Hardening Categories • How To Use • Features • Related • Trust • Support • Security Recommendations • Resources • License • Wiki • Full change log in Excel online
Use the PowerShell script below to automatically apply the proactive security measures described in this page.
Security for Organizations, Enterprises and Highly secure personal users
Refer to Windows Defender Application Control resources on this GitHub repository.
Use the WDACConfig Module for Advanced Automated WDAC configurations and Application/File whitelisting in Windows.
Read the Rationale behind this GitHub repository
Note Windows by default is secure and safe, this repository does not imply nor claim otherwise. just like anything, you have to use it wisely and don't compromise yourself with reckless behavior and bad user configuration; Nothing is foolproof. This repository only uses the tools and features that have already been implemented by Microsoft in Windows OS to fine-tune it towards the highest security and locked-down state, using well-documented, supported, recommended and official methods. continue reading for comprehensive info.
There are 3 ways you can use this script. Using GitHub and Azure sources means you'll always use the latest version.
When the script is installed using PowerShell Gallery source and you run it, if there is a new version available, you will be prompted to update it.
Note About Invoke-Expression or iex
irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1' | iex
irm 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Harden-Windows-Security.ps1' | iex
Install-Script -Name Harden-Windows-Security
A quick video demonstrating how the Harden-Windows-Security script works
Any device that meets the Windows 11 hardware and Virtualization Based Security requirements. Most of the hardware manufactured in the past few years are supported.
TPM 2.0, Virtualization technology and Secure Boot enabled in your UEFI settings. Official guide - How to enable Secure Boot on: HP - Lenovo - Dell.
Windows editions higher than Home edition.
No 3rd party antivirus or security solution installed.
Latest available version of Windows installed.
Note Restart your device after applying the script, don't use any commands to force Group Policy update.
Always stays up-to-date with the newest proactive security measures.
Everything is in plain text, nothing hidden, no 3rd party executable or pre-compiled binary is involved.
Warning For your own security, do not use any other 3rd party tools, programs or scripts that claim to harden Windows or modify it in any way, unless you can 100% verify it. Never trust 3rd party people on the Internet, always verify their resources and do that after each release. Keep on reading the features to see why this Harden-Windows-Security script is different and read the Trust section to see how you can 100% Trust it.
Doesn't remove or disable Windows functionalities against Microsoft's recommendations.
All of the links and sources are from official Microsoft websites, straight from the source. No bias, No misinformation and definitely No old obsolete methods. That's why there are no links to 3rd party news websites, forums, made up blogs/articles and such.
With the following exceptions
Link Count | Link | Reason |
---|---|---|
1 | Intel website | i7 13700k product page |
1 | state.gov | List of State Sponsors of Terrorism |
1 | orpa.princeton.edu | OFAC Sanctioned Countries |
2 | Wikipedia | TLS - providing additional information |
1 | UK Cyber Security Centre | TLS - providing additional information |
1 | Security.Stackexchange Q&A | TLS - providing additional information |
1 | browserleaks.com/tls | TLS - Browser test |
1 | clienttest.ssllabs.com | TLS - Browser test |
1 | scanigma.com/knowledge-base | TLS - providing additional information |
1 | cloudflare.com/ssl/reference/ | TLS - providing additional information |
1 | github.com/ssllabs/research/ | TLS - providing additional information |
1 | Wayback Machine | Providing additional information about Edge Browser |
The script primarily uses Group policies, the Microsoft recommended way of configuring Windows. It also uses PowerShell cmdlets where Group Policies aren't available, and finally uses a few registry keys to configure security measures that can neither be configured using Group Policies nor PowerShell cmdlets. This is why the script doesn't break anything or cause unwanted behavior.
Warning Any other 3rd party tool/program/script that claims to modify Windows or harden it, if they don't strictly adhere to the official rules above, they can damage your system, cause unknown problems and bugs. How are Group Policies for this script created and maintained?
This Readme page lists all of the security measures applied by this script.
When a hardening measure is no longer necessary because it's applied by default by Microsoft on new builds of Windows, it will also be removed from this script in order to prevent any problems and because it won't be necessary anymore.
The script can be run infinite number of times, it's made in a way that it won't make any duplicate changes.
The script prompts for confirmation before running each hardening category and some sub-categories, so you can selectively run (or don't run) each of them.
Applying this script makes your PC compliant with Microsoft Security Baselines and Secured-core PC specifications (provided that you use modern hardware that supports the latest Windows security features) - See what makes a Secured-core PC - Check Device Guard category for more details.
Secured-core – recommended for the most sensitive systems and industries like financial, healthcare, and government agencies. Builds on the previous layers and leverages advanced processor capabilities to provide protection from firmware attacks.
There are 5 items tagged with #TopSecurity that can cause some inconvenience but increase security even further. When you run this script, you will have an option to enable them if you want to. Press Control + F
and search for #TopSecurity
on this page to find those security measures.
Since I originally created this repository for myself and people I care about, I always maintain it to the highest possible standard.
-
Commands that require Administrator Privileges (click/tap on each of these to see in-depth info)
- May 9 2023 Windows Boot Manager CVE-2023-24932
- Windows Kernel Information Disclosure CVE-2023-32019
- Microsoft Security Baselines
- Microsoft 365 Apps Security Baselines
- Microsoft Defender
- Attack surface reduction rules
- Bitlocker Settings
- TLS Security
- Lock Screen
- UAC (User Account Control)
- Device Guard
- Windows Firewall
- Optional Windows Features
- Windows Networking
- Miscellaneous Configurations
- Windows Update configurations
- Edge Browser configurations
- Certificate Checking Commands
- Country IP Blocking
-
Commands that don't require Administrator Privileges
Indicates the security measure is applied using Group Policies
Indicates the security measure is applied using PowerShell cmdlets or Registry
Automatically applies the security measures described in the KB5025885 document page.
KB5026372 must be installed, so make sure your OS is fully up to date first.
You will need to restart your device once. After restart, wait at least for 5-10 minutes and then restart again, as suggested in the official page.
Microsoft Security Response Center post
Automatically applies the security measures described in the KB5028407 document page.
KB5027231 must be installed, so make sure your OS is fully up to date first.
Microsoft Security Response Center post
A security baseline is a group of Microsoft-recommended configuration settings that explains their security implications. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
Continue reading in the official documentation
Optional Overrides for Microsoft Security Baselines
Highly recommended to apply these overrides, the script will ask you whether you want to apply them or not.
The security baseline for Microsoft 365 Apps for enterprise is published twice a year, usually in June and December.
Microsoft Security Baselines Version Matrix
-
Enables additional security features of Microsoft Defender, You can refer to this official document for full details.
-
This script makes sure Cloud Security Scan and Block At First Sight are enabled to the highest possible security states available, Zero Tolerance Cloud Block level. You need to be aware that this means actions like downloading and opening an unknown file will make Microsoft Defender send samples of it to the Cloud for more advanced analysis and it can take a maximum of 60 seconds (this script sets it to max) from the time you try to open that unknown file to the time when it will be opened (if deemed safe), so you will have to wait. All of these security measures are in place by default in Windows to some extent and happen automatically without the need to run this script, but this script maxes them out and sets them to the highest possible levels at the cost of convenience and usability. It's always a trade-off.
- Here is an example of the notification you will see in Windows 11 if that happens.
-
Enables file hash computation; designed to allow admins to force the anti-malware solution to "compute file hashes for every executable file that is scanned if it wasn't previously computed" to "improve blocking for custom indicators in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
-
Clears Quarantined items after 3 days instead of the default behavior of keeping them indefinitely.
-
Allows Microsoft Defender to download security updates even on a metered connection.
-
Enables Microsoft Defender to scan network drives, restore points, Emails and removable drives during a full scan, so it will take a while to finish a full scan if you have lots of those Items.
-
Sets the Signature Update Interval to every 3 hours instead of automatically.
-
Forces Microsoft Defender to check for new virus and spyware definitions before it runs a scan.
-
Makes Microsoft Defender run catch-up scans for scheduled quick scans. A computer can miss a scheduled scan, usually because the computer is off at the scheduled time, but now after the computer misses two scheduled quick scans, Microsoft Defender runs a catch-up scan the next time someone logs onto the computer.
-
Makes sure Async Inspection for Network protection of Microsoft Defender is turned on - Network protection now has a performance optimization that allows Block mode to start asynchronously inspecting long connections after they're validated and allowed by SmartScreen, which might provide a potential reduction in the cost that inspection has on bandwidth and can also help with app compatibility problems.
-
(Requires additional confirmation to run): Enables Smart App Control (if it's in Evaluation mode): adds significant protection from new and emerging threats by blocking apps that are malicious or untrusted. Smart App Control also helps to block potentially unwanted apps, which are apps that may cause your device to run slowly, display unexpected ads, offer extra software you didn't want, or do other things you don't expect.
-
Smart App Control is User-Mode (and enforces Kernel-Mode) Windows Defender Application Control policy (WDAC), more info in the Wiki. You can see its status in System Information and enable it manually from Microsoft Defender app's GUI. It is very important for Windows and Windows Defender intelligence updates to be always up-to-date in order for Smart App Control to work properly as it relies on live intelligence and definition data from the cloud and other sources to make a Smart decision about programs and files it encounters.
-
Smart App Control uses ISG (Intelligent Security Graph). The ISG isn't a "list" of apps. Rather, it uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good", "known bad", or "unknown" reputation. This cloud-based AI is based on trillions of signals collected from Windows endpoints and other data sources and processed every 24 hours. As a result, the decision from the cloud can change.
-
Smart App Control can block a program entirely from running or only some parts of it in which case your app or program will continue working just fine most of the time. It's improved a lot since it was introduced, and it continues doing so. Consider turning it on after clean installing a new OS and fully updating it.
-
Smart App Control enforces the Microsoft Recommended Driver Block rules and the Microsoft Recommended Block Rules
-
Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows.
-
-
Enables Controlled Folder Access. It helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Due to the recent wave of global ransomware attacks, it is important to use this feature to protect your valuables files, specially OneDrive folders.
- If it blocks a program from accessing one of your folders it protects, and you absolutely trust that program, then you can add it to exclusion list using Microsoft Defender GUI or PowerShell. you can also query the list of allowed apps using PowerShell (commands below). with these commands, you can backup your personalized list of allowed apps, that are relevant to your system, and restore them in case you clean install your Windows.
- The script adds the root of OneDrive folders of all user accounts present when running the script, to the protected folders list of Controlled Folder Access, to provide Ransomware protection for the entire OneDrive folder.
# Add multiple programs to the exclusion list of Controlled Folder Access
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\App\app.exe','C:\Program Files\App2\app2.exe'
# Get the list of all allowed apps
(Get-MpPreference).ControlledFolderAccessAllowedApplications
-
Enables Mandatory ASLR, It might cause compatibility issues only for some poorly-made 3rd party programs, specially portable ones.
- You can add Mandatory ASLR override for a trusted program using the PowerShell command below or in the Program Settings section of Exploit Protection in Microsoft Defender app.
Set-ProcessMitigation -Name "C:\TrustedApp.exe" -Disable ForceRelocateImages
- You can add Mandatory ASLR override for a trusted program using the PowerShell command below or in the Program Settings section of Exploit Protection in Microsoft Defender app.
-
Applies Exploit Protection/Process Mitigations from this list to the following programs:
- All channels of Microsoft Edge browser
- Quick Assist app
- Some System processes, full list available here.
- More apps and processes will be added to the list over time once they are properly validated to be fully compatible.
-
Turns on Data Execution Prevention (DEP) for all applications, including 32-bit programs. By default, the output of
BCDEdit /enum "{current}"
(in PowerShell) for the NX bit isOptIn
but this script sets it toAlwaysOn
-
Check for the latest virus and spyware security intelligence on startup.
