• Pricing
  • Performance
  • About Us
PricingPerformanceAbout Us
Sign InSign Up
  • Pricing
  • Performance
  • About Us
PricingPerformanceAbout Us
Sign InSign Up
Sign InGet Started

High-Performance Cloud Infrastructure

Empowering businesses with enterprise-grade cloud solutions at competitive prices. Built for reliability and simplicity. Designed for growth.

SOC 2 Compliant
ISO 27001
99.9% Uptime

Stay Updated

1000+

Customers

15,000+

VMs Deployed

24/7

Human Support

Products

Build

  • Raff VM
  • Raff Windows VM
  • Raff AppsSoon
  • Kubernetes

Templates

  • Linux VM
  • Forex VM
  • n8n VM

Store

  • Raff S3
  • Raff DatabasesSoon

Support

  • Documentation
  • API Reference
  • CLI
  • Terraform Provider
  • Contact
  • FAQ
  • Status

Company

  • About
  • Pricing
  • Blog
  • Release Notes
  • Performance
  • Status

Account

  • Sign In
  • Sign Up
  • Reset Password

Legal

  • Terms of Service
  • Privacy Policy
  • Service Level Agreement
  • Acceptable Use Policy

© 2026 Raff Technologies. All rights reserved.

System Status
Security & hardening
Security & hardeningadvanced18 min read·Updated Apr 24, 2026

Windows Server Hardening Checklist: Secure Your VPS Before Production

Harden a Windows Server VPS before production with practical checks for accounts, RDP, firewall rules, Defender, audit logging, updates, and services.

Serdar Tekin
Serdar Tekin
Co-Founder & Head of Infrastructure
Genuine, fully-licensed Windows
Spin up a Windows Server: full admin, RDP-ready
Genuine Windows Server 2019, 2022, or 2025 with full administrator access. We handle the Microsoft licensing, billed monthly with nothing to buy upfront.
Deploy Windows NowLearn MoreTalk to Windows Engineer
PowerShell audit policy output showing Windows Server logon, account lockout, user management, and process creation audit settings.

In short

Windows Server hardening is the work you do before a VPS becomes production. Start with the controls that reduce the most risk: audit local administrators, enforce account lockout policy, keep Windows Firewall enabled, limit RDP exposure, confirm Microsoft Defender is active, enable useful audit logging, and remove unused services. This checklist is built for practical SMB Windows VPS workloads, not regulated enterprise environments with hundreds of compliance controls.

Quick checklist

AreaMinimum production check
AccountsReview local users and local Administrators group
PasswordsEnforce account lockout and strong password policy
RDPKeep RDP limited to admins and restrict source IPs where possible
FirewallKeep Windows Firewall enabled on all profiles
DefenderConfirm real-time, behavior, and script scanning are active
UpdatesPatch on a controlled schedule with snapshots
AuditingEnable logon, account lockout, user management, and process creation auditing
ServicesDisable services you do not need
BackupsSnapshot before major changes
DocumentationRecord what you changed and why

Do not apply every hardening setting blindly. Some controls can break applications, RDP access, authentication, printing, or management workflows. Snapshot first, then change one area at a time.

What we tested on Raff

We tested the audit and verification commands on a Raff Windows VPS running Windows Server 2025 Datacenter Evaluation.

PowerShell output showing a Raff Windows VPS running Windows Server 2025 Datacenter Evaluation with build number, CPU count, and memory details. Test environment:

ItemValue
ProviderRaff Technologies
OSWindows Server 2025 Datacenter Evaluation
Build26100
CPU4 vCPU
RAMApproximately 8 GB
Test date2026-05-24
TesterSerdar Tekin

On this VM, we verified:

  • Windows Server version and hardware details
  • Local users and Administrators group audit commands
  • Account policy status with net accounts
  • Firewall profile and RDP rule inspection
  • Microsoft Defender preference checks
  • Audit policy checks for logon, account lockout, user management, and process creation

We did not apply every hardening change on this test VM. Some changes should be applied only after taking a snapshot and confirming workload compatibility.

What you'll need

  • A Raff Windows VPS running Windows Server 2022 or Windows Server 2025
  • Local administrator access through RDP
  • A fresh snapshot before making hardening changes
  • 1-3 hours, depending on how many controls you apply
  • A maintenance window if the server is already in production

Before changing authentication, firewall, RDP, or service settings, take a snapshot from the Raff dashboard. Some changes are easy to undo. Some are not.

Apply hardening in this order

Use this order:

  1. Accounts and authentication
  2. RDP and firewall exposure
  3. Windows Update and Defender
  4. Auditing and logs
  5. Services and installed roles
  6. Final verification

This order matters. Account, RDP, and firewall mistakes create the fastest path to compromise. Audit and logging controls help you detect problems after the fact.

