1. Check that the default Admin Account and Guest Account are renamed
(e.g. RENAdministrator and RENGuest; but choose your own names rather than these!)
2. Check that the screen saver locks the screen after x minutes of inactivity (15 min is preferred).
3. Check that the default Admin Account and Guest Account require a password. This can be done via:
Net user RENAdministrator /PASSWORDREQ:YES
Net user RENGuest /PASSWORDREQ:YES
4. Windows Hardening: Disable the Print Spooler Service
5. Hardening Windows: Disable NTFS 8 Dot 3
6. Hardening IIS: Disable SSL 2.0 & PCT 1.0 & disable weak ciphers
7. Disable SMBv1
As SMBv1 is quite old and has known vulnerabilities, you should disable it (as explained here) via the following:
Windows 2012:
Set-SmbServerConfiguration -EnableSMB1Protocol $false
Windows 2008:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
This leaves SMBv2 and SMBv3 enabled, so clients can continue to use those.
8. Upgrade Diffie-Hellman Prime to 2048 bit as explained here.
9. Enable TLS 1.1 and TLS 1.2 as the default secure protocols in WinHTTP.
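As an added example (my own script, not part of the original checklist), the following audits all nine items on the local machine and prints PASS/FAIL per check. It assumes Windows PowerShell 5.1 run as Administrator with the LocalAccounts module available (Get-LocalUser); the helper names Get-RegValue and Report are my own.

```powershell
# Added audit script; assumes PS 5.1, elevated, LocalAccounts module present.
function Get-RegValue { param($Path, $Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
function Report { param($Check, [bool]$Ok, $Detail)
    $tag = if ($Ok) { 'PASS' } else { 'FAIL' }
    "$tag $Check ($Detail)"
}
# 1. Built-in accounts are found by well-known RID (-500 Admin, -501 Guest),
#    so the check works whatever they were renamed to.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
Report '1 Admin renamed' ($admin.Name -ne 'Administrator') $admin.Name
Report '1 Guest renamed' ($guest.Name -ne 'Guest') $guest.Name
# 2. Screen saver for the current user: password-protected, timeout <= 15 min (seconds)
$desk    = 'HKCU:\Control Panel\Desktop'
$timeout = [int](Get-RegValue $desk 'ScreenSaveTimeOut')
$secure  = (Get-RegValue $desk 'ScreenSaverIsSecure') -eq '1'
Report '2 Screen saver lock' ($secure -and $timeout -gt 0 -and $timeout -le 900) "timeout=${timeout}s secure=$secure"
# 3. Same flag that "net user <name> /PASSWORDREQ:YES" sets
Report '3 Admin pw required' $admin.PasswordRequired $admin.Name
Report '3 Guest pw required' $guest.PasswordRequired $guest.Name
# 4. Print Spooler disabled and not running
$spooler = Get-Service Spooler
Report '4 Spooler disabled' ($spooler.StartType -eq 'Disabled' -and $spooler.Status -ne 'Running') "$($spooler.StartType)/$($spooler.Status)"
# 5. NTFS 8.3 short-name creation: 1 = disabled on all volumes
$n83 = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' 'NtfsDisable8dot3NameCreation'
Report '5 NTFS 8dot3 disabled' ($n83 -eq 1) "NtfsDisable8dot3NameCreation=$n83"
# 6. SCHANNEL: SSL 2.0 and PCT 1.0 explicitly disabled on the server side
$sch = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
foreach ($p in 'SSL 2.0', 'PCT 1.0') {
    $en = Get-RegValue "$sch\Protocols\$p\Server" 'Enabled'
    Report "6 $p disabled" ($en -eq 0) "Enabled=$en"
}
# 7. SMBv1: cmdlet on 2012+, registry value on 2008 (absent value means enabled)
$smb1 = if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    (Get-SmbServerConfiguration).EnableSMB1Protocol
} else { (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'SMB1') -ne 0 }
Report '7 SMBv1 disabled' (-not $smb1) "EnableSMB1Protocol=$smb1"
# 8. Diffie-Hellman minimum server key length >= 2048 bits
$dh = Get-RegValue "$sch\KeyExchangeAlgorithms\Diffie-Hellman" 'ServerMinKeyBitLength'
Report '8 DH >= 2048' ($dh -ge 2048) "ServerMinKeyBitLength=$dh"
# 9. WinHTTP DefaultSecureProtocols must include TLS 1.1 (0x200) and TLS 1.2 (0x800)
$dsp = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' 'DefaultSecureProtocols'
Report '9 WinHTTP TLS1.1/1.2' (($dsp -band 0xA00) -eq 0xA00) ('DefaultSecureProtocols=0x{0:X}' -f [int]$dsp)
```

Item 2 reads the current user's HKCU values only; a domain policy under HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop would override them and is not checked here.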