Skip to content

Instantly share code, notes, and snippets.

@lukemurraynz

lukemurraynz/Windows10_Hardening.ps1

Created June 26, 2018 05:58
Show Gist options
  • Save lukemurraynz/70d465d069eccda9c2f6bbb25d7b9870 to your computer and use it in GitHub Desktop.
Save lukemurraynz/70d465d069eccda9c2f6bbb25d7b9870 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
Windows10_Hardening.ps1
#requires -Version 4.0
<#
Author: Luke Murray (Luke.Geek.NZ)
Version: 0.1
Purpose: Windows 10 Baseline Hardening using DSC per DoD DISA STIG recommendations 22/06/18.
#>
Configuration 'Win10'
{
Import-DscResource -ModuleName PSDesiredStateConfiguration
Node localhost
{
Registry 'EnhancedAntiSpoofing' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Biometrics\FacialFeatures'
ValueName = 'EnhancedAntiSpoofing'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'EccCurves' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
ValueName = 'EccCurves'
ValueType = 'MultiString'
ValueData = 'System.String[]'
}
Registry 'DisableEnclosureDownload' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds'
ValueName = 'DisableEnclosureDownload'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'FormSuggest Passwords' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Main'
ValueName = 'FormSuggest Passwords'
ValueType = 'String'
ValueData = 'no'
}
Registry 'AllowInPrivate' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Main'
ValueName = 'AllowInPrivate'
ValueType = 'DWord'
ValueData = '0'
}
Registry 'PreventOverride' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
ValueName = 'PreventOverride'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'PreventOverrideAppRepUnknown' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
ValueName = 'PreventOverrideAppRepUnknown'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'EnabledV9' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
ValueName = 'EnabledV9'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'ClearBrowsingHistoryOnExit' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Privacy'
ValueName = 'ClearBrowsingHistoryOnExit'
ValueType = 'DWord'
ValueData = '0'
}
Registry 'TPM12' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PassportForWork\ExcludeSecurityDevices'
ValueName = 'TPM12'
ValueType = 'DWord'
ValueData = '0'
}
Registry 'MinimumPINLength' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PassportForWork\PINComplexity'
ValueName = 'MinimumPINLength'
ValueType = 'DWord'
ValueData = '6'
}
Registry 'RequireSecurityDevice' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PassportForWork'
ValueName = 'RequireSecurityDevice'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'DCSettingIndex' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
ValueName = 'DCSettingIndex'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'ACSettingIndex' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
ValueName = 'ACSettingIndex'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'DisableInventory' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat'
ValueName = 'DisableInventory'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'DisableWindowsConsumerFeatures' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CloudContent'
ValueName = 'DisableWindowsConsumerFeatures'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'AllowProtectedCreds' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredentialsDelegation'
ValueName = 'AllowProtectedCreds'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'AllowTelemetry' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection'
ValueName = 'AllowTelemetry'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'DODownloadMode' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeliveryOptimization'
ValueName = 'DODownloadMode'
ValueType = 'DWord'
ValueData = '2'
}
Registry 'HypervisorEnforcedCodeIntegrity' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard'
ValueName = 'HypervisorEnforcedCodeIntegrity'
ValueType = 'DWord'
ValueData = '2'
}
Registry 'EnableVirtualizationBasedSecurity' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard'
ValueName = 'EnableVirtualizationBasedSecurity'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'HVCIMATRequired' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard'
ValueName = 'HVCIMATRequired'
ValueType = 'DWord'
ValueData = '0'
}
Registry 'LsaCfgFlags' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard'
ValueName = 'LsaCfgFlags'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'RequirePlatformSecurityFeatures' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard'
ValueName = 'RequirePlatformSecurityFeatures'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'MaxSize' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application'
ValueName = 'MaxSize'
ValueType = 'DWord'
ValueData = '32768'
}
Registry 'MaxSize1' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security'
ValueName = 'MaxSize'
ValueType = 'DWord'
ValueData = '1024000'
}
Registry 'MaxSize2' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System'
ValueName = 'MaxSize'
ValueType = 'DWord'
ValueData = '32768'
}
Registry 'NoAutoplayfornonVolume' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer'
ValueName = 'NoAutoplayfornonVolume'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'AllowGameDVR' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\GameDVR'
ValueName = 'AllowGameDVR'
ValueType = 'DWord'
ValueData = '0'
}
Registry 'NoBackgroundPolicy' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
ValueName = 'NoBackgroundPolicy'
ValueType = 'DWord'
ValueData = '0'
}
Registry 'NoGPOListChanges' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
ValueName = 'NoGPOListChanges'
ValueType = 'DWord'
ValueData = '0'
}
Registry 'EnableUserControl' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer'
ValueName = 'EnableUserControl'
ValueType = 'DWord'
ValueData = '0'
}
Registry 'AlwaysInstallElevated' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer'
ValueName = 'AlwaysInstallElevated'
ValueType = 'DWord'
ValueData = '0'
}
Registry 'AllowInsecureGuestAuth' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LanmanWorkstation'
ValueName = 'AllowInsecureGuestAuth'
ValueType = 'DWord'
