Windows hardening: NLA, PowerShell, Defender and code signing
Windows hardening consists of enabling available protections, disabling unused features, and applying the principle of least privilege. Microsoft publishes Security Baselines (available in the Security Compliance Toolkit) providing recommended configurations for each version of Windows Server and Windows Client. The CIS Windows Benchmark is an independent complementary reference.
NLA for Remote Desktop connections
Network Level Authentication (NLA) requires the user to authenticate before the RDP session is fully established. Without NLA, the RDP session is established up to the Windows login screen without prior authentication. This exposes the graphical layer's attack surface and allows attacks against RDP vulnerabilities without a valid account (BlueKeep, DejaBlue). NLA must be enabled on all servers that expose RDP.
Checking and enabling NLA
# Vérifier via PowerShell :
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').UserAuthentication
# 1 = NLA activé
# Activer NLA via GPO :
# Configuration ordinateur > Modèles d'administration > Composants Windows
# > Services Bureau à distance > Hôte de session Bureau à distance
# > Sécurité > Exiger l'authentification utilisateur...
PowerShell security controls
PowerShell is the favourite administration tool of pentesters and attackers in Windows environments. Available security controls: Execution Policy (don't rely on it as security protection, easily bypassed), AMSI (Antimalware Scan Interface) analyses scripts before execution, ScriptBlock Logging logs executed scripts, Constrained Language Mode restricts PowerShell capabilities, JEA (Just Enough Administration) limits accessible cmdlets by role.
Enabling PowerShell logging via GPO
# Via GPO : Configuration ordinateur > Modèles d'administration
# > Composants Windows > Windows PowerShell
# Activer via registre :
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
-Name 'EnableScriptBlockLogging' -Value 1
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' `
-Name 'EnableTranscripting' -Value 1
Microsoft Defender and advanced protection
Microsoft Defender Antivirus is enabled by default on Windows but its advanced features require configuration. Points to check: signature definition updates (frequency and state), cloud-delivered protection for zero-day threats, ransomware protection (Controlled Folder Access), Microsoft Defender for Endpoint for advanced EDR capabilities. In environments with third-party solutions, verify they don't disable Defender without replacing it.
Digital signatures on executables
Digital signatures on executables allow verifying the code hasn't been modified since signing and comes from a known publisher. Unsigned executables may come from unknown sources or have been modified. AppLocker and Windows Defender Application Control (WDAC) allow restricting execution to executables signed by trusted publishers.
Account management: inactive, local and service accounts
Inactive accounts that aren't disabled and misconfigured local admin accounts are common attack vectors. Inactive accounts: disable or delete accounts that haven't logged in for more than 90 days. Local admins: deploy LAPS (Local Administrator Password Solution) for unique passwords per machine. Service accounts: use Managed Service Accounts (MSA) or Group Managed Service Accounts (gMSA) to avoid static passwords.
SQL Server audit
SQL Server with excessive privileges (service account with SYSTEM or local administrator rights) amplifies the impact of a compromise. SQL Server Audit allows logging database access, schema changes, and failed authentication attempts. These logs are essential for incident detection and forensic investigations.
Further reading
A question after reading?
Want to assess or harden your Windows systems? Send a message.
Or book a 30-minute scoping call directly
Book a call →