This document provides instructions for hardening Windows servers to improve security. It describes removing unnecessary roles and services, configuring the Windows firewall, applying security baselines, and resetting passwords. The lab is divided into three sections - the first involves manually hardening a server, the second applies what was learned with alternative methods, and the third involves independent challenges. Upon completing the lab, students will have hands-on experience hardening Windows servers in various ways to reduce vulnerabilities and unauthorized access. Screenshots and descriptions of the configuration changes are required deliverables.

1. Creating a Scheduled Backup and Replicating System Folders
Introduction
Disaster recovery (DR) and business continuity (BC) are key
elements in any security program. While not the responsibility
of a security practitioner, DR and BC plans should exist for all
information systems in an organization, and system backups are
traditionally the cornerstone of every disaster recovery plan.
With the advent of virtualization, many organizations are
moving away from traditional server backups and instead
relying on cloning and redundancy for their backup and
recovery needs. Regardless, traditional file and folder backups
still play an important role.
If traditional server backups are used, they should be configured
to meet the needs of defined organizational policies and data
classification standards. In common practice, incremental data
backups occur daily for data stored that day, while complete
system backups may be scheduled weekly. In addition, the
backup strategy for many organizations includes a process for
moving data that has been backed up to an offsite vault for safe
keeping. One popular backup strategy is nicknamed the “son-
father-grandfather” backup strategy, where the “son” is the
daily/nightly backup, the “father” is a weekly backup, and the
“grandfather” is a monthly backup of the system. Often, the
father backup is graduated to grandfather status and is kept off-
site for safekeeping in case of a disaster at the main site.
The Windows Distributed File System (DFS) can be used to
replicate files, folders, and data across many servers
automatically. There are two main types of full server backups:
bare metal and cloning. Bare metal backups allow a server to be
restored on new hardware (or virtual hardware). Clones are
copies of virtual servers that can be kept offline until they are

2. needed.
There are four kinds of data backups:
· Full: Full backups backup all data, even if it has not changed.
· Incremental: Incremental backups backup only changed files.
· Differential: Differential backups backup all files that have
changed since the last full backup.
· Mirror: Mirror backups copy all data from one location to
another redundant location.
In this lab, you will install the Windows Distributed File
System and Windows Server Backup features from the
PowerShell command line. You will schedule a daily backup of
the C:ERPdocuments folder on the TargetWindows01 server
and replicate this backup to the TargetWindows02 server using
the DFS Replication feature.
Lab Overview
Each section of this lab is assigned at your instructor’s
discretion. Please consult your instructor to confirm which
sections you are required to complete for your lab assignment.
SECTION 1 of this lab has three parts, which should be
completed in the order specified.
1. In the first part of the lab, you will install the Distributed
File System (DFS) and configure the network shares required
for data replication.
2. In the second part of the lab, you will use the DFS
Management console to configure DFS to create a mirror backup
of the C:Archive folder on the TargetWindows01 server.

3. 3. In the third part of the lab, you will install Windows Server
Backup on a Windows Server 2019 machine and schedule a
backup of the ERPdocuments folder and its sub-folders.
SECTION 2 of this lab allows you to apply what you learned in
SECTION 1 with less guidance and different deliverables, as
well as some expanded tasks and alternative methods. You will
also use PowerShell commands to configure DFS and create a
script that will back up the specified folders.
Finally, if assigned by your instructor, you will explore the
virtual environment on your own in SECTION 3 of this lab to
answer a set of questions and challenges that allow you to use
the skills you learned in the lab to conduct independent,
unguided work, similar to what you will encounter in a real-
world situation.
Learning Objectives
Upon completing this lab, you will be able to:
1. Install Microsoft’s Distributed File System (DFS) on a
Windows Server 2019 machine
2. Configure DFS to replicate data from a Windows Server 2019
machine
3. Install Windows Server Backup from PowerShell
4. Schedule a backup using Windows Server Backup on a
Windows Server 2019 machine
5. Verify DFS replication on a Windows Server 2019 machine
6. Section 2: Use PowerShell to configure DFS.
7. Section 2: Schedule a backup using a robocopy script.
Topology
This lab contains the following virtual machines. Please refer to
the network topology diagram below.
· TargetWindows01 (Windows Server 2019) [Domain

