Hardening OS (Windows 10 non-domain)
Options to set:
- Disable WDigest credential caching. More info here: https://www.stigviewer.com/stig/windows_10/2017-02-21/finding/V-71763
- Disable AutoLogin
- Enable always install elevated
- Check whether WSUS is using HTTP rather than HTTPS
- Stop Service: SSDP
- Disable SMB version 1
- Enable SMB version 3
- Enable SMB signing
- Block a list of common ports to prevent reverse shells
- Enable DNS over HTTPS for all Windows applications
- Disable the use of the LMHOSTS file
- Disable the use of NetBIOS
- Disable Remote Assistance
- Disable outdated SSL ciphers
- Remove outdated PowerShell version 2
- Update any unquoted service paths
- Disable extraneous services
- Define logging for firewall
- Enable UAC on all processes that require elevation
- Clear the Windows password vault
- Enable logging for PowerShell/CLI
- Enable logging for Advanced Audit Policies
- Enable logging for Task Scheduler
- Enable DNS logging
- Enable USB logging
- Enable DEP
- Enable Windows Auto updates
- Enable Windows Defender to check archive file types
- Enable Windows Defender PUP
- Enable the sandbox of Windows Defender
- Enable SEHOP
- Apply UAC restrictions to local accounts on network logons
- Configure SMB version 1 client driver to disabled
- Secure against NetBIOS NBT-NS
- Disable IPv4 source routing
- Disable IPv6 source routing
- Disable ICMP redirects
- Prevent a WINS DoS attack avenue
- Ensure the use of Safe DLL Search mode
- Generate an event when security logs reach 90% capacity
- Set Windows to have password protection take effect within a limited time frame when the screen saver becomes active
- Enable Windows Defender AV to prevent users and apps from accessing dangerous websites
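
A read-only way to audit the options above that are each backed by a single registry value, as an added example that is not this project's own script. The registry paths and expected values are assumptions taken from commonly published Microsoft baseline and STIG guidance, since the list gives option names only; `Test-HardeningBaseline` and `$baseline` are hypothetical names.

```powershell
# Added example: read-only audit of checklist items backed by one registry value.
# Paths and expected values are assumptions from Microsoft baseline / STIG
# guidance; the page itself lists option names only.
# Run from an elevated session so protected keys are readable.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$ctl = 'HKLM:\SYSTEM\CurrentControlSet\Control'

$baseline = @(
    @{ Item = 'WDigest credential caching';  Path = "$ctl\SecurityProviders\WDigest";      Name = 'UseLogonCredential';       Expected = 0 }
    @{ Item = 'AutoLogin';                   Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'AutoAdminLogon'; Expected = 0 }
    @{ Item = 'SMBv1 server';                Path = "$svc\LanmanServer\Parameters";        Name = 'SMB1';                     Expected = 0 }
    @{ Item = 'SMBv1 client driver';         Path = "$svc\mrxsmb10";                       Name = 'Start';                    Expected = 4 }
    @{ Item = 'SMB signing (server)';        Path = "$svc\LanmanServer\Parameters";        Name = 'RequireSecuritySignature'; Expected = 1 }
    @{ Item = 'SMB signing (client)';        Path = "$svc\LanmanWorkstation\Parameters";   Name = 'RequireSecuritySignature'; Expected = 1 }
    @{ Item = 'LMHOSTS lookup';              Path = "$svc\NetBT\Parameters";               Name = 'EnableLMHOSTS';            Expected = 0 }
    @{ Item = 'NBT-NS node type (P-node)';   Path = "$svc\NetBT\Parameters";               Name = 'NodeType';                 Expected = 2 }
    @{ Item = 'WINS name release on demand'; Path = "$svc\NetBT\Parameters";               Name = 'NoNameReleaseOnDemand';    Expected = 1 }
    @{ Item = 'IPv4 source routing';         Path = "$svc\Tcpip\Parameters";               Name = 'DisableIPSourceRouting';   Expected = 2 }
    @{ Item = 'IPv6 source routing';         Path = "$svc\Tcpip6\Parameters";              Name = 'DisableIPSourceRouting';   Expected = 2 }
    @{ Item = 'ICMP redirects';              Path = "$svc\Tcpip\Parameters";               Name = 'EnableICMPRedirect';       Expected = 0 }
    @{ Item = 'Safe DLL search mode';        Path = "$ctl\Session Manager";                Name = 'SafeDllSearchMode';        Expected = 1 }
    @{ Item = 'SEHOP';                       Path = "$ctl\Session Manager\kernel";         Name = 'DisableExceptionChainValidation'; Expected = 0 }
    @{ Item = 'UAC remote restrictions';     Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'LocalAccountTokenFilterPolicy'; Expected = 0 }
    @{ Item = 'Security log warning level';  Path = "$svc\Eventlog\Security";              Name = 'WarningLevel';             Expected = 90 }
)

function Test-HardeningBaseline {
    param([Parameter(Mandatory)] [hashtable[]] $Checks)
    foreach ($c in $Checks) {
        # A missing key or value is not a failure by itself: the OS default
        # applies, so it is reported as NotSet for manual review.
        $prop   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $prop) { $prop.($c.Name) } else { $null }
        # Compare as strings because some values are REG_SZ (e.g. AutoAdminLogon).
        if ($null -eq $actual)                    { $status = 'NotSet' }
        elseif ("$actual" -eq "$($c.Expected)")   { $status = 'Pass' }
        else                                      { $status = 'Fail' }
        [pscustomobject]@{ Item = $c.Item; Value = $c.Name; Expected = $c.Expected; Actual = $actual; Status = $status }
    }
}

Test-HardeningBaseline -Checks $baseline | Sort-Object Status, Item | Format-Table -AutoSize
```

The script changes nothing on the host, so it can be run before and after applying the options to confirm which ones took effect.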