'Hardening' Windows

2nd Edit:

Sorry for the ping @sha123 and @anon34108895. I have one question: I have applied the Windows security baseline, and I do not want to use a standard (non-admin) account in conjunction with an administrator account; I just want to use one administrator account.

The above is not applicable, the Windows security baseline does not force you to use a non-administrator account in conjunction with an administrator account.

Which of the settings that the security baseline sets should I revert?

1st Edit: Do I need to apply the “Windows Server 2022 Security Baseline” or is this irrelevant to me using a private home computer and network?

2nd Edit: Answer: I didn’t need to do this according to some friendly users.

I will apply the Edge (I do not really use edge) and 365 baselines, but not the TLFB baseline, as per your opinions. I will do this before you all let me know what settings I should change back. Thank you so much! I highly appreciate you all.

That’s to be expected; the documentation is for people who are managing a business deployment and not just laypeople.

2 Likes

No. Only find what’s matching your Windows edition.

No, AFAIK. TBH I do not know what this prompt means. I suggest you ignore it.

Instead of applying RTLFB, you can also read the web page and adjust settings manually to your needs. This is my way of adjusting privacy settings and I think it’s more versatile and easier to revert changes. I think for most people sections 2, 12, 17, 18, 21, 24, 28, 29 and 33 are of top priority (especially 18.16: choose Security for the “Send your device data to Microsoft” policy).

1 Like

Enable or Disable Ctrl+Alt+Delete Secure Desktop for UAC prompt in Local Group Policy Editor

Thanks a lot!

What are these settings, exactly? I found some information from Microsoft themselves, here.

So far, I have noticed that the “Windows 11 v23H2 Security Baseline” has turned off Controlled Folder Access, placing it on Audit Mode. I manually changed this setting to Block (Click Start > type and then click Edit group policy. Click Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security > Secure Launch Configuration), because Microsoft says:

To fully enable controlled folder access, you must set the Group Policy option to Enabled and select Block in the options drop-down menu.

More security settings that the baseline weakened/disabled include (that I was able to identify): Apply UAC restrictions to local accounts on network logons, System Guard Secure Launch and SMM protection, Firewall & network protection notifications, Firmware protection. Furthermore, I noticed that under Windows Security > App browser & control > Exploit protection settings > Programme settings, a lot of seemingly important settings seem to be untouched.

Now, to be honest, I can’t be bothered to look through the 63 (I think) changed Local Group Policy settings, for settings that the “Windows 11 v23H2 Security Baseline” may have counter intuitively turned off. Moreover, the baseline may have not configured/missed some settings in the first place. Can anyone alert me as to settings that I should manually override/change?

In general, I noticed that some (groan) group policy security settings had defaults that were different to their recommended state (as prescribed by Microsoft), meaning they were weakening the security of my device on purpose. This begs the question, why on Earth, does this “security” baseline weaken a small number of seemingly arbitrarily chosen security settings?

Note: I noticed that Microsoft are updating their baselines, you can find updates here.

Lastly, I could not be bothered to read the “Microsoft Edge Privacy Whitepaper”, does it provide anything of importance?

Update 2: This is how I set my settings for System Guard Secure Launch and SMM protection, would you all recommend any changes?

Computer Configuration
Windows Components\Microsoft Defender Antivirus\MAPS
Join Microsoft MAPS

I changed it from 2 → 0

and

Computer Configuration
Windows Components\Microsoft Defender Antivirus\MAPS
Send file samples when further analysis is required

3 → 2

are the most important ones.

You might also want to change:
Computer Configuration
Windows Components\Microsoft Defender Antivirus
Control whether or not exclusions are visible to Local Admins.

1 → 0

Please read what they do before changing them.

1 Like
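The settings named in the two posts above (Controlled Folder Access, Join Microsoft MAPS, sample submission, exclusions visible to local admins) can be audited in one go. The script below is an added example, not code from the thread or from Microsoft: it reads the policy-side registry values that the baseline writes (the same ones gpedit shows) next to the effective values Defender reports, so you can see where the baseline, your manual edits and the engine disagree. The Get-MpPreference property names are assumed to exist on current Windows 10/11 builds and fall back to a placeholder if they do not.

```powershell
# Added example (not from the thread): audit the Defender settings discussed above.
# Run in an elevated PowerShell. Value meanings follow the Group Policy descriptions.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$pref = Get-MpPreference

function Get-PolicyValue([string]$Key, [string]$Name) {
    # $null means neither the baseline nor you set a policy value, so Defender's own default applies.
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-EffectiveValue([string]$Property) {
    # Property names are assumed for current builds; older engines may lack some of them.
    if ($pref.PSObject.Properties.Name -contains $Property) { $pref.$Property } else { '(not on this build)' }
}

$checks = @(
    @{ Policy  = 'Join Microsoft MAPS'
       Key     = "$policyRoot\Spynet"; Name = 'SpynetReporting'; Pref = 'MAPSReporting'
       Meaning = @{ 0 = 'Disabled'; 1 = 'Basic (deprecated)'; 2 = 'Advanced' } },
    @{ Policy  = 'Send file samples when further analysis is required'
       Key     = "$policyRoot\Spynet"; Name = 'SubmitSamplesConsent'; Pref = 'SubmitSamplesConsent'
       Meaning = @{ 0 = 'Always prompt'; 1 = 'Send safe samples'; 2 = 'Never send'; 3 = 'Send all samples' } },
    @{ Policy  = 'Control whether or not exclusions are visible to Local Admins'
       Key     = $policyRoot; Name = 'HideExclusionsFromLocalAdmins'; Pref = 'HideExclusionsFromLocalAdmins'
       Meaning = @{ 0 = 'Visible'; 1 = 'Hidden' } },
    @{ Policy  = 'Configure Controlled folder access'
       Key     = "$policyRoot\Windows Defender Exploit Guard\Controlled Folder Access"
       Name    = 'EnableControlledFolderAccess'; Pref = 'EnableControlledFolderAccess'
       Meaning = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 3 = 'Block disk modification only'; 4 = 'Audit disk modification only' } }
)

$report = foreach ($c in $checks) {
    $policy    = Get-PolicyValue -Key $c.Key -Name $c.Name
    $effective = Get-EffectiveValue -Property $c.Pref
    [pscustomobject]@{
        Policy      = $c.Policy
        PolicyValue = if ($null -eq $policy) { '(not configured)' } else { "$policy = $($c.Meaning[[int]$policy])" }
        Effective   = if ($effective -is [string]) { $effective } else { "$effective = $($c.Meaning[[int]$effective])" }
    }
}
$report | Format-Table -AutoSize -Wrap

# Where PolicyValue is "(not configured)" the effective setting can be changed directly, e.g.
#   Set-MpPreference -EnableControlledFolderAccess Enabled
#   Set-MpPreference -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
# Where a policy value exists it wins and is re-applied on every policy refresh, so change it
# in gpedit (the paths quoted in the post above) or with LGPO instead.
```

Two things worth knowing when reading the output: the baseline applies these values through Local Group Policy, so a Set-MpPreference change that disagrees with a configured policy is silently overridden at the next refresh; and a value of 2 for "Send file samples" is "Never send", which is why the 3 → 2 change in the post is the more private option.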

Interestingly, mine was defaulted to this.

Mine was set to: (0x0) Always prompt, by default.

Not sure whether this means enabled or disabled, since these options are not displayed like that, for me. Mine is enabled.

I read the Group Policy descriptions. Thanks a lot!

If you use Edge it is important, otherwise not.

1 Like

I applied the Microsoft Edge v117 Security Baseline and disabled all telemetry in the privacy and security settings, so I assume it is unimportant anyway.

Are you sure that the baseline was applied correctly? Did you restart the device afterwards? Did you do GPO changes to these settings before applying the policy?

I would recommend comparing your current state to the baseline with the Policy Analyzer tool.

The main problem with Edge is not only diagnostic data. There is quite some invasive nonsense to deactivate.

1 Like
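For the "was the baseline applied correctly?" question above, Policy Analyzer is the supported route. The script below is an added example (mine, not the thread's and not a Microsoft tool) that does the narrow machine-policy part of that comparison offline: it snapshots the current local policy with LGPO.exe, converts both the snapshot and the baseline's GPO folder to LGPO's text format with `LGPO.exe /parse /m`, and lists every machine registry policy where the two differ. It assumes LGPO.exe from the Security Compliance Toolkit is at `$Lgpo` and the extracted baseline's `GPOs` folder is at `$BaselineDir`; both paths are placeholders.

```powershell
# Added example (not from the thread): diff the current local machine policy against a baseline.
# Assumed paths; adjust to where you unpacked the Security Compliance Toolkit and the baseline.
param(
    [string]$Lgpo        = 'C:\Tools\LGPO\LGPO.exe',
    [string]$BaselineDir = 'C:\Baselines\Windows 11 v23H2 Security Baseline\GPOs'
)

function ConvertFrom-LgpoText {
    # "LGPO.exe /parse" output is groups of four lines (scope, key, value name, data) separated
    # by blank lines; ';' lines are comments. Returns "scope|key|value" -> data.
    param([string[]]$Lines)
    $map = @{}
    $block = @()
    foreach ($line in ($Lines + '')) {              # trailing '' flushes the last block
        if ($line -match '^\s*;') { continue }
        if ($line.Trim() -eq '') {
            if ($block.Count -eq 4) { $map["$($block[0])|$($block[1])|$($block[2])"] = $block[3] }
            $block = @()
        } else {
            $block += $line.Trim()
        }
    }
    return $map
}

function Get-MachinePolicies([string]$Root) {
    # Merge every Machine\registry.pol under $Root (a baseline ships several GPOs).
    $map = @{}
    Get-ChildItem -Path $Root -Recurse -Filter registry.pol |
        Where-Object { $_.FullName -match '\\Machine\\' } |
        ForEach-Object {
            $parsed = ConvertFrom-LgpoText -Lines (& $Lgpo /parse /m $_.FullName 2>$null)
            foreach ($k in $parsed.Keys) { $map[$k] = $parsed[$k] }
        }
    return $map
}

$backup = Join-Path $env:TEMP ('lgpo-backup-' + (Get-Date -Format yyyyMMddHHmmss))
New-Item -ItemType Directory -Path $backup | Out-Null
& $Lgpo /b $backup | Out-Null                    # snapshot of the current local GPO

$current  = Get-MachinePolicies -Root $backup
$baseline = Get-MachinePolicies -Root $BaselineDir

$diff = foreach ($k in ($baseline.Keys | Sort-Object)) {
    if ($current[$k] -ne $baseline[$k]) {
        $scope, $key, $name = $k -split '\|', 3
        [pscustomobject]@{
            Key      = $key
            Value    = $name
            Baseline = $baseline[$k]
            Current  = if ($null -eq $current[$k]) { '(not set)' } else { $current[$k] }
        }
    }
}
if ($diff) { $diff | Format-Table -AutoSize -Wrap } else { 'Local machine policy matches the baseline.' }
```

Rows marked "(not set)" are baseline settings that never reached the local policy, which on a Home or Pro edition usually means the setting simply does not apply there. The script only compares machine registry policies; user policies and the security template (account policies, user rights, audit settings) are also in the backup but are not diffed here, which is the part Policy Analyzer still does better.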

Not in the security baseline and not recommended to activate according to Microsoft Blog post from 2019.

I am silly, I mistook UAC for something else, UAC does not pester me at all. Aside from defaulting to no.

This is the last step and the largest time investment. I do not know at the moment whether I will commit. Could it be smarter to apply the entire thing at once and then overwrite some of their prescribed settings?

The only other thing that worries me is this:

Except for the controlled folder access setting, most other settings usually have good reasons to be that way, and what you think is weakening security might not in practice, or can lead to instabilities if you force settings on hardware which does not fulfill the requirements. The problem is that Microsoft’s docs and descriptions are sometimes outdated or confusing, which is where a lot of the confusion comes from.

1 Like

The two main conflicting settings were the Defender settings I wrote. But independently of the security baseline you should go through the most important privacy settings, be it with RTLFB or via some other way.

Oh and learn to use the policy analyzer tool. It’s immensely helpful to compare different policies to each other and to your current state and to get an overview, including descriptions of the settings.

Some minor points: Just selecting Secure Boot would be enough, since Windows will turn on DMA protection automatically, if your device fulfills the requirements. Not checking the Require UEFI Memory Attributes Table can lead to instabilities, if your hardware does not fulfill the requirements. Aside from that it is fine. But shouldn’t this already be set from the security baseline?

2 Likes
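The advice above (let Windows pick DMA protection, do not require the UEFI Memory Attributes Table unless the hardware has it) can be checked before committing to a setting. The script below is an added example, not code from the thread: it reads what the platform reports through the `Win32_DeviceGuard` class, reads the values that the "Turn On Virtualization Based Security" policy writes, and warns where the policy asks for something the hardware does not advertise. The numeric code names are the ones from Microsoft's Win32_DeviceGuard documentation as I recall them; any code not in the tables prints as its number.

```powershell
# Added example (not from the thread): compare VBS / Secure Launch policy with what the platform offers.
# Run in an elevated PowerShell on Windows 10/11.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

$propertyNames = @{
    1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'; 4 = 'Secure Memory Overwrite'
    5 = 'UEFI code read-only (Memory Attributes Table)'; 6 = 'SMM security mitigations 1.0'
    7 = 'Mode-based execution control'; 8 = 'APIC virtualization'
}
$serviceNames = @{
    1 = 'Credential Guard'; 2 = 'HVCI'; 3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'; 5 = 'Kernel-mode hardware-enforced stack protection'
}

function Get-CodeNames([hashtable]$Names, [int[]]$Codes) {
    if (-not $Codes) { return '(none)' }
    ($Codes | ForEach-Object { if ($Names.ContainsKey($_)) { $Names[$_] } else { "code $_" } }) -join ', '
}

'VBS status: ' + @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'running' }[[int]$dg.VirtualizationBasedSecurityStatus]
'Available : ' + (Get-CodeNames $propertyNames $dg.AvailableSecurityProperties)
'Required  : ' + (Get-CodeNames $propertyNames $dg.RequiredSecurityProperties)
'Configured: ' + (Get-CodeNames $serviceNames  $dg.SecurityServicesConfigured)
'Running   : ' + (Get-CodeNames $serviceNames  $dg.SecurityServicesRunning)

# Values written by Computer Configuration > Administrative Templates > System > Device Guard
$pol      = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue
$platform = $pol.RequirePlatformSecurityFeatures   # 1 = Secure Boot, 3 = Secure Boot and DMA Protection
$mat      = $pol.HVCIMATRequired                   # 1 = Require UEFI Memory Attributes Table
$launch   = $pol.ConfigureSystemGuardLaunch        # 1 = enabled, 2 = disabled

$available  = @($dg.AvailableSecurityProperties)
$configured = @($dg.SecurityServicesConfigured)
$running    = @($dg.SecurityServicesRunning)

if ($platform -eq 3 -and 3 -notin $available) {
    Write-Warning 'Policy requires DMA protection, but the platform does not report it; VBS may refuse to start.'
}
if ($mat -eq 1 -and 5 -notin $available) {
    Write-Warning 'Policy requires the UEFI Memory Attributes Table, but the platform does not report it.'
}
if ($launch -eq 1 -and 6 -notin $available) {
    Write-Warning 'Secure Launch requested, but SMM security mitigations are not reported; SMM protection may not run.'
}
if (3 -in $configured -and 3 -notin $running) {
    Write-Warning 'System Guard Secure Launch is configured but not running: the platform did not meet its requirements.'
}
```

The useful comparison is "Configured" against "Running": a service that appears in the first list but not the second is exactly the case the post warns about, a policy forced onto hardware that cannot honour it. If the output shows DMA protection as available, selecting only Secure Boot in the policy is enough, as stated above, because Windows adds DMA protection on its own.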

No, I don’t think I did, because I don’t know what a GPO change is tbh. Could you explain what this is @sha123?

Thank you.

Also, I have noted some successes and failures, which I assume are due to me not having an Enterprise Windows edition.