1. Audit local users and administrators

Start by reviewing who can sign in locally and who has administrator rights.

Run PowerShell as Administrator:

Powershell
Get-LocalUser | Select-Object Name, Enabled, LastLogon

Then check the local Administrators group:

Powershell
Get-LocalGroupMember -Group "Administrators" | Select-Object Name, ObjectClass

PowerShell output showing local users and members of the local Administrators group on a Windows Server VPS.

What to look for:

FindingAction
Unknown local admin accountInvestigate before disabling
Old test userDisable or remove
Guest account enabledDisable it
Shared admin accountReplace with named accounts
No recent logon dataVerify whether the account is still needed

For production, every admin account should have a reason to exist.

2. Disable the Guest account

The Guest account should not be enabled on a production Windows VPS.

Check it:

Powershell
Get-LocalUser Guest | Select-Object Name, Enabled

Disable it:

Powershell
Disable-LocalUser -Name "Guest"

This is safe for most VPS workloads. If an application depends on Guest access, that application design needs review.

3. Review the built-in Administrator account

The built-in Administrator account is a common brute-force target because attackers know the username.

You have two practical options:

OptionWhen to use
Keep it but use a strong passwordSimple environments with limited admins
Rename it and document the new nameBetter for production servers exposed to RDP

To rename it:

Powershell
Rename-LocalUser -Name "Administrator" -NewName "RaffAdmin01"

Do not run this casually on a production server unless your team knows the new admin username. Update documentation and password vault entries first.

4. Enforce account lockout policy

Account lockout slows down brute-force attempts against RDP and local accounts.

Check the current policy:

Powershell
net accounts

03-account-policy-status.png

A practical baseline for many SMB servers:

Powershell
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

This means:

SettingValue
Failed attempts before lockout5
Lockout duration30 minutes
Observation window30 minutes

Do not set the threshold too low. You can lock out real admins during busy support work.

5. Use a non-admin daily account

Do not use an administrator account for routine browsing, downloads, or daily work inside the server.

Create a standard user:

Powershell
$pw = Read-Host "Daily-user password" -AsSecureString New-LocalUser -Name "user.daily" -Password $pw -PasswordNeverExpires:$false

Use administrator rights only when needed. For servers used by multiple staff, pair this with RDS Session Host planning and proper user access design.

6. Keep Windows Firewall enabled

Windows Firewall should stay enabled on a VPS.

Check firewall profiles:

Powershell
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

Check RDP rules:

Powershell
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Select-Object DisplayName, Enabled, Direction, Action, Profile | Format-Table -AutoSize

04-firewall-and-rdp-status.png

Windows Firewall is a host-based firewall included with Windows and enabled by default on Windows editions. It helps filter traffic by profile, rule, application, port, and other conditions.

For production, keep the firewall enabled and open only the ports your workload needs.

7. Restrict RDP where possible

RDP is useful, but it should not be treated as a public front door.

If your office has a fixed IP, restrict RDP to that IP:

Powershell
Set-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)" -RemoteAddress "203.0.113.10/32"

Replace 203.0.113.10 with your actual office or VPN IP.

Before applying this, confirm your current public IP. If you set the wrong address, you can lock yourself out of RDP.

Safer options:

  • Restrict RDP to office IPs
  • Use a VPN or private access layer
  • Use named admin accounts
  • Use strong passwords
  • Monitor failed logons
  • Disable old test accounts

If you cannot restrict RDP by IP, at least keep the firewall enabled, use strong passwords, and review failed logon events.

Don’t have a server yet?

Deploy Windows NowLearn MoreTalk to Windows Engineer

8. Disable SMBv1

SMBv1 is legacy and should not be used on modern production Windows Server deployments.

Check SMBv1 server setting:

Powershell
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol

Disable SMBv1:

Powershell
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

Reboot during a maintenance window if Windows requires it.

9. Be careful with IPv6

Do not disable IPv6 just because you do not actively use it.

Microsoft warns that disabling IPv6 can cause issues with Windows components. Leave IPv6 enabled unless you have a documented reason and have tested the workload.

For most Raff Windows VPS customers, the practical rule is simple:

Do not touch IPv6 unless you know exactly why you are changing it.

10. Confirm Microsoft Defender status

Check Defender preferences:

Powershell
Get-MpPreference | Select-Object DisableRealtimeMonitoring, DisableBehaviorMonitoring, DisableScriptScanning

PowerShell output showing Microsoft Defender real-time, behavior, and script scanning settings on Windows Server.

