
Essential Linux & Windows System Hardening Steps for Strong Security

This guide details practical hardening techniques for Linux and Windows servers, covering SSH configuration, password policies, account lockout, su restrictions, ICMP suppression, firewall rules, RDP port changes, security policies, and disabling vulnerable services to significantly improve system security.

Ops Development Stories

Linux System Hardening

1. Modify SSH configuration to prohibit direct root login

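<code>vim /etc/ssh/sshd_config
# set (or uncomment) this directive; keep a non-root account that can still log in
PermitRootLogin no
# check the file for syntax errors before restarting the daemon
sshd -t && systemctl restart sshd</code>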

2. Adjust password policy to enforce a minimum length of 8 characters

<code>vim /etc/login.defs
PASS_MIN_LEN 8</code>

Other related policies

<code>PASS_MAX_DAYS 99999   # password maximum validity (permanent)
PASS_MIN_DAYS 0       # allow immediate password change
PASS_MIN_LEN 5       # (deprecated when using pam_pwquality)
PASS_WARN_AGE 7       # days before expiration to warn user</code>

The above cannot be forcibly changed; minlen only sets the minimum password length.

<code>vim /etc/pam.d/system-auth
password requisite pam_pwquality.so minlen=8 try_first_pass local_users_only retry=4</code>

3. Lock account for 5 minutes after three failed login attempts

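<code>vim /etc/pam.d/system-auth
# deny=2: refuse access once the failure tally exceeds 2
# unlock_time=300: allow access again 300 s after the last failure (lock_time only delays each retry)
auth required pam_tally2.so deny=2 unlock_time=300</code>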

Unlock a user

<code># pam_tally2 -r -u test1
Login           Failures Latest failure     From
test1               1    04/21/20 22:37:54  pts/4</code>

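To restrict remote SSH logins, edit /etc/pam.d/sshd similarly:

<code>vim /etc/pam.d/sshd
# unlock_time=300 lifts the lock 300 s after the last failure
# pam_tally2 was removed in Linux-PAM 1.5.0; newer systems use pam_faillock instead
auth required pam_tally2.so deny=2 unlock_time=300</code>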

4. Prevent unauthorized su escalation, allowing only root and wheel group

<code>vim /etc/pam.d/su
auth required pam_wheel.so group=wheel
# or
auth required pam_wheel.so use_uid</code>

5. Disable ICMP echo requests

<code># runtime only, lost at reboot; persist with net.ipv4.icmp_echo_ignore_all = 1 in /etc/sysctl.conf
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all</code>

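6. Set the idle login timeout to 10 minutes

<code># applies to the current shell only; add the line to /etc/profile to cover every login shell
export TMOUT=600</code>

7. Terminate unauthorized login sessions

<code># list sessions and their terminals with `who` first, then kill everything on that terminal
pkill -9 -t pts/0</code>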

8. Configure firewalld to allow only essential ports

<code>firewall-cmd --zone=public --add-port=22/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload</code>
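
To confirm that the file-based settings from steps 1, 2 and 4 actually landed, a read-only audit can be run against `/` or against a copy of `/etc`. This is an added example, not part of the original article; the function names, the ROOT prefix argument and the sample tree are assumptions made for illustration.

```shell
# Added example (not the article's code); names and the ROOT prefix are assumptions.

# First active "Keyword value" line; sshd keeps the first value it reads.
sshd_value() {          # sshd_value FILE KEYWORD
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1" 2>/dev/null
}

# Every distinct value of KEY in login.defs; more than one is a conflict.
login_defs_values() {   # login_defs_values FILE KEY
    awk -v k="$2" '$1 == k { print $2 }' "$1" 2>/dev/null | sort -u | xargs
}

# Value of OPT= on the first uncommented line that loads MODULE with that option.
pam_opt() {             # pam_opt FILE MODULE OPT
    awk -v m="$2" -v o="$3=" '$1 !~ /^#/ && index($0, m) {
        for (i = 1; i <= NF; i++) if (index($i, o) == 1) { print substr($i, length(o) + 1); exit }
    }' "$1" 2>/dev/null
}

# "yes" when an uncommented auth line loads MODULE, otherwise "no".
pam_auth_has() {        # pam_auth_has FILE MODULE
    awk -v m="$2" '$1 == "auth" && index($0, m) { f = 1 } END { print (f ? "yes" : "no") }' "$1" 2>/dev/null
}

check() {               # check LABEL ACTUAL EXPECTED
    if [ "$2" = "$3" ]; then echo "PASS $1: $2"; return 0; fi
    echo "FAIL $1: got '${2:-unset}', want '$3'"; return 1
}
audit() {               # audit ROOT -> prints findings, returns the failure count
    fails=0
    check "PermitRootLogin" "$(sshd_value "$1/etc/ssh/sshd_config" PermitRootLogin)" no || fails=$((fails + 1))
    check "PASS_MIN_LEN" "$(login_defs_values "$1/etc/login.defs" PASS_MIN_LEN)" 8 || fails=$((fails + 1))
    check "pwquality minlen" "$(pam_opt "$1/etc/pam.d/system-auth" pam_pwquality.so minlen)" 8 || fails=$((fails + 1))
    check "su requires pam_wheel" "$(pam_auth_has "$1/etc/pam.d/su" pam_wheel.so)" yes || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample (not a real host): conflicting PASS_MIN_LEN, pam_wheel commented out.
make_sample() {         # make_sample DIR
    mkdir -p "$1/etc/ssh" "$1/etc/pam.d"
    printf '#PermitRootLogin yes\nPermitRootLogin no\n' > "$1/etc/ssh/sshd_config"
    printf 'PASS_MIN_LEN 8\nPASS_MIN_LEN 5\n' > "$1/etc/login.defs"
    printf 'password requisite pam_pwquality.so minlen=8 retry=4\n' > "$1/etc/pam.d/system-auth"
    printf '#auth required pam_wheel.so use_uid\n' > "$1/etc/pam.d/su"
}

demo=$(mktemp -d) && make_sample "$demo"
audit "$demo" || echo "$? setting(s) need attention"
rm -rf "$demo"
```

On a live host, `sshd -T` prints the effective sshd settings, including Include and Match handling that this file parser ignores.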

Windows Server Hardening

1. Change default RDP port (3389) to a non‑standard port

Modify the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp\PortNumber from 3389 to 5433 (decimal). Also update HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber to the same value, then reboot.

2. Disable anonymous enumeration of SAM accounts

In "Local Security Policy" → "Security Options", enable "Network access: Do not allow anonymous enumeration of SAM accounts".

3. Block access to Registry editing tools via Group Policy

Run gpedit.msc, navigate to User Configuration → Administrative Templates → System → "Prevent access to registry editing tools", and enable it.

4. Enable auditing for object access, directory service access, and system events (both success and failure)

In Local Policy → Audit Policy, enable "Audit Object Access", "Audit Directory Service Access", and "Audit System Events" for both success and failure.

5. Disable SMB (port 445) file and printer sharing

In Network Connections → Local Area Connection, uncheck "File and Printer Sharing for Microsoft Networks".

6. Require password protection on screen saver resume

Right‑click Desktop → Properties → Screen Saver, and enable "On resume, display logon screen".

7. Enforce Windows password policy: complexity, minimum length 8, maximum age 30 days

In Local Security Policy → Password Policy, set "Maximum password age" to 30, enable "Password must meet complexity requirements", and set "Minimum password length" to 8.

8. Configure account lockout: reset counter after 30 minutes, lockout duration 30 minutes, threshold 6 failed attempts

In Domain Security Policy → Account Lockout Policy, set "Reset account lockout counter after" to 30, "Account lockout duration" to 30, and "Account lockout threshold" to 6.

9. Enable Windows Firewall, disable ping, allow necessary services (RDP, HTTP, etc.)

Open Windows Firewall, check "Turn on Windows Firewall", go to Advanced settings, adjust ICMP settings, and add exceptions for HTTP and Remote Desktop.

10. Disable default system shares

Navigate to Computer Management → Services and Applications → Services, locate the "Server" service, and disable it.

These steps collectively strengthen the security posture of both Linux and Windows servers.

Written by

Ops Development Stories

Maintained by a like‑minded team, covering both operations and development. Topics span Linux ops, DevOps toolchain, Kubernetes containerization, monitoring, log collection, network security, and Python or Go development. Team members: Qiao Ke, wanger, Dong Ge, Su Xin, Hua Zai, Zheng Ge, Teacher Xia.
