Explore NY Stream

System Hardening Checks

— ny_wk


System hardening is the disciplined process of shrinking a machine's attack surface by removing every account, service, port, and feature it does not strictly need, then locking down what remains. This Windows system hardening checklist walks through the exact settings, commands, and Group Policy controls that turn a default "easy to use" install into a secure, reliable, production-grade host.

Why system hardening matters

Operating systems ship optimized for convenience, not security. Out of the box they enable discovery protocols, sample services, default accounts, and broad permissions so that everything "just works." Each of those conveniences is also a potential entry point. The more functions a system performs, the larger its vulnerability surface becomes.

The core principle is simple: a server or desktop is usually dedicated to one or two jobs, so anything unrelated to those jobs should be removed. Hardening is vendor-specific because every vendor installs a different default footprint, and it is iterative because new weaknesses surface constantly. Done well, system hardening improves both security and reliability, since fewer running components means fewer things that can crash, conflict, or be exploited.

A note on legacy Windows versions

The classic hardening checklists were written for Windows XP, Windows 7, and Windows Server 2003 — all of which are end of life and unsupported. They receive no security patches and must not run on any network you care about. The principles below are timeless, but where a step is tied to a dead OS or a deprecated tool, the modern equivalent is called out so you can apply the same intent on Windows 10/11 and Windows Server 2019/2022/2025.

The Windows system hardening checklist (step by step)

Work through these controls in order. They move from the highest-impact, lowest-effort changes (privilege, patching, firewall) down to deeper lockdowns (registry, auditing, service accounts).

1. Do not run as administrator

The single most effective control is to make sure the account used for daily work is not a member of the local Administrators group. Running as a standard user stops most commodity malware from installing system-wide, because a standard user token cannot write to protected locations such as the HKLM registry hive, Program Files, or machine-wide auto-start entries; the malware is confined to the profile it landed in.

  1. Open Settings > Accounts > Other users (or netplwiz).
  2. Set your daily account type to Standard user.
  3. When an admin task is needed, Windows prompts for separate admin credentials via User Account Control (UAC) — the modern, integrated replacement for the old right-click "Run as" workflow.

The less privilege you carry, the less damage you (or malware acting as you) can do.

2. Treat networks as untrusted (Public profile)

Windows assigns every connection a network profile. Private (the old Home and Work profiles) enables network discovery and File and Printer Sharing; Public hides the machine from discovery and disables sharing by default. Unless a host genuinely needs to share resources, set its profile to Public. Domain-joined machines get the DomainAuthenticated profile automatically and cannot be switched.

  • GUI: Settings > Network & Internet > (your adapter) > Network profile type > Public.
  • PowerShell: Set-NetConnectionProfile -InterfaceAlias "Ethernet" -NetworkCategory Public

3. Keep the system fully patched

Most internet-borne exploits target unpatched systems. Microsoft ships fixes on Patch Tuesday (the second Tuesday of each month), with out-of-band releases for critical issues. Patching is the highest-value security step you can take.

  • Enable automatic updates: Settings > Windows Update (the legacy windowsupdate.com portal is long retired).
  • In a domain, centralize approvals with WSUS or, for modern fleets, Windows Update for Business / Intune / Azure Update Manager.
  • Patch applications too, not just the OS — browsers, Java, PDF readers, and runtimes are common targets. winget upgrade --all updates many third-party apps.

4. Enable the host firewall and drop inbound by default

Windows Defender Firewall is a stateful filter and should be on for every profile. If a host does not need to accept connections, drop all inbound traffic; for high-security hosts, filter outbound traffic and application access as well.

  • Turn it on for all profiles: netsh advfirewall set allprofiles state on
  • Default-deny inbound: netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
  • PowerShell equivalent: Set-NetFirewallProfile -All -DefaultInboundAction Block -Enabled True

5. Keep memory-protection features on

Data Execution Prevention (DEP) marks data pages (stack, heap) as non-executable so that injected payloads cannot run from them, a classic exploitation technique. Windows client editions default to the OptIn policy, which protects only Windows binaries; switch the boot setting to OptOut (the Server default) so every process is covered except the ones you deliberately exclude. On modern Windows, pair DEP with the broader Exploit Protection mitigations (ASLR, Control Flow Guard, hardware-enforced stack protection) under Windows Security > App & browser control > Exploit protection.

6. Disable remote access you do not use

Remote Assistance and Remote Desktop are powerful and frequently abused. Disable them unless they are an authorized requirement.

  • Open Advanced system settings > Remote, uncheck Allow Remote Assistance connections, and select Don't allow connections to this computer.
  • If RDP is required: require Network Level Authentication, require the TLS security layer with High encryption, restrict access to a named admin group (not the whole Administrators group), place RDP behind a VPN or Remote Desktop Gateway, and consider moving it off the default port 3389. The port change only thins out automated scans and password guessing; it is not a substitute for the other controls.

7. Raise User Account Control to its highest level

Setting UAC to Always notify prompts on more administrative actions. You see a few more dialogs, but you also get the chance to refuse anything you did not initiate. Configure it under User Accounts > Change User Account Control settings.

8. Disable legacy protocols (NetBIOS / SMBv1)

If a host does not share files over the network, remove the sharing stack entirely. Uncheck File and Printer Sharing for Microsoft Networks on the adapter, and disable NetBIOS over TCP/IP (adapter properties > IPv4 > Advanced > WINS > Disable NetBIOS over TCP/IP). This closes UDP 137/138 and TCP 139, which together with TCP 445 (SMB) are among the most attacked ports on Windows.

Critically, also ensure SMBv1 is removed. It is the protocol exploited by WannaCry and NotPetya (via EternalBlue), and it is no longer installed by default on Windows 10 1709+ and Windows Server 2019+, but upgraded systems may still carry it: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol.

9. Disable unnecessary services

Reducing the attack surface means turning off services the host will never use. Common candidates on a non-sharing workstation include TCP/IP NetBIOS Helper (service name lmhosts), Server (LanmanServer), Computer Browser (Browser, which depends on SMBv1 and is absent on current builds), Remote Registry (RemoteRegistry), and the HomeGroup services (HomeGroup was removed in Windows 10 1803+). Address services by their exact service name: a wildcard such as Get-Service Remote* also matches Remote Procedure Call (RPC) and Remote Desktop Services, which you do not want to touch.

  • Inspect and stop a service: Get-Service -Name RemoteRegistry | Stop-Service
  • Prevent it from starting: Set-Service -Name RemoteRegistry -StartupType Disabled

Disable rather than delete when unsure, so you can recover quickly — but document every change.
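Steps 2, 4, 8 and 9 above can be applied and verified in a single pass. The script below is an added example, not code from the original page: it assumes a standalone Windows 10/11 workstation that shares nothing, the service list is a starting point to adapt for your own hosts, and it must run from an elevated PowerShell. Run it with -WhatIf first to see what it would change; the verification block at the end prints the resulting state rather than trusting that each command succeeded.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the original page) for steps 2, 4, 8 and 9: set every active
  connection to the Public profile, enforce default-deny inbound on all firewall profiles,
  remove SMBv1, disable NetBIOS over TCP/IP, disable services a non-sharing workstation does
  not need, then read everything back. Assumption: standalone Windows 10/11 workstation.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Service names (not display names). Assumed starting point for a host that shares nothing.
    [string[]]$ServicesToDisable = @('RemoteRegistry', 'lmhosts', 'Browser', 'LanmanServer')
)

# 2. Treat every connection as untrusted. DomainAuthenticated profiles cannot be changed, so skip them.
foreach ($conn in Get-NetConnectionProfile) {
    if ($conn.NetworkCategory -eq 'DomainAuthenticated' -or $conn.NetworkCategory -eq 'Public') { continue }
    if ($PSCmdlet.ShouldProcess($conn.InterfaceAlias, 'Set network profile to Public')) {
        Set-NetConnectionProfile -InterfaceIndex $conn.InterfaceIndex -NetworkCategory Public
    }
}

# 4. Firewall on for all profiles, block inbound by default, log drops so later triage has evidence.
if ($PSCmdlet.ShouldProcess('Windows Defender Firewall', 'Enable, default-deny inbound, log blocked')) {
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True
}

# 8a. SMBv1: remove the optional feature and turn off the server-side dialect even if the feature lingers.
if ((Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -eq 'Enabled' -and
    $PSCmdlet.ShouldProcess('SMB1Protocol', 'Disable optional feature')) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}
if ((Get-SmbServerConfiguration).EnableSMB1Protocol -and $PSCmdlet.ShouldProcess('SMB server', 'Disable SMB1 dialect')) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 8b. NetBIOS over TCP/IP on every IP-enabled adapter. TcpipNetbiosOptions: 0 = DHCP default, 1 = enable, 2 = disable.
foreach ($nic in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    if ($nic.TcpipNetbiosOptions -ne 2 -and $PSCmdlet.ShouldProcess($nic.Description, 'Disable NetBIOS over TCP/IP')) {
        $result = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
        if ($result.ReturnValue -ne 0) { Write-Warning "SetTcpipNetbios on $($nic.Description) returned $($result.ReturnValue)" }
    }
}

# 9. Services: stop, then disable. Names missing on this build (e.g. Browser on recent Windows) are skipped.
foreach ($name in $ServicesToDisable) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Verbose "Service $name not present, skipping"; continue }
    if ($PSCmdlet.ShouldProcess($name, 'Stop and disable service')) {
        if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force -ErrorAction Stop }
        Set-Service -Name $name -StartupType Disabled
    }
}

# Verification: read the state back instead of assuming the commands above took effect.
Write-Host "`n== Network profiles =="
Get-NetConnectionProfile | Format-Table InterfaceAlias, NetworkCategory -AutoSize
Write-Host '== Firewall profiles =='
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked -AutoSize
Write-Host '== SMBv1 (want Disabled / False) =='
[pscustomobject]@{
    FeatureState = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    ServerSMB1   = (Get-SmbServerConfiguration).EnableSMB1Protocol
} | Format-Table -AutoSize
Write-Host '== NetBIOS over TCP/IP (want 2 = disabled) =='
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Format-Table Description, TcpipNetbiosOptions -AutoSize
Write-Host '== Services (want Stopped / Disabled) =='
Get-Service -Name $ServicesToDisable -ErrorAction SilentlyContinue | Format-Table Name, Status, StartType -AutoSize
```

Disabling LanmanServer also removes the administrative shares (C$, ADMIN$), which breaks remote management tools that rely on them; drop it from the list on any host that is managed over SMB.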

Server and account hardening for system administrators

The desktop checklist tightens an individual machine; the controls below harden a fleet and the domain. This is where system hardening pays off most for sysadmins managing many hosts.

10. Use antivirus and endpoint protection

Antivirus (Microsoft Defender Antivirus is built in and effective) must be installed and kept current with up-to-date signatures and real-time protection enabled. Confirm scheduled updates succeed and that real-time and tamper protection are on. Modern equivalents add EDR/XDR (Defender for Endpoint) and controlled folder access for ransomware resistance.

11. Enforce a strong password and lockout policy

Weak or default passwords are a leading cause of compromise. Enforce policy centrally through Group Policy (or Microsoft Entra/Intune for cloud-joined devices). A practical baseline:

  Setting                                       Recommended value
  --------------------------------------------  --------------------------------------------
  Enforce password history                      10 or more passwords remembered
  Minimum password length                       14+ characters (15+ for privileged accounts)
  Complexity requirements                       Enabled
  Store passwords using reversible encryption   Disabled
  Account lockout threshold                     5 invalid attempts
  Account lockout duration                      15+ minutes
  Reset account lockout counter after           15+ minutes

Modern guidance note: NIST SP 800-63B now recommends against forced periodic password expiration and arbitrary complexity rules, favoring long passphrases, screening against breached-password lists, and multi-factor authentication (MFA). Add MFA for all remote and privileged access — it is the highest-impact account control available today.

12. Remove software, accounts, and components you do not need

Every installed program, default account, and optional component is attack surface. Uninstall unused software with its official uninstaller, then verify leftover files, folders, and registry keys are gone. Disable or remove default and service accounts that are not required, and always change default passwords on accounts you keep.

Note that Windows Resource Protection (the successor to Windows File Protection) will restore protected OS files automatically, so do not try to "harden" by deleting them — use permissions and policy instead.

13. Use NTFS and least-privilege permissions

All partitions should use NTFS (or ReFS where appropriate), never FAT or exFAT, because only NTFS and ReFS carry access control lists and, on NTFS, auditing entries; a FAT volume has no per-file permissions at all. Use NTFS permissions to enforce least privilege:

  • Set permissions at the folder level and let them inherit downward.
  • Grant Modify or Read & Execute instead of Full Control — most users never need Full Control.
  • Remove (do not Deny) access for groups that should not have it. Allow entries are only additive, so a principal with no entry on the ACL simply gets nothing; an explicit Deny is evaluated before every Allow and is how administrators end up locked out of their own folders.
  • Be careful with Deny on broad groups like Everyone or Authenticated Users — admins belong to those groups too, so a blanket Deny can lock out accounts you did not intend.
  • Assign rights to groups, never to individual users (the AGDLP model), and use the Advanced Security Settings dialog to see effective permissions.
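The script below is an added example, not code from the original page, showing the folder-level, group-based layout the bullets above describe and then auditing the result for the two mistakes they warn about. It assumes a local group named App-Data-Modify standing in for the domain-local group AGDLP would use, and a constructed test path C:\Temp\AppData; both are created by the script and can be deleted afterwards. Run from an elevated PowerShell.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the original page) for step 13: least-privilege NTFS ACL set once
  at the folder, assigned to groups only, with Modify instead of Full Control, then audited.
  Assumptions: local group App-Data-Modify and path C:\Temp\AppData are constructed for the demo.
#>
param(
    [string]$Folder = 'C:\Temp\AppData',
    [string]$Group  = 'App-Data-Modify'
)
$ErrorActionPreference = 'Stop'

if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $Group -Description 'Constructed for the example: may modify application data' | Out-Null
}
New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# Stop inheriting from the parent and drop the inherited ACEs (BUILTIN\Users read, CREATOR OWNER, ...)
# so that the folder's effective access is exactly the three grants listed below.
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $false)
foreach ($existing in @($acl.Access)) { [void]$acl.RemoveAccessRule($existing) }

# Grant at the folder and let it flow down: ContainerInherit covers subfolders, ObjectInherit covers files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$grants  = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';      Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Administrators';   Rights = 'FullControl' },
    @{ Id = "$env:COMPUTERNAME\$Group"; Rights = 'Modify' }   # Modify, not Full Control: members cannot rewrite the ACL
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($g.Id, $g.Rights, $inherit, $none, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Folder -AclObject $acl

function Test-FolderAcl {
    # Reads the ACL back and flags the patterns the checklist warns about. One row per ACE.
    param([string]$Path)
    $broad      = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    $privileged = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $fullCtl    = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $id      = $ace.IdentityReference.Value
        $hasFull = (($ace.FileSystemRights -band $fullCtl) -eq $fullCtl)
        $finding = if ($ace.AccessControlType -eq 'Deny' -and $broad -contains $id) {
                       'Deny on broad group: admins are members too'
                   } elseif ($ace.AccessControlType -eq 'Allow' -and $hasFull -and $privileged -notcontains $id) {
                       'Full Control outside SYSTEM/Administrators'
                   } else { '' }
        [pscustomobject]@{
            Identity  = $id
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Finding   = $finding
        }
    }
}

Test-FolderAcl -Path $Folder | Format-Table -AutoSize
# Second opinion from the OS's own tool: (OI)(CI) on each line confirms inheritance is set up.
& icacls.exe $Folder
```

Test-FolderAcl is deliberately separate from the part that writes the ACL: point it at any existing share root to find Deny entries on Everyone or Full Control handed to ordinary groups before you touch anything.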

14. Reduce the attack surface and harden the boot path

Install only the components a host's role requires; on a web server, for example, strip out office and graphics packages. Harden the physical and boot layer too:

  • Set firmware (UEFI) to boot from the internal drive first and disable booting from removable media to stop offline tampering and password resets.
  • Protect firmware with a password and enable Secure Boot and (on capable hardware) a TPM.
  • Encrypt drives with BitLocker on laptops and any device at risk of theft, and define a recovery key escrow before deployment. This is the modern, robust replacement for EFS-only file encryption, which still needs a defined Data Recovery Agent if used.

15. Restrict what can execute (application control)

Preventing unauthorized code from running is one of the best controls you can apply. The legacy approach used Software Restriction Policies via Group Policy to block scripts and tools like cmd.exe and regedit.exe. The modern, far stronger equivalents are App Control for Business (formerly Windows Defender Application Control, WDAC) and AppLocker, which deny everything except explicitly allowed, signed, or hashed applications. Start in audit mode, review the events it generates, and only then switch to enforcement.

16. Harden the registry and Explorer behavior

A few registry-level tweaks remove easy footholds:

  • Disable AutoRun/AutoPlay for removable media so a malicious drive cannot auto-execute.
  • Restrict remote registry access (winreg key) to System, Administrators, and Backup Operators.
  • Disable storage of the weak LM hash: set Network security: Do not store LAN Manager hash value on next password change to Enabled (the default since Windows Vista, but worth verifying on upgraded domains), then force a password change so existing LM hashes are replaced.
  • In File Explorer, turn off Hide extensions for known file types so a file like invoice.txt.exe cannot masquerade as a harmless document.
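The registry tweaks above are a good fit for a desired-state script that reports drift before it changes anything. The script below is an added example, not code from the original page: it assumes Windows 10/11, that HideFileExt is a per-user value (so the Explorer change applies to the account running the script; use Group Policy to push it to everyone), and that the modern default winreg ACL includes LOCAL SERVICE with Read alongside the three principals the text names. Run from an elevated PowerShell, with -WhatIf to report only.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the original page) for step 16: declarative list of registry values,
  checked first and written only on drift, plus a read-only audit of the winreg key's ACL.
  Assumptions: Windows 10/11; HideFileExt applies to the current user only.
#>
[CmdletBinding(SupportsShouldProcess)]
param()

# Desired state: path, value name, DWORD value, and the reason it is set.
$desired = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Value = 0xFF
       Why  = 'Disable AutoRun on every drive type (removable, network, optical, ...)' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoAutorun'; Value = 1
       Why  = 'Never execute autorun.inf commands' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'NoLMHash'; Value = 1
       Why  = 'Stop storing the weak LM hash on next password change' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'HideFileExt'; Value = 0
       Why  = 'Show extensions so invoice.txt.exe cannot pose as a text file' }
)

function Get-RegDword {
    # Returns $null when the key or value does not exist instead of throwing.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$report = foreach ($d in $desired) {
    $current   = Get-RegDword -Path $d.Path -Name $d.Name
    $compliant = ($current -eq $d.Value)
    if (-not $compliant -and $PSCmdlet.ShouldProcess("$($d.Path)\$($d.Name)", "Set DWORD to $($d.Value)")) {
        if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
        New-ItemProperty -Path $d.Path -Name $d.Name -PropertyType DWord -Value $d.Value -Force | Out-Null
        $current   = Get-RegDword -Path $d.Path -Name $d.Name   # re-read: verify, do not assume
        $compliant = ($current -eq $d.Value)
    }
    [pscustomobject]@{ Setting = $d.Name; Expected = $d.Value; Actual = $current; Compliant = $compliant; Why = $d.Why }
}
$report | Format-Table -AutoSize

# winreg ACL audit (report only). Any principal with an Allow entry here can reach the registry
# remotely through the Remote Registry service. LOCAL SERVICE (Read) is assumed to be the modern default.
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Backup Operators', 'NT AUTHORITY\LOCAL SERVICE')
$winreg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$extra   = (Get-Acl -Path $winreg).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $allowed -notcontains $_.IdentityReference.Value }
if ($extra) {
    Write-Warning 'winreg grants remote registry access to unexpected principals:'
    $extra | Format-Table IdentityReference, RegistryRights, IsInherited -AutoSize
} else {
    Write-Host "winreg ACL: only expected principals have access ($($allowed -join ', '))."
}
```

The re-read after every write is the part that matters: a policy that silently fails to apply (wrong hive, missing key, a GPO that overwrites it on the next refresh) looks identical to success unless you check the stored value.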

17. Configure auditing and protect the event logs

You cannot respond to what you cannot see. Enable an audit policy that records both success and failure for the events that matter, and size the logs so they are not silently overwritten:

  • Audit Account Logon, Logon, Account Management, and Policy Change for Success and Failure; audit Object Access and Privilege Use for Failure (and Success on critical files).
  • Increase Application, Security, and System log sizes well beyond the tiny defaults.
  • Forward logs to a central SIEM or Windows Event Forwarding collector so an attacker cannot erase local evidence.
  • Use the modern Advanced Audit Policy Configuration for granular control instead of the basic audit categories.
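The script below applies the audit baseline from the bullets above and reads it back. It is an added example, not code from the original page: it assumes Windows 10/11 or Server 2019+, the English subcategory names that auditpol expects, and log sizes that are a starting point (Security 1 GB, Application and System 256 MB). Command-line logging for process creation is added because 4688 events are of limited use without it. Run from an elevated PowerShell, with -WhatIf to preview.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the original page) for step 17: advanced audit policy via auditpol,
  command-line capture for 4688, larger event logs via wevtutil, then verification by re-reading.
  Assumptions: Windows 10/11 or Server 2019+; sizes below are a starting point.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$SecurityLogMB = 1024,
    [int]$OtherLogMB    = 256
)

# Advanced Audit Policy only overrides the nine legacy categories when this LSA flag is set.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($PSCmdlet.ShouldProcess("$lsa\SCENoApplyLegacyAuditPolicy", 'Set to 1')) {
    New-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -PropertyType DWord -Value 1 -Force | Out-Null
}

# Subcategory -> (success, failure). Mirrors the text: logon, account management and policy change
# both ways; object access and privilege use on failure; process creation for investigations.
$audit = [ordered]@{
    'Credential Validation'        = @($true,  $true)    # Account Logon
    'Logon'                        = @($true,  $true)    # Logon/Logoff
    'Logoff'                       = @($true,  $false)
    'Account Lockout'              = @($true,  $true)
    'Special Logon'                = @($true,  $false)   # 4672: admin-equivalent privileges assigned
    'User Account Management'      = @($true,  $true)    # Account Management
    'Security Group Management'    = @($true,  $true)
    'Audit Policy Change'          = @($true,  $true)    # Policy Change
    'Authentication Policy Change' = @($true,  $true)
    'Sensitive Privilege Use'      = @($false, $true)    # Privilege Use: failure only
    'File System'                  = @($false, $true)    # Object Access: failure; add SACLs on critical files for success
    'Process Creation'             = @($true,  $false)   # 4688
}
$onoff = @{ $true = 'enable'; $false = 'disable' }
foreach ($sub in $audit.Keys) {
    $s, $f = $audit[$sub]
    if ($PSCmdlet.ShouldProcess($sub, "success:$($onoff[$s]) failure:$($onoff[$f])")) {
        & auditpol.exe /set /subcategory:"$sub" /success:$($onoff[$s]) /failure:$($onoff[$f]) | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for '$sub' (exit $LASTEXITCODE)" }
    }
}

# Put the full command line into 4688 events.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if ($PSCmdlet.ShouldProcess("$auditKey\ProcessCreationIncludeCmdLine_Enabled", 'Set to 1')) {
    if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
    New-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -PropertyType DWord -Value 1 -Force | Out-Null
}

# Log sizes in bytes. The 20 MB default rolls over within hours on a busy host.
$sizes = @{ Security = $SecurityLogMB * 1MB; Application = $OtherLogMB * 1MB; System = $OtherLogMB * 1MB }
foreach ($log in $sizes.Keys) {
    if ($PSCmdlet.ShouldProcess($log, "Set maximum size to $($sizes[$log] / 1MB) MB")) {
        & wevtutil.exe sl $log /ms:$($sizes[$log]) /rt:false   # /rt:false = overwrite oldest; never stop logging
    }
}

# Verify by reading back, not by trusting the commands above.
Write-Host "`n== Effective audit policy =="
& auditpol.exe /get /category:* | Select-String -Pattern ($audit.Keys -join '|')
Write-Host "`n== Log sizes =="
foreach ($log in $sizes.Keys) {
    $max = (& wevtutil.exe gl $log | Select-String '^\s*maxSize:\s*(\d+)').Matches[0].Groups[1].Value
    [pscustomobject]@{ Log = $log; MaxBytes = [int64]$max; Expected = $sizes[$log]; OK = ([int64]$max -eq $sizes[$log]) }
}
```

Local settings like these are overwritten on the next Group Policy refresh if a GPO defines audit policy, so in a domain put the same subcategories into the GPO and use this script only to verify that the GPO landed.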

18. Harden privileged accounts and service accounts

Administrative accounts are the prize attackers want, so apply extra controls:

  • Give privileged accounts long (15+ character), unique, complex passwords and never reuse passwords across admin accounts (to prevent "island hopping" between systems).
  • Separate Domain Admin, Enterprise Admin, and Schema Admin roles across different accounts.
  • Use the Restricted Groups GPO (or modern equivalents) to control membership of privileged groups, and do not let admin accounts sit in groups they don't need.
  • Run services under least-privileged accounts — prefer Group Managed Service Accounts (gMSA), LocalService, or NetworkService over LocalSystem or domain admin accounts.
  • Reduce cached logons on shared or kiosk machines, and do not save passwords inside RDP connection files.

19. Back up, validate, and decommission securely

Hardening assumes things will still go wrong. Maintain regular, tested backups sized to the data's importance and change rate, and keep at least one copy offline or immutable to survive ransomware. When retiring hardware, sanitize the drives — formatting does not remove data; use secure-erase or cryptographic erasure (BitLocker key destruction) so sensitive files cannot be recovered.

Verification: confirm the system is actually hardened

A hardening checklist is only complete once you have proven it took effect. Validate, don't assume:

  1. Confirm effective Group Policy with gpresult /h C:\report.html (gpresult /r gives a quick console summary, gpresult /v the full verbose listing). Open the report and check that the settings you expect are listed as applied and that no GPO was filtered out by security filtering or WMI.
  2. Check firewall state: netsh advfirewall show allprofiles.
  3. List remaining auto-start services: Get-Service | Where-Object {$_.StartType -eq 'Automatic'}.
  4. Run an authenticated vulnerability scan from a scanner outside the host's own firewall, so the result reflects what a network neighbor can reach. The free Microsoft Baseline Security Analyzer (MBSA) is deprecated; compare the host against the official security baselines with the Microsoft Security Compliance Toolkit (Policy Analyzer), and scan with a tool such as OpenVAS/Greenbone, Nessus, or Qualys.
  5. Analyze every finding — there are almost always a few — remediate, and rescan until nothing significant remains.

When the scan comes back clean and your baseline report matches policy, you have a hardened, production-ready system.

Common pitfalls to avoid

  • Hardening a dead OS. No amount of configuration makes Windows XP, 7, or Server 2003 safe; migrate to a supported release first.
  • Blanket Deny ACLs. Denying Everyone or Authenticated Users can silently lock out admins, since those broad groups include privileged accounts.
  • Disabling services without documenting them. Undocumented changes turn into outages no one can diagnose months later.
  • Relying on security by obscurity. Renaming an executable or moving a port slows scripted attacks but is not a real control — pair it with permissions, application control, and MFA.
  • One-and-done hardening. New vulnerabilities appear constantly; bake hardening into automation (baselines, GPO, Intune, scripts) so it reapplies consistently and is never left to manual memory.
  • Skipping backups and recovery keys. Encrypting drives or tightening accounts without escrowed recovery keys can lock you out as surely as an attacker.

Key Takeaways

  • Least privilege first: standard-user daily accounts plus strong, MFA-protected admin accounts stop the majority of attacks.
  • Patch everything: keep both the OS and applications current; unpatched software is the most-exploited weakness.
  • Shrink the attack surface: remove unused software, accounts, services, and legacy protocols (SMBv1, NetBIOS) the host doesn't need.
  • Enforce, audit, and verify centrally: use Group Policy/Intune, NTFS least-privilege permissions, application control, logging, and a vulnerability scan to prove the baseline holds.
  • Modernize legacy steps: swap MBSA for the Security Compliance Toolkit, SRP for WDAC/AppLocker, and EFS-only for BitLocker, while applying the same timeless principles.

Frequently Asked Questions

What is system hardening in simple terms?

System hardening is the process of securing a computer by reducing its attack surface — removing or disabling every account, service, port, application, and feature that the system does not need for its intended role, then tightening permissions and configuration on what remains. The result is a host that is both more secure against attackers and more reliable in production.

What are the first steps to harden a Windows machine?

Start with the highest-impact, lowest-effort controls: run daily as a standard (non-admin) user, enable automatic updates for the OS and applications, turn on Windows Defender Firewall with a default-deny inbound policy, disable remote access you don't use, and remove unused software and services. These five steps eliminate most everyday risk before you move to deeper Group Policy and registry hardening.

Is the old Windows 7 / XP hardening advice still valid?

The principles — least privilege, patching, attack-surface reduction, strong authentication, auditing — are timeless and still apply. The specific tools are not: Windows XP, 7, and Server 2003 are end of life and unsafe, MBSA and Software Restriction Policies are deprecated, and modern guidance discourages forced password expiry in favor of long passphrases plus MFA. Apply the same intent using current tools like Intune, WDAC/AppLocker, BitLocker, and the Microsoft Security Compliance Toolkit.

How do I verify that hardening actually worked?

Confirm applied policy with gpresult /h report.html, check the firewall with netsh advfirewall show allprofiles, review auto-start services with PowerShell, and run a vulnerability scanner (OpenVAS, Nessus, or Qualys) from outside the firewall. Compare results against an official security baseline, remediate findings, and rescan until the system is clean.

For more hands-on IT, system administration, and security walkthroughs, subscribe to @explorenystream on YouTube.