Sweetening

Untitled

May 12th, 2024
28
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 40.36 KB | None | 0 0
  1. :: Windows 10 Hardening Script
  2. :: By Taylor Christian Newsome
  3. ::#######################################################################
  4. ::
  5. :: Change file associations to protect against common ransomware attacks
  6. :: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershel
  7. :: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :)
  8. :: https://support.microsoft.com/en-us/help/883260/information-about-the-attachment-manager-in-microsoft-windows
  9. :: ---------------------
  10. ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
  11. ftype wshfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
  12. ftype wsffile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
  13. ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
  14. ftype jsfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
  15. ftype jsefile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
  16. ftype vbefile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
  17. ftype vbsfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
  18. ::
  19. ::#######################################################################
  20. :: Enable and configure Windows Defender and advanced settings
  21. ::#######################################################################
  22. ::
  23. :: Reset Defender to defaults. Commented out but available for reference
  24. ::"%programfiles%"\"Windows Defender"\MpCmdRun.exe -RestoreDefaults
  25. :: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent
  26. :: https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=win10-ps
  27. ::
  28. :: Start Defender Service
  29. sc start WinDefend
  30. ::Enable Windows Defender sandboxing
  31. setx /M MP_FORCE_USE_SANDBOX 1
  32. :: Update signatures
  33. "%ProgramFiles%"\"Windows Defender"\MpCmdRun.exe -SignatureUpdate
  34. :: Enable Defender signatures for Potentially Unwanted Applications (PUA)
  35. powershell.exe Set-MpPreference -PUAProtection enable
  36. :: Enable Defender periodic scanning
  37. reg add "HKCU\SOFTWARE\Microsoft\Windows Defender" /v PassiveMode /t REG_DWORD /d 2 /f
  38. :: Enable Cloud functionality of Windows Defender
  39. powershell.exe Set-MpPreference -MAPSReporting Advanced
  40. powershell.exe Set-MpPreference -SubmitSamplesConsent 0
  41. ::
  42. :: Enable early launch antimalware driver for scan of boot-start drivers
  43. :: 3 is the default which allows good, unknown and 'bad but critical'. Recommend trying 1 for 'good and unknown' or 8 which is 'good only'
  44. reg add "HKCU\SYSTEM\CurrentControlSet\Policies\EarlyLaunch" /v DriverLoadPolicy /t REG_DWORD /d 3 /f
  45. ::
  46. :: Enable ASR rules in Win10 1903 ExploitGuard to mitigate Office malspam
  47. :: Blocks Office childprocs, Office proc injection, Office win32 api calls & executable content creation
  48. :: Note these only work when Defender is your primary AV
  49. ::
  50. :: Block Office Child Process Creation
  51. powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
  52. :: Block Process Injection
  53. powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled
  54. :: Block Win32 API calls in macros
  55. powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled
  56. :: Block Office from creating executables
  57. powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled
  58. :: Block execution of potentially obfuscated scripts
  59. powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled
  60. :: Block executable content from email client and webmail
  61. powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
  62. :: Block JavaScript or VBScript from launching downloaded executable content
  63. powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled
  64. :: Block lsass cred theft
  65. powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
  66. :: Block untrusted and unsigned processes that run from USB
  67. powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -AttackSurfaceReductionRules_Actions Enabled
  68. :: Block Adobe Reader from creating child processes
  69. powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -AttackSurfaceReductionRules_Actions Enabled
  70. :: Block persistence through WMI event subscription
  71. powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Enabled
  72. :: Block process creations originating from PSExec and WMI commands
  73. powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids d1e49aac-8f56-4280-b9ba-993a6d77406c -AttackSurfaceReductionRules_Actions Enabled
  74. ::
  75. :: Enable Defender exploit system-wide protection
  76. :: The commented line includes CFG which can cause issues with apps like Discord & Mouse Without Borders
  77. :: powershell.exe Set-Processmitigation -System -Enable DEP,EmulateAtlThunks,BottomUp,HighEntropy,SEHOP,SEHOPTelemetry,TerminateOnError,CFG
  78. powershell.exe Set-Processmitigation -System -Enable DEP,EmulateAtlThunks,BottomUp,HighEntropy,SEHOP,SEHOPTelemetry,TerminateOnError
  79. ::
  80. ::#######################################################################
  81. :: Enable and Configure Internet Browser Settings
  82. ::#######################################################################
  83. ::
