Windows Server 2012 R2 server hardening and best practices

You can search for Windows Server hardening until you’re blue in the face and find a little bit here and there; the sum of those parts is still less than the whole of this article. I’m going to provide you with my own personal hardening guidelines, as well as the PowerShell code and GPO settings to implement them easily. In addition, I’m going to throw in some best practices. That said, every environment is different… so do your own testing and research, but feel free to use this as your baseline.

PowerShell

Set TcpTimedWait to 30 seconds to avoid running out of ephemeral ports

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -name TcpTimedWaitDelay -propertytype dword -value 30 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -name TcpTimedWaitDelay -value 30 -errorAction SilentlyContinue | Out-Null

Set Priority Separation to background services

Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\PriorityControl' -name Win32PrioritySeparation -value 24 -errorAction SilentlyContinue | Out-Null

Disable NIC power management

$nicClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
# Adapter instances 0000..0020 of the network adapter class. PnPCapabilities = 24 (0x18)
# clears "Allow the computer to turn off this device to save power" for that adapter.
foreach ($i in 0..20) {
    $instance = $nicClass + '\' + ('{0:D4}' -f $i)
    New-Item -Path $instance -ErrorAction SilentlyContinue | Out-Null
    New-ItemProperty -Path $instance -Name PnPCapabilities -PropertyType DWord -Value 24 -ErrorAction SilentlyContinue | Out-Null
    Set-ItemProperty -Path $instance -Name PnPCapabilities -Value 24 -ErrorAction SilentlyContinue | Out-Null
}
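The block above writes to instance keys 0000 through 0020 whether or not an adapter lives there, which leaves empty phantom keys under the class and can miss an adapter numbered above 0020. As an added example (my code, not part of the original post), the variant below enumerates only the instance keys that actually exist and carry a bound driver, applies the same PnPCapabilities value, and reads it back so you can see what was changed. It assumes an elevated session; the function name is my own.

```powershell
$nicClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'

function Disable-NicPowerManagement {
    # Walk the real per-adapter subkeys (0000, 0001, ...) under the network adapter class key.
    Get-ChildItem -Path $nicClass -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |
        ForEach-Object {
            $key  = $_.PSPath
            # Instances without a DriverDesc are not bound to a driver; leave them alone.
            $desc = (Get-ItemProperty -Path $key -Name DriverDesc -ErrorAction SilentlyContinue).DriverDesc
            if (-not $desc) { return }
            # 24 (0x18) = do not let the OS power the device down; -Type creates the value if missing.
            Set-ItemProperty -Path $key -Name PnPCapabilities -Value 24 -Type DWord
            $now = (Get-ItemProperty -Path $key -Name PnPCapabilities).PnPCapabilities
            [pscustomobject]@{ Instance = $_.PSChildName; Adapter = $desc; PnPCapabilities = $now }
        }
}

Disable-NicPowerManagement | Format-Table -AutoSize
```

The value only takes effect after the adapter is re-initialised (disable/enable the NIC or reboot), so a reboot at the end of the build is the simplest way to make the change stick before the server goes into service.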

Turn UAC off since it just gets in the way and doesn’t add as much security as Microsoft tried to sell us on

Set-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name ConsentPromptBehaviorAdmin -value 0 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name EnableLUA -value 0 -errorAction SilentlyContinue | Out-Null

Set DEP to Opt-In

bcdedit /set nx OptIn | Out-Null

Configure WinRM

winrm quickconfig -quiet | Out-Null

Enable Windows Firewall

netsh advfirewall set allprofiles state on | Out-Null

Disable Server Manager from running at login

schtasks /change /disable /tn "\Microsoft\Windows\Server Manager\ServerManager" | Out-Null

Disable IE (make sure you have Chrome installed… or don’t use web browsing at all on the server and use a central software repo)

dism /online /disable-feature /featurename:Internet-Explorer-Optional-amd64 | Out-Null

Disable SMBv1. If you have any vendors at all still using SMBv1, open up a support ticket every day until they fix it. That’s just stupid.

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force | Out-Null
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart | Out-Null

Rename the Administrator account

$admin = [adsi]"WinNT://./Administrator,user"
# The built-in account keeps its well-known RID (500) after the rename, so treat this as one layer, not a hiding place.
$admin.psbase.Rename("therealadmin")

Configure NTP

sc.exe config w32time start= auto | Out-Null   # plain 'sc' is the Set-Content alias in PowerShell, so call sc.exe
sc.exe start w32time | Out-Null
Start-Sleep -Seconds 5                         # give the service a moment to start before reconfiguring it
w32tm /config /syncfromflags:domhier /update | Out-Null

Configure Windows to dump full memory.dmp file

wmic recoveros set DebugInfoType=1 | Out-Null   # 1 = complete memory dump

Group Policy

Disable display of the last username (there are Python scripts out there that scrub usernames from the RDP login screen using OCR). Yeah, it’s that easy for people to find usernames to brute-force on your network. We’re also going to disable cached logons; it’s too easy for attackers to exploit those saved credentials.

Computer>Policies>Windows Settings>Security Settings>Local Policies/Security Options>Interactive Logon

Interactive logon: Do not display last username: Enabled
Interactive logon: Number of previous logons to cache: 0

Enable SMB signing. Without it you’re basically giving your network away to attackers.

Computer>Policies>Windows Settings>Security Settings>Local Policies/Security Options>Microsoft Network Client

Microsoft network client: Digitally sign communications (if server agrees): Enabled

Computer>Policies>Windows Settings>Security Settings>Local Policies/Security Options>Microsoft Network Server

Microsoft network server: Digitally sign communications (always): Enabled
Microsoft network server: Digitally sign communications (if client agrees): Enabled

Full paranoia mode… let’s clear that pagefile at shutdown.

Computer>Policies>Windows Settings>Security Settings>Local Policies/Security Options>Shutdown

Shutdown: Clear virtual memory pagefile: enabled

Disable WPAD because it leaks NTLMv1 hashes, which are easy to crack.

Computer>Policies>Windows Settings>Security Settings>System Services

WinHTTP Web Proxy Auto-Discovery Service (Startup Mode: Disabled)

Turn off LLMNR, because poisoning is bad mmmmkay.

Computer>Policies>Administrative Templates>Network/DNS Client

Turn off multicast name resolution: enabled

Turn off WDigest, another leaky NTLM hash hole.

Computer>Preferences>Windows Settings>Registry

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
UseLogonCredential 0x0 (DWORD)

Enable NLA for Remote Desktop. There’s zero reason NOT to do this.

Computer>Administrative Templates>Windows Components>Remote Desktop Services>Remote Desktop Session Host/Security

Require user authentication for remote connections by using Network Level Authentication: Enabled

Change the DNS registration TTL to 300 seconds (5 minutes) instead of the default. If something happens and the IP changes, this minimizes the outage for clients.

Computer>Administrative Templates>Network>DNS Client

TTL value for A and PTR records: enabled, 300 seconds
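Applying all of the above is half the job; the other half is proving a server still has it after the next patch cycle or a mis-scoped GPO. As an added example (my code, not part of the original post), the script below audits the effective state of both the PowerShell-section settings and the Group Policy settings by reading the registry values each policy writes, plus the SMB1 and firewall state via their cmdlets. The registry locations are the standard backing values of those policies as I know them; treat them as assumptions and confirm against your own GPO’s registry.pol before you rely on the report. Function names are mine. Run it elevated after gpupdate /force.

```powershell
function Test-RegValue {
    param([string]$Setting, [string]$Path, [string]$Name, $Expected)
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $shown  = if ($null -eq $actual) { '<missing>' } else { $actual }
    [pscustomobject]@{
        Setting  = $Setting
        Expected = $Expected
        Actual   = $shown
        # String compare so REG_SZ "0" (CachedLogonsCount) and DWORD 0 are both handled.
        Pass     = ($null -ne $actual) -and ("$actual" -eq "$Expected")
    }
}

function Get-HardeningAudit {
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $ctl = 'HKLM:\SYSTEM\CurrentControlSet\Control'
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT'

    # --- PowerShell section ---
    Test-RegValue 'TcpTimedWaitDelay = 30'       "$svc\Tcpip\Parameters"  TcpTimedWaitDelay       30
    Test-RegValue 'Win32PrioritySeparation = 24' "$ctl\PriorityControl"   Win32PrioritySeparation 24
    Test-RegValue 'SMB1 client driver disabled'  "$svc\mrxsmb10"          Start                   4

    # --- Group Policy section (effective registry values) ---
    Test-RegValue 'Do not display last username' 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' DontDisplayLastUserName 1
    Test-RegValue 'Cached logons = 0'            'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'     CachedLogonsCount       0
    Test-RegValue 'SMB client signing (if server agrees)' "$svc\LanmanWorkstation\Parameters" EnableSecuritySignature  1
    Test-RegValue 'SMB server signing (always)'           "$svc\LanmanServer\Parameters"      RequireSecuritySignature 1
    Test-RegValue 'SMB server signing (if client agrees)' "$svc\LanmanServer\Parameters"      EnableSecuritySignature  1
    Test-RegValue 'Clear pagefile at shutdown'   "$ctl\Session Manager\Memory Management" ClearPageFileAtShutdown 1
    Test-RegValue 'WPAD service disabled'        "$svc\WinHttpAutoProxySvc"       Start              4
    Test-RegValue 'LLMNR off'                    "$pol\DNSClient"                 EnableMulticast    0
    Test-RegValue 'WDigest UseLogonCredential'   "$ctl\SecurityProviders\WDigest" UseLogonCredential 0
    Test-RegValue 'RDP requires NLA'             "$pol\Terminal Services"         UserAuthentication 1
    Test-RegValue 'DNS registration TTL = 300'   "$pol\DNSClient"                 RegistrationTtl    300

    # --- Non-registry checks ---
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    [pscustomobject]@{ Setting = 'SMB1 server protocol off'; Expected = $false; Actual = $smb1; Pass = (-not $smb1) }

    $fwOff = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | Select-Object -ExpandProperty Name)
    [pscustomobject]@{ Setting = 'Firewall on for all profiles'; Expected = 'none off'; Actual = ($fwOff -join ','); Pass = ($fwOff.Count -eq 0) }
}

# Print the report; when run as a script, a non-zero exit code lets monitoring or config management flag drift.
$report = Get-HardeningAudit
$report | Format-Table Setting, Expected, Actual, Pass -AutoSize
$failed = @($report | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) { Write-Warning "$($failed.Count) setting(s) out of compliance"; exit 1 }
```

Two things are worth knowing about the design: a missing value is reported as a failure rather than skipped, because "not configured" is exactly the state a deleted or mis-linked GPO leaves behind; and the SMB signing and NLA checks read the effective keys, so they catch a conflicting GPO winning precedence, which a look at the policy editor would not.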

… and that’s all I have. These are lessons learned through various security audits and technical issues I’ve run into over the years. I deploy these to every server that gets spun up, and recently received praise from the guys at Rapid7 during our last security audit. I made it very difficult for them 🙂
