Introduction
Windows hardening is the process of strengthening the security of a Windows operating system to mitigate potential risks and vulnerabilities.
The Ultimate Windows Hardening Guide covers measures such as enforcing strong password policies, regularly updating software to patch known vulnerabilities, configuring firewalls to control network traffic, installing and updating antivirus software, encrypting sensitive data, and employing auditing and logging practices. Group Policy settings, application whitelisting, and secure remote access methods further contribute to a robust security posture.
At xIoTz, we take a comprehensive approach to minimize the potential for unauthorized access, malware, and other security threats, making the Windows system more resilient to attacks and ensuring the protection of sensitive information. Regular security audits and staying informed about evolving security practices are integral to maintaining a secure Windows environment.
What do we do at xIoTz to harden your Windows system?
Password Policy
Following the CIS (Center for Internet Security) guidelines on what makes a password secure, we have defined a policy that sets rules directing your employees to choose secure passwords for their workstations.
Features of Password policy:
- We first ensure that the password the user sets is complex, meaning it combines uppercase and lowercase letters, numbers and special characters.
- The minimum password length is set to 6 characters, as shorter passwords are easier to crack or guess.
- We also ensure that users change their password at least every 60 days, so that a password leaked to attackers cannot keep being used on these systems.
- A password that has already been used cannot be set again, so users cannot reuse old passwords.
- We have also implemented an account lockout rule: if a user or threat actor enters 5 incorrect passwords, the account is locked out for a total of 30 minutes before another sign-in attempt is allowed.
Pin policy
Protecting the password alone is not enough; the PIN used to sign in to the computer must be protected too. So we have set up a rule set to ensure users choose strong PINs for their workstations.
Features of Pin policy:
- We make sure that the PIN combines uppercase and lowercase letters, numbers and special characters, making it harder for threat actors to guess or crack.
- The PIN length is also set to 6 characters, as shorter PINs are easier to crack.
- A PIN that has already been used cannot be set again, so users cannot reuse old PINs.
- We also ensure that users change their PIN at least every 60 days.
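Here is how the password and PIN rules from the two sections above can be applied on a standalone (non-domain) Windows machine. This is an added example written for this page, not xIoTz's own tooling. It uses the numbers stated in the text (6-character minimum, 60-day expiry, 5 failed attempts, 30-minute lockout); the history depth of 24 is an assumption, since the text only says a previously used password or PIN cannot be set again.

```powershell
#Requires -RunAsAdministrator
# Added example, not xIoTz's script. Applies the local password policy via
# "net accounts" and secedit, and the Windows Hello PIN policy via the
# PINComplexity policy key. Run from an elevated PowerShell session.
$ErrorActionPreference = 'Stop'

function Set-LocalPasswordPolicy {
    # Length, age, history and lockout are all exposed by "net accounts".
    net accounts /minpwlen:6 /maxpwage:60 /minpwage:1 /uniquepw:24 | Out-Null
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

    # Complexity (upper, lower, digit, special) is a security-policy flag,
    # so export the policy, flip the flag and import it back.
    $cfg = Join-Path $env:TEMP 'secpol.cfg'
    $db  = Join-Path $env:TEMP 'secpol.sdb'
    secedit /export /cfg $cfg /quiet | Out-Null
    (Get-Content $cfg) -replace '^PasswordComplexity\s*=.*$', 'PasswordComplexity = 1' |
        Set-Content $cfg -Encoding Unicode
    secedit /configure /db $db /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    Remove-Item $cfg, $db -ErrorAction SilentlyContinue
}

function Set-WindowsHelloPinPolicy {
    # Windows Hello PIN complexity is driven by this policy key. For the four
    # character-class values, 1 means "required". Expiration is in days.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'
    New-Item -Path $key -Force | Out-Null
    $rules = @{
        Digits            = 1
        LowercaseLetters  = 1
        UppercaseLetters  = 1
        SpecialCharacters = 1
        MinimumPINLength  = 6
        Expiration        = 60
        History           = 24   # assumption, see lead-in
    }
    foreach ($name in $rules.Keys) {
        New-ItemProperty -Path $key -Name $name -Value $rules[$name] -PropertyType DWord -Force | Out-Null
    }
}

function Get-PolicyState {
    # Read back what was applied so drift can be spotted during later audits.
    $pin = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NetAccounts   = (net accounts) -join "`n"
        PinMinLength  = $pin.MinimumPINLength
        PinExpiryDays = $pin.Expiration
        PinHistory    = $pin.History
    }
}

Set-LocalPasswordPolicy
Set-WindowsHelloPinPolicy
Get-PolicyState
```

On a domain-joined machine the Default Domain Policy overrides these local values, so the same settings would be set in Group Policy instead; the PIN policy key is the one the "PIN Complexity" administrative template writes, so it works either way.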
Privacy Features
We remove features such as the news feed and web results in the search bar, and prevent Microsoft from using your personal data for advertising, among other changes. Overall this improves the user's working experience.
Windows security Features
- UI lockdown – We ensure that low-privilege users do not have access to sensitive features such as the Windows Defender UI, so that they cannot disable it and open the door to viruses and ransomware.
- Enabling Windows Defender sandboxing – Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are confined to the isolated environment, protecting the rest of the system from harm.
- Enable Defender signatures for Potentially Unwanted Applications – Potentially Unwanted Applications (PUAs) are unwanted software programs that come bundled with legitimate free software.
- Enable Defender periodic scanning – Periodically scanning for viruses and potentially malicious files keeps your system clean.
- Enable Windows Defender real-time monitoring – While real-time protection is off, files you open or download are not scanned for threats, so it should be kept on.
- Enable the early launch anti-malware driver to scan boot-start drivers – Early launch anti-malware (ELAM) protects the computers in your network when they start up, before third-party drivers initialize. Malicious software can load as a driver, or rootkits can attack before the operating system has fully loaded, and infect the system.
- Enable the cloud functionality of Windows Defender – Submits samples to Microsoft for analysis to check for and prevent malware.
- Enable SmartScreen for Edge – Microsoft Defender SmartScreen helps protect you against phishing and malware sites and software, and helps you make informed decisions about downloads.
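The following added example (not xIoTz's script) maps each bullet above to the Defender setting behind it, using the Defender PowerShell module where one exists and policy registry values otherwise. Reading "periodic scanning" as a daily scheduled quick scan is my interpretation; the sandbox environment variable takes effect after the Defender service restarts.

```powershell
#Requires -RunAsAdministrator
# Added example, not xIoTz's script. Requires Microsoft Defender Antivirus
# to be the active AV (Set-MpPreference is ignored in passive mode).
$ErrorActionPreference = 'Stop'

function Set-DefenderBaseline {
    # UI lockdown: hide the Defender UI from standard users
    Set-MpPreference -UILockdown $true

    # Sandboxing: read by the Defender service at start-up
    [Environment]::SetEnvironmentVariable('MP_FORCE_USE_SANDBOX', '1', 'Machine')

    # PUA detection (bundled unwanted apps)
    Set-MpPreference -PUAProtection Enabled

    # "Periodic scanning" interpreted as a daily scheduled quick scan
    Set-MpPreference -ScanParameters QuickScan -ScanScheduleDay Everyday

    # Real-time monitoring on (the parameter is a "disable" switch, so $false)
    Set-MpPreference -DisableRealtimeMonitoring $false

    # Cloud-delivered protection and sample submission
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples

    # ELAM boot-start driver policy: 0 = good only, 1 = good and unknown,
    # 3 = good, unknown and bad-but-boot-critical, 8 = all (no protection)
    $elam = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
    New-Item -Path $elam -Force | Out-Null
    New-ItemProperty -Path $elam -Name DriverLoadPolicy -Value 3 -PropertyType DWord -Force | Out-Null

    # SmartScreen in Edge, enforced by policy so users cannot switch it off
    $edge = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    New-Item -Path $edge -Force | Out-Null
    New-ItemProperty -Path $edge -Name SmartScreenEnabled -Value 1 -PropertyType DWord -Force | Out-Null
}

function Test-DefenderBaseline {
    # Returns the effective state so the baseline can be verified after a reboot.
    $p = Get-MpPreference
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection = $s.RealTimeProtectionEnabled
        PUAProtection      = $p.PUAProtection          # 1 = Enabled
        CloudReporting     = $p.MAPSReporting          # 2 = Advanced
        UILockdown         = $p.UILockdown
        SandboxVariable    = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')
        ElamPolicy         = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch' -ErrorAction SilentlyContinue).DriverLoadPolicy
        EdgeSmartScreen    = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' -ErrorAction SilentlyContinue).SmartScreenEnabled
    }
}

Set-DefenderBaseline
Test-DefenderBaseline
```

Settings applied through Set-MpPreference can still be changed back by a local administrator; where Group Policy or Intune manages the same setting, the managed value wins, which is the point of combining the two.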
Attack Surface Reductions
An attack surface is the set of all possible entry points for unauthorized access into a system. We have put together a set of rules to reduce this attack surface.
- In attacks that exploit vulnerabilities in Office processes or abuse the features and functionality of Office applications, a common subsequent stage is to drop and execute a malicious file on the affected device. This is the point where the attacker succeeds in intruding into the device and can perform any number of malicious activities from then on.
- This rule prevents the Office applications Word, Excel, PowerPoint and OneNote from writing executable content to disk. In doing so, the rule aims to block attacks at the crucial stage where attackers are looking to gain access and obtain a foothold on the machine.
- Block execution of obfuscated scripts, which attackers commonly use to confuse defenders and evade PowerShell policies.
- Block JavaScript and VBScript from launching downloaded executable content, one of the ways payloads are delivered to users.
- Block credential stealing from LSASS (Local Security Authority Subsystem Service), which certain tools attempt by reading or copying its memory. LSASS is the process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system: it verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.
- Block processes from being run from a USB drive.
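The five rules above correspond to published Microsoft Defender attack surface reduction (ASR) rules. The added example below (not xIoTz's rule set) enables them in audit mode first, reads back their state, and pulls the audit/block events so a false positive can be caught before switching to block. The rule GUIDs are Microsoft's documented identifiers; the function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not xIoTz's script. ASR rule GUIDs as published by Microsoft.
$ErrorActionPreference = 'Stop'

$AsrRules = [ordered]@{
    'Block Office apps from creating executable content'               = '3b576869-a4ec-4529-8536-b80a7769e899'
    'Block execution of potentially obfuscated scripts'                = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
    'Block JS/VBScript from launching downloaded executable content'   = 'd3e037e1-3eb8-44c8-a917-57927947596d'
    'Block credential stealing from LSASS'                             = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block untrusted and unsigned processes that run from USB'         = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
}
# Numeric action codes reported by Get-MpPreference
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }

function Set-AsrBaseline {
    # AuditMode only logs (event 1122) what Enabled would block (event 1121).
    param([ValidateSet('Enabled', 'AuditMode', 'Disabled')] [string]$Mode = 'AuditMode')
    foreach ($id in $AsrRules.Values) {
        # Add-MpPreference merges into the existing list; re-running updates the action
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrState {
    # One row per configured rule, with the friendly name where we know it.
    $p = Get-MpPreference
    for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $p.AttackSurfaceReductionRules_Ids[$i]
        $entry = $AsrRules.GetEnumerator() | Where-Object Value -eq $id
        [pscustomobject]@{
            Id     = $id
            Action = $ActionNames[[int]$p.AttackSurfaceReductionRules_Actions[$i]]
            Name   = if ($entry) { $entry.Key } else { '(not in baseline)' }
        }
    }
}

function Get-AsrEvents {
    # Audit (1122) and block (1121) events from the Defender operational log.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Set-AsrBaseline -Mode AuditMode
Get-AsrState
Get-AsrEvents -Hours 24
```

After a week of audit events with no legitimate business process showing up, rerun `Set-AsrBaseline -Mode Enabled` to switch the rules to block.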
Network Protection / Firewall Hardening
The Ultimate Windows Hardening Guide sets up network protection in audit mode. Network protection helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the internet.
Microsoft Office Hardening
Malspam, short for malicious spam or spam containing malware, is spam email that delivers malware as its payload. Malspam emails carry malicious content such as links or attachments containing viruses or malware. We ensure that your system is protected from these attacks, which are targeted at employees.
Disable storing password in memory in cleartext
We make sure that passwords are not stored in clear text in memory; this helps in mitigating insider threats where
Disable solicited remote assistance
On Windows, by default you can let someone you trust take over your PC to fix a problem. This can be a security risk, as someone can trick the user and take over their system. It is not a required feature and can easily be taken advantage of, so we disable it.
Require encrypted RPC connections to Remote Desktop
Another layer of security over RDP. If the setting is Enabled, Remote Desktop Services accepts requests only from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients. If it is Disabled, Remote Desktop Services still requests security for all RPC traffic, but unsecured communication is allowed for RPC clients that do not respond to the request.
Disable autorun/autoplay on all drives
Why disabling Autorun is important: with Autorun enabled, harmful software can execute automatically from USB sticks or other external drives. By disabling this feature, the script helps mitigate the risk of malware spreading across networked systems.
Harden LSASS (Local Security Authority Subsystem Service) to help protect against credential dumping
After gaining initial access, the first thing attackers do is check whether they can dump password hashes. The memory of the LSASS process can contain credentials such as hashes, PIN-type codes and even plain-text passwords, among others. To prevent this, we at xIoTz take measures to harden LSASS so that it becomes harder to exploit this service.
Disable the ClickOnce trust prompt
An application that uses ClickOnce runs under Full Trust by default. Under Full Trust, the application has unrestricted access to resources such as files, the registry and the network. This can be dangerous, as it opens the possibility of your code being exploited by malicious code.
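The six settings from "Disable storing password in memory in cleartext" through "Disable the ClickOnce trust prompt" are all backed by registry values that the matching Group Policy writes. The added example below (not xIoTz's script) applies them with one small helper and then reports any drift, so it can double as an audit check. RunAsPPL only takes effect after a reboot.

```powershell
#Requires -RunAsAdministrator
# Added example, not xIoTz's script. Each entry is the value the corresponding
# Group Policy setting writes; Test-Hardening reports expected vs actual.
$ErrorActionPreference = 'Stop'

$Settings = @(
    # Disable storing password in memory in cleartext (WDigest SSP)
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Name = 'UseLogonCredential'; Value = 0 }
    # Disable solicited Remote Assistance
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name = 'fAllowToGetHelp'; Value = 0 }
    # Require secure RPC communication for Remote Desktop Services
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name = 'fEncryptRPCTraffic'; Value = 1 }
    # Turn off AutoPlay on all drive types (0xFF) and stop AutoRun commands from running
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Value = 255 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoAutorun'; Value = 1 }
    # Run LSASS as a protected process so ordinary processes cannot open it (reboot needed)
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RunAsPPL'; Value = 1 }
)
# ClickOnce trust prompt: one string value per zone, all "Disabled"
$ClickOnceKey = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel'
$ClickOnceZones = 'Internet', 'LocalIntranet', 'MyComputer', 'TrustedSites', 'UntrustedSites'

function Set-PolicyValue {
    param($Path, $Name, $Value, $Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Invoke-Hardening {
    foreach ($s in $Settings) { Set-PolicyValue @s }
    foreach ($z in $ClickOnceZones) { Set-PolicyValue -Path $ClickOnceKey -Name $z -Value 'Disabled' -Type String }
}

function Test-Hardening {
    # Emits one row per setting; filter on Ok -eq $false to see drift.
    $expected = @($Settings) + ($ClickOnceZones | ForEach-Object { @{ Path = $ClickOnceKey; Name = $_; Value = 'Disabled' } })
    foreach ($s in $expected) {
        $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{ Name = $s.Name; Expected = $s.Value; Actual = $actual; Ok = ($actual -eq $s.Value) }
    }
}

Invoke-Hardening
Test-Hardening | Where-Object { -not $_.Ok }
```

Before enabling RunAsPPL fleet-wide, check that no legitimate agent (older backup or SSO software, for example) needs to open LSASS, since it will fail once LSASS is protected.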
Enable Firewall Logging
Enabling logging for the firewall so that all firewall events can be checked and tracked.
We also make sure that users or threat actors are not hiding anything on the system through the hidden-files feature or obscure file extensions.
We also make an effort to uninstall unwanted apps such as the Xbox app, Bing News and others.
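As an added example for the "Network Protection / Firewall Hardening" section and the firewall logging point above (not xIoTz's script), the block below turns network protection on in audit mode, enables logging of both dropped and allowed connections on every firewall profile, and includes a small parser that summarises the top dropped source/port pairs from the log. The log path and size are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not xIoTz's script.
$ErrorActionPreference = 'Stop'

# Network protection: AuditMode logs domain blocks (Defender event 1125)
# without enforcing; switch to Enabled once the log shows no false positives.
Set-MpPreference -EnableNetworkProtection AuditMode

# Firewall on for all profiles, inbound blocked by default, drops and allows logged.
$FirewallLog = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"   # assumed path
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogFileName $FirewallLog -LogMaxSizeKilobytes 16384 -LogBlocked True -LogAllowed True

function Get-FirewallDrops {
    # The log is W3C-style: a "#Fields:" header names the columns, one record per line.
    param([string]$Path = $FirewallLog, [int]$Top = 10)
    if (-not (Test-Path $Path)) { return }
    $header = Select-String -Path $Path -Pattern '^#Fields:' | Select-Object -First 1
    if (-not $header) { return }
    $fields = ($header.Line -replace '^#Fields:\s*') -split '\s+'
    Get-Content $Path |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $values = $_ -split '\s+'
            $row = @{}
            for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $row[$fields[$i]] = $values[$i] }
            [pscustomobject]$row
        } |
        Where-Object action -eq 'DROP' |
        Group-Object 'src-ip', 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name
}

Get-FirewallDrops -Top 10
```

A single source address repeatedly dropped on many destination ports is the classic scan signature; a single port dropped from many sources usually points at an exposed service that should not be reachable from that network.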
Enable PowerShell Logging
Log all PowerShell commands being run, to keep better logs and see whether any suspicious PowerShell commands are being executed.
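The added example below (not xIoTz's script) enables the three PowerShell logging features that exist for this purpose (script block logging, module logging and transcription) and then queries the script block events for patterns that commonly indicate obfuscated or download-and-run scripts. The transcript directory and the pattern list are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not xIoTz's script. Writes the same values the PowerShell
# administrative templates write, then reads the resulting events back.
$ErrorActionPreference = 'Stop'
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    # Script block logging: every compiled block is written to event 4104
    New-Item "$Base\ScriptBlockLogging" -Force | Out-Null
    New-ItemProperty "$Base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null

    # Module logging for all modules: pipeline execution details in event 4103
    New-Item "$Base\ModuleLogging\ModuleNames" -Force | Out-Null
    New-ItemProperty "$Base\ModuleLogging" -Name EnableModuleLogging -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty "$Base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

    # Transcription: full session text to a folder (path is an assumption)
    New-Item "$Base\Transcription" -Force | Out-Null
    New-ItemProperty "$Base\Transcription" -Name EnableTranscripting -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty "$Base\Transcription" -Name EnableInvocationHeader -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty "$Base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -PropertyType String -Force | Out-Null
}

function Get-SuspiciousScriptBlocks {
    # Scans 4104 events for strings typical of encoded or download-and-run scripts.
    param([int]$Hours = 24)
    $patterns = 'FromBase64String', '-EncodedCommand', 'DownloadString', 'Invoke-Expression', 'IEX'
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value   # ScriptBlockText is the third property of 4104
            $hits = $patterns | Where-Object { $text -match [regex]::Escape($_) }
            if ($hits) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Matches = ($hits -join ', ')
                    Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

Enable-PowerShellLogging
Get-SuspiciousScriptBlocks -Hours 24
```

Script block logging records the de-obfuscated code as PowerShell actually compiles it, which is why it catches obfuscated scripts that a command-line audit alone would miss; forward the 4104 events to your SIEM rather than relying on the local log, which attackers can clear.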
Edge Hardening
- Enhanced safe browsing (automatically warns you about potentially risky sites, downloads, and extensions)
- Automatically warns you about leaked passwords.
- AutoFill disabled
- Browser history deletion is not allowed
- Doesn’t allow outdated plugins to be installed
- Audio sandbox and video sandbox enabled
Chrome Hardening
- Enhanced safe browsing (Automatically warns you about potentially risky sites, downloads, and extensions. Automatically warns you about leaked passwords.)
- AutoFill disabled
- Browser history deletion is not allowed
- Doesn’t allow outdated plugins to be installed
- Audio sandbox and video sandbox enabled
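Both browsers read machine-wide policy keys, so the Edge and Chrome lists above can be enforced with the added example below (not xIoTz's script). Mapping Edge's "enhanced safe browsing" to its SmartScreen policies is my interpretation; the outdated-plugins and video-sandbox items have no policy I can confirm in either browser and are left out.

```powershell
#Requires -RunAsAdministrator
# Added example, not xIoTz's script. Policy names are the documented Edge and
# Chrome enterprise policies; browsers pick them up on next start.
$ErrorActionPreference = 'Stop'

$BrowserPolicies = @{
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge' = @{
        SmartScreenEnabled          = 1   # risky sites and downloads
        SmartScreenPuaEnabled       = 1   # potentially unwanted downloads
        PasswordMonitorAllowed      = 1   # leaked-password warnings
        AutofillAddressEnabled      = 0
        AutofillCreditCardEnabled   = 0
        AllowDeletingBrowserHistory = 0
        AudioSandboxEnabled         = 1
    }
    'HKLM:\SOFTWARE\Policies\Google\Chrome' = @{
        SafeBrowsingProtectionLevel  = 2   # 2 = Enhanced protection
        PasswordLeakDetectionEnabled = 1
        AutofillAddressEnabled       = 0
        AutofillCreditCardEnabled    = 0
        AllowDeletingBrowserHistory  = 0
        AudioSandboxEnabled          = 1
    }
}

function Set-BrowserPolicies {
    foreach ($path in $BrowserPolicies.Keys) {
        New-Item -Path $path -Force | Out-Null
        foreach ($name in $BrowserPolicies[$path].Keys) {
            New-ItemProperty -Path $path -Name $name -Value $BrowserPolicies[$path][$name] -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-BrowserPolicies {
    # One row per policy with expected vs actual; useful as a recurring audit.
    foreach ($path in $BrowserPolicies.Keys) {
        $actual = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        foreach ($name in $BrowserPolicies[$path].Keys) {
            $want = $BrowserPolicies[$path][$name]
            [pscustomobject]@{
                Browser  = Split-Path $path -Leaf
                Policy   = $name
                Expected = $want
                Actual   = $actual.$name
                Ok       = ($actual.$name -eq $want)
            }
        }
    }
}

Set-BrowserPolicies
Test-BrowserPolicies | Where-Object { -not $_.Ok }
```

Users can confirm the enforced values on `edge://policy` and `chrome://policy`, which also flag any policy name the installed browser version does not recognise.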
Conclusion
In an ever-evolving threat landscape, a thorough Windows hardening guide like this one is essential to safeguard your system and sensitive data.
By following the Ultimate Windows Hardening Guide in conjunction with the xIoTz Cyber Assurance Platform, you can fortify your Windows environment against potential security threats and ensure a resilient defense posture in 2024 and beyond.
“Regular updates, audits, and adherence to best practices are crucial for maintaining a secure and trustworthy computing environment.”