- Use a separate local admin account
- Use BitLocker with Enhanced PIN
- Enable Windows Defender
- Disable SMBv1
- Check Status:
Get-WindowsOptionalFeature -Online -FeatureName smb1protocol - Disable:
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
- Check Status:
- Set Account Lockout Policy\Account lockout duration to 15 or more minute(s)
- Set Account Lockout Policy\Account lockout threshold to 10 or fewer invalid logon attempt(s), but not 0
- Set Account Lockout Policy\Reset account lockout counter after to 15 or more minute(s)
- Audit account logon events: Failure
- Audit account management: Success and Failure
- Audit directory service access: No auditing
- Audit logon events: Failure
- Audit object access: Failure
- Audit policy change: Success and Failure
- Audit privilege use: Success and Failure
- Audit process tracking: No auditing
- Audit system events: Success and Failure
- Set Access this computer from the network to Administrators
- Set Allow log on locally to Administrators, Users
- Remove Administrators from Debug programs (SeDebugPrivilege)
- Set Deny access to this computer from the network to include Guests, Local account
- Set Deny log on as a batch job to include Guests
- Set Deny log on as a service to include Guests
- Set Deny log on through Remote Desktop Services to include Guests, Local account
- Set Accounts: Block Microsoft accounts to Users can't add or log on with Microsoft accounts
- Set Interactive logon: Do not require CTRL+ALT+DEL to Disabled
- Set Interactive logon: Don't display last signed-in to Enabled
- Set Interactive logon: Don't display username at sign-in to Enabled
- Set Microsoft network client: Digitally sign communications (always) to Enabled
- Set Microsoft network client: Digitally sign communications (if server agrees) to Enabled
- Set Microsoft network server: Digitally sign communications (always) to Enabled
- Set Microsoft network server: Digitally sign communications (if client agrees) to Enabled
- Set Network access: Do not allow anonymous enumeration of SAM accounts and shares to Enabled
- Set Network access: Do not allow storage of passwords and credentials for network authentication to Enabled
- Set Network security: Allow LocalSystem NULL session fallback to Disabled
- Set Network security: LAN Manager authentication level to Send NTLMv2 response only. Refuse LM & NTLM
- Set Network security: LDAP client signing requirements to Negotiate signing
- Set Network security: Minimum session security for NTLM SSP based (including secure RPC) clients to Require NTLMv2 session security, Require 128-bit encryption
- Set Network security: Minimum session security for NTLM SSP based (including secure RPC) servers to Require NTLMv2 session security, Require 128-bit encryption
- Set Network security: Restrict NTLM: Audit Incoming NTLM Traffic to Enable auditing for all accounts
- Set Network security: Restrict NTLM: Audit NTLM authentication in this domain to Enable all
- Set Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Audit all
- Set Shutdown: Allow system to be shut down without having to log on to Disabled
- Set User Account Control: Admin Approval Mode for the Built-in Administrator account to Enabled
- Set User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode to Prompt for consent on the secure desktop
- Set User Account Control: Behavior of the elevation prompt for standard users to Prompt for credentials on the secure desktop
- Firewall State: On
- Inbound Connections: Block
- Outbound Connections: Allow
- Size limit: 16384
- Log dropped packets: Yes
- Log successful connections: Yes
- Account Logon\Audit Credential Validation: Success and Failure
- Account Management\Audit Security Group Management: Success
- Account Management\Audit User Account Management: Success and Failure
- Detailed Tracking\Audit PNP Activity: Success
- Detailed Tracking\Audit Process Creation: Success
- Logon/Logoff\Audit Account Lockout: Failure
- Logon/Logoff\Audit Group Membership: Success
- Logon/Logoff\Audit Logon: Success and Failure
- Logon/Logoff\Audit Other Logon/Logoff Events: Success and Failure
- Logon/Logoff\Audit Special Logon: Success
- Object Access\Audit Detailed File Share: Failure
- Object Access\Audit File Share: Success and Failure
- Object Access\Kernel Object: Success and Failure
- Object Access\Audit Other Object Access Events: Success and Failure
- Object Access\Audit Removable Storage: Success and Failure
- Object Access\Audit SAM: Success and Failure
- Policy Change\Audit Audit Policy Change: Success
