Hardening Win10
Hardening Win10
Hardening Win10
May 2018
CONTENTS
Introduction 5
High priorities 6
Application hardening 6
Application versions and patches 6
Application whitelisting 7
Attack Surface Reduction 9
Credential caching 10
Controlled Folder Access 11
Credential entry 12
Early Launch Antimalware 12
Elevating privileges 13
Exploit Protection 13
Local administrator accounts 14
Measured Boot 15
Microsoft Edge 15
Multi-factor authentication 16
Operating system architecture 16
Operating system patching 16
Password policy 18
Restricting privileged accounts 18
Secure Boot 18
Medium priorities 20
Page 2 of 54
Command Prompt 27
Direct Memory Access 27
Endpoint device control 28
File and print sharing 29
Group Policy processing 29
Hard drive encryption 30
Installing applications 34
Internet printing 35
Legacy and run once lists 35
Microsoft accounts 35
MSS settings 36
NetBIOS over TCP/IP 37
Network authentication 37
NoLMHash policy 37
Operating system functionality 38
Power management 38
PowerShell 39
Registry editing tools 39
Remote Assistance 40
Remote Desktop Services 40
Remote Procedure Call 42
Reporting system information 42
Safe Mode 43
Secure channel communications 43
Security policies 43
Server Message Block sessions 44
Session locking 45
Software-based firewalls 46
Sound Recorder 46
Standard Operating Environment 46
System backup and restore 46
System cryptography 47
User rights policies 47
Virtualised web and email access 48
Web Proxy Auto Discovery protocol 48
Windows Remote Management 48
Windows Remote Shell access 49
Windows Search and Cortana 49
Windows To Go 50
Page 3 of 54
Low priorities 51
Contact details 53
Page 4 of 54
Introduction
1. Workstations are often targeted by an adversary using malicious webpages, emails with
malicious attachments and removable media with malicious content in an attempt to extract
sensitive information. Hardening workstations is an important part of reducing this risk.
2. This document provides guidance on hardening workstations using Enterprise and Education
editions of Microsoft Windows 10 version 1709. Some Group Policy settings used in this
document may not be available or compatible with Professional, Home or S editions of Microsoft
Windows 10 version 1709.
3. While this document refers to workstations, most Group Policy settings are equally applicable to
servers (with the exception of Domain Controllers) using Microsoft Windows Server, version
1709 or Microsoft Windows Server 2016. The names and locations of Group Policy settings
used in this document are taken from Microsoft Windows 10 version 1709; some differences
exist for earlier versions of Microsoft Windows.
4. Before implementing recommendations in this document, thorough testing should be undertaken
to ensure the potential for unintended negative impacts on business processes is reduced as
much as possible.
5. This document is intended for information technology and information security professionals
within organisations looking to undertake risk assessments or vulnerability assessments as well
as those wishing to develop a hardened Standard Operating Environment for workstations.
Page 5 of 54
High priorities
6. The following security controls, listed in alphabetical order, are considered to have an excellent
effectiveness and should be treated as high priorities when hardening Microsoft Windows 10
version 1709 workstations.
Application hardening
7. When applications are installed they are often not pre-configured in a secure state. By default,
many applications enable functionality that isn’t required by any users while in-built security
functionality may be disabled or set at a lower security level. For example, Microsoft Office by
default allows untrusted macros in Office documents to automatically execute without user
interaction. To reduce this risk, applications should have any in-built security functionality
enabled and appropriately configured along with unrequired functionality disabled. This is
especially important for key applications such as office productivity suites (e.g. Microsoft Office),
PDF readers (e.g. Adobe Reader), web browsers (e.g. Microsoft Internet Explorer, Mozilla
Firefox or Google Chrome), common web browser plugins (e.g. Adobe Flash), email clients
(Microsoft Outlook) and software platforms (e.g. Oracle Java Platform and Microsoft .NET
Framework). In addition, vendors may provide guidance on configuring their products securely.
For example, Microsoft provides the Microsoft Office 2013 Security Guide as part of the
Microsoft Security Compliance Manager tool1. In such cases, vendor guidance should be
followed to assist in securely configuring their products.
8. The Australian Cyber Security Centre (ACSC) also provides guidance for hardening Microsoft
Office. For more information see Hardening Microsoft Office 20132 and Hardening Microsoft
Office 20163.
Application versions and patches
9. While some vendors may release new application versions to address security vulnerabilities,
others may release patches. If new application versions and patches for applications are not
installed it can allow an adversary to easily compromise workstations. This is especially
important for key applications that interact with content from untrusted sources such as office
productivity suites (e.g. Microsoft Office), PDF readers (e.g. Adobe Reader), web browsers (e.g.
Microsoft Internet Explorer, Mozilla Firefox or Google Chrome), common web browser plugins
(e.g. Adobe Flash), email clients (Microsoft Outlook) and software platforms (e.g. Oracle Java
Platform and Microsoft .NET Framework). To reduce this risk, new application versions and
patches for applications should be applied in an appropriate timeframe as determined by the
severity of security vulnerabilities they address and any mitigating measures already in place. In
cases where a previous version of an application continues to receive support in the form of
patches it still should be upgraded to the latest version to receive the benefit of any new security
functionality; however, this may be done as soon as practical rather than within two days of
release.
10. For more information on determining the severity of security vulnerabilities and timeframes for
applying new application versions and patches for applications see Assessing Security
Vulnerabilities and Applying Patches4.
1
https://technet.microsoft.com/en-au/solutionaccelerators/cc835245.aspx
2
https://www.asd.gov.au/publications/protect/Hardening_MS_Office_2013.pdf
3
https://www.asd.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
4
https://www.asd.gov.au/publications/protect/Assessing_Security_Vulnerabilities_and_Applying_Patches.pdf
Page 6 of 54
Application whitelisting
11. An adversary can email malicious code, or host malicious code on a compromised website, and
use social engineering techniques to convince users into executing it on their workstation. Such
malicious code often aims to exploit security vulnerabilities in existing applications and doesn’t
need to be installed on the workstation to be successful. To reduce this risk, an application
whitelisting solution should be appropriately implemented. Application whitelisting when
implemented in its most effective form (e.g. using hashes for executables, dynamic link libraries,
scripts, installers and packaged apps) can be an extremely effective mechanism in not only
preventing malicious code from executing but also ensuring only authorised applications can be
installed on workstations. Less effective implementations of application whitelisting (e.g. using
approved paths for installed applications in combination with access controls requiring privileged
access to write to these locations) can be used as a first step towards implementing a more
comprehensive application whitelisting solution.
