Private, Public), set the default inbound action to Block, and log dropped packets so blocked scans are visible. | |
| • Open only necessary ports: Only allow traffic on ports required for the server's role (e.g., ports 80 and 443 for a web server). Restrict all other ports. | |
| • Secure Remote Desktop (RDP): | |
| ◦ Do not expose RDP directly to the internet. If remote access is needed, require a VPN or a remote-access gateway first. | |
| ◦ Restrict RDP access to specific, authorized users (one AD group in Remote Desktop Users) and, ideally, to specific source IP ranges in the firewall rule. | |
| ◦ Require Network Level Authentication, set the security layer to TLS, and set the connection encryption level to High. | |
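Here is an added example (not from the original gist) of the firewall part of this section: default-deny inbound on every profile, only the role's ports open, and RDP reachable solely from a management subnet. It assumes a web server role and the placeholder management network 10.10.99.0/24; adjust both for the real role. Run it elevated, from a console session or from the management network itself, because the built-in RDP rule is disabled before the scoped one is added.

```powershell
# Added example: default-deny inbound firewall with role ports and scoped RDP.
# Placeholder: 10.10.99.0/24 is the assumed management network.
$mgmtNet = '10.10.99.0/24'

# Firewall on for every profile, inbound blocked by default, drops logged.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Role ports: HTTP/HTTPS from anywhere (web server example).
New-NetFirewallRule -DisplayName 'Web: HTTP/HTTPS inbound' -Direction Inbound `
    -Protocol TCP -LocalPort 80, 443 -Action Allow -Profile Domain, Private

# RDP: the built-in 'Remote Desktop' rule group allows any source, so disable it
# and add one rule scoped to the management network on the Domain profile only.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
New-NetFirewallRule -DisplayName 'RDP from management net only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $mgmtNet -Action Allow -Profile Domain

# Verify: every enabled inbound allow rule that is not scoped to a source address.
# This is the list to review against the server's role; each entry needs a reason.
function Get-UnscopedInboundRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        $port = ($_ | Get-NetFirewallPortFilter).LocalPort
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Port   = ($port -join ',')
            Remote = ($addr -join ',')
        }
    } | Where-Object Remote -eq 'Any'
}
Get-UnscopedInboundRules | Format-Table -AutoSize
```

The verification function is the part worth keeping: run it periodically (or from your baseline-drift tool) and diff the output, since a new role or an installer that "helpfully" opens a port shows up there immediately.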
| Manage Services and Applications | |
| Control what runs on the server. | |
| • Disable unnecessary services: Review the list of running services and disable any that are not essential for the server's operation. This minimizes background processes that could be exploited. | |
| • Limit application installation: Do not install web browsers or other general productivity software on a server. Keep it dedicated to its server role. | |
| • Run services with least privilege: Where possible, configure services to run under dedicated, limited-privilege service accounts (ideally group Managed Service Accounts) instead of LocalSystem or domain admin accounts. | |
| Enable Logging and Monitoring | |
| You cannot secure what you cannot see. Comprehensive logging is vital for detecting and investigating incidents. | |
| • Configure advanced audit policies: Go beyond default logging. Enable auditing for critical events like account logon, account management, object access, and policy change (both success and failure), and enable process creation auditing with command-line logging (event 4688). | |
| • Centralize log management: Forward security logs to a central Security Information and Event Management (SIEM) system or a dedicated log collector for easier analysis and alerting, and so that an attacker who clears the local log does not erase the evidence. | |
| • Monitor for baseline drift: Use tools to continuously compare the server's configuration against your defined security baseline and alert on any unauthorized changes. | |
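As an added example (not part of the original gist), the script below turns on the advanced audit subcategories named above, adds command-line logging to process creation events, confirms the policy took effect, and enlarges the Security log so it does not roll over before a collector has forwarded it. Log forwarding itself (a WEF subscription or a SIEM agent) is assumed to be configured separately. The subcategory names are the ones `auditpol /list /subcategory:*` prints.

```powershell
# Added example: enable advanced audit policy, command-line logging and a
# Security log large enough to survive until it is forwarded. Run elevated.

$subcats = @(
    'Logon', 'Logoff', 'Account Lockout',                         # Logon/Logoff
    'Credential Validation', 'Kerberos Authentication Service',   # Account Logon
    'User Account Management', 'Security Group Management',       # Account Management
    'Audit Policy Change', 'Authentication Policy Change',        # Policy Change
    'Process Creation',                                           # Detailed Tracking
    'Removable Storage', 'File Share'                             # Object Access
)
foreach ($s in $subcats) {
    auditpol /set "/subcategory:$s" /success:enable /failure:enable | Out-Null
}

# Event 4688 is only useful with the command line included.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# Verify: auditpol's /r switch emits CSV, so the effective policy can be compared
# against the requested list instead of read by eye.
function Get-AuditPolicyGaps {
    $report = auditpol /get /category:* /r | ConvertFrom-Csv
    $report |
        Where-Object { $subcats -contains $_.Subcategory -and $_.'Inclusion Setting' -ne 'Success and Failure' } |
        Select-Object Subcategory, 'Inclusion Setting'
}
$gaps = Get-AuditPolicyGaps
if ($gaps) { $gaps | Format-Table -AutoSize } else { 'All requested subcategories audit Success and Failure.' }

# Security log size: 4688 + 4624 volume fills the 20 MB default in minutes on a
# busy server. 1 GiB is a reasonable floor when the log is forwarded centrally.
wevtutil sl Security /ms:1073741824
wevtutil gl Security | Select-String 'maxSize'
```

A deliberately narrow list is used here because auditing every subcategory, in particular Object Access on file servers, generates far more noise than signal; expand it per role, and make sure whatever you enable is actually being shipped off the host.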
| Establish a Routine Maintenance Plan | |
| Security is an ongoing process, not a one-time setup. | |
| • Regularly apply patches: Implement a process to regularly install security updates. This is one of the most critical steps. Use Windows Server Update Services (WSUS) to test and approve updates before deploying them to production. | |
| • Conduct regular vulnerability scans: Periodically scan your servers with vulnerability management tools to identify missing patches and misconfigurations. | |
| • Review and update: Regularly review user accounts, group memberships, and open ports to ensure they are still necessary and correctly configured. | |
| Additional References and Industry Standards | |
| For even more detailed guidance, you can refer to these established industry standards: | |
| • Center for Internet Security (CIS) Benchmarks: These are globally recognized best practices for securing IT systems and data. You can find specific benchmarks for different versions of Windows Server. | |
| • Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs): These are extremely detailed configuration guides developed by the US Department of Defense. | |
| I hope this checklist provides a solid foundation for securing your Windows Server. Do you have a specific version of Windows Server in mind (e.g., 2019, 2022, 2025)? Knowing the version could help in finding more targeted guidance. | |
| ------------------------------------------------------------------------------------------------------------------------------- | |
| 1. Physical & Hardware-Level Security | |
| Your OS settings won't matter if someone can walk away with the drive or tamper with the boot process. | |
| • Enable BitLocker Drive Encryption: Even in a virtualized environment, BitLocker protects against "offline" attacks on the disk or disk image. Use a TPM 2.0 (Trusted Platform Module), physical or virtual, for hardware-based key storage. | |
| • Enable Secure Boot and Kernel DMA Protection: Secure Boot stops unsigned bootloaders and bootkits from loading during the boot sequence; Kernel DMA Protection blocks memory access from hot-pluggable PCIe/Thunderbolt devices until the OS has authorized them. | |
| • Disable Unused Hardware: In the BIOS/UEFI or Device Manager, disable any ports you don't use (COM ports, LPT, or even USB in a high-security environment). | |
| 2. Advanced Identity & Privilege Management | |
| You've got LAPS and password policies, but modern attackers often bypass those by stealing tokens or password hashes rather than guessing passwords. | |
| • Implement Just-Enough Administration (JEA): Instead of giving an admin full Domain Admin rights just to reset a password, use JEA to create a restricted PowerShell endpoint that only allows specific commands. | |
| • Deploy Privileged Access Workstations (PAW): Never log into a high-security server from a machine that is used for daily tasks like reading email or browsing the web. Admins should use a dedicated, hardened workstation for server management. | |
| • Disable Print Spooler (the "PrintNightmare" rule): Unless the server is literally a print server, disable the Print Spooler service. It runs as SYSTEM and has been a recurring source of critical vulnerabilities since PrintNightmare in 2021. | |
| 3. Hardening PowerShell | |
| PowerShell is an admin's best friend and an attacker's favorite weapon. | |
| • Constrained Language Mode (CLM): Restricts PowerShell to core language features and blocks arbitrary .NET, COM and Add-Type access, which breaks most in-memory PowerShell tooling. CLM is only meaningful when it is enforced by an application control policy (WDAC or AppLocker); set on its own it is trivially bypassed. | |
| • Script Block Logging (Event ID 4104): Enable this to record every script block the engine executes. Because the block is logged after the engine has parsed it, obfuscated code is captured in the form it actually ran. | |
| 4. Modern Threat Defense (EDR) | |
| Standard Antivirus isn't enough anymore because it looks for "files," while modern attacks happen "in-memory." | |
| • Enable Attack Surface Reduction (ASR) Rules: If you use Microsoft Defender, ASR rules can block specific behaviors, like preventing Office apps from creating child processes or blocking credential stealing from the Windows Local Security Authority (lsass.exe). | |
| • EDR (Endpoint Detection and Response): Ensure you are using a tool (like Defender for Business/Server) that monitors behavior and can automatically isolate a server from the network if it starts acting suspiciously. | |
| Quick Reference: The "High Impact" Checklist | |
| Feature / Why it matters / Difficulty | |
| BitLocker: protects data at rest (physical theft). Difficulty: Medium | |
| Disable Print Spooler: closes a large, recurring security hole. Difficulty: Easy | |
| JEA (Just Enough Admin): limits what a compromised admin account can do. Difficulty: Hard | |
| ASR Rules: blocks common attacker techniques before they start. Difficulty: Medium | |
| Pro-Tip: Don't forget the "Human" Baseline | |
| Make sure you have a documented decommissioning process. Many servers are hardened perfectly at birth, but five years later they become "zombie servers", unpatched and forgotten, providing a perfect backdoor for attackers. | |
| ------------------------------------------------------------------------------------------------------------------------------- | |
| If you are running Windows Server 2022 or 2025, TPM 2.0 isn't just a suggestion; it's practically a requirement for the modern security features you've already listed. | |
| Why TPM is Critical for Hardening | |
| 1. BitLocker Key Sealing | |
| Without a TPM, BitLocker keeps its volume master key behind a startup key on a USB drive or a pre-boot password; a copied USB stick or a shoulder-surfed password is enough to unlock the disk. With a TPM, the key is "sealed" to the hardware and to the measured boot state. If the drive is moved to a different machine or the firmware or bootloader has been tampered with, the TPM refuses to release the key and the server drops to the recovery screen. (A cold-boot attack on RAM is a different threat: once Windows has booted, the key is in memory regardless of the TPM, which is why TPM+PIN and hibernation matter for systems at risk of physical access.) | |
| 2. Measured Boot (Attestation) | |
| The TPM records "measurements" (hashes) of every stage of the boot process (firmware, bootloader, drivers) into its Platform Configuration Registers. | |
| • If a piece of malware (like a bootkit) modifies the boot sequence, the measurements won't match. | |
| • The TPM then refuses to unseal secrets such as the BitLocker key, and a remote attestation service (for example Device Health Attestation) can compare the TPM-signed measurement log against a known-good baseline and alert your monitoring system that the server's integrity is compromised. The TPM itself never alerts anyone; it only withholds keys. | |
| 3. Guarding the "Crown Jewels" (VBS & Credential Guard) | |
| Modern Windows security uses Virtualization-Based Security (VBS) to create an isolated memory space that even the OS kernel can't touch. | |
| • Credential Guard: Moves the LSA secrets (NTLM hashes, Kerberos keys and tickets) into this isolated process (LSAIso), so even SYSTEM on the host cannot read them. | |
| • TPM Role: The TPM, together with Secure Boot, anchors the measured boot chain that VBS relies on and seals Credential Guard's persistent key; with "UEFI lock" the configuration cannot be switched off without physical access to the firmware. Without a TPM the features still run, but an attacker with admin rights and a reboot can disable them. | |
| TPM 1.2 vs. TPM 2.0 | |
| If you are repurposing older hardware, you might encounter TPM 1.2. Here is why you should push for 2.0: | |
| Feature / TPM 1.2 / TPM 2.0 | |
| Algorithms: TPM 1.2 is fixed (SHA-1 and RSA only); TPM 2.0 is crypto-agile (SHA-256, ECC, and more). | |
| Security: TPM 1.2 depends on SHA-1, which is deprecated; TPM 2.0 supports current cryptographic standards. | |
| Windows Support: TPM 1.2 gives basic features only. TPM 2.0 is required by Windows 11 and by Secured-core server; Windows Server 2022/2025 install without a TPM, but need 2.0 for features such as Credential Guard with UEFI lock, Kernel DMA Protection and BitLocker auto-unlock with modern defaults. | |
| Virtual TPM (vTPM) | |
| If your Windows Server is a Virtual Machine (VM), it has no direct access to the physical TPM chip on the host. You must give it a virtual TPM: vTPM in Hyper-V (Generation 2 VMs only) or a Virtual Trusted Platform Module in VMware (which requires an encrypted VM and a key provider). | |
| • Hyper-V: Enable "Trusted Platform Module" under Security > Encryption Support in the VM settings, which needs a key protector on the host; Shielded VMs go further by having a Host Guardian Service hold that key so host admins cannot read the VM's TPM state. | |
| • Security Note: A vTPM is only as trustworthy as the host. If the host is compromised, the vTPM's state (and therefore the BitLocker key it seals) can be extracted unless the key protector lives in HGS. | |
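The following is an added example (not from the original gist) of giving a Generation 2 Hyper-V guest a vTPM and Secure Boot from the host, then confirming both. The VM name SRV01 is a placeholder. It uses a local key protector, which is acceptable for a lab; in production the key protector should come from a Host Guardian Service so that someone with host admin rights cannot decrypt the vTPM state, which is exactly the caveat in the Security Note above.

```powershell
# Added example: enable vTPM and Secure Boot on a Gen 2 Hyper-V VM (run on the host).
# Placeholder: 'SRV01'. Local key protector = lab only; use HGS in production.
$vm = 'SRV01'

if ((Get-VM -Name $vm).Generation -ne 2) { throw "$vm must be a Generation 2 VM for vTPM and Secure Boot" }
Stop-VM -Name $vm -ErrorAction SilentlyContinue

# A key protector must exist before the TPM can be enabled; it encrypts the vTPM state.
Set-VMKeyProtector -VMName $vm -NewLocalKeyProtector
Enable-VMTPM -VMName $vm

# Secure Boot with the Windows template so the guest measures a signed boot chain.
Set-VMFirmware -VMName $vm -EnableSecureBoot On -SecureBootTemplate 'MicrosoftWindows'

# Verify from the host. Inside the guest, Get-Tpm should then report TpmPresent = True.
function Get-VmSecurityPosture {
    param([string]$Name)
    $sec = Get-VMSecurity -VMName $Name
    $fw  = Get-VMFirmware -VMName $Name
    [pscustomobject]@{
        VM                 = $Name
        TpmEnabled         = $sec.TpmEnabled
        Shielded           = $sec.Shielded
        EncryptStateTraffic = $sec.EncryptStateAndVmMigrationTraffic
        SecureBoot         = $fw.SecureBoot
        SecureBootTemplate = $fw.SecureBootTemplate
    }
}
Get-VmSecurityPosture -Name $vm | Format-List
Start-VM -Name $vm
```

Shielded shows False here because only a local key protector was used; moving to HGS-backed shielding is what turns that to True and removes the "host admin can read everything" problem.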
| Quick Audit: Is your TPM active? | |
| You can quickly check the status of your TPM by running this command in an elevated PowerShell prompt: | |
| PowerShell | |
| Get-Tpm | |
| • TpmPresent: Should be True | |
| • TpmReady: Should be True | |
| • TpmEnabled: Should be True | |
| [!IMPORTANT] | |
| A Warning on "Clearing" TPM: If you ever "Clear" the TPM via BIOS, you will lose the keys stored inside. If your drive is encrypted with BitLocker and you don't have the recovery key, your data is gone forever. Always back up recovery keys to Active Directory or a secure vault. | |
| -------------------------------------------------------------------------------------------------------------------------------- | |
| They don't just "get along"; they are essentially a match made in security heaven. In a standard Windows setup, BitLocker relies on the TPM to act as its high-security "key valet". | |
| Here is exactly how they work together and why it's the gold standard for disk encryption. | |
| 1. The "Sealing" Process | |
| When you enable BitLocker with a TPM, the encryption keys are "sealed" into the TPM chip. | |
| The TPM doesn't just hand over the key to anyone who asks. It first checks the "health" of the computer using PCRs (Platform Configuration Registers). These are memory slots in the TPM that record measurements of the BIOS/UEFI, the bootloader, and the partition table. | |
| • If everything matches: The TPM "unseals" the key and hands it to BitLocker. The OS boots automatically. | |
| • If something changed (e.g., someone tried to boot from a Linux USB to bypass the password, or moved the hard drive to a different machine), the PCR measurements won't match. The TPM refuses to release the key, and Windows stays locked behind a Recovery Key screen. | |
| 2. Why Use Them Together? | |
| Feature / BitLocker WITHOUT TPM / BitLocker WITH TPM | |
| Startup Experience: without TPM, requires a USB stick or a password every time you turn it on; with TPM, "transparent" boot that feels like a normal computer until it's stolen. | |
| Integrity Check: without TPM, only encrypts the data and cannot tell if the firmware was tampered with; with TPM, hardware-verified, blocking access if the boot path is modified. | |
| Theft Protection: without TPM, someone who steals the machine plus the USB stick is in; with TPM, the key lives in a chip on the motherboard and cannot be extracted by software. Caveat: on a discrete TPM the key crosses the SPI/LPC bus in the clear at boot, and bus-sniffing attacks against TPM-only BitLocker have been demonstrated, which is another reason to add a PIN. | |
| 3. The "Pro" Move: TPM + PIN | |
| While "transparent TPM" (no password at boot) is convenient, it is vulnerable to DMA attacks at the logon screen and to someone simply taking the machine while it's in Sleep mode, because in both cases the volume key is already in RAM. | |
| For high-security servers or sensitive laptops, you should use TPM + PIN. | |
| • The TPM ensures the hardware hasn't been tampered with. | |
| • The PIN ensures the person sitting at the desk is actually you. | |
| • Even if a hacker steals the hardware and knows your Windows password, they can't get past the pre-boot PIN screen to even start the OS. | |
| 4. How to Check the "Bond" | |
| You can see if BitLocker is successfully using your TPM by running this in an Admin command prompt: | |
| cmd | |
| manage-bde -status | |
| Look for "Key Protectors". If it says "TPM", they are working together. If it says "Numerical Password" or "External Key", you aren't getting the full hardware-protection benefits. | |
| 5. Potential "Friction" (What to watch out for) | |
| They get along great, but a few things can "upset" the relationship: | |
| • BIOS Updates: Updating your server's firmware changes the "measurements". This often triggers BitLocker Recovery mode. Always suspend BitLocker protection before a BIOS/firmware update. | |
| • Motherboard Failure: Since the key is in the TPM (on the motherboard), if the board dies, the key dies with it. This is why backing up your 48-digit Recovery Key is non-negotiable. | |
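The script below is an added example (not part of the original gist) that ties together the "Quick Audit", the "How to Check the Bond" and the "Friction" points: it reports every volume's key protectors, makes sure a recovery password exists and is escrowed in Active Directory before anything else changes, upgrades the OS volume from TPM-only to TPM+PIN, and shows the suspend step for a firmware update. It assumes a domain-joined server with the BitLocker feature installed and the AD recovery-key backup policy in place (otherwise Backup-BitLockerKeyProtector fails); the PIN is entered interactively.

```powershell
# Added example: BitLocker protector audit, AD escrow, TPM+PIN upgrade, firmware-update suspend.
# Assumes: BitLocker feature installed, domain-joined, AD key backup policy enabled. Run elevated.
if (-not (Get-WindowsFeature -Name BitLocker).Installed) { throw 'Install-WindowsFeature BitLocker first' }
$osVol = $env:SystemDrive

function Get-BitLockerProtectorReport {
    # One row per volume: which protector types guard the volume master key.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Volume     = $_.MountPoint
            Status     = $_.ProtectionStatus
            Encryption = $_.EncryptionMethod
            Protectors = ($_.KeyProtector.KeyProtectorType -join ', ')
        }
    }
}
Get-BitLockerProtectorReport | Format-Table -AutoSize

# 1. Recovery password first: it is the only way back in once protectors change.
$os = Get-BitLockerVolume -MountPoint $osVol
if ($os.KeyProtector.KeyProtectorType -notcontains 'RecoveryPassword') {
    Add-BitLockerKeyProtector -MountPoint $osVol -RecoveryPasswordProtector | Out-Null
    $os = Get-BitLockerVolume -MountPoint $osVol
}
$rp = $os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
Backup-BitLockerKeyProtector -MountPoint $osVol -KeyProtectorId $rp.KeyProtectorId | Out-Null

# 2. A volume whose only hardware protector is 'Tpm' boots transparently; the VMK
#    sits in RAM at the logon screen and a discrete TPM's bus can be sniffed.
#    Replace it with TPM+PIN. Leaving the plain TPM protector in place would make
#    the PIN optional, so remove it after the new protector exists.
if ($os.KeyProtector.KeyProtectorType -contains 'Tpm' -and
    $os.KeyProtector.KeyProtectorType -notcontains 'TpmPin') {
    $pin = Read-Host -AsSecureString 'Pre-boot PIN (6-20 digits)'
    Add-BitLockerKeyProtector -MountPoint $osVol -TpmAndPinProtector -Pin $pin | Out-Null
    $os.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $osVol -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
}
Get-BitLockerProtectorReport | Where-Object Volume -eq $osVol

# 3. Firmware update routine: suspend for exactly one reboot. The VMK is stored
#    clear-keyed across the PCR change and protection resumes automatically, so
#    there is no window where someone forgets to run Resume-BitLocker.
Suspend-BitLocker -MountPoint $osVol -RebootCount 1 | Out-Null
# ... apply the BIOS/UEFI update and reboot here.
```

The "Status" column from the report is the same information `manage-bde -status` shows; the difference is that the PowerShell object can be diffed by your drift monitoring, so a volume that silently drops to Numerical Password or ExternalKey only is caught.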
| -------------------------------------------------------------------------------------------------------------------------------- | |
| Think of it like this: BitLocker is the vault door, and Windows Login is the security guard standing behind it. | |
| 1. The "Offline" Scenario (The Drive is Stolen) | |
| If an attacker takes the hard drive out of your server and puts it into their own machine: | |
| • Result: The files are inaccessible without the 48-digit recovery password. | |
| • Why: The attacker's machine doesn't have the TPM that holds the key, so the volume stays ciphertext. This is where TPM + BitLocker is most powerful. | |
| 2. The "At the Login Screen" Scenario (The Server is Powered On) | |
| This is where people get confused. When you turn the server on and it reaches the Windows Login screen: | |
| • The "Vault" is Unlocked: Because the TPM saw that the hardware and boot path were unchanged, it released the key to the boot loader. Windows can then read the drive (data is decrypted on the fly in memory; the disk itself stays encrypted). | |
| • The "Guard" is on Duty: Even though the volume key is loaded, the Windows logon screen prevents anyone from seeing the files. | |
| • The Risk: Because the key is in RAM while the machine sits at the logon screen, an attacker with physical access can attempt a DMA attack (Direct Memory Access) over Thunderbolt, PCIe or other DMA-capable ports to read the key out of memory. Kernel DMA Protection and disabling unused ports reduce this risk; TPM+PIN removes it for the pre-boot window entirely. | |
| 3. How to make it "Impossible" to access | |
| If you want to ensure that even a genius hacker with special hardware cannot access the files before a login, you need to add a Pre-Boot Protector. | |
| Protector / How it works / Security Level | |
| TPM Only: boots automatically to the logon screen. Good (protects against drive theft). | |
| TPM + PIN: the server asks for a pre-boot PIN (6-20 digits by default; policy can set the minimum anywhere from 4 to 20, and "enhanced PINs" allow letters) before Windows even starts. Best (the drive stays locked until the PIN is entered). | |
| [!TIP] | |
| Use "Hibernate" instead of "Sleep": When a server or laptop is in Sleep, the BitLocker key stays in RAM (vulnerable). When it is in Hibernate or shut down, the key is gone from RAM and the TPM must unseal it again at the next boot. For high-security systems, disable Sleep. | |
| Summary: Can they access the files? | |
| • If they steal the drive? No. | |
| • If they steal the whole server while it's OFF? No (not without the PIN, or, on a TPM-only system, the Windows password). | |
| • If they find the server ON at the logon screen? They can't see the files easily, but the "vault door" is technically open, and they are only being stopped by the Windows password. | |
| 1. Enable Virtualization-Based Security (VBS) & Credential Guard | |
| You mentioned TPM and BitLocker β great. The natural next step is enabling: | |
| • Credential Guard | |
| • Hypervisor-Protected Code Integrity (HVCI) | |
| • Full VBS | |
| These move the LSA secrets (hashes, Kerberos keys) and the kernel code-integrity checks into an isolated virtual trust level that the normal kernel, and therefore malware running as SYSTEM, cannot read. | |
| Why this matters | |
| Modern attacks (Pass-the-Hash, Mimikatz) target LSASS memory. Credential Guard blocks this at the OS architecture level. | |
| Check status: | |
| Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | |
| For Windows Server 2022+, this should be part of your baseline unless you have legacy compatibility issues. | |
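An added example (not from the original gist) that decodes the Win32_DeviceGuard result above into yes/no answers instead of raw codes, and then enables VBS, HVCI and Credential Guard by writing the same registry values the corresponding Group Policy settings write. It assumes a host with TPM 2.0 and Secure Boot on; a reboot is required before the enable step takes effect. The code meanings are Microsoft's documented ones for this WMI class.

```powershell
# Added example: decode VBS/Credential Guard/HVCI state, then enable them. Run elevated.

function Get-VbsStatus {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
    # SecurityServicesRunning codes: 1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch.
    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running.
    [pscustomobject]@{
        VbsRunning         = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardOn  = ($dg.SecurityServicesRunning -contains 1)
        HvciOn             = ($dg.SecurityServicesRunning -contains 2)
        ConfiguredServices = ($dg.SecurityServicesConfigured -join ',')
        RequiredProps      = ($dg.RequiredSecurityProperties -join ',')
        AvailableProps     = ($dg.AvailableSecurityProperties -join ',')
    }
}
'Before:'; Get-VbsStatus

# Mirror the 'Turn On Virtualization Based Security' policy.
$dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
New-Item -Path $dgKey -Force | Out-Null
Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
# 1 = Secure Boot; 3 = Secure Boot and DMA protection as required platform features.
Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -Value 3 -Type DWord

# HVCI (Memory Integrity). Locked=1 stores the setting in a UEFI variable so an
# attacker with admin rights cannot turn it off with a registry change and a reboot.
$hvci = Join-Path $dgKey 'Scenarios\HypervisorEnforcedCodeIntegrity'
New-Item -Path $hvci -Force | Out-Null
Set-ItemProperty -Path $hvci -Name Enabled -Value 1 -Type DWord
Set-ItemProperty -Path $hvci -Name Locked  -Value 1 -Type DWord

# Credential Guard: LsaCfgFlags 1 = enabled with UEFI lock, 2 = enabled without lock.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -Value 1 -Type DWord

'Reboot, then run Get-VbsStatus again: VbsRunning, CredentialGuardOn and HvciOn should all be True.'
```

If CredentialGuardOn stays False after the reboot, compare RequiredProps with AvailableProps: a required property (for example DMA protection, code 3) that the platform does not offer keeps VBS from starting. Also check that no legacy agent still needs NTLMv1 or unconstrained delegation, which Credential Guard blocks by design.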
| 2. Disable NTLM Where Possible (Move Toward Kerberos-Only) | |
| NTLM is legacy and heavily abused. | |
| Add to checklist: | |
| • Audit NTLM usage | |
| • Restrict NTLM via GPO | |
| • Disable LM & NTLMv1 entirely | |
| • Enforce SMB signing | |
| Why? | |
| Pass-the-Hash attacks rely on NTLM. | |
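The script below is an added example (not from the original gist) of the audit-then-restrict sequence this section calls for: it raises LmCompatibilityLevel to 5 (NTLMv2 only, LM and NTLMv1 refused), turns on NTLM auditing without blocking anything yet, enforces SMB signing, and then summarises who is still authenticating with NTLM from the audit log so the restriction can be enforced without an outage. It assumes it is run elevated on a domain member or DC, and that the NTLM operational log has had a few days to fill before the summary is read. The event data field names are the ones used by events 8001-8004 in the Microsoft-Windows-NTLM/Operational channel.

```powershell
# Added example: LM/NTLMv1 off, NTLM auditing on, SMB signing required, NTLM usage summary.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = Join-Path $lsa 'MSV1_0'
New-Item -Path $msv10 -Force | Out-Null

# LmCompatibilityLevel 5: send NTLMv2 only; DCs refuse LM and NTLMv1. NoLMHash stops
# the LM hash being stored at the next password change.
Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord

# Audit only, no blocking yet: incoming (2 = all accounts) and outgoing (1 = audit).
Set-ItemProperty -Path $msv10 -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
Set-ItemProperty -Path $msv10 -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
# On a domain controller (ProductType 2) also audit domain-wide NTLM logons (7 = all).
if ((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 2) {
    Set-ItemProperty -Path $msv10 -Name AuditNTLMInDomain -Value 7 -Type DWord
}

# SMB signing on both sides, so a captured NTLM exchange cannot be relayed to SMB.
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

function Get-NtlmUsageSummary {
    param([int]$Days = 7, [int]$Top = 25)
    # 8001/8002 = outgoing/incoming NTLM on this host, 8003 = NTLM from a domain
    # account to a local resource, 8004 (DC only) = domain NTLM logon with the target server.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Id          = $_.Id
            Account     = "$($d['DomainName'])\$($d['UserName'])"
            Workstation = $d['WorkstationName']
            Target      = $d['TargetName']
            Process     = $d['ProcessName']
        }
    } | Group-Object Id, Account, Workstation, Target, Process |
        Sort-Object Count -Descending |
        Select-Object Count, Name -First $Top
}
Get-NtlmUsageSummary | Format-Table -AutoSize
```

Every row in the summary is a client, service or appliance that will break when RestrictReceivingNTLMTraffic/RestrictSendingNTLMTraffic move to 2 (deny). Fix them first (SPNs for Kerberos, hostnames instead of IP addresses, updated agents), then flip the values to deny; the audit events keep flowing, so a missed dependency shows up as a new row rather than as a helpdesk ticket.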
| 3. Protected Users & Tiered Admin Model | |
| If this is a domain environment: | |
| Implement: | |
| • Protected Users group | |
| • Tiered administration model (Tier 0 / 1 / 2 separation) | |
| • Separate admin accounts from user accounts (no dual-use accounts) | |
| Never allow Domain Admin accounts to: | |
| • Browse the web | |
| • Check email | |
| • Log into workstations | |
| This dramatically reduces ransomware blast radius. | |
| 4. Disable Legacy & High-Risk Features (Often Forgotten) | |
| Add these explicitly: | |
| • SMBv1 (fully remove the feature) | |
| • WebDAV if unused | |
| • Windows Script Host (if not needed) | |
| • Remote Registry service | |
| • LLMNR | |
| • WPAD (if not required) | |
| LLMNR + NTLM = credential capture paradise. | |
| 5. Application Control (Not Just ASR) | |
| You mentioned ASR (excellent). | |
| Add: | |
| • Windows Defender Application Control (WDAC) | |
| or | |
| • AppLocker (minimum) | |
| This prevents: | |
| • Unsigned binaries | |
| • Ransomware loaders | |
| • Living-off-the-land abuse | |
| ASR blocks behavior. | |
| WDAC blocks execution. | |
| Together: much stronger. | |
| 6. Sysmon Deployment | |
| Built-in logs are good. | |
| But add: | |
| Deploy: | |
| Sysmon (System Monitor) | |
| Why? | |
| • Process creation logging with command line | |
| • Network connections per process | |
| • File hash tracking | |
| • Registry persistence detection | |
| Most ransomware investigations rely on Sysmon telemetry. | |
| 7. Network Segmentation (Often Missed) | |
| Even a hardened server falls if flat network exists. | |
| Add: | |
| • Separate management VLAN | |
| • Separate server VLAN | |
| • Block east-west traffic by default | |
| • Only allow required inter-server communication | |
| Most ransomware spreads laterally via SMB + RDP inside flat networks. | |
| 8. Backup Strategy (Ransomware-Proof) | |
| Security checklist must include: | |
| • Offline backups | |
| • Immutable backups | |
| • Backup MFA | |
| • Separate backup credentials | |
| • Regular restore testing | |
| Because: | |
| If backups can be deleted from the same admin account, they will be. | |
| 9. Secure Boot + Kernel DMA Protection + Disable Sleep | |
| You covered Secure Boot β good. | |
| Explicitly add: | |
| • Disable Sleep on servers | |
| • Enable Kernel DMA Protection | |
| • Enable Memory Integrity (HVCI) | |
| Sleep mode keeps BitLocker key in RAM. | |
| 10. Service Account Hardening | |
| Instead of normal service accounts: | |
| • Use gMSA (Group Managed Service Accounts) | |
| • No interactive logon | |
| • No password knowledge by humans | |
| • No domain admin service accounts | |
| 11. Attack Simulation / Validation | |
| After hardening: | |
| • Run the Microsoft Security Compliance Toolkit | |
| • Run CIS-CAT if using the CIS benchmark | |
| • Perform purple team simulation | |
| • Validate that ASR actually blocks things | |
| Hardening without validation = false confidence. | |
| 12. RDP Hardening (Beyond VPN) | |
| Add: | |
| • NLA (Network Level Authentication) required | |
| • Disable clipboard redirection if not needed | |
| • Disable drive redirection | |
| • Limit session timeout | |
| • Enable Restricted Admin mode (for admin jump boxes) | |
| 13. If Domain Controller: Extra Controls | |
| If any of these servers are DCs: | |
| • Enable AD Recycle Bin | |
| • Protect AdminSDHolder | |
| • Monitor DCSync permissions | |
| • Enable LDAP signing | |
| • Require LDAPS | |
| • Restrict domain controller logon rights | |
| • Monitor replication changes | |
| DC security is its own discipline. | |
| 14. Enable Tamper Protection (Defender) | |
| If using Microsoft Defender: | |
| • Enable Tamper Protection | |
| • Prevent local disabling | |
| • Require cloud-delivered protection | |
| Otherwise attackers just disable AV first. | |
| 15. Remove Local Admin from Domain Users | |
| Very common mistake: | |
| Check: | |
| • No domain users in local Administrators | |
| • Use role-based access | |
| • Audit who has SeDebugPrivilege | |
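The audit script below is an added example (not from the original gist) that serves both the "Harden User Accounts and Authentication" section near the top of this checklist and this section: it reports whether Guest is enabled, what state the RID-500 account is in (found by SID, since it may have been renamed), whether the lockout threshold and minimum password length meet the stated benchmarks, whether any broad principal (Domain Users, Authenticated Users, Everyone) sits in local Administrators, and who holds SeDebugPrivilege. It is read-only. It assumes an elevated Windows PowerShell 5.1 session on a domain-joined server (the LocalAccounts module), and uses secedit because that is the supported way to read lockout policy and user-rights assignments locally.

```powershell
# Added example: read-only local account hardening audit. Run elevated, PowerShell 5.1+.

function Get-LocalSecurityPolicy {
    # Export the local policy to an INF and parse 'Key = Value' lines into a hashtable.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $ini = @{}
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\s*([^=\[]+?)\s*=\s*(.*)$') { $ini[$matches[1]] = $matches[2] }
    }
    Remove-Item -Path $cfg -Force
    $ini
}

function Test-LocalAccountHardening {
    $findings = New-Object System.Collections.Generic.List[string]
    $pol = Get-LocalSecurityPolicy

    # Guest (RID 501) and the built-in Administrator (RID 500): identify by RID, not name.
    foreach ($u in Get-LocalUser) {
        $rid = $u.SID.Value.Split('-')[-1]
        if ($rid -eq '501' -and $u.Enabled) { $findings.Add("Guest account '$($u.Name)' is enabled") }
        if ($rid -eq '500') {
            if ($u.Name -eq 'Administrator') { $findings.Add('Built-in Administrator (RID 500) still has its default name') }
            if ($u.Enabled) { $findings.Add("RID-500 account '$($u.Name)' is enabled; disable it and use a LAPS-managed admin account") }
        }
    }

    # Lockout threshold 0 means never lock out; the checklist benchmark is 3-5 and 14+ characters.
    $threshold = [int]$pol['LockoutBadCount']
    if ($threshold -eq 0 -or $threshold -gt 5) { $findings.Add("Account lockout threshold is $threshold (expected 1-5)") }
    $minLen = [int]$pol['MinimumPasswordLength']
    if ($minLen -lt 14) { $findings.Add("Minimum password length is $minLen (expected 14+)") }

    # Local Administrators must not contain Everyone, Authenticated Users or Domain Users (RID 513).
    $broadSids = @('S-1-1-0', 'S-1-5-11')
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $sid = $m.SID.Value
        if ($broadSids -contains $sid -or $sid -like 'S-1-5-21-*-513') {
            $findings.Add("Broad principal '$($m.Name)' is a member of local Administrators")
        }
    }

    # SeDebugPrivilege allows reading LSASS memory; it should be Administrators (S-1-5-32-544) only.
    $holders = ($pol['SeDebugPrivilege'] -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $extra   = $holders | Where-Object { $_ -ne '*S-1-5-32-544' }
    if ($extra) { $findings.Add("SeDebugPrivilege is also granted to: $($extra -join ', ')") }

    if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
}
Test-LocalAccountHardening
```

Domain group membership is evaluated by SID rather than by display name on purpose: "Domain Users" is localized and can be renamed, but its RID is always 513. Extend the broad-principal list with any company-wide groups that should never be local admins on servers.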
| 16. Security Headers (If Web Server) | |
| If IIS: | |
| • Disable server version disclosure | |
| • Configure security headers | |
| • Enforce HTTPS redirection | |
| • Disable weak cipher suites | |
| • Remove the default IIS site | |
| 17. BIOS / Firmware Update Policy | |
| Firmware vulnerabilities bypass OS security. | |
| Add: | |
| • Regular firmware update schedule | |
| • BMC/iDRAC/iLO hardening | |
| • Change default BMC credentials | |
| • Isolate the management interface network | |
| What You Already Did Well | |
| You're already above average because you included: | |
| • TPM deep understanding | |
| • BitLocker lifecycle awareness | |
| • JEA | |
| • PAW | |
| • ASR | |
| • Monitoring baseline drift | |
| • Decommission process | |
| • vTPM awareness | |
| That's enterprise-level thinking. | |
| The One Thing Most People Forget | |
| Remove Domain Admin from daily operations. | |
| Almost every ransomware case I've investigated succeeded because: | |
| Someone logged into a regular server using a Domain Admin account. | |
| That single mistake bypasses 70% of the controls. | |
| If I Had to Rank "Highest Impact Additions" | |
| 1. Disable NTLM + enforce Kerberos | |
| 2. Enable Credential Guard | |
| 3. Deploy WDAC/AppLocker | |
| 4. Network segmentation | |
| 5. Immutable backups | |
| 6. Tiered admin model | |
| 7. Sysmon | |
| 8. gMSA for services | |
| If you'd like, tell me: | |
| • Are these servers standalone or domain-joined? | |
| • Are they virtualized? | |
| • Is this enterprise, SMB, or lab? | |
| • Are any Domain Controllers? | |
| • No backup accounts with Domain Admin rights | |
| • Monthly restore test | |
| Backups must be: | |
| • On separate credentials | |
| • On a separate network segment | |
| 11. Domain Controller Special Hardening | |
| If running DC: | |
| • Enable AD Recycle Bin | |
| • Monitor DCSync permissions | |
| • Restrict replication rights | |
| • Monitor AdminSDHolder | |
| • Enable LDAP signing | |
| • Disable NTLM on DCs if possible | |
| • Deny local logon except Tier 0 | |
| DCs should: | |
| • Run minimal roles only | |
| • Have no additional software | |
| • Never be used for browsing | |
| • Accept no RDP from Tier 1 | |
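The following is an added example (not from the original gist) covering the DC-specific items from both Domain Controller sections of this checklist: enabling the AD Recycle Bin, requiring LDAP signing and channel binding, listing every principal that holds the replication rights DCSync abuses, and dumping the AdminSDHolder ACL grouped by identity for review against a known-good export. It assumes the ActiveDirectory module, a Tier 0 session on a DC, and uses the current domain; the expected DCSync holders named in the comment are the defaults for a single-domain forest.

```powershell
# Added example: DC hardening checks. Run on a DC as a Tier 0 admin.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$dn     = $domain.DistinguishedName

# 1. AD Recycle Bin: forest-wide, one-way change (cannot be disabled afterwards).
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
    -Target $domain.Forest -Confirm:$false -ErrorAction SilentlyContinue

# 2. LDAP signing (2 = required) and channel binding (2 = always, Server 2019+ with
#    the 2020 LDAP update). Both defeat relaying captured NTLM to LDAP/LDAPS.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
Set-ItemProperty -Path $ntds -Name LDAPServerIntegrity        -Value 2 -Type DWord
Set-ItemProperty -Path $ntds -Name LdapEnforceChannelBinding  -Value 2 -Type DWord

# 3. DCSync: the three replication extended rights on the domain head. Expected
#    holders are Domain Controllers, Enterprise Domain Controllers, Administrators,
#    Enterprise Admins (and Domain Admins via Administrators); anything else is a finding.
function Get-DcSyncPrincipals {
    $rights = @{
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
        '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    }
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $rights.ContainsKey($_.ObjectType.ToString()) } |
        Group-Object IdentityReference | ForEach-Object {
            [pscustomobject]@{
                Principal = $_.Name
                Rights    = (($_.Group | ForEach-Object { $rights[$_.ObjectType.ToString()] } | Sort-Object -Unique) -join ', ')
            }
        }
}
'Principals able to replicate (DCSync):'
Get-DcSyncPrincipals | Format-Table -AutoSize

# 4. AdminSDHolder: SDProp stamps this ACL onto every protected account hourly, so
#    an extra ACE here is a quiet, self-healing backdoor. Diff this output against a
#    baseline export taken from a known-good DC.
function Get-AdminSdHolderAcl {
    (Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$dn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Group-Object IdentityReference | ForEach-Object {
            [pscustomobject]@{
                Principal = $_.Name
                Rights    = (($_.Group.ActiveDirectoryRights | Sort-Object -Unique) -join ', ')
            }
        }
}
'AdminSDHolder allow ACEs by principal:'
Get-AdminSdHolderAcl | Format-Table -AutoSize
```

For ongoing monitoring rather than a one-off check, the same two functions can be run on a schedule and their output compared to the previous run; a new principal in either list is worth an immediate look, since both changes are how an attacker keeps domain-wide access after a password reset.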
| 12. Patch & Firmware Discipline | |
| • Monthly OS patching | |
| • Emergency zero-day process | |
| • BIOS / firmware patch schedule | |
| • iDRAC / iLO hardening | |
| • Change BMC default credentials | |
| • Isolate management interfaces | |
| Suspend BitLocker before firmware updates. | |
| 13. Continuous Validation | |
| Security without validation is an illusion. | |
| Run: | |
| • CIS Benchmark scans | |
| • Microsoft Security Baseline analyzer | |
| • Purple team tests | |
| • Ransomware simulation | |
| 14. Decommissioning Process | |
| Before server retirement: | |
| • Remove from domain | |
| • Revoke certificates | |
| • Delete the computer object | |
| • Remove from backup | |
| • Wipe drives (crypto-erase if BitLocker) | |
| Zombie servers are common breach points. | |
| High-Impact Checklist (If You Do Nothing Else) | |
| If you only implement 10 things: | |
| 1. Remove Domain Admin from daily use | |
| 2. Enable Credential Guard | |
| 3. Disable NTLMv1 + restrict NTLM | |
| 4. Enforce SMB signing | |
| 5. Deploy ASR rules | |
| 6. Deploy Sysmon + central logging | |
| 7. Disable Print Spooler | |
| 8. Segment network | |
| 9. Immutable backups | |
| 10. Use gMSA | |
| Maturity Levels | |
| Level 1: Secure SMB | |
| Baseline + BitLocker + ASR + RDP behind VPN + backups | |
| Level 2: Enterprise Secure | |
| Add segmentation + Sysmon + gMSA + tiered model | |
| Level 3: High Security / Finance / Gov | |
| Add WDAC + JEA + PAW + NTLM elimination + DC isolation + attack simulation | |
| If you want next: | |
| • I can create a PowerShell audit script to check all of this | |
| • Or a printable security checklist | |
| • Or a hardened build GPO structure design | |
| • Or a ransomware attack path explanation against poorly hardened environments | |
| I'll assume: | |
| • Domain-joined environment | |
| • Virtualized (Hyper-V or VMware) | |
| • Mixed server roles | |
| • At least one Domain Controller | |
| • Enterprise or security-sensitive SMB | |
| If anything differs, tell me and I'll adjust. | |
| GOLD STANDARD: Windows Server 2025 Hardened Architecture | |
| 1. Architecture Model (Foundation First) | |
| Tiered Administrative Model | |
| Tier 0: Domain Controllers, PKI, ADFS | |
| Tier 1: Application servers | |
| Tier 2: User workstations | |
| Rule: No account crosses tiers. | |
| • Tier 0 admins log into Tier 0 only. | |
| • Tier 1 admins cannot log into Domain Controllers. | |
| • Use separate admin accounts (no dual-use). | |
| 2. Hardware & Virtualization Security | |
| Secure Boot + TPM 2.0 + VBS Stack | |
| REQUIRED: | |
| • TPM 2.0 (physical or vTPM) | |
| • Secure Boot enabled | |
| • BitLocker (OS + data volumes) | |
| • VBS enabled | |
| • Credential Guard enabled | |
| • HVCI (Memory Integrity) enabled | |
| • Kernel DMA Protection enabled | |
| For VMs: | |
| • Enable vTPM | |
| • Enable "Encryption Support" | |
| • Protect the host (separate management VLAN) | |
| • Harden the Hyper-V / ESXi host separately | |
| 3. Identity Hardening (Critical Section) | |
| Disable Legacy Authentication | |
| • Disable LM & NTLMv1 | |
| • Restrict NTLM via GPO | |
| • Audit NTLM usage | |
| • Enforce SMB signing | |
| • Require LDAP signing | |
| • Enforce LDAPS | |
| Domain Admin Protection | |
| • Remove Domain Admin from daily use | |
| • Protected Users group for DA | |
| • No DA login to non-DC servers | |
| • Disable DA RDP to application servers | |
| • Use Privileged Access Workstations (PAW) | |
| Use gMSA for Services | |
| Instead of: | |
| • Hardcoded passwords | |
| • Domain admin service accounts | |
| Use: | |
| • Group Managed Service Accounts | |
| • No interactive logon | |
| • Automatic password rotation | |
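Here is an added example (not from the original gist) of the gMSA workflow recommended in this section and in "Service Account Hardening" above: create the account, allow only the servers that run the service to retrieve its password, install it on a member server, and switch a Windows service over to it. All names are placeholders: domain corp.example, gMSA gmsa-app, AD group AppServers containing the member servers, service MyAppSvc. The first part runs on a DC (or anywhere with RSAT-AD-PowerShell) as a domain admin; the second on each member server.

```powershell
# Added example: create and deploy a gMSA. Placeholders: corp.example, gmsa-app, AppServers, MyAppSvc.
Import-Module ActiveDirectory

# --- Part 1, once per forest / once per account (domain admin) ---
# The KDS root key must exist before any gMSA can be created. Backdating its
# effective time by 10 hours is the documented lab shortcut; in production create
# it with the default effective time and wait 10 hours for replication.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
}

New-ADServiceAccount -Name 'gmsa-app' `
    -DNSHostName 'gmsa-app.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'AppServers' `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256

# --- Part 2, on each member server in 'AppServers' (reboot first so the host's
#     Kerberos ticket carries the new group membership) ---
Install-ADServiceAccount -Identity 'gmsa-app'
if (-not (Test-ADServiceAccount -Identity 'gmsa-app')) {
    throw 'This host cannot retrieve the gMSA password: check AppServers membership and reboot.'
}

# Run the service as the gMSA. The trailing '$' is required and the password is
# blank because the host fetches it from AD; no human ever knows it. Changing the
# account via WMI does not grant 'Log on as a service', so assign that right to
# the gMSA through Group Policy (or the Services MMC, which grants it automatically).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name = 'MyAppSvc'"
$result = $svc | Invoke-CimMethod -MethodName Change -Arguments @{ StartName = 'CORP\gmsa-app$'; StartPassword = '' }
if ($result.ReturnValue -ne 0) { throw "Service account change failed with code $($result.ReturnValue)" }
Restart-Service -Name 'MyAppSvc'

# Verify: the service runs as the gMSA, and the gMSA itself shows the retrieval restriction.
function Get-ServiceIdentity {
    param([string]$Name)
    (Get-CimInstance -ClassName Win32_Service -Filter "Name = '$Name'").StartName
}
Get-ServiceIdentity -Name 'MyAppSvc'
Get-ADServiceAccount -Identity 'gmsa-app' -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword
```

The retrieval group is the control that matters: a gMSA whose password can be fetched by Authenticated Users or Domain Computers is no better than a shared password, because any compromised machine account can read it. Keep AppServers tight and alert on membership changes.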
| 4. PowerShell & Admin Control | |
| Lock Down PowerShell | |
| • Enable Script Block Logging (4104) | |
| • Enable Module Logging | |
| • Enable Transcription | |
| • Constrained Language Mode (where possible) | |
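As an added example (not from the original gist) for the three logging items above and the earlier "Hardening PowerShell" section, the script below turns on script block, module and transcription logging by writing the registry values the corresponding Group Policy settings write, then pulls the script blocks actually executed in the last 24 hours and filters them for typical loader strings. Event 4104 records the block the engine compiled, so obfuscated wrappers show up as the code they unpacked to. It assumes an elevated session and a transcript directory C:\PSTranscripts that you then ACL so standard users cannot read it. Constrained Language Mode is deliberately not set here: the environment-variable toggle is a test aid only, and the supported way to enforce CLM is a WDAC or AppLocker policy.

```powershell
# Added example: enable PowerShell logging and triage recent 4104 script blocks. Run elevated.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$settings = @{
    'ScriptBlockLogging' = @{ EnableScriptBlockLogging = 1 }
    'ModuleLogging'      = @{ EnableModuleLogging = 1 }
    'Transcription'      = @{ EnableTranscripting = 1; EnableInvocationHeader = 1; OutputDirectory = 'C:\PSTranscripts' }
}
foreach ($sub in $settings.Keys) {
    $key = Join-Path $pol $sub
    New-Item -Path $key -Force | Out-Null
    foreach ($name in $settings[$sub].Keys) {
        $val  = $settings[$sub][$name]
        $type = if ($val -is [int]) { 'DWord' } else { 'String' }
        Set-ItemProperty -Path $key -Name $name -Value $val -Type $type
    }
}
# Module logging also needs a ModuleNames subkey; '*' = log every module.
$mn = Join-Path $pol 'ModuleLogging\ModuleNames'
New-Item -Path $mn -Force | Out-Null
Set-ItemProperty -Path $mn -Name '*' -Value '*' -Type String
New-Item -Path 'C:\PSTranscripts' -ItemType Directory -Force | Out-Null

function Get-RecentScriptBlocks {
    param([int]$Hours = 24)
    # 4104 = script block logged. Long blocks are split into MessageNumber/MessageTotal parts.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time  = $_.TimeCreated
            User  = $_.UserId
            Part  = "$($d['MessageNumber'])/$($d['MessageTotal'])"
            Block = $d['ScriptBlockText']
        }
    }
}

# Triage filter: strings common to download cradles and encoded loaders. Expect some
# noise from legitimate admin tooling; the point is a short list a human can read.
$suspicious = 'FromBase64String|DownloadString|DownloadFile|Invoke-Expression|\bIEX\b|-enc(odedcommand)?\b|Reflection\.Assembly'
Get-RecentScriptBlocks | Where-Object Block -match $suspicious |
    Select-Object Time, User, Part, @{ n = 'Preview'; e = { $_.Block.Substring(0, [Math]::Min(120, $_.Block.Length)) } } |
    Format-Table -Wrap
```

Forward the Microsoft-Windows-PowerShell/Operational channel along with Security; 4104 on its own is chatty, but joined to 4688 (which process started the host) it is the fastest way to reconstruct what a script actually did.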
| Just Enough Administration (JEA) | |
| Create restricted PowerShell endpoints: | |
| • Reset passwords only | |
| • Restart services only | |
| • No full admin rights | |
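The following is an added example (not from the original gist) of exactly the endpoint this section describes: members of one AD group can restart two named services and reset user passwords, and nothing else, under a transient virtual account rather than with their own admin credentials. The module name HelpdeskJea, the group CORP\Helpdesk, the service names and the transcript path are placeholders. Run it elevated on the server that will host the endpoint.

```powershell
# Added example: a JEA endpoint limited to service restarts and password resets.
# Placeholders: module 'HelpdeskJea', group 'CORP\Helpdesk', services 'MyAppSvc' and 'W3SVC'.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpdeskJea'
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -Path $rcPath -ItemType Directory -Force | Out-Null
Set-Content -Path (Join-Path $modulePath 'HelpdeskJea.psm1') -Value '# role helper functions can live here'
New-ModuleManifest -Path (Join-Path $modulePath 'HelpdeskJea.psd1') -RootModule 'HelpdeskJea.psm1'

# Role capability: each VisibleCmdlets entry can pin parameters and allowed values,
# so Restart-Service works only for the two listed services.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'Helpdesk.psrc') `
    -ModulesToImport 'ActiveDirectory' `
    -VisibleCmdlets @(
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'MyAppSvc', 'W3SVC' } },
        @{ Name = 'Set-ADAccountPassword'; Parameters = @(
            @{ Name = 'Identity' }, @{ Name = 'Reset' }, @{ Name = 'NewPassword' }) },
        'Get-Service'
    )

# Session configuration: RestrictedRemoteServer = NoLanguage session exposing only
# Get-Command, Get-Help, Exit-PSSession and the role's cmdlets. The virtual account
# is a local admin on this host, but the operator never holds that token directly.
$transcripts = 'C:\JeaTranscripts'
New-Item -Path $transcripts -ItemType Directory -Force | Out-Null
$pssc = Join-Path $env:TEMP 'Helpdesk.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{ 'CORP\Helpdesk' = @{ RoleCapabilities = 'Helpdesk' } }
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw 'Session configuration file is invalid' }
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $pssc -Force | Out-Null

# Verify the endpoint exists and which role maps to it.
Get-PSSessionConfiguration -Name 'Helpdesk' | Select-Object Name, RunAsVirtualAccount, Permission

# Usage from a helpdesk workstation (SRV01 is this server):
#   Enter-PSSession -ComputerName SRV01 -ConfigurationName Helpdesk
#   Restart-Service -Name MyAppSvc     # allowed
#   Restart-Service -Name Spooler      # rejected: not in the ValidateSet
#   Stop-Computer                      # rejected: not a visible cmdlet
# Password resets need a SecureString argument, which the NoLanguage session cannot
# build itself, so pass it in from the client:
#   $pw = Read-Host -AsSecureString 'New password'
#   Invoke-Command -ComputerName SRV01 -ConfigurationName Helpdesk `
#       -ScriptBlock { Set-ADAccountPassword -Identity $args[0] -Reset -NewPassword $args[1] } `
#       -ArgumentList 'jdoe', $pw
```

The "Hard" rating in the quick-reference table is about scoping, not the cmdlets: Set-ADAccountPassword with an unrestricted Identity lets a helpdesk role reset a Domain Admin's password, so in practice Identity should be validated (a ValidatePattern for an OU, or a wrapper function in the module that checks the target is not a privileged account) before this endpoint goes live.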
| 5. Application & Execution Control | |
| Use BOTH: | |
| • Attack Surface Reduction (ASR) | |
| • Windows Defender Application Control (WDAC) | |
| If WDAC is too complex, use AppLocker at minimum. | |
| Block: | |
| • Office child processes | |
| • Credential theft from LSASS | |
| • Unsigned executables | |
| • LOLBins abuse | |
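An added example (not from the original gist) for the ASR half of this section and for the "validate ASR actually blocks things" item in the earlier validation list: it rolls out the rules the checklist names (LSASS credential theft, Office child processes) plus a few that target the ransomware and LOLBin techniques it mentions, in audit mode first, shows the current per-rule state, checks that Tamper Protection and cloud protection are on, and reads the Defender operational log to prove which rules fired. The rule GUIDs are Microsoft's published identifiers; which rules to enforce, and the choice of audit-first, are this example's decisions rather than a Microsoft default. The event field names are the ones in the EventData of Defender events 1121/1122.

```powershell
# Added example: ASR rollout (audit then enforce), state report, Tamper Protection check, hit report.
$asrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
}

function Set-AsrRules {
    param([ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Action)
    # Add-MpPreference merges with rules already configured instead of overwriting them.
    foreach ($id in $asrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
    }
}
# Phase 1: audit for a week, review 1122 events, add exclusions for genuine business
# tools with Add-MpPreference -AttackSurfaceReductionOnlyExclusions. Phase 2: enforce.
Set-AsrRules -Action AuditMode
# Set-AsrRules -Action Enabled

function Get-AsrRuleState {
    # Action codes: 0 = off, 1 = block, 2 = audit, 6 = warn.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            Rule   = if ($asrRules.ContainsKey($id)) { $asrRules[$id] } else { $id }
            Action = $pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
}
Get-AsrRuleState | Format-Table -AutoSize

# The rules are worthless if an attacker can simply switch Defender off.
Get-MpComputerStatus | Select-Object IsTamperProtected, AMServiceEnabled, RealTimeProtectionEnabled
Get-MpPreference      | Select-Object MAPSReporting, DisableRealtimeMonitoring

function Get-AsrEvents {
    param([int]$Days = 7)
    # 1121 = rule blocked something, 1122 = rule would have blocked (audit mode).
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $mode = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = $mode
            Rule    = if ($asrRules.ContainsKey($d['ID'])) { $asrRules[$d['ID']] } else { $d['ID'] }
            Process = $d['Process Name']
            Target  = $d['Path']
            User    = $d['User']
        }
    }
}
Get-AsrEvents | Group-Object Mode, Rule | Sort-Object Count -Descending | Select-Object Count, Name
```

A week of audit data with zero 1122 events for the LSASS rule usually means nothing legitimate touches LSASS on that server, which is exactly the signal that it is safe to enforce; a steady stream from a backup or monitoring agent means that agent needs an exclusion (or replacing) before the rule goes to block.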
| 6. RDP Hardening | |
| Never expose RDP to the internet. | |
| Required: | |
| • VPN or Zero Trust gateway | |
| • NLA enabled | |
| • High encryption level | |
| • Restricted Admin mode (for jump hosts) | |
| • Disable clipboard redirection (if not needed) | |
| • Disable drive redirection | |
| • Session timeout enforced | |
| • Limit RDP to a specific AD group | |
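The script below is an added example (not from the original gist) that applies the RDP settings listed in this section and in "RDP Hardening (Beyond VPN)" above, by writing the registry values the corresponding Group Policy settings use, then verifies the resulting listener through the Terminal Services WMI view. The group CORP\ServerAdmins-RDP is a placeholder. Restricted Admin mode is enabled on the server side so jump hosts can connect with `mstsc /restrictedAdmin` and no reusable credential is left on this machine. Run it elevated; restarting TermService drops any current RDP session, so use a console or remote PowerShell session.

```powershell
# Added example: RDP listener hardening. Placeholder group: 'CORP\ServerAdmins-RDP'.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsPol  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $tsPol -Force | Out-Null

# NLA (authenticate before a session exists), TLS security layer, High encryption.
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord   # 1 = NLA required
Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2 -Type DWord   # 2 = TLS
Set-ItemProperty -Path $rdpTcp -Name MinEncryptionLevel -Value 3 -Type DWord   # 3 = High

# Device redirection: the clipboard and mapped drives are how tools come in and data goes out.
Set-ItemProperty -Path $tsPol -Name fDisableClip -Value 1 -Type DWord   # clipboard
Set-ItemProperty -Path $tsPol -Name fDisableCdm  -Value 1 -Type DWord   # drives
Set-ItemProperty -Path $tsPol -Name fDisableLPT  -Value 1 -Type DWord   # printers (LPT)
Set-ItemProperty -Path $tsPol -Name fDisableCcm  -Value 1 -Type DWord   # COM ports

# Session limits, in milliseconds: disconnect idle after 15 min, end disconnected after 1 h.
Set-ItemProperty -Path $tsPol -Name MaxIdleTime          -Value 900000  -Type DWord
Set-ItemProperty -Path $tsPol -Name MaxDisconnectionTime -Value 3600000 -Type DWord

# Restricted Admin mode: 0 = allowed on this server; the client opts in with /restrictedAdmin.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name DisableRestrictedAdmin -Value 0 -Type DWord

# Who may connect: replace whatever is in Remote Desktop Users with a single AD group.
Get-LocalGroupMember -Group 'Remote Desktop Users' | ForEach-Object {
    Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $_.SID
}
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member 'CORP\ServerAdmins-RDP'

Restart-Service -Name TermService -Force

# Verify through the same WMI view a scanner's results are derived from.
function Get-RdpListenerState {
    $ts = Get-CimInstance -Namespace root\CIMV2\TerminalServices -ClassName Win32_TSGeneralSetting `
            -Filter "TerminalName = 'RDP-Tcp'"
    [pscustomobject]@{
        NlaRequired        = ($ts.UserAuthenticationRequired -eq 1)
        SecurityLayer      = $ts.SecurityLayer          # expect 2
        MinEncryptionLevel = $ts.MinEncryptionLevel     # expect 3
        AllowedMembers     = ((Get-LocalGroupMember -Group 'Remote Desktop Users').Name -join ', ')
    }
}
Get-RdpListenerState | Format-List
```

Local Administrators can always RDP regardless of Remote Desktop Users, so the group change only helps if the local admin audit from earlier in this checklist is also done; and keep the scoped firewall rule from the firewall section in place, because NLA alone still exposes the listener to credential attacks from anywhere that can reach port 3389.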
| 7. Network Segmentation | |
| Flat networks = ransomware heaven. | |
| Separate VLANs: | |
| • Management network | |
| • Domain Controllers | |
| • Application servers | |
| • Backup infrastructure | |
| • Hypervisor hosts | |
| Block east-west by default. | |
| 8. Logging & Detection (Enterprise Level) | |
| Enable Advanced Audit Policies: | |
| • Logon success/failure | |
| • Account management | |
| • Privilege use | |
| • Policy change | |
| • Object access | |
| Deploy Sysmon | |
| For: | |
| • Process creation with command line | |
| • Network connections per process | |
| • File hash logging | |
| • Persistence detection | |
| Forward logs to: | |
| • SIEM (Sentinel / Splunk / etc.) | |
| • Separate log collector server | |
| 9. Disable High-Risk Services | |
| On ALL servers (unless required): | |
| • Print Spooler | |
| • SMBv1 (remove the feature completely) | |
| • Remote Registry | |
| • LLMNR | |
| • WPAD | |
| • NetBIOS over TCP/IP | |
| • Windows Script Host (if not needed) | |
| • WebDAV | |
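As an added example (not from the original gist) for this list and the matching "Disable Legacy & High-Risk Features" list above, the script below stops and disables the services involved, turns off LLMNR and Windows Script Host through their policy and settings keys, and keeps a per-host exemption list so a real print server or a host that genuinely needs WebDAV can be excluded. SMBv1 and NetBIOS are left to the network-hardening example earlier in the checklist rather than repeated here. It assumes an elevated session; the placeholder exemption list is empty.

```powershell
# Added example: disable high-risk services and name-resolution features. Run elevated.
$keep = @()   # e.g. @('Spooler') on an actual print server

# Service name => why it is on the list.
$services = @{
    'Spooler'             = 'Print Spooler: runs as SYSTEM, PrintNightmare class of bugs'
    'RemoteRegistry'      = 'Remote Registry: remote read/write of the registry for recon and persistence'
    'WebClient'           = 'WebDAV redirector: lets UNC paths to HTTP coerce NTLM authentication'
    'WinHttpAutoProxySvc' = 'WPAD/WinHTTP auto-proxy discovery: spoofable proxy configuration'
}
foreach ($name in $services.Keys) {
    if ($keep -contains $name) { "Keeping $name (exempted)"; continue }
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }      # e.g. WebClient is absent on Server Core
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force -ErrorAction SilentlyContinue }
    # Set-Service refuses to disable WinHttpAutoProxySvc on some builds; Start=4 in
    # the registry is the same thing and takes effect at the next boot.
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -Name Start -Value 4 -Type DWord
    "Disabled $name ($($services[$name]))"
}

# LLMNR: DNS client policy, 0 = do not use multicast name resolution. Without this,
# a mistyped hostname becomes a broadcast that any host on the segment can answer.
$dnsPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
New-Item -Path $dnsPol -Force | Out-Null
Set-ItemProperty -Path $dnsPol -Name EnableMulticastNameResolution -Value 0 -Type DWord

# Windows Script Host: Enabled=0 blocks wscript/cscript for every user (VBS/JS droppers).
$wsh = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
New-Item -Path $wsh -Force | Out-Null
Set-ItemProperty -Path $wsh -Name Enabled -Value 0 -Type DWord

# Verify: anything from the list still running, or not disabled, is a finding.
function Get-HighRiskServiceState {
    Get-Service -Name @($services.Keys) -ErrorAction SilentlyContinue |
        Select-Object Name, Status, StartType
}
Get-HighRiskServiceState | Format-Table -AutoSize
```

Disabling WSH breaks any logon scripts still written in VBScript, and disabling the Print Spooler also breaks printing from the server itself, so run the verification on a test host first and put real exceptions in the $keep list rather than skipping the whole script.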
| 10. Ransomware-Proof Backup Model | |
| This is where most environments fail. | |
| Required: | |
| • Immutable backups | |
| • Offline copy (air-gapped) | |
| • Backup MFA | |
| • Separate backup admin accounts | |