But due to its popularity also puts it in the crosshairs of attackers. This script will UTTERLY f*ck your windows server up... You can't open gpedit.msc, you can't RDP into it, you can basically throw that windows server installation down the trash. by Atul8613. @Nephaleem (Think being able to run on this computers of family members so secure them but not increase the chances of them having to call you to troubleshoot something related to it later on). Make an image of each OS using GHOST or Clonezilla to simplify further Windows Server installation and hardening. Hi jaysteve, Thanks again for posting on the TechNet forum. The script makes it impossible to right click on the Start button and choose any of the Computer management options. Hardening IIS involves applying certain configuration steps above and beyond the default settings. What a waste of perfectly good time... You can't clearly harden a Windows server with a script that's meant for a Windows client. Windows 10; Windows Server; Microsoft 365 Apps for enterprise; Microsoft Edge; Using security baselines in your organization. If you don't know what you are doing and don't understand what the script does, then it's entirely your own problem and not mine to solve in any way. A step-by-step checklist to secure Microsoft Windows Server: Download Latest CIS Benchmark. I would add regasm.exe. it will SCREW UP your server, you're just incompetent. IISCrypto is good for crypto hardening, I know I have seen the scripted way to set these registry values floating around. That's not hardening by any means, that's stripping it down until it can't function. The Center for Internet Security (CIS) is a nonprofit organization that creates best practice security recommendations for a wide range of IT systems.
Refer to the tutorial below on how to complete Windows 2016 Hardening in 5 Minutes
Configure the Account & Local Policies based on CIS Benchmark and save the Security Template in C:\CIS\CIS-WINSRV.inf
Open Local Group Policy Editor with gpedit.msc and go to Computer Configuration – Windows Settings – Security Settings – Advanced Audit Policy Configuration – System Audit Policies
Configure the System Audit Policies based on CIS Benchmark and Export it to C:\CIS\CIS-WINSRV.csv
Download Windows 10 Version 1607 and Windows Server 2016 Security Baseline.zip and extract it to C:\Temp
Copy the Customize Administrative Templates to C:\CIS
Download LGPO.zip & LAPS x64.msi and export it to C:\CIS
Open Local Group Policy Editor with gpedit.msc and configure the GPO based on CIS Benchmark
Local Administrator will be renamed to myadmin
Logoff and login with myadmin to continue
Allow File Sharing & WMI (TCP 135,139 & 445) – Optional
Login to the Windows 2016 Server, and run the following script
All the sources files can be downloaded from CIS.zip
Refer to How to Setup Tenable Core + Nessus on VMware ESXi to prepare Nessus Scanner
Replace the IP Address with the IP Address of Nessus Scanner.

You may not want to run some of the recipes which break functionalities such as harden_winrm.rb (WinRM) 2. How can I roll back to the original state? on Sep 26, 2019 at 11:06 UTC. Just use my revision which has all of this fixed and contains many improvements." Re: Does Microsoft have any scripts to create CIS-baselines for on-prem Windows Server images? Hardening a server with a one size fits all script is impossible anyhow. — Instead of just opening a js file with notepad, it's trying to open filename.js.txt, and always errors out, for any of these file types. The sooner you can detect a potential attack, the more it will help you to mitigate any compromise in security. By: Jordan C. Rakoske. Windows Server 2016.
It’s critical to not simply throw out a default installation of IIS without some well thought out hardening. After running this script I am unable to login with old password. Enter your Windows Server 2016/2012/2008/2003 license key. Note: I added the telnet-client and SMB1 Windows Features to make sure that these are disabled as part of the hardening and you can easily add anything else as suited to your requirements. For Microsoft Windows Server 2016 RTM (1607) (CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark version 1.2.0) It continuously and independently checks whether all security settings and system hardening measures are in place in accordance with the recommendations of DISA and the CIS. odbcconf /s /a {regsvr \webdavserver\folder\payload_dll.txt}, and all the others suggested in the following link I have made a change in my own github, the msc extension should NOT be associated with notepad! There should be only 1 x Medium Severity mentioning that SSL Certificate Cannot Be Trusted as the CA Certificate is issued by our Internal Microsoft CA. I'm actually running this on my windows box and other family members for years now, and most of the hardening tweaks from this script are being used in companies in production. This image of Microsoft Windows Server 2016 is preconfigured by CIS to the recommendations in the associated CIS Benchmark. This script by no means intends or pretends to be something anywhere near of what you might be assuming or thinking. Microsoft Windows Server Hardening Script v1.1 (Tested By Qualys) Introduction: Patch fixing the below vulnerabilities tested by Qualys: Allowed Null Session; Enabled Cached Logon Credential; Meltdown v4 (ADV180012, ADV180002); Microsoft Group Policy Remote Code Execution Vulnerability (MS15-011); Microsoft Internet Explorer Cumulative Security Up In core_hardening.rb, you may want UAC to be disabled (EnableLUA … **** commented on this gist. Here are some ideas: 1.
::Windows 10 Hardening Script:: This is based mostly on my own personal research and testing.

