Server Security & Hardening — Complete Guide | ITVedas

Server Security & Hardening

Server security isn't optional—it's mandatory. A single compromised server can expose your entire organization to data theft, ransomware, and regulatory violations. Security hardening means reducing attack surface by removing unnecessary services, enforcing strong authentication, and implementing defense-in-depth strategies.

Security Fundamentals

The CIA Triad:

  • Confidentiality: Only authorized people access information
  • Integrity: Information isn't modified without authorization
  • Availability: Systems remain operational for authorized users

All security measures exist to protect one or more of these principles. A good security posture protects all three simultaneously.

Windows Defender Configuration

Windows Defender provides built-in antimalware protection. Proper configuration ensures comprehensive protection without impacting performance.

Configuring Windows Defender via Group Policy

  1. Open Group Policy Management
  2. Edit a GPO for your servers
  3. Navigate to: Computer Configuration → Policies → Administrative Templates → Windows Components → Windows Defender
  4. Configure these settings:
    • Real-time protection: Enabled
    • Scan incoming mail: Enabled
    • Scan downloads: Enabled
    • Signature updates: Download daily
    • Quarantine suspicious files: Enabled
  5. Schedule scans: Quick scan daily at 2:00 AM
  6. Apply GPO to all servers
```powershell
# PowerShell: Configure Windows Defender

# Enable real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false

# Enable behavior monitoring of running processes
Set-MpPreference -DisableBehaviorMonitoring $false

# Scan downloaded files and attachments (IOAV) and incoming mail
Set-MpPreference -DisableIOAVProtection $false
Set-MpPreference -DisableEmailScanning $false

# Schedule a daily quick scan at 2 AM (MpCmdRun -ScanType 1 = quick scan, 2 = full scan).
# -TaskPath creates the "Antivirus" task folder if it does not already exist, and the
# task runs as SYSTEM so it does not depend on an interactive logon.
$action    = New-ScheduledTaskAction -Execute "C:\Program Files\Windows Defender\MpCmdRun.exe" `
                                     -Argument "-Scan -ScanType 1"
$trigger   = New-ScheduledTaskTrigger -Daily -At "2:00AM"
$principal = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" -RunLevel Highest
Register-ScheduledTask -TaskName "Daily Quick Scan" -TaskPath "\Antivirus\" `
    -Action $action -Trigger $trigger -Principal $principal -Force
```

Windows Firewall Management

Windows Firewall is a host-based firewall that controls inbound and outbound traffic. Proper configuration allows legitimate traffic while blocking threats.

Firewall Profiles:

  • Domain: Applied when connected to a domain network (typically the most permissive)
  • Private: Applied on private/trusted networks
  • Public: Applied on public networks (most restrictive)

Creating Firewall Rules via Group Policy

  1. Open Group Policy Management
  2. Edit a GPO targeting servers
  3. Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Windows Firewall with Advanced Security
  4. Right-click Inbound Rules and select New Rule
  5. Select "Port" and enter listening port (e.g., 443 for HTTPS)
  6. Allow the connection
  7. Apply to all profiles (Domain, Private, Public)
  8. Name the rule descriptively (e.g., "Allow HTTPS for Web Server")
  9. Repeat for all necessary services
```powershell
# PowerShell: Create firewall rules

# Make sure the firewall is on for every profile before relying on its rules
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# Allow RDP (port 3389). On a real server add -RemoteAddress with the management
# subnet so RDP is not reachable from every host that can route to the server.
New-NetFirewallRule -Name "Allow-RDP" -DisplayName "Allow Remote Desktop" `
    -Enabled True -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow

# Allow HTTP and HTTPS for web server
New-NetFirewallRule -Name "Allow-Web" -DisplayName "Allow HTTP/HTTPS" `
    -Enabled True -Direction Inbound -Protocol TCP -LocalPort 80,443 -Action Allow

# Block all other inbound traffic by default, on all profiles
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# List all enabled firewall rules
Get-NetFirewallRule -Enabled True
```

User Account Control (UAC)

UAC prompts administrators when a change requires elevated privileges. This prevents malware from making unauthorized system changes even if a user clicks a malicious link.

💡 Pro Tip: Don't disable UAC. Instead, configure it to "Prompt for password on Secure Desktop" which provides security without excessive prompts on servers.
```powershell
# PowerShell: Configure UAC on servers
$uac = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Make sure UAC itself is enabled (a change to EnableLUA takes effect after a reboot)
Set-ItemProperty -Path $uac -Name "EnableLUA" -Value 1 -Type DWord

# Elevation behaviour for administrators:
#   1 = prompt for credentials (password) on the Secure Desktop, as recommended in the tip above
#   2 = prompt for consent (click-through) on the Secure Desktop
Set-ItemProperty -Path $uac -Name "ConsentPromptBehaviorAdmin" -Value 1 -Type DWord

# Require the Secure Desktop for UAC prompts
Set-ItemProperty -Path $uac -Name "PromptOnSecureDesktop" -Value 1 -Type DWord
```

Security Updates and Patching

Unpatched systems are immediately vulnerable. Patch management must be automated and enforced.

Patch Categories:

  • Critical: Deploy immediately (within 48 hours)
  • Important: Deploy within 1-2 weeks
  • Moderate: Deploy within monthly update cycle
  • Low: Deploy with normal update cycle

🔐 Windows Update via Group Policy

Policy Path: Computer Configuration → Policies → Administrative Templates → Windows Components → Windows Update

Key Settings:

  • Configure Automatic Updates: Enabled (Auto download and install)
  • Install updates for other Microsoft products: Enabled
  • No auto-restart with logged-in users: Disabled (force restart)
  • Allow Immediate installation of auto updates: Enabled
  • Notify for download and auto install: Set notification time
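
The following check, added here and not part of the ITVedas guide, reads a server's effective Windows Update policy values and reports drift from the settings listed above. The registry value names are the standard ones under the WindowsUpdate\AU policy key; the expected values are this example's mapping of the list above, and Test-UpdatePolicy is its own helper name.

```powershell
# Policy key written by the Windows Update GPO settings
$au = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"

# Value name -> expected value (mapping of the Key Settings list; assumption of this example)
$expected = [ordered]@{
    NoAutoUpdate                  = 0   # Configure Automatic Updates: Enabled
    AUOptions                     = 4   # 4 = auto download and schedule the install
    AllowMUUpdateService          = 1   # Install updates for other Microsoft products
    NoAutoRebootWithLoggedOnUsers = 0   # 0 = do not suppress the restart (force restart)
    AutoInstallMinorUpdates       = 1   # Allow immediate installation of auto updates
}

function Test-UpdatePolicy {
    param($Path = $au, $Expected = $expected)
    # Missing key or missing value both show up as "<not set>" rather than as an error
    $actual = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $value = if ($actual) { $actual.$name } else { $null }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = if ($null -eq $value) { "<not set>" } else { $value }
            Compliant = ($value -eq $Expected[$name])
        }
    }
}

# Run after "gpupdate /force" on the target server; any row with Compliant = False is drift
Test-UpdatePolicy | Format-Table -AutoSize
```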

Account Security and Access Control

Local Administrator Account:

  • Rename from "Administrator" to something non-obvious
  • Disable it (don't delete—needed for recovery)
  • Use domain admin account for administration instead

Password Policy Requirements:

  • Minimum 12 characters (longer is better: 16+)
  • Must contain: Uppercase, lowercase, numbers, symbols
  • Password history: Remember at least 24 previous passwords
  • Maximum age: 90 days (forces periodic changes)
  • Minimum age: 1 day (stops users cycling through passwords in one sitting to get back to an old one)
  • Account lockout: 5 failed attempts, 30-minute lockout
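
As an added example (not code from the guide), this applies the password, lockout and local Administrator settings from the two lists above. It assumes the ActiveDirectory module on a domain-joined admin host for the domain policy, runs the local-account part on each server, and uses a constructed placeholder for the new account name.

```powershell
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot

# Default domain password policy, using the values from the list above
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 12 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# Verify what is now in effect
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                  MinPasswordAge, LockoutThreshold, LockoutDuration

# Local built-in Administrator: locate it by its well-known RID (-500) rather than by
# name, so this still works if it was renamed earlier; then rename and disable it.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like "*-500" }
$newName = "svc-recovery-hold"   # constructed placeholder; choose your own non-obvious name
if ($builtin.Name -ne $newName) {
    Rename-LocalUser -Name $builtin.Name -NewName $newName
}
Disable-LocalUser -Name $newName   # disabled, not deleted, so it stays available for recovery
```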

Audit Logging and Monitoring

Audit logs are your detective—they record what happened so that it can be reconstructed after an incident. Enable comprehensive logging and review it regularly.

Enabling Security Audit Policies

  1. Open Group Policy Management
  2. Edit GPO for servers
  3. Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy
  4. Enable these audit policies:
    • Account Logon: Success and Failure
    • Logon/Logoff: Success and Failure
    • Object Access: Success and Failure
    • Privilege Use: Failure
    • Process Creation: Success
  5. Configure event log retention: 30-90 days minimum
  6. Configure log size: At least 100MB
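
Added example (not the guide's own code): the same audit settings applied locally with auditpol and the Security log sized as in steps 4 to 6, followed by a first review pass that groups failed logons (event 4625) by source address. The auditpol subcategory names and the 4625 property positions are the built-in Windows ones; Get-FailedLogonSummary and its thresholds are this example's own.

```powershell
# Subcategory -> success/failure, matching the list above
$audit = @{
    "Credential Validation"   = @{ success = "enable";  failure = "enable"  }   # Account Logon
    "Logon"                   = @{ success = "enable";  failure = "enable"  }   # Logon/Logoff
    "File System"             = @{ success = "enable";  failure = "enable"  }   # Object Access
    "Sensitive Privilege Use" = @{ success = "disable"; failure = "enable"  }   # Privilege Use
    "Process Creation"        = @{ success = "enable";  failure = "disable" }
}
foreach ($sub in $audit.Keys) {
    $s = $audit[$sub]
    auditpol.exe /set /subcategory:"$sub" /success:$($s.success) /failure:$($s.failure) | Out-Null
}

# Record the command line in 4688 (Process Creation) events; without this only the image path is logged
$auditKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -Type DWord

# Security log: 100 MB, keep 30 days (Limit-EventLog exists in Windows PowerShell 5.1, not PowerShell 7)
Limit-EventLog -LogName Security -MaximumSize 100MB -OverflowAction OverwriteOlder -RetentionDays 30

function Get-FailedLogonSummary {
    param([int]$Hours = 24, [int]$MinCount = 10)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4625; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # In 4625, Properties[5] is TargetUserName and Properties[19] is IpAddress
            [pscustomobject]@{ User = $_.Properties[5].Value; Source = $_.Properties[19].Value }
        } |
        Group-Object Source |
        Where-Object Count -ge $MinCount |          # ignore the odd mistyped password
        Sort-Object Count -Descending |
        Select-Object @{n="SourceIP";e={$_.Name}}, Count,
                      @{n="Accounts";e={($_.Group.User | Sort-Object -Unique) -join ","}}
}

# Sources with many failures against many different accounts are the rows to investigate first
Get-FailedLogonSummary -Hours 24 -MinCount 10
```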

Network Security

Network Segmentation:

  • Separate critical servers onto isolated networks
  • Use VLANs to segregate traffic by department
  • Implement network access control (NAC)
  • Require network authentication for device access

Encryption:

  • In Transit: Use HTTPS/TLS for all remote connections
  • At Rest: Enable BitLocker for disk encryption
  • SMB Signing: Enable for file server connections

Server Hardening Checklist

✅ Pre-Production Hardening Tasks

Operating System:

  • ☐ Install latest Windows updates
  • ☐ Configure Windows Defender with real-time protection
  • ☐ Configure Windows Firewall with rules
  • ☐ Enable UAC
  • ☐ Disable unnecessary services and features
  • ☐ Enable full disk encryption (BitLocker)

Network:

  • ☐ Configure network adapters with static IPs
  • ☐ Configure DNS servers
  • ☐ Disable IPv6 if not needed
  • ☐ Configure NIC teaming for redundancy

Access Control:

  • ☐ Disable default Administrator account
  • ☐ Rename administrator account to non-obvious name
  • ☐ Configure strong password policies
  • ☐ Require multi-factor authentication for sensitive accounts
  • ☐ Limit admin access via Group Policy

Auditing and Logging:

  • ☐ Enable security event auditing
  • ☐ Configure event log retention (minimum 30 days)
  • ☐ Configure centralized log collection
  • ☐ Set up alerts for critical events

Hardening and Security:

  • ☐ Run Microsoft Security Baseline
  • ☐ Disable unnecessary protocols (SMBv1, NTLMv1)
  • ☐ Enable LSA Protection
  • ☐ Enable Windows Defender Exploit Guard
  • ☐ Configure Data Execution Prevention (DEP)
  • ☐ Configure Address Space Layout Randomization (ASLR)
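
Added example, not from the guide: a read-only audit of the "Hardening and Security" items above together with the SMB signing and BitLocker items from the Encryption section, returning one row per check so drift can be reviewed before a server goes to production. The registry values and cmdlets are the standard Windows ones (property names follow Get-ProcessMitigation output); Test-ServerHardening and Get-RegValue are this example's own helpers.

```powershell
$lsa = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"

function Get-RegValue($Path, $Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-ServerHardening {
    $mit = Get-ProcessMitigation -System                        # system-wide Exploit Guard settings
    $smb = Get-SmbServerConfiguration
    $blv = Get-BitLockerVolume -MountPoint "C:" -ErrorAction SilentlyContinue
    $checks = @(
        @{ Item = "SMBv1 disabled";                        Value = $smb.EnableSMB1Protocol;                  Expected = $false }
        @{ Item = "SMB signing required";                  Value = $smb.RequireSecuritySignature;            Expected = $true }
        @{ Item = "NTLMv1 refused (LmCompatibilityLevel)"; Value = (Get-RegValue $lsa "LmCompatibilityLevel"); Expected = 5 }
        @{ Item = "LSA Protection (RunAsPPL)";             Value = (Get-RegValue $lsa "RunAsPPL");           Expected = 1 }
        @{ Item = "DEP on system-wide";                    Value = $mit.DEP.Enable;                          Expected = "ON" }
        @{ Item = "ASLR: force relocate images";           Value = $mit.ASLR.ForceRelocateImages;            Expected = "ON" }
        @{ Item = "ASLR: bottom-up randomization";         Value = $mit.ASLR.BottomUp;                       Expected = "ON" }
        @{ Item = "BitLocker protecting C:";               Value = $blv.ProtectionStatus;                    Expected = "On" }
    )
    foreach ($c in $checks) {
        # Compare as strings so booleans, integers and enum values all report the same way
        [pscustomobject]@{
            Item      = $c.Item
            Actual    = if ($null -eq $c.Value) { "<not set>" } else { "$($c.Value)" }
            Expected  = "$($c.Expected)"
            Compliant = ("$($c.Value)" -eq "$($c.Expected)")
        }
    }
}

Test-ServerHardening | Format-Table -AutoSize
```

The audit only reads state; apply the fixes through the Security Baseline GPO so they are enforced consistently rather than hand-patched per server.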

Backup and Recovery:

  • ☐ Configure automated backups
  • ☐ Test backup restoration
  • ☐ Document recovery procedures
  • ☐ Verify off-site backup copies

Common Security Issues and Solutions

Problem: Suspected Security Breach

Immediate Actions:

  1. Isolate affected system from network immediately
  2. Preserve evidence: Don't shut down, leave running for investigation
  3. Review security event logs for suspicious activity
  4. Check for unauthorized accounts or processes
  5. Scan with multiple antivirus tools
  6. Notify stakeholders and incident response team
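
As an added example (not from the guide), this captures volatile state for step 2 so that steps 3 and 4 can be worked from a preserved copy rather than the live system. It is meant to be run from the console after the system has been isolated in step 1; the output folder and Save-VolatileEvidence are this example's own names, and everything collected comes from standard cmdlets.

```powershell
function Save-VolatileEvidence {
    param([string]$OutRoot = "C:\IR-Evidence")   # constructed default; use removable media if possible
    $stamp = Get-Date -Format "yyyyMMdd-HHmmss"
    $dir   = Join-Path $OutRoot "$env:COMPUTERNAME-$stamp"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # What is running, who is connected, who can log on, and what persists across reboots
    $collect = [ordered]@{
        "processes.csv"   = { Get-CimInstance Win32_Process |
                              Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate }
        "connections.csv" = { Get-NetTCPConnection |
                              Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess }
        "localusers.csv"  = { Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, SID }
        "localadmins.csv" = { Get-LocalGroupMember -Group "Administrators" | Select-Object Name, PrincipalSource }
        "tasks.csv"       = { Get-ScheduledTask | Select-Object TaskName, TaskPath, State, Author }
        "services.csv"    = { Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, PathName, StartName }
    }
    foreach ($file in $collect.Keys) {
        & $collect[$file] | Export-Csv -Path (Join-Path $dir $file) -NoTypeInformation
    }

    # Export the Security log itself rather than relying on a live query later
    wevtutil.exe epl Security (Join-Path $dir "Security.evtx")

    # Hash everything collected so the copy can later be shown to be unmodified
    $hashes = Get-ChildItem $dir -File | Get-FileHash -Algorithm SHA256 |
              Select-Object @{n="File";e={Split-Path $_.Path -Leaf}}, Hash
    $hashes | Export-Csv -Path (Join-Path $dir "manifest.sha256.csv") -NoTypeInformation
    return $dir
}

Save-VolatileEvidence
```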

Recovery:

  • Restore from clean backup
  • Change all passwords on affected accounts
  • Review and strengthen security policies
  • Implement additional monitoring

Key Takeaways

  • Security is a multi-layered, defense-in-depth approach
  • Windows Defender and Firewall provide essential protection
  • Regular patching closes vulnerability windows
  • Strong passwords and access control prevent unauthorized access
  • Comprehensive auditing enables breach detection
  • Hardening checklist ensures consistent security posture
  • Regular testing validates security effectiveness