– WINDOWS HARDENING FOR GENETEC · LEVEL 1 · STUDY LEARNING
Windows hardening for a Genetec Security Center deployment BETA
The Windows boxes that run a Genetec install. Directory, Archiver, Synergis, ConfigTool, and the operator workstations. Hardened the way a working practitioner does it: PowerShell, Group Policy, Defender with scoped Genetec workload exclusions, BitLocker, Event 4688, and the operational habits that hold up under audit. Principles apply to any major Windows-based VMS; Genetec is the lens. Free.
What you will learn
This course covers the Windows side of a Genetec Security Center deployment. The Directory and Archiver servers, the Synergis access control server, the ConfigTool admin laptop, and the operator workstations that run Security Desk. PowerShell snippets and Group Policy paths apply to Windows Server 2019, 2022, and 2025, plus Windows 10 and 11 for workstations.
Genetec is the lens; the principles transfer. Where the lesson names Genetec services or service accounts, the same pattern applies to Milestone XProtect, Avigilon Unity, C-CURE, AC2000, or any other Windows-based VMS or access control platform. Adjust the service names and the Defender exclusion paths and the rest of the discipline carries over.
Companion to the Study Windows Configuration Utility tool, which automates most of the workstation-side checklist for Genetec specifically.
Course outline
Why Windows Hardening
Threat model for the Genetec Directory, Archiver, and Synergis servers. What Windows looks like out of the box. The deny-by-default philosophy the rest of the course operates from.
Accounts and Identity
Local vs domain vs service accounts (including the Genetec service account), LAPS, password discipline that holds up in 2026, the privileged tier model. The RID 500 problem. Includes a checkpoint.
Attack Surface Reduction
Services to disable on every server (Print Spooler, Fax, Remote Registry, Computer Browser, and the rest). LLMNR / NetBIOS / SMBv1 cleanup. RDP hardening. Removable media. What stays on for a Genetec workload and what does not.
Protection Layers
Microsoft Defender real-time protection and tamper protection. Scoped Defender exclusions for Genetec Archiver, Directory, and ConfigTool (the right way and the wrong way). Windows Firewall in deny-by-default. BitLocker. Includes a checkpoint.
Visibility
Advanced Audit Policy with Process Creation logging (Event 4688). Windows Event Forwarding (WEF). Sysmon with a tuned config. Where to look in the Security log for the brute-force pattern.
Operational Hardening
WSUS / Intune patch cadence. The VMS-vendor compatibility lag and how to handle it. Microsoft Security Baselines and CIS Benchmarks via Group Policy. The consolidated hardening checklist. Final assessment closes the course.
Who this is for
- Genetec integrators and partners deploying Security Center on customer Windows infrastructure.
- IT generalists handed a Genetec environment and asked to harden the Windows side.
- Sysadmins on physical security teams where the operator workstations and the VMS servers fall under their patch cadence.
- Practitioners on other VMS platforms (Milestone, Avigilon, C-CURE, etc.) who need the same discipline with their own service names and Defender exclusion paths substituted in.
- Auditors and reviewers who want to know what Process Creation (Event 4688) should look like in a defensible audit log.
Course details
- Level, Level 1 (beginner)
- Length, ~85 minutes
- Lessons, 20 across 6 parts
- Knowledge checks, 8 total (2 per checkpoint, 4 in the final)
- CLI animations, 8 PowerShell-focused scripts (Get-LocalUser, Get-Service, Get-NetTCPConnection, secedit, auditpol, Get-MpPreference, Get-WinEvent, Set-NetFirewallProfile)
- OS coverage, Windows Server 2019 / 2022 / 2025, Windows 10 / 11
- Cost, Free
- Author, Hans Study
- Status, BETA
Ready to start?
The course opens at lesson 01 and steps through all 20 lessons in order. Use the prev / next buttons or arrow keys to move between lessons. Score is tracked on the bottom bar and a completion certificate appears at the end.
Open the course →