For a healthy baseline, these should normally be False:

FieldHealthy meaning
DisableRealtimeMonitoringFalse means real-time monitoring is not disabled
DisableBehaviorMonitoringFalse means behavior monitoring is not disabled
DisableScriptScanningFalse means script scanning is not disabled

Update Defender signatures:

Powershell
Update-MpSignature -Verbose

Microsoft Defender Attack Surface Reduction rules can block common attacker behavior such as credential stealing from LSASS, Office child processes, and executable content from email or webmail. Test ASR rules before enforcing them on production workloads, especially servers running Office, ERP clients, scripts, or legacy applications.

11. Use Controlled Folder Access carefully

Controlled Folder Access can help protect important folders against ransomware-style behavior.

Example:

Powershell
Set-MpPreference -EnableControlledFolderAccess Enabled Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\BusinessData'

Do not enable it blindly on a production server. It can block legitimate applications that write to protected folders. Test first with your actual workload.

12. Enable useful audit policy

Audit policy determines what Windows records in the Security log.

Check key audit categories:

Powershell
auditpol /get /subcategory:"Logon" auditpol /get /subcategory:"Account Lockout" auditpol /get /subcategory:"User Account Management" auditpol /get /subcategory:"Process Creation"

06-audit-policy-status.png

For production, enable at least:

Powershell
auditpol /set /subcategory:"Logon" /success:enable /failure:enable auditpol /set /subcategory:"Logoff" /success:enable auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable auditpol /set /subcategory:"Process Creation" /success:enable

This gives you better visibility into sign-ins, failed logins, account changes, and process execution.

13. Increase event log size

Default log sizes can roll over quickly on busy servers.

Set larger log sizes:

Powershell
Limit-EventLog -LogName Security -MaximumSize 1GB Limit-EventLog -LogName System -MaximumSize 256MB Limit-EventLog -LogName Application -MaximumSize 256MB

This helps preserve useful evidence during troubleshooting or incident review.

14. Check failed logon attempts

Failed logons are one of the simplest signals to monitor on an internet-facing Windows VPS.

Check recent failed logons:

Powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-24)}

Group failed logons:

Powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-24)} | Group-Object {$_.Properties[5].Value} | Sort-Object Count -Descending | Select-Object Count, Name

If failed login attempts spike, review RDP exposure, firewall restrictions, account names, and password policy.

15. Enable PowerShell script block logging

PowerShell is powerful. That also makes it useful for attackers.

Enable script block logging:

Powershell
New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Force Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1

This helps preserve command activity for incident response.

16. Disable Print Spooler if the server does not print

Many VPS workloads do not need printing.

Check the service:

Powershell
Get-Service -Name Spooler

If the server does not print, disable it:

Powershell
Stop-Service -Name Spooler -Force Set-Service -Name Spooler -StartupType Disabled

Do not disable Print Spooler if the server provides printing, PDF workflows, or software that depends on it. Test first.

17. Review running services

List running services:

Powershell
Get-Service | Where-Object Status -eq 'Running' | Sort-Object Name | Format-Table Name, DisplayName

Do not disable services only because you do not recognize the name.

Use this process:

  1. Identify the service.
  2. Confirm whether Windows or your app needs it.
  3. Search Microsoft or vendor documentation.
  4. Disable only if you are confident.
  5. Reboot and test the workload.

18. Keep Windows Update controlled

Hardening is not a one-time action. Patch management is part of it.

Use a controlled process:

  • Check Windows release health.
  • Take a Raff snapshot.
  • Patch during a maintenance window.
  • Reboot intentionally.
  • Verify Windows and the application afterward.

For the full process, read Windows Update Strategy on Production Servers.

19. Snapshot before major changes

Before applying authentication, firewall, Defender, service, or audit changes, take a Raff snapshot.

Snapshot before:

  • Restricting RDP source IPs
  • Changing authentication settings
  • Disabling services
  • Applying security baselines
  • Enabling ASR or Controlled Folder Access
  • Large Windows Update cycles

A snapshot gives you a rollback path if the server stops working as expected.

20. Document every change

Keep a simple changelog.

Minimum fields:

FieldExample
Date2026-05-24
ChangeRestricted RDP to office IP
Command or settingSet-NetFirewallRule ...
ReasonReduce public RDP exposure
Tested byAdmin name
RollbackRestore previous rule or snapshot

Six months later, this record matters.

Recommended hardening order for SMB servers

Use this practical order:

PriorityAction
1Take a snapshot
2Audit users and administrators
3Set account lockout policy
4Keep Windows Firewall enabled
5Review RDP rules
6Confirm Defender is active
7Enable useful audit policy
8Increase event log sizes
9Disable unused services carefully
10Document changes

This gives you the biggest security improvement without turning the server into a fragile compliance project.

