Windows Server security guide: hardening & best practices

Windows Server security starts with hardening, the systematic reduction of the attack surface left exposed by default configurations. Because Windows Server underpins authentication and data access across the Microsoft ecosystem, one misconfigured control can cascade into domain-wide compromise. Effective hardening requires reducing the services that run, applying configuration baselines, enforcing tight access controls, segmenting networks, encrypting data, maintaining audit visibility, and continuously detecting drift.

Infrastructure-centric attacks are surging. The Verizon 2025 Data Breach Investigations Report found that exploitation of vulnerabilities has grown to roughly 20% of breaches as an initial access method, reflecting sustained attacker focus on the on-premises estate.

Windows Server, the backbone of Active Directory, file services, and authentication in most enterprises, remains a frequent target.

Strong Windows Server security begins with hardening: removing unnecessary functionality, locking down defaults, and enforcing the configurations that block the paths attackers actually use.

The challenge is that Windows Server still ships optimized for ease of use, not security. Permissive defaults, legacy protocols, and minimal auditing all give an attacker more room to move once inside. An out-of-the-box installation of any version of Windows Server is only about 30% in line with the matching CIS benchmark for hardening that release.

This guide explains what Windows Server security hardening is and why it matters in the current threat landscape, then walks through best practices that cover the full attack surface.

What is Windows Server security hardening?

Windows Server security hardening is the process of configuring a Windows Server system to reduce its attack surface. That means disabling unused features, tightening default settings, enforcing least privilege, and applying secure configuration baselines aligned to recognized standards.

Hardening is distinct from patching: patches close specific known vulnerabilities, while hardening reduces the exploitable surface that patches would otherwise need to defend.

A hardened Windows Server is one where only the services, ports, users, and permissions required by its role remain enabled. Everything else (legacy protocols, default shares, anonymous access, unused roles) is removed or restricted.

Three standards govern most Windows Server hardening programs:

  • CIS Benchmarks from the Center for Internet Security provide consensus-driven, version-specific hardening guidance for each Windows Server release. CIS is the most widely adopted baseline for commercial enterprises.
  • DoD STIG (Security Technical Implementation Guides) from the U.S. Department of Defense define hardening requirements for federal, defense, and defense-adjacent organizations. STIG overlaps substantially with CIS but is more prescriptive.
  • NIST SP 800-123 and 800-171 provide the underlying configuration management principles that inform both CIS and STIG, and are referenced directly in compliance frameworks such as CMMC and FedRAMP.

Most organizations start with CIS and supplement it with additional requirements as their regulatory footprint demands. National cybersecurity bodies in countries such as Australia, France, and Germany have also published detailed technical hardening guides, and Microsoft's own security baselines address hardening as well.

Why Windows Server security matters

Hardening Windows Server is not a box-checking exercise. Four realities make it one of the highest-leverage security investments available.

1. Windows Server is the authentication backbone

Active Directory runs on Windows Server and functions as the central credential store for most enterprises. A compromised Windows Server running a domain controller role gives an attacker the keys to every application, share, and workload that trusts the domain. Hardening the servers that run AD is therefore not just a server-security task. It is an identity-security task with domain-wide consequences.

2. On-premises infrastructure is a concentrated target

Windows Server sits at the center of most on-premises IT estates, which concentrates the exploitation pressure described above into a single surface. That concentration makes Windows Server a high-value target, and hardening reduces the number of viable entry points an attacker can exploit before any endpoint detection fires.

3. Default configurations create exploitable surface

A freshly installed Windows Server grants the Everyone group the right to access the computer from the network. By default, it allows anonymous enumeration of Security Account Manager (SAM) accounts and shares, may store LAN Manager hashes, and may have NTLMv1 enabled.

Each of these defaults corresponds to a known technique in attacker playbooks, and configuration alone closes each one, with no license purchase required. Hardening converts these defaults into deliberate, role-appropriate settings.

4. Compliance frameworks require it

Compliance frameworks from PCI DSS to HIPAA, SOX, NIST SP 800-171, and CMMC all require documented secure configurations, configuration management, and audit trails for systems handling regulated data.

Utility-sector standards such as North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) require the same. Hardening Windows Server against a recognized baseline, and monitoring for drift, is the most efficient way to satisfy these requirements across multiple regulations simultaneously.


Windows Server security best practices

The practices below group into six categories that together cover the full Windows Server attack surface. Apply them sequentially when standing up new servers; apply them continuously against existing ones.

1. Start with a hardened baseline

Baseline hardening begins before the operating system is installed and extends through initial configuration. Treat every new server as a project (or as code, if you manage servers through Intune), not a deployment.

Server preparation

  • Establish and maintain a detailed inventory of all servers, including each server's baseline configuration, and detect every subsequent change (drift).
  • Provide just enough network and internet connectivity to new servers until they are fully hardened.
  • Use UEFI Secure Boot and protect the firmware so that boot-level settings cannot be changed without authorization.
  • Secure WinRE and require BitLocker recovery keys.
  • Configure the device boot order to prevent booting from alternate media such as USB or optical drives.
  • Control and verify the configuration of virtualized servers.

Patching and updates

A hardened configuration is only as strong as the patch level beneath it. Apply updates early, apply them centrally, and test before deployment.

  • After installing Windows Server, immediately apply the latest patches through Windows Autopatch or Microsoft Intune for modern deployments, or through Microsoft Endpoint Configuration Manager (formerly SCCM) where legacy infrastructure requires it. Use continuous monitoring to verify patch state across the fleet.
  • Use centralized patch orchestration, and rely on tools like SCCM only when legacy infrastructure requires it.
  • Before deploying any patch, hotfix, or service pack to production, test it thoroughly in a staging environment.

Role, feature, and service reduction

Every role, feature, application, and service running on a server adds code an attacker can probe. Strip the server down to what it actually needs to do its job.

  • Remove Windows Server roles and features outside the server's intended purpose.
  • Remove unused applications, services, and protocols.
  • Avoid browsers on servers, or block them by policy, and limit internet access for all users.
  • Use BitLocker to protect the Windows swap file, and run RAM-only workloads where the server has sufficient memory.

System configuration

Several default Windows behaviors assume a friendlier environment than a production server actually runs in. These settings close low-level gaps that attackers reliably exploit.

  • Protect the registry from anonymous access, and disable Remote Registry if it is not required.
  • Disable NullSessionPipes and NullSessionShares to limit anonymous access to network resources.
  • Grant only authorized users and administrators the ability to modify critical registry keys.
  • Require Ctrl+Alt+Del for interactive logons and configure an inactivity timeout that ends idle sessions automatically; monitor these settings so that malicious drift is detected.
  • Display a legal notice before user login, such as: "Unauthorized use of this computer and network resources is prohibited."
  • Use policy to disable removable media such as USB drives, reducing the risk of data exfiltration and malware injection.

2. Lock down user accounts and access

Access management determines who can reach which resources and what they can do once they arrive. This category closes the identity-based paths attackers use to move laterally once inside.

User account security

Default user accounts and predefined groups carry permissions that are almost always too permissive for production. Tighten these before any other access work.

  • Disable the guest account on every server.
  • Disable the local Administrator account where possible, use LAPS, or create a new, named account with just-in-time privileges.
  • Audit the membership of predefined groups such as Administrators, Backup Operators, and Everyone, and remove accounts that don't belong. Do not modify the permissions of built-in service accounts such as Local System and Network Service, as changes to these can break core Windows functionality.
  • Change the default that grants Everyone the "Access this computer from the network" right. That one default exposes shared folders to every authenticated and anonymous user.
  • Ensure system and administrator account passwords are at least 15 characters, combining letters, numbers, and special characters. Enforce MFA on all privileged accounts. Do not mandate periodic rotation unless there is evidence of compromise, per NIST SP 800-63B guidance.
  • Configure an account lockout policy in Group Policy to throttle brute-force attempts.
  • Disable anonymous SID/Name translation.
  • Disable or delete unused user accounts promptly.
  • Use tiered administrative accounts (Tier 0 for domain and forest admin, Tier 1 for server admin, Tier 2 for workstation admin) and access those accounts through a Privileged Access Workstation. Never use domain admin accounts for routine server maintenance.

Access management

With accounts cleaned up, the next question is what those accounts can actually do. Access management controls answer that question, and they are where least privilege and authentication hygiene live.

  • Enforce the principle of least privilege by granting users and processes only the minimum rights required. Be especially conservative with permissions granted to the Everyone group.
  • Allow only authenticated users to access any computer from the network.
  • Configure the encryption types allowed for Kerberos authentication, disabling weaker legacy options.
  • Avoid storing LAN Manager hash values.
  • Disable file and printer sharing if it is not required.
  • Disable NTLMv1 unless a legacy technology requires it.
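The system-configuration and access-management items above map to specific registry values and one service. The following PowerShell script, added here as an example and not code from the Netwrix page, reads each of them and reports pass or fail; the expected values are assumed from the CIS Windows Server benchmark, and the registry paths are the documented Windows locations for these settings.

```powershell
# Read-only audit of the anonymous-access, LM/NTLM, Kerberos and logon settings named
# in the checklist. Expected values are an assumption taken from the CIS benchmark;
# adjust them to your approved baseline. Run in an elevated PowerShell session.
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-HardeningValue {
    param([string]$Check, [string]$Key, [string]$ValueName, $Expected, [string]$Note)
    $actual  = (Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $display = if ($null -eq $actual) { '<not set>' } else { $actual }   # unset counts as a failure
    [pscustomobject]@{ Check = $Check; Expected = $Expected; Actual = $display
                       Pass  = ($null -ne $actual -and $actual -eq $Expected); Note = $Note }
}

$results = @(
    Test-HardeningValue 'RestrictAnonymous'      $lsa    'RestrictAnonymous'      1 'Block anonymous share enumeration'
    Test-HardeningValue 'RestrictAnonymousSAM'   $lsa    'RestrictAnonymousSAM'   1 'Block anonymous SAM enumeration'
    Test-HardeningValue 'NoLMHash'               $lsa    'NoLMHash'               1 'Do not store LAN Manager hashes'
    Test-HardeningValue 'LmCompatibilityLevel'   $lsa    'LmCompatibilityLevel'   5 'NTLMv2 only; refuse LM and NTLMv1'
    Test-HardeningValue 'RestrictNullSessAccess' $srv    'RestrictNullSessAccess' 1 'Restrict null-session access'
    Test-HardeningValue 'DisableCAD'             $policy 'DisableCAD'             0 'Require Ctrl+Alt+Del at logon'
    Test-HardeningValue 'KerberosEncTypes' "$policy\Kerberos\Parameters" 'SupportedEncryptionTypes' 2147483640 'AES-only Kerberos (0x7FFFFFF8)'
)

# Multi-string lists: both must be empty so no pipe or share is reachable over a null session
foreach ($v in 'NullSessionPipes', 'NullSessionShares') {
    $list = (Get-ItemProperty -Path $srv -Name $v -ErrorAction SilentlyContinue).$v
    $results += [pscustomobject]@{ Check = $v; Expected = '<empty>'; Actual = ($list -join ',')
                                   Pass = [bool](-not $list); Note = 'No anonymous pipes/shares' }
}

# Inactivity timeout: 1..900 seconds (0 disables the lock entirely)
$timeout = (Get-ItemProperty -Path $policy -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
$results += [pscustomobject]@{ Check = 'InactivityTimeoutSecs'; Expected = '1-900'; Actual = $timeout
                               Pass = ($timeout -ge 1 -and $timeout -le 900); Note = 'Lock idle sessions' }

# Logon banner text must be present
$notice = (Get-ItemProperty -Path $policy -Name legalnoticetext -ErrorAction SilentlyContinue).legalnoticetext
$results += [pscustomobject]@{ Check = 'LegalNoticeText'; Expected = '<non-empty>'; Actual = $notice
                               Pass = -not [string]::IsNullOrWhiteSpace($notice); Note = 'Legal notice before logon' }

# Remote Registry should be disabled unless a documented need exists
$rr = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Check = 'RemoteRegistry'; Expected = 'Disabled'; Actual = $rr.StartType
                               Pass = ($rr.StartType -eq 'Disabled'); Note = 'Remote Registry service' }

$results | Format-Table Check, Expected, Actual, Pass, Note -AutoSize
# A non-zero exit code lets a scheduled task or monitoring agent flag drift from the baseline
if ($results.Pass -contains $false) { exit 1 }
```

Anonymous SID/Name translation is stored in the local security policy database rather than the registry, so check it with `secedit /export` (LSAAnonymousNameLookup) or through Group Policy rather than this script.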

Remote access

Remote Desktop Protocol is convenient for administrators and equally convenient for attackers. Treat it as a last-resort interface and wrap it in strong authentication when it is used at all.

  • Enable Remote Desktop Protocol (RDP) only when necessary. Attackers commonly exploit RDP as an initial-access vector.
  • Where RDP is required, set the connection encryption level to high.
  • Grant remote access only to specific users who need it.
  • Require multi-factor authentication (MFA) to add a second factor beyond the password.


3. Configure network and firewall defensively

Network architecture determines how exposed a hardened server actually is. A well-hardened server behind an over-permissive firewall still gets attacked.

Network configuration

Network-level controls decide who can even attempt to talk to the server. Segment aggressively, and close the legacy name-resolution protocols that still create unnecessary exposure.

  • Isolate servers using approaches such as Zero Trust network segmentation, micro-segmentation, or identity-based segmentation.
  • Verify DNS and hostname configurations to prevent DNS-based manipulation, and employ DNSSEC or DNS over TLS/HTTPS.
  • Implement IP restrictions and filtering rules to control which addresses or ranges can communicate with each server.
  • Where remote administration is required, restrict RDP access to specific IP addresses or networks and use PAWs (privileged access workstations) for the task.
  • Disable NetBIOS over TCP/IP and LMHosts lookup unless a legacy application requires them.

Firewall configuration

Windows Firewall is the server's last line of defense against unsolicited traffic that makes it past network-level controls. Default-deny is the posture that keeps it useful.

  • Enable Windows Firewall on every server.
  • Configure each firewall profile (Domain, Private, and Public) to block inbound traffic by default. When inbound access is required, limit it to essential protocols, ports, and IP ranges. Consider outbound filtering as well.
  • Open only the network ports actually in use for the time they are in use, and deny access to all others.
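The three firewall items above, together with the RDP restriction to PAW addresses from the network section, can be applied and verified with the PowerShell below. This is an added example, not code from the Netwrix page; the 10.10.50.0/24 PAW subnet is a placeholder assumption.

```powershell
# Default-deny inbound on all three profiles, RDP scoped to a PAW subnet, and an inventory
# of listening ports so every remaining allow rule can be justified. The subnet is a
# placeholder assumption. Run elevated, and test on a non-production host first: step 2
# disables the stock RDP rules, so a wrong subnet in step 3 locks out remote admins.

# 1. Block inbound by default on Domain, Private and Public; log drops for investigation
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogMaxSizeKilobytes 32767 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. The predefined Remote Desktop rules allow any remote address; turn them off
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule

# 3. Allow RDP only from the privileged access workstation subnet, on the Domain profile only
$pawSubnet = '10.10.50.0/24'   # placeholder: replace with your PAW network
New-NetFirewallRule -DisplayName 'RDP from PAW subnet only' -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -RemoteAddress $pawSubnet -Profile Domain -Action Allow | Out-Null

# 4. Listening TCP ports with their owning process: anything here without a scoped allow
#    rule is either unneeded (stop and disable the service) or undocumented
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort -Unique |
    Select-Object LocalAddress, LocalPort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Format-Table -AutoSize

# 5. Confirm the resulting posture and list the enabled inbound allow rules with their scope
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Select-Object DisplayName, Profile,
        @{ n = 'RemoteAddress'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',' } } |
    Format-Table -AutoSize
```

Any allow rule whose RemoteAddress column reads "Any" in step 5 is a candidate for the same scoping treatment as the RDP rule.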

Network Time Protocol (NTP)

Accurate time is a security control. Kerberos authentication enforces tight clock skew tolerances, and log correlation during incident investigation depends on synchronized timestamps across every server and workstation.

  • Designate a primary time server synchronized with a reliable atomic clock source.
  • Require all servers and workstations to synchronize exclusively with that server. In virtualized environments, the NTP source should not be virtualized.

4. Encrypt data at rest and in transit

Encryption converts a successful system-level compromise into a much narrower outcome, because the data itself remains protected.

  • Enable and configure BitLocker disk encryption on the system disk and any disks containing sensitive data.
  • Where granular file-level protection is required beyond disk encryption, use Microsoft Purview Information Protection to apply sensitivity labels and rights management policies that travel with the file.
  • Implement IPsec to encrypt network traffic between servers, protecting data in transit across the network.

5. Enforce audit policy and monitor for drift

Hardening without monitoring decays. Audit policy provides the raw visibility; drift detection provides the discipline to keep baselines intact.

Audit policy configuration

Audit policy determines what the server records about its own activity. Without a deliberate policy, the events you need during an investigation will not be there.

  • Configure an audit policy that captures authentication events, privileged account use, account management, policy changes, and object access on sensitive resources. Native logs viewed through Windows Event Viewer provide a starting point.
  • Set the event log retention method to overwrite as needed, and reserve adequate log storage (4 GB or more per server).
  • Ship security logs to a security information and event management (SIEM) platform to enable correlation across servers and retention beyond local log rotation.
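The audit-policy items above can be set at the subcategory level with auditpol, and the log sizing with wevtutil. The PowerShell below is an added example, not code from the Netwrix page; it assumes no Group Policy object overrides these local settings (if one does, make the same changes in the GPO instead).

```powershell
# Enable the audit subcategories behind the event classes the checklist names, size the
# Security log to 4 GB with overwrite-as-needed, and run one analyst query against the
# result. Assumes no Group Policy overrides these settings. Run elevated.

# Make subcategory (auditpol) settings take precedence over legacy category settings
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord

$auditPolicy = @(
    @{ Sub = 'Logon';                     Success = $true; Failure = $true  }  # 4624 / 4625 authentication
    @{ Sub = 'Logoff';                    Success = $true; Failure = $false }
    @{ Sub = 'Special Logon';             Success = $true; Failure = $false }  # 4672 privileged logon
    @{ Sub = 'User Account Management';   Success = $true; Failure = $true  }  # 4720-4726, 4738
    @{ Sub = 'Security Group Management'; Success = $true; Failure = $true  }  # 4728, 4732, 4756
    @{ Sub = 'Audit Policy Change';       Success = $true; Failure = $true  }  # 4719
    @{ Sub = 'Sensitive Privilege Use';   Success = $true; Failure = $true  }  # 4673 / 4674 privileged use
    @{ Sub = 'Process Creation';          Success = $true; Failure = $false }  # 4688
    @{ Sub = 'File System';               Success = $true; Failure = $true  }  # object access; needs SACLs
    @{ Sub = 'Registry';                  Success = $true; Failure = $true  }  # object access; needs SACLs
)
foreach ($p in $auditPolicy) {
    $s = if ($p.Success) { 'enable' } else { 'disable' }
    $f = if ($p.Failure) { 'enable' } else { 'disable' }
    auditpol /set "/subcategory:$($p.Sub)" "/success:$s" "/failure:$f" | Out-Null
}

# Record the command line in 4688 so use of privileged tooling is visible
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# Security log: 4 GB maximum, overwrite as needed (/rt:false = do not retain old events)
wevtutil sl Security /ms:4294967296 /rt:false

# Verify the effective policy
auditpol /get /category:*

# Analyst query: failed logons in the last 24 hours, grouped by source address
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Account';   e = { $_.Properties[5].Value } },
        @{ n = 'LogonType'; e = { $_.Properties[10].Value } },
        @{ n = 'SourceIP';  e = { $_.Properties[19].Value } } |
    Group-Object SourceIP | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
```

The File System and Registry subcategories produce nothing until a SACL is placed on the specific folders and keys you want tracked, so pair them with auditing entries on those objects.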

Continuous monitoring

Logs tell you what happened; continuous monitoring tells you what is happening right now and whether it is authorized. This is where drift detection turns hardening from a project into a practice.

  • Deploy file integrity monitoring (FIM) to detect unauthorized changes to the filesystem, registry, services, and local accounts in real time.
  • Correlate configuration changes with authorized change-management tickets to separate legitimate administrator activity from suspicious changes.
  • For comprehensive visibility, implement an enterprise auditing solution that offers user and entity behavior analytics (UEBA), real-time alerting, and automated incident response. These capabilities go beyond what native logs can provide.
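To show what drift detection means in practice, the following PowerShell captures a baseline of the objects the list above says to watch and diffs the live state against it on later runs. It is an added example, not Netwrix Change Tracker's code; the C:\Baseline path is a placeholder assumption.

```powershell
# Baseline-and-compare drift check over services, local Administrators membership,
# listening ports, enabled scheduled tasks and the LSA registry key. Each item is flattened
# to one string so Compare-Object can diff the lists. Assumptions: C:\Baseline is a
# placeholder; the baseline is captured right after hardening and the script is re-run
# on a schedule. Run elevated.
$lsaKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$baselineFile = 'C:\Baseline\server-baseline.json'   # placeholder path

function Get-ConfigSnapshot {
    @{
        Services       = @(Get-Service | ForEach-Object { "$($_.Name)|$($_.StartType)|$($_.Status)" })
        LocalAdmins    = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { "$($_.Name)|$($_.ObjectClass)" })
        ListeningPorts = @(Get-NetTCPConnection -State Listen | Sort-Object LocalPort -Unique | ForEach-Object {
                             "$($_.LocalPort)|$((Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName)" })
        ScheduledTasks = @(Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
                             "$($_.TaskPath)$($_.TaskName)|$($_.Actions.Execute -join ' ')" })
        LsaRegistry    = @((Get-ItemProperty -Path $lsaKey).PSObject.Properties |
                             Where-Object Name -notlike 'PS*' | ForEach-Object { "$($_.Name)=$($_.Value)" })
    }
}

function Compare-ConfigSnapshot {
    param($Baseline, $Current)
    foreach ($area in $Baseline.Keys) {
        Compare-Object -ReferenceObject @($Baseline[$area]) -DifferenceObject @($Current[$area]) |
            ForEach-Object {
                $change = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
                [pscustomobject]@{ Area = $area; Change = $change; Item = $_.InputObject }
            }
    }
}

$current = Get-ConfigSnapshot
if (-not (Test-Path $baselineFile)) {
    New-Item -ItemType Directory -Path (Split-Path $baselineFile) -Force | Out-Null
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $baselineFile
    "Baseline captured to $baselineFile; re-run to detect drift."
    return
}

# ConvertFrom-Json returns a PSCustomObject on Windows PowerShell 5.1; rebuild a hashtable
$baseline = @{}
(Get-Content -Path $baselineFile -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = @($_.Value) }

$drift = @(Compare-ConfigSnapshot -Baseline $baseline -Current $current)
if ($drift.Count -eq 0) { 'No drift from baseline.'; return }
# Every row is a change to reconcile against a change ticket: a service switched to Automatic,
# a new local admin, or a new listening port with no matching ticket is what to investigate
$drift | Sort-Object Area, Change | Format-Table Area, Change, Item -AutoSize
exit 1
```

Re-capture the baseline only after an approved change has been verified, otherwise the comparison silently absorbs the drift it was meant to catch.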


6. Maintain hardening over time

Hardening is not a project with an end date. Several practices keep baselines intact as administrators, software, and adversaries make changes.

  • Run regular IT risk assessments and feed the results into your risk management plan.
  • Deploy an endpoint security solution across servers and workstations. Windows Server includes Windows Defender by default; third-party options extend detection and response coverage.
  • Install a data loss prevention (DLP) solution to protect sensitive information from inappropriate access or exfiltration.
  • Keep every server at the same revision level to simplify configuration management and patch testing.
  • Review hardened baselines against current CIS or STIG versions at least annually, and update standards when Microsoft releases major Windows Server versions.

Harden Windows Server configurations with Netwrix Change Tracker

Hardening a Windows Server is only half the work. Keeping it hardened as administrators, software, and adversaries make changes is the discipline that separates organizations that stay secure from those that drift back into exposure.

Netwrix Change Tracker is purpose-built for that discipline. It ships with CIS-certified configuration templates aligned to Center for Internet Security benchmarks and DoD STIG guidance, so security teams can establish a vetted baseline without authoring one from scratch.

Once the baseline is in place, Change Tracker uses file integrity monitoring to detect drift in real time across the filesystem, registry, Windows security and audit policy, installed software, local users and groups, open network ports, and service states.

Unexpected changes surface with full context, and integration with IT service management (ITSM) platforms helps distinguish authorized changes from suspicious activity.

For audit policy visibility and forensic investigation, Netwrix Auditor complements Change Tracker by capturing searchable before-and-after audit trails across Active Directory, Entra ID, file servers, and other Windows Server workloads.

Change Tracker gives security teams:

  • CIS-certified hardening templates plus 250+ preconfigured reports covering NIST, PCI DSS, CMMC, STIG, and NERC CIP.
  • Real-time drift detection paired with ITSM context, so investigation focuses on unexpected changes rather than authorized ones.
  • Unified Windows coverage across filesystem, registry, audit policy, services, ports, and local accounts from a single platform.
  • Flexible deployment through the Netwrix 1Secure platform across on-premises, SaaS, and hybrid.

More than 13,500 organizations, including nearly 25% of the Fortune 500, rely on Netwrix to secure identities, data, and infrastructure. See Netwrix Change Tracker in action.
