hanfil · March 13, 2023 23:13
diff --git a/Harden.ps1 b/Harden.ps1
 # Enable Windows Firewall
 Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

 # SMB # require elevated privileges #
 ## Turn on SMB signing and encryption
 Set-SmbServerConfiguration -RequireSecuritySignature $True -EnableSecuritySignature $True -EncryptData $True -Confirm:$false -Verbose

 ## Turn off the default workstations shares
 Set-SmbServerConfiguration -AutoShareWorkstation $False -Confirm:$false -Verbose

 ## Turn off SMB1
 Set-SmbServerConfiguration -EnableSMB1Protocol $false -Confirm:$false -Verbose 

 # NTLM: Value 5 corresponds to the policy option 'Send NTLMv2 response only;'.
 Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 4 -Verbose
 # Enabling Windows Defender Remote Credential Guard
 Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value 0 -Verbose


 # Configuring 'Application Identity' (AppLocker)
 Set-Service -Name AppIDSvc -StartupType Automatic -Verbose # sc.exe config appidsvc start= auto
 Start-Service -Name AppIDSvc -Verbose # sc.exe start appidsvc

 # Scripting Hardening #
 # Disabling Windows Script Host - Responsible for executing '.vbs' and '.js' and '.hta'.
 Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings" -Name "Enabled" -Value 0 -Verbose

 # Disable Powershell V2
 Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -Verbose

 # Setting ConstrainedLanguageMode
 Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Session Manager\Environment" -Name "__PSLockDownPolicy" -Value 4 -Verbose


 # Activating Microsoft Protection - Defender
 Set-MpPreference -DisableRealtimeMonitoring $false -Verbose
 Set-MpPreference -DisableScriptScanning $false -Verbose
 Set-MpPreference -DisableIntrusionPreventionSystem $false -Verbose
 Set-MpPreference -DisableBehaviorMonitoring $false -Verbose

 # Disable LLMNR
 If (!(Test-Path "KLM:\Software\policies\Microsoft\Windows NT\DNSClient")) {
  New-ItemProperty -Path "HKLM:\Software\policies\Microsoft\Windows NT\" -Name "DNSClient" -ErrorAction SilentlyContinue -Verbose | Out-Null
 }
 Set-ItemProperty -Path "HKLM:\Software\policies\Microsoft\Windows NT\DNSClient" -Name "EnableMulticast" -Value 0 -Verbose

 # Disable NBT-NS
 $regkey = "HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces"
 Get-ChildItem $regkey |ForEach-Object -Process { Set-ItemProperty -Path "$regkey\$($_.pschildname)" -Name NetbiosOptions -Value 2 -Verbose}


 # Exploit guard configuration - https://github.com/palantir/exploitguard/blob/master/configureBaseMachine.ps1
 # Blocking DLL loading from remote paths(UNC), Blocking 3rd party fonts, 3rd party system dlls loading
 Write-Host "Setting Process mitigations protection in ExploitGuard..."
 Set-ProcessMitigation -System -Enable DEP,BottomUp,CFG,SEHOP, BlockRemoteImageLoads, DisableNonSystemFonts, DisableExtensionPoints
 # Basic processes with added security
 Set-ProcessMitigation -Name outlook.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
 Set-ProcessMitigation -Name winword.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
 Set-ProcessMitigation -Name excel.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
 Set-ProcessMitigation -Name powerpnt.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
 Set-ProcessMitigation -Name visio.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
 Set-ProcessMitigation -Name pptview.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
 Set-ProcessMitigation -Name groove.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,BlockRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,DisallowChildProcessCreation
 Set-ProcessMitigation -Name onedrive.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
 Set-ProcessMitigation -Name iexplore.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
 Set-ProcessMitigation -Name microsoftedge.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
 Set-ProcessMitigation -Name chrome.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,SEHOP,AuditChildProcess
 Set-ProcessMitigation -Name AcroRd32.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
 Set-ProcessMitigation -Name acrobat.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
 Set-ProcessMitigation -Name firefox.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
 Set-ProcessMitigation -Name slack.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,SEHOP,AuditChildProcess
 Set-ProcessMitigation -Name quip.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,SEHOP,AuditChildProcess
 Set-ProcessMitigation -Name zoom.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,SEHOP,AuditChildProcess
 Set-ProcessMitigation -Name mspub.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
 Set-ProcessMitigation -Name msaccess.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
 Set-ProcessMitigation -Name lync.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
 Set-ProcessMitigation -Name fltldr.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
 Set-ProcessMitigation -Name infopath.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
 Set-ProcessMitigation -Name wordpad.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
 Set-ProcessMitigation -Name plugin-container.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
 Set-ProcessMitigation -Name java.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
 Set-ProcessMitigation -Name javaw.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
 Set-ProcessMitigation -Name javaws.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
 Set-ProcessMitigation -Name wmplayer.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess

 
 # Restrict Windows Update P2P only to local network
 Write-Host "Restricting Windows Update P2P only to local network..."
 If (!(Test-Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization")) {
  New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization" -Verbose | Out-Null
 }
 If (!(Test-Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config")) {
  New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" -Verbose | Out-Null
 }
 Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" -Name "DODownloadMode" -Type DWord -Value 1 -Verbose
 If (!(Test-Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization")) {
  New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization" -Verbose | Out-Null
 }
 Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization" -Name "SystemSettingsDownloadMode" -Type DWord -Value 3 -Verbose


 # Stop and disable Diagnostics Tracking Service
 Write-Host "Stopping and disabling Diagnostics Tracking Service..."
 Stop-Service "DiagTrack"
 Set-Service "DiagTrack" -StartupType Disabled

 # Stop and disable WAP Push Service
 Write-Host "Stopping and disabling WAP Push Service..."
 Stop-Service "dmwappushservice"
 Set-Service "dmwappushservice" -StartupType Disabled


 # -------------------  #


 ##########
 # Service Tweaks
 ##########

 # Raise UAC level
 Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Type DWord -Value 1 -Verbose
 Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Type DWord -Value 1 -Verbose


 # Disable sharing mapped drives between users
 Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLinkedConnections" -Verbose -ErrorAction SilentlyContinue

 # Enable Firewall
 Set-NetFirewallProfile -Profile * -Enabled True

 # Enable Windows Defender
 Remove-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Verbose -ErrorAction SilentlyContinue
 Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Type DWord -Value 0 -Verbose

 # Disable Windows Update automatic restart
 Write-Host "Disabling Windows Update automatic restart..def."
 Set-ItemProperty -Path "HKLM:\Software\Microsoft\WindowsUpdate\UX\Settings" -Name "UxOption" -Type DWord -Value 1 -Verbose

 # Disable Remote Assistance
 Write-Host "Disabling Remote Assistance..."
 Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Remote Assistance" -Name "fAllowToGetHelp" -Type DWord -Value 0 -Verbose

 # Disable Remote Desktop
 #Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Type DWord -Value 1 -Verbose
 #Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Type DWord -Value 1 -Verbose

 # ------------- #

 ##########
 # Applications settings
 ##########

 # Force DEP to always on for every application (available options are: AlwaysOff, AlwaysOn, OptIn, OptOut)
 Write-Host "Turning on DEP for all applications."
 bcdedit /set nx AlwaysON
 Write-Host "Enable Exception Write-Protection SEHOP"
 Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" -Name "DisableExceptionChainValidation" -Value 0 -Verbose

 # Disable NetBios (Forces File Sharing over port 445 DirectSMB/stops various worms.)
 Write-Host "Disabling Outdated NetBIOS Protocol..."
 sc.exe config netbt start= disabled 
 sc.exe stop netbt

 # The Two Lines Below Enable Superfectch and Prefetch
 Write-Host "Enabling Superfetch and Prefetch..."
 Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" -Name "EnableSuperfetch" -Value 00000003 -Verbose
 Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" -Name "EnablePrefetcher" -Value 00000003 -Verbose