12. For more information on application whitelisting and how it can be appropriately implemented
see Implementing Application Whitelisting5.
13. If Microsoft AppLocker6 is used for application whitelisting, the following rules can be used as a
sample path-based implementation. In support of this, the rules, enforcement of rules and the
automatic starting of the Application Identity service should be set via Group Policy at a domain
level7.
Whitelisting Rule Recommended Value
Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\
AppLocker\DLL Rules
[Path] %ProgramFiles%\* Allow Everyone
[Path] %WinDir%\* Allow Everyone
Exceptions:
%System32%\spool\
drivers\color\*
%System32%\Tasks\*
%WinDir%\Tasks\*
%WinDir%\Temp\*
Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\
AppLocker\Executable Rules
[Path] %ProgramFiles%\* Allow Everyone
[Path] %WinDir%\* Allow Everyone
Exceptions:
%System32%\spool\
drivers\color\*
%System32%\Tasks\*
5
https://www.asd.gov.au/publications/protect/Application_Whitelisting.pdf
6
https://technet.microsoft.com/en-us/library/hh831409(v=ws.11).aspx
7
https://technet.microsoft.com/en-au/library/ee844118.aspx
Page 7 of 54
[Path] %WinDir%\* (continued) %WinDir%\Tasks\*
%WinDir%\Temp\*
Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\
AppLocker\Packaged app Rules
[Publisher] CN=Microsoft Corporation, O=Microsoft Corporation, L-Redmond, Allow Everyone
S=Washington, C=US
Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\
AppLocker\Script Rules
[Path] %ProgramFiles%\* Allow Everyone
[Path] %WinDir%\* Allow Everyone
Exceptions:
%System32%\Com\dmp\*
%System32%\FxsTmp\*
%System32%\spool\
drivers\color\*
%System32%\spool\PRINTER
S\*
%System32%\spool\SERVER
S\*
%System32%\Tasks\*
%WinDir%\Registration\CRML
og\*
%WinDir%\Tasks\*
%WinDir%\Temp\*
%WinDir%\tracing\*
Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\
AppLocker\Windows Installer Rules
[Publisher] CN=Microsoft Corporation, O=Microsoft Corporation, L-Redmond, Allow Everyone
S=Washington, C=US
14. Note, for those organisations using the latest version of Microsoft Windows 10 (i.e. version
1709), the following paths no longer need to be included as exceptions:
a. %WinDir%\servicing\Packages\*
b. %WinDir%\servicing\Sessions\*.
15. A new security feature introduced in Microsoft Windows 10 is Device Guard8. Device Guard uses
a Code Integrity Policy to restrict what can run in both kernel mode and on the desktop based on
its policy. Device Guard also uses virtualisation to protect itself from being disabled by an
adversary that has obtained administrative privileges. However, while Device Guard can
implement application whitelisting, organisations are likely to require an additional application
whitelisting solution to supplement Device Guard, especially if choosing to use a path-based
approach for application whitelisting.
16. If Device Guard is used for application whitelisting, the following Group Policy settings can be
implemented, assuming all software, firmware and hardware pre-requests are met.
8
https://docs.microsoft.com/en-au/windows/device-security/device-guard/device-guard-deployment-guide
Page 8 of 54
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\System\Device Guard
Deploy Windows Defender Application Control Enabled
9
https://docs.microsoft.com/en-au/windows/threat-protection/windows-defender-exploit-guard/attack-surface-
reduction-exploit-guard
Page 9 of 54
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender
Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction
Configure Attack Surface Reduction rules Enabled
3b576869-a4ec-4529- 1
8536-b80a7769e899
d4f940ab-401b-4efc- 1
aadc-ad5f3c50688a
92E97FA1-2EDF-4476- 1
BDD6-9DD0B4DDDC7B
5beb7efe-fd9a-4556- 1
801d-275e5ffc04cc
d3e037e1-3eb8-44c8- 1
a917-57927947596d
be9ba2d9-53ea-4cdc- 1
84e5-9b1eeee46550
Credential caching
21. Cached credentials are stored in the Security Accounts Manager (SAM) database and can allow
a user to log onto a workstation they have previously logged onto even if the domain is not
available. Whilst this functionality may be desirable from an availability of services perspective,
this functionality can be abused by an adversary who can retrieve these cached credentials
(potentially Domain Administrator credentials in a worst-case scenario). To reduce this risk,
cached credentials should be limited to only one previous logon.
22. The following Group Policy settings can be implemented to disable credential caching.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
Interactive logon: Number of previous logons to cache (in case domain 1 logons
controller is not available)
Network access: Do not allow storage of passwords and credentials for Enabled
network authentication
23. Within an active user session, credentials are cached within the Local Security Authority
Subsystem Service (LSASS) process (including the user’s passphrase in plaintext if WDigest
authentication is enabled) to allow for access to network resources without users having to
continually enter their credentials. Unfortunately, these credentials are at risk of theft by an
adversary. To reduce this risk, WDigest authentication should be disabled.
Page 10 of 54
24. Credential Guard10, a new security feature of Microsoft Windows 10, is also designed to assist in
protecting the LSASS process.
25. The following Group Policy settings can be implemented to disable WDigest authentication and
enable Credential Guard functionality, assuming all software, firmware and hardware pre-
requests are met.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\MS Security Guide
WDigest Authentication Disabled
Computer Configuration\Policies\Administrative Templates\System\Device Guard
Turn On Virtualization Based Security Enabled
Credential Guard
Configuration: Enabled with
UEFI lock
10
https://docs.microsoft.com/en-au/windows/access-protection/credential-guard/credential-guard
11
https://docs.microsoft.com/en-au/windows/threat-protection/windows-defender-exploit-guard/controlled-
folders-exploit-guard
Page 11 of 54
Configure protected folders Enabled
Credential entry
29. When users enter their credentials on a workstation it provides an opportunity for malicious
code, such as a key logging application, to capture the credentials. To reduce this risk, users
should be authenticated by using a trusted path to enter their credentials on the Secure Desktop.
