# Windows hardening

## UAC Sharpening

* Control Panel -> User Accounts -> Change User Account Control Setting -> Set to "Always Notify"

## User and Group Policy

* Local Group Policy Editor 

## Password Policy

* Security Settings -> Account Policies -> Password policy
* Local Security Policy -> Windows Settings -> Account Policies -> Account Lockout Policy

## Windows Defender

### Antivirus

* Check excluded file endings: Settings -> Windows Security -> Virus & Threat Protection -> Virus & threat protection settings -> Manage Settings -> Exclusions -> Add or remove exclusions

### Firewall

* wf.msc -> Windows Defender Firewall Properties -> Public / Private Profile -> Inbound connections -> On
* wf.msc -> Windows Defender Firewall Properties -> Monitoring -> Check the active Profile

## Network 

### Disable Unused Interfaces

* Control Panel -> System and Security Setting -> System -> Device Manager

### SMB

* Disable SMBv1 via PowerShell

```powershell
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
```

### Hosts File

* Check `C:\Windows\System32\Drivers\etc\hosts` for unwanted domain resolution

### ARP 

* After potential ARP poisoning the cache can be deleted via `arp -d`

### RDP

* Settings -> Windows Security Settings -> For developers -> Remote Desktop -> Show settings -> Don't allow remote connections to this computer

## Third Party Applications

### Signed Software Only

* Settings -> Select Apps and Features -> Choose where to get apps -> The Microsoft Store only

### AppLocker

* Local Group Policy Editor -> Windows Settings -> Security Settings -> Application Control Policies -> AppLocker

## Web Browsing

### Edge

* Settings -> Windows Security -> App and Browser Control -> Reputation-based Protection -> SmartScreen for Microsoft Edge -> On
* Edge -> `edge://settings/privacy` -> Privacy, Search and Services -> Tracking Prevention -> Strict

## Encryption

### BitLocker

* Control Panel -> System and Security -> BitLocker Drive Encryption -> Turn on BitLocker

## Sandbox

* Settings -> Windows Features -> Windows Sandbox -> OK

## Secure Boot

* Check status under: msinfo32 -> System Summary -> BIOS Mode / Secure Boot State 

## Backups

* Settings -> Update & Security -> Backup -> Backup using File History
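
Several of the settings in this checklist can be read back from an elevated PowerShell session instead of clicking through each dialog. The script below is an added example, not part of the original checklist; it only reads state and changes nothing. The registry values and cmdlets are the standard Windows ones behind the GUI paths above, and the pass criteria (for example "no active hosts entries") are assumptions of this example.

```powershell
# Added example: read-only audit of settings from this checklist (changes nothing).
# Run elevated; a check that cannot run on this system is reported as failed.
$ErrorActionPreference = 'Stop'
$checks = [ordered]@{
    'UAC set to Always Notify' = {
        $p = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        @{ Ok = ($p.ConsentPromptBehaviorAdmin -eq 2 -and $p.PromptOnSecureDesktop -eq 1)
           Detail = "ConsentPromptBehaviorAdmin=$($p.ConsentPromptBehaviorAdmin)" }
    }
    'Defender has no exclusions' = {
        $m  = Get-MpPreference
        $ex = @(@($m.ExclusionExtension) + @($m.ExclusionPath) + @($m.ExclusionProcess) | Where-Object { $_ })
        @{ Ok = ($ex.Count -eq 0); Detail = ($ex -join '; ') }
    }
    'Firewall on, inbound not allowed by default' = {
        $weak = @(Get-NetFirewallProfile | Where-Object {
            "$($_.Enabled)" -ne 'True' -or "$($_.DefaultInboundAction)" -eq 'Allow' })
        @{ Ok = ($weak.Count -eq 0); Detail = "weak profiles: $($weak.Name -join ', ')" }
    }
    'SMBv1 disabled' = {
        $s = [string](Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
        @{ Ok = ($s -like 'Disabled*'); Detail = "State=$s" }
    }
    'hosts file has no active entries' = {
        # Strip comments and blank lines; what remains are live name overrides.
        $h = @(Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
            ForEach-Object { ($_ -replace '#.*$').Trim() } | Where-Object { $_ })
        @{ Ok = ($h.Count -eq 0); Detail = ($h -join '; ') }  # entries may be legitimate: review them
    }
    'RDP disabled' = {
        $v = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
        @{ Ok = ($v -eq 1); Detail = "fDenyTSConnections=$v" }
    }
    'Secure Boot enabled' = { @{ Ok = (Confirm-SecureBootUEFI); Detail = '' } }  # throws on legacy BIOS
    'BitLocker protects system drive' = {
        $b = Get-BitLockerVolume -MountPoint $env:SystemDrive
        @{ Ok = ("$($b.ProtectionStatus)" -eq 'On'); Detail = "VolumeStatus=$($b.VolumeStatus)" }
    }
}
# Run every check; an exception (missing cmdlet, no rights) becomes a failed row with its message.
$report = foreach ($name in $checks.Keys) {
    try   { $r = & $checks[$name] }
    catch { $r = @{ Ok = $false; Detail = "check failed: $($_.Exception.Message)" } }
    [pscustomobject]@{ Setting = $name; Ok = [bool]$r.Ok; Detail = [string]$r.Detail }
}
$report | Format-Table -AutoSize -Wrap
```

Rows with `Ok = False` point back to the matching section of this page; the `Detail` column shows the value that was read.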