 Write-Host "Upgrading TCP Security..."
 If (!(Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter")) {
  New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter" -Verbose | Out-Null
 }
 Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter" -Name "IPEnableRouter" -Value 00000000 -Verbose
 Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter" -Name "EnableICMPRedirect" -Value 00000000 -Verbose
 Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter" -Name "SynAttackProtect" -Value 00000002 -Verbose
 Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter" -Name "TcpMaxHalfOpen" -Value 00000064 -Verbose
 Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter" -Name "TcpMaxHalfOpenRetried" -Value 00000050 -Verbose
 Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter" -Name "DisableIPSourceRouting" -Value 00000002 -Verbose
 Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter" -Name "NoNameReleaseOnDemand" -Value 00000001 -Verbose
 Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter" -Name "EnableDeadGWDetect" -Value 00000000 -Verbose
 Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter" -Name "KeepAliveTime" -Value 0x000493E0 -Verbose

 # Enable NTFS Last-Access Timestamp
 Write-Host "Enabling NTFS Last-Access Timestamps..."
 Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name "NtfsDisableLastAccessUpdate" -Value 00000000 -Verbose

 # Force High Level of Remote Desktop Encryption and TLS Authentication.
 Write-Host "Requiring Strong Remote Desktop Encryption if enabled... And forcing TLS Authentication"
 Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "MinEncryptionLevel" -Value 00000003 -Verbose
 Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "SecurityLayer" -Value 00000002 -Verbose

 # Enable safe DLL search order
 Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Session Manager" -Name "SafeDllSearchMode" -Value 1 -Verbose

 # If it's a workstation
 If ((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
  #Disable RDP
  Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1 -Verbose
 }

 # Enforce code integrity (restart required)
 Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\" -Name "HypervisorEnforcedCodeIntegrity" -Value 1 -Verbose
 Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Name "Enabled" -Value 1 -Verbose
 Write-Host "Restart reuired to enable code integrity - core isolation!" -ForegroundColor Yellow

 # List Active local users on computer
 (Get-WmiObject Win32_UserAccount -filter "LocalAccount=True AND Disabled=False")

 # Search for unqoated service paths and add quotes
 Get-CimInstance -ClassName Win32_Service | Where-Object {$_.PathName -notLike '*"*'} | Where-Object {$_.PathName -like '*Program *'} | 
 Select-Object name,pathname,displayname,startmode | ForEach-Object {
  $reg_root = "HKLM:\System\CurrentControlSet\Services"
  $scvBinaryPath = '"'+ $_.PathName + '"'
  Set-ItemProperty -Path $reg_root\$($_.Name) -Name ImagePath -Value $scvBinaryPath -Verbose
  sc.exe qc $_.Name
 }

 # search for user writable folders
 Get-ChildItem -Recurse  -ErrorAction SilentlyContinue -Path C:| Get-Acl | Out-String -Stream | Select-String -Pattern "everyone" | Select-String -Pattern "Write","FullControl"

 # Limiting Cached accounts on host
 Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "CachedLogonsCount" -Value 1 -Verbose

 # If it's a Domain Controller
 if ((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 2) { # Doesn't work
  # Not tested. Checking AES encryption - preventing kerberos attack
  #$Users = Get-ADUser -Filter * -Properties "msDS-SupportedEncryptionTypes"
  #foreach($User in $Users)
  #{
  #  # If none are currently supported, enable AES256
  #  $encTypes = $User."msDS-SupportedEncryptionType"
  #  if(($encTypes -band $AES128) -ne $AES128 -and ($encTypes -band $AES256) -ne $AES256)
  #  {
  #    Set-ADUser $User -Replace @{"msDS-SupportedEncryptionTypes"=($encTypes -bor $AES256)}
  #  }
  #}
 }
	# Enable Windows Firewall
	Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

