Windows Server Hardening

Last updated on September 3rd, 2022

Microsoft is a leading name in the world of operating systems. Almost everyone with a personal computer has come across some versions of MS Operating System. They are very popular. They provide an easy user interface.

It’s no wonder that Windows OS is similarly widely used for servers. As of 2020, Microsoft has released eight versions of server OS. The latest is Windows Server 2019.

It becomes critical to secure your windows server. For that, You have to use the latest version. But it’s not always possible. Many web owners prefer older versions as it can run the necessary software. You need time during upgrading because you have to test a new version to check whether it supports your applications.

There are many online threats. Malware or hackers can breach your windows server. You have to pay attention to windows server hardening that helps you to reduce the attack surface. Attackers are on the lookout to points through which they can gain access or damage the server.

These points are software and network interfaces. They form the attack surface of the server that you have to minimize. Reduced attack surface means hackers have less opportunity to mount an attack.

Windows Server 2019 comes with an excellent level of inbuilt hardening. It’s more secure compared to previous versions. Now, you don’t have to rely on external solutions for patching. Still, you need to do hardening to be more secure. It will help you against the threat of unauthorized access and changes. 

You have to do optimum hardening. Too much of it will be undesirable. It can harm the functionality of windows. You have to follow an incremental approach. Here, implement one hardening step, then test the entire server and applications. You have to repeat this procedure. Testing is critical after every hardening step.

Mistakes to Avoid:

As we have discussed, your main goal is to reduce the surface area of vulnerabilities. This area is like a porous membrane. Hackers can gain entry here. To prevent that, you have to avoid some common mistakes. Many people make these mistakes unknowingly.

These malpractices increase the surface area. You have to avoid them to get enhanced security for windows server. 

1) Many people disable User Access Control (UAC). It will save you some extra clicks while installing a new software. But it makes your system compromised. You have to enable UAC. You can do it by moving the UAC slider to the top. 

You have to select always notify option in UAC. It will ask for permission during changing system settings that result in increased security. A new application will require administrative privilege before installation. 

2) You should not install unnecessary software. These include JAVA, Adobe Flash, Web browser, PDF Viewer, etc. Install these if only you need them.

3)You should avoid installing features and roles that are not necessary. For example, if you need the IIS role, then install it with the features you require. Do not enable all of them. 

4)You have to regularly fully patch windows server OS. It’s paramount that you do it once every month. Patch and reboot of OS highly recommended.


The first step in hardening includes installing the core version of the windows server. For windows server 2019 edition, you have to install windows 2019 server core.

The main benefit of the core version is it removes GUI Interface. Graphical User Interface (GUI) allows users to interact with physical machines. No doubt, it is necessary for personal computers. Microsoft OS is famous for its great GUI. 

But GUI increases the attack surface area. Hence, the core version without GUI proves beneficial as it decreases the attack surface. Core version needs fewer software updates. You will also get improved compatibility features for applications.

You can manage the core version by installing a new Windows Admin Center. People are resistant to any change. You may feel apprehensive initially while using the core version as it lacks familiarity. 

You don’t have to worry about the difficulty of operation. You can install a new Windows Admin Center for free. It’s easy to use app. You can easily manage clusters, servers, etc.

Windows Admin Center is compatible with Windows Server 2008 R2 and following editions. You can also install it on Windows 10 or past Windows OS. It provides you an easy way to look after servers and clusters. 

You will get a lot of security benefits with the core version of Windows server. Along with free Windows Admin Center, it also offers easy to use user interface. 

Local Administrator Password Solution (LAPS):

Sometimes, hackers able to gain access to the windows server. In that case, your server gets compromised. Now, hackers will try to move laterally in your network. The main objective of an attack is finding valuable information. 

The most common type of attack is pass-the-hash. Here, hackers get login information from compromised computers. Then, hackers try to use this information to gain access to other computers on the network.

It used to happen due to the same login credentials on different computers in the network. To tackle this problem, Microsoft released a free tool in 2015 named Local Administrator Password Solution (LAPS).

Here, after installing the LAPS, each computer on your network will have a separate local admin account. LAPS will automatically set a random password for each PC. 

These random passwords get stored in a secure location. Only authorized persons can access them via LAPS GUI or PowerShell.

LAPS provides a great solution. It helps you by thwarting lateral hacker attack. You can use the same account across all servers and work stations with LAPS. 

Enable Windows Defender Credential Guard:

In your windows server, you have to protect some vital points. They include NTLM password hashes, credentials, and Kerberos tickets.

New technology LAN Manager (NTLM) is a critical suite for security. It provides authentication to users. In general, NTLM passwords are prone to brute-force attacks. They are not very strong. You have to protect NTLM password hashes. 

Hackers always target your credentials. In case, they manage to get authentication credentials that will grant them access to your windows server. Kerberos tickets used to establish connections between user and server. They provide a secure connection over a non-secure network. 

As we have discussed, you have to provide extra security to these vital security points. Windows Defender Credential Guard offers that security by creating a separate virtual container. This section partitioned from the operating system. 

Credential guard stores your credential, Kerberos tickets, NTLM in separate container. They are safe even if malware infects your system. Thus, malware with administrative privilege unable to access information stored in credential guard. Only special system software has access to this sensitive section. 

You can get this benefit by enabling Windows Defender Credential Guard. It will offer many advantages like enhanced hardware security with secure boot. It protects you from Advanced Persistent Threats (APT) by blocking targeted attacks.

Enable Windows Defender Exploit Guard:

windows server hardening

Attackers always look for new ways to execute their attacks. Now, there is a great deal of improvement in anti-virus detection technology. But, you are still at grave risk from various attacks. You may face credential-stealing attacks or ransomware attacks despite having working anti-virus software.

Attackers have invented new fileless attack. Here, they don’t have to write anything on the disk. Half of the attacks are now fileless. They usually manage to evade traditional anti-virus software.

Fileless attack work using documents with malicious content or by exploiting vulnerabilities. Microsoft Intelligent Security Graph (ISG) continuously works to identify new malware threats. ISG provides threat information to Windows Defender Exploit Guard.

You can gain a substantial level of security by enabling an exploit guard. It has the latest threat information given by ISG. Three salient benefits include:

  • Reduction in attack surface: Exploit guard blocks scripts, MS office, and email threats. Thus reduces attack surface. 
  • Protection of network: It blocks any outbound process to untrusted hosts. It uses Windows Defender SmartScreen.
  • Safeguard sensitive folder: It prevents the untrusted process from gaining access to your protected folders.


The protection of your windows server is very critical for the success of your online business. We have discussed some simple steps to enhance server security. There are many grave online threats. They can easily cause you a great deal of business loss.

You have to strike an optimum balance while hardening the windows server. You don’t want to harm the functionality of the necessary application. It’s key to follow the mantra of testing after every step.

First, you should avoid some malpractices that increase your attack surface. You should be using a standard user account for email help to thwart attacks by document with malicious content. You should install useful tools like LAPS. It will protect you from a lateral attack.

You should enable Windows Defender Credential Guard to protect your sensitive information. Windows Defender exploit guard will offer you the highest level of protection. Microsoft ISG is always at work to protect you against new threats. 

Get in Touch

Arpit Saini

He is the Director of Cloud Operations at Serverwala Cloud Data Centers Pvt Ltd and also follows a passion to break complex tech topics into practical and easy-to-understand articles. He loves to write about Web Hosting, Software, Virtualization, Cloud Computing, and much more.

Related Articles

Adblock Detected

Please consider supporting us by disabling your ad blocker