30. The following Group Policy settings can be implemented to ensure credentials are entered in a
secure manner as well as prevent the disclosure of usernames of previous users.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\System\Logon
Do not display network selection UI Enabled
Enumerate local users on domain-joined computers Disabled
Computer Configuration\Policies\Administrative Templates\Windows Components\Credential User
Interface
Do not display the password reveal button Enabled
Enumerate administrator accounts on elevation Disabled
Require trusted path for credential entry Enabled
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Logon
Options
Disable or enable software Secure Attention Sequence Disabled
Sign-in last interactive user automatically after a system-initiated restart Disabled
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
Interactive logon: Do not require CTRL+ALT+DEL Disabled
Interactive logon: Don’t display username at sign-in Enabled
Page 12 of 54
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\System\Early Launch Antimalware
Boot-Start Driver Initialization Policy Enabled
Elevating privileges
33. Microsoft Windows provides the ability to require confirmation from users, via the User Access
Control (UAC) functionality, before any sensitive actions are performed. The default settings
allow privileged users to perform sensitive actions without first providing credentials and while
standard users must provide privileged credentials they are not required to do so via a trusted
path on the Secure Desktop. This provides an opportunity for an adversary that gains access to
an open session of a privileged user to perform sensitive actions at will or for malicious code to
capture any credentials entered via a standard user when attempting to elevate their privileges.
To reduce this risk, UAC functionality should be implemented to ensure all sensitive actions are
authorised by providing credentials on the Secure Desktop.
34. The following Group Policy settings can be implemented to configure UAC functionality
effectively.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
User Account Control: Admin Approval Mode for the Built-in Administrator Enabled
account
User Account Control: Allow UIAccess applications to prompt for elevation Disabled
without using the secure desktop
User Account Control: Behavior of the elevation prompt for administrators in Prompt for credentials on the
Admin Approval Mode secure desktop
User Account Control: Behavior of the elevation prompt for standard users Prompt for credentials on the
secure desktop
User Account Control: Detect application installations and prompt for elevation Enabled
User Account Control: Only elevate UIAccess applications that are installed in Enabled
secure locations
User Account Control: Run all administrators in Admin Approval Mode Enabled
User Account Control: Switch to the secure desktop when prompting for Enabled
elevation
User Account Control: Virtualize file and registry write failures to per-user Enabled
locations
Exploit Protection
35. An adversary that develops exploits for Microsoft Windows or 3rd party applications will have a
higher success rate when security measures designed by Microsoft to help prevent security
vulnerabilities from being exploited are not implemented. Windows Defender Exploit Guard’s
Exploit Protection12 functionality was introduced in Microsoft Windows 10 version 1709 to
12
https://docs.microsoft.com/en-au/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-
exploit-guard
Page 13 of 54
provide system-wide and application-specific security measures. Exploit Protection is designed
to replace the Enhanced Mitigation Experience Toolkit (EMET) that was used on earlier versions
of Microsoft Windows 10.
36. System-wide security measures configurable via Exploit Protection include: Control Flow Guard
(CFG), Data Execution Prevention (DEP), mandatory Address Space Layout Randomization
(ASLR), bottom-up ASLR, Structured Exception Handling Overwrite Protection (SEHOP) and
heap corruption protection. Many more application-specific security measures are also available.
37. The following Group Policy settings can be implemented to define Exploit Protection settings and
to prevent users from modifying these settings on their devices.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender
Exploit Guard\Exploit Protection
Use a common set of exploit protection settings Enabled
13
https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems
Page 14 of 54
41. The following Group Policy setting can be implemented to disable built-in administrator
accounts.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
Accounts: Administrator account status Disabled
42. If a common local administrator account absolutely must be used for workstation management
then Microsoft’s Local Administrator Password Solution (LAPS)14 needs to be used to ensure
unique passphrases are used for each workstation. In addition, User Account Control restrictions
should be applied to remote connections using such accounts15.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\MS Security Guide
Apply UAC restrictions to local accounts on network logons Enabled
Measured Boot
43. The third key security feature of Trusted Boot supported by Microsoft Windows 10 and
motherboards with both an UEFI and a Trusted Processing Module (TPM) is Measured Boot.
Measured Boot is used to develop a reliable log of components that are initialised before the
ELAM driver. This information can then be scrutinised by antimalware software for signs of
tampering of boot components. To reduce the risk that malicious changes to boot components
go unnoticed, Measured Boot should be used on workstations that support it.
Microsoft Edge
44. Microsoft Edge is a web browser that was first introduced in Microsoft Windows 10 to replace
Internet Explorer. Microsoft Edge contains significant security enhancements over Internet
Explorer and should be used wherever possible.
45. Internet Explorer 11’s use should be restricted to supporting any legacy web applications hosted
on corporate intranets. If Internet Explorer 11 is not required, it should be uninstalled from
Microsoft Windows 10 to reduce the operating system’s attack surface.
46. For organisations using Microsoft Edge instead of 3rd party web browsers, the following Group
Policy settings can be implemented to harden Microsoft Edge.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Edge
Allow Adobe Flash Disabled
Allow Developer Tools Disabled
Configure Do Not Track Enabled
Configure Password Manager Disabled
Configure Pop-up Blocker Enabled
Configure Windows Defender SmartScreen Enabled
14
https://www.microsoft.com/en-au/download/details.aspx?id=46899
15
https://support.microsoft.com/en-au/help/951016/description-of-user-account-control-and-remote-restrictions-
in-windows
Page 15 of 54
Prevent access to the about:flags page in Microsoft Edge Enabled
Prevent bypassing Windows Defender SmartScreen prompts for files Enabled
Prevent bypassing Windows Defender SmartScreen prompts for sites Enabled
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender
Antivirus\Windows Defender Exploit Guard\Network Protection
Prevent users and apps from accessing dangerous websites Enabled
Block
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender
Application Guard
Turn on Windows Defender Application Guard in Enterprise Mode Enabled
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender
SmartScreen\Microsoft Edge
Configure Windows Defender SmartScreen Enabled
Prevent bypassing Windows Defender SmartScreen prompts for sites Enabled
Multi-factor authentication
47. As privileged credentials often allow users to bypass security functionality put in place to protect
workstations, and are susceptible to key logging applications, it is important that they are
appropriately protected against compromise. In addition, an adversary that brute forces captured
password hashes can gain access to workstations if multi-factor authentication hasn’t been
implemented. To reduce this risk, hardware-based multi-factor authentication should be used for
users as they perform a privileged action or access any important or sensitive data repositories.
