This article will focus on real security hardening, for instance when most basics if not all, are already in place (see previous article: http://social.technet.microsoft.com/wiki/contents/articles/12432.general-security-advice-and-best-practices.aspx).

Obviously, the changes to be made on the systems to Harden may have a higher impact on applications and specific business environments, therefore testing before hardening is crucial and highly recommended.

Operational security hardening items

MFA for Privileged accounts  

Use dual factor authentication for privileged accounts, such as domain admin accounts, but also critical accounts (but also accounts having the SeDebug right). See http://technet.microsoft.com/fr-fr/library/ff404294(v=ws.10).aspx. You might also want to consider deploying smartcard logon for VPN: http://technet.microsoft.com/en-us/library/cc875840.aspx

Admin bastions

Harden security administration leveraging admin bastions: those machines are especially hardened, and the administrators first connects to the bastion, then from the bastion connects to the remote machine (server/equipment) to be administrated. Traceability can be enforced this way (even generic admin accounts could be linked to nominative accounts), as well as authentication (smart card logon to be used on the remote server). Great measure to defend against keylogging, pass-the-hash attack, and administrators potentially unwanted actions. (you might want to read this documentation: Implementing secure administrative hosts: http://technet.microsoft.com/en-us/library/dn487449.aspx )

Microsoft recommends the use of hardened, dedicated administrative workstations, which are known as Privileged Administrative Workstations ( for guidance see https://aka.ms/cyberpaw ). Bastion hosts, otherwise commonly known as jump servers, can not be considered secure unless the admin's session, from the keyboard all the way to the Exchange server, are protected and secured. If an Exchange Administrator's source workstation is compromised, and they attempt a session with a bastion or jump server, it is possible that an attacker can intercept, surveil and potentially hi jack the remote session.

EMET

Mitigate the risk of successful unpatched applications vulnerabilities exploitation with DEP, ALSR, SEHOP, etc (if applicable). Deploy the EMET: https://support.microsoft.com/en-us/kb/2458544 and set it up depending on the versions of Windows you're running.

OWA

 Harden Outlook Web App (OWA) access by publishing it through reverse proxies, and automatically deploy a component to check remote clients security. Windows Server WAP (see: https://technet.microsoft.com/en-us/library/dn584107%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396) could be an option: https://blogs.technet.microsoft.com/jrosen/2013/12/28/setting-up-windows-application-proxy-for-exchange-2013/

Antivirus

Run offline scans of antivirus, after a compromise and on a regular basis (sensitive machines). Here is an implementation example made of SCCM and System Sweeper: http://blogs.technet.com/b/configmgrteam/archive/2012/04/12/launching-a-windows-defender-offline-scan-with-configuration-manager-2012-osd.aspx

Network

Advance Threats

Deploy an anti-APT solution and other security measures to detect advanced attacks. You may want to have a look at Microsoft Advanced Threat Analytics.

 

Specific security guides/best practices to harden systems or environments

Windows Client

Windows Server

IIS

AD

O365

EMET

Other