4. Controller]
· TargetWindows02 (Windows Server 2019)
Tools and Software
The following software and/or utilities are required to complete
this lab. Students are encouraged to explore the Internet to learn
more about the products and tools used in this lab.
· Windows Distributed File System (DFS)
· Windows PowerShell
· Windows Server Backup
Deliverables
Upon completion of this lab, you are required to provide the
following deliverables to your instructor:
SECTION 1:
1. Lab Report file including screen captures of the following;
· successful DFS and net share commands on TargetWindows01;
· successful DFS and net share commands on TargetWindows02;
· Review Settings and Create Namespace page;
· Confirmation page;
· Namespace entries;
· successful backup schedule on the Summary page;
· contents of the backup folder on TargetWindows01;
· contents of the backup folder on TargetWindows02;
2. Any additional information as directed by the lab:
· none;

5. SECTION 2:
1. Lab Report file including screen captures of the following:
· net share results on TargetWindows01;
· net share results on TargetWindows02;
· new namespace in the DFS Management console;
· completed Robocopy script;
· contents of the Section2 folder on the TargetWindows01
server;
· contents of the Section2 folder on the TargetWindows02
server;
2. Any additional information as directed by the lab:
· none.
SECTION 3:
1. Analysis and Discussion
2. Tools and Commands
3. Challenge Exercise
Section 1: Hands-On Demonstration
Part 1: Install Windows DFS and Create Network Shares

6. 13. Make a screen capture showing the successful DFS and net
share commands on TargetWindows01 and paste it into the Lab
Report file.
19. Make a screen capture showing the successful DFS and net
share commands on TargetWindows02 and paste it into the Lab
Report file.
Part 2: Configure DFS
8. Make a screen capture showing the Review Settings and
Create Namespace page and paste it into your Lab Report file.
26. Make a screen capture showing the Confirmation page and
paste it into your Lab Report file.
29. Make a screen capture showing the Namespace entries and
paste it into the Lab Report file.
Part 3: Install and Configure Windows System Backup
18. Make a screen capture showing the successful backup
schedule on the Summary page and
paste it into the Lab Report file.
28. Make a screen capture showing the contents of the backup
folder on TargetWindows01 and
paste this into your Lab Report file.

7. 33. Make a screen capture showing the contents of the backup
folder on TargetWindows02 and
paste this into your Lab Report file.
Section 2: Applied Learning
Part 1: Install Windows DFS and Create Network Shares
8. Make a screen capture showing the net share results on
TargetWindows01 and paste it into the Lab Report file.
13. Make a screen capture showing the net share results on
TargetWindows01 and paste it into the Lab Report file.
Part 2: Configure DFS
12. Make a screen capture showing the new namespace in the
DFS Management console and
paste it into your Lab Report.
Part 3: Create and Execute a Robocopy Script
9. Make a screen capture showing the completed Robocopy
script and paste it into your Lab Report file.
16. Make a screen capture showing the contents of the Section2
folder on the TargetWindows01 server and paste it into your
Lab Report file.