Common mistakes

Hardening without a snapshot

Do not start with authentication or firewall changes unless you have a rollback path.

Restricting RDP to the wrong IP

This can lock you out. Confirm your public IP first, and keep dashboard recovery available.

Disabling services too aggressively

Some services look unnecessary but support real workloads. Disable slowly and test.

Enabling Defender controls without testing apps

ASR rules and Controlled Folder Access can block legitimate business software. Test before enforcing.

Ignoring failed logons

Failed logons are an early warning. Review them regularly on internet-facing servers.

Treating compliance baselines as copy-paste scripts

Microsoft, DISA, CIS, and NIST baselines are valuable, but they are broader than a simple SMB VPS checklist. Apply them with planning.

What Raff recommends

For most Windows VPS customers, Raff recommends a practical baseline:

  • Snapshot before hardening.
  • Keep Windows Firewall enabled.
  • Restrict RDP where possible.
  • Use named admin accounts.
  • Remove old test users.
  • Confirm Defender is active.
  • Enable useful audit logging.
  • Patch on a controlled schedule.
  • Avoid exposing database and file-sharing ports publicly.
  • Document changes.

The goal is a server that is safer and still usable.

Tested on

Tested on Raff Windows VPS, Windows Server 2025 Datacenter Evaluation, build 26100, 4 vCPU, approximately 8 GB RAM, 2026-05-24. We verified local user and administrator audit commands, account policy status, firewall and RDP rule inspection, Microsoft Defender preference checks, and audit policy checks. We did not apply every hardening change on this test VM. Tester: [ENGINEER NAME].

What's next

  • Configure Windows Firewall on a Windows VPS - review firewall profiles, RDP rules, and custom inbound rules
  • Windows Update Strategy on Production Servers - patch Windows Server safely with snapshots and maintenance windows
  • Multi-User RDP: 2 Admin Sessions vs RDS Session Host - understand when default RDP is enough and when RDS is required
  • Raff Windows Server Hub - browse Windows Server guides, commands, compatibility notes, and version comparisons
  • Raff Windows VPS - deploy a Windows Server VPS for production workloads

Sources

  • Microsoft Learn - Windows Firewall overview
  • Microsoft Learn - Attack surface reduction rules reference
  • Microsoft Learn - Configure IPv6 in Windows
  • Microsoft Learn - Audit policy recommendations
  • Microsoft Learn - Security Compliance Toolkit
  • CIS Benchmarks - Microsoft Windows Server Benchmarks
  • CISA - Known Exploited Vulnerabilities Catalog
Was this article helpful?

Published April 24, 2026 · Updated April 24, 2026

Back to hub
Get started
Deploy a Windows Server

Genuine, fully-licensed Windows. Full admin, RDP-ready in ~2 minutes.

Deploy Windows Now
Full admin · RDP-ready · 14-day money-back
On this page
In shortQuick checklistWhat we tested on RaffWhat you'll needApply hardening in this order1. Audit local users and administrators2. Disable the Guest account3. Review the built-in Administrator account4. Enforce account lockout policy5. Use a non-admin daily account6. Keep Windows Firewall enabled7. Restrict RDP where possible8. Disable SMBv19. Be careful with IPv610. Confirm Microsoft Defender status11. Use Controlled Folder Access carefully12. Enable useful audit policy13. Increase event log size14. Check failed logon attempts15. Enable PowerShell script block logging16. Disable Print Spooler if the server does not print17. Review running services18. Keep Windows Update controlled19. Snapshot before major changes20. Document every changeRecommended hardening order for SMB serversCommon mistakesWhat Raff recommendsTested onWhat's nextSources
Ready when you are

Your Windows Server, live in ~2 minutes

Genuine, fully-licensed Windows with full admin and RDP. We handle the Microsoft licensing, billed monthly with nothing upfront. On NVMe SSD, backed by a 14-day money-back guarantee.

Deploy Windows Now
Learn MoreTalk to Windows Engineer

Related articles

security networkingWindows VPS Backup Strategy for Small BusinessesPlan a Windows VPS backup strategy for small business workloads with snapshots, backups, restore tests, app-aware recovery, and off-server copies.14 min read7/1/2026security networkingRemote Desktop Gateway vs Direct RDP on a Windows VPSCompare RD Gateway vs direct RDP on a Windows VPS for safer remote access, SMB users, RDS planning, firewall exposure, and security tradeoffs.15 min read7/1/2026Security & hardeningWindows Update Strategy on Production ServersUpdate Windows Server safely on a production VPS: snapshot first, patch on a controlled schedule, scan with PowerShell, and verify reboot state.9 min read5/24/2026