killchain-compendium/misc/Blue Teaming/windows-hardening.md

Windows hardening

UAC Hardening

  • Control Panel -> User Accounts -> Change User Account Control settings -> move the slider to "Always notify". The default ("Notify me only when apps try to make changes") lets Microsoft-signed binaries auto-elevate silently, which is what most UAC bypass techniques rely on; "Always notify" prompts on the secure desktop for every elevation.

User and Group Policy

  • Local Group Policy Editor (gpedit.msc; secpol.msc opens just the Security Settings subtree). Not available on Home editions; on a domain-joined machine, domain GPOs override local settings.

Password Policy

  • secpol.msc -> Security Settings -> Account Policies -> Password Policy (minimum length, history, complexity, maximum age)
  • secpol.msc -> Security Settings -> Account Policies -> Account Lockout Policy (lockout threshold, lockout duration, reset counter); a threshold of 0 means accounts never lock out, so online password guessing is unlimited
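The same two items checked from an elevated PowerShell prompt instead of the GUI. This is an added example, not code from the compendium; the baseline numbers (14 characters, 5 attempts, 15 minutes, 24 remembered passwords) are assumptions to adjust to your own policy.

```powershell
# Added example: audit the UAC slider and the local password / lockout policy.
# Run elevated. Threshold values below are assumptions, not a Microsoft baseline.

function Get-LocalSecurityPolicy {
    # secedit is the built-in way to read Account Policies on a standalone host;
    # it writes an INI-style .inf that we parse into a hashtable.
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    secedit.exe /export /cfg $cfg /quiet | Out-Null
    $policy = @{}
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$') { $policy[$matches[1]] = $matches[2] }
    }
    Remove-Item -Path $cfg -Force
    return $policy
}

function Test-UacAndPasswordPolicy {
    $findings = New-Object System.Collections.Generic.List[string]

    # "Always notify" in the Control Panel slider corresponds to these three values.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $uacKey
    $uacExpected = [ordered]@{
        EnableLUA                  = 1  # UAC on at all; 0 means admins always run with a full token
        ConsentPromptBehaviorAdmin = 2  # prompt for consent on the secure desktop; the default is 5
        PromptOnSecureDesktop      = 1  # dim the desktop so a fake prompt cannot overlay the real one
    }
    foreach ($name in $uacExpected.Keys) {
        $actual = $uac.$name
        if ($actual -ne $uacExpected[$name]) {
            $findings.Add("UAC: $name = $actual (expected $($uacExpected[$name]))")
        }
    }

    # Account Policies. Values are the minimum acceptable unless noted in the switch.
    $policy = Get-LocalSecurityPolicy
    $baseline = [ordered]@{
        MinimumPasswordLength = 14   # characters
        PasswordHistorySize   = 24   # remembered passwords
        PasswordComplexity    = 1    # 1 = complexity rules enforced
        LockoutBadCount       = 5    # failed logons before lockout; 0 = never lock out
        LockoutDuration       = 15   # minutes; -1 = until an administrator unlocks
        ResetLockoutCount     = 15   # minutes before the bad-logon counter resets
    }
    foreach ($name in $baseline.Keys) {
        $raw = $policy[$name]
        if ($null -eq $raw -or $raw -eq '') {
            # Duration/reset are absent from the export when lockout is switched off.
            $findings.Add("Policy: $name is not set (expected >= $($baseline[$name]))")
            continue
        }
        $value = [int]$raw
        switch ($name) {
            'LockoutBadCount' {
                if ($value -eq 0 -or $value -gt $baseline[$name]) {
                    $findings.Add("Policy: LockoutBadCount = $value (expected 1..$($baseline[$name]))")
                }
            }
            'LockoutDuration' {
                if ($value -ne -1 -and $value -lt $baseline[$name]) {
                    $findings.Add("Policy: LockoutDuration = $value (expected >= $($baseline[$name]) or -1)")
                }
            }
            default {
                if ($value -lt $baseline[$name]) {
                    $findings.Add("Policy: $name = $value (expected >= $($baseline[$name]))")
                }
            }
        }
    }
    # -1 here means passwords never expire.
    if ($policy['MaximumPasswordAge'] -eq '-1') { $findings.Add('Policy: MaximumPasswordAge = never expires') }
    return $findings
}

$result = Test-UacAndPasswordPolicy
if ($result.Count -eq 0) { 'UAC and account policy meet the baseline.' } else { $result }
```

Each finding names the registry value or policy key, so the fix is the matching Set-ItemProperty or a secedit import of a corrected .inf; on a domain member, fix it in the GPO instead, since the local value will be overwritten at the next refresh.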

Windows Defender

Antivirus

  • Review exclusions (folders, file types and processes, not only file endings): Settings -> Windows Security -> Virus & threat protection -> Virus & threat protection settings -> Manage settings -> Exclusions -> Add or remove exclusions. Anything dropped into an excluded folder or written by an excluded process is never scanned, which is why attackers add exclusions for their staging directory. On the same page, turn Tamper Protection on so a local admin or malware running as one cannot add exclusions or switch real-time protection off.
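A script that lists the exclusions the GUI shows and flags the ones that hand an attacker an unscanned landing zone. Added example, not from the compendium; it needs the built-in Defender module (Get-MpPreference), and the "risky" patterns are this example's own judgement, not a Microsoft list.

```powershell
# Added example: enumerate Defender exclusions and flag the dangerous ones.
# The regexes encode assumptions about what is risky; tune them for your estate.

function Get-RiskyDefenderExclusions {
    $pref    = Get-MpPreference
    $status  = Get-MpComputerStatus
    $results = New-Object System.Collections.Generic.List[object]

    # Whole drives, UNC roots, wildcards and user-writable locations: payloads there are never scanned.
    $riskyPath = '^(?:[A-Za-z]:\\?|\\\\.*)$|\\Users\\|\\Temp\\|\\Downloads\\|\\AppData\\|\\ProgramData\\|\\Public\\|\*'
    # Executable content types: excluding them defeats scanning regardless of folder.
    $riskyExt  = '^\.?(exe|dll|ps1|psm1|vbs|vbe|js|jse|bat|cmd|scr|hta|msi|lnk|com|pif|wsf)$'
    # Excluded processes: whatever they write or open is skipped, so living-off-the-land binaries are worst.
    $riskyProc = '(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|msiexec|certutil|explorer)\.exe$'

    foreach ($p in (@($pref.ExclusionPath) | Where-Object { $_ })) {
        $results.Add([pscustomobject]@{ Type = 'Path';      Value = $p; Risky = ($p -match $riskyPath) })
    }
    foreach ($e in (@($pref.ExclusionExtension) | Where-Object { $_ })) {
        $results.Add([pscustomobject]@{ Type = 'Extension'; Value = $e; Risky = ($e -match $riskyExt) })
    }
    foreach ($x in (@($pref.ExclusionProcess) | Where-Object { $_ })) {
        $results.Add([pscustomobject]@{ Type = 'Process';   Value = $x; Risky = ($x -match $riskyProc) })
    }

    # Not exclusions, but the settings that decide whether exclusions can be added silently at all.
    $results.Add([pscustomobject]@{ Type = 'TamperProtection';   Value = $status.IsTamperProtected;         Risky = (-not $status.IsTamperProtected) })
    $results.Add([pscustomobject]@{ Type = 'RealTimeProtection'; Value = $status.RealTimeProtectionEnabled; Risky = (-not $status.RealTimeProtectionEnabled) })
    return $results
}

$audit = Get-RiskyDefenderExclusions
$audit | Sort-Object Risky -Descending | Format-Table -AutoSize

# Remediation for one entry (the path is a placeholder, not a real finding):
# Remove-MpPreference -ExclusionPath 'C:\Users\Public\Tools'
```

Run it as part of incident triage too: an exclusion for a Temp or ProgramData subfolder that nobody remembers adding is a strong indicator that something already got admin on the box.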

Firewall

  • wf.msc -> Windows Defender Firewall Properties -> Domain / Private / Public Profile tabs -> Firewall state: On, Inbound connections: Block (default). Set all three profiles; a laptop changes profile as it moves between networks.
  • wf.msc -> Monitoring (left pane) -> shows which profile is currently active. The profile follows the network category of the connected interface, so a network marked "Private" gets the Private profile's rules even in a coffee shop.
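The same checks from PowerShell (NetSecurity module, elevated), plus a listing of which inbound allow rules are actually live on the current profile, which wf.msc does not show in one place. Added example, not from the compendium; the log size and path are assumptions.

```powershell
# Added example: audit and baseline the three firewall profiles, then list the
# inbound allow rules that apply to the profile(s) currently active.

function Get-FirewallProfileFindings {
    $findings = foreach ($p in Get-NetFirewallProfile) {
        if ("$($p.Enabled)" -ne 'True') {
            [pscustomobject]@{ Profile = $p.Name; Setting = 'Enabled';              Actual = "$($p.Enabled)";              Expected = 'True' }
        }
        if ("$($p.DefaultInboundAction)" -ne 'Block') {
            [pscustomobject]@{ Profile = $p.Name; Setting = 'DefaultInboundAction'; Actual = "$($p.DefaultInboundAction)"; Expected = 'Block' }
        }
        if ("$($p.LogBlocked)" -ne 'True') {
            [pscustomobject]@{ Profile = $p.Name; Setting = 'LogBlocked';           Actual = "$($p.LogBlocked)";           Expected = 'True' }
        }
    }
    return @($findings | Where-Object { $_ })
}

function Set-FirewallBaseline {
    # Firewall on, unsolicited inbound dropped, drops logged so a scan or worm
    # shows up in the log. Outbound stays allow: locking it down needs a per-
    # application rule set and is a separate project.
    Set-NetFirewallProfile -Profile Domain,Private,Public `
        -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
        -LogBlocked True -LogMaxSizeKilobytes 16384 `
        -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'   # assumed location
}

function Get-LiveInboundAllowRules {
    # The active profile is the NetworkCategory of the connected interface(s);
    # Get-NetConnectionProfile reports DomainAuthenticated where rules say Domain.
    $active = Get-NetConnectionProfile | ForEach-Object {
        if ("$($_.NetworkCategory)" -eq 'DomainAuthenticated') { 'Domain' } else { "$($_.NetworkCategory)" }
    } | Select-Object -Unique
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { "$($_.Profile)" -eq 'Any' -or ("$($_.Profile)" -split ',\s*' | Where-Object { $_ -in $active }) } |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule       = $_.DisplayName
                Profile    = "$($_.Profile)"
                Protocol   = $port.Protocol
                LocalPort  = (@($port.LocalPort) -join ',')
                RemoteAddr = (@($addr.RemoteAddress) -join ',')   # 'Any' here on a listening port is worth a look
            }
        } | Sort-Object Rule
}

$issues = Get-FirewallProfileFindings
if ($issues.Count -gt 0) { $issues | Format-Table -AutoSize; Set-FirewallBaseline }
Get-LiveInboundAllowRules | Format-Table -AutoSize
```

Installers add inbound allow rules freely, so the second table usually contains surprises; disable what you do not need with Disable-NetFirewallRule -DisplayName and scope the rest with -RemoteAddress.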

Network

Disable Unused Interfaces

  • Control Panel -> Network and Internet -> Network Connections (ncpa.cpl) -> right-click the adapter -> Disable; Device Manager (Control Panel -> System and Security -> System -> Device Manager, or devmgmt.msc) disables the hardware itself, e.g. Wi-Fi and Bluetooth on a wired desktop

SMB

  • Disable SMBv1 via PowerShell (elevated). This removes only the v1 component; SMBv2/3 remain available, and the change completes after a reboot:
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
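The command above removes the SMB1 component. The block below, an added example and not code from the compendium, goes a step further on a Windows 10/11 client: it first checks whether anything still talks SMB1 to this host, then turns off the SMB1 client, requires signing on both the server and client side (which stops relay of this host's SMB sessions), removes the component, and verifies. Server SKUs use Uninstall-WindowsFeature FS-SMB1 instead of the optional-feature cmdlet.

```powershell
# Added example: SMB1 removal plus mandatory SMB signing, with verification. Run elevated.

function Get-Smb1Usage {
    # In a mixed estate, see who still needs SMB1 before removing it. Audit events
    # land in Microsoft-Windows-SMBServer/Audit (event ID 3000).
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { $_.Dialect -like '1.*' } |
        Select-Object ClientComputerName, ClientUserName, Dialect
}

function Disable-Smb1AndRequireSigning {
    # Server side: stop offering the SMB1 dialect, and require signing from every client.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force
    # Client side: never negotiate SMB1 outbound, and insist on signing so a
    # man-in-the-middle cannot relay or tamper with this host's sessions.
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    # Remove the optional component (the checklist's command); takes effect after reboot.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Test-SmbHardening {
    $srv  = Get-SmbServerConfiguration
    $cli  = Get-SmbClientConfiguration
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $drv  = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='mrxsmb10'"
    [pscustomobject]@{
        Smb1ComponentState      = "$($feat.State)"           # want Disabled (after reboot)
        ServerSmb1Enabled       = $srv.EnableSMB1Protocol    # want False
        ServerSigningRequired   = $srv.RequireSecuritySignature
        ServerEncryptionEnabled = $srv.EncryptData           # SMB3 encryption; optional extra
        ClientSigningRequired   = $cli.RequireSecuritySignature
        Smb1ClientDriverStart   = $drv.StartMode             # want Disabled
    }
}

Get-Smb1Usage
Disable-Smb1AndRequireSigning
Test-SmbHardening | Format-List
```

Requiring signing on the server side breaks clients that cannot sign (some old NAS firmware and printers), so run the audit step for a few days first and read the 3000 events before flipping the switch.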

Hosts File

  • Check C:\Windows\System32\Drivers\etc\hosts for unwanted entries. A stock hosts file contains only comments, so any active line is something someone added: look for update, vendor, login or bank domains pointed at another address (redirection) or at 127.0.0.1 (updates and security tools silently blocked). Only SYSTEM, Administrators and TrustedInstaller should be able to write the file.

ARP

  • After suspected ARP poisoning, flush the cache with arp -d * (all entries). Flushing only removes the forged entries; the attacker can re-poison immediately, so the durable fix is a static entry for the gateway on the host or Dynamic ARP Inspection on the switch. The tell-tale sign in arp -a is one MAC address listed for several IPs, the gateway among them.
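Both checks above done programmatically: a hosts-file parser that flags redirected or sinkholed entries and weak ACLs, and an ARP-cache check for one MAC answering for several IPs including the gateway. Added example, not code from the compendium; the domain watch-list and the placeholder MAC in the remediation comment are assumptions.

```powershell
# Added example: hosts-file audit and ARP spoofing detection.

$HostsPath    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$WatchDomains = 'microsoft.com', 'windowsupdate.com', 'windows.com', 'live.com', 'office.com',
                'defender', 'antivirus', 'sophos', 'symantec', 'mcafee', 'crowdstrike', 'bank'   # assumed list

function Get-HostsEntries {
    param([string]$Path = $HostsPath)
    foreach ($raw in Get-Content -Path $Path) {
        $line = ($raw -split '#', 2)[0].Trim()     # strip comments; a stock file is all comments
        if (-not $line) { continue }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { continue }       # malformed: address with no name
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{ Name = $name.ToLower(); Address = $parts[0] }
        }
    }
}

function Get-SuspiciousHostsEntries {
    foreach ($e in Get-HostsEntries) {
        $isLocal = $e.Address -match '^(127\.|0\.0\.0\.0$|::1$)'
        $watched = $WatchDomains | Where-Object { $e.Name -like "*$_*" } | Select-Object -First 1
        if (-not $isLocal) {
            # A routable address means traffic for this name is redirected, e.g. to a phishing or fake update server.
            [pscustomobject]@{ Name = $e.Name; Address = $e.Address; Reason = 'Redirected to non-local address' }
        } elseif ($watched) {
            # Loopback for an update/AV/bank domain silently blocks updates or cripples a security product.
            [pscustomobject]@{ Name = $e.Name; Address = $e.Address; Reason = "Sinkholed watched domain ($watched)" }
        }
    }
    # Who can modify the file: anyone beyond SYSTEM/Administrators/TrustedInstaller is a finding.
    foreach ($ace in (Get-Acl -Path $HostsPath).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.FileSystemRights -match 'Write|Modify|FullControl' -and
            "$($ace.IdentityReference)" -notmatch 'SYSTEM|Administrators|TrustedInstaller') {
            [pscustomobject]@{ Name = '(ACL)'; Address = "$($ace.IdentityReference)"; Reason = "Can write hosts file ($($ace.FileSystemRights))" }
        }
    }
}

function Get-ArpAnomalies {
    $gateway = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
                Sort-Object RouteMetric | Select-Object -First 1).NextHop
    $neighbors = Get-NetNeighbor -AddressFamily IPv4 |
        Where-Object { $_.State -in 'Reachable', 'Stale', 'Permanent', 'Delay', 'Probe' -and
                       $_.LinkLayerAddress -notmatch '^(00-00-00|01-00-5E|FF-FF-FF)' }   # skip empty, multicast, broadcast
    foreach ($group in ($neighbors | Group-Object LinkLayerAddress | Where-Object Count -gt 1)) {
        $ips = @($group.Group.IPAddress)
        [pscustomobject]@{
            MAC     = $group.Name
            IPs     = ($ips -join ', ')
            Gateway = ($gateway -in $ips)   # True: a host is also answering for the gateway's IP
        }
    }
}

Get-SuspiciousHostsEntries | Format-Table -AutoSize
$arp = Get-ArpAnomalies
$arp | Format-Table -AutoSize
if ($arp | Where-Object Gateway) {
    Write-Warning "Possible ARP spoofing of gateway: flush with 'arp -d *' and pin the true MAC"
    # Pin it after verifying the MAC out of band (placeholder values, not a real address):
    # New-NetNeighbor -InterfaceAlias 'Ethernet' -IPAddress $gatewayIp -LinkLayerAddress '00-11-22-33-44-55' -State Permanent
}
```

One MAC for two IPs is not always malicious (a router with a VRRP address, a host with two addresses on one NIC), so treat the Gateway=True row as a prompt to compare against the switch's MAC table rather than as proof.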

RDP

  • Settings -> System -> Remote Desktop -> Enable Remote Desktop -> Off (or sysdm.cpl -> Remote tab -> "Don't allow remote connections to this computer"). If RDP is genuinely needed, keep "Allow connections only from computers running Remote Desktop with Network Level Authentication" checked, restrict the inbound firewall rule to management addresses, and review the Remote Desktop Users group.
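The registry values behind that dialog, read back as a posture report, with a disable routine matching the checklist and a hardened-enable routine for hosts that must keep RDP. Added example, not code from the compendium; the management subnet is a placeholder.

```powershell
# Added example: RDP posture check, disable, or hardened enable. Run elevated.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = Join-Path $TsKey 'WinStations\RDP-Tcp'

function Get-RdpPosture {
    $ts  = Get-ItemProperty -Path $TsKey
    $tcp = Get-ItemProperty -Path $RdpTcp
    [pscustomobject]@{
        RemoteConnectionsAllowed = ($ts.fDenyTSConnections -eq 0)    # "Don't allow" writes 1
        NlaRequired              = ($tcp.UserAuthentication -eq 1)   # authenticate before any session exists
        SecurityLayer            = $tcp.SecurityLayer                 # 0 = RDP, 1 = negotiate, 2 = TLS
        Listening3389            = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
        FirewallRuleEnabled      = [bool](Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue)
        RemoteDesktopUsers       = (@(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
                                      ForEach-Object { $_.Name }) -join ', ')   # Administrators can always connect regardless
    }
}

function Disable-Rdp {
    # Same effect as "Don't allow remote connections to this computer", plus the firewall rules.
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Enable-HardenedRdp {
    param([string[]]$ManagementSubnet = @('10.0.0.0/24'))   # placeholder; use your jump-host range
    Set-ItemProperty -Path $TsKey  -Name fDenyTSConnections -Value 0
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1   # NLA: no pre-auth attack surface
    Set-ItemProperty -Path $RdpTcp -Name SecurityLayer      -Value 2   # TLS only, no legacy RDP security
    # Built-in rule group, but only from the management range and never on the Public profile.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Profile Domain,Private -RemoteAddress $ManagementSubnet
}

Get-RdpPosture | Format-List
Disable-Rdp            # the checklist's default; call Enable-HardenedRdp instead only where RDP is required
Get-RdpPosture | Format-List
```

After Disable-Rdp the listener on 3389 disappears once the Remote Desktop Services session host re-reads the setting; if Listening3389 stays True, restart the TermService service or reboot.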

Third Party Applications

Signed Software Only

  • Settings -> Apps -> Apps & features -> Choose where to get apps -> "The Microsoft Store only". This restricts the install source (Store packages are signed and vetted) rather than enforcing code signing for everything that runs; signature or publisher enforcement for arbitrary executables is AppLocker's job (below).

Applocker

  • gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Application Control Policies -> AppLocker. Start from the default rules, run in "Audit only" first and review the AppLocker event log before switching to "Enforce rules", and make sure the Application Identity service is running: without it, rules are never evaluated. Note the default "%WINDIR%\*" allow rule also covers folders that standard users can write to.
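A PowerShell check of the points above: that the Application Identity service is running, which rule collections are enforced versus audit-only, whether a binary dropped into a user-writable folder would run, and which folders under C:\Windows standard users can write to (the classic gap in the default rules). Added example, not code from the compendium; it needs the AppLocker module (Pro/Enterprise) and the dropped-file test copies cmd.exe into %TEMP% temporarily.

```powershell
# Added example: AppLocker readiness and gap check. Run elevated.

function Enable-AppIdService {
    # AppIDSvc is a protected service on current Windows 10/11, so Set-Service
    # cannot change its start type; sc.exe can.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    (Get-Service -Name AppIDSvc).Status
}

function Get-AppLockerEnforcement {
    [xml]$doc = Get-AppLockerPolicy -Effective -Xml      # local policy merged with any GPO
    $collections = @($doc.AppLockerPolicy.RuleCollection | Where-Object { $_ })
    if ($collections.Count -eq 0) { return 'No AppLocker rules configured' }
    foreach ($c in $collections) {
        [pscustomobject]@{
            Collection      = $c.Type              # Exe, Dll, Script, Msi, Appx
            EnforcementMode = $c.EnforcementMode   # NotConfigured, AuditOnly, Enabled
            Rules           = @($c.ChildNodes).Count
        }
    }
}

function Test-DroppedBinary {
    # Copy a genuine signed binary to a user-writable folder and ask the effective
    # policy whether a standard user could run it from there.
    $dropped = Join-Path $env:TEMP 'dropped-cmd.exe'
    Copy-Item -Path (Join-Path $env:SystemRoot 'System32\cmd.exe') -Destination $dropped -Force
    $policy = Get-AppLockerPolicy -Effective
    $verdicts = Test-AppLockerPolicy -PolicyObject $policy -User Everyone -Path @(
        (Join-Path $env:SystemRoot 'System32\cmd.exe'),   # expected Allowed by the Windows folder rule
        $dropped                                           # expected Denied with default rules
    )
    Remove-Item -Path $dropped -Force
    $verdicts | Select-Object FilePath, PolicyDecision, MatchingRule
}

function Get-UserWritableWindowsDirs {
    # Folders under %WINDIR% that standard users can write to are still allowed by
    # the default path rule; each needs a deny rule or a narrower allow rule.
    $writers = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    Get-ChildItem -Path $env:SystemRoot -Directory -Recurse -Depth 2 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
            if ($acl -and ($acl.Access | Where-Object {
                        $_.AccessControlType -eq 'Allow' -and
                        $_.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles' -and
                        "$($_.IdentityReference)" -in $writers })) {
                $_.FullName
            }
        }
}

Enable-AppIdService
Get-AppLockerEnforcement | Format-Table -AutoSize
Test-DroppedBinary | Format-Table -AutoSize
Get-UserWritableWindowsDirs
```

If Test-DroppedBinary reports the %TEMP% copy as Allowed, either no Exe collection is configured or a rule is broader than intended; if Get-UserWritableWindowsDirs lists folders, add path deny rules for them before enforcing, otherwise the Windows allow rule is a bypass.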

Web Browsing

Edge

  • Settings -> Windows Security -> App and Browser Control -> Reputation-based Protection -> SmartScreen for Microsoft Edge -> On
  • Edge -> edge://settings/privacy -> Privacy, Search and Services -> Tracking Prevention -> Strict

Encryption

BitLocker

  • Control Panel -> System and Security -> BitLocker Drive Encryption -> Turn on BitLocker. By default this needs a TPM (without one, a Group Policy change allows a USB startup key or PIN); save the recovery key somewhere other than the encrypted drive, and prefer XTS-AES 256 over the default 128 where policy allows.

Sandbox

  • Control Panel -> Programs -> Turn Windows features on or off -> Windows Sandbox -> OK. Pro/Enterprise only and needs virtualization enabled in firmware; use it to open untrusted files and installers in a throwaway VM instead of on the host.

Secure Boot

  • Check status under msinfo32 -> System Summary -> BIOS Mode / Secure Boot State. The goal is BIOS Mode: UEFI and Secure Boot State: On; "Unsupported" means the machine booted in legacy BIOS mode and Secure Boot (and measured-boot features that depend on it) cannot be enabled without converting the disk to GPT.
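One report covering the three items above (BitLocker, Windows Sandbox, Secure Boot) plus the TPM that BitLocker's default protector relies on, and a routine that enables BitLocker on the system drive with XTS-AES-256, a TPM protector and a recovery password. Added example, not code from the compendium; the optional-feature name for Windows Sandbox (Containers-DisposableClientVM) is the one Microsoft's documentation uses.

```powershell
# Added example: platform security status and BitLocker enablement. Run elevated.

function Get-PlatformSecurityStatus {
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = 'Unsupported (legacy BIOS boot)' }
    $tpm     = Get-Tpm -ErrorAction SilentlyContinue
    $os      = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $sandbox = Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SecureBoot           = $secureBoot
        TpmPresent           = [bool]$tpm.TpmPresent
        TpmReady             = [bool]$tpm.TpmReady
        BitLockerProtection  = "$($os.ProtectionStatus)"    # On = key protectors active
        BitLockerVolumeState = "$($os.VolumeStatus)"        # FullyEncrypted / EncryptionInProgress / FullyDecrypted
        BitLockerMethod      = "$($os.EncryptionMethod)"    # XtsAes128 is the default; XtsAes256 preferred
        KeyProtectors        = (@($os.KeyProtector.KeyProtectorType) -join ', ')   # want Tpm and RecoveryPassword
        WindowsSandbox       = "$($sandbox.State)"
    }
}

function Enable-SystemDriveBitLocker {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ("$($vol.ProtectionStatus)" -eq 'On') { return 'BitLocker already on' }
    if (-not (Get-Tpm).TpmReady) {
        throw 'TPM not ready: enable it in firmware, or allow a startup key/PIN via Group Policy'
    }
    # TPM-sealed key for normal boots; -SkipHardwareTest starts encrypting without a reboot.
    Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest | Out-Null
    # Recovery password for when the TPM measurement changes (firmware update, Secure Boot toggled).
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    # Store this off the encrypted drive (AD/Entra ID escrow, password manager, printout in a safe).
    [pscustomobject]@{ KeyProtectorId = $rp.KeyProtectorId; RecoveryPassword = $rp.RecoveryPassword }
}

Get-PlatformSecurityStatus | Format-List
# Enable-SystemDriveBitLocker   # uncomment once the status above shows TpmReady = True
```

Keep the TPM protector tied to Secure Boot: if Secure Boot is later switched off, the PCR values change and the machine will ask for the recovery password at boot, which is exactly why the password must exist before that happens.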

Backups

  • Settings -> Update & Security -> Backup -> Back up using File History. Keep the backup target disconnected (or otherwise unreachable from the user's session) between runs, since ransomware encrypts any attached backup drive along with the data.