How to complete Windows 2016 Hardening in 5 minutes

Refer to the tutorial below on how to complete Windows 2016 Hardening in 5 Minutes

Preparation of Windows 2016 Server

Preparation of Security Template

  1. Open MMC and go to file – Add/Remove Snap-In to add Security Template
  2. Create a New Security Template by right click on C:\Users\Administrator\Documents\Security\Template – New Template

How to complete Windows 2016 Hardening in 5 minutes

The following policies are available

  • Account Policies – Password, Account Lockout & Kerberos Policy
  • Local Policies – Audit Policy, User Right Assignment & Security Options
  • Event Log & System Services (Startup Mode)

Configure the Account & Local Policies based on CIS Benchmark and save the Security Template in C:\CIS\CIS-WINSRV.inf

Preparation of Advanced Audit Policy

Open Local Group Policy Editor with gpedit.msc and go to Computer Configuration – Windows Settings – Security Settings – Advanced Audit Policy Configuration – System Audit Policies

Configure the System Audit Policies based on CIS Benchmark and Export it to C:\CIS\CIS-WINSRV.csv

Customize Administrative Templates

  1. Download Windows 10 Version 1607 and Windows Server 2016 Security Baseline.zip and extract it to C:\Temp

  2. Copy the Customize Administrative Templates to C:\CIS

  • MSS-Legacy
  • AdmPwdLocal Administrator Password Solution
  • SecGuide – GPO Setting for SCM: Pass the Hash Mitigation Group
# Copy 
Copy-Item -Recurse C:\Temp\Windows-10-RS1-and-Server-2016-Security-Baseline\Templates\*  C:\CIS\

Group Policy for Machines & Users

  1. Download LGPO.zip & LAPS x64.msi and export it to C:\CIS

  2. Open Local Group Policy Editor with gpedit.msc and configure the GPO based on CIS Benchmark

  3. Export the configured GPO to C:\Temp

#Export existing Local GPO , /b specify the path for the exported GPO setting, /n for notes only
LGPO.exe /b c:\Temp /n "CIS"

LGPO.exe v2.2 - Local Group Policy Object utility
Creating LGPO backup in "c:\Temp\{B2D69F1D-DA2B-469F-B4BC-F07C5C712D43}"
  1. Parse the machine & user pol files to TXT and copy it to C:\CIS for reference
#Parse Machine Setting 
LGPO.exe /parse /m C:\Temp\{B2D69F1D-DA2B-469F-B4BC-F07C5C712D43}\DomainSysvol\GPO\Machine\registry.pol > C:\Temp\Machine.txt

LGPO.exe v2.2 - Local Group Policy Object utility
Parse machine registry.pol: C:\Temp\{B2D69F1D-DA2B-469F-B4BC-F07C5C712D43}\DomainSysvol\GPO\Machine\registry.pol

#Parse User Setting
LGPO.exe /parse /u C:\Temp\{B2D69F1D-DA2B-469F-B4BC-F07C5C712D43}\DomainSysvol\GPO\Machine\registry.pol > C:\Temp\User.txt

LGPO.exe v2.2 - Local Group Policy Object utility
Parse machine registry.pol: C:\Temp\{B2D69F1D-DA2B-469F-B4BC-F07C5C712D43}\DomainSysvol\GPO\User\registry.pol

#Copy to C:\CIS
Copy-Item C:\Temp\Machine.txt C:\CIS\Machine.txt
Copy-Item C:\Temp\User.txt C:\CIS\User.txt
  1. Copy the machine & user pol files to C:\CIS
Copy-Item "C:\Temp{B2D69F1D-DA2B-469F-B4BC-F07C5C712D43}\DomainSysvol\GPO\Machine\registry.pol" "C:\CIS\machine.pol"
Copy-Item "C:\Temp{B2D69F1D-DA2B-469F-B4BC-F07C5C712D43}\DomainSysvol\GPO\User\registry.pol" "C:\CIS\user.pol"
  1. The following files are prepared in C:\CIS

Preparation of Installation Script

  1. Prep.ps1 – Copy Customize Administrative Templates to C:\Windows\PolicyDefinitions and install LAPSx64.msi silently
#Copy ADMX & ADML File to %SystemRoot%\PolicyDefination
Get-ChildItem -Path C:\CIS | ? Name -like "*.admx" | ForEach-Object {Copy-Item C:\CIS\$_ -Destination C:\Windows\PolicyDefinitions}
Get-ChildItem -Path C:\CIS | ? Name -like "*.adml" | ForEach-Object {Copy-Item C:\CIS\$_ -Destination C:\Windows\PolicyDefinitions\en-US}

#Silent Install LAPS 
msiexec.exe /i C:\CIS\LAPS.x64.msi /quiet
  1. Install.bat – to apply the Security, Advance Audit, Machine & User GPO policies
@echo off
C:\CIS\LGPO.exe /s C:\CIS\CIS-WINSRV.inf
C:\CIS\LGPO.exe /ac C:\CIS\CIS-WINSRV.csv
C:\CIS\LGPO.exe /m C:\CIS\Machine.pol
C:\CIS\LGPO.exe /u C:\CIS\user.pol

