Forum Discussion
Harden Windows 10
Some updates
Windows Secure Score
https://docs.microsoft.com/en-gb/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard
Defender updates seem to have been renamed to security intelligence, but otherwise remain the same and should be auto-updated within the hour.
Windows Security Configuration Framework
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework
This has been updated and the numbering has been reversed, so that you now have to implement 1+2 to reach level 2, and 1+2+3 to reach level 3, etc. This seems less confusing than it was initially, hence I felt the need to explain it at all.
Disabled by default but easy to enable Windows Defender features that I highly recommend:
Enable Potentially Unwanted Application (PUA) Protection
Set-MpPreference -PUAProtection Enabled
This enables Defender to remove adware and similar junk.
Enable Network Protection
Set-MpPreference -EnableNetworkProtection Enabled
Think of this as system-wide SmartScreen, rather than limited to just the browser.
Enable Attack Surface Reduction (ASR) Rules
Set-MpPreference -AttackSurfaceReductionRules_Ids be9ba2d9-53ea-4cdc-84e5-9B1eeee46550, d4f940ab-401b-4efc-aadc-ad5f3c50688a, 3b576869-a4eC-4529-8536-b80a7769e899, 75668c1f-73b5-4Cf0-bb93-3ecf5cb7cc84, d3e037e1-3eb8-44c8-a917-57927947596d, 5beb7efe-fd9A-4556-801d-275e5ffc04cc, 92e97fa1-2edf-4476-bdd6-9dd0B4dddc7b, 01443614-cd74-433a-b99e-2ecdc07bfc25, c1db55ab-c21a-4637-bb3f-a12568109d35, 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2, d1e49aac-8f56-4280-b9ba-993a6d77406c, b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4, 26190899-1602-49e8-8b27-eb1d0a1ce869, 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c, e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Enabled, Enabled, Enabled, Enabled, Enabled, Enabled, Enabled, Enabled, Enabled, Enabled, Enabled, Enabled, Enabled, Enabled, Enabled
Attack surface reduction rules block common infection behaviours used by malware.
enjoy! - beary
PS haveibeenpwned.com
Not only can you check your personal emails and passwords to see if they are present in public data breaches, you can implement company-wide password blacklisting in Active Directory etc., which is recommended by Microsoft as a replacement for the harmful/misguided time-based expiring passwords feature, which has been deprecated.
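To confirm the three settings from the post actually took effect, the following added example (not part of the original post) reads the values back and lists anything that is not in enforcing mode. The function name `Test-DefenderHardening` and the sample object are assumptions made for illustration; the rule IDs are the ones listed in the post.

```powershell
# Added example: audit Defender preferences against the settings in the post.
# Rule IDs are copied from the post (lower-cased); the function name is hypothetical.
$ExpectedAsrIds = @(
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550', 'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
    '3b576869-a4ec-4529-8536-b80a7769e899', '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84',
    'd3e037e1-3eb8-44c8-a917-57927947596d', '5beb7efe-fd9a-4556-801d-275e5ffc04cc',
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b', '01443614-cd74-433a-b99e-2ecdc07bfc25',
    'c1db55ab-c21a-4637-bb3f-a12568109d35', '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
    'd1e49aac-8f56-4280-b9ba-993a6d77406c', 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
    '26190899-1602-49e8-8b27-eb1d0a1ce869', '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
    'e6db77e5-3df2-4cf1-b95a-636979351e5b'
)

# Get-MpPreference reports these settings as numbers:
# 0 = disabled, 1 = enabled (block), 2 = audit; ASR actions can also be 6 = warn.
function Test-DefenderHardening {
    param($Pref = (Get-MpPreference))

    $findings = @()
    if ([int]$Pref.PUAProtection -ne 1) {
        $findings += "PUAProtection is $([int]$Pref.PUAProtection), expected 1 (Enabled)"
    }
    if ([int]$Pref.EnableNetworkProtection -ne 1) {
        $findings += "EnableNetworkProtection is $([int]$Pref.EnableNetworkProtection), expected 1 (Enabled)"
    }
    # Pair each configured rule ID with its action; an unset list yields no entries.
    $configured = @{}
    $ids = @($Pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($Pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $configured[$ids[$i].ToLower()] = [int]$actions[$i]
    }
    foreach ($id in $ExpectedAsrIds) {
        if (-not $configured.ContainsKey($id)) {
            $findings += "ASR rule $id is not configured"
        } elseif ($configured[$id] -ne 1) {
            $findings += "ASR rule $id has action $($configured[$id]), expected 1 (Block)"
        }
    }
    return $findings
}

# Constructed sample (not real output): network protection in audit mode,
# the first rule missing and the second rule in audit mode.
$sample = [pscustomobject]@{
    PUAProtection                       = 1
    EnableNetworkProtection             = 2
    AttackSurfaceReductionRules_Ids     = $ExpectedAsrIds[1..14]
    AttackSurfaceReductionRules_Actions = @(2) + @(1) * 13
}
Test-DefenderHardening -Pref $sample
```

On a live machine, call `Test-DefenderHardening` with no arguments from an elevated prompt. `Set-MpPreference` replaces the existing ASR rule list rather than appending to it, so rerun the check after any later change to the rules.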