Harden.ps1

Pasted by Sweetening, Apr 25th, 2024
:: Windows 10 Hardening Script
:: By Taylor Christian Newsome
::#######################################################################
::
:: Change file associations to protect against common ransomware attacks
:: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell
:: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :)
:: https://support.microsoft.com/en-us/help/883260/information-about-the-attachment-manager-in-microsoft-windows
:: ---------------------
ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype wshfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype wsffile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype jsfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype jsefile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype vbefile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype vbsfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
::
::#######################################################################
:: Enable and configure Windows Defender and advanced settings
::#######################################################################
::
:: Reset Defender to defaults. Commented out but available for reference
::"%programfiles%"\"Windows Defender"\MpCmdRun.exe -RestoreDefaults
:: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent
:: https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=win10-ps
::
:: Start Defender Service
sc start WinDefend
:: Enable Windows Defender sandboxing
setx /M MP_FORCE_USE_SANDBOX 1
:: Update signatures
"%ProgramFiles%"\"Windows Defender"\MpCmdRun.exe -SignatureUpdate
:: Enable Defender signatures for Potentially Unwanted Applications (PUA)
:: The parameter takes the enum value Enabled (or Disabled / AuditMode); the abbreviation "enable" is rejected
powershell.exe Set-MpPreference -PUAProtection Enabled
:: Enable Defender periodic scanning
:: Defender reads this value from the machine hive (HKLM), not from HKCU
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v PassiveMode /t REG_DWORD /d 2 /f
:: Enable Cloud functionality of Windows Defender
powershell.exe Set-MpPreference -MAPSReporting Advanced
powershell.exe Set-MpPreference -SubmitSamplesConsent 0
::
:: Enable early launch antimalware driver for scan of boot-start drivers
:: 3 is the default which allows good, unknown and 'bad but critical'. Recommend trying 1 for 'good and unknown' or 8 which is 'good only'
:: The policy lives under HKLM\SYSTEM (there is no SYSTEM hive under HKCU)
reg add "HKLM\SYSTEM\CurrentControlSet\Policies\EarlyLaunch" /v DriverLoadPolicy /t REG_DWORD /d 3 /f
::
:: Enable ASR rules in Win10 1903 ExploitGuard to mitigate Office malspam
:: Blocks Office child processes, Office process injection, Office Win32 API calls & executable content creation
:: Note these only work when Defender is your primary AV
::
:: Block Office Child Process Creation
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
:: Block Process Injection
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled
:: Block Win32 API calls in macros
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled
:: Block Office from creating executables
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled
:: Block execution of potentially obfuscated scripts
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled
:: Block executable content from email client and webmail
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
:: Block JavaScript or VBScript from launching downloaded executable content
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled
:: Block credential theft from lsass
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
:: Block untrusted and unsigned processes that run from USB
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -AttackSurfaceReductionRules_Actions Enabled
:: Block Adobe Reader from creating child processes
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -AttackSurfaceReductionRules_Actions Enabled
:: Block persistence through WMI event subscription
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Enabled
:: Block process creations originating from PSExec and WMI commands
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids d1e49aac-8f56-4280-b9ba-993a6d77406c -AttackSurfaceReductionRules_Actions Enabled
::
:: Enable Defender exploit system-wide protection
:: The commented line includes CFG which can cause issues with apps like Discord & Mouse Without Borders
:: powershell.exe Set-Processmitigation -System -Enable DEP,EmulateAtlThunks,BottomUp,HighEntropy,SEHOP,SEHOPTelemetry,TerminateOnError,CFG
powershell.exe Set-Processmitigation -System -Enable DEP,EmulateAtlThunks,BottomUp,HighEntropy,SEHOP,SEHOPTelemetry,TerminateOnError
::
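The script notes that the ASR rules above only take effect when Defender is the primary AV, and Add-MpPreference gives no feedback when a rule ends up in audit mode or missing. The following is an added verification helper, not part of the original Harden.ps1: it reads the configured rules back with Get-MpPreference, checks the engine mode with Get-MpComputerStatus, and reports each of the twelve rule GUIDs from the script. The rule descriptions and the function name are my own; run it from an elevated PowerShell session.

```powershell
# Added verification helper; not part of the original Harden.ps1. Rule GUIDs are the ones
# the script enables above; the short descriptions and the function name are mine.
$ExpectedAsrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office child process creation'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office process injection'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office from creating executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block potentially obfuscated scripts'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email/webmail'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JS/VBS launching downloaded executables'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential theft from lsass'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted/unsigned processes from USB'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader child processes'
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'Block WMI event subscription persistence'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creation from PsExec/WMI'
}

# Action codes as Get-MpPreference reports them in AttackSurfaceReductionRules_Actions.
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # ASR is only enforced when Defender is the active engine. AMRunningMode reports
    # 'Normal' in that case and a passive mode string when another AV is primary.
    $mode = $status.AMRunningMode
    if ($mode -and $mode -ne 'Normal') {
        Write-Warning "Defender is in '$mode'; ASR rules are not enforced in this state."
    }

    # Ids and Actions are parallel arrays; fold them into one GUID -> action lookup.
    $configured = @{}
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $configured[([string]$ids[$i]).ToUpperInvariant()] = [int]$actions[$i]
    }

    foreach ($id in $ExpectedAsrRules.Keys) {
        if ($configured.ContainsKey($id)) {
            $code   = $configured[$id]
            $action = $AsrActionNames[$code]
            if (-not $action) { $action = "Unknown($code)" }
        } else {
            $action = 'NotConfigured'
        }
        [pscustomobject]@{
            RuleId      = $id
            Description = $ExpectedAsrRules[$id]
            Action      = $action
            Compliant   = ($action -eq 'Block')
        }
    }
}

# Usage: list every expected rule, then summarise how many are not in Block mode.
$state = @(Get-AsrRuleState)
$state | Format-Table -AutoSize
$gaps = @($state | Where-Object { -not $_.Compliant })
Write-Host ("{0} of {1} expected ASR rules are not in Block mode." -f $gaps.Count, $state.Count)
```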
::#######################################################################
:: Enable and Configure Internet Browser Settings
::#######################################################################
::
:: Enable SmartScreen for Edge
reg add "HKCU\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 1 /f
:: Enable Notifications in IE when a site attempts to install software
reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer" /v SafeForScripting /t REG_DWORD /d 0 /f
:: Disable Edge password manager to encourage use of proper password manager
reg add "HKCU\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main" /v "FormSuggest Passwords" /t REG_SZ /d no /f
::
::#######################################################################
:: Enable and Configure Google Chrome Internet Browser Settings
::#######################################################################
::
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "AdvancedProtectionAllowed" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "AllowCrossOriginAuthPrompt" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "AlwaysOpenPdfExternally" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "AmbientAuthenticationInPrivateModesEnabled" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "AudioCaptureAllowed" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "AudioSandboxEnabled" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "BlockExternalExtensions" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "DnsOverHttpsMode" /t REG_SZ /d on /f
:: Note: tls1 sets the floor at TLS 1.0; use tls1.2 here if you want Chrome to refuse TLS 1.0/1.1 connections
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "SSLVersionMin" /t REG_SZ /d tls1 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ScreenCaptureAllowed" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "SitePerProcess" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "TLS13HardeningForLocalAnchorsEnabled" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "VideoCaptureAllowed" /t REG_DWORD /d 0 /f
::
::#######################################################################
:: Enable and Configure Microsoft Office Security Settings
::#######################################################################
::
:: Harden all versions of MS Office itself against common malspam attacks
:: Disables Macros, enables ProtectedView
:: ---------------------
reg add "HKCU\Software\Policies\Microsoft\Office\12.0\Publisher\Security" /v vbawarnings /t REG_DWORD /d 4 /f
reg add "HKCU\Software\Policies\Microsoft\Office\12.0\Word\Security" /v vbawarnings /t REG_DWORD /d 4 /f
reg add "HKCU\Software\Policies\Microsoft\Office\14.0\Publisher\Security" /v vbawarnings /t REG_DWORD /d 4 /f
reg add "HKCU\Software\Policies\Microsoft\Office\14.0\Word\Security" /v vbawarnings /t REG_DWORD /d 4 /f
reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Outlook\Security" /v markinternalasunsafe /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Word\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Excel\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Word\Security" /v vbawarnings /t REG_DWORD /d 4 /f
reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Publisher\Security" /v vbawarnings /t REG_DWORD /d 4 /f
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\Security" /v markinternalasunsafe /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security" /v vbawarnings /t REG_DWORD /d 4 /f
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Publisher\Security" /v vbawarnings /t REG_DWORD /d 4 /f
::
:: Harden all versions of MS Office itself against DDE malspam attacks
:: Stops Word and WordMail from automatically updating linked (DDE) fields when a document is opened
:: ---------------------
::
reg add "HKCU\Software\Microsoft\Office\14.0\Word\Options" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f
reg add "HKCU\Software\Microsoft\Office\14.0\Word\Options\WordMail" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f
reg add "HKCU\Software\Microsoft\Office\15.0\Word\Options" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f
reg add "HKCU\Software\Microsoft\Office\15.0\Word\Options\WordMail" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Options" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Options\WordMail" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f
::
::#######################################################################
:: Enable and Configure General Windows Security Settings
::#######################################################################
:: Disables DNS multicast, smart multi-homed name resolution, NetBIOS, PowerShell v2, printer driver download and printing over HTTP, ICMP redirect
:: Enables UAC and sets to always notify, Safe DLL loading (DLL hijacking prevention), saving zone information, Explorer DEP, Explorer shell protocol protected mode
:: ---------------------
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v DisableSmartNameResolution /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v DisableParallelAandAAAA /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v SMB1 /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v IGMPLevel /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v DisableIPSourceRouting /t REG_DWORD /d 2 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableICMPRedirect /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisableIPSourceRouting /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableVirtualization /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 2 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDLLSearchMode /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v ProtectionMode /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v SaveZoneInformation /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v NoDataExecutionPrevention /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v NoHeapTerminationOnCorruption /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v PreXPSP2ShellProtocolBehavior /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers" /v DisableWebPnPDownload /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers" /v DisableHTTPPrinting /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" /v AutoConnectAllowedOEM /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" /v fMinimizeConnections /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" /v NoNameReleaseOnDemand /t REG_DWORD /d 1 /f
wmic /interactive:off nicconfig where (TcpipNetbiosOptions=0 OR TcpipNetbiosOptions=1) call SetTcpipNetbios 2
powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -norestart
powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -norestart
::
:: Prioritize ECC curves with longer keys
::reg add "HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" /v EccCurves /t REG_MULTI_SZ /d NistP384,NistP256 /f
:: Prevent Kerberos from using DES or RC4
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" /v SupportedEncryptionTypes /t REG_DWORD /d 2147483640 /f
:: Encrypt and sign outgoing secure channel traffic when possible
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v SealSecureChannel /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v SignSecureChannel /t REG_DWORD /d 1 /f
::
:: Enable SmartScreen
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableSmartScreen /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v ShellSmartScreenLevel /t REG_SZ /d Block /f
::
:: Enforce device driver signing
BCDEDIT /set nointegritychecks OFF
::
:: Windows Update Settings
:: Prevent Delivery Optimization from downloading Updates from other computers across the internet
:: 1 will restrict to LAN only. 0 will disable the feature entirely
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DODownloadMode /t REG_DWORD /d 1 /f
:: No trailing backslash before the closing quote: reg.exe would read \" as an escaped quote and fail to parse the arguments
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f
::
:: Set screen saver inactivity timeout to 15 minutes
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v InactivityTimeoutSecs /t REG_DWORD /d 900 /f
:: Enable password prompt on sleep resume while plugged in and on battery
reg add "HKLM\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" /v ACSettingIndex /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" /v DCSettingIndex /t REG_DWORD /d 1 /f
::
:: Windows Remote Access Settings
:: Disable solicited remote assistance
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fAllowToGetHelp /t REG_DWORD /d 0 /f
:: Require encrypted RPC connections to Remote Desktop
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEncryptRPCTraffic /t REG_DWORD /d 1 /f
:: Prevent sharing of local drives via Remote Desktop Session Hosts
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fDisableCdm /t REG_DWORD /d 1 /f
::
:: Removable Media Settings
:: Disable autorun/autoplay on all drives
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v NoAutoplayfornonVolume /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAutorun /t REG_DWORD /d 1 /f
::
:: Windows Sharing/SMB Settings
:: Disable SMB1, anonymous access to named pipes/shares, anonymous enumeration of SAM accounts, non-admin remote access to SAM
:: Enable optional SMB client signing
powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -norestart
reg add "HKLM\SYSTEM\CurrentControlSet\Services\mrxsmb10" /v Start /t REG_DWORD /d 4 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v SMB1 /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v RestrictNullSessAccess /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymousSAM /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictRemoteSAM /t REG_SZ /d "O:BAG:BAD:(A;;RC;;;BA)" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v UseMachineId /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0" /v allownullsessionfallback /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v EnableSecuritySignature /t REG_DWORD /d 1 /f
:: Force SMB server signing
:: This could cause impact if the Windows computer this is run on is hosting a file share and the other computers connecting to it do not have SMB client signing enabled.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v RequireSecuritySignature /t REG_DWORD /d 1 /f
::
:: Harden lsass to help protect against credential dumping (mimikatz) and audit lsass access requests
:: Configures lsass.exe as a protected process and disables WDigest
:: Enables delegation of non-exported credentials which enables support for Restricted Admin Mode or Remote Credential Guard
:: ---------------------
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe" /v AuditLevel /t REG_DWORD /d 00000008 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" /v AllowProtectedCreds /t REG_DWORD /d 1 /f
::
:: Windows RPC and WinRM settings
:: Stop WinRM
net stop WinRM
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" /v AllowUnencryptedTraffic /t REG_DWORD /d 0 /f
:: Disable WinRM client Digest authentication
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v AllowDigest /t REG_DWORD /d 0 /f
:: Disable RPC usage from a remote asset interacting with scheduled tasks
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule" /v DisableRpcOverTcp /t REG_DWORD /d 1 /f
:: Disable RPC usage from a remote asset interacting with services
reg add "HKLM\SYSTEM\CurrentControlSet\Control" /v DisableRemoteScmEndpoints /t REG_DWORD /d 1 /f
::
:: Biometrics
:: Enable anti-spoofing for facial recognition
reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" /v EnhancedAntiSpoofing /t REG_DWORD /d 1 /f
:: Disable other camera use while screen is locked
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v NoLockScreenCamera /t REG_DWORD /d 1 /f
:: Prevent Windows app voice activation while locked
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v LetAppsActivateWithVoiceAboveLock /t REG_DWORD /d 2 /f
:: Prevent Windows app voice activation entirely (be mindful of those with accessibility needs)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v LetAppsActivateWithVoice /t REG_DWORD /d 2 /f
::
::#######################################################################
:: Enable and configure Windows Firewall
::#######################################################################
::
NetSh Advfirewall set allprofiles state on
::
:: Enable Firewall Logging
netsh advfirewall set currentprofile logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log
netsh advfirewall set currentprofile logging maxfilesize 4096
netsh advfirewall set currentprofile logging droppedconnections enable
::
:: Block all inbound connections on Public profile
netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound
:: Enable Windows Defender Network Protection
powershell.exe Set-MpPreference -EnableNetworkProtection Enabled
::
:: Block Win32 binaries from making netconns when they shouldn't - specifically targeting native processes known to be abused by bad actors
:: ---------------------
Netsh.exe advfirewall firewall add rule name="Block Notepad.exe netconns" program="%systemroot%\system32\notepad.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block regsvr32.exe netconns" program="%systemroot%\system32\regsvr32.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block calc.exe netconns" program="%systemroot%\system32\calc.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block mshta.exe netconns" program="%systemroot%\system32\mshta.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block wscript.exe netconns" program="%systemroot%\system32\wscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block cscript.exe netconns" program="%systemroot%\system32\cscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block runscripthelper.exe netconns" program="%systemroot%\system32\runscripthelper.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block hh.exe netconns" program="%systemroot%\system32\hh.exe" protocol=tcp dir=out enable=yes action=block profile=any
::
::Netsh.exe int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable
::https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
::#######################################################################
:: Windows 10 Privacy Settings
::#######################################################################
::
:: Set Windows Analytics to limited enhanced if enhanced is enabled
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v LimitEnhancedDiagnosticDataWindowsAnalytics /t REG_DWORD /d 1 /f
:: Set Windows Telemetry to security only
:: If you intend to use Enhanced for Windows Analytics then set this to "2" instead
:: Note my understanding is W10 Home edition will do a minimum of "Basic"
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v MaxTelemetryAllowed /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v ShowedToastAtLevel /t REG_DWORD /d 1 /f
:: Disable location data
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore" /v Location /t REG_SZ /d Deny /f
:: Prevent the Start Menu Search from providing internet results and using your location
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v AllowSearchToUseLocation /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v CortanaConsent /t REG_DWORD /d 0 /f
:: Disable publishing of Win10 user activity
:: 1 would allow publishing; the policy is disabled by setting it to 0
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v PublishUserActivities /t REG_DWORD /d 0 /f
:: Disable Win10 settings sync to cloud
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v DisableSettingSync /t REG_DWORD /d 2 /f
:: Disable the advertising ID
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f
::
:: Disable Windows GameDVR (Broadcasting and Recording)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f
:: Disable Microsoft consumer experience, which prevents notifications of suggested applications to install
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SilentInstalledAppsEnabled /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v OemPreInstalledAppsEnabled /t REG_DWORD /d 0 /f
:: Disable websites accessing local language list
reg add "HKCU\Control Panel\International\User Profile" /v HttpAcceptLanguageOptOut /t REG_DWORD /d 1 /f
:: Prevent toast notifications from appearing on lock screen
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v NoToastApplicationNotificationOnLockScreen /t REG_DWORD /d 1 /f
::
::#######################################################################
:: Enable Advanced Windows Logging
::#######################################################################
::
:: Enlarge Windows Event Security Log Size
wevtutil sl Security /ms:1024000
wevtutil sl Application /ms:1024000
wevtutil sl System /ms:1024000
wevtutil sl "Windows PowerShell" /ms:1024000
wevtutil sl "Microsoft-Windows-PowerShell/Operational" /ms:1024000
:: Record command line data in process creation events (event ID 4688)
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
::
:: Force advanced audit policy subcategory settings to override the legacy category settings
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v SCENoApplyLegacyAuditPolicy /t REG_DWORD /d 1 /f
:: Enable PowerShell Logging
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging" /v EnableModuleLogging /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f
::
:: Enable Windows Event Detailed Logging
:: This is intentionally meant to be a subset of expected enterprise logging as this script may be used on consumer devices.
:: For more extensive Windows logging, I recommend https://www.malwarearchaeology.com/cheat-sheets
Auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
Auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
Auditpol /set /subcategory:"Logoff" /success:enable /failure:disable
Auditpol /set /subcategory:"Logon" /success:enable /failure:enable
Auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:disable
Auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
Auditpol /set /subcategory:"SAM" /success:disable /failure:disable
Auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
Auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable
Auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
Auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
Auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
::
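Every reg add and Auditpol line above runs with /f and reports nothing on success, so a later Group Policy refresh or vendor installer can silently undo settings without anyone noticing. The following is an added post-apply check, not part of the original Harden.ps1: it re-reads a selection of the registry values the script sets (paths, value names and intended values copied from the sections above; the selection is mine) and queries auditpol for the subcategories the logging section enables, reporting OK, DRIFT or MISSING per setting. The function names are my own; run it from an elevated PowerShell session.

```powershell
# Added post-apply check; not part of the original Harden.ps1. Registry paths, value
# names and intended values come from the script above; the subset and names are mine.
$ExpectedRegistry = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                            Name = 'RunAsPPL';                 Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';      Name = 'UseLogonCredential';       Value = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                            Name = 'RestrictAnonymous';        Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';        Name = 'SMB1';                     Value = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';        Name = 'RequireSecuritySignature'; Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';                Name = 'SafeDLLSearchMode';        Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'EnableLUA';                Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'InactivityTimeoutSecs';    Value = 900 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit';  Name = 'ProcessCreationIncludeCmdLine_Enabled'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'; Name = 'EnableScriptBlockLogging'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';                      Name = 'EnableSmartScreen';        Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';                      Name = 'ShellSmartScreenLevel';    Value = 'Block' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service';               Name = 'AllowUnencryptedTraffic';  Value = 0 }
)

# Audit subcategories the script enables with Auditpol and the setting it expects.
$ExpectedAudit = @{
    'Process Creation'          = 'Success and Failure'
    'Logon'                     = 'Success and Failure'
    'Security Group Management' = 'Success and Failure'
    'Removable Storage'         = 'Success and Failure'
    'System Integrity'          = 'Success and Failure'
}

function Test-RegistryHardening {
    foreach ($c in $ExpectedRegistry) {
        # Missing key or value both surface as $null rather than an exception.
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.$($c.Name) } else { $null }
        $status = if ($null -eq $actual) { 'MISSING' } elseif ("$actual" -eq "$($c.Value)") { 'OK' } else { 'DRIFT' }
        [pscustomobject]@{
            Setting  = "$($c.Path)\$($c.Name)"
            Expected = $c.Value
            Actual   = if ($null -eq $actual) { '<missing>' } else { $actual }
            Status   = $status
        }
    }
}

function Test-AuditHardening {
    foreach ($sub in $ExpectedAudit.Keys) {
        # /r makes auditpol emit CSV; ConvertFrom-Csv turns it into one object per row.
        $row    = auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { '<unreadable>' }
        [pscustomobject]@{
            Setting  = "Auditpol\$sub"
            Expected = $ExpectedAudit[$sub]
            Actual   = $actual
            Status   = if ($actual -eq $ExpectedAudit[$sub]) { 'OK' } else { 'DRIFT' }
        }
    }
}

# Usage: print the full table, then warn if anything is not as the script intended.
$results = @(Test-RegistryHardening) + @(Test-AuditHardening)
$results | Format-Table -AutoSize
$bad = @($results | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) { Write-Warning "$($bad.Count) hardening setting(s) missing or drifted." }
```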
::#######################################################################
:: Extra settings commented out but worth considering
::#######################################################################
::
:: Uninstall common extra apps found on a lot of Win10 installs
:: Obviously do a quick review to ensure it isn't removing any apps you or your user need to use.
:: https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10
:: PowerShell command to reinstall all pre-installed apps below
:: Get-AppxPackage -AllUsers| Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}
powershell.exe -command "Get-AppxPackage *Microsoft.BingWeather* -AllUsers | Remove-AppxPackage"
powershell.exe -command "Get-AppxPackage *Microsoft.DesktopAppInstaller* -AllUsers | Remove-AppxPackage"
powershell.exe -command "Get-AppxPackage *Microsoft.GetHelp* -AllUsers | Remove-AppxPackage"
powershell.exe -command "Get-AppxPackage *Microsoft.Getstarted* -AllUsers | Remove-AppxPackage"
powershell.exe -command "Get-AppxPackage *Microsoft.Messaging* -AllUsers | Remove-AppxPackage"
powershell.exe -command "Get-AppxPackage *Microsoft.OneConnect* -AllUsers | Remove-AppxPackage"
powershell.exe -command "Get-AppxPackage *Microsoft.Print3D* -AllUsers | Remove-AppxPackage"
powershell.exe -command "Get-AppxPackage *Microsoft.SkypeApp* -AllUsers | Remove-AppxPackage"
powershell.exe -command "Get-AppxPackage *Microsoft.Wallet* -AllUsers | Remove-AppxPackage"
powershell.exe -command "Get-AppxPackage *Microsoft.WindowsAlarms* -AllUsers | Remove-AppxPackage"
powershell.exe -command "Get-AppxPackage *Microsoft.WindowsCamera* -AllUsers | Remove-AppxPackage"
powershell.exe -command "Get-AppxPackage *microsoft.windowscommunicationsapps* -AllUsers | Remove-AppxPackage"
powershell.exe -command "Get-AppxPackage *Microsoft.WindowsFeedbackHub* -AllUsers | Remove-AppxPackage"
powershell.exe -command "Get-AppxPackage *Microsoft.WindowsSoundRecorder* -AllUsers | Remove-AppxPackage"
powershell.exe -command "Get-AppxPackage *Microsoft.YourPhone* -AllUsers | Remove-AppxPackage"
powershell.exe -command "Get-AppxPackage *Microsoft.WindowsFeedback* -AllUsers | Remove-AppxPackage"
powershell.exe -command "Get-AppxPackage *Windows.ContactSupport* -AllUsers | Remove-AppxPackage"
  394. powershell.exe -command "Get-AppxPackage *PandoraMedia* -AllUsers | Remove-AppxPackage"
:: The stray space in the original pattern meant this wildcard never matched the Photoshop Express package
powershell.exe -command "Get-AppxPackage *AdobeSystemsIncorporated.AdobePhotoshop* -AllUsers | Remove-AppxPackage"
powershell.exe -command "Get-AppxPackage *Duolingo* -AllUsers | Remove-AppxPackage"
powershell.exe -command "Get-AppxPackage *Microsoft.BingNews* -AllUsers | Remove-AppxPackage"
powershell.exe -command "Get-AppxPackage *Microsoft.Office.Sway* -AllUsers | Remove-AppxPackage"
powershell.exe -command "Get-AppxPackage *Microsoft.Advertising.Xaml* -AllUsers | Remove-AppxPackage"
powershell.exe -command "Get-AppxPackage *ActiproSoftware* -AllUsers | Remove-AppxPackage"
powershell.exe -command "Get-AppxPackage *EclipseManager* -AllUsers | Remove-AppxPackage"
powershell.exe -command "Get-AppxPackage *SpotifyAB.SpotifyMusic* -AllUsers | Remove-AppxPackage"
powershell.exe -command "Get-AppxPackage *king.com.* -AllUsers | Remove-AppxPackage"
:: Remove provisioned apps
:: This prevents these apps from being reinstalled when a new user logs on for the first time
:: Obviously I manually chose this list. If you truly want to nuke all the provisioned apps, you can use the below commented command in PowerShell
:: Get-AppXProvisionedPackage -Online | Remove-AppxProvisionedPackage -Online
powershell.exe -command "Get-AppxProvisionedPackage -Online | Where-Object {$_.DisplayName -eq 'Microsoft.BingWeather'} | Remove-AppxProvisionedPackage -Online"
powershell.exe -command "Get-AppxProvisionedPackage -Online | Where-Object {$_.DisplayName -eq 'Microsoft.GetHelp'} | Remove-AppxProvisionedPackage -Online"
powershell.exe -command "Get-AppxProvisionedPackage -Online | Where-Object {$_.DisplayName -eq 'Microsoft.Getstarted'} | Remove-AppxProvisionedPackage -Online"
powershell.exe -command "Get-AppxProvisionedPackage -Online | Where-Object {$_.DisplayName -eq 'Microsoft.SkypeApp'} | Remove-AppxProvisionedPackage -Online"
powershell.exe -command "Get-AppxProvisionedPackage -Online | Where-Object {$_.DisplayName -eq 'Microsoft.WindowsAlarms'} | Remove-AppxProvisionedPackage -Online"
powershell.exe -command "Get-AppxProvisionedPackage -Online | Where-Object {$_.DisplayName -eq 'Microsoft.WindowsCamera'} | Remove-AppxProvisionedPackage -Online"
powershell.exe -command "Get-AppxProvisionedPackage -Online | Where-Object {$_.DisplayName -eq 'microsoft.windowscommunicationsapps'} | Remove-AppxProvisionedPackage -Online"
powershell.exe -command "Get-AppxProvisionedPackage -Online | Where-Object {$_.DisplayName -eq 'Microsoft.WindowsFeedbackHub'} | Remove-AppxProvisionedPackage -Online"
powershell.exe -command "Get-AppxProvisionedPackage -Online | Where-Object {$_.DisplayName -eq 'Microsoft.YourPhone'} | Remove-AppxProvisionedPackage -Online"
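The two removal passes above (installed copies for all users, then the provisioned package) combined into one function, as an added example that is not part of the original script; `Remove-BloatApp` is a name chosen here, and `-WhatIf` lets you review exactly what would go before anything is removed.

```powershell
# Added example (not part of the original script): remove both the installed
# and the provisioned copy of each named package in one pass. Supports -WhatIf
# so the candidate list can be reviewed first. Run from an elevated prompt.
function Remove-BloatApp {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Name)

    foreach ($n in $Name) {
        # Installed copies in every user profile (same as the per-app lines above)
        Get-AppxPackage -AllUsers -Name "*$n*" | ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.PackageFullName, 'Remove-AppxPackage -AllUsers')) {
                Remove-AppxPackage -Package $_.PackageFullName -AllUsers
            }
        }
        # Provisioned copy, so the app is not re-added when a new user first logs on
        Get-AppxProvisionedPackage -Online |
            Where-Object { $_.DisplayName -like "*$n*" } |
            ForEach-Object {
                if ($PSCmdlet.ShouldProcess($_.DisplayName, 'Remove-AppxProvisionedPackage -Online')) {
                    Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
                }
            }
    }
}

# The same names the script above removes in both passes. With -WhatIf the
# function only prints "What if: ..." lines; drop the switch to remove them.
$apps = 'Microsoft.BingWeather', 'Microsoft.GetHelp', 'Microsoft.Getstarted',
        'Microsoft.SkypeApp', 'Microsoft.WindowsAlarms', 'Microsoft.WindowsCamera',
        'microsoft.windowscommunicationsapps', 'Microsoft.WindowsFeedbackHub',
        'Microsoft.YourPhone'
Remove-BloatApp -Name $apps -WhatIf
```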
::
::#######################################################################
:: Extra settings commented out but worth considering
::#######################################################################
::
:: Enforce NTLMv2 authentication only (LmCompatibilityLevel 5 refuses LM and NTLM responses)
:: This is commented out by default as it could impact access to consumer-grade file shares, but it's a recommended setting
:: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LmCompatibilityLevel /t REG_DWORD /d 5 /f
::
:: Prevent unencrypted passwords being sent to third-party SMB servers
:: This is commented out by default as it could impact access to consumer-grade file shares, but it's a recommended setting
:: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v EnablePlainTextPassword /t REG_DWORD /d 0 /f
::
:: Prevent guest logons to SMB servers
:: This is commented out by default as it could impact access to consumer-grade file shares, but it's a recommended setting
:: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" /v AllowInsecureGuestAuth /t REG_DWORD /d 0 /f
::
:: Force SMB server signing
:: This is commented out by default as it could impact access to consumer-grade file shares, but it's a recommended setting
:: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v RequireSecuritySignature /t REG_DWORD /d 1 /f
::
:: Enable Windows Defender Application Guard
:: This setting is commented out as it enables a subset of DC/CG, which renders other virtualization products unusable. Can be enabled if you don't use those
:: powershell.exe Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard -norestart
::
:: Enable Windows Defender Credential Guard
:: This setting is commented out as it enables a subset of DC/CG, which renders other virtualization products unusable. Can be enabled if you don't use those
:: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 1 /f
:: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v RequirePlatformSecurityFeatures /t REG_DWORD /d 3 /f
:: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v LsaCfgFlags /t REG_DWORD /d 1 /f
::
:: The following variant also enables forced ASLR and CFG but causes issues with several third party apps
:: powershell.exe Set-Processmitigation -System -Enable DEP,CFG,ForceRelocateImages,BottomUp,SEHOP
::
:: Block executable files from running unless they meet a prevalence, age, or trusted list criterion
:: This one is commented out for now as I need to research and test more to determine potential impact
:: powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-cd74-433a-b99e-2ecdc07bfc25 -AttackSurfaceReductionRules_Actions Enabled
::
:: Enable Windows Defender real time monitoring
:: Commented out given consumers often run third party anti-virus. You can run either.
:: powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $false"
:: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 0 /f
::
:: Disable internet connection sharing
:: Commented out as it's not enabled by default and if it is enabled, may be for a reason
:: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Network Connections" /v NC_ShowSharedAccessUI /t REG_DWORD /d 0 /f
::
:: Always re-process Group Policy even if no changes
:: Commented out as consumers don't typically use GPO
:: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" /v NoGPOListChanges /t REG_DWORD /d 0 /f
::
:: Force logoff if smart card removed
:: Set to "2" for logoff, set to "1" for lock
:: Commented out as consumers don't typically use smart cards
:: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SCRemoveOption /t REG_DWORD /d 2 /f
::
:: Restrict privileged local admin tokens being used from network
:: Commented out as it only works on domain-joined assets
:: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 0 /f
::
:: Ensure outgoing secure channel traffic is encrypted
:: Commented out as it only works on domain-joined assets
:: reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v RequireSignOrSeal /t REG_DWORD /d 1 /f
::
:: Enforce LDAP client signing
:: Commented out as most consumers don't use LDAP auth
:: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LDAP" /v LDAPClientIntegrity /t REG_DWORD /d 1 /f
::
:: Prevent unauthenticated RPC connections
:: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" /v RestrictRemoteClients /t REG_DWORD /d 1 /f
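A read-only check for the optional registry settings in this section, added here as an example and not part of the original script: it reads each value the commented-out `reg add` lines would set and reports whether the machine already holds the hardened value, so you can see what a given setting would change before uncommenting it.

```powershell
# Added example (not part of the original script): report the current state of
# the optional registry hardening values above. Path, value name and expected
# data are taken from the commented-out reg add lines in this section.
$Checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Name = 'LmCompatibilityLevel';              Expected = 5 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'EnablePlainTextPassword';           Expected = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation';          Name = 'AllowInsecureGuestAuth';            Expected = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters';      Name = 'RequireSecuritySignature';          Expected = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard';                Name = 'EnableVirtualizationBasedSecurity'; Expected = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard';                Name = 'RequirePlatformSecurityFeatures';   Expected = 3 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard';                Name = 'LsaCfgFlags';                       Expected = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';      Name = 'LocalAccountTokenFilterPolicy';     Expected = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';          Name = 'RequireSignOrSeal';                 Expected = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP';                         Name = 'LDAPClientIntegrity';               Expected = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc';                     Name = 'RestrictRemoteClients';             Expected = 1 }
)

function Test-HardeningValue {
    param([string]$Path, [string]$Name, [int]$Expected)
    # A missing key or value means the Windows default applies. It is reported
    # as '<not set>' rather than assumed hardened, since the default differs
    # per setting and per edition.
    $actual = $null
    try {
        $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch { }
    [pscustomobject]@{
        Setting  = $Name
        Expected = $Expected
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Hardened = ($actual -eq $Expected)
    }
}

# Splat each check's Path/Name/Expected into the function; reading HKLM does
# not require elevation, so this is safe to run before any change is made.
$Checks | ForEach-Object { Test-HardeningValue @_ } | Format-Table -AutoSize
```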
::
::#######################################################################
:: References
::#######################################################################
::
:: LLMNR
:: https://www.blackhillsinfosec.com/how-to-disable-llmnr-why-you-want-to/
::
:: Windows Defender References
:: ASR Rules https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
:: ASR and Exploit Guard https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard
:: ASR Rules https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction
:: Easy methods to test rules https://demo.wd.microsoft.com/?ocid=cx-wddocs-testground
:: Resource on the rules and associated event IDs https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/event-views
:: Defender sandboxing https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/
:: Defender exploit protection https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection
:: Application Guard https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard
:: Defender cmdline https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus
::
:: General hardening references
:: LSA Protection https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn408187(v=ws.11)?redirectedfrom=MSDN
::
:: Microsoft Office References:
:: Disable DDE https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b
:: Disable macros https://decentsecurity.com/block-office-macros/
::
:: Debloating
:: https://blog.danic.net/how-windows-10-pro-installs-unwanted-apps-candy-crush-and-how-you-stop-it/
::
:: Frameworks and benchmarks
:: STIG https://www.stigviewer.com/stig/windows_10/
pause