- Policy Change\Audit Authentication Policy Change: Success
- Policy Change\Audit MPSSVC Rule-Level Policy Change: Success and Failure
- Policy Change\Audit Other Policy Change Events: Failure
- Privilege Use\Audit Sensitive Privilege Use: Success and Failure
- System\Audit Other System Events: Success and Failure
- System\Audit Security State Change: Success
- System\Audit Security System Extension: Success
- System\Audit System Integrity: Success and Failure
- Set Prevent enabling lock screen camera to Enabled
- Set DNS Client\Turn off multicast name resolution (LLMNR) to Enabled
- Set Lanman Workstation\Enable insecure guest logons to Disabled
- Set Turn off Microsoft Peer-to-Peer Networking Services to Enabled
- Set WLAN Service\WLAN Settings\Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services to Disabled
- Set Turn off notifications network usage to Enabled
- Set Credentials Delegation\Allow delegation default credentials to Disabled (tspkg)
- Set Credentials Delegation\Encryption Oracle Remediation to Enabled: Force Updated Clients
- Set Device Installation Restrictions\Prevent installation of devices that match any of these device IDs to Enabled
- Set Also apply to matching devices that are already installed to True
- Device ID = PCI\CC_0C0010 (Plug and Play compatible ID for a 1394 controller)
- Device ID = PCI\CC_0C0A (Plug and Play compatible ID for a Thunderbolt controller)
Note: Not required if Kernel DMA protection is active (check with
msinfo32.exe)
- Set Device Installation Restrictions\Prevent installation of devices using drivers that match these device setup classes to Enabled
- Set Also apply to matching devices that are already installed to True
- GUID = {d48179be-ec20-11d1-b6b8-00c04fa372a7} (Plug and Play device setup class GUID for an SBP-2 drive)
Warning: Besides Virtualization Based Security, no other virtualization solution like VMware Workstation can be used at the moment.
- Set Turn On Virtualization Based Security to Enabled
- Set Select Plattform Security Level to Secure Boot and DMA Protection
- Set Virtualization Based Protection of Code Integrity to Enabled with UEFI lock
- Set Credential Guard Configuration to Enabled with UEFI lock
- Set Secure Lunch Configuration to Enabled
- Set Boot-Start Driver Initialization Policy to Good, unknown and bad but critical
- Set Configure registry policy processing To Enabled
- Set Process even if the Group Policy objects have not changed to True
- Set Do not apply during periodic background processing to False
- Set Internet Communication settings\Turn off the Windows Messenger Customer Experience Improvement Program to Enabled
- Set Internet Communication settings\Turn off downloading of print drivers over HTTP to Enabled
- Set Internet Communication settings\Turn off Windows Error Reporting to Enabled
- Set Internet Communication settings\Turn off Internet download for Web publishing and online ordering wizards to Enabled
- Set Internet Communication settings\Turn off Windows Customer Experience Improvement Program to Enabled
- Set Enumeration policy for external devices incompatible with Kernel DMA Protection to Block all
- Set Turn on convenience PIN sign-in to Disabled
- Set Turn off app notifications on the lock screen to Enabled
- Set Do not display network selection UI to Enabled
- Set Untrusted Font Blocking to Block untrusted fonts and log events
- Set Allow Clipboard synchronization across devices to Disabled
- Set Sleep Settings\Require a password when a computer wakes (plugged in) to Enabled
- Set Sleep Settings\Allow standby states (S1-S3) when sleeping (on battery) to Disabled
- Set Allow standby states (S1-S3) when sleeping (plugged in) to Disabled
- Set Require a password when a computer wakes (on battery) to Enabled
- Set Configure Offer Remote Assistance to Disabled
- Set Configure Solicited Remote Assistance to Disabled
- Set Enable RPC Endpoint Mapper Client Authentication to Enabled
- Set Restrict Unauthenticated RPC clients to Enabled: Authenticated without exceptions
- Set Security Settings\Enable svchost.exe mitigation options to Enabled
- Set Windows Performance PerfTrack\Enable/Disable PerfTrack to Disabled
- Set Turn of the advertising ID to Enabled
- Set Enable Windows NTP Client to Enabled
- Set Enable Windows NTP Server to Disabled
- Set Allow a Windows app to share application data between users to Disabled
- Set Let Windows apps activate with voice while the system is locked to Enabled: Force Deny
- Set Block launching Windows Store apps with Windows Runtime API access from hosted content. to Enabled
- Set Turn off Application Telemetry to Enabled
- Set Turn off Autoplay to Enabled: All drives
- Set Disallow Autoplay for non-volume devices to Enabled
- Set Set the default behavior for AutoRun to Enabled: Do not execute any autorun commands
- Set Allow the use of biometrics to Disabled
- Set Disable new DMA devices when this computer is locked to Enabled
- Set Operating System Drives\Allow Secure Boot for integrity validation to Enabled
- Set Operating System Drives\Require additional authentication at startup to Enabled
- Set Allow BitLocker without a compatible TPM to False
- Set Configure TPM startup to Do not allow TPM
- Set Configure TPM startup PIN to Require startup PIN with TPM
- Set Configure TPM startup key to Do not allow startup key with TPM
- Set Configure TPM startup key and PIN to Do not allow startup key and PIN with TPM
- Set Operating System Drives\Allow enhanced PINs for startup to Enabled
- Set Configure use of hardware-based encryption for operating system drives to Enabled
- Set Use BitLocker software-based encryption when hardware encryption is not available to True
- Set Do not show Windows tips to Enabled
- Set Turn off Microsoft consumer experiences to Enabled
- Set Do not display the password reveal button to Enabled
- Set Require trusted path for credential entry to Enabled
- Set Enumerate administrator accounts on elevation to Disabled
- Set Allow Telemetry to Enabled: 0 - Security [Enterprise Only] or Enabled: 1 - Basic
- Set Allow device name to be sent in Windows diagnostic data to Disabled
- Set Download Mode to Disabled
- Set Application\Specify the maximum log file size (KB) to Enabled: 32768
- Set Security\Specify the maximum log file size (KB) to Enabled: 196608
- Set System: Specify the maximum log file size (KB) to Enabled: 32768
- Set Allow the use of remote paths in file shortcut icons to Disabled
- Set Configure Windows Defender SmartScreen to Enabled: Warn and prevent bypass
- Set Prevent the computer from joining a homegroup to Enabled
- Set Prevent the usage of OneDrive for file storage to Enabled
- Set Remote Desktop Connection Client\Do not allow passwords to be saved to Enabled
- Set Remote Desktop Session Host\Connections\Allow users to connect remotely by using Remote Desktop Services to Disabled
- Set Remote Desktop Session Host\Device and Resource Redirection\Do not allow drive redirection to Enabled
- Set Remote Desktop Session Host\Security\Always prompt for password upon connection to Enabled
- Set Remote Desktop Session Host\Security\Require secure RPC communication to Enabled
- Set Remote Desktop Session Host\Security\Set client connection encryption level to High Level
- Set Allow Cloud Search to Disabled
- Set Allow Cortana to Disabled
- Set Allow Cortana above lock screen to Disabled
- Set Allow indexing of encrypted files to Disabled
- Set Allow search and Cortana to use location to Disabled
- Set Set what information is shared in Search to Enabled: Anonymous info
- Set Turn off Windows Defender Antivirus to Disabled
- Set Configure detection for potentially unwanted applications to Audit Mode
- Set Windows Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules to Enabled
- Apply these rules (Set 'Value' to '1' (Block Mode)
- be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - Block executable content from email client and webmail
- d4f940ab-401b-4efc-aadc-ad5f3c50688a - Block Office applications from creating child processes
- 3b576869-a4ec-4529-8536-b80a7769e899 - Block Office applications from creating executable content
- 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 - Block Office applications from injecting into other processes
- d3e037e1-3eb8-44c8-a917-57927947596d - Impede JavaScript and VBScript to launch executables
- 5beb7efe-fd9a-4556-801d-275e5ffc04cc - Block execution of potentially obfuscated scripts
- 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b - Block Win32 imports from Macro code in Office
- 01443614-cd74-433a-b99e-2ecdc07bfc25 - Block executable files from running unless they meet a prevalence, age, or trusted list criteria
- c1db55ab-c21a-4637-bb3f-a12568109d35 - Use advanced protection against ransomware
- 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 - Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- d1e49aac-8f56-4280-b9ba-993a6d77406c - Block process creations originating from PSExec and WMI commands
- b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 - Block untrusted and unsigned processes that run from USB
