Windows Server Security Checklist for 2026: 10 Essential Steps
Managing a Windows Server means managing a target. The Verizon 2025 Data Breach Investigations Report found that 20% of breaches began with vulnerability exploitation — up 34% year over year. According to Mandiant's Time-to-Exploit Trends, the median time for attackers to start exploiting a newly disclosed vulnerability has dropped to around 5 days — while industry patching averages typically run 60 days or more depending on sector.
That gap is where most breaches happen. This checklist covers the 10 steps that close the biggest risks on a Windows Server. None of them require expensive tools or a dedicated security team. Most can be done in an afternoon.
1. Keep Windows patched
Why it matters. Recent critical Windows vulnerabilities include an RDP client heap-buffer overflow triggered by connecting to a malicious RDP server (CVE-2025-29966), a WSUS unauthenticated remote code execution flaw actively exploited in the wild (CVE-2025-59287), and a Remote Desktop Services privilege escalation zero-day (CVE-2026-21533). Any of these can become an entry point on an unpatched server.
What to do. Enable automatic Windows Update for security patches. Review and apply cumulative updates monthly. Prioritize any patch marked "Critical" or "Actively Exploited." If automatic updates are not an option, schedule a monthly patch window and stick to it.
2. Secure Remote Desktop (RDP)
Why it matters. RDP remains the single most abused legitimate tool in cyberattacks, involved in 84% of incident response cases examined in the Sophos 2025 Active Adversary Report. Automated scanners find exposed RDP ports within minutes.
What to do.
- Enable Network Level Authentication (NLA) — it requires the client to authenticate before a desktop session is created, which blocks pre-authentication attacks.
- Set an account lockout policy (for example, 10 failed attempts / 30-minute lockout).
- Restrict RDP access to specific IP addresses via Windows Firewall.
- If possible, place RDP behind a VPN or Remote Desktop Gateway instead of exposing port 3389 directly.
- Add automated brute force protection. BruteFence monitors failed RDP logins (Event ID 4625) and blocks attacking IPs in real time — it installs in five minutes and runs locally with no cloud dependency. You can also use the free BruteFence Checker to see how many attacks your server is already receiving.
For more detail, see our guides on what RDP brute force attacks are and whether it is safe to expose RDP to the internet.
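The following PowerShell is an added example, not code from the original article or from BruteFence: it applies the NLA, lockout and firewall items above to the local server. The subnet in $TrustedAdminSubnets is an assumed placeholder; replace it with your management network, and note that on a domain member the domain lockout policy overrides the local one set here.

```powershell
# Added example (not part of the original article): enforce the RDP hardening
# from step 2 on the local server. Run in an elevated PowerShell session.
# $TrustedAdminSubnets is an assumed value; replace it with your management network.
$TrustedAdminSubnets = @('10.0.10.0/24')

# 1. Require Network Level Authentication on the RDP-Tcp listener.
$ts = Get-CimInstance -Namespace 'root/CIMV2/TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if ($ts.UserAuthenticationRequired -ne 1) {
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
    Write-Output 'NLA was off; it is now required.'
}

# 2. Local account lockout policy: 10 failed attempts, 30-minute lockout,
#    30-minute counter reset (domain policy takes precedence on domain members).
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# 3. Limit inbound TCP 3389 to the trusted subnets. The built-in "Remote Desktop"
#    rules allow any source, so disable them before adding the scoped rule.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule
if (-not (Get-NetFirewallRule -Name 'RDP-TrustedAdmins-In' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'RDP-TrustedAdmins-In' `
        -DisplayName 'RDP from trusted admin subnets' `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $TrustedAdminSubnets -Action Allow -Profile Any | Out-Null
}

# Verification: NLA flag should be 1 and only the scoped rule should be enabled.
[pscustomobject]@{
    NlaRequired = (Get-CimInstance -Namespace 'root/CIMV2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'").UserAuthenticationRequired
    EnabledRdpRules = (Get-NetFirewallRule -Enabled True |
        Where-Object { $_.Name -eq 'RDP-TrustedAdmins-In' -or $_.DisplayGroup -eq 'Remote Desktop' }).Name
}
```

Run this from a console session or from an address inside the trusted subnets; applied over RDP from anywhere else, the scoped rule ends your own session.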
3. Enforce strong password policies
Why it matters. Compromised credentials remain the top root cause of breaches. The updated NIST SP 800-63B Rev. 4 guidelines have shifted significantly from the old complexity rules.
What to do.
- Set a minimum password length of 15 characters.
- Do not force periodic password rotation — only require changes when a compromise is suspected.
- Do not require complexity rules (uppercase + number + symbol) — length matters more than complexity.
- Screen passwords against known breached lists — tools like Azure AD Password Protection or Enzoic can do this automatically.
- Enable multi-factor authentication (MFA) wherever possible.
4. Use separate admin accounts
Why it matters. Microsoft's AD threat mitigation guidance emphasizes that over-privileged accounts are the prime target in most attacks. An admin account used for browsing the web or reading email is one phishing click away from a domain takeover.
What to do.
- Create dedicated admin accounts that are only used for server management.
- Use a standard user account for daily work — email, web browsing, everything else.
- Never log into a server with a Domain Admin account unless absolutely necessary.
- Audit who has admin privileges regularly and remove access that is no longer needed.
5. Keep Windows Firewall enabled
Why it matters. Disabling Windows Firewall is one of the most common misconfigurations found in security audits. It allows unrestricted inbound and outbound traffic.
What to do.
- Never disable Windows Firewall — not even on internal networks.
- Block all inbound ports by default. Only open what the server actually needs.
- Restrict management ports (RDP 3389, SMB 445, WinRM 5985/5986) to specific trusted IPs.
- Block legacy NetBIOS ports (137-139) unless they are specifically needed.
6. Disable unnecessary services and protocols
Why it matters. Every running service is a potential attack surface. Legacy protocols like SMB1 have known, actively exploited vulnerabilities.
What to do.
- Verify that SMB1 is disabled — it is removed by default in Windows Server 2025, but older versions may still have it enabled.
- Review running services (services.msc) and disable anything the server does not need.
- Disable the Print Spooler service on servers that do not manage printers — it has been the target of multiple critical vulnerabilities.
- Remove unused server roles and features through Server Manager.
7. Secure file sharing (SMB)
Why it matters. SMB is one of the most common protocols used for lateral movement inside a network after an initial breach. Attackers use it to access files and spread to other machines.
What to do.
- Enable SMB signing — Windows Server 2025 requires it by default on outbound connections. For older versions, enable it via Group Policy.
- Block TCP port 445 at the perimeter firewall — SMB should never be accessible from the internet.
- Apply least-privilege share permissions — avoid giving "Everyone" full access.
- Consider SMB over QUIC (available in Server 2025) for encrypted file access without VPN.
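As an added example covering both step 6 (SMB1, Print Spooler) and step 7 (SMB signing), not code from the original article, the PowerShell below applies those settings to the local server and prints a verification summary. It assumes Windows Server 2016 or later, where the SMB1 component is the FS-SMB1 feature and the SMB cmdlets are available.

```powershell
# Added example (not part of the original article): apply the service and SMB
# hardening from steps 6 and 7 to the local server and print a verification summary.
# Run in an elevated session; removing the SMB1 feature needs a reboot to take effect.

# Step 6: SMB1. Turn it off in the SMB server and remove the feature if still installed.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
$smb1 = Get-WindowsFeature -Name FS-SMB1
if ($smb1.Installed) {
    Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null
    Write-Output 'SMB1 feature removed (reboot required).'
}

# Step 6: Print Spooler. Stop and disable it where the server manages no printers.
$spooler = Get-Service -Name Spooler
if ($spooler.StartType -ne 'Disabled') {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output 'Print Spooler stopped and disabled.'
}

# Step 7: SMB signing. Require it on inbound (server) and outbound (client) connections.
# Windows Server 2025 already requires it by default for outbound connections;
# older versions do not, so set both sides explicitly.
Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force

# Verification: expected values are False, True, True, Disabled.
$server = Get-SmbServerConfiguration
$client = Get-SmbClientConfiguration
[pscustomobject]@{
    SMB1Enabled           = $server.EnableSMB1Protocol
    ServerSigningRequired = $server.RequireSecuritySignature
    ClientSigningRequired = $client.RequireSecuritySignature
    SpoolerStartType      = (Get-Service -Name Spooler).StartType
}
```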
8. Set up logging and monitoring
Why it matters. If you are not watching your logs, you will not know you are under attack until something breaks. The difference between a failed attack and a successful one is often whether someone noticed in time.
What to do. Enable auditing and monitor these critical Event IDs:
| Event ID | What it means |
|----------|---------------|
| 4625 | Failed logon — brute force indicator |
| 4624 | Successful logon — track who logs in |
| 4740 | Account locked out |
| 1102 | Audit log cleared — possible tampering |
| 4732 | Member added to a security group |
| 4719 | Audit policy changed |
| 4104 | PowerShell script block executed |
Forward logs to a central location — a SIEM, a log collector, or at minimum a separate server. If logs only exist on the machine that gets compromised, they are useless.
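The PowerShell below is an added example, not part of the original article: it counts the Event IDs from the table over the last 24 hours and lists the source addresses behind the most 4625 failures, which is the brute-force signal step 2 refers to. It assumes the Security log and the PowerShell Operational log are enabled on the server (4104 is written to the latter, not to the Security log), and that it runs in an elevated session.

```powershell
# Added example (not part of the original article): summarise the step 8 Event IDs
# for the last 24 hours and rank the source IPs behind failed logons (4625).
$Since = (Get-Date).AddHours(-24)

# Six of the table's IDs live in the Security log; 4104 is in the PowerShell
# Operational log, so it needs a second query.
$securityIds = 4625, 4624, 4740, 4732, 4719, 1102
$securityEvents = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = $securityIds; StartTime = $Since } -ErrorAction SilentlyContinue)
$psEvents = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since } `
    -ErrorAction SilentlyContinue)

# Count per Event ID: a spike in 4625, or any 1102 at all, deserves a look.
$securityEvents + $psEvents | Group-Object Id | Sort-Object Name |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize

# For 4625, pull source IP, target account and failure sub-status from the event XML.
# Field names (IpAddress, TargetUserName, SubStatus) come from the 4625 event schema.
$failed = foreach ($e in ($securityEvents | Where-Object Id -eq 4625)) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    [pscustomobject]@{
        Time = $e.TimeCreated; Ip = $d.IpAddress; User = $d.TargetUserName; SubStatus = $d.SubStatus
    }
}

# Top 10 source addresses. A '-' address means the failure had no network source
# (for example a local console attempt), so those are filtered out.
$failed | Where-Object { $_.Ip -and $_.Ip -ne '-' } | Group-Object Ip |
    Sort-Object Count -Descending | Select-Object -First 10 Name, Count |
    Format-Table -AutoSize
```

Run the same script against the forwarded copies on your collector rather than only on the server itself, for the reason given above: logs that exist only on the compromised machine can be cleared (Event ID 1102) before anyone reads them.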
9. Back up properly (3-2-1-1-0)
Why it matters. Ransomware targets backups first. The classic 3-2-1 backup rule (3 copies, 2 media types, 1 offsite) is no longer sufficient on its own.
What to do. Follow the updated 3-2-1-1-0 rule:
- 3 copies of your data.
- 2 different storage types (for example, local disk + cloud).
- 1 copy offsite.
- 1 copy that is immutable or offline — digitally locked so no one, not even an admin, can modify or delete it for a set period.
- 0 errors — test your restores regularly. A backup you have never tested is not a backup.
10. Stay informed about new vulnerabilities
Why it matters. The threat landscape changes weekly. In 2025-2026 alone, multiple critical RDP vulnerabilities were disclosed — including heap-buffer overflows, path traversal attacks, and privilege escalation zero-days. Knowing about these before attackers exploit them is essential.
What to do.
- Subscribe to Microsoft Security Update Guide notifications.
- Follow the CISA Known Exploited Vulnerabilities Catalog — these are the ones actively being used in attacks.
- Review the CIS Benchmarks for Windows Server annually and compare against your configuration.
- Check your server's exposure regularly. The free BruteFence Checker can show you how many failed login attempts your server has received in the last 30 days.
Start with one step
You do not need to do all ten today. Pick the one that addresses your biggest gap — for most servers, that is patching, RDP security, or password policy — and work through the list over time. Each step reduces your attack surface meaningfully, and none of them require a large budget.
If you want to see where your server stands right now, the BruteFence Checker gives you a quick 30-day snapshot of failed login activity. And if you want continuous, automated RDP protection, BruteFence offers a free 7-day trial.