  84. :: Enable SmartScreen for Edge
  85. reg add "HKCU\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 1 /f
  86. :: Enable Notifications in IE when a site attempts to install software
  87. reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer" /v SafeForScripting /t REG_DWORD /d 0 /f
  88. :: Disable Edge password manager to encourage use of proper password manager
  89. reg add "HKCU\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main" /v "FormSuggest Passwords" /t REG_SZ /d no /f
  90. ::
  91. ::#######################################################################
  92. :: Enable and Configure Google Chrome Internet Browser Settings
  93. ::#######################################################################
  94. ::
  95. reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "AdvancedProtectionAllowed" /t REG_DWORD /d 1 /f
  96. reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "AllowCrossOriginAuthPrompt" /t REG_DWORD /d 0 /f
  97. reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "AlwaysOpenPdfExternally" /t REG_DWORD /d 1 /f
  98. reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "AmbientAuthenticationInPrivateModesEnabled" /t REG_DWORD /d 0 /f
  99. reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "AudioCaptureAllowed" /t REG_DWORD /d 0 /f
  100. reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "AudioSandboxEnabled" /t REG_DWORD /d 1 /f
  101. reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "BlockExternalExtensions" /t REG_DWORD /d 1 /f
  102. reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "DnsOverHttpsMode" /t REG_SZ /d on /f
  103. reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "SSLVersionMin" /t REG_SZ /d tls1 /f
  104. reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ScreenCaptureAllowed" /t REG_DWORD /d 0 /f
  105. reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "SitePerProcess" /t REG_DWORD /d 1 /f
  106. reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "TLS13HardeningForLocalAnchorsEnabled" /t REG_DWORD /d 1 /f
  107. reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "VideoCaptureAllowed" /t REG_DWORD /d 0 /f
  108. ::
  109. ::#######################################################################
  110. :: Enable and Configure Microsoft Office Security Settings
  111. ::#######################################################################
  112. ::
  113. :: Harden all version of MS Office itself against common malspam attacks
  114. :: Disables Macros, enables ProtectedView
  115. :: ---------------------
  116. reg add "HKCU\Software\Policies\Microsoft\Office\12.0\Publisher\Security" /v vbawarnings /t REG_DWORD /d 4 /f
  117. reg add "HKCU\Software\Policies\Microsoft\Office\12.0\Word\Security" /v vbawarnings /t REG_DWORD /d 4 /f
  118. reg add "HKCU\Software\Policies\Microsoft\Office\14.0\Publisher\Security" /v vbawarnings /t REG_DWORD /d 4 /f
  119. reg add "HKCU\Software\Policies\Microsoft\Office\14.0\Word\Security" /v vbawarnings /t REG_DWORD /d 4 /f
  120. reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Outlook\Security" /v markinternalasunsafe /t REG_DWORD /d 0 /f
  121. reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Word\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
  122. reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Excel\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
  123. reg add "HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
  124. reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Word\Security" /v vbawarnings /t REG_DWORD /d 4 /f
  125. reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Publisher\Security" /v vbawarnings /t REG_DWORD /d 4 /f
  126. reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\Security" /v markinternalasunsafe /t REG_DWORD /d 0 /f
  127. reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
  128. reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
  129. reg add "HKCU\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
  130. reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security" /v vbawarnings /t REG_DWORD /d 4 /f
  131. reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Publisher\Security" /v vbawarnings /t REG_DWORD /d 4 /f
  132. ::
  133. :: Harden all version of MS Office itself against DDE malspam attacks
  134. :: Disables Macros, enables ProtectedView
  135. :: ---------------------
  136. ::
  137. reg add "HKCU\Software\Microsoft\Office\14.0\Word\Options" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f
  138. reg add "HKCU\Software\Microsoft\Office\14.0\Word\Options\WordMail" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f
  139. reg add "HKCU\Software\Microsoft\Office\15.0\Word\Options" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f
  140. reg add "HKCU\Software\Microsoft\Office\15.0\Word\Options\WordMail" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f
  141. reg add "HKCU\Software\Microsoft\Office\16.0\Word\Options" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f
  142. reg add "HKCU\Software\Microsoft\Office\16.0\Word\Options\WordMail" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f
  143. ::
  144. ::#######################################################################
  145. :: Enable and Configure General Windows Security Settings
  146. ::#######################################################################
