Skip to main content

Device Hardening

This document is designed specifcally for those who want to tighten up windows and add some preventative measures to lock down their machine, it should be made known that the more you lock down a machine the less functionality it will have.

You should find a balance for your own environment that works best for you by either disabling or enhancing the provided policies, this page breaks down the NCSC guidelines for systems hosting 'OFFICAL' data.

Windows Home

As home based editions of Windows cannot use Group Policy below are some things you should look into securing and enabling.

Permissions

When setting up a new environment it's easy to give anything and everything full admin credentials in order to get something up and running but STOP and take the time to do things right. You should consider implementing a principle of least privilege from the get-go as it:

  • Enables greater control over who can manage / change a system
  • Reduces the level of damage compromised accounts can cause
  • Reduces the attack surface (entry points)
  • Reduces risk through error / negligence / internal malicious attacks

While Home users can't use Group Policy for file permissions it can all be easily controlled via the Windows UI, as part of the least privilege principle this will assist in ensuring data access is only performed on a 'need to know' / 'required for function', you can find a good explanation for this here

Patching

Patch Tuesday, the second Tuesday of every month is the most important Tuesday in the calendar for your computer. It's the day that Microsoft delivers important updates that will address potentially dangerous exploits that can give an attacker full complete access to your machine, unless the machine will never be connected to the internet again after being deployed you should enable 'Automatically check for Windows Updates' (in Windows 10/11 you shouldn't be able to disable this via the settings UI).

Applications

Firstly, every application on your system is a potential entry point for an attacker, if you're never going to use it then uninstall it! This includes Windows features too, it's recommended that you atleast uninstall the following Windows features:

  • Internet Explorer
  • SMB 1.0

This can be done by going to 'Control Panel' > 'Uninstall a program' > 'Turn Windows features on or off' and removing the tickbox next to the above entries.

tip

A reboot will be required after completing this step

Windows (Defender) Security

The following settings are configured within 'Windows Security' application and should be enabled by default but regardless it's important to check.

  • Reputation based scanning is configured under the 'App and Browser control' setting
  • Core Isolation is configured under the 'Device security' setting
    • Memory Integrity is also a feature enabled within this section but you will need to 'View details' before you can toggle this on
  • Exploit protection is configured under the 'Device security' setting along side the below nested items for this category
    • Control Flow Guard
    • Data Execution Protection
    • Mandatory ASLR

Windows OS

There are a couple of things that are recommended if you're not actively using these features, firstly disable bluetooth if you're not using it and secondly turn off auto play as it has previously been used to exploit systems.

  • Autoplay settings can be found under 'Settings' > 'Devices' > 'Autoplay'

Windows Pro / Enterprise

You can download the Group Policy template files from here.

App Guard Policies

The Windows App Guard policy will make the following changes to your PC.

  • General hardening of Defender App Guard policies.

App Locker Policies

The Windows App Locker policy will make the following changes to your PC.

  • Allows only execution of Microsoft signed applications, dlls, installers, scripts and appx
tip

Development machines should be excluded from this policy otherwise they may end up not being able to run the required tools.

Bitlocker Policies

The Windows bitlocker policy will make the following changes to your PC.

  • Disables standby mode when sleeping
  • Encrypts the drive with XTS-AES 128
  • Disables devices such as thunderbolt that have direct memory access while a device is sleeping
  • TPM bitlocker settings are configured
  • Deny write access to removable media for devices configured to work with another organisation

Computer Policies

The Windows computer policy will make the following changes to your PC.

