
Windows Hardening — GPO, UAC, AppLocker, and unnecessary services

Windows is the most common target in corporate environments. A default configuration exposes services, allows unrestricted program execution, and facilitates privilege escalation. Hardening reduces that risk without sacrificing usability.

Group Policy Object (GPO)

GPO lets you push security settings across the network through Active Directory — or locally via gpedit.msc.

Critical settings:

Computer Configuration > Policies > Windows Settings > Security Settings:

- Password Policy:
    Minimum length: 12 characters
    History: 10 passwords
    Maximum age: 90 days

- Account Lockout Policy:
    Threshold: 5 attempts
    Duration: 15 minutes

- Audit Policy:
    Account Logon: Success and Failure
    Object Access: Failure
    Privilege Use: Failure

UAC — User Account Control

UAC prevents processes from silently elevating privileges. Set it to the highest level that does not disrupt workflows:

Control Panel > User Accounts > Change User Account Control settings
  → "Always notify"

Equivalent GPO:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
  → User Account Control: Behavior of the elevation prompt for administrators
     Value: Prompt for credentials on the secure desktop

Never disable UAC on workstations. Evaluate case by case on servers.

AppLocker — execution control

AppLocker defines which executables, scripts, and DLLs are allowed to run:

GPO: Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker

Example rule (whitelist mode):
  Type: Executable
  Action: Allow
  Condition: Path = %PROGRAMFILES%\*
  Exception: block C:\Temp\*, C:\Users\*\Downloads\*

In whitelist mode everything not matched by an Allow rule is already denied, so exceptions only take effect for paths that fall inside the Allow condition; the ones worth excluding are user-writable folders under %PROGRAMFILES%. Run a new path rule with enforcement set to "Audit only" and review the AppLocker event log before switching to "Enforce rules".

Enable the Application Identity service for AppLocker to work. Since Windows 10 the service runs as a protected process, so Set-Service -StartupType Automatic fails with "Access is denied" even from an elevated prompt; set the start type with sc.exe (or through GPO under System Services) and then start it:

sc.exe config AppIDSvc start= auto
Start-Service AppIDSvc

Unnecessary services — reduce the surface

Disable services that are not used in your environment:

# List running services and review the output before disabling anything
Get-Service | Where-Object { $_.Status -eq 'Running' } | Select-Object Name, DisplayName

# Disable common unnecessary services
# (TlntSvr is the Telnet server service; it only exists on legacy systems)
$unneeded = @('Fax','XblGameSave','XboxNetApiSvc','RemoteRegistry','TlntSvr')
foreach ($svc in $unneeded) {
    # Skip services that are not installed instead of silencing every error
    if (-not (Get-Service -Name $svc -ErrorAction SilentlyContinue)) { continue }
    Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
    Set-Service -Name $svc -StartupType Disabled
}

Windows Firewall

# Enable on all profiles
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

# Block inbound by default on every profile (outbound stays allowed)
Set-NetFirewallProfile -Profile Domain,Public,Private -DefaultInboundAction Block -DefaultOutboundAction Allow

# Allow only what is needed; scope the rule to the domain profile and, where possible,
# to the management subnet with -RemoteAddress instead of exposing the port everywhere
New-NetFirewallRule -DisplayName "Allow RDP" -Direction Inbound -Protocol TCP -LocalPort 3389 -Profile Domain -Action Allow

Quick checklist

  • Windows Update enabled and automatic
  • SMBv1 disabled (Set-SmbServerConfiguration -EnableSMB1Protocol $false)
  • PowerShell running in Constrained Language Mode
  • LAPS deployed for local admin passwords
  • Defender real-time protection active
  • Credential Guard enabled (Windows 10/11 Enterprise)
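The following read-only audit script is an added example, not part of the original page: it checks the state of the settings configured above (UAC, Application Identity service and AppLocker enforcement, the unnecessary services, firewall profiles, and the checklist items) and reports PASS/FAIL per item. It assumes an elevated PowerShell 5.1+ session on Windows 10/Server 2016 or later with the AppLocker, NetSecurity, SmbShare and Defender modules present; the registry values and cmdlets used are standard, and the service list mirrors the one above.

```powershell
# Added example (not the original page's code): audit the hardening items
# described above. Read-only; run from an elevated PowerShell session.
$results = @()
function Add-Check($Name, $Pass, $Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = $Detail }
}

# UAC: EnableLUA=1 means UAC is on; ConsentPromptBehaviorAdmin=1 is
# "Prompt for credentials on the secure desktop" (2 would be "consent" on the secure desktop)
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Add-Check 'UAC enabled' ($uac.EnableLUA -eq 1) "EnableLUA=$($uac.EnableLUA)"
Add-Check 'UAC admin prompt = credentials on secure desktop' `
    (($uac.ConsentPromptBehaviorAdmin -eq 1) -and ($uac.PromptOnSecureDesktop -eq 1)) `
    "ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin) PromptOnSecureDesktop=$($uac.PromptOnSecureDesktop)"

# AppLocker: Application Identity service must start automatically and at least
# one rule collection must be in "Enforce rules" mode (Audit only does not block)
$appid = Get-CimInstance Win32_Service -Filter "Name='AppIDSvc'"
Add-Check 'AppIDSvc start type Auto' ($appid.StartMode -eq 'Auto') "StartMode=$($appid.StartMode)"
$enforced = @((Get-AppLockerPolicy -Effective).RuleCollections | Where-Object { $_.EnforcementMode -eq 'Enabled' })
Add-Check 'AppLocker enforced' ($enforced.Count -gt 0) ('Enforced: ' + (($enforced | ForEach-Object { $_.RuleCollectionType }) -join ', '))

# Unnecessary services: installed ones must be disabled and stopped
$unneeded = @('Fax','XblGameSave','XboxNetApiSvc','RemoteRegistry','TlntSvr')
foreach ($svc in $unneeded) {
    $s = Get-CimInstance Win32_Service -Filter "Name='$svc'"
    if ($null -eq $s) { continue }   # not installed: nothing to disable
    Add-Check "Service $svc disabled" (($s.StartMode -eq 'Disabled') -and ($s.State -ne 'Running')) "StartMode=$($s.StartMode) State=$($s.State)"
}

# Firewall: every profile enabled with inbound blocked by default
foreach ($p in Get-NetFirewallProfile) {
    Add-Check "Firewall profile $($p.Name)" (($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -eq 'Block')) "Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction)"
}

# Checklist items
Add-Check 'SMBv1 disabled' (-not (Get-SmbServerConfiguration).EnableSMB1Protocol) ''
Add-Check 'PowerShell Constrained Language Mode' ($ExecutionContext.SessionState.LanguageMode -eq 'ConstrainedLanguage') "Mode=$($ExecutionContext.SessionState.LanguageMode)"
Add-Check 'Defender real-time protection' ((Get-MpComputerStatus).RealTimeProtectionEnabled) ''

$results | Format-Table -AutoSize
```

The Constrained Language Mode check reports on the session running the script, so a FAIL there in an administrator's own console is expected; run it under a standard user account or a deployed policy to verify the real state.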