How to complete Windows 2016 Hardening in 5 minutes

Windows Server hardening is very time consuming on some of our projects, so we tested the following method to complete Windows 2016 hardening in 5 minutes: prepare the policies once on a template VM, export them with LGPO.exe, and re-apply the exported files on every new server.

  1. Install Windows Server 2016 (Long-Term Servicing Channel) – 1607 as a Virtual Machine (VM) in VMware
  2. Install KB4132216 – 11.6MB
  3. Install KB4103720 – OS Build (17 May, 2018) – 1.3GB

Configure the time zone, enable RDP and change the address priority to IPv4 as below

#Enable Remote Desktop Connection (fDenyTSConnections = 0 allows incoming RDP sessions)
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0

#Change Time Zone
tzutil.exe /s "Singapore Standard Time"

#Prefer IPv4 over IPv6 (DisabledComponents = 0x20) instead of disabling IPv6, since Microsoft does NOT recommend disabling IPv6
#-Force overwrites the value if it already exists; the change takes effect after a reboot
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" -Name "DisabledComponents" -Value 0x20 -PropertyType DWord -Force

Preparation of Security Template

  1. Take a snapshot of the VM, as we will need to revert to it for the other configuration later
  2. Open MMC and add the Security Templates snap-in
  3. Create a new Security Template with all the settings that you would like to include

Policies included in the Security Template

  • Account Policies – Password, Account Lockout & Kerberos Policy
  • Local Policies – Audit Policy, User Right Assignment & Security Options
  • Event Log & System Services (Startup Mode)
  4. Save the Security Template as UAT.inf in C:\Temp once all the settings are completed

Preparation of Advanced Audit Policy

  1. Open Local Group Policy Editor – gpedit.msc
  2. Configure the Advanced Audit Policy and export the settings (auditpol backup CSV format) to C:\temp\UAT.csv

Preparation of other GPO Configuration for Machine / User following the hardening guide provided

  1. Make a copy of the UAT.inf & UAT.csv files in C:\Temp to another server
  2. Revert the VM to the snapshot created earlier
  3. Download Windows 10 Version 1607 and Windows Server 2016 Security Baseline.zip, LGPO.zip & PolicyAnalyzer.zip and copy all files located in Template to %SystemRoot%\PolicyDefinitions
  4. Download Local Administrator Password Solution (LAPS) and install it together with its ADMX/ADML files
    #Copy ADMX & ADML files to %SystemRoot%\PolicyDefinitions (ADMX in the root, ADML in the language folder en-US)
    $MSS_ADMX = "C:\Temp\MSS-legacy.admx"
    $MSS_ADML = "C:\Temp\MSS-legacy.adml"
    $AdmPwd_ADMX = "C:\Temp\AdmPwd.admx"
    $AdmPwd_ADML = "C:\Temp\AdmPwd.adml"
    $SecGuide_ADMX = "C:\Temp\SecGuide.admx"
    $SecGuide_ADML = "C:\Temp\SecGuide.adml"
    
    #-Force overwrites older copies of the same template
    Copy-Item $MSS_ADMX -Destination C:\Windows\PolicyDefinitions -Force
    Copy-Item $AdmPwd_ADMX -Destination C:\Windows\PolicyDefinitions -Force
    Copy-Item $SecGuide_ADMX -Destination C:\Windows\PolicyDefinitions -Force
    
    Copy-Item $MSS_ADML -Destination C:\Windows\PolicyDefinitions\en-US -Force
    Copy-Item $AdmPwd_ADML -Destination C:\Windows\PolicyDefinitions\en-US -Force
    Copy-Item $SecGuide_ADML -Destination C:\Windows\PolicyDefinitions\en-US -Force
    
    #Silent install of the LAPS client (/norestart avoids an unplanned reboot in the middle of the build)
    msiexec.exe /i LAPS.x64.msi /quiet /norestart
    

Customize Administrative Template

  1. Open Local Group Policy Editor – gpedit.msc and configure the settings you want

Export the GPO settings using LGPO.exe

  1. Export GPO Settings with LGPO.exe
    #Back up the existing local GPO: /b is the folder the backup is created in, /n is an optional display name for the backup
    LGPO.exe /b C:\Temp /n "Clean"
    
    LGPO.exe v2.2 - Local Group Policy Object utility
    Creating LGPO backup in "c:\Temp\{B2D69F1D-DA2B-469F-B4BC-F07C5C712D43}"
    
  2. Parse the .pol files to TXT files for reference (the GUID folder name below is the one LGPO.exe printed in the previous step; it is different on every run)
    #Parse Machine Settings
    LGPO.exe /parse /m C:\Temp\{B2D69F1D-DA2B-469F-B4BC-F07C5C712D43}\DomainSysvol\GPO\Machine\registry.pol > C:\Temp\Machine.txt
    
    LGPO.exe v2.2 - Local Group Policy Object utility
    Parse machine registry.pol: C:\Temp\{B2D69F1D-DA2B-469F-B4BC-F07C5C712D43}\DomainSysvol\GPO\Machine\registry.pol
    
    #Parse User Settings (note the User\registry.pol path, not Machine)
    LGPO.exe /parse /u C:\Temp\{B2D69F1D-DA2B-469F-B4BC-F07C5C712D43}\DomainSysvol\GPO\User\registry.pol > C:\Temp\User.txt
    
    LGPO.exe v2.2 - Local Group Policy Object utility
    Parse machine registry.pol: C:\Temp\{B2D69F1D-DA2B-469F-B4BC-F07C5C712D43}\DomainSysvol\GPO\User\registry.pol
    
  3. Copy & rename C:\Temp\{B2D69F1D-DA2B-469F-B4BC-F07C5C712D43}\DomainSysvol\GPO\Machine\registry.pol to C:\temp\Machine.pol & C:\Temp\{B2D69F1D-DA2B-469F-B4BC-F07C5C712D43}\DomainSysvol\GPO\User\registry.pol to C:\temp\User.pol
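The export, parse and rename steps above as one script. This is an added example, not code from the original post: it reads the GUID backup folder from LGPO.exe's own output instead of hard-coding it, and assumes LGPO.exe lives in C:\Temp and the staging folder is C:\Temp\UAT.

```powershell
# Added example: export the local GPO with LGPO.exe, locate the backup folder it
# creates (its GUID name changes on every run), parse both registry.pol files and
# stage stable copies as Machine.pol / User.pol for the apply step.
# Assumptions: LGPO.exe is in C:\Temp, staging folder is C:\Temp\UAT.
$Lgpo    = 'C:\Temp\LGPO.exe'
$Backup  = 'C:\Temp'
$Staging = 'C:\Temp\UAT'
New-Item -ItemType Directory -Path $Staging -Force | Out-Null

# LGPO prints a line like: Creating LGPO backup in "C:\Temp\{GUID}"
$output = & $Lgpo /b $Backup /n 'Clean' 2>&1
if ($LASTEXITCODE -ne 0) { throw "LGPO backup failed (exit $LASTEXITCODE):`n$output" }

$m = [regex]::Match(($output -join "`n"), 'Creating LGPO backup in "([^"]+)"')
if (-not $m.Success) { throw "Backup path not found in LGPO output:`n$output" }
$BackupDir = $m.Groups[1].Value

foreach ($scope in @(
        @{ Name = 'Machine'; Switch = '/m' },
        @{ Name = 'User';    Switch = '/u' })) {

    $pol = Join-Path $BackupDir "DomainSysvol\GPO\$($scope.Name)\registry.pol"
    if (-not (Test-Path $pol)) {
        # LGPO only writes a registry.pol for scopes that have settings
        Write-Warning "$($scope.Name) registry.pol not found; nothing exported for this scope"
        continue
    }
    # Human-readable dump for review (same as LGPO.exe /parse /m|/u ... > file)
    & $Lgpo /parse $scope.Switch $pol | Set-Content -Path (Join-Path $Staging "$($scope.Name).txt")
    # Stable file name so the apply step never depends on the GUID folder
    Copy-Item -Path $pol -Destination (Join-Path $Staging "$($scope.Name).pol") -Force
}

Get-ChildItem $Staging
```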

Keep all the necessary files in a new folder, like C:\temp\UAT, and keep a copy on another server

  • All .admx & .adml files
  • LAPS.x64.msi, LGPO.exe, UAT.inf, UAT.csv, Machine.pol, User.pol, Machine.txt & User.txt

Apply the prepared hardening policies to a new Windows 2016 Server

  1. Copy the UAT folder to C:\temp\ on the new Windows 2016 Server
  2. Open PowerShell with Administrative rights and run the following (order: machine policy, user policy, security template, audit policy)
        #Apply Machine Policy
        cmd /c "C:\Temp\UAT\LGPO.exe /m C:\temp\UAT\Machine.pol"
    
        #Apply User Policy
        cmd /c "C:\Temp\UAT\LGPO.exe /u C:\temp\UAT\User.pol"
    
        #Apply Security Template
        cmd /c "C:\Temp\UAT\LGPO.exe /s C:\temp\UAT\UAT.inf"
    
        #Apply Advanced Audit Policy
        cmd /c "C:\Temp\UAT\LGPO.exe /ac C:\temp\UAT\UAT.csv"
    

Run "gpedit.msc" to verify that all the settings are applied successfully.
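The apply step and the verification as one script, as an added example that is not part of the original post. It assumes the post's UAT folder was copied to C:\Temp\UAT and that UAT.csv is in the auditpol backup CSV format that LGPO.exe /ac expects; it checks the live audit policy with auditpol and the [System Access] part of the template with secedit, rather than relying on a visual check in gpedit.msc.

```powershell
# Added example: apply the staged files with LGPO.exe, stop on the first failure,
# then verify that the audit policy and the [System Access] (password / lockout)
# settings of the template actually took effect. Run as Administrator.
# Assumptions: UAT folder is C:\Temp\UAT; UAT.csv is auditpol backup CSV format.
$Uat  = 'C:\Temp\UAT'
$Lgpo = Join-Path $Uat 'LGPO.exe'
# Same order as the post: machine policy, user policy, security template, audit CSV
$steps = @(
    @{ Desc = 'Machine policy';        Args = @('/m',  "$Uat\Machine.pol") },
    @{ Desc = 'User policy';           Args = @('/u',  "$Uat\User.pol") },
    @{ Desc = 'Security template';     Args = @('/s',  "$Uat\UAT.inf") },
    @{ Desc = 'Advanced audit policy'; Args = @('/ac', "$Uat\UAT.csv") }
)
foreach ($step in $steps) {
    if (-not (Test-Path $step.Args[1])) { throw "$($step.Desc): missing $($step.Args[1])" }
    & $Lgpo $step.Args
    if ($LASTEXITCODE -ne 0) { throw "$($step.Desc) failed, LGPO exit code $LASTEXITCODE" }
}
gpupdate /force | Out-Null

# Check 1: every subcategory in UAT.csv must match the live audit policy
$live = auditpol /get /category:* /r | ConvertFrom-Csv
foreach ($row in Import-Csv "$Uat\UAT.csv") {
    $cur = $live | Where-Object Subcategory -eq $row.Subcategory
    if ($cur.'Inclusion Setting' -ne $row.'Inclusion Setting') {
        Write-Warning "Audit: $($row.Subcategory) is '$($cur.'Inclusion Setting')', template says '$($row.'Inclusion Setting')'"
    }
}

# Check 2: [System Access] keys in the template vs. the effective policy exported by secedit
function Get-IniSection([string]$Path, [string]$Section) {
    $in = $false; $map = @{}
    foreach ($line in Get-Content $Path) {
        if ($line -match '^\[(.+)\]\s*$') { $in = ($Matches[1] -eq $Section); continue }
        if ($in -and $line -match '^\s*([^=;]+?)\s*=\s*(.*?)\s*$') { $map[$Matches[1]] = $Matches[2] }
    }
    $map
}
$effective = Join-Path $env:TEMP 'effective.inf'
secedit /export /cfg $effective /quiet | Out-Null
$want = Get-IniSection "$Uat\UAT.inf" 'System Access'
$have = Get-IniSection $effective    'System Access'
foreach ($key in $want.Keys) {
    if ($have[$key] -ne $want[$key]) {
        Write-Warning "Template: $key is '$($have[$key])', template says '$($want[$key])'"
    }
}
Remove-Item $effective -ErrorAction SilentlyContinue
```

A run with no warnings means every audit subcategory and every [System Access] value in the template is in effect; keep the output as the evidence for the hardening checklist.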
