User Manual
Cybersecurity Concepts – How to Secure the System
Windows Hardening
3
A6V11646120_enUS_b_40
67 | 85
3.11 Windows Hardening
First, a definition. When you harden a system, you reduce its attack surface: the set of
services, files, permissions and interfaces an attacker can reach. Ideally, a hardened
system could be left exposed to the general public on the Internet without any other
form of protection. Such a system cannot be a general-purpose host. A hardened system
should serve only one purpose, for example a web server, a DNS server or an Exchange
Server, and nothing else.
File and print servers, domain controllers and workstations are not typically hardened
to this degree. They need too many functions to be reduced to a single role; they still
receive a baseline secure configuration, but not hardening in the sense used here.
System Hardening Steps
To harden a Windows server, you must perform the following steps, at a bare
minimum:
● Disable all unnecessary services. To do this, you first need to determine which
services can be disabled. This sounds simple, but it is not. Some services cannot be
disabled at all; the Remote Procedure Call (RpcSs) service, for example, is required
by the operating system itself. Little documentation exists to identify exactly which
services a given server role requires, and any such list would change with a vendor's
specific implementation (say, of a DNS or mail server). In practice, knowing which
services are required and which can be disabled is largely a matter of trial and
error: disable a service on a test system, reboot, and verify that the server's one
function still works before applying the change in production.
● Remove all unnecessary executables and registry entries. Leaving unneeded
executables and registry entries in place might allow an attacker to re-enable or
invoke something that had previously been disabled.
● Apply appropriately restrictive permissions to files, services, endpoints,
and registry entries. Inappropriate permissions give an attacker an opening. For
example, a service whose binary, configuration or registry key is writable by
ordinary users lets an attacker run CMD.EXE as LocalSystem, a classic backdoor.
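The three steps above, as a PowerShell audit script. This is an added example and is not part of the manual or of any Siemens product; the service allowlist, the assumed IIS web-server role and the principal names are assumptions for illustration. It covers the first step (disabling automatic-start services that are not on an allowlist) and the permission check behind the third step (service binaries writable by ordinary users, which is the route to running CMD.EXE as LocalSystem). The second step, removing files and registry entries, depends on the product installed and is not automated here.

```powershell
#Requires -RunAsAdministrator
<#
  Added example for this section; not part of the original manual.
  Audits a single-purpose Windows server against an allowlist of services
  and flags service binaries that low-privileged users can modify.
  Run with -WhatIf first; every service name below is an assumption.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed allowlist for an IIS web server. Core services the OS itself
    # needs come first; refine the list by trial and error on a test system.
    [string[]]$AllowedServices = @(
        'RpcSs', 'RpcEptMapper', 'DcomLaunch', 'LSM', 'SamSs', 'ProfSvc',
        'UserManager', 'Winmgmt', 'PlugPlay', 'Power', 'EventLog', 'gpsvc',
        'Schedule', 'CryptSvc', 'BFE', 'MpsSvc', 'WinDefend', 'Dhcp',
        'Dnscache', 'nsi', 'WinRM', 'wuauserv', 'TrustedInstaller',
        'W3SVC', 'WAS'
    )
)

# Step 1: automatic-start services that are not on the allowlist.
# Services such as RpcSs refuse to be stopped or disabled; the warning
# records that instead of aborting the run.
$unexpected = Get-Service | Where-Object {
    $_.StartType -eq 'Automatic' -and $AllowedServices -notcontains $_.Name
}
foreach ($svc in $unexpected) {
    if ($PSCmdlet.ShouldProcess($svc.Name, 'Stop and set StartupType=Disabled')) {
        try {
            Stop-Service -Name $svc.Name -Force -ErrorAction Stop
            Set-Service -Name $svc.Name -StartupType Disabled -ErrorAction Stop
            Write-Output "Disabled $($svc.Name)"
        } catch {
            Write-Warning "Could not disable $($svc.Name): $($_.Exception.Message)"
        }
    }
}

# Step 3 check: service binaries writable by low-privileged principals.
# Any hit lets an ordinary user replace the binary and run code as the
# service account, which is LocalSystem for most services.
$weakPrincipals = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$genericWrite = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL raw bits

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    if (-not $svc.PathName) { return }
    # ImagePath is either "C:\path\svc.exe" args or C:\path\svc.exe args
    $exe = if ($svc.PathName.StartsWith('"')) { $svc.PathName.Split('"')[1] } else { ($svc.PathName -split ' ')[0] }
    if (-not (Test-Path -LiteralPath $exe)) { return }

    foreach ($ace in (Get-Acl -LiteralPath $exe).Access) {
        $rights = [int64]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow' -and
            $weakPrincipals -contains $ace.IdentityReference.Value -and
            (($rights -band $writeMask) -ne 0 -or ($rights -band $genericWrite) -ne 0)) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Binary    = $exe
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}
```

Save it under a name of your choice (the name is not prescribed here) and run it first with -WhatIf, which lists the services that would be disabled without changing anything; the ACL check is read-only in either mode. Then run it on a test system, reboot, and confirm the server's single role still works before applying the same change in production. An unquoted ImagePath with spaces in it is a separate weakness that this script does not check for.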
The benefits of hardening a Windows server are that you have fewer patches to apply,
you are less likely to be vulnerable to the average exploit, and you have fewer log
records to review. You can focus your attention on what the server is doing, not on
unnecessary services it may be running.
On the other hand, it is very difficult to properly harden a system and keep it running
effectively. Documentation is scarce, and the restrictive permissions have to be set and
maintained consistently for the hardening to be effective. Finally, even a hardened
Windows server will probably have far too many resident files and registry entries to
monitor and maintain effectively.