Windows Client Hardening

From WikiWiki
Jump to navigation Jump to search



  • Reset TPM chip in bios (clear factory cache)
  • Change boot order in bios, only allow hard disk
  • Set password on bios
  • Enable secure boot
  • Don't use UAC, instead use 2 accounts: 1 admin account, 1 day to day work account
  • Enable bitlocker
  • Enable applocker Software Restriction Policies and add ps1 to disallowed list... AppLocker doesn't not block .htm or .hta and does not allow custom extentions :-(
  • Enable return to lockscreen on screensaver, and set screensaver to 1 minute
  • Clear inbound firewall policy, disable everything
    • enable per service inbound (RDP/WinRM)
  • ipsec inbound if really wanted
  • disable inbound ntlm
  • disable outbound ntlm
    • allow per server/domain/ip/iprange outbound ntlm
  • Remap utilman on lockscreen - regedit - new key - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe with stringvalue named "debugger" and value "c:\"
  • Disable Windows Scripting Host. Either set it in HKLM or in HKCU. Make sure your user can't modify the registry key... (change ACL in registry). Also make sure you set the HKCU in the correct user's hive.
    • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Enabled
    • KEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled



Header text Header text Header text Header text Header text Header text Value Extra Comment
Computer Configuration Windows Settings Security Settings Account Policies Account Lockout Policy Account lockout duration 30min
Account lockout threshold 5 invalid logons
Reset account lockout counter after 30min
Local Policies Security Options Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication *



Define exceptions (local NAS or storage devices and stuff - do by ip or by range or fqdn).
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers Deny all Issues expected, define exceptions where needed. This will break things! If any authentication doesn't work, blame this! Think smb, rdp, websites, ... Define exception in policy above.
Shutdown: Allow system to be shut down without having to logon Disabled Holding ctrl while pressing the reboot button on logon screen goes into "recovery"/"advanced startup"
Software Restriction Policies Enforcement
Designated File Types add the following extensions (ever growing list)
  • hta
  • jar
  • js
  • jse
  • ps1
  • wsf
  • vba
  • vbs
  • wsh
  • sct
  • ...
Software Restriction Policies - Designated File Types
Security Levels Disallowed set as default
Additional Rules New path allow rule for program files and program files (x86)

new certification allow rule for windows/cisco (webext)/teamviewer/onedrive/visualstudio/...

Create exceptions here
Administrative Templates System Device Installation Device Installation Restrictions Allow administrators to override Device Installation Restriction policies Enabled On installation of new device, open devmgmt as administrator, go to "other devices", right click and update driver manually.
Prevent installation of devices not described by other policy settings Enabled Another known issue with RDP: aka connect to an rdp session first (to configure the virtual mouse/keyboard) before enabling the device installation restriction policy
Logon Do not display network selection UI Enabled
Windows Components Data Collection and Preview Builds Allow Telemetry Enabled - 0