- 26190899-1602-49e8-8b27-eb1d0a1ce869 - Block Office communication applications from creating child processes
- 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c - Block Adobe Reader from creating child processes
- e6db77e5-3df2-4cf1-b95a-636979351e5b - Block persistence through WMI event subscription
- Set Explorer\Configure Windows Defender SmartScreen to Enabled: Warn and prevent bypass
- Set Disable Windows Error Reporting to Enabled
- Set Enables or disables Windows Game Recording and Broadcasting to Disabled
- Set Allow Windows Ink Workspace to Disabled
- Set Always install with elevated privileges to Disabled
- Set Allow user control over installs to Disabled
- Set Prevent Internet Explorer security prompt for Windows Installer scripts to Disabled
- Set Sign-in and lock last interactive user automatically after a restart to Disabled
- Set Turn on PowerShell Script Block Logging to Enabled
- Set Turn on PowerShell Transcription to Enabled
- Set WinRM Client\Allow Basic authentication to Disabled
- Set WinRM Client\Allow unencrypted traffic to Disabled
- Set WinRM Client\Disallow Digest authentication to Enabled
- Set WinRM Service\Allow remote server management through WinRM to Disabled
- Set WinRM Service\Allow Basic authentication to Disabled
- Set WinRM Service\Allow unencrypted traffic to Disabled
- Set WinRM Service\Disallow WinRM from storing RunAs credentials to Enabled
- Set Allow Remote Shell Access to Disabled
- Set Turn off toast notifications on the lock screen to Enabled
- Set Internet Communication Settings\Turn off Help Experience Improvement Program to Enabled
- Set Do not use diagnostic data for tailored experiences to Enabled
- Set Do not suggest third-party content in Windows spotlight to Enabled
- Set Always install with elevated privileges to Disabled
- Set NetBT NodeType configuration to P-node
- Add NodeType=dword:00000002 to HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
- Set WDigest Authentication to Disabled
- Add UseLogonCredential=dword:00000000 to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
- Set LSASS Audit Mode to Enabled
- Add AuditLevel=dword:00000008 to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe
- Set LSASS Protection Mode to Enabled
- Add RunAsPPL=dword:00000001 to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Apply the following registry settings for your main/working user(s)
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options\WordMail]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options\WordMail]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options\WordMail]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\Options]
"DisableEmbeddedFiles"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\OneNote\Options]
"DisableEmbeddedFiles"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Options]
"DontUpdateLinks"=dword:00000001
"DDEAllowed"=dword:00000000
"DDECleaned"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Options]
"DontUpdateLinks"=dword:00000001
"DDEAllowed"=dword:00000000
"DDECleaned"=dword:00000001
"Options"=dword:00000117
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options]
"DontUpdateLinks"=dword:00000001
"DDEAllowed"=dword:00000000
"DDECleaned"=dword:00000001
"Options"=dword:00000117
- Set Show notification on the lock screen to Off (Already managed by Group policy)
- Set Show reminders and incoming VoIP calls on the lock screen to Off
- Set Show me the Windows welcome experience after updates and occasionally when I sign in to highlight what's new and suggested to Off
- Set Get tips, tricks, and suggestions as you use Windows to Off
- Set Shared across devices to Off
- Set Clipboard history to Off
- Set Sync across devices to Off (Already managed by Group policy)
- Set Autocorrect misspelled words to Off
- Set Use AutoPlay for all media and devices to Off
- Set Random hardware addresses to On
- Set Let me use Online Sign-Up to get connected to Off
- Go to Change Adapter Options
- Disable File and Printer Sharing for Microsoft Networks for each adapter
- Disable NetBIOS in Advanced TCP/IP Settings for each adapter
- Set Get fun facts, tips, tricks, and more on your lock screen to Off
- Set Show more tiles on Start to Off
- Set Show suggestions occasionally in Start to Off
- Set Windows Cloud Search to Off
The basic recommendation is to deactivate all access. However, this should not limit the functionality, e.g. if an app needs the microphone, access should be granted. Be careful with the settings for background apps as well, disabling anything can lead to unexpected behaviour.
