Harden the PVWA server

This topic describes how to automatically harden the PVWA server using the hardening script, and manual steps that you perform after running the hardening script.


You can harden the PVWA server automatically using a script file. The hardening script file performs the following tasks:

  • Imports the INF configuration

  • Validates server roles

  • Enables IIS Anonymous authentication

  • Disables IIS Registry shares

  • Disables IIS Directory browsing

  • Disables IIS WebDAV

  • Removes unnecessary IIS Mime types

  • IIS SSL/TLS settings

    • Updates IIS SSL\TLS settings

    • Configures ciphers suites

  • Policy configuration

    • Enables screen saver policies

    • Configures advanced audit policies

    • Configures Remote Desktop Services policies

  • Sets EventLog size and retention
  • General auditing, registry, and file system configuration 
    • Registry audits

    • Registry permissions

    • FileSystem permissions

    • FileSystem audit

  • Disables services

Run the hardening script


If you have installed PSM on the same machine as PVWA, the following automated tasks may affect the PSM installation:

  • Importing INF configuration

  • Validating Server Roles

  • Remote Desktop Services

Before you run the hardening script, in the PVWA\InstallationAutomation folder, locate and open the PVWA_Hardening_Config.xml file, and set the IsPSMInstalled parameter to True.

  • In a PowerShell window, run the PVWA_Hardening.ps1 script as Administrator.

Manual hardening steps

Perform the following hardening steps after you have run the hardening script.

Remove or disable other protocols, services, or clients

Only the following protocols services or clients are required for the PVWA server:

  • Client for Microsoft Network

  • File and Printer Sharing for Microsoft Network

  • Internet Protocol Version 4 (TCP/IPv4)

Remove or disable any other protocols, services, or clients from your network connection properties.

Also disable IPv6 unless it is specifically required for your PVWA server.

Remove Adobe Flash

Adobe Flash is not secure and not required by PVWA. If Adobe Flash is installed on your PVWA server, remove it.