
security-admx's Introduction

Security-ADMX

Custom ADMX template focused on hardening Windows 10 systems

Available settings

The available settings are listed in separate Markdown tables, in French and in English.

Credits

The Schannel configuration part is taken almost as-is from the Crosse/SchannelGroupPolicy repository, big kudos to him for his work :)

security-admx's People

Contributors

harvester57


security-admx's Issues

Support for import ADMX template into Intune

I recently tried to import the template into Intune. It uploaded and all the options are there, but I receive the following error when I tried to apply the setting:

SETTING: Limits print driver installation to Administrators (\Additional hardening settings\Additional system hardening settings)
STATE: Error
ERROR CODE: 0x20101
ERROR DETAILS: The administrative template file failed to be sent to the device.

Error code: 131329

Looking up the error code seems to point to: The administrative template file failed to be sent to the device.

I have imported other GPOs such as Firefox, Google Chrome Update, etc. into Intune before. Is there another ADMX dependency I need to upload also? For example, in order to get the Google Chrome Update ADMX file to upload, I needed to upload the Windows.admx and google.admx in addition.

.NET Framework 2 Strong Crypto settings wrong

When .NET Framework 2 Strong Crypto is enabled, it is displayed as Disabled in the GPO settings page. But the settings are made correctly in the GPO - so the basic mechanism is correct.


When searching where this could be wrong, I discovered that in the "" for Strong Crypto the last disabled setting has a value of 1 instead of 0.


Brgds Deas
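
A template defect of the kind reported above can be caught before import with a small lint over the ADMX file. The following is an added example, not code from the repository or the issue author: the policy name `Example_StrongCrypto`, the sample fragment and the `lint` helper are constructed for illustration, and the check flags any registry value that a policy's enabled and disabled states set identically.

```python
import xml.etree.ElementTree as ET

# Constructed ADMX fragment (not the repository's file): the last disabledList
# item writes 1, the same value the enabled state writes.
NET2 = r"SOFTWARE\Microsoft\.NETFramework\v2.0.50727"
WOW = r"SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727"
ITEM = '<item key="{}" valueName="SchUseStrongCrypto"><value><decimal value="{}"/></value></item>'
SAMPLE_ADMX = (
    '<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">'
    '<policies><policy name="Example_StrongCrypto" class="Machine" key="' + NET2 + '">'
    "<enabledList>" + ITEM.format(NET2, 1) + ITEM.format(WOW, 1) + "</enabledList>"
    "<disabledList>" + ITEM.format(NET2, 0) + ITEM.format(WOW, 1) + "</disabledList>"
    "</policy></policies></policyDefinitions>"
)

def local(tag):
    """Strip the XML namespace so the lint works whatever xmlns the file declares."""
    return tag.rsplit("}", 1)[-1]

def render(el):
    """Normalise <decimal value="1"/>, <string>x</string> or <delete/> to a tuple."""
    return (local(el.tag), el.get("value", (el.text or "").strip()))

def written_values(policy, state):
    """Map (key, valueName) -> value the policy writes in 'enabled' or 'disabled' state."""
    default_key, result = policy.get("key", ""), {}
    for child in policy:
        tag = local(child.tag)
        if tag == state + "Value" and len(child):        # single-value form
            result[(default_key.lower(), policy.get("valueName", "").lower())] = render(child[0])
        elif tag == state + "List":                      # multi-value form
            for item in child:
                value = item.find("*/*")                 # <value><decimal .../></value>
                if value is not None:
                    target = (item.get("key", default_key).lower(), item.get("valueName", "").lower())
                    result[target] = render(value)
    return result

def lint(admx_text):
    """Return (policy, key, valueName, value) for values identical in both states."""
    findings = []
    for policy in ET.fromstring(admx_text).iter():
        if local(policy.tag) != "policy":
            continue
        on, off = written_values(policy, "enabled"), written_values(policy, "disabled")
        for target in sorted(on.keys() & off.keys()):    # registry paths compare case-insensitively
            if on[target] == off[target]:
                findings.append((policy.get("name"), target[0], target[1], on[target][1]))
    return findings
```

Running `lint(SAMPLE_ADMX)` reports the Wow6432Node item only; a template whose disabled state writes 0 for every item returns an empty list.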

Disable standard user in safe boot mode parameter

An adversary with standard user credentials that can boot into Microsoft Windows using Safe Mode, Safe Mode with Networking or Safe Mode with Command Prompt options may be able to bypass system protections and security functionality. To reduce this risk, users with standard credentials should be prevented from using Safe Mode options to log in.

The following registry entry can be implemented using Group Policy preferences to prevent non-administrators from using Safe Mode options.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

SafeModeBlockNonAdmins

REG_DWORD 0x00000001 (1)

Taken from: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-microsoft-windows-10-version-21h1-workstations

Is it possible to delete a registry key with an ADMX GPO?

Hello,

We just had an internal security check and one finding was this: https://www.tenable.com/plugins/nessus/161691

Nessus just checks for the presence of this key. I know it is easy to add a preference that deletes this key, but we built a SCCM package where we use exported Group Policies and apply them with lgpo.exe to standalone servers. Unfortunately lgpo.exe only applies admx files, no preferences.

As I have no clue on how to build custom admx files - is it possible to delete the ms-msdt key with a custom built admx?

Thanks a lot for your help!

Brgds Deas

Disable Adobe AI features

# Block Adobe AI features on Windows
$Path = 'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown'
# Create the policy key if it does not exist yet
if (!(Test-Path $Path))
{
    $null = New-Item $Path -Force -ErrorAction Stop
}
# bEnableGentech = 0 turns the generative AI features off
New-ItemProperty $Path -Name bEnableGentech -PropertyType Dword -Value 0 -Force

LocalAccountTokenFilterPolicy

Would it be possible to add "LocalAccountTokenFilterPolicy" as a GPO? It is not 100% related to what you do here, but it enables on a standalone server a NOT builtin admin with enabled UAC to remotely access a server (for security scanning with Nessus or Rapid7).

https://docs.rapid7.com/nexpose/authentication-on-windows-best-practices

I searched the .admx and was not able to find this key so it should not be already implemented this time... :)

Thanks a lot for your help!

Brgds Deas

"Display file extensions" parameter

When extensions for known file types are hidden, an adversary can more easily use social engineering techniques to convince users to execute malicious email attachments. For example, a file named vulnerability_assessment.pdf.exe could appear as vulnerability_assessment.pdf to a user. To reduce this risk, hiding extensions for known file types should be disabled. Showing extensions for all known file types, in combination with user education and awareness of dangerous email attachment file types, can help reduce the risk of users executing malicious email attachments.

The following registry entry can be implemented using Group Policy preferences to prevent extensions for known file types from being hidden.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt

REG_DWORD 0x00000000 (0)

Taken from: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-microsoft-windows-10-version-21h1-workstations
