- Use two-factor authentication for privileged accounts: domain admin accounts, of course, but also other critical accounts, including any account holding the SeDebugPrivilege right (that right lets its holder open and read the memory of any process, LSASS included, so it is effectively equivalent to credential theft). See http://technet.microsoft.com/fr-fr/library/ff404294(v=ws.10).aspx. You might also want to consider smart card logon for VPN access: http://technet.microsoft.com/en-us/library/cc875840.aspx
- Harden security administration with admin bastions (jump servers): these machines are especially hardened, and an administrator first connects to the bastion, then from the bastion connects to the remote machine (server or network equipment) to be administered. Traceability can be enforced this way (even shared generic admin accounts can be tied back to a nominative account), as can authentication (smart card logon to be used on the remote server). This is a strong measure against keylogging, pass-the-hash attacks and unwanted administrator actions. The bastion itself then concentrates the most valuable credentials in the environment, so it must be patched, monitored and access-restricted at least as strictly as the systems it administers.
- Enhance network isolation with Network Access Control technologies, NAP for instance, at least for critical assets and infrastructure servers: http://technet.microsoft.com/library/cc512682.aspx and http://technet.microsoft.com/en-us/library/cc753550(v=ws.10).aspx
- Harden Outlook Web App (OWA) access by publishing it through a reverse proxy, and automatically deploy a component that checks the security posture of remote clients before they reach the mailbox. Forefront UAG is one product that does this; see: http://www.microsoft.com/en-us/download/confirmation.aspx?id=302
- Run offline antivirus scans after a compromise and on a regular basis on sensitive machines (an offline scan boots outside the installed operating system, so a rootkit running in that system cannot hide from the scanner). Here is an implementation example made of SCCM and System Sweeper (since renamed Windows Defender Offline): http://blogs.technet.com/b/configmgrteam/archive/2012/04/12/launching-a-windows-defender-offline-scan-with-configuration-manager-2012-osd.aspx
- Enable Network Level Authentication for Remote Desktop, so that the client must authenticate before a session is created on the server: http://technet.microsoft.com/en-us/library/cc732713.aspx
- Mitigate exploitation of unpatched application vulnerabilities with DEP and ASLR (where applicable). Deploy EMET, depending on the versions of Windows you are running: http://blogs.technet.com/b/srd/archive/2013/06/17/emet-4-0-now-available-for-download.aspx
- Whitelist/blacklist applications, through AppLocker for example: http://technet.microsoft.com/en-us/library/ee791890(v=ws.10).aspx
- Use strong algorithms to encrypt network communications: from the list of SSL/TLS versions implemented by the versions of Windows you have, enable and prioritize the strongest cipher suites possible (see http://blogs.msdn.com/b/benjaminperkins/archive/2011/10/07/secure-channel-compatibility-support-with-ssl-and-tls.aspx). By default, our recommendation is TLS 1.1 or 1.2, both client and server side. (TLS 1.0 and 1.1 have since been formally deprecated in RFC 8996, so on current systems TLS 1.2 should be the floor.)
- Use IPsec at least between domain controllers (AD replication, etc.) and for critical application servers: http://technet.microsoft.com/en-us/library/deploy-ipsec-firewall-policies-step-by-step(v=ws.10).aspx
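The first recommendation above asks for two-factor authentication on every account holding SeDebugPrivilege, which presupposes that you know which accounts those are. The following PowerShell is an added example (it is not part of the original article and not a Microsoft tool): it exports the effective local security policy with secedit.exe, parses the SeDebugPrivilege assignment out of the [Privilege Rights] section, and resolves the SIDs to account names. The function name and the temporary file location are this example's own choices.

```powershell
# Added example (not from the original article): list the accounts that hold
# SeDebugPrivilege on this machine so they can be reviewed, removed, or put
# behind two-factor authentication. Run from an elevated PowerShell prompt.
function Get-SeDebugPrivilegeHolders {
    [CmdletBinding()]
    param()

    # secedit writes the policy as an INF file; use a unique temp name.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # USER_RIGHTS limits the export to the [Privilege Rights] section.
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if (-not (Test-Path $cfg)) { throw "secedit export failed (are you elevated?)" }

        # Expected line shape: SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-...-1105
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
        if (-not $line) { return @() }   # nobody holds the right

        ($line -replace '^SeDebugPrivilege\s*=\s*', '') -split ',' | ForEach-Object {
            $token = $_.Trim()
            if ($token.StartsWith('*')) {
                # SIDs are prefixed with '*'; translate them to DOMAIN\name.
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($token.Substring(1))
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '<unresolved SID>' }   # deleted account or unreachable domain
                $sidValue = $sid.Value
            } else {
                # Already an account name (possible when the policy was imported as text).
                $name = $token; $sidValue = $null
            }
            [pscustomobject]@{ Account = $name; Sid = $sidValue }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# On a default installation only BUILTIN\Administrators appears here; any other
# entry, in particular a service or human account, deserves a second look.
Get-SeDebugPrivilegeHolders | Format-Table -AutoSize
```

Run it on domain controllers and application servers as well as workstations: the right is granted by the local policy or by whichever GPO wins, so the set of holders differs per machine. An unresolved SID in the output is itself a finding, since it usually means a deleted account is still named in the policy.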
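The TLS and Network Level Authentication items above are both configured through Schannel and Remote Desktop registry values rather than a cmdlet, and the compatibility post linked above only lists what each Windows version supports. The script below is an added example (not code from the original article or from Microsoft) that disables SSL 2.0, SSL 3.0 and TLS 1.0 on both the client and server side, leaves TLS 1.1 and 1.2 enabled, writes a forward-secrecy-only cipher suite order, requires NLA for RDP, and then reports the resulting protocol state. The registry paths are the documented Schannel and RDP-Tcp locations; the cipher suite strings are an assumption for your build (they are the Windows Server 2016 and later form, and older releases use suffixed names), so take the exact strings from Get-TlsCipherSuite or the Schannel documentation for the version you run.

```powershell
# Added example, not part of the original article. Run elevated; Schannel
# protocol changes take effect after a reboot. On a domain-joined machine a
# GPO setting the same values will override what is written here.
$Protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$SslPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$RdpTcp    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Name,   # 'SSL 3.0', 'TLS 1.2', ...
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $Protocols "$Name\$side"
        New-Item -Path $key -Force | Out-Null
        # Enabled=0 switches the protocol off outright; DisabledByDefault=1 also
        # keeps it out of the "default" set an application receives when it does
        # not name protocols explicitly. Set both so there is no ambiguity.
        Set-ItemProperty -Path $key -Name Enabled           -Type DWord -Value ([int]$Enabled)
        Set-ItemProperty -Path $key -Name DisabledByDefault -Type DWord -Value ([int](-not $Enabled))
    }
}

function Get-SchannelProtocolState {
    # One row per protocol and side. A $null value means "not configured", i.e.
    # the Windows default for this build applies, which is not the same as "off".
    foreach ($name in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path $Protocols "$name\$side"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $name
                Side              = $side
                Enabled           = $props.Enabled
                DisabledByDefault = $props.DisabledByDefault
            }
        }
    }
}

# 1. Protocol versions: off for SSL 2.0/3.0 and TLS 1.0, on for TLS 1.1/1.2.
'SSL 2.0', 'SSL 3.0', 'TLS 1.0' | ForEach-Object { Set-SchannelProtocol -Name $_ -Enabled $false }
'TLS 1.1', 'TLS 1.2'            | ForEach-Object { Set-SchannelProtocol -Name $_ -Enabled $true  }

# 2. Cipher suite order. This is the same REG_SZ the "SSL Cipher Suite Order"
#    Group Policy writes: ECDHE for forward secrecy, AES-GCM only, strongest
#    first. Suite names are an assumption for your Windows build (see lead-in).
$suites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)
New-Item -Path $SslPolicy -Force | Out-Null
Set-ItemProperty -Path $SslPolicy -Name Functions -Type String -Value ($suites -join ',')

# 3. Remote Desktop: UserAuthentication=1 requires NLA (the client authenticates
#    via CredSSP before any session is created); SecurityLayer=2 forces TLS
#    instead of the legacy RDP security layer.
Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Type DWord -Value 1
Set-ItemProperty -Path $RdpTcp -Name SecurityLayer      -Type DWord -Value 2

Get-SchannelProtocolState | Format-Table -AutoSize
```

Before rolling this out, check that every RDP client is NLA-capable (Remote Desktop Connection 6.0 or later with CredSSP) and that no application server still depends on TLS 1.0, since a disabled protocol fails the handshake rather than degrading gracefully. The report at the end deliberately distinguishes "not configured" from "disabled": a protocol with no registry key is whatever the build's default says, and that default changed between Windows releases.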
Philippe Vialle - MSFT edited Revision 4. Comment: formatting
Philippe Vialle - MSFT edited Revision 3. Comment: added link to previous article
Philippe Vialle - MSFT edited Revision 2. Comment: formatting