48. For more information on how to effectively implement multi-factor authentication see Multi-factor
authentication16.
Operating system architecture
49. The x64 (64-bit) versions of Microsoft Windows include additional security functionality that the
x86 (32-bit) versions lack. This includes native hardware-based Data Execution Prevention
(DEP) kernel support, Kernel Patch Protection (PatchGuard), mandatory device driver signing
and lack of support for malicious 32-bit drivers. Using x86 (32-bit) versions of Microsoft Windows
exposes organisations to exploit techniques mitigated by x64 (64-bit) versions of Microsoft
Windows. To reduce this risk, workstations should use the x64 (64-bit) versions of Microsoft
Windows.
Operating system patching
50. Patches are released either in response to previously disclosed security vulnerabilities or to
proactively address security vulnerabilities that have not yet been publicly disclosed. In the case
of disclosed security vulnerabilities, it is possible that exploits have already been developed and
are freely available in common hacking tools. In the case of patches for security vulnerabilities
that have not yet been publically disclosed, it is relatively easy for an adversary to use freely
available tools to identify the security vulnerability being patched and develop an associated
exploit. This activity can be undertaken in less than one day and has led to an increase in 1-day
attacks. To reduce this risk, operating system patches and driver updates should be centrally
managed and deployed in an appropriate timeframe as determined by the severity of the
16
https://www.asd.gov.au/publications/protect/Multi_Factor_Authentication.pdf
Page 16 of 54
security vulnerability and any mitigating measures already in place. This can be achieved using
Microsoft System Center Configuration Manager (SCCM)17. Microsoft Windows Server Update
Services (WSUS)18 can also centrally deploy patches but only for Microsoft applications.
51. For more information on determining the severity of security vulnerabilities and timeframes for
applying patches see Assessing Security Vulnerabilities and Applying Patches19.
52. The following Group Policy settings can be implemented to ensure operating systems remain
appropriately patched.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update
Allow Automatic Updates immediate installation Enabled
Configure Automatic Updates Enabled
17
https://www.microsoft.com/en-au/cloud-platform/system-center-configuration-manager
18
https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/get-
started/windows-server-update-services-wsus
19
https://www.asd.gov.au/publications/protect/Assessing_Security_Vulnerabilities_and_Applying_Patches.pdf
Page 17 of 54
Password policy
55. The use of weak passwords, such as eight character passwords with no complexity, can allow
them to be brute forced within minutes using applications freely available on the Web. In
addition, having no maximum password age can allow an adversary to maintain extended
access to a workstation or network once a password has been compromised while having no
minimum password age can allow an adversary to recycle passwords if forced to change them
due to maximum password ages. To reduce this risk, a secure password policy should be
implemented.
56. The following Group Policy settings can be implemented to achieve a secure password policy.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\System\Logon
Turn off picture password sign-in Enabled
Turn on convenience PIN sign-in Disabled
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy
Enforce password history 8 passwords remembered
Maximum password age 90 days
Minimum password age 1 days
Minimum password length 10 characters
Password must meet complexity requirements Enabled
Store passwords using reversible encryption Disabled
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
Accounts: Limit local account use of blank passwords to console logon only Enabled
20
https://www.asd.gov.au/publications/protect/Restricting_Admin_Privileges.pdf
Page 18 of 54
Interface (UEFI). Secure Boot works by checking at boot time that the boot loader is signed and
matches a Microsoft signed certificate stored in the UEFI. If the certificate signatures match the
boot loader is allowed to run, otherwise it is prevented from running and the workstation will not
boot.
Page 19 of 54
Medium priorities
60. The following security controls, listed in alphabetical order, are considered to have a very good
effectiveness and should be treated as medium priorities when hardening Microsoft Windows 10
version 1709 workstations.
Account lockout policy
61. Allowing unlimited attempts to access workstations will fail to prevent an adversary’s attempts to
brute force authentication measures. To reduce this risk, accounts should be locked out after a
defined number of invalid authentication attempts. The threshold for locking out accounts does
not need to be overly restrictive in order to be effective. For example, a threshold of 5 incorrect
attempts, with a reset period of 15 minutes for the lockout counter, will prevent any brute force
attempt while being unlikely to lock out a legitimate user who accidently enters their password
incorrectly a few times.
62. The following Group Policy settings can be implemented to achieve a reasonable lockout policy.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout
Policy
Account lockout duration 0
Account lockout threshold 5 invalid logon attempts
Reset account lockout counter after 15 minutes
Anonymous connections
63. An adversary can use anonymous connections to gather information about the state of
workstations. Information that can be gathered from anonymous connections (i.e. using the net
use command to connect to the IPC$ share) can include lists of users and groups, SIDs for
accounts, lists of shares, workstation policies, operating system versions and patch levels. To
reduce this risk, anonymous connections to workstations should be disabled.
64. The following Group Policy settings can be implemented to disable the use of anonymous
connections.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\Network\Lanman Workstation
Enable insecure guest logons Disabled
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
Network access: Allow anonymous SID/Name translation Disabled
Network access: Do not allow anonymous enumeration of SAM accounts Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and Enabled
shares
Network access: Let Everyone permissions apply to anonymous users Disabled
Network access: Restrict anonymous access to Named Pipes and Shares Enabled
Network access: Restrict clients allowed to make remote calls to SAM O:BAG:BAD:(A;;RC;;;BA)
Network security: Allow Local System to use computer identity for NTLM Enabled
Network security: Allow LocalSystem NULL session fallback Disabled
Page 20 of 54
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights
Assignment
Access this computer from the network Administrators
Remote Desktop Users
Deny access to this computer from the network Guests
NT AUTHORITY\Local
Account
Antivirus software
65. An adversary can develop malicious code to exploit security vulnerabilities in software not
detected and remedied by vendors during testing. As significant time and effort is often involved
in the development of functioning and reliable exploits, an adversary will often reuse their
exploits as much as possible before being forced to develop new exploits. To reduce this risk,
endpoint security applications with signature-based antivirus functionality should be
implemented. In doing so, signatures should be updated at least on a daily basis.
66. Whilst using signature-based antivirus functionality can assist in reducing risk, they are only
effective when a particular piece of malicious code has already been profiled and signatures are
current. An adversary can create variants of known malicious code, or develop new unseen
malicious code, to bypass traditional signature-based detection mechanisms. To reduce this risk,
endpoint security applications with host-based intrusion prevention functionality, or equivalent
functionality leveraging cloud-based services, should also be implemented. In doing so, such
functionality should be set at the highest level available.
67. If using Microsoft’s Windows Defender Antivirus solution, the following Group Policy settings can
be implemented to optimally configure it.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender
Antivirus
Turn off Windows Defender Antivirus Disabled
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender
Antivirus\MAPS
Configure local setting override for reporting to Microsoft MAPS Disabled
Configure the ‘Block at First Sight’ feature Enabled
Join Microsoft MAPS Enabled
Page 21 of 54
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender
Antivirus\MpEngine
Configure extended cloud check Enabled
Attachment Manager
68. The Attachment Manager within Microsoft Windows works in conjunction with applications such
as the Microsoft Office suite and Internet Explorer to help protect workstations from attachments
that have been received via email or downloaded from the Internet. The Attachment Manager
classifies files as high, medium or low risk based on the zone they originated from and the type
of file. Based on the risk to the workstation, the Attachment Manager will either issue a warning
to a user or prevent them from opening a file. If zone information is not preserved, or can be
removed, it can allow an adversary to socially engineer a user to bypass protections afforded by
the Attachment Manager. To reduce this risk, the Attachment Manager should be configured to
preserve and protect zone information for files.
69. The following Group Policy settings can be implemented to ensure zone information associated
with attachments is preserved and protected.
Page 22 of 54
Group Policy Setting Recommended Option
User Configuration\Policies\Administrative Templates\Windows Components\Attachment Manager
Do not preserve zone information in file attachments Disabled
Hide mechanisms to remove zone information Enabled
Page 23 of 54
Audit Security Group Management Success and Failure
Audit User Account Management Success and Failure
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy
Configuration\Audit Policies\Detailed Tracking
Audit Process Creation Success
Audit Process Termination Success
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy
Configuration\Audit Policies\Logon/Logoff
Audit Account Lockout Success
Audit Group Membership Success
Audit Logoff Success
Audit Logon Success and Failure
Audit Other Logon/Logoff Events Success and Failure
Audit Special Logon Success and Failure
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy
Configuration\Audit Policies\Object Access
Audit File Share Success and Failure
Audit File System Success and Failure
Audit Kernel Object Success and Failure
Audit Other Object Access Events Success and Failure
Audit Registry Success and Failure
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy
Configuration\Audit Policies\Policy Change
Audit Audit Policy Change Success and Failure
Audit Other Policy Change Events Success and Failure
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy
Configuration\Audit Policies\System
Audit System Integrity Success and Failure
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
Audit: Force audit policy subcategory settings (Windows Vista or later) to Enabled
override audit policy category settings
Page 24 of 54
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\Windows Components\AutoPlay Policies
Disallow Autoplay for non-volume devices Enabled
Set the default behavior for AutoRun Enabled
Page 25 of 54
Route all traffic through the internal network Enabled
Case locks
81. Without the use of case locks an adversary can gain physical access to the insides of a
workstation. An adversary with this access can install or remove hardware, remove and replace
the CMOS battery to reset the BIOS or UEFI to default settings (i.e. no password), or temporarily
remove hard drives to create copies for offline analysis at a later date. To reduce this risk, case
locks should be used on workstations to prevent an adversary from gaining unauthorised
access.
CD burner access
82. If CD burning functionality is enabled, and CD burners are installed in workstations, an
adversary may attempt to steal sensitive information by burning it to CD. To reduce this risk,
users should not have access to CD burning functionality except when explicitly required.
83. The following Group Policy setting can be implemented to prevent access to CD burning
functionality, although as this Group Policy setting only prevents access to native CD burning
functionality in Microsoft Windows, users should also be prevented from installing 3rd party CD
burning applications. Alternatively, CD readers can be used in workstations instead of CD
burners.
Group Policy Setting Recommended Option
User Configuration\Policies\Administrative Templates\Windows Components\File Explorer
Remove CD Burning features Enabled
Page 26 of 54
prevent the correlation of audit events and increase the complexity of any investigations after
security incidents. To reduce this risk, audit event logs from workstations should be transferred
to a secure central logging server.
Command Prompt
85. An adversary who gains access to a workstation can use the Command Prompt to execute in-
built Microsoft Windows tools such as net and schtasks to gather information about the
workstation or domain as well as schedule malicious code to execute on other workstations on
the network. To reduce this risk, users should not have Command Prompt access or the ability
to execute batch files and scripts. Should a legitimate business requirement exist to allow users
to execute batch files (e.g. cmd and bat files); run logon, logoff, startup or shutdown batch file
scripts; or use Remote Desktop Services, this risk will need to be accepted.
86. The following Group Policy setting can be implemented to prevent access to the Command
Prompt and script processing functionality.
Group Policy Setting Recommended Option
User Configuration\Policies\Administrative Templates\System
Prevent access to the command prompt Enabled
21
https://support.microsoft.com/en-au/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-
reduce-1394-d
Page 27 of 54
Prevent installation of devices using drivers that match these device setup Enabled
classes
Prevent installation of devices
using drivers for these device
setup classes:
{d48179be-ec20-11d1-b6b8-
00c04fa372a7}
Page 28 of 54
Tape Drives: Deny write access Enabled
WPD Devices: Deny read access Disabled
WPD Devices: Deny write access Enabled
\\*\NETLOGON
RequireMutualAuthentication=
1, RequireIntegrity=1
Page 29 of 54
Computer Configuration\Policies\Administrative Templates\System\Group Policy
Configure registry policy processing Enabled
Page 30 of 54
Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive
Encryption\Fixed Data Drives
Choose how BitLocker-protected fixed drives can be recovered Enabled
Configure password
complexity for fixed data
drives: Require password
complexity
Page 31 of 54
Allow network unlocked at startup Enabled
Allow Secure Boot for integrity validation Enabled
Choose how BitLocker-protected operating system drives can be recovered Enabled
Minimum characters: 13
Configure use of passwords for operating system drives Enabled
Configure password
complexity for operating
system drives: Require
password complexity
Page 32 of 54
Require additional authentication at startup Enabled
Page 33 of 54
Choose how BitLocker-protected removable drives can be recovered Do not enable BitLocker until
(continued) recovery information is stored
to AD DS for removable data
drives
Configure use of passwords for removable data drives Enabled
Configure password
complexity for removable data
drives: Require password
complexity
Installing applications
99. While the ability to install applications may be a business requirement for users, this privilege
can be exploited by an adversary. An adversary can email a malicious application, or host a
malicious application on a compromised website, and use social engineering techniques to
convince users into installing the application on their workstation. Even if privileged access is
required to install applications, users will use their privileged access if they believe, or can be
convinced that, the requirement to install the application is legitimate. Additionally, if applications
are configured to install using elevated privileges, an adversary can exploit this by creating a
Windows Installer installation package to create a new account that belongs to the local built-in
administrators group or to install a malicious application. To reduce this risk, all application
installations should be strictly controlled.
100. The following Group Policy settings can be implemented to control application installations.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer
Configure Windows Defender SmartScreen Enabled
Page 34 of 54
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender
SmartScreen\Explorer
Configure Windows Defender SmartScreen Enabled
Internet printing
101. Microsoft Windows has the ability to print to internet printers over HTTP. If not disabled, this
functionality could result in the accidental or intentional release of sensitive information into the
public domain. To reduce this risk, internet printing should be disabled.
102. The following Group Policy settings can be implemented to prevent the use of internet printing.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\System\Internet Communication
Management\Internet Communication settings
Turn off downloading of print drivers over HTTP Enabled
Turn off printing over HTTP Enabled
Microsoft accounts
105. A feature of Microsoft Windows 10 is the ability to link Microsoft accounts (formerly Windows
Live IDs) to local or domain accounts. When this occurs, a user’s settings and files are stored in
Page 35 of 54
the cloud using OneDrive rather than locally or on a domain controller. While this may have the
benefit of allowing users to access their settings and files from any Microsoft Windows 10
workstation (e.g. corporate workstation, home PC, Internet café) it can also pose a risk to an
organisation as they lose control over where sensitive information may be accessed from. To
reduce this risk, users should not link Microsoft accounts with local or domain accounts.
106. The following Group Policy settings can be implemented to disable the ability to link Microsoft
accounts to local or domain accounts.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft account
Block all consumer Microsoft account user authentication Enabled
Computer Configuration\Policies\Administrative Templates\Windows Components\OneDrive
Prevent the usage of OneDrive for file storage Enabled
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
Accounts: Block Microsoft accounts Users can’t add or log on with
Microsoft accounts
MSS settings
107. By failing to specify MSS specific registry values an adversary may be able to exploit
weaknesses in a workstation’s security posture to gain access to sensitive information. To
reduce this risk, MSS specific registry values that are still relevant to modern versions of
Microsoft Windows should be specified using Group Policy settings.
108. The Group Policy Administrative Templates for MSS specific registry values are available from
the Microsoft Security Guidance blog22. The ADMX and associated en-us ADML file can be
placed in %SystemDrive%\Windows\SYSVOL\domain\Policies\PolicyDefinitions on the Domain
Controller and they will automatically be loaded in the Group Policy Management Editor.
109. The following Group Policy settings can be implemented to configure MSS specific registry
values that are still relevant to modern versions of Microsoft Windows.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level Enabled
(protects against packet spoofing)
DisableIPSourceRoutingIPv6:
Highest protection, source
routing is completely disabled
MSS: (DisableIPSourceRouting) IP source routing protection level (protects Enabled
against packet spoofing)
DisableIPSourceRouting:
Highest protection, source
routing is completely disabled
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated Disabled
routes
22
https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
Page 36 of 54
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS Enabled
name release requests except from WINS servers
NoLMHash policy
113. When Microsoft Windows hashes a password that is less than 15 characters, it stores both a
LAN Manager hash (LM hash) and Windows NT hash (NT hash) in the local SAM database for
local accounts, or in Activity Directory for domain accounts. The LM hash is significantly weaker
than the NT hash and can easily be brute forced. To reduce this risk, the NoLMHash Policy
should be implemented on all workstations and domain controllers. As the LM hash is designed
for authentication of legacy Microsoft Windows operating systems, such as those prior to
Microsoft Windows 2000, there shouldn’t be a business requirement for its use except in very
rare circumstances.
114. The following Group Policy setting can be implemented to prevent the storage of LM hashes for
passwords. All users should be encouraged to change their password once this Group Policy
setting has been set as until they do they will remain vulnerable.
Page 37 of 54
Group Policy Setting Recommended Option
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
Network security: Do not store LAN Manager hash value on next password Enabled
change
Page 38 of 54
Specify the unattended sleep timeout (on battery) Enabled
PowerShell
118. Allowing any PowerShell script to execute exposes a workstation to the risk that a malicious
script may be unwittingly executed by a user. To reduce this risk, users should not have the
ability to execute PowerShell scripts; however, if using PowerShell scripts is an essential
business requirement, only signed scripts should be allowed to execute. Ensuring that only
signed scripts are allowed to execute can provide a level of assurance that a script is trusted and
has been endorsed as having a legitimate business purpose.
119. For more information on how to effectively implement PowerShell see Securing PowerShell in
the Enterprise23.
120. The following Group Policy settings can be implemented to control the use of PowerShell scripts.
Group Policy Setting Recommended Value
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell
Turn on PowerShell Script Block Logging Enabled
Turn on Script Execution Enabled
23
https://www.asd.gov.au/publications/protect/Securing_PowerShell.pdf
Page 39 of 54
Group Policy Setting Recommended Option
User Configuration\Policies\Administrative Templates\System
Prevent access to registry editing tools Enabled
Remote Assistance
123. While Remote Assistance can be a useful business tool to allow system administrators to
remotely administer workstations, it can also pose a risk. When a user has a problem with their
workstation they can generate a Remote Assistance invitation. This invitation authorises anyone
that has access to it to remotely control the workstation that issued the invitation. Invitations can
be sent by email, instant messaging or saved to a file. If an adversary manages to intercept an
invitation they will be able to use it to access the user’s workstation. Additionally, if network
traffic on port 3389 is not blocked from reaching the Internet, users may send Remote
Assistance invitations over the Internet which could allow for remote access to their workstation
by an adversary. While Remote Assistance only grants access to the privileges of the user that
generated the request, an adversary could install a key logging application on the workstation in
preparation of a system administer using their privileged credentials to fix any problems. To
reduce this risk, Remote Assistance should be disabled.
