Introduction to Windows Server 2019 Security Configuration
Securing Windows Server 2019 requires a defense-in-depth approach that addresses operating system hardening, network security, access control, and monitoring. Windows Server 2019 includes significant security enhancements over previous versions including Windows Defender System Guard for firmware protection, Windows Defender Credential Guard for protecting credentials, Windows Defender Application Guard for browser isolation, and Shielded VMs for protecting virtual machines from compromised hypervisor administrators. Properly configuring these security features significantly reduces attack surface and limits the blast radius of security incidents. This guide covers the essential security configuration tasks for hardening a Windows Server 2019 deployment.
Applying Security Baselines with Microsoft SCT
The Microsoft Security Compliance Toolkit (SCT) provides pre-built Group Policy Object baselines for Windows Server 2019. Download the toolkit from the Microsoft Download Center and apply the appropriate baseline. The Windows Server 2019 Security Baseline contains over 300 security settings tested and validated by Microsoft. Import and apply the baseline GPO:
$toolkitPath = "C:\SecurityBaselines\Windows Server 2019"
Import-Module GroupPolicy
# Import the backed-up baseline into a GPO of the same name, creating the GPO if it does not exist yet
Import-GPO -BackupGpoName "MSFT Windows Server 2019 - Domain Controller Baseline" -Path "$toolkitPath\GPOs" -TargetName "MSFT Windows Server 2019 - Domain Controller Baseline" -MigrationTable "$toolkitPath\migration.migtable" -CreateIfNeeded
New-GPLink -Name "MSFT Windows Server 2019 - Domain Controller Baseline" -Target "OU=Domain Controllers,DC=contoso,DC=com"
Use the Policy Analyzer tool included in SCT to compare current settings against the baseline and identify deviations.
Disabling Unnecessary Services and Features
Reduce the attack surface by disabling services and features that are not required. Follow the principle of minimal functionality. Common services to disable on servers that do not need them:
# Use service names, not display names: Get-Service -Name does not resolve display names such as "Print Spooler"
# Dhcp also performs dynamic DNS registration, so keep it on servers that register their own records
$servicesToDisable = @("Spooler","RemoteRegistry","Browser","Dhcp","Fax","lltdsvc","upnphost","SSDPSRV","WMPNetworkSvc","WSearch","XblAuthManager","XblGameSave","XboxNetApiSvc","TabletInputService")
foreach ($svc in $servicesToDisable) {
    # Skip services that are not present on this build
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svc -StartupType Disabled -ErrorAction SilentlyContinue
        Write-Host "Disabled: $svc"
    }
}
Remove Windows features not needed on the server role:
Uninstall-WindowsFeature FS-SMB1
Uninstall-WindowsFeature Telnet-Client
Uninstall-WindowsFeature TFTP-Client
Disable-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol" -NoRestart
Disable-WindowsOptionalFeature -Online -FeatureName "TelnetClient" -NoRestart
Configuring Windows Defender Credential Guard
Credential Guard uses hardware-backed virtualization security to isolate LSASS secrets, including NTLM password hashes and Kerberos tickets, from the rest of the operating system, preventing Pass-the-Hash and Pass-the-Ticket attacks against those secrets. Enable it via Group Policy or PowerShell. The server requires UEFI, Secure Boot, and hardware capable of Hyper-V or Device Guard. Use the Device Guard and Credential Guard Hardware Readiness Tool to check compatibility and enable it:
.\DG_Readiness_Tool.ps1 -Capable
.\DG_Readiness_Tool.ps1 -Enable -AutoReboot
Alternatively enable via registry:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f
Verify Credential Guard is running; SecurityServicesRunning contains 1 when Credential Guard is running and 2 when HVCI is running:
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | Select-Object SecurityServicesRunning
Hardening SMB Configuration
SMB security misconfigurations are a major attack vector. Disable SMBv1 completely, enforce SMB signing, and configure SMB encryption for sensitive shares. The EncryptData setting below enables encryption server-wide, which by default also rejects clients that cannot negotiate SMB 3 encryption:
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Set-SmbServerConfiguration -EnableSMB2Protocol $true -Force
Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
Set-SmbServerConfiguration -EncryptData $true -Force
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol, RequireSecuritySignature, EncryptData
Disable SMBv1 via registry to ensure persistence across updates:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "SMB1" -Type DWORD -Value 0 -Force
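An added example, not code from the original guide: a check-and-remediate function for the settings above. It also covers per-share encryption, which is the right tool when only some shares hold sensitive data and the server-wide EncryptData switch is not wanted; the share names are assumed placeholders.

```powershell
# Added example; not from the original guide. Audits the SMB server settings set
# above and, with -Remediate, encrypts the named sensitive shares individually.
# Share names are assumed placeholders.
function Test-SmbHardening {
    param(
        [string[]]$SensitiveShares = @("Finance", "HR"),
        [switch]$Remediate
    )
    $cfg = Get-SmbServerConfiguration
    $findings = New-Object System.Collections.Generic.List[string]

    if ($cfg.EnableSMB1Protocol)            { $findings.Add("SMBv1 protocol is still enabled") }
    if (-not $cfg.RequireSecuritySignature) { $findings.Add("SMB signing is not required") }

    # The SMB1 server feature can remain installed even after the protocol is disabled
    $feature = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
    if ($feature -and $feature.Installed)   { $findings.Add("FS-SMB1 feature is still installed") }

    if (-not $cfg.EncryptData) {
        # No server-wide encryption, so each sensitive share must be encrypted on its own.
        # Encrypted shares reject clients that cannot negotiate SMB 3 encryption.
        foreach ($name in $SensitiveShares) {
            $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
            if ($null -eq $share) { $findings.Add("Share '$name' not found"); continue }
            if ($share.EncryptData) { continue }
            if ($Remediate) {
                Set-SmbShare -Name $name -EncryptData $true -Force
                $findings.Add("Share '$name': encryption enabled")
            } else {
                $findings.Add("Share '$name' is not encrypted")
            }
        }
    }

    # Sessions negotiated below SMB 3.0 cannot use encryption at all
    Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { [version]$_.Dialect -lt [version]"3.0" } |
        ForEach-Object { $findings.Add("Client $($_.ClientComputerName) uses SMB $($_.Dialect)") }

    return $findings
}

Test-SmbHardening -SensitiveShares "Finance", "HR"
```

Run it once without -Remediate to see the findings, then with -Remediate after confirming that every client of the listed shares supports SMB 3.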
Configuring Windows Firewall with Advanced Security
Configure Windows Defender Firewall to allow only necessary traffic. Start by enabling the firewall on all profiles and setting the default inbound action to Block on every profile. Outbound traffic stays allowed on the Domain and Private profiles and is blocked on the Public profile, where locally created rules are ignored as well:
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block -DefaultOutboundAction Allow
Set-NetFirewallProfile -Profile Private -DefaultInboundAction Block -DefaultOutboundAction Allow
Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block -DefaultOutboundAction Block -AllowLocalFirewallRules False
Create specific rules for required services:
New-NetFirewallRule -DisplayName "Allow RDP" -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow -Profile Domain -RemoteAddress 192.168.1.0/24
New-NetFirewallRule -DisplayName "Allow HTTPS" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow
New-NetFirewallRule -DisplayName "Allow Ping" -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -Action Allow -Profile Domain
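An added example, not code from the original guide: an audit that lists enabled inbound Allow rules with no remote address scope, so that rules like "Allow HTTPS" above, which carries neither -Profile nor -RemoteAddress, surface for review. The list of ports expected to be open to everyone is an assumed placeholder.

```powershell
# Added example; not from the original guide. Lists enabled inbound Allow rules whose
# remote scope is "Any". Ports expected to be open to everyone are an assumed list.
function Get-BroadInboundRule {
    param([string[]]$ExpectedPublicPorts = @("443"))

    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
    foreach ($rule in $rules) {
        $addr = $rule | Get-NetFirewallAddressFilter
        if (@($addr.RemoteAddress) -notcontains "Any") { continue }   # already scoped

        $port = $rule | Get-NetFirewallPortFilter
        $localPort = @($port.LocalPort) -join ","
        if ($ExpectedPublicPorts -contains $localPort) { continue }

        [pscustomobject]@{
            Rule      = $rule.DisplayName
            Profile   = $rule.Profile
            Protocol  = $port.Protocol
            LocalPort = $localPort
            Program   = ($rule | Get-NetFirewallApplicationFilter).Program
        }
    }
}

# Rules that apply to the Public profile with no remote scope deserve the closest look
Get-BroadInboundRule | Sort-Object Profile | Format-Table -AutoSize
```

After review, Set-NetFirewallRule -DisplayName "<rule>" -Profile Domain -RemoteAddress <subnet> tightens a rule in place without recreating it.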
Implementing Local Administrator Password Solution (LAPS)
LAPS manages unique, random local administrator passwords for each domain-joined computer, preventing lateral movement attacks that exploit reused local admin passwords. Install LAPS and configure it:
# Windows LAPS ships with Windows Server 2019 from the April 2023 cumulative update; import the built-in module rather than installing one from the gallery
Import-Module LAPS
Update-LapsADSchema
Set-LapsADComputerSelfPermission -Identity "OU=Servers,DC=contoso,DC=com"
Set-LapsADReadPasswordPermission -Identity "OU=Servers,DC=contoso,DC=com" -AllowedPrincipals "CONTOSO\Server Admins"
Deploy the LAPS client via Group Policy Software Installation or SCCM. Configure the LAPS policy settings: Computer Configuration > Administrative Templates > LAPS. Set the password age, complexity, and account name. Retrieve a managed password:
Get-LapsADPassword -Identity "SERVER01" -AsPlainText
Configuring Account Lockout and Password Policies
Set strong account lockout and password policies via the Default Domain Policy or Fine-Grained Password Policies. To apply a Fine-Grained Password Policy to privileged accounts:
New-ADFineGrainedPasswordPolicy -Name "PrivilegedAccountPolicy" -Precedence 1 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -MinPasswordLength 16 -PasswordHistoryCount 24 -MaxPasswordAge "60.00:00:00" -MinPasswordAge "1.00:00:00" -LockoutThreshold 5 -LockoutDuration "00:30:00" -LockoutObservationWindow "00:30:00"
Add-ADFineGrainedPasswordPolicySubject -Identity "PrivilegedAccountPolicy" -Subjects "Domain Admins","Enterprise Admins","Server Admins"
Configuring User Rights Assignment
Restrict sensitive user rights to only the accounts that require them. Use secedit or Group Policy to configure user rights. Review and restrict who can log on locally, access the computer from the network, and manage auditing:
secedit /export /cfg C:\SecurityAudit\current-security.cfg /areas USER_RIGHTS
# Edit the cfg file to restrict rights
secedit /configure /cfg C:\SecurityAudit\hardened-security.cfg /db secedit.sdb /areas USER_RIGHTS /log secedit.log
Verify current user rights assignments:
whoami /priv
Get-LocalGroupMember -Group "Administrators"
Get-LocalGroupMember -Group "Remote Desktop Users"
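An added example, not code from the original guide: a parser for the [Privilege Rights] section of the secedit export made above that resolves each SID to an account name, so the "edit the cfg file" step starts from a readable list. The set of rights reviewed is an assumed starting point.

```powershell
# Added example; not from the original guide. Reads the [Privilege Rights] section of
# the secedit export and resolves SIDs to names. The rights list is an assumed starting set.
function Get-UserRightsFromCfg {
    param(
        [string]$Path = "C:\SecurityAudit\current-security.cfg",
        [string[]]$Rights = @("SeNetworkLogonRight", "SeInteractiveLogonRight",
                              "SeRemoteInteractiveLogonRight", "SeDebugPrivilege",
                              "SeSecurityPrivilege", "SeTakeOwnershipPrivilege",
                              "SeBackupPrivilege", "SeRestorePrivilege")
    )
    $inSection = $false
    # secedit writes UTF-16 with a BOM, which Get-Content detects on its own
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            $value = $Matches[2]
            if ($Rights -notcontains $right) { continue }
            $holders = foreach ($entry in ($value -split ',')) {
                $entry = $entry.Trim()
                if ($entry -eq '') { continue }
                if (-not $entry.StartsWith('*')) { $entry; continue }   # already an account name
                # A leading '*' marks a SID; translate it, keeping the raw SID if it is orphaned
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $entry }
            }
            [pscustomobject]@{ Right = $right; Holders = (@($holders) -join '; ') }
        }
    }
}

Get-UserRightsFromCfg | Format-Table -AutoSize -Wrap
```

Rights that appear in the output with a raw SID as holder usually belong to deleted accounts and are worth removing from the hardened cfg.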
Enabling and Configuring Auditing
Configure comprehensive security auditing to detect suspicious activity. Use Advanced Audit Policy to enable specific subcategories:
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /failure:enable
# "Privilege Use" is a category, not a subcategory; audit its "Sensitive Privilege Use" subcategory (the non-sensitive one is extremely noisy)
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Security Group Management" /success:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
# "Object Access" is also a category; this enables every subcategory in it, including the very noisy Filtering Platform and Handle Manipulation ones, so enabling only the subcategories you need (such as "File System" and "Registry") is usually preferable
auditpol /set /category:"Object Access" /success:enable /failure:enable
# The listing shows "Success", "Failure" or "No Auditing" per subcategory; the word "enabled" never appears in it
auditpol /get /category:* | findstr /i "Success Failure"
Configure Security event log size to retain sufficient history:
wevtutil sl Security /ms:1073741824
wevtutil sl System /ms:209715200
wevtutil sl Application /ms:209715200
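An added example, not code from the original guide: Process Creation auditing (event 4688) only records the command line once the policy value below is set, and the summary function then counts the events the enabled subcategories produce and lists accounts with repeated failed logons. The time window and threshold are assumed defaults.

```powershell
# Added example; not from the original guide. Enables command-line capture for 4688
# and summarises the events the auditpol settings above produce. Window and threshold
# are assumed defaults.
function Enable-ProcessCommandLineAudit {
    $key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name "ProcessCreationIncludeCmdLine_Enabled" -Type DWord -Value 1
}

function Get-SecurityAuditSummary {
    param([int]$Hours = 24, [int]$FailedLogonThreshold = 10)
    # Event IDs produced by the subcategories enabled with auditpol above
    $ids = @{
        4625 = "Failed logon (Logon / Account Lockout)"
        4673 = "Privileged service called (Sensitive Privilege Use)"
        4688 = "New process created (Process Creation)"
        4720 = "User account created (User Account Management)"
        4740 = "Account locked out (User Account Management)"
        4728 = "Member added to global group (Security Group Management)"
        4732 = "Member added to local group (Security Group Management)"
    }
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = @($ids.Keys); StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue)

    $counts = $events | Group-Object Id | ForEach-Object {
        [pscustomobject]@{ Id = [int]$_.Name; Count = $_.Count; Meaning = $ids[[int]$_.Name] }
    } | Sort-Object Id

    # In 4625, property 5 is TargetUserName and property 19 is the source IP address
    $failed = $events | Where-Object Id -eq 4625 | Group-Object { $_.Properties[5].Value } |
        Where-Object Count -ge $FailedLogonThreshold | ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Name
                Failures = $_.Count
                Sources  = (($_.Group | ForEach-Object { $_.Properties[19].Value }) | Sort-Object -Unique) -join ','
            }
        }
    [pscustomobject]@{ Counts = $counts; RepeatedFailedLogons = $failed }
}

$summary = Get-SecurityAuditSummary -Hours 24
$summary.Counts | Format-Table -AutoSize
$summary.RepeatedFailedLogons | Format-Table -AutoSize
```

Reading the Security log requires an elevated session, and the 4688 count stays at zero until the Process Creation subcategory from the previous step is enabled.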