-
Specifies the maximum depth to scan archive files to the maximum possible value of
4,294,967,295
-
Defines the maximum size of downloaded files and attachments to be scanned and set it to the maximum possible value of
10,000,000 KB
or10 GB
. the default is20480 KB
or~20MB
-
Enforces all features of the Enhanced Phishing Protection in Microsoft Defender SmartScreen.
-
(Requires additional confirmation to run): Create scheduled task for fast weekly Microsoft recommended driver block list update.
-
(Requires additional confirmation to run): Set Microsoft Defender engine and platform update channel to beta.
-
Detects and blocks potentially unwanted applications - PUA blocking
-
Defines the number of days before spyware and virus security intelligence definitions are considered out of date to 2 days, instead of the default 7 days.
-
Sets the default action for Severe and High threat levels to Remove, for Medium and Low threat levels to Quarantine.
-
Configures real-time protection and Security Intelligence Updates to be enabled during OOBE.
Reducing your attack surface means protecting your devices and network, which leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction rules in Windows can help!
Attack surface reduction rules target certain software behaviors, such as:
- Launching executable files and scripts that attempt to download or run files
- Running obfuscated or otherwise suspicious scripts
- Performing behaviors that apps don't usually initiate during normal day-to-day work
Such software behaviors are sometimes seen in legitimate applications. However, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain software-based risky behaviors and help keep your organization safe.
This script enables all 16 available Attack Surface Reduction rules shown in the official chart.
-
This script sets up and configures Bitlocker using official documentation, with the most secure configuration and Military Grade encryption algorithm, XTS-AES-256, TPM 2.0 and start-up PIN, to protect the confidentiality and integrity of all information at rest and in use.
-
OS drive is automatically encrypted (if it isn't already) when you run this category and select a startup PIN. For every other non-OS drive, there will be prompts for confirmation before encrypting it. Removable flash drives are skipped. Non-OS drives will have Recovery Password and Auto-unlock methods for authentication once they are encrypted.
-
You will be asked to enter a Startup PIN when activating Bitlocker for the first time. Make sure it contains at least 10 characters (uppercase and lowercase letters, symbols, numbers, spaces) and it's not the same as your Windows Hello PIN.
-
Once you run this script for the first time, there will be a text file containing the 48-digit recovery password for each encrypted drive that will be saved in itself, with the names like
Drive C recovery password.txt
. It is very important to keep it in a safe and reachable place, e.g., in OneDrive's Personal Vault which requires authentication to access. See Here and Here for more info about OneDrive's Personal Vault -
TPM has special anti-hammering logic which prevents malicious user from guessing the authorization data indefinitely. Microsoft defines that maximum number of failed attempts in Windows is 32 and every single failed attempt is forgotten after 2 hours. This means that every continuous two hours of powered on (and successfully booted) operation without an event which increases the counter will cause the counter to decrease by 1. You can view all the details using this PowerShell command:
Get-TPM
. -
Check out Lock Screen category for more info about the recovery password and the 2nd anti-hammering mechanism.
-
To have even more security than what the script provides, you can utilize a Startup key in addition to the other 3 key protectors (TPM, Startup PIN and Recovery password). with this method, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the correct PIN is also required.
-
BitLocker will bring you a real security against the theft of your device if you strictly abide by the following basic rules:
-
As soon as you have finished working, either Hibernate or shut Windows down and allow for every shadow of information to disappear from RAM within 2 minutes. This practice is recommended in High-Risk Environments.
-
Do not mix 3rd party encryption software and tools with Bitlocker. Bitlocker creates a secure end-to-end encrypted ecosystem for your device and its peripherals, this secure ecosystem is backed by things such as software, Virtualization Technology, TPM 2.0 and UEFI firmware, Bitlocker protects your data and entire device against real-life attacks and threats. You can encrypt your external SSDs and flash drives with Bitlocker too.
-
-
-
Enables or disables DMA protection from Bitlocker Countermeasures based on the status of Kernel DMA protection. Kernel DMA Protection is not compatible with other BitLocker DMA attacks countermeasures. It is recommended to disable the BitLocker DMA attacks countermeasures if the system supports Kernel DMA Protection (this script does that exactly). Kernel DMA Protection provides higher security bar for the system over the BitLocker DMA attack countermeasures, while maintaining usability of external peripherals. you can check the status of Kernel DMA protection using this official guide.
- Kernel DMA Protection (Memory Access Protection) for OEMs page shows the requirements for Kernel DMA Protection. for Intel CPUs, support for requirements such as VT-X and VT-D can be found in each CPU's respective product page. e.g. Intel i7 13700K
-
Disallows standard (non-Administrator) users from changing the Bitlocker Startup PIN or password
-
Requires you to choose a PIN that contains at least 10 characters
-
Enables Hibernate, adds Hibernate to Start menu's power options and disables Sleep. This feature is only recommended for High-Risk Environments. This is to prevent an Attacker with skill and lengthy physical access to your computer which is the Worst-case Scenario
- Attack Scenario: Targeted attack with plenty of time; this attacker will open the case, will solder, and will use sophisticated hardware or software. Of course, Bitlocker and configurations applied by this script will protect you against that.
- Power states S1-S3 will be disabled in order to completely disable Sleep, doing so also removes the Sleep option from Start menu and even using commands to put the computer to sleep won't work. You will have to restart your device for the changes to take effect.
-
Disallows access to Bitlocker-protected removable data drives from earlier versions of Windows.
Refer to this official documentation about the countermeasures of Bitlocker
Changes made by this category only affect things that use Schannel SSP: that includes IIS web server, built-in inbox Windows apps and some other programs supplied by Microsoft, including Windows network communications, but not 3rd party software that use portable stacks like Java, nodejs, python or php.
If you want to read more: Demystifying Schannel
Note The only known program incompatible with this category is Battle.net game client.
