Windows hardening looks different from Linux. Different tools, different attacker tradecraft, different audit surface. This module covers the baseline every production Windows server and Windows 10/11 workstation should have β without drowning you in 500 pages of MS docs.
The hardening stack
- Authentication β MFA, account policies, Credential Guard
- Network β firewall, SMB, RDP
- Endpoint protection β Defender, EDR, attack surface reduction
- Updates β WSUS / Windows Update for Business
- Privilege β UAC, LAPS, tiered admin
- Logging β Windows Event Log, Sysmon
1. Account policies (Local / via GPO)
- Minimum password length: 14 characters
- Password complexity: enabled
- Password history: 24
- Account lockout threshold: 5 attempts
- Account lockout duration: 15 min
- Reset lockout counter after: 15 min
For AD-joined machines, push via Group Policy. Fine-grained password policies (FGPP) allow tiered rules for service accounts and privileged accounts (longer passwords, no lockout).
2. Credential Guard + LSA Protection
Credential Guard (Windows 10+/Server 2016+) isolates LSASS secrets in a virtualization-based security (VBS) container. Tools like Mimikatz cannot read the protected memory. Enable via GPO:
Computer Configuration β Administrative Templates β System β Device Guard β Turn on Virtualization Based Security β Enabled β Credential Guard Configuration: Enabled with UEFI lock
LSA Protection: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL = 1 makes LSASS a Protected Process Light, preventing most memory reads.
3. Windows Defender configuration
Modern Defender (MDE / Defender for Endpoint) is genuinely good. Key settings:
- Real-time protection: ON (default)
- Cloud-delivered protection: ON
- Automatic sample submission: ON (for your own org)
- Tamper protection: ON (prevents attacker from disabling Defender)
- Enable Attack Surface Reduction (ASR) rules β each blocks a specific attack pattern
# Enable core ASR rules via PowerShell
Add-MpPreference -AttackSurfaceReductionRules_Ids `
D4F940AB-401B-4EFC-AADC-AD5F3C50688A ` # Block Office child processes
-AttackSurfaceReductionRules_Actions Enabled
# Others to enable:
# 26190899-1602-49e8-8b27-eb1d0a1ce869 Office comm app child processes
# 3B576869-A4EC-4529-8536-B80A7769E899 Office content injection
# 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Obfuscated macros
# BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Untrusted downloaded executables
# D3E037E1-3EB8-44C8-A917-57927947596D JavaScript/VBScript payloads4. Disable SMBv1, audit RDP exposure
# Check SMBv1 status
Get-SmbServerConfiguration | Select EnableSMB1Protocol
# Disable SMBv1 (if any system still has it on)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Require SMB signing
Set-SmbServerConfiguration -RequireSecuritySignature $true
# RDP β restrict by IP via firewall; require NLA
# Network Level Authentication prevents pre-auth attacks
Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" UserAuthentication 1Never expose RDP directly to the internet. Use a VPN, Azure Bastion, or jump host with MFA.
5. LAPS β Local Administrator Password Solution
Without LAPS, every domain-joined Windows machine typically has the same local admin password. Compromise one = LAN-wide admin. LAPS assigns each machine a unique, random, rotating local admin password, stored encrypted in AD.
Windows LAPS (built-in since Windows 10 Spring 2023) replaces the legacy add-on. Deploy via GPO.
6. UAC and privileged operations
- UAC: Enabled at highest “Always notify” level for privileged workstations
- Never run as local admin for daily use β separate “admin” account assumed via Run As
- For domain admin work: dedicated Privileged Access Workstation (PAW) without internet/email
7. Windows Event Log + Sysmon
Default Windows auditing misses a lot. Combine:
- Advanced Audit Policy via GPO β enables comprehensive logging beyond basic defaults
- Sysmon (free Microsoft tool) β adds process creation, network connections, file hash logging, registry monitoring
- SwiftOnSecurity’s Sysmon config β community-maintained, balanced noise-vs-coverage starter
# Install Sysmon with a good config
curl -O https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml
sysmon.exe -accepteula -i sysmonconfig-export.xml
# View Sysmon events
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational"Ship logs to SIEM via Windows Event Forwarding (WEF) or agent-based (MS Sentinel Agent, Splunk UF).
8. BitLocker
Every laptop and workstation should have BitLocker enabled. For stolen / lost devices, BitLocker protects data at rest. For servers in physically secure data centres, it’s less critical but still recommended.
9. PowerShell logging
Attackers heavily use PowerShell. Enable deep PowerShell logging:
- Script Block Logging β logs every PowerShell command, including obfuscated
- Module Logging β logs module activity
- Transcription β saves full session transcripts
- AMSI (Antimalware Scan Interface) β scans PowerShell content at runtime
10. CIS Benchmarks for Windows
Use CIS-CAT or Microsoft Security Compliance Toolkit (with MS Baselines) for automated scoring. Aim for 85%+ CIS Level 1 on standard endpoints; Level 2 for high-security workstations.
Quick reference summary
- 14+ char passwords, FGPP for privileged accounts, account lockout
- Credential Guard + LSA Protection β defeats most credential-theft tools
- Defender with cloud protection + tamper protection + ASR rules
- Disable SMBv1, require SMB signing, NLA on RDP, no internet-facing RDP
- LAPS for unique rotating local admin passwords
- Sysmon + Advanced Audit Policy for comprehensive logging
- BitLocker on laptops; PowerShell script-block logging + AMSI
- CIS Benchmark + Microsoft Security Compliance Toolkit scoring
Module Quiz Β· 20 questions
Pass with 70%+ to mark this module complete. Unlimited retries. Each question shows an explanation.