The Ultimate Guide to Server Hardening: A Step-by-Step Checklist for Windows and Linux

A newly deployed server is an open door. Out-of-the-box configurations prioritize ease of use over security, leaving countless unnecessary services, default accounts, and open ports exposed to the network. Server hardening is the process of systematically securing this system by reducing its attack surface, making it a fortified bastion instead of a vulnerable target.

This guide provides a comprehensive, step-by-step checklist for system administrators to harden both Windows and Linux servers. It covers essential security configurations, from disabling unnecessary services and configuring firewalls to implementing user access controls and auditing policies, effectively creating a blueprint for a secure server baseline.

Pro Tip: Always test these configurations in a non-production environment before applying them to live servers. Automation using tools like Ansible, Puppet, or PowerShell DSC is highly recommended for consistency.

Pre-Hardening Checklist: The Foundation

Before you begin, complete these critical first steps.

  1. Documentation: Note the server’s intended role, applications, and required network ports.
  2. Initial Setup: Install the latest stable version of the OS from a verified source.
  3. Network Isolation: Perform initial hardening on an isolated network segment to avoid interruptions and exposure.
  4. Backup: Take a full system snapshot or backup before making changes. This is your rollback plan.

Part 1: Windows Server Hardening Checklist

1.1. System Updates and Patches

  • Enable Automatic Updates: Configure to download and notify for install. For critical servers, a controlled, tested deployment is better.
    • Settings > Windows Update > Advanced options
  • Manual Check: Run wuauclt /detectnow in an elevated command prompt to force a check for updates.
  • Validate: Run systeminfo and check the “Hotfix(s)” list to confirm recent updates are installed.

1.2. Account Policies and Authentication

  • Rename the Local Administrator Account: Change the name from ‘Administrator’ to something less predictable.
    • Local Security Policy (secpol.msc) > Security Settings > Local Policies > Security Options > Accounts: Rename administrator account
  • Disable the Built-in Guest Account: Ensure it is disabled.
    • Computer Management > Local Users and Groups > Users > Guest > Properties > Account is disabled
  • Enforce Strong Password Policy:
    • Local Security Policy > Account Policies > Password Policy
    • Password must meet complexity requirements: Enabled
    • Minimum password length: 14 characters
    • Maximum password age: 60-90 days (based on your policy)
  • Configure Account Lockout Policy:
    • Local Security Policy > Account Policies > Account Lockout Policy
    • Account lockout threshold: 5 invalid login attempts
    • Reset account lockout counter after: 15 minutes

1.3. Network Security and Firewall

  • Configure Windows Defender Firewall:
    • Windows Defender Firewall with Advanced Security
    • Ensure the firewall is ON for all profiles (Domain, Private, Public).
    • Block all inbound connections by default. Create explicit allow rules only for required applications and ports (e.g., RDP port 3389, but only from specific management subnets).
  • Disable SMBv1: An obsolete and highly vulnerable protocol.
    • PowerShell: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
  • Disable LLMNR and NetBIOS: These name resolution protocols are susceptible to spoofing and poisoning attacks.
    • Done via Group Policy or network adapter properties.

1.4. Services and Features

  • Uninstall Unnecessary Features: Remove GUI components, IIS, and any other roles/features not required for the server’s function.
    • Server Manager > Manage > Remove Roles and Features
  • Disable Unnecessary Services: Stop and disable services like Print Spooler, Remote Registry, and TCP/IP NetBIOS Helper if not needed.
    • services.msc

1.5. Local Security Policies and Auditing

  • Configure Audit Policy: Enable auditing for success and failure on key events.
    • Local Security Policy > Local Policies > Audit Policy
    • Audit account logon events: Success, Failure
    • Audit account management: Success, Failure
    • Audit logon events: Success, Failure
    • Audit object access: Failure (or Success if needed for specific files)
  • Set Security Options:
    • Local Security Policy > Security Settings > Local Policies > Security Options
    • Interactive logon: Do not display last username: Enabled
    • Microsoft network server: Disconnect clients when logon hours expire: Enabled
    • Network access: Restrict anonymous access to Named Pipes and Shares: Enabled
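One way to verify the settings from 1.2 and 1.5 together, added here as an example and not something from the original guide: export the effective local policy with `secedit /export /cfg C:\Temp\secpol.inf` (a standard Windows command; the file it writes is UTF-16 text) and run the Python check below over it. The INF excerpt is constructed, the thresholds are the ones listed above, and the audit values use secedit's bitmask (1 = Success, 2 = Failure, 3 = both).

```python
import configparser
# Constructed excerpt of a `secedit /export /cfg` file (a real export is UTF-16
# and has more sections); two values are deliberately out of policy.
SAMPLE_INF = """\
[System Access]
MinimumPasswordLength = 8
MaximumPasswordAge = 60
PasswordComplexity = 1
LockoutBadCount = 5
ResetLockoutCount = 15
NewAdministratorName = "srvadm"
EnableGuestAccount = 0
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 1
AuditObjectAccess = 2
"""
# Thresholds from 1.2 and 1.5. A MaximumPasswordAge of -1 means "never expires".
SYSTEM_ACCESS = {
    "MinimumPasswordLength": lambda v: int(v) >= 14,
    "MaximumPasswordAge": lambda v: 1 <= int(v) <= 90,
    "PasswordComplexity": lambda v: int(v) == 1,
    "LockoutBadCount": lambda v: 1 <= int(v) <= 5,
    "ResetLockoutCount": lambda v: int(v) >= 15,
    "NewAdministratorName": lambda v: v.strip('"').lower() != "administrator",
    "EnableGuestAccount": lambda v: int(v) == 0,
}
# Audit values are bitmasks: 1 = Success, 2 = Failure, 3 = both.
EVENT_AUDIT = {"AuditLogonEvents": 3, "AuditAccountLogon": 3,
               "AuditAccountManage": 3, "AuditObjectAccess": 2}

def find_deviations(text):
    """Return {setting: current value} for each setting that misses the checklist."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str                     # keep secedit's key spelling
    cp.read_string(text)
    bad = {}
    for key, ok in SYSTEM_ACCESS.items():
        val = cp["System Access"].get(key)   # None when the export lacks the key
        if val is None or not ok(val):
            bad[key] = val
    for key, need in EVENT_AUDIT.items():
        val = int(cp["Event Audit"].get(key, "0"))
        if val & need != need:               # a required Success/Failure bit is off
            bad[key] = str(val)
    return bad
```

For a real export, read it with `open(path, encoding="utf-16")` before passing the text in. If the server uses Advanced Audit Policy, the [Event Audit] values may read 0 even though auditing is on; `auditpol /get /category:*` shows the effective subcategory settings there.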

Part 2: Linux Server Hardening Checklist

2.1. System Updates and Repositories

  • Update Package Lists:
    • sudo apt update (Debian/Ubuntu) or sudo dnf check-update (RHEL/Rocky/AlmaLinux)
  • Upgrade Installed Packages:
    • sudo apt upgrade (Debian/Ubuntu) or sudo dnf upgrade (RHEL/Rocky/AlmaLinux)
  • Configure Unattended Upgrades (Debian/Ubuntu):
    • sudo apt install unattended-upgrades
    • Enable and configure: sudo dpkg-reconfigure --priority=low unattended-upgrades
  • Remove Obsolete Packages:
    • sudo apt autoremove && sudo apt autoclean

2.2. SSH Server Security (Critical!)

  • Change SSH Port: Edit /etc/ssh/sshd_config and change Port 22 to a non-standard port (e.g., Port 6022).
  • Disable Root Login: Prevent direct SSH login as root.
    • PermitRootLogin no
  • Use Key-Based Authentication: Enforce SSH keys and disable password authentication.
    • PubkeyAuthentication yes
    • PasswordAuthentication no
  • Limit User Access: Only allow specific users to SSH into the server.
    • AllowUsers username1 username2
  • Restrict Protocol Version: Use only SSH protocol version 2.
    • Protocol 2
  • Reload SSH Service: sudo systemctl reload sshd

⚠️ Warning: When changing SSH settings, always have a separate console connection open to test. A misconfiguration can lock you out.
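An offline check for the 2.2 settings, added here as an example and not part of the original guide: it reads sshd_config the way sshd does (keywords are case-insensitive, the first occurrence of a keyword wins, and the first Match block ends the global section), fills in sshd's defaults for anything unset, and reports each checklist item that is not met. The sample file is constructed; `Protocol` is deliberately not checked because OpenSSH 7.4 and later have no SSH-1 support and ignore that keyword.

```python
import re

# Constructed sshd_config for the demo, not a real host's file; one item is left wrong.
SAMPLE_SSHD_CONFIG = """\
Port 6022
#PermitRootLogin prohibit-password
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
AllowUsers ops1 ops2
Protocol 2
Match User backup
    PasswordAuthentication no
"""

# Checklist targets from 2.2, each paired with sshd's built-in default for the keyword.
# "Protocol" is not checked: OpenSSH 7.4+ has no SSH-1 support and ignores the keyword.
CHECKS = {
    "port":                   (lambda v: v != "22", "22"),
    "permitrootlogin":        (lambda v: v.lower() == "no", "prohibit-password"),
    "pubkeyauthentication":   (lambda v: v.lower() == "yes", "yes"),
    "passwordauthentication": (lambda v: v.lower() == "no", "yes"),
    "allowusers":             (lambda v: v != "", ""),
}
_LINE = re.compile(r"([A-Za-z0-9]+)\s*=?\s*(.*)")   # "Keyword value" or "Keyword=value"

def effective_settings(text):
    """Global settings as sshd resolves them: keywords are case-insensitive, the
    first occurrence wins, and the first Match block ends the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _LINE.match(line)
        if not line or line.startswith("#") or not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)      # later duplicates are ignored by sshd
    return settings

def audit_sshd_config(text):
    """Return {keyword: effective value} for every 2.2 item that is not met."""
    current = effective_settings(text)
    return {key: current.get(key, default)
            for key, (ok, default) in CHECKS.items()
            if not ok(current.get(key, default))}
```

On the host itself, `sudo sshd -T` prints the fully resolved configuration in the same keyword/value form, so its output can be fed to the same function after a config change and before the reload.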

2.3. User Accounts and Authentication

  • Enforce Strong Password Policy:
    • Edit /etc/security/pwquality.conf for length and complexity, and use chage for password age, to set:
    • Minimum password length: minlen=12
    • Password complexity: minclass=4 (requires lower, upper, digit, special char)
    • Maximum password age: sudo chage -M 90 <username>
  • Configure sudo Access: Use visudo to edit the /etc/sudoers file securely.
    • Avoid using ALL=(ALL) ALL. Grant specific privileges per user/group.
    • Consider requiring a password for sudo commands.

2.4. Network Security and Firewall

  • Configure UFW (Uncomplicated Firewall) or firewalld:
    • UFW (Debian/Ubuntu):
      • sudo ufw enable
      • sudo ufw default deny incoming (Block all inbound by default)
      • sudo ufw default allow outgoing
      • sudo ufw allow <your_ssh_port>/tcp
      • sudo ufw allow 80/tcp (If a web server)
      • sudo ufw allow 443/tcp (If a web server)
    • firewalld (RHEL/Fedora):
      • sudo systemctl enable --now firewalld
      • sudo firewall-cmd --permanent --add-port=<your_ssh_port>/tcp
      • sudo firewall-cmd --reload
  • Disable IPv6 if not used: If your network doesn’t use IPv6, consider disabling it to reduce attack surface.
    • Edit /etc/sysctl.conf and add:
      net.ipv6.conf.all.disable_ipv6 = 1
      net.ipv6.conf.default.disable_ipv6 = 1
      net.ipv6.conf.lo.disable_ipv6 = 1
    • Apply: sudo sysctl -p

2.5. Filesystem and Services

  • Disable Unused Services: Identify and stop services that are not required.
    • sudo systemctl list-unit-files --state=enabled
    • sudo systemctl disable --now <service_name>
  • Check Listening Ports: See what’s exposed to the network.
    • sudo ss -tulpn
  • Set Strict Permissions on Critical Files:
    • sudo chmod 600 /etc/shadow (Read/write for root only)
    • sudo chmod 644 /etc/passwd (World-readable)
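To turn the "Check Listening Ports" step into a repeatable test, as an added example that is not from the original article: this Python script parses `ss -tulpn` output and reports every socket bound to a non-loopback address whose protocol/port pair is not in the list recorded during the pre-hardening documentation step. The ss output and the documented port set (SSH on 6022, HTTP, HTTPS) are constructed assumptions.

```python
import re

# Constructed `ss -tulpn` output for the demo, not captured from a real server.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=901,fd=3))
tcp   LISTEN 0      511    *:80                *:*               users:(("nginx",pid=1200,fd=6),("nginx",pid=1201,fd=6))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=901,fd=4))
tcp   LISTEN 0      4096   127.0.0.1:3306      0.0.0.0:*         users:(("mariadbd",pid=1500,fd=20))
tcp   LISTEN 0      128    0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=600,fd=4))
"""

# (protocol, port) pairs recorded for this server's role in the pre-hardening
# documentation step; assumed values: SSH moved to 6022, plus HTTP and HTTPS.
DOCUMENTED = {("tcp", 6022), ("tcp", 80), ("tcp", 443)}

def is_loopback(addr):
    """True for addresses only reachable from the host itself."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")

def parse_ss(text):
    """Yield (proto, port, local address, process name) for each socket line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Netid":   # blank line or column header
            continue
        addr, port = fields[4].rsplit(":", 1)         # "[::]:22" -> "[::]", "22"
        if not port.isdigit():
            continue
        proc = re.search(r'"([^"]+)"', line)          # first name in users:((...))
        yield fields[0], int(port), addr, proc.group(1) if proc else "?"

def unexpected_listeners(text, documented=DOCUMENTED):
    """Sockets exposed to the network that the documentation does not justify.
    Loopback-only listeners are skipped; anything else must be on the list."""
    return [entry for entry in parse_ss(text)
            if not is_loopback(entry[2]) and (entry[0], entry[1]) not in documented]

if __name__ == "__main__":
    import sys   # usage: ss -tulpn > ports.txt && python3 audit_ports.py ports.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SS
    for proto, port, addr, proc in unexpected_listeners(text):
        print(f"UNDOCUMENTED {proto}/{port} on {addr} ({proc})")
```

In the sample, sshd still listening on 22 shows up immediately, which is exactly the kind of "hardening step not actually applied" gap this check is for.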

Part 3: Universal Post-Hardening Steps

  1. Reboot: Reboot the server to ensure all changes take effect and that required services start correctly.
  2. Scan: Run a vulnerability scan (e.g., using Lynis for Linux or OpenVAS for both) against the server to identify any remaining misconfigurations.
  3. Document: Record all changes made from the baseline. This is crucial for auditing and replicating the setup.
  4. Create a Golden Image: Use this hardened server as a template for all future deployments.

Conclusion: Maintenance is Key

Server hardening is not a one-time event. It’s an ongoing process that integrates into your IT lifecycle.

  • Patch Regularly: Continuously apply security updates.
  • Audit Periodically: Re-scan and audit your servers quarterly or biannually.
  • Review Policies: As your software and network evolve, revisit your hardening policies to ensure they remain effective.

By following this definitive checklist, you transform your servers from vulnerable default installations into resilient, secure foundations for your critical applications.

Tags: #ServerHardening #WindowsSecurity #LinuxSecurity #ITOps #Cybersecurity #SysAdmin

