
Why post-incident hardening differs
In a compromised environment, the attacker left persistence (Cobalt Strike Beacon, silent AnyDesk, created admin accounts, scheduled tasks, Kerberos golden ticket). Restoring without cleanup just reactivates these mechanisms. Post-incident hardening combines: full credential rotation, privilege review, persistence elimination, entry-vector closure and detection deployment. Without it, the attacker returns through the same door.
Mistakes that invalidate hardening
- 1. Restoring a pre-incident VM or backup without doing steps 1-3 first. A pre-incident backup may contain persistence, and pre-incident passwords/tickets remain valid until they are reset.
- 2. Applying hardening without re-verifying it 30 days later. Settings get reverted by automation or GPO. The hardening audit is a continuous process.
- 3. Skipping step 1 (KRBTGT reset). Without it, a golden ticket remains valid and the attacker returns undetected.
10-item checklist in sequence
- 1. Reset KRBTGT twice (24h apart)
  The KRBTGT account is the Kerberos master key. Resetting it invalidates all golden/silver tickets. A double (2×) reset is required by protocol design: the KDC still honors tickets encrypted with the previous KRBTGT key until the second reset pushes it out of the password history.
- 2. Reset all admin passwords
  Domain Admin, Enterprise Admin, and local admin accounts on every server. Do not trust pre-incident passwords.
- 3. Universal MFA on remote access
  RDP, VPN, RMM (Atera, ConnectWise), web panels. No exception.
- 4. Modern EDR on all servers
  CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint. Not free Windows Defender.
- 5. Critical patches applied
  Exchange, Fortinet, Citrix NetScaler, Cisco AnyConnect, VMware vCenter. Check CVEs from the last 24 months.
- 6. Disable SMBv1 on all hosts
  WannaCry and variants use it. Command: Set-SmbServerConfiguration -EnableSMB1Protocol $false on every host.
- 7. LSASS Protected Process Light (PPL)
  Prevents Mimikatz from dumping credentials. Registry: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL = 1 (a reboot is required for the setting to take effect).
- 8. Network segmentation
  Separate VLAN for servers, internal firewall rules denying lateral SMB/RDP traffic between workstations.
- 9. Mandatory immutable backup
  S3 Object Lock or Veeam Hardened Repository. Reinfection without an immutable backup is catastrophic.
- 10. Centralized logging + alerting
  Sentinel, Splunk or Wazuh. Without central logging, the next intrusion is invisible until encryption starts.
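Because settings drift back (mistake 2 above), the checklist is only useful if it is re-verified. The following PowerShell audit is an added example, not part of the original checklist or any vendor tool; it checks items 1, 6 and 7 on the host it runs on and assumes the ActiveDirectory RSAT module is available for the KRBTGT query. The 30-day KRBTGT age threshold is an assumed value, not from the page.

```powershell
# Added re-verification audit for checklist items 1, 6 and 7.
# Run elevated on a domain-joined server; re-run periodically (settings drift).
$findings = @()

# Item 1: KRBTGT reset. The page requires two resets; here we only flag a key
# that has not been rotated recently. 30 days is an assumed threshold.
try {
    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $age = (Get-Date) - $krbtgt.PasswordLastSet
    if ($age.TotalDays -gt 30) {
        $findings += "KRBTGT password last set $([int]$age.TotalDays) days ago; confirm the double reset was performed."
    }
} catch {
    $findings += "Could not query KRBTGT (ActiveDirectory module missing or no domain access): $_"
}

# Item 6: SMBv1 must be disabled on the server service.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += "SMBv1 is enabled; fix with: Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force"
}

# Item 7: LSASS must run as Protected Process Light. RunAsPPL = 1 per the page;
# newer builds may report 2 (UEFI-locked), which also means PPL is on.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($null -eq $lsa.RunAsPPL -or $lsa.RunAsPPL -lt 1) {
    $findings += "RunAsPPL is not set; LSASS is not protected (set to 1 and reboot)."
}

# Report: PASS only when nothing was flagged, so the output can feed a ticket or SIEM.
if ($findings.Count -eq 0) {
    Write-Output "PASS: items 1, 6 and 7 verified on ${env:COMPUTERNAME}"
} else {
    Write-Output "FAIL on ${env:COMPUTERNAME}:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Items 2-5 and 8-10 are not host-local settings and need inventory, patch-management or network checks instead; this script covers the three the page gives as concrete per-host values.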
FAQ
How long does full hardening take?
For a 50-200 server environment: 2-4 weeks with a dedicated team. Steps 1-3 can be done in 24-48h. The rest needs more maintenance windows.
Does KRBTGT reset break any application?
Typically no, if done correctly. Applications with a ticket cache may need a restart. Document the impact beforehand in a test environment.
Can I do hardening without being attacked?
Yes, and it is recommended. These 10 items are the baseline for any corporate Windows Server in 2026, not just post-incident. Skip the KRBTGT reset if there is no sign of compromise.
Is paid EDR worth it for SMB?
Yes. CrowdStrike Falcon Go or Microsoft Defender for Endpoint Plan 1 cost US$10-20/host/month, a massive defensive ROI compared to the impact of an attack.