What is the best practice process (steps) for implementing Windows Server 2016 hardening

James Ander 1 Reputation point
2021-04-16T04:24:43.83+00:00

Hi,

  1. What is the best practice process (steps) for implementing Windows Server 2016 hardening using SCT (Security Compliance Toolkit)?
  2. How do we verify if SCT is implemented properly and it works? Is there a tool that we can use to check?
  3. In case of issues encountered, what is the recommended way to roll-back and restore previous working settings?

thanks,
James


2 answers

  1. Daisy Zhou 12,921 Reputation points Microsoft Employee
    2021-04-16T09:54:25.633+00:00

    Hello @James Ander ,

    Thank you for posting here.

    We are researching the questions in this post, and if there is any update, we will post it here.

    Thank you for your understanding and support.

    Best Regards,
    Daisy Zhou


  2. Daisy Zhou 12,921 Reputation points Microsoft Employee
    2021-04-19T02:36:52.01+00:00

    Hello @James Ander ,

    Thank you for your patience.

    Here are the answers for your reference.

    What is the best practice process (steps) for implementing Windows Server 2016 hardening using SCT (Security Compliance Toolkit)?
    A:

    1. Download the corresponding version of the security baseline.
    2. Check if you need to export the ADMX or ADML files to the DC.
    3. Create an OU and put one machine into this OU (for test).
    4. Create a new GPO and link this GPO to the OU above.
    5. Export the GPO settings you want from the download to this new GPO.

    How do we verify if SCT implemented properly and it works? Is there a tool that we can use to check?
    A:

    1. After you deploy the GPO.
    2. Run gpupdate /force on the machine in the OU or restart the machine in the OU.
    3. Open CMD as Administrator, run gpresult /h C:\report.html and press Enter to check the GPO settings.
    4. Or check if the corresponding registry value of the GPO settings changes.

    In case of issues encountered, what is the recommended way to roll-back and restore previous working settings?
    A: You can unlink the new GPO or delete the new GPO.

    Tip: It is recommended to test in the test environment first; if successful, then deploy it in the production environment.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

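One way to script the verification steps from the answer above (policy refresh, gpresult report, registry check), as an added example that is not part of the original answer or of SCT itself. The entries in `$Expected` are constructed samples and the function name `Test-RegistrySetting` is hypothetical; replace the list with the settings from the baseline you actually imported.

```powershell
# Added example. Run in an elevated PowerShell session on the test machine in the OU.
# $Expected is a constructed sample list, not the contents of any specific baseline.
$Expected = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'SMB1'; Value = 0 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LmCompatibilityLevel'; Value = 5 }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Value = 1 }
)

# Refresh policy and write the HTML report described in the answer (/f overwrites an old report).
gpupdate /force | Out-Null
gpresult /h C:\report.html /f | Out-Null

function Test-RegistrySetting {
    param([string]$Key, [string]$Name, $Value)
    # A missing key or value means the setting never reached this machine,
    # so it is reported as a failure instead of raising an error.
    $item   = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.$Name } else { $null }
    [pscustomobject]@{
        Setting  = "$Key\$Name"
        Expected = $Value
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Pass     = ($null -ne $actual) -and ($actual -eq $Value)
    }
}

# Compare every expected setting with what is on the machine now.
$results = foreach ($setting in $Expected) { Test-RegistrySetting @setting }
$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) setting(s) differ from the expected values; review C:\report.html."
} else {
    Write-Output 'All sampled settings match the expected values.'
}
```

Running the same script before linking the GPO gives a record of the previous values to compare against if the GPO is later unlinked.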