-
Disables TLS 1 and TLS 1.1 security protocols that only exist for backward compatibility. All modern software should and do use
TLS 1.2
andTLS 1.3
. -
Disables MD5 Hashing Algorithm that is only available for backward compatibility
-
Disables the following weak ciphers that are only available for backward compatibility:
"DES 56-bit"
,"RC2 40-bit"
,"RC2 56-bit"
,"RC2 128-bit"
,"RC4 40-bit"
,"RC4 56-bit"
,"RC4 64-bit"
,"RC4 128-bit"
,"3DES 168-bit (Triple DES 168)"
-
Configures the TLS to only use the following secure cipher suites and in this exact order:
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- Configures TLS ECC Curves to use the following prioritized Curves order:
nistP521
curve25519
NistP384
NistP256
- By default, in Windows 11 22H2, the order is this:
curve25519
NistP256
NistP384
-
Automatically locks device after X seconds of inactivity (just like mobile phones), which is set to 120 seconds (2 minutes) in this script, you can change that to any value you like.
-
Requires CTRL+ALT+DEL on the lock screen, kernel protected set of key strokes. The reason and logic behind it is:
- A malicious user might install malware that looks like the standard sign-in dialog box for the Windows operating system and capture a user's password. The attacker can then sign into the compromised account with whatever level of user rights that user has.
-
Enables a security anti-hammering feature that sets a threshold of 6 for the number of failed sign-in attempts that causes the device to be locked by using BitLocker. Sign-in attempts include Windows password or Windows Hello authentication methods. This threshold means, if the specified maximum number of failed sign-in attempts is exceeded, the device will invalidate the Trusted Platform Module (TPM) protector and any other protector except the 48-digit recovery password, and then reboot. During Device Lockout mode, the computer or device only boots into the touch-enabled Windows Recovery Environment (WinRE) until an authorized user enters the recovery password to restore full access.
- This script (in the Bitlocker category) automatically saves the 48-digit recovery password of each drive in itself, the location of it will also be visible on the PowerShell console when you run it. It is very important to keep it in a safe and reachable place, e.g. in OneDrive's Personal Vault which requires authentication to access. See Here and Here for more info about OneDrive's Personal Vault
-
Hides email address of the Microsoft account on lock screen, if your device is in a trusted place like at home then this isn't necessary.
-
Don't display username at sign-in; If a user signs in as Other user, the full name of the user isn't displayed during sign-in. In the same context, if users type their email address and password at the sign-in screen and press Enter, the displayed text "Other user" remains unchanged, and is no longer replaced by the user's first and last name, as in previous versions of Windows 10. Additionally, if users enter their domain user name and password and click Submit, their full name isn't shown until the Start screen displays.
- Useful If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have devices with sensitive data that are remotely accessed, revealing logged on user's full names or domain account names
-
#TopSecurity Don't display last signed-in; This security policy setting determines whether the name of the last user to sign in to the device is displayed on the Secure Desktop. If this policy is enabled, the full name of the last user to successfully sign in isn't displayed on the Secure Desktop, nor is the user's sign-in tile displayed. Additionally, if the Switch user feature is used, the full name and sign-in tile aren't displayed. The sign-in screen requests a qualified domain account name (or local user name) and password.
- This feature can be useful to enable if you live in High-Risk Environments and you don't want anyone to get any information about your device when it's locked and you're not around.
-
Don't Display Network Selection UI on Lock Screen (like WIFI Icon); This setting allows you to control whether anyone can interact with available networks UI on the logon screen. Once enabled, the device's network connectivity state cannot be changed without signing into Windows. Suitable for High-Risk Environments.
-
Prompt for elevation of privilege on secure desktop for all binaries in Administrator accounts, which presents the sign-in UI and restricts functionality and access to the system until the sign-in requirements are satisfied. The secure desktop's primary difference from the user desktop is that only trusted processes running as SYSTEM are allowed to run here (that is, nothing is running at the user's privilege level). The path to get to the secure desktop from the user desktop must also be trusted through the entire chain.
- This is the default behavior: prompt the administrator in Admin Approval Mode to select either "Permit" or "Deny" for an operation that requires elevation of privilege for any non-Windows binaries. If the Consent Admin selects Permit, the operation will continue with the highest available privilege. This operation will happen on the secure desktop
- This is the behavior that this script sets: prompts the administrator in Admin Approval Mode to select either "Permit" or "Deny" an operation that requires elevation of privilege. If the Consent Admin selects Permit, the operation will continue with the highest available privilege. "Prompt for consent" removes the inconvenience of requiring that users enter their name and password to perform a privileged task. This operation occurs on the secure desktop.
-
#TopSecurity Only elevate executables that are signed and validated by enforcing cryptographic signatures on any interactive application that requests elevation of privilege. One of the Potential impacts of it is that it can prevent certain poorly designed programs from prompting for UAC.
-
Changes the behavior of the elevation prompt for standard users from "prompt for credentials" to "prompt for credentials on the secure desktop".
- #TopSecurity behavior: Automatically deny all UAC prompts on Standard accounts. Highly recommended to be used on sensitive critical machines. Only use Standard account for regular everyday tasks, and if you want to perform administrative tasks such as intalling a program system-wide or changing system settings, completely log out of the Standard account and log into an Administrator account, perform the tasks, then completely log out and log back into the Standard account to continue your work. No fast user switching and absolutely no UAC on Standard accounts.
-
#TopSecurity Hides the entry points for Fast User Switching.
-
(Requires additional confirmation to run): Asks for a strong password for the built-in Administrator account and then enables it.
Most of the Device Guard and Virtualization-Based Security features are Automatically enabled by default on capable and modern hardware, this script only checks their status and if needed, enables UEFI lock for them and also proceeds with enabling full Secured-Core PC requirements. UEFI locked security measures are rooted in Proof of Physical Presence.
-
Requires Secure boot and enables DMA protection with it (if available) for Virtualization-Based Security
- This is in accordance with Microsoft's recommendation. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
- Secure boot has 2 parts, part 1 is enforced using the Group Policy by this script, but for part 2, you need to enable Secure Boot in your UEFI firmware settings if it's not enabled by default (which is the case on older hardware).
