/windows_hardening

Windows Hardening settings and configurations

Primary LanguagePowerShellMIT LicenseMIT

Windows 10 Hardening

Introduction

This is a hardening checklist that can be used in private and business environments for hardening Windows 10. The checklist can be used for all Windows versions, but in Windows 10 Home the Group Policy Editor is not integrated and the adjustment must be done directly in the registry.

The settings should be seen as security and privacy recommendation and should be carefully checked whether they will affect the operation of your infrastructure or impact the usability of key functions. It is important to weigh security against usability.

Policy Analyzer

Policy Analzyer reads out and compares local registry and local policy values to a defined baseline. The PolicyRule file from aha-181 contains all rules which are needed to check Group Policy and Registry settings that are defined in the Windows 10 Hardening checklist.

Policy Analyzer supports the Hardening checklist up to version 0.2.0, additional entries are not yet supported.

HardeningKitty

HardeningKitty supports hardening of a Windows system. The configuration of the system is retrieved and assessed using a finding list. In addition, the system can be hardened according to predefined values. HardeningKitty reads settings from the registry and uses other modules to read configurations outside the registry.

Attention: HardeningKitty has a dependency for the tool AccessChk by Mark Russinovich. This must be present on the computer and defined in the script accordingly.

The script was developed for English systems. It is possible that in other languages the analysis is incorrect. Please create an issue if this occurs.

How to run

Run the script with administrative privileges to access machine settings. For the user settings it is better to execute them with a normal user account. Ideally, the user account is used for daily work.

Download HardeningKitty and copy it to the target system (script and lists). Additionally, AccessChk (tested with version 1.6.2) must be available on the target system. The path of the variable $BinaryAccesschk must be modified accordingly. After that HardeningKitty can be imported and executed:

PS C:\> Import-Module Invoke-HardeningKitty.ps1
PS C:\> Invoke-HardeningKitty -EmojiSupport


         =^._.^=
        _(      )/  HardeningKitty


[*] 5/28/2020 4:39:16 PM - Starting HardeningKitty


[*] 5/28/2020 4:39:16 PM - Getting machine information
[*] Hostname: w10
[*] Domain: WORKGROUP

...

[*] 5/28/2020 4:39:21 PM - Starting Category Account Policies
[😺] ID 1100, Account lockout duration, Result=30, Severity=Passed
[😺] ID 1101, Account lockout threshold, Result=5, Severity=Passed
[😺] ID 1102, Reset account lockout counter, Result=30, Severity=Passed

...

[*] 5/28/2020 4:39:23 PM - Starting Category Advanced Audit Policy Configuration
[😼] ID 1513, Kernel Object, Result=, Recommended=Success and Failure, Severity=Low

...

[*] 5/28/2020 4:39:24 PM - Starting Category System
[😿] ID 1614, Device Guard: Virtualization Based Security Status, Result=Not available, Recommended=2, Severity=Medium

...

[*] 5/28/2020 4:39:25 PM - Starting Category Windows Components
[🙀] ID 1708, BitLocker Drive Encryption: Volume status, Result=FullyDecrypted, Recommended=FullyEncrypted, Severity=High

...

[*] 5/28/2020 4:39:34 PM - HardeningKitty is done

Last Update

The lists were last updated/checked against the following Microsoft Security Baseline or other frameworks:

  • Hardening list Windows 10
    • Security baseline for Windows 10 and Windows Server, version 2004
    • Security baseline for Office 365 ProPlus, version 1908
  • finding_list_0x6d69636b_machine and finding_list_0x6d69636b_user
    • Security baseline for Windows 10 and Windows Server, version 2004
    • Security baseline for Office 365 ProPlus, version 1908
    • 0x6d69636b own knowledge
  • finding_list_cis_microsoft_windows_10_enterprise_machine and finding_list_cis_microsoft_windows_10_enterprise_user
    • CIS Microsoft Windows 10 Enterprise (Release 2004) Benchmark v1.9.1 - 10-23-2020
  • finding_list_cis_microsoft_windows_server_2019_machine and finding_list_cis_microsoft_windows_server_2019_user
    • CIS Microsoft Windows Server 2019 RTM (Release 1809) Benchmark v1.1.0 - 01-14-2020
  • finding_list_msft_security_baseline_edge_machine
    • Security baseline for Microsoft Edge, version 86
  • finding_list_msft_security_baseline_windows_10_machine
    • Security baseline for Windows 10 and Windows Server, version 2004
  • finding_list_msft_security_baseline_windows_10_machine_draft
    • Security baseline for Windows 10 and Windows Server, version 2009
  • finding_list_msft_security_baseline_windows_server_dc_machine
    • Security baseline for Windows 10 and Windows Server, version 2004
  • finding_list_msft_security_baseline_windows_server_dc_machine_draft
    • Security baseline for Windows 10 and Windows Server, version 2009
  • finding_list_msft_security_baseline_windows_server_member_machine
    • Security baseline for Windows 10 and Windows Server, version 2004
  • finding_list_msft_security_baseline_windows_server_member_machine_draft
    • Security baseline for Windows 10 and Windows Server, version 2009

Sources