'Hardening' Windows

Final solution

Disclaimer: I have no knowledge in this field; therefore, I have certainly missed steps or done steps incorrectly, so please feel free to correct me. Furthermore, make sure you understand the purpose of each recommended setting before applying it (you can always revert individual settings). Please feel free to suggest edits to this post so I can add more information on the purpose of each setting and its impact on your system, as well as formatting advice.

Shout out to @fiwayan173 and @sha123.


1. Before applying the security baselines, install the Edge and Office policy templates (ADMX/ADML files) so that their settings show up in the Group Policy editor:

  • Navigate to the Microsoft Edge for Business download page.

  • Click on ‘Download Windows 64-bit Policy’. Please note that this is different from the main download button located above it.

  • After downloading, extract the ‘MicrosoftEdgePolicyTemplates.cab’ file. This will create a file named ‘MicrosoftEdgePolicyTemplates.zip’.

  • Open the ‘MicrosoftEdgePolicyTemplates.zip’ file.

  • Navigate to the following path within the zip file: MicrosoftEdgePolicyTemplates.zip > windows > admx > msedge.admx.

  • Move the ‘msedge.admx’ file to your C:\Windows\PolicyDefinitions folder.

  • Next, find the file at this path: MicrosoftEdgePolicyTemplates.zip > windows > admx > (your locale code) > msedge.adml.

  • Move the ‘msedge.adml’ file to your C:\Windows\PolicyDefinitions\(your locale code) folder, for example C:\Windows\PolicyDefinitions\en-US (create the locale folder if it does not exist).

  • Download the Administrative Template files (ADMX/ADML) and Office Customization Tool for Microsoft 365 Apps for enterprise, Office 2019, and Office 2016.

  • Click the big blue download button.

  • Find the ‘admintemplates_x64_5423.1000_en-us.exe’ file, open it, accept the conditions, then choose a folder to extract the files into. For example, you can choose the ‘Downloads’ folder.

  • It will create two side-by-side folders named ‘admin’ and ‘admx’.

  • Open the ‘admx’ folder and copy all the files named like ‘something16.admx’ (office16.admx, word16.admx and so on) to the C:\Windows\PolicyDefinitions folder.

  • Similarly, for the language-specific files, open the ‘(your locale code)’ subfolder inside that same ‘admx’ folder.

  • Copy all the ‘something16.adml’ files to your C:\Windows\PolicyDefinitions\(your locale code) folder (the same locale folder you used for msedge.adml).
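Putting the whole of step 1 together, here is an added PowerShell script (not from the original post) that installs both template sets and then checks that every .admx has its matching .adml. It assumes the Edge .cab sits in Downloads, that the Office templates were extracted to a folder named OfficeTemplates, and that the locale folder names match (Get-Culture).Name; all three are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post: install the Edge and Office
# ADMX/ADML templates into the local PolicyDefinitions store.
$Cab        = "$env:USERPROFILE\Downloads\MicrosoftEdgePolicyTemplates.cab"   # assumption
$OfficeRoot = "$env:USERPROFILE\Downloads\OfficeTemplates"                   # assumption: where admintemplates_*.exe was extracted
$PolicyDefs = "$env:SystemRoot\PolicyDefinitions"
$Locale     = (Get-Culture).Name          # e.g. en-US; the ADML subfolders use this name
$Work       = Join-Path $env:TEMP 'EdgeAdmx'

function Install-Admx {
    param([string]$AdmxFile, [string]$AdmlFile)
    # The .admx goes in the root, the matching .adml in the locale subfolder
    Copy-Item $AdmxFile -Destination $PolicyDefs -Force
    $localeDir = Join-Path $PolicyDefs $Locale
    New-Item -ItemType Directory -Force -Path $localeDir | Out-Null
    Copy-Item $AdmlFile -Destination $localeDir -Force
}

# --- Edge: .cab -> .zip -> windows\admx\msedge.admx and windows\admx\<locale>\msedge.adml
New-Item -ItemType Directory -Force -Path $Work | Out-Null
expand.exe $Cab '-F:*' $Work | Out-Null                       # expand.exe ships with Windows and unpacks .cab files
Expand-Archive -Path (Join-Path $Work 'MicrosoftEdgePolicyTemplates.zip') -DestinationPath $Work -Force
$edgeAdml = Join-Path $Work "windows\admx\$Locale\msedge.adml"
if (-not (Test-Path $edgeAdml)) {                             # no translation for this locale: fall back to en-US strings
    $edgeAdml = Join-Path $Work 'windows\admx\en-US\msedge.adml'
}
Install-Admx -AdmxFile (Join-Path $Work 'windows\admx\msedge.admx') -AdmlFile $edgeAdml

# --- Office: every *16.admx in admx\, its .adml in admx\<locale>\
Get-ChildItem (Join-Path $OfficeRoot 'admx') -Filter '*16.admx' | ForEach-Object {
    $adml = Join-Path $OfficeRoot "admx\$Locale\$($_.BaseName).adml"
    if (Test-Path $adml) { Install-Admx -AdmxFile $_.FullName -AdmlFile $adml }
    else { Write-Warning "No $Locale .adml found for $($_.Name); skipped" }
}

# Check: an .admx without its .adml makes gpedit.msc report a missing-resource error on load
Get-ChildItem $PolicyDefs -Filter '*.admx' | Where-Object {
    -not (Test-Path (Join-Path $PolicyDefs "$Locale\$($_.BaseName).adml"))
} | ForEach-Object { Write-Warning "Missing .adml for $($_.Name)" }
```

Run it from an elevated PowerShell window; the final loop is the check worth keeping even if you copy the files by hand, because a template whose .adml is missing breaks the whole Administrative Templates tree in the editor.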

I am using Fluent Reader to subscribe to the Microsoft Security Baselines Blog (paste the URL and click ‘Add source’ in Fluent Reader), where Microsoft announces updates to the security baselines. However, I do not know whether I will have the time to update these baselines and apply them again.


2. Apply the Windows security baselines.

  • Warning: baselines change hundreds of settings, so create a system restore point before proceeding with the following steps.

  • Download the ‘Windows 11 v23H2 Security Baseline.zip’, ‘Microsoft Edge v117 Security Baseline.zip’, ‘Microsoft 365 Apps for Enterprise 2306.zip’ and ‘LGPO.zip’ files from the Microsoft Security Compliance Toolkit download page.

  • I will show you how to apply the ‘Windows 11 v23H2 Security Baseline’ below; the steps are the same for the ‘Microsoft Edge v117 Security Baseline.zip’ and ‘Microsoft 365 Apps for Enterprise 2306.zip’ files.

  • Begin by unzipping both the ‘LGPO.zip’ and ‘Windows 11 v23H2 Security Baseline.zip’ files.

  • In the unzipped LGPO file, navigate to LGPO_30 > LGPO.exe.

  • Copy the LGPO.exe file to Windows 11 v23H2 Security Baseline > Scripts > Tools.

  • Open Windows PowerShell as an administrator.

  • Change the directory to the Scripts folder in the Windows 11 v23H2 Security Baseline file by typing:

cd 'C:\Users\Redacted\Downloads\Windows 11 v23H2 Security Baseline\Windows 11 v23H2 Security Baseline\Scripts'
  • Set the execution policy to Unrestricted for the current process only (it reverts when you close the window) by typing:
Set-ExecutionPolicy -Scope Process Unrestricted
  • You will be prompted with a message about the execution policy change. Respond with Y to confirm the change.

  • Run the Baseline-LocalInstall.ps1 script with the -Win11NonDomainJoined parameter (if your device is not joined to a domain [I don’t know what this is, to be honest]) by typing:

.\Baseline-LocalInstall.ps1 -Win11NonDomainJoined
  • You will receive a security warning. Respond with R to run the script once.

  • Leave PowerShell open and repeat the steps above for the other two baselines: ‘Microsoft Edge v117 Security Baseline.zip’ and ‘Microsoft 365 Apps for Enterprise 2306.zip’.

  • Once you have finished applying the three baselines, in the same administrator PowerShell window set the execution policy for the LocalMachine scope to AllSigned:

Set-ExecutionPolicy -ExecutionPolicy AllSigned
  • Press Enter. You will be prompted with a message about the execution policy change. Respond with Y to confirm the change.
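A restore point is coarse; what a practitioner would also want is a backup of the local policy itself, so the baseline can be compared with and rolled back to the previous state. The following is an added example, not part of the original post or the baseline package: it backs up the local policy with LGPO.exe, applies the baseline in a process-scoped execution policy, and writes a report of the result. The baseline folder and LGPO.exe paths follow this post; the backup folder is my own choice.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: back up local policy, apply the
# Windows 11 baseline, report what is in effect afterwards.
$Baseline = "$env:USERPROFILE\Downloads\Windows 11 v23H2 Security Baseline\Windows 11 v23H2 Security Baseline"  # assumption
$Lgpo     = Join-Path $Baseline 'Scripts\Tools\LGPO.exe'     # LGPO.exe copied here from LGPO_30, as in step 2
$Backup   = 'C:\PolicyBackup\{0:yyyyMMdd-HHmm}' -f (Get-Date)  # assumption: any writable folder works

if (-not (Test-Path $Lgpo)) { throw "LGPO.exe not found at $Lgpo; copy it from LGPO_30 first" }
New-Item -ItemType Directory -Force -Path $Backup | Out-Null

# LGPO /b exports the current local GPO (registry.pol, security template, audit settings) as a GPO backup
& $Lgpo /b $Backup /n 'Local policy before baseline'
if ($LASTEXITCODE -ne 0) { throw "LGPO backup failed with exit code $LASTEXITCODE" }

# Process-scoped execution policy: the machine-wide setting is never touched
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
Push-Location (Join-Path $Baseline 'Scripts')
try {
    .\Baseline-LocalInstall.ps1 -Win11NonDomainJoined
} finally {
    Pop-Location
}

# HTML report of the resulting local policy, next to the backup for later comparison
gpresult /h (Join-Path $Backup 'after-baseline.html') /f

# Rollback: re-import the backup and refresh policy. LGPO /g restores what the
# backup contained; pair it with the restore point for settings the baseline added
# that had no value before.
# & $Lgpo /g $Backup ; gpupdate /force
```

Keep the backup folder: LGPO’s own `/parse /m registry.pol` output from the backup and from the baseline’s GPOs is the quickest way to see exactly which values changed.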

3. The baseline configures Controlled Folder Access in Audit Mode (attempts by untrusted apps to change protected folders are logged but not blocked). If you want to change this setting to Block, you can do so manually:

  • Open the Local Group Policy Editor (gpedit.msc).

  • Navigate to Computer Configuration and select Administrative Templates.

  • Expand the tree to the following path:

Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled folder access
  • Double-click the ‘Configure Controlled folder access’ setting.

  • Set it to Enabled and, in the Options pane, choose Block.

  • This switches Controlled Folder Access in Microsoft Defender from auditing to blocking. Please note that applications Defender does not trust will then be prevented from writing to the protected folders (Documents, Pictures and so on), which can affect their functionality; you can allow specific programs under ‘Configure allowed applications’ in the same policy folder.

  • After applying the baseline, there is an additional step you should take. There is a specific file for this in the baseline package.

  • Locate the file ep-reset.xml in the following path within the unzipped baseline folder:

Windows 11 v23H2 Security Baseline\Scripts\ConfigFiles\ep-reset.xml
  • You need to configure a policy to use this XML file. In the Local Group Policy Editor, navigate to the following path:
Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Exploit Protection > Use a common set of exploit protection settings
  • Set this policy to Enabled and enter the full local path of the ep-reset.xml file in its text box.

  • This applies the exploit protection (process mitigation) settings defined in that XML file system-wide. Please note that changes to security settings can have significant impacts on your system. Always ensure you understand the changes you’re making, and consider backing up your system before making any modifications. If you’re unsure, seek assistance from a professional.
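Before flipping Controlled Folder Access from Audit to Block, it is worth seeing what the audit mode has been recording. The PowerShell below is an added example (not the post’s own commands): it summarises the Controlled Folder Access events, shows the current mode, and imports the exploit protection XML with Set-ProcessMitigation instead of through the policy. Event IDs 1123 (blocked) and 1124 (audited) are Defender’s documented Controlled Folder Access events; the ‘Process Name:’ label used to parse the event text and the XML path are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: what would Block mode have stopped?
$log = 'Microsoft-Windows-Windows Defender/Operational'
$cfa = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1123, 1124 } -ErrorAction SilentlyContinue

function Get-CfaProcesses {
    param($Events)
    # The offending process is named in a "Process Name:" line of the message (label is an assumption)
    $Events | ForEach-Object {
        if ($_.Message -match '(?m)^\s*Process Name:\s*(?<proc>.+?)\s*$') {
            [pscustomobject]@{
                Mode    = if ($_.Id -eq 1124) { 'Audit' } else { 'Block' }
                Process = $Matches.proc
            }
        }
    } | Group-Object Process | Sort-Object Count -Descending | Select-Object Count, Name
}
Get-CfaProcesses -Events $cfa | Format-Table -AutoSize

# Current mode: 0 Disabled, 1 Enabled (block), 2 Audit, 3 Block disk modification only,
# 4 Audit disk modification only. A value set by Group Policy cannot be overridden with Set-MpPreference.
"Controlled Folder Access mode: $((Get-MpPreference).EnableControlledFolderAccess)"

# Anything legitimate in the list above gets allowed before enforcing (placeholder path)
# Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleApp\example.exe'

# Exploit protection: import the baseline's XML directly and show the system-wide result
$EpXml = "$env:USERPROFILE\Downloads\Windows 11 v23H2 Security Baseline\Windows 11 v23H2 Security Baseline\Scripts\ConfigFiles\ep-reset.xml"  # assumption
if (Test-Path $EpXml) {
    Set-ProcessMitigation -PolicyFilePath $EpXml
    Get-ProcessMitigation -System
}
```

Leave audit mode on for a week of normal use first; a process that shows up repeatedly in the 1124 list (a backup tool, a game launcher) is one you will want in the allowed-applications list before switching to Block.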


4. Important settings:

  • Before adjusting the Virtualization Based Security policy, there are several BIOS/UEFI settings you should modify:

  • Secure Boot: Turn this on and, if the firmware offers the option, disable the third-party ‘Microsoft UEFI CA’ (it signs Linux boot loaders, but also some option ROMs such as those of discrete GPUs, so re-enable it if the machine no longer boots).

  • Virtualization Settings (Intel VT-x/VT-d or AMD-V/IOMMU, which VBS and DMA protection depend on): Turn these on (this was @fiwayan173’s advice; I have no idea what these are specifically).

  • Thunderbolt Security Settings: Set these to the highest level (again, if applicable; I couldn’t find these).

  • BIOS Password: Set a BIOS password.

  • Boot Sequence Settings: Only boot from your internal drive and disable all other boot entries, such as USB and network boot (if applicable; I couldn’t find these).

  • TPM: Turn on the TPM and set Pluton as the default if you have it (if applicable; I couldn’t find these).

  • After adjusting the BIOS settings, navigate to the policy by clicking Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security. This policy contains several important settings that, once set with UEFI lock, cannot be turned off again by changing the policy alone:

  • Select Platform Security Level: choose Secure Boot and DMA Protection if your laptop was shipped after 2018 (the DMA protection part needs an IOMMU, which recent machines have); otherwise choose Secure Boot.

  • Virtualization Based Protection of Code Integrity (HVCI): Most hardware is compatible with this. Set it to Enabled with UEFI lock. UEFI lock stores the setting in a UEFI variable rather than only in Windows, so it cannot be disabled remotely or by policy; clearing it requires someone physically at the machine during boot. Also tick Require UEFI Memory Attributes Table.

  • Credential Guard Configuration: Set it to Enabled with UEFI lock. (Credential Guard isolates LSASS secrets in a VBS-protected process; on domain-joined machines it also disables NTLMv1, Kerberos DES and unconstrained delegation, which can break old integrations.)

  • Secure Launch Configuration (System Guard Secure Launch/Firmware Protection): SMM protection is included in Secure Launch. This requires a CPU with a dynamic root of trust, i.e. Intel vPro (TXT) or a recent AMD CPU with DRTM support. If your device is compatible, turn it on.

  • Kernel-mode Hardware-enforced Stack Protection: If your device is compatible (Intel 11th-gen Core or later, AMD Zen 3 or later), set it to Enabled in enforcement mode.
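After the reboot, the question is whether the services the policy asked for are actually running, or whether a firmware prerequisite is still missing. The script below is an added example (not part of the original post) that reads the Win32_DeviceGuard class and the registry flags the policy writes, and flags anything configured but not running; the numeric codes follow Microsoft’s Win32_DeviceGuard documentation.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post: compare what the VBS policy
# configured with what is actually running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

$vbsState = @{ 0 = 'Disabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
$services = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor-protected Code Integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
    5 = 'Kernel-mode Hardware-enforced Stack Protection'
    6 = 'Kernel-mode Hardware-enforced Stack Protection (audit mode)'
    7 = 'Hypervisor-Enforced Paging Translation'
}
$platform = @{
    1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'; 5 = 'UEFI code read-only'
    6 = 'SMM security mitigations 1.0'; 7 = 'Mode Based Execution Control'; 8 = 'APIC virtualization'
}
function Describe([hashtable]$Map, $Codes) {
    ($Codes | Where-Object { $_ -ne 0 } | ForEach-Object { $Map[[int]$_] }) -join ', '
}

"VBS status          : $($vbsState[[int]$dg.VirtualizationBasedSecurityStatus])"
"Platform available  : $(Describe $platform $dg.AvailableSecurityProperties)"
"Platform required   : $(Describe $platform $dg.RequiredSecurityProperties)"
"Services configured : $(Describe $services $dg.SecurityServicesConfigured)"
"Services running    : $(Describe $services $dg.SecurityServicesRunning)"

# Configured but not running means a firmware prerequisite (virtualization, IOMMU, Secure Boot) is still off
$notRunning = $dg.SecurityServicesConfigured | Where-Object { $_ -ne 0 -and $_ -notin $dg.SecurityServicesRunning }
if ($notRunning) { Write-Warning ('Configured but NOT running: ' + (Describe $services $notRunning)) }

# Firmware view of Secure Boot, and the UEFI-lock flags the policy wrote
"Secure Boot (firmware): $(try { Confirm-SecureBootUEFI } catch { 'not supported on this machine' })"
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' |
    Select-Object EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, Locked
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity' -ErrorAction SilentlyContinue |
    Select-Object Enabled, Locked
# LsaCfgFlags: 1 = Credential Guard with UEFI lock, 2 = Credential Guard without lock
"Credential Guard flags: $((Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue).LsaCfgFlags)"
```

‘Locked = 1’ in the DeviceGuard keys is the UEFI lock; if you ever need to undo it, the clearing procedure requires confirming at the console during boot, which is the whole point of the lock.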


5. Turning on Smart App Control without using Windows Defender settings:

  • First, install the WDAC Wizard on your system.

  • Open the WDAC Wizard and follow these steps:

    Select ‘Policy Creator’.
    Choose ‘Base Policy’.
    Select ‘Signed and Reputable Mode’.
    Under ‘Policy Rules’, disable ‘Audit Mode’.
    Under ‘File Rules’, check ‘Merge and the 2 rules’.

  • Once done, click ‘Finish’.

  • Find the .cip file you created (it should be in your Documents folder, named after the policy’s GUID). Open PowerShell as an administrator and execute the following commands (the GUID below is the one the Wizard generated for this policy; yours will differ):

$PolicyBinary = "C:\Users\YourUsername\Documents\{BF7C2699-87B0-4A61-B0D5-EED077419032}.cip"
CiTool --update-policy $PolicyBinary -json
  • Replace YourUsername with your actual username. The -json switch is optional; it only changes the format of CiTool’s output.

  • If you need to remove the WDAC policy again, use the following command with your policy’s GUID, then reboot so the policy is also unloaded from memory:

CiTool.exe -rp "{BF7C2699-87B0-4A61-B0D5-EED077419032}" -json
  • Note: WDAC might not be suitable for everyone due to its strict control over applications, and CiTool itself is only available on Windows 11 22H2 and later. Consider leaving ‘Audit Mode’ on for the first deployment and reviewing the Code Integrity event log before creating the enforced policy.
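The deployment, check and audit review in one place, as an added example that is not the post’s own or the WDAC Wizard’s commands. It assumes CiTool is present (Windows 11 22H2 or later) and uses a placeholder policy GUID; substitute the one the Wizard generated.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: deploy the Wizard's .cip, confirm
# it is active, and read the Code Integrity log before trusting enforcement.
$PolicyId     = '{00000000-0000-0000-0000-000000000000}'      # placeholder: use the GUID from your .cip file name
$PolicyBinary = Join-Path "$env:USERPROFILE\Documents" "${PolicyId}.cip"
if (-not (Test-Path $PolicyBinary)) { throw "Policy binary not found: $PolicyBinary" }

# Deploy (or refresh) the policy; -json makes the output machine-readable
CiTool.exe --update-policy $PolicyBinary -json

# Is it listed, and is it enforced or still in audit mode?
function Get-CiPolicies {
    (CiTool.exe --list-policies -json | ConvertFrom-Json).Policies |
        Select-Object PolicyID, FriendlyName, IsEnforced, IsOnDisk, IsAuthorized
}
Get-CiPolicies | Format-Table -AutoSize

# Audit before enforcing: 3076 = would have been blocked (audit mode), 3077 = blocked (enforced)
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076, 3077
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }

# Removal (reboot afterwards so the policy is gone from memory as well as from disk):
# CiTool.exe --remove-policy $PolicyId -json
```

A stream of 3076 events for software you actually use means the ‘Signed and Reputable’ template does not cover it yet; fix that with a supplemental or custom rule in the Wizard before you turn audit mode off.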

6. Apply additional measures as recommended by @fiwayan173:

  • Configuring Attack Surface Reduction Rules:

  • In the Group Policy Editor, navigate to the following path:

Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack surface reduction > Configure Attack Surface Reduction rules
  • This policy should already be Enabled by the security baseline. Click the ‘Show…’ button next to ‘Set the state for each ASR rule’. You will see 13 lines there, one per rule (value name = rule GUID, value = mode). Add these 3 rule GUIDs (block abuse of exploited vulnerable signed drivers; block process creations originating from PsExec and WMI commands; block executable files unless they meet a prevalence, age or trusted-list criterion), each with value 1:
56a863a9-875e-4185-98a7-b882c64b5ce5
d1e49aac-8f56-4280-b9ba-993a6d77406c
01443614-cd74-433a-b99e-2ecdc07bfc25
  • Then change the value of all 16 lines from 1 to 6 (0 = off, 1 = block, 2 = audit, 6 = warn). In warn mode, Defender shows a dialog when you are about to perform an action that may infect your PC, and the potentially dangerous operation only continues if you click ‘Allow’. Microsoft documents a few rules as not supporting warn mode, so check the effective mode of each rule afterwards.
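The same change through the Defender cmdlets, plus the check the last sentence asks for, as an added example that is not part of the original post. The rule names in the comments and the three rules listed as not supporting warn mode are taken from Microsoft’s ASR rules reference; treat that exclusion list as something to verify on your build rather than as authoritative.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post: add the three rules in Warn
# mode and list the effective mode of every configured rule.
$Extra = @(
    '56a863a9-875e-4185-98a7-b882c64b5ce5'   # Block abuse of exploited vulnerable signed drivers
    'd1e49aac-8f56-4280-b9ba-993a6d77406c'   # Block process creations originating from PSExec and WMI commands
    '01443614-cd74-433a-b99e-2ecdc07bfc25'   # Block executable files unless they meet a prevalence, age, or trusted list criterion
)
# Rules Microsoft documents as not supporting Warn mode (verify on your build)
$NoWarn = @(
    'd3e037e1-3eb8-44c8-a917-57927947596d'   # Block JavaScript or VBScript from launching downloaded executable content
    'e6db77e5-3df2-4cf1-b95a-636979351e5b'   # Block persistence through WMI event subscription
    'c1db55ab-c21a-4637-bb3f-a12568109d35'   # Use advanced protection against ransomware
)

# Warn: Defender shows a dialog with an Allow button instead of blocking silently.
# Rules set by Group Policy take precedence; this only adds or updates local entries.
Add-MpPreference -AttackSurfaceReductionRules_Ids $Extra `
                 -AttackSurfaceReductionRules_Actions @('Warn', 'Warn', 'Warn')

function Get-AsrState {
    $pref  = Get-MpPreference
    $modes = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            RuleId        = $id
            Mode          = $modes[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
            WarnSupported = ($id -notin $NoWarn)
        }
    }
}
Get-AsrState | Format-Table -AutoSize

# Rules set to Warn that do not support it deserve a second look (they may behave as Block)
Get-AsrState | Where-Object { $_.Mode -eq 'Warn' -and -not $_.WarnSupported }
```

Get-MpPreference reports the merged result of policy and local settings, so this is also the quickest way to confirm the 16 entries you typed into the policy’s ‘Show…’ dialog were accepted.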

  • Securing your Intel CPU:

  • If your CPU is Intel, execute the following commands in an administrator command prompt or PowerShell:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v RetsPredictedFromRsbOnly /t REG_DWORD /d 1 /f
  • These are Microsoft’s documented registry overrides for the speculative-execution side-channel mitigations (the Spectre/Meltdown family) and the matching Hyper-V settings; they take effect after a reboot. They may slow down your PC a bit but will make your PC more secure against some CPU exploits.

  • Some more recommended settings:

  • Open the command prompt as an administrator.

  • Execute the following commands:

setx /M MP_FORCE_USE_SANDBOX 1
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config" /v EnableCertPaddingCheck /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config" /v EnableCertPaddingCheck /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\OLELinkConversionFromOLESTREAMToIStorage" /v Disabled /t REG_DWORD /d 1 /f

Below is what the commands do:

setx /M MP_FORCE_USE_SANDBOX 1
  • This sets the machine-wide environment variable MP_FORCE_USE_SANDBOX to 1, which makes Microsoft Defender Antivirus run its scanning engine in a sandboxed content process (MsMpEngCP.exe). It takes effect after a reboot.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 0 /f
  • This keeps UAC remote restrictions on (0 is the default): a local administrator account logging on over the network (SMB, WMI and so on) gets a filtered, non-elevated token, which blunts pass-the-hash attacks with local accounts. Setting it to 1 would remove that protection.
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
  • This leaves Restricted Admin mode for Remote Desktop enabled (0 = not disabled), so an RDP client can connect without sending its credentials to the remote host. Trade-off: Restricted Admin also allows an RDP logon with only an NTLM hash, which is why some guidance sets this value to 1 instead.
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config" /v EnableCertPaddingCheck /t REG_DWORD /d 1 /f
  • This enables the stricter Authenticode signature check: extra data appended to a signed file’s signature block now invalidates the signature instead of being ignored.
reg add "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config" /v EnableCertPaddingCheck /t REG_DWORD /d 1 /f
  • This enables the same check for 32-bit applications on 64-bit Windows.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\OLELinkConversionFromOLESTREAMToIStorage" /v Disabled /t REG_DWORD /d 1 /f
  • This disables the conversion of OLE links stored in the legacy OLESTREAM format into IStorage objects, an opt-in hardening Microsoft provides against malicious OLE objects embedded in documents.
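To check the values from both this list and the ‘Securing your Intel CPU’ section after the reboot, here is an added PowerShell audit script that is not part of the original post. It reads each registry value back, confirms the Defender sandbox process exists, and uses Microsoft’s SpeculationControl module (installed from the PowerShell Gallery, so that step needs internet access) to show which CPU mitigations the kernel actually enabled.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: verify the hardening values from
# "Securing your Intel CPU" and "Some more recommended settings".
$Expected = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'; Name = 'FeatureSettingsOverrideMask'; Value = 3 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'; Name = 'FeatureSettingsOverride';     Value = 72 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization';        Name = 'MinVmVersionForCpuBasedMitigations'; Value = '1.0' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization';        Name = 'RetsPredictedFromRsbOnly';    Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';          Name = 'LocalAccountTokenFilterPolicy'; Value = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                               Name = 'DisableRestrictedAdmin';      Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config';                    Name = 'EnableCertPaddingCheck';      Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config';        Name = 'EnableCertPaddingCheck';      Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat\OLELinkConversionFromOLESTREAMToIStorage'; Name = 'Disabled';            Value = 1 }
)

function Test-HardeningValue {
    param([string]$Path, [string]$Name, $Value)
    # A missing value is reported as such rather than silently treated as 0
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Setting  = $Name
        Expected = $Value
        Actual   = if ($null -eq $actual) { '<missing>' } else { $actual }
        OK       = ("$actual" -eq "$Value")
    }
}
$Expected | ForEach-Object { Test-HardeningValue -Path $_.Path -Name $_.Name -Value $_.Value } | Format-Table -AutoSize

# setx /M writes a machine-scope variable; new processes see it, the window it was typed in does not
"MP_FORCE_USE_SANDBOX = $([Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine'))"
# After a reboot the sandboxed engine shows up as its own content process
Get-Process MsMpEngCP -ErrorAction SilentlyContinue | Select-Object Name, Id

# Microsoft's SpeculationControl module reports which CPU mitigations are actually enabled
if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module SpeculationControl -Scope CurrentUser -Force    # needs PowerShell Gallery access
}
Get-SpeculationControlSettings -Quiet | Format-List
```

A row with OK = False after the reboot usually means the reg add ran in a non-elevated prompt; the SpeculationControl output is the ground truth for the CPU part, since the registry values only request mitigations the hardware and microcode must actually support.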

Windows privacy

  • Just like the Windows security baselines, you can apply the Windows Restricted Traffic Limited Functionality Baseline; however, not all settings within this baseline are recommended. Which settings to apply and which not to apply is a work in progress for me. We will need more discussion on this matter.

Well done! Congratulations :slight_smile:
