A Windows Server 2022 after using HardeningKitty to use the following standard to hardening:
CIS Microsoft Windows Server 2022 (Machine) (for 21H2 version)
Microsoft Security baseline for Windows Server 2022 (Member) (for 21H2 version)
Resolve the hardening on "Deny log on through Remote Desktop Services"
- Start | Run | Gpedit.msc if editing the local policy or chose the appropriate policy and edit it.
- Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment.
- Find and double click "Deny logon through Remote Desktop Services"
- Remove the "local account" group.
-
Find and double click "Deny access to this computer from the network"
- Remove the "local account and member of Administrators group".
- Click ok.
- Run gpupdate /force /target:computer for this setting to take effect.
Resolve the "Defender Firewall" being deny to disable, by using registry method.
Use the Registry method only, the other methods (Cmd, Powershell. Group Policy) has no effect after the hardening in the Windows Server.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall
Right-click the "WindowsFirewall" key, select the New menu, and choose the "Key" option.
Name the key StandardProfile and press Enter.
Right-click the "StandardProfile" key, select the New menu, and choose the "DWORD (32-bit) Value" option
Name the EnableFirewall name and press Enter.
Double-click the newly created key and set the value to "0".
Click the OK button.
Restart the server.
Once you complete the steps, reboot the server.
Reference:
Nessus Scan cannot scan a harden machine by HardeningKitty