I'm looking for a tutorial/guide or book which explains how to harden the Windows Operating system. Specifically I'm looking to run certain applications in hardened user accounts, for example by setting their NTFS permissions so that they only have access to what they should. I'm still learning about hardening Windows. l'm currently looking for abilities to: Find effective permissions for a certain user on a partition, including all folders and subfolders. (To get a list of folders a user has access to) What's causing the user to have these permissions (e.g. groups, default permissions of a user) Other settings which can be used to harden the user account, application or OS. I've found a book called Windows Hardening, but it's 10 years old ans based on Windows XP/Server 2003. I'm looking for something which is up to date and can be used on Windows Server 2016.
Still the first and best step is using a standard account + Software Restriction Policy (SRP). Use this excellent guide which also contains a section (step 6) about closing loopholes regarding specific folders. If you're using Windows 10 Fall Creators Update there are additional hardening options covered, e.g., in articles on gHacks - see here and here and here. There have also been discussions in this forum.
You can find good guide about hardening Windows 10 on this link: http://www.hardenwindows10forsecurity.com/ Some of it can be applied to Server 2016, but you should check and test what will work and what not.
Thanks, I'll look into these. Are there any specific guides for applications? My current goal is to run MySQL as a service in limited user account, to prevent exploits from tampering with the rest of the system. (By default MySQL runs under the network service user account, which doesn't have specific permissions for MySQL.)
I never run any service under LUA, so I don't know how that would go for MySQL. You can probably run into all sorts of problems if it needs higher privileges to run correctly.
NTFS permissions haven't changed much since Xp but setting them gets more complicated with each new edition of Windows as does the default ACL structure that Microsoft sets up. The default ACLs have gotten more sensible and you will find that system ACLs don't automatically have full control anymore if you go spelunking in Windows 10's permissions. Even in the vastly more simple world of Xp, setting effective permissions required a bit of trial and error so the best thing I can recommend is just trying something and seeing if it works. Having backup images or using Shadow Defender would be a good idea. I have apps that launch services in a LUA but I've never set it up manually. The service might have a file, folder, or registry key that will need to have permissions set for user access.