Windows Desktop / Endpoint Hardening Tips
- raise UAC
- services.msc
- msconfig / startup folder
- Windows Update
- IE SmartScreen Filter and other settings
- user account permissions - compmgmt.msc
- shares / file permissions
- update misc apps
- remove unnecessary programs
- local security policy (secpol.msc, gpedit.msc)
- Action Center
- disable IPv6
- firewall: use the Advanced Security options; block inbound and outbound connections
- gpedit.msc / secpol.msc
GPEDIT/SECPOL.msc configs
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\
Minimum password length = 15
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
User Account Control: Virtualize file and registry write failures to per-user locations = enabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations = enabled
User Account Control: Behavior of the elevation prompt for standard users = prompt for credentials on the secure desktop
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = prompt for consent on the secure desktop
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) = enabled
Shutdown: Allow system to be shut down without having to log on = enabled
Interactive logon: Do not require CTRL+ALT+DEL = disabled
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
Bypass traverse checking = Users,Network Service,Local Service,Administrators
Allow log on locally = Administrators, Users
Computer Configuration\Administrative Templates\Windows Components\Credential User Interface\
Require trusted path for credential entry = enabled
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
Interactive logon: Do not require CTRL+ALT+DEL = Disabled
Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\
Turn off Autoplay = enabled
Turn off Autoplay = All drives
Default behavior for AutoRun = Do not execute any autorun commands
Turn off Autoplay for non-volume devices = enabled
Computer Configuration\Administrative Templates\Windows Components\NetMeeting\
Disable remote Desktop Sharing = enabled
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\
Turn off the Windows Messenger Customer Experience Improvement Program = enabled
Turn off Help and Support Center "Did you know?" content = enabled
Turn off Windows Customer Experience Improvement Program = enabled
Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\
Turn off Microsoft Peer-to-Peer Networking Services = enabled
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
Interactive logon: Smart card removal behavior = Lock Workstation
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
Accounts: Guest account status = Disabled
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
Accounts: Rename administrator account = Not Defined
Accounts: Rename guest account = Not Defined
Computer Configuration\Administrative Templates\Windows Components\Windows Mail\
Turn off the communities features = enabled
Turn off Windows Mail application = enabled
Computer Configuration\Administrative Templates\System\Remote Assistance\
Solicited Remote Assistance = disabled
Computer Configuration\Administrative Templates\Windows Components\HomeGroup\
Prevent the computer from joining a homegroup = enabled
Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\
Windows Firewall: Public: Allow unicast response = No
User Configuration\Administrative Templates\Control Panel\Personalization\
Password protect the screen saver = enabled
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) = 0
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
Interactive logon: Display user information when the session is locked = Enable
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
System cryptography: Force strong key protection for user keys stored on the computer = Enable
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
User Account Control: Behavior of the elevation prompt for standard users = Automatically deny elevation requests
Computer Configuration\Administrative Templates\Windows Components\Windows Installer\
Always install with elevated privileges = Disabled
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\
Turn off downloading of print drivers over HTTP = Enabled
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
Network access: Do not allow anonymous enumeration of SAM accounts and shares = Enabled
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
Shutdown: Clear virtual memory pagefile = Enable
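To confirm the settings above actually took effect on a machine, the following read-only PowerShell audit (an added example, not part of the original post) reads the registry values that back the listed policies and the firewall profile defaults, and prints any that drift from the expected hardened value. The registry paths and value names are the ones Microsoft's policy templates write; where the post lists two values for the standard-user elevation prompt, the stricter one (automatically deny, 0) is assumed here. Run it from an elevated PowerShell session.

```powershell
$Sys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Expl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Wlg  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Expected values: 1/0 are REG_DWORD; ScRemoveOption and ScreenSaverGracePeriod are REG_SZ.
$Checks = @(
  @{ Path=$Sys;  Name='EnableVirtualization';       Expect=1;   Setting='UAC: Virtualize file and registry write failures' },
  @{ Path=$Sys;  Name='EnableSecureUIAPaths';       Expect=1;   Setting='UAC: Only elevate UIAccess apps in secure locations' },
  @{ Path=$Sys;  Name='ConsentPromptBehaviorAdmin'; Expect=2;   Setting='UAC: admin prompt = consent on secure desktop' },
  @{ Path=$Sys;  Name='ConsentPromptBehaviorUser';  Expect=0;   Setting='UAC: standard user prompt = automatically deny (assumed; 1 = credentials on secure desktop)' },
  @{ Path=$Sys;  Name='DisableCAD';                 Expect=0;   Setting='Interactive logon: require CTRL+ALT+DEL' },
  @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';                   Name='SafeDllSearchMode';       Expect=1; Setting='MSS: SafeDllSearchMode' },
  @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'; Name='ClearPageFileAtShutdown'; Expect=1; Setting='Shutdown: Clear virtual memory pagefile' },
  @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                               Name='RestrictAnonymous';       Expect=1; Setting='Network access: no anonymous enumeration of SAM accounts and shares' },
  @{ Path=$Expl; Name='NoDriveTypeAutoRun'; Expect=255; Setting='Turn off Autoplay = All drives' },
  @{ Path=$Expl; Name='NoAutorun';          Expect=1;   Setting='Default behavior for AutoRun = do not execute' },
  @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer';                  Name='AlwaysInstallElevated';           Expect=0; Setting='Windows Installer: Always install with elevated privileges' },
  @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI';      Name='EnableSecureCredentialPrompting'; Expect=1; Setting='Require trusted path for credential entry' },
  @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers';                Name='DisableWebPnPDownload';           Expect=1; Setting='Turn off downloading of print drivers over HTTP' },
  @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';       Name='fAllowToGetHelp';                 Expect=0; Setting='Solicited Remote Assistance = disabled' },
  @{ Path=$Wlg;  Name='ScRemoveOption';         Expect='1'; Setting='Smart card removal behavior = Lock Workstation' },
  @{ Path=$Wlg;  Name='ScreenSaverGracePeriod'; Expect='0'; Setting='MSS: ScreenSaverGracePeriod = 0' }
)

function Test-HardeningBaseline {
  foreach ($c in $Checks) {
    # A missing key or value means the policy is "Not Configured": report it as drift, not as an error.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{
      Setting  = $c.Setting
      Expected = $c.Expect
      Actual   = if ($null -eq $actual) { '(not configured)' } else { $actual }
      Pass     = ("$actual" -eq "$($c.Expect)")   # string compare so DWORD and SZ values are handled alike
    }
  }
  # The post blocks inbound and outbound by default; check every profile, not only Public.
  foreach ($p in Get-NetFirewallProfile) {
    [pscustomobject]@{
      Setting  = "Firewall $($p.Name) profile default actions"
      Expected = 'Block/Block'
      Actual   = "$($p.DefaultInboundAction)/$($p.DefaultOutboundAction)"
      Pass     = ($p.DefaultInboundAction -eq 'Block' -and $p.DefaultOutboundAction -eq 'Block')
    }
  }
}

Test-HardeningBaseline | Where-Object { -not $_.Pass } | Format-Table -AutoSize
```

Settings the post lists that are not registry-backed (minimum password length, guest account status, Allow log on locally) are checked with `net accounts`, `Get-LocalUser Guest`, and `secedit /export` respectively rather than by this script.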