├── CODEOWNERS
├── .github
│   └── CODEOWNERS
├── README.md
├── Harden.cmd
└── Harden_PS.ps1

/CODEOWNERS:
--------------------------------------------------------------------------------
* @zephrfish
--------------------------------------------------------------------------------

/.github/CODEOWNERS:
--------------------------------------------------------------------------------
* @zephrfish
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Windows 10/11 Hardening Script
## Overview
This script hardens a Windows 10 or 11 build by changing system settings, policies and features to reduce the attack surface and the impact of common threats (malspam, credential theft, lateral movement, ransomware). It is a baseline for workstation builds, not a compliance benchmark.

## Important Notes
- Pre-execution Review: Review each setting and modification meticulously before execution. This ensures the changes align with your operational requirements and that no essential functionality is broken.

- Intended Audience: The script is written for security professionals and system administrators who understand Windows internals and its security controls.

- Testing Environment: Test thoroughly in a non-production environment first to confirm the script's effects match your configuration and do not degrade system performance.

- User Discretion: Exercise caution. The PowerShell version prompts for consent at critical junctures; your decision to proceed should be informed and deliberate. Several settings (SMB server signing, Kerberos encryption types, LSA protection, NetBIOS) can break connectivity to older hosts, so know how to revert them before you run it.

## Key Features
- Admin Check: Ensures the script is executed with administrative privileges so the HKLM, service and firewall changes actually take effect.
- Initial Warning and Consent: Alerts the user to the significant system changes the script will make and asks for consent before proceeding.
- File Association Changes: Re-associates script file types commonly abused in phishing (.hta, .wsh, .wsf, .js, .jse, .vbs, .vbe) with Notepad, so a double-click displays the file's content instead of executing it. The changes for .bat and .ps1 files are optional.
- Windows Defender Configuration: Starts and configures Microsoft Defender (cloud protection, PUA protection, sandboxing, Attack Surface Reduction rules, exploit protection) to improve malware protection.
- Internet Browser Settings: Adjusts Microsoft Edge and Google Chrome policies to improve browsing security.
- Microsoft Office Security Settings: Applies security settings across Office versions (macro blocking, Protected View, DDE link updates) to mitigate malspam and document-based attacks.
- General Windows Security Enhancements: DNS client and SMB1 configuration, TCP/IP hardening, UAC and safe DLL search policies, Wi-Fi and NetBIOS configuration, disabling PowerShell 2.0, TLS curve and Kerberos encryption configuration.
- Windows Remote Access, Removable Media, and Sharing/SMB Settings: Hardens Remote Desktop and Remote Assistance, disables autorun and unnecessary protocols, and enforces SMB signing and anonymous-access restrictions for file sharing.
- Biometrics and App Privacy: Enables enhanced anti-spoofing for facial recognition and restricts camera use and voice activation while the screen is locked.
- Firewall Modifications: Enables Windows Firewall for all profiles, configures logging, and blocks specific native binaries (notepad, regsvr32, mshta, wscript, cscript, hh and others) from making outbound TCP connections.
- Privacy Settings and System Cleanup: Reduces telemetry and consumer features and removes pre-installed applications deemed unnecessary.
- Advanced Logging and Audit Policies: Enlarges event logs, records command lines in process-creation events (4688), enables PowerShell module and script block logging, and sets audit subcategories for better monitoring and detection.
- Optional Security Lockdown Options: A series of optional but significant enhancements, including NTLMv2 enforcement, SMB server signing, additional Windows Defender features, and more.

## What this Repo Includes

- Harden.cmd - The original hardening script, written as a batch file. It has no prompts or checks, so it applies every change in one unattended pass; read it before you run it.
- Harden_PS.ps1 - The improved hardening script with additional features. It checks that it is running as admin first and warns you before it takes certain actions.

This has been tested on Windows 10 and Windows 11 dev VMs. Your mileage may vary, but it gives a good baseline for hardening a build.


## Future / Todo
- Build out a reporting function for before and after
- Add logging of changed files and settings
- Add granular controls to only do certain things
- Add the ability to back up registry keys before and after changes

## References
- Originally built off the back of the Paving The Way to DA series: https://blog.zsec.uk/paving-2-da-wholeset/
--------------------------------------------------------------------------------

/Harden.cmd:
--------------------------------------------------------------------------------
:: Windows 10 Hardening Script
:: Some settings stolen from multiple scripts @ZephrFish
::
::#######################################################################
::
:: Change file associations to protect against common ransomware attacks
:: The script types below (.hta, .wsh, .wsf, .bat, .js, .jse, .vbe, .vbs) are re-associated with Notepad, so double-clicking
:: a malicious attachment displays it instead of running it.
:: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell
:: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :)
:: Inside a batch file %1 is the script's own first argument, so the placeholder is written %%1 to store a literal "%1" in the association
:: https://support.microsoft.com/en-us/help/883260/information-about-the-attachment-manager-in-microsoft-windows
::
:: ---------------------
ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%%1"
ftype wshfile="%SystemRoot%\system32\NOTEPAD.EXE" "%%1"
ftype wsffile="%SystemRoot%\system32\NOTEPAD.EXE" "%%1"
ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%%1"
ftype jsfile="%SystemRoot%\system32\NOTEPAD.EXE" "%%1"
ftype jsefile="%SystemRoot%\system32\NOTEPAD.EXE" "%%1"
ftype vbefile="%SystemRoot%\system32\NOTEPAD.EXE" "%%1"
ftype vbsfile="%SystemRoot%\system32\NOTEPAD.EXE" "%%1"
::
::#######################################################################
:: Enable and configure Windows Defender and advanced settings
::#######################################################################
::
:: Reset Defender to defaults. Commented out but available for reference
::"%programfiles%"\"Windows Defender"\MpCmdRun.exe -RestoreDefaults
:: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent
:: https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=win10-ps
::
:: Start Defender Service
sc start WinDefend
:: Enable Windows Defender sandboxing (takes effect after the Defender service restarts)
setx /M MP_FORCE_USE_SANDBOX 1
:: Update signatures
"%ProgramFiles%"\"Windows Defender"\MpCmdRun.exe -SignatureUpdate
:: Enable Defender signatures for Potentially Unwanted Applications (PUA). Valid values are Disabled, Enabled and AuditMode
powershell.exe Set-MpPreference -PUAProtection Enabled
:: Enable Defender limited periodic scanning (used when a third-party AV is the primary engine)
:: This is a machine-wide setting under HKLM; Tamper Protection may deny the write
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v PassiveMode /t REG_DWORD /d 2 /f
:: Enable Cloud functionality of Windows Defender. SubmitSamplesConsent 0 = always prompt before a sample is sent
powershell.exe Set-MpPreference -MAPSReporting Advanced
powershell.exe Set-MpPreference -SubmitSamplesConsent 0
::
:: Enable early launch antimalware driver for scan of boot-start drivers
:: 3 is the default which allows good, unknown and 'bad but critical'. Recommend trying 1 for 'good and unknown' or 8 which is 'good only'
:: This is a machine policy and lives under HKLM (there is no HKCU\SYSTEM hive)
reg add "HKLM\SYSTEM\CurrentControlSet\Policies\EarlyLaunch" /v DriverLoadPolicy /t REG_DWORD /d 3 /f
::
:: Enable ASR rules in Win10 1903 ExploitGuard to mitigate Office malspam
:: Blocks Office child processes, Office process injection, Office Win32 API calls & executable content creation
:: Note these only work when Defender is your primary AV
:: Check the current state with: powershell.exe Get-MpPreference | select AttackSurfaceReductionRules_Ids,AttackSurfaceReductionRules_Actions
::
:: Block Office Child Process Creation
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
:: Block Process Injection
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled
:: Block Win32 API calls in macros
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled
:: Block Office from creating executables
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled
:: Block execution of potentially obfuscated scripts
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled
:: Block executable content from email client and webmail
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
:: Block JavaScript or VBScript from launching downloaded executable content
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled
:: Block lsass cred theft
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
:: Block untrusted and unsigned processes that run from USB
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -AttackSurfaceReductionRules_Actions Enabled
:: Block Adobe Reader from creating child processes
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -AttackSurfaceReductionRules_Actions Enabled
:: Block persistence through WMI event subscription
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Enabled
:: Block process creations originating from PSExec and WMI commands
:: Caveat: this rule is incompatible with Configuration Manager (SCCM) clients, which rely on WMI-initiated process creation. Use AuditMode there
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids d1e49aac-8f56-4280-b9ba-993a6d77406c -AttackSurfaceReductionRules_Actions Enabled
::
:: Enable Defender exploit system-wide protection
:: The commented line includes CFG which can cause issues with apps like Discord & Mouse Without Borders
:: powershell.exe Set-ProcessMitigation -System -Enable DEP,EmulateAtlThunks,BottomUp,HighEntropy,SEHOP,SEHOPTelemetry,TerminateOnError,CFG
powershell.exe Set-ProcessMitigation -System -Enable DEP,EmulateAtlThunks,BottomUp,HighEntropy,SEHOP,SEHOPTelemetry,TerminateOnError
::
::#######################################################################
:: Enable and Configure Internet Browser Settings
::#######################################################################
::
:: The MicrosoftEdge keys below only affect legacy (EdgeHTML) Edge; Chromium-based Edge reads HKLM\SOFTWARE\Policies\Microsoft\Edge
:: HKCU keys written from an elevated prompt land in the admin's hive, not the standard user's
:: Enable SmartScreen for legacy Edge
reg add "HKCU\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 1 /f
:: Enable SmartScreen for Chromium-based Edge
reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v SmartScreenEnabled /t REG_DWORD /d 1 /f
:: Keep the Internet Explorer security prompt when a site attempts to run Windows Installer scripts (machine policy, so HKLM)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v SafeForScripting /t REG_DWORD /d 0 /f
:: Disable the Edge password manager to encourage use of a proper password manager
reg add "HKCU\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main" /v "FormSuggest Passwords" /t REG_SZ /d no /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v PasswordManagerEnabled /t REG_DWORD /d 0 /f
::
::#######################################################################
:: Enable and Configure Google Chrome Internet Browser Settings
::#######################################################################
::
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "AdvancedProtectionAllowed" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "AllowCrossOriginAuthPrompt" /t REG_DWORD /d 0 /f
:: Hands PDFs to the external reader instead of Chrome's sandboxed viewer; pair it with the Adobe Reader ASR rule above
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "AlwaysOpenPdfExternally" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "AmbientAuthenticationInPrivateModesEnabled" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "AudioCaptureAllowed" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "AudioSandboxEnabled" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "BlockExternalExtensions" /t REG_DWORD /d 1 /f
:: DnsOverHttpsMode accepts off, automatic or secure; "secure" also requires DnsOverHttpsTemplates or resolution fails
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "DnsOverHttpsMode" /t REG_SZ /d automatic /f
:: Chrome dropped TLS 1.0/1.1, so tls1.2 is the only meaningful minimum; a value of tls1 is weaker than the browser default
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "SSLVersionMin" /t REG_SZ /d tls1.2 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ScreenCaptureAllowed" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "SitePerProcess" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "TLS13HardeningForLocalAnchorsEnabled" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "VideoCaptureAllowed" /t REG_DWORD /d 0 /f
::
::#######################################################################
:: Enable and Configure Microsoft Office Security Settings
::#######################################################################
::
:: Harden all versions of MS Office against common malspam attacks
:: vbawarnings 4 disables all macros without notification; blockcontentexecutionfrominternet blocks macros in files carrying the Mark of the Web
:: markinternalasunsafe 1 keeps Protected View on for attachments from internal (Exchange) senders; 0 would turn it off
:: These are per-user policy keys (HKCU): run them as each user or deploy via GPO for machine-wide coverage
:: Office 2019 and Microsoft 365 Apps use the 16.0 key; the 19.0 entries are harmless but unused
:: ---------------------
reg add "HKCU\Software\Policies\Microsoft\Office\12.0\Publisher\Security" /v vbawarnings /t REG_DWORD /d 4 /f
reg add "HKCU\Software\Policies\Microsoft\Office\12.0\Word\Security" /v vbawarnings /t REG_DWORD /d 4 /f
reg add "HKCU\Software\Policies\Microsoft\Office\14.0\Publisher\Security" /v vbawarnings /t REG_DWORD /d 4 /f
reg add "HKCU\Software\Policies\Microsoft\Office\14.0\Word\Security" /v vbawarnings /t REG_DWORD /d 4 /f
reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Outlook\Security" /v markinternalasunsafe /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Word\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Excel\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Word\Security" /v vbawarnings /t REG_DWORD /d 4 /f
reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Publisher\Security" /v vbawarnings /t REG_DWORD /d 4 /f
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\Security" /v markinternalasunsafe /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security" /v vbawarnings /t REG_DWORD /d 4 /f
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Publisher\Security" /v vbawarnings /t REG_DWORD /d 4 /f
reg add "HKCU\Software\Policies\Microsoft\Office\19.0\Outlook\Security" /v markinternalasunsafe /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Office\19.0\Word\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Office\19.0\Excel\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Office\19.0\PowerPoint\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Office\19.0\Word\Security" /v vbawarnings /t REG_DWORD /d 4 /f
reg add "HKCU\Software\Policies\Microsoft\Office\19.0\Publisher\Security" /v vbawarnings /t REG_DWORD /d 4 /f
::
:: Harden all versions of MS Office against DDE malspam attacks
:: Stops Word (and Outlook's WordMail editor) from automatically updating linked fields when a document opens, which is how DDE payloads fire
:: ---------------------
::
reg add "HKCU\Software\Microsoft\Office\14.0\Word\Options" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f
reg add "HKCU\Software\Microsoft\Office\14.0\Word\Options\WordMail" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f
reg add "HKCU\Software\Microsoft\Office\15.0\Word\Options" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f
reg add "HKCU\Software\Microsoft\Office\15.0\Word\Options\WordMail" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Options" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Options\WordMail" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f
::
::#######################################################################
:: Enable and Configure General Windows Security Settings
::#######################################################################
:: Disables DNS multicast, smart multi-homed resolution, NetBIOS, PowerShell v2, printer driver download and printing over HTTP, ICMP redirects
:: Enables UAC set to always notify, Safe DLL loading (DLL hijacking prevention), saving zone information (Mark of the Web), Explorer DEP, Explorer shell protocol protected mode
:: ---------------------
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v DisableSmartNameResolution /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v DisableParallelAandAAAA /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v SMB1 /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v IGMPLevel /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v DisableIPSourceRouting /t REG_DWORD /d 2 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableICMPRedirect /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisableIPSourceRouting /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableVirtualization /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 2 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDLLSearchMode /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v ProtectionMode /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v SaveZoneInformation /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v NoDataExecutionPrevention /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v NoHeapTerminationOnCorruption /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v PreXPSP2ShellProtocolBehavior /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers" /v DisableWebPnPDownload /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers" /v DisableHTTPPrinting /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" /v AutoConnectAllowedOEM /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" /v fMinimizeConnections /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" /v NoNameReleaseOnDemand /t REG_DWORD /d 1 /f
:: Disable NetBIOS over TCP/IP on every adapter. wmic is deprecated and absent from recent Windows 11 builds; Harden_PS.ps1 is the path forward there
wmic /interactive:off nicconfig where (TcpipNetbiosOptions=0 OR TcpipNetbiosOptions=1) call SetTcpipNetbios 2
powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -norestart
powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -norestart
::
:: Prioritize ECC curves with longer keys. REG_MULTI_SZ entries are separated with \0; a comma would store a single invalid curve name
reg add "HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" /v EccCurves /t REG_MULTI_SZ /d NistP384\0NistP256 /f
:: Prevent Kerberos from using DES or RC4 (0x7FFFFFF8 = AES128, AES256 and future types)
:: Caveat: in a domain, accounts and services that only have RC4 keys will fail to authenticate from this host
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" /v SupportedEncryptionTypes /t REG_DWORD /d 2147483640 /f
:: Encrypt and sign outgoing secure channel traffic when possible
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v SealSecureChannel /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v SignSecureChannel /t REG_DWORD /d 1 /f
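The README's TODO list asks for a before/after report and for registry backups, and the reg add blocks above are exactly the kind of change that is hard to audit after the fact. The following PowerShell is an added example, not code from this repository: it snapshots a table of the script's registry settings, exports the affected keys to .reg files with reg.exe so they can be restored with `reg import`, and diffs a second snapshot against the first. The `$Settings` table is a constructed subset of the settings Harden.cmd writes (paths and values taken from the script); extend it to cover whatever subset you care about. It assumes an elevated session, since the HKLM keys are otherwise unreadable or unexportable.

```powershell
# Added example (not part of the repository): back up and verify the registry values Harden.cmd sets.
# Assumes an elevated PowerShell session. $Settings is a constructed subset of the script's settings.
$Settings = @(
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';            Name = 'EnableMulticast';            Expected = 0 },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';            Name = 'DisableSmartNameResolution'; Expected = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';          Name = 'DisableIPSourceRouting';     Expected = 2 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'EnableLUA';                  Expected = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';            Name = 'SafeDllSearchMode';          Expected = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Name = 'RunAsPPL';                   Expected = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';  Name = 'UseLogonCredential';         Expected = 0 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters';   Name = 'RequireSecuritySignature';   Expected = 1 }
)

function Get-HardeningState {
    # Read every value in the table. A missing key or value is reported as $null instead of throwing,
    # because "not set" is itself a finding (the OS default applies).
    param([array]$Table = $Settings)
    foreach ($s in $Table) {
        $current = $null
        if (Test-Path -LiteralPath $s.Key) {
            $item = Get-ItemProperty -LiteralPath $s.Key -Name $s.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $current = $item.($s.Name) }
        }
        [pscustomobject]@{
            Key       = $s.Key
            Name      = $s.Name
            Expected  = $s.Expected
            Current   = $current
            Compliant = ($null -ne $current) -and ($current -eq $s.Expected)
        }
    }
}

function Backup-HardeningKeys {
    # Export each distinct key to a timestamped .reg file; "reg import <file>" reverts it.
    param([array]$Table = $Settings, [string]$OutDir = (Join-Path $env:ProgramData 'HardenBackup'))
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($key in ($Table.Key | Sort-Object -Unique)) {
        # reg.exe wants HKLM\..., not the PowerShell drive form HKLM:\...
        $regPath = $key -replace '^HKLM:\\', 'HKLM\' -replace '^HKCU:\\', 'HKCU\'
        $file = Join-Path $OutDir (($regPath -replace '[\\: ]', '_') + "-$stamp.reg")
        & reg.exe export $regPath $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Export failed (key may not exist yet): $regPath" }
    }
    $OutDir
}

function Compare-HardeningState {
    # Diff two snapshots taken from the same table and return only the rows whose data changed.
    param([array]$Before, [array]$After)
    for ($i = 0; $i -lt $Before.Count; $i++) {
        if ($Before[$i].Current -ne $After[$i].Current) {
            [pscustomobject]@{
                Key = $After[$i].Key; Name = $After[$i].Name
                Before = $Before[$i].Current; After = $After[$i].Current; Compliant = $After[$i].Compliant
            }
        }
    }
}

# Usage: snapshot and back up, run the hardening script, snapshot again, then report the delta
# and anything that is still not at the expected value.
$before    = Get-HardeningState
$backupDir = Backup-HardeningKeys
Write-Host "Backups written to $backupDir"
# & "$PSScriptRoot\Harden.cmd"
$after = Get-HardeningState
Compare-HardeningState -Before $before -After $after | Format-Table -AutoSize
$after | Where-Object { -not $_.Compliant } | Format-Table Key, Name, Expected, Current -AutoSize
```

Rows that stay non-compliant after the run are the ones to chase first: a value still reported as `$null` means the reg add never landed (typically a typo in the key path or a write denied by Tamper Protection), while a wrong value usually means another policy source, such as a GPO or MDM profile, is overriding the script.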
::
:: Enable SmartScreen for Explorer (apps and files downloaded from the internet) and make it block rather than warn
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableSmartScreen /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v ShellSmartScreenLevel /t REG_SZ /d Block /f
::
:: Enforce device driver signing
BCDEDIT /set nointegritychecks OFF
::
:: Windows Update Settings
:: Prevent Delivery Optimization from downloading updates from other computers across the internet
:: 1 will restrict to LAN only. 0 will disable the feature entirely
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DODownloadMode /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f
::
:: Lock the session after 15 minutes of inactivity (Interactive logon: Machine inactivity limit)
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v InactivityTimeoutSecs /t REG_DWORD /d 900 /f
:: Require a password on resume from sleep while plugged in and on battery
reg add "HKLM\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" /v ACSettingIndex /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" /v DCSettingIndex /t REG_DWORD /d 1 /f
::
:: Windows Remote Access Settings
:: Disable solicited remote assistance
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fAllowToGetHelp /t REG_DWORD /d 0 /f
:: Require encrypted RPC connections to Remote Desktop
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEncryptRPCTraffic /t REG_DWORD /d 1 /f
:: Prevent sharing of local drives via Remote Desktop Session Hosts
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fDisableCdm /t REG_DWORD /d 1 /f
::
:: Removable Media Settings
:: Disable autorun/autoplay on all drives
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v NoAutoplayfornonVolume /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAutorun /t REG_DWORD /d 1 /f
::
:: Windows Sharing/SMB Settings
:: Disable SMB1, anonymous access to named pipes/shares, anonymous enumeration of SAM accounts, non-admin remote access to SAM
:: Enable optional SMB client signing (EnableSecuritySignature); set RequireSecuritySignature under LanmanWorkstation to make it mandatory
powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -norestart
reg add "HKLM\SYSTEM\CurrentControlSet\Services\mrxsmb10" /v Start /t REG_DWORD /d 4 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v SMB1 /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v RestrictNullSessAccess /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymousSAM /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictRemoteSAM /t REG_SZ /d O:BAG:BAD:(A;;RC;;;BA) /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v UseMachineId /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0" /v allownullsessionfallback /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v EnableSecuritySignature /t REG_DWORD /d 1 /f
:: Force SMB server signing
:: This could cause impact if the Windows computer this is run on is hosting a file share and the other computers connecting to it do not have SMB client signing enabled.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v RequireSecuritySignature /t REG_DWORD /d 1 /f
::
:: Harden lsass to help protect against credential dumping (mimikatz) and audit lsass access requests
:: AuditLevel 8 logs (events 3065/3066 in Microsoft-Windows-CodeIntegrity/Operational) which LSA plug-ins would be blocked, without enforcing; review it before relying on RunAsPPL
:: Configures lsass.exe as a protected process (RunAsPPL) and disables WDigest plaintext credential caching
:: Caveat: on UEFI systems with Secure Boot, RunAsPPL=1 is also persisted as a UEFI variable and needs Microsoft's LSA protection opt-out tool to undo
:: Enables delegation of non-exportable credentials, which enables support for Restricted Admin Mode or Remote Credential Guard
:: ---------------------
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe" /v AuditLevel /t REG_DWORD /d 00000008 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" /v AllowProtectedCreds /t REG_DWORD /d 1 /f
::
:: Windows RPC and WinRM settings
:: Stop WinRM (this stops the service for the session; it does not change the startup type)
net stop WinRM
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" /v AllowUnencryptedTraffic /t REG_DWORD /d 0 /f
:: Prevent unauthenticated RPC connections
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" /v RestrictRemoteClients /t REG_DWORD /d 1 /f
:: Disable WinRM client Digest authentication
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v AllowDigest /t REG_DWORD /d 0 /f
:: Disable RPC usage from a remote asset interacting with scheduled tasks
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule" /v DisableRpcOverTcp /t REG_DWORD /d 1 /f
:: Disable RPC usage from a remote asset interacting with services
reg add "HKLM\SYSTEM\CurrentControlSet\Control" /v DisableRemoteScmEndpoints /t REG_DWORD /d 1 /f
::
:: Biometrics
:: Enable anti-spoofing for facial recognition
reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" /v EnhancedAntiSpoofing /t REG_DWORD /d 1 /f
:: Disable other camera use while the screen is locked
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v NoLockScreenCamera /t REG_DWORD /d 1 /f
:: Prevent Windows app voice activation while locked
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v LetAppsActivateWithVoiceAboveLock /t REG_DWORD /d 2 /f
:: Prevent Windows app voice activation entirely (be mindful of those with accessibility needs)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v LetAppsActivateWithVoice /t REG_DWORD /d 2 /f
::
::#######################################################################
:: Enable and configure Windows Firewall
::#######################################################################
::
NetSh Advfirewall set allprofiles state on
::
:: Enable Firewall Logging on every profile (currentprofile would only cover whichever profile is active when the script runs)
netsh advfirewall set allprofiles logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log
netsh advfirewall set allprofiles logging maxfilesize 4096
netsh advfirewall set allprofiles logging droppedconnections enable
::
:: Block all inbound connections on Public profile
netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound
:: Enable Windows Defender Network Protection
powershell.exe Set-MpPreference -EnableNetworkProtection Enabled
::
:: Block Win32 binaries from making network connections when they shouldn't - specifically targeting native processes known to be abused by bad actors
:: Note this only covers TCP; a rule without protocol=tcp would also block UDP (for example DNS lookups the binary makes itself)
:: ---------------------
Netsh.exe advfirewall firewall add rule name="Block Notepad.exe netconns" program="%systemroot%\system32\notepad.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block regsvr32.exe netconns" program="%systemroot%\system32\regsvr32.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block calc.exe netconns" program="%systemroot%\system32\calc.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block mshta.exe netconns" program="%systemroot%\system32\mshta.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block wscript.exe netconns" program="%systemroot%\system32\wscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block cscript.exe netconns" program="%systemroot%\system32\cscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block runscripthelper.exe netconns" program="%systemroot%\system32\runscripthelper.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block hh.exe netconns" program="%systemroot%\system32\hh.exe" protocol=tcp dir=out enable=yes action=block profile=any
::
::#######################################################################
:: Windows 10 Privacy Settings
::#######################################################################
::
:: Set Windows Analytics to limited enhanced if enhanced is enabled
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v LimitEnhancedDiagnosticDataWindowsAnalytics /t REG_DWORD /d 1 /f
:: Set Windows Telemetry to security only
:: If you intend to use Enhanced for Windows Analytics then set this to "2" instead
:: Note my understanding is W10 Home edition will do a minimum of "Basic"
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v MaxTelemetryAllowed /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v ShowedToastAtLevel /t REG_DWORD /d 1 /f
:: Disable location data. The capability is a subkey under ConsentStore and the setting is its "Value" entry
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v Value /t REG_SZ /d Deny /f
:: Prevent the Start Menu Search from providing internet results and using your location
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v AllowSearchToUseLocation /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v CortanaConsent /t REG_DWORD /d 0 /f
:: Disable publishing of Win10 user activity (0 = disabled; 1 would allow it)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v PublishUserActivities /t REG_DWORD /d 0 /f
::
:: Disable Windows GameDVR (Broadcasting and Recording)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f
:: Disable Microsoft consumer experience, which prevents notifications of suggested applications to install
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f
:: Prevent toast notifications from appearing on the lock screen (this is a user policy, so it lives under HKCU)
reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v NoToastApplicationNotificationOnLockScreen /t REG_DWORD /d 1 /f
::
::#######################################################################
:: Enable Advanced Windows Logging
::#######################################################################
::
:: Enlarge Windows Event Log sizes (bytes). The commonly copied value 1024000 is about 1 MB, smaller than the 20 MB default, and would shrink the logs
wevtutil sl Security /ms:1073741824
wevtutil sl Application /ms:268435456
wevtutil sl System /ms:268435456
wevtutil sl "Windows PowerShell" /ms:268435456
wevtutil sl "Microsoft-Windows-PowerShell/Operational" /ms:268435456
:: Record command line data in process creation events (event ID 4688)
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
::
:: Force advanced audit policy (subcategory settings override the legacy category settings)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v SCENoApplyLegacyAuditPolicy /t REG_DWORD /d 1 /f
:: Enable PowerShell Logging (module logging and script block logging, event ID 4104)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging" /v EnableModuleLogging /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f
::
:: Enable Windows Event Detailed Logging
:: This is intentionally meant to be a subset of expected enterprise logging as this script may be used on consumer devices.
352 | :: For more extensive Windows logging, I recommend https://www.malwarearchaeology.com/cheat-sheets 353 | Auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable 354 | Auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable 355 | Auditpol /set /subcategory:"Logoff" /success:enable /failure:disable 356 | Auditpol /set /subcategory:"Logon" /success:enable /failure:enable 357 | Auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:disable 358 | Auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable 359 | Auditpol /set /subcategory:"SAM" /success:disable /failure:disable 360 | Auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable 361 | Auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable 362 | Auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable 363 | Auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable 364 | Auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable 365 | :: 366 | ::####################################################################### 367 | :: Extra settings commented out but worth considering 368 | ::####################################################################### 369 | :: 370 | :: Uninstall common extra apps found on a lot of Win10 installs 371 | :: Obviously do a quick review to ensure it isn't removing any apps you or your user need to use. 
372 | :: https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 373 | :: PowerShell command to reinstall all pre-installed apps below 374 | :: Get-AppxPackage -AllUsers| Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"} 375 | powershell.exe -command "Get-AppxPackage *Microsoft.BingWeather* -AllUsers | Remove-AppxPackage" 376 | powershell.exe -command "Get-AppxPackage *Microsoft.DesktopAppInstaller* -AllUsers | Remove-AppxPackage" 377 | powershell.exe -command "Get-AppxPackage *Microsoft.GetHelp* -AllUsers | Remove-AppxPackage" 378 | powershell.exe -command "Get-AppxPackage *Microsoft.Getstarted* -AllUsers | Remove-AppxPackage" 379 | powershell.exe -command "Get-AppxPackage *Microsoft.Messaging* -AllUsers | Remove-AppxPackage" 380 | powershell.exe -command "Get-AppxPackage *Microsoft.Microsoft3DViewer* -AllUsers | Remove-AppxPackage" 381 | powershell.exe -command "Get-AppxPackage *Microsoft.MicrosoftOfficeHub* -AllUsers | Remove-AppxPackage" 382 | powershell.exe -command "Get-AppxPackage *Microsoft.MicrosoftSolitaireCollection* -AllUsers | Remove-AppxPackage" 383 | powershell.exe -command "Get-AppxPackage *Microsoft.MicrosoftStickyNotes* -AllUsers | Remove-AppxPackage" 384 | powershell.exe -command "Get-AppxPackage *Microsoft.MixedReality.Portal* -AllUsers | Remove-AppxPackage" 385 | powershell.exe -command "Get-AppxPackage *Microsoft.Office.OneNote* -AllUsers | Remove-AppxPackage" 386 | powershell.exe -command "Get-AppxPackage *Microsoft.OneConnect* -AllUsers | Remove-AppxPackage" 387 | powershell.exe -command "Get-AppxPackage *Microsoft.Print3D* -AllUsers | Remove-AppxPackage" 388 | powershell.exe -command "Get-AppxPackage *Microsoft.SkypeApp* -AllUsers | Remove-AppxPackage" 389 | powershell.exe -command "Get-AppxPackage *Microsoft.Wallet* -AllUsers | Remove-AppxPackage" 390 | powershell.exe -command "Get-AppxPackage *Microsoft.WebMediaExtensions* -AllUsers | Remove-AppxPackage" 391 | 
powershell.exe -command "Get-AppxPackage *Microsoft.WebpImageExtension* -AllUsers | Remove-AppxPackage" 392 | powershell.exe -command "Get-AppxPackage *Microsoft.WindowsAlarms* -AllUsers | Remove-AppxPackage" 393 | powershell.exe -command "Get-AppxPackage *Microsoft.WindowsCamera* -AllUsers | Remove-AppxPackage" 394 | powershell.exe -command "Get-AppxPackage *microsoft.windowscommunicationsapps* -AllUsers | Remove-AppxPackage" 395 | powershell.exe -command "Get-AppxPackage *Microsoft.WindowsFeedbackHub* -AllUsers | Remove-AppxPackage" 396 | powershell.exe -command "Get-AppxPackage *Microsoft.WindowsMaps* -AllUsers | Remove-AppxPackage" 397 | powershell.exe -command "Get-AppxPackage *Microsoft.WindowsSoundRecorder* -AllUsers | Remove-AppxPackage" 398 | powershell.exe -command "Get-AppxPackage *Microsoft.Xbox.TCUI* -AllUsers | Remove-AppxPackage" 399 | powershell.exe -command "Get-AppxPackage *Microsoft.XboxApp* -AllUsers | Remove-AppxPackage" 400 | powershell.exe -command "Get-AppxPackage *Microsoft.XboxGameOverlay* -AllUsers | Remove-AppxPackage" 401 | powershell.exe -command "Get-AppxPackage *Microsoft.XboxGamingOverlay* -AllUsers | Remove-AppxPackage" 402 | powershell.exe -command "Get-AppxPackage *Microsoft.XboxIdentityProvider* -AllUsers | Remove-AppxPackage" 403 | powershell.exe -command "Get-AppxPackage *Microsoft.XboxSpeechToTextOverlay* -AllUsers | Remove-AppxPackage" 404 | powershell.exe -command "Get-AppxPackage *Microsoft.YourPhone* -AllUsers | Remove-AppxPackage" 405 | powershell.exe -command "Get-AppxPackage *Microsoft.ZuneMusic* -AllUsers | Remove-AppxPackage" 406 | powershell.exe -command "Get-AppxPackage *Microsoft.ZuneVideo* -AllUsers | Remove-AppxPackage" 407 | powershell.exe -command "Get-AppxPackage *Microsoft.WindowsFeedback* -AllUsers | Remove-AppxPackage" 408 | powershell.exe -command "Get-AppxPackage *Windows.ContactSupport* -AllUsers | Remove-AppxPackage" 409 | powershell.exe -command "Get-AppxPackage *PandoraMedia* -AllUsers | 
Remove-AppxPackage" 410 | powershell.exe -command "Get-AppxPackage *AdobeSystemIncorporated. AdobePhotoshop* -AllUsers | Remove-AppxPackage" 411 | powershell.exe -command "Get-AppxPackage *Duolingo* -AllUsers | Remove-AppxPackage" 412 | powershell.exe -command "Get-AppxPackage *Microsoft.BingNews* -AllUsers | Remove-AppxPackage" 413 | powershell.exe -command "Get-AppxPackage *Microsoft.Office.Sway* -AllUsers | Remove-AppxPackage" 414 | powershell.exe -command "Get-AppxPackage *Microsoft.Advertising.Xaml* -AllUsers | Remove-AppxPackage" 415 | powershell.exe -command "Get-AppxPackage *Microsoft.NET.Native.Framework.1.* -AllUsers | Remove-AppxPackage" 416 | powershell.exe -command "Get-AppxPackage *Microsoft.Services.Store.Engagement* -AllUsers | Remove-AppxPackage" 417 | powershell.exe -command "Get-AppxPackage *ActiproSoftware* -AllUsers | Remove-AppxPackage" 418 | powershell.exe -command "Get-AppxPackage *EclipseManager* -AllUsers | Remove-AppxPackage" 419 | powershell.exe -command "Get-AppxPackage *SpotifyAB.SpotifyMusic* -AllUsers | Remove-AppxPackage" 420 | powershell.exe -command "Get-AppxPackage *king.com.* -AllUsers | Remove-AppxPackage" 421 | :: 422 | ::####################################################################### 423 | :: Extra settings commented out but worth considering 424 | ::####################################################################### 425 | :: 426 | :: Enforce NTLMv2 and LM authentication 427 | :: This is commented out by default as it could impact access to consumer-grade file shares but it's a recommended setting 428 | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LmCompatibilityLevel /t REG_DWORD /d 5 /f 429 | :: 430 | :: Prevent unencrypted passwords being sent to third-party SMB servers 431 | :: This is commented out by default as it could impact access to consumer-grade file shares but it's a recommended setting 432 | reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v 
EnablePlainTextPassword /t REG_DWORD /d 0 /f 433 | :: 434 | :: Prevent guest logons to SMB servers 435 | :: This is commented out by default as it could impact access to consumer-grade file shares but it's a recommended setting 436 | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" /v AllowInsecureGuestAuth /t REG_DWORD /d 0 /f 437 | :: 438 | :: Force SMB server signing 439 | :: This is commented out by default as it could impact access to consumer-grade file shares but it's a recommended setting 440 | reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v RequireSecuritySignature /t REG_DWORD /d 1 /f 441 | :: 442 | :: Enable Windows Defender Application Guard 443 | :: This setting is commented out as it enables subset of DC/CG which renders other virtualization products unsuable. Can be enabled if you don't use those 444 | powershell.exe Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard -norestart 445 | :: 446 | :: Enable Windows Defender Credential Guard 447 | :: This setting is commented out as it enables subset of DC/CG which renders other virtualization products unsuable. 
Can be enabled if you don't use those 448 | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 1 /f 449 | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v RequirePlatformSecurityFeatures /t REG_DWORD /d 3 /f 450 | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v LsaCfgFlags /t REG_DWORD /d 1 /f 451 | :: 452 | :: The following variant also enables forced ASLR and CFG but causes issues with several third party apps 453 | :: powershell.exe Set-Processmitigation -System -Enable DEP,CFG,ForceRelocateImages,BottomUp,SEHOP 454 | :: 455 | :: Block executable files from running unless they meet a prevalence, age, or trusted list criterion 456 | :: This one is commented out for now as I need to research and test more to determine potential impact 457 | :: powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-cd74-433a-b99e-2ecdc07bfc25 -AttackSurfaceReductionRules_Actions Enabled 458 | :: 459 | :: Enable Windows Defender real time monitoring 460 | :: Commented out given consumers often run third party anti-virus. You can run either. 
461 | :: powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $false" 462 | :: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 0 /f 463 | :: 464 | :: Disable internet connection sharing 465 | :: Commented out as it's not enabled by default and if it is enabled, may be for a reason 466 | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Network Connections" /v NC_ShowSharedAccessUI /t REG_DWORD /d 0 /f 467 | :: 468 | :: Always re-process Group Policy even if no changes 469 | :: Commented out as consumers don't typically use GPO 470 | :: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" /v NoGPOListChanges /t REG_DWORD /d 0 /f 471 | :: 472 | :: Force logoff if smart card removed 473 | :: Set to "2" for logoff, set to "1" for lock 474 | :: Commented out as consumers don't typically use smart cards 475 | :: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SCRemoveOption /t REG_DWORD /d 2 /f 476 | :: 477 | :: Restrict privileged local admin tokens being used from network 478 | :: Commented out as it only works on domain-joined assets 479 | reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 0 /f 480 | :: 481 | :: Ensure outgoing secure channel traffic is encrytped 482 | :: Commented out as it only works on domain-joined assets 483 | :: reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v RequireSignOrSeal /t REG_DWORD /d 1 /f 484 | :: 485 | :: Enforce LDAP client signing 486 | :: Commented out as most consumers don't use LDAP auth 487 | :: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LDAP" /v LDAPClientIntegrity /t REG_DWORD /d 1 /f 488 | :: 489 | :: Remove the Reg Keys for PSEXEC, sometimes it is legit 490 | :: REG add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t 
REG_DWORD /d 0 /f 491 | :: REG add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint" /v Enabled /t REG_DWORD /d 0 /f 492 | :: REG delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint" /v RemoteAddresses /t REG_SZ /d "*" /f 493 | :: REG add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint" /v Enabled /t REG_DWORD /d 0 /f 494 | :: REG delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint" /v RemoteAddresses /t REG_SZ /d "*" /f 495 | :: 496 | :: 497 | :: 498 | ::####################################################################### 499 | :: References 500 | ::####################################################################### 501 | :: 502 | :: LLMNR 503 | :: https://www.blackhillsinfosec.com/how-to-disable-llmnr-why-you-want-to/ 504 | :: 505 | :: Windows Defender References 506 | :: ASR Rules https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office 507 | :: ASR and Exploit Guard https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard 508 | :: ASR Rules https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction 509 | :: Easy methods to test rules https://demo.wd.microsoft.com/?ocid=cx-wddocs-testground 510 | :: Resource on the rules and associated event IDs https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/event-views 511 | :: Defender sandboxing https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/ 512 | :: Defender exploit protection https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection 513 | :: Application Guard 
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard 514 | :: Defender cmdline https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus 515 | :: 516 | :: General hardening references 517 | :: LSA Protection https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn408187(v=ws.11)?redirectedfrom=MSDN 518 | :: 519 | :: Microsoft Office References: 520 | :: Disable DDE https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b 521 | :: Disable macros https://decentsecurity.com/block-office-macros/ 522 | :: 523 | :: Frameworks and benchmarks 524 | :: STIG https://www.stigviewer.com/stig/windows_10/ 525 | pause 526 | -------------------------------------------------------------------------------- /Harden_PS.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | ZephrFish's Ultimate Windows Lockdown and Hardening Script 2024 3 | #> 4 | 5 | # Before we roll out we must be admin for things to run 6 | If (!([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) 7 | { 8 | WriteToLog -Message "Please run as administrator." -color "red" 9 | Read-Host 10 | Exit 11 | } 12 | 13 | 14 | 15 | 16 | # Warning about the script's impact 17 | Write-Host "WARNING: This script will make significant changes to your system's configuration to harden security. Please ensure you understand the impact of each change before proceeding." -ForegroundColor Red 18 | $continue = Read-Host "Do you want to continue? (Y/N)" 19 | if ($continue -ne 'Y') { 20 | Write-Host "Operation aborted by the user." 
21 | exit 22 | } 23 | 24 | Write-Host "We are going to first check that all the expected Registry paths exist before executing" 25 | function LetsAllCheckRegExist { 26 | param ( 27 | [string]$Path 28 | ) 29 | # Extract the root and subpath for New-Item 30 | $root = $Path -replace '\\.+', '' 31 | $subPath = $Path -replace '^[^\\]+\\', '' 32 | 33 | # Check if the path exists 34 | if (-not (Test-Path $Path)) { 35 | try { 36 | New-Item -Path "$root" -Name "$subPath" -Force -ErrorAction Stop | Out-Null 37 | Write-Host "Created registry path: $Path" -ForegroundColor Green 38 | } 39 | catch { 40 | Write-Host "Failed to create registry path: $Path" -ForegroundColor Red 41 | } 42 | } 43 | } 44 | 45 | # Provided registry paths 46 | $registryPaths = @( 47 | "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment", 48 | "HKCU:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch", 49 | "HKCU:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter", 50 | "HKLM:\SOFTWARE\Policies\Google\Chrome", 51 | "HKCU:\Software\Microsoft\Office\14.0\Word\Options", 52 | "HKCU:\Software\Microsoft\Office\14.0\Word\Options\WordMail", 53 | "HKCU:\Software\Microsoft\Office\15.0\Word\Options", 54 | "HKCU:\Software\Microsoft\Office\15.0\Word\Options\WordMail", 55 | "HKCU:\Software\Microsoft\Office\16.0\Word\Options", 56 | "HKCU:\Software\Microsoft\Office\16.0\Word\Options\WordMail", 57 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient", 58 | "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters", 59 | "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", 60 | "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", 61 | "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters", 62 | "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", 63 | "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager", 64 | "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments", 65 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer", 66 | 
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer", 67 | "HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10", 68 | "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe", 69 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation", 70 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service", 71 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc", 72 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client", 73 | "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Schedule", 74 | "HKLM:\SYSTEM\CurrentControlSet\Control", 75 | "HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures", 76 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization", 77 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy", 78 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection", 79 | "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack", 80 | "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore", 81 | "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Search", 82 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System", 83 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR", 84 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent", 85 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications", 86 | "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit", 87 | "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa", 88 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell", 89 | "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint", 90 | "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint", 91 | "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection", 92 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections", 93 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}", 94 | 
"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", 95 | "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", 96 | "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters", 97 | "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System", 98 | "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" 99 | ) 100 | 101 | # Ensure each path exists before setting properties 102 | foreach ($path in $registryPaths) { 103 | LetsAllCheckRegExist -Path $path 104 | } 105 | 106 | # Change file associations for obscuring malicious filetypes 107 | $extensions = @('hta', 'wsh', 'wsf', 'js', 'jse', 'vbe', 'vbs', 'scr', 'htm') 108 | $optionalExtensions = @('bat', 'ps1') 109 | 110 | Write-Host "Do you want to change the file associations for .bat and .ps1 files to Notepad? (Y/N)" -ForegroundColor Yellow 111 | $response = Read-Host "Please enter Y for Yes or N for No" 112 | 113 | if ($response -eq 'Y') { 114 | $extensions += $optionalExtensions 115 | } 116 | 117 | foreach ($ext in $extensions) { 118 | $path = "HKCU:\Software\Classes\.$ext" 119 | # Ensure the path exists before attempting to set a property. 120 | if (Test-Path $path) { 121 | Set-ItemProperty -Path $path -Name "(Default)" -Value "Notepad" 122 | Write-Host "File association for .$ext changed to Notepad." -ForegroundColor Green 123 | } else { 124 | Write-Host "The registry path for .$ext does not exist. Attempting to create." 125 | # Optionally, create the registry key if it doesn't exist. 126 | New-Item -Path $path -Force | Out-Null 127 | Set-ItemProperty -Path $path -Name "(Default)" -Value "Notepad" 128 | Write-Host "File association for .$ext has been created and set to Notepad." 
-ForegroundColor Green 129 | } 130 | } 131 | 132 | 133 | # Enable and configure Windows Defender 134 | Start-Service WinDefend 135 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name "MP_FORCE_USE_SANDBOX" -Value 1 136 | Start-Process "powershell" -ArgumentList "Set-MpPreference -PUAProtection enable; Set-MpPreference -MAPSReporting Advanced; Set-MpPreference -SubmitSamplesConsent 0" -Wait 137 | 138 | # Additional Defender configurations omitted for brevity 139 | Set-ItemProperty -Path "HKCU:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch" -Name "DriverLoadPolicy" -Value 3 140 | 141 | # Enable and Configure Internet Browser Settings 142 | Set-ItemProperty -Path "HKCU:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" -Name "EnabledV9" -Value 1 143 | 144 | # Google Chrome and other settings 145 | # Ensure the registry path exists, create if not 146 | $chromePolicyPath = "HKLM:\SOFTWARE\Policies\Google\Chrome" 147 | if (-not (Test-Path $chromePolicyPath)) { 148 | New-Item -Path $chromePolicyPath -Force 149 | } 150 | 151 | # Setting Chrome policies 152 | Set-ItemProperty -Path $chromePolicyPath -Name "AdvancedProtectionAllowed" -Value 1 -Type DWord 153 | Set-ItemProperty -Path $chromePolicyPath -Name "AllowCrossOriginAuthPrompt" -Value 0 -Type DWord 154 | Set-ItemProperty -Path $chromePolicyPath -Name "AlwaysOpenPdfExternally" -Value 1 -Type DWord 155 | Set-ItemProperty -Path $chromePolicyPath -Name "AmbientAuthenticationInPrivateModesEnabled" -Value 0 -Type DWord 156 | Set-ItemProperty -Path $chromePolicyPath -Name "AudioCaptureAllowed" -Value 0 -Type DWord 157 | Set-ItemProperty -Path $chromePolicyPath -Name "AudioSandboxEnabled" -Value 1 -Type DWord 158 | Set-ItemProperty -Path $chromePolicyPath -Name "BlockExternalExtensions" -Value 1 -Type DWord 159 | Set-ItemProperty -Path $chromePolicyPath -Name "DnsOverHttpsMode" -Value "on" -Type String 160 | Set-ItemProperty -Path $chromePolicyPath -Name "SSLVersionMin" 
-Value "tls1" -Type String 161 | Set-ItemProperty -Path $chromePolicyPath -Name "ScreenCaptureAllowed" -Value 0 -Type DWord 162 | Set-ItemProperty -Path $chromePolicyPath -Name "SitePerProcess" -Value 1 -Type DWord 163 | Set-ItemProperty -Path $chromePolicyPath -Name "TLS13HardeningForLocalAnchorsEnabled" -Value 1 -Type DWord 164 | Set-ItemProperty -Path $chromePolicyPath -Name "VideoCaptureAllowed" -Value 0 -Type DWord 165 | 166 | Write-Host "Chrome policy settings have been updated." -ForegroundColor Green 167 | 168 | 169 | # Enable and Configure Microsoft Office Security Settings 170 | # Harden all version of MS Office itself against common malspam attacks 171 | # Disables Macros, enables ProtectedView 172 | 173 | $officeVersions = @('12.0', '14.0', '15.0', '16.0', '19.0') 174 | foreach ($version in $officeVersions) { 175 | # Define base path for each Office version 176 | $basePath = "HKCU:\Software\Policies\Microsoft\Office\$version" 177 | 178 | # Publisher security settings 179 | $publisherSecurityPath = "$basePath\Publisher\Security" 180 | New-Item -Path $publisherSecurityPath -Force | Out-Null 181 | Set-ItemProperty -Path $publisherSecurityPath -Name "vbawarnings" -Value 4 182 | 183 | # Word security settings 184 | $wordSecurityPath = "$basePath\Word\Security" 185 | New-Item -Path $wordSecurityPath -Force | Out-Null 186 | Set-ItemProperty -Path $wordSecurityPath -Name "vbawarnings" -Value 4 187 | if ($version -eq '15.0' -or $version -eq '16.0' -or $version -eq '19.0') { 188 | Set-ItemProperty -Path $wordSecurityPath -Name "blockcontentexecutionfrominternet" -Value 1 189 | } 190 | 191 | # Outlook security settings for versions 15.0, 16.0, and 19.0 192 | if ($version -eq '15.0' -or $version -eq '16.0' -or $version -eq '19.0') { 193 | $outlookSecurityPath = "$basePath\Outlook\Security" 194 | New-Item -Path $outlookSecurityPath -Force | Out-Null 195 | Set-ItemProperty -Path $outlookSecurityPath -Name "markinternalasunsafe" -Value 0 196 | } 197 | 198 | # Excel 
security settings for versions 15.0, 16.0, and 19.0 199 | if ($version -eq '15.0' -or $version -eq '16.0' -or $version -eq '19.0') { 200 | $excelSecurityPath = "$basePath\Excel\Security" 201 | New-Item -Path $excelSecurityPath -Force | Out-Null 202 | Set-ItemProperty -Path $excelSecurityPath -Name "blockcontentexecutionfrominternet" -Value 1 203 | } 204 | 205 | # PowerPoint security settings for versions 15.0, 16.0, and 19.0 206 | if ($version -eq '15.0' -or $version -eq '16.0' -or $version -eq '19.0') { 207 | $powerPointSecurityPath = "$basePath\PowerPoint\Security" 208 | New-Item -Path $powerPointSecurityPath -Force | Out-Null 209 | Set-ItemProperty -Path $powerPointSecurityPath -Name "blockcontentexecutionfrominternet" -Value 1 210 | } 211 | } 212 | 213 | # Setting DontUpdateLinks for Word 2010 (Office 14.0) 214 | $word2010OptionsPath = "HKCU:\Software\Microsoft\Office\14.0\Word\Options" 215 | $word2010WordMailPath = "HKCU:\Software\Microsoft\Office\14.0\Word\Options\WordMail" 216 | New-Item -Path $word2010OptionsPath -Force | Out-Null 217 | New-Item -Path $word2010WordMailPath -Force | Out-Null 218 | Set-ItemProperty -Path $word2010OptionsPath -Name "DontUpdateLinks" -Value 1 219 | Set-ItemProperty -Path $word2010WordMailPath -Name "DontUpdateLinks" -Value 1 220 | 221 | # Setting DontUpdateLinks for Word 2013 (Office 15.0) 222 | $word2013OptionsPath = "HKCU:\Software\Microsoft\Office\15.0\Word\Options" 223 | $word2013WordMailPath = "HKCU:\Software\Microsoft\Office\15.0\Word\Options\WordMail" 224 | New-Item -Path $word2013OptionsPath -Force | Out-Null 225 | New-Item -Path $word2013WordMailPath -Force | Out-Null 226 | Set-ItemProperty -Path $word2013OptionsPath -Name "DontUpdateLinks" -Value 1 227 | Set-ItemProperty -Path $word2013WordMailPath -Name "DontUpdateLinks" -Value 1 228 | 229 | # Setting DontUpdateLinks for Word 2016 (Office 16.0) 230 | $word2016OptionsPath = "HKCU:\Software\Microsoft\Office\16.0\Word\Options" 231 | $word2016WordMailPath = 
"HKCU:\Software\Microsoft\Office\16.0\Word\Options\WordMail" 232 | New-Item -Path $word2016OptionsPath -Force | Out-Null 233 | New-Item -Path $word2016WordMailPath -Force | Out-Null 234 | Set-ItemProperty -Path $word2016OptionsPath -Name "DontUpdateLinks" -Value 1 235 | Set-ItemProperty -Path $word2016WordMailPath -Name "DontUpdateLinks" -Value 1 236 | 237 | Write-Host "Office settings have been updated." -ForegroundColor Green 238 | 239 | # General Windows Security Settings 240 | 241 | # Network Hardening 242 | # Stop and disable the Bonjour Service if installed 243 | Get-Service -Name "Bonjour Service" | Stop-Service -PassThru | Set-Service -StartupType Disabled 244 | 245 | # Disable NetBIOS over TCP/IP for all network adapters 246 | Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -eq $true } | ForEach-Object { $_.SetTcpipNetbios(2) } 247 | 248 | 249 | # Disable LLMNR 250 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name "EnableMulticast" -Value 0 -Type DWord 251 | 252 | 253 | 254 | # DNS Client and SMB1 configuration 255 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name "EnableMulticast" -Value 0 -Type DWord 256 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name "DisableSmartNameResolution" -Value 1 -Type DWord 257 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" -Name "DisableParallelAandAAAA" -Value 1 -Type DWord 258 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "SMB1" -Value 0 -Type DWord 259 | 260 | # TCP/IP Configuration 261 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "IGMPLevel" -Value 0 -Type DWord 262 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "DisableIPSourceRouting" -Value 2 -Type DWord 263 | Set-ItemProperty -Path 
"HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "EnableICMPRedirect" -Value 0 -Type DWord 264 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" -Name "DisableIPSourceRouting" -Value 2 -Type DWord 265 | 266 | # System and Security Policies 267 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLUA" -Value 1 -Type DWord 268 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableVirtualization" -Value 1 -Type DWord 269 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 2 -Type DWord 270 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "SafeDLLSearchMode" -Value 1 -Type DWord 271 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "ProtectionMode" -Value 1 -Type DWord 272 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" -Name "SaveZoneInformation" -Value 2 -Type DWord 273 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer" -Name "NoDataExecutionPrevention" -Value 0 -Type DWord 274 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer" -Name "NoHeapTerminationOnCorruption" -Value 0 -Type DWord 275 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "PreXPSP2ShellProtocolBehavior" -Value 0 -Type DWord 276 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers" -Name "DisableWebPnPDownload" -Value 1 -Type DWord 277 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers" -Name "DisableHTTPPrinting" -Value 1 -Type DWord 278 | 279 | # Wi-Fi and NetBIOS Configuration 280 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" -Name 
"AutoConnectAllowedOEM" -Value 0 -Type DWord 281 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" -Name "fMinimizeConnections" -Value 1 -Type DWord 282 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" -Name "NoNameReleaseOnDemand" -Value 1 -Type DWord 283 | 284 | # Disable Windows PowerShell 2.0 285 | Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root 286 | Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 287 | 288 | # Windows Remote Access Settings 289 | New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Force 290 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "fAllowToGetHelp" -Value 0 -Type DWord 291 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "fEncryptRPCTraffic" -Value 1 -Type DWord 292 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "fDisableCdm" -Value 1 -Type DWord 293 | 294 | # Removal Media Settings 295 | New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer" -Force 296 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer" -Name "NoAutoplayfornonVolume" -Value 1 -Type DWord 297 | New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Force 298 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "NoDriveTypeAutoRun" -Value 255 -Type DWord 299 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "NoAutorun" -Value 1 -Type DWord 300 | 301 | # Windows Sharing/SMB Settings 302 | Disable-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol" -NoRestart 303 | New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10" -Force 304 | Set-ItemProperty -Path 
"HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10" -Name "Start" -Value 4 -Type DWord 305 | New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Force 306 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "SMB1" -Value 0 -Type DWord 307 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" -Name "RestrictNullSessAccess" -Value 1 -Type DWord 308 | New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Force 309 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RestrictAnonymousSAM" -Value 1 -Type DWord 310 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RestrictAnonymous" -Value 1 -Type DWord 311 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "EveryoneIncludesAnonymous" -Value 0 -Type DWord 312 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RestrictRemoteSAM" -Value "O:BAG:BAD:(A;;RC;;;BA)" -Type String 313 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "UseMachineId" -Value 1 -Type DWord 314 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LimitBlankPasswordUse" -Value 1 -Type DWord 315 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0" -Name "allownullsessionfallback" -Value 0 -Type DWord 316 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name "EnableSecuritySignature" -Value 1 -Type DWord 317 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" -Name "RequireSecuritySignature" -Value 1 -Type DWord 318 | 319 | # Harden lsass to help protect against credential dumping (mimikatz) and audit lsass access requests 320 | New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe" -Force 321 | Set-ItemProperty -Path 
"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe" -Name "AuditLevel" -Value 8 -Type DWord 322 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1 -Type DWord 323 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" -Name "UseLogonCredential" -Value 0 -Type DWord 324 | New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" -Force 325 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" -Name "AllowProtectedCreds" -Value 1 -Type DWord 326 | 327 | # Windows RPC and WinRM settings 328 | Stop-Service -Name WinRM -Force 329 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowUnencryptedTraffic" -Value 0 -Type DWord 330 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" -Name "RestrictRemoteClients" -Value 1 -Type DWord 331 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" -Name "AllowDigest" -Value 0 -Type DWord 332 | 333 | # Disabling RPC usage from a remote asset interacting with scheduled tasks and services 334 | Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Schedule" -Name "DisableRpcOverTcp" -Value 1 -Type DWord 335 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control" -Name "DisableRemoteScmEndpoints" -Value 1 -Type DWord 336 | 337 | # Biometrics and App Privacy 338 | New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" -Force 339 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" -Name "EnhancedAntiSpoofing" -Value 1 -Type DWord 340 | New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization" -Force 341 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization" -Name "NoLockScreenCamera" -Value 1 -Type DWord 342 | New-Item -Path 
"HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" -Force 343 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" -Name "LetAppsActivateWithVoiceAboveLock" -Value 2 -Type DWord 344 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" -Name "LetAppsActivateWithVoice" -Value 2 -Type DWord 345 | 346 | 347 | # Warning before applying firewall rules 348 | Write-Host "WARNING: The next steps involve modifying the firewall settings. This could impact network connectivity and application functionality." -ForegroundColor Red 349 | $continueFirewall = Read-Host "Do you want to continue with firewall modifications? (Y/N)" 350 | if ($continueFirewall -ne 'Y') { 351 | Write-Host "Firewall modification aborted by the user." 352 | } else { 353 | # Enable Windows Firewall for all profiles 354 | Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True 355 | 356 | # Enable Firewall Logging for the current profile 357 | $LogFilePath = "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log" 358 | Set-NetFirewallProfile -LoggingFileName $LogFilePath 359 | Set-NetFirewallProfile -LoggingMaxFileSize 4096 360 | Set-NetFirewallProfile -LoggingAllowed $True 361 | Set-NetFirewallProfile -LoggingBlocked $True 362 | 363 | # Block all inbound connections on Public profile 364 | Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block -DefaultOutboundAction Allow 365 | 366 | # Enable Windows Defender Network Protection 367 | Set-MpPreference -EnableNetworkProtection Enabled 368 | 369 | # Block specific Win32 binaries from making outbound connections 370 | $programs = @('notepad.exe', 'regsvr32.exe', 'calc.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'runscripthelper.exe', 'hh.exe', 'msiexec.exe') 371 | foreach ($program in $programs) { 372 | $ruleName = "Block $($program) network connections" 373 | $programPath = Join-Path $env:SystemRoot "system32\$program" 374 | New-NetFirewallRule -DisplayName $ruleName 
-Direction Outbound -Program $programPath -Action Block -Protocol TCP -Profile Any 375 | Write-Host "Firewall rule added: $ruleName" -ForegroundColor Green 376 | } 377 | 378 | } 379 | # Windows Privacy Settings, Logging, and more 380 | Write-Host "WARNING: We're about to remove pre-installed applications that Windows comes with by default. This action cannot be undone." -ForegroundColor Red 381 | $continue = Read-Host "Do you want to continue with the cleanup? (Y/N)" 382 | if ($continue -ne 'Y') { 383 | Write-Host "Operation aborted by the user." 384 | return 385 | } 386 | 387 | # Re-register all AppxPackages for all users in case it's needed for repair 388 | Get-AppxPackage -AllUsers | ForEach-Object { 389 | Write-Host "Re-registering package: $($_.Name)" 390 | Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml" -ErrorAction SilentlyContinue 391 | } 392 | 393 | # Define an array of AppxPackage names that are considered removable 394 | $removableApps = @( 395 | "Microsoft.BingWeather", "Microsoft.DesktopAppInstaller", "Microsoft.GetHelp", 396 | "Microsoft.Getstarted", "Microsoft.Messaging", "Microsoft.Microsoft3DViewer", 397 | "Microsoft.MicrosoftOfficeHub", "Microsoft.MicrosoftSolitaireCollection", 398 | "Microsoft.MicrosoftStickyNotes", "Microsoft.MixedReality.Portal", "Microsoft.Office.OneNote", 399 | "Microsoft.OneConnect", "Microsoft.Print3D", "Microsoft.SkypeApp", "Microsoft.Wallet", 400 | "Microsoft.WebMediaExtensions", "Microsoft.WebpImageExtension", "Microsoft.WindowsAlarms", 401 | "Microsoft.WindowsCamera", "microsoft.windowscommunicationsapps", "Microsoft.WindowsFeedbackHub", 402 | "Microsoft.WindowsMaps", "Microsoft.WindowsSoundRecorder", "Microsoft.Xbox.TCUI", 403 | "Microsoft.XboxApp", "Microsoft.XboxGameOverlay", "Microsoft.XboxGamingOverlay", 404 | "Microsoft.XboxIdentityProvider", "Microsoft.XboxSpeechToTextOverlay", "Microsoft.YourPhone", 405 | "Microsoft.ZuneMusic", "Microsoft.ZuneVideo", 
"Microsoft.WindowsFeedback", 406 | "Windows.ContactSupport", "PandoraMedia", "AdobeSystemIncorporated.AdobePhotoshop", 407 | "Duolingo", "Microsoft.BingNews", "Microsoft.Office.Sway", "Microsoft.Advertising.Xaml", 408 | "Microsoft.NET.Native.Framework.1.*", "Microsoft.Services.Store.Engagement", 409 | "ActiproSoftware", "EclipseManager", "SpotifyAB.SpotifyMusic", "king.com.*" 410 | ) 411 | 412 | # Loop through the array to remove each specified AppxPackage 413 | foreach ($appName in $removableApps) { 414 | Get-AppxPackage -AllUsers -Name $appName | ForEach-Object { 415 | Write-Host "Removing package: $($_.Name)" 416 | Remove-AppxPackage -Package $_.PackageFullName -ErrorAction SilentlyContinue 417 | } 418 | } 419 | 420 | Write-Host "Crapware removal process completed." -ForegroundColor Green 421 | 422 | # Set Windows Analytics to limited enhanced if enhanced is enabled 423 | New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Force | Out-Null 424 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "LimitEnhancedDiagnosticDataWindowsAnalytics" -Value 1 -Type DWord 425 | 426 | # Set Windows Telemetry to security only 427 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "AllowTelemetry" -Value 0 -Type DWord 428 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "MaxTelemetryAllowed" -Value 1 -Type DWord 429 | New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" -Force | Out-Null 430 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" -Name "ShowedToastAtLevel" -Value 1 -Type DWord 431 | 432 | # Disable location data 433 | New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore" -Force | Out-Null 434 | Set-ItemProperty -Path 
"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore" -Name "Location" -Value "Deny" -Type String 435 | 436 | # Prevent the Start Menu Search from providing internet results and using your location 437 | New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" -Force | Out-Null 438 | Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" -Name "BingSearchEnabled" -Value 0 -Type DWord 439 | Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" -Name "AllowSearchToUseLocation" -Value 0 -Type DWord 440 | Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" -Name "CortanaConsent" -Value 0 -Type DWord 441 | 442 | # Disable publishing of Win10 user activity 443 | New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Force | Out-Null 444 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name "PublishUserActivities" -Value 1 -Type DWord 445 | 446 | # Disable Windows GameDVR (Broadcasting and Recording) 447 | New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR" -Force | Out-Null 448 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR" -Name "AllowGameDVR" -Value 0 -Type DWord 449 | 450 | # Disable Microsoft consumer experience which prevents notifications of suggested applications to install 451 | New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent" -Force | Out-Null 452 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent" -Name "DisableWindowsConsumerFeatures" -Value 1 -Type DWord 453 | 454 | # Prevent toast notifications from appearing on lock screen 455 | New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" -Force | Out-Null 456 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" -Name "NoToastApplicationNotificationOnLockScreen" -Value 
1 -Type DWord 457 | 458 | # Turn off services we don't need 459 | # Define an array of service names to be stopped and disabled 460 | $nonNeededservices = @( 461 | "WpcMonSvc", "SharedRealitySvc", "Fax", "autotimesvc", "wisvc", "SDRSVC", 462 | "MixedRealityOpenXRSvc", "WalletService", "SmsRouter", "SharedAccess", "MapsBroker", "PhoneSvc", 463 | "ScDeviceEnum", "TabletInputService", "icssvc", "edgeupdatem", "edgeupdate", 464 | "MicrosoftEdgeElevationService", "RetailDemo", "MessagingService", "PimIndexMaintenanceSvc", 465 | "OneSyncSvc", "UnistoreSvc", "DiagTrack", "dmwappushservice", 466 | "diagnosticshub.standardcollector.service", "diagsvc", "WerSvc", "wercplsupport", 467 | "SCardSvr", "SEMgrSvc" 468 | ) 469 | 470 | # Loop through each service in the array 471 | foreach ($serviceName in $nonNeededservices) { 472 | Stop-Service $serviceName -ErrorAction SilentlyContinue 473 | Set-Service $serviceName -StartupType Disabled -ErrorAction SilentlyContinue 474 | Write-Host "Service $serviceName has been stopped and disabled." -ForegroundColor Cyan 475 | } 476 | 477 | $features = @( 478 | "TFTP", "TelnetClient", "WCF-TCP-PortSharing45", "SmbDirect", 479 | "Printing-XPSServices-Features", "WorkFolders-Client", "MSRDC-Infrastructure" 480 | ) 481 | 482 | foreach ($feature in $features) { 483 | dism /Online /Disable-Feature /FeatureName:$feature /NoRestart 484 | } 485 | 486 | $capabilities = @( 487 | "App.StepsRecorder*", "App.Support.QuickAssist*", "Browser.InternetExplore*", 488 | "Hello.Face*", "MathRecognizer*", "Microsoft.Windows.PowerShell.ISE*", "OpenSSH*", "Language.Handwriting" 489 | ) 490 | 491 | # Loop through each capability pattern in the array 492 | foreach ($capabilityPattern in $capabilities) { 493 | Get-WindowsCapability -Online | Where-Object { $_.Name -like $capabilityPattern } | ForEach-Object { 494 | Remove-WindowsCapability -Online -Name $_.Name -ErrorAction SilentlyContinue 495 | Write-Host "Capability $($_.Name) has been removed." 
-ForegroundColor Cyan 496 | } 497 | } 498 | 499 | # Disable specific tasks directly by their full path 500 | $tasksByFullPath = @( 501 | "\Microsoft\Windows\Application Experience\ProgramDataUpdater", 502 | "\Microsoft\Windows\Application Experience\StartupAppTask", 503 | "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" 504 | ) 505 | 506 | foreach ($taskPath in $tasksByFullPath) { 507 | $task = Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue 508 | if ($null -ne $task) { 509 | Disable-ScheduledTask -InputObject $task -ErrorAction SilentlyContinue 510 | Write-Host "Task at path $taskPath has been disabled." -ForegroundColor Cyan 511 | } 512 | } 513 | 514 | # Disable all tasks under a specific folder 515 | Get-ScheduledTask -TaskPath "\Microsoft\Windows\Customer Experience Improvement Program\" | Disable-ScheduledTask 516 | 517 | # Define an array of task names to be disabled 518 | $taskNames = @( 519 | "ProgramDataUpdater", "Proxy", "Consolidator", "Microsoft-Windows-DiskDiagnosticDataCollector", 520 | "MapsToastTask", "MapsUpdateTask", "FamilySafetyMonitor", "FODCleanupTask", 521 | "FamilySafetyRefreshTask", "XblGameSaveTask", "UsbCeip", "DmClient", "DmClientOnScenarioDownload" 522 | ) 523 | 524 | # Loop through each task name and disable it 525 | foreach ($taskName in $taskNames) { 526 | $task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue 527 | if ($null -ne $task) { 528 | Disable-ScheduledTask -InputObject $task -ErrorAction SilentlyContinue 529 | Write-Host "Task $taskName has been disabled." 
-ForegroundColor Cyan 530 | } 531 | } 532 | 533 | 534 | # Enable Advanced Windows Logging 535 | # Turn our logging up to 11, to make sure all the essentials are covered 536 | # Set Event Log Size 537 | wevtutil sl Security /ms:1024000 538 | wevtutil sl Application /ms:1024000 539 | wevtutil sl System /ms:1024000 540 | wevtutil sl "Windows PowerShell" /ms:1024000 541 | wevtutil sl "Microsoft-Windows-PowerShell/Operational" /ms:1024000 542 | 543 | # Enable command line data logging 544 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 545 | 546 | # Enable Advanced Audit Policy Configuration 547 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "SCENoApplyLegacyAuditPolicy" -Value 1 548 | 549 | # Enable PowerShell Logging 550 | New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell" -Force | Out-Null 551 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell" -Name "EnableModuleLogging" -Value 1 552 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell" -Name "EnableScriptBlockLogging" -Value 1 553 | 554 | # Enable Windows Event Detailed Logging 555 | $auditCategories = @( 556 | "Security Group Management", 557 | "Process Creation", 558 | "Logoff", 559 | "Logon", 560 | "Filtering Platform Connection", 561 | "Removable Storage", 562 | "SAM", 563 | "Filtering Platform Policy Change", 564 | "IPsec Driver", 565 | "Security State Change", 566 | "Security System Extension", 567 | "System Integrity" 568 | ) 569 | 570 | foreach ($category in $auditCategories) { 571 | if ($category -eq "Logoff" -or $category -eq "Filtering Platform Connection" -or $category -eq "SAM" -or $category -eq "Filtering Platform Policy Change") { 572 | $success = "enable" 573 | $failure = "disable" 574 | } else { 575 | $success = "enable" 576 | $failure = "enable" 577 | } 578 | auditpol /set 
/subcategory:"$category" /success:$success /failure:$failure 579 | } 580 | 581 | Write-Host "Windows Event Log and Auditing Policies are configured." -ForegroundColor Green 582 | 583 | # Optional Additional Security Lockdown Options 584 | # Summary of actions to be taken 585 | $actions = @" 586 | This script will apply the following security enhancements and configurations: 587 | 588 | 1. Enforce NTLMv2 and LM authentication to improve security in network authentication. 589 | 2. Prevent unencrypted passwords from being sent to third-party SMB servers to enhance security in file sharing. 590 | 3. Prevent guest logons to SMB servers to restrict unauthorized access. 591 | 4. Force SMB server signing to ensure the integrity of SMB communications. 592 | 5. Enable Windows Defender Application Guard to provide robust isolation for browsing sessions. 593 | 6. Enable Windows Defender Credential Guard to protect credential information from attacks. 594 | 7. Enable system-wide mitigations like DEP, CFG, ForceRelocateImages, BottomUp, and SEHOP to improve security posture against exploits. 595 | 8. Block execution of files unless they meet criteria such as prevalence, age, or being on a trusted list. 596 | 9. Enable Windows Defender real-time monitoring to provide continuous protection against malware. 597 | 10. Disable Internet Connection Sharing to prevent potential unauthorized network use. 598 | 11. Always re-process Group Policy for the latest updates and configurations. 599 | 12. Force logoff if a smart card is removed to secure sessions in environments using smart cards. 600 | 13. Restrict usage of privileged local admin tokens over the network to enhance security against lateral movement in domain environments. 601 | 14. Ensure outgoing secure channel traffic is encrypted to protect data in transit. 602 | 603 | Do you want to continue with these changes? 
(Y/N): 604 | "@ 605 | 606 | # Prompt the user for confirmation 607 | $continue = Read-Host -Prompt $actions 608 | 609 | if ($continue -eq 'Y') { 610 | # Applying configurations only if user confirms with 'Y' 611 | 612 | # Enforce NTLMv2 and LM authentication 613 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 5 -Type DWord 614 | 615 | # Prevent unencrypted passwords being sent to third-party SMB servers 616 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name "EnablePlainTextPassword" -Value 0 -Type DWord 617 | 618 | # Prevent guest logons to SMB servers 619 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" -Name "AllowInsecureGuestAuth" -Value 0 -Type DWord 620 | 621 | # Force SMB server signing 622 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" -Name "RequireSecuritySignature" -Value 1 -Type DWord 623 | 624 | # Enable Windows Defender Application Guard 625 | Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart 626 | 627 | # Enable Windows Defender Credential Guard 628 | $deviceGuardPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" 629 | New-ItemProperty -Path $deviceGuardPath -Name "EnableVirtualizationBasedSecurity" -Value 1 -PropertyType DWord -Force 630 | New-ItemProperty -Path $deviceGuardPath -Name "RequirePlatformSecurityFeatures" -Value 3 -PropertyType DWord -Force 631 | New-ItemProperty -Path $deviceGuardPath -Name "LsaCfgFlags" -Value 1 -PropertyType DWord -Force 632 | 633 | # Enable system-wide mitigations 634 | Set-ProcessMitigation -System -Enable DEP,CFG,ForceRelocateImages,BottomUp,SEHOP 635 | 636 | # Block execution of files based on criteria (Be cautious with this setting) 637 | Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-cd74-433a-b99e-2ecdc07bfc25 -AttackSurfaceReductionRules_Actions Enabled 
638 | 639 | # Enable Windows Defender real-time monitoring 640 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRealtimeMonitoring" -Value 0 -Type DWord -Force 641 | 642 | # Disable Internet Connection Sharing 643 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections" -Name "NC_ShowSharedAccessUI" -Value 0 -Type DWord -Force 644 | 645 | # Always re-process Group Policy 646 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" -Name "NoGPOListChanges" -Value 0 -Type DWord -Force 647 | 648 | # Force logoff if smart card removed 649 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "SCRemoveOption" -Value 2 -Type DWord -Force 650 | 651 | # Restrict privileged local admin tokens being used from network 652 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Value 0 -Type DWord -Force 653 | 654 | # Ensure outgoing secure channel traffic is encrypted 655 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "RequireSignOrSeal" -Value 1 -Type DWord -Force 656 | 657 | Write-Host "Additional security configurations have been applied successfully." -ForegroundColor Green 658 | } else { 659 | Write-Host "Operation aborted by the user." -ForegroundColor Red 660 | } 661 | 662 | # User prompt with a warning about PSExec requirement 663 | Write-Host "WARNING: This script will modify system policies that might affect PSExec functionality. If PSExec is required for your operations, consider selecting 'N'." -ForegroundColor Yellow 664 | $userConfirmation = Read-Host "Do you want to proceed with these changes? 
(Y/N)" 665 | 666 | if ($userConfirmation -eq 'Y') { 667 | # Convert REG commands to PowerShell commands 668 | Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Value 0 -Type DWord -Force 669 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint" -Name "Enabled" -Value 0 -Type DWord -Force 670 | Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint" -Name "RemoteAddresses" -Force -ErrorAction SilentlyContinue 671 | Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint" -Name "Enabled" -Value 0 -Type DWord -Force 672 | Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint" -Name "RemoteAddresses" -Force -ErrorAction SilentlyContinue 673 | 674 | Write-Host "System policies have been updated successfully." -ForegroundColor Green 675 | } else { 676 | Write-Host "Operation cancelled by the user." -ForegroundColor Red 677 | } 678 | 679 | 680 | Write-Host "All selected hardening tasks have been completed. Please review system functionality to ensure no critical operations are impacted." -ForegroundColor Green 681 | --------------------------------------------------------------------------------
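A read-back check for the settings Harden_PS.ps1 applies, added here as an example and not part of the repository's script. It assumes the registry paths and value names used in the script above and the stock Windows cmdlets (Get-NetFirewallProfile, Get-WindowsOptionalFeature, auditpol); it is meant to be run in an elevated Windows PowerShell 5.1 session after the post-hardening reboot, and reports every setting that is not in the expected state, so drift after a Group Policy refresh or a feature update is visible.

```powershell
# Added example (not from the Harden_PS.ps1 repository): read back the hardening
# settings and report which ones are not in the expected state.
# Run as an administrator after the reboot that follows the hardening script.

# Registry expectations: the value names match those set by the hardening script.
$expectedRegistry = @(
    @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient";                    Name = "EnableMulticast";                       Expected = 0 },
    @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters";         Name = "SMB1";                                  Expected = 0 },
    @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters";         Name = "RequireSecuritySignature";              Expected = 1 },
    @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa";                              Name = "RunAsPPL";                              Expected = 1 },
    @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa";                              Name = "LmCompatibilityLevel";                  Expected = 5 },
    @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest";        Name = "UseLogonCredential";                    Expected = 0 },
    @{ Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System";         Name = "LocalAccountTokenFilterPolicy";         Expected = 0 },
    @{ Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit";   Name = "ProcessCreationIncludeCmdLine_Enabled"; Expected = 1 },
    @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"; Name = "EnableScriptBlockLogging";              Expected = 1 },
    @{ Path = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon";             Name = "SCRemoveOption";                        Expected = "2" }
)

function Test-RegistryExpectation {
    param([hashtable]$Item)
    # Read the single value; a missing key or value yields $null rather than an error
    $actual = (Get-ItemProperty -Path $Item.Path -Name $Item.Name -ErrorAction SilentlyContinue).($Item.Name)
    [pscustomobject]@{
        Check    = "$($Item.Path.Split('\')[-1])\$($Item.Name)"
        Expected = $Item.Expected
        Actual   = if ($null -eq $actual) { "<missing>" } else { $actual }
        Pass     = ($null -ne $actual) -and ("$actual" -eq "$($Item.Expected)")
    }
}

$results = @(foreach ($item in $expectedRegistry) { Test-RegistryExpectation -Item $item })

# Optional features that must be gone (a registry value alone does not prove the feature is off)
foreach ($featureName in @("SMB1Protocol", "MicrosoftWindowsPowerShellV2")) {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName
    $results += [pscustomobject]@{ Check = "Feature $featureName"; Expected = "Disabled"; Actual = $feature.State; Pass = ($feature.State -eq "Disabled") }
}

# Firewall: every profile enabled and logging dropped connections
foreach ($fwProfile in Get-NetFirewallProfile) {
    $enabled = ($fwProfile.Enabled -eq "True")
    $logsBlocked = ($fwProfile.LogBlocked -eq "True")
    $results += [pscustomobject]@{ Check = "Firewall $($fwProfile.Name) enabled";      Expected = $true; Actual = $enabled;     Pass = $enabled }
    $results += [pscustomobject]@{ Check = "Firewall $($fwProfile.Name) logs blocked"; Expected = $true; Actual = $logsBlocked; Pass = $logsBlocked }
}

# RunAsPPL in the registry only takes effect after a reboot; Wininit event 12 in the System log
# ("LSASS.exe was started as a protected process") confirms LSA Protection is actually active.
$lsaEvent = Get-WinEvent -FilterHashtable @{ LogName = "System"; ProviderName = "Microsoft-Windows-Wininit"; Id = 12 } -MaxEvents 1 -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Check = "LSASS running as PPL (Wininit 12)"; Expected = "present"; Actual = $(if ($lsaEvent) { "present" } else { "absent" }); Pass = [bool]$lsaEvent }

# Audit policy: the subcategories the script turns on must report at least Success
foreach ($subcategory in @("Process Creation", "Logon", "Security Group Management", "Removable Storage")) {
    $line = auditpol /get /subcategory:"$subcategory" /r | ConvertFrom-Csv | Select-Object -First 1
    $setting = $line.'Inclusion Setting'
    $results += [pscustomobject]@{ Check = "Audit $subcategory"; Expected = "Success*"; Actual = $setting; Pass = ($setting -like "Success*") }
}

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass })
Write-Host ("{0} checks, {1} failed" -f $results.Count, $failed.Count) -ForegroundColor $(if ($failed.Count) { "Red" } else { "Green" })
```

The registry table deliberately includes SCRemoveOption as the string "2" and compares every value as a string, because a DWORD written where Windows expects a REG_SZ (or the reverse) is one of the most common reasons a hardening setting silently does nothing. The Wininit event check matters for the same reason: RunAsPPL=1 in the registry is only an intention until LSASS has been restarted under it.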