From 662b7b9e870bd91aecb9627c2a0fe0b5cd91d87a Mon Sep 17 00:00:00 2001 From: Tommy Date: Thu, 18 Apr 2024 01:29:42 -0700 Subject: [PATCH] More security improvements Signed-off-by: Tommy --- .../Default Domain Policy/Security Options.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/Group Policies Objects/Default Domain Policy/Security Options.md b/Group Policies Objects/Default Domain Policy/Security Options.md index 18a7acc..a606c73 100644 --- a/Group Policies Objects/Default Domain Policy/Security Options.md +++ b/Group Policies Objects/Default Domain Policy/Security Options.md 
@@ -6,7 +6,14 @@ Documentation: https://learn.microsoft.com/en-us/windows/security/application-se - Domain controller: LDAP server signing requirements: Require signing (**Follow this guide to setup LDAPS if you do not have key server: https://www.dvolve.net/blog/2019/12/using-lets-encrypt-for-active-directory-domain-controller-certificates/**) - Domain controller: LDAP server channel binding token requirements: Always +- Microsoft network client: Digitally sign communications: Always - Network security: LDAP client signing requirements: Require signing -- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode -> Prompt for credentials +- Shutdown: Clear virtual memory pagefile -> Enabled +- User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop -> Disabled +- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode -> Prompt for credentials on the secure desktop +- User Account Control: Behavior of the elevation prompt for standard users -> Prompt for credentials on the secure desktop - User Account Control: Only elevate executables that are signed and validated -> Enabled -- User Account Control: Switch to the secure desktop when prompting for elevation -> Enabled (Docs says it is enabled by default, but it is off on my Parallels VM somehow) \ No newline at end of file +- User Account Control: Only elevate UIAccess applications that are installed in secure locations -> Enabled +- User Account Control: Run all administrators in Admin Approval Mode +- User Account Control: Switch to the secure desktop when prompting for elevation -> Enabled +- User Account Control: Virtualize file and registry write failures to per-user locations -> Enabled \ No newline at end of file
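Review bot: The added line "User Account Control: Run all administrators in Admin Approval Mode" states no value, while every other UAC entry in this hunk ends in "-> Enabled" or "-> Disabled". Write it as "-> Enabled", since the two elevation-prompt settings added just above it only take effect when Admin Approval Mode is on. The added "Microsoft network client: Digitally sign communications: Always" line also departs from the list's "name -> value" form. The policy is named "Microsoft network client: Digitally sign communications (always)" and is set to Enabled, so "... (always) -> Enabled" would match what an administrator sees in the editor. Finally, the commit subject "More security improvements" does not say which settings changed. A line noting the SMB signing, pagefile and UAC additions would make the history searchable.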