	# SMB # require elevated privileges #
	## Turn on SMB signing and encryption
	Set-SmbServerConfiguration -RequireSecuritySignature $True -EnableSecuritySignature $True -EncryptData $True -Confirm:$false -Verbose

	## Turn off the default workstations shares
	Set-SmbServerConfiguration -AutoShareWorkstation $False -Confirm:$false -Verbose

	## Turn off SMB1
	Set-SmbServerConfiguration -EnableSMB1Protocol $false -Confirm:$false -Verbose

	# NTLM: Value 5 corresponds to the policy option 'Send NTLMv2 response only;'.
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 4 -Verbose
	# Enabling Windows Defender Remote Credential Guard
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value 0 -Verbose


	# Configuring 'Application Identity' (AppLocker)
	Set-Service -Name AppIDSvc -StartupType Automatic -Verbose # sc.exe config appidsvc start= auto
	Start-Service -Name AppIDSvc -Verbose # sc.exe start appidsvc

	# Scripting Hardening #
	# Disabling Windows Script Host - Responsible for executing '.vbs' and '.js' and '.hta'.
	Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings" -Name "Enabled" -Value 0 -Verbose

	# Disable Powershell V2
	Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -Verbose

	# Setting ConstrainedLanguageMode
	Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Session Manager\Environment" -Name "__PSLockDownPolicy" -Value 4 -Verbose


	# Activating Microsoft Protection - Defender
	Set-MpPreference -DisableRealtimeMonitoring $false -Verbose
	Set-MpPreference -DisableScriptScanning $false -Verbose
	Set-MpPreference -DisableIntrusionPreventionSystem $false -Verbose
	Set-MpPreference -DisableBehaviorMonitoring $false -Verbose

	# Disable LLMNR
	If (!(Test-Path "KLM:\Software\policies\Microsoft\Windows NT\DNSClient")) {
	New-ItemProperty -Path "HKLM:\Software\policies\Microsoft\Windows NT\" -Name "DNSClient" -ErrorAction SilentlyContinue -Verbose \| Out-Null
	}
	Set-ItemProperty -Path "HKLM:\Software\policies\Microsoft\Windows NT\DNSClient" -Name "EnableMulticast" -Value 0 -Verbose

	# Disable NBT-NS
	$regkey = "HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces"
	Get-ChildItem $regkey \|ForEach-Object -Process { Set-ItemProperty -Path "$regkey\$($_.pschildname)" -Name NetbiosOptions -Value 2 -Verbose}


	# Exploit guard configuration - https://github.com/palantir/exploitguard/blob/master/configureBaseMachine.ps1
	# Blocking DLL loading from remote paths(UNC), Blocking 3rd party fonts, 3rd party system dlls loading
	Write-Host "Setting Process mitigations protection in ExploitGuard..."
	Set-ProcessMitigation -System -Enable DEP,BottomUp,CFG,SEHOP, BlockRemoteImageLoads, DisableNonSystemFonts, DisableExtensionPoints
	# Basic processes with added security
	Set-ProcessMitigation -Name outlook.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
	Set-ProcessMitigation -Name winword.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
	Set-ProcessMitigation -Name excel.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
	Set-ProcessMitigation -Name powerpnt.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
	Set-ProcessMitigation -Name visio.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
	Set-ProcessMitigation -Name pptview.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
	Set-ProcessMitigation -Name groove.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,BlockRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,DisallowChildProcessCreation
	Set-ProcessMitigation -Name onedrive.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
	Set-ProcessMitigation -Name iexplore.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
	Set-ProcessMitigation -Name microsoftedge.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
	Set-ProcessMitigation -Name chrome.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,SEHOP,AuditChildProcess
	Set-ProcessMitigation -Name AcroRd32.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
	Set-ProcessMitigation -Name acrobat.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
	Set-ProcessMitigation -Name firefox.exe -Enable DEP,BottomUp,ForceRelocateImages,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
	Set-ProcessMitigation -Name slack.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,SEHOP,AuditChildProcess
	Set-ProcessMitigation -Name quip.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,SEHOP,AuditChildProcess
	Set-ProcessMitigation -Name zoom.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,SEHOP,AuditChildProcess
	Set-ProcessMitigation -Name mspub.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
	Set-ProcessMitigation -Name msaccess.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
	Set-ProcessMitigation -Name lync.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
	Set-ProcessMitigation -Name fltldr.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
	Set-ProcessMitigation -Name infopath.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
	Set-ProcessMitigation -Name wordpad.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
	Set-ProcessMitigation -Name plugin-container.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
	Set-ProcessMitigation -Name java.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
	Set-ProcessMitigation -Name javaw.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
	Set-ProcessMitigation -Name javaws.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess
	Set-ProcessMitigation -Name wmplayer.exe -Enable DEP,BottomUp,CFG,AuditRemoteImageLoads,AuditLowLabelImageLoads,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec,SEHOP,TerminateOnError,AuditChildProcess


