1. Accounts and authentication

  • Disable the built-in Administrator account, or rename it and give it a strong, unique password.
  • Enforce MFA for remote access, VPN, and any admin console.
  • Follow least privilege: day-to-day accounts should not have local or domain admin rights.
  • Set an account lockout policy to slow down password-guessing attacks.
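The script below is an added example for this section, not code from the original post: it audits one Windows host against the four points above and, with -Apply, makes the changes. It is assumed to run in an elevated PowerShell 5.1 or later session; the replacement account name and lockout values are placeholders to adjust, and domain-joined hosts should get the lockout policy from Group Policy rather than from net accounts.

```powershell
# Added example: local account hardening audit/remediation for one host.
# Assumptions: elevated PowerShell 5.1+, LocalAccounts module present.
# 'LocalBreakGlass' and the lockout numbers are placeholders, not recommendations.

function Invoke-LocalAccountHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$NewAdminName = 'LocalBreakGlass',
        [int]$LockoutThreshold = 5,
        [int]$LockoutMinutes = 15,
        [switch]$Apply
    )

    # The built-in Administrator is found by its well-known RID (-500), not by
    # name, so an account that was already renamed is still identified.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    Write-Host ("Built-in Administrator: name='{0}' enabled={1}" -f $builtin.Name, $builtin.Enabled)

    # Least privilege: everyone holding local admin rights, so stray day-to-day
    # accounts can be spotted and removed.
    $admins = Get-LocalGroupMember -Group 'Administrators'
    Write-Host 'Members of local Administrators:'
    $admins | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

    if ($Apply) {
        if ($builtin.Name -ne $NewAdminName -and
            $PSCmdlet.ShouldProcess($builtin.Name, "Rename to $NewAdminName")) {
            Rename-LocalUser -SID $builtin.SID -NewName $NewAdminName
        }
        # Only disable the built-in account when another admin exists, otherwise
        # the host is left with no usable local administrator.
        $otherAdmins = $admins | Where-Object { $_.SID.Value -notlike '*-500' }
        if ($builtin.Enabled -and -not $otherAdmins) {
            Write-Warning 'No other Administrators member found; not disabling the built-in account.'
        } elseif ($builtin.Enabled -and $PSCmdlet.ShouldProcess($builtin.Name, 'Disable')) {
            Disable-LocalUser -SID $builtin.SID
        }
        # Local lockout policy (SAM only; use GPO for the domain).
        if ($PSCmdlet.ShouldProcess('Local security policy', 'Set lockout policy')) {
            net accounts "/lockoutthreshold:$LockoutThreshold" `
                         "/lockoutduration:$LockoutMinutes" `
                         "/lockoutwindow:$LockoutMinutes" | Out-Null
        }
    }

    # Show the effective lockout settings either way.
    net accounts | Select-String -Pattern 'Lockout'
}

# Audit only:
Invoke-LocalAccountHardening
# Preview the changes, then apply them:
# Invoke-LocalAccountHardening -Apply -WhatIf
# Invoke-LocalAccountHardening -Apply
```

Because the function supports ShouldProcess, -WhatIf shows every rename, disable and policy change before anything is touched; the guard around Disable-LocalUser is the step most often skipped when this is done by hand.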

2. Patch management

  • Apply security updates on a regular, defined schedule — don't let "later" become "never."
  • Prioritize internet-facing servers and anything running outdated, unsupported Windows versions.
  • Patch third-party software too (browsers, PDF readers, Java) — not just Windows itself.
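To confirm patching is actually happening rather than assuming it, here is an added check (not part of the original post) that reports the age of the last Windows update on a host, whether a reboot is still pending, and which third-party products are installed. It assumes PowerShell 5.1+; the 30-day threshold and the product-name pattern are placeholders. Get-HotFix only covers Windows updates, which is why the separate inventory of third-party software is included.

```powershell
# Added example: patch status check for one host (run remotely with Invoke-Command).
# Assumptions: PowerShell 5.1+; 30-day threshold and the name pattern are placeholders.

function Get-PatchStatus {
    param([int]$MaxAgeDays = 30)

    $os = Get-CimInstance Win32_OperatingSystem
    # Some QFE entries have no InstalledOn date, so filter those out before sorting.
    $latest = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age = if ($latest) { (Get-Date) - $latest.InstalledOn } else { $null }

    # Either key being present means an update is waiting on a reboot.
    $rebootPending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
                     (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        OS            = $os.Caption
        Build         = $os.Version
        LastHotFix    = if ($latest) { $latest.HotFixID } else { 'none' }
        LastPatchDate = if ($latest) { $latest.InstalledOn } else { $null }
        DaysSince     = if ($age) { [int]$age.TotalDays } else { $null }
        Overdue       = (-not $age) -or ($age.TotalDays -gt $MaxAgeDays)
        RebootPending = $rebootPending
    }
}

function Get-ThirdPartyInventory {
    # Installed-product names and versions from both 32- and 64-bit uninstall keys;
    # feed this list to your vulnerability scanner or compare against vendor releases.
    param([string]$NamePattern = 'Java|Adobe|Chrome|Firefox|7-Zip')
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $NamePattern } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

Get-PatchStatus
Get-ThirdPartyInventory | Format-Table -AutoSize
```

Against a list of servers, Invoke-Command -ComputerName $servers -ScriptBlock ${function:Get-PatchStatus} returns one row per host, and sorting on DaysSince gives the "prioritize internet-facing and outdated" list from the bullets above.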

3. Reduce the attack surface

  • Disable unused services and roles (e.g. SMBv1, legacy protocols).
  • Remove software nobody uses — every installed application is potential attack surface.
  • Restrict and monitor PowerShell where possible (constrained language mode, script block logging).
  • Disable AutoRun/AutoPlay for removable media.
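As an added example for the items in this section (not the original post's code), the following reports the current state of SMBv1, script block logging and AutoRun on a host and applies a baseline with -WhatIf support. It assumes an elevated PowerShell 5.1+ session. Constrained language mode is not set here because it is properly enforced through an AppLocker or WDAC policy rather than a single setting.

```powershell
# Added example: attack-surface status and baseline for one host.
# Assumptions: elevated PowerShell 5.1+; registry paths are the documented policy keys.

function Get-AttackSurfaceStatus {
    $smb     = Get-SmbServerConfiguration
    $sbl     = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
    $autorun = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SMB1Enabled          = $smb.EnableSMB1Protocol
        SMBSigningRequired   = $smb.RequireSecuritySignature
        ScriptBlockLogging   = ($sbl.EnableScriptBlockLogging -eq 1)
        AutoRunDisabledAll   = ($autorun.NoDriveTypeAutoRun -eq 0xFF)
        # Every running auto-start service is a candidate for the "unused services" review.
        AutoStartRunning     = (Get-Service | Where-Object { $_.Status -eq 'Running' -and $_.StartType -eq 'Automatic' }).Count
    }
}

function Set-AttackSurfaceBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess('SMB server', 'Disable SMBv1')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Remove the feature binaries too; the cmdlet differs between Server and client SKUs.
        if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
            Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null
        } else {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }

    if ($PSCmdlet.ShouldProcess('PowerShell', 'Enable script block logging')) {
        $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
        New-Item -Path $path -Force | Out-Null
        Set-ItemProperty -Path $path -Name EnableScriptBlockLogging -Type DWord -Value 1
    }

    if ($PSCmdlet.ShouldProcess('Explorer', 'Disable AutoRun for all drive types')) {
        $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        New-Item -Path $path -Force | Out-Null
        # 0xFF disables AutoRun on every drive type, removable media included.
        Set-ItemProperty -Path $path -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
    }
}

Get-AttackSurfaceStatus
# Set-AttackSurfaceBaseline -WhatIf
# Set-AttackSurfaceBaseline
```

Script block logging writes to Microsoft-Windows-PowerShell/Operational (event 4104), so this setting only pays off once that log is forwarded along with the Security log covered in section 5.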

4. Remote access

  • Never expose RDP directly to the internet — require a VPN with MFA first.
  • Change the default RDP port only as a minor deterrent, not a real control (it doesn't replace MFA/VPN).
  • Limit which accounts and IP ranges can use remote access.
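The following is an added example for this section, not the original post's code: it requires Network Level Authentication, scopes the built-in Remote Desktop firewall rules to a VPN address range, restricts the Remote Desktop Users group to one named group, and reports any inbound rule that still allows TCP 3389 from anywhere. The VPN range 10.20.0.0/24 and the group CORP\RDP-Admins are assumptions to replace with your own; an elevated PowerShell 5.1+ session is assumed.

```powershell
# Added example: restrict Remote Desktop on one host.
# Assumptions: elevated PowerShell 5.1+; the VPN range and group name are placeholders.

function Set-RemoteDesktopRestriction {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$AllowedSources  = @('10.20.0.0/24'),    # placeholder: VPN address pool
        [string[]]$AllowedAccounts = @('CORP\RDP-Admins')  # placeholder: group allowed to RDP
    )

    # 1. Require NLA so credentials are validated before a session is built.
    $tsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    if ($PSCmdlet.ShouldProcess('RDP-Tcp', 'Require Network Level Authentication')) {
        Set-ItemProperty -Path $tsPath -Name UserAuthentication -Type DWord -Value 1
    }

    # 2. Scope the built-in Remote Desktop firewall rules to the VPN range only.
    if ($PSCmdlet.ShouldProcess('Remote Desktop firewall rules', "Limit sources to $($AllowedSources -join ', ')")) {
        Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
            Set-NetFirewallRule -RemoteAddress $AllowedSources -Enabled True
    }

    # 3. Make Remote Desktop Users contain exactly the allowed accounts.
    # Note: members of Administrators can always RDP regardless of this group,
    # which is one more reason to keep that group small (section 1).
    $current = @(Get-LocalGroupMember -Group 'Remote Desktop Users')
    foreach ($m in $current) {
        if ($AllowedAccounts -notcontains $m.Name -and
            $PSCmdlet.ShouldProcess($m.Name, 'Remove from Remote Desktop Users')) {
            Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $m.Name
        }
    }
    foreach ($a in $AllowedAccounts) {
        if ($current.Name -notcontains $a -and
            $PSCmdlet.ShouldProcess($a, 'Add to Remote Desktop Users')) {
            Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $a
        }
    }
}

function Test-RdpExposure {
    # One row per enabled inbound allow rule on TCP 3389; OpenToAny is the finding.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
        ForEach-Object {
            $addr = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
            [pscustomobject]@{
                Rule          = $_.DisplayName
                RemoteAddress = ($addr -join ',')
                OpenToAny     = ($addr -contains 'Any')
            }
        }
}

Test-RdpExposure | Format-Table -AutoSize
# Set-RemoteDesktopRestriction -WhatIf
# Set-RemoteDesktopRestriction
```

Test-RdpExposure is the check to run after any firewall change: a rule added outside the Remote Desktop group, for example by an installer, still shows up because it filters on the port rather than the rule name. The host firewall is a backstop here; the control the bullet above calls for is that 3389 is not reachable from the internet at all.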

5. Logging and monitoring

  • Enable audit logging for logons, account changes, and privilege use.
  • Forward logs to a central location (even a simple log server) so they survive if a host is compromised.
  • Review logs for repeated failed logons, new admin accounts, or logons at unusual hours.
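As an added example for the review step (not code from the original post), this queries the Security log for the three patterns named above: repeated failed logons per account and source, interactive or RDP logons outside working hours, and new accounts or additions to admin-named groups. It assumes the audit categories from the first bullet are enabled (Logon/Logoff and Account Management), PowerShell 5.1+, and read access to the Security log; the thresholds and the 07:00 to 19:00 working window are placeholders.

```powershell
# Added example: review the Security log for the patterns in this section.
# Assumptions: audit policy enabled; thresholds and working hours are placeholders.

function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    # Read a named field from the event XML rather than Properties[N]; the
    # positions differ between event IDs, the names do not.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

function Find-SuspiciousLogonActivity {
    param(
        [int]$Hours = 24,
        [int]$FailedThreshold = 10,
        [int]$WorkdayStart = 7,
        [int]$WorkdayEnd = 19
    )
    $since = (Get-Date).AddHours(-$Hours)
    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    $q = @{ LogName = 'Security'; StartTime = $since }
    $failed  = @(Get-WinEvent -FilterHashtable ($q + @{ Id = 4625 }) -ErrorAction SilentlyContinue)
    $success = @(Get-WinEvent -FilterHashtable ($q + @{ Id = 4624 }) -ErrorAction SilentlyContinue)
    $created = @(Get-WinEvent -FilterHashtable ($q + @{ Id = 4720 }) -ErrorAction SilentlyContinue)
    $groups  = @(Get-WinEvent -FilterHashtable ($q + @{ Id = 4728, 4732, 4756 }) -ErrorAction SilentlyContinue)

    # 1. Repeated failures grouped by account and source address.
    $failed | ForEach-Object {
        [pscustomobject]@{ User = Get-EventField $_ 'TargetUserName'; Source = Get-EventField $_ 'IpAddress' }
    } | Group-Object User, Source | Where-Object Count -ge $FailedThreshold | ForEach-Object {
        [pscustomobject]@{ Finding = 'RepeatedFailedLogon'; Count = $_.Count; Detail = $_.Name }
    }

    # 2. Interactive (type 2) or RemoteInteractive/RDP (type 10) logons off hours.
    $success | Where-Object {
        $type = Get-EventField $_ 'LogonType'
        ($type -in '2', '10') -and
        ($_.TimeCreated.Hour -lt $WorkdayStart -or $_.TimeCreated.Hour -ge $WorkdayEnd)
    } | ForEach-Object {
        [pscustomobject]@{
            Finding = 'OffHoursLogon'; Count = 1
            Detail  = '{0} from {1} at {2}' -f (Get-EventField $_ 'TargetUserName'), (Get-EventField $_ 'IpAddress'), $_.TimeCreated
        }
    }

    # 3. Account creation and membership changes to admin-named groups.
    $created | ForEach-Object {
        [pscustomobject]@{
            Finding = 'AccountCreated'; Count = 1
            Detail  = '{0} created by {1}' -f (Get-EventField $_ 'TargetUserName'), (Get-EventField $_ 'SubjectUserName')
        }
    }
    $groups | Where-Object { (Get-EventField $_ 'TargetUserName') -match 'Admin' } | ForEach-Object {
        [pscustomobject]@{
            Finding = 'AdminGroupChange'; Count = 1
            Detail  = '{0} added to {1} by {2}' -f (Get-EventField $_ 'MemberName'), (Get-EventField $_ 'TargetUserName'), (Get-EventField $_ 'SubjectUserName')
        }
    }
}

Find-SuspiciousLogonActivity | Format-Table -AutoSize
```

Pointing Get-WinEvent at a collector with -ComputerName, or at the forwarded-events log on a log server, runs the same review across hosts; that is where the second bullet matters, since an attacker who clears the local Security log cannot clear the copy already shipped off the box.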

6. Backups and recovery

  • Keep backups isolated from the domain — ransomware often targets backup systems specifically.
  • Test restoring from backup on a schedule, not just when disaster strikes.

Highest-impact first: enforce MFA on remote access, get RDP off the public internet, and confirm patching is actually happening on a schedule. Those three changes stop the majority of real-world Windows compromises we see.

Want an independent review?

A vulnerability assessment or internal network audit checks these settings across your environment and gives you a ranked list of what to fix first.