- (Kernel) DMA protection hardware requirements
-
Makes sure Virtualization-based protection of Code Integrity policies is Enabled
-
Turns on UEFI lock for virtualization-based protection of Code Integrity policies
-
Enables UEFI Lock for Local Security Authority (LSA) process Protection. it is turned on by default on new Windows 11 installations but not with UEFI Lock. When this setting is used with UEFI lock and Secure Boot, additional protection is achieved because disabling its registry key will have no effect.
- when this feature is on, a new option called "Local Security Authority Protection" appears in Windows Security GUI => Device Security => Core Isolation
- Standard hardware security not supported
- This means that your device does not meet at least one of the requirements of Standard Hardware Security.
- Your device meets the requirements for Standard Hardware Security.
- Your device meets the requirements for Enhanced Hardware Security
- Your device has all Secured-core PC features enabled
-
Makes sure Windows Firewall is enabled for all profiles (which is the default)
-
Sets inbound and outbound default actions for Domain Firewall Profile to Block; because this script is Not intended to be used on devices that are part of a domain or controlled by an Active Directory Domain Controller, since they will have their own policies and policy management systems in place.
-
Enables Windows Firewall logging for Domain, Private and Public profiles, sets the log file size for each of them to the max
32.767 MB
. Defines separate log files for each of the firewall profiles. Logs only dropped packets for Private and Public profiles, Logs both dropped and successful packets for Domain profile. -
Disables Multicast DNS (mDNS) UDP-in Firewall Rules for all 3 Firewall profiles, This might interfere with Miracast screen sharing, which relies on the Public profile, and homes where the Private profile is not selected, but it does add an extra measure of security in public places, like a coffee shop.
- The domain name
.local
which is used in mDNS (Multicast DNS) is a special-use domain name reserved by the Internet Engineering Task Force (IETF) so that it may not be installed as a top-level domain in the Domain Name System (DNS) of the Internet.
- The domain name
-
The script disables the following rarely used features in Windows optional features (Control Panel):
- PowerShell v2; because it's old and doesn't support AMSI.
- Work Folders client; not used when your computer is not part of a domain or enterprise network.
- Internet Printing Client; used in combination with IIS web server, old feature, can be disabled without causing problems further down the road.
- Windows Media Player (legacy); isn't needed anymore, Windows 11 has a modern media player app.
-
Uninstalls these optional features (Windows Settings -> Apps -> Optional Features):
- Notepad (system): legacy Notepad program. Windows 11 has multi-tabbed modern Notepad app.
- VBSCRIPT; a legacy scripting engine component, Microsoft does not recommend using this component unless and until it is really required. It's become uninstallable as an optional features since Windows 11 insider Dev build 25309.
- Internet Explorer mode for Edge browser; It's only used by a few possible organizations that have very old internal websites.
- WMIC; old feature that's deprecated, not secure and is in Microsoft recommended block rules.
-
Enables these optional features (Control Panel):
- Microsoft Defender Application Guard; which is a safe Environment to open untrusted websites. - System Requirements - Frequently asked questions - Its behavior regarding DNS over HTTPS in Edge
- Windows Sandbox; install, test and use programs in a disposable virtual operation system, completely separate from your main OS
- Hyper-V; a great hybrid hypervisor (Type 1 and Type 2) to run virtual machines on. check out this Hyper-V Wiki page
- Virtual Machine Platform; required for Android subsystem or WSA (Windows subsystem for Android). if it's disabled, it will be automatically enabled either way when you try to install WSA from Store app
These are configurations that are typically recommended in High-Risk Environments but also can be applied for home users
-
Disables NetBIOS over TCP/IP on all network interfaces, virtual and physical. This command needs to run every time after installing a new VPN software or network adapter.
-
Disables the LLMNR protocol (Link Local Multicast Name Resolution) because it's only useful for networks that do not have a Domain Name System (DNS) server and Microsoft themselves are ramping down NetBIOS name resolution and LLMNR.
-
Disables LMHOSTS lookup protocol on all network adapters, legacy feature that's not used anymore.
-
Sets the Network Location of all connections to Public; Public network means less trust to other network devices.
-
Disables Printing over HTTP because HTTP is not encrypted and it's an old feature that's not used anymore.
-
Turns off downloading of print drivers over HTTP because HTTP is not encrypted and that method isn't used anymore. This is the recommended and secure way of downloading printer drivers in Windows 11.
-
Sets Early launch antimalware engine's status to
8
which is Good only. The default value is3
, which allows good, unknown and 'bad but critical'. that is the default value, because setting it to8
can prevent your computer from booting if the driver it relies on is critical but at the same time unknown or bad.- By being launched first by the kernel, ELAM is ensured to be launched before any third-party software and is therefore able to detect malware in the boot process and prevent it from initializing. ELAM drivers must be specially signed by Microsoft to ensure they are started by the Windows kernel early in the boot process.
-
Disables location service system wide. Websites and apps won't be able to use your precise location, however they will still be able to detect your location using your IP address.
-
Enables
svchost.exe
mitigations. built-in system services hosted insvchost.exe
processes will have stricter security policies enabled on them. These stricter security policies include a policy requiring all binaries loaded in these processes to be signed by Microsoft, and a policy disallowing dynamically generated code.- Requires Business Windows licenses. e.g., Windows 11 pro for Workstations, Enterprise or Education.
-
Turns on Enhanced mode search for Windows indexer. the default is classic mode.
- This causes some UI elements in the search settings in Windows settings to become unavailable for Standard user accounts to view, because it will be a managed feature by an Administrator.
-
Enables SMB/LDAP Signing
-
Enables SMB Encryption. Its status can be checked using the following PowerShell command:
(get-SmbServerConfiguration).EncryptData
. If the returned value is$True
then SMB Encryption is turned on. -
Enables Edge browser (stable/beta/dev channels) to download and install updates on any network, metered or not; because the updates are important and should not be suppressed.
-
Enables all Windows users to use Hyper-V and Windows Sandbox by adding all Windows users to the "Hyper-V Administrators" security group. By default, only Administrators can use Hyper-V or Windows Sandbox.