	# Restrict Windows Update P2P only to local network
	Write-Host "Restricting Windows Update P2P only to local network..."
	If (!(Test-Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization")) {
	New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization" -Verbose \| Out-Null
	}
	If (!(Test-Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config")) {
	New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" -Verbose \| Out-Null
	}
	Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" -Name "DODownloadMode" -Type DWord -Value 1 -Verbose
	If (!(Test-Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization")) {
	New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization" -Verbose \| Out-Null
	}
	Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization" -Name "SystemSettingsDownloadMode" -Type DWord -Value 3 -Verbose


	# Stop and disable Diagnostics Tracking Service
	Write-Host "Stopping and disabling Diagnostics Tracking Service..."
	Stop-Service "DiagTrack"
	Set-Service "DiagTrack" -StartupType Disabled

	# Stop and disable WAP Push Service
	Write-Host "Stopping and disabling WAP Push Service..."
	Stop-Service "dmwappushservice"
	Set-Service "dmwappushservice" -StartupType Disabled


	# ------------------- #


	##########
	# Service Tweaks
	##########

	# Raise UAC level
	Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Type DWord -Value 1 -Verbose
	Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Type DWord -Value 1 -Verbose


	# Disable sharing mapped drives between users
	Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLinkedConnections" -Verbose -ErrorAction SilentlyContinue

	# Enable Firewall
	Set-NetFirewallProfile -Profile * -Enabled True

	# Enable Windows Defender
	Remove-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Verbose -ErrorAction SilentlyContinue
	Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Type DWord -Value 0 -Verbose

	# Disable Windows Update automatic restart
	Write-Host "Disabling Windows Update automatic restart..def."
	Set-ItemProperty -Path "HKLM:\Software\Microsoft\WindowsUpdate\UX\Settings" -Name "UxOption" -Type DWord -Value 1 -Verbose

	# Disable Remote Assistance
	Write-Host "Disabling Remote Assistance..."
	Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Remote Assistance" -Name "fAllowToGetHelp" -Type DWord -Value 0 -Verbose

	# Disable Remote Desktop
	#Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Type DWord -Value 1 -Verbose
	#Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Type DWord -Value 1 -Verbose

	# ------------- #

	##########
	# Applications settings
	##########

	# Force DEP to always on for every application (available options are: AlwaysOff, AlwaysOn, OptIn, OptOut)
	Write-Host "Turning on DEP for all applications."
	bcdedit /set nx AlwaysON
	Write-Host "Enable Exception Write-Protection SEHOP"
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" -Name "DisableExceptionChainValidation" -Value 0 -Verbose

	# Disable NetBios (Forces File Sharing over port 445 DirectSMB/stops various worms.)
	Write-Host "Disabling Outdated NetBIOS Protocol..."
	sc.exe config netbt start= disabled
	sc.exe stop netbt

