Layer0 Tips to Harden your

All networks have security vulnerabilities. Penetration testing and network security assessments are great tools to gauge the security posture of your environment. However, most organizations attempt these without first doing any basic hardening.
The result, you might ask?
A report full of critical findings and a team that is now rushed to fix them.
Does it matter that we can gain Domain Admin rights within an hour? No, not when the basics were never in place; that finding tells you nothing you could not have predicted.
We want our engagements to mean something and have value to your organization. That is why we are publishing some best practices for organizations to follow, along with a series of videos on how to implement some of these controls.
As with all recommendations, test and research every change before implementing it in your environment. What works for most environments may cause issues in yours. We are not liable for any damages.

Hardening Microsoft Windows Environments: Configuring Audit Policies

Windows Domain Controller Audit Policy:
We recommend that you create a new GPO for these settings, link it to the OU in which your domain controllers reside (by default, the Domain Controllers OU), and give it precedence over the Default Domain Controllers Policy (link order 1 has the highest precedence and is applied last, so it wins).
Computer Configuration> Windows Settings> Security Settings> Local Policies> Audit Policy
These are the nine legacy audit categories. On Windows 7 / Server 2008 R2 and later, the subcategory settings under Security Settings> Advanced Audit Policy Configuration take precedence whenever any of them are applied to a host (the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" option is enabled by default), so configure one mechanism or the other, not both, and verify the effective result with auditpol.exe /get /category:* once the policy has applied.

Policy                          | Recommended      | Default (Default Domain Controllers Policy)
Audit account logon events      | Success, Failure | Success
Audit account management        | Success, Failure | Success
Audit directory service access  | Success          | Success
Audit logon events              | Success, Failure | Success
Audit object access             | Failure          | No auditing (not defined)
Audit policy change             | Success          | Success
Audit privilege use             | Failure          | No auditing (not defined)
Audit process tracking          | Success, Failure | No auditing (not defined)
Audit system events             | Success          | Success

Member Servers and Workstation Audit Policy:
We recommend that you create a new GPO for these settings, link it at the root of your domain, and give it precedence over the Default Domain Policy (link order 1 has the highest precedence and is applied last, so it wins). The domain controller GPO above is linked closer to the DCs and will override these values on the Domain Controllers OU.
Computer Configuration> Windows Settings> Security Settings> Local Policies> Audit Policy

Policy                          | Recommended               | Default (Default Domain Policy)
Audit account logon events      | Success, Failure          | No auditing (not defined)
Audit account management        | Success, Failure          | No auditing (not defined)
Audit directory service access  | No auditing (not defined) | No auditing (not defined)
Audit logon events              | Success, Failure          | No auditing (not defined)
Audit object access             | Failure                   | No auditing (not defined)
Audit policy change             | Success                   | No auditing (not defined)
Audit privilege use             | Failure                   | No auditing (not defined)
Audit process tracking          | Success, Failure          | No auditing (not defined)
Audit system events             | Success                   | No auditing (not defined)

Audit process tracking is the setting that produces event ID 4688 (a new process has been created) on every process start, on members and domain controllers alike. By default that event does not include the command line; to record it, also enable "Include command line in process creation events" under Computer Configuration> Administrative Templates> System> Audit Process Creation, and size your Security log for the extra volume.
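To check that the audit settings actually took effect on a host, the following script (an added example, not code from the original post) reads the effective policy with auditpol.exe and compares every subcategory against the recommended tables above. The category names are auditpol's names for the nine legacy categories ("Detailed Tracking" is what the GUI calls "Audit process tracking"); the -Role parameter and the Test-AuditLevel helper are this example's own. Run it in an elevated PowerShell session after gpupdate /force.

```powershell
# Added example, not from the original post: compare a host's effective audit
# policy, as reported by auditpol.exe, with the recommended tables above.
# Run in an elevated PowerShell on the host you want to verify, after gpupdate.
# The category names are auditpol's names for the nine legacy audit categories;
# 'Detailed Tracking' is what the GUI calls "Audit process tracking".
param(
    [ValidateSet('DomainController', 'Member')]
    [string]$Role = 'Member'
)

# Recommended value per category, using auditpol's own wording.
$Recommended = @{
    'Account Logon'      = 'Success and Failure'
    'Account Management' = 'Success and Failure'
    'Logon/Logoff'       = 'Success and Failure'
    'Object Access'      = 'Failure'
    'Privilege Use'      = 'Failure'
    'Detailed Tracking'  = 'Success and Failure'
    'Policy Change'      = 'Success'
    'System'             = 'Success'
}
# "Audit directory service access" is only recommended on domain controllers;
# the member table leaves it Not defined, so it is not checked there.
if ($Role -eq 'DomainController') { $Recommended['DS Access'] = 'Success' }

function Test-AuditLevel {
    # auditpol reports 'Success and Failure', 'Success', 'Failure' or 'No Auditing'.
    # A subcategory complies when it covers every outcome the recommendation names.
    param([string]$Effective, [string]$Wanted)
    foreach ($outcome in ($Wanted -split ' and ')) {
        if ($Effective -notmatch $outcome) { return $false }
    }
    return $true
}

$results = foreach ($category in $Recommended.Keys) {
    # /r emits CSV with the columns Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting; blank lines are
    # dropped before parsing.
    $rows = auditpol.exe /get /category:"$category" /r |
        Where-Object { $_.Trim() } | ConvertFrom-Csv
    foreach ($row in $rows) {
        $effective = $row.'Inclusion Setting'
        [pscustomobject]@{
            Category    = $category
            Subcategory = $row.Subcategory
            Recommended = $Recommended[$category]
            Effective   = $effective
            Compliant   = Test-AuditLevel -Effective $effective -Wanted $Recommended[$category]
        }
    }
}

$results | Sort-Object Category, Subcategory | Format-Table -AutoSize
$gaps = @($results | Where-Object { -not $_.Compliant })
Write-Host ("{0} of {1} subcategories are below the recommended level" -f $gaps.Count, @($results).Count)
exit $gaps.Count
```

Because a legacy category sets every subcategory beneath it, the report will also list subcategories such as "Logon/Logoff: IPsec Main Mode" that a tuned Advanced Audit Policy would normally leave alone; if the output shows subcategories at a different level than the table, an Advanced Audit Policy Configuration GPO is probably overriding the category settings, and gpresult /h will show which GPO won.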

Hardening Microsoft Windows Environments: Basic Domain Hardening Using GPMC

Member Servers and Workstation Security Options:
We recommend that you create a new GPO for these settings, link it at the root of your domain, and give it precedence over the Default Domain Policy (link order 1 has the highest precedence and is applied last, so it wins).
Computer Configuration> Windows Settings> Security Settings> Local Policies> Security Options

Policy                                                                         | Recommendation
Accounts: Administrator account status                                         | Enabled
Accounts: Rename administrator account                                         | Set a unique username
Network access: Allow anonymous SID/name translation                           | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts             | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares  | Enabled
Network security: Do not store LAN Manager hash value on next password change  | Enabled
Network security: LAN Manager authentication level                             | Send NTLMv2 response only. Refuse LM & NTLM

A few points to keep in mind when applying these:
Renaming the built-in Administrator account does not change its SID; its relative ID is always 500. That is why the anonymous SID/name translation setting belongs in the same policy: with translation allowed, an unauthenticated client can resolve the well-known RID 500 back to whatever name you chose.
"Do not store LAN Manager hash value on next password change" only takes effect as each password is changed. LM hashes already in the SAM or in Active Directory remain until those passwords are rotated, so pair this setting with a forced password change.
The LAN Manager authentication level controls both what the host sends and what it accepts. At the recommended level, clients and devices that can only do LM or NTLMv1 will fail to authenticate, so inventory them first. Logon event 4624 records the NTLM version used in its "Package Name (NTLM only)" field, which makes the existing audit policy a convenient way to find them before you enforce the change.

Windows Domain Controller Security Options:
We recommend that you create a new GPO for these settings, link it to the OU in which your domain controllers reside (by default, the Domain Controllers OU), and give it precedence over the Default Domain Controllers Policy (link order 1 has the highest precedence and is applied last, so it wins).
Computer Configuration> Windows Settings> Security Settings> Local Policies> Security Options

Policy                                                                         | Recommendation
Network access: Allow anonymous SID/name translation                           | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts             | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares  | Enabled
Network security: Do not store LAN Manager hash value on next password change  | Enabled
Network security: LAN Manager authentication level                             | Send NTLMv2 response only. Refuse LM & NTLM
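To confirm these Security Options on a member server, workstation or domain controller once the GPO has applied, the following script (an added example, not code from the original post) exports the effective local security policy with secedit.exe and checks the seven settings from the two tables above. The [System Access] keys and the Lsa registry paths are the ones secedit writes for these settings; the INF parser and the New-Check helper are this example's own. Run it from an elevated PowerShell session.

```powershell
# Added example, not from the original post: export the effective local security
# policy with secedit.exe and check it against the Security Options tables above.
# Run elevated on a member or a domain controller after the GPO has applied.
# The [System Access] keys and the Lsa registry paths are the ones secedit
# writes for these settings (REG_DWORD values appear as "4,<data>").

$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt' }

# Parse the INF into nested hashtables: $policy[section][key] = value.
# secedit writes UTF-16 with a BOM, which Get-Content detects on its own.
$policy = @{}
$section = ''
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]\s*$') { $section = $matches[1]; $policy[$section] = @{}; continue }
    if ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $policy[$section][$matches[1]] = $matches[2] }
}
Remove-Item $inf -Force
if (-not $policy['System Access'] -or -not $policy['Registry Values']) { throw 'unexpected INF layout' }

$sys = $policy['System Access']
$reg = $policy['Registry Values']
$lsa = 'MACHINE\System\CurrentControlSet\Control\Lsa\'

function New-Check {
    # One row per Security Option: the exported value and whether it passes $Pass.
    # A setting that is missing from the export is reported as not set and failing.
    param([string]$Setting, [string]$Expected, [string]$Actual, [scriptblock]$Pass)
    $shown = if ($Actual) { $Actual } else { '(not set)' }
    [pscustomobject]@{
        Setting   = $Setting
        Expected  = $Expected
        Actual    = $shown
        Compliant = [bool]($Actual -and (& $Pass $Actual))
    }
}

$results = @(
    New-Check 'Accounts: Administrator account status' 'Enabled (1)' `
        $sys['EnableAdminAccount'] { $args[0] -eq '1' }
    New-Check 'Accounts: Rename administrator account' 'Not "Administrator"' `
        $sys['NewAdministratorName'] { $args[0].Trim('"') -ne 'Administrator' }
    New-Check 'Network access: Allow anonymous SID/name translation' 'Disabled (0)' `
        $sys['LSAAnonymousNameLookup'] { $args[0] -eq '0' }
    New-Check 'Network access: Do not allow anonymous enumeration of SAM accounts' 'Enabled (4,1)' `
        $reg[$lsa + 'RestrictAnonymousSAM'] { $args[0] -eq '4,1' }
    New-Check 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' 'Enabled (4,1)' `
        $reg[$lsa + 'RestrictAnonymous'] { $args[0] -eq '4,1' }
    New-Check 'Network security: Do not store LAN Manager hash value on next password change' 'Enabled (4,1)' `
        $reg[$lsa + 'NoLMHash'] { $args[0] -eq '4,1' }
    New-Check 'Network security: LAN Manager authentication level' 'NTLMv2 only, refuse LM & NTLM (4,5)' `
        $reg[$lsa + 'LmCompatibilityLevel'] { $args[0] -eq '4,5' }
)

$results | Format-Table -AutoSize -Wrap
exit @($results | Where-Object { -not $_.Compliant }).Count
```

The export reflects the merged result of local policy and every GPO that applied, which is what an attacker on the network actually faces; when a row fails even though the GPO looks right in GPMC, gpresult /h on the host shows which policy set the winning value. The two "Accounts:" rows are only expected to pass on member servers and workstations, since the domain controller table above does not set them.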