From 9fd193e676f1f0646898f5130fbfaaf25050b2e3 Mon Sep 17 00:00:00 2001 From: undergroundwires Date: Sat, 11 May 2024 11:39:28 +0200 Subject: [PATCH] win: categorize and rename network security #131 This commit restructures the categorization of network security-related scripts to improve clarity and align with user expectations. It involves renaming and reorganizing categories to more accurately reflect their functions beyond just IIS configurations. This reorganization helps users find and utilize network security scripts more efficiently and ensures that the categorization accurately reflects the broader application of the scripts beyond server configurations. Changes: - Merge network security enhancements under a single category. - Rename categories for simplicity and increased technical accuracy. - Flatten nested categories to streamline navigation and enhance clarity. - Update documentation to match the new category structures. - Revise script recommendations to encourage broader use. - Fix revert codes of some related scripts to reflect default OS settings. --- docs/script-guidelines.md | 1 + src/application/collections/windows.yaml | 1601 ++++++++++++---------- 2 files changed, 870 insertions(+), 732 deletions(-) diff --git a/docs/script-guidelines.md b/docs/script-guidelines.md index 921fca5d..ebdf488a 100644 --- a/docs/script-guidelines.md +++ b/docs/script-guidelines.md @@ -27,6 +27,7 @@ Key attributes of a good script: - `Minimize` over `Limit`, `Reduce` - `Maximize` over `Extend`, `Delay`, `Postpone`, `Prolong` - `Remove` over `Uninstall` + - `Improve` over `Increase` - Structure your phrases for clarity, examples: - Prefer `Disable XX telemetry` over `Disable telemetry in XX` - Prefer `Clear XX data` over `Clear data from XX`, or `Clear data of XX`. diff --git a/src/application/collections/windows.yaml b/src/application/collections/windows.yaml index 04a5407b..75f4a366 100644 --- a/src/application/collections/windows.yaml 
+++ b/src/application/collections/windows.yaml 
@@ -5638,392 +5638,17 @@ actions: These scripts help protect your system against various types of cyber threats and unauthorized access. children: - - category: Disable clipboard data collection + category: Improve network security docs: |- - This category includes scripts that focus on disabling various aspects of clipboard data collection in Windows. - The clipboard is a critical component of the operating system, often containing sensitive data such as usernames, passwords, and other - personal information [1]. - However, features such as clipboard history and device synchronization can significantly increase privacy and security risks. + This category is dedicated to improving network security. - By default, Windows tends to store clipboard data in an unencrypted format [2], making it easily accessible to malicious applications or scripts. - Additionally, data synchronization features can lead to sensitive information being stored on remote servers or shared across devices, increasing the - risk of data exposure. + It aims to minimize vulnerabilities by offering various settings that improve the integrity and confidentiality + of data transmitted over the network. + It features a range of measures to protect data transmission from unauthorized access, interception, and other + cyber threats to maintain a secure and private communication environment. - The scripts in this category address these risks by disabling the related features.. - While these features offer convenience and productivity benefits, they can inadvertently compromise user privacy and security. - - > **Caution**: Applying these scripts may lead to a loss of certain functionalities. Users who rely on these features for their daily tasks should - > consider the trade-offs before proceeding with these changes. 
- - [1]: https://web.archive.org/web/20240119160347/https://github.com/undergroundwires/privacy.sexy/issues/247 "Disable Clipboard History · Issue #247 · undergroundwires/privacy.sexy · GitHub | github.com" - [2]: https://web.archive.org/web/20240119151846/https://ghostvolt.com/blog/Is-the-Windows-Clipboard-Function-History-or-Sync-Secure.html "Is the Windows Clipboard Function, History or Sync Secure | ghostvolt.com" - children: - - - name: Disable Cloud Clipboard (breaks clipboard sync) - recommend: strict - docs: |- - This script disables the Cloud Clipboard feature [1], also known as the cross-device clipboard [2]. - The Cloud Clipboard, introduced in the Windows 10 October 2018 Update [3], synchronizes clipboard contents across Windows - devices [1] [2] [4]. While this feature enhances usability, it can pose a privacy risk as sensitive information like passwords or credit card - details [5] might be inadvertently synchronized and stored on Microsoft servers. - - Disabling Cloud Clipboard is recommended in secure environments where clipboard data should remain local to the system, avoiding - potential exposure or misuse of sensitive information [6]. The Center for Internet Security (CIS) recommends disabling this feature in - such settings for enhanced security [6]. Moreover, Microsoft acknowledges that disabling network connections linked to the Cloud Clipboard - can improve privacy [1]. This script secures your clipboard data by preventing unauthorized access from other processes on your computer - or network, reducing the risk of data theft. - - The script configures the following registry keys: - - - `HKLM\SOFTWARE\Policies\Microsoft\Windows\System!AllowCrossDeviceClipboard`: Disables the Cloud Clipboard feature, preventing - clipboard synchronization across devices [1] [2] [6]. - - `HKCU\SOFTWARE\Microsoft\Clipboard!CloudClipboardAutomaticUpload`: Stops the automatic upload of clipboard data to the cloud [7]. 
- - > **Caution**: After running this script, clipboard contents will not synchronize across devices [1] [2] [6]. - > Text or images copied on one device will not be accessible on other devices [3] [4] [5]. - > This enhances privacy and security but limits the clipboard's functionality across your Windows devices. - - [1]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#30-cloud-clipboard "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn" - [2]: https://web.archive.org/web/20240119150031/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#allowcrossdeviceclipboard "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" - [3]: https://web.archive.org/web/20210619004804/https://community.windows.com/en-us/stories/cloud-clipboard-windows-10 "Copy and paste across Windows 10 devices using cloud clipboard | Windows Community | community.windows.com" - [4]: https://web.archive.org/web/20240119150040/https://support.microsoft.com/en-us/windows/clipboard-in-windows-c436501e-985d-1c8d-97ea-fe46ddf338c6 "Clipboard in Windows - Microsoft Support | support.microsoft.com" - [5]: https://web.archive.org/web/20240119160347/https://github.com/undergroundwires/privacy.sexy/issues/247 "Disable Clipboard History · Issue #247 · undergroundwires/privacy.sexy · GitHub | github.com" - [6]: https://web.archive.org/web/20240119145854/https://www.tenable.com/audits/items/CIS_MS_InTune_for_Windows_11_Level_2_BitLocker_v1.0.0.audit:19bea796bd6a86f37028214bbed97ffd "18.8.31.1 Ensure 'Allow Clipboard synchronization across devic... 
| Tenable® | www.tenable.com" - [7]: https://web.archive.org/web/20240119145950/https://www.elevenforum.com/t/enable-or-disable-clipboard-sync-across-devices-in-windows-11.976/ "Enable or Disable Clipboard Sync Across Devices in Windows 11 Tutorial | Windows 11 Forum | elevenforum.com" - call: - - - function: RunInlineCode - parameters: - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "AllowCrossDeviceClipboard" /t "REG_DWORD" /d "0" /f - # This key does not exist by default since Windows 10 22H2 and Windows 11 23H2 - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "AllowCrossDeviceClipboard" /f 2>nul - - - function: RunInlineCode - parameters: - code: reg add "HKCU\Software\Microsoft\Clipboard" /v "CloudClipboardAutomaticUpload" /t "REG_DWORD" /d "0" /f - # This key does not exist by default since Windows 10 22H2 and Windows 11 23H2 - revertCode: reg delete "HKCU\Software\Microsoft\Clipboard" /v "CloudClipboardAutomaticUpload" /f 2>nul - - - name: Disable clipboard history - recommend: standard - docs: |- - This script deactivates the clipboard history feature in Windows, a feature that is enabled by default [1] [2]. - Regularly, users copy sensitive data such as usernames and passwords to their clipboard, making clipboard history - valuable to attackers for gathering information for post-exploitation activities like lateral movement. - - Microsoft introduced clipboard history in the Windows 10 October 2018 Update [1], offering enhanced functionality, including - multi-device sync and customizable history management [1]. - Despite these benefits, clipboard history poses several security risks: - - - **Plain Text Storage**: Clipboard data is stored unencrypted, making it vulnerable to access by malicious applications [3]. - - **Persistent Memory**: The data remains in memory until overwritten or the machine restarts, exposing it to unauthorized access - by other users or malware [3]. 
- - **Process Accessibility**: Most running processes and applications can access clipboard data, increasing the risk if any are malicious [3]. - - **Open Network Threats**: Malicious website scripts could potentially access clipboard data, leading to data theft [3]. - - **Windows Clipboard History**: Stores the last 25 copied text and image items, which could include sensitive information [3]. - - **Increased Attack Surface**: Clipboard history is susceptible to exploitation by malware that silently accesses and logs clipboard data [3]. - - Microsoft's privacy statement also indicates that clipboard data could be used for marketing and advertising purposes [4]. - - Given these risks, especially when handling sensitive data like passwords or credit card numbers [5], it is advisable for - users concerned about security to disable clipboard history to safeguard their privacy. - - This script modifies Windows Registry keys to turn off clipboard history and sync features: - - - `HKCU\Software\Microsoft\Clipboard!EnableClipboardHistory`: Disables the local clipboard history for the current user [6] [7] [8]. - - `HKLM\SOFTWARE\Policies\Microsoft\Windows\System!AllowClipboardHistory`: Disables the policy for storing clipboard contents [2] [9]. 
- - [1]: https://web.archive.org/web/20210619004804/https://community.windows.com/en-us/stories/cloud-clipboard-windows-10 "Copy and paste across Windows 10 devices using cloud clipboard | Windows Community | community.windows.com" - [2]: https://web.archive.org/web/20240119153212/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#allowclipboardhistory "Experience Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" - [3]: https://web.archive.org/web/20240119151846/https://ghostvolt.com/blog/Is-the-Windows-Clipboard-Function-History-or-Sync-Secure.html "Is the Windows Clipboard Function, History or Sync Secure | ghostvolt.com" - [4]: https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement "Microsoft Privacy Statement – Microsoft privacy | privacy.microsoft.com" - [5]: https://web.archive.org/web/20240119160347/https://github.com/undergroundwires/privacy.sexy/issues/247 "Disable Clipboard History · Issue #247 · undergroundwires/privacy.sexy · GitHub | github.com" - [6]: https://web.archive.org/web/20240119153118/https://www.elevenforum.com/t/enable-or-disable-clipboard-history-in-windows-11.973/ "Enable or Disable Clipboard History in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com" - [7]: https://web.archive.org/web/20240119153113/https://itechbrand.com/how-to-enable-and-use-clipboard-history-on-windows-10/ "How to: Enable and Use Clipboard History on Windows 10 | ITechBrand | itechbrand.com" - [8]: https://web.archive.org/web/20240119153250/https://labs.withsecure.com/tools/sharpcliphistory "SharpClipHistory | WithSecure™ Labs | labs.withsecure.com" - [9]: https://web.archive.org/web/20240119153231/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.OSPolicy::AllowClipboardHistory "Allow Clipboard History | admx.help" - call: - - - function: RunInlineCode - parameters: - code: reg add "HKCU\Software\Microsoft\Clipboard" /v 
"EnableClipboardHistory" /t REG_DWORD /d 0 /f - # This key does not exist by default since Windows 10 22H2 and Windows 11 23H2 - revertCode: reg delete "HKCU\Software\Microsoft\Clipboard" /v "EnableClipboardHistory" /f 2>nul - - - function: RunInlineCode - parameters: - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "AllowClipboardHistory" /t "REG_DWORD" /d "0" /f - # This key does not exist by default since Windows 10 22H2 and Windows 11 23H2 - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "AllowClipboardHistory" /f 2>nul - - - name: Disable background clipboard data collection (`cbdhsvc`) (breaks clipboard history and sync) - recommend: strict - docs: |- - This script disables `cbdhsvc` also known as "Clipboard User Service" [1]. - This service is responsible for clipboard history and synchronization across devices [1]. - - Microsoft acknowledges that disabling this service does not adversely affect the system's core functionality [2]. - - Disabling this service enhances your security by reducing your system's - vulnerability surface. This service has been historically susceptible to vulnerabilities such as Privilege Escalation vulnerability [3]. - Turning off `cbdhsvc` also helps improve system performance by reducing the number of background processes as `cbdhsvc` runs automatically - in the background [1]. - Additionally, it enhances privacy by preventing the storage and sharing of clipboard history with Microsoft servers. - Clipboard data often contains sensitive information, including passwords and credit card numbers [4]. - - > **Caution**: Disabling this service will remove the functionalities for clipboard history and synchronization across devices. - > If you depend on these features, you should weigh the benefits against the loss of these functionalities. 
- - [1]: https://web.archive.org/web/20240119153912/https://learn.microsoft.com/en-us/windows/application-management/per-user-services-in-windows "Per-user services - Windows Application Management | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services#per-user-services "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn" - [3]: https://archive.ph/2024.01.19-154717/https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21869 "CVE-2022-21869 - Security Update Guide - Microsoft - Clipboard User Service Elevation of Privilege Vulnerability | rc.microsoft.com" - [4]: https://web.archive.org/web/20240119160347/https://github.com/undergroundwires/privacy.sexy/issues/247 "Disable Clipboard History · Issue #247 · undergroundwires/privacy.sexy · GitHub | github.com" - call: - function: DisablePerUserService - parameters: - # Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\cbdhsvc").Start - # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\cbdhsvc_*").Start - serviceName: cbdhsvc - defaultStartupMode: Automatic - - - name: Disable hidden remote file access via administrative shares (breaks remote system management software) - recommend: strict - docs: |- - This script improves your privacy and security by disabling Windows administrative shares, - which are typically used for remote access to your computer's file system. - - Windows automatically creates hidden administrative shares, such as `C$` and `D$`, that allow system administrators remote access to - every disk volume on your computer [1] [2]. These shares are often targeted as potential attack vectors [3]. - - Disabling administrative shares is generally a good practice for enhancing security. 
It is recommended by various security standards - and compliance frameworks, including some government standards [3], PCI-DSS [4], and CIS [2]. It reduces the system's vulnerability - to unauthorized remote access. - - These shares are often used for system administrators to perform tasks like software installation and vulnerability scanning - remotely [1]. Disabling them may limit remote management capabilities. This might require setting up network shares manually - for specific folders or drives, which is more secure but requires additional effort. - - Some software, such as Microsoft Systems Management Server (SMS) [2], Microsoft Operations Manager [2], Microsoft PsTools [5], - and certain third-party network backup applications [2], rely on administrative shares. Therefore, disabling these shares could - disrupt their functionality. - - > **Caution**: Disabling administrative shares can impact remote management software and may interrupt the ability to remotely control - > machines. Consider your operational and security needs before making this change. 
- - [1]: https://web.archive.org/web/20230831114315/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/remove-administrative-shares "Remove administrative shares - Windows Server | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20231206152703/http://www.itref.ir/uploads/editor/1edad0.pdf "CIS Microsoft Windows 8 Benchmark | itref.ir" - [3]: https://web.archive.org/web/20230831124304/https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/Business-Partner-System-Security-Manual-BPSSM.pdf "CMS Manual System | Pub 100-17 Medicare Business Partners | Department of Health & Human Services (DHHS) & Centers for Medicare & Medicaid Services (CMS) | cms.gov" - [4]: https://web.archive.org/web/20230831124324/https://www.unifiedcompliance.com/products/search-authority-documents/authority-document/1071/ "Payment Card Organizations > PCI Security Standards Council | Unified Compliance | www.unifiedcompliance.com" - [5]: https://github.com/undergroundwires/privacy.sexy/issues/249 "Disabling administrative shares breaks PsTools | undergroundwires/privacy.sexy | github.com" - code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d 0 /f - revertCode: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /f # Key does not exist since Windows 11 22H2 - - - category: Enable protection against Meltdown and Spectre - docs: https://support.microsoft.com/en-us/topic/kb4072698-windows-server-and-azure-stack-hci-guidance-to-protect-against-silicon-based-microarchitectural-and-speculative-execution-side-channel-vulnerabilities-2f965763-00e2-8f98-b632-0d96f30c8c8e - children: - - - name: Mitigate Spectre Variant 2 and Meltdown in host operating system - code: |- - reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d 
3 /f - wmic cpu get name | findstr "Intel" >nul && ( - reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 0 /f - ) - wmic cpu get name | findstr "AMD" >nul && ( - reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 64 /f - ) - revertCode: |- - reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d 3 /f - reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 3 /f - - - name: Mitigate Spectre Variant 2 and Meltdown in Hyper-V - code: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f - revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /f - - - name: Enable Data Execution Prevention (DEP) - code: |- - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /t REG_DWORD /d 0 /f - revertCode: |- - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /t REG_DWORD /d 1 /f - - - name: Disable AutoPlay and AutoRun - docs: - - https://en.wikipedia.org/wiki/AutoRun - - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63667 - - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63671 - - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63673 - recommend: standard - code: |- - :: 255 (0xff) means all drives - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /t 
REG_DWORD /d 255 /f - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoAutoplayfornonVolume" /t REG_DWORD /d 1 /f - revertCode: |- - reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /f - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d 2 /f - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoAutoplayfornonVolume" /f - - - name: Disable remote assistance feature - recommend: standard - docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63651 - code: |- - reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 0 /f - reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 0 /f - revertCode: |- - reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f - reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 1 /f - - - name: Disable lock screen camera access - recommend: standard - docs: https://www.stigviewer.com/stig/windows_8_8.1/2014-06-27/finding/V-43237 - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "NoLockScreenCamera" /t REG_DWORD /d 1 /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\Personalization" /v NoLockScreenCamera /f - - - name: Disable storage of the LAN Manager password hashes - recommend: standard - docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63797 - code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d 1 /f - revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d 0 /f - - - name: Disable "Always install with elevated privileges" in 
Windows Installer - recommend: standard - docs: https://www.stigviewer.com/stig/windows_8/2013-07-03/finding/V-34974 - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 0 /f - revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 1 /f - - - name: Disable Basic Authentication usage in WinRM - recommend: standard - docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63335 - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v "AllowBasic" /t REG_DWORD /d 0 /f - revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v "AllowBasic" /t REG_DWORD /d 1 /f - - - name: Disable anonymous enumeration of shares - recommend: standard - docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63749 - code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t REG_DWORD /d 1 /f - revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t REG_DWORD /d 0 /f - - - name: Disable usage of insecure authentication - recommend: standard - docs: - - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63801 - - https://web.archive.org/web/20240315114408/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level - code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LmCompatibilityLevel" /t REG_DWORD /d 5 /f - revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LmCompatibilityLevel" /t REG_DWORD /d 3 /f - - - name: Enable Structured Exception Handling Overwrite Protection (SEHOP) - recommend: standard - docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-68849 - code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v 
"DisableExceptionChainValidation" /t REG_DWORD /d 0 /f - revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 1 /f - - - name: Disable unauthorized user account discovery (anonymous SAM enumeration) - recommend: standard - docs: |- - This script increases your system's security by preventing unauthorized users from seeing account names in the - Security Accounts Manager (SAM) [1] [2] [3] [4] [5] [6]. - When account names are exposed, attackers might use them for guessing passwords or tricking people into revealing - sensitive information [4] [6] [7] [8]. - This is a security action recommended by organizations like the Department of Defense [1], NASA [2], IRS [8], - NIST [6], CIS [4], and Microsoft [3]. - - The change is enacted through the `HKLM\SYSTEM\CurrentControlSet\Control\Lsa!RestrictAnonymousSAM` registry - value [1] [2] [4] [5]. By default, it's enabled [4] and Windows restricts this setting if the registry value does - not exist [3]. - - While the script secures the system from these threats, it also has implications for interoperability with older systems. - It will prevent the establishment of trusts with Windows NT 4.0 domains [4] [5] [7] [9] and cause issues for older - client operating systems, like Windows NT 3.51 and Windows 95, when they try to access server resources [4] [5] [7]. - Typically, anonymous connections are requested by earlier versions of clients (down-level clients) during SMB session setup [7]. - - The script has no impact on domain controllers since their behavior in this aspect is controlled by different settings [5] [7]. - The policy setting does not require a restart to become effective [5], and there is no impact on current systems - where the default behavior already includes this restriction [4]. 
- - Despite the potential interoperability issues with older systems, the script maintains a security posture that is - important in modern networks to minimize unauthorized access and protect user privacy. - - [1]: https://web.archive.org/web/20231105200434/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63745 "Anonymous enumeration of SAM accounts must not be allowed. | www.stigviewer.com" - [2]: https://web.archive.org/web/20231105200713/https://asapdata.arc.nasa.gov/share/Paul/CIS_Microsoft_Windows_Server_2016_RTM_Release_1607_Benchmark_v1.1.0.pdf "CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark | nasa.gov" - [3]: https://web.archive.org/web/20231105200918/https://learn.microsoft.com/en-us/azure/governance/policy/samples/guest-configuration-baseline-windows#security-options---network-access "Reference - Azure Policy guest configuration baseline for Windows - Azure Policy | Microsoft Learn | learn.microsoft.com" - [4]: https://web.archive.org/web/20231105201133/https://community.mis.temple.edu/mis5170sec001sec701sp2018/files/2018/02/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.1.pdf "CIS Microsoft Windows Server 2012 R2 Benchmark | temple.edu" - [5]: https://web.archive.org/web/20231105201446/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj852230%28v=ws.11%29 "Network access: Do not allow anonymous enumeration of SAM accounts | Microsoft Learn | learn.microsoft.com" - [6]: https://web.archive.org/web/20230927174843/https://csrc.nist.gov/CSRC/media/Projects/United-States-Government-Configuration-Baseline/data/documentation/USGCB-Windows-Settings.xls "USGCB Windows Settings | nist.gov" - [7]: https://web.archive.org/web/20231105201346/https://support.microsoft.com/en-us/topic/client-service-and-program-issues-can-occur-if-you-change-security-settings-and-user-rights-assignments-0cb6901b-dcbf-d1a9-e9ea-f1b49a56d53a "Client, service, and program issues can occur if you change 
security settings and user rights assignments - Microsoft Support | support.microsoft.com" - [8]: https://web.archive.org/web/20231105200853/https://www.irs.gov/pub/irs-utl/safeguards-scsem-win-server2016.xlsx "IRS Office of Safeguards SCSEM | irs.gov" - [9]: https://web.archive.org/web/20231105201413/https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/trust-between-windows-ad-domain-not-work-correctly "Trust between a Windows NT domain and an Active Directory domain can't be established or it doesn't work as expected - Windows Server | Microsoft Learn | learn.microsoft.com" - code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RestrictAnonymousSAM" /t REG_DWORD /d 1 /f - revertCode: |- - :: Default value is `1` on modern Windows versions (Windows 10 since 22H2, Windows 11 since 22H2) - reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RestrictAnonymousSAM" /t REG_DWORD /d 1 /f - - - name: Disable anonymous access to named pipes and shares - recommend: standard - docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63759 - code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d 1 /f - revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d 0 /f - - - category: Disable unsafe features - children: - - - name: Enable security against PowerShell 2.0 downgrade attacks - recommend: standard - docs: |- - See: [The Windows PowerShell 2.0 feature must be disabled on the system. 
| stigviewer.com](https://web.archive.org/web/20240406114721/https://www.stigviewer.com/stig/windows_10/2017-02-21/finding/V-70637) - - ### Overview of default feature statuses - - `MicrosoftWindowsPowerShellV2`: - - | | | - | ---- | --- | - | **Feature name** | `MicrosoftWindowsPowerShellV2` | - | **Display name** | Windows PowerShell 2.0 Engine | - | **Description** | Adds or Removes Windows PowerShell 2.0 Engine | - | **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled | - | **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled | - - `MicrosoftWindowsPowerShellV2Root`: - - | | | - | ---- | --- | - | **Feature name** | `MicrosoftWindowsPowerShellV2Root` | - | **Display name** | Windows PowerShell 2.0 | - | **Description** | Adds or Removes Windows PowerShell 2.0 | - | **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled | - | **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled | - call: - - - function: DisableWindowsFeature - parameters: - featureName: MicrosoftWindowsPowerShellV2 # Get-WindowsOptionalFeature -FeatureName 'MicrosoftWindowsPowerShellV2' -Online - - - function: DisableWindowsFeature - parameters: - featureName: MicrosoftWindowsPowerShellV2Root # Get-WindowsOptionalFeature -FeatureName 'MicrosoftWindowsPowerShellV2Root' -Online - - - name: Disable "Windows Connect Now" wizard - recommend: standard - docs: - - https://web.archive.org/web/20240314130322/https://learn.microsoft.com/en-us/windows/win32/wcn/about-windows-connect-now - - https://www.stigviewer.com/stig/windows_server_20122012_r2_domain_controller/2019-01-16/finding/V-15698 - code: |- - reg add "HKLM\Software\Policies\Microsoft\Windows\WCN\UI" /v "DisableWcnUi" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableFlashConfigRegistrar" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableInBand802DOT11Registrar" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableUPnPRegistrar" /t 
REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableWPDRegistrar" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "EnableRegistrars" /t REG_DWORD /d 0 /f - revertCode: |- - reg add "HKLM\Software\Policies\Microsoft\Windows\WCN\UI" /v "DisableWcnUi" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableFlashConfigRegistrar" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableInBand802DOT11Registrar" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableUPnPRegistrar" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableWPDRegistrar" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "EnableRegistrars" /t REG_DWORD /d 1 /f - - - category: Secure cryptography on IIS (Internet Information Services) server + By improving network security, you secure your system and data from attackers, ISPs, VPN companies, + and state actors. children: - category: Enable strong secret key requirements @@ -6150,7 +5775,7 @@ actions: It also protects against threats such as attackers exploiting cryptographic weaknesses, malicious insiders, state actors, and cybercriminals [8]. - > **Caution:** Disabling a cipher may cause compatibility issues with older devices or software. + > **Caution:** This may cause compatibility issues with older devices or software. [1]: https://web.archive.org/web/20240421101955/https://learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel "Cipher Suites in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240421102018/https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/ "Recommendations for TLS/SSL Cipher Hardening | Acunetix | www.acunetix.com" 
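Review bot: the new category description in the first hunk (`By improving network security, you secure your system and data from attackers, ISPs, VPN companies, and state actors.`) is the only docs text in this file that carries no `[n]` citation, and it promises more than the children below it configure: the scripts under this category (the `@@ -6150` through `@@ -6654` hunks) disable weak Schannel ciphers, hash algorithms, protocols and insecure renegotiation on this host. State that ("This category hardens the TLS/SSL stack (Schannel) by disabling weak ciphers, hash algorithms and protocols.") and keep the threat list to what the cited sources in the child scripts support. The same hunk deletes the whole `Disable unsafe features` category (`Enable security against PowerShell 2.0 downgrade attacks`, `Disable "Windows Connect Now" wizard`) and the commit message says categories were moved, not removed, but neither script re-appears in the visible hunks; if the WCN script is being re-added elsewhere, note that its `code` writes `DisableFlashConfigRegistrar`, `DisableInBand802DOT11Registrar`, `DisableUPnPRegistrar` and `DisableWPDRegistrar` to `0` while `revertCode` writes them to `1`, the opposite of what the value names suggest, so check the direction of those four values against the WCN policy definition before moving it.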
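Review bot: the caution rewrite in the `@@ -6150` hunk (and the identical rewrites in `@@ -6181`, `-6233`, `-6305`, `-6346`, `-6392`, `-6415`, `-6457` and `-6527`) replaces `Disabling a cipher may cause compatibility issues with older devices or software.` and `Disabling a hash algorithm may cause ...` with `This may cause compatibility issues with older devices or software.`, dropping the one word that told the reader what "this" is. If the motive is a single shared caution string (the `refactor-with-variables: Same • Caution` markers later in the patch point that way), the generic sentence is only safe where the preceding docs already name what gets disabled; the RC2, RC4, DES, 3DES and NULL blocks do, but the MD5 and SHA hash blocks open with threat narrative, so keep `Disabling a hash algorithm` there or restate the object in the line before the caution.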
@@ -6181,19 +5806,19 @@ actions: This script disables these cipher algorithms: - `RC2 40/128` [1] [4] [5] [6] (40-bit RC2 [4]) - - Enabled by default [4]. - - Disabling it disallows the following cipher suites: + - Enabled by default [4]. + - Disabling it disallows the following cipher suites: - `SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5` [1] [4] - `TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5` [1] [4] - `RC2 56/128` [2] [4] [5] [6] (56-bit RC2 [4]) - - Enabled by default [4]. - - Disabling it disallows the following cipher suites: + - Enabled by default [4]. + - Disabling it disallows the following cipher suites: - `SSL_RSA_WITH_DES_CBC_SHA` [2] - `TLS_RSA_WITH_DES_CBC_SHA` [2] - `RC2 128/128` [3] [4] [6] (128-bit RC2 [4]) - - Enabled by default [4]. + - Enabled by default [4]. - > **Caution:** Disabling a cipher may cause compatibility issues with older devices or software. + > **Caution:** This may cause compatibility issues with older devices or software. [1]: https://web.archive.org/web/20240421111726/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::RC2_40 "RC2 40/128 | admx.help" [2]: https://web.archive.org/web/20240421111927/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::RC2_56 "RC2 56/128 | admx.help" 
@@ -6233,26 +5858,26 @@ actions: This script disables these cipher algorithms: - `RC4 128/128` [1] [6] [7] [8] (128-bit RC4 [6]): - - Enabled by default [6] [7]. - - Disabling it disallows the following cipher suites: + - Enabled by default [6] [7]. + - Disabling it disallows the following cipher suites: - `SSL_RSA_WITH_RC4_128_MD5` [1] [6] - `SSL_RSA_WITH_RC4_128_SHA` [1] [6] - `TLS_RSA_WITH_RC4_128_MD5` [1] [6] - `TLS_RSA_WITH_RC4_128_SHA` [1] [6] - `RC4 64/128` [2] [6] [7] [8] (64-bit RC4 [6]): - - Enabled by default [6]. - - Disabling it affects the functionality of the **Microsoft Money application [6]. + - Enabled by default [6]. + - Disabling it affects the functionality of the **Microsoft Money application [6]. - `RC4 56/128` [3] [6] [7] [8] (56-bit RC4 [6]): - - Enabled by default [6]. - - Disabling it disallows the following cipher suites: + - Enabled by default [6]. + - Disabling it disallows the following cipher suites: - `TLS_RSA_EXPORT1024_WITH_RC4_56_SHA` [3] [6] - `RC4 40/128` [4] [6] [7] [8] (40-bit RC4 [6]): - - Enabled by default [6]. - - Disabling this algorithm will disallow the following cipher suites: + - Enabled by default [6]. + - Disabling this algorithm will disallow the following cipher suites: - `SSL_RSA_EXPORT_WITH_RC4_40_MD5` [4] [6] - `TLS_RSA_EXPORT_WITH_RC4_40_MD5` [4] [6] - > **Caution:** Disabling a cipher may cause compatibility issues with older devices or software. + > **Caution:** This may cause compatibility issues with older devices or software. [1]: https://web.archive.org/web/20240421101752/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::RC4_128 "RC4 128/128 | admx.help" [2]: https://web.archive.org/web/20240421101700/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::RC4_64 "RC4 64/128 | admx.help" 
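Review bot: the re-indented line `Disabling it affects the functionality of the **Microsoft Money application [6].` in the `@@ -6233` hunk keeps an unclosed `**`, so the rest of the docs block renders in bold; since the line is already being touched, close it (`**Microsoft Money** application`) or drop the emphasis.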
@@ -6305,7 +5930,7 @@ actions: - `SSL_RSA_WITH_DES_CBC_SHA` [1] [2] - `TLS_RSA_WITH_DES_CBC_SHA` [1] [2] - > **Caution:** Disabling a cipher may cause compatibility issues with older devices or software. + > **Caution:** This may cause compatibility issues with older devices or software. [1]: https://web.archive.org/web/20240421101711/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::DES_56 "DES 56/56 | admx.help" [2]: https://web.archive.org/web/20240420183152/https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com" @@ -6346,7 +5971,7 @@ actions: - `TLS_RSA_WITH_3DES_EDE_CBC_SHA` [1] [2] - `TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA` [1] [2] - > **Caution:** Disabling a cipher may cause compatibility issues with older devices or software. + > **Caution:** This may cause compatibility issues with older devices or software. [1]: https://web.archive.org/web/20240421101519/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::3DES "Triple DES 168 | admx.help" [2]: https://web.archive.org/web/20240420183152/https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com" 
@@ -6392,7 +6017,7 @@ actions: - `TLS_RSA_WITH_NULL_SHA` [2] - `TLS_RSA_WITH_NULL_SHA256` [2] - > **Caution:** Disabling a cipher may cause compatibility issues with older devices or software. + > **Caution:** This may cause compatibility issues with older devices or software. [1]: https://web.archive.org/web/20240420183152/https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240421101539/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::NULL "NULL | admx.help" @@ -6415,7 +6040,7 @@ actions: Consequently, an attacker could intercept or modify data transmitted over what is believed to be a secure connection, without being detected. For instance, attackers could exploit this to divert your payments to their accounts, creating significant risks. - > **Caution:** Disabling a hash algorithm may cause compatibility issues with older devices or software. + > **Caution:** This may cause compatibility issues with older devices or software. [1]: https://web.archive.org/web/20240426084410/https://www.win.tue.nl/hashclash/rogue-ca/ "MD5 considered harmful today | win.tue.nl" [2]: https://web.archive.org/web/20240426084414/https://phys.org/news/2017-02-cwi-google-collision-industry-standard.html "CWI, Google announce first collision for Industry Security Standard SHA-1 | phys.org" 
@@ -6457,7 +6082,7 @@ actions: - `TLS_RSA_WITH_RC4_128_MD5` [1] [2] - `TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5` [2] - > **Caution:** Disabling a hash algorithm may cause compatibility issues with older devices or software. + > **Caution:** This may cause compatibility issues with older devices or software. [1]: https://web.archive.org/web/20240426090518/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::MD5 "MD5 | admx.help" [2]: https://web.archive.org/web/20240423073705/https://learn.microsoft.com/en-US/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com" @@ -6527,7 +6152,7 @@ actions: - `TLS_RSA_WITH_NULL_SHA` [1] - `TLS_RSA_WITH_RC4_128_SHA` [1] [2] - > **Caution:** Disabling a hash algorithm may cause compatibility issues with older devices or software. + > **Caution:** This may cause compatibility issues with older devices or software. [1]: https://web.archive.org/web/20240426091852/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::SHA "SHA | admx.help" [2]: https://web.archive.org/web/20240423073705/https://learn.microsoft.com/en-US/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com" 
@@ -6573,15 +6198,15 @@ actions: It modifies the following system settings to achieve this: - `HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL!AllowInsecureRenegoClients` [1] [3]: - Stops the client from responding to insecure renegotiation attempts [1] [3]. + Stops the client from responding to insecure renegotiation attempts [1] [3]. - `HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL!AllowInsecureRenegoServers` [1] [3]: - Stops the server from responding to insecure renegotiation attempts [1] [3]. + Stops the server from responding to insecure renegotiation attempts [1] [3]. - `HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL!DisableRenegoOnClient` [3] [4]: - Prevents the client from initiating or responding to insecure renegotiation requests [3] [4]. + Prevents the client from initiating or responding to insecure renegotiation requests [3] [4]. - `HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL!DisableRenegoOnServer` [3] [4]: - Prevents the server from initiating or responding to insecure renegotiation requests [3] [4]. + Prevents the server from initiating or responding to insecure renegotiation requests [3] [4]. - `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL!UseScsvForTls` [1]: - Enhances compatibility with older software, preventing potential communication issues [1]. + Enhances compatibility with older software, preventing potential communication issues [1]. This script may impact the functionality of software using outdated and insecure communication methods [3]. Affected software includes older versions of: 
@@ -6654,13 +6279,13 @@ actions: This category excludes the following protocols: - **DTLS 1.1**: - DTLS 1.1 does not exist [8] [9]; - its numbering was skipped to align with TLS versioning [8]. + DTLS 1.1 does not exist [8] [9]; + its numbering was skipped to align with TLS versioning [8]. - **TLS 1.2**, and **DTLS 1.2** (based on TLS 1.2 [8]): - TLS 1.2 and DTLS 1.2 are enabled by default on Windows [7] and are approved by authorities like - NIST [2], and German Federal Office for Information Security [10]. - Disabling them could affect application functionality, and earlier versions are not - widely supported by Windows [7] [10]. + TLS 1.2 and DTLS 1.2 are enabled by default on Windows [7] and are approved by authorities like + NIST [2], and German Federal Office for Information Security [10]. + Disabling them could affect application functionality, and earlier versions are not + widely supported by Windows [7] [10]. > **Caution:** This may cause compatibility issues with older devices or software. @@ -6834,6 +6459,8 @@ actions: (`HKLM\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\{Interface}!NetbiosOptions` [1] [8]) from their default of `0` (enabled) [5] to `2` (disabled) [5] [8] for each network interface. + > **Caution:** This may cause compatibility issues with older devices or software. + [1]: https://web.archive.org/web/20240218210552/https://bobcares.com/blog/disable-netbios-and-llmnr-protocols-in-windows-using-gpo/ "Disable NetBIOS and LLMNR Protocols in Windows Using GPO | bobcares.com" [5]: https://web.archive.org/web/20240218210635/https://10dsecurity.com/blog-saying-goodbye-netbios.html "Saying Goodbye To NetBIOS | 10-D Security | 10dsecurity.com" [3]: https://web.archive.org/web/20240218210736/https://4sysops.com/archives/disable-netbios-in-windows-networks/ "Disable NetBIOS in Windows networks – 4sysops | 4sysops.com" 
@@ -7037,6 +6664,32 @@ actions: function: DisableTLSProtocol parameters: protocolName: DTLS 1.0 + - + name: Disable insecure "LM & NTLM" protocols + recommend: standard + docs: |- + This script improves security by setting the LanMan authentication level to send NTLMv2 responses only, + refusing LM and NTLM [1] [2], which are older and less secure methods [1] [3]. + + While Kerberos v5 is the default authentication protocol for domain accounts, NTLM is still used for compatibility + with older systems and for authenticating logons to standalone computers [1]. + + The script modifies the `HKLM\System\CurrentControlSet\Control\Lsa!LmCompatibilityLevel` registry key to enforce + this security measure [1] [2]. + + > **Caution:** This may cause compatibility issues with older devices or software. + + [1]: https://web.archive.org/web/20240510175526/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63801 "The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. 
| www.stigviewer.com" + [2]: https://web.archive.org/web/20240315114408/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level "Network security LAN Manager authentication level - Windows 10 | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240510182417/https://support.microsoft.com/en-us/topic/security-guidance-for-ntlmv1-and-lm-network-authentication-da2168b6-4a31-0088-fb03-f081acde6e73 "Security guidance for NTLMv1 and LM network authentication - Microsoft Support | support.microsoft.com" + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Lsa + valueName: LmCompatibilityLevel + dataType: REG_DWORD + data: 5 + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Windows 10 Pro (≥ 23H2) - name: Disable insecure connections from .NET apps recommend: strict # Default since .NET 4.6 and above, absence considered vulnerabiltiy, but can still break legacy apps 
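Review bot: the script name `Disable insecure "LM & NTLM" protocols` in the `@@ -7037` hunk overstates what `LmCompatibilityLevel` = `5` does: as the docs themselves say, the system still sends and accepts NTLMv2, and only LM and NTLMv1 responses are refused, so a reader may expect NTLM to be gone entirely. `Disable insecure LM and NTLMv1 authentication` matches the cited STIG title and the behaviour. Three smaller points in the same hunk: `data: 5` is unquoted while the `SetRegistryValue` call for `AllowBasic` in the next hunk uses `data: '0'`, so the parameter type differs between the two calls; the `deleteOnRevert` comment reads `Windows 11 Windows 10 Pro (≥ 23H2)` (should be `Windows 11 (≥ 23H2)`), a typo repeated on the `AllowBasic` and `RestrictAnonymous` revert comments below; and because revert deletes the value, the user lands on whatever the OS default level is, which the docs never state even though the cited Microsoft page [2] documents it, so add that one sentence.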
@@ -7195,7 +6848,7 @@ actions: It may also resolve compatibility issues with older devices or software [7]. However, it may also result in compatibility issues if the system defaults are too restrictive [8]. - > **Caution**: This may cause compatibility issues with older devices or software. + > **Caution:** This may cause compatibility issues with older devices or software. [1]: https://web.archive.org/web/20240503121044/https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls "Transport Layer Security (TLS) best practices with .NET Framework | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240503120928/https://support.microsoft.com/en-us/topic/cumulative-update-for-windows-10-version-1511-and-windows-server-2016-technical-preview-4-may-10-2016-aaff80d8-b207-2238-fc9c-bf13fea1c566 "Cumulative Update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: May 10, 2016 - Microsoft Support | support.microsoft.com" 
@@ -7210,6 +6863,742 @@ actions: parameters: valueName: SystemDefaultTlsVersions valueData: '1' + - + category: Disable insecure remote administration access + docs: |- # refactor-with-variables: Same • Caution + This category improves security by disabling insecure remote administration features. + Organizations use remote administration tools to manage multiple systems from a central location, + performing tasks such as software updates, system checks, and configuration changes. + + However, if not properly secured, unauthorized users could exploit these tools to access sensitive data + or control systems. + This category addresses such vulnerabilities by disabling outdated or insecure remote access methods, + thus securing systems against potential cyber threats. + + While these measures maintain information confidentiality and integrity, they may restrict some remote + management functionalities. + + > **Caution:** + > This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote + > administration is necessary. + children: + - + name: Disable basic authentication in WinRM + recommend: standard + docs: |- # refactor-with-variables: Same • Caution + This script configures the Windows Remote Management (WinRM) client to disable **basic authentication** [1] [2]. + Basic authentication is a security protocol where a user provides a username and password in plain text for verification [3]. + It improves security by preventing the interception and misuse of plain text passwords [1]. + + It achieves this by modifying the `HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client!AllowBasic` + registry key [1] [2]. + + While WinRM clients do not use Basic authentication by default [2], this script ensures that this less + secure method remains disabled. 
+ + > **Caution:** + > This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote + > administration is necessary. + + [1]: https://web.archive.org/web/20240510175428/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63335 "The Windows Remote Management (WinRM) client must not use Basic authentication. | www.stigviewer.com" + [2]: https://web.archive.org/web/20240510175528/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-remotemanagement#allowbasicauthentication_client "RemoteManagement Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240510223209/https://datatracker.ietf.org/doc/html/rfc7617 "RFC 7617 - The 'Basic' HTTP Authentication Scheme | datatracker.ietf.org" + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client + valueName: AllowBasic + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Windows 10 Pro (≥ 23H2) + - + name: Disable unauthorized user account discovery (anonymous SAM enumeration) + recommend: standard + docs: |- # refactor-with-variables: Same • Caution + This script increases your system's security by preventing unauthorized users from seeing account names in the + Security Accounts Manager (SAM) [1] [2] [3] [4] [5] [6]. + The Security Accounts Manager (SAM) is a database in Windows that stores user account information and + is critical for user authentication processes. + When account names are exposed, attackers might use them for guessing passwords or tricking people into revealing + sensitive information [4] [6] [7] [8]. + This is a security action recommended by organizations like the Department of Defense [1], NASA [2], IRS [8], + NIST [6], CIS [4], and Microsoft [3]. 
+ + The change is enacted through the `HKLM\SYSTEM\CurrentControlSet\Control\Lsa!RestrictAnonymousSAM` registry + value [1] [2] [4] [5]. By default, it's enabled [4] and Windows restricts this setting if the registry value does + not exist [3]. + + While the script protects against these threats, it may also affect compatibility with older systems. + It prevents trust with Windows NT 4.0 domains [4] [5] [7] [9] and causes issues for older systems such as Windows NT 3.51 + and Windows 95 when accessing server resources [4] [5] [7]. + Typically, anonymous connections are requested by earlier versions of clients (down-level clients) during SMB session setup [7]. + + The script has no impact on domain controllers since their behavior in this aspect is controlled by different settings [5] [7]. + The policy setting does not require a restart to become effective [5], and there is no impact on current systems + where the default behavior already includes this restriction [4]. + + Despite the potential interoperability issues with older systems, the script maintains a security posture that is + important in modern networks to minimize unauthorized access and protect user privacy. + + > **Caution:** + > This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote + > administration is necessary. + + [1]: https://web.archive.org/web/20231105200434/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63745 "Anonymous enumeration of SAM accounts must not be allowed. 
| www.stigviewer.com" + [2]: https://web.archive.org/web/20231105200713/https://asapdata.arc.nasa.gov/share/Paul/CIS_Microsoft_Windows_Server_2016_RTM_Release_1607_Benchmark_v1.1.0.pdf "CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark | nasa.gov" + [3]: https://web.archive.org/web/20231105200918/https://learn.microsoft.com/en-us/azure/governance/policy/samples/guest-configuration-baseline-windows#security-options---network-access "Reference - Azure Policy guest configuration baseline for Windows - Azure Policy | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20231105201133/https://community.mis.temple.edu/mis5170sec001sec701sp2018/files/2018/02/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.1.pdf "CIS Microsoft Windows Server 2012 R2 Benchmark | temple.edu" + [5]: https://web.archive.org/web/20231105201446/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj852230%28v=ws.11%29 "Network access: Do not allow anonymous enumeration of SAM accounts | Microsoft Learn | learn.microsoft.com" + [6]: https://web.archive.org/web/20230927174843/https://csrc.nist.gov/CSRC/media/Projects/United-States-Government-Configuration-Baseline/data/documentation/USGCB-Windows-Settings.xls "USGCB Windows Settings | nist.gov" + [7]: https://web.archive.org/web/20231105201346/https://support.microsoft.com/en-us/topic/client-service-and-program-issues-can-occur-if-you-change-security-settings-and-user-rights-assignments-0cb6901b-dcbf-d1a9-e9ea-f1b49a56d53a "Client, service, and program issues can occur if you change security settings and user rights assignments - Microsoft Support | support.microsoft.com" + [8]: https://web.archive.org/web/20231105200853/https://www.irs.gov/pub/irs-utl/safeguards-scsem-win-server2016.xlsx "IRS Office of Safeguards SCSEM | irs.gov" + [9]: 
https://web.archive.org/web/20231105201413/https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/trust-between-windows-ad-domain-not-work-correctly "Trust between a Windows NT domain and an Active Directory domain can't be established or it doesn't work as expected - Windows Server | Microsoft Learn | learn.microsoft.com" + code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RestrictAnonymousSAM" /t REG_DWORD /d 1 /f + revertCode: |- + :: Default value is `1` on modern Windows versions (Windows 10 since 22H2, Windows 11 since 22H2) + reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RestrictAnonymousSAM" /t REG_DWORD /d 1 /f + - + name: Disable anonymous access to named pipes and shares + recommend: standard + docs: |- # refactor-with-variables: Same • Caution + This script restricts anonymous access to Named Pipes and Shares [1] [2]. + It reduces security risks by preventing unauthorized access [1] [2]. + *Named Pipes* allow programs on a computer or network to communicate with each other. + *Anonymous access* lets users connect to services without a username or password, increasing + the risk of unauthorized access. + + It configures the `HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters!RestrictNullSessAccess` registry + setting [1] [2] to control null session access, which is a common exploit method via shared folders [2]. + + > **Caution:** + > This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote + > administration is necessary. + + [1]: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63759 "Anonymous access to Named Pipes and Shares must be restricted. 
| www.stigviewer.com" + [2]: https://web.archive.org/web/20240510180133/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares "Network access Restrict anonymous access to Named Pipes and Shares - Windows 10 | Microsoft Learn | learn.microsoft.com" + code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d 1 /f + revertCode: |- + :: Default value is `1` on modern Windows versions (Windows 10 since 22H2, Windows 11 since 23H2) + reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d 1 /f + - + name: Disable hidden remote file access via administrative shares (breaks remote system management software) + recommend: strict + docs: |- # refactor-with-variables: Same • Caution + This script improves your privacy and security by disabling Windows administrative shares, + which are typically used for remote access to your computer's file system. + + Windows automatically creates hidden administrative shares, such as `C$` and `D$`, that allow system administrators remote access to + every disk volume on your computer [1] [2]. These shares are often targeted as potential attack vectors [3]. + + Disabling administrative shares is generally a good practice for enhancing security. It is recommended by various security standards + and compliance frameworks, including some government standards [3], PCI-DSS [4], and CIS [2]. It reduces the system's vulnerability + to unauthorized remote access. + + These shares are often used for system administrators to perform tasks like software installation and vulnerability scanning + remotely [1]. Disabling them may limit remote management capabilities. 
This might require setting up network shares manually + for specific folders or drives, which is more secure but requires additional effort. + + Some software, such as Microsoft Systems Management Server (SMS) [2], Microsoft Operations Manager [2], Microsoft PsTools [5], + and certain third-party network backup applications [2], rely on administrative shares. Therefore, disabling these shares could + disrupt their functionality. + + > **Caution:** + > This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote + > administration is necessary. + + [1]: https://web.archive.org/web/20230831114315/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/remove-administrative-shares "Remove administrative shares - Windows Server | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20231206152703/http://www.itref.ir/uploads/editor/1edad0.pdf "CIS Microsoft Windows 8 Benchmark | itref.ir" + [3]: https://web.archive.org/web/20230831124304/https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/Business-Partner-System-Security-Manual-BPSSM.pdf "CMS Manual System | Pub 100-17 Medicare Business Partners | Department of Health & Human Services (DHHS) & Centers for Medicare & Medicaid Services (CMS) | cms.gov" + [4]: https://web.archive.org/web/20230831124324/https://www.unifiedcompliance.com/products/search-authority-documents/authority-document/1071/ "Payment Card Organizations > PCI Security Standards Council | Unified Compliance | www.unifiedcompliance.com" + [5]: https://web.archive.org/web/20240510180222/https://github.com/undergroundwires/privacy.sexy/issues/249 "Disabling administrative shares breaks PsTools | undergroundwires/privacy.sexy | github.com" + code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d 0 /f + revertCode: reg delete 
"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /f # Key does not exist since Windows 11 22H2 + - + name: Disable anonymous enumeration of shares + recommend: standard + docs: |- # refactor-with-variables: Same • Caution + This script disables the anonymous enumeration of shares to prevent unauthorized users from + listing account names and shared resources, which could serve as a roadmap for attackers [1]. + + It configures the `HKLM\SYSTEM\CurrentControlSet\Control\LSA!RestrictAnonymous` registry key to ensure that + such enumeration is blocked, improving system security against potential breaches [1]. + + > **Caution:** + > This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote + > administration is necessary. + + [1]: https://web.archive.org/web/20240510180528/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63749 "Anonymous enumeration of shares must be restricted. | www.stigviewer.com" + code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t REG_DWORD /d "1" /f + revertCode: |- # 0 by default since Windows 10 Pro (≥ 22H2) and Windows 11 Windows 10 Pro (≥ 23H2) + reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t REG_DWORD /d "0" /f + - + name: Disable "Telnet Client" feature + recommend: standard # Already disabled by default in Windows + docs: |- # refactor-with-variables: Same • Caution + This script disables the **Telnet Client** feature in Windows. + + The Telnet Client enables remote server connections [1]. + It is inherently insecure because it transmits all data, including sensitive credentials, + in clear text without encryption [2] [3]. + This lack of encryption makes it vulnerable to interception and misuse [3]. + Due to these security flaws, entities such as NIST [2], Department of Defense [2] + and Microsoft [1] recommend removing or disabling this feature. 
+ + Although this feature is disabled by default in newer versions of Windows [1], ensuring + that it remains disabled can prevent accidental or unauthorized use. + + > **Caution:** + > This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote + > administration is necessary. + + ### Overview of default feature statuses + + | | | + | ---- | --- | + | **Feature name** | `TelnetClient` | + | **Display name** | Telnet Client | + | **Description** | Allows you to connect to other computers remotely. | + | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled | + | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled | + + [1]: https://web.archive.org/web/20231207105605/https://social.technet.microsoft.com/wiki/contents/articles/38433.windows-10-enabling-telnet-client.aspx "Windows 10: Enabling Telnet Client - TechNet Articles - United States (English) - TechNet Wiki | social.technet.microsoft.com" + [2]: https://web.archive.org/web/20240413140012/https://www.stigviewer.com/stig/microsoft_windows_10/2023-09-29/finding/V-220721 "The Telnet Client must not be installed on the system. | stigviewer.com" + [3]: https://web.archive.org/web/20240413140230/https://it.mst.edu/policies/secure-telnet/ "Secure Telnet – Information Technology | Missouri S&T | it.mst.edu" + call: + function: DisableWindowsFeature + parameters: + featureName: TelnetClient # Get-WindowsOptionalFeature -FeatureName 'TelnetClient' -Online + disabledByDefault: true + - + name: Remove "RAS Connection Manager Administration Kit (CMAK)" capability + docs: |- # refactor-with-variables: Same • Caution + This script removes the "RAS Connection Manager Administration Kit (CMAK)" (`RasCMAK.Client` [1]) capability. + + CMAK is a tool that allows the creation of profiles for connecting to remote servers and networks [1]. + + Though useful for remote connections, this capability might be unnecessary for many users. 
+ Removing it can simplify the system's network configuration and enhance security by reducing potential attack vectors. + + This capability is not included in the standard installation of Windows [1]. + + > **Caution:** + > This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote + > administration is necessary. + + [1]: https://web.archive.org/web/20240411120309/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11#networking-tools "Available features on demand | Microsoft Learn | learn.microsoft.com" + call: + function: UninstallCapability + parameters: + capabilityName: RasCMAK.Client + - + name: Disable Windows Remote Assistance feature + recommend: standard + docs: |- + This script disables the Windows Remote Assistance feature to improve your system's privacy and security. + Windows Remote Assistance allows a third party to remotely access your PC [1]. + This capability, known as *Solicited Remote Assistance* [2], enables another user to view or take + control of your computer [2] [3] [4] [5]. + + Disabling Remote Assistance improves security by: + + - Preventing others from remotely viewing or controlling your computer [2]. + - Reducing the risk of exploitation from RDP-related vulnerabilities [5]. + - Reducing the attack surface by eliminating unnecessary remote access functionalities. + + The script modifies the following settings to achieve this: + + - It configures `fAllowToGetHelp` to block users from requesting remote assistance [3]. + - It configures `fAllowFullControl` to prevent remote users from gaining full control of the system [4]. + + These changes are applied via: + + - The application setting in the Windows registry at `HKLM\System\CurrentControlSet\Control\Remote Assistance` [6]. + - The Group Policy setting at `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` [2]. 
+ + > **Caution:** + > This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote + > administration is necessary. + + [1]: https://web.archive.org/web/20240510233757/https://support.microsoft.com/en-us/windows/solve-pc-problems-remotely-with-remote-assistance-and-easy-connect-cf384ff4-6269-d86e-bcfe-92d72ed55922 "Solve PC problems remotely with Remote Assistance and Easy Connect - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20240510233343/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63651 "Solicited Remote Assistance must not be allowed. | www.stigviewer.com" + [3]: https://web.archive.org/web/20240510233528/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp "fAllowToGetHelp | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240510233541/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowfullcontrol "fAllowFullControl | Microsoft Learn | learn.microsoft.com" + [5]: https://web.archive.org/web/20240510233611/https://learn.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-053 "Microsoft Security Bulletin MS12-053 - Critical | Microsoft Learn | learn.microsoft.com" + [6]: https://web.archive.org/web/20240510233842/https://support.microsoft.com/en-us/topic/an-update-to-disable-the-chat-feature-in-remote-assistance-msra-exe-is-available-for-windows-7-sp1-and-windows-server-2008-r2-sp1-a29674bc-ea7b-d5ab-1314-95cd3b93fcb3 "An update to disable the Chat feature in Remote Assistance (MSRA.exe) is available for Windows 7 SP1 and Windows Server 2008 R2 SP1 - Microsoft Support | support.microsoft.com" + call: + - + function: RunInlineCode + parameters: + code: |- + reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 0 /f + 
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 0 /f + revertCode: |- # 1 by default since Windows 10 Pro (≥ 22H2) and Windows 11 Windows 10 Pro (≥ 23H2) + reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f + reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 1 /f + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services + valueName: AllowBasic + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Windows 10 Pro (≥ 23H2) + - + category: Disable non-essential network components + docs: |- + This category focuses on disabling or removal of specific networking features. + These are generally considered unnecessary or less secure for most users. + + Disabling these features contributes to a more secure and privacy-focused environment by + eliminating potential vulnerabilities and reducing the system's attack surface. + These features may utilize outdated protocols or lack robust encryption and + authentication methods, making them vulnerable to cyberattacks. + If these features are not essential for your daily operations, it is + advisable to disable them to enhance your system's security. + + The scripts target specific networking tools and protocols, ideal for users who don't need these + features, thus streamlining the system and potentially improving performance. + + > **Caution:** Disabling a networking component may cause connectivity issues if required for specific operations. + children: + - + name: Disable "Net.TCP Port Sharing" feature + recommend: strict + docs: |- # refactor-with-variables: Same • Caution + This script disables the "Net.TCP Port Sharing" feature. + + This feature is part of Windows Communication Foundation (WCF) [1]. 
+ + This feature enables multiple WCF applications to share the same TCP port [1]. + It manages incoming connections and routes them to the appropriate application based on + the destination address found in the message stream [1]. + + This increases the system's attack surface [2]: + + - When applications share the same port, more applications are exposed to network traffic. + - It runs under a system account with high permissions, making the system vulnerable to extensive + access by attackers if compromised [2]. + - Poor application configuration can increase risk of serious damage if an application is compromised [1]. + - The security of the system depends significantly on how well each individual application handles security. + + It's disabled by default on Windows due to security concerns [1]. + + > **Caution:** Disabling a networking component may cause connectivity issues if required for specific operations. + + ### Overview of default feature statuses + + | | | + | ---- | --- | + | **Feature name** | `WCF-TCP-PortSharing45` | + | **Display name** | TCP Port Sharing | + | **Description** | TCP Port Sharing | + | **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled | + | **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled | + + [1]: https://web.archive.org/web/20240314102452/https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/net-tcp-port-sharing "Net.TCP Port Sharing - WCF | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240413140234/https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-03-09/finding/V-3487 "Services will be documented and unnecessary services will not be installed or will be disabled. 
| stigviewer.com" + call: + function: DisableWindowsFeature + parameters: + featureName: WCF-TCP-PortSharing45 # Get-WindowsOptionalFeature -FeatureName 'WCF-TCP-PortSharing45' -Online + - + name: Disable "SMB Direct" feature + recommend: strict + docs: |- # refactor-with-variables: Same • Caution + This script disables "SMB Direct" feature. + + SMB Direct improves file transfer speeds across networks by utilizing network adapters that are + Remote Direct Memory Access (RDMA) capable [1]. + + Although not inherently insecure [2], maintaining unnecessary software can increase the attack surface, + especially if the underlying RDMA hardware has vulnerabilities. + + > **Caution:** Disabling a networking component may cause connectivity issues if required for specific operations. + + ### Overview of default feature statuses + + | | | + | ---- | --- | + | **Feature name** | `SMB Direct` | + | **Display name** | SMB Direct | + | **Description** | Remote Direct Memory Access (RDMA) support for the SMB 3.x file sharing protocol | + | **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled | + | **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled | + + [1]: https://web.archive.org/web/20240314102437/https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-direct?tabs=disable "Improve performance of a file server with SMB Direct | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240413124106/https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858 "Stop using SMB1 - Microsoft Community Hub | techcommunity.microsoft.com" + call: + function: DisableWindowsFeature + parameters: + featureName: SmbDirect # Get-WindowsOptionalFeature -FeatureName 'SmbDirect' -Online + - + name: Disable "TFTP Client" feature + recommend: standard # Disabled by default + docs: |- # refactor-with-variables: Same • Caution + This script disables the "TFTP Client" feature. 
+ + The TFTP Client supports file transfers using the *Trivial File Transfer Protocol (TFTP)*. + TFTP protocol is insecure because it lacks authentication and encryption capabilities [1] [2] [3]. + This makes data transferred via TFTP vulnerable to eavesdropping and tampering [2] [3]. + + Although TFTP's simplicity can be advantageous in certain contexts, such as configuring network devices, + its security risks generally outweigh these benefits. + Disabling it helps mitigate the risk of unauthorized data access and simplifies system security management [1] [2]. + + > **Caution:** Disabling a networking component may cause connectivity issues if required for specific operations. + + ### Overview of default feature statuses + + | | | + | ---- | --- | + | **Feature name** | `TFTP` | + | **Display name** | TFTP Client | + | **Description** | Transfer files using the Trivial File Transfer Protocol | + | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled | + | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled | + + [1]: https://web.archive.org/web/20240413142327/https://www.stigviewer.com/stig/windows_server_2016/2018-03-07/finding/V-73297 "The TFTP Client must not be installed. | www.stigviewer.com" + [2]: https://web.archive.org/web/20240413142325/https://www.tenable.com/audits/items/Juniper_Hardening_Junos_Devices.audit:0343769f1ea790c8345e961c9a442ec6 "Access Security - Disable insecure or unnecessary access servi... 
| Tenable® | www.tenable.com" + [3]: https://archive.ph/2024.04.13-142535/https://www.infosecinstitute.com/resources/incident-response-resources/network-traffic-analysis-for-ir-tftp-with-wireshark/ "Network traffic analysis for IR: TFTP with Wireshark | Infosec | www.infosecinstitute.com" + call: + function: DisableWindowsFeature + parameters: + featureName: TFTP # Get-WindowsOptionalFeature -FeatureName 'TFTP' -Online + disabledByDefault: true + - + name: Remove "RIP Listener" capability + docs: |- # refactor-with-variables: *Caution** + This script removes the "RIP Listener" (`RIP.Listener` [1]) capability. + + The RIP Listener listens for route updates from routers using the Routing Information Protocol version 1 (RIPV1) [1]. + + RIPV1 is an older protocol that might be redundant in modern networks, despite its specific utilities. + Removing this feature can contribute to a more secure system by eliminating unnecessary network + listening capabilities. + + This capability is not included in the standard installation of Windows [1]. + + > **Caution:** Disabling a networking component may cause connectivity issues if required for specific operations. + + [1]: https://web.archive.org/web/20240411120309/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11#networking-tools "Available features on demand | Microsoft Learn | learn.microsoft.com" + call: + function: UninstallCapability + parameters: + capabilityName: RIP.Listener + - + name: Remove "Simple Network Management Protocol (SNMP)" capability + docs: |- # refactor-with-variables: Same • Caution + This script removes the "Simple Network Management Protocol (SNMP)" (`SNMP.Client` [1]) capability. + + SNMP is used for monitoring and managing network devices [1]. 
+ + While it provides valuable information for network administration, it may not be essential for + all users and can expose the system to additional network traffic and potential vulnerabilities. + + This capability is not included in the standard installation of Windows [1]. + + > **Caution:** Disabling a networking component may cause connectivity issues if required for specific operations. + + [1]: https://web.archive.org/web/20240411120309/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11#networking-tools "Available features on demand | Microsoft Learn | learn.microsoft.com" + call: + function: UninstallCapability + parameters: + capabilityName: SNMP.Client + - + name: Remove "SNMP WMI Provider" capability + docs: |- # refactor-with-variables: Same • Caution + This script removes the "SNMP WMI Provider" (`WMI-SNMP-Provider.Client` [1]) capability. + + This feature enables Windows Management Instrumentation (WMI) clients to access SNMP information [1]. + SNMP is used for monitoring and managing network devices [1]. + + Integrating SNMP data into WMI, this capability may be extraneous for those not needing SNMP monitoring. + Removing this capability can simplify the system's management interfaces and improve its security posture + by limiting the ways in which network information is accessed and exposed. + + This capability is not included in the standard installation of Windows [1]. + + > **Caution:** Disabling a networking component may cause connectivity issues if required for specific operations. 
+ + [1]: https://web.archive.org/web/20240411120309/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11#networking-tools "Available features on demand | Microsoft Learn | learn.microsoft.com" + call: + function: UninstallCapability + parameters: + capabilityName: WMI-SNMP-Provider.Client + - + category: Disable clipboard data collection + docs: |- + This category includes scripts that focus on disabling various aspects of clipboard data collection in Windows. + The clipboard is a critical component of the operating system, often containing sensitive data such as usernames, passwords, and other + personal information [1]. + However, features such as clipboard history and device synchronization can significantly increase privacy and security risks. + + By default, Windows tends to store clipboard data in an unencrypted format [2], making it easily accessible to malicious applications or scripts. + Additionally, data synchronization features can lead to sensitive information being stored on remote servers or shared across devices, increasing the + risk of data exposure. + + The scripts in this category address these risks by disabling the related features.. + While these features offer convenience and productivity benefits, they can inadvertently compromise user privacy and security. + + > **Caution**: Applying these scripts may lead to a loss of certain functionalities. Users who rely on these features for their daily tasks should + > consider the trade-offs before proceeding with these changes. 
+ + [1]: https://web.archive.org/web/20240119160347/https://github.com/undergroundwires/privacy.sexy/issues/247 "Disable Clipboard History · Issue #247 · undergroundwires/privacy.sexy · GitHub | github.com" + [2]: https://web.archive.org/web/20240119151846/https://ghostvolt.com/blog/Is-the-Windows-Clipboard-Function-History-or-Sync-Secure.html "Is the Windows Clipboard Function, History or Sync Secure | ghostvolt.com" + children: + - + name: Disable Cloud Clipboard (breaks clipboard sync) + recommend: strict + docs: |- + This script disables the Cloud Clipboard feature [1], also known as the cross-device clipboard [2]. + The Cloud Clipboard, introduced in the Windows 10 October 2018 Update [3], synchronizes clipboard contents across Windows + devices [1] [2] [4]. While this feature enhances usability, it can pose a privacy risk as sensitive information like passwords or credit card + details [5] might be inadvertently synchronized and stored on Microsoft servers. + + Disabling Cloud Clipboard is recommended in secure environments where clipboard data should remain local to the system, avoiding + potential exposure or misuse of sensitive information [6]. The Center for Internet Security (CIS) recommends disabling this feature in + such settings for enhanced security [6]. Moreover, Microsoft acknowledges that disabling network connections linked to the Cloud Clipboard + can improve privacy [1]. This script secures your clipboard data by preventing unauthorized access from other processes on your computer + or network, reducing the risk of data theft. + + The script configures the following registry keys: + + - `HKLM\SOFTWARE\Policies\Microsoft\Windows\System!AllowCrossDeviceClipboard`: Disables the Cloud Clipboard feature, preventing + clipboard synchronization across devices [1] [2] [6]. + - `HKCU\SOFTWARE\Microsoft\Clipboard!CloudClipboardAutomaticUpload`: Stops the automatic upload of clipboard data to the cloud [7]. 
+ + > **Caution**: After running this script, clipboard contents will not synchronize across devices [1] [2] [6]. + > Text or images copied on one device will not be accessible on other devices [3] [4] [5]. + > This enhances privacy and security but limits the clipboard's functionality across your Windows devices. + + [1]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#30-cloud-clipboard "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn" + [2]: https://web.archive.org/web/20240119150031/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#allowcrossdeviceclipboard "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20210619004804/https://community.windows.com/en-us/stories/cloud-clipboard-windows-10 "Copy and paste across Windows 10 devices using cloud clipboard | Windows Community | community.windows.com" + [4]: https://web.archive.org/web/20240119150040/https://support.microsoft.com/en-us/windows/clipboard-in-windows-c436501e-985d-1c8d-97ea-fe46ddf338c6 "Clipboard in Windows - Microsoft Support | support.microsoft.com" + [5]: https://web.archive.org/web/20240119160347/https://github.com/undergroundwires/privacy.sexy/issues/247 "Disable Clipboard History · Issue #247 · undergroundwires/privacy.sexy · GitHub | github.com" + [6]: https://web.archive.org/web/20240119145854/https://www.tenable.com/audits/items/CIS_MS_InTune_for_Windows_11_Level_2_BitLocker_v1.0.0.audit:19bea796bd6a86f37028214bbed97ffd "18.8.31.1 Ensure 'Allow Clipboard synchronization across devic... 
| Tenable® | www.tenable.com" + [7]: https://web.archive.org/web/20240119145950/https://www.elevenforum.com/t/enable-or-disable-clipboard-sync-across-devices-in-windows-11.976/ "Enable or Disable Clipboard Sync Across Devices in Windows 11 Tutorial | Windows 11 Forum | elevenforum.com" + call: + - + function: RunInlineCode + parameters: + code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "AllowCrossDeviceClipboard" /t "REG_DWORD" /d "0" /f + # This key does not exist by default since Windows 10 22H2 and Windows 11 23H2 + revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "AllowCrossDeviceClipboard" /f 2>nul + - + function: RunInlineCode + parameters: + code: reg add "HKCU\Software\Microsoft\Clipboard" /v "CloudClipboardAutomaticUpload" /t "REG_DWORD" /d "0" /f + # This key does not exist by default since Windows 10 22H2 and Windows 11 23H2 + revertCode: reg delete "HKCU\Software\Microsoft\Clipboard" /v "CloudClipboardAutomaticUpload" /f 2>nul + - + name: Disable clipboard history + recommend: standard + docs: |- + This script deactivates the clipboard history feature in Windows, a feature that is enabled by default [1] [2]. + Regularly, users copy sensitive data such as usernames and passwords to their clipboard, making clipboard history + valuable to attackers for gathering information for post-exploitation activities like lateral movement. + + Microsoft introduced clipboard history in the Windows 10 October 2018 Update [1], offering enhanced functionality, including + multi-device sync and customizable history management [1]. + Despite these benefits, clipboard history poses several security risks: + + - **Plain Text Storage**: Clipboard data is stored unencrypted, making it vulnerable to access by malicious applications [3]. + - **Persistent Memory**: The data remains in memory until overwritten or the machine restarts, exposing it to unauthorized access + by other users or malware [3]. 
+ - **Process Accessibility**: Most running processes and applications can access clipboard data, increasing the risk if any are malicious [3]. + - **Open Network Threats**: Malicious website scripts could potentially access clipboard data, leading to data theft [3]. + - **Windows Clipboard History**: Stores the last 25 copied text and image items, which could include sensitive information [3]. + - **Increased Attack Surface**: Clipboard history is susceptible to exploitation by malware that silently accesses and logs clipboard data [3]. + + Microsoft's privacy statement also indicates that clipboard data could be used for marketing and advertising purposes [4]. + + Given these risks, especially when handling sensitive data like passwords or credit card numbers [5], it is advisable for + users concerned about security to disable clipboard history to safeguard their privacy. + + This script modifies Windows Registry keys to turn off clipboard history and sync features: + + - `HKCU\Software\Microsoft\Clipboard!EnableClipboardHistory`: Disables the local clipboard history for the current user [6] [7] [8]. + - `HKLM\SOFTWARE\Policies\Microsoft\Windows\System!AllowClipboardHistory`: Disables the policy for storing clipboard contents [2] [9]. 
+ + [1]: https://web.archive.org/web/20210619004804/https://community.windows.com/en-us/stories/cloud-clipboard-windows-10 "Copy and paste across Windows 10 devices using cloud clipboard | Windows Community | community.windows.com" + [2]: https://web.archive.org/web/20240119153212/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#allowclipboardhistory "Experience Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240119151846/https://ghostvolt.com/blog/Is-the-Windows-Clipboard-Function-History-or-Sync-Secure.html "Is the Windows Clipboard Function, History or Sync Secure | ghostvolt.com" + [4]: https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement "Microsoft Privacy Statement – Microsoft privacy | privacy.microsoft.com" + [5]: https://web.archive.org/web/20240119160347/https://github.com/undergroundwires/privacy.sexy/issues/247 "Disable Clipboard History · Issue #247 · undergroundwires/privacy.sexy · GitHub | github.com" + [6]: https://web.archive.org/web/20240119153118/https://www.elevenforum.com/t/enable-or-disable-clipboard-history-in-windows-11.973/ "Enable or Disable Clipboard History in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com" + [7]: https://web.archive.org/web/20240119153113/https://itechbrand.com/how-to-enable-and-use-clipboard-history-on-windows-10/ "How to: Enable and Use Clipboard History on Windows 10 | ITechBrand | itechbrand.com" + [8]: https://web.archive.org/web/20240119153250/https://labs.withsecure.com/tools/sharpcliphistory "SharpClipHistory | WithSecure™ Labs | labs.withsecure.com" + [9]: https://web.archive.org/web/20240119153231/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.OSPolicy::AllowClipboardHistory "Allow Clipboard History | admx.help" + call: + - + function: RunInlineCode + parameters: + code: reg add "HKCU\Software\Microsoft\Clipboard" /v 
"EnableClipboardHistory" /t REG_DWORD /d 0 /f + # This key does not exist by default since Windows 10 22H2 and Windows 11 23H2 + revertCode: reg delete "HKCU\Software\Microsoft\Clipboard" /v "EnableClipboardHistory" /f 2>nul + - + function: RunInlineCode + parameters: + code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "AllowClipboardHistory" /t "REG_DWORD" /d "0" /f + # This key does not exist by default since Windows 10 22H2 and Windows 11 23H2 + revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "AllowClipboardHistory" /f 2>nul + - + name: Disable background clipboard data collection (`cbdhsvc`) (breaks clipboard history and sync) + recommend: strict + docs: |- + This script disables `cbdhsvc` also known as "Clipboard User Service" [1]. + This service is responsible for clipboard history and synchronization across devices [1]. + + Microsoft acknowledges that disabling this service does not adversely affect the system's core functionality [2]. + + Disabling this service enhances your security by reducing your system's + vulnerability surface. This service has been historically susceptible to vulnerabilities such as Privilege Escalation vulnerability [3]. + Turning off `cbdhsvc` also helps improve system performance by reducing the number of background processes as `cbdhsvc` runs automatically + in the background [1]. + Additionally, it enhances privacy by preventing the storage and sharing of clipboard history with Microsoft servers. + Clipboard data often contains sensitive information, including passwords and credit card numbers [4]. + + > **Caution**: Disabling this service will remove the functionalities for clipboard history and synchronization across devices. + > If you depend on these features, you should weigh the benefits against the loss of these functionalities. 
+ + [1]: https://web.archive.org/web/20240119153912/https://learn.microsoft.com/en-us/windows/application-management/per-user-services-in-windows "Per-user services - Windows Application Management | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services#per-user-services "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn" + [3]: https://archive.ph/2024.01.19-154717/https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21869 "CVE-2022-21869 - Security Update Guide - Microsoft - Clipboard User Service Elevation of Privilege Vulnerability | rc.microsoft.com" + [4]: https://web.archive.org/web/20240119160347/https://github.com/undergroundwires/privacy.sexy/issues/247 "Disable Clipboard History · Issue #247 · undergroundwires/privacy.sexy · GitHub | github.com" + call: + function: DisablePerUserService + parameters: + # Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\cbdhsvc").Start + # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\cbdhsvc_*").Start + serviceName: cbdhsvc + defaultStartupMode: Automatic + - + category: Enable protection against Meltdown and Spectre + docs: https://support.microsoft.com/en-us/topic/kb4072698-windows-server-and-azure-stack-hci-guidance-to-protect-against-silicon-based-microarchitectural-and-speculative-execution-side-channel-vulnerabilities-2f965763-00e2-8f98-b632-0d96f30c8c8e + children: + - + name: Mitigate Spectre Variant 2 and Meltdown in host operating system + code: |- + reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d 3 /f + wmic cpu get name | findstr "Intel" >nul && ( + reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 0 /f + ) + wmic cpu get name 
| findstr "AMD" >nul && ( + reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 64 /f + ) + revertCode: |- + reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d 3 /f + reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 3 /f + - + name: Mitigate Spectre Variant 2 and Meltdown in Hyper-V + code: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f + revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /f + - + name: Enable Data Execution Prevention (DEP) + code: |- + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 0 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /t REG_DWORD /d 0 /f + revertCode: |- + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /t REG_DWORD /d 1 /f + - + name: Disable AutoPlay and AutoRun + docs: + - https://en.wikipedia.org/wiki/AutoRun + - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63667 + - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63671 + - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63673 + recommend: standard + code: |- + :: 255 (0xff) means all drives + reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d 255 /f + reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v 
"NoAutoplayfornonVolume" /t REG_DWORD /d 1 /f + revertCode: |- + reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /f + reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d 2 /f + reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoAutoplayfornonVolume" /f + - + name: Disable lock screen camera access + recommend: standard + docs: https://www.stigviewer.com/stig/windows_8_8.1/2014-06-27/finding/V-43237 + code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "NoLockScreenCamera" /t REG_DWORD /d 1 /f + revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\Personalization" /v NoLockScreenCamera /f + - + name: Disable storage of the LAN Manager password hashes + recommend: standard + docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63797 + code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d 1 /f + revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d 0 /f + - + name: Disable "Always install with elevated privileges" in Windows Installer + recommend: standard + docs: https://www.stigviewer.com/stig/windows_8/2013-07-03/finding/V-34974 + code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 0 /f + revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 1 /f + - + name: Enable Structured Exception Handling Overwrite Protection (SEHOP) + recommend: standard + docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-68849 + code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 0 /f + revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 1 /f + - 
+ name: Enable security against PowerShell 2.0 downgrade attacks + recommend: standard + docs: |- + See: [The Windows PowerShell 2.0 feature must be disabled on the system. | stigviewer.com](https://web.archive.org/web/20240406114721/https://www.stigviewer.com/stig/windows_10/2017-02-21/finding/V-70637) + + ### Overview of default feature statuses + + `MicrosoftWindowsPowerShellV2`: + + | | | + | ---- | --- | + | **Feature name** | `MicrosoftWindowsPowerShellV2` | + | **Display name** | Windows PowerShell 2.0 Engine | + | **Description** | Adds or Removes Windows PowerShell 2.0 Engine | + | **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled | + | **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled | + + `MicrosoftWindowsPowerShellV2Root`: + + | | | + | ---- | --- | + | **Feature name** | `MicrosoftWindowsPowerShellV2Root` | + | **Display name** | Windows PowerShell 2.0 | + | **Description** | Adds or Removes Windows PowerShell 2.0 | + | **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled | + | **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled | + call: + - + function: DisableWindowsFeature + parameters: + featureName: MicrosoftWindowsPowerShellV2 # Get-WindowsOptionalFeature -FeatureName 'MicrosoftWindowsPowerShellV2' -Online + - + function: DisableWindowsFeature + parameters: + featureName: MicrosoftWindowsPowerShellV2Root # Get-WindowsOptionalFeature -FeatureName 'MicrosoftWindowsPowerShellV2Root' -Online + - + name: Disable "Windows Connect Now" wizard + recommend: standard + docs: + - https://web.archive.org/web/20240314130322/https://learn.microsoft.com/en-us/windows/win32/wcn/about-windows-connect-now + - https://www.stigviewer.com/stig/windows_server_20122012_r2_domain_controller/2019-01-16/finding/V-15698 + code: |- + reg add "HKLM\Software\Policies\Microsoft\Windows\WCN\UI" /v "DisableWcnUi" /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableFlashConfigRegistrar" /t REG_DWORD /d 0 /f + reg add 
"HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableInBand802DOT11Registrar" /t REG_DWORD /d 0 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableUPnPRegistrar" /t REG_DWORD /d 0 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableWPDRegistrar" /t REG_DWORD /d 0 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "EnableRegistrars" /t REG_DWORD /d 0 /f + revertCode: |- + reg add "HKLM\Software\Policies\Microsoft\Windows\WCN\UI" /v "DisableWcnUi" /t REG_DWORD /d 0 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableFlashConfigRegistrar" /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableInBand802DOT11Registrar" /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableUPnPRegistrar" /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableWPDRegistrar" /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "EnableRegistrars" /t REG_DWORD /d 1 /f - category: Block tracking hosts docs: |- 
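Review bot: the revert codes in this hunk are inconsistent, and two of them leave the machine with an explicitly weaker policy than a fresh install instead of restoring the pre-script state: `revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 1 /f` turns on elevated Windows Installer runs for every user, and `reg add "...\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 1 /f` turns SEHOP off, whereas the sibling NoLockScreenCamera and NoDriveTypeAutoRun reverts in the same hunk use `reg delete ... /f` to put the policy back to "not configured". Suggest `reg delete ... /f` for AlwaysInstallElevated, DisableExceptionChainValidation and NoLMHash as well, so a revert removes the script's value rather than writing its opposite. The same applies to the "Windows Connect Now" revert, which writes `EnableRegistrars` = 1 together with all four `Disable*Registrar` = 1: that is an explicit policy configuration, not the absence of one, and it is not what the forward code replaces.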
@@ -16314,230 +16703,76 @@ actions: featureName: LegacyComponents # Get-WindowsOptionalFeature -FeatureName 'LegacyComponents' -Online disabledByDefault: true - - category: Disable server features + category: Disable Hyper-V virtualization features children: - - category: Disable Hyper-V virtualization features - children: - - - name: Disable "Hyper-V" feature - docs: |- - ### Overview of default feature statuses - - | | | - | ---- | --- | - | **Feature name** | `Microsoft-Hyper-V-All` | - | **Display name** | Hyper-V | - | **Description** | Provides services and management tools for creating and running virtual machines and their resources. | - | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled | - | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled | - call: - function: DisableWindowsFeature - parameters: - featureName: Microsoft-Hyper-V-All # Get-WindowsOptionalFeature -FeatureName 'Microsoft-Hyper-V-All' -Online - disabledByDefault: true - - - name: Disable "Hyper-V GUI Management Tools" feature - docs: |- - ### Overview of default feature statuses - - | | | - | ---- | --- | - | **Feature name** | `Microsoft-Hyper-V-Management-Clients` | - | **Display name** | Hyper-V GUI Management Tools | - | **Description** | Includes the Hyper-V Manager snap-in and Virtual Machine Connection tool. | - | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled | - | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled | - call: - function: DisableWindowsFeature - parameters: - featureName: Microsoft-Hyper-V-Management-Clients # Get-WindowsOptionalFeature -FeatureName 'Microsoft-Hyper-V-Management-Clients' -Online - disabledByDefault: true - - - name: Disable "Hyper-V Management Tools" feature - docs: |- - ### Overview of default feature statuses - - | | | - | ---- | --- | - | **Feature name** | `Microsoft-Hyper-V-Tools-All` | - | **Display name** | Hyper-V Management Tools | - | **Description** | Includes GUI and command-line tools for managing Hyper-V. 
| - | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled | - | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled | - call: - function: DisableWindowsFeature - parameters: - featureName: Microsoft-Hyper-V-Tools-All # Get-WindowsOptionalFeature -FeatureName 'Microsoft-Hyper-V-Tools-All' -Online - disabledByDefault: true # Default: Disabled (tested: Windows 10 22H2, Windows 11 23H2) - - - name: Disable "Hyper-V Module for Windows PowerShell" feature - docs: |- - ### Overview of default feature statuses - - | | | - | ---- | --- | - | **Feature name** | `Microsoft-Hyper-V-Management-PowerShell` | - | **Display name** | Hyper-V Module for Windows PowerShell | - | **Description** | Includes Windows PowerShell cmdlets for managing Hyper-V. | - | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled | - | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled | - call: - function: DisableWindowsFeature - parameters: - featureName: Microsoft-Hyper-V-Management-PowerShell # Get-WindowsOptionalFeature -FeatureName 'Microsoft-Hyper-V-Management-PowerShell' -Online - disabledByDefault: true - - - category: Disable networking features + name: Disable "Hyper-V" feature docs: |- - This category focuses on disabling specific networking features in Windows. - These are generally considered unnecessary or less secure for most users. + ### Overview of default feature statuses - Disabling these features can significantly reduce the system's exposure to potential - cyber threats by minimizing the attack surface. - Many of these features utilize outdated protocols or lack robust encryption and - authentication methods, making them vulnerable to cyberattacks. - If these features are not essential for your daily operations, it is - advisable to disable them to enhance your system's security. + | | | + | ---- | --- | + | **Feature name** | `Microsoft-Hyper-V-All` | + | **Display name** | Hyper-V | + | **Description** | Provides services and management tools for creating and running virtual machines and their resources. 
| + | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled | + | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled | + call: + function: DisableWindowsFeature + parameters: + featureName: Microsoft-Hyper-V-All # Get-WindowsOptionalFeature -FeatureName 'Microsoft-Hyper-V-All' -Online + disabledByDefault: true + - + name: Disable "Hyper-V GUI Management Tools" feature + docs: |- + ### Overview of default feature statuses - > **Caution**: Disabling a networking feature may cause connectivity issues if required for specific operations. - children: - - - name: Disable "Telnet Client" feature - docs: |- - This script disables the **Telnet Client** feature in Windows. + | | | + | ---- | --- | + | **Feature name** | `Microsoft-Hyper-V-Management-Clients` | + | **Display name** | Hyper-V GUI Management Tools | + | **Description** | Includes the Hyper-V Manager snap-in and Virtual Machine Connection tool. | + | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled | + | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled | + call: + function: DisableWindowsFeature + parameters: + featureName: Microsoft-Hyper-V-Management-Clients # Get-WindowsOptionalFeature -FeatureName 'Microsoft-Hyper-V-Management-Clients' -Online + disabledByDefault: true + - + name: Disable "Hyper-V Management Tools" feature + docs: |- + ### Overview of default feature statuses - The Telnet Client enables remote server connections [1]. - It is inherently insecure because it transmits all data, including sensitive credentials, - in clear text without encryption [2] [3]. - This lack of encryption makes it vulnerable to interception and misuse [3]. - Due to these security flaws, entities such as NIST [2], Department of Defense [2] - and Microsoft [1] recommend removing or disabling this feature. + | | | + | ---- | --- | + | **Feature name** | `Microsoft-Hyper-V-Tools-All` | + | **Display name** | Hyper-V Management Tools | + | **Description** | Includes GUI and command-line tools for managing Hyper-V. 
| + | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled | + | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled | + call: + function: DisableWindowsFeature + parameters: + featureName: Microsoft-Hyper-V-Tools-All # Get-WindowsOptionalFeature -FeatureName 'Microsoft-Hyper-V-Tools-All' -Online + disabledByDefault: true # Default: Disabled (tested: Windows 10 22H2, Windows 11 23H2) + - + name: Disable "Hyper-V Module for Windows PowerShell" feature + docs: |- + ### Overview of default feature statuses - Although this feature is disabled by default in newer versions of Windows [1], ensuring - that it remains disabled can prevent accidental or unauthorized use. - - [1]: https://web.archive.org/web/20231207105605/https://social.technet.microsoft.com/wiki/contents/articles/38433.windows-10-enabling-telnet-client.aspx "Windows 10: Enabling Telnet Client - TechNet Articles - United States (English) - TechNet Wiki | social.technet.microsoft.com" - [2]: https://web.archive.org/web/20240413140012/https://www.stigviewer.com/stig/microsoft_windows_10/2023-09-29/finding/V-220721 "The Telnet Client must not be installed on the system. | stigviewer.com" - [3]: https://web.archive.org/web/20240413140230/https://it.mst.edu/policies/secure-telnet/ "Secure Telnet – Information Technology | Missouri S&T | it.mst.edu" - - > **Caution**: Disabling a networking feature may cause connectivity issues if required for specific operations. - - ### Overview of default feature statuses - - | | | - | ---- | --- | - | **Feature name** | `TelnetClient` | - | **Display name** | Telnet Client | - | **Description** | Allows you to connect to other computers remotely. 
| - | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled | - | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled | - call: - function: DisableWindowsFeature - parameters: - featureName: TelnetClient # Get-WindowsOptionalFeature -FeatureName 'TelnetClient' -Online - disabledByDefault: true - - - name: Disable "Net.TCP Port Sharing" feature - docs: |- - This script disables the **Net.TCP Port Sharing** feature. - - This feature is part of Windows Communication Foundation (WCF) [1]. - - This feature enables multiple WCF applications to share the same TCP port [1]. - It manages incoming connections and routes them to the appropriate application based on - the destination address found in the message stream [1]. - - This increases the system's attack surface [2]: - - - When applications share the same port, more applications are exposed to network traffic. - - It runs under a system account with high permissions, making the system vulnerable to extensive - access by attackers if compromised [2]. - - Poor application configuration can increase risk of serious damage if an application is compromised [1]. - - The security of the system depends significantly on how well each individual application handles security. - - It's disabled by default on Windows due to security concerns [1]. - - > **Caution**: Disabling a networking feature may cause connectivity issues if required for specific operations. 
- - ### Overview of default feature statuses - - | | | - | ---- | --- | - | **Feature name** | `WCF-TCP-PortSharing45` | - | **Display name** | TCP Port Sharing | - | **Description** | TCP Port Sharing | - | **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled | - | **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled | - - [1]: https://web.archive.org/web/20240314102452/https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/net-tcp-port-sharing "Net.TCP Port Sharing - WCF | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20240413140234/https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-03-09/finding/V-3487 "Services will be documented and unnecessary services will not be installed or will be disabled. | stigviewer.com" - call: - function: DisableWindowsFeature - parameters: - featureName: WCF-TCP-PortSharing45 # Get-WindowsOptionalFeature -FeatureName 'WCF-TCP-PortSharing45' -Online - - - name: Disable "SMB Direct" feature - docs: |- - This script disables **SMB Direct** feature. - - SMB Direct improves file transfer speeds across networks by utilizing network adapters that are - Remote Direct Memory Access (RDMA) capable [1]. - - Although not inherently insecure [2], maintaining unnecessary software can increase the attack surface, - especially if the underlying RDMA hardware has vulnerabilities. - - > **Caution**: Disabling a networking feature may cause connectivity issues if required for specific operations. 
- - ### Overview of default feature statuses - - | | | - | ---- | --- | - | **Feature name** | `SMB Direct` | - | **Display name** | SMB Direct | - | **Description** | Remote Direct Memory Access (RDMA) support for the SMB 3.x file sharing protocol | - | **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled | - | **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled | - - [1]: https://web.archive.org/web/20240314102437/https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-direct?tabs=disable "Improve performance of a file server with SMB Direct | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20240413124106/https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858 "Stop using SMB1 - Microsoft Community Hub | techcommunity.microsoft.com" - call: - function: DisableWindowsFeature - parameters: - featureName: SmbDirect # Get-WindowsOptionalFeature -FeatureName 'SmbDirect' -Online - - - name: Disable "TFTP Client" feature - docs: |- - This script disables the **TFTP Client** feature. - - The TFTP Client supports file transfers using the *Trivial File Transfer Protocol (TFTP)*. - TFTP protocol is insecure because it lacks authentication and encryption capabilities [1] [2] [3]. - This makes data transferred via TFTP vulnerable to eavesdropping and tampering [2] [3]. - - Although TFTP's simplicity can be advantageous in certain contexts, such as configuring network devices, - its security risks generally outweigh these benefits. - Disabling it helps mitigate the risk of unauthorized data access and simplifies system security management [1] [2]. - - > **Caution**: Disabling a networking feature may cause connectivity issues if required for specific operations. - - [1]: https://web.archive.org/web/20240413142327/https://www.stigviewer.com/stig/windows_server_2016/2018-03-07/finding/V-73297 "The TFTP Client must not be installed. 
| www.stigviewer.com" - [2]: https://web.archive.org/web/20240413142325/https://www.tenable.com/audits/items/Juniper_Hardening_Junos_Devices.audit:0343769f1ea790c8345e961c9a442ec6 "Access Security - Disable insecure or unnecessary access servi... | Tenable® | www.tenable.com" - [3]: https://archive.ph/2024.04.13-142535/https://www.infosecinstitute.com/resources/incident-response-resources/network-traffic-analysis-for-ir-tftp-with-wireshark/ "Network traffic analysis for IR: TFTP with Wireshark | Infosec | www.infosecinstitute.com" - - ### Overview of default feature statuses - - | | | - | ---- | --- | - | **Feature name** | `TFTP` | - | **Display name** | TFTP Client | - | **Description** | Transfer files using the Trivial File Transfer Protocol | - | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled | - | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled | - call: - function: DisableWindowsFeature - parameters: - featureName: TFTP # Get-WindowsOptionalFeature -FeatureName 'TFTP' -Online - disabledByDefault: true + | | | + | ---- | --- | + | **Feature name** | `Microsoft-Hyper-V-Management-PowerShell` | + | **Display name** | Hyper-V Module for Windows PowerShell | + | **Description** | Includes Windows PowerShell cmdlets for managing Hyper-V. | + | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled | + | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled | + call: + function: DisableWindowsFeature + parameters: + featureName: Microsoft-Hyper-V-Management-PowerShell # Get-WindowsOptionalFeature -FeatureName 'Microsoft-Hyper-V-Management-PowerShell' -Online + disabledByDefault: true - category: Disable printing features children: 
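Review bot: the four networking-feature scripts removed with the "Disable networking features" category (`TelnetClient`, `WCF-TCP-PortSharing45`, `SmbDirect`, `TFTP`) have no counterpart anywhere in this hunk, so the diff alone cannot show that they survive the merge; please state in the PR description which category they now live in and confirm that `disabledByDefault: true`, present on `TelnetClient` and `TFTP` in the deleted lines, and the reference-style docs with their archived links were carried over rather than dropped. Style point on the re-added Hyper-V block: `disabledByDefault: true # Default: Disabled (tested: Windows 10 22H2, Windows 11 23H2)` on `Microsoft-Hyper-V-Tools-All` is the only one of the four entries with a trailing comment and it duplicates the docs table directly above it; drop the comment for consistency with its siblings.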
@@ -16926,104 +17161,6 @@ actions: function: UninstallCapability parameters: capabilityName: Msix.PackagingTool.Driver - - - category: Remove networking capabilities - docs: |- # refactor-with-variables: **Caution** - This category focuses on the removal of certain networking capabilities. - These capabilities are usually not pre-installed on Windows [1]. - - Removing these features can contribute to a more secure and privacy-focused - environment by eliminating potential vulnerabilities and reducing the - system's attack surface. - - The scripts target specific networking tools and protocols, ideal for users who - don't need these features, thus streamlining the system and potentially improving - performance. - - > **Caution:** - > Removing networking capabilities could disrupt remote connections and network management tasks. - > These features may be critical for enterprise environments or specific operations. - - [1]: https://web.archive.org/web/20240411120309/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11#networking-tools "Available features on demand | Microsoft Learn | learn.microsoft.com" - children: - - - name: Remove "RAS Connection Manager Administration Kit (CMAK)" capability - docs: |- # refactor-with-variables: Same • Caution - This script removes the "RAS Connection Manager Administration Kit (CMAK)" (`RasCMAK.Client` [1]) capability. - - CMAK is a tool that allows the creation of profiles for connecting to remote servers and networks [1]. - - Though useful for remote connections, this capability might be unnecessary for many users. - Removing it can simplify the system's network configuration and enhance security by reducing potential attack vectors. - - > **Caution:** - > Removing networking capabilities could disrupt remote connections and network management tasks. - > These features may be critical for enterprise environments or specific operations. 
- - [1]: https://web.archive.org/web/20240411120309/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11#networking-tools "Available features on demand | Microsoft Learn | learn.microsoft.com" - call: - function: UninstallCapability - parameters: - capabilityName: RasCMAK.Client - - - name: Remove "RIP Listener" capability - docs: |- # refactor-with-variables: *Caution** - This script removes the "RIP Listener" (`RIP.Listener` [1]) capability. - - The RIP Listener listens for route updates from routers using the Routing Information Protocol version 1 (RIPV1) [1]. - - RIPV1 is an older protocol that might be redundant in modern networks, despite its specific utilities. - Removing this feature can contribute to a more secure system by eliminating unnecessary network - listening capabilities. - - > **Caution:** - > Removing networking capabilities could disrupt remote connections and network management tasks. - > These features may be critical for enterprise environments or specific operations. - - [1]: https://web.archive.org/web/20240411120309/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11#networking-tools "Available features on demand | Microsoft Learn | learn.microsoft.com" - call: - function: UninstallCapability - parameters: - capabilityName: RIP.Listener - - - name: Remove "Simple Network Management Protocol (SNMP)" capability - docs: |- # refactor-with-variables: Same • Caution - This script removes the "Simple Network Management Protocol (SNMP)" (`SNMP.Client` [1]) capability. - - SNMP is used for monitoring and managing network devices [1]. - - While it provides valuable information for network administration, it may not be essential for - all users and can expose the system to additional network traffic and potential vulnerabilities. 
- - > **Caution:** - > Removing networking capabilities could disrupt remote connections and network management tasks. - > These features may be critical for enterprise environments or specific operations. - - [1]: https://web.archive.org/web/20240411120309/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11#networking-tools "Available features on demand | Microsoft Learn | learn.microsoft.com" - call: - function: UninstallCapability - parameters: - capabilityName: SNMP.Client - - - name: Remove "SNMP WMI Provider" capability - docs: |- # refactor-with-variables: Same • Caution - This script removes the "SNMP WMI Provider" (`WMI-SNMP-Provider.Client` [1]) capability. - - This feature enables Windows Management Instrumentation (WMI) clients to access SNMP information [1]. - - Integrating SNMP data into WMI, this capability may be extraneous for those not needing SNMP monitoring. - Removing this capability can simplify the system's management interfaces and improve its security posture - by limiting the ways in which network information is accessed and exposed. - - > **Caution:** - > Removing networking capabilities could disrupt remote connections and network management tasks. - > These features may be critical for enterprise environments or specific operations. - - [1]: https://web.archive.org/web/20240411120309/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11#networking-tools "Available features on demand | Microsoft Learn | learn.microsoft.com" - call: - function: UninstallCapability - parameters: - capabilityName: WMI-SNMP-Provider.Client - name: Remove "OpenSSH Server" capability call:
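Review bot: this hunk deletes the whole "Remove networking capabilities" category (`RasCMAK.Client`, `RIP.Listener`, `SNMP.Client`, `WMI-SNMP-Provider.Client`) with no replacement lines, and the deleted `docs: |-` lines carry `# refactor-with-variables` markers (one misspelled as `*Caution**`) that track the repeated caution block. If these scripts are re-added under the merged network category, move the markers with them or resolve the duplicated caution text there, and say so in the PR description; the only context that remains here is the trailing `name: Remove "OpenSSH Server" capability`, which tells a reviewer nothing about where the SNMP and CMAK removals went.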