Windows Server 2022 Security Hardening Guide

Tyler Maginnis | January 20, 2024


Introduction

Windows Server 2022 adds Secured-core features (Secure Boot, virtualization-based security, HVCI, Credential Guard) on top of Defender, WDAC and SMB 3.1.1, but none of them are fully on by default. This guide walks through a layered hardening of a Windows Server 2022 deployment. Apply it in stages and test each stage: several of the settings below (VBS, application control, SMB encryption, service removal) will break workloads if enabled blindly.

Prerequisites

  • Windows Server 2022 installed (Standard or Datacenter edition)
  • Administrator access
  • Windows Admin Center (recommended)
  • Basic understanding of Windows security concepts

1. Initial Security Configuration

Enable Windows Defender

# Check Windows Defender status (RealTimeProtectionEnabled, AntivirusSignatureLastUpdated, IsTamperProtected)
Get-MpComputerStatus

# Enable real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false

# Enable cloud-delivered protection (Advanced = full MAPS telemetry; Basic is the minimum that still returns cloud verdicts)
Set-MpPreference -MAPSReporting Advanced

# Automatic sample submission. SendAllSamples also uploads documents and other files
# that may contain business data; SendSafeSamples (executables and similar, no
# user documents) is the usual choice where data handling matters.
Set-MpPreference -SubmitSamplesConsent SendAllSamples

Configure Windows Firewall

# Enable Windows Firewall for all profiles
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

# Set default actions
Set-NetFirewallProfile -Profile Domain,Public,Private -DefaultInboundAction Block -DefaultOutboundAction Allow

# Log dropped packets
Set-NetFirewallProfile -Profile Domain,Public,Private -LogBlocked True -LogMaxSizeKilobytes 4096
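With the inbound default set to Block, every remote-management port needs an explicit allow rule, and that rule should be scoped to the management network rather than to "Any". The following is an added example, not part of the original guide: it creates scoped RDP and WinRM rules, disables the built-in unscoped rule groups, and lists every remaining inbound allow rule that is open to any address. The subnet 10.10.0.0/24 and the rule names are placeholders.

```powershell
# Added example: scope remote-management ports to a management subnet.
# 10.10.0.0/24 and the rule names are placeholders; change them for your network.
$mgmtNet = '10.10.0.0/24'
$rules = @(
    @{ Name = 'Mgmt-RDP-3389';   Port = 3389; Profile = 'Domain' }
    @{ Name = 'Mgmt-WinRM-5985'; Port = 5985; Profile = 'Domain' }
    @{ Name = 'Mgmt-WinRM-5986'; Port = 5986; Profile = 'Domain' }
)
foreach ($r in $rules) {
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        # Rule already exists: re-assert the scope in case someone widened it
        Set-NetFirewallRule -DisplayName $r.Name -RemoteAddress $mgmtNet -Profile $r.Profile -Enabled True
    } else {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow -Protocol TCP `
            -LocalPort $r.Port -RemoteAddress $mgmtNet -Profile $r.Profile | Out-Null
    }
}

# The built-in RDP and WinRM rule groups allow from Any; disable them so the
# scoped rules above are the only way in on those ports.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
Disable-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue

function Get-WideOpenInboundRules {
    # Every enabled inbound allow rule whose remote scope is Any. Each entry
    # is either a service the server really offers to everyone, or a finding.
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        if ($addr.RemoteAddress -eq 'Any') {
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Profile   = $_.Profile
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')
            }
        }
    }
}

Get-WideOpenInboundRules | Sort-Object Rule | Format-Table -AutoSize
```

Run the audit function again after every role installation; role installers add allow-from-Any rules (file services, print, Hyper-V) that are easy to miss.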

2. Secured-Core Server Features

Enable Secure Boot

  1. Enable Secure Boot in the UEFI firmware settings. The server must boot in UEFI mode (not legacy BIOS/CSM); a system disk still partitioned as MBR has to be converted first (mbr2gpt.exe) before firmware mode can be switched.
  2. Verify Secure Boot is on (returns True; the cmdlet throws if the system is not booted in UEFI mode):
Confirm-SecureBootUEFI
  3. Inspect the active Secure Boot policy:
Get-SecureBootPolicy

Configure Virtualization-Based Security (VBS)

# Enable VBS. On Server 2022 the supported way is the DeviceGuard registry values
# (or the "Turn On Virtualization Based Security" Group Policy) set in the Credential
# Guard step below; the IsolatedUserMode optional feature dates from early Windows 10
# builds and may not exist on this release, so failures here are expected.
Enable-WindowsOptionalFeature -Online -FeatureName IsolatedUserMode -All -ErrorAction SilentlyContinue

# Build a code-integrity (WDAC, formerly "Device Guard") policy. New-CIPolicy returns
# nothing, so there is nothing to assign; without -ScanPath it scans the whole system,
# which is slow and should only be done on a clean reference build. The generated
# policy has rule option 3 (audit mode) set, so it logs rather than blocks until that
# option is removed. Section 7 covers the full workflow.
New-CIPolicy -Level Publisher -FilePath "C:\Windows\System32\CodeIntegrity\DeviceGuardPolicy.xml"
ConvertFrom-CIPolicy -XmlFilePath "C:\Windows\System32\CodeIntegrity\DeviceGuardPolicy.xml" -BinaryFilePath "C:\Windows\System32\CodeIntegrity\SIPolicy.p7b"

Enable Credential Guard

# Check which VBS/Device Guard properties the platform offers and which services are running
Get-ComputerInfo | Select DeviceGuard*

# Enable Credential Guard. Microsoft does not support it on domain controllers.
# All of the values below take effect after a reboot.
$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
New-ItemProperty -Path $RegPath -Name "EnableVirtualizationBasedSecurity" -Value 1 -PropertyType DWORD -Force
# 1 = Secure Boot only; 3 = Secure Boot plus DMA protection. DMA protection needs an
# IOMMU; if it is required but unavailable, VBS will not start at all.
New-ItemProperty -Path $RegPath -Name "RequirePlatformSecurityFeatures" -Value 3 -PropertyType DWORD -Force

$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\LSA"
# 1 = enabled with UEFI lock: cannot be turned off remotely, removal needs console
# access and a reboot. 2 = enabled without lock, the safer choice during a pilot.
New-ItemProperty -Path $RegPath -Name "LsaCfgFlags" -Value 1 -PropertyType DWORD -Force
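The registry values above only request VBS and Credential Guard; whether they actually start depends on Secure Boot, the hypervisor and, for HVCI, every loaded driver. The following is an added example, not code from the original guide: it turns on HVCI alongside the settings above and then decodes the Win32_DeviceGuard WMI class (the class behind the DeviceGuard* fields of Get-ComputerInfo) into a readable status, warning when a configured service is not running. The numeric-to-name mappings are taken from that class's documentation as I know it; the HVCI registry path is the standard DeviceGuard\Scenarios key.

```powershell
# Added example: enable HVCI and verify what VBS is really doing after the reboot.
$hvci = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
New-Item -Path $hvci -Force | Out-Null
New-ItemProperty -Path $hvci -Name 'Enabled' -Value 1 -PropertyType DWORD -Force | Out-Null
# Locked = 0 keeps HVCI changeable through the registry; set 1 for a UEFI lock once the
# driver estate is known to be HVCI-compatible (an incompatible driver will not load).
New-ItemProperty -Path $hvci -Name 'Locked' -Value 0 -PropertyType DWORD -Force | Out-Null

function Get-VbsStatus {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
    # Value meanings from the Win32_DeviceGuard class reference
    $vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
    $services = @{ 1 = 'Credential Guard'; 2 = 'HVCI'; 3 = 'System Guard Secure Launch';
                   4 = 'SMM Firmware Measurement'; 5 = 'Kernel-mode HW-enforced stack protection' }
    $props    = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection';
                   4 = 'Secure Memory Overwrite'; 5 = 'NX protections'; 6 = 'SMM mitigations'; 7 = 'MBEC' }
    [pscustomobject]@{
        VbsStatus           = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        RequiredProperties  = ($dg.RequiredSecurityProperties  | ForEach-Object { $props[[int]$_] }) -join ', '
        AvailableProperties = ($dg.AvailableSecurityProperties | ForEach-Object { $props[[int]$_] }) -join ', '
        ServicesConfigured  = ($dg.SecurityServicesConfigured  | ForEach-Object { $services[[int]$_] }) -join ', '
        ServicesRunning     = ($dg.SecurityServicesRunning     | ForEach-Object { $services[[int]$_] }) -join ', '
        # 0 = off, 1 = audit, 2 = enforced, for the kernel-mode WDAC policy
        KernelCIEnforcement = $dg.CodeIntegrityPolicyEnforcementStatus
    }
}

function Get-VbsServicesNotRunning {
    # Configured-but-not-running usually means Secure Boot is off, Hyper-V/hypervisor
    # is missing, a required platform property is absent, or a reboot is still pending.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
    @($dg.SecurityServicesConfigured | Where-Object { $_ -notin @($dg.SecurityServicesRunning) })
}

Get-VbsStatus | Format-List
$missing = Get-VbsServicesNotRunning
if ($missing.Count -gt 0) {
    Write-Warning "VBS services configured but not running (codes): $($missing -join ', ')"
}
```

Run the check after the reboot that follows the registry changes; before the reboot every service will still report as not running. A server that shows "Enabled, not running" with Secure Boot missing from AvailableProperties needs the firmware step from the Secure Boot subsection first.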

3. Account Security

Configure Account Policies

# Set password policy. On a domain controller these edit the domain's default
# policy; on a member server they set the local SAM policy, which the Default
# Domain Policy overrides for domain accounts.
net accounts /minpwlen:14
net accounts /maxpwage:60
net accounts /minpwage:1
net accounts /uniquepw:24

# Configure account lockout (5 failures in a 30-minute window locks for 30 minutes)
net accounts /lockoutthreshold:5
net accounts /lockoutduration:30
net accounts /lockoutwindow:30

Implement LAPS (Local Administrator Password Solution)

# Windows LAPS is built into Windows Server 2022 from the April 2023 cumulative
# update onward; there is nothing to install and "RSAT-LAPS" is not a Windows
# Server feature name. The cmdlets live in the built-in LAPS module. (The legacy
# LAPS was a separate MSI that provided the AdmPwd.PS module and is being retired.)
Import-Module LAPS
Get-Command -Module LAPS | Select-Object Name

# Before servers can back up their passwords, once per domain:
#   Update-LapsADSchema                                   (extends the schema)
#   Set-LapsADComputerSelfPermission -Identity <OU DN>    (lets computers write their own password)

# Configure LAPS GPO settings (Computer Configuration > Administrative Templates > System > LAPS)
# Password Settings:
# - Backup directory: Active Directory (or Entra ID for cloud-joined servers)
# - Password Length: 14 characters minimum
# - Password Age: 30 days
# - Password Complexity: Enabled (upper, lower, digits, special)
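The GPO settings listed above can be written directly as the policy registry values that the LAPS ADMX template sets, which is useful for lab builds and for hosts without Group Policy. The following is an added example, not code from the original guide. The registry path and value names are the Windows LAPS policy settings as I know them from Microsoft's documentation; the OU distinguished name, computer name and password length are placeholders.

```powershell
# Added example: configure Windows LAPS policy locally and verify the result.
Import-Module LAPS

# --- One-time AD preparation (run once per domain as a Schema Admin / Domain Admin) ---
# Update-LapsADSchema
# Set-LapsADComputerSelfPermission -Identity 'OU=Servers,DC=corp,DC=example'   # placeholder OU

# --- Client-side policy: what the "LAPS" GPO writes ---
$laps = 'HKLM:\Software\Microsoft\Policies\LAPS'
New-Item -Path $laps -Force | Out-Null
$settings = @{
    BackupDirectory              = 2    # 2 = Active Directory, 1 = Entra ID, 0 = disabled
    PasswordLength               = 20   # guide minimum is 14; longer costs nothing with LAPS
    PasswordAgeDays              = 30
    PasswordComplexity           = 4    # 4 = upper + lower + digits + special
    PostAuthenticationResetDelay = 8    # hours after the managed account is used before it is rotated
    PostAuthenticationActions    = 3    # 3 = reset the password and log off the managed account
}
foreach ($kv in $settings.GetEnumerator()) {
    New-ItemProperty -Path $laps -Name $kv.Key -Value $kv.Value -PropertyType DWORD -Force | Out-Null
}
# Only needed if the built-in Administrator is renamed (next subsection) AND you want a
# different account managed. Left unset, LAPS manages the built-in RID-500 account by
# its well-known RID, so a rename alone does not need this.
# New-ItemProperty -Path $laps -Name 'AdministratorAccountName' -Value 'SysAdmin2022' -PropertyType String -Force

# Apply now instead of waiting for the next policy-processing cycle
Invoke-LapsPolicyProcessing

function Get-LapsPolicySummary {
    # Read back the effective policy values so a build can be checked automatically
    $p = Get-ItemProperty -Path $laps
    [pscustomobject]@{
        BackupDirectory    = $p.BackupDirectory
        PasswordLength     = $p.PasswordLength
        PasswordAgeDays    = $p.PasswordAgeDays
        PasswordComplexity = $p.PasswordComplexity
        PostAuthActions    = $p.PostAuthenticationActions
    }
}
Get-LapsPolicySummary | Format-List

# --- Verification from a management host (placeholder computer name) ---
# Get-LapsADPassword -Identity 'SRV01' -AsPlainText | Select-Object Account, ExpirationTimestamp
```

The post-authentication settings are the part worth keeping even in a minimal deployment: once the local administrator password has been used, it is rotated a few hours later, so a password read out of AD for one support ticket does not live on for the full 30 days.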

Disable unnecessary accounts

# Disable Guest account (disabled by default on Server; this makes it explicit)
Disable-LocalUser -Name "Guest"

# Rename Administrator account. This removes the obvious name but not the identity:
# the account keeps RID 500 and is trivially found by SID enumeration, so treat the
# rename as cosmetic. The real controls are a unique LAPS-managed password and
# denying network logon to local administrators (the "Local account and member of
# Administrators group" well-known SID S-1-5-114 in User Rights Assignment).
Rename-LocalUser -Name "Administrator" -NewName "SysAdmin2022"

4. Service Hardening

Disable unnecessary services

# Common services to disable. Check what depends on each one first
# (Get-Service <name> -DependentServices) and record the previous StartType
# so the change can be reverted.
$ServicesToDisable = @(
    "XblAuthManager",
    "XblGameSave",
    "XboxNetApiSvc",
    "WinRM",          # Only if remote PowerShell, Windows Admin Center (listed under Prerequisites) and event forwarding are not used
    "RemoteRegistry",
    "TapiSrv",
    "RasAuto",
    "SessionEnv",     # Remote Desktop Configuration: needed by RDP, disable only together with TermService
    "TermService"     # Only if RDP not needed
)

foreach ($Service in $ServicesToDisable) {
    # SilentlyContinue hides failures for services that are absent or protected;
    # confirm with Get-Service afterwards rather than assuming success
    Stop-Service -Name $Service -Force -ErrorAction SilentlyContinue
    Set-Service -Name $Service -StartupType Disabled -ErrorAction SilentlyContinue
}

Configure critical services

# Keep the Defender service set to start automatically. A startup type does not
# stop anyone from stopping the service; what does is that WinDefend runs as a
# protected process and, with tamper protection on (managed through Defender for
# Endpoint or the Windows Security app, not Set-MpPreference), cannot be stopped
# or reconfigured even by an administrator. For the same reason Set-Service may
# fail with "access denied"; sc.exe is kept as the fallback.
Set-Service -Name "WinDefend" -StartupType Automatic -ErrorAction SilentlyContinue
sc.exe config WinDefend start= auto

# Configure Windows Update (Manual with trigger start by default; Automatic is harmless)
Set-Service -Name "wuauserv" -StartupType Automatic

5. Network Security

SMB Hardening

# Disable SMB 1.0. Server 2022 does not install it by default; on Server the
# feature can also be removed with Uninstall-WindowsFeature -Name FS-SMB1.
# A reboot is required either way.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

# Require SMB signing on both sides. Requiring it on the client breaks access to
# servers and NAS appliances that do not sign; inventory those first.
Set-SmbServerConfiguration -RequireSecuritySignature $True -Force
Set-SmbClientConfiguration -RequireSecuritySignature $True -Force

# Require SMB encryption for every share. Encryption needs SMB 3.0 or later, and
# RejectUnencryptedAccess (on by default) refuses older clients outright. If a few
# shares must stay reachable by legacy clients, use Set-SmbShare -EncryptData on
# the sensitive shares instead of the server-wide switch.
Set-SmbServerConfiguration -EncryptData $True -Force
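Requiring encryption is the one SMB change that disconnects clients outright, so it is worth knowing who is connected at which dialect before flipping it. The following is an added example, not code from the original guide: it reads back the server and client settings the commands above are meant to produce, and lists live sessions that negotiated below SMB 3.0 and would therefore be rejected once EncryptData is on.

```powershell
# Added example: pre-flight report before requiring SMB signing and encryption.
function Get-SmbHardeningReport {
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    $smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1FeatureState        = if ($smb1) { $smb1.State } else { 'NotPresent' }
        Smb1ServerEnabled       = $srv.EnableSMB1Protocol
        ServerRequiresSigning   = $srv.RequireSecuritySignature
        ClientRequiresSigning   = $cli.RequireSecuritySignature
        ServerEncryptsData      = $srv.EncryptData
        RejectUnencryptedAccess = $srv.RejectUnencryptedAccess
    }
}

function Get-PreSmb3Sessions {
    # Sessions negotiated below 3.0 cannot use SMB encryption. The Dialect field is a
    # version string ("2.02", "2.1", "3.0", "3.1.1"), so compare it as a [version].
    Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { [version]$_.Dialect -lt [version]'3.0' } |
        Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens
}

function Test-SmbReadyForEncryption {
    # True only when SMB1 is gone, signing is required both ways and no pre-3.0 client is attached
    $r = Get-SmbHardeningReport
    $legacy = @(Get-PreSmb3Sessions)
    ($r.Smb1FeatureState -ne 'Enabled') -and (-not $r.Smb1ServerEnabled) -and
        $r.ServerRequiresSigning -and $r.ClientRequiresSigning -and ($legacy.Count -eq 0)
}

Get-SmbHardeningReport | Format-List
$legacy = @(Get-PreSmb3Sessions)
if ($legacy.Count -gt 0) {
    Write-Warning "Clients below SMB 3.0 are connected; EncryptData will disconnect them:"
    $legacy | Format-Table -AutoSize
}
"Ready to require encryption: $(Test-SmbReadyForEncryption)"
```

Run the session check during a busy period, not at 03:00; the printers, backup agents and appliances that still speak SMB 2.x only show up while they are actually connected.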

DNS Security

# WARNING: a domain-joined server must keep pointing at the domain's DNS servers.
# Repointing it at public resolvers breaks Active Directory (SRV record lookups,
# Kerberos, Group Policy), and DoH to a public resolver bypasses the query logging
# and sinkholing your internal DNS provides. Use the commands below only on
# standalone or DMZ hosts, or point the templates at your own DoH-capable resolver.

# Register DoH templates and let the client upgrade to DoH automatically;
# -AllowFallbackToUdp $false stops queries silently reverting to plaintext
# when the DoH endpoint is unreachable.
Add-DnsClientDohServerAddress -ServerAddress "8.8.8.8" -DohTemplate "https://dns.google/dns-query" -AutoUpgrade $true -AllowFallbackToUdp $false
Add-DnsClientDohServerAddress -ServerAddress "1.1.1.1" -DohTemplate "https://cloudflare-dns.com/dns-query" -AutoUpgrade $true -AllowFallbackToUdp $false

# Point the interface at those resolvers (standalone hosts only; check the alias with Get-NetAdapter)
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses "8.8.8.8","1.1.1.1"

6. Audit and Logging

Configure Advanced Audit Policies

# Enable audit policies at category level. This is a coarse starting point:
# "Object Access" and "Privilege Use" success auditing at category level log
# every handle and privilege check and will fill the Security log quickly, so
# tune at subcategory level afterwards. Also enable "Force audit policy
# subcategory settings to override audit policy category settings" (registry
# value SCENoApplyLegacyAuditPolicy under HKLM\SYSTEM\CurrentControlSet\Control\Lsa)
# so legacy category settings cannot undo the configuration.
auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /set /category:"Account Management" /success:enable /failure:enable
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
auditpol /set /category:"Object Access" /success:enable /failure:enable
auditpol /set /category:"Policy Change" /success:enable /failure:enable
auditpol /set /category:"Privilege Use" /success:enable /failure:enable
auditpol /set /category:"System" /success:enable /failure:enable
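Category-level auditing as above gets you coverage at the cost of volume. The following is an added example, not code from the original guide: it sets the subcategories that matter most on a server, adds the command line to process-creation events (4688 is close to useless without it), forces subcategory settings to win over legacy category settings, and parses auditpol's CSV output to confirm what is actually in effect. The subcategory list is my selection; the registry paths are the documented policy locations.

```powershell
# Added example: subcategory-level audit policy with verification.
$subcategories = @(
    @{ Name = 'Credential Validation';      Success = $true;  Failure = $true  }
    @{ Name = 'Logon';                      Success = $true;  Failure = $true  }
    @{ Name = 'Special Logon';              Success = $true;  Failure = $false }   # 4672 privileged logons
    @{ Name = 'Process Creation';           Success = $true;  Failure = $false }   # 4688
    @{ Name = 'Security Group Management';  Success = $true;  Failure = $true  }
    @{ Name = 'User Account Management';    Success = $true;  Failure = $true  }
    @{ Name = 'Audit Policy Change';        Success = $true;  Failure = $true  }
    @{ Name = 'Sensitive Privilege Use';    Success = $false; Failure = $true  }   # success is far too noisy
    @{ Name = 'Removable Storage';          Success = $true;  Failure = $true  }
    @{ Name = 'Other Object Access Events'; Success = $true;  Failure = $true  }   # scheduled task create/update (4698/4702)
)
foreach ($s in $subcategories) {
    $succ = if ($s.Success) { 'enable' } else { 'disable' }
    $fail = if ($s.Failure) { 'enable' } else { 'disable' }
    auditpol /set /subcategory:"$($s.Name)" /success:$succ /failure:$fail | Out-Null
}

# Include the command line in 4688 events
$auditKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
New-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -PropertyType DWORD -Force | Out-Null

# Subcategory settings override legacy category settings
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
New-ItemProperty -Path $lsa -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -PropertyType DWORD -Force | Out-Null

function Get-EffectiveAuditPolicy {
    # "auditpol /get /r" emits CSV (Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting); skip any non-CSV lines.
    (auditpol /get /category:* /r) | Where-Object { $_ -match ',' } | ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Get-AuditPolicyGaps {
    # Every requested subcategory whose effective setting is missing Success or Failure
    $effective = Get-EffectiveAuditPolicy
    foreach ($s in $subcategories) {
        $row = $effective | Where-Object Subcategory -eq $s.Name
        $setting = if ($row) { $row.'Inclusion Setting' } else { '' }
        if ((-not $row) -or
            ($s.Success -and $setting -notmatch 'Success') -or
            ($s.Failure -and $setting -notmatch 'Failure')) {
            [pscustomobject]@{ Subcategory = $s.Name; Effective = $setting }
        }
    }
}

$gaps = @(Get-AuditPolicyGaps)
if ($gaps.Count -gt 0) { Write-Warning "Audit settings not applied:"; $gaps | Format-Table -AutoSize }
else { 'Audit policy verified.' }
```

Process-creation events with command lines are the single most useful addition for detection on a server; they are also where credentials passed on the command line end up, so restrict who can read the Security log.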

Configure Windows Event Forwarding

# Configure event log sizes in bytes: 1 GiB Security, 512 MiB Application and System.
# Size is only a buffer; forward events off the box so an attacker who clears the
# log (event 1102) does not erase the trail.
wevtutil sl Security /ms:1073741824
wevtutil sl Application /ms:536870912
wevtutil sl System /ms:536870912

# Enable PowerShell logging for Windows PowerShell 5.1 (PowerShell 7 reads the
# equivalent keys under HKLM:\Software\Policies\Microsoft\PowerShellCore)
$basePath = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell'
if(-not (Test-Path $basePath)) {
    New-Item $basePath -Force
}

# Module logging: 4103 pipeline events for every module ("*" is verbose; narrow the list if volume is a problem)
New-Item -Path "$basePath\ModuleLogging" -Force
New-ItemProperty -Path "$basePath\ModuleLogging" -Name EnableModuleLogging -Value 1 -PropertyType DWORD -Force
New-Item -Path "$basePath\ModuleLogging\ModuleNames" -Force
New-ItemProperty -Path "$basePath\ModuleLogging\ModuleNames" -Name "*" -Value "*" -PropertyType STRING -Force

# Script block logging: 4104 events carrying the de-obfuscated script text, written to Microsoft-Windows-PowerShell/Operational
New-Item -Path "$basePath\ScriptBlockLogging" -Force
New-ItemProperty -Path "$basePath\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -PropertyType DWORD -Force
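The subsection is headed Windows Event Forwarding, but the commands only size the logs and turn on PowerShell logging; the forwarding itself is the part that protects the evidence once a host is compromised. The following is an added example, not code from the original guide, of a source-initiated WEF setup: a subscription on the collector and the policy value on each source. The collector name wec01.corp.example, the domain and the event selection are placeholders; the subscription XML follows the schema wecutil consumes. Forwarding rides on WinRM, so the WinRM service must stay enabled on every source (the service-hardening section lists it as optional to disable).

```powershell
# Added example: source-initiated Windows Event Forwarding.

# ---------- On the collector (wec01.corp.example, placeholder) ----------
wecutil qc /q      # enable the Windows Event Collector service and its listener
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Server-Security-Core</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logons, account and group changes, process creation, log clearing, PowerShell script blocks</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4648 or EventID=4672 or EventID=4688 or EventID=4720 or EventID=4728 or EventID=4732 or EventID=4756 or EventID=1102)]]</Select>
      </Query>
      <Query Id="1" Path="Microsoft-Windows-PowerShell/Operational">
        <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4104)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL: every Domain Computer (DC) may push events into this subscription -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
'@
$subscription | Set-Content -Path "$env:TEMP\wef-core.xml" -Encoding UTF8
wecutil cs "$env:TEMP\wef-core.xml"
wecutil gr Server-Security-Core    # runtime status: active sources and last heartbeat

# ---------- On each source server (normally delivered by GPO) ----------
$wef = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $wef -Force | Out-Null
# Between domain members the HTTP/5985 transport is Kerberos-authenticated and the
# payload is protected by WinRM message-level encryption; use https/5986 with a
# certificate for sources that are not domain-joined.
New-ItemProperty -Path $wef -Name '1' -PropertyType String -Force `
    -Value 'Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60' | Out-Null
# The forwarder runs as NETWORK SERVICE (S-1-5-20), which cannot read the Security log by default
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE' -ErrorAction SilentlyContinue
Restart-Service WinRM
```

Events land in the collector's ForwardedEvents log, which the SIEM then reads from one place. The 1102 selector is the important one: a cleared Security log on the source still leaves the "log was cleared" record on the collector.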

7. Application Control

Configure AppLocker

# Import AppLocker module
Import-Module AppLocker

# Create rules from what is installed under System32 and merge them into the local policy.
# This only allows Windows' own binaries; nothing under Program Files is covered, so do
# not enforce this as-is. Leave the rule collections in AuditOnly enforcement mode first
# and review the 8003 (EXE/DLL) and 8006 (script) "would have been blocked" events under
# Microsoft-Windows-AppLocker before switching to Enabled. DLL rules in particular have a
# measurable performance cost.
Get-AppLockerFileInformation -Directory C:\Windows\System32 -Recurse -FileType Exe, Script, Dll | New-AppLockerPolicy -RuleType Publisher, Path -User Everyone -Optimize | Set-AppLockerPolicy -Merge

# Enable AppLocker: rules are ignored until the Application Identity service runs.
# AppIDSvc is a protected service, and Set-Service -StartupType on it fails with
# "access denied" on current builds, so sc.exe is used to change the start type.
sc.exe config appidsvc start= auto
Start-Service -Name "AppIDSvc"

Windows Defender Application Control (WDAC)

# Create WDAC policy. Without -ScanPath the whole system is scanned (slow); run this on
# a clean reference build, never on a server that may already be compromised. New-CIPolicy
# sets rule option 3 (audit mode) by default, so the policy logs (event 3076) rather than
# blocks until that option is removed with Set-RuleOption.
New-CIPolicy -Level Publisher -FilePath "C:\WDAC\WDAC_Policy.xml" -UserPEs

# Convert to binary
ConvertFrom-CIPolicy -XmlFilePath "C:\WDAC\WDAC_Policy.xml" -BinaryFilePath "C:\WDAC\WDAC_Policy.bin"

# Deploy policy (legacy single-policy location; Server 2022 also supports the multiple-policy
# format under C:\Windows\System32\CodeIntegrity\CiPolicies\Active). A reboot activates it.
Copy-Item -Path "C:\WDAC\WDAC_Policy.bin" -Destination "C:\Windows\System32\CodeIntegrity\SIPolicy.p7b"
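Both WDAC snippets on this page (the Device Guard block in section 2 and the one above) create and deploy a policy but leave out the rule options and the audit review that decide whether the server still boots and runs its workloads. The following is an added example, not code from the original guide, of the full audit-first flow: scan a reference build, set explicit rule options, deploy in audit mode, then list what would have been blocked from the CodeIntegrity log. The C:\WDAC paths are the guide's own; the scan path, rule-option choices and the event property indices used to pull the file and process names from 3076/3077 events are my assumptions (check them against one event's XML if a column comes back empty).

```powershell
# Added example: WDAC audit-first workflow with review of audit events.
$xml = 'C:\WDAC\WDAC_Policy.xml'
$bin = 'C:\WDAC\WDAC_Policy.bin'
New-Item -Path 'C:\WDAC' -ItemType Directory -Force | Out-Null

# Scan the OS volume of a clean reference build. -UserPEs covers user-mode binaries;
# -Fallback Hash adds hash rules for files that have no usable publisher.
New-CIPolicy -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs -FilePath $xml

# Rule options (numbers are the WDAC rule option IDs):
Set-RuleOption -FilePath $xml -Option 3     # Enabled:Audit Mode - log, never block (already set by New-CIPolicy; made explicit)
Set-RuleOption -FilePath $xml -Option 10    # Enabled:Boot Audit on Failure - boot in audit if the policy fails at boot
Set-RuleOption -FilePath $xml -Option 9     # Enabled:Advanced Boot Options Menu - keep the F8 menu during rollout
Set-RuleOption -FilePath $xml -Option 6     # Enabled:Unsigned System Integrity Policy - acceptable while testing
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin
Copy-Item -Path $bin -Destination 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force
# Reboot, run the real workloads for a while, then ask what would have been blocked.

function Get-WdacAuditBlocks {
    param([int]$Hours = 24)
    # 3076 = audit-mode "would have blocked"; 3077 = enforced block.
    # Property indices assumed from the 3076/3077 template: [1] file name, [3] process name.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 3076) { 'Audit' } else { 'Enforced' }
            File    = $_.Properties[1].Value
            Process = $_.Properties[3].Value
        }
    } | Sort-Object File -Unique
}

Get-WdacAuditBlocks | Format-Table -AutoSize

# Once the audit list is empty (or every entry has been added to the policy via
# Merge-CIPolicy), remove audit mode, rebuild, redeploy and reboot. Sign the policy
# and drop option 6 before treating it as a production control.
# Set-RuleOption -FilePath $xml -Option 3 -Delete
# ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin
```

Option 10 is the one that keeps a mistake recoverable: with it, a policy that would block a boot-critical driver falls back to audit for that boot instead of leaving you with an unbootable server and a trip to the console.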

8. Security Baselines

Download and Apply Microsoft Security Baselines

# Download the Security Compliance Toolkit: GPO backups of the baselines plus LGPO.exe,
# which applies a backup to a standalone server (LGPO.exe /g <path-to-GPO-backup>)
# Visit: https://www.microsoft.com/en-us/download/details.aspx?id=55319

# The DSC configuration below is a separate, scriptable way to enforce a subset of the
# baseline (here the account policies). SecurityPolicyDsc is a community module from the
# PowerShell Gallery and must be installed first: Install-Module SecurityPolicyDsc
Import-Module SecurityPolicyDsc

# Apply baseline using DSC
Configuration SecurityBaseline {
    Import-DscResource -ModuleName SecurityPolicyDsc

    Node localhost {
        AccountPolicy AccountPolicies {
            Name = 'AccountPolicies'
            Enforce_password_history = 24
            Maximum_password_age = 60
            Minimum_password_age = 1
            Minimum_password_length = 14
            Password_must_meet_complexity_requirements = 'Enabled'
        }
    }
}

# Generate MOF
SecurityBaseline -OutputPath "C:\DSC"

# Apply configuration
Start-DscConfiguration -Path "C:\DSC" -Wait -Verbose -Force

9. Regular Maintenance

Automated Security Updates

# Configure Windows Update for automatic installation. Save() throws if updates are
# managed by WSUS, Group Policy or Intune; set the schedule there instead. Scheduled
# installation reboots the server when an update needs it, so pick a maintenance window.
$AutoUpdateSettings = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
$AutoUpdateSettings.NotificationLevel = 4  # Automatic download and scheduled installation
$AutoUpdateSettings.ScheduledInstallationDay = 0  # Every day
$AutoUpdateSettings.ScheduledInstallationTime = 3  # 3 AM
$AutoUpdateSettings.Save()

# Enable Microsoft Update (the GUID is the Microsoft Update service ID; flags 7 = register
# with Automatic Updates and allow online/pending registration)
$ServiceManager = (New-Object -ComObject Microsoft.Update.ServiceManager)
$ServiceManager.AddService2("7971f918-a847-4430-9279-4a52d1efe18d", 7, "")

Security Scanning Script

# Create a scheduled task for security scanning. Run it as SYSTEM: without -User the
# task is bound to the registering user's interactive logon and never runs on a server
# nobody is logged on to.
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -Command `"Start-MpScan -ScanType QuickScan`""
$Trigger = New-ScheduledTaskTrigger -Daily -At 2AM
$Settings = New-ScheduledTaskSettingsSet -StartWhenAvailable
Register-ScheduledTask -Action $Action -Trigger $Trigger -Settings $Settings -TaskName "DailySecurityScan" -Description "Daily Windows Defender Quick Scan" -User "NT AUTHORITY\SYSTEM" -RunLevel Highest

10. Monitoring and Response

Enable Attack Surface Reduction Rules

# Turn the rules on in audit mode first and review what they would have blocked before
# switching to Enabled. The rules below come from the workstation-oriented set (Office and
# script abuse); they are harmless on a server but rarely fire there.
$ASRRules = @(
    "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550", # Block executable content from email client and webmail
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A", # Block Office applications from creating child processes
    "3B576869-A4EC-4529-8536-B80A7769E899", # Block Office applications from creating executable content
    "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84", # Block Office applications from injecting code into other processes
    "D3E037E1-3EB8-44C8-A917-57927947596D", # Block JavaScript or VBScript from launching downloaded executable content
    "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC", # Block execution of potentially obfuscated scripts
    "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B"  # Block Win32 API calls from Office macros
)

# Add-MpPreference appends to the existing rule list (Set-MpPreference would replace it)
foreach ($Rule in $ASRRules) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Rule -AttackSurfaceReductionRules_Actions AuditMode
}
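Audit mode is only useful if someone reads the audit events and then promotes the rules. The following is an added example, not code from the original guide: it adds two rules that matter on a server (LSASS credential theft and process creation from PsExec/WMI, both from Microsoft's ASR rule reference), pulls Defender's ASR events (1122 = audited, 1121 = blocked) into a per-rule, per-target summary, and provides a function that flips a reviewed rule to block and reads back the effective rule table. The event-data field names are as I recall them from the 1121/1122 template; confirm with `$_.ToXml()` on one event if a column comes back empty.

```powershell
# Added example: ASR audit-to-block workflow.
$serverRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PsExec and WMI'
}
foreach ($id in $serverRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

function Get-AsrEvents {
    param([int]$Days = 14)
    # Microsoft-Windows-Windows Defender/Operational: 1121 = blocked, 1122 = audited
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId  = $d['ID']              # assumed field names from the 1121/1122 template
            Target  = $d['Path']
            Process = $d['Process Name']
            User    = $d['User']
        }
    }
}

# What fired, on what, over the audit window: exclusions are decided from this table
Get-AsrEvents | Group-Object RuleId, Target | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

function Get-AsrRuleTable {
    # Effective rule list; actions: 0 Disabled, 1 Block, 2 Audit, 6 Warn
    $p = Get-MpPreference
    for ($i = 0; $i -lt @($p.AttackSurfaceReductionRules_Ids).Count; $i++) {
        [pscustomobject]@{
            RuleId = $p.AttackSurfaceReductionRules_Ids[$i]
            Action = $p.AttackSurfaceReductionRules_Actions[$i]
        }
    }
}

function Set-AsrRuleEnforced {
    param([Parameter(Mandatory)][string[]]$RuleId)
    foreach ($id in $RuleId) {
        # Re-adding an existing ID updates its action in place; Enabled = block
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    }
    Get-AsrRuleTable
}

# Promote a rule only after its audit events have been reviewed and any exclusions
# (Add-MpPreference -AttackSurfaceReductionOnlyExclusions) are in place:
# Set-AsrRuleEnforced -RuleId '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
```

The LSASS rule is the one to enforce first on servers; it fires on legitimate tools (some backup and monitoring agents open LSASS) often enough that the audit window is worth taking, but it is also the rule that stops the most common credential-dumping tradecraft.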

Security Event Monitoring

# Create a custom event log for the monitor's own findings (the source only needs registering once)
if (-not [System.Diagnostics.EventLog]::SourceExists("SecurityScript")) {
    New-EventLog -LogName "SecurityMonitoring" -Source "SecurityScript"
}

# Events of interest: 4624 logon, 4625 failed logon, 4634 logoff, 4648 logon with explicit
# credentials, 4672 privileged logon. 4624/4634 fire for every session; in production
# restrict to failures and privileged logons, or forward everything to a SIEM instead.
$Query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625 or EventID=4634 or EventID=4648 or EventID=4672)]]
    </Select>
  </Query>
</QueryList>
"@

# Review the most recent matching events (the same filter the watcher below mirrors)
Get-WinEvent -FilterXml $Query -MaxEvents 100 | Select-Object TimeCreated, Id, Message

# Register a polling watcher. WMI polls every 10 seconds; the EventCode filter keeps
# unrelated Security events from being copied. The subscription lives only for this
# PowerShell session, so run it from a scheduled task or use Event Forwarding instead.
Register-WmiEvent -Query "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.Logfile = 'Security' AND (TargetInstance.EventCode = 4624 OR TargetInstance.EventCode = 4625 OR TargetInstance.EventCode = 4634 OR TargetInstance.EventCode = 4648 OR TargetInstance.EventCode = 4672)" -Action {
    Write-EventLog -LogName "SecurityMonitoring" -Source "SecurityScript" -EventId 1000 -Message "Security event detected: $($Event.SourceEventArgs.NewEvent.TargetInstance.Message)"
}
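Copying every logon event into a second log is collection, not detection. The following is an added example, not code from the original guide, of one detection a practitioner would actually run over 4625 events: a sliding window per source address that flags a burst of failures and distinguishes a password spray (many accounts) from brute force (one account). The parser works on real Security log records via Get-WinEvent; the sample events at the end are constructed, not real log data, and are built so that the first source crosses the threshold and the second does not.

```powershell
# Added example: burst detection over 4625 failed-logon events.
function ConvertFrom-LogonFailure {
    # Flatten a 4625 EventLogRecord; field names are the 4625 EventData names.
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            Account   = $d['TargetUserName']
            Source    = $d['IpAddress']
            LogonType = [int]$d['LogonType']
            Status    = $d['Status']   # 0xC000006A bad password, 0xC0000064 unknown user, 0xC0000234 locked out
        }
    }
}

function Find-LogonBursts {
    param(
        [Parameter(Mandatory)][object[]]$Failures,
        [int]$Threshold = 10,
        [int]$WindowMinutes = 5
    )
    # Per source IP, slide a window over the time-sorted failures; the first window holding
    # $Threshold or more events raises one alert for that source. Many distinct accounts in
    # the window points to spraying, a single account to brute force.
    $alerts = @()
    $bySource = $Failures | Where-Object { $_.Source -and $_.Source -ne '-' } | Group-Object Source
    foreach ($group in $bySource) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end    = $sorted[$i].Time.AddMinutes($WindowMinutes)
            $window = @($sorted[$i..($sorted.Count - 1)] | Where-Object { $_.Time -le $end })
            if ($window.Count -ge $Threshold) {
                $accounts = @($window.Account | Sort-Object -Unique).Count
                $alerts += [pscustomobject]@{
                    Source   = $group.Name
                    Start    = $sorted[$i].Time
                    Count    = $window.Count
                    Accounts = $accounts
                    Pattern  = if ($accounts -gt 1) { 'password spray' } else { 'brute force' }
                }
                break   # one alert per source per run
            }
        }
    }
    $alerts
}

# Live use: failed logons from the last hour.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) } | ConvertFrom-LogonFailure
# Find-LogonBursts -Failures $live | Format-Table -AutoSize

# Constructed sample (not real log data): twelve failures for twelve accounts from one
# address within three minutes, plus two isolated failures from another address.
$t0 = Get-Date '2024-01-20 02:00:00'
$sample = foreach ($i in 1..12) {
    [pscustomobject]@{ Time = $t0.AddSeconds(15 * $i); Account = "user$i"; Source = '203.0.113.7'; LogonType = 3; Status = '0xC000006A' }
}
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(1);  Account = 'svc_backup'; Source = '198.51.100.2'; LogonType = 3; Status = '0xC000006A' }
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(30); Account = 'svc_backup'; Source = '198.51.100.2'; LogonType = 3; Status = '0xC000006A' }
Find-LogonBursts -Failures $sample | Format-Table -AutoSize
```

Pair this with the account lockout settings from section 3: a spray that stays under 5 attempts per account never trips lockout, which is exactly why the per-source count matters more than the per-account one.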

Conclusion

This guide provides a comprehensive approach to hardening Windows Server 2022. Remember to:

  1. Test all changes in a non-production environment first
  2. Document all modifications for compliance and troubleshooting
  3. Regularly review and update security configurations
  4. Monitor logs and alerts for suspicious activity
  5. Keep the server updated with the latest security patches

For additional security, consider implementing:

  • Microsoft Defender for Endpoint
  • Microsoft Defender for Cloud (formerly Azure Security Center) integration
  • Third-party security tools
  • Regular security assessments and penetration testing

Additional Resources