windows-hardening

Secure Windows servers following Microsoft security baselines and CIS benchmarks.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "windows-hardening" with this command: npx skills add bagelhole/devops-security-agent-skills/bagelhole-devops-security-agent-skills-windows-hardening

Windows Hardening

When to Use This Skill

Use this skill when:

  • Hardening Windows servers

  • Implementing security baselines

  • Meeting compliance requirements

  • Configuring Windows security features

Security Baseline

Download Microsoft Security Baseline

Apply via Group Policy or LGPO tool

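Install the SecurityPolicyDsc module (DSC resources for local security policy); the Security Compliance Toolkit, which includes LGPO, is a separate download from Microsoft

Install-Module -Name SecurityPolicyDsc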

Account Policies

Password policy via Group Policy

Computer Configuration > Policies > Windows Settings > Security Settings

Command-line alternative (net accounts runs in PowerShell or cmd)

net accounts /minpwlen:14 /maxpwage:90 /minpwage:1 /uniquepw:24

Rename the built-in Administrator account and disable the Guest account

Rename-LocalUser -Name "Administrator" -NewName "LocalAdmin"
Disable-LocalUser -Name "Guest"

Windows Firewall

Enable firewall

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

Default deny inbound, allow outbound

Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow

Allow specific rules (restrict the source with -RemoteAddress where possible)

New-NetFirewallRule -DisplayName "Allow RDP" -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow

Audit Configuration

Enable advanced audit policy

auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable

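Enable PowerShell script block logging (create the policy key first; it does not exist by default)

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1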

Windows Defender

Enable real-time protection

Set-MpPreference -DisableRealtimeMonitoring $false

Enable cloud protection

Set-MpPreference -MAPSReporting Advanced

Configure scans

Set-MpPreference -ScanScheduleDay Everyday
Set-MpPreference -ScanScheduleTime 02:00:00

Best Practices

  • Apply security baselines

  • Enable Windows Defender ATP

  • Configure AppLocker

  • Disable SMBv1

  • Enable Credential Guard

  • Regular Windows updates

  • Implement LAPS for local admin passwords
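
A read-only check of the settings applied in the sections above, plus the SMBv1 item from this list. It is an added example, not part of the upstream skill; the function names New-CheckResult and Test-HardeningState are hypothetical, and the audit-policy comparison assumes an English-language system.

```powershell
# Added example: read-only checks for the settings applied on this page.
# Run elevated. New-CheckResult and Test-HardeningState are hypothetical names.
function New-CheckResult($Check, $Pass, $Detail) {
    [pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = "$Detail" }
}

function Test-HardeningState {
    # Firewall: ActiveStore returns the effective policy, including GPO settings.
    foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -eq 'Block')
        New-CheckResult "Firewall/$($p.Name)" $ok "Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction)"
    }

    # Built-in accounts are found by well-known RID (500, 501), so a rename cannot hide them.
    $local = Get-LocalUser
    $admin = $local | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $guest = $local | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    New-CheckResult 'Account/AdministratorRenamed' ($admin -and $admin.Name -ne 'Administrator') "Name=$($admin.Name)"
    New-CheckResult 'Account/GuestDisabled' ($guest -and -not $guest.Enabled) "Enabled=$($guest.Enabled)"

    # Audit policy: /r emits CSV. 'Success and Failure' assumes an English-language system.
    foreach ($sub in 'Logon', 'Account Lockout') {
        $row = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ } | ConvertFrom-Csv
        $setting = $row.'Inclusion Setting'
        New-CheckResult "Audit/$sub" ($setting -eq 'Success and Failure') $setting
    }

    # Script block logging: a missing key or value means the policy is not set.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    New-CheckResult 'PowerShell/ScriptBlockLogging' ($sbl -eq 1) "EnableScriptBlockLogging=$sbl"

    # Defender: real-time protection on, MAPSReporting 2 = Advanced.
    $mp = Get-MpPreference
    New-CheckResult 'Defender/RealTime' (-not $mp.DisableRealtimeMonitoring) "DisableRealtimeMonitoring=$($mp.DisableRealtimeMonitoring)"
    New-CheckResult 'Defender/CloudProtection' ($mp.MAPSReporting -eq 2) "MAPSReporting=$($mp.MAPSReporting)"

    # SMBv1 server component (from the Best Practices list).
    $smb = Get-SmbServerConfiguration
    New-CheckResult 'SMB/SMBv1Disabled' (-not $smb.EnableSMB1Protocol) "EnableSMB1Protocol=$($smb.EnableSMB1Protocol)"
}

# List only the checks that failed.
Test-HardeningState | Where-Object { -not $_.Pass } | Format-Table -AutoSize
```

An empty table means every check passed; the password policy set with net accounts is not covered here.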

Related Skills

  • cis-benchmarks - Compliance scanning

  • windows-server - Server administration

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
