Windows Client Hardening: Difference between revisions

From WikiWiki
Revision as of 15:28, 3 January 2017

Software

Settings

  • Reset the TPM chip in the BIOS (clear the factory cache)
  • Change the boot order in the BIOS, only allow the hard disk
  • Set a password on the BIOS
  • Enable secure boot
  • Don't use UAC, instead use 2 accounts: 1 admin account, 1 day to day work account
  • Enable bitlocker
  • Enable Software Restriction Policies (rather than AppLocker) and add .ps1 to the disallowed list... AppLocker does not block .htm or .hta and does not allow custom extensions :-(
  • Enable return to lockscreen on screensaver, and set screensaver to 1 minute
  • Clear inbound firewall policy, disable everything
    • enable per service inbound (RDP/WinRM)
  • IPsec inbound, if really wanted
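The firewall and screensaver items of the checklist above can be applied with built-in cmdlets and policy registry values. The script below is an added example, not part of the wiki page: the function names and the $AllowGroups default are this example's own choices, and it assumes an elevated PowerShell prompt on a client with the NetSecurity module (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the wiki page). Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

function Set-InboundFirewallLockdown {
    param(
        # Display groups of the inbound rules to re-enable after the reset.
        # "Remote Desktop" and "Windows Remote Management" are the built-in group
        # names for RDP and WinRM. Add "Core Networking" if the client relies on
        # the DHCP / ICMPv6 inbound rules that live in that group.
        [string[]]$AllowGroups = @('Remote Desktop', 'Windows Remote Management')
    )
    # Default inbound action becomes Block on every profile; outbound stays Allow.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
    # "Clear inbound policy, disable everything": turn off every inbound rule ...
    Get-NetFirewallRule -Direction Inbound | Disable-NetFirewallRule
    # ... then re-enable inbound only per service that is really wanted.
    foreach ($group in $AllowGroups) {
        Enable-NetFirewallRule -DisplayGroup $group
    }
}

function Set-ScreensaverLock {
    param([int]$TimeoutSeconds = 60)   # the checklist says 1 minute
    # Per-user policy location behind "Screen saver timeout" and
    # "Password protect the screen saver"; it overrides the Control Panel values.
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'ScreenSaveActive'    -PropertyType String -Value '1' -Force | Out-Null
    # ScreenSaverIsSecure = 1 is "On resume, display logon screen" (return to lock screen).
    New-ItemProperty -Path $key -Name 'ScreenSaverIsSecure' -PropertyType String -Value '1' -Force | Out-Null
    New-ItemProperty -Path $key -Name 'ScreenSaveTimeOut'   -PropertyType String -Value "$TimeoutSeconds" -Force | Out-Null
    # A screensaver binary must be configured, otherwise the timeout never fires.
    New-ItemProperty -Path $key -Name 'SCRNSAVE.EXE' -PropertyType String `
        -Value "$env:SystemRoot\System32\scrnsave.scr" -Force | Out-Null
}

function Test-InboundFirewallLockdown {
    param([string[]]$AllowGroups = @('Remote Desktop', 'Windows Remote Management'))
    # Reports profiles that do not block by default and enabled inbound rules
    # outside the allowed groups, so drift is visible without re-applying anything.
    $openProfiles = Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' }
    $strayRules   = Get-NetFirewallRule -Direction Inbound -Enabled True |
                    Where-Object { $_.DisplayGroup -notin $AllowGroups }
    [pscustomobject]@{
        ProfilesNotBlocking = @($openProfiles | ForEach-Object Name)
        StrayInboundRules   = @($strayRules | ForEach-Object DisplayName)
        Compliant           = (@($openProfiles).Count -eq 0 -and @($strayRules).Count -eq 0)
    }
}

Set-InboundFirewallLockdown
Set-ScreensaverLock -TimeoutSeconds 60
Test-InboundFirewallLockdown | Format-List
```

Run the test function again after a `gpupdate /force` or a reboot: group policy from a domain can re-enable rules, and the report shows exactly which inbound rules came back.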

GPO settings

| Setting | Configure | Location |
| --- | --- | --- |
| Don't connect to Wi-Fi without logging on | Do not display network selection UI | gpedit: Computer Configuration\Administrative Templates\System\Logon |
| Remap utilman on the lock screen | Example | regedit: new key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe with a string value named "debugger" and value "c:\" |
| Disable USB | Example | Example |
| Disable NTLM | Example | Example |
| Enable NLA for RDP | Example | Example |
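Registry-backed equivalents of the table rows above, with a read-back check, as an added example that is not part of the wiki page. The utilman entry uses exactly the key and value the table gives; the other paths (DontDisplayNetworkSelectionUI, USBSTOR Start, LmCompatibilityLevel, RestrictReceivingNTLMTraffic, UserAuthentication) are the standard registry locations behind those policies and are this example's assumption, since the table leaves them as "Example". It assumes an elevated prompt; the USBSTOR and NTLM changes take full effect after a reboot.

```powershell
# Added example (not from the wiki page). Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

$Settings = @(
    # "Do not display network selection UI"
    # (Computer Configuration\Administrative Templates\System\Logon). Assumed key.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name = 'DontDisplayNetworkSelectionUI'; Type = 'DWord'; Value = 1 },
    # Remap utilman on the lock screen, exactly as the table states: the IFEO
    # "debugger" points at a directory, so the accessibility button launches nothing.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe'
       Name = 'Debugger'; Type = 'String'; Value = 'c:\' },
    # Disable USB mass storage: Start = 4 keeps the USBSTOR driver from loading. Assumed key.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Name = 'Start'; Type = 'DWord'; Value = 4 },
    # Disable NTLM: LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM;
    # RestrictReceivingNTLMTraffic 2 = deny all incoming NTLM. Assumed keys.
    # Anything that can only authenticate with NTLM breaks; review the NTLM
    # audit events (AuditReceivingNTLMTraffic) before enforcing on a fleet.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel'; Type = 'DWord'; Value = 5 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'RestrictReceivingNTLMTraffic'; Type = 'DWord'; Value = 2 },
    # Enable NLA for RDP: UserAuthentication = 1 requires network level
    # authentication before a session is created. Assumed key.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Name = 'UserAuthentication'; Type = 'DWord'; Value = 1 }
)

function Set-ClientHardeningRegistry {
    foreach ($s in $Settings) {
        if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
    }
}

function Test-ClientHardeningRegistry {
    # One object per setting with the value currently in the registry, so a
    # missing or overwritten value shows up as Compliant = False.
    foreach ($s in $Settings) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Setting   = "$($s.Path)\$($s.Name)"
            Expected  = $s.Value
            Current   = $current
            Compliant = ($null -ne $current -and $current -eq $s.Value)
        }
    }
}

Set-ClientHardeningRegistry
Test-ClientHardeningRegistry | Format-Table -AutoSize
```

Where a domain GPO already manages one of these values, prefer setting it there: a local registry write under the Policies hive is simply re-applied from the GPO on the next refresh, and the check function will show the GPO's value rather than yours.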

Reads