The IDs correspond to the finding lists for HardeningKitty finding_list_0x6d69636b_machine.csv and finding_list_0x6d69636b_user.csv.
- Use a separate local admin account
- ID 1708: Use of BitLocker Encryption (use of Enhanced PIN is recommended, see ID 1712)
- Enable Windows Defender
- ID 1000: Disable SMBv1 (only needed for Windows <1709 build)
- Check status: Get-WindowsOptionalFeature -Online -FeatureName smb1protocol
- Disable: Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
- ID 1103: Set Password Policy\Store passwords using reversible encryption to Disabled
- ID 1101: Set Account Lockout Policy\Account lockout duration to 15 or more minute(s)
- ID 1100: Set Account Lockout Policy\Account lockout threshold to 10 or fewer invalid logon attempt(s), but not 0
- ID 1104: Set Account Lockout Policy\Allow Administrator account lockout to Enabled
- ID 1102: Set Account Lockout Policy\Reset account lockout counter after to 15 or more minute(s)
- Overridden by Advanced Audit Policy Configuration
- ID 1200: Set Access this computer from the network to Administrators
- ID 1201: Set Allow log on locally to Administrators, Users
- ID 1202: Remove Administrators from Debug programs (SeDebugPrivilege)
- ID 1203: Set Deny access to this computer from the network to include Guests, Local account
- ID 1204: Set Deny log on as a batch job to include Guests
- ID 1205: Set Deny log on as a service to include Guests
- ID 1206: Set Deny log on through Remote Desktop Services to include Guests, Local account
- ID 1300: Set Accounts: Block Microsoft accounts to Users can't add or log on with Microsoft accounts
- ID 1301: Set Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings to Enabled
- ID 1302: Set Interactive logon: Do not require CTRL+ALT+DEL to Disabled
- ID 1303: Set Interactive logon: Don't display last signed-in to Enabled
- ID 1304: Set Interactive logon: Don't display username at sign-in to Enabled
- ID 1305: Set Microsoft network client: Digitally sign communications (always) to Enabled
- ID 1306: Set Microsoft network client: Digitally sign communications (if server agrees) to Enabled
- ID 1307: Set Microsoft network server: Digitally sign communications (always) to Enabled
- ID 1308: Set Microsoft network server: Digitally sign communications (if client agrees) to Enabled
- ID 1309: Set Network access: Do not allow anonymous enumeration of SAM accounts to Enabled
- ID 1310: Set Network access: Do not allow anonymous enumeration of SAM accounts and shares to Enabled
- ID 1311: Set Network access: Do not allow storage of passwords and credentials for network authentication to Enabled
- ID 1324: Set Network access: Restrict anonymous access to Named Pipes and Shares to Enabled
- ID 1325: Set Network access: Restrict clients allowed to make remote calls to SAM to O:BAG:BAD:(A;;RC;;;BA) (Remote Access for Administrators allowed, no other groups/user)
- ID 1312: Set Network security: Allow LocalSystem NULL session fallback to Disabled
- ID 1326: Set Network security: Do not store LAN Manager hash value on next password change to Enabled
- ID 1313: Set Network security: LAN Manager authentication level to Send NTLMv2 response only. Refuse LM & NTLM
- ID 1314: Set Network security: LDAP client signing requirements to Negotiate signing
- ID 1315: Set Network security: Minimum session security for NTLM SSP based (including secure RPC) clients to Require NTLMv2 session security, Require 128-bit encryption
- ID 1316: Set Network security: Minimum session security for NTLM SSP based (including secure RPC) servers to Require NTLMv2 session security, Require 128-bit encryption
- ID 1317: Set Network security: Restrict NTLM: Audit Incoming NTLM Traffic to Enable auditing for all accounts
- ID 1318: Set Network security: Restrict NTLM: Audit NTLM authentication in this domain to Enable all
- ID 1319: Set Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Audit all
- ID 1320: Set Shutdown: Allow system to be shut down without having to log on to Disabled
- ID 1321: Set User Account Control: Admin Approval Mode for the Built-in Administrator account to Enabled
- ID 1322: Set User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode to Prompt for consent on the secure desktop
- ID 1323: Set User Account Control: Behavior of the elevation prompt for standard users to Prompt for credentials on the secure desktop
- ID 1400: Firewall State: On
- ID 1401: Inbound Connections: Block
- ID 1402: Outbound Connections: Allow
- ID 1403: Size limit: 16384
- ID 1404: Log dropped packets: Yes
- ID 1405: Log successful connections: Yes
- ID 1406: Firewall State: On
- ID 1407: Inbound Connections: Block
- ID 1408: Outbound Connections: Allow
- ID 1409: Size limit: 16384
- ID 1410: Log dropped packets: Yes
- ID 1411: Log successful connections: Yes
- ID 1412: Firewall State: On
- ID 1413: Inbound Connections: Block
- ID 1414: Outbound Connections: Allow
- ID 1415: Size limit: 16384
- ID 1416: Log dropped packets: Yes
- ID 1417: Log successful connections: Yes
- ID 1500: Account Logon\Audit Credential Validation: Success and Failure
- ID 1501: Account Management\Audit Security Group Management: Success
- ID 1502: Account Management\Audit User Account Management: Success and Failure
- ID 1503: Detailed Tracking\Audit DPAPI Activity: Success and Failure
- ID 1504: Detailed Tracking\Audit PNP Activity: Success
- ID 1505: Detailed Tracking\Audit Process Creation: Success
- ID 1506: Logon/Logoff\Audit Account Lockout: Failure
- ID 1507: Logon/Logoff\Audit Group Membership: Success
- ID 1508: Logon/Logoff\Audit Logon: Success and Failure
- ID 1509: Logon/Logoff\Audit Other Logon/Logoff Events: Success and Failure
- ID 1510: Logon/Logoff\Audit Special Logon: Success
- ID 1511: Object Access\Audit Detailed File Share: Failure
- ID 1512: Object Access\Audit File Share: Success and Failure
- ID 1513: Object Access\Kernel Object: Success and Failure
- ID 1514: Object Access\Audit Other Object Access Events: Success and Failure
- ID 1515: Object Access\Audit Removable Storage: Success and Failure
- ID 1516: Object Access\Audit SAM: Success and Failure
- ID 1517: Policy Change\Audit Audit Policy Change: Success
- ID 1518: Policy Change\Audit Authentication Policy Change: Success
- ID 1519: Policy Change\Audit MPSSVC Rule-Level Policy Change: Success and Failure
- ID 1520: Policy Change\Audit Other Policy Change Events: Failure
- ID 1521: Privilege Use\Audit Sensitive Privilege Use: Success and Failure
- ID 1522: System\Audit Other System Events: Success and Failure
- ID 1523: System\Audit Security State Change: Success
- ID 1524: System\Audit Security System Extension: Success
- ID 1525: System\Audit System Integrity: Success and Failure
- ID 1600: Set Prevent enabling lock screen camera to Enabled
- ID 1601: Set DNS Client\Turn off multicast name resolution (LLMNR) to Enabled
- ID 1602: Set Lanman Workstation\Enable insecure guest logons to Disabled
- ID 1603: Set Turn off Microsoft Peer-to-Peer Networking Services to Enabled
- ID 1604: Set WLAN Service\WLAN Settings\Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services to Disabled
- ID 2108, ID 2109: Set Turn on Module Logging to Enabled, Use Windows PowerShell Policy setting
- ID 2110: Set Turn on Module Logging - Module Names to * (Wildcard)
- ID 2111, ID 2112, ID 2113: Set Turn on PowerShell Script Block Logging to Enabled, Log script block invocation, Use Windows PowerShell Policy setting
- ID 2114, ID 2115, ID 2116: Set Turn on PowerShell Transcription to Enabled, Include invocation headers, Use Windows PowerShell Policy setting
The following settings are set by default. If they differ from the values below, the system is vulnerable to CVE-2021-34527 and CVE-2021-36958.
- ID 1772: Set Configure Redirection Guard to Enabled: Redirection Guard Enabled
- ID 1768: Set Only use Package Point and Print to Enabled
- ID 1769: Set Package Point and Print - Approved servers to Enabled and add a list of servers or a fake entry
- ID 1764: Set Point and Print Restrictions\When installing drivers for a new connection to Show warning and elevation prompt
- ID 1765: Set Point and Print Restrictions\When updating drivers for an existing connection to Show warning and elevation prompt
- ID 1771: Set Turn off notifications network usage to Enabled
- ID 1605: Set Credentials Delegation\Allow delegating default credentials to Disabled (tspkg)
- ID 1606: Set Credentials Delegation\Encryption Oracle Remediation to Enabled: Force Updated Clients
- ID 1699: Set Credentials Delegation\Remote host allows delegation of non-exportable credentials to Enabled
- ID 1607: Set Device Installation Restrictions\Prevent installation of devices that match any of these device IDs to Enabled
- ID 1608: Set Also apply to matching devices that are already installed to True
- ID 1609: Device ID = PCI\CC_0C0010 (Plug and Play compatible ID for a 1394 controller)
- ID 1610: Device ID = PCI\CC_0C0A (Plug and Play compatible ID for a Thunderbolt controller)
Note: Not required if Kernel DMA protection is active (check with msinfo32.exe)
- ID 1611: Set Device Installation Restrictions\Prevent installation of devices using drivers that match these device setup classes to Enabled
- ID 1612: Set Also apply to matching devices that are already installed to True
- ID 1613: GUID = {d48179be-ec20-11d1-b6b8-00c04fa372a7} (Plug and Play device setup class GUID for an SBP-2 drive)
Warning: An Enterprise license is required to use Device Guard / Credential Guard.
Update: VMware Workstation Pro 15.5.5 can now run on Windows 10 hosts with Hyper-V enabled (Device Guard/Credential Guard). This requires Windows 10 version 2004 (20H1 build 19041.264) and above.
- ID 1614: Set Turn On Virtualization Based Security to Enabled
- ID 1615, ID 1616: Set Select Platform Security Level to Secure Boot and DMA Protection
- ID 1617, ID 1619: Set Credential Guard Configuration to Enabled with UEFI lock
- ID 1618, ID 1620: Set Virtualization Based Protection of Code Integrity to Enabled with UEFI lock
- ID 1623: Set Require UEFI Memory Attributes Table to Enabled
- ID 1621: Set Secure Launch Configuration to Enabled
- ID 1622: Use a Windows Defender Application Control policy
- ID 1630: Set Boot-Start Driver Initialization Policy to Enabled: Good, unknown and bad but critical
- Set Configure registry policy processing To Enabled
- ID 1631: Set Process even if the Group Policy objects have not changed to True
- ID 1632: Set Do not apply during periodic background processing to False
- ID 1640: Set Internet Communication settings\Turn off the Windows Messenger Customer Experience Improvement Program to Enabled
- ID 1641: Set Internet Communication settings\Turn off downloading of print drivers over HTTP to Enabled
- ID 1642, ID 1643: Set Internet Communication settings\Turn off Windows Error Reporting to Enabled
- ID 1644: Set Internet Communication settings\Turn off Internet download for Web publishing and online ordering wizards to Enabled
- ID 1645: Set Internet Communication settings\Turn off Windows Customer Experience Improvement Program to Enabled
- ID 1650: Set Enumeration policy for external devices incompatible with Kernel DMA Protection to Enabled: Block all
- ID 1660: Set Turn on convenience PIN sign-in to Disabled
- ID 1661: Set Turn off app notifications on the lock screen to Enabled
- ID 1662: Set Do not display network selection UI to Enabled
- ID 1670: Set Untrusted Font Blocking to Enabled: Block untrusted fonts and log events
- ID 1680: Set Allow Clipboard synchronization across devices to Disabled
- ID 1685: Set Sleep Settings\Require a password when a computer wakes (plugged in) to Enabled
- ID 1686: Set Sleep Settings\Require a password when a computer wakes (on battery) to Enabled
- ID 1687: Set Sleep Settings\Allow standby states (S1-S3) when sleeping (plugged in) to Disabled
- ID 1688: Set Sleep Settings\Allow standby states (S1-S3) when sleeping (on battery) to Disabled
- ID 1690: Set Configure Offer Remote Assistance to Disabled
- ID 1691: Set Configure Solicited Remote Assistance to Disabled
- ID 1692: Set Enable RPC Endpoint Mapper Client Authentication to Enabled
- ID 1693: Set Restrict Unauthenticated RPC clients to Enabled: Authenticated without exceptions
- ID 1694: Set Security Settings\Enable svchost.exe mitigation options to Enabled
- ID 1695: Set Windows Performance PerfTrack\Enable/Disable PerfTrack to Disabled
- ID 1696: Set Turn off the advertising ID to Enabled
- ID 1697: Set Time Providers\Enable Windows NTP Client to Enabled
- ID 1698: Set Time Providers\Enable Windows NTP Server to Disabled
- ID 1700: Set Allow a Windows app to share application data between users to Disabled
- ID 1701: Set Let Windows apps activate with voice while the system is locked to Enabled: Force Deny
- ID 1702: Set Block launching Universal Windows apps with Windows Runtime API access from hosted content to Enabled
- ID 1703: Set Turn off Application Telemetry to Enabled
- ID 1704: Set Turn off Autoplay to Enabled: All drives
- ID 1705: Set Disallow Autoplay for non-volume devices to Enabled
- ID 1706: Set Set the default behavior for AutoRun to Enabled: Do not execute any autorun commands
- ID 1707: Set Allow the use of biometrics to Disabled
- ID 1773: Set Facial Features: Configure enhanced anti-spoofing to Enabled
- ID 1761: Set Choose drive encryption method and cipher strength (for operating system drives) to XTS-AES 128-bit
- ID 1762: Check used BitLocker drive encryption method (for operation system drives): XtsAes128
- ID 1709: Set Disable new DMA devices when this computer is locked to Enabled
- ID 1710: Set Operating System Drives\Allow Secure Boot for integrity validation to Enabled
- ID 1711: Set Operating System Drives\Require additional authentication at startup to Enabled
- ID 1715: Set Allow BitLocker without a compatible TPM to False
- ID 1716: Set Configure TPM startup to Do not allow TPM
- ID 1717: Set Configure TPM startup PIN to Require startup PIN with TPM
- ID 1718: Set Configure TPM startup key to Do not allow startup key with TPM
- ID 1719: Set Configure TPM startup key and PIN to Do not allow startup key and PIN with TPM
- ID 1712: Set Operating System Drives\Allow enhanced PINs for startup to Enabled
- ID 1713: Set Operating System Drives\Configure use of hardware-based encryption for operating system drives to Enabled
- ID 1714: Set Use BitLocker software-based encryption when hardware encryption is not available to True
- ID 1763: Set Operating System Drives: Configure minimum PIN length for startup to 8 or higher
- ID 1720: Set Do not show Windows tips to Enabled
- ID 1721: Set Turn off Microsoft consumer experiences to Enabled
- ID 1722: Set Do not display the password reveal button to Enabled
- ID 1724: Set Enumerate administrator accounts on elevation to Disabled
- ID 1725: Set Allow Telemetry to Enabled: 0 - Security [Enterprise Only] or Enabled: 1 - Basic
- ID 1726: Set Allow device name to be sent in Windows diagnostic data to Disabled
- ID 1727: Set Download Mode to Enabled: Simple (99)
- ID 1728: Set Application\Specify the maximum log file size (KB) to Enabled: 32768 or higher
- ID 1729: Set Security\Specify the maximum log file size (KB) to Enabled: 196608 or higher
- ID 1730: Set System\Specify the maximum log file size (KB) to Enabled: 32768 or higher
- ID 1774: Set Microsoft-Windows-PowerShell/Operational\Specify the maximum log file size (KB) to Enabled: 268435456 or higher
- Add MaxSize=dword:10000000 to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-PowerShell/Operational
- ID 1775: Set PowerShellCore/Operational\Specify the maximum log file size (KB) to Enabled: 268435456 or higher
- Add MaxSize=dword:10000000 to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\PowerShellCore/Operational
- ID 1731: Set Allow the use of remote paths in file shortcut icons to Disabled
- ID 1732: Set Prevent the computer from joining a homegroup to Enabled
- ID 1800: Set Turn off Microsoft Defender Antivirus to Disabled
- ID 1826: Set Enable Tamper Protection (Status) to Enabled
- ID 1801: Set Configure detection for potentially unwanted applications to Enabled: Audit Mode
- ID 1806: Set Exclusions\Extension Exclusions to Disabled
- ID 1807: Do not use exclusions for extensions: empty list
- ID 1808: Set Exclusions\Path Exclusions to Disabled
- ID 1809: Do not use exclusions for paths: empty list
- ID 1810: Set Exclusions\Process Exclusions to Disabled
- ID 1811: Do not use exclusions for processes: empty list
- ID 1816: Set MAPS: Join Microsoft MAPS to Enabled: Advanced MAPS
- ID 1817: Set MAPS: Configure the 'Block at First Sight' feature to Enabled
- ID 1818: Set MAPS: Send file samples when further analysis is required to Disabled (Always prompt)
- ID 1819: Set MpEngine: Enable file hash computation feature to Enabled
- ID 1820: Set MpEngine: Select cloud protection level to Enabled: High blocking level or higher
- ID 1821: Set Real-time Protection: Scan all downloaded files and attachments to Enabled
- ID 1822: Set Real-time Protection: Turn off real-time protection to Disabled
- ID 1823: Set Real-time Protection: Turn on behavior monitoring (Policy) to Enabled
- ID 1824: Set Real-time Protection: Turn on script scanning to Enabled
- ID 1825: Set Scan: Scan removable drives to Enabled
- ID 1812: Enable sandboxing for Microsoft Defender Antivirus
- ID 1900: Set Microsoft Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules to Enabled
- Apply these rules (set 'Value' to '1', i.e. Block Mode):
- ID 1901: be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - Block executable content from email client and webmail
- ID 1902: d4f940ab-401b-4efc-aadc-ad5f3c50688a - Block Office applications from creating child processes
- ID 1903: 3b576869-a4ec-4529-8536-b80a7769e899 - Block Office applications from creating executable content
- ID 1904: 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 - Block Office applications from injecting into other processes
- ID 1905: d3e037e1-3eb8-44c8-a917-57927947596d - Impede JavaScript and VBScript to launch executables
- ID 1906: 5beb7efe-fd9a-4556-801d-275e5ffc04cc - Block execution of potentially obfuscated scripts
- ID 1907: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b - Block Win32 imports from Macro code in Office
- ID 1908: 01443614-cd74-433a-b99e-2ecdc07bfc25 - Block executable files from running unless they meet a prevalence, age, or trusted list criteria
- ID 1909: c1db55ab-c21a-4637-bb3f-a12568109d35 - Use advanced protection against ransomware
- ID 1910: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 - Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- ID 1911: d1e49aac-8f56-4280-b9ba-993a6d77406c - Block process creations originating from PSExec and WMI commands
- ID 1912: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 - Block untrusted and unsigned processes that run from USB
- ID 1913: 26190899-1602-49e8-8b27-eb1d0a1ce869 - Block Office communication applications from creating child processes
- ID 1914: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c - Block Adobe Reader from creating child processes
- ID 1915: e6db77e5-3df2-4cf1-b95a-636979351e5b - Block persistence through WMI event subscription
- ID 1930: 56a863a9-875e-4185-98a7-b882c64b5ce5 - Block abuse of exploited vulnerable signed drivers
- ID 1966: Set Microsoft Defender Exploit Guard\Attack Surface Reduction\Exclude files and paths from Attack Surface Reduction Rules (Policy) to Disabled
- ID 1967: Do not use exclusions for ASR Rules: empty list
- ID 1965: Set Microsoft Defender Exploit Guard\Network Protection\Prevent users and apps from accessing dangerous websites to Block
Application Guard can be used in Standalone mode on Windows 10 Pro and Enterprise edition, and in Enterprise-managed mode in Windows 10 Enterprise. To use Application Guard in standalone mode, Microsoft Edge must be started manually with Application Guard.
In enterprise-managed mode, trusted zones can be defined via the network isolation settings and then Application Guard is automatically applied.
- ID 1980: Enable Support for Microsoft Defender Application Guard
- Check status: Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
- Enable: Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
- ID 1981: Set Turn on Microsoft Defender Application Guard in Managed Mode to Enabled: 3 (Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments)
- ID 1982: Set Allow auditing events in Microsoft Defender Application Guard to Enabled
- ID 1767: Set Enable news and interests on the taskbar to Disabled
- ID 1733: Set Prevent the usage of OneDrive for file storage to Enabled
- ID 1734: Set Remote Desktop Connection Client\Do not allow passwords to be saved to Enabled
- ID 1735: Set Remote Desktop Session Host\Connections\Allow users to connect remotely by using Remote Desktop Services to Disabled
- ID 1736: Set Remote Desktop Session Host\Device and Resource Redirection\Do not allow drive redirection to Enabled
- ID 1737: Set Remote Desktop Session Host\Security\Always prompt for password upon connection to Enabled
- ID 1738: Set Remote Desktop Session Host\Security\Require secure RPC communication to Enabled
- ID 1739: Set Remote Desktop Session Host\Security\Set client connection encryption level to Enabled: High Level
- ID 1740: Set Allow Cloud Search to Disabled
- ID 1741: Set Allow Cortana to Disabled
- ID 1742: Set Allow Cortana above lock screen to Disabled
- ID 1743: Set Allow indexing of encrypted files to Disabled
- ID 1744: Set Allow search and Cortana to use location to Disabled
- ID 1745: Set Set what information is shared in Search to Enabled: Anonymous info
- ID 1746: Set Disable Windows Error Reporting to Enabled
- ID 1747: Set Enables or disables Windows Game Recording and Broadcasting to Disabled
- ID 1748: Set Allow Windows Ink Workspace to Disabled
- ID 1749: Set Always install with elevated privileges to Disabled
- ID 1750: Set Allow user control over installs to Disabled
- ID 1751: Set Prevent Internet Explorer security prompt for Windows Installer scripts to Disabled
- ID 1770: Disable Co-Installer (USB AutoInstall)
- Add DisableCoInstallers=dword:00000001 to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer
- ID 1752: Set Sign-in and lock last interactive user automatically after a restart to Disabled
- ID 1753: Set WinRM Client\Allow Basic authentication to Disabled
- ID 1754: Set WinRM Client\Allow unencrypted traffic to Disabled
- ID 1755: Set WinRM Client\Disallow Digest authentication to Enabled
- ID 1756: Set WinRM Service\Allow remote server management through WinRM to Disabled
- ID 1757: Set WinRM Service\Allow Basic authentication to Disabled
- ID 1758: Set WinRM Service\Allow unencrypted traffic to Disabled
- ID 1759: Set WinRM Service\Disallow WinRM from storing RunAs credentials to Enabled
- ID 1760: Set Allow Remote Shell Access to Disabled
- ID 2000, ID 2001: Set Explorer\Configure Windows Defender SmartScreen to Enabled: Warn and prevent bypass
- ID 2105: Set Turn on Module Logging to Enabled
- ID 2106: Set Turn on Module Logging - Module Names to * (Wildcard)
- ID 2100, ID 2101: Set Turn on PowerShell Script Block Logging to Enabled
- ID 2102, 2107: Set Turn on PowerShell Transcription to Enabled, Include invocation headers
- ID 2103, ID 2104: Remove PowerShell Version 2
- ID 2200: Set LSASS Protection Mode to Enabled
- Add RunAsPPL=dword:00000001 to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- ID 2201: Set LSASS Audit Mode to Enabled
- Add AuditLevel=dword:00000008 to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe
- ID 2202: Set NetBT NodeType configuration to P-node
- Add NodeType=dword:00000002 to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
- ID 2203: Set WDigest Authentication to Disabled
- Add UseLogonCredential=dword:00000000 to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
- ID 2209: Set Enable Structured Exception Handling Overwrite Protection (SEHOP) to Enabled
- Add DisableExceptionChainValidation=dword:00000000 to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel
- ID 2210: Set Limits print driver installation to Administrators to Enabled
- Add RestrictDriverInstallationToAdministrators=dword:00000001 to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- ID 2211: Set Configure RPC packet level privacy setting for incoming connections to Enabled
- Add RpcAuthnLevelPrivacyEnabled=dword:00000001 to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print
- ID 2212: Set Manage processing of Queue-specific files to Enabled
- Add CopyFilesPolicy=dword:00000001 to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers
- ID 2204: Set Enable Safe DLL search mode to Enabled
- Add SafeDLLSearchMode=dword:00000001 to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
- ID 2205: Set MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) to Highest protection, source routing is completely disabled
- Add DisableIPSourceRouting=dword:00000002 to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters
- ID 2206: Set MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) to Highest protection, source routing is completely disabled
- Add DisableIPSourceRouting=dword:00000002 to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
- ID 2207: Set MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes to Disabled
- Add EnableICMPRedirect=dword:00000000 to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
- ID 2208: Set MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers to Enabled
- Add NoNameReleaseOnDemand=dword:00000001 to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters
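The registry-backed items above (IDs 2200 to 2212) can be checked for drift with the following PowerShell script, an added example that is not part of the checklist or of HardeningKitty. It reads each value and reports missing or deviating entries; only -Apply writes, and writing requires an elevated shell.

```powershell
# Added example: compare the registry values of IDs 2200-2212 with the live
# registry. A missing value is reported as FAIL because the checklist says to
# add it explicitly. Nothing is written unless -Apply is given.
param([switch]$Apply)

# Paths, value names and DWORD values exactly as given in the checklist.
$Expected = @(
    @{ Id = '2200'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                     Name = 'RunAsPPL';                                   Value = 1 }
    @{ Id = '2201'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'; Name = 'AuditLevel'; Value = 8 }
    @{ Id = '2202'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters';       Name = 'NodeType';                                   Value = 2 }
    @{ Id = '2203'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Name = 'UseLogonCredential';                       Value = 0 }
    @{ Id = '2209'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel';  Name = 'DisableExceptionChainValidation';            Value = 0 }
    @{ Id = '2210'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'; Name = 'RestrictDriverInstallationToAdministrators'; Value = 1 }
    @{ Id = '2211'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print';                   Name = 'RpcAuthnLevelPrivacyEnabled';                Value = 1 }
    @{ Id = '2212'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers';          Name = 'CopyFilesPolicy';                            Value = 1 }
    @{ Id = '2204'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';         Name = 'SafeDLLSearchMode';                          Value = 1 }
    @{ Id = '2205'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters';      Name = 'DisableIPSourceRouting';                     Value = 2 }
    @{ Id = '2206'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';       Name = 'DisableIPSourceRouting';                     Value = 2 }
    @{ Id = '2207'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';       Name = 'EnableICMPRedirect';                         Value = 0 }
    @{ Id = '2208'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters';       Name = 'NoNameReleaseOnDemand';                      Value = 1 }
)

function Test-RegistryValue {
    param([string]$Path, [string]$Name, [int]$Value)
    # Get-ItemProperty returns $null (no exception) when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return @{ Present = $false; Actual = $null; Ok = $false }
    }
    $actual = [int]$item.$Name
    return @{ Present = $true; Actual = $actual; Ok = ($actual -eq $Value) }
}

$drift = @()
foreach ($e in $Expected) {
    $r = Test-RegistryValue -Path $e.Path -Name $e.Name -Value $e.Value
    $actualText = if ($r.Present) { $r.Actual } else { 'missing' }
    $status     = if ($r.Ok) { 'PASS' } else { 'FAIL' }
    '{0} ID {1}: {2}\{3} = {4} (expected {5})' -f $status, $e.Id, $e.Path, $e.Name, $actualText, $e.Value
    if (-not $r.Ok) { $drift += $e }
}
"$($drift.Count) of $($Expected.Count) registry settings deviate from the checklist"

if ($Apply) {
    foreach ($e in $drift) {
        # Create the key if it does not exist yet, then write the DWORD.
        if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
        New-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value -PropertyType DWord -Force | Out-Null
    }
}
```

The same function covers the HKEY_CURRENT_USER Office entries listed later on this page once they are added to the table with HKCU: paths.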
- ID 2400: Disable the task XblGameSave Standby Task
- ID 2401, 2402: Disable the service Print Spooler (Spooler)
- ID 2411, 2412: Disable the service WebClient (WebClient)
- ID 2403, 2404: Disable the service Xbox Accessory Management Service (XboxGipSvc)
- ID 2405, 2406: Disable the service Xbox Live Auth Manager (XblAuthManager)
- ID 2407, 2408: Disable the service Xbox Live Game Save (XblGameSave)
- ID 2409, 2410: Disable the service Xbox Live Networking Service (XboxNetApiSvc)
- ID 1950: Set Control flow guard (CFG) to On by default
- ID 1951, ID 1952: Set Data Execution Prevention (DEP) to On by default
- ID 1954, ID 1955: Set Force randomization for images (Mandatory ASLR) to On by default
- ID 1956, ID 1957: Set Randomize memory allocations (Bottom-up ASLR) to On by default
- ID 1958, ID 1959: Set High-entropy ASLR to On by default
- ID 1960, ID 1961, ID 1962: Set Validate exception chains (SEHOP) to On by default
- ID 1963, ID 1964: Set Validate heap integrity to On by default
These settings can be exported as an XML file and loaded via Group Policy Computer Configuration\Administrative Templates\Windows Components\Windows Defender Exploit Guard\Exploit Protection\Use a common set of exploit protection settings. It is also possible to configure policies per application.
Example of an XML configuration file:
<?xml version="1.0" encoding="UTF-8"?>
<MitigationPolicy>
  <SystemConfig>
    <DEP Enable="true" EmulateAtlThunks="false" />
    <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="true" />
    <ControlFlowGuard Enable="true" SuppressExports="false" />
    <Fonts DisableNonSystemFonts="true" AuditOnly="false" Audit="false" />
    <SEHOP Enable="true" TelemetryOnly="false" />
    <Heap TerminateOnError="true" />
  </SystemConfig>
</MitigationPolicy>
- ID 1953: Force the use of Data Execution Prevention (DEP): bcdedit.exe /set nx AlwaysOn (default is OptIn)
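Besides Group Policy, the XML above can be applied locally and verified with the ProcessMitigations cmdlets. The following PowerShell script is an added example, not part of the checklist or of HardeningKitty: it writes the XML shown above to a file, applies it system-wide with Set-ProcessMitigation when started with -Apply, and then compares the effective state reported by Get-ProcessMitigation -System and bcdedit with the expected values. The file location is an assumed default.

```powershell
# Added example: apply and verify the system-wide exploit protection settings
# of IDs 1950-1964 and the DEP boot setting of ID 1953. Run elevated.
param(
    [string]$PolicyPath = "$env:TEMP\ExploitProtection.xml",   # assumed location
    [switch]$Apply
)

# Same content as the XML example in the checklist.
$PolicyXml = @'
<?xml version="1.0" encoding="UTF-8"?>
<MitigationPolicy>
  <SystemConfig>
    <DEP Enable="true" EmulateAtlThunks="false" />
    <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="true" />
    <ControlFlowGuard Enable="true" SuppressExports="false" />
    <Fonts DisableNonSystemFonts="true" AuditOnly="false" Audit="false" />
    <SEHOP Enable="true" TelemetryOnly="false" />
    <Heap TerminateOnError="true" />
  </SystemConfig>
</MitigationPolicy>
'@

if ($Apply) {
    Set-Content -Path $PolicyPath -Value $PolicyXml -Encoding UTF8
    Set-ProcessMitigation -PolicyFilePath $PolicyPath
}

# Expected system-wide state, keyed by the property path of the
# Get-ProcessMitigation -System output (group.property), ON for true, OFF for false.
$Expected = @{
    'Dep.Enable'                       = 'ON'
    'Dep.EmulateAtlThunks'             = 'OFF'
    'Aslr.ForceRelocateImages'         = 'ON'
    'Aslr.RequireInfo'                 = 'OFF'
    'Aslr.BottomUp'                    = 'ON'
    'Aslr.HighEntropy'                 = 'ON'
    'ControlFlowGuard.Enable'          = 'ON'
    'ControlFlowGuard.SuppressExports' = 'OFF'
    'Fonts.DisableNonSystemFonts'      = 'ON'
    'SEHOP.Enable'                     = 'ON'
    'SEHOP.TelemetryOnly'              = 'OFF'
    'Heap.TerminateOnError'            = 'ON'
}

function Get-SystemMitigationState {
    # Reads the effective settings; each value prints as ON, OFF or NOTSET.
    $sys   = Get-ProcessMitigation -System
    $state = @{}
    foreach ($key in $Expected.Keys) {
        $group, $prop = $key.Split('.')
        $state[$key] = "$($sys.$group.$prop)"
    }
    return $state
}

$state = Get-SystemMitigationState
foreach ($key in ($Expected.Keys | Sort-Object)) {
    $want = $Expected[$key]
    $have = $state[$key]
    # A "true" attribute needs ON; a "false" one is satisfied by OFF or NOTSET.
    $ok     = if ($want -eq 'ON') { $have -eq 'ON' } else { $have -ne 'ON' }
    $status = if ($ok) { 'PASS' } else { 'FAIL' }
    '{0} {1,-34} {2} (expected {3})' -f $status, $key, $have, $want
}

# ID 1953: the boot entry shows "nx AlwaysOn" once DEP is forced; when the
# default (OptIn) is in effect bcdedit lists no nx line at all.
$nxLine = bcdedit /enum '{current}' | Select-String -Pattern '^nx\s+(\S+)'
$nx = if ($nxLine) { $nxLine.Matches[0].Groups[1].Value } else { 'OptIn (default, not listed)' }
$status = if ($nx -eq 'AlwaysOn') { 'PASS' } else { 'FAIL' }
'{0} bcdedit nx = {1} (expected AlwaysOn)' -f $status, $nx
```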
- ID 4307, ID 4308: Set Turn on Module Logging to Enabled, Use Windows PowerShell Policy setting
- ID 4309: Set Turn on Module Logging - Module Names to * (Wildcard)
- ID 4310, ID 4311, ID 4312: Set Turn on PowerShell Script Block Logging to Enabled, Log script block invocation, Use Windows PowerShell Policy setting
- ID 4313, ID 4314, ID 4315: Set Turn on PowerShell Transcription to Enabled, Include invocation headers, Use Windows PowerShell Policy setting
- ID 4001: Set Turn off toast notifications on the lock screen to Enabled
- ID 4100: Set Internet Communication Settings\Turn off Help Experience Improvement Program to Enabled
- ID 4200: Set Do not use diagnostic data for tailored experiences to Enabled
- ID 4201: Set Do not suggest third-party content in Windows spotlight to Enabled
- ID 4202: Set Always install with elevated privileges to Disabled
- ID 4304: Set Turn on Module Logging to Enabled
- ID 4305: Set Turn on Module Logging - Module Names to * (Wildcard)
- ID 4300, ID 4301: Set Turn on PowerShell Script Block Logging to Enabled
- ID 4302, ID 4306: Set Turn on PowerShell Transcription to Enabled, Include invocation headers
- ID 4303: Use ConstrainedLanguageMode for users who do not need PowerShell
For Office 365 hardening, the finding lists Microsoft 365 Apps (Machine) and Microsoft 365 Apps (User) should be used. Only stricter recommendations and additional settings are listed here.
- ID 4400: Set Macro Runtime Scan Scope to Enable for all documents
- ID 4401: Set Always prevent untrusted Microsoft Query files from opening to Enabled
- ID 4405: Set Don’t allow Dynamic Data Exchange (DDE) server launch in Excel to Enabled
- ID 4406: Set Don’t allow Dynamic Data Exchange (DDE) server lookup in Excel to Enabled
- ID 4407: Set Block macros from running in Office files from the Internet to Enabled
- ID 4408, ID 4409: Set VBA Macro Notification Settings to Disable all
- ID 4411: Set Block macros from running in Office files from the Internet to Enabled
- ID 4412: Set VBA Macro Notification Settings to Disable all
- ID 4415: Set Block macros from running in Office files from the Internet to Enabled
- ID 4416, ID 4417: Set VBA Macro Notification Settings to Disable all
Apply the following registry settings for your main/working user(s):
- ID 4402, ID 4403, ID 4404: Excel registry settings
- ID 4410: OneNote registry settings
- ID 4413, ID 4414: Word registry settings
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Options]
"DontUpdateLinks"=dword:00000001
"DDEAllowed"=dword:00000000
"DDECleaned"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\Options]
"DisableEmbeddedFiles"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options\WordMail]
"DontUpdateLinks"=dword:00000001
- ID 4418: Disable the Office 365 Telemetry module (undocumented)
[HKEY_CURRENT_USER\Software\Policies\Microsoft\office\common\clienttelemetry]
"DisableTelemetry"=dword:00000001
- ID 4419: Set Allow the use of connected experiences in Office to Disabled
[HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\common\privacy]
"disconnectedstate"=dword:00000002
- ID 4420: Set Allow the use of connected experiences that analyze content to Disabled
[HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\common\privacy]
"usercontentdisabled"=dword:00000002
- ID 4421: Set Allow the use of connected experiences that download online content to Disabled
[HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\common\privacy]
"downloadcontentdisabled"=dword:00000002
- ID 4422: Set Allow the use of additional optional connected experiences to Disabled
[HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\common\privacy]
"controllerconnectedservicesenabled"=dword:00000002
- ID 4423: Set Configure the level of client software diagnostic data sent by Office to Microsoft to Neither
[HKEY_CURRENT_USER\Software\Policies\Microsoft\office\common\clienttelemetry]
"sendtelemetry"=dword:00000003
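To verify the per-user Office values above after they have been applied (via .reg import, Group Policy or Set-ItemProperty), here is an added PowerShell audit; it is example code, not part of the HardeningKitty checklist or tool. It reads the keys under HKCU for the current user and reports OK, Wrong or Missing per value, and can optionally write the expected values.

```powershell
# Added example (not from the original checklist): audits the per-user Office
# registry values listed above and reports which are missing or wrong. Run in
# the context of the user being checked, since the keys live under HKCU.
$Expected = @(
    @{ Path = 'HKCU:\Software\Microsoft\Office\16.0\Excel\Options';   Name = 'DontUpdateLinks'; Value = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Office\16.0\Excel\Options';   Name = 'DDEAllowed';      Value = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Office\16.0\Excel\Options';   Name = 'DDECleaned';      Value = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Office\16.0\OneNote\Options'; Name = 'DisableEmbeddedFiles'; Value = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Office\16.0\Word\Options';    Name = 'DontUpdateLinks'; Value = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Office\16.0\Word\Options\WordMail'; Name = 'DontUpdateLinks'; Value = 1 },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\office\common\clienttelemetry'; Name = 'DisableTelemetry'; Value = 1 },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\office\common\clienttelemetry'; Name = 'sendtelemetry';     Value = 3 },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\office\16.0\common\privacy'; Name = 'disconnectedstate';        Value = 2 },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\office\16.0\common\privacy'; Name = 'usercontentdisabled';      Value = 2 },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\office\16.0\common\privacy'; Name = 'downloadcontentdisabled';  Value = 2 },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\office\16.0\common\privacy'; Name = 'controllerconnectedservicesenabled'; Value = 2 }
)

function Test-OfficeHardening {
    param([hashtable[]]$Settings, [switch]$Fix)
    foreach ($s in $Settings) {
        $actual = $null
        if (Test-Path $s.Path) {
            # Dynamic property lookup: the value name comes from the table entry
            $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        }
        $status = if ($null -eq $actual) { 'Missing' } elseif ($actual -eq $s.Value) { 'OK' } else { 'Wrong' }
        if ($Fix -and $status -ne 'OK') {
            # Create the key if needed, then write the expected DWORD
            if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
            $status = 'Fixed'
        }
        [pscustomobject]@{ Key = $s.Path; Name = $s.Name; Expected = $s.Value; Actual = $actual; Status = $status }
    }
}

Test-OfficeHardening -Settings $Expected | Format-Table -AutoSize
# Test-OfficeHardening -Settings $Expected -Fix   # write the missing/wrong values
```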
- Set Show notification on the lock screen to Off (Already managed by Group policy)
- Set Show reminders and incoming VoIP calls on the lock screen to Off
- ID 4500: Set Show me the Windows welcome experience after updates and occasionally when I sign in to highlight what's new and suggested to Off
- ID 4501: Set Get tips, tricks, and suggestions as you use Windows to Off
- ID 4502, ID 4503: Set Shared across devices to Off
- Set Clipboard history to Off
- Set Sync across devices to Off (Already managed by Group policy)
- ID 4504: Set Autocorrect misspelled words to Off
- ID 4505: Set Use AutoPlay for all media and devices to Off
- Set Random hardware addresses to On
- Set Let me use Online Sign-Up to get connected to Off
- Go to Change Adapter Options
- Disable File and Printer Sharing for Microsoft Networks for each adapter
- Disable NetBIOS in Advanced TCP/IP Settings for each adapter
- Set Get fun facts, tips, tricks, and more on your lock screen to Off
- Set Show more tiles on Start to Off
- Set Show suggestions occasionally in Start to Off
- Set Windows Cloud Search to Off
The basic recommendation is to deactivate all access. However, this should not limit functionality: if an app legitimately needs the microphone, for example, grant it access. Be careful with the settings for background apps as well; switching everything off there can lead to unexpected behaviour.
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set Diagnostic data to Basic (Already managed by Group policy)
- Set Improve inking and typing to Off (Already managed by Group policy)
- Set Tailored experiences to Off
- Set View diagnostic data to Off
- Set Windows should ask for my feedback to Never
- Set Recommended troubleshooting to Ask me before fixing problems
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set Allow downloads to Do not allow
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set everything to Off
- Set Allow downloads from other PCs to Off
Remove all unnecessary Apps like Xbox* or YourPhone:
Get-AppxPackage -Name Microsoft.XboxGameOverlay | Remove-AppxPackage
List of Apps (your mileage may vary):
- Microsoft.People
- Microsoft.XboxGameOverlay
- Microsoft.XboxIdentityProvider
- Microsoft.XboxGameCallableUI
- Microsoft.XboxGamingOverlay
- Microsoft.YourPhone
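The one-liner above removes a package for the current user only. The following added PowerShell (example code, not from the checklist) removes every app in the list for all user profiles and also de-provisions it, so the app is not re-installed when a new user signs in. It assumes an elevated session and a Windows 10 build whose Remove-AppxPackage supports -AllUsers.

```powershell
# Added example (not from the original checklist): remove the listed apps for
# all users and de-provision them so new profiles do not get them back.
# Run as administrator; adjust the list to your needs.
$UnwantedApps = @(
    'Microsoft.People',
    'Microsoft.XboxGameOverlay',
    'Microsoft.XboxIdentityProvider',
    'Microsoft.XboxGameCallableUI',
    'Microsoft.XboxGamingOverlay',
    'Microsoft.YourPhone'
)

function Remove-UnwantedAppx {
    param([string[]]$Names)
    foreach ($name in $Names) {
        # Installed instances across every user profile on this machine
        $installed = Get-AppxPackage -AllUsers -Name $name -ErrorAction SilentlyContinue
        foreach ($pkg in $installed) {
            Write-Host "Removing $($pkg.PackageFullName)"
            Remove-AppxPackage -Package $pkg.PackageFullName -AllUsers -ErrorAction Continue
        }
        # Provisioned copy, which would otherwise be installed for each new user
        $provisioned = Get-AppxProvisionedPackage -Online |
            Where-Object { $_.DisplayName -eq $name }
        foreach ($prov in $provisioned) {
            Write-Host "De-provisioning $($prov.PackageName)"
            Remove-AppxProvisionedPackage -Online -PackageName $prov.PackageName | Out-Null
        }
    }
}

Remove-UnwantedAppx -Names $UnwantedApps

# Anything still listed here survived removal and needs a closer look
Get-AppxPackage -AllUsers | Where-Object { $UnwantedApps -contains $_.Name } |
    Select-Object Name, PackageFullName
```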
- Install Sysmon
- Use your own configuration, mine is based on SwiftOnSecurity/sysmon-config
Add the following rules to Computer Configuration\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security
ID | Name | Type | Rule applies to | Protocol | Local ports | IP addresses | Action | Profile |
---|---|---|---|---|---|---|---|---|
2300 | HardeningKitty-Block-TCP-NetBIOS | Custom Rule | All programs | TCP | 137-139 | Any | Block | All |
2301 | HardeningKitty-Block-TCP-RDP | Custom Rule | All programs | TCP | 3389 | Any | Block | All |
2302 | HardeningKitty-Block-TCP-RPC | Custom Rule | All programs | TCP | 135, 593 | Any | Block | All |
2303 | HardeningKitty-Block-TCP-SMB | Custom Rule | All programs | TCP | 445 | Any | Block | All |
2304 | HardeningKitty-Block-TCP-WinRM | Custom Rule | All programs | TCP | 5985, 5986 | Any | Block | All |
2305 | HardeningKitty-Block-UDP-NetBIOS | Custom Rule | All programs | UDP | 137-139 | Any | Block | All |
2306 | HardeningKitty-Block-UDP-RPC | Custom Rule | All programs | UDP | 135, 593 | Any | Block | All |
ID | Name | Type | Rule applies to | Protocol | Local ports | IP addresses | Action | Profile |
---|---|---|---|---|---|---|---|---|
- | HardeningKitty-Block-TCP-VMware-HTTPS | Custom Rule | All programs | TCP | 443 | Any | Block | All |
- | HardeningKitty-Block-TCP-VMware-authd | Custom Rule | All programs | TCP | 902, 912 | Any | Block | All |
Quote @cryps1s: While not the most glamorous of defensive strategies, those applications are commonly abused by default behaviors for process migration and injection techniques.
ID | Name | Type | Rule applies to | Protocol | Local ports | IP addresses | Action | Profile |
---|---|---|---|---|---|---|---|---|
2307 | HardeningKitty-Block-calc-x64 | Custom Rule | %SystemRoot%\System32\calc.exe | Any | Any | Any | Block | All |
2308 | HardeningKitty-Block-calc-x86 | Custom Rule | %SystemRoot%\Syswow64\calc.exe | Any | Any | Any | Block | All |
2309 | HardeningKitty-Block-certutil-x64 | Custom Rule | %SystemRoot%\System32\certutil.exe | Any | Any | Any | Block | All |
2310 | HardeningKitty-Block-certutil-x86 | Custom Rule | %SystemRoot%\Syswow64\certutil.exe | Any | Any | Any | Block | All |
2311 | HardeningKitty-Block-conhost-x64 | Custom Rule | %SystemRoot%\System32\conhost.exe | Any | Any | Any | Block | All |
2312 | HardeningKitty-Block-conhost-x86 | Custom Rule | %SystemRoot%\Syswow64\conhost.exe | Any | Any | Any | Block | All |
2313 | HardeningKitty--Block-cscript-x64 | Custom Rule | %SystemRoot%\System32\cscript.exe | Any | Any | Any | Block | All |
2314 | HardeningKitty--Block-cscript-x86 | Custom Rule | %SystemRoot%\Syswow64\cscript.exe | Any | Any | Any | Block | All |
2315 | HardeningKitty--Block-mshta-x64 | Custom Rule | %SystemRoot%\System32\mshta.exe | Any | Any | Any | Block | All |
2316 | HardeningKitty--Block-mshta-x86 | Custom Rule | %SystemRoot%\Syswow64\mshta.exe | Any | Any | Any | Block | All |
2317 | HardeningKitty--Block-notepad-x64 | Custom Rule | %SystemRoot%\System32\notepad.exe | Any | Any | Any | Block | All |
2318 | HardeningKitty--Block-notepad-x86 | Custom Rule | %SystemRoot%\Syswow64\notepad.exe | Any | Any | Any | Block | All |
2319 | HardeningKitty--Block-RunScriptHelper-x64 | Custom Rule | %SystemRoot%\System32\RunScriptHelper.exe | Any | Any | Any | Block | All |
2320 | HardeningKitty--Block-RunScriptHelper-x86 | Custom Rule | %SystemRoot%\Syswow64\RunScriptHelper.exe | Any | Any | Any | Block | All |
2321 | HardeningKitty--Block-wscript-x64 | Custom Rule | %SystemRoot%\System32\wscript.exe | Any | Any | Any | Block | All |
2322 | HardeningKitty--Block-wscript-x86 | Custom Rule | %SystemRoot%\Syswow64\wscript.exe | Any | Any | Any | Block | All |
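The three rule tables above (ports 2300-2306 and the program rules 2307-2322) can be created with New-NetFirewallRule instead of the MMC. The following is added example code, not part of HardeningKitty; it assumes the port rules are inbound and the program rules are outbound (the tables do not state a direction), names the program rules in the single-hyphen form of the first rows, and skips rules that already exist so it can be re-run.

```powershell
# Added example (not from the original checklist): create the block rules
# from the tables above. Assumed: port rules = Inbound, program rules =
# Outbound (the checklist gives no direction). Run as administrator.
$PortRules = @(
    @{ Name = 'HardeningKitty-Block-TCP-NetBIOS'; Protocol = 'TCP'; Ports = '137-139' },
    @{ Name = 'HardeningKitty-Block-TCP-RDP';     Protocol = 'TCP'; Ports = '3389' },
    @{ Name = 'HardeningKitty-Block-TCP-RPC';     Protocol = 'TCP'; Ports = '135','593' },
    @{ Name = 'HardeningKitty-Block-TCP-SMB';     Protocol = 'TCP'; Ports = '445' },
    @{ Name = 'HardeningKitty-Block-TCP-WinRM';   Protocol = 'TCP'; Ports = '5985','5986' },
    @{ Name = 'HardeningKitty-Block-UDP-NetBIOS'; Protocol = 'UDP'; Ports = '137-139' },
    @{ Name = 'HardeningKitty-Block-UDP-RPC';     Protocol = 'UDP'; Ports = '135','593' }
)
# Executables that should never reach the network (System32 and SysWOW64 copies)
$BlockedPrograms = 'calc','certutil','conhost','cscript','mshta','notepad','RunScriptHelper','wscript'

function Add-BlockRule {
    param([string]$Name, [hashtable]$Params)
    # Idempotent: leave an existing rule with the same display name alone
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) {
        Write-Host "exists:  $Name"; return
    }
    New-NetFirewallRule -DisplayName $Name -Action Block -Profile Any -Enabled True @Params | Out-Null
    Write-Host "created: $Name"
}

foreach ($r in $PortRules) {
    Add-BlockRule -Name $r.Name -Params @{
        Direction = 'Inbound'; Protocol = $r.Protocol; LocalPort = $r.Ports
    }
}
foreach ($exe in $BlockedPrograms) {
    Add-BlockRule -Name "HardeningKitty-Block-$exe-x64" -Params @{
        Direction = 'Outbound'; Program = "%SystemRoot%\System32\$exe.exe"
    }
    Add-BlockRule -Name "HardeningKitty-Block-$exe-x86" -Params @{
        Direction = 'Outbound'; Program = "%SystemRoot%\SysWOW64\$exe.exe"
    }
}

# Review what is now in place
Get-NetFirewallRule -DisplayName 'HardeningKitty-Block-*' |
    Select-Object DisplayName, Direction, Action, Enabled
```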