8. 19. Make a screen capture showing the contents of the Section2
folder on the TargetWindows02 server and paste it into your
Lab Report file.
Section 3: Challenge and Analysis
Note: The following challenge questions are provided to allow
independent, unguided work, similar to what you will encounter
in a real situation. You should aim to improve your skills by
getting the correct answer in as few steps as possible. Use
screen captures in your lab document where possible to
illustrate your answers.
Part 1: Analysis and Discussion
In Section 2 of this lab, you used Robocopy in the script to copy
files from one remote machine to another. Robocopy was
selected because it is native to Windows and is a robust tool
with a variety of switches for customizing the command line.
Use the Internet to research an alternative to Robocopy that
could be used in the script. Explain your choice.
Answers will be unique to each student. Alternative products
can be found by searching for “Robocopy alternatives”. Not all
alternatives will be able to match the robust options.
Part 2: Tools and Commands
Use the Internet to research Robocopy switches and then
construct a command line that will use Robocopy to copy files
in restart mode from a source to a destination mirroring the
folder structure and using FAT file times. The command should
retry the copy in case of a failed attempt.
robocopy sourcedrive:path destinationdrive:path /MIR /FFT
/R:3 /W:10 /Z
Part 3: Challenge Exercise
Use the Internet to research the alternative product you

9. identified in the Analysis and Discussion question and then
construct a command that would replace the Robocopy
command in the script used in Section 2 of this lab.
Hardening Windows Systems for Security Compliance
Introduction
Hardening a computer is the process of identifying as many of
its vulnerabilities as possible and implementing
countermeasures to those vulnerabilities. Countermeasures to
vulnerabilities can take on many different forms. Some
countermeasures are technical controls that protect a vulnerable
asset, while other countermeasures simply remove the
vulnerability.
Windows Server operating systems install various default
features that could increase the computer’s attack surface. One
of the first steps in hardening any Windows computer is to
consider what its purpose will be and then only install the
minimum features and services that it needs to carry out its
purpose. However, you can’t always install the minimum
features. In some cases, you’ll need to circle back after
installation and disable or remove items that were added during
installation. Fortunately, Microsoft publishes online
documentation that provides guidance to security administrators
on potentially unneeded services and helps reduce the attack
surface of Windows computers. You can use this documentation
to determine if any services present on a Windows computer
should be disabled or removed.
Security administrators will also need to harden the servers
using Windows Firewall to eliminate other network access
methods. The Windows Firewall with Advanced Security
configuration option allows more granular control over inbound
and outbound traffic based on ports, programs, IP addresses,
computers, users, and more.
In this lab, you will examine the installed roles and services of
a Windows Server 2016 computer and identify features that you
really don’t need. You’ll remove an entire role, which includes
multiple services, and then disable additional services to harden

10. your server. You will then use the built-in Windows Firewall to
prevent unauthorized access to the server.
Lab Overview
Each section of this lab is assigned at your instructor’s
discretion. Please consult your instructor to confirm which
sections you are required to complete for your lab assignment.
SECTION 1 of this lab has three parts, which should be
completed in the order specified.
1. In the first part of the lab, you will manually harden the
security posture of a Windows Server 2016 machine by
removing an unnecessary server role.
2. In the second part of the lab, you will manually harden the
security on a Windows Server 2016 machine by disabling
unnecessary services.
3. In the last part of the lab, you will manually harden the
security on a Windows Server 2016 machine by changing the
internal firewall configuration.
SECTION 2 of this lab allows you to apply what you learned in
SECTION 1 with less guidance and different deliverables, as
well as some expanded tasks and alternative methods. You will
import a security baseline GPO from the Security Compliance
Toolkit, reset the DSRM password on TargetWindows01, and
use the Windows Defender Firewall with Advanced Security to
edit Inbound Rules.
Finally, you will explore the virtual environment on your own
in SECTION 3 of this lab. You will answer questions and
complete challenges that allow you to use the skills you learned
in the lab to conduct independent, unguided work, similar to
what you will encounter in a real-world situation.
Learning Objectives
Upon completing this lab, you will be able to:
1. Define system hardening as it applies to securing Windows