  147. :: Disables DNS multicast, smart mutli-homed resolution, netbios, powershellv2, printer driver download and printing over http, icmp redirect
  148. :: Enables UAC and sets to always notify, Safe DLL loading (DLL Hijacking prevention), saving zone information, explorer DEP, explorer shell protocol protected mode
  149. :: ---------------------
  150. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f
  151. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v DisableSmartNameResolution /t REG_DWORD /d 1 /f
  152. reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v DisableParallelAandAAAA /t REG_DWORD /d 1 /f
  153. reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v SMB1 /t REG_DWORD /d 0 /f
  154. reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v IGMPLevel /t REG_DWORD /d 0 /f
  155. reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v DisableIPSourceRouting /t REG_DWORD /d 2 /f
  156. reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableICMPRedirect /t REG_DWORD /d 0 /f
  157. reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisableIPSourceRouting /t REG_DWORD /d 2 /f
  158. reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f
  159. reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableVirtualization /t REG_DWORD /d 1 /f
  160. reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 2 /f
  161. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDLLSearchMode /t REG_DWORD /d 1 /f
  162. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v ProtectionMode /t REG_DWORD /d 1 /f
  163. reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v SaveZoneInformation /t REG_DWORD /d 2 /f
  164. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v NoDataExecutionPrevention /t REG_DWORD /d 0 /f
  165. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v NoHeapTerminationOnCorruption /t REG_DWORD /d 0 /f
  166. reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v PreXPSP2ShellProtocolBehavior /t REG_DWORD /d 0 /f
  167. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers" /v DisableWebPnPDownload /t REG_DWORD /d 1 /f
  168. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers" /v DisableHTTPPrinting /t REG_DWORD /d 1 /f
  169. reg add "HKLM\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" /v AutoConnectAllowedOEM /t REG_DWORD /d 0 /f
  170. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" /v fMinimizeConnections /t REG_DWORD /d 1 /f
  171. reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" /v NoNameReleaseOnDemand /t REG_DWORD /d 1 /f
  172. wmic /interactive:off nicconfig where (TcpipNetbiosOptions=0 OR TcpipNetbiosOptions=1) call SetTcpipNetbios 2
  173. powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -norestart
  174. powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -norestart
  175. ::
  176. :: Prioritize ECC Curves with longer keys
  177. ::reg add "HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" /v EccCurves /t REG_MULTI_SZ /d NistP384,NistP256 /f
  178. :: Prevent Kerberos from using DES or RC4
  179. reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" /v SupportedEncryptionTypes /t REG_DWORD /d 2147483640 /f
  180. :: Encrypt and sign outgoing secure channel traffic when possible
  181. reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v SealSecureChannel /t REG_DWORD /d 1 /f
  182. reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v SignSecureChannel /t REG_DWORD /d 1 /f
  183. ::
  184. :: Enable SmartScreen
  185. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableSmartScreen /t REG_DWORD /d 1 /f
  186. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v ShellSmartScreenLevel /t REG_SZ /d Block /f
  187. ::
  188. :: Enforce device driver signing
  189. BCDEDIT /set nointegritychecks OFF
  190. ::
  191. :: Windows Update Settings
  192. :: Prevent Delivery Optimization from downloading Updates from other computers across the internet
  193. :: 1 will restrict to LAN only. 0 will disable the feature entirely
  194. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DODownloadMode /t REG_DWORD /d 1 /f
  195. reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\" /v DODownloadMode /t REG_DWORD /d 1 /f
  196. ::
  197. :: Set screen saver inactivity timeout to 15 minutes
  198. reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v InactivityTimeoutSecs /t REG_DWORD /d 900 /f
  199. :: Enable password prompt on sleep resume while plugged in and on battery
  200. reg add "HKLM\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" /v ACSettingIndex /t REG_DWORD /d 1 /f
  201. reg add "HKLM\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" /v DCSettingIndex /t REG_DWORD /d 1 /f
  202. ::
  203. :: Windows Remote Access Settings
  204. :: Disable solicited remote assistance
  205. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fAllowToGetHelp /t REG_DWORD /d 0 /f
  206. :: Require encrypted RPC connections to Remote Desktop
  207. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEncryptRPCTraffic /t REG_DWORD /d 1 /f
  208. :: Prevent sharing of local drives via Remote Desktop Session Hosts
  209. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fDisableCdm /t REG_DWORD /d 1 /f
  210. ::
  211. :: Removal Media Settings
  212. :: Disable autorun/autoplay on all drives
