Windows Client Hardening: Difference between revisions
Jump to navigation
Jump to search
Line 80: | Line 80: | ||
|| Create exceptions here | || Create exceptions here | ||
|- | |- | ||
| || Administrative Templates || System || Device Installation || Device Installation Restrictions || Allow administrators to override Device Installation Restriction policies || Enabled || On installation of new device, open devmgmt as administrator, go to "other devices", right click and update driver manually | | || Administrative Templates || System || Device Installation || Device Installation Restrictions || Allow administrators to override Device Installation Restriction policies || Enabled || On installation of new device, open devmgmt as administrator, go to "other devices", right click and update driver manually. | ||
|- | |- | ||
| || || || || || Prevent installation of devices not described by other policy settings || Enabled || | | || || || || || Prevent installation of devices not described by other policy settings || Enabled || Another known issue with RDP: https://social.technet.microsoft.com/Forums/windows/en-US/4d4d6863-3fc0-4281-918b-235ca790a98a/rds-2012-r2-collections-show-black-screen-and-then-close?forum=winserverTS aka connect to an rdp session first (to configure the virtual mouse/keyboard) before enabling the device installation restriction policy | ||
|- | |- | ||
| || || || Logon || Do not display network selection UI || || || | | || || || Logon || Do not display network selection UI || || || |
Revision as of 13:54, 8 January 2017
Software
Settings
- Reset TPM chip in bios (clear factory cache)
- Change boot order in bios, only allow hard disk
- Set password on bios
- Enable secure boot
- Don't use UAC, instead use 2 accounts: 1 admin account, 1 day to day work account
- Enable bitlocker
- Enable
applockerSoftware Restriction Policies and add ps1 to disallowed list... AppLocker doesn't not block .htm or .hta and does not allow custom extentions :-( - Enable return to lockscreen on screensaver, and set screensaver to 1 minute
- Clear inbound firewall policy, disable everything
- enable per service inbound (RDP/WinRM)
- ipsec inbound if really wanted
- disable inbound ntlm
- disable outbound ntlm
- allow per server/domain/ip/iprange outbound ntlm
GPO settings
Setting | Configure | Location |
---|---|---|
Don't connect to a wifi without logging on | Do not display network selection UI | gpedit Computer Configuration\Administrative Templates\system\logon |
Remap utilman on lockscreen | Example | regedit - new key - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe with stringvalue named "debugger" and value "c:\" |
Disable USB | Example | Example |
Disable NTLM | Example | Example |
Enable NLA for RDP | Example | Example |
Example | Example | Example |
Example | Example | Example |
Example | Example | Example |
Example | Example | Example |
Reads
GPResult
Header text | Header text | Header text | Header text | Header text | Header text | Value | Extra Comment |
---|---|---|---|---|---|---|---|
Computer Configuration | Windows Settings | Security Settings | Account Policies | Account Lockout Policy | Account lockout duration | 30min | |
Account lockout threshold | 5 invalid logons | ||||||
Reset account lockout counter after | 30min | ||||||
Local Policies | Security Options | Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication | *.corp.contoso.com
192.168.0.* nas |
Define exceptions (local NAS or storage devices and stuff - do by ip or by range or fqdn). | |||
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers | Deny all | Issues expected, define exceptions where needed. This will break things! If any authentication doesn't work, blame this! Think smb, rdp, websites, ... Define exception in policy above. | |||||
Software Restriction Policies | Enforcement | ||||||
Designated File Types | |||||||
Security Levels | Disallowed | set as default | |||||
Additional Rules | New path allow rule for program files and program files (x86)
new certification allow rule for windows/cisco (webext)/teamviewer/onedrive/visualstudio/... |
Create exceptions here | |||||
Administrative Templates | System | Device Installation | Device Installation Restrictions | Allow administrators to override Device Installation Restriction policies | Enabled | On installation of new device, open devmgmt as administrator, go to "other devices", right click and update driver manually. | |
Prevent installation of devices not described by other policy settings | Enabled | Another known issue with RDP: https://social.technet.microsoft.com/Forums/windows/en-US/4d4d6863-3fc0-4281-918b-235ca790a98a/rds-2012-r2-collections-show-black-screen-and-then-close?forum=winserverTS aka connect to an rdp session first (to configure the virtual mouse/keyboard) before enabling the device installation restriction policy | |||||
Logon | Do not display network selection UI | ||||||
Windows Components | Data Collection and Preview Builds | Allow Telemetry | Enabled - 0 | ||||
security