124. The following Group Policy settings can be implemented to disable Remote Assistance.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\System\Remote Assistance
Configure Offer Remote Assistance Disabled
Configure Solicited Remote Assistance Disabled
Page 40 of 54
127. Alternatively, if it is an essential business requirement to use Remote Desktop Services, it
should be configured in a manner that is as secure as possible and only on workstations and for
users for which it is explicitly required.
128. The following Group Policy settings can be implemented to use Remote Desktop Services in as
secure a manner as possible.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\System\Credentials Delegation
Remote host allows delegation of non-exportable credentials Enabled
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop
Services\Remote Desktop Connection Client
Configure server authentication for client Enabled
Authentication setting:
Do not connect if
authentication fails
Do not allow passwords to be saved Enabled
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop
Services\Remote Desktop Session Host\Connections
Allow users to connect remotely by using Remote Desktop Services Enabled
Deny logoff of an administrator logged in to the console session Enabled
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop
Services\Remote Desktop Session Host\Device and Resource Redirection
Do not allow Clipboard redirection Enabled
Do not allow drive redirection Enabled
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop
Services\Remote Desktop Session Host\Security
Always prompt for password upon connection Enabled
Do not allow local administrators to customize permissions Enabled
Require secure RPC communication Enabled
Require use of specific security layer for remote (RDP) connections Enabled
Page 41 of 54
Remote Procedure Call
129. Remote Procedure Call (RPC) is a technique used for facilitating client and server application
communications using a common interface. RPC is designed to make client and server
interaction easier and safer by using a common library to handle tasks such as security,
synchronisation and data flows. If unauthenticated communications are allowed between client
and server applications, it could result in accidental disclosure of sensitive information or the
failure to take advantage of RPC security functionality. To reduce this risk, all RPC clients should
authenticate to RPC servers.
130. The following Group Policy setting can be implemented to ensure RPC clients authenticate to
RPC servers.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\System\Remote Procedure Call
Restrict Unauthenticated RPC clients Enabled
RPC Runtime
Unauthenticated Client
Restriction to Apply:
Authenticated
Page 42 of 54
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Error
Reporting\Advanced Error Reporting Settings
Configure Corporate Windows Error Reporting Enabled
Safe Mode
133. An adversary with standard user credentials that can boot into Microsoft Windows using Safe
Mode, Safe Mode with Networking or Safe Mode with Command Prompt options may be able to
bypass system protections and security functionality such as application whitelisting solutions.
To reduce this risk, users with standard credentials should be prevented from using Safe Mode
options to log in.
134. The following registry entry can be implemented using Group Policy preferences to prevent non-
administrators from using Safe Mode options.
Registry Entry Recommended Value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
SafeModeBlockNonAdmins REG_DWORD 0x00000001
(1)
Security policies
137. By failing to comprehensively specify security policies, an adversary may be able to exploit
weaknesses in a workstation’s Group Policy settings to gain access to sensitive information. To
reduce this risk, security policies should be comprehensively specified.
Page 43 of 54
138. The following Group Policy settings can be implemented, in addition to those specifically
mentioned in other areas of this document, to form a comprehensive set of security policies.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\Network\DNS Client
Turn off multicast name resolution Enabled
Computer Configuration\Policies\Administrative Templates\Network\WLAN Service\WLAN Settings
Allow Windows to automatically connect to suggested open hotspots, to Disabled
networks shared by contacts, and to hotspots offering paid services
Computer Configuration\Policies\Administrative Templates\Windows Components\Cloud Content
Turn off Microsoft consumer experiences Enabled
Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer
Turn off heap termination on corruption Disabled
Turn off shell protocol protected mode Disabled
Computer Configuration\Policies\Administrative Templates\Windows Components\RSS Feeds
Prevent downloading of enclosures Enabled
Computer Configuration\Policies\Administrative Templates\Windows Components\Search
Allow indexing of encrypted files Disabled
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Game
Recording and Broadcasting
Enables or disables Windows Game Recording and Broadcasting Disabled
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
Domain member: Disable machine account password changes Disabled
Domain member: Maximum machine account password age 30 days
Network security: Allow PKU2U authentication requests to this computer to use Disabled
online identities.
Network security: Force logoff when logon hours expire Enabled
Network security: LDAP client signing requirements Negotiate signing
System objects: Require case insensitivity for non-Windows subsystems Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Enabled
Symbolic Links)
Page 44 of 54
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\MS Security Guide
Configure SMB v1 client driver Enabled
Session locking
141. An adversary with physical access to an unattended workstation may attempt to inappropriately
access other users’ sessions in order to use their credentials to access sensitive information
they don’t have access to or to conduct actions on the network that won’t be attributed to them.
To reduce this risk, a session lock should be configured to activate after a maximum of 15
minutes of user inactivity.
142. The following Group Policy settings can be implemented to set session locks.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\Control Panel\Personalization
Prevent enabling lock screen camera Enabled
Prevent enabling lock screen slide show Enabled
Computer Configuration\Policies\Administrative Templates\System\Logon
Allow users to select when a password is required when resuming from Disabled
connected standby
Turn off app notifications on the lock screen Enabled
Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer
Show lock in the user tile menu Enabled
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Ink
Workspace
Allow Windows Ink Workspace Enabled
Page 45 of 54
Computer Configuration\Policies\Windows Settings\Local Policies\Security Options
Interactive logon: Machine inactivity limit 900 seconds
User Configuration\Policies\Administrative Templates\Control Panel\Personalization
Enable screen saver Enabled
Password protect the screen saver Enabled
Screen saver timeout Enabled
Seconds: 900
User Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Notifications
Turn off toast notifications on the lock screen Enabled
User Configuration\Policies\Administrative Templates\Windows Components\Cloud Content
Do not suggest third-party content in Windows spotlight Enabled
Software-based firewalls
143. Network firewalls often fail to prevent the propagation of malicious code on a network, or an
adversary from extracting sensitive information, as they generally only control which ports or
protocols can be used between segments on a network. Many forms of malicious code are
designed specifically to take advantage of this by using common protocols such as HTTP,
HTTPS, SMTP and DNS. To reduce this risk, software-based firewalls that filter both incoming
and outgoing traffic should be appropriately implemented. Software-based firewalls are more
effective than network firewalls as they can control which applications and services can
communicate to and from workstations. The in-built Windows firewall (from Microsoft Windows 7
onwards) can be used to control both inbound and outbound traffic for specific applications.
