Best Practices for Hardening Microsoft Windows OS and Applications

Many resources are available to you for hardening Windows computers. Some resources focus on a few high-level suggestions while others go into very detailed lists of suggestions. To make your job of securing Windows computers easier, here is a list of best practices for securing different types of computers. These best practices may not all apply to every one of your computers. They do provide a solid starting point that will result in a far higher level of security than taking no action at all. The key to hardening your Windows computers is to reduce each computer’s attack surface to the absolute minimum while still allowing the computer to fulfill its purpose.

Here are the best practices for hardening Windows operating systems:

  • Install only the Server Core option when you don’t need extra functionality (i.e., GUI).

  • Select the minimum number of roles when installing Windows Server.

  • Use SCT immediately after installing the operating system on any Windows computer, especially computers that participate in an organization’s network.

  • Update each computer with the latest operating system patches.

  • Configure each computer for automatic Windows updates.

  • Install and run Microsoft Baseline Security Analyzer (MBSA) and at least one other Windows security vulnerability scanner.

  • Create one or more user accounts with Administrator rights.

  • Disable the Administrator and Guest user accounts.

  • Determine which services are needed and disable all unneeded services.

  • Close all ports not required by services or applications.

  • Create GPOs for all security settings, including firewall rules.

  • Use AD to distribute all configuration changes using GPOs.

  • Create a backup of each GPO.

  • Scan all computers for open ports and known vulnerabilities.

  • Limit physical access to all critical servers.

  • Create an initial baseline backup.

  • Change the AD DSRM password periodically, at least every 6 months.

  • Install anti-malware software on each computer.

  • Ensure all anti-malware software and data are current.

  • Use NAC software or devices to control remote computer connections.

  • Use remote authentication methods to authorize remote computers and users.

  • Require secure VPNs to access internal network resources.

  • Use IPSec with digital certificates to authenticate computer-to-computer connections in the datacenter.

  • Require security awareness training prior to issuing access credentials.

  • Require periodic recurrent security awareness training to retain access credentials.

  • Provide continuing security awareness through different means.
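As an added example that is not part of the book, the following PowerShell script audits several of the items above on a local Windows host (state of the built-in Administrator and Guest accounts, the automatic-update policy, running services outside an approved set, and listening ports) and provides a guarded remediation for the account item. The `$ApprovedServices` list is a constructed placeholder; `Disable-BuiltinAccounts` is defined but only runs when you call it deliberately.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the book): audits several list items on the local host.
# $ApprovedServices is a constructed placeholder; fill it from the host's documented role.
$ApprovedServices = @('WinDefend', 'wuauserv', 'EventLog', 'Dhcp', 'Dnscache',
                      'LanmanWorkstation', 'RpcSs', 'Schedule', 'MpsSvc')
function Get-BuiltinAccountState {
    # RID 500 is the built-in Administrator, RID 501 the built-in Guest. Match on
    # the SID suffix rather than the name, since either account may have been renamed.
    Get-LocalUser | Where-Object { $_.SID.Value -match '-50[01]$' } |
        Select-Object Name, Enabled, @{ n = 'RID'; e = { $_.SID.Value.Split('-')[-1] } }
}
function Disable-BuiltinAccounts {
    # Refuses to act unless another account holds Administrator rights (the list
    # item before "Disable the Administrator and Guest user accounts"), so the
    # host is never left without a usable administrator.
    $otherAdmins = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.SID.Value -notmatch '-500$' }
    if (-not $otherAdmins) { throw 'No alternate administrator account; refusing to disable RID 500.' }
    foreach ($acct in Get-BuiltinAccountState | Where-Object Enabled) {
        Disable-LocalUser -Name $acct.Name
        Write-Output "Disabled built-in account $($acct.Name) (RID $($acct.RID))"
    }
}
function Get-AutoUpdatePolicy {
    # Automatic updates are set by policy through AUOptions; 4 = download and
    # schedule the install automatically. A missing value means no policy applies.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $au = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AUOptions
    [pscustomobject]@{ AUOptions = $au; AutoInstallConfigured = ($au -eq 4) }
}
function Get-UnapprovedServices {
    # Running services outside the approved set are candidates for disabling.
    Get-Service | Where-Object { $_.Status -eq 'Running' -and $_.Name -notin $ApprovedServices } |
        Select-Object Name, DisplayName, StartType
}
function Get-ListeningPorts {
    # Each listening TCP port with its owning process, to compare against what
    # the host's services and applications actually require.
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = $_.LocalPort; Address = $_.LocalAddress; Process = $p.ProcessName }
    } | Sort-Object Port, Address -Unique
}
# Report only; run Disable-BuiltinAccounts separately once the findings are reviewed.
Get-BuiltinAccountState | Format-Table -AutoSize
Get-AutoUpdatePolicy
Get-UnapprovedServices | Format-Table -AutoSize
Get-ListeningPorts | Format-Table -AutoSize
```

Run it once after installation to capture the initial baseline the list calls for, then again after each change to confirm that only intended services and ports remain.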
