Windows Client Hardening: Difference between revisions

From WikiWiki



Revision as of 12:47, 5 January 2017

Software

Settings

  • Reset the TPM chip in the BIOS (clear the factory cache)
  • Change the boot order in the BIOS: only allow the hard disk
  • Set a password on the BIOS
  • Enable Secure Boot
  • Don't use UAC; instead use 2 accounts: 1 admin account and 1 day-to-day work account
  • Enable BitLocker
  • Enable AppLocker / Software Restriction Policies and add .ps1 to the disallowed list... AppLocker does not block .htm or .hta and does not allow custom extensions :-(
  • Enable return to lock screen on screensaver, and set the screensaver to 1 minute
  • Clear the inbound firewall policy, disable everything
    • enable inbound per service (RDP/WinRM)
  • IPsec inbound if really wanted
  • Disable inbound NTLM
  • Disable outbound NTLM
    • allow outbound NTLM per server/domain/IP/IP range

GPO settings

{| class="wikitable"
! Setting !! Configure !! Location
|-
| Don't connect to a wifi without logging on || Do not display network selection UI || gpedit: Computer Configuration\Administrative Templates\System\Logon
|-
| Remap utilman on lockscreen || || regedit: new key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe with a string value named "debugger" and value "c:\"
|-
| Disable USB || ||
|-
| Disable NTLM || ||
|-
| Enable NLA for RDP || ||
|}

Reads


GPResult

{| class="wikitable"
! Scope !! Node !! Section !! Category !! Subcategory !! Setting !! Value !! Extra Comment
|-
| Computer Configuration || Windows Settings || Security Settings || Account Policies || Account Lockout Policy || Account lockout duration || 30min ||
|-
| || || || || || Account lockout threshold || 5 invalid logons ||
|-
| || || || || || Reset account lockout counter after || 30min ||
|-
| || || || Local Policies || Security Options || Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication || *.corp.contoso.com, 192.168.0.*, nas || Define exceptions (local NAS or storage devices; specify by IP, IP range or FQDN)
|-
| || || || || || Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers || Deny all || Issues expected, define exceptions where needed
|-
| || || || Software Restriction Policies || || Enforcement || ||
|-
| || || || || || Designated File Types || ||
|-
| || || || || Security Levels || Disallowed || set as default ||
|-
| || || || || Additional Rules || || New path exception for Program Files and Program Files (x86) || Create exceptions here
|-
| || Administrative Templates || System || Device Installation || Device Installation Restrictions || Allow administrators to override Device Installation Restriction policies || Enabled || On installation of a new device, open devmgmt.msc as administrator, go to "Other devices", right-click and update the driver manually
|-
| || || || || || Prevent installation of devices not described by other policy settings || Enabled ||
|-
| || || || Logon || Do not display network selection UI || || ||
|-
| || || Windows Components || Data Collection and Preview Builds || Allow Telemetry || Enabled - 0 || ||
|}
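An added audit script (not part of the original page) that checks a client against the settings in the list and table above: the account lockout values, the Restrict NTLM policies and exception list, telemetry, the network selection UI, device installation restrictions and the utilman IFEO remap. The registry locations are the standard policy keys behind these GPO entries as I know them, not values taken from this page; run it in an elevated PowerShell.

```powershell
# Added example: report which of the hardening settings above are applied on this host.
# Registry paths below are the policy keys behind the GPO entries (assumed from documentation).
$Lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Pol  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
$Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe'

# Setting name, registry key, value name, expected data (2 = "Deny all" for the NTLM policies)
$Checks = @(
    @{ Name = 'Restrict NTLM: Outgoing NTLM traffic = Deny all';      Path = $Lsa; Value = 'RestrictSendingNTLMTraffic';   Expected = 2 },
    @{ Name = 'Restrict NTLM: Incoming NTLM traffic = Deny all';      Path = $Lsa; Value = 'RestrictReceivingNTLMTraffic'; Expected = 2 },
    @{ Name = 'Allow Telemetry = 0';                                  Path = "$Pol\DataCollection"; Value = 'AllowTelemetry'; Expected = 0 },
    @{ Name = 'Do not display network selection UI';                  Path = "$Pol\System"; Value = 'DontDisplayNetworkSelectionUI'; Expected = 1 },
    @{ Name = 'Prevent installation of devices not described';        Path = "$Pol\DeviceInstall\Restrictions"; Value = 'DenyUnspecified'; Expected = 1 },
    @{ Name = 'Allow administrators to override device restrictions'; Path = "$Pol\DeviceInstall\Restrictions"; Value = 'AllowAdminInstall'; Expected = 1 },
    @{ Name = 'utilman.exe remapped via IFEO debugger';               Path = $Ifeo; Value = 'Debugger'; Expected = 'c:\' }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent, i.e. the policy has not been applied
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-HardeningSettings {
    foreach ($c in $Checks) {
        $actual = Get-RegValue $c.Path $c.Value
        [pscustomobject]@{ Setting = $c.Name; Expected = $c.Expected; Actual = $actual
                           Pass = ($null -ne $actual -and "$actual" -eq "$($c.Expected)") }
    }
    # Account lockout policy is not stored under a policy key; parse the 'net accounts' report instead.
    # When lockout is off the line reads "Lockout threshold: Never", the regex fails and the check reports a fail.
    $net = net accounts | Out-String
    $Lockout = @{
        'Account lockout threshold (invalid logons)'   = @('Lockout threshold:\s+(\d+)', 5)
        'Account lockout duration (minutes)'           = @('Lockout duration \(minutes\):\s+(\d+)', 30)
        'Reset account lockout counter after (minutes)' = @('Lockout observation window \(minutes\):\s+(\d+)', 30)
    }
    foreach ($k in $Lockout.Keys) {
        $m = [regex]::Match($net, $Lockout[$k][0])
        $actual = if ($m.Success) { [int]$m.Groups[1].Value } else { $null }
        [pscustomobject]@{ Setting = $k; Expected = $Lockout[$k][1]; Actual = $actual
                           Pass = ($actual -eq $Lockout[$k][1]) }
    }
}

Test-HardeningSettings | Format-Table -AutoSize
# The NTLM exception list (the table's *.corp.contoso.com, 192.168.0.*, nas) is a REG_MULTI_SZ; print it for review
Get-RegValue $Lsa 'ClientAllowedNTLMServers'
```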
