Windows Client Hardening: Difference between revisions
Revision as of 16:29, 3 January 2017
Software
Settings
- Clear the TPM in the BIOS/UEFI setup (this wipes any keys already stored in it, so do it before enabling BitLocker, which seals its key to the TPM)
- Change the boot order in the BIOS/UEFI setup so that only the internal hard disk is allowed
- Set a password on the BIOS/UEFI setup so the two settings above cannot be undone without it
- Enable Secure Boot
- Don't rely on UAC; instead use 2 accounts: 1 admin account for administration and 1 standard user account for day-to-day work
- Enable BitLocker
- Enable Software Restriction Policies (not AppLocker) and add .ps1 to the disallowed list. AppLocker does not block .htm or .hta and does not allow custom extensions :-(
- Enable "return to lock screen" (password protection) on the screensaver, and set the screensaver timeout to 1 minute
- Clear the inbound firewall policy: block everything inbound by default
  - enable inbound rules per service (RDP/WinRM) only
  - require IPsec for inbound connections if really wanted
- Disable inbound NTLM
- Disable outbound NTLM
  - allow outbound NTLM as exceptions per server/domain/IP/IP range
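The firewall, NTLM, screensaver and two-account items above, as an added PowerShell example that is not part of the original wiki page. The management subnet `10.0.0.0/24`, the NTLM server exceptions and the account names are assumptions for illustration; the registry paths and value names are the ones behind the corresponding Group Policy settings.

```powershell
# Added example (not from the original wiki page): applies the firewall, NTLM,
# screensaver and two-account items from the hardening list. Run from an
# elevated PowerShell on Windows 10 / Server 2016 or later. The management
# subnet, the NTLM server exceptions and the account names are assumptions.
#Requires -RunAsAdministrator

$ManagementSubnet   = '10.0.0.0/24'                                    # assumed
$AllowedNtlmServers = @('fileserver.corp.example', '*.legacy.example')  # assumed

# --- Inbound firewall: block by default, then re-enable per service ----------
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Disable every inbound rule that ships enabled so only the rules below apply.
Get-NetFirewallRule -Direction Inbound -Enabled True | Disable-NetFirewallRule

# Keep the built-in core networking rules (DHCP, ICMPv6 neighbour discovery, ...)
# or the client loses basic connectivity.
Get-NetFirewallRule -DisplayGroup 'Core Networking' -Direction Inbound | Enable-NetFirewallRule

# Re-enable RDP and WinRM inbound, restricted to the management subnet.
foreach ($group in 'Remote Desktop', 'Windows Remote Management') {
    Get-NetFirewallRule -DisplayGroup $group -Direction Inbound |
        Set-NetFirewallRule -Enabled True -RemoteAddress $ManagementSubnet
}

# RDP must use Network Level Authentication (authenticate before a session exists).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name UserAuthentication -Type DWord -Value 1

# --- NTLM: deny inbound, deny outbound, allow-list specific servers ----------
# Registry values behind the "Network security: Restrict NTLM" security options.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
# Incoming: 0 = allow all, 1 = deny all domain accounts, 2 = deny all accounts
Set-ItemProperty -Path $lsa -Name RestrictReceivingNTLMTraffic -Type DWord -Value 2
# Outgoing: 0 = allow all, 1 = audit all, 2 = deny all. Run with 1 first and
# review the Microsoft-Windows-NTLM/Operational event log before moving to 2.
Set-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -Type DWord -Value 2
# Servers (wildcards allowed) that may still be sent NTLM despite "deny all".
Set-ItemProperty -Path $lsa -Name ClientAllowedNTLMServers -Type MultiString -Value $AllowedNtlmServers

# --- Screensaver: lock after 1 minute, password required on resume -----------
# Per-user policy values (User Configuration\...\Control Panel\Personalization).
$ss = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
New-Item -Path $ss -Force | Out-Null
Set-ItemProperty -Path $ss -Name ScreenSaveActive    -Type String -Value '1'
Set-ItemProperty -Path $ss -Name ScreenSaverIsSecure -Type String -Value '1'
Set-ItemProperty -Path $ss -Name ScreenSaveTimeOut   -Type String -Value '60'

# --- Two accounts instead of one admin account behind UAC --------------------
# Account names are assumed; passwords are prompted for, never embedded.
$admin = New-LocalUser -Name 'corp-admin' -Password (Read-Host -AsSecureString 'Admin password')
Add-LocalGroupMember -Group Administrators -Member $admin
$daily = New-LocalUser -Name 'corp-user' -Password (Read-Host -AsSecureString 'Day-to-day password')
Add-LocalGroupMember -Group Users -Member $daily
```

Set `RestrictSendingNTLMTraffic` to 1 (audit) first and read the Microsoft-Windows-NTLM/Operational log to learn which servers still need NTLM before switching to 2; locking the client out of its own file servers is the usual result of skipping that step. The screensaver values land in the hive of the user running the script, so for the day-to-day account deploy them through a user GPO or run that part under that account.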
GPO settings
Setting | Configure | Location
---|---|---
Don't connect to a wifi without logging on | Do not display network selection UI = Enabled | gpedit: Computer Configuration\Administrative Templates\System\Logon
Remap utilman on lock screen | Create the key and add a string value named "Debugger" with value "c:\" (a directory, not an executable, so the Ease of Access button on the lock screen can no longer start utilman.exe) | regedit: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe
Disable USB | All Removable Storage classes: Deny all access = Enabled | gpedit: Computer Configuration\Administrative Templates\System\Removable Storage Access
Disable NTLM | Network security: Restrict NTLM: Incoming NTLM traffic = Deny all accounts; Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = Deny all; exceptions go in Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication | gpedit: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Enable NLA for RDP | Require user authentication for remote connections by using Network Level Authentication = Enabled | gpedit: Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
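A compliance check for the settings in the GPO table, as an added PowerShell example that is not part of the original wiki page. It reads back the registry values each policy writes and reports the ones not in the hardened state. The `sethc.exe` row is an assumed extension of the utilman entry (Sticky Keys is launched from the lock screen the same way) and is not on the original page.

```powershell
# Added example (not from the original wiki page): reads back the registry
# values behind the GPO table and reports non-compliant ones. Run elevated.
# The sethc.exe check is an assumed extension of the utilman.exe row.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$Checks = @(
    @{ Setting  = 'Do not display network selection UI'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name     = 'DontDisplayNetworkSelectionUI'; Expected = 1 },
    @{ Setting  = 'utilman.exe cannot start from the lock screen'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe'
       Name     = 'Debugger'; Expected = 'c:\' },
    @{ Setting  = 'sethc.exe cannot start from the lock screen (assumed extension)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'
       Name     = 'Debugger'; Expected = 'c:\' },
    @{ Setting  = 'All Removable Storage classes: Deny all access'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
       Name     = 'Deny_All'; Expected = 1 },
    @{ Setting  = 'Restrict NTLM: Incoming NTLM traffic (2 = deny all accounts)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name     = 'RestrictReceivingNTLMTraffic'; Expected = 2 },
    @{ Setting  = 'Restrict NTLM: Outgoing NTLM traffic (2 = deny all)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name     = 'RestrictSendingNTLMTraffic'; Expected = 2 },
    # Effective RDP listener setting; when set through GPO the policy value also
    # lives under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services.
    @{ Setting  = 'RDP requires Network Level Authentication'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Name     = 'UserAuthentication'; Expected = 1 }
)

function Test-HardeningState {
    param([array]$Checks)
    foreach ($c in $Checks) {
        $actual = Get-RegValue -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Setting   = $c.Setting
            Expected  = $c.Expected
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            # String compare so DWord 1 and REG_SZ '1' are treated alike; -eq is
            # case-insensitive, so 'c:\' matches 'C:\'.
            Compliant = ($null -ne $actual) -and ("$actual" -eq "$($c.Expected)")
        }
    }
}

$results = Test-HardeningState -Checks $Checks
$results | Format-Table -AutoSize
# Non-zero exit code makes the script usable from a scheduled task or a CI job.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

A missing value is reported as `<not set>` rather than treated as compliant, since for all of these settings the default (absent) state is the permissive one.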