
Windows operating system security configuration is one of the most critically important topics. Properly configuring Windows (across Windows 7, 8, 10, and Server editions) involves a number of steps. Disabling unnecessary services, properly configuring the registry, enabling the firewall, hardening the browser, and many more measures all fall under this scope.
We have previously covered firewall concepts, including stateful and stateless packet inspection, on our blog. In this article, we will draw attention to the other important factors in Windows security configuration.
A Windows operating system comes with certain default user accounts and groups. These accounts will typically serve as a starting point for intruders looking to gain unauthorised access to systems, crack passwords, and log into servers or the network. At this point, renaming or disabling some of the default accounts will, of course, enhance your security.
In Windows 7 or 8, you can find user accounts by navigating to Start, Settings, Control Panel, Users and Groups. In Windows 10, they are located under Start, Settings, and Accounts.
The default administrator account has administrative privileges, and hackers commonly attempt to obtain login credentials for an administrator account. To log into Windows, you must first provide a username and then a password — a two-step process. Default accounts, of course, allow a hacker to skip the first step in this process. System administrators typically disable these accounts.
You will need an account with administrative privileges to maintain your server. The next step should be to create a new account with a non-obvious username, rather than relying on the standard Administrator account, and then grant that new account administrative privileges. Doing this makes a hacker’s job more difficult, because before they can compromise or crack the password of that account, they must first discover which account actually has administrative privileges — complicating the task considerably.
The administrator account is the most frequently targeted by hackers, but Windows also includes other default user accounts. It is a good idea to apply equally rigorous scrutiny to all default accounts. Any account can become a gateway for a hacker to compromise a system. Accounts to be aware of include the following:
When adding new accounts, it is always safest to grant the user or group of that account the minimum number and type of privileges needed to perform their work — even for IT staff accounts.
Some examples are as follows:
These are just a few examples to bear in mind when setting user rights.
Always grant the person in question the minimum access needed to do their job. This concept is commonly known as the principle of least privilege and is one of the cornerstones of security.
Setting appropriate security policies is the next critical step in hardening a Windows server. This does not refer to written policies that an organisation may have regarding its security standards and procedures. The term “security policies” here refers to the policies contained within each individual machine.
The first concern is setting secure password policies. The default settings for Windows passwords are not secure. The table below shows the default password policies. The maximum password age refers to how long a password remains in effect before the user is forced to change it.
Enforce password history means how many previous passwords the system remembers, preventing users from reusing them. Minimum password length defines the minimum number of characters a password must contain. Of course, enforcing these requirements can at times hinder operational efficiency. Business continuity must also be considered when setting policies.
Password complexity means that the user must use a password that combines numbers, letters, and other characters. These are the default security settings for all versions of Windows from Windows NT 4.0 onwards. If your machine is part of a business domain, these settings may be controlled centrally, and Local Security Policy may indicate that you do not have permission to change them.
| Policy | Default Setting |
|---|---|
| Enforce password history | 1 password |
| Maximum password age | 42 days |
| Minimum password age | 0 |
| Minimum password length | 0 |
| Passwords must meet complexity requirements | Disabled |
| Store passwords using reversible encryption for all users in the domain | Disabled |
The default password policies are not sufficiently secure — so what policies should you use instead? Different experts answer this question differently. The table below shows the recommendations of Microsoft and the National Security Agency (NSA).
| Policy | Microsoft | NSA |
|---|---|---|
| Enforce password history | 3 passwords | 5 passwords |
| Maximum password age | 42 days | 42 days |
| Minimum password age | 2 days | 2 days |
| Minimum password length | 8 characters | 12 characters |
| Passwords must meet complexity requirements | No recommendation | Yes |
| Store passwords using reversible encryption for all users in the domain | No recommendation | No recommendation |
Developing appropriate password policies depends largely on the requirements of your network environment. If your network stores and processes highly sensitive data and represents an attractive target for hackers, you should always lean your policies and settings towards greater security. However, you should also bear in mind that if security measures are too complex, your users will struggle to comply. For example, very long, complex passwords (such as +%&//(6865Vgddw^%46) make your network extremely secure — but such passwords are nearly impossible for users to remember.
When you open the Local Security Settings dialogue, your options are not limited to setting password policies. You can also set account lockout policies. These policies determine how many times a user can attempt to log in before being locked out, and for how long they remain locked out. The default Windows settings are shown in the table below.
| Policy | Default Setting |
|---|---|
| Account lockout duration | Not defined |
| Account lockout threshold | 0 invalid logon attempts |
| Reset account lockout counter after | Not defined |
These default policies are not secure. They essentially allow an unlimited number of login attempts, making the use of password-cracking tools extremely easy — and practically guaranteeing that someone will eventually crack one or more passwords and gain access to your system. The table below presents the recommendations of Microsoft and the NSA.
| Policy | Microsoft | NSA |
|---|---|---|
| Account lockout duration | 0 (admin must unlock) | Not less than 15 minutes |
| Account lockout threshold | Not more than 5 attempts | 3 attempts |
| Reset account lockout counter after | Not defined | Not less than 15 minutes |
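Both the password and the lockout recommendations above can be checked mechanically. The following PowerShell script is an added example, not from the original article: it exports the local account policy with secedit.exe (which needs an elevated prompt) and grades each setting against the NSA column; the INF key names are the standard secedit ones, and the thresholds are copied from the two tables above.

```powershell
# Added example (not from the original article): audit the local password and
# account lockout policy against the NSA recommendations in the tables above.
# secedit.exe and the [System Access] INF keys are standard Windows; the
# thresholds come from the article. Run from an elevated PowerShell prompt.

$inf = Join-Path $env:TEMP 'secpol-audit.inf'
# Export only the account-policy area; secedit writes a Unicode INF file.
secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null

# Parse the [System Access] section into a hashtable of key = value.
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^(\w+)\s*=\s*(.+)$') { $policy[$Matches[1]] = $Matches[2].Trim() }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# One check per policy: INF key, display name, predicate for the NSA value.
# Durations are in minutes; LockoutDuration -1 means "until an admin unlocks",
# MaximumPasswordAge -1 means "never expires", LockoutBadCount 0 means "never lock out".
$checks = @(
    @{ Key='PasswordHistorySize';   Name='Enforce password history';    Want='>= 5 passwords';  Test={ param($v) [int]$v -ge 5 } }
    @{ Key='MaximumPasswordAge';    Name='Maximum password age';        Want='1-42 days';       Test={ param($v) [int]$v -gt 0 -and [int]$v -le 42 } }
    @{ Key='MinimumPasswordAge';    Name='Minimum password age';        Want='>= 2 days';       Test={ param($v) [int]$v -ge 2 } }
    @{ Key='MinimumPasswordLength'; Name='Minimum password length';     Want='>= 12 characters';Test={ param($v) [int]$v -ge 12 } }
    @{ Key='PasswordComplexity';    Name='Complexity requirements';     Want='Enabled';         Test={ param($v) [int]$v -eq 1 } }
    @{ Key='ClearTextPassword';     Name='Reversible encryption';       Want='Disabled';        Test={ param($v) [int]$v -eq 0 } }
    @{ Key='LockoutBadCount';       Name='Account lockout threshold';   Want='1-3 attempts';    Test={ param($v) [int]$v -gt 0 -and [int]$v -le 3 } }
    @{ Key='LockoutDuration';       Name='Account lockout duration';    Want='>= 15 min';       Test={ param($v) [int]$v -eq -1 -or [int]$v -ge 15 } }
    @{ Key='ResetLockoutCount';     Name='Reset lockout counter after'; Want='>= 15 min';       Test={ param($v) [int]$v -ge 15 } }
)

foreach ($c in $checks) {
    # The two lockout timers are absent from the export while the threshold is 0,
    # which is exactly the insecure default; treat a missing key as 0.
    $value  = if ($policy.ContainsKey($c.Key)) { $policy[$c.Key] } else { '0' }
    $ok     = & $c.Test $value
    $status = if ($ok) { 'OK' } else { 'FAIL' }
    [pscustomobject]@{ Policy = $c.Name; Current = $value; Recommended = $c.Want; Status = $status }
}
```

On a domain-joined machine the exported values reflect the effective policy pushed by Group Policy, so a FAIL there has to be fixed in the domain GPO rather than in Local Security Policy.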
Windows installs a large number of services by default, many of which are not required for most server environments. Every running service is a potential attack surface. Disabling unnecessary services reduces the number of entry points available to an attacker and minimises the risk of exploitation through a service vulnerability.
To view and manage Windows services, navigate to Control Panel → Administrative Tools → Services, or run services.msc from the Run dialogue. Each service has a startup type: Automatic, Manual, or Disabled. Services that are not required should be set to Disabled.
Commonly disabled services in a hardened Windows environment include Telnet, Remote Registry, Messenger, and Print Spooler (on servers that do not need printing). Always verify the function of a service before disabling it to avoid disrupting system operations.
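The following PowerShell script is an added example, not from the original article: it reports the state and startup type of the four services named above and disables them only when run with -Apply. The service short names are assumed to be the standard Windows ones (Telnet and Messenger only exist on older versions).

```powershell
# Added example (not from the original article): audit the services the article
# names as commonly disabled, and disable them only when -Apply is given.
# Assumption: standard Windows service short names; confirm with Get-Service.
param([switch]$Apply)

# Display name used in the article -> Windows service short name.
$candidates = [ordered]@{
    'Telnet'          = 'TlntSvr'
    'Remote Registry' = 'RemoteRegistry'
    'Messenger'       = 'Messenger'
    'Print Spooler'   = 'Spooler'
}

foreach ($entry in $candidates.GetEnumerator()) {
    $svc = Get-Service -Name $entry.Value -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Output ("{0,-16} not installed" -f $entry.Key)
        continue
    }
    # Win32_Service exposes the startup type (Auto/Manual/Disabled) on every
    # supported Windows version, unlike Get-Service on older PowerShell.
    $startMode = (Get-CimInstance Win32_Service -Filter "Name='$($entry.Value)'").StartMode
    Write-Output ("{0,-16} status={1,-8} startup={2}" -f $entry.Key, $svc.Status, $startMode)

    if ($Apply -and $startMode -ne 'Disabled') {
        # Stop it now so the change is immediate, then keep it from starting at boot.
        Stop-Service -Name $entry.Value -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $entry.Value -StartupType Disabled
        Write-Output ("{0,-16} -> disabled" -f $entry.Key)
    }
}
```

Run it once without -Apply to see what would change; on a server that actually prints, leave Spooler out of the table before applying.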
The Windows registry is a centralised configuration database for the operating system. Certain registry settings have significant security implications. Key areas to review include:
Registry changes should be made with caution, as incorrect modifications can destabilise the system. It is strongly recommended to back up the registry before making changes.
Windows includes a built-in firewall that should be enabled and properly configured on all systems. The Windows Firewall can be configured to allow only necessary inbound and outbound connections, and to block all others by default.
For servers, the firewall should be configured to permit only the specific ports and protocols required for the services being offered. For example, a web server should permit TCP port 80 (HTTP) and 443 (HTTPS), while blocking all other inbound connections.
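The web-server profile just described, as an added PowerShell example that is not part of the original article: default-deny inbound on all three profiles, allow only TCP 80 and 443, then list every remaining inbound allow rule for review. The rule names and group name are my own; the NetSecurity cmdlets exist on Windows 8 / Server 2012 and later and need an elevated prompt.

```powershell
# Added example (not from the original article): Windows Firewall configuration
# for the web server case in the text. Rule and group names are arbitrary choices.
# Requires elevation and the built-in NetSecurity module (Windows 8 / 2012+).

# 1. Firewall on for every profile; unsolicited inbound traffic is blocked by
#    default. Outbound stays allowed, as the article does not restrict it.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Allow only the two web ports. Putting the rules in one group makes them
#    easy to re-create idempotently and to remove later.
$ruleGroup = 'Hardening: Web Server'
Get-NetFirewallRule -Group $ruleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName 'Allow HTTP (TCP 80)' -Group $ruleGroup `
    -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow -Profile Any | Out-Null
New-NetFirewallRule -DisplayName 'Allow HTTPS (TCP 443)' -Group $ruleGroup `
    -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow -Profile Any | Out-Null

# 3. Verify: every enabled inbound allow rule, so anything beyond 80/443
#    (rules added by installers, remote management, etc.) is visible for review.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Protocol = $port.Protocol
            Port     = $port.LocalPort
            Profile  = $_.Profile
        }
    } | Sort-Object Port | Format-Table -AutoSize
```

If the server is administered over RDP or WinRM, add a rule for that port restricted to the management network with -RemoteAddress before the default-deny takes effect, or the session used to apply this will be the last one.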
Web browsers are a common attack vector. On Windows systems, browser hardening involves configuring security zones in Internet Explorer or Edge, disabling unnecessary browser extensions, enabling pop-up blocking, and ensuring that browsers are kept up to date. Where possible, restricting the use of outdated or unsupported browsers is also recommended.