Essential Linux & Windows System Hardening Steps for Strong Security

This guide details practical hardening techniques for Linux and Windows servers, covering SSH configuration, password policies, account lockout, su restrictions, ICMP suppression, firewall rules, RDP port changes, security policies, and disabling vulnerable services to significantly improve system security.

Ops Development Stories

Linux System Hardening

1. Modify SSH configuration to prohibit direct root login

vim /etc/ssh/sshd_config
PermitRootLogin no
systemctl restart sshd

2. Adjust password policy to enforce a minimum length of 8 characters

vim /etc/login.defs
PASS_MIN_LEN 8

Other related policies

PASS_MAX_DAYS 99999   # password maximum validity (permanent)
PASS_MIN_DAYS 0       # allow immediate password change
PASS_MIN_LEN 5       # (deprecated when using pam_pwquality)
PASS_WARN_AGE 7       # days before expiration to warn user

The login.defs values above are not strictly enforced. To enforce the minimum password length, set minlen for pam_pwquality:

vim /etc/pam.d/system-auth
password requisite pam_pwquality.so minlen=8 try_first_pass local_users_only retry=4

3. Lock account for 5 minutes after three failed login attempts

vim /etc/pam.d/system-auth
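# deny=3: refuse logins once three failures are recorded; unlock_time=300: lift the lock after 300 seconds
auth required pam_tally2.so deny=3 unlock_time=300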

Unlock a user

# pam_tally2 -r -u test1
Login           Failures Latest failure     From
test1               1    04/21/20 22:37:54  pts/4

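To apply the same lockout to remote SSH logins, edit /etc/pam.d/sshd in the same way:

vim /etc/pam.d/sshd
# deny=3: refuse logins once three failures are recorded; unlock_time=300: lift the lock after 300 seconds
auth required pam_tally2.so deny=3 unlock_time=300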

4. Restrict su so that only root and members of the wheel group can use it

vim /etc/pam.d/su
auth required pam_wheel.so group=wheel
# or
auth required pam_wheel.so use_uid

5. Disable ICMP echo requests

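echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

This takes effect immediately but is lost at reboot unless the same value is also set through sysctl configuration.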

6. Set the idle session timeout to 10 minutes

export TMOUT=600

7. Terminate unauthorized login sessions

pkill -9 -t pts/0

8. Configure firewalld to allow only essential ports

firewall-cmd --zone=public --add-port=22/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload
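
To confirm that steps 1, 2, 4 and 5 are actually in effect after editing, a read-only audit can parse the same files. This is an added example, not part of the original article; the ROOT variable and the function names are assumptions of the example, and the sample files it builds are constructed.

```bash
# Added example. ROOT (assumed name) prefixes every path so checks can run on a copy.

# Step 1: sshd keeps the first value read; keywords are case-insensitive.
check_root_login() {
  local v
  v=$(awk 'tolower($1)=="permitrootlogin"{print $2; exit}' "$ROOT/etc/ssh/sshd_config" 2>/dev/null)
  [ "$v" = "no" ]
}

# Step 2: an active pam_pwquality password line with minlen >= 8.
check_minlen() {
  local n
  n=$(grep -E '^[[:space:]]*password[[:space:]].*pam_pwquality\.so' \
      "$ROOT/etc/pam.d/system-auth" 2>/dev/null |
      grep -oE 'minlen=[0-9]+' | head -n1 | cut -d= -f2)
  [ -n "$n" ] && [ "$n" -ge 8 ]
}

# Step 4: an active "auth required pam_wheel.so" line in /etc/pam.d/su.
check_su_wheel() {
  grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' \
    "$ROOT/etc/pam.d/su" 2>/dev/null
}

check_icmp() {  # step 5: the running kernel value must be 1
  [ "$(cat "$ROOT/proc/sys/net/ipv4/icmp_echo_ignore_all" 2>/dev/null)" = "1" ]
}

audit() {  # prints PASS/FAIL per check; returns 1 if any check fails
  local rc=0 c
  for c in check_root_login check_minlen check_su_wheel check_icmp; do
    if "$c"; then echo "PASS $c"; else echo "FAIL $c"; rc=1; fi
  done
  return "$rc"
}

make_fixture() {  # constructed sample files, not taken from a real host
  local d; d=$(mktemp -d)
  mkdir -p "$d/etc/ssh" "$d/etc/pam.d" "$d/proc/sys/net/ipv4"
  printf '#PermitRootLogin yes\nPermitRootLogin no\n' >"$d/etc/ssh/sshd_config"
  echo 'password requisite pam_pwquality.so minlen=8 retry=4' >"$d/etc/pam.d/system-auth"
  echo 'auth required pam_wheel.so use_uid' >"$d/etc/pam.d/su"
  echo 1 >"$d/proc/sys/net/ipv4/icmp_echo_ignore_all"
  echo "$d"
}
# ROOT unset: use the constructed tree. ROOT= (empty) audits the live host.
[ -n "${ROOT+set}" ] || ROOT=$(make_fixture)
audit
```

The sshd check reads only the main sshd_config; on a live host, `sshd -T` prints the effective settings after Include files and Match handling.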

Windows Server Hardening

1. Change default RDP port (3389) to a non‑standard port

Modify the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp\PortNumber

from 3389 to 5433 (decimal). Also update

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

to the same value, then reboot.

2. Disable anonymous enumeration of SAM accounts

In "Local Security Policy" → "Security Options", enable "Network access: Do not allow anonymous enumeration of SAM accounts".

3. Block access to Registry editing tools via Group Policy

Run gpedit.msc, navigate to User Configuration → Administrative Templates → System → "Prevent access to registry editing tools", and enable it.

4. Enable auditing for object access, directory service access, and system events (both success and failure)

In Local Policy → Audit Policy, enable "Audit Object Access", "Audit Directory Service Access", and "Audit System Events" for both success and failure.

5. Disable SMB (port 445) file sharing

In Network Connections → Local Area Connection, uncheck "File and Printer Sharing for Microsoft Networks".

6. Require password protection on screen saver resume

Right‑click Desktop → Properties → Screen Saver, and enable "On resume, display logon screen".

7. Enforce Windows password policy: complexity, minimum length 8, maximum age 30 days

In Local Security Policy → Password Policy, set "Maximum password age" to 30, enable "Password must meet complexity requirements", and set "Minimum password length" to 8.

8. Configure account lockout: reset counter after 30 minutes, lockout duration 30 minutes, threshold 6 failed attempts

In Domain Security Policy → Account Lockout Policy, set "Reset account lockout counter after" to 30, "Account lockout duration" to 30, and "Account lockout threshold" to 6.

9. Enable Windows Firewall, disable ping, allow necessary services (RDP, HTTP, etc.)

Open Windows Firewall, check "Turn on Windows Firewall", go to Advanced settings, adjust ICMP settings, and add exceptions for HTTP and Remote Desktop.

10. Disable default system shares

Navigate to Computer Management → Services and Applications → Services, locate the "Server" service, and disable it.

These steps collectively strengthen the security posture of both Linux and Windows servers.

Written by

Ops Development Stories

Maintained by a like‑minded team, covering both operations and development. Topics span Linux ops, DevOps toolchain, Kubernetes containerization, monitoring, log collection, network security, and Python or Go development. Team members: Qiao Ke, wanger, Dong Ge, Su Xin, Hua Zai, Zheng Ge, Teacher Xia.