  • Prevents login with personal Microsoft accounts
  • Disables user trusted root CAs
  • Disables the ability for users to trust certificates
  • Defines trusted root CAs for the device to use
  • Prevents lock screen camera
  • Requires a domain admin to change network location
  • Defines proxy values
  • Prevents installation of devices that match X hardware IDs
  • Prevents installation of devices that use drivers matching X setup classes
  • Disables Windows 'PC-Phone' link
  • Disables sign-in with picture login
  • Disables clipboard history
  • Disables clipboard sync across devices
  • Disables upload and publishing of user activities
  • Disables activity feed
  • Blocks universal windows apps from launching with Windows runtime API
  • Removes the display password button on login forms
  • Disables telemetry gathering
  • Disables diagnostic data viewer
  • Disables windows-to-go
  • Disables cortana
  • Disables search the web in windows start menu
  • Disables all store applications within the MS Store
  • Disables the MS Store
  • Disables syncronisation of windows settings
  • Ensures defender is enabled
  • Disables windows error reporting
  • Ensures Windows Hello is enabled for TPM 2.0 and disables lower
  • Removes access to 'pause windows updates'
  • Disables preview builds of windows
  • Ensures a semi-annual release channel is configured using Windows update for business
  • Disables Edge data collection
  • Disables further telemetry
  • Removes local password reset questions
  • Edge pre-loading tabs disabled
  • Edge extension sideloading disabled
  • Blocks non-admins from enterting the device into safe-mode

Device Guard

The Windows device guard policy will make the following changes to your PC.

  • Enables virtualisation based securty
  • Ensures code integrity
  • Ensures credential guard is configured
  • Ensures secure boot and direct memory access protection is configured
tip

When enabling this policy you will need to ensure the VMs are created with Nested support otherwise Credential guard will fail to deploy. Option B would be to disable the 'Turn on Virtualisation Based Security' policy located in 'Computer Configuration' > 'Policies' > 'Administrative Templates' > 'System' > 'Device Guard'

Device Health

This policy can be considered optional unless the device is enrolled into SCCM or another MDM platform.

  • Enables Device Health monitoring and reporting services

Firewall Settings

You should add further rules here if additional services are required for the network otherwise additional device / group based policies should be created using the 'Duplicate' feature and adding additional policies.

  • Enables Windows firewall
  • Blocks inbound connections (unless explicitly stated)
  • Allows outbound connections
  • For both 'Private' and 'Personal' network settings outbound connections are blocked
  • Configures outbound rules for the following services
    • DHCP
    • DNS
    • Kerbose
    • LDAP
    • NCSI Probe

OneDrive Settings

This policy is entirely optional for home / lab environments where Office 365 business / dev subscriptions are not present.

  • Prevents personal OneDrive accounts syncing

User Settings

This policy is entirely optional but recommended for laptops / busy environments.

  • Ensures screen lockout time is set to 600 seconds

Windows Defender

The Windows defender policy will make the following changes to your PC.

  • Enables block on first sight
  • Enrolls device to Microsoft MAPs (requirement for 'block on first sight' to work)
  • Send sample file analysis
  • Ensures real-time protection is enabled
  • Prevents app installation from sources outside of the Microsoft Store
  • Ensures smart screen is configured for Windows
  • Ensures smart screen is configured for Edge
  • Prevents you from being able to bypass the smartscreen prompt

Installation Guide

For Active Directory deployments you should use Group Policy Management Editor to import the policies.

For single machine deployments you should consider Powershell to import the policies, the below command may help.


...

import-gpo -BackupId {folder-name} -TargetName {gpo} -path {c:\full\path\to\folder} -CreateIfNeeded

...

Closing Thoughts

From using these settings within our own environment you will want to make some changes, most specifically in the following areas.

  • Windows Firewall (opening RDP will prevent you needing to use proxmox viewer)
  • App Guard (you will want to add any core non-ms apps you use in this policy e.g. chrome, firefox, vscode... anything that isn't published by Microsoft Corporation)

Ubuntu Script

You can download the post-deployment bash script from here and manually run it on the server.

Ubuntu, unlike Microsoft, does not require a certain edition for the script to work, at the time of writing this script worked on the latest LTS build of Ubuntu.

Script break down

  • Firstly the script must be run as 'sudo'
  • Secondly it will fetch the admin user
  • You will then need to select the administrator account that you created during installation
  • You will confirm the app repositories
  • The system will complete an update, upgrade and install app armour
  • Grub password is configured
  • Automatic updates are configured
  • Prevents standard users executing as super user
  • Protects home directories
  • Modified shell access for other users on the machine except admin account specified
  • Configures pw complexity
  • Enables app armour
  • Enables system audting
  • Disables error reporting service
  • Option to disable Bluetooth
  • Configures 600s lock screen timer
  • Modifies lockscreen behaviour
  • Optional settings for location services, privacy and usb restrictions
  • Fixes folder permissions
  • Sets up UFW without any rules