-
Changes Windows time sync interval from the default every 7 days to every 4 days (= every 345600 seconds)
-
Creates custom views for Windows Event Viewer to help keep tabs on important security events:
Attack Surface Reduction Rules
,Controlled Folder Access
,Exploit Protection
,Network Protection
,MSI and Scripts for WDAC Auditing
,Sudden Shut down events
(due to power outage) andCode Integrity Operational
. -
Enables "Send optional diagnostic data" because it is required for Smart App Control to operate and be enabled, and for communication between Intelligent Security Graph (ISG) and you.
-
Enables WinVerifyTrust Signature Validation, a security feature related to WinVerifyTrust function that handles Windows Authenticode signature verification for portable executable (PE) files.
-
Blocking Untrusted Fonts #TopSecurity
Windows updates are extremely important. They always should be installed as fast as possible to stay secure and if a reboot is required, it should be done immediately. Threat actors can weaponize publicly disclosed vulnerabilities the same day their POC (Proof-Of-Concept) is released..
In Windows by default, devices will scan daily, automatically download and install any applicable updates at a time optimized to reduce interference with usage, and then automatically try to restart when the end user is away.
The following policies the script configures make sure the default behavior explained above is tightly enforced.
- Enables Windows Update to download and install updates on any network, metered or not; because the updates are important and should not be suppressed, that's what bad actors would want.
- Enables "Receive Updates for other Microsoft products" (such as PowerShell)
- Enables "Notify me when a restart is required to finish updating"
- Sets the grace period for auto restart to 1 day.
- Configures the automatic updates to happen every day, automatically be downloaded and installed, notify users for restart.
- Enables features introduced via servicing that are off by default so that users will be able to get new features after having Windows Update settings managed by Group Policy as the result of running this category.
- Block 3rd party cookies - Recommendatory policy
- Set Edge to use system's DNS over HTTPS
- Automatic HTTPS upgrade of HTTP connections
- Enable Encrypted Client Hello
- Restrict exposure of local IP address by WebRTC
- Disable the ability to access insecure websites with TLS errors
- Disable Basic HTTP authentication scheme
- Force WebRTC respect the Windows OS routing table rules when making P2P connections
- Launch Renderer processes into an App Container for additional security benefits
- Enforces Secure mode and Certificate-based Digital Signature validation in native PDF reader
- Allow devices using this hardening category to receive new features and experimentations like normal devices
- Enforce the audio process to run sandboxed
- Sets the share additional operating system region setting to never - Recommendatory policy
- Sets the new Adobe PDF reader to be used in Edge for PDFs - Recommendatory policy
- Enables a feature that requires device authentication before the saved password is auto-filled into a web form
- Disables the following weak Cipher Suites
TLS_RSA_WITH_AES_256_CBC_SHA Reason: NO Perfect Forward Secrecy, CBC, SHA1
TLS_RSA_WITH_AES_128_CBC_SHA Reason: NO Perfect Forward Secrecy, CBC, SHA1
TLS_RSA_WITH_AES_128_GCM_SHA256 Reason: NO Perfect Forward Secrecy
TLS_RSA_WITH_AES_256_GCM_SHA384 Reason: NO Perfect Forward Secrecy
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Reason: CBC, SHA1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Reason: CBC, SHA1
Some settings require the client to be joined to Windows Server Active Directory/Azure Active Directory, in order to be applied. This script does not use any of them. When those settings are applied using registry, they are ignored by the browser and edge://policy/
shows an error for them. This is a security measure.
- You can view all of the policies being applied to your Edge browser by visiting this page:
edge://policy/
- You can find all of the available internal Edge pages in here:
edge://about/
- Useful links:
- Microsoft Edge stable channel change log
- Microsoft Edge Security updates change log
- Microsoft Edge Beta channel change log
- Microsoft Edge Mobile stable channel change log
- Edge Insider for Beta/Dev/Canary channels
- Microsoft Edge Security baselines - Work without ingesting ADMX policy files first - This script includes them
-
When DNS over HTTPS is set by user in Edge settings, Microsoft Defender Application Guard ignores that and connects directly to the Internet without using any DoH configuration.
-
If DNS over HTTPS is enforced on Edge by a Group Policy or registry, then MDAG fails to connect to the Internet and shows DNS errors.
-
When DNS over HTTPS settings are set OS wide in Windows settings, both normal Edge and MDAG use the OS DoH settings. (This is the behavior set by this script)
- Use my WinSecureDNSMgr module to easily configure DNS over HTTPS in Windows
In this category, the script downloads and runs sigcheck64.exe from Sysinternals, then lists valid certificates not rooted to the Microsoft Certificate Trust List in the User and Machine certificate stores. Except for some possible Microsoft certificates, Windows insider builds certificates or certificates that have your own computer's name, which are perfectly safe and should not be deleted, All other certificates that will be listed should be treated as dangerous and removed from your system immediately.
The script uses the newest range of IPv4
and IPv6
addresses of State Sponsors of Terrorism and OFAC Sanctioned Countries, directly from official IANA sources repository, then creates 2 rules (inbound and outbound) for each list in Windows firewall, completely blocking connections to and from those countries.
Once you have those Firewall rules added, you can use this method to see if any of the blocked connections were from/to those countries.
Note Threat actors can use VPN, VPS etc. to mask their originating IP address and location. So don't take this category as the perfect solution for network protection.
You don't need Admin privileges to run this category, because no system-wide changes is made. Changes in this category only apply to the current user account that is running the PowerShell session. For this reason, in addition to running this category as Admin, it's better to run it without elevation on any other available Standard accounts too.
