OS Hardening - PimmyTrousers/Cooking-Recipes GitHub Wiki

Windows OS Hardening Policies

System Services – The following system services are forced to Automatic mode via GPO

  • Base Filtering Engine
  • COM+ Event System
  • Cryptographic Services
  • DCOM Server Process Launcher
  • Desktop Window Manager Session Manager
  • DFS Replication
  • Group Policy Client
  • IKE & AuthIP IPsec Keying Modules
  • Microsoft Fibre Channel Platform Registration Service
  • Network List Service
  • Network Location Awareness
  • Network Store Interface Service
  • Plug and Play
  • RPC
  • Remote Registry
  • Security Accounts Manager
  • Shell Hardware Detection
  • Software Protection
  • Task Scheduler
  • TCP/IP NetBIOS Helper
  • User Profile Service
  • Windows Event Log
  • Windows Firewall
  • Windows Management Instrumentation
  • Windows Time
  • Windows Update
  • Workstation

Security Options – The following policies are enforced via GPO

  • Accounts: Administrator Account Status = Enabled
  • Accounts: Guest Account Status = Disabled
  • Accounts: Rename Local Administrator = _adm_usric1_local
  • Accounts: Limit local account use of blank passwords to console logon = Enabled
  • Audit: Audit the use of Backup and Restore privilege = Enabled
  • Devices: Allow undock without login = Disabled
  • Devices: Allowed to format/eject removable media = Administrators/Interactive Users
  • Devices: Prevent users from installing printer drivers = Enabled
  • Domain Controller: Allow server operators to schedule tasks = Disabled
  • Domain Controller: LDAP Server Signing = Required
  • Domain Controller: Refuse Machine Account Password Changes = Disabled
  • Domain Member: Digitally encrypt/sign secure channel data always = Enabled
  • Domain Member: Digitally encrypt secure channel data when possible = Enabled
  • Domain Member: Digitally sign secure channel data when possible = Enabled
  • Domain Member: Disable machine account password changes = Disabled
  • Domain Member: Maximum machine account password age = 30 days
  • Domain Member: Require strong session key = Enabled
  • Interactive Logon: Do not display last user name = Enabled
  • Interactive Logon: Do not require CTRL+ALT+DEL = Disabled
  • Interactive Logon: Prompt User to change password before expiration = 14 days
  • Interactive Logon: Require DC authentication to unlock workstation = Enabled
  • MS Network Client: Digitally sign communications (always) = Enabled
  • MS Network Client: Digitally sign communications (if server agrees) = Enabled
  • MS Network Client: Send unencrypted passwords to 3rd party SMB servers = Disabled
  • MS Network Server: Digitally sign communications (always) = Enabled
  • MS Network Server: Digitally sign communications (if client agrees) = Enabled
  • MS Network Server: Disconnect clients when logon hours expire = Enabled
  • Network Access: Allow anonymous SID/Name Translation = Disabled
  • Network Access: Do not allow anonymous enumeration of SAM accounts & shares = Enabled
  • Network Access: Let Everyone permissions apply to anonymous users = Disabled
  • Network Access: Restrict anonymous access to Named Pipes & Shares = Enabled
  • Network Access: Sharing & Security model for local accounts = Classic
  • Network Security: Allow Local System to use computer identity for NTLM = Enabled
  • Network Security: Allow Local System NULL session failback = Disabled
  • Network Security: Do not store LAN Manager hash value on next password change = Enabled
  • Network Security: LDAP client signing requirements = Negotiate Signing
  • Network Security: Minimum security for NTLM SSP (clients&servers) = Require NTLMv2 & 128-bit encryption
  • Network Security: Allow PKU2U Authentication requests to use online identities = Disabled
  • Network Security: Force logoff when logon hours expire = Enabled
  • Network Security: LAN Manager authentication level = Send NTLMv2 response only. Refuse LM & NTLM
  • Recovery Console: Allow automatic administrative logon = Disabled
  • Recovery Console: Allow floppy copy and access to drives/folders = Disabled
  • Shutdown: Allow system to be shut down without logon = Disabled
  • Shutdown: Clear virtual memory pagefile = Disabled
  • System Cryptography: Use FIPS compliant algorithms for encryption, hashing, signing = Enabled
  • System Objects: Require case insensitivity for non-Windows subsystems = Enabled
  • System Objects: Strengthen default permissions of internal system objects = Enabled
  • System Settings: Use certificate rules on Windows executables for Software Restriction Policies = Enabled
  • UAC: AAM for builtin Administrator = Enabled
  • UAC: Elevation Prompt Behavior for AAM = Consent prompt for non-Windows binaries
  • UAC: Run all administrators in AAM = Enabled
  • UAC: Allow UIAccess application to prompt for elevation without using secure desktop = Disabled
  • UAC: Switch to secure desktop when prompting for elevation = Enabled
  • UAC: Virtualize file and registry write failures to per-user locations = Enabled
  • UAC: Detect application installations and prompt for elevation = Enabled
  • UAC: Only elevate executables that are signed and validated = Enabled
  • UAC: Behavior for standard users = Prompt for credentials
  • UAC: Only elevate UIAccess applications that are installed in secure locations = Enabled

User Rights Assignment – Via GPO, the following rights are restricted to only local administrators and members of the local OU admin group in GS, except where otherwise noted.

  • Add workstations to domain
  • Force remote shutdown
  • Create a pagefile
  • Debug programs
  • Increase a process working set
  • Increase scheduling priority
  • Load & unload device drivers
  • Log on as batch job
  • Manage auditing & security logs
  • Modify firmware environment values
  • Take ownership of files or other objects
  • Access computer from network (Also granted to Authenticated Users)
  • Change system time (Also granted to LOCAL SERVICE)

The following policies are applied to “Guests”

  • Deny log on as batch job
  • Deny log on locally
  • Deny access to computer from network

Audit Policy – Audit settings listed include objects from Local Policies -> Audit Policy as well as Advanced Audit Policy Configuration, and are set to log Success & Failure.

  • Account logon events
  • Audit Policy Change
  • Credential Validation
  • Directory service access
  • Directory service changes
  • IPSec Driver Events
  • Logon events
  • Computer Account Management
  • Security Group Management
  • Sensitive Privilege Use
  • System Integrity
  • User Account Management

Administrative Templates – Windows Components – Event Logs

  • Event Log Service: Security – Maximum Log Size = 196608 KB
  • Event Log Service: Security – Retain Old Events = Disabled (overwrite as needed when the log is full)
  • Event Log Service: Application – Maximum Log Size = 32768 KB
  • Event Log Service: Application – Retain Old Events = Disabled (overwrite as needed when the log is full)
  • Event Log Service: System – Maximum Log Size = 32768 KB
  • Event Log Service: System – Retain Old Events = Disabled (overwrite as needed when the log is full)
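Because GPO writes these Security Options and Event Log settings into the registry, drift on a host can be checked locally. The following read-only PowerShell audit is added here and is not part of the wiki; it compares a subset of the settings listed above against the registry values the corresponding policies write (the value names and expected numbers are the standard Windows policy-to-registry mappings, assumed to match the GPO in use).

```powershell
# Added audit script (not from the wiki): compares a subset of the Security Options
# and Event Log settings above against the registry values that GPO writes.
# Run in an elevated PowerShell on a domain-joined host; read-only, changes nothing.
$Lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Pol    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Svc    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$EvtPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog'

# Policy label from the baseline -> registry location and the value the baseline expects.
$Checks = @(
  @{ Policy = 'LAN Manager auth level = NTLMv2 only, refuse LM & NTLM'; Path = $Lsa; Name = 'LmCompatibilityLevel'; Expected = 5 }
  @{ Policy = 'Do not store LAN Manager hash'; Path = $Lsa; Name = 'NoLMHash'; Expected = 1 }
  @{ Policy = 'Min NTLM SSP security (clients) = NTLMv2 + 128-bit'; Path = "$Lsa\MSV1_0"; Name = 'NTLMMinClientSec'; Expected = 0x20080000 }
  @{ Policy = 'Min NTLM SSP security (servers) = NTLMv2 + 128-bit'; Path = "$Lsa\MSV1_0"; Name = 'NTLMMinServerSec'; Expected = 0x20080000 }
  @{ Policy = 'Allow Local System NULL session fallback = Disabled'; Path = "$Lsa\MSV1_0"; Name = 'allownullsessionfallback'; Expected = 0 }
  @{ Policy = 'No anonymous enumeration of SAM accounts & shares'; Path = $Lsa; Name = 'RestrictAnonymous'; Expected = 1 }
  @{ Policy = 'Everyone permissions do not apply to anonymous'; Path = $Lsa; Name = 'EveryoneIncludesAnonymous'; Expected = 0 }
  @{ Policy = 'Limit blank-password local accounts to console logon'; Path = $Lsa; Name = 'LimitBlankPasswordUse'; Expected = 1 }
  @{ Policy = 'Use FIPS compliant algorithms'; Path = "$Lsa\FipsAlgorithmPolicy"; Name = 'Enabled'; Expected = 1 }
  @{ Policy = 'PKU2U online identities = Disabled'; Path = "$Lsa\pku2u"; Name = 'AllowOnlineID'; Expected = 0 }
  @{ Policy = 'SMB client: digitally sign communications (always)'; Path = "$Svc\LanmanWorkstation\Parameters"; Name = 'RequireSecuritySignature'; Expected = 1 }
  @{ Policy = 'SMB client: no unencrypted passwords to 3rd party SMB'; Path = "$Svc\LanmanWorkstation\Parameters"; Name = 'EnablePlainTextPassword'; Expected = 0 }
  @{ Policy = 'SMB server: digitally sign communications (always)'; Path = "$Svc\LanmanServer\Parameters"; Name = 'RequireSecuritySignature'; Expected = 1 }
  @{ Policy = 'Secure channel: encrypt/sign always'; Path = "$Svc\Netlogon\Parameters"; Name = 'RequireSignOrSeal'; Expected = 1 }
  @{ Policy = 'Secure channel: require strong session key'; Path = "$Svc\Netlogon\Parameters"; Name = 'RequireStrongKey'; Expected = 1 }
  @{ Policy = 'LDAP client signing = Negotiate'; Path = "$Svc\LDAP"; Name = 'LDAPClientIntegrity'; Expected = 1 }
  @{ Policy = 'Interactive logon: do not display last user name'; Path = $Pol; Name = 'DontDisplayLastUserName'; Expected = 1 }
  @{ Policy = 'UAC: run all administrators in AAM'; Path = $Pol; Name = 'EnableLUA'; Expected = 1 }
  @{ Policy = 'UAC: consent prompt for non-Windows binaries'; Path = $Pol; Name = 'ConsentPromptBehaviorAdmin'; Expected = 5 }
  @{ Policy = 'UAC: only elevate signed & validated executables'; Path = $Pol; Name = 'ValidateAdminCodeSignatures'; Expected = 1 }
  @{ Policy = 'Security log max size 196608 KB'; Path = "$EvtPol\Security"; Name = 'MaxSize'; Expected = 196608 }
  @{ Policy = 'Application log max size 32768 KB'; Path = "$EvtPol\Application"; Name = 'MaxSize'; Expected = 32768 }
  @{ Policy = 'System log max size 32768 KB'; Path = "$EvtPol\System"; Name = 'MaxSize'; Expected = 32768 }
)

foreach ($c in $Checks) {
  # A missing key or value means the policy never applied here; report it instead of assuming a default.
  $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
  $actual = if ($null -ne $item) { $item.($c.Name) } else { '<not set>' }
  [PSCustomObject]@{
    Policy   = $c.Policy
    Expected = $c.Expected
    Actual   = $actual
    Status   = if ("$actual" -eq "$($c.Expected)") { 'OK' } else { 'DRIFT' }
  }
}
```

Pipe the output to `Format-Table -AutoSize` or `Where-Object Status -ne 'OK'` to list only the settings that have drifted from the baseline.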