Hardening a Windows Server is one of those topics where the gap between “we have antivirus” and “this would survive an actual penetration test” is enormous. The good news: the U.S. Department of Defense has already done most of the thinking for you, and they publish it for free.
This post is the playbook I follow when I harden a Windows Server: DoD STIGs as the checklist, SCAP as the scanner, LGPO as the policy applier, and ESET as the AV/EDR layer that the rest of the stack assumes is in place.
DoD STIGs: the public hardening playbook
STIGs (Security Technical Implementation Guides) are configuration documents published by the Defense Information Systems Agency. They’re written for defense systems, but they’re public, free, and they cover most of the Microsoft stack: Windows Server 2016/2019/2022, IIS, SQL Server, Active Directory, plus Linux, network gear, and dozens of common applications.
For Windows Server specifically, a STIG is several hundred individual security checks, each with:
- A category (CAT I = critical, CAT II = high, CAT III = moderate)
- A description of the check
- The fix steps (registry keys, group policy settings, etc.)
- The test procedure (how to verify the fix worked)
It’s the most thorough free hardening checklist I’ve found.
SCAP: automating the audit
Reading 600 STIG checks by hand is a non-starter. The SCAP scanner automates it.
SCAP (Security Content Automation Protocol) is a suite of standards for representing security content in a machine-readable format. Run the SCAP scanner against a Windows Server with the relevant STIG content loaded, and it produces a report:
- Which checks pass
- Which checks fail
- Which checks need manual review (some don’t have a programmatic test)
The output is XCCDF + ARF (XML files) that you can read programmatically or open in a viewer. For most teams, the workflow is: run the scan, read the failed-check list, fix what matters, re-scan. Iterate until the failed list is short and intentional.
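To show what "read it programmatically" looks like, here is an added example (my own code, not part of the DISA tooling) that walks the rule-result elements of an XCCDF 1.2 result file, counts pass/fail/manual-review outcomes, and lists failures with CAT I first; it assumes the standard XCCDF 1.2 namespace, and the embedded result file is a constructed sample with placeholder rule ids, not a real scan.

```python
"""Summarise an XCCDF result file: which STIG checks pass, fail, or need manual review."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# XCCDF severities map onto STIG categories.
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}
# Outcomes the scanner could not decide programmatically: manual review.
MANUAL_REVIEW = {"notchecked", "unknown", "informational"}

# Constructed sample: shaped like scanner output, with PLACEHOLDER rule ids
# (real DISA rule ids and a real TestResult carry far more detail).
SAMPLE_XCCDF = f"""<?xml version="1.0"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_PLACEHOLDER">
  <TestResult id="xccdf_example_testresult_PLACEHOLDER">
    <rule-result idref="xccdf_example_rule_PLACEHOLDER-1" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_PLACEHOLDER-2" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_PLACEHOLDER-3" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_PLACEHOLDER-4" severity="low"><result>notchecked</result></rule-result>
    <rule-result idref="xccdf_example_rule_PLACEHOLDER-5" severity="low"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""


def summarize(xml_text):
    """Return (counts, failures): outcome counts, and failing rules sorted CAT I first."""
    root = ET.fromstring(xml_text)
    counts = Counter()
    failures = []
    # iter() finds rule-result elements whether the file is bare XCCDF or ARF-wrapped.
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        result = rr.findtext(f"{{{XCCDF_NS}}}result", default="unknown")
        if result == "fail":
            counts["fail"] += 1
            cat = SEVERITY_TO_CAT.get(rr.get("severity", ""), "unrated")
            failures.append((cat, rr.get("idref")))
        elif result in MANUAL_REVIEW:
            counts["manual"] += 1
        elif result == "pass":
            counts["pass"] += 1
        else:
            counts["other"] += 1  # notapplicable, notselected, fixed, error
    failures.sort()  # "CAT I" sorts before "CAT II" before "CAT III"
    return counts, failures


if __name__ == "__main__":
    counts, failures = summarize(SAMPLE_XCCDF)
    print(dict(counts))
    for cat, rule_id in failures:
        print(f"{cat}: {rule_id}")
```

Point it at a real result file with `summarize(open(path).read())`; the same loop works on an ARF file because the TestResult is nested inside it.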
LGPO: applying the policy in bulk
Microsoft’s LGPO tool takes a Group Policy Object (GPO) backup directory and applies it to a Windows machine via the Local Group Policy. Useful for Windows servers that aren’t joined to a domain, and for testing GPO bundles before pushing them through Active Directory.
The DoD also publishes Group Policy Objects that pair with the STIGs. The workflow:
- Download the relevant Windows Server GPO bundle from DISA.
- Run LGPO.exe /g <path> to apply it.
- Run the SCAP scan to confirm the configuration matches the STIG.
You go from “fresh Windows Server install” to “STIG-compliant baseline” in about two minutes once you’ve done it a few times.
ESET: the AV/EDR layer the rest of the stack expects
STIGs assume you have antivirus and EDR running, but they don’t supply one. For business workloads I default to ESET, specifically the Endpoint Protection plus Server Security combination.
What I look for in this layer:
- Multi-platform support. Most agencies have a mix of Windows Server, Linux, Windows desktops, macOS, and mobile. ESET covers all of it from one console, which beats running three different EDR products.
- Lightweight footprint. AV products that consume 30% of a server’s CPU during a scan are net-negative for security, because admins disable them. ESET’s overhead is modest enough that it stays installed.
- Real EDR features. Detection plus the ability to investigate and roll back, not just signature matching.
- Cloud admin console. Managing 50 endpoints from one dashboard, not 50 individual machines.
ESET Protect Complete bundles the protection across all platforms with cloud-app security for Microsoft 365 and Google Workspace. For most agencies that’s the right tier.
What STIGs don’t cover
A STIG-compliant server is a hardened starting line, not a finish line. The pieces I add on top:
- Patch discipline. Windows Update set to install patches automatically in a maintenance window. STIGs catch missing patches at audit time; you want them installed before then.
- Least-privilege accounts. No more “everyone is admin”. Service accounts get only what the service needs.
- Monitoring. A real SIEM (Wazuh, Splunk, Sentinel, take your pick) collecting Windows Event Log into a place you’ll actually look. Logs you don’t review aren’t logs.
- Backup with tested restore. STIGs care about prevention; backups care about recovery. You need both. (See Borg Backups for the tool I default to.)
- Network segmentation. Don’t put the AD domain controller on the same VLAN as the dev sandbox. Hardening the host doesn’t help if the network treats every host as trusted.
When this is the right approach
The STIG + SCAP + LGPO + ESET stack is the right answer when:
- You handle regulated data (PCI, HIPAA, defense contracts).
- You’re being audited and need a defensible baseline.
- You run more than a handful of Windows Servers and need consistency across them.
It’s overkill when:
- You run one Windows Server for a small office and an AD-joined laptop fleet of five. The CIS Benchmarks (lighter, also free) might fit better.
- Your environment is mostly Linux. STIGs cover Linux too, but my Linux server security fundamentals baseline (SSH keys, sudo user, UFW) is the faster starting point for a Linux-first fleet.
For the broader Zero Trust context this fits inside, the Zero Trust security overview is the conceptual primer, and the DISA STIG compliance explainer from Titania is a useful background read.
Closing the loop
DoD STIGs plus the supporting tools are the most rigorous, free, public hardening playbook for Windows Server. The combination of STIG content, SCAP-driven audits, LGPO-driven configuration, and a real AV/EDR layer like ESET is what a serious Windows Server posture looks like.
If you’d rather not spend a week setting this up, the Cloud Infrastructure Audit & Hardening engagement covers the Windows Server side of the playbook end-to-end. For more on the security side, the cybersecurity & hardening category has the rest.