Windows11_Hardening
a collection about Windows 11 hardening
Hard_Configurator is highly recommended and will save a lot of your time.
Requirements
- [x] Standards for a highly secure Windows device
- [x] System up to date with the latest stable Windows version
- [x] Built-in Microsoft Defender protection (enabled by default) kept up to date, instead of third-party "security" solutions
- [x] Latest Driver and Program updates
- [x] No "Tuning" tools (not even stuff like Ccleaner!)
- [x] Only the necessary programs / apps / games which you really need
- [x] avoid insecure software like 7-Zip (which e.g. lacks Anti-Exploit and MOTW support), Open/LibreOffice, Firefox, True/VeraCrypt, ...
- [x] stay away from "Anti-Spying"/"Anti-Telemetry"/... tools and use the official documentation instead
- [x] Hardware Requirements for System Guard / Hardware-based Isolation
- [x] Hardware Requirements for Memory integrity
- [x] Hardware Requirements for Microsoft Defender Application Guard (WDAG)
- [x] Hardware Requirements for Microsoft Defender Credential Guard
Hardening
- [x] set User Account Control (UAC) to maximum
- [x] create another Admin account and turn your current one into a limited/restricted/standard user account to reduce the attack surface enormously. Don't use the Admin account for your daily tasks!
- [x] use Software Restriction Policies (SRP) in default-deny mode
- [x] execute/open new files with a one-day delay: after one day the malware is no longer 0-day
- [x] block all incoming connections with Microsoft Defender Firewall
- [x] Always display file type extension
- [x] Manage Microsoft Defender Credential Guard
- [x] Install Microsoft Defender Application Guard (WDAG)
- [x] Enable Memory integrity (HVCI)
- [x] Enable Network Protection (NP)
- [x] Enable SmartScreen and enable SmartScreen Log
- [x] Enable Controlled Folder Access (CFA)
- [x] Enable Attack Surface Reduction rules (ASR)
- [x] Harden Address Space Layout Randomization (ASLR)
- [x] Enable System Guard Secure Launch
- [x] Enable cloud-delivered protection
- [x] Activate Potentially unwanted applications (PUA) protection
- [x] Enable BitLocker encryption with TPM, optionally with a Startup PIN; read about Countermeasures and reduce DMA threats
- [x] Use Windows Sandbox for unknown/untrusted binaries (available from the right-click menu) or use a virtual machine with Hyper-V
- [x] Enable sandboxing for Microsoft Defender Antivirus
- [x] Only elevate executables which are signed and validated
- [x] use the only browser on Windows that natively supports hardware isolation: Edge
- [x] use EFS file encryption for very sensitive files; it is also compatible with BitLocker
- [x] (if OneDrive is used) harden it with Windows CFA (Controlled Folder Access, aka Ransomware Protection)
- [x] avoid old file systems like FAT32: such formats do not preserve NTFS Alternate Data Streams, so the Mark of the Web is lost
- [x] While DNS encryption isn't perfect, both Quad9 and AdGuard are recommended. Quad9 provides an easy solution with Apple-signed profiles. NextDNS is another service, but it struggles with stability/performance and support issues.
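The following read-only audit script checks the current machine against many of the items in the Hardening list above. It is an added example written for this page, not code from the Windows11_Hardening repository or from Hard_Configurator. It assumes an elevated PowerShell on Windows 11 Pro or higher (Get-BitLockerVolume and the optional features are not available on Home), reads standard registry values, Defender preferences and CIM classes, and reports each setting against the value the checklist expects without changing anything. The mapping of checklist items to expected values (for example UAC "Always notify" = ConsentPromptBehaviorAdmin 2 with PromptOnSecureDesktop 1) is the author's reading of the list, not part of the original page.

```powershell
# Added read-only audit for the Windows11_Hardening checklist (example code, not the repository's own).
# Run from an elevated PowerShell on Windows 11 Pro or higher; nothing is modified.

$results = [System.Collections.Generic.List[object]]::new()

function Add-Check {
    param([string]$Name, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# --- UAC and elevation policy (Policies\System) ---
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Add-Check 'UAC enabled (EnableLUA)' ($uac.EnableLUA -eq 1) "EnableLUA=$($uac.EnableLUA)"
# "Always notify" = prompt on the secure desktop for every elevation request
Add-Check 'UAC at maximum (Always notify)' ($uac.ConsentPromptBehaviorAdmin -eq 2 -and $uac.PromptOnSecureDesktop -eq 1) `
    "ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin) PromptOnSecureDesktop=$($uac.PromptOnSecureDesktop)"
Add-Check 'Only elevate signed and validated executables' ($uac.ValidateAdminCodeSignatures -eq 1) `
    "ValidateAdminCodeSignatures=$($uac.ValidateAdminCodeSignatures)"

# --- Explorer: always show file extensions (per-user setting) ---
$explorer = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Add-Check 'File extensions always shown' ($explorer.HideFileExt -eq 0) "HideFileExt=$($explorer.HideFileExt)"

# --- SmartScreen for the shell (an absent value means "not configured", reported as a failure) ---
$ss = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -ErrorAction SilentlyContinue).SmartScreenEnabled
Add-Check 'SmartScreen not turned off' ([bool]$ss -and $ss -ne 'Off') "SmartScreenEnabled=$ss"

# --- Microsoft Defender Antivirus preferences ---
$mp = Get-MpPreference
Add-Check 'Controlled Folder Access enabled' ($mp.EnableControlledFolderAccess -eq 1) "EnableControlledFolderAccess=$($mp.EnableControlledFolderAccess)"
Add-Check 'Network Protection enabled' ($mp.EnableNetworkProtection -eq 1) "EnableNetworkProtection=$($mp.EnableNetworkProtection)"
Add-Check 'PUA protection enabled' ($mp.PUAProtection -eq 1) "PUAProtection=$($mp.PUAProtection)"
Add-Check 'Cloud-delivered protection (MAPS advanced)' ($mp.MAPSReporting -eq 2) "MAPSReporting=$($mp.MAPSReporting)"
Add-Check 'Block at First Sight not disabled' (-not $mp.DisableBlockAtFirstSeen) "DisableBlockAtFirstSeen=$($mp.DisableBlockAtFirstSeen)"
# ASR: count rules in Block mode (action 1); the expected number depends on the rule set you deploy
$asrBlock = @($mp.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count
Add-Check 'ASR rules in Block mode present' ($asrBlock -gt 0) "$asrBlock rule(s) set to Block"

# --- Defender AV sandboxing is switched on by the machine-wide variable MP_FORCE_USE_SANDBOX=1 ---
$sb = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')
Add-Check 'Defender AV sandbox enabled' ($sb -eq '1') "MP_FORCE_USE_SANDBOX=$sb"

# --- Virtualization-based security: SecurityServicesRunning contains 1 for Credential Guard, 2 for HVCI ---
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$running = @($dg.SecurityServicesRunning) -join ','
Add-Check 'Memory integrity (HVCI) running' (@($dg.SecurityServicesRunning) -contains 2) "SecurityServicesRunning=$running"
Add-Check 'Credential Guard running' (@($dg.SecurityServicesRunning) -contains 1) "SecurityServicesRunning=$running"

# --- Firewall: each profile on, inbound blocked by default, inbound allow rules ignored ("block all incoming") ---
foreach ($p in Get-NetFirewallProfile) {
    $ok = ("$($p.Enabled)" -eq 'True') -and ("$($p.DefaultInboundAction)" -eq 'Block') -and ("$($p.AllowInboundRules)" -eq 'False')
    Add-Check "Firewall profile $($p.Name) blocks all inbound" $ok `
        "Enabled=$($p.Enabled) DefaultInboundAction=$($p.DefaultInboundAction) AllowInboundRules=$($p.AllowInboundRules)"
}

# --- BitLocker on the OS drive with a TPM-based protector (Tpm, TpmPin, ...) ---
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
$protectors = @($bl.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
$hasTpm = @($protectors | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
Add-Check 'BitLocker on with TPM protector' ("$($bl.ProtectionStatus)" -eq 'On' -and $hasTpm) `
    "ProtectionStatus=$($bl.ProtectionStatus) Protectors=$($protectors -join ',')"

# --- Optional features: Windows Sandbox and Microsoft Defender Application Guard ---
foreach ($f in 'Containers-DisposableClientVM', 'Windows-Defender-ApplicationGuard') {
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $f).State
    Add-Check "Feature $f enabled" ("$state" -eq 'Enabled') "State=$state"
}

$results | Format-Table -AutoSize
"{0} of {1} checks passed" -f @($results | Where-Object Pass).Count, $results.Count
```

The script deliberately only reads state: the items it reports as failing are then applied through the documented paths linked in the list (Group Policy, Windows Security, Set-MpPreference, Set-NetFirewallProfile), so that a change is made once, on purpose, rather than by an audit tool. The SmartScreen and ASR checks are the two where a "pass" still needs a human look, because the accepted SmartScreen value differs between Windows builds and the right number of ASR rules depends on the rule set you chose.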
Further Hardening
- [ ] Specify the cloud-delivered protection level
- [ ] Configure Exploit Protection, like Edge 90+ with enforced CET
- [ ] Microsoft recommended block rules
- [ ] Control USB devices and other removable media
- [ ] UEFI Hardening (NSA Defensive Practices Guidance) PDF & Hardware-and-Firmware-Security-Guidance
- [ ] Hardware and Firmware Security Guidance for Windows & AMD CPUs - you will find more in the overview
- [ ] Deploy Windows Security Baselines and keep them up to date
- [ ] use Mandatory Integrity Control
- [ ] Custom ADMX template focused on hardening Windows 10 systems
Enterprise level
- [ ] Application Control (WDAC) - Microsoft's Policy Wizard will help a lot
- [ ] Enterprise Certificate Pinning
- [ ] Block untrusted fonts in an enterprise
- [ ] Web protection
- [ ] Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
- [ ] Manage Windows Hello for Business
- [ ] Protect against DLL Search Order Hijacking
- [ ] report a vulnerable or malicious driver to the Windows and Defender teams
- [ ] Video from Matt Soseman: Investigating Backdoor Attacks w/ Microsoft Defender ATP
- [ ] Video from Matt Soseman: Investigating a Fileless Attack w/ Microsoft Defender ATP & Exploit Protection
- [ ] Video from Matt Soseman: What is the Microsoft Cybersecurity Reference Architectures (MCRA) and why should I care?
- [ ] Microsoft Defender ATP secure score
Test Config
- Validate connections between your network and the Microsoft Defender Antivirus cloud service
- Verify client connectivity to Microsoft Defender ATP service URLs
- Validate Microsoft Defender Tamper protection
- Confirm and validate that Defender "Block at First Sight" (BAFS) is enabled
- Microsoft Defender Testground
- Microsoft Defender SmartScreen Demo Pages
- Validate your Kernel DMA Protection
- Test your Antimalware Scan Interface (AMSI)
- Test your Network protection
- Changelogs for Defender security intelligence updates
- check if your Bitlocker is safe against Bitleaker: Blog
- Process Monitor (tool from Microsoft) filter for finding privilege escalation vulnerabilities on Windows
- winchecksec performs static detection of common Windows security features
- Sysmon configuration file template with default high-quality event tracing
Reading Material
- Defender Firewall with Advanced Security
- https://github.com/frizb/Windows-Privilege-Escalation
- https://github.com/LOLBAS-Project/LOLBAS
- https://github.com/api0cradle/UltimateAppLockerByPassList
- https://trustedwindows.wordpress.com/
- https://docs.microsoft.com/en-us/windows-hardware/drivers/install/early-launch-antimalware
- https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria
- https://docs.microsoft.com/en-us/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10
- https://docs.microsoft.com/en-us/windows/security/
- a picture about Microsoft Defender local and cloud script protection
- a picture about Attack Surface Reduction (ASR) Rules
- Security Unlocked - The Microsoft Security Podcast
- How the hell WD works on Windows Home & Pro documentation from AndyFul
- Windows AppContainer Isolation - what it does? from AndyFul
- Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection
- Windows Defender Application Control (WDAC) Resources / PowerShell script
- Why UAC is important at maximum (not default) level: 1, 2, 3, 4, ..
- Testing DLL Search Order Hijacking against security features from AndyFul
- Some info about training AMSI machine learning models from AndyFul
- Cheap sandboxing with AppContainers Blog
- Meet the Microsoft Pluton processor – The security chip designed for the future of Windows PCs Blog
- Complete W^X implementation in Windows with ACG
- Understanding Hardware-enforced Stack Protection (CET)
- Threat Detection using Windows Defender Application Control (Device Guard) in Audit Mode Blog
- Security Unlocked - The Microsoft Security Podcast about Below the OS: UEFI Scanning in Defender
- How the (Powershell) Constrained Language Mode is enforced Blog
- Application Control denies execution of randomly generated PowerShell PS1 files Blog
- Applocker and PowerShell: how do they tightly work together? Blog
- PowerShell 5.0 and Applocker. When security doesn’t mean security Blog
- German BSI - SiSyPHuS Win10: Study on System Integrity, Logging, Hardening and Security relevant Functionality in Windows 10
- rc3 event - Breaking Thunderbolt 3 Security
- CIS Security Benchmark
- NIST Security Technical Implementation Guide
- AppLocker and WDAC help Blog
- Microsoft Defender Attack Surface Reduction (ASR) recommendations
- Adventures in Extremely Strict Device Guard (WDAC) Policy Configuration Blog
- Building a Simple, Secure Windows-only WDAC Policy Blog
- Application Control on Windows 10 Home
- Windows Hello - Why a PIN is better than a password
- Battle of the SKM and IUM: How Windows 10 Rewrites OS Architecture (blackhat USA 2015 talk)
- Defender (with ConfigureDefender tool) vs fileless malware
- Offense and Defense – A Tale of Two Sides: Bypass UAC
- Microsoft Windows Antimalware Scan Interface (AMSI) Bypasses
- Windows security book in web doc form
- Video from Matt Soseman: Smartscreen in Edge (& Chrome) to block phishing & malicious websites
- Video from Matt Soseman: Block at First Sight (BAFS): Windows Defender blocking malware in SECONDS!
- Video from Matt Soseman: How Controlled Folder Access (CFA) works in Windows
- Video from Matt Soseman: Block Potentially Unwanted Applications (PUA) in Microsoft Defender Antivirus
- Video1, Video2 from Matt Soseman: Attack Surface Reduction (ASR) in Windows
- Video from Matt Soseman: Hardware Isolated Browsing w/ Microsoft Defender Application Guard
- what is meant by "User Space"
- what the feature "Allow apps from the store only" does