Windows Client Hardening: Difference between revisions
Revision as of 12:47, 5 January 2017
Software
Settings
- Reset TPM chip in bios (clear factory cache)
- Change boot order in bios, only allow hard disk
- Set password on bios
- Enable secure boot
- Don't use UAC; instead use 2 accounts: 1 admin account and 1 day-to-day work account
- Enable bitlocker
- Enable AppLocker/Software Restriction Policies and add ps1 to the disallowed list... AppLocker does not block .htm or .hta and does not allow custom extensions :-(
- Enable return to lockscreen on screensaver, and set screensaver to 1 minute
- Clear inbound firewall policy, disable everything
- enable per service inbound (RDP/WinRM)
- ipsec inbound if really wanted
- disable inbound ntlm
- disable outbound ntlm
- allow per server/domain/ip/iprange outbound ntlm
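The firewall, RDP, NTLM and screensaver items of this checklist as a PowerShell script, added here as an example and not taken from the wiki. It assumes an elevated session on Windows 10 with the NetSecurity module, sets the documented MSV1_0 registry values behind the Restrict NTLM policies, and leaves outgoing NTLM in audit mode so that event 8001 in the Microsoft-Windows-NTLM/Operational log shows which servers still need an exception before the value is switched to deny.

```powershell
# Added example for this page (not the wiki's own code): applies the firewall, RDP,
# NTLM and screensaver items of the checklist. Run from an elevated PowerShell on
# Windows 10; the registry paths are the documented backing values of the GPOs.
$ErrorActionPreference = 'Stop'

# 1. Firewall: default-deny inbound on every profile, disable all current inbound
#    rules, then re-enable only the service groups that are actually needed (RDP, WinRM).
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen False
Get-NetFirewallRule -Direction Inbound -Enabled True | Disable-NetFirewallRule
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
Enable-NetFirewallRule -DisplayGroup 'Windows Remote Management'

# 2. RDP: require Network Level Authentication before a session is created.
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name UserAuthentication -Type DWord -Value 1

# 3. NTLM. Outgoing: 1 = audit, 2 = deny all; start in audit so the exception list
#    can be completed before anything breaks. Incoming: 2 = deny all accounts
#    (non-Kerberos clients using local accounts will stop working, as the list expects).
#    The exception entries are the ones from the page's GPResult table.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty $lsa -Name RestrictSendingNTLMTraffic   -Type DWord -Value 1
Set-ItemProperty $lsa -Name RestrictReceivingNTLMTraffic -Type DWord -Value 2
Set-ItemProperty $lsa -Name ClientAllowedNTLMServers -Type MultiString `
    -Value @('*.corp.contoso.com', '192.168.0.*', 'nas')

# 4. Screensaver for the current user: 60 s timeout, password required on resume.
$desk = 'HKCU:\Control Panel\Desktop'
Set-ItemProperty $desk -Name ScreenSaveActive    -Value '1'
Set-ItemProperty $desk -Name ScreenSaveTimeOut   -Value '60'
Set-ItemProperty $desk -Name ScreenSaverIsSecure -Value '1'

# 5. Review audit hits before switching RestrictSendingNTLMTraffic to 2 (deny).
#    Event 8001 in the NTLM operational log records each outgoing NTLM
#    authentication that would have been blocked, including the target server.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

Once the 8001 events no longer show servers that are missing from ClientAllowedNTLMServers, set RestrictSendingNTLMTraffic to 2 to reach the "Deny all" state in the GPResult table.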
GPO settings
| Setting | Configure | Location |
|---|---|---|
| Don't connect to a wifi without logging on | Do not display network selection UI | gpedit: Computer Configuration\Administrative Templates\System\Logon |
| Remap utilman on lockscreen | Example | regedit: new key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe with a string value named "debugger" and value "c:\" |
| Disable USB | Example | Example |
| Disable NTLM | Example | Example |
| Enable NLA for RDP | Example | Example |
Reads
GPResult
| Configuration | Category | Section | Policy area | Policy group | Setting | Value | Extra Comment |
|---|---|---|---|---|---|---|---|
| Computer Configuration | Windows Settings | Security Settings | Account Policies | Account Lockout Policy | Account lockout duration | 30min | |
| | | | | | Account lockout threshold | 5 invalid logons | |
| | | | | | Reset account lockout counter after | 30min | |
| | | | Local Policies | Security Options | Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication | *.corp.contoso.com, 192.168.0.*, nas | Define exceptions (local NAS or storage devices and the like; do it by IP, by range or by FQDN) |
| | | | | | Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers | Deny all | Issues expected, define exceptions where needed |
| | | | Software Restriction Policies | | Enforcement | | |
| | | | | | Designated File Types | | |
| | | | | | Security Levels | Disallowed | set as default |
| | | | | Additional Rules | | New path exception for Program Files and Program Files (x86) | Create exceptions here |
| | Administrative Templates | System | Device Installation | Device Installation Restrictions | Allow administrators to override Device Installation Restriction policies | Enabled | On installation of a new device, open devmgmt as administrator, go to "Other devices", right-click and update the driver manually |
| | | | | | Prevent installation of devices not described by other policy settings | Enabled | |
| | | | Logon | | Do not display network selection UI | | |
| | | Windows Components | Data Collection and Preview Builds | | Allow Telemetry | Enabled - 0 | |
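To verify that a client actually received the values in the GPO settings table and the GPResult table above, here is an added PowerShell check (not the wiki's own code) that reads the registry locations behind those policies and the lockout settings from net accounts. The expected values are the ones in the tables; the MSV1_0, Safer, DeviceInstall, System and DataCollection paths are assumed from the documented Group Policy backing locations, and the IFEO path is the one given in the GPO settings table.

```powershell
# Added example for this page (not the wiki's own code): reads the registry values
# that back the settings in the GPO settings and GPResult tables and reports drift.
# Expected values come from the tables; paths are the documented policy locations.
$LsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$DevPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe'

$Checks = @(
    @{ Name = 'NTLM outgoing: Deny all (2)';       Path = $LsaPath; Value = 'RestrictSendingNTLMTraffic'; Expect = 2 },
    @{ Name = 'NTLM remote server exceptions';     Path = $LsaPath; Value = 'ClientAllowedNTLMServers';   Expect = @('*.corp.contoso.com', '192.168.0.*', 'nas') },
    @{ Name = 'SRP default level: Disallowed (0)'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'; Value = 'DefaultLevel'; Expect = 0 },
    @{ Name = 'Device install: deny unspecified';  Path = $DevPath; Value = 'DenyUnspecified';  Expect = 1 },
    @{ Name = 'Device install: admin override';    Path = $DevPath; Value = 'AllowAdminInstall'; Expect = 1 },
    @{ Name = 'Logon: no network selection UI';    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Value = 'DontDisplayNetworkSelectionUI'; Expect = 1 },
    @{ Name = 'Telemetry: Enabled - 0';            Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'; Value = 'AllowTelemetry'; Expect = 0 },
    @{ Name = 'utilman.exe remapped (IFEO)';       Path = $IfeoPath; Value = 'Debugger'; Expect = 'c:\' }
)

function Test-HardeningValue {
    param([hashtable]$Check)
    # A missing key or value reads as $null and therefore fails the check.
    $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue).($Check.Value)
    $ok = if ($null -eq $actual) { $false }
          elseif ($Check.Expect -is [array]) { $null -eq (Compare-Object @($actual) $Check.Expect) }
          else { "$actual" -eq "$($Check.Expect)" }
    [pscustomobject]@{ Check = $Check.Name; Expected = ($Check.Expect -join ', ')
                       Actual = ($actual -join ', '); Pass = $ok }
}

# Account lockout policy is not a plain registry value on a workstation; parse "net accounts".
function Get-LockoutPolicy {
    $out = net accounts
    $pick = { param($re) ($out | Select-String $re | Select-Object -First 1).Matches[0].Groups[1].Value }
    [pscustomobject]@{
        Threshold = & $pick 'Lockout threshold:\s+(\S+)'                      # table: 5
        Duration  = & $pick 'Lockout duration \(minutes\):\s+(\S+)'           # table: 30
        Window    = & $pick 'Lockout observation window \(minutes\):\s+(\S+)' # table: 30
    }
}

$Checks | ForEach-Object { Test-HardeningValue $_ } | Format-Table -AutoSize
Get-LockoutPolicy | Format-List
```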