'Hardening' Windows

Most of the ASR rules are already implemented by the security baselines.

Microsoft docs are terrible, but you don’t need prior computer science education to implement these things. It just takes a lot of effort and is really cumbersome.

2 Likes

no

In Group Policy Editor, open Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack surface reduction > Configure Attack Surface Reduction rules. You would see 13 lines there. Add these 3 lines:
56a863a9-875e-4185-98a7-b882c64b5ce5
d1e49aac-8f56-4280-b9ba-993a6d77406c
01443614-cd74-433a-b99e-2ecdc07bfc25
then change the value of all 16 lines from 1 to 6.
Basically these rules warn you when you are doing something that may get your PC infected. Only if you click allow can you continue to execute the dangerous operation.

If your CPU is Intel, execute the following commands in an administrator command prompt or PowerShell:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v RetsPredictedFromRsbOnly /t REG_DWORD /d 1 /f

These settings slow down your PC a bit but make your PC more secure against some CPU exploits.

The security baselines do not include privacy-related settings, no matter if it’s Windows, Office or Edge.

Yes. I’m not sure if the security baseline can do this for you automatically. Open Group Policy Editor; if you can see items like

Administrative template
    >start menu and task bar
    ...
    >Microsoft Edge
    ...
    >Microsoft office 2016
    ...
    >Windows Components
    ...

then you do not have to do it manually.
To do it manually, take Edge for example. On this page, click Download Windows 64-bit Policy. Extract the cab file. Find MicrosoftEdgePolicyTemplates.zip>windows>admx>msedge.admx. Put this file in your C:\Windows\PolicyDefinitions folder. Then find MicrosoftEdgePolicyTemplates.zip>windows>admx>(your locale code)>msedge.adml and put this in the C:\Windows\PolicyDefinitions\(your locale code) folder.

If you have signed in with an MS account in your Windows (i.e. you are not using a local account) and you’re using Windows Hello, then Windows Hello (PIN, fingerprint and face) won’t work after you set these policies. You also cannot log in to the Microsoft Store or any other native apps using an MS account.

6 settings for 5 links (command prompt as administrator)

setx /M MP_FORCE_USE_SANDBOX 1
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config" /v EnableCertPaddingCheck /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config" /v EnableCertPaddingCheck /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\OLELinkConversionFromOLESTREAMToIStorage" /v Disabled /t REG_DWORD /d 1 /f

SAC requires a clean install. If you cannot do this, use WDAC.

  1. Install WDAC Wizard, then open it.
  2. Policy Creator > Base Policy > Signed and Reputable Mode > Policy Rules: disable audit mode > File Rules: merge with the 2 rules checked > Done.
  3. Find your created .cip file. In your administrator command prompt:
$PolicyBinary = "C:\Users\aaaaaaaaaaa\Documents\{86983A4B-5CF4-4E82-9E54-4A6DF14E3FA3}.cip"
CiTool --update-policy $PolicyBinary -json

done.
  4. To disable the WDAC policy:
CiTool.exe -rp "{86983A4B-5CF4-4E82-9E54-4A6DF14E3FA3}" -json
  5. WDAC is not suitable for everyone.

1 Like
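As an added example (not code from the thread or from any of its authors), here is a read-only PowerShell check for the ASR configuration described in the post above and again in the “Configuring Attack Surface Reduction Rules” section of the Final solution post further down. It reads the effective rule list with Get-MpPreference, reports each rule’s mode, flags any rule that is not in Warn mode (value 6), and confirms the three rule IDs the post adds are present. The action-code table is Microsoft’s (0 Off, 1 Block, 2 Audit, 6 Warn; the post only uses 1 and 6), and the rule names in the comments are taken from Microsoft’s ASR rule reference.

```powershell
# Added example (not code from the thread): audit the effective Attack Surface
# Reduction configuration and compare it with what the post above asks for.
# Run in an elevated PowerShell on a machine with Microsoft Defender Antivirus.

# ASR action codes as used by Group Policy and Set-MpPreference
$ActionNames = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# The three rule IDs the post adds to the baseline's 13
# (rule names taken from Microsoft's ASR rule reference)
$AddedRules = [ordered]@{
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files unless they meet prevalence, age or trusted-list criteria'
}

function Get-AsrRuleState {
    # Get-MpPreference exposes the configured rules as two parallel arrays:
    # one of rule GUIDs and one of action codes, in the same order.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]   # byte -> int so the hashtable lookup matches
        $name = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown($code)" }
        [pscustomobject]@{
            RuleId = ([string]$ids[$i]).ToLowerInvariant()
            Action = $name
        }
    }
}

$state = @(Get-AsrRuleState)
"Configured ASR rules: {0} (the post expects 16)" -f $state.Count
$state | Sort-Object RuleId | Format-Table -AutoSize

# The post sets every rule to 6 (Warn); anything else is worth a look
$notWarn = @($state | Where-Object Action -ne 'Warn')
if ($notWarn.Count -gt 0) {
    Write-Warning "$($notWarn.Count) rule(s) are not in Warn mode:"
    $notWarn | Format-Table -AutoSize
}

# Confirm the three added rules are present and report their mode
foreach ($id in $AddedRules.Keys) {
    $hit = $state | Where-Object RuleId -eq $id
    if ($hit) { "{0}  {1,-6} {2}" -f $id, $hit.Action, $AddedRules[$id] }
    else      { "{0}  MISSING {1}" -f $id, $AddedRules[$id] }
}
```

Running this after the Group Policy change is a quick way to see whether the policy actually reached Defender (rules set by policy show up in Get-MpPreference) and whether anything was left in Block or Audit mode by the baseline.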

Before properly reading this I can say: thanks, you are a saint. This seems to be the level of detail I was looking for.

There are a few final settings to note. They are not in the baseline and not mentioned before.
1. Recently Microsoft Edge decided some policies are not applicable if you are logged in to Edge using a personal account, so do not log in to Edge. Enable this and set it to disallow.
2. Disallow Microsoft account in Office: Administrative Templates (Users) > Microsoft Office 2016 > Miscellaneous > Block signing into Office
3. Do not add your personal PC to a domain. I also do not suggest logging in with your work or school MS account on your personal PC. Use the browser in incognito mode to access school or work resources. Your work or school MS account is not controlled by you. Your school can see everything in it. Often these kinds of accounts are not secure (lack of 2FA, security keys, etc.). Usually you also cannot delete your school account; you have to ask the school admin to delete it. Avoid using a school or work MS account unless it’s a must for you.

1 Like

Hmm, I need to log in to Excel, Word and PowerPoint to get licenses for them I think. May be wrong

Not sure which ones to disable, pretty sure connected experiences are essential for me as a uni student, but not 100% sure what they do. I did read their descriptions:
Allow the use of connected experiences in Office that analyze content
Allow the use of connected experiences in Office that download online content
Allow the use of additional optional connected experiences in Office
Allow the use of connected experiences in Office

Thanks so much though, all of this went pretty smoothly!

Final solution

Disclaimer: I have no knowledge in this field, therefore, I have certainly missed steps, or done steps incorrectly, so please feel free to correct me. Furthermore, make sure you understand the purposes of the recommended settings before applying them (you can always revert individual settings). Please feel free to suggest edits to this post so I can add more information on the purpose of each setting and the impacts of each settings on your system, as well as formatting advice.

Shout out to @fiwayan173 and @sha123.


1. Before applying the security baseline you need to do the following:

  • Navigate to the Microsoft Edge for Business download page.

  • Click on ‘Download Windows 64-bit Policy’. Please note that this is different from the main download button located above it.

  • After downloading, extract the ‘MicrosoftEdgePolicyTemplates.cab’ file. This will create a file named ‘MicrosoftEdgePolicyTemplates.zip’.

  • Open the ‘MicrosoftEdgePolicyTemplates.zip’ file.

  • Navigate to the following path within the zip file: MicrosoftEdgePolicyTemplates.zip > windows > admx > msedge.admx.

  • Move the ‘msedge.admx’ file to your C:\Windows\PolicyDefinitions folder.

  • Next, find the file at this path: MicrosoftEdgePolicyTemplates.zip > windows > admx > (your locale code) > msedge.adml.

  • Move the ‘msedge.adml’ file to your C:\Windows\PolicyDefinitions\(your locale code) folder.

  • Download the Administrative Template files (ADMX/ADML) and Office Customization Tool for Microsoft 365 Apps for enterprise, Office 2019, and Office 2016.

  • Click the big blue download button.

  • Find the ‘admintemplates_x64_5423.1000_en-us.exe’ file, open it, accept the conditions, then choose a folder for it to extract files there. For example, you can choose the ‘Downloads’ folder.

  • It will create two side-by-side folders named ‘admin’ and ‘admx’.

  • Open the ‘admx’ folder and copy all the files with the format ‘something16.admx’ over to the C:\Windows\PolicyDefinitions folder.

  • Similarly, for the language-specific files, navigate to the ‘admx > (your locale code)’ folder within the ‘admin’ folder.

  • Copy all the ‘something16.adml’ files to your C:\Windows\PolicyDefinitions\(your locale code) folder.

I am using Fluent Reader to subscribe to the Microsoft Security Baselines Blog articles (use the URL and click ‘add source’ in Fluent Reader), where updates to the security baselines are posted by Microsoft. However, I do not know whether I will have the time to update these baselines and apply them again.


2. Apply the Windows security baselines.

  • Warning: Baselines affect hundreds of settings, but you can create a recovery point before proceeding with the following steps!
  1. Download the ‘Windows 11 v23H2 Security Baseline.zip’, ‘Microsoft Edge v117 Security Baseline.zip’ and ‘Microsoft 365 Apps for Enterprise 2306.zip’ and ‘LGPO.zip’ files from here.
  • I will show you how to apply the ‘Windows 11 v23H2 Security Baseline’ below, the steps are the same for the ‘Microsoft Edge v117 Security Baseline.zip’ and ‘Microsoft 365 Apps for Enterprise 2306.zip’ files.

  • Begin by unzipping both the ‘LGPO.zip’ and ‘Windows 11 v23H2 Security Baseline.zip’ files.

  • In the unzipped LGPO file, navigate to LGPO_30 > LGPO.exe.

  • Copy the LGPO.exe file to Windows 11 v23H2 Security Baseline > Scripts > Tools.

  • Open Windows PowerShell as an administrator.

  • Change the directory to the Scripts folder in the Windows 11 v23H2 Security Baseline file by typing:

cd 'C:\Users\Redacted\Downloads\Windows 11 v23H2 Security Baseline\Windows 11 v23H2 Security Baseline\Scripts'
  • Set the execution policy to unrestricted for the current process by typing:
Set-ExecutionPolicy -Scope Process Unrestricted
  • You will be prompted with a message about the execution policy change. Respond with Y to confirm the change.

  • Run the Baseline-LocalInstall.ps1 script with the -Win11NonDomainJoined parameter (if your device is not connected to a domain [which I don’t know what this is to be honest]) by typing:

.\Baseline-LocalInstall.ps1 -Win11NonDomainJoined
  • You will receive a security warning. Respond with R to run the script once.

  • Leave PowerShell open and repeat the steps above for the other two baselines: ‘Microsoft Edge v117 Security Baseline.zip’ and ‘Microsoft 365 Apps for Enterprise 2306.zip’.

  • Once you have finished applying the three baselines, open PowerShell as an administrator and type in the following to set the execution policy for the LocalMachine scope to AllSigned:

Set-ExecutionPolicy -ExecutionPolicy AllSigned
  • Now, click enter. You will be prompted with a message about the execution policy change. Respond with Y to confirm the change.

3. The baseline configuration will disable Controlled Folder Access, setting it to Audit Mode. If you want to change this setting to Block, you can do so manually.

  • Open the Group Policy Management Editor.

  • Navigate to Computer Configuration and select Administrative Templates.

  • Expand the tree to the following path:

Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled folder access
  • Double-click on the Configure Controlled folder access setting.

  • In the options, set it to Enabled.

  • This will enable the Controlled Folder Access setting in Microsoft Defender. Please note that this might restrict access to protected folders by applications, which can affect their functionality.

  • After applying the baseline, there is an additional step you should take. There is a specific file for this in the baseline package.

  • Locate the file ep-reset.xml in the following path within the baseline package:

Windows 11 v23H2 Security Baseline.zip/scripts/configfiles/ep-reset.xml
  • You need to configure a policy to use this XML file. In the Group Policy Management Editor, navigate to the following path:
Windows components > Windows Defender Exploit Guard > Exploit Protection > Use a common set of exploit protection settings
  • Configure this policy to use the ep-reset.xml file.

  • This will apply a common set of exploit protection settings across your system, enhancing its security. Please note that changes to security settings can have significant impacts on your system. Always ensure you understand the changes you’re making, and consider backing up your system before making any modifications. If you’re unsure, seek assistance from a professional.


4. Important settings:

  • Before adjusting the Virtualization Based Security policy, there are several BIOS settings you should modify:

  • Secure Boot: Turn this on and (if applicable) disable the third-party Microsoft UEFI CA which is for Linux.

  • Virtualization Settings: Turn these on (this was @fiwayan173’s advice, I have no idea what these are specifically).

  • Thunderbolt Security Settings: Set these to the highest level (again, if applicable I couldn’t find these).

  • BIOS Password: Set a BIOS password.

  • Boot Sequence Settings: Only boot your hard drive and disable all other items (if applicable, I couldn’t find these).

  • TPM: Turn on TPM and set Pluton as default if you have it (if applicable, I couldn’t find these).

  • After adjusting the BIOS settings, navigate to the policy by clicking Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security. This policy contains several important settings that cannot be easily reverted to default status:

  • Secure Boot and DMA Protection: If your laptop was shipped after 2018, set it to Secure Boot and DMA Protection.

  • VBS (Code Integrity): Most hardware is compatible with this. Set it to on/on with UEFI lock. UEFI lock means this setting is written to your BIOS rather than only the system (Windows). Also, turn on Require UEFI Memory Attributes Table.

  • Credential Guard: Set it to on/on with UEFI lock.

  • Secure Launch (System Guard Secure Launch/Firmware Protection): SMM protection is included in secure launch. This requires an Intel vPro CPU. If your device is compatible, turn it on.

  • Hardware Enforced Stack Protection: If your device is compatible, turn it on.


5. Turning on Smart App Control without using Windows Defender settings:

  • First, install the WDAC Wizard on your system.

  • Open the WDAC Wizard and follow these steps:

    Select ‘Policy Creator’.
    Choose ‘Base Policy’.
    Select ‘Signed and Reputable Mode’.
    Under ‘Policy Rules’, disable ‘Audit Mode’.
    Under ‘File Rules’, check ‘Merge and the 2 rules’.

  • Once done, click ‘Finish’.

  • Find the .cip file you created (it should be in your Documents folder). Open an administrator command prompt and execute the following command:

$PolicyBinary = "C:\Users\YourUsername\Documents\{BF7C2699-87B0-4A61-B0D5-EED077419032}.cip"
CiTool --update-policy $PolicyBinary -json
  • Replace YourUsername with your actual username.

  • If you need to disable the WDAC policy, use the following command:

CiTool.exe -rp "{BF7C2699-87B0-4A61-B0D5-EED077419032}" -json
  • Note: WDAC might not be suitable for everyone due to its strict control over applications. Please consider your needs and system requirements before enabling it.

6. Apply additional measures as recommended by @fiwayan173:

  • Configuring Attack Surface Reduction Rules:

  • In the Group Policy Editor, navigate to the following path:

Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack surface reduction > Configure Attack Surface Reduction rules
  • This policy should already be enabled by the security baseline. Then, click the ‘Show’ option next to ‘See the state for each ASR rule’. You will see 13 lines there. Add these 3 lines:
56a863a9-875e-4185-98a7-b882c64b5ce5
d1e49aac-8f56-4280-b9ba-993a6d77406c
01443614-cd74-433a-b99e-2ecdc07bfc25
  • Then, change the value of all 16 lines from 1 to 6. These rules warn you when you are about to perform an action that may infect your PC. You can only continue to execute the potentially dangerous operation if you click ‘allow’.

  • Securing your Intel CPU:

  • If your CPU is Intel, execute the following commands in an administrator command prompt or PowerShell:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v RetsPredictedFromRsbOnly /t REG_DWORD /d 1 /f
  • These settings may slow down your PC a bit but will make your PC more secure against some CPU exploits.

  • Some more recommended settings:

  • Open the command prompt as an administrator.

  • Execute the following commands:

setx /M MP_FORCE_USE_SANDBOX 1
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config" /v EnableCertPaddingCheck /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config" /v EnableCertPaddingCheck /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\OLELinkConversionFromOLESTREAMToIStorage" /v Disabled /t REG_DWORD /d 1 /f

Below are what the commands do:

setx /M MP_FORCE_USE_SANDBOX 1
  • This command sets the environment variable MP_FORCE_USE_SANDBOX to 1.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 0 /f
  • This command disables the LocalAccountTokenFilterPolicy.
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
  • This command disables the DisableRestrictedAdmin policy.
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config" /v EnableCertPaddingCheck /t REG_DWORD /d 1 /f
  • This command enables the EnableCertPaddingCheck policy.
reg add "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config" /v EnableCertPaddingCheck /t REG_DWORD /d 1 /f
  • This command enables the EnableCertPaddingCheck policy for 32-bit applications on 64-bit platforms.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\OLELinkConversionFromOLESTREAMToIStorage" /v Disabled /t REG_DWORD /d 1 /f
  • This command disables the OLELinkConversionFromOLESTREAMToIStorage policy.

Windows privacy

  • Just like the Windows security baselines you can apply the Windows Restricted Traffic Limited Functionality Baseline, however, not all settings within this baseline are recommended. Which settings to apply and not to apply is a work in progress for me. We will need more discussion on this matter.

Well done! Congratulations :slight_smile:

3 Likes
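The registry commands in the “Securing your Intel CPU” and “Some more recommended settings” sections above (and the same commands in @fiwayan173’s earlier post) are write-only: nothing in the thread shows how to confirm they took effect or detect later drift. The following is an added example, not code from the thread or its authors, that reads each value back and compares it with the recommended setting; it changes nothing. The one-line explanations in the comments are mine, added where the post’s own “what the commands do” list only repeats the value name.

```powershell
# Added example (not code from the thread): read-only check that the registry
# hardening values from the posts above are present and unchanged.
# Run in an elevated PowerShell; it changes nothing.

$Expected = @(
    # Intel CPU speculative-execution mitigation settings
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'; Name = 'FeatureSettingsOverrideMask';        Value = 3 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'; Name = 'FeatureSettingsOverride';            Value = 72 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization';        Name = 'MinVmVersionForCpuBasedMitigations'; Value = '1.0' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization';        Name = 'RetsPredictedFromRsbOnly';           Value = 1 }
    # 0 keeps UAC remote restrictions: local admin accounts get a filtered token over the network
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';          Name = 'LocalAccountTokenFilterPolicy';      Value = 0 }
    # 0 leaves Restricted Admin mode for RDP available (credentials stay off the remote host)
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                               Name = 'DisableRestrictedAdmin';             Value = 0 }
    # Strict Authenticode signature padding verification, native and WOW64 views
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config';                    Name = 'EnableCertPaddingCheck';             Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config';        Name = 'EnableCertPaddingCheck';             Value = 1 }
    # Disable conversion of OLESTREAM links to IStorage
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat\OLELinkConversionFromOLESTREAMToIStorage'; Name = 'Disabled'; Value = 1 }
)

function Test-HardeningValue {
    param([hashtable]$Item)
    # A missing key or a missing value name both come back as $null
    $prop   = Get-ItemProperty -Path $Item.Path -Name $Item.Name -ErrorAction SilentlyContinue
    $actual = if ($prop) { $prop.($Item.Name) } else { $null }
    $status = if ($null -eq $actual) { 'MISSING' } elseif ("$actual" -eq "$($Item.Value)") { 'OK' } else { 'DRIFT' }
    [pscustomobject]@{ Status = $status; Name = $Item.Name; Expected = $Item.Value; Actual = $actual; Path = $Item.Path }
}

$results = @(foreach ($item in $Expected) { Test-HardeningValue -Item $item })

# setx /M writes a machine-wide environment variable, so check that store directly
$sandbox = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')
$sandboxStatus = if ($null -eq $sandbox) { 'MISSING' } elseif ($sandbox -eq '1') { 'OK' } else { 'DRIFT' }
$results += [pscustomobject]@{ Status = $sandboxStatus; Name = 'MP_FORCE_USE_SANDBOX'; Expected = '1'; Actual = $sandbox; Path = 'Machine environment' }

$results | Format-Table Status, Name, Expected, Actual, Path -AutoSize
$bad = @($results | Where-Object Status -ne 'OK')
"{0} of {1} settings match; {2} need attention." -f ($results.Count - $bad.Count), $results.Count, $bad.Count
```

Because the script only reads, it is safe to run again after Windows feature updates, which are the usual point at which values like these silently change or get removed.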
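The WDAC steps in both posts deploy the Wizard’s .cip with CiTool and give a removal command, but never verify that the policy is actually active before the machine is relied on. The following is an added example, not code from the thread, the WDAC Wizard or Microsoft, that wraps deploy/remove and then checks the result by parsing CiTool’s JSON policy list. Assumptions: the .cip is in the current user’s Documents folder and is named after its policy GUID (as the Wizard does), CiTool is present (Windows 11 22H2 and later), and the JSON from citool --list-policies --json has a Policies array whose entries carry PolicyID and IsEnforced fields (field names as observed; confirm them on your build before trusting the check).

```powershell
# Added example (not code from the thread): deploy or remove the WDAC Wizard's .cip
# with CiTool and confirm the outcome from CiTool's own policy list.
# Run from an elevated PowerShell. Field names in the JSON (Policies, PolicyID,
# IsEnforced) are an assumption based on observed CiTool output.

param(
    [string]$PolicyBinary,   # optional explicit path to the .cip
    [switch]$Remove          # remove the policy instead of deploying it
)

$ErrorActionPreference = 'Stop'

if (-not $PolicyBinary) {
    # Assumed location: newest .cip in the user's Documents folder
    $docs = Join-Path $env:USERPROFILE 'Documents'
    $PolicyBinary = Get-ChildItem -Path $docs -Filter '*.cip' |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1 -ExpandProperty FullName
}
if (-not $PolicyBinary) { throw 'No .cip file found; pass -PolicyBinary.' }

# The Wizard names the file after the policy GUID, e.g. {GUID}.cip
$policyId = [System.IO.Path]::GetFileNameWithoutExtension($PolicyBinary)

function Get-CiPolicies {
    $raw = & citool.exe --list-policies --json
    ($raw -join "`n" | ConvertFrom-Json).Policies
}

if ($Remove) {
    & citool.exe --remove-policy $policyId --json
} else {
    & citool.exe --update-policy $PolicyBinary --json
}

# Verify the outcome rather than trusting the command's exit status
$match = Get-CiPolicies | Where-Object { $_.PolicyID -ieq $policyId }
if ($Remove) {
    if ($match) { Write-Warning "Policy $policyId is still listed." }
    else        { "Policy $policyId removed." }
} else {
    if (-not $match)          { Write-Warning "Policy $policyId not found after deployment." }
    elseif ($match.IsEnforced) { "Policy $policyId deployed and enforced." }
    else                      { Write-Warning "Policy $policyId deployed but not enforced (audit mode?)." }
}
```

Keep the policy GUID somewhere you can reach without the applications the policy may block; running the script with -Remove (or the thread’s CiTool.exe -rp command) is the rollback path the posts mention.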

What are these specifically, I can’t find what you are referring to?

One of my last questions goes unaddressed: Regarding the Windows Restricted Traffic Limited Functionality Baseline, @fiwayan173 you recommend applying the 24. Microsoft Defender Antivirus, 29. Windows Update and 28. Delivery Optimization settings, whereas Microsoft states: “For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Microsoft Defender Antivirus. Accordingly, we do not recommend disabling any of these features.” Why is this?

Yay, you did it!

Nice write-up. Haven’t looked into it in detail, but looks good on first sight.

Two important points to edit into your comment:

  1. Some settings in the security baselines are privacy invasive, which is why you need to take care about privacy afterwards. Especially take a look at Smartscreen and MS Defender settings.

  2. A warning that RTLFB should never be applied blindly because it breaks Windows, Defender and certificate updates and a few other things.

2 Likes

'Hardening' Windows - #51 by Sprout3425. These are the most important, but not the only ones.

MS Office and Edge also need privacy settings, the former only a few, the latter quite many.

Haha bittersweet was a pain in the… Yay to you for helping. Also, couldn’t have done it without @fiwayan173.

1 Like

See my reply, I think we should also consider some of the feedback in Windows guide by IkelAtomig · Pull Request #1659 · privacyguides/privacyguides.org · GitHub

Ideally a PR which could perhaps include some of that/supersede it would be good; we can always give credit to all authors (as co-authors).

3 Likes

Some great information in this thread.

I haven’t seen many comparisons done of the security differences between Windows 10 and Windows 11.

I’ve learned the hard way that “newer doesn’t translate to better”.

Perhaps a thread dedicated to ‘Hardening Windows 11’ would be helpful as it seems like a big install compared to Windows 10.

Any guide should really mainly focus on Windows 11, as Windows 10 is quite similar and will be unsupported at the end of next year anyway.

2 Likes

Hey guys, I created a new Windows Guide PR. Everyone is welcome!

2 Likes

Legend

@fiwayan173 Are we still allowed to post Windows Hardening stuff here?

I just had a quick addition. I’ve been using these two tools to set up my Windows 11.

Both are open source and much easier than doing a bunch of settings manually. Maybe there should be a basic hardening and an expert hardening section?