General

• UPDATE
  • Update right at the beginning so that it can restart
• https://www.bleepingcomputer.com/download/malwarebytes-anti-exploit/ malwarebytes
• Software restriction policy
• how to disable ipv6
• DISABLE STICKY KEYS!!!!!

Windows Server (2008):

• $scwcmd.exe configure /p:isa_harden.xml$
• Windows Server 2008 R2 Service Pack
• Windows server hardening checklist
  • Update Installation
  • User Configuration
  • Network Configuration
  • Windows Features and Roles Configuration
  • NTP Configuration
  • Firewall Configuration
  • Remote Access Configuration
  • Service Configuration
  • Logging and Monitoring

Newest Windows security template

• Probably not phenomenal, will make my own

Windows Server (2012):

Group Policy Settings to configure by Location (THIS CAN BE FOUND by pressing “winkey + r” and typing either “gpedit.msc” or “gpmsc.msc” depending on the version of windows server.

• Computer configuration → Windows settings → security settings → account policies → password policy:
  • Minimum password length = 11
  • Enforce password history = 0
• Computer configuration → Windows settings → security settings → account policies → Account Lock policy
  • Account Lockout Threshold = 5
  • Account lockout duration = 30 min.
• Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options:
  • Network security: Do not store LAN Manager hash value on next password change = Enabled
  • Interactive logon - do not require ctrl alt del at logon : Disabled
  • Lan Manager authentication level - “SEND NTLMv2 response only. Refuse LM & NTLM”
• Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options:

Win7:

Windows 7 Service Package:

• Besides the Administrator, make everyone else a normal user
  • This will force anyone doing anything sketchy to have the Admin password
  • Turn User Account Settings all the way up
    • UAC
• Disable Java in the browsers
• Make Sure Data Execution Protection is Enabled (Use Admin Command Prompt)
  • $bcdedit.exe /set {current} nx AlwaysOn$

WinXP:

Windows 8/10:

• TURN OFF FUCKING WI-FI SENSE PIECE OF SHIT KILL WHATEVER MORONIC STUPID FUCKING WASTE OF LIFE DEVELOPER CAME UP WITH THAT HOLY FUCKING SHIT PLEASE GOD TURN IT OFF NOW.
• http://hardenwindows10forsecurity.com/

GENERAL

• run control userpasswords2 advance enable control-alt-delete
• Control>userpasswords2>enable control-alt-delete
• Screensaver>personalize>lock computer 5 minute
• Turn off services
• add/remove programs>windows features
• Device manager> firewire controller disable
• Turn off powershell
• Check environment variables
• Check aliases
• Verify C:\Windows\System32\utilman.exe
• Check ease of access center vulnerabilities
• Turn on view hidden files
• Check task scheduler
• Disable services.msc
• Fail2ban
• Autoruns
• Remove 64bit and 32bit programs