mirror of https://github.com/TommyTran732/Windows-Setup.git synced 2024-11-23 00:21:43 -05:00

Compare commits


12 Commits

Author SHA1 Message Date
f17eb8444f
More security options
Signed-off-by: Tommy <contact@tommytran.io>
2024-04-26 01:37:34 -07:00
ce60c9a690
Disable NTLM
Signed-off-by: Tommy <contact@tommytran.io>
2024-04-26 01:34:13 -07:00
426bf0c995
Fix file name
Signed-off-by: Tommy <contact@tommytran.io>
2024-04-26 00:14:24 -07:00
ddefee6de0
Add ASR rules
Signed-off-by: Tommy <contact@tommytran.io>
2024-04-26 00:06:19 -07:00
c76835ff6a
Add additional security options
Signed-off-by: Tommy <contact@tommytran.io>
2024-04-25 23:34:02 -07:00
dd77093efe
Move disclaimer up
Signed-off-by: Tommy <contact@tommytran.io>
2024-04-18 02:42:03 -07:00
03da21e143
Disable WebDAV
Signed-off-by: Tommy <contact@tommytran.io>
2024-04-18 02:34:43 -07:00
c32321e46d
Disable SMB guest logons
Signed-off-by: Tommy <contact@tommytran.io>
2024-04-18 02:27:27 -07:00
947c1078c2
Add DisableSMB1.ps1
Signed-off-by: Tommy <contact@tommytran.io>
2024-04-18 02:17:07 -07:00
4b89e17eb5
Enforce SMB encryption
Signed-off-by: Tommy <contact@tommytran.io>
2024-04-18 01:43:57 -07:00
662b7b9e87
More security improvements
Signed-off-by: Tommy <contact@tommytran.io>
2024-04-18 01:29:42 -07:00
cfce55dd5d
Improvements to LDAPS policies
Signed-off-by: Tommy <contact@tommytran.io>
2024-04-18 01:10:03 -07:00
6 changed files with 51 additions and 4 deletions


@ -0,0 +1,5 @@
# Lanman Workstation
`Computer Configuration\Policies\Administrative Templates\Network\Lanman Workstation`
- Enable insecure guest logons -> Disabled
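Review bot: the policy path here carries the `Policies` node (`Computer Configuration\Policies\Administrative Templates\...`) while the ASR hunk in the next file uses `Computer Configuration\Administrative Templates\...`; pick one convention (the `Policies` form is what GPMC shows for a domain GPO, the shorter form is the local policy editor's). `Enable insecure guest logons -> Disabled` is the client half of the "Disable SMB guest logons" commit: it makes the SMB client refuse a server that answers with a guest session instead of authenticating the supplied credentials (guest sessions carry no signing or encryption), and it pairs with `Accounts: Guest account status -> Disabled` in the Security Options hunk, which covers the server side. Worth saying so in a one-line rationale, as the ASR section does.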


@ -15,6 +15,14 @@
- Configure Controlled folder access -> Enabled -> Block
## Attack Surface Reduction
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack surface reduction`
- Configure Attack Surface Reduction rules -> Add all rules from the [GUID Matrix](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#asr-rule-to-guid-matrix) except `01443614-cd74-433a-b99e-2ecdc07bfc25`. Set their value to 1.
Rationale: `01443614-cd74-433a-b99e-2ecdc07bfc25` depends on Microsoft Cloud Protection (MAPS). The only place where I use MAPS is my gaming machine, and it needs to be able to run not-so-reputable programs anyways.
## MpEngine
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine`
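Review bot: the rationale excludes only `01443614-cd74-433a-b99e-2ecdc07bfc25` for its MAPS dependency, but the same matrix contains `c1db55ab-c21a-4637-bb3f-a12568109d35` (Use advanced protection against ransomware), which Microsoft documents as also requiring cloud-delivered protection; either exclude it under the same rationale or note that it is a no-op without MAPS. "Set their value to 1" should spell out what the values mean (0 = Off, 1 = Block, 2 = Audit, 6 = Warn), and since the page says the gaming machine runs "not-so-reputable programs", suggest rolling the full matrix out in Audit (2) first and reading the ASR events in `Microsoft-Windows-Windows Defender/Operational` before switching to Block, so rules such as "Block credential stealing from LSASS" and "Block executable content from email client and webmail" can be checked against real usage rather than discovered by breakage.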


@ -4,7 +4,30 @@ Documentation: https://learn.microsoft.com/en-us/windows/security/application-se
`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options`
- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode -> Prompt for credentials
(**Follow this guide to setup LDAPS if you do not have key server: https://www.dvolve.net/blog/2019/12/using-lets-encrypt-for-active-directory-domain-controller-certificates/**)
- Accounts: Block Microsoft accounts -> Users can't add or log on with Microsoft accounts
- Accounts: Guest account status -> Disabled
- Devices: Prevent users from installing printer drivers -> Enabled
- Domain controller: LDAP server signing requirements: Require signing
- Domain controller: LDAP server channel binding token requirements: Always
- Domain member: Digitally encrypt or sign secure channel data (always) -> Enabled
- Domain member: Require strong (Windows 2000 or later) session key -> Enabled
- Microsoft network client: Digitally sign communications (always) -> Enabled
- Microsoft network server: Digitally sign communications (always) -> Enabled
- Network access: Allow anonymous SID/Name translation -> Disabled
- Network security: Do not store LAN Manager hash value on next password change -> Enabled
- Network security: Force logoff when logon hours expire -> Disabled
- Network security: LDAP client signing requirements: Require signing
- Network security: Restrict NTLM: Incoming NTLM traffic -> Deny all accounts
- Network security: Restrict NTLM: NTLM authentication in this domain -> Deny all
- Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers -> Deny all
- Shutdown: Clear virtual memory pagefile -> Enabled
- User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop -> Disabled
- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode -> Prompt for credentials on the secure desktop
- User Account Control: Behavior of the elevation prompt for standard users -> Prompt for credentials on the secure desktop
- User Account Control: Only elevate executables that are signed and validated -> Enabled
- User Account Control: Switch to the secure desktop when prompting for elevation -> Enabled (Docs says it is enabled by default, but it is off on my Parallels VM somehow)
- Network security: LDAP client signing requirements: Require signing (**Follow this guide to setup LDAPS if you do not have key server: https://www.dvolve.net/blog/2019/12/using-lets-encrypt-for-active-directory-domain-controller-certificates/**)
- User Account Control: Only elevate UIAccess applications that are installed in secure locations -> Enabled
- User Account Control: Run all administrators in Admin Approval Mode
- User Account Control: Switch to the secure desktop when prompting for elevation -> Enabled
- User Account Control: Virtualize file and registry write failures to per-user locations -> Enabled
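Review bot: this list now carries conflicting duplicates. `User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode` appears once as `Prompt for credentials` (the context line at the top) and again as `Prompt for credentials on the secure desktop`; `Network security: LDAP client signing requirements` appears twice (once with the LDAPS guide link, once without); `User Account Control: Switch to the secure desktop when prompting for elevation` appears twice. Keep one entry for each (the secure-desktop variant, and the LDAP line that keeps the guide link). `User Account Control: Run all administrators in Admin Approval Mode` is missing its value (`-> Enabled`), and the three LDAP lines use `:` where every other line uses `->`. On substance: the three `Restrict NTLM` entries at `Deny all` break every logon that cannot fall back to Kerberos, which includes connections to servers by IP address, local-account logons to remote machines, and any device that is not domain-joined, so in a domain run them at `Audit all` first, review `Microsoft-Windows-NTLM/Operational` on the DCs and members, and use the `Add server exceptions` / `Add remote server exceptions` policies for anything that must stay. The `Domain controller:` lines only take effect on GPOs linked to the Domain Controllers OU, which is worth stating since the scripts README says everything goes into the Default Domain Policy.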


@ -0,0 +1,6 @@
# Services
`Computer Configuration\Preferences\Control Panel Settings\Services`
- Startup: Disabled -> Service name: Webclient -> Service action: Stop service
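Review bot: combining `Startup: Disabled` with `Service action: Stop service` is the right pairing for the "Disable WebDAV" commit, since a disabled startup type alone leaves an already-running WebClient service up until the next reboot, but the section would benefit from a rationale line like the ASR one: WebClient is the Windows WebDAV redirector, which is what turns a UNC path or a mapped drive into HTTP traffic when the target is not an SMB server, and nothing in a plain-SMB environment needs it. Also note the service name is `WebClient` (the SCM is case-insensitive, so `Webclient` works, but matching the display in `services.msc` avoids confusion when someone checks the preference item later).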

Scripts/DisableSMB1.ps1 (new file)

@ -0,0 +1 @@
Set-SmbServerConfiguration -EnableSMB1Protocol $false
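Review bot: `Set-SmbServerConfiguration -EnableSMB1Protocol $false` prompts for confirmation by default, and a Group Policy startup script has nobody to answer the prompt, so add `-Force` (or `-Confirm:$false`) to make it non-interactive: `Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force`. Note also that this only switches off the SMB1 server on a host where the protocol is still installed; removing the feature (`Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol` on client SKUs, `Remove-WindowsFeature FS-SMB1` on servers) drops the SMB1 client as well, which the README note in this commit does not cover.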


@ -2,3 +2,7 @@
- Put these in your NETLOGON directory
- In group policy objects, select the object you want to edit -> Computer Configuration -> Windows Setings -> Scripts -> Startup -> PowerShell Script, and add the scripts you want to use. Personally, I use all of these scripts in my Default Domain Policy object.
## Notes
- The DisableSMB1.ps1 script is not stricly necessary as SMB1 shouldn't be installed anyways. It's just there for extra assurances.
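Review bot: two typos in the added lines: `Windows Setings` should be `Windows Settings` and `stricly` should be `strictly`. The note is also slightly off about what the script does: `Set-SmbServerConfiguration` only disables the SMB1 server on a machine where the protocol is still installed, so on a host where SMB1 is absent (the expected state, as the note says) it changes nothing, and the "extra assurance" it buys is limited to hosts where someone re-added the feature; a sentence saying so, and that the script needs `-Force` to run unattended, would keep readers from assuming it removes SMB1 outright.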