  213. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v NoAutoplayfornonVolume /t REG_DWORD /d 1 /f
  214. reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
  215. reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAutorun /t REG_DWORD /d 1 /f
  216. ::
  217. :: Windows Sharing/SMB Settings
  218. :: Disable smb1, anonymous access to named pipes/shared, anonymous enumeration of SAM accounts, non-admin remote access to SAM
  219. :: Enable optional SMB client signing
  220. powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -norestart
  221. reg add "HKLM\SYSTEM\CurrentControlSet\Services\mrxsmb10" /v Start /t REG_DWORD /d 4 /f
  222. reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v SMB1 /t REG_DWORD /d 0 /f
  223. reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v RestrictNullSessAccess /t REG_DWORD /d 1 /f
  224. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymousSAM /t REG_DWORD /d 1 /f
  225. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 1 /f
  226. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 0 /f
  227. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictRemoteSAM /t REG_SZ /d "O:BAG:BAD:(A;;RC;;;BA)" /f
  228. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v UseMachineId /t REG_DWORD /d 1 /f
  229. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 1 /f
  230. reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0" /v allownullsessionfallback /t REG_DWORD /d 0 /f
  231. reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v EnableSecuritySignature /t REG_DWORD /d 1 /f
  232. :: Force SMB server signing
  233. :: This could cause impact if the Windows computer this is run on is hosting a file share and the other computers connecting to it do not have SMB client signing enabled.
  234. reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v RequireSecuritySignature /t REG_DWORD /d 1 /f
  235. ::
  236. :: Harden lsass to help protect against credential dumping (mimikatz) and audit lsass access requests
  237. :: Configures lsass.exe as a protected process and disables wdigest
  238. :: Enables delegation of non-exported credentials which enables support for Restricted Admin Mode or Remote Credential Guard
  239. :: ---------------------
  240. reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe" /v AuditLevel /t REG_DWORD /d 00000008 /f
  241. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 00000001 /f
  242. reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f
  243. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" /v AllowProtectedCreds /t REG_DWORD /d 1 /f
  244. ::
  245. :: Windows RPC and WinRM settings
  246. :: Stop WinRM
  247. net stop WinRM
  248. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" /v AllowUnencryptedTraffic /t REG_DWORD /d 0 /f
  249. :: Disable WinRM Client Digiest authentication
  250. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v AllowDigest /t REG_DWORD /d 0 /f
  251. :: Disabling RPC usage from a remote asset interacting with scheduled tasks
  252. reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule" /v DisableRpcOverTcp /t REG_DWORD /d 1 /f
  253. :: Disabling RPC usage from a remote asset interacting with services
  254. reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" /v DisableRemoteScmEndpoints /t REG_DWORD /d 1 /f
  255. ::
  256. :: Biometrics
  257. :: Enable anti-spoofing for facial recognition
  258. reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" /v EnhancedAntiSpoofing /t REG_DWORD /d 1 /f
  259. :: Disable other camera use while screen is locked
  260. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v NoLockScreenCamera /t REG_DWORD /d 1 /f
  261. :: Prevent Windows app voice activation while locked
  262. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v LetAppsActivateWithVoiceAboveLock /t REG_DWORD /d 2 /f
  263. :: Prevent Windows app voice activation entirely (be mindful of those with accesibility needs)
  264. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v LetAppsActivateWithVoice /t REG_DWORD /d 2 /f
  265. ::
  266. ::#######################################################################
  267. :: Enable and configure Windows Firewall
  268. ::#######################################################################
  269. ::
  270. NetSh Advfirewall set allprofiles state on
  271. ::
  272. :: Enable Firewall Logging
  273. netsh advfirewall set currentprofile logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log
  274. netsh advfirewall set currentprofile logging maxfilesize 4096
  275. netsh advfirewall set currentprofile logging droppedconnections enable
  276. ::
  277. :: Block all inbound connections on Public profile
  278. netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound
  279. :: Enable Windows Defender Network Protection
  280. powershell.exe Set-MpPreference -EnableNetworkProtection Enabled
  281. ::
  282. :: Block Win32 binaries from making netconns when they shouldn't - specifically targeting native processes known to be abused by bad actors
  283. :: ---------------------
  284. Netsh.exe advfirewall firewall add rule name="Block Notepad.exe netconns" program="%systemroot%\system32\notepad.exe" protocol=tcp dir=out enable=yes action=block profile=any
