This is a hardening checklist that can be used in private and business environments for hardening Windows 10. The checklist can be used for all Windows versions, but in Windows 10 Home the Group Policy Editor is not integrated and the adjustment must be done directly in the registry.
The settings should be seen as security and privacy recommendation and should be carefully checked whether they will affect the operation of your infrastructure or impact the usability of key functions. It is important to weigh security against usability.
Policy Analzyer reads out and compares local registry and local policy values to a defined baseline. The PolicyRule file from aha-181 contains all rules which are needed to check Group Policy and Registry settings that are defined in the Windows 10 Hardening checklist.
Policy Analyzer supports the Hardening checklist up to version 0.2.0, additional entries are not yet supported.
HardeningKitty supports hardening of a Windows system. The configuration of the system is retrieved and assessed using a finding list. In addition, the system can be hardened according to predefined values. HardeningKitty reads settings from the registry and uses other modules to read configurations outside the registry.
Attention: HardeningKitty has a dependency for the tool AccessChk by Mark Russinovich. This must be present on the computer and defined in the script accordingly.
The script was developed for English systems. It is possible that in other languages the analysis is incorrect. Please create an issue if this occurs.
Run the script with administrative privileges to access machine settings. For the user settings it is better to execute them with a normal user account. Ideally, the user account is used for daily work.
Download HardeningKitty and copy it to the target system (script and lists). Additionally, AccessChk (tested with version 1.6.2) must be available on the target system. The path of the variable $BinaryAccesschk must be modified accordingly. After that HardeningKitty can be imported and executed:
PS C:\> Import-Module Invoke-HardeningKitty.ps1
PS C:\> Invoke-HardeningKitty -EmojiSupport
=^._.^=
_( )/ HardeningKitty
[*] 5/28/2020 4:39:16 PM - Starting HardeningKitty
[*] 5/28/2020 4:39:16 PM - Getting machine information
[*] Hostname: w10
[*] Domain: WORKGROUP
...
[*] 5/28/2020 4:39:21 PM - Starting Category Account Policies
[😺] ID 1100, Account lockout duration, Result=30, Severity=Passed
[😺] ID 1101, Account lockout threshold, Result=5, Severity=Passed
[😺] ID 1102, Reset account lockout counter, Result=30, Severity=Passed
...
[*] 5/28/2020 4:39:23 PM - Starting Category Advanced Audit Policy Configuration
[😼] ID 1513, Kernel Object, Result=, Recommended=Success and Failure, Severity=Low
...
[*] 5/28/2020 4:39:24 PM - Starting Category System
[😿] ID 1614, Device Guard: Virtualization Based Security Status, Result=Not available, Recommended=2, Severity=Medium
...
[*] 5/28/2020 4:39:25 PM - Starting Category Windows Components
[🙀] ID 1708, BitLocker Drive Encryption: Volume status, Result=FullyDecrypted, Recommended=FullyEncrypted, Severity=High
...
[*] 5/28/2020 4:39:34 PM - HardeningKitty is doneThe lists were last updated/checked against the following Microsoft Security Baseline or other frameworks:
- Hardening list Windows 10
- Security baseline for Windows 10 and Windows Server, version 2004 (DRAFT)
- Security baseline for Office 365 ProPlus, version 1908
- finding_list_0x6d69636b_machine and finding_list_0x6d69636b_user
- Security baseline for Windows 10 and Windows Server, version 2004 (DRAFT)
- Security baseline for Office 365 ProPlus, version 1908
- 0x6d69636b own knowledge
- finding_list_msft_security_baseline_edge_machine
- Security baseline for Microsoft Edge, version 84
- finding_list_msft_security_baseline_windows_10_machine
- Security baseline for Windows 10 and Windows Server, version 2004 (DRAFT)
- finding_list_msft_security_baseline_windows_server_dc_machine
- Security baseline for Windows 10 and Windows Server, version 2004 (DRAFT)
- finding_list_msft_security_baseline_windows_server_member_machine
- Security baseline for Windows 10 and Windows Server, version 2004 (DRAFT)
- CIS Benchmarks for Microsoft Windows 10 Enterprise Release 1909 v1.8.1
- Security baseline (FINAL) for Windows 10 v1909 and Windows Server v1909
- Security baseline (DRAFT): Windows 10 and Windows Server, version 2004
- Kernel DMA Protection for Thunderbolt 3
- BitLocker Countermeasures
- Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker
- Manage Windows Defender Credential Guard
- Reduce attack surfaces with attack surface reduction rules
- Configuring Additional LSA Protection
- Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields
- DDE registry settings
- Sysmon
- SwiftOnSecurity/sysmon-config
- Dane Stuckey - @cryps1s Endpoint Isolation with the Windows Firewall
- Microsoft Security Compliance Toolkit 1.0
- Policy Analyzer
- Security baseline for Office 365 ProPlus (v1908, Sept 2019) - FINAL
- mackwage/windows_hardening.cmd
- Security baseline for Microsoft Edge v84