Harden Windows Server 2025: Baseline Settings You Need to Know
Microsoft just rolled out the updated security baseline for Windows Server 2025, and it’s packing more than your usual set of tweaks. The update, now available through the Security Compliance Toolkit, takes a major step forward in locking down enterprise environments against evolving threats.
There’s a strong focus on tightening configurations around account lockout, authentication methods, endpoint protection, and network protocols. The good news? Many of these changes can be deployed via Group Policy or Intune. The caveat? Some settings are not for the faint-hearted or legacy-dependent environments.
Account Lockout Says Goodbye to Brute Force
Microsoft lowered the default threshold for invalid logon attempts:
- Lockout threshold: 3 attempts (down from 10)
- Lockout duration: 15 minutes
- Reset counter: 15 minutes
This significantly hardens defense against brute-force and password-spray attacks while remaining manageable for users who fumble their passwords before lunch. The flip side of a lower threshold is that it is also easier for an attacker to lock accounts on purpose, so keep an eye on event ID 4740 (account locked out) and have an unlock process ready before you roll it out.
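As an added example (not from the article or the Security Compliance Toolkit), the following PowerShell reads the lockout policy actually in force on a server and grades it against the values above. It assumes an elevated session and that secedit.exe is present (it ships with Windows). The baseline numbers are passed as defaults so you can re-point them if your organization settles on different ones. For domain accounts the effective values come from the domain policy instead, which you read with Get-ADDefaultDomainPasswordPolicy (RSAT), not from the local export.

```powershell
# Added example: compare the effective local lockout policy with the baseline values.
# Assumptions: elevated PowerShell; secedit.exe available (standard on Windows Server).

function Get-LocalLockoutPolicy {
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    # Export only the policy area; the [System Access] section carries the three lockout values.
    secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    try {
        $text   = Get-Content -Path $inf -Raw
        $policy = [ordered]@{}
        foreach ($name in 'LockoutBadCount', 'LockoutDuration', 'ResetLockoutCount') {
            # Lines look like "LockoutBadCount = 10". Duration/reset lines are absent when the
            # threshold is 0, and LockoutDuration is -1 when "until an administrator unlocks".
            if ($text -match "(?m)^\s*$name\s*=\s*(-?\d+)") { $policy[$name] = [int]$Matches[1] }
            else { $policy[$name] = $null }
        }
        [pscustomobject]$policy
    }
    finally {
        Remove-Item -Path $inf -Force -ErrorAction SilentlyContinue
    }
}

function Test-LockoutBaseline {
    param(
        [int]$Threshold       = 3,   # invalid attempts before lockout
        [int]$DurationMinutes = 15,  # how long the account stays locked
        [int]$ResetMinutes    = 15   # window after which the bad-attempt counter resets
    )
    $p = Get-LocalLockoutPolicy

    # A threshold of 0 means "never lock out": brute force is unconstrained. That is a hard
    # fail for all three checks, whatever the other two values say.
    $lockoutEnabled = ($null -ne $p.LockoutBadCount -and $p.LockoutBadCount -gt 0)

    @(
        [pscustomobject]@{
            Setting  = 'Account lockout threshold'
            Actual   = $p.LockoutBadCount
            Expected = "1..$Threshold"
            Pass     = $lockoutEnabled -and ($p.LockoutBadCount -le $Threshold)
        }
        [pscustomobject]@{
            Setting  = 'Account lockout duration (min)'
            Actual   = $p.LockoutDuration
            Expected = ">= $DurationMinutes (or -1: until admin unlocks)"
            Pass     = $lockoutEnabled -and ($p.LockoutDuration -eq -1 -or $p.LockoutDuration -ge $DurationMinutes)
        }
        [pscustomobject]@{
            Setting  = 'Reset lockout counter after (min)'
            Actual   = $p.ResetLockoutCount
            Expected = ">= $ResetMinutes"
            Pass     = $lockoutEnabled -and ($p.ResetLockoutCount -ge $ResetMinutes)
        }
    )
}

Test-LockoutBaseline | Format-Table -AutoSize
```

Run it before and after the GPO lands; a row with Pass = False and Actual empty usually means the policy is not set locally at all, which on a domain member is expected because the domain policy wins for domain accounts.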
Kerberos & Smart Card: Get Your Hash Together
Smart card authentication is now more customizable. Admins can define allowed hash algorithms—encouraging a move from SHA-1 to SHA-2.
- New setting: Allow signature hash algorithms during certificate-based logon
- Default still includes SHA-1 for compatibility
- Consider testing and moving toward SHA-2 for stronger security
Also worth noting: Delegated Managed Service Accounts (dMSA) make their debut. They require both client and DCs to be on Server 2025, so plan upgrades accordingly.
Event Log Lockdown
Remote access to the Event Log service can now be restricted.
This adds protection against lateral movement and against an attacker reading your logs remotely, but it may affect services like remote log forwarding and central collectors. Test thoroughly before deploying.
LAPS Gets Buffed
Microsoft is beefing up Local Administrator Password Solution (LAPS). You now have options for:
- Managing password history
- Actions after password use (logoff, reboot, process kill)
- Custom naming for managed accounts
These features reduce the risk of lateral movement due to reused or unmanaged credentials.
Updated Logon Rights
Changes to logon permissions for domain controllers:
- Now includes the Administrators and Enterprise Domain Controllers groups
- Ensures compatibility with newer PKINIT behavior and internal DC operations
LDAP Signing Policies
Admins can now define default behaviors for LDAPClientIntegrity and LDAPServerIntegrity. This helps mitigate man-in-the-middle attacks (unsigned LDAP is what makes NTLM relay to a domain controller work) while preserving legacy compatibility when necessary.
Defender Antivirus Gets Tactical
There’s a brand-new ASR (Attack Surface Reduction) rule targeting server webshell creation:
- New rule: Blocks creation of potentially malicious webshells
- Removed client-side rules that don’t apply to servers
Also introduced:
- Setting to hide AV exclusion settings from users (including local admins)
- New Group Policies to select update channels (Current Channel, Monthly, etc.)
Device Control & Removable Media
[IMAGE PLACEHOLDER – “Defender Device Control GPO Settings”]
Defender for Servers now supports native Device Control—finally allowing you to lock down USBs, CD drives, Bluetooth, and other ports:
- Fine-grained control per device class
- Prevents data exfiltration and rogue device usage
Network Protection: A Shift in Policy
Microsoft moved away from client-specific registry paths. Now:
- Servers use their own path: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\NetworkProtection
- Default recommendation: Enable “Block” mode for threat sites
EDR in Block Mode
You can now enable EDR (Endpoint Detection and Response) in block mode—even when Defender isn’t your primary AV:
- Allows Defender to take action post-compromise
- No user interaction required
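The Defender items above (the webshell ASR rule, hiding exclusions, network protection on servers, and checking whether EDR block mode is actually active) can be driven and verified locally with the Defender cmdlets. The PowerShell below is an added example, not the baseline's own script. It assumes an elevated session with Defender Antivirus installed; EDR block mode itself is switched on in the Defender portal and cannot be set locally, so the script only reports whether the engine is running in that mode. The ASR rule GUID is the "Block Webshell creation for Servers" id from Microsoft's ASR rules reference; confirm it against that reference before deploying.

```powershell
# Added example: apply the server-side Defender items in audit mode first, then report state.
# Assumptions: elevated; Defender AV present; GUID per Microsoft's ASR rules reference (verify).

$WebshellRuleId = 'a8f5898e-1dc8-49a9-9878-85004b8a61e6'

function Set-ServerDefenderBaseline {
    param([switch]$Enforce)   # default is audit mode: log what would be blocked, block nothing
    $asrAction = if ($Enforce) { 'Enabled' } else { 'AuditMode' }

    # 1. Webshell ASR rule. Add-MpPreference merges with existing rules instead of replacing them.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $WebshellRuleId `
                     -AttackSurfaceReductionRules_Actions $asrAction

    # 2. Hide the exclusion list from local users and local admins. An attacker with admin
    #    can otherwise read it to learn exactly which paths the engine never scans.
    Set-MpPreference -HideExclusionsFromLocalUsers $true -HideExclusionsFromLocalAdmins $true

    # 3. Network protection is inert on Windows Server unless explicitly allowed there.
    Set-MpPreference -AllowNetworkProtectionOnWinServer $true
    Set-MpPreference -EnableNetworkProtection $(if ($Enforce) { 'Enabled' } else { 'AuditMode' })
}

function Get-ServerDefenderState {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Find the webshell rule in the (parallel) Ids / Actions arrays, case-insensitively.
    $ruleAction = 'not configured'
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
        if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $WebshellRuleId) {
            $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
            $ruleAction = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "unknown ($code)" }
        }
    }

    [pscustomobject]@{
        # 'Normal' = Defender is primary AV; 'Passive Mode' = third-party AV and Defender only
        # scans; 'EDR Block Mode' = third-party AV but Defender can still remediate post-compromise.
        AMRunningMode       = $status.AMRunningMode
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        WebshellRuleAction  = $ruleAction
        NetworkProtection   = $pref.EnableNetworkProtection      # 0 Disabled, 1 Enabled, 2 Audit
        NetProtOnServer     = $pref.AllowNetworkProtectionOnWinServer
        ExclusionsHidden    = [bool]($pref.HideExclusionsFromLocalUsers -and $pref.HideExclusionsFromLocalAdmins)
    }
}

Set-ServerDefenderBaseline          # audit mode
Get-ServerDefenderState
```

Leave it in audit mode long enough to see what the webshell rule and network protection would have blocked (ASR audit events land in the Microsoft-Windows-Windows Defender/Operational log), then rerun with -Enforce. If AMRunningMode comes back as "Passive Mode" rather than "EDR Block Mode" on a server with a third-party AV, the portal toggle has not reached that machine yet and Defender will not remediate anything.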
SMB Protocol: Major Upgrades
The baseline now enforces:
- Audit rules for unencrypted/signing-less SMB traffic
- Guest logon detection
- Support for alternate SMB ports via registry
- New NTLM blocking policies with per-server overrides
- Default: Remote mailslots disabled
Pro tip: test NTLM changes on your crusty old apps before you commit.
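The SMB items above are all exposed through the SMB cmdlets on Windows Server 2025, which makes it easy to stage them: turn on the audit switches, read the audit logs for a while, then block. The PowerShell below is an added example, not the baseline's own script. Because the Audit*, BlockNTLM and mailslot parameters exist only on Server 2025 (and Windows 11 24H2) builds, and because I am quoting their names from memory of that cmdlet surface, every call first checks that the parameter exists on the running OS and warns instead of failing if it does not. Audit event IDs are deliberately not hard-coded; the summary groups whatever the SMB audit logs contain by ID so you can look each one up.

```powershell
# Added example: stage the SMB baseline (audit, then block). Assumptions: elevated; Server 2025;
# parameter names verified at runtime against Get-Command rather than trusted blindly.

function Invoke-IfParameterExists {
    # Run $Command with $Arguments only if every parameter name exists on this build;
    # otherwise warn, so the script degrades cleanly on older servers.
    param([string]$Command, [hashtable]$Arguments)
    $known   = (Get-Command $Command).Parameters.Keys
    $missing = @($Arguments.Keys | Where-Object { $_ -notin $known })
    if ($missing.Count -gt 0) {
        Write-Warning "$Command lacks -$($missing -join ', -') on this build; skipping"
        return
    }
    & $Command @Arguments
}

function Enable-SmbHardeningAudit {
    # Server side: log clients that cannot sign or encrypt, and guest (unauthenticated) logons.
    Invoke-IfParameterExists Set-SmbServerConfiguration @{
        AuditClientDoesNotSupportEncryption = $true
        AuditClientDoesNotSupportSigning    = $true
        AuditInsecureGuestLogon             = $true
        Force = $true
    }
    # Client side: the mirror image, for shares this server itself connects to.
    Invoke-IfParameterExists Set-SmbClientConfiguration @{
        AuditServerDoesNotSupportEncryption = $true
        AuditServerDoesNotSupportSigning    = $true
        AuditInsecureGuestLogon             = $true
        Force = $true
    }
}

function Get-SmbAuditSummary {
    # Who would break if we enforced now? Group the audit logs by event ID with one sample line.
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    foreach ($log in 'Microsoft-Windows-SMBServer/Audit', 'Microsoft-Windows-SMBClient/Audit') {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
            Group-Object Id | ForEach-Object {
                [pscustomobject]@{
                    Log     = $log
                    EventId = $_.Name
                    Count   = $_.Count
                    Sample  = ($_.Group[0].Message -split "`r?`n")[0]
                }
            }
    }
}

function Block-SmbClientNtlm {
    # Global NTLM block for outbound SMB with per-server exceptions for the crusty apps.
    param([string[]]$AllowNtlmServers = @())
    Invoke-IfParameterExists Set-SmbClientConfiguration @{
        BlockNTLM                    = $true
        BlockNTLMServerExceptionList = $AllowNtlmServers
        Force = $true
    }
}

function Disable-SmbRemoteMailslots {
    Invoke-IfParameterExists Set-SmbServerConfiguration @{ EnableMailslots = $false; Force = $true }
    Invoke-IfParameterExists Set-SmbClientConfiguration @{ EnableMailslots = $false; Force = $true }
}

Enable-SmbHardeningAudit
Get-SmbAuditSummary | Format-Table -AutoSize
```

Order of operations: Enable-SmbHardeningAudit on day one, Get-SmbAuditSummary after a week or two, then Block-SmbClientNtlm with the servers that still need NTLM listed explicitly, and Disable-SmbRemoteMailslots last. Anything Invoke-IfParameterExists warns about is a parameter this build does not have, which is your cue to check Get-Command Set-SmbServerConfiguration -Syntax rather than to guess.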
Virtualization-Based Security (VBS) Improvements
Not enforced yet, but Microsoft encourages testing:
- Kernel-mode hardware-enforced stack protection
- Machine identity isolation via AuthIP policies
Enable in audit mode first—these features are potent but can break things if rushed.
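"Enable in audit mode first" is only useful if you can tell afterwards what state the machine is in, and the VBS status a server reports is a pair of numeric arrays. The PowerShell below is an added example (not from the article or the toolkit) that decodes them so you can see whether Kernel-mode Hardware-enforced Stack Protection is configured, running, or only auditing. It assumes the numeric codes follow Microsoft's documented meaning for the Win32_DeviceGuard SecurityServices* arrays. The Set-KernelStackProtectionAudit helper writes the KernelShadowStacks scenario key that I understand the VBS group policy writes; that key and its Enabled/Audit values are an assumption, so export the policy from a test machine and compare before relying on it.

```powershell
# Added example: decode VBS status and stage kernel shadow stacks in audit mode.
# Assumptions: Win32_DeviceGuard codes per Microsoft docs; KernelShadowStacks key as assumed.

$ServiceNames = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor-protected Code Integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
    5 = 'Kernel-mode Hardware-enforced Stack Protection'
    6 = 'Kernel-mode Hardware-enforced Stack Protection (audit mode)'
    7 = 'Hypervisor-Enforced Paging Translation'
}

function ConvertTo-ServiceNames {
    param([object[]]$Codes)
    @($Codes | Where-Object { $null -ne $_ -and [int]$_ -ne 0 } | ForEach-Object {
        $c = [int]$_
        if ($ServiceNames.ContainsKey($c)) { $ServiceNames[$c] } else { "unknown ($c)" }
    })
}

function Get-VbsState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $configured = ConvertTo-ServiceNames $dg.SecurityServicesConfigured
    $running    = ConvertTo-ServiceNames $dg.SecurityServicesRunning
    $vbsStatus  = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    [pscustomobject]@{
        VbsStatus  = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        Configured = $configured
        Running    = $running
        # Configured but not running is the interesting case: usually a firmware or hardware
        # prerequisite (shadow stacks need a CET-capable CPU) or simply a reboot still pending.
        Pending    = @($configured | Where-Object { $_ -notin $running })
    }
}

function Set-KernelStackProtectionAudit {
    # Audit mode logs would-be shadow-stack violations (typically driver compatibility
    # problems) instead of bug-checking. Takes effect after a reboot. Assumed key and values.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name Enabled -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name Audit   -Value 1 -Type DWord
}

Get-VbsState
```

Run Get-VbsState before and after the reboot: the feature should move from Configured into Running, with "(audit mode)" in the name until you drop the Audit value and move to enforcement. A feature that stays in Pending is telling you the hardware or firmware is not ready, not that the policy failed to apply.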
Printing Hardened with WPP
The print subsystem also gets a security facelift. Introducing Windows Protected Print (WPP):
- Only uses Mopria-certified printer drivers
- Blocks legacy drivers and insecure print paths
It’s not enforced by default yet, but don’t be surprised if it shows up in future baselines.
Bottom Line
Microsoft isn’t playing nice anymore. This update pushes security-first policies while still giving admins enough flexibility to test and roll out changes safely. If you’re still running legacy systems or old protocols, now’s the time to start planning your migration. Otherwise, you might find yourself in the crosshairs of your next pen test—or worse, a real attacker.