  285. Netsh.exe advfirewall firewall add rule name="Block regsvr32.exe netconns" program="%systemroot%\system32\regsvr32.exe" protocol=tcp dir=out enable=yes action=block profile=any
  286. Netsh.exe advfirewall firewall add rule name="Block calc.exe netconns" program="%systemroot%\system32\calc.exe" protocol=tcp dir=out enable=yes action=block profile=any
  287. Netsh.exe advfirewall firewall add rule name="Block mshta.exe netconns" program="%systemroot%\system32\mshta.exe" protocol=tcp dir=out enable=yes action=block profile=any
  288. Netsh.exe advfirewall firewall add rule name="Block wscript.exe netconns" program="%systemroot%\system32\wscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
  289. Netsh.exe advfirewall firewall add rule name="Block cscript.exe netconns" program="%systemroot%\system32\cscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
  290. Netsh.exe advfirewall firewall add rule name="Block runscripthelper.exe netconns" program="%systemroot%\system32\runscripthelper.exe" protocol=tcp dir=out enable=yes action=block profile=any
  291. Netsh.exe advfirewall firewall add rule name="Block hh.exe netconns" program="%systemroot%\system32\hh.exe" protocol=tcp dir=out enable=yes action=block profile=any
  292. ::
  293. ::Netsh.exe int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable
  294. ::https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
  295. ::#######################################################################
  296. :: Windows 10 Privacy Settings
  297. ::#######################################################################
  298. ::
  299. :: Set Windows Analytics to limited enhanced if enhanced is enabled
  300. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v LimitEnhancedDiagnosticDataWindowsAnalytics /t REG_DWORD /d 1 /f
  301. :: Set Windows Telemetry to security only
  302. :: If you intend to use Enhanced for Windows Analytics then set this to "2" instead
  303. :: Note my understanding is W10 Home edition will do a minimum of "Basic"
  304. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
  305. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v MaxTelemetryAllowed /t REG_DWORD /d 1 /f
  306. reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v ShowedToastAtLevel /t REG_DWORD /d 1 /f
  307. :: Disable location data
  308. reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore" /v Location /t REG_SZ /d Deny /f
  309. :: Prevent the Start Menu Search from providing internet results and using your location
  310. reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f
  311. reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v AllowSearchToUseLocation /t REG_DWORD /d 0 /f
  312. reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v CortanaConsent /t REG_DWORD /d 0 /f
  313. :: Disable publishing of Win10 user activity
  314. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v PublishUserActivities /t REG_DWORD /d 1 /f
  315. :: Disable Win10 settings sync to cloud
  316. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v DisableSettingSync /t REG_DWORD /d 2 /f
  317. :: Disable the advertising ID
  318. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f
  319. ::
  320. :: Disable Windows GameDVR (Broadcasting and Recording)
  321. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f
  322. :: Disable Microsoft consumer experience which prevent notifications of suggested applications to install
  323. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f
  324. reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
  325. reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SilentInstalledAppsEnabled /t REG_DWORD /d 0 /f
  326. reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f
  327. reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v OemPreInstalledAppsEnabled /t REG_DWORD /d 0 /f
  328. :: Disable websites accessing local language list
  329. reg add "HKCU\Control Panel\International\User Profile" /v HttpAcceptLanguageOptOut /t REG_DWORD /d 1 /f
  330. :: Prevent toast notifications from appearing on lock screen
  331. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v NoToastApplicationNotificationOnLockScreen /t REG_DWORD /d 1 /f
  332. ::
  333. ::#######################################################################
  334. :: Enable Advanced Windows Logging
  335. ::#######################################################################
  336. ::
  337. :: Enlarge Windows Event Security Log Size
  338. wevtutil sl Security /ms:1024000
  339. wevtutil sl Application /ms:1024000
  340. wevtutil sl System /ms:1024000
  341. wevtutil sl "Windows Powershell" /ms:1024000
  342. wevtutil sl "Microsoft-Windows-PowerShell/Operational" /ms:1024000
  343. :: Record command line data in process creation events eventid 4688
  344. reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
  345. ::
  346. :: Enabled Advanced Settings
  347. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v SCENoApplyLegacyAuditPolicy /t REG_DWORD /d 1 /f
  348. :: Enable PowerShell Logging
  349. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging" /v EnableModuleLogging /t REG_DWORD /d 1 /f
  350. reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f
  351. ::
  352. :: Enable Windows Event Detailed Logging
  353. :: This is intentionally meant to be a subset of expected enterprise logging as this script may be used on consumer devices.
