This short document outlines some steps which can be performed on a SharePoint 2016 Server in order to improve its overall security (also called hardening).
General Windows Hardening:
1.) Disable the “X-AspNet-Version” header
as explained here.
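The header is controlled by the `enableVersionHeader` attribute of `<httpRuntime>` in the web application's web.config. The following PowerShell is an added example, not part of the original post: it sets the attribute and then checks the response headers. The web.config path and the site URL are assumptions and must be replaced with those of the web application being hardened; the header check assumes Windows PowerShell 5.1.

```powershell
# Added example (not from the original post): remove the X-AspNet-Version header by
# setting <httpRuntime enableVersionHeader="false"> in a web application's web.config,
# then verify the header is gone. The path below is an assumption; use the web.config of
# the IIS site you are hardening. Run elevated.
$webConfig = 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config'

# Keep a backup before touching a SharePoint web.config.
Copy-Item -Path $webConfig -Destination "$webConfig.bak" -Force

[xml]$xml = Get-Content -Path $webConfig
$systemWeb = $xml.configuration.'system.web'
if (-not $systemWeb) {
    $systemWeb = $xml.configuration.AppendChild($xml.CreateElement('system.web'))
}
$httpRuntime = $systemWeb.httpRuntime
if (-not $httpRuntime) {
    $httpRuntime = $systemWeb.AppendChild($xml.CreateElement('httpRuntime'))
}
$httpRuntime.SetAttribute('enableVersionHeader', 'false')
$xml.Save($webConfig)

# Verify: the header is added to every ASP.NET response, so an unauthenticated request is
# enough; a 401 from NTLM still carries the headers. The URL is an assumption.
try {
    $headers = (Invoke-WebRequest -Uri 'http://sharepoint.example.local/' -UseBasicParsing).Headers
} catch {
    $headers = $_.Exception.Response.Headers
}
if ($headers['X-AspNet-Version']) {
    Write-Warning 'X-AspNet-Version is still present'
} else {
    Write-Host 'X-AspNet-Version header removed'
}
```

Saving through the XML parser rewrites the file's whitespace, which is why the backup is taken first; an IIS reset is not needed, since a web.config change recycles the application pool on its own.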
2.) Disable NTFS 8.3 short file names
as explained here.
3.) Disable unneeded ports and the floppy drive
Disable any ports that are not needed (e.g. COM & LPT) and the floppy drive in the BIOS (for a VMware how-to see here).
4.) Disable “NetBIOS over TCP/IP”
as explained here.
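The setting is per network adapter, so it has to be applied to each IP-enabled interface. The PowerShell below is an added example, not part of the original post; it uses the documented `SetTcpipNetbios` method of `Win32_NetworkAdapterConfiguration` (option value 2 = disable) and then reads back the per-interface `NetbiosOptions` registry value.

```powershell
# Added example (not from the original post): disable NetBIOS over TCP/IP on every
# IP-enabled adapter. TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enable, 2 = disable.
# Run elevated.
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($adapter in $adapters) {
    $result = Invoke-CimMethod -InputObject $adapter -MethodName SetTcpipNetbios `
                               -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
    # ReturnValue 0 = success, 1 = success but a reboot is required
    '{0}: ReturnValue={1}' -f $adapter.Description, $result.ReturnValue
}

# Verify via the per-interface registry value (NetbiosOptions = 2 means disabled).
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
    Get-ItemProperty -Name NetbiosOptions -ErrorAction SilentlyContinue |
    Select-Object PSChildName, NetbiosOptions
```

Adapters added later (for example a new virtual NIC) come up with the default again, so the check is worth repeating after network changes.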
5.) Disable the “Printer Spooler” service
As the “Printer Spooler” service isn't needed on the OS it should be disabled. To do that, change the startup type from Automatic to Disabled, then stop the service. Normally this also disables printer sharing, but not in every environment, so open Computer Management, go to “Shared Folders” then “Shares” and disable the printer share.
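The same three actions (startup type, stop, share) scripted for repeatable application across a farm, as an added example that is not part of the original post. It assumes the printer share is the default `print$` share; `Get-SmbShare`/`Remove-SmbShare` require the SmbShare module that ships with Windows Server 2012 and later.

```powershell
# Added example (not from the original post): disable and stop the Print Spooler, then
# remove the print$ share if it is still there. Run elevated.
Set-Service -Name Spooler -StartupType Disabled
if ((Get-Service -Name Spooler).Status -ne 'Stopped') {
    Stop-Service -Name Spooler -Force
}

# The share does not always disappear with the service, so remove it explicitly.
$printShare = Get-SmbShare -Name 'print$' -ErrorAction SilentlyContinue
if ($printShare) {
    Remove-SmbShare -Name 'print$' -Force
}

# Verify: the service should be Stopped/Disabled and no print share should be listed.
Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" |
    Select-Object Name, State, StartMode
Get-SmbShare | Select-Object Name, Path, ShareType
```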
6.) Rename the Administrator and Guest accounts
Make sure that the default Administrator and Guest accounts are renamed (e.g. RENAdministrator and RENGuest; but choose your own names here!)
7.) Make sure that the default Admin Account and Guest Account require a password.
This can be done via:
net user Administrator /PASSWORDREQ:YES
net user Guest /PASSWORDREQ:YES
8.) Disable SSL 2.0/3.0 and weak ciphers
as explained here, which also enables TLS 1.2 in an additional section. You can also follow the how-to here.
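The linked how-tos work through the SCHANNEL registry keys. The following PowerShell is an added example, not part of the original post or the linked guides: it disables SSL 2.0 and SSL 3.0 for the client and server roles, enables TLS 1.2, and disables the RC4, DES and NULL ciphers. The cipher key names contain a "/", which the PowerShell registry provider treats as a path separator, so those keys are created through the .NET registry API. The settings take effect after a reboot.

```powershell
# Added example (not from the original post): SCHANNEL protocol and cipher hardening.
# Run elevated; reboot afterwards.
$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enabled)
    # Each protocol has a Client and a Server subkey; Enabled=0 plus DisabledByDefault=1
    # turns it off, Enabled=1 plus DisabledByDefault=0 turns it on.
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path (Join-Path $protocols $Name) $role
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
                         -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
                         -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

Set-SchannelProtocol -Name 'SSL 2.0' -Enabled $false
Set-SchannelProtocol -Name 'SSL 3.0' -Enabled $false
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

# Weak ciphers: key names such as "RC4 128/128" contain "/", so use the .NET API.
$base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', 'Default')
foreach ($cipher in 'NULL', 'DES 56/56', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128') {
    $key = $base.CreateSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$cipher")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

# Review the protocol keys that are now present.
Get-ChildItem -Path $protocols -Recurse | Get-ItemProperty |
    Select-Object PSPath, Enabled, DisabledByDefault
```

Before disabling SSL 3.0 and the older ciphers on a production farm, confirm that every client and integration (Office clients, search crawlers, third-party systems) can negotiate TLS 1.2, since SCHANNEL changes are machine-wide and not limited to SharePoint.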
9.) Make sure you are using Microsoft Update rather than Windows Update, so that the non-core Microsoft components installed on the OS are updated as well
10.) Set a proxy on the OS
To prevent a proxy that isn't the correct one from being added to the OS, set the proxy by hand (as mentioned here) and disable the “WinHTTP Web Proxy Auto-Discovery Service” service.
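The machine-wide WinHTTP proxy used by services is set with `netsh winhttp`, and the auto-discovery service is `WinHttpAutoProxySvc`. The PowerShell below is an added example, not part of the original post; the proxy host, port and bypass list are assumptions for illustration.

```powershell
# Added example (not from the original post): set the WinHTTP proxy explicitly and turn
# off WinHTTP Web Proxy Auto-Discovery so the server-side proxy cannot be changed by
# auto-discovery. Proxy and bypass list are assumed values. Run elevated.
$proxy  = 'proxy.example.local:8080'
$bypass = '<local>;*.example.local'

# netsh is the supported way to set the WinHTTP proxy that services use.
netsh winhttp set proxy proxy-server="$proxy" bypass-list="$bypass"

# Disable the auto-discovery service. Some newer Windows builds refuse Set-Service on this
# service, so fall back to writing the Start value (4 = Disabled) directly.
try {
    Set-Service -Name WinHttpAutoProxySvc -StartupType Disabled -ErrorAction Stop
} catch {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc' `
                     -Name Start -Value 4 -Type DWord
}
Stop-Service -Name WinHttpAutoProxySvc -Force -ErrorAction SilentlyContinue

# Verify.
netsh winhttp show proxy
Get-CimInstance -ClassName Win32_Service -Filter "Name='WinHttpAutoProxySvc'" |
    Select-Object Name, State, StartMode
```

Keep the bypass list in mind for SharePoint itself: farm servers, SQL Server and any on-premises identity or search endpoints should stay on the bypass list so that farm traffic is not routed through the proxy.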
11.) Disable SMBv1
As SMBv1 is quite old and has known vulnerabilities, you should disable it (as explained here) via the following:
Windows 2012:
Set-SmbServerConfiguration -EnableSMB1Protocol $false
Windows 2008:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
This still leaves SMBv2 and SMBv3 active, which can be used instead.
12.) Upgrade the Diffie-Hellman prime to 2048 bit, as explained here.
13.) Enable TLS 1.1 and TLS 1.2 as the default secure protocols in WinHTTP (see here)
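Steps 12 and 13 are both single registry values, so one added example covers them (this is not code from the original post or the linked articles): `ServerMinKeyBitLength` under the SCHANNEL Diffie-Hellman key raises the minimum DH key size to 2048 bit (0x800), and `DefaultSecureProtocols` under the WinHttp key, set to 0xA00, enables TLS 1.1 (0x200) and TLS 1.2 (0x800) for WinHTTP callers; the Wow6432Node copy covers 32-bit processes. Both need a reboot to apply.

```powershell
# Added example (not from the original post): minimum DH key length and WinHTTP default
# secure protocols. Run elevated; reboot afterwards.
$dhKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'
if (-not (Test-Path $dhKey)) { New-Item -Path $dhKey -Force | Out-Null }
# 0x800 = 2048 bits
New-ItemProperty -Path $dhKey -Name 'ServerMinKeyBitLength' -PropertyType DWord `
                 -Value 0x800 -Force | Out-Null

# DefaultSecureProtocols bit flags: 0x200 = TLS 1.1, 0x800 = TLS 1.2, 0xA00 = both.
$winHttpKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)
foreach ($key in $winHttpKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'DefaultSecureProtocols' -PropertyType DWord `
                     -Value 0xA00 -Force | Out-Null
}

# Review the values that were written.
Get-ItemProperty -Path $dhKey | Select-Object ServerMinKeyBitLength
foreach ($key in $winHttpKeys) {
    Get-ItemProperty -Path $key | Select-Object PSPath, DefaultSecureProtocols
}
```

The `DefaultSecureProtocols` value only matters on Windows versions whose WinHTTP still defaults to SSL 3.0/TLS 1.0; on Windows Server 2016 WinHTTP already negotiates TLS 1.2 by default, so the value is harmless there and useful on older farm members.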