IT Security
Windows Server Hardening Guide
(English Version)
August 2022
Education Bureau
Table of Contents
1. Windows Installation ............................................................................................................. 3
2. Security Configuration ........................................................................................................... 3
2.1 Network Security and Access Management ................................................................ 3
2.2 Account Security ........................................................................................................ 20
2.2.1 User Account and Rights ........................................................................................ 20
2.2.2 Password Policy ...................................................................................................... 24
2.2.3 Account Lockout Policy........................................................................................... 26
2.2.4 Screen Saver ........................................................................................................... 28
2.3 Local Security Policy .................................................................................................. 30
2.4 Registry Security Configuration ................................................................................. 33
2.5 Firewall ...................................................................................................................... 42
2.6 NTP (Time Synchronization) ...................................................................................... 45
2.7 Remote Desktop Configuration ................................................................................. 47
2.8 Unquoted Service Path .............................................................................................. 53
2.9 Event Log Setting ....................................................................................................... 55
1. Windows Installation
Disable any unneeded services included in the default installation
Remove unnecessary Windows Server roles and features
Consider using EFS on the NTFS file system or BitLocker encryption for restricted data
Assign a static IP address to the server
Run Windows Update to install all security updates and patches
Run an antivirus update to install the latest antivirus definitions
Enable automatic notification of patch availability and make sure that all appropriate patches, hotfixes and service packs are reviewed, tested and applied in a timely manner
It is not recommended to install client-side software, such as Chrome, Adobe Flash or PDF viewers, on the server
2. Security Configuration
2.1 Network Security and Access Management
In All Control Panel Items, click Administrative Tools
Click Local Security Policy
Navigate to
Security Settings – Local Policies – User Rights Assignment
Click Access this computer from the network
Remove Everyone
Click Bypass traverse checking
Remove Everyone
Navigate to
Security Settings – Local Policies – Security Options
Click Microsoft network client: Digitally sign communications (always)
Select Disabled
Click Microsoft network client: Digitally sign communications (if server agrees)
Select Enabled
Click Microsoft network server: Digitally sign communications (always)
Select Enabled
Click Microsoft network server: Digitally sign communications (if client agrees)
Select Enabled
Click Network security: Allow LocalSystem NULL session fallback
Select Disabled
Click Network security: Configure encryption types allowed for Kerberos
Select AES128_HMAC_SHA1, AES256_HMAC_SHA1 and Future encryption types
Run regedit.exe (registry editor)
Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Set restrictanonymous=1
Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Set restrictnullsessaccess=1
Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Open NullSessionPipes and remove BROWSER if it is present
In All Control Panel Items, click Network and Sharing Center
Click Change adapter settings
Right-click Ethernet and click Properties
Select Internet Protocol Version 4 (TCP/IPv4)
Click Properties
Click Advanced
Select Disable NetBIOS over TCP/IP
Run gpedit.msc
Navigate to
Computer Configuration – Administrative Templates – System – Power Management – Sleep Settings
Click Require a password when a computer wakes (plugged in)
Select Enabled
Navigate to
Computer Configuration – Administrative Templates – System – Power Management – Sleep Settings
Click Require a password when a computer wakes (on battery)
Select Enabled
Run gpedit.msc
Navigate to
Computer Configuration – Windows Settings – Security Settings – Local Policy – Security Options
Click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
Select Enabled
Go to Server Manager Dashboard
Deselect the SMB 1.0/CIFS File Sharing Support option
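The registry, Kerberos, FIPS, NetBIOS and SMB 1.0 steps of section 2.1 can also be applied and read back from an elevated PowerShell prompt. The script below is an added example and is not part of the guide; the value names SupportedEncryptionTypes, allownullsessionfallback and FipsAlgorithmPolicy\Enabled are assumed to be the registry settings behind the corresponding policy items, and the NetBIOS change assumes the Win32_NetworkAdapterConfiguration WMI method.

```powershell
# Added example, not from the guide: registry-level settings of section 2.1. Run elevated.
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$kerb   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# Anonymous enumeration and null-session access to shares (restrictanonymous / restrictnullsessaccess).
Set-ItemProperty -Path $lsa    -Name RestrictAnonymous      -Value 1 -Type DWord
Set-ItemProperty -Path $lanman -Name RestrictNullSessAccess -Value 1 -Type DWord

# "Allow LocalSystem NULL session fallback" = Disabled (value name assumed from the policy).
Set-ItemProperty -Path "$lsa\MSV1_0" -Name allownullsessionfallback -Value 0 -Type DWord

# NullSessionPipes is REG_MULTI_SZ: drop BROWSER and keep any other entries.
$pipes = (Get-ItemProperty -Path $lanman -Name NullSessionPipes -ErrorAction SilentlyContinue).NullSessionPipes
if ($pipes -contains 'BROWSER') {
    $pipes = [string[]]@($pipes | Where-Object { $_ -ne 'BROWSER' })
    Set-ItemProperty -Path $lanman -Name NullSessionPipes -Value $pipes -Type MultiString
}

# Kerberos: AES128_HMAC_SHA1 (0x8) + AES256_HMAC_SHA1 (0x10) + Future encryption types (0x7FFFFFE0).
# The combined value 0x7FFFFFF8 and the value name are assumptions taken from the policy template.
if (-not (Test-Path $kerb)) { New-Item -Path $kerb -Force | Out-Null }
Set-ItemProperty -Path $kerb -Name SupportedEncryptionTypes -Value 0x7FFFFFF8 -Type DWord

# System cryptography: use FIPS compliant algorithms (value name assumed).
Set-ItemProperty -Path "$lsa\FipsAlgorithmPolicy" -Name Enabled -Value 1 -Type DWord

# Disable NetBIOS over TCP/IP on every IP-enabled adapter (TcpipNetbiosOptions 2 = disable).
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null
}

# Remove the SMB 1.0/CIFS File Sharing Support feature.
Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null

# Read back: RestrictAnonymous and RestrictNullSessAccess should be 1, BROWSER gone, SMB1 disabled.
Get-ItemProperty -Path $lsa    -Name RestrictAnonymous | Select-Object RestrictAnonymous
Get-ItemProperty -Path $lanman -Name RestrictNullSessAccess, NullSessionPipes
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
```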
2.2 Account Security
2.2.1 User Account and Rights
In All Control Panel Items, click Administrative Tools
Click Computer Management
Expand Local Users and Groups, then click Users
Disable or remove any unused accounts, such as DefaultAccount and Guest.
It is not recommended to use a default administrator account name, such as
“administrator” or “admin”. You may either rename the default administrator
account or create an account and set it as an administrative account.
In All Control Panel Items, click Administrative Tools
Click Local Security Policy
Navigate to
Local Policies-User Rights Assignment
Click Allow log on locally and remove all groups except Administrators; you may add your administrative account(s) to this group.
Reminders:
Full permissions should NOT be granted to the Everyone or Guests group in the configuration of a file or folder.
Sharing should NOT allow anonymous access.
The principle of least privilege (POLP) should always be strictly enforced.
2.2.2 Password Policy
In All Control Panel Items, click Administrative Tools
Click Local Security Policy
Navigate to
Security Settings – Account Policies – Password Policy
| Policy | Security Setting |
|---|---|
| Enforce password history | 8 passwords remembered |
| Maximum password age | 180 days |
| Minimum password age | 3 days |
| Minimum password length | 8 characters |
| Password must meet complexity requirements | Enabled |
| Store passwords using reversible encryption | Disabled |
2.2.3 Account Lockout Policy
In All Control Panel Items, click Administrative Tools
Click Local Security Policy
Navigate to
Security Settings – Account Policies – Account Lockout Policy
| Policy | Security Setting |
|---|---|
| Account lockout duration | 10 minutes |
| Account lockout threshold | 5 invalid logon attempts |
| Reset account lockout counter after | 10 minutes |
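Both tables, the password policy of 2.2.2 and the lockout policy of 2.2.3, can be applied in one step with a secedit security template instead of the Local Security Policy console. This is an added example, not the guide's own material; it assumes the standard [System Access] key names of the secedit INF format.

```powershell
# Added example, not from the guide: apply the password policy (2.2.2) and the
# account lockout policy (2.2.3) with secedit. Run elevated.
$inf = Join-Path $env:TEMP 'account-policy.inf'
$sdb = Join-Path $env:TEMP 'account-policy.sdb'

# Security template in secedit's INF format. Password ages are in days,
# lockout duration and reset window in minutes, matching the guide's tables.
@'
[Unicode]
Unicode=yes
[System Access]
PasswordHistorySize = 8
MaximumPasswordAge = 180
MinimumPasswordAge = 3
MinimumPasswordLength = 8
PasswordComplexity = 1
ClearTextPassword = 0
LockoutBadCount = 5
LockoutDuration = 10
ResetLockoutCount = 10
[Version]
signature="$CHICAGO$"
Revision=1
'@ | Set-Content -Path $inf -Encoding Unicode

# Load the template into a fresh database and apply only the security policy area.
secedit.exe /configure /db $sdb /cfg $inf /areas SECURITYPOLICY /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE" }

# Read the effective account policy back without the GUI.
net.exe accounts
Remove-Item -Path $inf, $sdb -ErrorAction SilentlyContinue
```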
2.2.4 Screen Saver
Run regedit.exe (registry editor)
Navigate to
HKEY_USERS\.DEFAULT\Control Panel\Desktop
Right-click to add the following String Values:
ScreenSaveActive = 1
ScreenSaveIsSecure = 1
ScreenSaveTimeOut = 900
2.3 Local Security Policy
In All Control Panel Items, click Administrative Tools
Click Local Security Policy
Navigate to Local Policies – Security Options
Set the additional Security Options as in the table below.
| Policy | Security Setting |
|---|---|
| Accounts: Guest account status | Disabled |
| Accounts: Rename guest account | Assign any name other than the default name, such as schrnd |
| Audit: Shut down system immediately if unable to log security audits | Disabled |
| Domain member: Digitally encrypt or sign secure channel data (always) | Enabled |
| Domain member: Digitally encrypt secure channel data (when possible) | Enabled |
| Domain member: Digitally sign secure channel data (when possible) | Enabled |
| Interactive logon: Do not display username at sign-in | Enabled |
| Interactive logon: Message text for users attempting to log on | "Authenticated User Only" |
| Interactive logon: Message title for users attempting to log on | "Authenticated User Only" |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 0 logons |
| Interactive logon: Prompt user to change password before expiration | 5 days |
| Recovery console: Allow automatic administrative logon | Disabled |
| Recovery console: Allow floppy copy and access to all drives and all folders | Disabled |
2.4 Registry Security Configuration
1. Run regedit.exe (registry editor)
2. Navigate to
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
3. Configure the following DWORD values
If Hyper-Threading is enabled:
"FeatureSettingsOverride"=dword:00000048
"FeatureSettingsOverrideMask"=dword:00000003
If Hyper-Threading is disabled:
"FeatureSettingsOverride"=dword:00002048
"FeatureSettingsOverrideMask"=dword:00000003
4. Navigate to
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\default]
5. Configure the following binary value
"WeakSha1ThirdPartyAfterTime"=0018df076244d101
6. Navigate to
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
7. Configure the following DWORD value
"ClientMinKeyBitLength"=dword:00000800
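Steps 1 to 7 above, written as an added PowerShell example rather than the guide's own procedure. It infers whether Hyper-Threading is enabled by comparing logical processors with physical cores (an assumption; check the BIOS setting if the host is virtualised) and picks the FeatureSettingsOverride value accordingly.

```powershell
# Added example, not from the guide: steps 1 to 7 of section 2.4. Run elevated; reboot afterwards.
$mm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$oid = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\default'
$dh  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'
foreach ($k in $mm, $oid, $dh) { if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null } }

# Step 3: FeatureSettingsOverride depends on whether Hyper-Threading is on.
# Assumption: more logical processors than cores means Hyper-Threading is enabled.
$cpu     = Get-CimInstance -ClassName Win32_Processor
$logical = ($cpu | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
$cores   = ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum
$override = if ($logical -gt $cores) { 0x48 } else { 0x2048 }   # HT enabled : HT disabled
Set-ItemProperty -Path $mm -Name FeatureSettingsOverride     -Value $override -Type DWord
Set-ItemProperty -Path $mm -Name FeatureSettingsOverrideMask -Value 0x3       -Type DWord

# Step 5: the REG_BINARY value 0018df076244d101, written as its eight bytes.
$after = [byte[]](0x00, 0x18, 0xdf, 0x07, 0x62, 0x44, 0xd1, 0x01)
Set-ItemProperty -Path $oid -Name WeakSha1ThirdPartyAfterTime -Value $after -Type Binary

# Step 7: minimum Diffie-Hellman key length accepted by the client side, 0x800 = 2048 bits.
Set-ItemProperty -Path $dh -Name ClientMinKeyBitLength -Value 0x800 -Type DWord

# Read back. FeatureSettingsOverride prints in decimal: 72 (0x48) or 8264 (0x2048).
Get-ItemProperty -Path $mm -Name FeatureSettingsOverride, FeatureSettingsOverrideMask
Get-ItemProperty -Path $dh -Name ClientMinKeyBitLength
(Get-ItemProperty -Path $oid -Name WeakSha1ThirdPartyAfterTime).WeakSha1ThirdPartyAfterTime |
    ForEach-Object { $_.ToString('x2') }
```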
Run regedit.exe (registry editor)
Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Change enablesecuritysignature to 1
Change requiresecuritysignature to 1
Run regedit.exe (registry editor)
Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
Set the following cipher entries to 0:
NULL
DES 56/56
RC2 40/128
RC2 56/128
RC2 128/128
RC4 40/128
RC4 56/128
RC4 64/128
RC4 128/128
Triple DES 168
Take DES 56/56 as an example.
Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
Set the keys as below
| Protocol | Key | DWORD: DisabledByDefault | DWORD: Enabled |
|---|---|---|---|
| SSL 2.0 | Client | 1 | 0 |
| SSL 2.0 | Server | 1 | 0 |
| SSL 3.0 | Client | 1 | 0 |
| SSL 3.0 | Server | 1 | 0 |
| TLS 1.0 * | Client | 1 | 0 |
| TLS 1.0 * | Server | 1 | 0 |
| TLS 1.1 | Client | 1 | 0 |
| TLS 1.1 | Server | 1 | 0 |
| TLS 1.2 | Client | 0 | 1 |
| TLS 1.2 | Server | 0 | 1 |
Result (screenshots of the resulting SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2 keys)
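The cipher list, the protocol table and the two LanmanServer signing values above can be applied together from an elevated PowerShell prompt. This is an added example, not the guide's own script; it assumes that the cipher subkeys are disabled through a DWORD named Enabled (the value the guide's screenshot sets to 0) and that Set-SmbServerConfiguration writes the enablesecuritysignature and requiresecuritysignature values.

```powershell
# Added example, not from the guide: SCHANNEL cipher and protocol keys of section 2.4
# plus SMB server signing. Run elevated; SCHANNEL changes take effect after a reboot.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Cipher subkey names contain '/', which the PowerShell registry provider treats as a
# path separator, so these keys are created through .NET instead of New-Item.
$ciphers = 'NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
           'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128', 'Triple DES 168'
$hklm = [Microsoft.Win32.Registry]::LocalMachine
foreach ($c in $ciphers) {
    $key = $hklm.CreateSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$c")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)   # Enabled = 0 (assumed name)
    $key.Close()
}

# Protocols: SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 off on both sides; TLS 1.2 on.
$protocols = [ordered]@{ 'SSL 2.0' = $false; 'SSL 3.0' = $false; 'TLS 1.0' = $false
                         'TLS 1.1' = $false; 'TLS 1.2' = $true }
foreach ($p in $protocols.Keys) {
    $on = $protocols[$p]
    foreach ($side in 'Client', 'Server') {
        $path = "$schannel\Protocols\$p\$side"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name Enabled           -Value ([int]$on)        -Type DWord
        Set-ItemProperty -Path $path -Name DisabledByDefault -Value ([int](-not $on)) -Type DWord
    }
}

# SMB server signing: enablesecuritysignature = 1 and requiresecuritysignature = 1.
Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force

# Verification: one row per protocol and side with Enabled and DisabledByDefault.
Get-ChildItem -Path "$schannel\Protocols" -Recurse |
    Where-Object { $_.PSChildName -in 'Client', 'Server' } | Get-ItemProperty |
    Select-Object @{ n = 'Key'; e = { $_.PSPath -replace '.*\\Protocols\\' } }, Enabled, DisabledByDefault
```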
2.5 Firewall
In All Control Panel Items, click Windows Defender Firewall
Turn on the firewall
Run gpedit.msc
Navigate to
Computer Configuration – Administrative Templates – Windows Components – Windows Defender SmartScreen – Explorer
Click Configure Windows Defender SmartScreen
Select Enabled
2.6 NTP (Time Synchronization)
Open Control Panel, navigate to Clock and Region, click Date and Time
Click Change settings
Set your preferred time source, such as your internal domain server or an Internet time server.
2.7 Remote Desktop Configuration
Run gpedit.msc
Navigate to
Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host - Security
Click Set client connection encryption level
Select High Level
Click Require use of specific security layer for remote (RDP) connections
Select SSL
Click Require secure RPC communication
Select Enabled
Click Require user authentication for remote connections by using Network Level Authentication
Select Enabled
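The four settings of section 2.7 can be written as the local policy registry values that the group policy editor itself sets, then read back for the RDP-Tcp listener. This is an added example, not part of the guide; the value names MinEncryptionLevel, SecurityLayer, fEncryptRPCTraffic and UserAuthentication are assumptions taken from the Remote Desktop policy template, and the read-back uses the Win32_TSGeneralSetting WMI class.

```powershell
# Added example, not from the guide: section 2.7 via the policy registry key. Run elevated.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }

# Value names are assumptions from the policy template (ADMX), one per guide step.
$settings = [ordered]@{
    MinEncryptionLevel = 3   # Set client connection encryption level: High Level
    SecurityLayer      = 2   # Require use of specific security layer: SSL
    fEncryptRPCTraffic = 1   # Require secure RPC communication: Enabled
    UserAuthentication = 1   # Require user authentication ... Network Level Authentication: Enabled
}
foreach ($name in $settings.Keys) {
    Set-ItemProperty -Path $pol -Name $name -Value $settings[$name] -Type DWord
}

# Refresh computer policy so the listener picks the values up, then read the
# effective settings of the RDP-Tcp listener (policy overrides local settings).
gpupdate.exe /target:computer /force | Out-Null
$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName = 'RDP-Tcp'"
[pscustomobject]@{
    EncryptionLevel = $ts.MinEncryptionLevel           # expected 3 = High
    SecurityLayer   = $ts.SecurityLayer                # expected 2 = SSL/TLS
    NLARequired     = $ts.UserAuthenticationRequired   # expected 1
}
```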
2.8 Unquoted Service Path
Run regedit.exe (registry editor)
Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
For each key (service), check whether the path to the executable file in ImagePath is enclosed in double quotes.
If any service executable path is not double quoted, double-click ImagePath and edit the value data to enclose the path in double quotes.
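Checking every service key by hand does not scale, so the following added example (not from the guide) audits ImagePath values the way section 2.8 describes: it reports services whose executable path contains a space but is not quoted, shows the quoted value, and only writes it back when -Apply is given. The helper names Get-UnquotedServicePath and Repair-UnquotedServicePath are hypothetical.

```powershell
# Added example, not from the guide: audit and fix for section 2.8. Run elevated to apply.
function Get-UnquotedServicePath {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $img = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $img) { continue }
        $img = $img.Trim()
        if ($img.StartsWith('"')) { continue }                     # already quoted
        # Split the executable (up to the first .exe) from its arguments.
        if ($img -match '^(?<exe>.+?\.exe)(?<tail>.*)$') { $exe = $Matches.exe; $tail = $Matches.tail }
        else { continue }                                          # drivers (.sys) and other non-exe images
        # Expand %SystemRoot%-style variables before testing for spaces; images without a
        # drive letter (relative system paths) are skipped.
        $expanded = [Environment]::ExpandEnvironmentVariables($exe)
        if ($expanded -notmatch '^[A-Za-z]:\\' -or $expanded -notmatch '\s') { continue }
        [pscustomobject]@{
            Service   = $svc.PSChildName
            ImagePath = $img
            Fixed     = '"' + $exe + '"' + $tail
            Kind      = (Get-Item -Path $svc.PSPath).GetValueKind('ImagePath')   # keep REG_SZ / REG_EXPAND_SZ
        }
    }
}

function Repair-UnquotedServicePath {
    param([switch]$Apply)   # without -Apply the function only reports
    foreach ($hit in Get-UnquotedServicePath) {
        if ($Apply) {
            Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($hit.Service)" `
                             -Name ImagePath -Value $hit.Fixed -Type $hit.Kind
        }
        $hit
    }
}

Repair-UnquotedServicePath | Format-Table -AutoSize -Property Service, ImagePath, Fixed   # report only
# Repair-UnquotedServicePath -Apply                                                      # write the quoted values
```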
2.9 Event Log Setting
In All Control Panel Items, click Administrative Tools
Click Local Security Policy
Navigate to
Security Settings – Local Policies – Audit Policy
Check both “Success” & “Failure” options:
(1) Audit account logon events
(2) Audit account management
(3) Audit directory service access
(4) Audit logon events
(5) Audit object access
(6) Audit policy change
(7) Audit system events
Check the “Failure” option for:
(1) Audit privilege use
Uncheck both “Success” & “Failure” options, which means the “No auditing” option, for:
(1) Audit process tracking
Run gpedit.msc
Navigate to
Computer Configuration – Administrative Templates – System – Audit Process Creation
Click Include command line in process creation events
Select Enabled
Navigate to
Computer Configuration – Administrative Templates – Windows Components – Windows PowerShell
Click Turn on PowerShell Script Block Logging
Select Enabled
Run eventvwr
Go to Event Viewer (Local) – Windows Logs, right-click System and select Properties, then set Maximum log size, for example 2 GB for the System log. Apply the same setting to every log under Windows Logs.
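All of section 2.9 (the audit categories, command-line and script block logging, and the 2 GB log size) can be scripted, which is also the easiest way to check the settings on many servers. This is an added example, not the guide's own material; it assumes the auditpol category names that correspond to the nine legacy audit policies and the two policy registry values (ProcessCreationIncludeCmdLine_Enabled and EnableScriptBlockLogging) behind the group policy items.

```powershell
# Added example, not from the guide: section 2.9 without the GUI. Run elevated.
# Categories with Success and Failure, the legacy names mapped to auditpol's categories
# (account logon = Account Logon, directory service access = DS Access, logon events = Logon/Logoff).
$successAndFailure = 'Account Logon', 'Account Management', 'DS Access', 'Logon/Logoff',
                     'Object Access', 'Policy Change', 'System'
foreach ($cat in $successAndFailure) {
    auditpol.exe /set "/category:$cat" /success:enable /failure:enable | Out-Null
}
auditpol.exe /set '/category:Privilege Use'     /success:disable /failure:enable  | Out-Null   # Failure only
auditpol.exe /set '/category:Detailed Tracking' /success:disable /failure:disable | Out-Null   # process tracking: no auditing

# Include command line in process creation events (value name assumed from the policy template).
$audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $audit)) { New-Item -Path $audit -Force | Out-Null }
Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# Turn on PowerShell Script Block Logging (value name assumed from the policy template).
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $sbl)) { New-Item -Path $sbl -Force | Out-Null }
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Maximum log size of 2 GB for every log under Windows Logs.
$twoGiB = 2GB   # 2147483648 bytes
$logs = 'Application', 'Security', 'Setup', 'System', 'ForwardedEvents'
foreach ($log in $logs) { wevtutil.exe sl $log "/ms:$twoGiB" }

# Verification: audit settings per category and the configured log sizes.
auditpol.exe /get /category:*
Get-WinEvent -ListLog $logs | Select-Object LogName, MaximumSizeInBytes
```

auditpol writes the advanced (subcategory) audit policy, which Windows applies in preference to the legacy nine-category settings shown in Local Security Policy, so check the result with auditpol rather than the legacy console.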