  354. :: For more extensive Windows logging, I recommend https://www.malwarearchaeology.com/cheat-sheets
  355. Auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
  356. Auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
  357. Auditpol /set /subcategory:"Logoff" /success:enable /failure:disable
  358. Auditpol /set /subcategory:"Logon" /success:enable /failure:enable
  359. Auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:disable
  360. Auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
  361. Auditpol /set /subcategory:"SAM" /success:disable /failure:disable
  362. Auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
  363. Auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable
  364. Auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
  365. Auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
  366. Auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
  367. ::
  368. ::#######################################################################
  369. :: Extra settings commented out but worth considering
  370. ::#######################################################################
  371. ::
  372. :: Uninstall common extra apps found on a lot of Win10 installs
  373. :: Obviously do a quick review to ensure it isn't removing any apps you or your user need to use.
  374. :: https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10
  375. :: PowerShell command to reinstall all pre-installed apps below
  376. :: Get-AppxPackage -AllUsers| Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}
  377. powershell.exe -command "Get-AppxPackage *Microsoft.BingWeather* -AllUsers | Remove-AppxPackage"
  378. powershell.exe -command "Get-AppxPackage *Microsoft.DesktopAppInstaller* -AllUsers | Remove-AppxPackage"
  379. powershell.exe -command "Get-AppxPackage *Microsoft.GetHelp* -AllUsers | Remove-AppxPackage"
  380. powershell.exe -command "Get-AppxPackage *Microsoft.Getstarted* -AllUsers | Remove-AppxPackage"
  381. powershell.exe -command "Get-AppxPackage *Microsoft.Messaging* -AllUsers | Remove-AppxPackage"
  382. powershell.exe -command "Get-AppxPackage *Microsoft.OneConnect* -AllUsers | Remove-AppxPackage"
  383. powershell.exe -command "Get-AppxPackage *Microsoft.Print3D* -AllUsers | Remove-AppxPackage"
  384. powershell.exe -command "Get-AppxPackage *Microsoft.SkypeApp* -AllUsers | Remove-AppxPackage"
  385. powershell.exe -command "Get-AppxPackage *Microsoft.Wallet* -AllUsers | Remove-AppxPackage"
  386. powershell.exe -command "Get-AppxPackage *Microsoft.WindowsAlarms* -AllUsers | Remove-AppxPackage"
  387. powershell.exe -command "Get-AppxPackage *Microsoft.WindowsCamera* -AllUsers | Remove-AppxPackage"
  388. powershell.exe -command "Get-AppxPackage *microsoft.windowscommunicationsapps* -AllUsers | Remove-AppxPackage"
  389. powershell.exe -command "Get-AppxPackage *Microsoft.WindowsFeedbackHub* -AllUsers | Remove-AppxPackage"
  390. powershell.exe -command "Get-AppxPackage *Microsoft.WindowsSoundRecorder* -AllUsers | Remove-AppxPackage"
  391. powershell.exe -command "Get-AppxPackage *Microsoft.YourPhone* -AllUsers | Remove-AppxPackage"
  392. powershell.exe -command "Get-AppxPackage *Microsoft.WindowsFeedback* -AllUsers | Remove-AppxPackage"
  393. powershell.exe -command "Get-AppxPackage *Windows.ContactSupport* -AllUsers | Remove-AppxPackage"
  394. powershell.exe -command "Get-AppxPackage *PandoraMedia* -AllUsers | Remove-AppxPackage"
  395. powershell.exe -command "Get-AppxPackage *AdobeSystemIncorporated. AdobePhotoshop* -AllUsers | Remove-AppxPackage"
  396. powershell.exe -command "Get-AppxPackage *Duolingo* -AllUsers | Remove-AppxPackage"
  397. powershell.exe -command "Get-AppxPackage *Microsoft.BingNews* -AllUsers | Remove-AppxPackage"
  398. powershell.exe -command "Get-AppxPackage *Microsoft.Office.Sway* -AllUsers | Remove-AppxPackage"
  399. powershell.exe -command "Get-AppxPackage *Microsoft.Advertising.Xaml* -AllUsers | Remove-AppxPackage"
  400. powershell.exe -command "Get-AppxPackage *ActiproSoftware* -AllUsers | Remove-AppxPackage"
  401. powershell.exe -command "Get-AppxPackage *EclipseManager* -AllUsers | Remove-AppxPackage"
  402. powershell.exe -command "Get-AppxPackage *SpotifyAB.SpotifyMusic* -AllUsers | Remove-AppxPackage"
