
Harden operating system security for Windows

Last Updated: May 08, 2018

This article guides system administrators and security auditors through checking and configuring a Windows server for security compliance. Each item states the required setting, then the procedure to apply it in the Windows management consoles.


1. Account management and authentication

1.1 Account

Default account security

  • Disable the Guest account.
  • Disable or delete other idle accounts.
    • Disable an idle account first and leave it disabled for three months; delete it once you have confirmed that nothing depended on it.

Procedure

Open Control Panel > Administrative Tools > Computer Management, go to System Tools > Local Users and Groups > Users, and double-click the Guest account. On the General tab of its Properties dialog, select Account is disabled and click OK.

Assign separate accounts per role

Create separate users and user groups for each role the service needs, for example administrator, database user, audit user, and guest user, so that privileges can be granted per role and actions in the logs can be attributed to one person or process rather than to a shared account.

Procedure

Open Control Panel > Administrative Tools > Computer Management, go to System Tools > Local Users and Groups. Create the users and user groups your requirements call for (administrator, database user, audit user, guest user, and so on) and grant each group only the rights its role needs.

Inspect and delete irrelevant accounts regularly

Regularly delete or lock out accounts that are not needed for operating and maintaining the device.

Procedure

Open Control Panel > Administrative Tools > Computer Management, go to System Tools > Local Users and Groups. Delete or lock out any account that is not needed for operating and maintaining the device.

Hide last user name

Configure the logon screen not to show the name of the last user who logged on, so that someone at the console or connecting over Remote Desktop does not learn a valid account name to attack.

Procedure

Open Control Panel > Administrative Tools > Local Security Policy, go to Local Policies > Security Options. Double click Interactive logon: Do not display last user name, select Enabled, and click OK.

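The account controls in section 1.1 can be applied and checked from PowerShell. The script below is an added example, not part of the original article: it disables the built-in Guest account, reports enabled local accounts that are idle, and sets the registry value behind the "Do not display last user name" policy. It assumes Windows PowerShell 5.1 (Get-LocalUser ships with Windows Server 2016 and later, or with WMF 5.1 on 2012 R2), an elevated session, and a 90-day idle threshold, which the article leaves unspecified.

```powershell
# Added example (not from the original article): enforce the section 1.1
# account controls and report stale local accounts. Requires Windows
# PowerShell 5.1 with the LocalAccounts module and an elevated prompt.
# The 90-day idle threshold is an assumption; the article only says "idle".
#Requires -RunAsAdministrator

$IdleDays = 90
$Now      = Get-Date

# 1. Disable the built-in Guest account. Match on its well-known RID (501),
#    which survives renaming; the built-in Administrator is RID 500.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if ($guest -and $guest.Enabled) {
    Disable-LocalUser -Name $guest.Name
    Write-Host "Disabled guest account '$($guest.Name)'"
}

# 2. Find enabled accounts (other than the built-in Administrator) that have
#    never logged on or have been idle longer than $IdleDays. The article
#    says disable first and delete after three months, so this only disables.
$stale = Get-LocalUser |
    Where-Object { $_.Enabled -and $_.SID.Value -notlike 'S-1-5-21-*-500' } |
    Where-Object { -not $_.LastLogon -or ($Now - $_.LastLogon).Days -gt $IdleDays }

foreach ($u in $stale) {
    # -WhatIf produces a report only; remove it to actually disable the account.
    Disable-LocalUser -Name $u.Name -WhatIf
    $last = if ($u.LastLogon) { $u.LastLogon.ToString('yyyy-MM-dd') } else { 'never' }
    Write-Host ("Stale account {0,-20} last logon: {1}" -f $u.Name, $last)
}

# 3. Hide the last logged-on user name. This is the registry value that
#    "Interactive logon: Do not display last user name" = Enabled writes.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $polKey -Name DontDisplayLastUserName -PropertyType DWord -Value 1 -Force | Out-Null

# Verify the result.
Get-ItemProperty -Path $polKey -Name DontDisplayLastUserName | Select-Object DontDisplayLastUserName
Get-LocalUser | Select-Object Name, Enabled, LastLogon
```

On a domain member the script only covers the local SAM; domain accounts are managed in Active Directory. Run it once with -WhatIf in place to review the stale list, then remove -WhatIf.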

1.2 Password

Password complexity

Passwords must meet the following requirements:

  • The password contains at least eight characters.
  • The password satisfies the Windows complexity policy (Password must meet complexity requirements). When that policy is enabled, Windows rejects any password that contains the user's account name or more than two consecutive characters of the user's full name, and requires characters from at least three of the following five categories:
    • Upper case letters: A, B, C, … Z
    • Lower case letters: a, b, c, … z
    • Arabic numerals: 0, 1, 2, … 9
    • Non-alphanumeric characters, such as the symbols @, #, $, %, &, and *
    • Unicode letters that are neither upper nor lower case, such as characters from Asian scripts

Procedure

Open Control Panel > Administrative Tools > Local Security Policy, go to Account Policies > Password Policy. Make sure Password must meet complexity requirements is Enabled, and set Minimum password length to 8 characters (the complexity policy on its own only enforces a minimum of 6).

Maximum password age

For accounts that authenticate with a static password, the maximum password age must be no longer than 90 days.

Procedure

Open Control Panel > Administrative Tools > Local Security Policy, go to Account Policies > Password Policy. Set the Maximum password age to 90 days.


Account lockout policy

For accounts that authenticate with a static password, lock the account after 10 consecutive invalid logon attempts. Be aware that any lockout threshold lets someone who can reach the logon interface lock out an account whose name they know; keep the built-in Administrator available for recovery (it cannot be locked out at the console) and alert on event 4740 (account locked out) so lockouts are noticed.

Procedure

Open Control Panel > Administrative Tools > Local Security Policy, go to Account Policies > Account Lockout Policy. Set Account lockout threshold to 10 invalid logon attempts, and set Account lockout duration and Reset account lockout counter after to matching values (30 minutes is a common choice; the reset window must not exceed the lockout duration).


1.3 Authorization

Remote shutdown

The right to force shutdown from a remote system must be assigned only to the Administrators group in Local Security Settings.

Procedure

Open Control Panel > Administrative Tools > Local Security Policy, go to Local Policies > User Rights Assignment. Assign Force shutdown from a remote system to the Administrators group only.

Local shutdown

The right to shut down the system must be assigned only to the Administrators group in Local Security Settings. The default on a server also includes Backup Operators; remove it unless backups are run interactively by that group.

Procedure

Open Control Panel > Administrative Tools > Local Security Policy, go to Local Policies > User Rights Assignment. Assign Shut down the system to the Administrators group only.

Take ownership of files or other objects

The right to take ownership of files or other objects must be assigned only to the Administrators group in Local Security Settings. A holder of this right can take over any file, folder or registry key regardless of its ACL, so it amounts to full control of the system.

Procedure

Open Control Panel > Administrative Tools > Local Security Policy, go to Local Policies > User Rights Assignment. Assign Take ownership of files or other objects to the Administrators group only.

Authorize accounts to log on

The right to log on to the computer locally must be assigned only to authorized users in Local Security Settings. The default grants it to Users, Backup Operators and Administrators; restricting it to Administrators (plus any service or operator accounts that genuinely need a console session) stops every other account from logging on at the console or through the virtual console of a hypervisor.

Procedure

Open Control Panel > Administrative Tools > Local Security Policy, go to Local Policies > User Rights Assignment. Assign Allow log on locally to the authorized users and groups only.

Authorize accounts to access from the network

The right to access the computer from the network (which covers SMB file sharing and other network logons, but not Remote Desktop, which is governed by Allow log on through Remote Desktop Services) must be assigned only to authorized accounts in Local Security Settings. The default includes Everyone on some versions; replace it with the specific groups that need network access.

Procedure

Open Control Panel > Administrative Tools > Local Security Policy, go to Local Policies > User Rights Assignment. Assign Access this computer from the network to the authorized users and groups only.
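Sections 1.2 and 1.3 together are a handful of values in the Local Security Policy database, which is exactly what a security template (.inf) applied with secedit sets. The script below is an added example, not part of the original article: it writes a template carrying the password policy, the lockout policy and the five user rights above, applies it, re-exports the effective policy and checks each value. The 30-minute lockout duration and reset window, the inclusion of the Users group in Access this computer from the network, and the Administrators-only Allow log on locally are assumptions to adapt before running.

```powershell
# Added example (not from the original article): apply the section 1.2
# password/lockout settings and the section 1.3 user rights with a security
# template, then re-export and verify. Run elevated.
# Assumptions: 30-minute lockout duration and reset window; only
# Administrators may log on locally; Administrators and Users may access
# the host from the network. Adjust the *S-... lists to your service accounts.
#Requires -RunAsAdministrator

$Work = Join-Path $env:TEMP 'harden'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$Inf = Join-Path $Work 'harden.inf'
$Db  = Join-Path $Work 'harden.sdb'

# Well-known SIDs: S-1-5-32-544 = Administrators, S-1-5-32-545 = Users.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
MaximumPasswordAge = 90
LockoutBadCount = 10
LockoutDuration = 30
ResetLockoutCount = 30
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
'@ | Set-Content -Path $Inf -Encoding Unicode

# Apply only the two areas the template covers.
secedit /configure /db $Db /cfg $Inf /areas SECURITYPOLICY USER_RIGHTS /quiet

# Re-export the effective policy and compare against what we expect.
$Out = Join-Path $Work 'current.inf'
secedit /export /cfg $Out /areas SECURITYPOLICY USER_RIGHTS /quiet | Out-Null
$current = Get-Content $Out

$expected = @{
    'MinimumPasswordLength'     = '8'
    'PasswordComplexity'        = '1'
    'MaximumPasswordAge'        = '90'
    'LockoutBadCount'           = '10'
    'SeShutdownPrivilege'       = '*S-1-5-32-544'
    'SeRemoteShutdownPrivilege' = '*S-1-5-32-544'
    'SeTakeOwnershipPrivilege'  = '*S-1-5-32-544'
    'SeInteractiveLogonRight'   = '*S-1-5-32-544'
}
foreach ($k in $expected.Keys) {
    $line = $current | Where-Object { $_ -match "^\s*$k\s*=" } | Select-Object -First 1
    $val  = if ($line) { ($line -split '=', 2)[1].Trim() } else { '<missing>' }
    $ok   = $val -eq $expected[$k]
    '{0,-26} {1,-30} {2}' -f $k, $val, $(if ($ok) { 'OK' } else { 'MISMATCH' })
}
```

The same export step on its own (secedit /export) is what an auditor runs to check a host without changing it; on a domain member, a Group Policy that sets these values overrides the local template at the next refresh, so put the settings in the GPO instead of on each server.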

2. Log configuration operation

2.1 Log configuration

Audit logon

Devices must log every user logon. Each record must include the logon account, whether the logon succeeded, the time, and, for remote logons, the source IP address. On Windows these are Security log events 4624 (successful logon) and 4625 (failed logon), which carry the account name, the logon type (for example 2 = interactive, 3 = network, 10 = Remote Desktop) and the source address.

Procedure

Open Control Panel > Administrative Tools > Local Security Policy, go to Local Policies > Audit Policy, and set Audit logon events to Success, Failure.

Audit policy change

Set Audit policy change to record both successes and failures in Local Security Policy, so that any change to the audit or security policy itself is logged.

Procedure

Open Control Panel > Administrative Tools > Local Security Policy, go to Local Policies > Audit Policy, and set Audit policy change to Success, Failure.

Audit object access

Set Audit object access to record both successes and failures in Local Security Policy. This category only produces events for objects (files, registry keys) that carry a system access control list (SACL), so add SACLs to the objects you care about.

Procedure

Open Control Panel > Administrative Tools > Local Security Policy, go to Local Policies > Audit Policy, and set Audit object access to Success, Failure.

Audit directory service access

Set Audit directory service access to record both successes and failures in Local Security Policy. This category only produces events on domain controllers.

Procedure

Open Control Panel > Administrative Tools > Local Security Policy, go to Local Policies > Audit Policy, and set Audit directory service access to Success, Failure.

Audit privilege use

Set Audit privilege use to record both successes and failures in Local Security Policy. Successful privilege use is high volume on a busy server; make sure the Security log is sized for it.

Procedure

Open Control Panel > Administrative Tools > Local Security Policy, go to Local Policies > Audit Policy, and set Audit privilege use to Success, Failure.

Audit system events

Set Audit system events to record both successes and failures in Local Security Policy.

Procedure

Open Control Panel > Administrative Tools > Local Security Policy, go to Local Policies > Audit Policy, and set Audit system events to Success, Failure.

Audit account management

Set Audit account management to record both successes and failures in Local Security Policy. This is what records account creation, group membership changes and lockouts.

Procedure

Open Control Panel > Administrative Tools > Local Security Policy, go to Local Policies > Audit Policy, and set Audit account management to Success, Failure.

Audit process tracking

Set Audit process tracking to record failures in Local Security Policy. Note that process creation (event 4688) is recorded as a success event; if you rely on process creation logs for detection, record successes as well and accept the extra volume.

Procedure

Open Control Panel > Administrative Tools > Local Security Policy, go to Local Policies > Audit Policy, and set Audit process tracking to Failure (or Success, Failure if you need process creation events).

Note: On Windows Server 2008 R2 and later, Advanced Audit Policy Configuration (Security Settings > Advanced Audit Policy Configuration) offers per-subcategory control and overrides these legacy categories once any subcategory is set. Configure one or the other consistently, and check the effective settings with auditpol /get /category:* rather than reading them from the console.

Log file size

Set the maximum size of each log (Application, System and Security) to at least 8,192 KB, and larger where disk space allows; the Security log fills fastest under the audit settings above, so give it the most room. We recommend retaining as much log data as possible and forwarding it to a central collector. When the maximum size is reached, set the log to overwrite events as needed, so that logging never stops.

Procedure

Open Control Panel > Administrative Tools > Event Viewer, expand Windows Logs, and in the Properties of the Application, System and Security logs set Maximum log size and the action to take when the maximum size is reached (Overwrite events as needed).
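The audit and log settings of section 2.1 can be applied with auditpol and Limit-EventLog, and the logon facts the article requires (account, result, time, source IP) can be pulled out of the 4624/4625 events. The script below is an added example, not part of the original article: it assumes Windows PowerShell 5.1 (Limit-EventLog is not in PowerShell 7), an elevated session, and a 64 MB Security log, a size chosen here rather than by the article.

```powershell
# Added example (not from the original article): set the section 2.1 audit
# categories, size the event logs, and extract logon account / result /
# time / source IP from the Security log. Run elevated in Windows PowerShell.
# The 64 MB Security log size is an assumption; the article's floor is 8 MB.
#Requires -RunAsAdministrator

# Category-level settings as listed in the article. Detailed Tracking is
# failure-only there; process creation (4688) is a success event, so switch
# Success to 'enable' if you need it for detection.
$audit = @(
    @{ Category = 'Logon/Logoff';       Success = 'enable';  Failure = 'enable' },
    @{ Category = 'Policy Change';      Success = 'enable';  Failure = 'enable' },
    @{ Category = 'Object Access';      Success = 'enable';  Failure = 'enable' },
    @{ Category = 'DS Access';          Success = 'enable';  Failure = 'enable' },
    @{ Category = 'Privilege Use';      Success = 'enable';  Failure = 'enable' },
    @{ Category = 'System';             Success = 'enable';  Failure = 'enable' },
    @{ Category = 'Account Management'; Success = 'enable';  Failure = 'enable' },
    @{ Category = 'Detailed Tracking';  Success = 'disable'; Failure = 'enable' }
)
foreach ($a in $audit) {
    auditpol /set "/category:$($a.Category)" "/success:$($a.Success)" "/failure:$($a.Failure)" | Out-Null
}
auditpol /get /category:*    # the effective settings, whatever set them

# Log sizes with overwrite-as-needed retention; Security gets the most room.
Limit-EventLog -LogName Application -MaximumSize 8192KB -OverflowAction OverwriteAsNeeded
Limit-EventLog -LogName System      -MaximumSize 8192KB -OverflowAction OverwriteAsNeeded
Limit-EventLog -LogName Security    -MaximumSize 64MB   -OverflowAction OverwriteAsNeeded

# The fields the article requires, from the last 50 logon events.
# 4624 = successful logon, 4625 = failed logon; both carry the same EventData names.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } `
                       -MaxEvents 50 -ErrorAction SilentlyContinue
$events | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Result    = if ($_.Id -eq 4624) { 'success' } else { 'failure' }
        Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType = $d.LogonType          # 2 console, 3 network (SMB), 10 Remote Desktop
        SourceIP  = $d.IpAddress          # '-' for local logons
    }
} | Where-Object { $_.LogonType -in '2', '3', '10' } | Format-Table -AutoSize
```

The filter on logon types 2, 3 and 10 drops the service and scheduled-task logons (types 5 and 4) that would otherwise dominate the output; widen it when investigating those.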

3. IP protocol security configuration

3.1 IP protocol security

Enable SYN attack protection

Enable SYN attack protection with the following thresholds. Each corresponds to a DWORD value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:

  • SynAttackProtect = 2: enable SYN flood protection; once a flood is detected, half-open connections are timed out sooner and connection indications to applications are delayed until the three-way handshake completes.
  • TcpMaxPortsExhausted = 5: the number of connection requests refused for lack of backlog before SYN flood protection is triggered.
  • TcpMaxHalfOpen = 500: the number of connections in SYN_RCVD state before SYN flood protection is triggered.
  • TcpMaxHalfOpenRetried = 400: the number of connections in SYN_RCVD state for which at least one SYN/ACK retransmission has been sent before SYN flood protection is triggered.

Procedure

Open Registry Editor, and create or modify the following values with the recommended data.

Windows Server 2012

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect
    Recommended value: 2
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen
    Recommended value: 500

Windows Server 2008

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect
    Recommended value: 2
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxPortsExhausted
    Recommended value: 5
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen
    Recommended value: 500
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried
    Recommended value: 400

Note: These values were defined for the Windows Server 2003 TCP/IP stack. Windows Server 2008 and later ship a rewritten stack in which SYN attack protection is always on, and Microsoft lists SynAttackProtect, TcpMaxHalfOpen, TcpMaxHalfOpenRetried and TcpMaxPortsExhausted among the values that are no longer supported there. Setting them on 2008 or 2012 is harmless and satisfies checklists that look for them, but do not rely on them for protection; use a firewall or load balancer with SYN cookies or SYN proxying in front of an exposed server.

4. File permission

4.1 Shared folders and access permissions

Disable default share

Disable Windows hard disk sharing, such as C$, D$, in a non-domain environment.

Procedure

Open Registry Editor, and modify the registry key value according to the recommended value.

Note: The AutoShareServer value does not exist by default on Windows Server 2012 (or on other versions). When it is absent, the Server service behaves as if it were 1 and recreates the administrative drive shares (C$, D$, ADMIN$) every time it starts, so the shares are present by default even though the value is not. Create the value as a DWORD set to 0 and restart the Server service. IPC$ is not controlled by this value and remains available.

  • HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer
    Recommended value: 0

Authorized access to shared folders

Share permissions on each shared folder must be granted only to the accounts that need them.

Procedure

Limit the share permissions of each shared folder to what the service requires; do not grant permissions to Everyone, and prefer a dedicated group over Authenticated Users or Users. Effective access over the network is the more restrictive of the share permission and the NTFS permission on the folder, so check both.
Open Control Panel > Administrative Tools > Computer Management, go to Shared Folders > Shares, and review the share permissions of each shared folder.
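Section 4.1 can be applied and audited from PowerShell with the SmbShare cmdlets available on Windows Server 2012 and later. The script below is an added example, not part of the original article: it sets AutoShareServer to 0, removes the drive shares that already exist, and lists every non-administrative share that grants access to Everyone or to the broad built-in groups. Run it elevated; note that removing ADMIN$ also breaks tools such as PsExec and some agent installers that rely on it, which is the point in a non-domain environment but must be known before it is done.

```powershell
# Added example (not from the original article): turn off administrative
# drive shares (section 4.1) and flag shares open to Everyone or to broad
# built-in groups. Needs Windows Server 2012+ (SmbShare module). Run elevated.
#Requires -RunAsAdministrator

$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# AutoShareServer=0 stops the Server service recreating C$, D$, ADMIN$ at
# start-up. IPC$ is not governed by this value and stays.
New-ItemProperty -Path $srv -Name AutoShareServer -PropertyType DWord -Value 0 -Force | Out-Null

# Remove the drive/admin shares that exist right now; without the registry
# value above they would come back at the next Server service start.
Get-SmbShare | Where-Object { $_.Special -and $_.Name -match '^[A-Z]\$$|^ADMIN\$$' } |
    ForEach-Object { Remove-SmbShare -Name $_.Name -Force }

# Report user-created shares whose share permissions include a broad principal.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccountName -in $broad } |
        ForEach-Object {
            [pscustomobject]@{
                Share   = $share.Name
                Path    = $share.Path
                Account = $_.AccountName
                Access  = "$($_.AccessControlType) $($_.AccessRight)"
            }
        }
} | Format-Table -AutoSize

# Confirm what is still shared.
Get-SmbShare | Select-Object Name, Path, Special
```

Get-SmbShareAccess reports the share ACL only; pair it with Get-Acl on each share's path when you need the effective (share plus NTFS) permission.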

5. Service security

5.1 Disable NetBIOS on TCP/IP

Disabling NetBIOS over TCP/IP closes the three NetBIOS listeners: UDP 137 (netbios-ns, name service), UDP 138 (netbios-dgm, datagram service) and TCP 139 (netbios-ssn, session service). It removes NetBIOS name resolution and the legacy SMB-over-NetBIOS transport; SMB itself still listens on TCP 445, so if file sharing is not needed, disable the Server service as well (see the service table below).

Procedure

  1. Go to Computer Management > Services and Applications > Services and disable the TCP/IP NetBIOS Helper service.
  2. In the network connection's properties, double-click Internet Protocol Version 4 (TCP/IPv4), click Advanced, and on the WINS tab select Disable NetBIOS over TCP/IP. Repeat for every network adapter; the setting is per interface.

Disable unnecessary services

Disable unnecessary services as follows: set the startup type to Disabled and stop the service. Check what depends on each service first; in particular, disabling Server or Windows Remote Management removes the remote management paths that administrators and monitoring agents may be using.

  • DHCP Client (Dhcp): Disable if the host does not use a dynamic IP address.
  • Background Intelligent Transfer Service (BITS): Disable if automatic updates are not used; Windows Update relies on it to download.
  • Computer Browser (Browser): Disable.
  • Diagnostic Policy Service (DPS): Set to Manual.
  • IP Helper (iphlpsvc): Provides the IPv6 transition tunnels (6to4, ISATAP, Teredo, IP-HTTPS). Disable unless one of them is in use.
  • Print Spooler (Spooler): Disable if printing is not required.
  • Remote Registry (RemoteRegistry): Allows the registry to be edited remotely. Disable.
  • Server (LanmanServer): Disable if file sharing is not used. This also removes the default shares IPC$, ADMIN$ and C$, and with them any remote administration that depends on them.
  • TCP/IP NetBIOS Helper (lmhosts): Disable.
  • Windows Remote Management (WS-Management) (WinRM): Disable unless the host is managed through PowerShell remoting or another WS-Management client; those stop working when it is disabled.
  • Windows Font Cache Service (FontCache): Disable.
  • WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc): Disable.
  • Windows Error Reporting Service (WerSvc): Disable.
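The two procedures in section 5 (NetBIOS over TCP/IP on every adapter, then the service table) are applied together below. The script is an added example, not part of the original article: it assumes an elevated Windows PowerShell 5.1 session on Windows Server 2012 or later (for Get-NetTCPConnection and Get-NetUDPEndpoint), and it leaves WinRM out of the disable list by default because disabling it breaks PowerShell remoting; edit the list to the services your host can do without.

```powershell
# Added example (not from the original article): disable NetBIOS over TCP/IP
# on every interface (section 5.1), disable the listed services, and confirm
# nothing is listening on 137/138/139. Run elevated on Server 2012 or later.
# WinRM is deliberately not in $services; add it only if the host is not
# managed over WS-Management.
#Requires -RunAsAdministrator

# NetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled. This is
# the per-interface value behind the WINS tab radio button.
$ifaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem $ifaces | Where-Object { $_.PSChildName -like 'Tcpip_*' } | ForEach-Object {
    Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
}

# Services from the article's table, by short name. Trim this before running:
# keep Dhcp on DHCP-addressed hosts, Spooler on print servers, BITS where
# Windows Update is used, LanmanServer where file sharing or ADMIN$ is needed.
$services = @(
    'Dhcp',                # DHCP Client
    'BITS',                # Background Intelligent Transfer Service
    'Browser',             # Computer Browser
    'iphlpsvc',            # IP Helper (IPv6 transition tunnels)
    'Spooler',             # Print Spooler
    'RemoteRegistry',      # Remote Registry
    'LanmanServer',        # Server (also removes IPC$/ADMIN$/C$)
    'lmhosts',             # TCP/IP NetBIOS Helper
    'FontCache',           # Windows Font Cache Service
    'WinHttpAutoProxySvc', # WinHTTP Web Proxy Auto-Discovery
    'WerSvc'               # Windows Error Reporting
)
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "$name is not installed"; continue }
    try {
        Set-Service -Name $name -StartupType Disabled -ErrorAction Stop
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force -ErrorAction Stop }
    } catch {
        # Some services are protected on newer builds and refuse the change.
        Write-Warning "$name could not be disabled: $($_.Exception.Message)"
    }
}
Set-Service -Name DPS -StartupType Manual    # Diagnostic Policy Service: Manual

# Verify: no NetBIOS listeners (a reboot may be needed for NetBT to release
# them), and the current state of the services we touched.
Get-NetUDPEndpoint | Where-Object { $_.LocalPort -in 137, 138 } |
    Format-Table LocalAddress, LocalPort
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -eq 139 } |
    Format-Table LocalAddress, LocalPort
Get-Service -Name ($services + 'DPS') -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

If the host gets its address from DHCP, the DHCP server can also push the NetBIOS setting (option 001 in the Microsoft vendor class); the registry value above overrides it either way.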

6. Security options

6.1 Enable security options

Procedure

Open Control Panel > Administrative Tools > Local Security Policy, go to Local Policies > Security Options, and set as follows.

Security option and required configuration:

  • Interactive logon: Message title for users attempting to log on
    Value: Notice
  • Interactive logon: Message text for users attempting to log on
    Value: a banner along the lines of "This system may be used only for authorized business purposes and with management approval. Use of this system may be monitored at any time." Use the wording your legal or compliance function has approved.
  • Microsoft network server: Digitally sign communications (if client agrees)
    Value: Enabled
  • Microsoft network server: Digitally sign communications (always)
    Value: Enabled
  • Microsoft network client: Digitally sign communications (if server agrees)
    Value: Enabled
  • Microsoft network client: Digitally sign communications (always)
    Value: Enabled
  • Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
    Value: Require NTLMv2 session security, Require 128-bit encryption
  • Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
    Value: Require NTLMv2 session security, Require 128-bit encryption
  • Network security: LAN Manager authentication level
    Value: Send NTLMv2 response only. Refuse LM & NTLM
  • Network access: Do not allow anonymous enumeration of SAM accounts
    Value: Enabled (this is the default on servers; confirm it has not been changed)
  • Network access: Do not allow anonymous enumeration of SAM accounts and shares
    Value: Enabled
  • Network access: Shares that can be accessed anonymously
    Value: empty (the default)
  • Network access: Named Pipes that can be accessed anonymously
    Value: empty
  • Network access: Remotely accessible registry paths
    Value: empty, so that no registry path can be read remotely
  • Network access: Remotely accessible registry paths and sub-paths
    Value: empty, so that no registry path can be read remotely

Note: Requiring SMB signing "always" and refusing LM and NTLM (authentication level 5) break clients that cannot sign or that still send NTLMv1 responses, typically very old operating systems and some embedded devices; inventory clients before applying these on a file server. Emptying the remotely accessible registry paths also stops remote Event Viewer and remote performance-counter collection, which read those paths.

6.2 Disable shutdown without logon

By default, shutting the server down without logging on is not allowed. Do not enable this option: it lets anyone with physical or console access shut the system down without credentials, which is both a denial of service and an audit gap, since there is no logon to attribute the shutdown to.

Procedure

Open Control Panel > Administrative Tools > Local Security Policy, go to Local Policies > Security Options, and disable Shutdown: Allow system to be shut down without having to log on.
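Every option in sections 6.1 and 6.2 is stored as a registry value, which is what Local Security Policy writes and what a compliance check can read back. The script below is an added example, not part of the original article: it sets those values (the banner text is a placeholder to replace with approved wording) and reads back the authentication-related ones. It assumes an elevated Windows PowerShell session and applies the settings locally; on a domain member the equivalent GPO should carry them instead.

```powershell
# Added example (not from the original article): set the section 6.1 and 6.2
# security options through their registry values and read back the
# authentication settings. Run elevated. Banner text is a placeholder.
#Requires -RunAsAdministrator

# NTLM minimum session security flags: 0x20000000 = NTLMv2 session security,
# 0x00080000 = 128-bit encryption. Both together = 0x20080000.
$NTLMv2_128 = 0x20080000

$settings = @(
    # path, value name, type, data
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'legalnoticecaption', 'String', 'Notice'),
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'legalnoticetext',    'String',
      'This system may be used only for authorized business purposes. Use may be monitored at any time.'),
    # 6.2: do not allow shutdown without logon
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'ShutdownWithoutLogon', 'DWord', 0),
    # SMB signing, server and client ("always" + "if the other side agrees")
    @('HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters',      'RequireSecuritySignature', 'DWord', 1),
    @('HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters',      'EnableSecuritySignature',  'DWord', 1),
    @('HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters', 'RequireSecuritySignature', 'DWord', 1),
    @('HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters', 'EnableSecuritySignature',  'DWord', 1),
    # NTLM minimum session security and LAN Manager authentication level 5
    @('HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0', 'NTLMMinServerSec', 'DWord', $NTLMv2_128),
    @('HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0', 'NTLMMinClientSec', 'DWord', $NTLMv2_128),
    @('HKLM:\SYSTEM\CurrentControlSet\Control\Lsa', 'LmCompatibilityLevel', 'DWord', 5),
    # No anonymous enumeration of SAM accounts / SAM accounts and shares
    @('HKLM:\SYSTEM\CurrentControlSet\Control\Lsa', 'RestrictAnonymousSAM', 'DWord', 1),
    @('HKLM:\SYSTEM\CurrentControlSet\Control\Lsa', 'RestrictAnonymous',    'DWord', 1),
    # Shares and named pipes reachable anonymously: none
    @('HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters', 'NullSessionShares', 'MultiString', [string[]]@()),
    @('HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters', 'NullSessionPipes',  'MultiString', [string[]]@()),
    # Remotely accessible registry paths (exact, and with sub-paths): none
    @('HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPaths', 'Machine', 'MultiString', [string[]]@()),
    @('HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths',      'Machine', 'MultiString', [string[]]@())
)

foreach ($s in $settings) {
    $path, $name, $type, $value = $s
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $name -PropertyType $type -Value $value -Force | Out-Null
}

# Read back: LmCompatibilityLevel must be 5 and both NTLM minimums must carry
# the two flag bits (0x20080000). RestrictAnonymous* must both be 1.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
[pscustomobject]@{
    LmCompatibilityLevel = $lsa.LmCompatibilityLevel
    NTLMMinServerSec     = ('0x{0:X8}' -f $msv.NTLMMinServerSec)
    NTLMMinClientSec     = ('0x{0:X8}' -f $msv.NTLMMinClientSec)
    RestrictAnonymous    = $lsa.RestrictAnonymous
    RestrictAnonymousSAM = $lsa.RestrictAnonymousSAM
}
```

The SMB signing and NTLM values take effect for new sessions; the Server service picks up the LanmanServer values at its next start. Run the read-back part alone, without the loop, as the audit step.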

7. Other security configuration

7.1 Anti-virus management

Anti-virus software must be installed on every Windows host.

Procedure

Install enterprise-grade anti-virus software, enable automatic signature updates and real-time protection, and confirm the agent reports its status to the central management console so that an out-of-date or disabled agent is noticed.

7.2 Set screen saver password and waiting time

Set the password to be required when resuming from the screen saver, and set the wait time for the screen saver to five minutes.

Procedure

Enable screen saver, set the wait time to five minutes, and enable On resume, use password protection.

7.3 Restrict the idle time for remote logon

For sessions opened from the network, configure automatic disconnection after 15 minutes of inactivity.

Procedure

Open Control Panel > Administrative Tools > Local Security Policy, go to Local Policies > Security Options. Set Microsoft network server: Amount of idle time required before suspending session to 15 minutes. This option applies to SMB (file sharing) sessions only. For Remote Desktop sessions, set the idle limit separately in Group Policy under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits (Set time limit for active but idle Remote Desktop Services sessions).

7.4 Operating system update management

Make sure the operating system has the latest security updates installed.

Procedure

Install the latest cumulative and security updates for the operating system. Before installing an update in production, test it on a staging server that runs the same software stack.

Note: In a production environment we recommend configuring Windows Update to download updates automatically and notify, so that an administrator decides when to install and reboot rather than letting updates apply on their own schedule. Keep a record of updates that are pending so that "not yet installed" does not quietly become "never installed".
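The update setting recommended in section 7.4 is the AUOptions policy value, and the Windows Update Agent can be asked which updates are still missing, which is the number an auditor wants. The script below is an added example, not part of the original article: it sets the policy to download-and-notify, lists the most recently installed hotfixes, and enumerates updates not yet installed. It assumes an elevated session and that the host can reach Windows Update or its WSUS server.

```powershell
# Added example (not from the original article): set Windows Update to
# "download automatically, notify to install" (section 7.4) and list the
# updates still outstanding. Run elevated; the search needs Windows Update
# or WSUS reachability.
#Requires -RunAsAdministrator

$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if (-not (Test-Path $au)) { New-Item -Path $au -Force | Out-Null }
# AUOptions: 2 = notify before download, 3 = auto download and notify to
# install, 4 = auto download and scheduled install. 3 is what the article
# recommends for production.
New-ItemProperty -Path $au -Name NoAutoUpdate -PropertyType DWord -Value 0 -Force | Out-Null
New-ItemProperty -Path $au -Name AUOptions    -PropertyType DWord -Value 3 -Force | Out-Null

# Most recently installed hotfixes: a quick view of how current the host is.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, Description, InstalledOn

# Outstanding updates through the Windows Update Agent COM API.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
$pending  = @($result.Updates | ForEach-Object {
    [pscustomobject]@{
        KB       = ($_.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity = $_.MsrcSeverity      # Critical/Important/... or empty for non-security updates
        Title    = $_.Title
    }
})
"{0} update(s) not installed" -f $pending.Count
$pending | Sort-Object Severity | Format-Table -AutoSize
```

Treat a non-empty Critical or Important list as a finding; the policy value only controls how the host learns about updates, not whether they get installed.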
