windows hardening

Stefan Friese 2022-09-20 23:47:18 +02:00
parent a8ddd6e02a
commit 8d7e90ebca
1 changed files with 88 additions and 0 deletions

@ -0,0 +1,88 @@
# Windows hardening
## UAC Sharpening
* Control Panel -> User Accounts -> Change User Account Control Setting -> Set to "Always Notify"
## User and Group Policy
* Local Group Policy Editor
## Password Policy
* Security Settings -> Account Policies -> Password policy
* Local Security Policy -> Windows Settings -> Account Policies -> Account Lockout Policy
## Windows Defender
### Antivirus
* Check excluded file endings: Settings -> Windows Security -> Virus & Threat Protection -> Virus & threat protection settings -> Manage Settings -> Exclusions -> Add or remove exclusions
### Firewall
* wf.msc -> Windows Defender Firewall Properties -> Public / Private Profile -> Inbound connections -> On
* wf.msc -> Windows Defender Firewall Properties -> Monitoring -> Check the active Profile
## Network
### Disable Unused Interfaces
* Control Panel -> System and Security Setting -> System -> Device Manager
### SMB
* Disable SMB via Powershell
```sh
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
```
### Hosts File
* Check `C:\Windows\System32\Drivers\etc\hosts` for unwanted domain resolution
### ARP
* After potential ARP poisoning the cache can be deleted via `arp -d`
### RDP
* Settings -> Windows Security Settings -> For developers -> Remote Desktop -> Show settings -> Don't allow remote connections to this computer
## Third Pary Applications
### Signed Software Only
* Settings -> Select Apps and Features -> Choose where to get apps -> The Microsoft Store only
### Applocker
* Local Group Policy Editor -> Windows Settings -> Security Settings -> Application Control Policies -> AppLocker
## Web Browsing
### Edge
* Settings -> Windows Security -> App and Browser Control -> Reputation-based Protection -> SmartScreen for Microsoft Edge -> On
* Edge -> `edge://settings/privacy` -> Privacy, Search and Services -> Tracking Prevention -> Strict
## Encryption
### BitLocker
* Control Panel -> System and Security -> BitLocker Drive Encryption -> Turn on BitLocker
## Sandbox
* Settings -> Windows Features -> Windows Sandbox -> OK
## Secure Boot
* Check status under: msinfo32 -> System Summary -> BIOS Mode / Secure Boot State
## Backups
* Settings -> Update & Security -> Backup -> Backup using File History
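Review bot: In the SMB section the bullet reads "Disable SMB via Powershell", but the command under it names only the `SMB1Protocol` feature, so it covers SMBv1 and says nothing about newer SMB versions; reword the bullet to "Disable SMBv1 via PowerShell" so a reader does not assume file sharing as a whole is switched off. The fence around that command is tagged `sh` although the content is a PowerShell cmdlet, so `powershell` would be the fitting tag. The heading "Third Pary Applications" should read "Third Party Applications".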