  403. powershell.exe -command "Get-AppxPackage *king.com.* -AllUsers | Remove-AppxPackage"
  404. :: Removed Provisioned Apps
  405. :: This will prevent these apps from being reinstalled on new user first logon
  406. :: Obviously I manually chose this list. If you truly want to nuke all the provisioned apps, you can use the below commented command in PowerShell
  407. :: Get-AppXProvisionedPackage -Online | Remove-AppxProvisionedPackage -Online
  408. powershell.exe -command "Get-AppxProvisionedPackage -Online | Where-Object {$_.DisplayName -eq 'Microsoft.BingWeather'} | Remove-AppxProvisionedPackage -Online"
  409. powershell.exe -command "Get-AppxProvisionedPackage -Online | Where-Object {$_.DisplayName -eq 'Microsoft.GetHelp'} | Remove-AppxProvisionedPackage -Online"
  410. powershell.exe -command "Get-AppxProvisionedPackage -Online | Where-Object {$_.DisplayName -eq 'Microsoft.Getstarted'} | Remove-AppxProvisionedPackage -Online"
  411. powershell.exe -command "Get-AppxProvisionedPackage -Online | Where-Object {$_.DisplayName -eq 'Microsoft.SkypeApp'} | Remove-AppxProvisionedPackage -Online"
  412. powershell.exe -command "Get-AppxProvisionedPackage -Online | Where-Object {$_.DisplayName -eq 'Microsoft.WindowsAlarms'} | Remove-AppxProvisionedPackage -Online"
  413. powershell.exe -command "Get-AppxProvisionedPackage -Online | Where-Object {$_.DisplayName -eq 'Microsoft.WindowsCamera'} | Remove-AppxProvisionedPackage -Online"
  414. powershell.exe -command "Get-AppxProvisionedPackage -Online | Where-Object {$_.DisplayName -eq 'microsoft.windowscommunicationsapps'} | Remove-AppxProvisionedPackage -Online"
  415. powershell.exe -command "Get-AppxProvisionedPackage -Online | Where-Object {$_.DisplayName -eq 'Microsoft.WindowsFeedbackHub'} | Remove-AppxProvisionedPackage -Online"
  416. powershell.exe -command "Get-AppxProvisionedPackage -Online | Where-Object {$_.DisplayName -eq 'Microsoft.YourPhone'} | Remove-AppxProvisionedPackage -Online"
  417. ::
  418. ::#######################################################################
  419. :: Extra settings commented out but worth considering
  420. ::#######################################################################
  421. ::
  422. :: Enforce NTLMv2 and LM authentication
  423. :: This is commented out by default as it could impact access to consumer-grade file shares but it's a recommended setting
  424. :: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LmCompatibilityLevel /t REG_DWORD /d 5 /f
  425. ::
  426. :: Prevent unencrypted passwords being sent to third-party SMB servers
  427. :: This is commented out by default as it could impact access to consumer-grade file shares but it's a recommended setting
  428. :: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v EnablePlainTextPassword /t REG_DWORD /d 0 /f
  429. ::
  430. :: Prevent guest logons to SMB servers
  431. :: This is commented out by default as it could impact access to consumer-grade file shares but it's a recommended setting
  432. :: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" /v AllowInsecureGuestAuth /t REG_DWORD /d 0 /f
  433. ::
  434. :: Force SMB server signing
  435. :: This is commented out by default as it could impact access to consumer-grade file shares but it's a recommended setting
  436. :: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v RequireSecuritySignature /t REG_DWORD /d 1 /f
  437. ::
  438. :: Enable Windows Defender Application Guard
  439. :: This setting is commented out as it enables subset of DC/CG which renders other virtualization products unsuable. Can be enabled if you don't use those
  440. :: powershell.exe Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard -norestart
  441. ::
  442. :: Enable Windows Defender Credential Guard
  443. :: This setting is commented out as it enables subset of DC/CG which renders other virtualization products unsuable. Can be enabled if you don't use those
  444. :: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 1 /f
  445. :: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v RequirePlatformSecurityFeatures /t REG_DWORD /d 3 /f
  446. :: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v LsaCfgFlags /t REG_DWORD /d 1 /f
  447. ::
  448. :: The following variant also enables forced ASLR and CFG but causes issues with several third party apps