11. Server Operating Systems
2. Harden Windows Server 2016 by using the Windows Security
Manager to remove roles
3. Harden Windows Server 2016 by stopping and disabling
services to optimize performance and security
4. Harden Windows Server 2016 by activating the Windows
Firewall
5. Section 2: Harden Windows Server 2019 by using security
baselines to create new Group Policy Objects
6. Section 2: Harden a Domain Controller by updating the
DSRM password
7. Section 2: Harden Windows Server 2019 by editing inbound
rules in the Windows Defender Firewall
Topology
This lab contains the following virtual machines. Please refer to
the network topology diagram below.
· TargetWindows01 (Windows Server 2019) [Domain
Controller]
· TargetWindows04 (Windows Server 2016)
Tools and Software
The following software is required to complete this lab.
Students are encouraged to explore the Internet to learn more
about the products and tools used in this lab.
· Security Compliance Toolkit (SKT)
· Group Policy Management Console (GPMC)
· Ntdsutil
· Windows Firewall
· Windows Defender Firewall with Advanced Security
Deliverables
Upon completion of this lab, you are required to provide the
following deliverables to your instructor:

12. SECTION 1:
1. Lab Report file including screen captures of the following;
· current Roles and Server Groups;
· updated Roles and Server Groups;
· disabled DHCP Server service;
· results of the first ping test on TargetWindows01;
· enabled Windows Firewall for all three profiles;
· results of the second ping test on TargetWindows01;
2. Any additional information as directed by the lab:
· describe how the firewall changes affected the results.
SECTION 2:
1. Lab Report file including screen captures of the following:
· Microsoft's recommended Password and Account Lockout
policy settings;
· linked MSDomainSecurity2019 object;
· implemented Password and Account Lockout policy settings;
· successful DSRM password change;
· results of the first ping test on TargetWindows04;
· results of the second ping test on TargetWindows04;
2. Any additional information as directed by the lab:

13. · discuss how the firewall changes affected the results.
SECTION 3:
1. Analysis and Discussion
2. Tools and Commands
3. Challenge Exercise
Section 1: Hands-On Demonstration
Part 1: Remove Unnecessary Server Roles
5. Make a screen capture showing the current Roles and Server
Groups and paste it into your Lab Report file.
17. Make a screen capture showing the updated Roles and
Server Groups and paste it into your Lab Report file.
Part 2: Remove Unnecessary Services
8. Make a screen capture showing the disabled DHCP Server
service and paste it into your Lab Report file.
Part 3: Secure the Windows Firewall
4. Make a screen capture showing the results of the first ping
test on TargetWindows01 and
paste it into the Lab Report file.

14. 15. Make a screen capture showing the enabled Windows
Firewall for all three profiles and paste
it into the Lab Report file.
19. Make a screen capture showing the results of the second
Ping test and paste it into the Lab Report file.
20. In the Lab Report file, describe how the firewall changes
affected the results. Below is an example; Answer may vary by
student.
The ping is no longer successful since because the firewall is
blocking ping responses from the target. Since the default
configuration blocks all incoming connections unless explicitly
allowed, we’d have to create a rule that allows ICMP pings to
get successful responses again.
Section 2: Applied Learning
Part 1: Apply Windows Security Baselines
5. Make a screen capture showing Microsoft's recommended
Password and Account Lockout policy settings and paste it into
your Lab Report file.
18. Make a screen capture showing the linked
MSDomainSecurity2019 object and paste it into your Lab
Report file.

15. 22. Make a screen capture showing the implemented Password
and Account Lockout policy settings and paste it into your Lab
Report file.
Part 2: Reset the DSRM Password
7. Make a screen capture showing the successful DSRM
password change and paste it into your Lab Report file
Part 3: Secure the Windows Defender Firewall
3. Make a screen capture showing the results of the first ping
test on TargetWindows04 and
paste it into your Lab Report file.
16. Make a screen capture showing the results of the second
ping test on TargetWindows04 and
paste it into your Lab Report file.
17. In the Lab Report file, describe how the firewall changes
affected the results. Below is an example; Answer may vary by
student.
After disabling all ICMPv4 traffic – ICMP echo requests (pings)
included -- the TW04 machines is unable to penetrate the
firewall we’ve erected on TW01.
Section 3: Lab Challenge and Analysis
Note: The following challenge questions are provided to allow
independent, unguided work, similar to what you will encounter
in a real situation. You should aim to improve your skills by
getting the correct answer in as few steps as possible. Use

