Windows Hardening (SEC 300) - Chromosom3/TechNotes GitHub Wiki

Windows Hardening

Note: The steps in this entry are for hardening an individual system. If you are hardening multiple systems in a domain environment, apply the same security settings via Group Policy instead. This journal entry is based on Windows 10.

Account Policy:

Command: net accounts

Description: List the current system account policies.

[Screenshot: Account Policy]

Changing a Password: Open Command Prompt as administrator, then use the following command. The trailing * makes the command prompt for the new password instead of taking it on the command line, so the password does not end up in the command history.

Command: net user USERNAME *

Example: net user sys140 *

Changing the Password Policy:

Open the “Local Security Policy” editor (secpol.msc). Navigate to Account Policies, Password Policy.

Policies:

  • Enforce password history: How many previous passwords the system remembers and prevents you from reusing. For this lab we set it to 24 passwords.
  • Maximum password age: How long you can keep the same password before it expires. For this lab we set it to 180 days.
  • Minimum password age: How long a user must wait before they can change their password again. For this lab we set it to 14 days. In a domain setting, if this is set and you give a user a temporary password, make sure to enable “User must change password on next logon” when setting the temporary password.
  • Minimum password length: The minimum number of characters a user needs in their password. For this lab we used 12.
  • Password must meet complexity requirements: Whether or not to enforce a password complexity policy. For this lab we enabled this setting.
  • Store password using reversible encryption: Leave this disabled.

Changing the Lockout Policy:

Open the “Local Security Policy” editor. Navigate to Account Policies, Account Lockout Policy.

Policies:

  • Account lockout duration: How long the account remains locked after the account lockout threshold is met. For this lab we set it to 15 minutes.
  • Account lockout threshold: How many failed logons will lock out the account. Must be greater than one to edit the other two settings. For this lab we set it to 5.
  • Reset account lockout counter after: How long after a failed logon the failed-attempt counter is reset. For this lab we set it to 15 minutes.

Local Policies:

Changing the Audit Policy:

Open the “Local Security Policy” editor. Navigate to Local Policies, Audit Policy.

Policies:

  • Audit logon events: Logs logon events. You can select successful logons, failed logons, or both. For this lab we set it to both success and failure.
  • Audit account logon events: Audits every time the computer validates an account's credentials. For this lab we enabled both options.
  • Audit account management: Logs any changes to user accounts or groups. For this lab we enabled both options.
  • Audit privilege use: Logs when a user exercises a user right. For this lab we enabled both options.
  • Audit policy change: Audits changes made to the audit policy (everything in this section). For this lab we enabled both options.
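The same five audit settings can be applied and verified from the command line. This is an added example, not from the wiki; it uses auditpol, which is part of Windows, and is run from an elevated PowerShell prompt. The category names are the legacy categories that the Audit Policy page in secpol.msc maps onto.

```powershell
# Added example (not from the wiki): apply the five audit settings above with auditpol
# and read them back. Run from an elevated PowerShell prompt.
$categories = @(
    'Logon/Logoff',        # Audit logon events
    'Account Logon',       # Audit account logon events
    'Account Management',  # Audit account management
    'Privilege Use',       # Audit privilege use
    'Policy Change'        # Audit policy change
)

# Success and failure for every subcategory in each category, as set in the lab.
foreach ($cat in $categories) {
    auditpol /set /category:"$cat" /success:enable /failure:enable | Out-Null
}

# /r returns CSV; "Inclusion Setting" is the effective success/failure state.
$report = foreach ($cat in $categories) {
    auditpol /get /category:"$cat" /r | ConvertFrom-Csv |
        Select-Object @{ n = 'Category'; e = { $cat } }, Subcategory, 'Inclusion Setting'
}
$report | Format-Table -AutoSize

# Anything other than "Success and Failure" is drift from the lab baseline.
$drift = $report | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' }
if ($drift) { $drift | Format-Table -AutoSize } else { 'Audit policy matches the lab baseline.' }
```

Privilege Use in particular produces a large volume of events; review the per-subcategory rows before leaving it enabled on a busy system.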

Changing the Security Options:

Open the “Local Security Policy” editor. Navigate to Local Policies, Security Options.

Policies:

  • Interactive logon: Don't display username at the sign-in prompt: Will not display the username on the logon screen. For this lab we enabled this setting.
  • Interactive logon: Prompt user to change password before expiration: How many days before the user's password expires the system starts warning them. For this lab we set it to 7.
  • Accounts: Rename administrator account: Renames the built-in Administrator account to the specified value. For this lab we set it to sys200.
  • Accounts: Rename guest account: Renames the built-in Guest account to the specified value. For this lab we set it to sys201.
  • Interactive logon: Message title for users attempting to log on: Title of the logon message. For this lab we put “!!!SECURITY WARNING!!!”.
  • Interactive logon: Message text for users attempting to log on: Text of the logon message. For this lab we put “You are accessing a private system. Any activity will be logged, any attempts to bypass security restrictions will be reported to law enforcement.”
  • Interactive logon: Number of previous logons to cache: Useful in a domain environment. Caches user logons so users can still sign in if the domain isn't reachable.
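To check that a system actually carries the Password Policy, Lockout Policy and Security Options values above, the local policy can be exported with secedit and compared against the lab baseline. This is an added example, not from the wiki; it assumes an elevated PowerShell prompt on Windows 10 and uses the key names secedit writes into its export file.

```powershell
# Added example (not from the wiki): export the local security policy with secedit and
# compare it to the lab baseline from the Password Policy, Lockout Policy and Security
# Options sections. Run from an elevated PowerShell prompt on Windows 10.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null

# Keys as secedit writes them ([System Access] and [Registry Values]); registry values
# carry a type prefix ("4," = REG_DWORD).
$pol = 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$wl  = 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$baseline = [ordered]@{
    'PasswordHistorySize'          = '24'        # Enforce password history
    'MaximumPasswordAge'           = '180'       # Maximum password age (days)
    'MinimumPasswordAge'           = '14'        # Minimum password age (days)
    'MinimumPasswordLength'        = '12'        # Minimum password length
    'PasswordComplexity'           = '1'         # Complexity requirements on
    'ClearTextPassword'            = '0'         # Reversible encryption off
    'LockoutBadCount'              = '5'         # Account lockout threshold
    'LockoutDuration'              = '15'        # Lockout duration (minutes)
    'ResetLockoutCount'            = '15'        # Reset counter after (minutes)
    'NewAdministratorName'         = '"sys200"'  # Renamed Administrator
    'NewGuestName'                 = '"sys201"'  # Renamed Guest
    "$pol\DontDisplayLastUserName" = '4,1'       # Don't display username
    "$wl\PasswordExpiryWarning"    = '4,7'       # Warn 7 days before expiry
}

# Parse "Key = Value" lines; secedit writes the export as UTF-16LE ("Unicode").
$current = @{}
Get-Content -Path $cfg -Encoding Unicode | ForEach-Object {
    if ($_ -match '^\s*(.+?)\s*=\s*(.*?)\s*$') { $current[$Matches[1]] = $Matches[2] }
}

# Report drift; a key absent from the export shows as "Not Defined" in secpol.msc.
$drift = foreach ($key in $baseline.Keys) {
    $actual = if ($current.ContainsKey($key)) { $current[$key] } else { '<not defined>' }
    [pscustomobject]@{
        Setting  = $key
        Expected = $baseline[$key]
        Actual   = $actual
        Ok       = ($actual -eq $baseline[$key])
    }
}
$drift | Sort-Object Ok | Format-Table -AutoSize
Remove-Item -Path $cfg -ErrorAction SilentlyContinue
```

Rows with Ok = False are the settings that differ from the lab values; the export file is deleted afterwards because it contains the full local policy.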

Example Log on Message:

[Screenshot: Banner]

Example Accounts (Renamed Admin and Guest):

[Screenshot: AccountChange]

Windows Defender:

To change Windows Defender settings, open Windows Security via the Start menu.

Virus & threat protection:

You should ensure that your system has been scanned recently. If you want to change the virus and threat protection settings, select Manage settings.

  • Real-time protection: Locates and stops malware on the system as it runs.
  • Cloud-delivered protection: Downloads the latest security updates and checks that the system is up to date with Microsoft's cloud servers.
  • Automatic sample submission: Automatically sends suspicious files to Microsoft for review. Note: if you have sensitive data on a system you may not want to send files to Microsoft.
  • Controlled folder access: Comes with the Enterprise or Pro versions of Windows. Helps protect against ransomware. Turn it on, then add protected folders by selecting Protected folders.
  • Exclusions: Allows you to exclude files, folders or processes from Windows Defender protection.

Example of Controlled Folder Access:

[Screenshot: Ransomware]

Example of Blocking a program:

[Screenshot: BlockApp]

Example of allowing a program:

[Screenshot: AllowApp]
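The Virus & threat protection settings above, including controlled folder access with a protected folder and an allowed program, can also be checked and set with the Defender PowerShell module. This is an added example, not from the wiki; it assumes an elevated PowerShell prompt, and the folder and program paths are placeholders.

```powershell
# Added example (not from the wiki): check scan/signature freshness, then set the
# Virus & threat protection options above with the Defender module. Run elevated;
# the folder and program paths are placeholders for this example.
$status = Get-MpComputerStatus
$lastScan = if ($status.QuickScanEndTime) { $status.QuickScanEndTime } else { 'never' }
[pscustomobject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    SignaturesUpdated  = $status.AntivirusSignatureLastUpdated
    LastQuickScan      = $lastScan
} | Format-List

# Real-time and cloud-delivered protection on; sample submission off, matching the
# note about not sending files from systems that hold sensitive data.
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent NeverSend

# Controlled folder access: turn it on, protect a folder, allow one program through.
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders 'C:\LabData'          # placeholder
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Tools\app.exe' # placeholder

# Review the result, including exclusions, which weaken protection wherever they apply.
Get-MpPreference | Select-Object EnableControlledFolderAccess, ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications, ExclusionPath, ExclusionProcess | Format-List

# A program that controlled folder access blocked is logged as event ID 1123 in the
# Defender operational log; this is the command-line view of the "blocking a program" screenshot.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123
} -MaxEvents 10 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message | Format-List
```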