Local Administrator will be renamed to myadmin

Logoff and login with myadmin to continue

  1. Firewall.ps1 – Allow incoming connection for identified ports

Allow RDP (Port 3389) and ICMP / Ping

#Change RDP Ports
Set-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)" -Enabled True
Set-NetFirewallRule -DisplayName "Remote Desktop - User Mode (UDP-In)" -Enabled True

#Allow Ping Response for IPv4 - Optional 
New-NetFirewallRule -DisplayName "Allow inbound ICMPv4" -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -Action Allow

Allow File Sharing & WMI (TCP 135,139 & 445) – Optional

#File Sharing - Optional 
Set-NetFirewallRule -DisplayGroup "File And Printer Sharing" -Enabled True
Set-NetFirewallRule -Displaygroup "Windows Management Instrumentation (WMI)" -Enabled True
  1. PostInstall.ps1 – Additional Registry settings for CIS Compliance
#Disable Online Tips
$RegPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
$OnlineTips = "AllowOnlineTips"
New-ItemProperty -Path $RegPath -Name $OnlineTips -Value "0" -PropertyType DWord

#Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')
$NodeType = "NodeType"
$RegPathNodeType = "HKLM:\System\CurrentControlSet\Services\NetBT\Parameters"
New-ItemProperty -Path $RegPathNodeType -Name NodeType -Value "0x2" -PropertyType DWord

#Remote host allows delegation of non-exportable credentials' is set to 'Enabled
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows"
$CredentialDelegation = "CredentialsDelegation"
New-Item -Path $RegPath -Name $CredentialDelegation
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -Name AllowProtectedCreds -Value "1" -PropertyType DWord

#Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection"
$DisableAuthProxy = "DisableEnterpriseAuthProxy"
New-ItemProperty -Path $RegPath -Name $DisableAuthProxy -Value "1" -PropertyType DWord

#Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' (Scored)
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\"
$Messaging = "Messaging"
New-Item -Path $RegPath -Name $Messaging
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging -Name AllowMessageSync -Value "0" -PropertyType DWord

#Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\"
$MicrosoftAccount = "MicrosoftAccount"
New-Item -Path $RegPath -Name $MicrosoftAccount
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount -Name DisableUserAuth -Value "1" -PropertyType DWord

#Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\"
$WindowsSearch = "Windows Search"
New-Item -Path $RegPath -Name $WindowsSearch
New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' -Name AllowCloudSearch -Value "0" -PropertyType Dword
  1. Hardening.reg – To disable insecure DES, 3DES, and RC4 Chiphers, TLS 1.0, TLS 1.1, SSL 3.0 and enable TLS 1.2

How to complete Windows 2016 Hardening in 5 minutes

Login to the Windows 2016 Server, and run the following script

All the sources files can be downloaded from CIS.zip

Open PowerShell with Administrator Right

  1. Prep.ps1
  2. Install.bat
  3. Firewall.ps1
  4. PostInstall.ps1
  5. Hardening.reg

Reboot the Windows 2016 Server

Verification with Nessus Scanner

Refer to How to Setup Tenable Core + Nessus on VMware ESXito prepare Nessus Scanner

Prerequisite

  1. The following Firewall ports are required to be opened in the Windows 2016 Server

Replace the IP Address with the IP Address of Nessus Scanner

#File and Printer Sharing (SMB-In) - TCP 135
Set-NetFirewallRule -DisplayName "Windows Management Instrumentation (WMI-In)" -Direction Inbound -RemoteAddress 192.168.1.126/32 -Action Allow -Enabled True

# File and Printer Sharing (NB-Session-In) - TCP 139
Set-NetFirewallRule -DisplayName "File and Printer Sharing (NB-Session-In)" -Direction Inbound -RemoteAddress 192.168.1.126/32 -Action Allow -Enabled True

#TCP 445- File and Printer Sharing (SMB-In)
Set-NetFirewallRule -DisplayName "File and Printer Sharing (SMB-In)" -Direction Inbound -RemoteAddress 192.168.1.126/32 -Action Allow -Enabled True
  1. Credential for Local Administrator (myadmin)
  2. Ensure that install EndPoint, like Symantec IPS is NOT filtering the Scanning performed by Nessus Scanner

Result of Vulnerability

There should be only 1 x Medium Severity mentione that SSL Certificate Cannot Be Trusted as the CA Certificated is issued by our Internal Microsoft CA.

Refer to Fixes for Vulnerabilities Detected by Nessus Scanner to resolve other vulnerabilities (if any)

Result of CIS Compliance

Notes

  • It is NOT recommended to disable IPv6
  • Removed Local Account from Deny Access this computer from the network & Deny log on through Remote Desktop Service
  • Do NOT disabled the local Administrator Account
  • User Account Control : Admin Approval mode for Build-In Administrator is NOT enabled as accessible to C$ is required for Nessus Pro Scanning
  • C$ is NOT accessible with UAC enabled even with the correct username & password
C:\Users\admin>net use T: \\192.168.1.127\c$ /user:admin XXXXXXXXXXXXXXXX
System error 5 has occurred.
Access is denied.

We had completed the Hardening for standalone Windows 2016 Server.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top