This is a practical guide for hardening installations of Windows 10 for home use. This is derived from Hardening Windows 10 for Security which is an enterprise-style hardening guide.
During the installation and setup of Windows 10, the OS presents the user with a number of questions. Not all of them are beneficial, and some of them intentionally track the user. The steps are listed below:
- Choose your language
- Choose the keyboard
- Add a second keyboard layout SKIP
- Connect to a network SKIP
- Who's going to use this PC: enter username
- Enter password
- Enter password again
- Add a hint for your password
- Make Cortana your personal assistant NO
- Location OFF
- Diagnostics BASICS
- Relevant Ads OFF
- Speech Recognition OFF
- Tailored Experience with Diagnostic Data OFF
As this is a home-use computer, the home network is assumed to be safe enough to perform standard Internet-connected patching through Windows Update.
However, if the network is presumed to be unsafe, such as a school or enterprise network, the system must be kept disconnected from the Internet and patched manually with WSUSOffline, which lets a known-safe computer download the patches for the new computer so that it can be patched offline.
Install your antivirus of choice. The best antiviruses are the ones that are non-intrusive to daily work but warn you when necessary. A few choices are:
- Bitdefender Free: https://www.bitdefender.com/solutions/free.html
- Sophos Home: https://home.sophos.com/download-mac-anti-virus
Raise User Account Control (UAC) to its maximum level. This measure will increase the frequency of UAC prompts ("Do you want this program to change your system?"). These prompts will mainly occur during setup and will rarely occur in day-to-day usage.
Control Panel\All Control Panel Items\User Accounts\Change User Account Control Settings, drag slider to max
Set the network profile to "Public" for every connection, including a plugged-in Ethernet cable, so that the most restrictive firewall profile applies no matter which network you are connected to.
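The UAC and firewall-profile settings from the two sections above, applied and verified from an elevated PowerShell. This is an added example, not part of the original guide; the registry values it writes are the documented ones behind the "Always notify" slider position, and it assumes every current connection should become Public.

```powershell
# Added example (not from the original guide). Run from an elevated PowerShell.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Slider at the top ("Always notify") = ConsentPromptBehaviorAdmin 2,
# prompting on the secure desktop, with UAC itself (EnableLUA) switched on.
Set-ItemProperty -Path $uacKey -Name EnableLUA                  -Value 1 -Type DWord
Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord

# Every active connection, wired or wireless, gets the Public (most restrictive) profile.
Get-NetConnectionProfile | ForEach-Object {
    if ($_.NetworkCategory -ne 'Public') {
        Set-NetConnectionProfile -InterfaceIndex $_.InterfaceIndex -NetworkCategory Public
    }
}

# Keep the firewall enabled on all three profiles and block unsolicited inbound traffic.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# Report what is now in effect so the change can be checked before rebooting.
Get-ItemProperty -Path $uacKey |
    Select-Object EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
Get-NetFirewallProfile   | Select-Object Name, Enabled, DefaultInboundAction
```

The UAC values take effect at the next logon; the connection-profile change is immediate, and a network that later shows up as Private again (for example after a driver reinstall) will be flagged by the final `Get-NetConnectionProfile` line.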
For an attacker to compromise your PC remotely, they need to interact with a network-facing program running on it. Many networking components implement protocols: the grammar rules that bits and bytes follow to communicate with other PCs, and each protocol has its own weaknesses. So unless your environment requires a particular protocol, disable everything except the bare essentials: more protocols mean a larger attack surface.
Disabling Layer 3/4 protocols
Control Panel\Network and Sharing Center\Change Adapter Settings
Right click on Local Area Connection, choose Properties
Uncheck the following:
- Client for Microsoft Networks
- File and Printer Sharing for Microsoft Networks
- Microsoft Network Adapter Multiplexor Protocol
- Microsoft LLDP Protocol Driver
- Link-Layer Topology Discovery Mapper I/O Driver
- Link-Layer Topology Discovery Responder
Select Internet Protocol Version 4 (TCP/IPv4), click Properties, click Advanced,
- click the 'DNS' tab, uncheck 'Register this connection's addresses in DNS'
- click the 'WINS' tab, select 'Disable NetBIOS over TCP/IP'
Disabling SMBv1
Go to Control Panel > Programs and Features > Turn Windows Features on or off. Uncheck SMB 1.0/CIFS File Sharing Support
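The adapter-binding, DNS-registration, NetBIOS and SMBv1 steps from the "Disabling Layer 3/4 protocols" and "Disabling SMBv1" sections, done from an elevated PowerShell instead of the dialogs. This is an added example, not part of the original guide; the adapter name "Ethernet" is an assumption (list yours with `Get-NetAdapter`), and the component IDs are the ones Windows uses for the checkboxes named above.

```powershell
# Added example (not from the original guide). Run from an elevated PowerShell.
$adapter = 'Ethernet'   # assumption: replace with your adapter's Name from Get-NetAdapter

# Component IDs behind the checkboxes in the adapter's Properties dialog.
$bindings = @(
    'ms_msclient',  # Client for Microsoft Networks
    'ms_server',    # File and Printer Sharing for Microsoft Networks
    'ms_implat',    # Microsoft Network Adapter Multiplexor Protocol
    'ms_lldp',      # Microsoft LLDP Protocol Driver
    'ms_lltdio',    # Link-Layer Topology Discovery Mapper I/O Driver
    'ms_rspndr'     # Link-Layer Topology Discovery Responder
)
foreach ($id in $bindings) {
    # SilentlyContinue: the multiplexor protocol is normally already disabled.
    Disable-NetAdapterBinding -Name $adapter -ComponentID $id -ErrorAction SilentlyContinue
}

# DNS tab: "Register this connection's addresses in DNS" unchecked.
Set-DnsClient -InterfaceAlias $adapter -RegisterThisConnectionsAddress $false

# WINS tab: "Disable NetBIOS over TCP/IP" (NetbiosOptions = 2) on every interface,
# so a newly added adapter does not silently bring NetBIOS back.
$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem -Path $netbt | ForEach-Object {
    Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
}

# SMBv1: remove the optional feature and turn off the server-side protocol switch.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Verify: every listed binding should show Enabled = False, registration False,
# SMB1 disabled and the feature State reported as Disabled.
Get-NetAdapterBinding -Name $adapter |
    Where-Object { $bindings -contains $_.ComponentID } |
    Select-Object DisplayName, ComponentID, Enabled
Get-DnsClient -InterfaceAlias $adapter |
    Select-Object InterfaceAlias, RegisterThisConnectionsAddress
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol | Select-Object FeatureName, State
```

The NetBIOS registry change applies after the adapter is restarted (`Restart-NetAdapter -Name $adapter`) or the machine reboots; removing the SMB1 feature also asks for a reboot, which the `-NoRestart` switch only postpones.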
Disabling Distributed COM
Start button > All apps > Windows Administrative Tools > Component Services. Component Services > Computers > right click on My Computer; choose Properties. Go to the Default Protocols tab. Under DCOM Protocols, remove Connection-oriented TCP/IP.
Disable Live Tiles
Delete or disable Live Tiles on the Start Menu, as Live Tiles fetch their content from the Internet and so add network-facing attack surface.
Disable AutoPlay
Go to Settings > Devices > AutoPlay, set AutoPlay to off.
Turning off 16-bit apps
Why do they even exist?!
Run 'gpedit.msc'
Computer Configuration / Administrative Templates / Windows Components / Application Compatibility / Prevent access to 16-bit applications = Enabled
Feature only available in Windows 10 Pro.
Enabling auto-update for MS Office
Settings > Update & Security > Windows Update > Advanced Options > check Give me updates for additional Microsoft Products.
Disable Remote Assistance
Computer/Properties/Advanced System settings/Remote tab
Uncheck 'Allow Remote Assistance connections to this computer'
Increase file visibility
Malware may disguise itself with a misleading file extension or otherwise hide its files from you.
Windows Explorer/ View pull down menu / Options button / Change Folders and Search options / View tab
CHECKMARK items below
- Always show menus
- Display the full path in the title bar
- Show hidden files, folders and drives
UNCHECK items below
- Hide empty drives
- Hide folder merge conflicts
- Hide extensions for known file types
- Hide protected operating system files
Windows Explorer/ View pull down menu /
- checkmark File Name Extensions
- checkmark Hidden Items
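The "Disable AutoPlay", "Disable Remote Assistance" and "Increase file visibility" settings above, written to the registry values that back those dialogs and then read back for checking. This is an added example, not part of the original guide; the Remote Assistance value lives under HKLM and needs an elevated PowerShell, the other two are per-user. The "Display the full path in the title bar" and menu options are not covered here.

```powershell
# Added example (not from the original guide). Run elevated for the Remote Assistance value.

$autoplay = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
$remote   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Settings > Devices > AutoPlay: off for all media and devices.
New-Item -Path $autoplay -Force | Out-Null
Set-ItemProperty -Path $autoplay -Name DisableAutoplay -Value 1 -Type DWord

# System Properties > Remote: "Allow Remote Assistance connections" unchecked.
Set-ItemProperty -Path $remote -Name fAllowToGetHelp -Value 0 -Type DWord

# Explorer > View > Options > View tab. Note that two of the three are
# "hide" checkboxes, so unchecking them means writing the opposite value.
$visibility = @{
    Hidden          = 1   # "Show hidden files, folders and drives" selected
    HideFileExt     = 0   # "Hide extensions for known file types" unchecked
    ShowSuperHidden = 1   # "Hide protected operating system files" unchecked
}
foreach ($name in $visibility.Keys) {
    Set-ItemProperty -Path $explorer -Name $name -Value $visibility[$name] -Type DWord
}

# Explorer reads these values when it starts, so restart it for the current session.
Stop-Process -Name explorer -Force
Start-Process explorer.exe

# Report the effective values in one object; DisableAutoplay 1, fAllowToGetHelp 0,
# Hidden 1, HideFileExt 0 and ShowSuperHidden 1 match the guide's checklist.
[pscustomobject]@{
    DisableAutoplay = (Get-ItemProperty -Path $autoplay).DisableAutoplay
    fAllowToGetHelp = (Get-ItemProperty -Path $remote).fAllowToGetHelp
    Hidden          = (Get-ItemProperty -Path $explorer).Hidden
    HideFileExt     = (Get-ItemProperty -Path $explorer).HideFileExt
    ShowSuperHidden = (Get-ItemProperty -Path $explorer).ShowSuperHidden
}
```

Re-running the final block later is a quick way to notice if an installer or a Windows feature update has quietly put file extensions back to hidden, which is the exact condition the "Increase file visibility" section is guarding against.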