16. screen captures in your lab document where possible to
illustrate your answers.
Part 1: Analysis and Discussion
Why would disabling services be important in securing and
optimizing server performance? What determines which services
are disabled?
Below is an example; Answer may vary by student.
Disabling unnecessary services decreases the attack surface area
of a server. Any services exposed to the network increase the
server’s vulnerability, so disabling would make them mostly
unavailable to be used by a bad actor as vector for entry. And
by disabling unnecessary services, you free up memory and
computing resources from the server, which naturally increases
performance.
Services are disabled and enabled depending on the programs
you install which require them. It’s up to you which services
remain enabled, and some are easier to determine the value and
consequences of than others (not acting as a DHCP server?
Disable DHCP on that server). However, Microsoft also
provides guidelines for which services it recommends disabling.
Starting in Win2019, these guidelines are applied by default.
Part 2: Tools and Commands
Use the Internet to research a command line statement that will
add a new Inbound rule for the Windows Defender Firewall with
Advanced Security that will allow all traffic from TCP port
8088 on all security profiles. Name the new rule “yourname port
8088”, replacing yourname with your own name. Make a screen
capture of your executed command line statement.
Below is an example; Answer may vary by student.
Part 3: Challenge Exercise
In the Windows Firewall with Advanced Security, create a new
Outbound rule to deny HTTP/HTTPS traffic on the
TargetWindows01 server. Apply the changes and use screen

17. captures to document your changes and the result of the rule in
the browser window.
-/i New Outbound Rule Wizard X
Action
Specify the action to be taken when a connection matches the
conditions specified in the rule.
Sleps:
· Rule Type
· Protocol andPorts
· Action
· Profile
· Name
What action should be taken when a connection matches the
specified conditions?
0 Allow lhe conneclion
This includes connections that are protected withIPsec as well
as those are not.
0 Allow the onnection if it is secure
This includes only connections that have been authenticated by
usingIPsec. Connections willbe secured using the settings in
IPsec properties andrules in the Connection Security Rule node.
@ Bloc.!; lhe conneclion

18. _
c
_
k
_
<
I
_
C
_
a
_
n
c
_
e
_
l- - •
I I Next> j

19. fl New Outbound Rule Wizard X
Name
Specif}' the name and description of this rule.
Steps:
Rule T}'pe
· Protocol and Ports
· Action Profile Name
!:lame:
IDen}' HTTP/HTTPS
Qescription (optional):
Denies the usual ports used b}' HTTP/HTTPS (80
an
443)

20. _
C
_
a
_
n
_
c
e
_
l
_
_
,
.
._ <_Jl_.a_ck_ _
_.I!.. E_in_is_h _ ..!. I
fl Windows Defender Firewall with Advanced Security
Eile ,£!,.ction iew .tielp

21. □ X
ti Window5 Defender Fircw II wit l
Outbound Rules
,= = = = = = = = = = = = = =
Name
0 Deny HTTP/HTTPS
S @{Micro,oft.AAD.BrokerPlugin_1000.143...
S @{Microsoft.AAD.BrokerPlugin_1000.143...
D @{Microsoft.AccountsControl_10.0.1439,,,
=
= = = = = = = = =
Group
@{Microsoft.AAD,BrokerPlu,,,
@{Microsoft.AAD,BrokerPlu.,,
@{Microsoft.AccountsContr...
= =
Profile
All All All
All
=
= = =
Enabled
Yes Yes Yes

22. Yes
=
=
A "
B A A
A
Actions
t=O auatbaoa.u. anaadaaRu.aale,aaaa========-
New Rule...
V Filter by Profile
V Filter by St t c
El Inbound Rule5 1
Outbound Rules
! Connection Security Rub

23. ) _ Monitoring
And the result of this rule, after its application, is that I am now
unable to reach the IIS homepage on TW04 from TW01, which
IS reachable without the rule (screenshot below).