Sound Recorder
144. Sound Recorder is a feature of Microsoft Windows that allows audio from a device with a
microphone to be recorded and saved as an audio file on the local hard drive. An adversary with
remote access to a workstation can use this functionality to record sensitive conversations in the
vicinity of the workstation. To reduce this risk, Sound Recorder should be disabled.
145. The following Group Policy setting can be implemented to disable the use of Sound Recorder.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\Windows Components\Sound Recorder
Do not allow Sound Recorder to run Enabled
Page 46 of 54
access. From here an adversary can restore the contents and take ownership, thereby
circumventing all original access controls that were in place. In addition, if a user has privileges
to restore files and directories, an adversary could exploit this privilege by using it to either
restore previous versions of files that may have been removed by system administrators as part
of malicious code removal activities or to replace existing files with malicious variants. To reduce
this risk, the ability to use backup and restore functionality should be limited to administrators.
148. The following Group Policy settings can be implemented to control the use of backup and
restore functionality.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights
Assignment
Back up files and directories Administrators
Restore files and directories Administrators
System cryptography
149. By default, when cryptographic keys are stored in Microsoft Windows, users can access them
without first entering a password to unlock the certificate store. An adversary that compromises
a workstation, or gains physical access to an unlocked workstation, can use these user keys to
access sensitive information or resources that are cryptographically protected. To reduce this
risk, strong encryption algorithms and strong key protection should be used on workstations.
150. The following Group Policy settings can be implemented to ensure strong encryption algorithms
and strong key protection is used.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
System cryptography: Force strong key protection for user keys stored on the User must enter a password
computer each time they use a key
System cryptography: Use FIPS compliant algorithms for encryption, hashing, Enabled
and signing
Page 47 of 54
Create global objects Administrators
LOCAL SERVICE
NETWORK SERVICE
SERVICE
Create permanent shared objects <blank>
Create symbolic links Administrators
Debug programs Administrators
Enable computer and user accounts to be trusted for delegation <blank>
Force shutdown from a remote system Administrators
Impersonate a client after authentication Administrators
LOCAL SERVICE
NETWORK SERVICE
SERVICE
Increase scheduling priority Administrators
Load and unload device drivers Administrators
Lock pages in memory <blank>
Modify an object label <blank>
Modify firmware environment values Administrators
Perform volume maintenance tasks Administrators
Profile single process Administrators
Take ownership of files or other objects Administrators
24
https://msdn.microsoft.com/en-au/library/aa384426(v=vs.85).aspx
Page 48 of 54
management data between devices that implement the protocol. If appropriate authentication
and encryption is not implemented for this protocol, traffic may be subject to inception by an
adversary. To reduce this risk, Windows Remote Management should be securely configured.
156. The following Group Policy settings can be implemented to secure the use of the Windows
Remote Management.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote
Management (WinRM)\WinRM Client
Allow Basic authentication Disabled
Allow unencrypted traffic Disabled
Disallow Digest authentication Enabled
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote
Management (WinRM)\WinRM Service
Allow Basic authentication Disabled
Allow unencrypted traffic Disabled
Disallow WinRM from storing RunAs credentials Enabled
25
https://msdn.microsoft.com/en-au/library/windows/desktop/aa384470(v=vs.85).aspx
Page 49 of 54
Windows To Go
161. A feature of Microsoft Windows 10 is Windows To Go. Windows To Go allows users to boot into
a Microsoft Windows 10 workspace stored on USB media from any machine that supports the
minimum hardware requirements. While this may be highly beneficial for Bring Your Own Device
(BYOD) or remote access initiatives, it can also pose a risk to an organisation’s network.
Workstations that allow automatic booting of Windows To Go workspaces do not discriminate
between approved workspaces and malicious workspaces developed by an adversary. As such,
an adversary may use a malicious workspace they have customised with their desired toolkit to
attempt to gain access to sensitive information on the network. To reduce this risk, automatic
booting of Windows To Go media should be disabled.
162. The following Group Policy setting can be implemented to disable the automatic booting of
Windows To Go media.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\Windows Components\Portable Operating
System
Windows To Go Default Startup Options Disabled
Page 50 of 54
Low priorities
163. The following security controls, listed in alphabetical order, are recommended for consideration
and should be treated as low priorities when hardening Microsoft Windows 10 version 1709
workstations.
Displaying file extensions
164. When extensions for known file types are hidden, an adversary can more easily use social
engineering techniques to convince users to execute malicious email attachments. For example,
a file named vulnerability_assessment.pdf.exe could appear as vulnerability_assessment.pdf to
a user. To reduce this risk, hiding extensions for known file types should be disabled. Showing
extensions for all known file types, in combination with user education and awareness of
dangerous email attachment file types, can help reduce the risk of users executing malicious
email attachments.
165. The following registry entry can be implemented using Group Policy preferences to prevent
extensions for known file types from being hidden.
Registry Entry Recommended Value
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt REG_DWORD 0x00000000
(0)
Location awareness
168. When users interact with the Internet their workstations often automatically provide geo-location
details to websites or online services to assist them in tailoring content specific to the user’s
geographical region (i.e. the city they are accessing the Internet from). This information can be
captured by an adversary to determine the location of a specific user. To reduce this risk,
location services in the operating system and applications should be disabled.
169. The following Group Policy settings can be implemented to disable location services within the
operating system.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\Windows Components\Location and
Sensors
Turn off location Enabled
Page 51 of 54
Turn off location scripting Enabled
Computer Configuration\Policies\Administrative Templates\Windows Components\Location and
Sensors\Windows Location Provider
Turn off Windows Location Provider Enabled
Microsoft Store
170. Whilst applications in the Microsoft Store are vetted by Microsoft, there is still a risk that users
given access to the Microsoft Store could download and install potentially malicious applications
or applications that cause conflicts with other endorsed applications on their workstation. To
reduce this risk, access to the Microsoft Store should be disabled.
171. The following Group Policy settings can be implemented to prevent Microsoft Store access.
Group Policy Setting Recommended Option
Computer Configuration\Policies\Administrative Templates\System\Internet Communication
Management\Internet Communication settings
Turn off access to the Store Enabled
Computer Configuration\Policies\Administrative Templates\Windows Components\Store
Turn off the Store application Enabled
Page 52 of 54
Contact details
176. Organisations or individuals with questions regarding this advice can contact the ACSC by
emailing [email protected] or calling 1300 CYBER1 (1300 292 371).
Page 53 of 54
Page 54 of 54