- Oct 3, 2022
Hi Everyone,
Am now performing a test of MS Windows Security Baseline + WHH at max settings per Andy Ful + OSArmor at all protections=ON. I am placing the laptop in the DMZ. As you probably know, being in the DMZ means the laptop will only be protected by its own Windows Defender firewall and the modem+router will allow all access to it, bypassing NAT protection.
I would say it is a fair test of the capabilities of MS Windows Sec Baseline and WHH and OSArmor and Windows Defender and Defender firewall as if the laptop was at a coffee shop.
To install the MS Sec Baseline 24H2, download it along with LGPO.zip. Extract and place LGPO.exe into \Downloads\Baseline\Final\Scripts\Tools. Then issue these PowerShell commands from the Scripts directory (the script lives in the current directory, so it needs the .\ prefix):
Set-ExecutionPolicy RemoteSigned
.\Baseline-LocalInstall.ps1 -Win11NonDomainJoined
(When the script is finished) Set-ExecutionPolicy Restricted
Then I made one change to the group policy that the baseline set:
gpedit
> Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender AV > MpEngine > set cloud protection level = zero tolerance
Here are Andy's recommended settings:
Additionally:
- ConfigureDefender set to MAX Protection Level
- FirewallHardening set to LOLBins block list
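After the baseline install, the cloud protection level change and ConfigureDefender have been applied, it is worth confirming the host actually ended up in the state described above before exposing it in the DMZ. The script below is an added example, not part of the original post and not from Andy Ful's tools or Microsoft's baseline scripts. It assumes Windows 11 with Microsoft Defender as the active AV and an elevated PowerShell session; the expected values (CloudBlockLevel 6 for Zero tolerance, all firewall profiles enabled with default inbound Block, the active network profile set to Public) are what the settings in the post should produce.

```powershell
# Added verification script (not from the original post or the tools it names).
# Assumes: Windows 11, Microsoft Defender active, run from an elevated PowerShell.
# Cmdlets used: Get-ExecutionPolicy, Get-MpComputerStatus, Get-MpPreference,
# Get-NetFirewallProfile, Get-NetFirewallRule, Get-NetConnectionProfile.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Execution policy should be back to Restricted once Baseline-LocalInstall.ps1 has run.
$policy = Get-ExecutionPolicy -Scope LocalMachine
if ($policy -ne 'Restricted') {
    $findings.Add("Execution policy is $policy, expected Restricted")
}

# 2. Defender engine and real-time protection must be on; the baseline is moot if AV is off.
$status = Get-MpComputerStatus
if (-not $status.AntivirusEnabled)          { $findings.Add('Defender antivirus is disabled') }
if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }

# 3. Cloud protection level set via gpedit: CloudBlockLevel 6 = Zero tolerance
#    (0 = Default, 2 = High, 4 = High+). It only works if MAPS reporting is on.
$pref = Get-MpPreference
if ($pref.CloudBlockLevel -ne 6) {
    $findings.Add("CloudBlockLevel is $($pref.CloudBlockLevel), expected 6 (Zero tolerance)")
}
if ($pref.MAPSReporting -eq 0) {
    $findings.Add('MAPS reporting is disabled, so the cloud block level has no effect')
}
# ConfigureDefender MAX turns on PUA blocking (1 = Enabled) and Network Protection (1 = Enabled).
if ($pref.PUAProtection -ne 1)          { $findings.Add("PUAProtection is $($pref.PUAProtection), expected 1") }
if ($pref.EnableNetworkProtection -ne 1) { $findings.Add("EnableNetworkProtection is $($pref.EnableNetworkProtection), expected 1") }
# Count ASR rules in Block mode (action 1); MAX should leave none in Audit or Disabled.
$asrBlocked = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count
Write-Host "ASR rules in Block mode: $asrBlocked of $(@($pref.AttackSurfaceReductionRules_Ids).Count)"

# 4. Firewall: in the DMZ every inbound packet reaches the host, so all three profiles
#    must be enabled with default inbound Block (the baseline sets this explicitly).
foreach ($fwProfile in Get-NetFirewallProfile) {
    if (-not $fwProfile.Enabled) {
        $findings.Add("Firewall profile $($fwProfile.Name) is disabled")
    }
    if ($fwProfile.DefaultInboundAction -ne 'Block') {
        $findings.Add("Profile $($fwProfile.Name) default inbound action is $($fwProfile.DefaultInboundAction), expected Block")
    }
}

# 5. The active connection should be classified Public; a Private profile opens
#    discovery and sharing rules that a DMZ host must not expose.
foreach ($conn in Get-NetConnectionProfile) {
    if ($conn.NetworkCategory -ne 'Public') {
        $findings.Add("Interface $($conn.InterfaceAlias) is $($conn.NetworkCategory), expected Public")
    }
}

# 6. Informational: which enabled inbound Allow rules apply to the Public profile,
#    and how many outbound Block rules FirewallHardening's LOLBin list created.
Write-Host "`nEnabled inbound Allow rules on the Public profile:"
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { "$($_.Profile)" -match 'Public|Any' } |
    Select-Object DisplayName, Profile |
    Format-Table -AutoSize
$outBlock = @(Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True).Count
Write-Host "Enabled outbound Block rules (LOLBin block list and others): $outBlock"

# Summary
if ($findings.Count -eq 0) {
    Write-Host "`nAll checks passed."
} else {
    Write-Host "`nFindings:"
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

Run it once before connecting the laptop to the DMZ and again after the test period: a drift in any of the findings (a profile flipped to Private, an inbound Allow rule that was not there before, CloudBlockLevel reset) is the first thing to look at when judging whether the setup held up.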
Since OSArmor has every protection checked, I had to make some exclusions to run Settings and other things. But the exclusions are all removed prior to being online except for the one for Settings. And OSArmor is password protected.
Andy did suggest to enhance WDAC by using WDAC Wizard; but I wanted to test WHH with its path-based WDAC and SRP settings. OSArmor was deployed to provide some hindrance for the attacker.
Let's see how long it survives. There used to be lots of attack scans on the net looking for various vulnerabilities and Windows default openings. I was feeling a little naked so added NoVirusThanks SysHardener at max settings. I also set up PIN access for the 2 accounts.