
Windows Hardening
Windows system hardening techniques covering attack surface reduction, access controls, authentication, credential protection, and security monitoring for defensive operations.
Introduction
Windows environments prioritize usability by default, creating security gaps that attackers routinely exploit. Local administrator accounts, legacy protocols, disabled security features, and improper service configurations provide paths to privilege escalation and lateral movement.
This guide covers hardening techniques for Windows 10, Windows 11, and Windows Server environments, addressing vulnerabilities commonly exploited during penetration tests and real-world attacks.
Defense Priority
Focus on high-impact controls first: patch management, credential protection, and disabling legacy protocols. These address the most common attack vectors.
Patch Management
Windows Update Configuration
Keep systems current with security patches. Unpatched vulnerabilities like EternalBlue (MS17-010) and PrintNightmare remain exploited years after patches were released.
# Check for pending updates (Get-WindowsUpdate, Install-WindowsUpdate and Get-WUHistory
# come from the PSWindowsUpdate module: Install-Module PSWindowsUpdate)
Get-WindowsUpdate
# Install all updates
Install-WindowsUpdate -AcceptAll -AutoReboot
# View update history
Get-WUHistory | Select-Object Date, Title, Result | Format-Table
# Enterprise: Configure WSUS via Group Policy
# Computer Configuration > Administrative Templates > Windows Components > Windows Update
Group Policy Settings:
- Configure Automatic Updates: Enabled
- Specify intranet Microsoft update service location (WSUS)
- No auto-restart with logged on users: Disabled (security over convenience)
Vulnerability Scanning
# Windows Security baseline compliance
# Download Microsoft Security Compliance Toolkit
# https://www.microsoft.com/en-us/download/details.aspx?id=55319
# Run LGPO to apply baselines
LGPO.exe /g ".\Windows 11 - 23H2\GPOs"
Attack Surface Reduction
Disable Unnecessary Services
# Disable Print Spooler (if not needed - PrintNightmare target)
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
# Disable Remote Registry
Set-Service -Name RemoteRegistry -StartupType Disabled
# Disable Remote Desktop (if not needed)
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 1
# Review enabled services
Get-Service | Where-Object {$_.StartType -eq 'Automatic'} | Select-Object Name, DisplayName, Status
Disable Legacy Protocols
SMBv1 and NetBIOS are frequent attack targets:
# Disable SMBv1 (WannaCry, EternalBlue target)
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Verify SMBv1 disabled
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
# Disable NetBIOS over TCP/IP (NBT-NS poisoning mitigation; LLMNR is disabled separately below)
# Network adapter properties > IPv4 > Advanced > WINS > Disable NetBIOS
# Disable LLMNR via Group Policy
# Computer Configuration > Administrative Templates > Network > DNS Client
# Turn off multicast name resolution: Enabled
# Disable WPAD
# Computer Configuration > Administrative Templates > Network > Internet Explorer
# Disable caching of auto-proxy scripts: Enabled
Remove Unnecessary Features
# List installed features
Get-WindowsOptionalFeature -Online | Where-Object {$_.State -eq 'Enabled'}
# Disable PowerShell v2 (can bypass security controls)
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
# Disable Windows Subsystem for Linux (if not needed)
Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
Access Control
Least Privilege Implementation
Local Administrator Password Solution (LAPS):
# Install LAPS (Windows LAPS built into Windows 11/Server 2022+)
# Or legacy LAPS for older systems
# Configure via Group Policy
# Computer Configuration > Administrative Templates > LAPS
# Configure password backup directory
# Enable local admin password management
# Set password complexity and length
# Retrieve LAPS password (requires permissions on the backup directory)
Get-LapsADPassword -Identity <computer-name> -AsPlainText    # password backed up to Active Directory
Get-LapsAADPassword -DeviceIds <device-id>                  # password backed up to Entra ID (Azure AD)
Just-In-Time (JIT) Access:
# Enable Privileged Access Management (Windows Server)
Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target (Get-ADForest)
# Create time-limited group membership
Add-ADGroupMember -Identity "Domain Admins" -Members "User" -MemberTimeToLive (New-TimeSpan -Minutes 30)
User Rights Assignment
Configure via Local Security Policy or Group Policy:
# Restrict dangerous privileges
# Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
# Debug programs (SeDebugPrivilege) - Administrators only or remove
# Act as part of the operating system - Remove all
# Create a token object - Remove all
# Take ownership of files or objects - Administrators only
# Load and unload device drivers - Administrators only
AppLocker / Windows Defender Application Control
# Enable AppLocker (requires Enterprise/Education SKU; the Application Identity service, AppIDSvc, must be running for enforcement)
# Create default rules first (Local Security Policy > Application Control Policies > AppLocker > Executable Rules > Create Default Rules),
# export the policy to XML, then merge it into the local policy
Set-AppLockerPolicy -XmlPolicy ".\AppLockerPolicy.xml" -Merge
# Block executables from user-writable locations
# %USERPROFILE%\*
# %APPDATA%\*
# %TEMP%\*
# Enable WDAC policy (Windows 10/11)
# Use WDAC Wizard: https://webapp-wdac-wizard.azurewebsites.net/
Credential Protection
Windows Credential Guard
Protects NTLM hashes and Kerberos tickets in isolated memory:
# Check Credential Guard status (a 1 in SecurityServicesRunning means Credential Guard is running)
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard |
    Select-Object VirtualizationBasedSecurityStatus, SecurityServicesConfigured, SecurityServicesRunning
# Enable via Group Policy
# Computer Configuration > Administrative Templates > System > Device Guard
# Turn On Virtualization Based Security: Enabled
# Credential Guard Configuration: Enabled with UEFI lock
# Requirements: UEFI, Secure Boot, TPM 2.0, Hyper-V
Protected Users Security Group
# Add sensitive accounts to Protected Users group
Add-ADGroupMember -Identity "Protected Users" -Members "SensitiveUser"
# Protections applied:
# - No NTLM authentication
# - No DES or RC4 in Kerberos pre-authentication
# - No delegation
# - No credential caching
# - 4-hour TGT lifetime
LSA Protection
Prevent credential dumping from LSASS:
# Enable LSA Protection (RunAsPPL)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f
# Enable via Group Policy (Windows 11 22H2+)
# Computer Configuration > Administrative Templates > System > Local Security Authority
# Configure LSASS to run as a protected process: Enabled
# Verify protection
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name RunAsPPL
Disable WDigest
Prevent plaintext password storage in memory:
# Disable WDigest authentication
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f
# Verify
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" -Name UseLogonCredential
Authentication Hardening
Multi-Factor Authentication
# Windows Hello for Business (Domain-joined)
# Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business
# Use Windows Hello for Business: Enabled
# Use certificate for on-premises authentication: Enabled
# Azure AD MFA for cloud-joined devices
# Configure via Azure AD Conditional Access
Password Policy
# Domain password policy
Get-ADDefaultDomainPasswordPolicy
# Set strong policy
Set-ADDefaultDomainPasswordPolicy -Identity "domain.local" `
-MinPasswordLength 14 `
-PasswordHistoryCount 24 `
-MaxPasswordAge "90.00:00:00" `
-LockoutThreshold 5 `
-LockoutDuration "00:30:00" `
-LockoutObservationWindow "00:30:00"
# Fine-Grained Password Policy for privileged accounts (the PSO schema requires every setting,
# so supply all of them rather than only the ones being tightened)
New-ADFineGrainedPasswordPolicy -Name "AdminPasswordPolicy" -Precedence 1 `
    -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordAge "1.00:00:00" -MaxPasswordAge "30.00:00:00" `
    -LockoutThreshold 3 -LockoutDuration "00:30:00" -LockoutObservationWindow "00:30:00"
# A PSO has no effect until it is applied to users or groups
Add-ADFineGrainedPasswordPolicySubject -Identity "AdminPasswordPolicy" -Subjects "Domain Admins"
Account Lockout
# Via Group Policy
# Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy
# Recommended settings:
# Account lockout duration: 30 minutes
# Account lockout threshold: 5 invalid attempts
# Reset account lockout counter after: 30 minutes
Windows Defender Configuration
Enable All Protection Features
# Enable Real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false
# Enable cloud-delivered protection
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples
# Enable behavior monitoring
Set-MpPreference -DisableBehaviorMonitoring $false
# Enable script scanning
Set-MpPreference -DisableScriptScanning $false
# Keep Defender itself enabled (AMSI scanning of scripts is provided by the script scanning setting above)
Set-MpPreference -DisableAntispyware $false
# Enable network protection (blocks connections to known-malicious domains and IP addresses)
Set-MpPreference -EnableNetworkProtection Enabled
Attack Surface Reduction Rules
# Enable ASR rules (Windows 10/11 Enterprise)
# Block Office applications from creating executable content
Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled
# Block credential stealing from LSASS
Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
# Block process creations from PSExec and WMI
Add-MpPreference -AttackSurfaceReductionRules_Ids d1e49aac-8f56-4280-b9ba-993a6d77406c -AttackSurfaceReductionRules_Actions Enabled
# View all ASR rules
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Controlled Folder Access
Protect against ransomware:
# Enable Controlled Folder Access
Set-MpPreference -EnableControlledFolderAccess Enabled
# Add protected folders
Add-MpPreference -ControlledFolderAccessProtectedFolders "C:\CriticalData"
# Allow trusted applications
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\TrustedApp\app.exe"
Windows Firewall
Enable and Configure
# Enable firewall for all profiles
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
# Set default deny inbound
Set-NetFirewallProfile -Profile Domain,Public,Private -DefaultInboundAction Block -DefaultOutboundAction Allow
# Allow specific services
New-NetFirewallRule -DisplayName "Allow RDP from Admin Network" -Direction Inbound -LocalPort 3389 -Protocol TCP -Action Allow -RemoteAddress "10.0.0.0/8"
# Block unnecessary outbound (defense in depth)
New-NetFirewallRule -DisplayName "Block PowerShell Outbound" -Direction Outbound -Program "%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -Action Block
Auditing and Monitoring
Enable Advanced Audit Policies
# Via Group Policy
# Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration
# Critical events to audit:
# Account Logon: Credential Validation - Success and Failure
# Account Management: All - Success and Failure
# Logon/Logoff: Logon - Success and Failure
# Logon/Logoff: Special Logon - Success
# Object Access: File System - Failure (at minimum)
# Policy Change: Audit Policy Change - Success
# Privilege Use: Sensitive Privilege Use - Success and Failure
# System: Security State Change - Success
PowerShell Logging
# Enable PowerShell Script Block Logging
# Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
# Turn on PowerShell Script Block Logging: Enabled
# Enable PowerShell Transcription
# Turn on PowerShell Transcription: Enabled
# Transcript output directory: \\logserver\pslogs$
# Enable Module Logging
# Turn on Module Logging: Enabled
# Module Names: *
# Verify logging
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging
Key Event IDs to Monitor
| Event ID | Description |
|---|---|
| 4624 | Successful logon |
| 4625 | Failed logon |
| 4648 | Explicit credential logon |
| 4672 | Special privileges assigned |
| 4688 | Process creation |
| 4698 | Scheduled task created |
| 4720 | User account created |
| 4732 | Member added to local group |
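The following is an added example, not code from the original page: it pulls the event IDs in the table from the local Security log for the last 24 hours, summarizes volume per ID, and flags accounts whose failed-logon count (4625) reaches the 5-attempt lockout threshold recommended above. The variable names and the 24-hour window are assumptions.

```powershell
# Added example, not from the original page: summarize the event IDs above from the Security
# log for the last 24 hours and flag accounts with repeated failed logons. Run elevated, or as a
# member of Event Log Readers.
$MonitoredIds = @{
    4624 = 'Successful logon'
    4625 = 'Failed logon'
    4648 = 'Explicit credential logon'
    4672 = 'Special privileges assigned'
    4688 = 'Process creation'
    4698 = 'Scheduled task created'
    4720 = 'User account created'
    4732 = 'Member added to local group'
}
$Since = (Get-Date).AddHours(-24)

# One FilterHashtable query is far cheaper than piping every event through Where-Object
$Events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$MonitoredIds.Keys
    StartTime = $Since
} -ErrorAction SilentlyContinue)

# Volume per event ID, so a spike in e.g. 4698 (new scheduled tasks) or 4720 (new accounts) stands out
$Events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{n = 'EventId'; e = { $_.Name } },
                  @{n = 'Description'; e = { $MonitoredIds[[int]$_.Name] } },
                  Count |
    Format-Table -AutoSize

# Failed logons (4625): read TargetUserName and IpAddress from the event XML by their Data Name.
# The 5-attempt threshold mirrors the account lockout policy recommended earlier on this page.
$FailedThreshold = 5
$Events | Where-Object Id -eq 4625 | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        Source  = ($data | Where-Object Name -eq 'IpAddress').'#text'
    }
} | Group-Object Account | Where-Object Count -ge $FailedThreshold | ForEach-Object {
    $sources = ($_.Group.Source | Sort-Object -Unique) -join ', '
    Write-Warning ("{0} failed logons for '{1}' from {2}" -f $_.Count, $_.Name, $sources)
}
```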
Security Baselines
Apply Microsoft Security Baselines:
# Download Security Compliance Toolkit
# https://www.microsoft.com/en-us/download/details.aspx?id=55319
# Import baseline GPOs
Import-GPO -BackupGpoName "MSFT Windows 11 23H2 - Computer" -TargetName "Windows 11 Hardening" -Path ".\GPOs"
# Apply local policy with LGPO
LGPO.exe /g ".\Windows Server 2022\GPOs"
Quick Reference: Hardening Checklist
- Enable automatic updates (WSUS for enterprise)
- Disable SMBv1 and NetBIOS
- Disable Print Spooler (if not needed)
- Enable Windows Credential Guard
- Enable LSA Protection (RunAsPPL)
- Disable WDigest authentication
- Implement LAPS for local admin passwords
- Enable Windows Defender ASR rules
- Enable Controlled Folder Access
- Configure Windows Firewall (default deny inbound)
- Enable PowerShell Script Block Logging
- Enable advanced audit policies
- Apply Microsoft Security Baselines
- Add sensitive accounts to Protected Users group
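As an added example, not code from the original page, the script below audits the checklist items above that can be verified from local machine state (it also covers the NetBIOS and LLMNR settings from the legacy-protocol section, which the page only gives as GUI and Group Policy steps). It is read-only; the check names, the helper function and the registry paths for NetBIOS (NetbiosOptions) and LLMNR (EnableMulticast) are assumptions not stated on the page.

```powershell
# Added example, not from the original page: read-only audit of the checklist items whose
# state can be read from the local machine. Run elevated; it prints PASS/FAIL and changes nothing.
$ErrorActionPreference = 'Stop'   # make query failures terminating so the try/catch below sees them
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is missing instead of throwing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$Lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$WDigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$DnsPol  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$SblPol  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$NetBT   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

# Control name -> scriptblock that returns $true when the control is in place
$Checks = [ordered]@{
    'SMBv1 disabled'               = { -not (Get-SmbServerConfiguration).EnableSMB1Protocol }
    'Print Spooler disabled'       = { (Get-Service Spooler).StartType -eq 'Disabled' }
    'LSA Protection (RunAsPPL)'    = { (Get-RegValue $Lsa RunAsPPL) -in 1, 2 }               # 1 = UEFI-locked, 2 = not locked
    'WDigest caching off'          = { (Get-RegValue $WDigest UseLogonCredential) -in $null, 0 }  # absent = default off
    'LLMNR disabled (policy)'      = { (Get-RegValue $DnsPol EnableMulticast) -eq 0 }
    'NetBIOS disabled on all NICs' = {
        # NetbiosOptions 2 = NetBIOS over TCP/IP disabled on that interface
        $opts = @(Get-ChildItem $NetBT | ForEach-Object { Get-RegValue $_.PSPath NetbiosOptions })
        $opts.Count -gt 0 -and @($opts | Where-Object { $_ -ne 2 }).Count -eq 0
    }
    'Credential Guard running'     = {
        $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
        1 -in $dg.SecurityServicesRunning    # 1 = Credential Guard
    }
    'Script Block Logging enabled' = { (Get-RegValue $SblPol EnableScriptBlockLogging) -eq 1 }
    'Firewall on, inbound Block'   = {
        $bad = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' }
        -not $bad
    }
    'Controlled Folder Access on'  = { (Get-MpPreference).EnableControlledFolderAccess -eq 1 }
}

$Results = foreach ($name in $Checks.Keys) {
    $ok = try { [bool](& $Checks[$name]) } catch { $false }   # a failed query counts as not verified
    [pscustomobject]@{ Control = $name; Status = if ($ok) { 'PASS' } else { 'FAIL' } }
}
$Results | Format-Table -AutoSize
```

Items that depend on Group Policy or domain state (Protected Users membership, WSUS, baselines, LAPS) are not covered because they cannot be judged from one host's registry alone.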
Related Resources
- DLL Injection - Process injection techniques
- Event Log Readers - Log access privilege abuse
- Scheduled Tasks - Task-based persistence
- SeBackup Privilege - Backup privilege abuse
- PrintNightmare - Print Spooler vulnerability
- LLMNR/NBT-NS Poisoning - Network poisoning attacks
References
MITRE ATT&CK Techniques (Defensive Context)
- T1547 - Boot or Logon Autostart Execution - Persistence mechanisms
- T1562 - Impair Defenses - Security tool tampering
- T1112 - Modify Registry - Registry-based attacks
- T1003 - OS Credential Dumping - Credential theft
- T1550 - Use Alternate Authentication Material - Pass-the-Hash
Common Weakness Enumeration
- CWE-250 - Execution with Unnecessary Privileges - Least privilege violations
- CWE-269 - Improper Privilege Management - Access control issues
- CWE-522 - Insufficiently Protected Credentials - Credential protection