This chapter covers the critical process of hardening Windows systems, a core topic in Security+ domain Security Operations (Objective 4.1). Hardening reduces the attack surface by removing unnecessary services, applying security configurations, and enforcing policies. For the SY0-701 exam, you must understand specific hardening techniques, tools like the Security Configuration Wizard (SCW) and Group Policy, and how to secure user accounts, network services, and the registry. Mastering these concepts is essential for protecting enterprise Windows environments from common attacks.
Imagine you're the security director of a bank with a massive vault. The vault (Windows Server) comes from the manufacturer with many default features: multiple doors (services), windows (ports), and an intercom system (remote management). The default configuration is convenient for the bank staff but leaves many entry points for thieves. Your job is to 'harden' the vault: you weld shut any unused doors (disable unnecessary services), install bars on windows that must remain (restrict ports with firewall rules), change the default combination lock (rename default administrator account), and install a two-person rule (require multi-factor authentication). You also set up a logging system that records every access attempt (enable auditing) and create a checklist for weekly inspections (patch management). Just as a bank would never leave the vault door open overnight, you must never leave a default configuration exposed. The attackers (ransomware, hackers) are constantly testing the vault's weaknesses—they scan for open ports, try default passwords, and look for unpatched vulnerabilities. Hardening is the process of systematically reducing the attack surface, making the vault as unappealing a target as possible.
What is Windows Hardening?
Windows hardening is the process of configuring a Windows operating system to reduce its vulnerability to attacks. It involves disabling unnecessary services, closing unused ports, applying security templates, configuring user rights, and enforcing strong authentication policies. The goal is to minimize the attack surface—the sum of all points where an unauthorized user can try to enter or extract data. A default Windows installation includes many services and features enabled for convenience, but many of these are not needed in a production server or workstation environment. For example, the Print Spooler service is often not required on a domain controller, and leaving it running exposes the system to vulnerabilities like CVE-2021-34527 (PrintNightmare). Hardening systematically eliminates such risks.
How Hardening Works Mechanically
Hardening follows a layered approach, often called 'defense in depth.' Each layer addresses a different aspect of security:
Operating System Configuration: This includes disabling unnecessary services (e.g., Print Spooler, Remote Registry), removing optional features that are not needed (e.g., Windows Media Player, XPS Viewer), and configuring the Local Security Policy (secpol.msc) to enforce password complexity, account lockout thresholds, and audit policies. Removing the default administrative shares (ADMIN$, C$) is sometimes listed here too, but many management and patching tools depend on them, so treat that as a deliberate decision rather than a default step.
User Account Hardening: Renaming the default Administrator account, disabling the Guest account, implementing least privilege (users have only the permissions they need), and enforcing strong password policies (minimum 14 characters, complexity requirements, periodic changes).
Network Hardening: Configuring Windows Firewall to block all inbound traffic by default and only allow necessary ports (e.g., TCP 3389 for RDP only from specific IPs, TCP 445 for SMB only within trusted networks). Disabling NetBIOS over TCP/IP (port 137-139) and LLMNR (Link-Local Multicast Name Resolution) to prevent name resolution poisoning attacks.
Application Hardening: Using Software Restriction Policies (SRP) or AppLocker to control which executables, scripts, and installers can run. Disabling macros in Office applications, blocking execution from temporary folders, and using Windows Defender Application Control (WDAC) for advanced control.
Registry Hardening: Modifying registry keys to enhance security, such as disabling autorun (AutoRun/AutoPlay) to prevent malware from spreading via USB drives, and restricting anonymous access to the registry (RestrictAnonymous).
Patch Management: Regularly applying security updates via Windows Update or WSUS (Windows Server Update Services). Priority patches for critical vulnerabilities (e.g., CVE-2020-1472 for Netlogon) must be applied immediately.
Key Components and Standards
Security Configuration Wizard (SCW): A tool in Windows Server 2003 SP1 through Windows Server 2012 R2 that creates security policies based on the server's role (e.g., file server, DNS server). It disables unnecessary services and configures firewall rules and registry settings. SCW was removed in Windows Server 2016; on current versions the equivalent is applying Microsoft's published security baselines (Security Compliance Toolkit) through Group Policy. It remains an exam term.
Group Policy: Used in Active Directory environments to apply hardening settings across multiple systems. For example, a Group Policy Object (GPO) can enforce password policies, audit policies, and software restrictions.
Security Templates: .inf files containing security settings that can be imported via the Security Configuration and Analysis snap-in or into a GPO. The predefined templates the exam names (e.g., securews.inf, hisecdc.inf) shipped with Windows XP and Windows Server 2003; current versions ship only defltbase.inf, so in practice you import a template you built yourself or one from Microsoft's security baselines. The 'Security Templates' snap-in allows custom templates.
Windows Defender Firewall with Advanced Security: Provides host-based firewall rules that can be configured via Group Policy or PowerShell (e.g., New-NetFirewallRule).
Windows Defender Antivirus: Built-in AV that should be kept enabled and updated. Group Policy can configure exclusions and cloud-delivered protection.
BitLocker Drive Encryption: Encrypts the entire volume to protect data at rest. By default it requires a TPM (Trusted Platform Module) to seal the volume key; the Group Policy setting 'Allow BitLocker without a compatible TPM' permits a startup key or password instead, but TPM-based protection is the expected configuration and the expected exam answer.
User Account Control (UAC): Prompts for consent or credentials when a program tries to make system changes. Should be set to 'Always Notify' for maximum security.
How Attackers Exploit Unhardened Systems
Attackers commonly exploit:
- Unnecessary services: Remote Desktop (TermService) listening on its default port 3389 and reachable from untrusted networks invites password guessing. Without Network Level Authentication (NLA) the server also processes session setup before the client authenticates, which is what pre-authentication RDP exploits such as BlueKeep rely on. The EternalBlue exploit (MS17-010) targeted the SMBv1 service.
- Default accounts: The built-in Administrator account, if not renamed, is a prime target for password spraying; it is also identifiable by its RID (500) even after renaming. The Guest account, if enabled, provides access without a password.
- Weak password policies: Without account lockout, attackers can guess passwords indefinitely. Without length and complexity requirements, passwords like 'Password123' are cracked quickly.
- Unpatched vulnerabilities: A missing patch for BlueKeep (CVE-2019-0708) in RDP allows unauthenticated remote code execution.
- Autorun/AutoPlay: Malware on USB drives can execute automatically if autorun is enabled.
Real Command/Tool Examples
- Disable a service via PowerShell: `Set-Service -Name Spooler -StartupType Disabled -Status Stopped`
- Rename the Administrator account via Group Policy: Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > 'Accounts: Rename administrator account'.
- Enable auditing via Group Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access > Audit File Share.
- Create a firewall rule that allows RDP only from a management subnet (the /24 is the scope, not a single host): `New-NetFirewallRule -DisplayName "RDP from Admin" -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress 192.168.1.0/24 -Action Allow`
- Enable BitLocker via PowerShell: `Enable-BitLocker -MountPoint "C:" -TpmProtector`
- Apply a security template: Open MMC > Add 'Security Configuration and Analysis' snap-in > Right-click 'Security Configuration and Analysis' > 'Open Database' > Import template (e.g., securews.inf) > 'Configure Computer Now'.
Summary
Windows hardening is a continuous process of reducing vulnerabilities by configuring the OS, user accounts, network services, and applications securely. The SY0-701 exam expects you to know specific tools (SCW, Group Policy, Security Templates), settings (password policies, account lockout, audit policies), and best practices (disable unnecessary services, rename default accounts, patch regularly). Understanding the attack vectors that hardening mitigates—such as brute-force, malware execution, and privilege escalation—is crucial for both the exam and real-world practice.
Assess the Current Configuration
Begin by evaluating the existing Windows system's configuration. Use tools like the Security Configuration and Analysis snap-in to compare the system against a baseline security template (e.g., 'securews.inf'). Run `gpresult /h gp.html` to review applied Group Policy settings. Check the Services console (services.msc) for unnecessary services that are running. Use `netstat -ano` (or `Get-NetTCPConnection -State Listen`) to list listening ports together with the owning process ID, so each open port can be tied to a service. Also, review the Local Security Policy (secpol.msc) for password and account lockout settings. This assessment identifies gaps between the current state and the desired hardened state. Common findings include the Print Spooler service running on a domain controller, the default Administrator account not renamed, and a password policy with no complexity requirement.
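The assessment above, collected into one read-only script. This is an added example, not code from the original page: it runs from an elevated PowerShell session on a member server or workstation, performs the checks listed (services, SMBv1, LLMNR, NetBIOS, built-in accounts, password policy, listening ports) and returns one object per finding so the output can be exported or compared with a baseline. It assumes English `net accounts` output, and the account checks use Get-LocalUser, which is not available on a domain controller (no local SAM).

```powershell
# Added example (not from the original page). Read-only hardening assessment;
# nothing here changes configuration. Run elevated. Assumes English 'net accounts'
# output; on a domain controller skip the local-account checks and query AD instead.

function Get-ListeningPorts {
    # Listening TCP sockets with owning process: the PowerShell form of 'netstat -ano'
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessName  = if ($proc) { $proc.ProcessName } else { 'unknown' }
            ProcessId    = $_.OwningProcess
        }
    } | Sort-Object LocalPort -Unique
}

function Test-HardeningBaseline {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Check, $Status, $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
    }

    # Services the chapter calls out as commonly unnecessary
    foreach ($name in 'Spooler', 'RemoteRegistry', 'TlntSvr', 'SSDPSRV', 'upnphost') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -eq 'Running') {
            Add-Finding "Service $name" 'REVIEW' "running, StartType=$($svc.StartType)"
        }
    }

    # SMBv1 on the server side
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Add-Finding 'SMBv1' $(if ($smb1) { 'FAIL' } else { 'PASS' }) "EnableSMB1Protocol=$smb1"

    # LLMNR: EnableMulticast=0 is what the GPO 'Turn off multicast name resolution' writes
    $llmnr = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ErrorAction SilentlyContinue).EnableMulticast
    Add-Finding 'LLMNR' $(if ($llmnr -eq 0) { 'PASS' } else { 'FAIL' }) "EnableMulticast=$llmnr (empty means not configured, so LLMNR is on)"

    # NetBIOS over TCP/IP per interface: NetbiosOptions 2 = disabled
    $nbtOn = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.NetbiosOptions -ne 2 }
    Add-Finding 'NetBIOS over TCP/IP' $(if ($nbtOn) { 'FAIL' } else { 'PASS' }) "$(@($nbtOn).Count) interface(s) still allow NetBT"

    # Built-in accounts are identified by RID, not by name: 500 = Administrator, 501 = Guest
    $users = Get-LocalUser
    $admin = $users | Where-Object { $_.SID.Value -like '*-500' }
    $guest = $users | Where-Object { $_.SID.Value -like '*-501' }
    Add-Finding 'Administrator renamed' $(if ($admin.Name -eq 'Administrator') { 'FAIL' } else { 'PASS' }) "RID 500 is '$($admin.Name)', Enabled=$($admin.Enabled)"
    Add-Finding 'Guest disabled' $(if ($guest.Enabled) { 'FAIL' } else { 'PASS' }) "Enabled=$($guest.Enabled)"

    # Effective password and lockout policy; 'net accounts' prints the resolved values
    $acct    = net accounts
    $minLen  = [int]((($acct | Select-String 'Minimum password length') -split ':')[1].Trim())
    $lockout = (($acct | Select-String 'Lockout threshold') -split ':')[1].Trim()
    Add-Finding 'Minimum password length' $(if ($minLen -ge 14) { 'PASS' } else { 'FAIL' }) "length=$minLen"
    Add-Finding 'Account lockout threshold' $(if ($lockout -eq 'Never') { 'FAIL' } else { 'PASS' }) "threshold=$lockout"

    # Listeners that usually need a firewall scope or removal: FTP, Telnet, RPC, NetBIOS, SMB, SQL, RDP, WinRM HTTP
    $watch = 21, 23, 135, 139, 445, 1433, 3389, 5985
    Get-ListeningPorts | Where-Object { $_.LocalPort -in $watch } | ForEach-Object {
        Add-Finding "Port $($_.LocalPort)" 'REVIEW' "$($_.ProcessName) (PID $($_.ProcessId)) on $($_.LocalAddress)"
    }

    return $findings
}

Test-HardeningBaseline | Format-Table -AutoSize
```

Checking the RID rather than the account name is the point of the account test: a renamed Administrator account still has RID 500, which is also why renaming alone (see the Mistake list later in this chapter) does not hide the account from an attacker who enumerates SIDs.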
Apply Security Templates and Baselines
Import and apply a security template that matches the system's role. The exam names the classic templates ('DC security.inf' for a domain controller, 'securews.inf' for a member server); those shipped with Windows Server 2003, so on current versions you import a template you built or one derived from Microsoft's security baselines instead. In a domain environment, use Group Policy Objects (GPOs) to enforce settings. For standalone systems, use the Security Configuration and Analysis snap-in: right-click 'Security Configuration and Analysis', select 'Open Database', import the template, then right-click and choose 'Configure Computer Now'. This applies settings like password complexity (minimum 14 characters, complexity enabled), account lockout (5 attempts, 30-minute lockout), and audit policies (audit logon events, audit object access). Verify with `secedit /analyze /db C:\temp\sec.sdb /cfg securews.inf /log C:\temp\sec.log`, then read the log for mismatches.
Disable Unnecessary Services and Features
Identify and disable services that are not required for the system's role. For example, on a web server, disable Print Spooler and Remote Registry; on workstations, also disable Windows Media Player Network Sharing Service and the Xbox Live services. Use the Services console (services.msc) or PowerShell: `Get-Service | Where-Object {$_.StartType -eq 'Automatic' -and $_.Status -eq 'Running'}` to list running services. Set each to 'Disabled' and stop it. Also remove Windows features via 'Turn Windows features on or off' (optionalfeatures.exe) such as 'Media Features', 'XPS Services', and 'Internet Printing Client'; on Windows Server use 'Remove Roles and Features' or `Uninstall-WindowsFeature`. For domain-joined systems, use Group Policy to disable services via Computer Configuration > Windows Settings > Security Settings > System Services. This reduces the attack surface by eliminating potential entry points.
Harden User Accounts and Authentication
Rename the built-in Administrator account using Group Policy or Local Security Policy (Security Options > 'Accounts: Rename administrator account'). Disable the Guest account. Enforce strong password policies: minimum 14 characters, complexity enabled, maximum password age 60 days, minimum password age 1 day. Enable account lockout: 5 invalid logon attempts, lockout duration 30 minutes. Implement User Account Control (UAC) set to 'Always Notify' (via Local Security Policy > Local Policies > Security Options). For domain environments, enforce these via the Default Domain Policy (account policies for domain accounts are only read from the domain root). Also restrict where the built-in Administrator account can be used: 'Deny access to this computer from the network' and 'Deny log on through Remote Desktop Services' keep it to console use without cutting off recovery access, which a blanket 'Deny log on locally' would do. Use `net user administrator /active:no` to disable the built-in admin if not needed, but prefer renaming.
Configure Firewall and Network Protections
Configure Windows Defender Firewall with Advanced Security to block all inbound traffic by default, then create allow rules only for necessary services. For example, allow RDP (TCP 3389) only from a specific management subnet. Disable LLMNR (UDP 5355) via Group Policy (Computer Configuration > Administrative Templates > Network > DNS Client > 'Turn off multicast name resolution'). Disable NetBIOS over TCP/IP (UDP 137-138, TCP 139) per adapter (Advanced TCP/IP Settings > WINS tab) or by setting NetbiosOptions to 2 under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces; there is no Group Policy setting for NetBIOS, so fleet-wide changes need a startup script or a DHCP scope option. Together these prevent name resolution poisoning (NBT-NS/LLMNR poisoning). Enable 'Prohibit installation and configuration of Network Bridge on your DNS domain network' via Group Policy. Also, disable SMBv1 via PowerShell: `Set-SmbServerConfiguration -EnableSMB1Protocol $false`. For remote management, use WinRM over HTTPS (TCP 5986) instead of HTTP (5985). Verify with `netsh advfirewall show currentprofile`.
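The network hardening steps above as one script. This is an added example, not code from the original page: it runs from an elevated PowerShell session on a single host, sets the firewall defaults, scopes RDP to a management subnet, requires NLA, disables SMBv1, LLMNR and NetBIOS, and prints the values to verify. The management subnet 10.10.50.0/24 is an assumption; change it first. Run it from the console or an out-of-band session, not over RDP, because the firewall default changes before the scoped RDP rule exists.

```powershell
# Added example (not from the original page). Single-host network hardening; run elevated,
# from a console or out-of-band session. $ManagementSubnet is an assumed value.
$ManagementSubnet = '10.10.50.0/24'

# 1. Host firewall on every profile: inbound blocked by default, outbound allowed.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Scope RDP: disable the built-in 'Remote Desktop' rule group (allows 3389 from anywhere)
#    and replace it with one rule limited to the management subnet on Domain/Private only.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
Get-NetFirewallRule -DisplayName 'RDP from management subnet' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP from management subnet' -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -RemoteAddress $ManagementSubnet -Action Allow -Profile Domain, Private | Out-Null

# 3. Require Network Level Authentication so the RDP stack does nothing before the client authenticates.
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name UserAuthenticationRequired -Value 1 -Type DWord

# 4. SMBv1 off at the server and the component removed (-Force skips the confirmation prompt).
#    On Windows Server the feature can also be removed with: Uninstall-WindowsFeature -Name FS-SMB1
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null

# 5. LLMNR off: the same value the GPO 'Turn off multicast name resolution' writes.
$dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
New-Item -Path $dnsPolicy -Force | Out-Null
Set-ItemProperty -Path $dnsPolicy -Name EnableMulticast -Value 0 -Type DWord

# 6. NetBIOS over TCP/IP off on every interface (NetbiosOptions: 0 = follow DHCP, 1 = on, 2 = off).
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' | ForEach-Object {
    Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
}

# 7. Verify: expect Block on all three profiles, EnableSMB1Protocol False, EnableMulticast 0,
#    and the RDP rule's RemoteAddress equal to $ManagementSubnet.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-ItemProperty -Path $dnsPolicy -Name EnableMulticast | Select-Object EnableMulticast
Get-NetFirewallRule -DisplayName 'RDP from management subnet' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Steps 5 and 6 write the registry directly, which is what the scenario in the section needs for a standalone host; in a domain, put the LLMNR setting in a GPO and the NetBIOS change in a startup script so the values are re-asserted at each refresh rather than set once.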
Apply Application Control and Patch Management
Implement AppLocker or Software Restriction Policies to control which applications can execute. For example, create rules to allow execution only from 'Program Files' and 'Windows' directories, and deny everything else. Enable Windows Defender Antivirus with real-time protection and cloud-delivered protection. Configure Windows Update to automatically install updates (or use WSUS in enterprise). For critical vulnerabilities, apply patches manually via Microsoft Update Catalog. Use `Get-HotFix` to list installed updates. Also, enable Windows Defender Exploit Guard (Attack Surface Reduction rules) to block common malware behaviors like Office apps creating child processes. This prevents execution of unauthorized software and mitigates zero-day exploits.
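The application control and patch steps above as one script. This is an added example, not code from the original page: it builds an AppLocker policy from what is actually installed under Program Files and Windows, deploys it in audit mode first, enables the Defender ASR rule that blocks Office child processes, and lists the newest installed updates. It assumes an elevated session on an edition that enforces AppLocker (Enterprise, Education, or Windows Server), and the output path C:\Hardening is an assumption.

```powershell
# Added example (not from the original page). Run elevated on Enterprise/Education/Server.
# $PolicyPath is an assumed location. Scanning C:\Windows recursively takes several minutes.
$PolicyPath = 'C:\Hardening\applocker-audit.xml'
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null

# 1. Build allow rules from installed software: publisher rules for signed files, hash rules for
#    the rest. -Optimize merges rules that share a publisher. Nothing outside these trees is allowed,
#    so the policy also restricts administrators; add an explicit Administrators allow rule before
#    switching to enforcement if that is not the intent.
$dirs  = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$files = foreach ($d in $dirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Script, WindowsInstaller
}
$xml = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
    -Optimize -IgnoreMissingFileInformation -Xml

# 2. Every rule collection starts as NotConfigured; set AuditOnly so blocked executions are only
#    logged (event 8003 in Microsoft-Windows-AppLocker/EXE and DLL). Flip to Enabled after the
#    audit log shows nothing legitimate being blocked.
$xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"' |
    Out-File -FilePath $PolicyPath -Encoding utf8

# 3. Apply locally (in a domain, Set-AppLockerPolicy -Ldap targets a GPO instead) and make sure the
#    Application Identity service, which AppLocker depends on, starts automatically.
Set-AppLockerPolicy -XmlPolicy $PolicyPath
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 4. Dry-run a file against the policy. Copy a binary into a user-writable folder to confirm
#    it would be denied there; the file must exist so its hash and signature can be read.
Copy-Item 'C:\Windows\System32\notepad.exe' "$env:PUBLIC\notepad-copy.exe"
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path "$env:PUBLIC\notepad-copy.exe" -User Everyone
Remove-Item "$env:PUBLIC\notepad-copy.exe"

# 5. Defender: real-time and cloud-delivered protection on, plus the ASR rule
#    'Block all Office applications from creating child processes'.
Set-MpPreference -DisableRealtimeMonitoring $false -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples
$asrOfficeChildProcess = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrOfficeChildProcess `
    -AttackSurfaceReductionRules_Actions Enabled

# 6. Patch status: the newest installed updates, to compare against the current monthly release.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn
```

The test in step 4 is the check worth keeping: a publisher rule generated from notepad.exe under C:\Windows will still match the copy (same signature), which is exactly the difference between publisher and path rules that the AppLocker comparison later in this chapter describes. If you want the copy denied, generate path rules for the Windows tree instead, or accept that signed Microsoft binaries are allowed wherever they sit.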
Scenario 1: Server Hardening After a Ransomware Attack
A medium-sized company suffered a ransomware attack that encrypted their file server. The investigation revealed the attacker gained access via an unpatched SMBv1 vulnerability (EternalBlue) and then used the default Administrator account to spread laterally. The security team hardened the server: they disabled SMBv1 using Set-SmbServerConfiguration -EnableSMB1Protocol $false, renamed the local Administrator account via Group Policy, and applied the latest security patches from the Microsoft Update Catalog. They also configured Windows Defender Firewall to block inbound SMB traffic from anything outside the trusted subnet and configured account lockout after 5 failed attempts. The mistake they initially made was assuming the default Windows Firewall rules were sufficient, but they had allowed SMB from any IP for legacy compatibility. Post-hardening, they ran a vulnerability scan with Nessus, which showed the 12 critical findings reduced to 2 remaining findings, both low severity. The correct response included isolating the server, applying patches, and enforcing least privilege.
Scenario 2: Workstation Hardening for Remote Workers
A company deployed laptops to remote employees without hardening. An employee's laptop was infected with malware that spread via AutoPlay from a USB drive. The malware exfiltrated data to a command-and-control server. The security team hardened all laptops: they disabled AutoPlay via Group Policy (Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies > 'Turn off AutoPlay'), enabled BitLocker encryption with TPM protector, and enforced AppLocker rules to only allow execution from trusted directories. They also configured Windows Defender Firewall to block all inbound connections and enabled 'Windows Defender Exploit Guard' with ASR rules to block Office apps from creating child processes. The common mistake was that they initially only enabled Windows Defender Antivirus but left AutoPlay enabled, allowing the initial infection. The team used Microsoft Defender for Endpoint to detect the malware and then applied the hardening via Intune for remote devices. The correct response involved a full scan, removal, and then applying the hardening policies.
Scenario 3: Domain Controller Hardening Audit
A security auditor reviewed a company's domain controllers and member servers and found several issues: the built-in Administrator account was not renamed, the domain Guest account was disabled in AD but the local Guest account was still enabled on the member servers sampled (a domain controller has no local SAM, so the finding applied to the members), and the password policy allowed 8-character passwords. The auditor recommended hardening: rename the Administrator account, disable the Guest account via Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > 'Accounts: Guest account status'), and increase the minimum password length to 14 characters. They also suggested enabling advanced audit policies (e.g., Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations) so that Kerberos abuse such as golden ticket use leaves a trail. The mistake the company made was relying solely on domain-level policies but not applying them to local accounts. The correct response was to create GPOs linked to the Domain Controllers OU and the server OUs that enforced these settings. The auditor verified with gpresult /h and secedit /analyze.
What SY0-701 Tests on This Objective
Objective 4.1 (Security Operations) includes 'Hardening' as a key concept. The exam specifically tests:
- Disabling unnecessary services: You must know which services are commonly targeted (e.g., Print Spooler, SMBv1, RDP, LLMNR, NetBIOS). The exam may present a scenario where a service is not needed and ask what to do (disable it).
- User account hardening: Renaming default accounts, disabling Guest, enforcing password policies (complexity, length, history), and account lockout. The exam loves questions about the built-in Administrator account and Guest account.
- Network hardening: Host-based firewall rules, disabling protocols like SMBv1, NetBIOS, LLMNR. Know that Windows Firewall can be configured via Group Policy or PowerShell.
- Application control: AppLocker vs. Software Restriction Policies. Know that AppLocker is more granular and available in Enterprise/Education editions and on Windows Server.
- Registry hardening: Disabling AutoPlay, restricting anonymous access (RestrictAnonymous).
- Tools: Security Configuration Wizard (SCW), Security Templates, Group Policy, Local Security Policy (secpol.msc).
Common Wrong Answers and Why
1. 'Enable SMBv1 for compatibility': Many candidates think legacy compatibility is more important than security. The exam will test that SMBv1 should be disabled due to vulnerabilities like EternalBlue.
2. 'Use the Guest account for temporary access': The Guest account should be disabled, not used. Candidates confuse it with a temporary user account.
3. 'Set password expiration to 0 days (never expires)': While sometimes used for service accounts, the exam expects passwords to expire periodically (e.g., 60 days) for user accounts.
4. 'Disable UAC entirely': UAC should be enabled at maximum level. Disabling it reduces security.
Specific Terms and Values
- Ports: TCP 3389 (RDP), TCP 445 (SMB), UDP 137-138 (NetBIOS), TCP 139 (NetBIOS session), UDP 5355 (LLMNR).
- Services: Spooler (Print Spooler), Remote Registry, Telnet, TFTP.
- Tools: SCW, Group Policy Management Console (GPMC), secpol.msc, Security Templates, AppLocker.
- Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun.
Trick Questions
- 'Which tool should you use to apply security settings to multiple computers?' Answer: Group Policy (not Local Security Policy, which is for a single system).
- 'You need to prevent users from running unauthorized software. What should you use?' Answer: AppLocker (not Windows Defender Firewall).
- 'A server is vulnerable to EternalBlue. What should you disable?' Answer: SMBv1 (not SMBv2 or SMBv3).
Decision Rule for Eliminating Wrong Answers
On scenario questions, ask: 'Does this option reduce the attack surface?' If it enables something (e.g., enables a service, allows more access), it's likely wrong. If it restricts or disables, it's likely correct. Also, if an option suggests using a default account (Guest, Administrator), it's almost always wrong. Finally, if the option involves a tool that is not appropriate for the scope (e.g., using Local Security Policy for 100 computers), eliminate it.
Hardening reduces the attack surface by disabling unnecessary services, closing unused ports, and enforcing security policies.
The built-in Administrator account should be renamed and the Guest account disabled.
Password policies must enforce complexity, minimum length (14+ characters), and account lockout after a small number of failed attempts.
SMBv1, NetBIOS, and LLMNR should be disabled to prevent common network attacks like EternalBlue and NBT-NS poisoning.
AppLocker provides more granular application control than Software Restriction Policies and is available in Enterprise/Education editions.
Security Configuration Wizard (SCW) creates role-based security policies for Windows Server.
Security templates (.inf files) can be applied via the Security Configuration and Analysis snap-in or Group Policy.
Windows Defender Firewall can block inbound and outbound traffic and should be configured to allow only necessary ports from specific IPs.
AutoPlay and AutoRun should be disabled via Group Policy or registry to prevent malware spreading from removable media.
BitLocker Drive Encryption protects data at rest; by default it requires a TPM for secure key storage, and the exam expects the TPM-based configuration.
User Account Control (UAC) should be set to 'Always Notify' to prevent unauthorized system changes.
Patch management is critical; prioritize patches for critical vulnerabilities like PrintNightmare and BlueKeep.
These come up on the exam all the time. Here's how to tell them apart.
AppLocker
Available in Windows Enterprise and Education editions and on Windows Server
Supports rules based on publisher, path, hash, and file attributes
More granular control (e.g., allow only signed executables from specific publishers)
Can enforce rules for executables, scripts, Windows Installer files, and packaged apps
Managed via Group Policy or Local Security Policy (secpol.msc)
Software Restriction Policies (SRP)
Available in all Windows editions (including Pro)
Supports rules based on certificate, hash, path, and network zone (Internet, Intranet, etc.)
Less granular; certificate rules match only the signing certificate, with none of the product name and version matching that AppLocker publisher rules provide
Covers executables, scripts, and Windows Installer files through its designated file types list, but not packaged (Store) apps
Managed via Group Policy or Local Security Policy (secpol.msc)
Local Security Policy (secpol.msc)
Used for standalone computers not in a domain
Settings apply only to the local machine
Cannot be centrally managed or deployed to multiple systems
Accessed via secpol.msc (for security settings) or gpedit.msc (for all settings)
Covers Account Policies, Local Policies (audit, user rights, security options), Windows Defender Firewall, Public Key Policies, Software Restriction Policies, Application Control Policies (AppLocker), and Advanced Audit Policy Configuration; a domain GPO that sets the same item wins over the local value
Group Policy (gpedit.msc / GPMC)
Used in Active Directory domain environments
Settings apply to all computers in a GPO's scope (OU, domain, site)
Centrally managed via Group Policy Management Console (GPMC)
Accessed via gpedit.msc for local group policy or GPMC for domain GPOs
Covers a wider range of settings including software installation, folder redirection, and scripts
Mistake
Hardening is a one-time setup that never needs updating.
Correct
Hardening is an ongoing process. New vulnerabilities emerge (e.g., PrintNightmare), and system roles change. Regular audits and patch management are required to maintain a hardened state. The SY0-701 exam emphasizes continuous monitoring and updating.
Mistake
Disabling all services is the best way to secure a system.
Correct
Disabling necessary services can break functionality. The goal is to disable only services that are not required for the system's role. For example, a web server needs the World Wide Web Publishing Service (W3SVC), but not the Print Spooler. Over-hardening can lead to denial of service.
Mistake
Renaming the Administrator account is sufficient to secure it.
Correct
Renaming helps but does not prevent brute-force attacks if the account is still enabled. Additional measures like account lockout, strong passwords, and restricting logon rights are necessary. The exam tests that renaming is just one step.
Mistake
Windows Firewall is only for blocking inbound traffic from the internet.
Correct
Windows Firewall can block both inbound and outbound traffic, and can be configured per profile (Domain, Private, Public). It can also block traffic between internal systems. The exam expects you to know it can be used for host-based segmentation.
Mistake
Security templates apply automatically without any action.
Correct
Security templates must be imported and applied using the Security Configuration and Analysis snap-in or via Group Policy. Simply having the .inf file does nothing. The exam may test the steps to apply a template.
To disable SMBv1, run PowerShell as Administrator and execute `Set-SmbServerConfiguration -EnableSMB1Protocol $false` (add `-Force` to skip the confirmation prompt). Then verify with `Get-SmbServerConfiguration | Select EnableSMB1Protocol`. You can also remove the component: on Windows client, open 'Turn Windows features on or off' and uncheck 'SMB 1.0/CIFS File Sharing Support'; on Windows Server, run `Uninstall-WindowsFeature -Name FS-SMB1`. For the exam, remember that SMBv1 is vulnerable to EternalBlue and should be disabled unless legacy compatibility is absolutely required.
AppLocker is more granular and supports rules based on publisher (digital signature, optionally narrowed to product name, file name, and version), path, and hash. It can control executables, scripts, Windows Installer files, packaged apps, and DLLs. Software Restriction Policies (SRP) are older and less granular, supporting certificate, hash, path, and network zone rules, and cannot control packaged apps. AppLocker is available in Windows Enterprise and Education editions and on Windows Server, while SRP is available in all editions. For the exam, know that AppLocker is preferred for application control in enterprise environments.
Open Group Policy Management Console, create or edit a GPO, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options, and set 'Accounts: Rename administrator account' to a new name like 'SecAdmin'. This applies to all computers in the GPO's scope. For a standalone computer, use Local Security Policy (secpol.msc) and the same setting. The exam tests that renaming helps obscure the account but does not replace other protections like strong passwords.
Common ports to restrict include TCP 3389 (RDP), which should be allowed only from specific management IPs, and TCP 445 (SMB), which should be allowed only from trusted subnets. UDP 137-138 and TCP 139 (NetBIOS) and UDP 5355 (LLMNR) should be disabled entirely. Also block TCP 23 (Telnet), TCP 21 (FTP), and TCP 1433 (SQL Server) if not needed. Use Windows Firewall with Advanced Security with a default inbound action of Block and create inbound allow rules only for the necessary ports. For the exam, remember that disabling NetBIOS and LLMNR prevents name resolution poisoning attacks.
For domain-joined computers, import the security template into a Group Policy Object (GPO) via the Security Settings extension. Navigate to Computer Configuration > Windows Settings > Security Settings, right-click 'Security Settings', and select 'Import Policy' to load the .inf file. Then link the GPO to the relevant OU. For standalone computers, use the Security Configuration and Analysis snap-in: open a database, import the template, and configure the computer. The exam may ask about using Group Policy for centralized deployment.
The Security Configuration Wizard (SCW) is a tool for Windows Server 2003 SP1 through Windows Server 2012 R2 that creates a security policy based on the server's role (e.g., file server, DNS server, Active Directory). It disables unnecessary services, configures firewall rules, and sets registry values. The policy can be applied via Group Policy or the SCW command-line tool (scwcmd). SCW was removed in Windows Server 2016; the current equivalent is deploying Microsoft's security baselines (Security Compliance Toolkit) via Group Policy. The exam expects you to know that SCW is role-based and reduces the attack surface for servers.
Navigate to Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies. Enable 'Turn off AutoPlay' and set it to 'All drives'. Also enable 'Set the default behavior for AutoRun' and choose 'Do not execute any autorun commands'. These settings write the NoDriveTypeAutoRun (0xFF) and NoAutorun (1) values under the Policies\Explorer registry key listed earlier, which is how the same result is achieved on a standalone machine. This prevents malware from spreading via USB drives. For the exam, remember that AutoPlay is a common vector for malware and should be disabled in hardened environments.