- Shows known file extensions in File explorer
- Shows hidden files, folders and drives (toggles the control panel folder options item)
- Disables websites accessing local language list - good for privacy
- Turns off safe search in Windows search, will enable +18 content to appear in searches; essentially toggles the button in: Windows settings > privacy and security > search permissions > safe search
- prevents showing notifications in Lock screen - this is the same as toggling the button in Windows settings > system > notifications > show notifications in the lock screen
- Enables Clipboard History and sync with Microsoft Account
- Turns on text suggestions when typing on the physical keyboard
- Turns on "Multilingual text suggestions" for the current user, toggles the option in Windows settings
- Turns off sticky key shortcut of pressing shift key 5 times fast
Harden Windows Security website
Official global IANA IP block for each country
Privacy, Anonymity and Compartmentalization
This repository uses the simplest possible, yet effective, methods that make it very easy to verify:
-
Change log history is present on GitHub. (Despite some of my awkward documentation typos)
-
You can open the file in Visual Studio Code/Visual Studio Code Web, and view the script in a nice easy to read environment, it's well formatted and indented.
-
Commits are verified either with my GPG key or SSH key and Vigilant mode is turned on in my GitHub account.
-
You can fork this repository, verify it until that point in time, then verify any subsequent changes/updates I push to this repository, at your own pace (using
Sync fork
andCompare
options on your fork), and if you are happy with the changes, allow it to be merged with your own copy/fork on your GitHub account. -
You can learn PowerShell which is super easy, multiplatform, and useful for the future, Microsoft Learn website teaches you everything, then you will understand everything in the script is safe, or you can ask someone that you trust and knows PowerShell to verify the script for you.
-
The Payload folder in this repository contains the files required to run this script:
-
Registry.csv includes registry data used by this script, viewable in plain text and easily verifiable.
-
ProcessMitigations.csv includes process mitigations data used by this script, viewable in plain text and easily verifiable.
-
EventViewerCustomViews.zip includes XML files, in plain text, easily readable and verifiable. the script downloads and copies them to
C:\ProgramData\Microsoft\Event Viewer\Views
so that when you open Windows Event Viewer, you will find custom views as explained in the Miscellaneous Configurations category. -
Security-Baselines-X.zip includes Group Policies that are used by this script to apply the security measures explained in this page.
-
-
How are Group Policies for this script created and maintained?
-
How to verify security-baselines-x.zip file and 100% trust it?
Virus Total scan results of Security-Baselines-X.zip
Virus Total scan results of EventViewerCustomViews.zip
Links above are automatically updated. There is a GitHub workflow that automatically detects changes to the files and uploads them to Virus Total website for scanning.
If you have any questions, requests, suggestions etc. about this GitHub repository and its content, please open a new discussion or Issue.
Reporting a vulnerability on this GitHub repository.
I can also be reached privately at: spynetgirl@outlook.com
-
Always download your operation system from official Microsoft websites. Right now, Windows 11 is the latest version of Windows, its ISO file can be downloaded from this official Microsoft server. One of the worst things you can do to your own security and privacy is downloading your OS, which is the root of all the active and passive security measures, from a 3rd party website claiming they have the official unmodified files. There are countless bad things that can happen as the result of it such as threat actors embedding malware or backdoors inside the customized OS, or pre-installing customized root CA certificates in your OS so that they can perform TLS termination and view all of your HTTPS and encrypted Internet data in plain clear text, even if you use VPN. Having a poisoned and compromised certificate store is the endgame for you, and that's just the tip of the iceberg.
- Refer to Wiki to see how to create Bootable USB flash drive with no 3rd party tools
-
Whenever you want to install a program or app, first use the Microsoft Store or Winget, if the program or app you are looking for isn't available in there, then download it from its official website. Somebody created a nice web interface for interacting with Winget CLI here. Using Winget or Microsoft store provides many benefits:
- Microsoft store UWP apps are secure in nature, digitally signed, in MSIX format. That means, installing and uninstalling them is guaranteed and there won't be any leftovers after uninstalling.
- Microsoft store has Win32 apps too, they are traditional
.exe
installers that we are all familiar with. The store has a library feature that makes it easy to find the apps you previously installed. - Both Microsoft and Winget check the hash of the files by default, if a program or file is tampered, they will warn you and block the installation, whereas when you manually download a program from a website, you will have to manually verify the file hash with the hash shown on the website, if any.
-
Use Secure DNS; Windows 11 natively supports DNS over HTTPS and DNS over TLS.
- Use my WinSecureDNSMgr module to easily configure DNS over HTTPS in Windows
-
Only use Microsoft Edge for browser; It has the Highest-rated protection against phishing and malware, available by default on Windows OS, has tightly integrated valuable Security features such as Microsoft Defender Application Guard, Microsoft Defender SmartScreen, Hardware Enforced Stack Protection, Arbitrary Code Guard (ACG), Control Flow Guard (CFG), Tracking Prevention and Trusted built-in Secure Network feature from Cloudflare just to name a few.
-
Always enable Two-Factor/Multi-Factor Authentication on websites, apps and services that you use. Preferably, use Microsoft Authenticator app which has backup and restore feature, so you never lose access to your TOTPs (Time-Based One-Time Passwords) even if you lose your phone. Available for Android and IOS. You can also use Microsoft Authenticator on Windows 11 (PC, Laptop or Tablet) using Windows Subsystem for Android (WSA) and access your authenticator codes without the need to use your phone (secure automatic backup/restore feature). Use an open and trusted Android store such as Aurora Store to install and keep it up to date.
-
Make sure OneDrive backup for important folders (Desktop/Documents/Pictures) is enabled. It is fast, secure and works in any network condition and since it's x64 (64-bit), it can handle a Lot of small and large files simultaneously.
-
If you live in a western country, NATO country, European country or Australia, do not use VPNs. your local ISP (Internet service provider) is a lot more trustworthy than the remote VPN server's ISP. Using VPN only takes the trust from your own local ISP and puts it in the hands of the remote ISP that the VPN server uses for its Internet, Nothing else. period. Do not fall for the fake advertisements of VPN companies, you never know who is behind the VPN provider, what their political views are, their background, where their allegiance lies. The permissive civilized western world could allow a state sponsor of terrorism or some other hostile country to create a VPN company in here and gather intelligence and collect bulk data for mining, tracking etc. this has happened before and one of the most recent revelations is about a VPN provider called Betternet, based in Canada, ran by IRGC terrorists and their families abroad. Stay vigilant and smart.
- There are situations where using VPN can provide security and privacy. For example, when using a public WiFi hotspot or basically any network that you don't have control over. In such cases, use Cloudflare WARP which uses WireGuard protocol, or as mentioned, use Secure Network in Edge browser that utilizes the same secure Cloudflare network. It's free, it's from an American company that has global radar and lots of insight about countries in the world in real-time, at least 19.7% of all websites use it (2022). Safe to say it's one of the backbones of the Internet.
-
Go passwordless with your Microsoft account and use Windows Hello authentication. In your Microsoft account which has Outlook service, you can create up to 10 Email aliases in addition to the 1 Email address you get when you made your Microsoft account, that means without creating a new account, you can have 11 Email addresses all of which will use the same inbox and account. You can specify which one of those Email aliases can be used to sign into your account, in the sign in preferences of your Microsoft account settings. So for example, when going passwordless, if you need you can give one of your Email aliases to others for communication or add it to a public profile of yours, then block sign in using that Email alias so nobody can send you authenticator notifications by entering that Email alias in the sign in page, and use the other 10 aliases that are private to sign into your Microsoft account with peace of mind. You can create a rule in your Outlook so that all of the Emails sent to your public Email alias will be stored in a different folder, apart from your other inbox emails. All of this can be done using free Microsoft account and Outlook webapp.
-
Set a strong password for the UEFI firmware of your device so that it will ask for password before allowing any changes to be made to firmware. You can also configure the password to be required on startup.
-
Use NTFS (which is the default Filesystem in Windows) or ReFS (Resilient File System, newer). In addition to all their benefits, they support
Mark Of The Web
(MOTW) orzone.identifier
. When a file is downloaded to a device running Windows, Mark of the Web is added to the file, identifying its source as being from the internet. You can read all the information about it in here. If your USB flash drive is formatted asFAT32
, change it toNTFS
, becauseFAT32
does not keep theMOTW
of the files. If the file you are downloading is compressed in.zip
format, make sure you open/extract it using Windows built-in support for.zip
files because it keeps the MOTW of the files. If the compressed file you downloaded is in other formats such as.7zip
or.rar
, make sure you use an archive program that supports keeping the mark of the Web of files after extraction. One of those programs is NanaZip which is a fork of 7zip, available in Microsoft Store and GitHub, compared to 7zip, it has better and modern GUI, and the application is digitally signed. After installation, open it, navigate toTools
at the top then selectOptions
, setPropagate zone.id stream
toYes
. You can use this PowerShell command to find all the info about the Zone Identifier of the files you downloaded from the Internet.
Get-Content <Path-To-File> -stream zone.identifier
-
When using Xbox, make sure you configure sign-in preference and set it to either
Ask for my PIN
orLock it down
. The latter is the most secure one since it will require authentication using Microsoft Authenticator app.Ask for my PIN
is recommended for the most people because it will only require a PIN to be entered using controller. -
A few reminders about open source programs:
-
Unless you are a skilled programmer who can understand and verify every line of code in the source, and spends time to personally build the software from the source, and repeats all the aforementioned tasks for each subsequent version, then seeing the source code won't have any effect on you because you aren't able to understand nor verify it.
-
The majority of "open source" programs are unsigned, meaning they don't have a digital signature, their developers haven't bought and used a code signing certificate to sign their program. Among other problems, this poses a danger to the end-users, makes it harder to create trust for those programs in security solutions and makes it hard to authenticate them. Read Microsoft's Introduction to Code Signing or Digicert's 5 reasons why Code Signing is necessary.
-
When using "open source" program, there is not the kind of liability that you've got when you consume software from a commercial entity that is obligated and knows their reputation is at risk/stake, that they have potential legal liability if there are vulnerabilities in their software. In the open-source world, there is a volunteer, consume it as is, and if there is a problem with the software, that's your responsibility.
-
- Microsoft.com
- Microsoft Learn - Technical Documentation
- Germany Intelligence Agency - BND - Federal Office for Information Security
- Microsoft Tech Community - Official blogs and documentations
- Microsoft Security baselines - Security baselines from Microsoft
- Microsoft Security Response Center (MSRC) YouTube channel
- BlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One Story
- Security Update Guide: The Microsoft Security Response Center (MSRC) investigates all reports of security vulnerabilities affecting Microsoft products and services, and provides the information here as part of the ongoing effort to help you manage security risks and help keep your systems protected.
- Microsoft Security Response Center Blog
- Microsoft Security Blog
- Microsoft Podcasts
- Bug Bounty Program - With bounties worth up to
250,000
$ - Microsoft Active Protections Program
- Security Update Guide FAQs
- Microsoft On the Issues - Assessments, Investigations and Reports of APTs (Advanced Persistent Threats¹) and nation-sponsored cyberattack operations globally
- Center for Internet Security (CIS) Benchmarks
- A high level overview paper by Microsoft (in
PDF
), framework for cybersecurity information sharing and risk reduction. - Microsoft Threat Modeling Tool - for software architects and developers
- Important events to monitor
- Windows Security portal
- Security auditing
- Microsoft SysInternals Sysmon for Windows Event Collection or SIEM
- Privileged Access Workstations
- Enhanced Security Administrative Environment
- New Zealand 2016 Demystifying the Windows Firewall – Learn how to irritate attackers without crippli
- Download Windows virtual machines ready for development
- UK National Cyber Security Centre Advice & guidance
- Global threat activity
- Microsoft Zero Trust
- Understanding malware & other threats, phrases
- Malware naming
- Microsoft Digital Defense Report
- Microsoft Defender for Individuals
- Submit a file for malware analysis
- Submit a driver for analysis
- Service health status
- Microsoft Defender Threat Intelligence
- Microsoft Virus Initiative
- Digital Detectives @Microsoft
- Goblin Loot - Great security related website about EDR, Cloud and Microsoft products
Using GPL-2.0 license. Just free information, because the only mission of this GitHub repository is to give all Windows users accurate, up to date and correct facts and information about how to stay secure and safe in dangerous environments, and to stay not one, but Many steps, ahead of threat actors.