mirror of
https://github.com/TommyTran732/Windows-Setup.git
synced 2024-11-22 16:11:45 -05:00
Compare commits: 588b7fac36 ... f17eb8444f (12 commits)

SHA1:
- f17eb8444f
- ce60c9a690
- 426bf0c995
- ddefee6de0
- c76835ff6a
- dd77093efe
- 03da21e143
- c32321e46d
- 947c1078c2
- 4b89e17eb5
- 662b7b9e87
- cfce55dd5d
@ -0,0 +1,5 @@
# Lanman Workstation
`Computer Configuration\Policies\Administrative Templates\Network\Lanman Workstation`
- Enable insecure guest logons -> Disabled
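Review bot: the policy path in this new file, `Computer Configuration\Policies\Administrative Templates\Network\Lanman Workstation`, includes the `Policies\` segment, while the Defender paths elsewhere in this change start with `Computer Configuration\Administrative Templates\...`; pick one convention so every path can be followed verbatim in the Group Policy editor. A one-line rationale under `- Enable insecure guest logons -> Disabled`, in the style of the Attack Surface Reduction section, would also help: with the setting disabled the SMB client refuses shares that fall back to unauthenticated guest access, and guest sessions are exactly the case where SMB signing and encryption cannot protect the connection.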
@ -15,6 +15,14 @@
- Configure Controlled folder access -> Enabled -> Block
- Configure Controlled folder access -> Enabled -> Block
## Attack Surface Reduction
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack surface reduction`
- Configure Attack Surface Reduction rules -> Add all rules from the [GUID Matrix](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#asr-rule-to-guid-matrix) except `01443614-cd74-433a-b99e-2ecdc07bfc25`. Set their value to 1.
Rationale: `01443614-cd74-433a-b99e-2ecdc07bfc25` depends on Microsoft Cloud Protection (MAPS). The only place where I use MAPS is my gaming machine, and it needs to be able to run not-so-reputable programs anyways.
## MpEngine
## MpEngine
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine`
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine`
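Review bot: `Set their value to 1` on the `Configure Attack Surface Reduction rules` line should say what the number means; in this policy each rule GUID is paired with a mode value where 0 is Off, 1 is Block, 2 is Audit and 6 is Warn, so writing `1 (Block)` saves the reader a lookup. It is also worth documenting an audit pass (value 2) before switching every rule to Block, because enforced ASR rules can stop legitimate line-of-business software and the page lists no exclusions. The rationale for leaving out `01443614-cd74-433a-b99e-2ecdc07bfc25` is correct, that rule does depend on cloud-delivered protection, and it is good that the reason is written next to the setting.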
@ -4,7 +4,30 @@ Documentation: https://learn.microsoft.com/en-us/windows/security/application-se
`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options`
`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options`
- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode -> Prompt for credentials
(**Follow this guide to setup LDAPS if you do not have key server: https://www.dvolve.net/blog/2019/12/using-lets-encrypt-for-active-directory-domain-controller-certificates/**)
- Accounts: Block Microsoft accounts -> Users can't add or log on with Microsoft accounts
- Accounts: Guest account status -> Disabled
- Devices: Prevent users from installing printer drivers -> Enabled
- Domain controller: LDAP server signing requirements: Require signing
- Domain controller: LDAP server channel binding token requirements: Always
- Domain member: Digitally encrypt or sign secure channel data (always) -> Enabled
- Domain member: Require strong (Windows 2000 or later) session key -> Enabled
- Microsoft network client: Digitally sign communications (always) -> Enabled
- Microsoft network server: Digitally sign communications (always) -> Enabled
- Network access: Allow anonymous SID/Name translation -> Disabled
- Network security: Do not store LAN Manager hash value on next password change -> Enabled
- Network security: Force logoff when logon hours expire -> Disabled
- Network security: LDAP client signing requirements: Require signing
- Network security: Restrict NTLM: Incoming NTLM traffic -> Deny all accounts
- Network security: Restrict NTLM: NTLM authentication in this domain -> Deny all
- Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers -> Deny all
- Shutdown: Clear virtual memory pagefile -> Enabled
- User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop -> Disabled
- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode -> Prompt for credentials on the secure desktop
- User Account Control: Behavior of the elevation prompt for standard users -> Prompt for credentials on the secure desktop
- User Account Control: Only elevate executables that are signed and validated -> Enabled
- User Account Control: Only elevate executables that are signed and validated -> Enabled
- User Account Control: Switch to the secure desktop when prompting for elevation -> Enabled (Docs says it is enabled by default, but it is off on my Parallels VM somehow)
- User Account Control: Only elevate UIAccess applications that are installed in secure locations -> Enabled
- Network security: LDAP client signing requirements: Require signing (**Follow this guide to setup LDAPS if you do not have key server: https://www.dvolve.net/blog/2019/12/using-lets-encrypt-for-active-directory-domain-controller-certificates/**)
- User Account Control: Run all administrators in Admin Approval Mode
- User Account Control: Switch to the secure desktop when prompting for elevation -> Enabled
- User Account Control: Virtualize file and registry write failures to per-user locations -> Enabled
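Review bot: `- User Account Control: Run all administrators in Admin Approval Mode` is the only entry in this list with no value after it; it should read `-> Enabled`, otherwise a reader cannot tell whether the setting is being configured or merely mentioned. Two smaller points in the same hunk: the three LDAP entries (`LDAP server signing requirements: Require signing`, `LDAP server channel binding token requirements: Always`, `LDAP client signing requirements: Require signing`) separate name and value with a colon where every other line uses `->`; and the three `Restrict NTLM ... -> Deny all` lines are the settings most likely to break something, so a short note beside them that the matching `Restrict NTLM: Audit ...` policies in the same Security Options node can be enabled first to see what still authenticates with NTLM, and that the NTLM exception-list policies exist for anything that cannot move to Kerberos, would make the list safer to apply as written.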
6
Group Policies Objects/Default Domain Policy/Services.md
Normal file
@ -0,0 +1,6 @@
# Services
`Computer Configuration\Preferences\Control Panel Settings\Services`
- Startup: Disabled -> Service name: Webclient -> Service action: Stop service
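Review bot: the preference item `Service name: Webclient` would be easier to check against `Get-Service` output if it used the service's registered name, `WebClient`, and the entry gives no reason for stopping the service; a rationale line in the style of the Attack Surface Reduction section (WebClient is the WebDAV redirector, which lets the machine authenticate to HTTP paths presented as file shares) would help whoever maintains this later. Note also that a Services preference item with `Startup: Disabled` and `Service action: Stop service` is re-applied on each Group Policy refresh but is not an enforced policy setting, so a local administrator can start the service again between refreshes.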
1
Scripts/DisableSMB1.ps1
Normal file
@ -0,0 +1 @@
Set-SmbServerConfiguration -EnableSMB1Protocol $false
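Review bot: `Set-SmbServerConfiguration -EnableSMB1Protocol $false` asks for confirmation when run without `-Force`, and a Group Policy startup script has nobody to answer that prompt, so the setting may silently never apply; add `-Force`. The cmdlet also only switches off the server side of SMB1. The README note in this same change says SMB1 "shouldn't be installed anyways", which refers to the optional Windows feature, so either the script should also remove that feature, for example with `Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart`, or the README should say that the script only disables server-side SMB1.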
@ -1,4 +1,8 @@
# Scripts
# Scripts
- Put these in your NETLOGON directory
- Put these in your NETLOGON directory
- In group policy objects, select the object you want to edit -> Computer Configuration -> Windows Setings -> Scripts -> Startup -> PowerShell Script, and add the scripts you want to use. Personally, I use all of these scripts in my Default Domain Policy object.
- In group policy objects, select the object you want to edit -> Computer Configuration -> Windows Setings -> Scripts -> Startup -> PowerShell Script, and add the scripts you want to use. Personally, I use all of these scripts in my Default Domain Policy object.
## Notes
- The DisableSMB1.ps1 script is not stricly necessary as SMB1 shouldn't be installed anyways. It's just there for extra assurances.
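Review bot: the new note line has a typo, `stricly` should be `strictly`, and its claim is slightly off: "installed" refers to the SMB1 optional feature, while `DisableSMB1.ps1` only turns off the SMB1 server protocol flag, so the note should say which of the two the script covers. While this file is being edited, `Windows Setings` in the unchanged line above should be `Windows Settings`.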