ValueData = '0'
}
Registry 'NC_ShowSharedAccessUI' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections'
ValueName = 'NC_ShowSharedAccessUI'
ValueType = 'DWord'
ValueData = '0'
}
Registry '\\*\NETLOGON' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
ValueName = '\\*\NETLOGON'
ValueType = 'String'
ValueData = 'RequireMutualAuthentication=1,RequireIntegrity=1'
}
Registry '\\*\SYSVOL' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
ValueName = '\\*\SYSVOL'
ValueType = 'String'
ValueData = 'RequireMutualAuthentication=1,RequireIntegrity=1'
}
Registry 'DisableFileSyncNGSC' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\OneDrive'
ValueName = 'DisableFileSyncNGSC'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'NoLockScreenCamera' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization'
ValueName = 'NoLockScreenCamera'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'NoLockScreenSlideshow' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization'
ValueName = 'NoLockScreenSlideshow'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'EnableScriptBlockLogging' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
ValueName = 'EnableScriptBlockLogging'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'ShellSmartScreenLevel' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System'
ValueName = 'ShellSmartScreenLevel'
ValueType = 'String'
ValueData = 'Block'
}
Registry 'DontDisplayNetworkSelectionUI' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System'
ValueName = 'DontDisplayNetworkSelectionUI'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'EnumerateLocalUsers' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System'
ValueName = 'EnumerateLocalUsers'
ValueType = 'DWord'
ValueData = '0'
}
Registry 'EnableSmartScreen' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System'
ValueName = 'EnableSmartScreen'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'fBlockNonDomain' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
ValueName = 'fBlockNonDomain'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'AllowIndexingEncryptedStoresOrItems' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Search'
ValueName = 'AllowIndexingEncryptedStoresOrItems'
ValueType = 'DWord'
ValueData = '0'
}
Registry 'AllowBasic' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client'
ValueName = 'AllowBasic'
ValueType = 'DWord'
ValueData = '0'
}
Registry 'AllowDigest' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client'
ValueName = 'AllowDigest'
ValueType = 'DWord'
ValueData = '0'
}
Registry 'AllowUnencryptedTraffic' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client'
ValueName = 'AllowUnencryptedTraffic'
ValueType = 'DWord'
ValueData = '0'
}
Registry 'AllowBasic1' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service'
ValueName = 'AllowBasic'
ValueType = 'DWord'
ValueData = '0'
}
Registry 'DisableRunAs' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service'
ValueName = 'DisableRunAs'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'AllowUnencryptedTraffic1' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service'
ValueName = 'AllowUnencryptedTraffic'
ValueType = 'DWord'
ValueData = '0'
}
Registry 'DisableHTTPPrinting' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers'
ValueName = 'DisableHTTPPrinting'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'DisableWebPnPDownload' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers'
ValueName = 'DisableWebPnPDownload'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'RestrictRemoteClients' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc'
ValueName = 'RestrictRemoteClients'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'fAllowFullControl' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services'
ValueName = 'fAllowFullControl'
ValueType = 'String'
ValueData = ' '
}
Registry 'MaxTicketExpiryUnits' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services'
ValueName = 'MaxTicketExpiryUnits'
ValueType = 'String'
ValueData = ' '
}
Registry 'fAllowToGetHelp' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services'
ValueName = 'fAllowToGetHelp'
ValueType = 'DWord'
ValueData = '0'
}
Registry 'fUseMailto' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services'
ValueName = 'fUseMailto'
ValueType = 'String'
ValueData = ' '
}
Registry 'MaxTicketExpiry' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services'
ValueName = 'MaxTicketExpiry'
ValueType = 'String'
ValueData = ' '
}
Registry 'MinEncryptionLevel' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services'
ValueName = 'MinEncryptionLevel'
ValueType = 'DWord'
ValueData = '3'
}
Registry 'DisablePasswordSaving' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services'
ValueName = 'DisablePasswordSaving'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'fEncryptRPCTraffic' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services'
ValueName = 'fEncryptRPCTraffic'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'fDisableCdm' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services'
ValueName = 'fDisableCdm'
ValueType = 'DWord'
ValueData = '1'
}
Registry 'fPromptForPassword' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services'
ValueName = 'fPromptForPassword'
ValueType = 'DWord'
ValueData = '1'
}
}
}
Win10
#Start-DscConfiguration -Path ./Win10 -Wait -Verbose -Force
@frankiem-4
Copy link

frankiem-4 commented Jan 22, 2019
edited
Loading

Any reason for
Registry 'AllowTelemetry' { Ensure = 'Present' Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection' ValueName = 'AllowTelemetry' ValueType = 'DWord' ValueData = '1' }
You set ValueData to 1?
According to https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63683 setting the Value to 0 would allow for more secure config.

The "Security" option for Telemetry configures the lowest amount of data, effectively none outside of the Malicious Software Removal Tool (MSRT), Defender and telemetry client settings. "Basic" sends basic diagnostic and usage data and may be required to support some Microsoft services.

My guess is you don't want admins/users to inadvertently break some applications?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment