Windows Client Hardening: Difference between revisions
Jump to navigation
Jump to search
No edit summary (change visibility) |
|||
| Line 39: | Line 39: | ||
| Example || Example || Example | | Example || Example || Example | ||
|} | |} | ||
= Reads = | |||
* https://decentsecurity.com/ | |||
security | security | ||
Revision as of 16:45, 12 December 2016
Software
- EMET
- Firefox
- Sandboxie
- VMware
- Instal RSAT
Settings
- Reset TPM chip in bios (clear factory cache)
- Change boot order in bios, only allow hard disk
- Set password on bios
- Enable secure boot
- Don't use UAC, instead use 2 accounts: 1 admin account, 1 day to day work account
- Enable bitlocker
- Enable
applockerSoftware Restriction Policies and add ps1 to disallowed list... AppLocker doesn't not block .htm or .hta and does not allow custom extentions :-( - Enable return to lockscreen on screensaver, and set screensaver to 1 minute
GPO settings
| Setting | Configure | Location |
|---|---|---|
| Don't connect to a wifi without logging on | Do not display network selection UI | gpedit Computer Configuration\Administrative Templates\system\logon |
| Remap utilman on lockscreen | Example | Example |
| Disable USB | Example | Example |
| Disable NTLM | Example | Example |
| Enable NLA for RDP | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
Reads
security