Tomster/Windows-Setup
1
0
Fork 0
mirror of https://github.com/TommyTran732/Windows-Setup.git synced 2024-11-23 00:21:43 -05:00
Code

Compare commits

base: Tomster:ab9f1d258cfbf614cebe1ff062ea0d57f722966d
Branches Tags
Tomster:main
..
compare: Tomster:2f0ff65e76e240d0c6944df826fe488c873ff278
Branches Tags
Tomster:main

No commits in common. "ab9f1d258cfbf614cebe1ff062ea0d57f722966d" and "2f0ff65e76e240d0c6944df826fe488c873ff278" have entirely different histories.
ab9f1d258c ... 2f0ff65e76

12 changed files with 45 additions and 94 deletions
Show Stats Expand all files Collapse all files

23
Group Policies Objects/Default Domain Policy/Microsoft Defender Antivirus.md
View File

@ -1,13 +1,15 @@
# Microsoft Defender Antivirus # Microsoft Defender Antivirus
**MAPS and features dependent on it disabled using this policy. It is quite invasive so I will only enable it for certain OUs.** **MAPS and features dependent on it are not enabled using this policy. It just configures how aggressive MAPS should be. This is quite invasive so I will only enable it for certain OUs.**
`Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus` `Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus`
## MAPS ## MAPS
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS` `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS`
- Join Microsoft MAPS -> Enabled -> Disabled
- Configure the 'Block at First Sight' feature -> Enabled
- Send file samples when further analysis is required -> Enabled -> Always Prompt (Send safe sample works better with 'Block at First Sight, but I really, really do not trust Microsoft on this one)
## Controlled Folder Access ## Controlled Folder Access
@ -15,11 +17,28 @@
- Configure Controlled folder access -> Enabled -> Block - Configure Controlled folder access -> Enabled -> Block
## Network Protection
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection`
Only relevant if SmartScreen is used.
Documentation:
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide
This settings controls whether Network protection is allowed to be configured into block or audit mode on Windows -> Enabled (Only relevant if running Windows Server)
Prevent users and apps from accessing dangerous websites -> Enabled -> Block
## MpEngine ## MpEngine
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine` `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine`
Only relevant if MAPS is used
- Enable file hash computation feature -> Enabled - Enable file hash computation feature -> Enabled
- Configure extended cloud check -> Specify the extended cloud check time in seconds -> 50
- Select cloud protection level -> Zero tolerance blocking level
## Quarantine ## Quarantine

8
Group Policies Objects/Default Domain Policy/Microsoft Edge.md Normal file
View File

@ -0,0 +1,8 @@
# Microsoft Edge
`Computer Configuration\Policies\Administrative Templates\Microsoft Edge`
`Computer Configuration\Policies\Administrative Templates\Microsoft Edge - Default Settings (users can override)`
You will need to download the Edge policies from https://www.microsoft.com/en-us/edge/business/download?form=MA13FJ and install it.
For the actual policies to set, you can follow my repo at https://github.com/TommyTran732/Microsoft-Edge-Policies at set the equivalent group policies of what is being set there.

5
Group Policies Objects/Default Domain Policy/Microsoft Edge/Cast.md
View File

@ -1,5 +0,0 @@
# Cast
`Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Cast`
- Enabled Google Cast -> Disabled `EnableMediaRouter: false`

13
Group Policies Objects/Default Domain Policy/Microsoft Edge/Content Settings.md
View File

@ -1,13 +0,0 @@
# Content Settings
`Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Content Settings`
- Block cookies on specific sites -> ntp.msn.com `CookiesBlockedForUrls": [ "ntp.msn.com" ]`
- Default geolocation setting -> Enabled -> Don't allow any site to track users' physical location `DefaultGeolocationSetting: 2`
- Control use of insecure content Exceptions -> Enabled -> Do not allow any sites to load mixed content `DefaultInsecureContentSetting: 2`
- Configure cookies -> Enabled -> Keep cookies for the duration of the session, except ones listed in "SaveCookiesOnExit" `DefaultCookiesSetting: 4`
- Default setting for third-party storage partitioning -> Let third-party storage partitioning to be enabled. `DefaultThirdPartyStoragePartitioningSetting: 1`
- Control the use of File System API for reading -> Don't allow any site to request and read access to files and directories via the File System API `DefaultFileSystemReadGuardSetting: 2`
- Control the use of File System API for writing -> Don't allow any site to request and write access to files and directories via the File System API `DefaultFileSystemWriteGuardSetting: 2`
- Control use of the Web Bluetooth API -> Don't allow any site to request access to Bluetooth devices via the Web Bluetooth API `DefaultWebBluetoothGuardSetting: 2`
- Allow notifications to set Microsoft Edge as default PDF reader -> Disabled `ShowPDFDefaultRecommendationsEnabled: false`

7
Group Policies Objects/Default Domain Policy/Microsoft Edge/README.md
View File

@ -1,7 +0,0 @@
# Microsoft Edge
`Computer Configuration\Policies\Administrative Templates\Microsoft Edge`
You will need to download the Edge policies from https://www.microsoft.com/en-us/edge/business/download?form=MA13FJ and install it.
SmartScreen and Typosquatting as recommeded settings doesn't seem to apply consistently, therefore I force them to be disabled in my Domain Default Policy.

