Windows Client Hardening: Difference between revisions
Latest revision as of 11:31, 28 February 2017
Software
Settings
- Reset the TPM chip in the BIOS (clear factory cache)
- Change the boot order in the BIOS; only allow the hard disk
- Set a password on the BIOS
- Enable Secure Boot
- Don't use UAC; instead use 2 accounts: 1 admin account and 1 day-to-day work account
- Enable BitLocker
- Enable Software Restriction Policies (rather than AppLocker) and add ps1 to the disallowed list... AppLocker does not block .htm or .hta and does not allow custom extensions :-(
- Enable return to lock screen on screensaver, and set the screensaver to 1 minute
- Clear the inbound firewall policy, disable everything
  - enable per service inbound (RDP/WinRM)
  - IPsec inbound if really wanted
- Disable inbound NTLM
- Disable outbound NTLM
  - allow per server/domain/IP/IP range outbound NTLM
- Remap utilman on the lock screen: in regedit, create the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe with a string value named "debugger" and value "c:\". Because "c:\" is not an executable, the Ease of Access button on the lock screen no longer launches anything.
- Disable Windows Script Host. Either set it in HKLM or in HKCU. Make sure your user can't modify the registry key (change the ACL on the key). Also make sure you set the HKCU value in the correct user's hive.
  - HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Enabled
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled
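The two registry items above (utilman remap and Windows Script Host) applied from an elevated PowerShell, as an added example that is not part of the wiki page. It assumes a local work account named 'workuser' (a constructed placeholder) that is currently logged on so its hive is loaded under HKEY_USERS.

```powershell
# Added example, not from the wiki page: applies the utilman remap and the Windows Script Host
# items from the list above and locks the WSH key so the day-to-day user cannot revert it.
# Run in an elevated PowerShell. 'workuser' is a constructed placeholder for the work account.
$workUser = 'workuser'

# 1. Utilman remap. An IFEO "debugger" is prepended to the command line when utilman.exe starts;
#    "c:\" is not an executable, so the lock-screen Ease of Access button launches nothing.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe'
New-Item -Path $ifeo -Force | Out-Null
Set-ItemProperty -Path $ifeo -Name 'debugger' -Value 'c:\' -Type String

# 2. Windows Script Host: Enabled = 0 (REG_DWORD) in HKLM ...
$wshHklm = 'HKLM:\Software\Microsoft\Windows Script Host\Settings'
New-Item -Path $wshHklm -Force | Out-Null
Set-ItemProperty -Path $wshHklm -Name 'Enabled' -Value 0 -Type DWord

# ... and in the work user's hive. HKCU would hit the admin's own hive, so address the
#     user's hive through HKEY_USERS by SID (assumes the user is logged on, hive loaded).
$sid = ([System.Security.Principal.NTAccount]$workUser).Translate([System.Security.Principal.SecurityIdentifier]).Value
$wshUser = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows Script Host\Settings"
New-Item -Path $wshUser -Force | Out-Null
Set-ItemProperty -Path $wshUser -Name 'Enabled' -Value 0 -Type DWord

# 3. ACL: the user owns the keys in their own hive, and an owner can always rewrite the DACL,
#    so hand ownership to Administrators and add an explicit deny on writes for the user.
$acl = Get-Acl -Path $wshUser
$acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
$acl.SetAccessRuleProtection($true, $true)   # stop inheriting; keep copies of inherited rules
$deny = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList `
    $workUser, 'SetValue,CreateSubKey,Delete,ChangePermissions,TakeOwnership', 'Deny'
$acl.AddAccessRule($deny)
Set-Acl -Path $wshUser -AclObject $acl

# 4. Verify: both Enabled values must read 0 before you log off.
Get-ItemProperty -Path $wshHklm, $wshUser -Name 'Enabled' | Select-Object PSPath, Enabled
```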
Reads
- https://decentsecurity.com/
GPResult
Policy path | Value | Extra Comment
---|---|---
Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy > Account lockout duration | 30min |
Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy > Account lockout threshold | 5 invalid logons |
Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy > Reset account lockout counter after | 30min |
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication | *.corp.contoso.com, 192.168.0.*, nas | Define exceptions (local NAS or storage devices and the like; do it by IP, by range or by FQDN).
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers | Deny all | Issues expected; define exceptions where needed. This will break things! If any authentication doesn't work, blame this! Think SMB, RDP, websites, ... Define the exceptions in the policy above.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Shutdown: Allow system to be shut down without having to logon | Disabled | Holding Ctrl while pressing the reboot button on the logon screen goes into "recovery"/"advanced startup"
Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies > Enforcement | |
Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies > Designated File Types | add the following extensions (ever growing list): hta, jar, js, jse, ps1, wsf, vba, vbs, wsh, sct, ... | Software Restriction Policies - Designated File Types
Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies > Security Levels | Disallowed | set as default
Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules | New path allow rule for Program Files and Program Files (x86); new certificate allow rule for Windows/Cisco (webext)/TeamViewer/OneDrive/Visual Studio/... | Create exceptions here
Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions > Allow administrators to override Device Installation Restriction policies | Enabled | On installation of a new device, open devmgmt as administrator, go to "Other devices", right-click and update the driver manually.
Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions > Prevent installation of devices not described by other policy settings | Enabled | Another known issue with RDP: https://social.technet.microsoft.com/Forums/windows/en-US/4d4d6863-3fc0-4281-918b-235ca790a98a/rds-2012-r2-collections-show-black-screen-and-then-close?forum=winserverTS aka connect to an RDP session first (to configure the virtual mouse/keyboard) before enabling the device installation restriction policy
Computer Configuration > Administrative Templates > System > Logon > Do not display network selection UI | Enabled |
Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry | Enabled - 0 |
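A local spot-check of several rows from the GPResult table above, as an added example that is not part of the wiki page: it reads the registry values that back those policies (mappings from Microsoft's security policy reference and the ADMX templates) and reports OK or MISMATCH per setting. Account lockout settings live in the SAM rather than the registry, so they are left out here.

```powershell
# Added example, not from the wiki page: reads the registry values behind several GPO settings
# from the table above, so a client can be spot-checked without running gpresult.
# Account lockout values are not in the registry (use `net accounts` for those).
$checks = @(
    @{ Policy   = 'Restrict NTLM: Outgoing NTLM traffic to remote servers = Deny all'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name     = 'RestrictSendingNTLMTraffic'; Expected = 2 },
    @{ Policy   = 'Shutdown: Allow system to be shut down without having to logon = Disabled'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name     = 'ShutdownWithoutLogon'; Expected = 0 },
    @{ Policy   = 'Allow administrators to override Device Installation Restriction policies = Enabled'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
       Name     = 'AllowAdminInstall'; Expected = 1 },
    @{ Policy   = 'Prevent installation of devices not described by other policy settings = Enabled'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
       Name     = 'DenyUnspecified'; Expected = 1 },
    @{ Policy   = 'Do not display network selection UI = Enabled'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name     = 'DontDisplayNetworkSelectionUI'; Expected = 1 },
    @{ Policy   = 'Allow Telemetry = Enabled - 0'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
       Name     = 'AllowTelemetry'; Expected = 0 }
)

$results = foreach ($c in $checks) {
    # A missing value means the policy was never applied; report that instead of erroring out.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{
        Policy   = $c.Policy
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'MISMATCH' }
    }
}
$results | Format-Table -AutoSize -Wrap

# The remote-server exception list from the table is a REG_MULTI_SZ next to the Deny-all
# switch; print it so both Restrict NTLM rows can be reviewed together.
$msv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
    -Name 'ClientAllowedNTLMServers' -ErrorAction SilentlyContinue
'NTLM exceptions: ' + $(if ($msv.ClientAllowedNTLMServers) { $msv.ClientAllowedNTLMServers -join ', ' } else { '<none>' })
```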
Category: security