
Windows Server 2012 R2 Hardening Checkli

The document is a checklist for hardening a Windows Server 2012 R2 system. It contains over 60 individual security configuration steps across various categories like user account policies, network access controls, audit policies, and physical security. The checklist ensures all critical security configurations are addressed to properly secure the server. It is used by an Enterprise Security Staff to verify servers meet security standards during risk assessments.

Uploaded by

Shankar Khandade
Copyright: © All Rights Reserved

Windows Server 2012 R2 Hardening Checklist

Print the checklist and check off each item you complete to ensure that you cover the critical steps for
securing your server. The Enterprise Security Staff uses this checklist during risk assessments as part of
the process to verify that servers are secure.

Server Information
MAC Address
IP Address
Machine Name
Asset Tag
Administrator Name
Date

Step

Preparation and Installation

1. If machine is a new install, protect it from hostile network traffic, until the operating system is installed and hardened
2. Consider using the Security Configuration Wizard to assist in hardening the host

Service Packs and Hotfixes

3. Install the latest service packs and hotfixes from Microsoft
4. Enable automatic notification of patch availability

User Account Policies

5. Set minimum password length
6. Enable password complexity requirements
7. Do not store passwords using reversible encryption
8. Configure account lockout policy

User Rights Assignment

9. Restrict the ability to access this computer from the network to Administrators and Authenticated Users.
10. Do not grant any users the 'act as part of the operating system' right.
11. Restrict local logon access to Administrators.
12. Deny guest accounts the ability to logon as a service, a batch job, locally, or via RDP.

Security Settings

13. Place the Secretariat warning banner in the Message Text for users attempting to log on.
14. Disallow users from creating and logging in with Microsoft accounts.
15. Disable the guest account.
16. Require Ctrl+Alt+Del for interactive logins.
17. Configure machine inactivity limit to protect idle interactive sessions.
18. Configure Microsoft Network Client to always digitally sign communications
19. Configure Microsoft Network Client to digitally sign communications if server agrees.
20. Disable the sending of unencrypted passwords to third party SMB servers.
21. Configure Microsoft Network Server to always digitally sign communications.
22. Configure Microsoft Network Server to digitally sign communications if client agrees.

Network Access Controls

23. Disable anonymous SID/Name translation.
24. Do not allow anonymous enumeration of SAM accounts.
25. Do not allow anonymous enumeration of SAM accounts and shares.
26. Do not allow Everyone permissions to apply to anonymous users.
27. Do not allow any named pipes to be accessed anonymously.
28. Restrict anonymous access to named pipes and shares.
29. Do not allow any shares to be accessed anonymously.
30. Require the "Classic" sharing and security model for local accounts.
31. Allow Local System to use computer identity for NTLM
32. Disable Local System NULL session fallback.
33. Configure allowable encryption types for Kerberos
34. Do not store LAN Manager hash values.
35. Set LAN Manager authentication level to only allow NTLMv2 and refuse LM and NTLM.
36. Enable the Windows Firewall in all profiles (domain, private, public).
37. Configure the Windows Firewall in all profiles to block inbound traffic by default

Active Directory Domain Member Security Settings

38. Digitally encrypt or sign secure channel data (always). (Default)
39. Digitally encrypt secure channel data (when possible). (Default)
40. Digitally sign secure channel data (when possible). (Default)
41. Require strong (Windows 2000 or later) session keys.
42. Configure the number of previous logons to cache.

Audit Policy Settings

43. Configure Account Logon audit policy.
44. Configure Account Management audit policy.
45. Configure Logon/Logoff audit policy.
46. Configure Policy Change audit policy.
47. Configure Privilege Use audit policy.

Event Log Settings

48. Configure Event Log retention method and size.
49. Configure log shipping

Additional Security Protection

50. Disable or uninstall unused services
51. Disable or delete unused users.
52. Configure User Rights to be as secure as possible.
53. Ensure all volumes are using the NTFS file system.
54. Configure file system permissions.
55. Configure registry permissions.
56. Disallow remote registry access if not required.

Additional Steps

57. Set the system date/time and configure it to synchronize against DC time servers
58. Install and enable security software
59. Configure security software to update daily
60. If RDP is utilized, set RDP connection encryption level to high.

Physical Security

61. Set a BIOS/firmware password to prevent alterations in system start up settings.
62. Disable automatic administrative logon to recovery console.
63. Configure the device boot order to prevent unauthorized booting from alternate media.
64. Configure a screen-saver to lock the console's screen automatically if the host is left unattended
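
Added example (not part of the original checklist): a read-only PowerShell audit of items 18-22, 24-32, 34 and 35, reporting each item's effective registry value. The function name Test-HardeningValue and the Pass/Fail/NotSet labels are assumptions made for this example; the registry value names are the standard locations behind the corresponding Security Options policies.

```powershell
# Added example: read-only audit of checklist items 18-22, 24-32, 34 and 35.
# Expected values follow the checklist wording. Run from an elevated prompt.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

$checks = @(
    @{ Item = 18; Path = $wks; Name = 'RequireSecuritySignature';  Expected = 1 }
    @{ Item = 19; Path = $wks; Name = 'EnableSecuritySignature';   Expected = 1 }
    @{ Item = 20; Path = $wks; Name = 'EnablePlainTextPassword';   Expected = 0 }
    @{ Item = 21; Path = $srv; Name = 'RequireSecuritySignature';  Expected = 1 }
    @{ Item = 22; Path = $srv; Name = 'EnableSecuritySignature';   Expected = 1 }
    @{ Item = 24; Path = $lsa; Name = 'RestrictAnonymousSAM';      Expected = 1 }
    @{ Item = 25; Path = $lsa; Name = 'RestrictAnonymous';         Expected = 1 }
    @{ Item = 26; Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Expected = 0 }
    @{ Item = 27; Path = $srv; Name = 'NullSessionPipes';          Expected = '' }
    @{ Item = 28; Path = $srv; Name = 'RestrictNullSessAccess';    Expected = 1 }
    @{ Item = 29; Path = $srv; Name = 'NullSessionShares';         Expected = '' }
    @{ Item = 30; Path = $lsa; Name = 'ForceGuest';                Expected = 0 }
    @{ Item = 31; Path = $lsa; Name = 'UseMachineId';              Expected = 1 }
    @{ Item = 32; Path = "$lsa\MSV1_0"; Name = 'allownullsessionfallback'; Expected = 0 }
    @{ Item = 34; Path = $lsa; Name = 'NoLMHash';                  Expected = 1 }
    @{ Item = 35; Path = $lsa; Name = 'LmCompatibilityLevel';      Expected = 5 }
)

function Test-HardeningValue {
    param([hashtable]$Check)
    $prop = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value absent: the OS default applies, so flag it for manual review.
        $actual = $null
        $state  = 'NotSet'
    } else {
        # REG_MULTI_SZ is returned as string[]; drop empty entries and join so
        # that an empty list compares equal to ''. DWORD 0 is kept ("0" -ne '').
        $actual = @($prop.($Check.Name) | Where-Object { "$_" -ne '' }) -join ','
        $state  = if ($actual -eq "$($Check.Expected)") { 'Pass' } else { 'Fail' }
    }
    [pscustomobject]@{
        Item = $Check.Item; Setting = $Check.Name
        Expected = $Check.Expected; Actual = $actual; State = $state
    }
}

$checks | ForEach-Object { Test-HardeningValue $_ } |
    Sort-Object Item | Format-Table -AutoSize
```

A NotSet result means the value is not present in the registry, so the effective behaviour is the operating system default and should be confirmed against the policy editor before the item is checked off.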