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set Diagnostic data to Basic (Already managed by Group policy)
- Set Improve inking and typing to Off (Already managed by Group policy)
- Set Tailored experiences to Off
- Set View diagnostic data to Off
- Set Windows should ask for my feedback to Never
- Set Recommended troubleshooting to Ask me before fixing problems
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set Allow downloads to Do not allow
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set Allow downloads from other PCs to Off
- Set Cloud-delivered protection to On (only works if Join MAPS is not disabled)
- Set Automatic sample submission to Off
- Set Controlled folder access to On
- Install Sysmon
- Use your own configuration, mine is based on SwiftOnSecurity/sysmon-config
Add the following rules to Computer Configuration\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security
- GPO-Block-TCP-NetBIOS
- Custom Rule
- All programs
- Protocol: TCP
- Local ports: 137-139
- Any IP addresses
- Block
- All profiles
- GPO-Block-TCP-RDP
- Custom Rule
- All programs
- Protocol: TCP
- Local ports: 3389
- Any IP addresses
- Block
- All profiles
- GPO-Block-TCP-RPC
- Custom Rule
- All programs
- Protocol: TCP
- Local ports: 135, 593
- Any IP addresses
- Block
- All profiles
- GPO-Block-TCP-SMB
- Custom Rule
- All programs
- Protocol: TCP
- Local ports: 445
- Any IP addresses
- Block
- All profiles
- GPO-Block-TCP-WinRM
- Custom Rule
- All programs
- Protocol: TCP
- Local ports: 5985, 5986
- Any IP addresses
- Block
- All profiles
- GPO-Block-UDP-NetBIOS
- Custom Rule
- All programs
- Protocol: UDP
- Local ports: 137-139
- Any IP addresses
- Block
- All profiles
- GPO-Block-UDP-RPC
- Custom Rule
- All programs
- Protocol: UDP
- Local ports: 135, 593
- Any IP addresses
- Block
- All profiles
- GPO-Block-TCP-VMware-HTTPS
- Custom Rule
- All programs
- Protocol: TCP
- Local ports: 443
- Any IP addresses
- Block
- All profiles
- GPO-Block-TCP-VMware-authd
- Custom Rule
- All programs
- Protocol: TCP
- Local ports: 902, 912
- Any IP addresses
- Block
- All profiles
Quote @cryps1s: While not the most glamorous of defensive strategies, those applications are commonly abused by default behaviors for process migration and injection techniques.
- GPO-Block-calc
- Custom Rule
- %SystemRoot%\System32\calc.exe
- Any protocols
- Any ports
- Any IP addresses
- Block
- All profiles
- GPO-Block-calc
- Custom Rule
- %SystemRoot%\Syswow64\calc.exe
- Any protocols
- Any ports
- Any IP addresses
- Block
- All profiles
- GPO-Block-certutil
- Custom Rule
- %SystemRoot%\System32\certutil.exe
- Any protocols
- Any ports
- Any IP addresses
- Block
- All profiles
- GPO-Block-certutil
- Custom Rule
- %SystemRoot%\Syswow64\certutil.exe
- Any protocols
- Any ports
- Any IP addresses
- Block
- All profiles
- GPO-Block-conhost
- Custom Rule
- %SystemRoot%\System32\conhost.exe
- Any protocols
- Any ports
- Any IP addresses
- Block
- All profiles
- GPO-Block-conhost
- Custom Rule
- %SystemRoot%\Syswow64\conhost.exe
- Any protocols
- Any ports
- Any IP addresses
- Block
- All profiles
- GPO-Block-cscript
- Custom Rule
- %SystemRoot%\System32\cscript.exe
- Any protocols
- Any ports
- Any IP addresses
- Block
- All profiles
- GPO-Block-cscript
- Custom Rule
- %SystemRoot%\Syswow64\cscript.exe
- Any protocols
- Any ports
- Any IP addresses
- Block
- All profiles
- GPO-Block-mshta
- Custom Rule
- %SystemRoot%\System32\mshta.exe
- Any protocols
- Any ports
- Any IP addresses
- Block
- All profiles
- GPO-Block-mshta
- Custom Rule
- %SystemRoot%\Syswow64\mshta.exe
- Any protocols
- Any ports
- Any IP addresses
- Block
- All profiles
- GPO-Block-notepad
- Custom Rule
- %SystemRoot%\System32\notepad.exe
- Any protocols
- Any ports
- Any IP addresses
- Block
- All profiles
- GPO-Block-notepad
- Custom Rule
- %SystemRoot%\Syswow64\notepad.exe
- Any protocols
- Any ports
- Any IP addresses
- Block
- All profiles
- GPO-Block-RunScriptHelper
- Custom Rule
- %SystemRoot%\System32\RunScriptHelper.exe
- Any protocols
- Any ports
- Any IP addresses
- Block
- All profiles
- GPO-Block-RunScriptHelper
- Custom Rule
- %SystemRoot%\Syswow64\RunScriptHelper.exe
- Any protocols
- Any ports
- Any IP addresses
- Block
- All profiles
- GPO-Block-wscript
- Custom Rule
- %SystemRoot%\System32\wscript.exe
- Any protocols
- Any ports
- Any IP addresses
- Block
- All profiles
- GPO-Block-wscript
- Custom Rule
- %SystemRoot%\Syswow64\wscript.exe
- Any protocols
- Any ports
- Any IP addresses
- Block
- All profiles