Windows Server Hardening
Lock Down Your Configuration
Configuration hardening entries — no CVE required. These are security best practices that reduce your attack surface regardless of patch level.
Hardening entries modify Windows configuration rather than applying patches. Most take effect immediately or at next logon. All include rollback instructions.
10 Hardening Guides Available
| Severity | Title | CVSS | | Exploitation | Reboot | Script |
|---|---|---|---|---|---|---|
| CRITICAL | Disable SMBv1 to Remove the Attack Surface Exploited by EternalBlue and WannaCry<br>Microsoft Windows Server — SMBv1 Protocol Disabled (Hardening) | — | — | Actively abused in attacks | Reboot Recommended | ✓ Script |
| HIGH | Enable PPL Protection on LSASS to Prevent Credential Dumping via Mimikatz<br>Microsoft Windows Server — LSASS Protected Process Light Enabled (Hardening) | — | — | Actively abused in attacks | Reboot Required | ✓ Script |
| HIGH | Enforce NLA on RDP to Require Credentials Before the Remote Desktop Session Loads<br>Microsoft Windows Server — RDP Network Level Authentication Enforced (Hardening) | — | — | Actively abused in attacks | No Reboot | ✓ Script |
| HIGH | Disable NTLMv1 to Prevent Weak Authentication Hash Cracking and Relay Attacks<br>Microsoft Windows Server — NTLMv1 Protocol Disabled (Hardening) | — | — | Actively abused in attacks | No Reboot | ✓ Script |
| HIGH | Require SMB Signing to Prevent NTLM Relay and Man-in-the-Middle Attacks<br>Microsoft Windows Server — SMB Signing Required (Hardening) | — | — | Actively abused in attacks | No Reboot | Script |
| HIGH | Disable WDigest to Prevent Plaintext Credential Caching in LSASS Memory<br>Microsoft Windows Server — WDigest Authentication Disabled (Hardening) | — | — | Actively abused in attacks | Logon Required | ✓ Script |
| HIGH | Enable Script Block Logging to Capture All PowerShell Commands for Forensic Investigation<br>Microsoft Windows Server — PowerShell Script Block Logging Enabled (Hardening) | — | — | Actively abused in attacks | No Reboot | ✓ Script |
| HIGH | Ensure Windows Defender Is Active on All Servers Without Third-Party AV<br>Microsoft Windows Server — Windows Defender Antivirus Enabled (Hardening) | — | — | Actively abused in attacks | No Reboot | Script |
| HIGH | Ensure the Built-In Guest Account Is Disabled and Renamed<br>Microsoft Windows Server — Guest Account Disabled (Hardening) | — | — | Actively abused in attacks | No Reboot | Script |
| HIGH | Disable the Remote Registry Service to Prevent Remote Registry Enumeration and Modification<br>Microsoft Windows Server — Remote Registry Service Disabled (Hardening) | — | — | Actively abused in attacks | No Reboot | Script |