How to complete Windows 2016 Hardening in 5 minutes
Windows 10 Version 1607 and Windows Server 2016 Security Baseline.zip
How to Setup Tenable Core + Nessus on VMware ESXi
Fixes for Vulnerabilities Detected by Nessus Scanner
Install a fresh Windows 2016 Server Standard Edition with latest Windows Updates installed
Initial configuration, like Name, IP Address, Timezone and others with
Create a New Security Template by right click on
Event Log & System Services (Startup Mode)
SecGuide – GPO Setting for SCM: Pass the Hash Mitigation Group
Parse the machine & user pol files to TXT and copy it to C:\CIS for reference
Copy the machine & user pol files to C:\CIS
The following files are prepared in C:\CIS
The following Firewall ports are required to be opened in the Windows 2016 Server
Credential for Local Administrator (myadmin)
Ensure that installed EndPoint, like Symantec IPS, is NOT filtering the Scanning performed by Nessus Scanner
Do NOT disable the local Administrator Account
User Account Control: Admin Approval mode for Built-In Administrator is NOT enabled as access to C$ is required for Nessus Pro Scanning.

But while Windows Server is designed to be secure out-of-the-box, it requires further hardening to protect against today’s advanced threats. And I found another couple of settings that block RDP outgoing/incoming.
Refer to Fixes for Vulnerabilities Detected by Nessus Scanner to resolve other vulnerabilities (if any). Plus, the associations here are all wrong. Can someone share other hardening examples you recommend? That windows 2016 server is throwing up SO MANY ERRORS that it's not even funny. workstation has not been damaged. If you post it How did I implement Windows Server hardening for CIS benchmark using Pester/BDD. Published on July 10, 2019. My objective is to secure/harden Windows 10 as much as possible while not impacting usability at all. Windows Server 2016 Hardening Checklist: The hardening checklists are based on the comprehensive checklists produced by the Center for Internet Security (CIS). What should I modify to allow rdp connection please? So be so kind and go ADD ON YOUR OWN GIST, crappy and unproductive comments as "Guys, this script has never been tested in production. Run it with elevated permissions on Windows 10 (beginning with version 1607) and Windows Server 2016 and now Server 2019. Also, one of those damn settings is breaking windows update: Unfortunately I had the same experience. Microsoft is dedicated to providing its customers with secure operating systems, such as Windows 10 and Windows Server, and secure apps, such as Microsoft Edge. Microsoft recognizes the need to harden Windows Server and provides a set of security best practice recommendations for different platforms, like Windows 10 and Windows Server.
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Download%20and%20Execute.md
https://gist.github.com/ecdfe30dadbdab6c514a530bc5d51ef6#gistcomment-3569078

powershell.exe Set-MpPreference -PUAProtection enable
powershell.exe Set-MpPreference -ScanAvgCPULoadFactor
powershell.exe Set-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D -AttackSurfaceReductionRules_Actions Enabled
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions enable
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions enable
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions enable
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-cd74-433a-b99e-2ecdc07bfc25 -AttackSurfaceReductionRules_Actions Enabled
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions Enabled
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 -AttackSurfaceReductionRules_Actions Enabled
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions Enabled
powershell.exe Set-MpPreference -EnableControlledFolderAccess Enabled
powershell.exe Set-MpPreference -MAPSReporting Advanced
powershell.exe Set-MpPreference -SubmitSamplesConsent Always
powershell.exe Set-Processmitigation -System -Enable DEP,EmulateAtlThunks,BottomUp,HighEntropy,SEHOP,SEHOPTelemetry,TerminateOnError
powershell.exe Set-MpPreference -EnableNetworkProtection Enabled
powershell.exe Invoke-WebRequest -Uri https://demo.wd.microsoft.com/Content/ProcessMitigation.xml -OutFile ProcessMitigation.xml
powershell.exe Set-ProcessMitigation -PolicyFilePath ProcessMitigation.xml
powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2
powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
reg add "HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" /v Functions /t REG_SZ /d "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA,TLS_PSK_WITH_AES_256_GCM_SHA384,TLS_PSK_WITH_AES_128_GCM_SHA256,TLS_PSK_WITH_AES_256_CBC_SHA384,TLS_PSK_WITH_AES_128_CBC_SHA256,TLS_PSK_WITH_NULL_SHA384,TLS_PSK_WITH_NULL_SHA256" /f