# Windows hardening
## UAC Sharpening
* Control Panel -> User Accounts -> Change User Account Control Setting -> Set to "Always Notify"
## User and Group Policy
* Local Group Policy Editor
## Password Policy
* Security Settings -> Account Policies -> Password policy
* Local Security Policy -> Windows Settings -> Account Policies -> Account Lockout Policy
## Windows Defender
### Antivirus
* Check excluded file endings: Settings -> Windows Security -> Virus & Threat Protection -> Virus & threat protection settings -> Manage Settings -> Exclusions -> Add or remove exclusions
### Firewall
* wf.msc -> Windows Defender Firewall Properties -> Public / Private Profile -> Inbound connections -> On
* wf.msc -> Windows Defender Firewall Properties -> Monitoring -> Check the active Profile
## Network
### Disable Unused Interfaces
* Control Panel -> System and Security Setting -> System -> Device Manager
### SMB
* Disable SMBv1 via PowerShell

```powershell
# Turn off the legacy SMBv1 optional feature (run from an elevated session)
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
```
### Hosts File
* Check `C:\Windows\System32\Drivers\etc\hosts` for unwanted domain resolution
### ARP
* After potential ARP poisoning the cache can be deleted via `arp -d`
### RDP
* Settings -> Windows Security Settings -> For developers -> Remote Desktop -> Show settings -> Don't allow remote connections to this computer
## Third Party Applications
### Signed Software Only
* Settings -> Select Apps and Features -> Choose where to get apps -> The Microsoft Store only
### AppLocker
* Local Group Policy Editor -> Windows Settings -> Security Settings -> Application Control Policies -> AppLocker
## Web Browsing
### Edge
* Settings -> Windows Security -> App and Browser Control -> Reputation-based Protection -> SmartScreen for Microsoft Edge -> On
* Edge -> `edge://settings/privacy` -> Privacy, Search and Services -> Tracking Prevention -> Strict
## Encryption
### BitLocker
* Control Panel -> System and Security -> BitLocker Drive Encryption -> Turn on BitLocker
## Sandbox
* Settings -> Windows Features -> Windows Sandbox -> OK
## Secure Boot
* Check status under: msinfo32 -> System Summary -> BIOS Mode / Secure Boot State
## Backups
* Settings -> Update & Security -> Backup -> Backup using File History
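
Several of the GUI settings in the sections above (UAC, Defender exclusions, firewall profiles, SMBv1, hosts file, RDP, BitLocker, Secure Boot) can be read back in one pass from an elevated PowerShell session. This is an added example, not part of the original notes; the `Add-Check` helper and the pass criteria are assumptions made for illustration, and `Get-BitLockerVolume` is only present on editions that ship the BitLocker module.

```powershell
# Added audit example, not part of the original notes. Run from an elevated session.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check($Name, $Pass, $Detail) {   # hypothetical helper
    $results.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" })
}

# UAC: "Always Notify" = consent prompt for admins (2) shown on the secure desktop (1)
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uacOk = $uac.EnableLUA -eq 1 -and $uac.ConsentPromptBehaviorAdmin -eq 2 -and $uac.PromptOnSecureDesktop -eq 1
Add-Check 'UAC Always Notify' $uacOk "ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin)"

# Defender: list every configured exclusion so each one can be justified
$mp = Get-MpPreference
$excl = @(@($mp.ExclusionExtension) + @($mp.ExclusionPath) + @($mp.ExclusionProcess) | Where-Object { $_ })
Add-Check 'Defender has no exclusions' ($excl.Count -eq 0) ($excl -join '; ')

# Firewall: every profile enabled and not defaulting to allow inbound traffic
foreach ($p in Get-NetFirewallProfile) {
    $fwOk = $p.Enabled -eq 'True' -and $p.DefaultInboundAction -ne 'Allow'
    Add-Check "Firewall $($p.Name)" $fwOk "Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction)"
}

# SMBv1: the optional feature should no longer be enabled
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Add-Check 'SMBv1 disabled' ($smb1.State -ne 'Enabled') "State=$($smb1.State)"

# Hosts file: any non-comment line is an override that needs an explanation
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$entries = @(Get-Content $hostsPath | Where-Object { $_ -match '^\s*[^#\s]' })
Add-Check 'hosts file has no active entries' ($entries.Count -eq 0) ($entries -join ' | ')

# RDP: fDenyTSConnections = 1 means remote connections are refused
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Add-Check 'RDP disabled' ($ts.fDenyTSConnections -eq 1) "fDenyTSConnections=$($ts.fDenyTSConnections)"

# BitLocker: protection status of the system drive
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
Add-Check 'BitLocker on system drive' ($bl.ProtectionStatus -eq 'On') "ProtectionStatus=$($bl.ProtectionStatus)"

# Secure Boot: the cmdlet throws on legacy BIOS systems, which counts as a fail
try { $sb = Confirm-SecureBootUEFI -ErrorAction Stop } catch { $sb = $false }
Add-Check 'Secure Boot enabled' $sb "SecureBoot=$sb"

$results | Format-Table -AutoSize -Wrap
```

Rows with `Pass = False` point back to the matching section above; the `Detail` column shows the raw value that was read.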