2
Group Policies Objects/Default Domain Policy/Security Options.md
View File

@ -7,4 +7,4 @@ Documentation: https://learn.microsoft.com/en-us/windows/security/application-se
- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode -> Prompt for credentials - User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode -> Prompt for credentials
- User Account Control: Only elevate executables that are signed and validated -> Enabled - User Account Control: Only elevate executables that are signed and validated -> Enabled
- User Account Control: Switch to the secure desktop when prompting for elevation -> Enabled (Docs says it is enabled by default, but it is off on my Parallels VM somehow) - User Account Control: Switch to the secure desktop when prompting for elevation -> Enabled (Docs says it is enabled by default, but it is off on my Parallels VM somehow)
- Network security: LDAP client signing requirements: Require signing (**Follow this guide to setup LDAPS if you do not have key server: https://www.dvolve.net/blog/2019/12/using-lets-encrypt-for-active-directory-domain-controller-certificates/**) - Security setting -> Define -> Require signing (**Follow this guide to setup LDAPS if you do not have key server: https://www.dvolve.net/blog/2019/12/using-lets-encrypt-for-active-directory-domain-controller-certificates/**)

5
Group Policies Objects/Default Domain Policy/Windows Defender SmartScreen.md
View File

@ -1,9 +1,6 @@
# Windows Defender SmartScreen # Windows Defender SmartScreen
**SmartScreen and features dependent on it disabled using this policy. It is quite invasive so I will only enable it for certain OUs.**
`Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender SmartScreen` `Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender SmartScreen`
- Enhanced Phishing Protection -> Service Enabled -> Disabled - Enhanced Phishing Protection -> Service Enabled -> Disabled (**Does not show on Windows Server 2022 by default**)
- Explorer -> Configure Windows Defender SmartScreen -> Disabled
- Microsoft Edge -> Configure Windows Defender SmartScreen -> Disabled - Microsoft Edge -> Configure Windows Defender SmartScreen -> Disabled

5
Group Policies Objects/Gaming/Microsoft Account (Allow).md
View File

@ -1,5 +0,0 @@
# Microsoft account
`Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft account`
- Block all consumer Microsoft account user authentication -> Disabled

47
Group Policies Objects/Gaming/Microsoft Defender (Gaming).md
View File

@ -1,47 +0,0 @@
# Microsoft Edge
`Computer Configuration\Policies\Administrative Templates\Microsoft Edge`
- SmartScreen settings -> Configure Microsoft Defender SmartScreen -> Enabled
- SmartScreen settings -> Configure Microsoft SmartScreen to block potentially unwanted apps -> Enabled
- TyposuqattingChecker settings -> Configure Edge TyposquattingChecker -> Enabled
# Microsoft Defender Antivirus
## MAPS
`Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus`
- Join Microsoft MAPS -> Enabled -> Advanced Membership
- Configure the 'Block at First Sight' feature -> Enabled
- Send file samples when further analysis is required -> Enabled -> Always Prompt (Send safe sample works better with 'Block at First Sight, but I really, really do not trust Microsoft on this one)
## Network Protection
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection`
Only relevant if SmartScreen is used.
Documentation:
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide
This settings controls whether Network protection is allowed to be configured into block or audit mode on Windows -> Enabled (Only relevant if running Windows Server)
Prevent users and apps from accessing dangerous websites -> Enabled -> Block
## MpEngine
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine`
Only relevant if MAPS is used
- Configure extended cloud check -> Specify the extended cloud check time in seconds -> 50
- Select cloud protection level -> Zero tolerance blocking level
# Windows Defender SmartScreen
`Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender SmartScreen`
- Explorer -> Configure Windows Defender SmartScreen -> Enabled -> Warn
- Microsoft Edge -> Configure Windows Defender SmartScreen -> Enabled

14
Group Policies Objects/Gaming/Microsoft Defender Antivirus (Gaming).md Normal file
View File

@ -0,0 +1,14 @@
# Microsoft Edge
`Computer Configuration\Policies\Administrative Templates\Microsoft Edge`
- SmartScreen settings -> Configure Microsoft Defender SmartScreen -> Enabled
- SmartScreen settings -> Configure Microsoft SmartScreen to block potentially unwanted apps -> Enabled
- TyposuqattingChecker settings -> Configure Edge TyposquattingChecker -> Enabled
# Microsoft Defender Antivirus
`Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus`
- Join Microsoft MAPS -> Enabled -> Advanced Membership

5
Group Policies Objects/Gaming/Microsoft Office/Microsoft Account (Allow).md
View File

@ -1,5 +0,0 @@
# Microsoft account
`Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft account`
- Block all consumer Microsoft account user authentication -> Disabled

5
Group Policies Objects/Gaming/Security Options (Gaming).md
View File

@ -1,5 +0,0 @@
# Security Options
`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options`
- User Account Control: Only elevate executables that are signed and validated -> Disabled