  449. :: powershell.exe Set-Processmitigation -System -Enable DEP,CFG,ForceRelocateImages,BottomUp,SEHOP
  450. ::
  451. :: Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  452. :: This one is commented out for now as I need to research and test more to determine potential impact
  453. :: powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-cd74-433a-b99e-2ecdc07bfc25 -AttackSurfaceReductionRules_Actions Enabled
  454. ::
  455. :: Enable Windows Defender real time monitoring
  456. :: Commented out given consumers often run third party anti-virus. You can run either.
  457. :: powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $false"
  458. :: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 0 /f
  459. ::
  460. :: Disable internet connection sharing
  461. :: Commented out as it's not enabled by default and if it is enabled, may be for a reason
  462. :: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Network Connections" /v NC_ShowSharedAccessUI /t REG_DWORD /d 0 /f
  463. ::
  464. :: Always re-process Group Policy even if no changes
  465. :: Commented out as consumers don't typically use GPO
  466. :: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" /v NoGPOListChanges /t REG_DWORD /d 0 /f
  467. ::
  468. :: Force logoff if smart card removed
  469. :: Set to "2" for logoff, set to "1" for lock
  470. :: Commented out as consumers don't typically use smart cards
  471. :: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SCRemoveOption /t REG_DWORD /d 2 /f
  472. ::
  473. :: Restrict privileged local admin tokens being used from network
  474. :: Commented out as it only works on domain-joined assets
  475. :: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 0 /f
  476. ::
  477. :: Ensure outgoing secure channel traffic is encrytped
  478. :: Commented out as it only works on domain-joined assets
  479. :: reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v RequireSignOrSeal /t REG_DWORD /d 1 /f
  480. ::
  481. :: Enforce LDAP client signing
  482. :: Commented out as most consumers don't use LDAP auth
  483. :: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LDAP" /v LDAPClientIntegrity /t REG_DWORD /d 1 /f
  484. ::
  485. :: Prevent unauthenticated RPC connections
  486. :: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" /v RestrictRemoteClients /t REG_DWORD /d 1 /f
  487. ::
  488. ::#######################################################################
  489. :: References
  490. ::#######################################################################
  491. ::
  492. :: LLMNR
  493. :: https://www.blackhillsinfosec.com/how-to-disable-llmnr-why-you-want-to/
  494. ::
  495. :: Windows Defender References
  496. :: ASR Rules https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
  497. :: ASR and Exploit Guard https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard
  498. :: ASR Rules https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction
  499. :: Easy methods to test rules https://demo.wd.microsoft.com/?ocid=cx-wddocs-testground
  500. :: Resource on the rules and associated event IDs https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/event-views
  501. :: Defender sandboxing https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/
  502. :: Defender exploit protection https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection
  503. :: Application Guard https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard
  504. :: Defender cmdline https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus
  505. ::
  506. :: General hardening references
  507. :: LSA Protection https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn408187(v=ws.11)?redirectedfrom=MSDN
  508. ::
  509. :: Microsoft Office References:
  510. :: Disable DDE https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b
  511. :: Disable macros https://decentsecurity.com/block-office-macros/
  512. ::
  513. :: Debloating
  514. :: https://blog.danic.net/how-windows-10-pro-installs-unwanted-apps-candy-crush-and-how-you-stop-it/
  515.  
  516. :: Frameworks and benchmarks
  517. :: STIG https://www.stigviewer.com/stig/windows_10/
  518. pause
Add Comment
Please, Sign In to add comment