17

Can anyone point me at some good resources on Windows hardening? From 2003 upwards.

Zuly Gonzalez

4 Answers

10
Steve
10

The Center for Internet Security publishes Benchmark configurations for several operating systems and other products, including: servers, workstations, infrastructure devices, and more.

The United States National Institute of Standards and Technology has published configurations for Windows 7 as the United States Government Configuration Baseline, and for XP/Vista as the Federal Desktop Core Configuration.

Iszi
  • +1. The NSA also publish their own guidelines, or sometimes (in the case of Win7/Vista) link to other appropriate guidelines that match their standards. http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml#microsoft –  Jul 06 '11 at 18:03
4

On the flip side of hardening guides and standards documents, you have the posture assessment angle. These audits can help you either determine how far off standard you are, or how closely you are actually following what you've decided to implement. The two that I have used and enjoyed are:

  1. Microsoft Baseline Security Analyzer (MBSA)
  2. Nessus Audit Policies

MBSA is an installed application that will audit the security of a Windows system, against the Microsoft recommendations, and produce an excellent report.

The Nessus audit files are included as part of a vulnerability scan and will test against the CIS benchmark.

Both tools produce great reports and can really help with your standards development and/or compliance.

Scott Pack
2

As mentioned on this post over on SU, another useful product if you are aiming for a locked down Kiosk is the Trishell Kiosk Edition - worth having a look at as well.

Rory Alsop