	# The Two Lines Below Enable Superfectch and Prefetch
	Write-Host "Enabling Superfetch and Prefetch..."
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" -Name "EnableSuperfetch" -Value 00000003 -Verbose
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" -Name "EnablePrefetcher" -Value 00000003 -Verbose

	Write-Host "Upgrading TCP Security..."
	If (!(Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter")) {
	New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter" -Verbose \| Out-Null
	}
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter" -Name "IPEnableRouter" -Value 00000000 -Verbose
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter" -Name "EnableICMPRedirect" -Value 00000000 -Verbose
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter" -Name "SynAttackProtect" -Value 00000002 -Verbose
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter" -Name "TcpMaxHalfOpen" -Value 00000064 -Verbose
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter" -Name "TcpMaxHalfOpenRetried" -Value 00000050 -Verbose
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter" -Name "DisableIPSourceRouting" -Value 00000002 -Verbose
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter" -Name "NoNameReleaseOnDemand" -Value 00000001 -Verbose
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter" -Name "EnableDeadGWDetect" -Value 00000000 -Verbose
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter" -Name "KeepAliveTime" -Value 0x000493E0 -Verbose

	# Enable NTFS Last-Access Timestamp
	Write-Host "Enabling NTFS Last-Access Timestamps..."
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name "NtfsDisableLastAccessUpdate" -Value 00000000 -Verbose

	# Force High Level of Remote Desktop Encryption and TLS Authentication.
	Write-Host "Requiring Strong Remote Desktop Encryption if enabled... And forcing TLS Authentication"
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "MinEncryptionLevel" -Value 00000003 -Verbose
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "SecurityLayer" -Value 00000002 -Verbose

	# Enable safe DLL search order
	Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Session Manager" -Name "SafeDllSearchMode" -Value 1 -Verbose

	# If it's a workstation
	If ((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
	#Disable RDP
	Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1 -Verbose
	}

	# Enforce code integrity (restart required)
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\" -Name "HypervisorEnforcedCodeIntegrity" -Value 1 -Verbose
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Name "Enabled" -Value 1 -Verbose
	Write-Host "Restart reuired to enable code integrity - core isolation!" -ForegroundColor Yellow

	# List Active local users on computer
	(Get-WmiObject Win32_UserAccount -filter "LocalAccount=True AND Disabled=False")

	# Search for unqoated service paths and add quotes
	Get-CimInstance -ClassName Win32_Service \| Where-Object {$_.PathName -notLike '"'} \| Where-Object {$_.PathName -like 'Program '} \|
	Select-Object name,pathname,displayname,startmode \| ForEach-Object {
	$reg_root = "HKLM:\System\CurrentControlSet\Services"
	$scvBinaryPath = '"'+ $_.PathName + '"'
	Set-ItemProperty -Path $reg_root\$($_.Name) -Name ImagePath -Value $scvBinaryPath -Verbose
	sc.exe qc $_.Name
	}

	# search for user writable folders
	Get-ChildItem -Recurse -ErrorAction SilentlyContinue -Path C:\| Get-Acl \| Out-String -Stream \| Select-String -Pattern "everyone" \| Select-String -Pattern "Write","FullControl"

	# Limiting Cached accounts on host
	Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "CachedLogonsCount" -Value 1 -Verbose

	# If it's a Domain Controller
	if ((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 2) { # Doesn't work
	# Not tested. Checking AES encryption - preventing kerberos attack
	#$Users = Get-ADUser -Filter * -Properties "msDS-SupportedEncryptionTypes"
	#foreach($User in $Users)
	#{
	# # If none are currently supported, enable AES256
	# $encTypes = $User."msDS-SupportedEncryptionType"
	# if(($encTypes -band $AES128) -ne $AES128 -and ($encTypes -band $AES256) -ne $AES256)
	# {
	# Set-ADUser $User -Replace @{"msDS-SupportedEncryptionTypes"=($encTypes -bor $AES256)}
	# }
	#}
	}