This is the final lesson of the course, and it is where everything comes together. You have learned how Windows works, how attackers exploit it, and how to detect their activities. Now you will learn how to build comprehensive defenses: hardening Windows systems against the attacks you now understand intimately.
Defense in depth is the guiding principle: no single control is sufficient. You must layer multiple security measures so that if one fails, others continue to protect the organization.
Hardening is the process of reducing the attack surface by disabling unnecessary features, configuring security controls, and applying the principle of least privilege. Every service running, every port open, every permission granted, and every account enabled is a potential attack vector.
Key hardening principles:
Since authentication is the gateway to the system, account security is the first line of defense:
```powershell
# === DISABLE DEFAULT ACCOUNTS ===
# Disable the built-in Administrator account (RID 500)
Disable-LocalUser -Name "Administrator"
# Disable the Guest account
Disable-LocalUser -Name "Guest"
# Rename the Administrator account (security through obscurity, but still recommended)
Rename-LocalUser -Name "Administrator" -NewName "SysAdmin_Reserved"

# === PASSWORD POLICY ===
# Set a strong password policy via Group Policy or local security policy
# Recommended: minimum 14 characters, complexity enabled, maximum age 90 days
net accounts /minpwlen:14 /maxpwage:90 /minpwage:1 /uniquepw:24

# === ACCOUNT LOCKOUT POLICY ===
# Lock accounts for 30 minutes after 5 failed attempts within a 30-minute window
net accounts /lockoutthreshold:5 /lockoutwindow:30 /lockoutduration:30

# === SERVICE ACCOUNT BEST PRACTICES ===
# Create a Group Managed Service Account (gMSA)
# gMSAs rotate their passwords automatically, so there is no manual management
# (single quotes keep the trailing $ of the computer account name literal)
New-ADServiceAccount -Name "gMSA_AppService" `
    -DNSHostName "gMSA_AppService.corp.local" `
    -PrincipalsAllowedToRetrieveManagedPassword 'AppServer01$'
# Install the gMSA on the target server
Install-ADServiceAccount -Identity "gMSA_AppService"
# Configure a service to use the gMSA
# The password field is left blank; AD manages it automatically
# (sc.exe needs a space after each "option=", and a gMSA is a domain account, so it is
# referenced as DOMAIN\name$ rather than .\name$; CORP stands for the corp.local domain)
sc.exe config "MyAppService" obj= 'CORP\gMSA_AppService$' password= ""

# === PROTECTED USERS GROUP ===
# Add high-value accounts to the Protected Users security group
# This enforces: no NTLM, no cached credentials, no DES/RC4, shorter ticket lifetime
Add-ADGroupMember -Identity "Protected Users" -Members "admin_jane","admin_john"

# === MARK SENSITIVE ACCOUNTS ===
# Prevent delegation of sensitive accounts
Set-ADUser -Identity "admin_jane" -AccountNotDelegated $true
```

⚠️ Never use Domain Admin or Enterprise Admin accounts as service accounts. If the service is compromised, the attacker gains full domain control. Always use gMSAs or dedicated service accounts with minimal privileges. Also, never add service accounts to the Protected Users group: it will break their authentication (no NTLM, no cached credentials).
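The warning above is easy to state and hard to verify by hand. The following is an added example (not part of the course material) that audits which accounts actually run services on a set of servers and flags both mistakes: privileged accounts running services, and service accounts placed in Protected Users. It assumes the ActiveDirectory module and CIM access to the listed servers.

```powershell
Import-Module ActiveDirectory

function Get-ServiceAccountRisk {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Recursive membership of the groups that must never run a service.
    $privileged = @{}
    foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $privileged[$_.SamAccountName.ToLower()] = $group }
    }
    # Protected Users forbids NTLM and cached logons, which breaks service accounts.
    $protected = @{}
    Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $protected[$_.SamAccountName.ToLower()] = $true }

    foreach ($computer in $ComputerName) {
        Get-CimInstance -ClassName Win32_Service -ComputerName $computer |
            Where-Object { $_.StartName -and
                           $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' } |
            ForEach-Object {
                # StartName is DOMAIN\user, user@domain or .\localuser; keep the sAMAccountName.
                # gMSA names keep their trailing $, matching what Get-ADGroupMember returns.
                $sam = if ($_.StartName -like '*@*') { ($_.StartName -split '@')[0] }
                       else { ($_.StartName -split '\\')[-1] }
                $sam = $sam.ToLower()

                $findings = @()
                if ($privileged.ContainsKey($sam)) { $findings += "member of $($privileged[$sam])" }
                if ($protected.ContainsKey($sam))  { $findings += 'in Protected Users (NTLM/cached logon will fail)' }
                if ($sam -notlike '*$')            { $findings += 'not a gMSA (password is managed by hand)' }

                [pscustomobject]@{
                    Computer = $computer
                    Service  = $_.Name
                    Account  = $_.StartName
                    State    = $_.State
                    Findings = $findings -join '; '
                }
            }
    }
}

# Show only services that need attention; drop the Where-Object to see every service.
Get-ServiceAccountRisk | Where-Object Findings | Format-Table -AutoSize -Wrap
```

Pass `-ComputerName` a list of servers to audit an entire tier in one run.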
Protecting credentials is the single most important defensive priority. Implement these controls to defend against the credential attacks you learned about in Lesson 2:
```powershell
# === ENABLE LSA PROTECTION (RunAsPPL) ===
# Prevents non-protected processes from accessing LSASS memory
# This blocks Mimikatz credential dumping (unless the attacker loads a driver)
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name "RunAsPPL" -Value 1 -PropertyType DWord -Force

# === ENABLE CREDENTIAL GUARD ===
# Uses virtualization-based security to isolate LSASS
# Requires UEFI, Secure Boot, and VT-x/AMD-V
# Enable via Group Policy or DSC:
#   Computer Config > Admin Templates > System > Device Guard
# Or via the registry:
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" `
    -Name "EnableVirtualizationBasedSecurity" -Value 1 -PropertyType DWord -Force
# 1 = require Secure Boot, 3 = require Secure Boot and DMA protection
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" `
    -Name "RequirePlatformSecurityFeatures" -Value 1 -PropertyType DWord -Force
# 1 = Credential Guard enabled with UEFI lock, 2 = enabled without lock
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name "LsaCfgFlags" -Value 1 -PropertyType DWord -Force

# === DISABLE NTLM (OR RESTRICT IT) ===
# NTLM is the weakest authentication protocol still in use
# Via Group Policy: Computer Config > Windows Settings > Security Settings >
#   Local Policies > Security Options > Network security: Restrict NTLM
# Audit first (2 = audit all accounts), then restrict once the audit log is clean:
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" `
    -Name "AuditReceivingNTLMTraffic" -Value 2 -PropertyType DWord -Force

# === DISABLE LM HASH STORAGE ===
# Ensure LM hashes are not stored (the default on modern Windows)
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name "NoLMHash" -Value 1 -PropertyType DWord -Force

# === REDUCE CACHED CREDENTIALS ===
# Minimize the number of cached domain logons (REG_SZ value; Windows defaults to 10)
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" `
    -Name "CachedLogonsCount" -Value "2" -PropertyType String -Force

# === ENABLE RESTRICTED ADMIN MODE FOR RDP ===
# Prevents credentials from being sent to the remote server during RDP
# (0 = Restricted Admin allowed; the remote session then holds no reusable
# credentials, so it cannot make onward authenticated connections)
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name "DisableRestrictedAdmin" -Value 0 -PropertyType DWord -Force
```

💡 Credential Guard is the most effective defense against credential dumping, but it has requirements: UEFI firmware, Secure Boot, virtualization extensions (VT-x/AMD-V), and compatible drivers. Test thoroughly before deploying to production. Some legacy applications may not work with Credential Guard enabled.
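"Audit first, then restrict" only works if someone reads the audit. This added example (not part of the course material) summarises the events that the NTLM audit setting above writes to the Microsoft-Windows-NTLM/Operational log, so the remaining NTLM users are known before the policy is switched to deny. The field labels it matches in the message text (Workstation name, Calling process name, and so on) are assumed from the event descriptions; anything that does not match is reported as "unknown" rather than dropped.

```powershell
function Get-NtlmAuditSummary {
    param([int]$Hours = 24)

    # 8001 = outgoing NTLM from this host, 8002 = incoming NTLM to this host,
    # 8003/8004 = domain NTLM audit/block events written on domain controllers.
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    if ($events.Count -eq 0) {
        Write-Warning 'No NTLM audit events found; confirm AuditReceivingNTLMTraffic is set.'
        return
    }

    # Pull one labelled field out of the message body, or "unknown" if the label is absent.
    function Get-Field([string]$Message, [string]$Label) {
        if ($Message -match "(?m)^\s*$Label\s*:\s*(\S.*?)\s*$") { $Matches[1] } else { 'unknown' }
    }

    $events | ForEach-Object {
        [pscustomobject]@{
            EventId = $_.Id
            Account = (Get-Field $_.Message '(?:Client )?[Dd]omain name') + '\' +
                      (Get-Field $_.Message '(?:Client )?[Uu]ser name')
            Peer    = Get-Field $_.Message '(?:Workstation|Target server|Secure Channel) name'
            Process = Get-Field $_.Message 'Calling process name'
        }
    } |
    Group-Object EventId, Account, Peer, Process |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Count   = $_.Count
            EventId = $_.Group[0].EventId
            Account = $_.Group[0].Account
            Peer    = $_.Group[0].Peer
            Process = $_.Group[0].Process
        }
    }
}

# Rows that point at legacy devices or applications are the ones to fix (or to list
# under the Restrict NTLM "Add server exceptions" policy) before moving to "Deny all".
Get-NtlmAuditSummary -Hours 24 | Format-Table -AutoSize
```

Run it on a domain controller to see domain-wide 8003/8004 events, or on a member server to see only that host's own NTLM traffic.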
Reducing unnecessary services and privileges directly reduces the attack surface:
```powershell
# === DISABLE UNNECESSARY SERVICES ===
# Print Spooler (often exploited; see PrintNightmare)
# Disable on systems that don't need printing (especially servers)
Stop-Service -Name "Spooler" -Force
Set-Service -Name "Spooler" -StartupType Disabled
# Remote Registry (often used for lateral movement and persistence)
Stop-Service -Name "RemoteRegistry" -Force
Set-Service -Name "RemoteRegistry" -StartupType Disabled
# Windows Remote Management (WinRM): disable if not needed
# (required for PowerShell remoting, so leave it on hosts you manage that way)
Stop-Service -Name "WinRM" -Force
Set-Service -Name "WinRM" -StartupType Disabled
# SMBv1 (legacy protocol, used by EternalBlue/WannaCry)
# Verify it's disabled:
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
# Disable if enabled:
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# === REMOVE UNNECESSARY PRIVILEGES ===
# Remove SeImpersonatePrivilege from IIS app pools (prevents Potato attacks)
# Use Group Policy: Computer Config > Windows Settings > Security Settings >
#   Local Policies > User Rights Assignment
# Remove SeDebugPrivilege from non-admin users
# Remove SeTakeOwnershipPrivilege from non-admin users
```
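Deciding which services to disable and which ports to allow is easier with an inventory of what the host actually exposes. This added example (not part of the course material) lists every listening TCP port on the local host and ties it to the owning process and the Windows service(s) hosted in it; it runs locally and assumes nothing beyond the built-in NetTCPIP and CIM cmdlets.

```powershell
function Get-ListeningPortInventory {
    # Several services can share one svchost.exe, so collect all service names per process id.
    $servicesByPid = @{}
    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
        $procId = [int]$_.ProcessId
        if (-not $servicesByPid.ContainsKey($procId)) { $servicesByPid[$procId] = @() }
        $servicesByPid[$procId] += $_.Name
    }
    $processNames = @{}
    Get-Process | ForEach-Object { $processNames[$_.Id] = $_.ProcessName }

    Get-NetTCPConnection -State Listen |
        Group-Object LocalPort, OwningProcess |
        ForEach-Object {
            $first  = $_.Group[0]
            $procId = [int]$first.OwningProcess
            $bound  = @($_.Group | ForEach-Object LocalAddress | Sort-Object -Unique)
            # 0.0.0.0 or :: means the port is reachable on every interface
            $allInterfaces = [bool]($bound | Where-Object { $_ -in @('0.0.0.0', '::') })
            [pscustomobject]@{
                Port          = [int]$first.LocalPort
                BoundTo       = $bound -join ', '
                AllInterfaces = $allInterfaces
                Pid           = $procId
                Process       = $processNames[$procId]
                Services      = ($servicesByPid[$procId] -join ', ')
            }
        } |
        Sort-Object Port
}

# Anything listening on all interfaces that is not on your approved list is a
# candidate for Set-Service -StartupType Disabled or for a scoped inbound firewall rule.
Get-ListeningPortInventory | Format-Table -AutoSize
```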
```powershell
# === CONFIGURE WINDOWS FIREWALL ===
# Block all inbound by default, allow only required ports
Set-NetFirewallProfile -Profile Domain,Public,Private -DefaultInboundAction Block
# Allow specific inbound rules
New-NetFirewallRule -DisplayName "Allow RDP from Management Subnet" `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress "10.0.1.0/24" -Action Allow
# Block outbound SMB so NTLM credentials cannot leak to rogue SMB servers
# (as written this also blocks internal file shares; add -RemoteAddress to
# scope the rule to non-internal ranges where shares are still needed)
New-NetFirewallRule -DisplayName "Block Outbound SMB" `
    -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block

# === ENABLE SMB SIGNING ===
# Prevents NTLM relay attacks on SMB
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# === ENABLE LDAP SIGNING AND CHANNEL BINDING ===
# Prevents LDAP relay attacks
# Via Group Policy: Domain Controller > LDAP Server Integrity = Require signing
```

Application control prevents unauthorized software from running, and exploit protection mitigates common exploitation techniques:
```powershell
# === WINDOWS DEFENDER APPLICATION CONTROL (WDAC) ===
# WDAC (the more robust successor to AppLocker) controls what is allowed to run
# Create a base policy from this reference system: trust publishers, fall back to
# file hashes for unsigned code; -UserPEs includes user-mode binaries (the scan takes a while)
New-CIPolicy -FilePath "C:\Policies\BasePolicy.xml" -Level Publisher -Fallback Hash -UserPEs
# Merge with additional allowed rules (the second path is a placeholder for your own rule file)
Merge-CIPolicy -PolicyPaths "C:\Policies\BasePolicy.xml", "C:\Policies\ExtraRules.xml" `
    -OutputFilePath "C:\Policies\MergedPolicy.xml"
# Convert to binary policy
ConvertFrom-CIPolicy -XmlFilePath "C:\Policies\MergedPolicy.xml" `
    -BinaryFilePath "C:\Policies\SiPolicy.p7b"
# Deploy the policy
# Copy SiPolicy.p7b to C:\Windows\System32\CodeIntegrity\SiPolicy.p7b
# Reboot to apply. New policies start in audit mode; once the audit log is clean,
# remove rule option 3 ("Enabled:Audit Mode") with Set-RuleOption -Option 3 -Delete
# and redeploy to enforce.

# === EXPLOIT PROTECTION (EMET successor) ===
# Configure system-wide exploit protection via PowerShell
# Enable ASLR (Address Space Layout Randomization): force image relocation for all processes
Set-ProcessMitigation -System -Enable ForceRelocateImages
# Enable DEP (Data Execution Prevention)
Set-ProcessMitigation -System -Enable DEP
# Enable CFG (Control Flow Guard)
Set-ProcessMitigation -System -Enable CFG

# Enable Attack Surface Reduction (ASR) rules via Group Policy or PowerShell
# (use -AttackSurfaceReductionRules_Actions AuditMode first to log without blocking)
# Block Office applications from creating child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
    -AttackSurfaceReductionRules_Actions Enabled
# Block Office applications from creating executable content
Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 `
    -AttackSurfaceReductionRules_Actions Enabled
# Block credential stealing from LSASS
Add-MpPreference -AttackSurfaceReductionRules_Ids 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 `
    -AttackSurfaceReductionRules_Actions Enabled
# Block process creations from PSExec and WMI commands
Add-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D77406C `
    -AttackSurfaceReductionRules_Actions Enabled

# === MICROSOFT DEFENDER FOR ENDPOINT ===
# Enable all protection features
# (Set-MpPreference configures the local Microsoft Defender Antivirus engine that
# Defender for Endpoint builds on; onboarding to the MDE service is a separate step)
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples
Set-MpPreference -PUAProtection Enabled
Set-MpPreference -CloudBlockLevel High
Set-MpPreference -CloudExtendedTimeout 50
```

Attack Surface Reduction (ASR) rules are one of the most effective defenses against malware and fileless attacks. They block common attacker techniques at the OS level. However, test ASR rules in audit mode first: some legitimate business applications may be blocked. Use the ASR report in Microsoft Defender for Endpoint to identify false positives before enabling block mode.
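Where the Defender for Endpoint portal is not available, the same triage can be done from the local event log. This added example (not part of the course material) summarises ASR hits before the rules above are switched from audit to block mode: Defender writes event 1122 when a rule matches in audit mode and 1121 when it blocks, both in the Microsoft-Windows-Windows Defender/Operational log. The EventData field names it reads (ID, Process Name, Path) are assumed from the event schema; missing fields fall back to "n/a".

```powershell
function Get-AsrRuleHits {
    param([int]$Days = 7)

    # Friendly names for the rule GUIDs configured in this lesson.
    $ruleNames = @{
        'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Office apps creating child processes'
        '3B576869-A4EC-4529-8536-B80A7769E899' = 'Office apps creating executable content'
        '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Credential stealing from LSASS'
        'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Process creation from PSExec/WMI'
    }
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the event as XML so fields are addressed by name rather than by position.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $ruleId  = ('' + $data['ID']).Trim('{}').ToUpper()
        $mode    = if ($_.Id -eq 1122) { 'Audit' } else { 'Block' }
        $rule    = if ($ruleNames.ContainsKey($ruleId)) { $ruleNames[$ruleId] } else { $ruleId }
        $process = if ($data['Process Name']) { $data['Process Name'] } else { 'n/a' }
        $target  = if ($data['Path']) { $data['Path'] } else { 'n/a' }
        [pscustomobject]@{ Mode = $mode; Rule = $rule; Process = $process; Target = $target }
    } |
    Group-Object Mode, Rule, Process, Target |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Count   = $_.Count
            Mode    = $_.Group[0].Mode
            Rule    = $_.Group[0].Rule
            Process = $_.Group[0].Process
            Target  = $_.Group[0].Target
        }
    }
}

# Repeated audit hits from a known business application are candidates for a
# targeted exclusion (Add-MpPreference -AttackSurfaceReductionOnlyExclusions <path>)
# rather than for leaving the rule switched off.
Get-AsrRuleHits -Days 7 | Format-Table -AutoSize -Wrap
```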
Since AD is the crown jewels, it requires the most comprehensive hardening:
```powershell
# === DOMAIN CONTROLLER HARDENING ===
# Ensure all DCs are running the latest supported OS
Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem, OperatingSystemVersion
# Disable legacy protocols on DCs
# Require LDAP signing so unsigned (bypass) binds are rejected
# Via Group Policy on the Domain Controllers OU:
#   Domain controller: LDAP server signing requirements = Require signing

# === KRBTGT ACCOUNT ===
# Change the KRBTGT password twice to invalidate any existing Golden Tickets
# First change:
Set-ADAccountPassword -Identity "krbtgt" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "TempPassword1!@#" -Force)
# Wait 12+ hours (longer than the default 10-hour TGT lifetime) and confirm the change
# has replicated to every DC, then perform the second change:
Set-ADAccountPassword -Identity "krbtgt" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "TempPassword2!@#" -Force)

# === AD ACL AUDITING ===
# Use ADACLScanner or similar tools to audit all AD object permissions
# Look for:
#   - Non-standard users with GenericAll/GenericWrite on privileged groups
#   - Users with WriteDacl on domain objects
#   - Users with ExtendedRight (DS-Replication-Get-Changes) on the domain
```
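The three checks listed above can be scripted without an external tool. This added example (not part of the course material) walks the domain root and every protected (adminCount=1) group with Get-Acl over the AD: drive and reports principals outside an expected set that hold GenericAll/GenericWrite/WriteDacl/WriteOwner, or the replication extended rights that DCSync depends on. It assumes the ActiveDirectory module; the expected-principal list is an assumption to adapt to your forest.

```powershell
Import-Module ActiveDirectory

function Find-RiskyAdAces {
    $domain = Get-ADDomain
    # Control-access right GUIDs for directory replication.
    $replRights = @{
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    }
    # Principals that hold these rights by default; anything else deserves a look.
    $expected = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'SYSTEM',
                'Domain Controllers', 'Enterprise Domain Controllers',
                'Enterprise Read-only Domain Controllers'
    $targets = @($domain.DistinguishedName) +
               @(Get-ADGroup -Filter 'adminCount -eq 1' | ForEach-Object DistinguishedName)

    foreach ($dn in $targets) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who  = $ace.IdentityReference.Value
            $name = ($who -split '\\')[-1]          # drop the DOMAIN\ or BUILTIN\ prefix
            if ($expected -contains $name) { continue }

            $rights  = $ace.ActiveDirectoryRights.ToString()
            $objType = $ace.ObjectType.ToString()
            $reason  = $null
            if ($rights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner') {
                $reason = $rights
            } elseif ($rights -match 'ExtendedRight' -and $replRights.ContainsKey($objType)) {
                $reason = $replRights[$objType]
            } elseif ($rights -match 'ExtendedRight' -and $ace.ObjectType -eq [guid]::Empty) {
                $reason = 'All extended rights (includes replication)'
            }
            if ($reason) {
                [pscustomobject]@{
                    Object    = $dn
                    Principal = $who
                    Right     = $reason
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Find-RiskyAdAces | Sort-Object Object, Principal | Format-Table -AutoSize -Wrap
```

Expect some legitimate rows (for example Exchange or PAM groups); the point is that every remaining principal is known and documented.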
```powershell
# === TIERED ADMINISTRATION ===
# Implement the Enhanced Security Admin Environment (ESAE) / Red Forest tiering model
#   Tier 0: Domain Controllers, AD admins, PAM systems
#   Tier 1: Server admins, application admins
#   Tier 2: Workstation admins, help desk
# NEVER allow Tier 0 accounts to log on to Tier 1 or Tier 2 systems
# Create an authentication policy to enforce tier boundaries
New-ADAuthenticationPolicy -Name "Tier0Policy" `
    -Enforce `
    -ProtectedFromAccidentalDeletion $true `
    -UserTGTLifetimeMins 240   # 4-hour max ticket lifetime for Tier 0
# Then assign it to each Tier 0 account, e.g.:
#   Set-ADUser -Identity "admin_jane" -AuthenticationPolicy "Tier0Policy"

# === PRIVILEGED ACCESS WORKSTATIONS (PAWs) ===
# Admins should use dedicated, hardened workstations for AD administration
# PAWs should:
#   - Not have internet access
#   - Run only approved administrative tools
#   - Have Credential Guard, WDAC, and all ASR rules enabled
#   - Be in a separate OU with restrictive GPOs
```

Hardening is incomplete without monitoring. Ensure you can detect and respond to attacks that bypass your preventive controls:
```powershell
# === COMPREHENSIVE SECURITY CHECKLIST SCRIPT ===
# Run this script to assess the security posture of a Windows system
Write-Host "=== WINDOWS SECURITY ASSESSMENT ===" -ForegroundColor Cyan

# Check UAC
$uac = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLUA" -ErrorAction SilentlyContinue).EnableLUA
Write-Host "UAC Enabled: $(if($uac -eq 1){'YES ✓'}else{'NO ✗ CRITICAL'})" -ForegroundColor $(if($uac -eq 1){'Green'}else{'Red'})

# Check LSA Protection
$runAsPPL = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -ErrorAction SilentlyContinue).RunAsPPL
Write-Host "LSA Protection: $(if($runAsPPL -eq 1){'ENABLED ✓'}else{'DISABLED ✗'})" -ForegroundColor $(if($runAsPPL -eq 1){'Green'}else{'Red'})

# Check Credential Guard (1 in SecurityServicesConfigured = Credential Guard)
$cg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue
Write-Host "Credential Guard: $(if($cg.SecurityServicesConfigured -contains 1){'CONFIGURED ✓'}else{'NOT CONFIGURED ✗'})" -ForegroundColor $(if($cg.SecurityServicesConfigured -contains 1){'Green'}else{'Yellow'})

# Check SMBv1 (State is Disabled or DisabledWithPayloadRemoved when off)
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
Write-Host "SMBv1: $(if($smb1.State -like 'Disabled*'){'DISABLED ✓'}else{'ENABLED ✗ CRITICAL'})" -ForegroundColor $(if($smb1.State -like 'Disabled*'){'Green'}else{'Red'})

# Check Windows Defender status
$defender = Get-MpComputerStatus
Write-Host "Defender Real-time: $(if($defender.RealTimeProtectionEnabled){'ENABLED ✓'}else{'DISABLED ✗'})" -ForegroundColor $(if($defender.RealTimeProtectionEnabled){'Green'}else{'Red'})

# Check for disabled default accounts
# Look them up by well-known RID (500 = Administrator, 501 = Guest) so a renamed
# built-in Administrator is still found
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
Write-Host "Built-in Admin: $(if($admin.Enabled -eq $false){'DISABLED ✓'}else{'ENABLED ✗'})" -ForegroundColor $(if($admin.Enabled -eq $false){'Green'}else{'Red'})
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
Write-Host "Guest Account: $(if($guest.Enabled -eq $false){'DISABLED ✓'}else{'ENABLED ✗'})" -ForegroundColor $(if($guest.Enabled -eq $false){'Green'}else{'Red'})

# Check NTLM settings
$ntlmLevel = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -ErrorAction SilentlyContinue).LmCompatibilityLevel
Write-Host "NTLM Level: $ntlmLevel $(if($ntlmLevel -ge 5){'✓'}else{'✗ Consider level 5'})" -ForegroundColor $(if($ntlmLevel -ge 5){'Green'}else{'Yellow'})

# Check cached credentials (Windows defaults to 10 when the value is absent)
$cachedLogons = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "CachedLogonsCount" -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cachedLogons) { $cachedLogons = 10 }
Write-Host "Cached Logons: $cachedLogons $(if([int]$cachedLogons -le 4){'✓'}else{'✗ Reduce to 2-4'})" -ForegroundColor $(if([int]$cachedLogons -le 4){'Green'}else{'Yellow'})

# Check PowerShell logging
$scriptBlockLogging = (Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging
Write-Host "PS Script Block Logging: $(if($scriptBlockLogging -eq 1){'ENABLED ✓'}else{'DISABLED ✗'})" -ForegroundColor $(if($scriptBlockLogging -eq 1){'Green'}else{'Red'})

# PowerShell uses a backtick, not a backslash, for escape sequences
Write-Host "`n=== ASSESSMENT COMPLETE ===" -ForegroundColor Cyan
```

Congratulations, you have completed the Windows Fundamentals for Security course. Let us review what you have learned:
| Lesson | Key Takeaway |
|---|---|
| 1. Windows Architecture | Understanding kernel/user mode, processes, tokens, and integrity levels: the foundation of all Windows security |
| 2. Users & Authentication | How Windows identifies users (SIDs), authenticates them (NTLM/Kerberos), and stores credentials, and how attackers steal them |
| 3. NTFS Permissions | How file system ACLs control access, how inheritance works, and how misconfigurations enable privilege escalation |
| 4. Windows Registry | The registry as a configuration database and attack surface: autorun keys, service configs, and security policies |
| 5. PowerShell | The most powerful tool for Windows security: enumeration, AD reconnaissance, and defensive monitoring |
| 6. Active Directory | The enterprise identity system: architecture, trusts, delegation, GPOs, and the attack paths that target them |
| 7. Event Logging | How to detect attacks through Security event logs, Sysmon, and log correlation |
| 8. Hardening & Defense | Comprehensive hardening strategies: credential protection, service hardening, application control, and monitoring |
To continue your learning journey, consider these next steps: