HowTo: Design a Secure Windows 2012 R2 Standard Operating Environment (SOE)


It doesn't matter what the size of your organisation is or the compliance posture that it must adhere to. Every device on the network should be hardened and maintained. I worked for one of the largest IT companies in the world and it was the only company that had proper Windows Operating System hardening and Security Compliance Management. I also worked for a very large bank and the Security Team, numbering 50+, just didn't understand how to develop a proper baseline for Security Compliance and copied and pasted information from another IT vendor! What I am trying to say is that there are different levels of Security Experts.

So here is a basic overview of how to create a secure Windows 2012 R2 SOE. This method can be applied to any supported OS.
Firstly, understand your security posture requirements. I have listed a few here:

It is also important to understand the SANS Critical Controls and Defeating Kill Chains.

This course is also a good starting point: SEC505: Securing Windows with the Critical Security Controls

Understand the Critical Security Controls –

Security Standards

These are the core Security Standards and vital information for Windows hardening:

The above website and tools can be used to develop the required baseline for your environments. The Microsoft Security Compliance Manager is the starting point for this process. You can use this software to understand all the settings and then export them into a Group Policy that can be used to harden the Operating System. Once you have a policy set up, you need to maintain that posture using Desired State management and Continuous Monitoring.
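An added example, not part of the original post or of any Microsoft tool: a PowerShell check that compares the security template from an exported baseline GPO with the server's current security policy and lists every setting that has drifted. The `$BaselineInf` path, the temporary file name and the helper name `Read-SecurityTemplate` are assumptions for illustration.

```powershell
# Added example: report drift between a baseline security template and the live policy.
# $BaselineInf is an assumed path to the security template (.inf) of your baseline GPO.
param(
    [Parameter(Mandatory)] [string] $BaselineInf
)

function Read-SecurityTemplate {
    param([string] $Path)
    # Parse "[Section]" headers and "Key = Value" lines into "Section\Key" -> Value.
    $settings = @{}
    $section  = ''
    foreach ($line in Get-Content -LiteralPath $Path) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^([^=;]+?)\s*=\s*(.*)$') {
            $settings["$section\$($Matches[1].Trim())"] = $Matches[2].Trim()
        }
    }
    return $settings
}

# Export the current security policy of this server (run from an elevated prompt).
$current = Join-Path $env:TEMP 'soe-current.inf'   # assumed scratch file name
secedit.exe /export /cfg $current /quiet | Out-Null

$want = Read-SecurityTemplate -Path $BaselineInf
$have = Read-SecurityTemplate -Path $current

# Every baseline setting must be present with the same value on the live system.
$drift = foreach ($key in ($want.Keys | Sort-Object)) {
    # Skip template header sections, which are not policy settings.
    if ($key -like 'Unicode\*' -or $key -like 'Version\*') { continue }
    if ($have[$key] -ne $want[$key]) {
        [pscustomobject]@{ Setting = $key; Baseline = $want[$key]; Current = $have[$key] }
    }
}

$drift | Format-Table -AutoSize
if ($drift) { exit 1 } else { Write-Output 'No drift from baseline.' }
```

Values are compared as plain strings, so a user-rights line that lists the same accounts in a different order, or by name instead of SID, is reported as drift and needs a manual look. The non-zero exit code lets a scheduled task or monitoring agent raise an alert.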

Desired State

Security Scanners

Once you have the base policy using the above methods, you need to run two types of scanners on your base OS. The first is a Security Scanner, run against your OS so you can make adjustments as required. The other one I recommend is a tool to check and update all the software on the base OS image. The key tool to use is Nessus, which can be configured to scan and alert on items for PCI compliance, etc.

The following three tools are required to create a solid secure SOE. These tools are NIST Security Content Automation Protocol (SCAP 1.2) Validation approved tools.

** You cannot create a secure hardened OS without a Security Scanner.

Implement OS Encryption

Implement BitLocker


Install Microsoft Enhanced Mitigation Experience Toolkit

Here is a link to my own SOE settings –

