Harden the PVWA server
This topic describes how to harden the PVWA server automatically using the hardening script, and the manual steps that you perform after running the script.
Overview
You can harden the PVWA server automatically using a script file. The hardening script file performs the following tasks:
- Imports the INF configuration
- Validates server roles
- Enables IIS Anonymous authentication
- Disables IIS Registry shares
- Disables IIS Directory browsing
- Disables IIS WebDAV
- Removes unnecessary IIS Mime types
- IIS SSL/TLS settings
  - Updates IIS SSL/TLS settings
  - Configures cipher suites
- Policy configuration
  - Enables screen saver policies
  - Configures advanced audit policies
  - Configures Remote Desktop Services policies
- Sets EventLog size and retention
- General auditing, registry, and file system configuration
  - Registry audits
  - Registry permissions
  - FileSystem permissions
  - FileSystem audit
- Disables services
Run the hardening script
If you have installed PSM on the same machine as PVWA, the following automated tasks may affect the PSM installation:
Before you run the hardening script, in the PVWA\InstallationAutomation folder, locate and open the PVWA_Hardening_Config.xml file, and set the IsPSMInstalled parameter to True.
- In a PowerShell window, run the PVWA_Hardening.ps1 script as Administrator.
Manual hardening steps
Perform the following hardening steps after you have run the hardening script.
Remove or disable other protocols, services, or clients
Only the following protocols, services, or clients are required for the PVWA server:
- Client for Microsoft Network
- File and Printer Sharing for Microsoft Network
- Internet Protocol Version 4 (TCP/IPv4)
Remove or disable any other protocols, services, or clients from your network connection properties.
Also disable IPv6 unless it is specifically required for your PVWA server.
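One way to check this manual step from PowerShell, as an added example that is not part of the CyberArk hardening script: it compares every adapter binding with the three required items and reports anything else that is still enabled, including IPv6 (`ms_tcpip6`). The function name `Get-BindingAudit` and the `$Allowed` table are assumptions of this example; the keys are the standard Windows component IDs for the three items listed above.

```powershell
# Added example: audit network adapter bindings against the allowed list on this page.
# $Allowed maps standard Windows component IDs to the three required items.
$Allowed = @{
    'ms_msclient' = 'Client for Microsoft Networks'
    'ms_server'   = 'File and Printer Sharing for Microsoft Networks'
    'ms_tcpip'    = 'Internet Protocol Version 4 (TCP/IPv4)'
}

# Hypothetical helper: returns one object per binding that deviates from the allowed list.
function Get-BindingAudit {
    param([string]$AdapterName = '*')

    foreach ($b in Get-NetAdapterBinding -Name $AdapterName) {
        $required = $Allowed.ContainsKey($b.ComponentID)
        $finding = $null
        if ($b.Enabled -and -not $required) {
            $finding = 'Unexpected: enabled but not required'
        } elseif (-not $b.Enabled -and $required) {
            $finding = 'Missing: required but disabled'
        }
        if ($finding) {
            [pscustomobject]@{
                Adapter     = $b.Name
                ComponentID = $b.ComponentID
                DisplayName = $b.DisplayName
                Finding     = $finding
            }
        }
    }
}

$findings = @(Get-BindingAudit)
if ($findings.Count -eq 0) {
    Write-Output 'Adapter bindings match the required list.'
} else {
    $findings | Format-Table -AutoSize
}

# Preview the change for each unexpected binding (ms_tcpip6 is IPv6).
# Remove -WhatIf, in an elevated session, once the list has been reviewed.
$findings | Where-Object Finding -like 'Unexpected*' | ForEach-Object {
    Disable-NetAdapterBinding -Name $_.Adapter -ComponentID $_.ComponentID -WhatIf
}
```

If IPv6 is specifically required for your PVWA server, add `ms_tcpip6` to `$Allowed` so that it is not reported.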
Remove Adobe Flash
Adobe Flash is not secure and not required by PVWA. If Adobe Flash is installed on your PVWA server, remove it.