Harden Windows Security | Only with official documented methods | Always up to date

SpyNetGirl

Thread author
Jan 30, 2023
Please make sure you read everything (preferably on GitHub, because I had to remove so much formatting due to forum rules) so you will understand what each security measure means, why it's there and what to expect. Everything is properly documented. Also pay attention to the Trust section to see how you can 100% trust the GitHub repository and use the same tactics to verify the trustworthiness of any other similar thing you come across. Feel free to copy and fork the repository; actually, I recommend doing it in the Trust section.


If you have any technical feedback involving code, please open an issue on GitHub so I can properly address it. Thank you.

I'll copy & paste the relevant content of the Readme page here.

P.S. For now it's only for Windows 11; when Windows 12 is released, it will then be about it, and so on ^^

My only goal in doing this is to make sure every Windows user is secure and safe from threat actors, is informed about the security measures available in our arsenal, and only accesses authentic official information, so that there are no side effects, unwanted behavior or breakage.

Harden Windows Security

Harden Windows 11 safely, securely and without breaking anything


Things to note:

  1. Windows by default is secure and safe; this script does not imply nor claim otherwise. Just like anything, you have to use it wisely and not compromise yourself with reckless behavior and bad user configuration; nothing is foolproof. This script only uses the tools and features that have already been implemented by Microsoft in the Windows OS to fine-tune it towards the highest security and most locked-down state, using well-documented, supported, recommended and official methods. Continue reading for comprehensive info.
  2. Make sure your hardware (Tablet, Laptop, PC, Phone) meets the Windows 11 hardware requirements AND the Virtualization Based Security requirements. Currently, Windows 11 allows some CPUs older than 8th Gen Intel (or their AMD equivalents), such as the Intel i7 7700K, to use Insider builds only. You will miss a lot of new features, benefits and new security technologies that are only available on newer hardware. You need to enable TPM 2.0, Virtualization technology and Secure Boot in your UEFI if they aren't enabled by default (which is the case on older hardware). To enable Secure Boot in your UEFI firmware settings, check out the official guides on how to enable Secure Boot on HP, Lenovo and Dell devices.
  3. If there are multiple Windows user accounts on your computer, it's recommended to run this script in each of them, without administrator privileges, because non-admin commands only apply to the current user and are not machine-wide.
  4. There are 4 items tagged with #TopSecurity that can break functionality or cause difficulties, so this script does NOT enable them by default. Press Ctrl + F and search for #TopSecurity on this page to find those security measures and how to enable them if you want.
  5. Windows Home edition is not supported.
  6. Restart your device after you apply the script; don't use any commands to force a Group Policy update.

Features:

  • Always up-to-date and works with the latest build of Windows (Currently Windows 11 - compatible and rigorously tested on stable and Insider Dev builds)
  • It doesn't break anything.
  • All of the links and sources are official, from Microsoft websites, straight from the source: no bias, no misinformation and no old obsolete methods. That's why there are no links to 3rd party news websites, made-up blogs or articles, with the following exceptions:

    Count | Link                          | Reason
    ------|-------------------------------|---------------------------------------------------------
    1     | Intel website                 | i7 13700k product page
    2     | Wikipedia                     | providing further information for the reader
    1     | non-official GitHub Wiki page | providing further information for the reader about TLS
    1     | Security.Stackexchange Q&A    | providing logic and reasoning for certain actions
    1     | state.gov                     | List of State Sponsors of Terrorism
  • Doesn't remove or disable Windows functionalities against Microsoft's recommendation.
  • This Readme page is used as the reference for all of the security measures applied by this script and Group Policies.
  • When a hardening command is no longer necessary because Microsoft applies it by default on new builds of Windows, it is removed from this script, since it is no longer needed and keeping it could cause problems.
  • The script can be run any number of times; it's made in a way that it won't make any duplicate changes at all.
  • The script asks for confirmation, in the PowerShell console, before running each hardening category that is not applied by Group Policies, so you can selectively run (or skip) each of them.
  • Applying this script makes your PC compliant with Microsoft Security Baselines and Secured-core PC specifications (providing that you use modern hardware that supports the latest Windows security features). - See what makes a Secured-core PC. Check Device Guard category for more details.
    • Secured-core – recommended for the most sensitive systems and industries like financial, healthcare, and government agencies. Builds on the previous layers and leverages advanced processor capabilities to provide protection from firmware attacks.


How To Use


To run the script:

# Set execution policy temporarily to bypass for the current PowerShell session only
Set-ExecutionPolicy Bypass -Scope Process

# Run the PowerShell script
Invoke-RestMethod "https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1" | Invoke-Expression


Hardening Categories

From Top to bottom in order:





Microsoft Security Baselines

A security baseline is a group of Microsoft-recommended configuration settings that explains their security implications. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

Continue reading in the official documentation


Security Baselines X

This is the .zip file that I've created and uploaded to this GitHub repository. It contains the Group Policy Object that applies the security measures explained on this page.

This script also undoes 3 policies set by the Microsoft Security Baseline because they can cause some inconvenience.
(They are listed on GitHub; I can't place them here due to formatting.)



Windows Security aka Defender

  • Enables additional security features of Windows Security (Defender). You can refer to this official document for full details.
  • This script makes sure Cloud Security Scan and Block At First Sight are enabled to the highest possible security states available, the Zero Tolerance Cloud Block level. You need to be aware that this means actions like downloading and opening an unknown file WILL make Windows Security send samples of it to the Cloud for more advanced analysis, and it can take a maximum of 60 seconds (this script sets it to the max) from the time you try to open that unknown file to the time it is opened (if deemed safe), so you will have to wait. All of these security measures are in place by default in Windows to some extent and happen automatically without the need to run this script, but this script maxes them out and sets them to the highest possible levels at the cost of 🔻convenience and usability🔺. It's always a trade-off.
    • Here is an example of the notification you will see in Windows 11 if that happens: [Image: Windows Security Cloud Scan Notification]
  • Enables file hash computation; designed to allow admins to force the anti-malware solution to "compute file hashes for every executable file that is scanned if it wasn't previously computed" to "improve blocking for custom indicators in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)".
  • Clears Quarantined items after 5 days instead of the default behavior of keeping them indefinitely.
  • Lets Windows Defender use up to 70% of the CPU instead of the default 50%, during scans.
  • Allows Windows Defender to download security updates even on a metered connection.
  • Enables Windows Defender to scan network drives, restore points, Emails and removable drives during a full scan, so it will take a while to finish a full scan if you have lots of those Items.
  • Sets the Signature Update Interval to every 3 hours instead of automatically.
  • Forces Windows Defender to check for new virus and spyware definitions before it runs a scan.
  • Makes Windows Defender run catch-up scans for scheduled quick scans. A computer can miss a scheduled scan, usually because the computer is off at the scheduled time, but now after the computer misses two scheduled quick scans, Windows Defender runs a catch-up scan the next time someone logs onto the computer.
  • Enables Network Protection of Windows Defender (Requires Windows Pro or Enterprise editions)
  • Makes sure Async Inspection for Network protection of Windows Defender is turned on - Network protection now has a performance optimization that allows Block mode to start asynchronously inspecting long connections after they're validated and allowed by SmartScreen, which might provide a potential reduction in the cost that inspection has on bandwidth and can also help with app compatibility problems.
  • Smart App Control: Smart App Control adds significant protection from new and emerging threats by blocking apps that are malicious or untrusted. Smart App Control also helps to block potentially unwanted apps, which are apps that may cause your device to run slowly, display unexpected ads, offer extra software you didn't want, or do other things you don't expect.
    • Smart App Control is a User-Mode Windows Defender Application Control (WDAC) policy for non-enterprise consumers. You can see its status in System Information and enable it manually from the Windows Security (Defender) app's GUI. It is very important for Windows and Windows Defender intelligence updates to always be current in order for Smart App Control to work properly, as it relies on live intelligence and definition data from the cloud and other sources to make a smart decision about the programs and files it encounters.
    • Smart App Control uses ISG (Intelligent Security Graph). The ISG isn't a "list" of apps. Rather, it uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good", "known bad", or "unknown" reputation. This cloud-based AI is based on trillions of signals collected from Windows endpoints and other data sources and processed every 24 hours. As a result, the decision from the cloud can change.
    • Smart App Control can block a program entirely from running or only some parts of it in which case your app or program will continue working just fine most of the time. It's improved a lot since it was introduced, and it continues doing so. It's got so smart now that I enable it on new OS installations immediately after updating.
    • Smart App Control enforces the Microsoft Recommended Driver Block rules and the Microsoft Recommended Block Rules
    • The script enables Smart App Control, it will ask for confirmation before enabling it.
    • Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows.
  • There is another security feature, for Ransomware Protection, that's been in Windows for a while; it's called Controlled Folder Access. This script does not enable it; the default state is disabled.
    • Protect important folders with controlled folder access: Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps.
    • If it blocks a program from accessing one of the folders it protects, and you absolutely trust that program, then you can add it to the exclusion list using the Windows Security (Defender) GUI or PowerShell. You can also query the list of allowed apps using PowerShell (commands below). With these commands, you can back up your personalized list of allowed apps that are relevant to your system, and restore it in case you clean install Windows.
# Add multiple programs to the exclusion list of Controlled Folder Access
# (Add-MpPreference appends to the existing list; Set-MpPreference with the same
# parameter would replace the whole list with only the paths given)
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\App\app.exe','C:\Program Files\App2\app2.exe'
# Get the list of all allowed apps
(Get-MpPreference).ControlledFolderAccessAllowedApplications


Attack surface reduction rules

Reducing your attack surface means protecting your devices and network, which leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction rules in Windows can help!

Attack surface reduction rules target certain software behaviors, such as:

  • Launching executable files and scripts that attempt to download or run files
  • Running obfuscated or otherwise suspicious scripts
  • Performing behaviors that apps don't usually initiate during normal day-to-day work
Such software behaviors are sometimes seen in legitimate applications. However, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain software-based risky behaviors and help keep your organization safe.

This script enables all 16 available Attack Surface Reduction rules shown in the official chart. You can manually turn off any of them by changing them from Enabled to AuditMode or Disabled in the script.
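The following is an added example, not part of the Harden-Windows-Security script: a read-only audit that compares the Defender preferences listed in the Windows Security section above with what Get-MpPreference reports, then lists the state of each attack surface reduction rule. The numeric encodings (CloudBlockLevel 6 = ZeroTolerance, CloudExtendedTimeout 50 = the maximum extra wait, EnableNetworkProtection 1 = Enabled, ASR action 1 = Block) are the documented Set-MpPreference values and are not taken from the page; the backup file path is this example's choice.

```powershell
# Added example (not from the Harden-Windows-Security script): audit Defender preferences
# against the hardened profile described above and report any drift. Read-only.
$pref = Get-MpPreference

# Expected state, one entry per bullet in the "Windows Security aka Defender" list.
# Numeric values are the documented Set-MpPreference encodings (assumption, not from the page).
$expected = [ordered]@{
    CloudBlockLevel                     = 6      # Zero Tolerance cloud block level
    CloudExtendedTimeout                = 50     # maximum extra wait on unknown files
    EnableFileHashComputation           = $true
    QuarantinePurgeItemsAfterDelay      = 5      # days
    ScanAvgCPULoadFactor                = 70     # percent
    MeteredConnectionUpdates            = $true
    DisableScanningNetworkFiles         = $false
    DisableRestorePoint                 = $false
    DisableEmailScanning                = $false
    DisableRemovableDriveScanning       = $false
    SignatureUpdateInterval             = 3      # hours
    CheckForSignaturesBeforeRunningScan = $true
    DisableCatchupQuickScan             = $false
    EnableNetworkProtection             = 1      # Enabled
    AllowSwitchToAsyncInspection        = $true
}

function Get-DefenderDrift {
    foreach ($name in $expected.Keys) {
        $actual = $pref.$name
        # Compare as strings so $true/"True" and 6/"6" line up regardless of property type.
        if ("$actual" -ne "$($expected[$name])") {
            [pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $actual }
        }
    }
}

$drift = @(Get-DefenderDrift)
if ($drift.Count) { $drift | Format-Table -AutoSize }
else { 'All listed Defender preferences match the hardened profile.' }

# ASR rules: _Ids and _Actions are parallel arrays; the page's script puts all 16 in Block mode.
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
for ($i = 0; $i -lt $ids.Count; $i++) {
    [pscustomobject]@{ RuleId = $ids[$i]; Action = $actionName[[int]$actions[$i]] }
}
$blocking = @($actions | Where-Object { [int]$_ -eq 1 }).Count
"$blocking of $($ids.Count) configured ASR rules are in Block mode."

# Controlled folder access allow list: keep a copy so it can be restored after a clean install.
$pref.ControlledFolderAccessAllowedApplications |
    Set-Content -Path "$env:USERPROFILE\CFA-AllowedApps.txt"
```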



Bitlocker Settings

  • This script sets up and configures BitLocker for the OS drive and all other drives on the device, following the official documentation, with the most secure configuration and Military Grade encryption algorithm: XTS-AES-256, TPM 2.0 and a start-up PIN.
    • When running this category, any connected external storage devices such as external SSDs and USB flash drives will also be encrypted; if that's not what you want, please eject them from your device before running the BitLocker category.
  • You will be asked to enter a Startup PIN when activating BitLocker for the first time. Make sure the PIN you enter is at least 6 digits. Since this script enables Enhanced Startup PIN, you can use characters including uppercase and lowercase letters, symbols, numbers, and spaces. Make sure the BitLocker PIN that you choose is not the same as your Windows Hello PIN.
  • Once you run this script for the first time, a text file containing the 48-digit recovery password of each encrypted drive will be saved on the drive itself, with names like "Drive C recovery password.txt". It is very important to keep it in a safe and reachable place, e.g. in OneDrive's Personal Vault, which requires authentication to access. See Here and Here for more info about OneDrive's Personal Vault.
    • Check out the Lock Screen category for more info about the recovery password.
    • Also check out the Miscellaneous Configurations category for more info about how BitLocker protects your device and data against an attacker with skill and lengthy physical access, which is the worst-case scenario.
    • To have even more security than what the script provides, you can utilize a Startup key in addition to the other 3 key protectors (TPM, Startup PIN and Recovery password). With this method, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the correct PIN is also required.
  • BitLocker will bring you real security against the theft of your device if you strictly abide by the following basic rules:
    • As soon as you have finished working, either hibernate or shut Windows down and allow every shadow of information to disappear from RAM within 2 minutes. This practice is recommended in High-Risk Environments.
    • Do not mix 3rd party encryption software and tools with BitLocker. BitLocker creates a secure, end-to-end encrypted ecosystem for your device and its peripherals; this secure ecosystem is backed by things such as software, Virtualization Technology, TPM 2.0 and UEFI firmware, and BitLocker protects your data and entire device against real-life attacks and threats. You can encrypt your external SSDs and flash drives with BitLocker too.
Refer to this official documentation about the countermeasures of Bitlocker
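An added example, not part of the Harden-Windows-Security script, that checks each BitLocker volume against the configuration described above (XTS-AES-256, TPM + startup PIN on the OS drive, a 48-digit recovery password on every drive) and re-exports the recovery passwords in case the text files the script wrote were lost. The export folder name is this example's choice.

```powershell
# Added example (not from the Harden-Windows-Security script). Needs an elevated session.
#Requires -RunAsAdministrator

function Test-BitLockerHardening {
    $osDrive = $env:SystemDrive   # e.g. "C:"
    foreach ($vol in Get-BitLockerVolume) {
        $types  = @($vol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
        $issues = @()
        if ("$($vol.VolumeStatus)" -ne 'FullyEncrypted') {
            $issues += "status is $($vol.VolumeStatus)"
        }
        if ("$($vol.EncryptionMethod)" -ne 'XtsAes256') {
            $issues += "method is $($vol.EncryptionMethod), expected XtsAes256"
        }
        if ($types -notcontains 'RecoveryPassword') {
            $issues += 'no 48-digit recovery password protector'
        }
        if ($vol.MountPoint -eq $osDrive) {
            # The OS drive should unlock with TPM + PIN. A TPM-only protector alongside it
            # would let the drive unlock at boot without the PIN, so flag it.
            if ($types -notcontains 'TpmPin') { $issues += 'OS drive has no TPM+PIN protector' }
            if ($types -contains 'Tpm')       { $issues += 'OS drive also has a TPM-only protector' }
        }
        [pscustomobject]@{
            Drive      = $vol.MountPoint
            Method     = $vol.EncryptionMethod
            Protectors = $types -join ', '
            Status     = if ($issues) { $issues -join '; ' } else { 'OK' }
        }
    }
}

function Export-BitLockerRecoveryPasswords {
    # Writes one file per drive, named like the script's own files. Move the folder to a
    # protected location (the page suggests OneDrive's Personal Vault) afterwards.
    param([string]$Folder = "$env:USERPROFILE\BitLocker-Recovery")
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    foreach ($vol in Get-BitLockerVolume) {
        $rps = $vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' }
        foreach ($rp in $rps) {
            $letter = $vol.MountPoint.TrimEnd(':\')
            $file   = Join-Path $Folder "Drive $letter recovery password.txt"
            @(
                "Drive: $($vol.MountPoint)"
                "Protector ID: $($rp.KeyProtectorId)"
                "Recovery password: $($rp.RecoveryPassword)"
            ) | Set-Content -Path $file
            $file
        }
    }
}

Test-BitLockerHardening | Format-Table -AutoSize
Export-BitLockerRecoveryPasswords
```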


TLS Security


This script disables the TLS 1.0 and TLS 1.1 security protocols, which only exist for backward compatibility. All modern software should, and does, use TLS 1.2 and TLS 1.3.

Changes made by the script only affect things that use the Schannel SSP: that includes Edge, the IIS web server, built-in inbox Windows apps and some other programs supplied by Microsoft, but not 3rd party software that uses portable stacks like Java, Node.js, Python or PHP.

If you want to read more: Demystifying Schannel

  • Enables the TLS_CHACHA20_POLY1305_SHA256 cipher suite, which is available but not enabled by default in Windows 11, and sets its priority to highest.
  • Enables the following secure Diffie-Hellman based key exchange algorithms, which are available in Windows 11 but not enabled by default, according to this Microsoft document: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
  • Disables NULL ciphers that are only available for backward compatibility: "TLS_RSA_WITH_NULL_SHA256", "TLS_RSA_WITH_NULL_SHA", "TLS_PSK_WITH_NULL_SHA384", "TLS_PSK_WITH_NULL_SHA256"
  • Disables the MD5 hashing algorithm, which is only available for backward compatibility
  • Disables the following weak cipher suites that are only available for backward compatibility: "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_PSK_WITH_AES_256_GCM_SHA384", "TLS_PSK_WITH_AES_128_GCM_SHA256", "TLS_PSK_WITH_AES_256_CBC_SHA384", "TLS_PSK_WITH_AES_128_CBC_SHA256"
  • Disables the following weak ciphers that are only available for backward compatibility: "DES 56-bit", "RC2 40-bit", "RC2 56-bit", "RC2 128-bit", "RC4 40-bit", "RC4 56-bit", "RC4 64-bit", "RC4 128-bit", "3DES 168-bit (Triple DES 168)"
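An added example, not part of the Harden-Windows-Security script, that audits the Schannel cipher suite list and the TLS 1.0/1.1 protocol keys against the bullets above, and only with -Apply changes the suite list using the TLS cmdlets. The suite names are the ones listed on this page; the registry paths are the documented Schannel Protocols keys.

```powershell
# Added example (not from the Harden-Windows-Security script): audit Schannel against the
# TLS Security bullets above. Read-only unless run with -Apply (which needs elevation).
param([switch]$Apply)

$chacha = 'TLS_CHACHA20_POLY1305_SHA256'   # should be enabled AND first in priority
$wantedSuites = @(
    $chacha,
    'TLS_DHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
)
$weakSuites = @(
    'TLS_RSA_WITH_NULL_SHA256', 'TLS_RSA_WITH_NULL_SHA',
    'TLS_PSK_WITH_NULL_SHA384', 'TLS_PSK_WITH_NULL_SHA256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_PSK_WITH_AES_256_GCM_SHA384', 'TLS_PSK_WITH_AES_128_GCM_SHA256',
    'TLS_PSK_WITH_AES_256_CBC_SHA384', 'TLS_PSK_WITH_AES_128_CBC_SHA256'
)

# Get-TlsCipherSuite returns the enabled suites in priority order, highest first.
$current      = @((Get-TlsCipherSuite).Name)
$stillEnabled = @($weakSuites   | Where-Object { $current -contains $_ })
$missing      = @($wantedSuites | Where-Object { $current -notcontains $_ })

"Weak suites still enabled : $(if ($stillEnabled) { $stillEnabled -join ', ' } else { 'none' })"
"Wanted suites not enabled : $(if ($missing) { $missing -join ', ' } else { 'none' })"
"Top-priority suite        : $($current[0])$(if ($current[0] -ne $chacha) { '  (CHACHA20 is not first)' })"

# Legacy protocols: Schannel honours Enabled=0 and DisabledByDefault=1 per protocol and role.
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    foreach ($role in 'Client', 'Server') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\$role"
        $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $state = if ($v -and $v.Enabled -eq 0 -and $v.DisabledByDefault -eq 1) { 'disabled' }
                 else { 'NOT explicitly disabled' }
        "$proto $role : $state"
    }
}

if ($Apply) {
    foreach ($s in $stillEnabled) { Disable-TlsCipherSuite -Name $s }
    foreach ($s in ($missing | Where-Object { $_ -ne $chacha })) { Enable-TlsCipherSuite -Name $s }
    if ($current[0] -ne $chacha) {
        # Re-add CHACHA20 at position 0 so it has the highest priority, as the first bullet says.
        if ($current -contains $chacha) { Disable-TlsCipherSuite -Name $chacha }
        Enable-TlsCipherSuite -Name $chacha -Position 0
    }
}
```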

Lock Screen

  • Automatically locks the device after X seconds of inactivity (just like mobile phones); this is set to 120 seconds (2 minutes) in this script, and you can change it to any value you like.
  • Requires CTRL+ALT+DEL on the lock screen. The reason and logic behind it:
    • A malicious user might install malware that looks like the standard sign-in dialog box for the Windows operating system and capture a user's password. The attacker can then sign into the compromised account with whatever level of user rights that user has.
  • Enables a security feature that sets a threshold (6 in this script) for the number of failed sign-in attempts that causes the device to be locked by using BitLocker. This means that if the specified maximum number of failed sign-in attempts is exceeded, the device will invalidate the Trusted Platform Module (TPM) protector and any other protector except the 48-digit recovery password, and then reboot. During Device Lockout mode, the computer or device only boots into the touch-enabled Windows Recovery Environment (WinRE) until an authorized user enters the recovery password to restore full access.
    • This script (in the BitLocker category) automatically saves the 48-digit recovery password of each drive on the drive itself; its location will also be shown in the PowerShell console when you run it. It is very important to keep it in a safe and reachable place, e.g. in OneDrive's Personal Vault, which requires authentication to access. See Here and Here for more info about OneDrive's Personal Vault.
  • Hides the email address of the Microsoft account on the lock screen; if your device is in a trusted place like your home, this isn't necessary.
  • Don't display username at sign-in: if a user signs in as Other user, the full name of the user isn't displayed during sign-in. In the same context, if users type their email address and password at the sign-in screen and press Enter, the displayed text "Other user" remains unchanged and is no longer replaced by the user's first and last name, as in previous versions of Windows 10. Additionally, if users enter their domain user name and password and click Submit, their full name isn't shown until the Start screen displays.
    • Useful if you have devices that store sensitive data with monitors displayed in unsecured locations, or devices with sensitive data that are remotely accessed, revealing logged-on users' full names or domain account names
  • Don't display last signed-in: this security policy setting determines whether the name of the last user to sign in to the device is displayed on the Secure Desktop. If this policy is enabled, the full name of the last user to successfully sign in isn't displayed on the Secure Desktop, nor is the user's sign-in tile displayed. Additionally, if the Switch user feature is used, the full name and sign-in tile aren't displayed. The sign-in screen requests a qualified domain account name (or local user name) and password.
    • Users will need to manually enter their username and password/PIN to sign in. It can cause annoyance, so it is disabled in this script. This feature, however, can be useful to enable if you live in High-Risk Environments and don't want anyone to get any information about your device when it's locked and you're not around. If you want to enable it, change its value to 1. #TopSecurity
  • Don't display Network Selection UI on the lock screen (like the Wi-Fi icon): this setting allows you to control whether anyone can interact with the available networks UI on the logon screen. Once enabled, the device's network connectivity state cannot be changed without signing into Windows. Suitable for High-Risk Environments.

User Account Control

Here is the official reference for the commands used in this section of the script, User Account Control Group Policy and registry key settings.

  • Introduces (but Not fully enables) an option to Prompt for credentials on the secure desktop, in Administrator accounts, which presents the sign-in UI and restricts functionality and access to the system until the sign-in requirements are satisfied. The secure desktop's primary difference from the user desktop is that only trusted processes running as SYSTEM are allowed to run here (that is, nothing is running at the user's privilege level). The path to get to the secure desktop from the user desktop must also be trusted through the entire chain.
    • This is the default behavior: prompt the administrator in Admin Approval Mode to select either "Permit" or "Deny" for an operation that requires elevation of privilege for any non-Windows binaries. If the Consent Admin selects Permit, the operation will continue with the highest available privilege. This operation will happen on the secure desktop
    • This is the behavior that this script sets: prompts the administrator in Admin Approval Mode to select either "Permit" or "Deny" an operation that requires elevation of privilege. If the Consent Admin selects Permit, the operation will continue with the highest available privilege. "Prompt for consent" removes the inconvenience of requiring that users enter their name and password to perform a privileged task. This operation occurs on the secure desktop.
    • This is the #TopSecurity behavior: This option prompts the Consent Admin to enter his or her username and password (or another valid admin) when an operation requires elevation of privilege. This operation occurs on the secure desktop. ¹
  • Introduces (but does not enable, because it can cause inconvenience) a feature that enforces cryptographic signatures on any interactive application that requests elevation of privilege. It can prevent certain programs from running or prompting for UAC. #TopSecurity
  • Changes the behavior of the elevation prompt for standard users from "prompt for credentials" to "prompt for credentials on the secure desktop".
    • This security measure allows for a #TopSecurity behavior where you can optionally automatically deny all UAC prompts on Standard accounts. Suitable for forcing a log out of the Standard account and logging into the Admin account to perform administrator actions, or switching to the Admin account to perform elevated tasks.

Device Guard

Most of the Device Guard and Virtualization-Based Security features are automatically enabled by default on capable and modern hardware. This script only checks their status and, if needed, enables UEFI lock for them and also proceeds with enabling the full Secured-core PC requirements:




Device protection in Windows Security gives you one of these 4 hardware scores:

  1. Standard hardware security not supported
    • This means that your device does not meet at least one of the requirements of Standard Hardware Security.
  2. Your device meets the requirements for Standard Hardware Security.
  3. Your device meets the requirements for Enhanced Hardware Security
  4. Your device has all Secured-core PC features enabled

Windows Firewall

  • Makes sure Windows Firewall is enabled for all profiles (which is the default)
  • Sets the inbound and outbound default actions for the Domain Firewall Profile to Block, because this script is not intended to be used on devices that are part of a domain or controlled by an Active Directory Domain Controller, since they will have their own policies and policy management systems in place.
  • Enables Windows Firewall logging for the Private and Public profiles, sets the log file size to the maximum of 32.767 MB, and logs only dropped packets.
  • Disables the Multicast DNS (mDNS) UDP-In firewall rules for all 3 firewall profiles. This might interfere with Miracast screen sharing, which relies on the Public profile, and with homes where the Private profile is not selected, but it does add an extra measure of security in public places like a coffee shop.
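An added example, not part of the Harden-Windows-Security script: a read-only check of the firewall state the bullets above describe, per profile, plus the state of the built-in "mDNS (UDP-In)" rules. 32767 KB is the documented maximum for LogMaxSizeKilobytes (the page's 32.767 MB); the rule display name is Windows' own.

```powershell
# Added example (not from the Harden-Windows-Security script): verify the Windows Firewall
# profile settings and mDNS rules described above. Read-only.
function Test-FirewallHardening {
    foreach ($p in Get-NetFirewallProfile) {
        $issues = @()
        if ("$($p.Enabled)" -ne 'True') { $issues += 'profile is disabled' }
        if ($p.Name -eq 'Domain') {
            # The script blocks both directions on the Domain profile because it is not
            # meant for domain-joined devices.
            foreach ($dir in 'Inbound', 'Outbound') {
                $action = $p."Default${dir}Action"
                if ("$action" -ne 'Block') { $issues += "default $dir action is $action" }
            }
        } else {
            # Private and Public: log dropped packets only, at the maximum log size.
            if ("$($p.LogBlocked)" -ne 'True') { $issues += 'dropped packets are not logged' }
            if ("$($p.LogAllowed)" -eq 'True') { $issues += 'allowed packets are logged too (extra noise)' }
            if ([int64]$p.LogMaxSizeKilobytes -ne 32767) {
                $issues += "log size is $($p.LogMaxSizeKilobytes) KB, expected 32767"
            }
        }
        [pscustomobject]@{
            Profile = $p.Name
            LogFile = $p.LogFileName
            Status  = if ($issues) { $issues -join '; ' } else { 'OK' }
        }
    }
}

function Get-MdnsRuleState {
    # Windows ships one "mDNS (UDP-In)" rule per profile; after the script all three are disabled.
    Get-NetFirewallRule -DisplayName 'mDNS (UDP-In)' -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Profile, Direction, Enabled
}

Test-FirewallHardening | Format-Table -AutoSize
Get-MdnsRuleState      | Format-Table -AutoSize
```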

Optional Windows Features


Windows Networking

These are configurations that are typically recommended in High-Risk Environments but can also be applied by home users.


Miscellaneous Configurations

  • Sets the Early Launch Antimalware (ELAM) engine's status to 8, which is Good only. The default value is 3, which allows good, unknown and 'bad but critical'. That is the default because setting it to 8 can prevent your computer from booting if a driver it relies on is critical but at the same time unknown or bad.
    • By being launched first by the kernel, ELAM is ensured to be launched before any third-party software and is therefore able to detect malware in the boot process and prevent it from initializing. ELAM drivers must be specially signed by Microsoft to ensure they are started by the Windows kernel early in the boot process.
  • Disables the location service system-wide. Websites and apps won't be able to use your precise location; however, they will still be able to detect your location using your IP address.
  • Enables Hibernate, adds Hibernate to the Start menu's power options and disables Sleep. This feature is only recommended for High-Risk Environments. It is there to counter an attacker with skill and lengthy physical access to your computer, which is the worst-case scenario.
    • Attack scenario: a targeted attack with plenty of time; this attacker will open the case, will solder, and will use sophisticated hardware or software. Of course, BitLocker and the configurations applied by this script will protect you against that.
    • Power states S1-S3 will be disabled in order to completely disable Sleep; doing so also removes the Sleep option from the Start menu, and even using commands to put the computer to sleep won't work. You will have to restart your device for the changes to take effect.
  • Sets Hibernate to full.
  • Enables Mandatory ASLR. It might cause compatibility issues for some unofficial 3rd party portable programs, such as Photoshop portable, Telegram portable, etc., or some software installers.
    • You can add Mandatory ASLR override for a trusted program using the PowerShell command below or in the Program Settings section of Exploit Protection in Windows Security (Defender) app.
    • Set-ProcessMitigation -Name "C:\TrustedApp.exe" -Disable ForceRelocateImages
    • There are more options for Exploit Protection but enabling them requires extensive reviewing by users because mixing them up can cause a lot of compatibility issues.
  • Enables svchost.exe mitigations. Built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. These stricter security policies include a policy requiring all binaries loaded in these processes to be signed by Microsoft, and a policy disallowing dynamically generated code.
    • Requires Business (e.g. Windows 11 Pro for Workstations), Enterprise or Education Windows licenses.
  • Turns on Enhanced mode search for the Windows indexer; the default is classic mode.
    • This causes some UI elements in the search settings in Windows Settings to become unavailable for Standard user accounts to view, because it will be a feature managed by an Administrator.
  • Enforces the Administrator role for adding printer drivers
  • Enables SMB/LDAP Signing
  • Enables SMB Encryption (the status of (Get-SmbServerConfiguration).EncryptData was $False when tested on Windows 11 dev build 25272; this script sets it to $True)
  • Enables Windows Update and the Edge browser to download and install updates on any network, metered or not, because updates are important and should not be suppressed; that's what bad actors would want.
  • Enables "notify me when a restart is required to finish updating" in Windows Update, responsible for the toggle in Windows Settings => Windows Update => Advanced options
  • Enables all Windows users to use Hyper-V and Windows Sandbox by adding all Windows users to the "Hyper-V Administrators" security group; by default only Administrators can use Hyper-V or Windows Sandbox.
  • Changes the Windows time sync interval from the default of every 7 days to every 4 days (= every 345600 seconds)
  • Enables UEFI Lock for Local Security Authority (LSA) process protection. It is turned on by default on new Windows 11 installations, but not with UEFI Lock. When this setting is used with UEFI lock and Secure Boot, additional protection is achieved because disabling its registry key will have no effect.
    • When this feature is on, a new option called "Local Security Authority Protection" appears in the Windows Security GUI => Device Security => Core Isolation

Certificate Checking Commands

In this category, the script runs sigcheck64.exe live from Sysinternals, then lists valid certificates not rooted to the Microsoft Certificate Trust List in the User and Machine stores. Unless you use a Windows Insider build, all the certificates that are listed should be treated as dangerous and removed from your system immediately. However, if you are a Windows Insider user, like me, there will be certificates listed that belong to Microsoft and the pre-public build of Windows that you use, so they are OK and should not be removed. Some of those safe Windows-Insider-build-related certificates that should be left alone are:

  • Microsoft ECC Development Root Certificate Authority 2018
  • Microsoft Development Root Certificate Authority 2014

Country IP Blocking

The script fetches the newest ranges of IPv4 and IPv6 addresses of State Sponsors of Terrorism, then creates 2 rules (inbound and outbound) for each country in Windows Firewall, completely blocking connections to and from those countries.

Once you have those Firewall rules added, you can use this method to see if any of the blocked connections were from/to those countries.



Non-Admin Commands

In order to run commands in this category, you don't need administrator privileges, because no system-wide configuration is made. Changes in this category only apply to the user account that is running the current PowerShell session:

  • Show known file extensions in File explorer
  • Show hidden files, folders and drives (toggles the control panel folder options item)
  • Disable websites accessing local language list - good for privacy
  • Turn off safe search in Windows search; this will enable 18+ content to appear in searches. Essentially toggles the button in: Windows settings > privacy and security > search permissions > safe search
  • Prevent showing notifications on the lock screen - this is the same as toggling the button in Windows settings > system > notifications > show notifications on the lock screen
  • Enable Clipboard History and sync with Microsoft Account
  • Create custom views for Windows Event Viewer to help you keep tabs on important security events: attack surface reduction rules events, controlled folder access events, exploit protection events, network protection events, MSI and Scripts for WDAC Auditing events, Sudden Shut down events and Code Integrity Operational events.
  • Turn on text suggestions when typing on the physical keyboard
  • Turn on "Multilingual text suggestions" for the current user, toggles the option in Windows settings
  • Turn off the sticky keys shortcut of pressing the Shift key 5 times fast

Related

PowerShell Gallery - Also available in PowerShell Gallery

Trust

How can you 100% trust this script and know that nothing shady is going on?​

Trust is very important; you shouldn't blindly trust me nor any other 3rd party person/organization just because they say they are trustworthy. This script uses the simplest possible, yet effective, methods that make it very easy to verify:

  • The script is in plain text, nothing hidden, no 3rd party executable or pre-compiled binary is involved.
  • Change log history is present on GitHub. (Despite some of my awkward documentation typos)
  • You can open the file in Visual Studio Code/Visual Studio Code Web and view the script in a nice, easy-to-read environment; I've included a lot of spacing in the script file for this purpose
  • You can learn PowerShell, which is super easy, multiplatform and useful for the future; the Microsoft Learn website teaches you everything. Then you will understand that everything in the script is safe, or you can ask someone that you trust who knows PowerShell to verify the script for you
  • There is no unexpected behavior involved.
  • You can even fork this repository, 100% verify it until that point in time, then verify any subsequent changes/updates I push to this repository, at your own pace (using Sync fork and Compare options on your fork), and if you are happy with the changes, allow it to be merged with your own copy/fork on your GitHub account.

How to verify security-baselines-x.zip file and 100% trust it?

If there is any other verification method in your mind that I haven't mentioned or applied, please let me know.


Support

If you have any questions, requests, suggestions etc. about this script, please open a new discussion on GitHub


Security Recommendations

  • Always download your operating system from official Microsoft websites. Right now, Windows 11 is the latest version of Windows; its ISO file can be downloaded from this official Microsoft server. One of the worst things you can do to your own security and privacy is downloading your OS, which is the root of all the active and passive security measures, from a 3rd party website claiming they have the official unmodified files. There are countless bad things that can happen as a result of it, such as threat actors embedding malware or backdoors inside the customized OS, or pre-installing customized root CA certificates in your OS so that they can perform TLS termination and view all of your HTTPS and encrypted Internet data in plain clear text, even if you use a VPN. Having a poisoned and compromised certificate store is the endgame for you, and that's just the tip of the iceberg.
  • Whenever you want to install a program or app, first use the Microsoft Store or Winget; if the program or app you are looking for isn't available there, then download it from its official website. Somebody created a nice web interface for interacting with the Winget CLI here. Using Winget or the Microsoft Store provides many benefits:
    • Microsoft Store UWP apps are secure in nature, digitally signed and in MSIX format. That means installing and uninstalling them is guaranteed, and there won't be any leftovers after uninstalling.
    • The Microsoft Store has Win32 apps too; they are the traditional .exe installers that we are all familiar with. The store has a library feature that makes it easy to find the apps you previously installed.
    • Both the Microsoft Store and Winget check the hash of the files by default; if a program or file is tampered with, they will warn you and block the installation, whereas when you manually download a program from a website, you will have to manually verify the file hash against the hash shown on the website, if any.
  • Use Secure DNS; Windows 11 natively supports DNS over HTTPS and DNS over TLS.
    • I've created a PowerShell module to use a DNS over HTTPS server that doesn't have a stable IP address, on Windows 11, feel free to check it out.
  • Only use Microsoft Edge as your browser; it has the highest-rated protection against phishing and malware, is available by default on Windows, and has tightly integrated valuable security features such as Windows Defender Application Guard, Windows Defender SmartScreen, Hardware Enforced Stack Protection, Arbitrary Code Guard (ACG), Control Flow Guard (CFG), Tracking Prevention and the trusted built-in Secure Network feature from Cloudflare, just to name a few.
  • Always enable Two-Factor/Multi-Factor Authentication on websites, apps and services that you use. Preferably, use the Microsoft Authenticator app, which has a backup and restore feature, so you never lose access to your TOTPs (Time-Based One-Time Passwords) even if you lose your phone. It is available for Android and iOS. You can also use Microsoft Authenticator on Windows 11 (PC, Laptop or Tablet) using Windows Subsystem for Android (WSA) and access your authenticator codes without the need to use your phone (again thanks to the secure automatic backup/restore feature). Use an open-source and trusted Android store such as Aurora Store to install it and keep it up to date.
  • Make sure OneDrive backup for important folders (Desktop/Documents/Pictures) is enabled. It is fast, secure and works in any network condition, and since it's x64 (64-bit), it can handle a lot of small and large files simultaneously.
  • If you live in a western country, NATO country, European country or Australia, do not use VPNs. Your local ISP (Internet service provider) is a lot more trustworthy than the remote VPN server's ISP. Using a VPN only takes the trust from your own local ISP and puts it in the hands of the remote ISP that the VPN server uses for its Internet, nothing else. Period. Do not fall for the fake advertisements of VPN companies; you never know who is behind the VPN provider, what their political views are, their background, where their allegiance lies. The permissive civilized western world could allow a state sponsor of terrorism or some other hostile country to create a VPN company here and gather intelligence and collect bulk data for mining, tracking etc. This has happened before, and one of the most recent revelations is about a VPN provider called Betternet, based in Canada, run by IRGC terrorists and their families abroad. Stay vigilant and smart.
    • There are situations where using a VPN can provide security and privacy. For example, when using a public WiFi hotspot or basically any network that you don't have control over. In such cases, use Cloudflare WARP, or, as mentioned, use Secure Network in the Edge browser, which utilizes the same secure Cloudflare network. It's free, uses the WireGuard protocol, and it's from an American company that has global radar and lots of insight about countries in the world in real-time; at least 19.7% of all websites use it (2022). Safe to say it's one of the backbones of the Internet.
  • Go passwordless with your Microsoft account and use Windows Hello authentication. In your Microsoft account, which has the Outlook service, you can create up to 10 Email aliases in addition to the 1 Email address you get when you made your Microsoft account. That means, without creating a new account, you can have 11 Email addresses, all of which will use the same inbox and account. You can specify which of those Email aliases can be used to sign into your account in the sign-in preferences of your Microsoft account settings. So for example, when going passwordless, if you need to you can give one of your Email aliases to others for communication or add it to a public profile of yours, then block sign-in using that Email alias so nobody can send you authenticator notifications by entering that Email alias on the sign-in page, and use the other 10 aliases that are private to sign into your Microsoft account with peace of mind. You can create a rule in your Outlook so that all of the Emails sent to your public Email alias will be stored in a different folder, apart from your other inbox emails. All of this can be done using a free Microsoft account and the Outlook web app.
  • More Security Recommendations coming soon...

Resources


License

Not applicable, no license, because the only mission of this GitHub repository and script is to give all Windows users accurate, up-to-date and correct information about how to stay secure and safe in dangerous environments, and to stay not one, but many steps ahead of threat actors.
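The two-rule-per-country layout described under Country IP Blocking, plus a way to see whether any blocked connections matched those ranges, as an added PowerShell example that is not part of the script or the original post. It assumes failure auditing for the "Filtering Platform Connection" subcategory is enabled (otherwise Security event 5157 is never written), and it uses constructed documentation address ranges in place of the real country lists.

```powershell
# Added example (not the Harden-Windows-Security script's own code): creates the inbound and
# outbound block-rule pair the guide describes for one country's address ranges, then reports
# Windows Filtering Platform block events (Security event ID 5157) whose remote address falls
# inside one of those ranges. The country name and CIDR ranges below are constructed
# placeholders from the RFC 5737 / RFC 3849 documentation blocks, not a real list.
#Requires -RunAsAdministrator
$CountryName   = 'ExampleCountry'
$BlockedRanges = @('203.0.113.0/24', '198.51.100.0/24', '2001:db8::/32')

function New-CountryBlockRules {
    param([string]$Name, [string[]]$Ranges)
    # Remove earlier copies first so the function can be re-run when the list is refreshed
    Get-NetFirewallRule -DisplayName "$Name IP range blocking*" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    foreach ($Direction in 'Inbound', 'Outbound') {
        # One rule per direction; -RemoteAddress accepts IPv4 and IPv6 CIDR entries together
        New-NetFirewallRule -DisplayName "$Name IP range blocking $Direction" `
            -Direction $Direction -Action Block -Profile Any -Enabled True `
            -RemoteAddress $Ranges -Description 'Added example rule' | Out-Null
    }
}

function Test-IPInCidr {
    param([string]$Address, [string]$Cidr)
    # Prefix comparison on raw address bytes, so the same code handles IPv4 and IPv6
    $Network, $PrefixLength = $Cidr -split '/'
    $Ip  = [System.Net.IPAddress]::Parse($Address)
    $Net = [System.Net.IPAddress]::Parse($Network)
    if ($Ip.AddressFamily -ne $Net.AddressFamily) { return $false }
    $A = $Ip.GetAddressBytes(); $B = $Net.GetAddressBytes()
    for ($i = 0; $i -lt $A.Length; $i++) {
        $Remaining = [int]$PrefixLength - 8 * $i
        if ($Remaining -le 0) { return $true }
        $Mask = if ($Remaining -ge 8) { 0xFF } else { (0xFF -shl (8 - $Remaining)) -band 0xFF }
        if (($A[$i] -band $Mask) -ne ($B[$i] -band $Mask)) { return $false }
    }
    return $true
}

function Get-BlockedConnectionsInRanges {
    param([string[]]$Ranges, [int]$MaxEvents = 1000)
    # Event 5157 is only logged when failure auditing for this subcategory is enabled:
    #   auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        $Data = @{}
        foreach ($Field in ([xml]$_.ToXml()).Event.EventData.Data) { $Data[$Field.Name] = $Field.'#text' }
        # Direction %%14592 is inbound (remote peer = source); %%14593 is outbound (remote peer = destination)
        $Inbound = $Data.Direction -eq '%%14592'
        $DirName = if ($Inbound) { 'Inbound' } else { 'Outbound' }
        $Remote  = if ($Inbound) { $Data.SourceAddress } else { $Data.DestAddress }
        $Hit = $Ranges | Where-Object { Test-IPInCidr -Address $Remote -Cidr $_ } | Select-Object -First 1
        if ($Hit) {
            [pscustomobject]@{ Time = $_.TimeCreated; Direction = $DirName; Remote = $Remote
                               MatchedCidr = $Hit; Process = $Data.Application }
        }
    }
}

New-CountryBlockRules -Name $CountryName -Ranges $BlockedRanges
Get-BlockedConnectionsInRanges -Ranges $BlockedRanges | Format-Table -AutoSize
```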
 
Last edited:

SpyNetGirl

Level 3
Thread author
Jan 30, 2023
96
Interesting and good guide, but this hardening is for Windows 11 only.
For users with Windows 10, do you have another hardening script/guide?

Thank you,
Windows 10 users can use it too, but it'll only be guaranteed to fully work on the latest version of Windows, whether it's 11, 12 or future versions, because one of the fundamental security recommendations is to make sure the user is using the latest version of the OS.
Sorry, I don't have another guide/script only for Windows 10, but feel free to fork it and modify it to make it suitable for Windows 10 :)
 

zkSnark

Level 5
Verified
Well-known
Jan 13, 2019
203
How To Use

To run the script:

# Set execution policy temporarily to bypass for the current PowerShell session only
Set-ExecutionPolicy Bypass -Scope Process

# Run the PowerShell script
Invoke-RestMethod "https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1" | Invoke-Expression

After the above command in PS, it prompts as below

Skipping commands that require Administrator privileges
Run Non-Admin category ?
1: Yes
2: No
3: Exit
Select an option:
Which one to choose?
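The one-liner above pipes the downloaded script straight into Invoke-Expression; the Trust section's advice is to verify the script against a fork you have already reviewed. The following is an added PowerShell example, not part of the script or of any post here, that does that check on disk before running anything; YOUR-GITHUB-USER is a placeholder for your own fork's account name.

```powershell
# Added example (not the project's own code): download the live script to a file, download the
# copy from a fork you have already reviewed, and only run the live copy when both files hash
# identically. If they differ, something changed upstream since your review, so diff it first.
$Upstream = 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1'
$Reviewed = 'https://raw.githubusercontent.com/YOUR-GITHUB-USER/Harden-Windows-Security/main/Harden-Windows-Security.ps1'  # placeholder fork

function Test-ScriptMatchesReviewedCopy {
    param([string]$UpstreamUrl, [string]$ReviewedUrl, [string]$Folder = $env:TEMP)
    $LivePath     = Join-Path $Folder 'Harden-Windows-Security.upstream.ps1'
    $ReviewedPath = Join-Path $Folder 'Harden-Windows-Security.reviewed.ps1'
    # Save both as files so the hashes cover the exact bytes that would be executed
    Invoke-WebRequest -Uri $UpstreamUrl -OutFile $LivePath     -UseBasicParsing
    Invoke-WebRequest -Uri $ReviewedUrl -OutFile $ReviewedPath -UseBasicParsing
    $LiveHash     = (Get-FileHash -Path $LivePath     -Algorithm SHA256).Hash
    $ReviewedHash = (Get-FileHash -Path $ReviewedPath -Algorithm SHA256).Hash
    [pscustomobject]@{
        Matches      = ($LiveHash -eq $ReviewedHash)
        LivePath     = $LivePath
        ReviewedPath = $ReviewedPath
        LiveHash     = $LiveHash
        ReviewedHash = $ReviewedHash
    }
}

$Check = Test-ScriptMatchesReviewedCopy -UpstreamUrl $Upstream -ReviewedUrl $Reviewed
if ($Check.Matches) {
    # Same process-scoped policy as the README's instructions; nothing is changed system-wide
    Set-ExecutionPolicy Bypass -Scope Process -Force
    & $Check.LivePath
} else {
    Write-Warning "Upstream script differs from your reviewed fork (live $($Check.LiveHash), reviewed $($Check.ReviewedHash))."
    Write-Warning "Inspect the changes before running, e.g.:"
    Write-Warning "  Compare-Object (Get-Content '$($Check.ReviewedPath)') (Get-Content '$($Check.LivePath)')"
}
```

Once the diff has been reviewed, the GitHub Sync fork step from the Trust section brings the fork up to date and the check passes again.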
 

zkSnark

Level 5
Verified
Well-known
Jan 13, 2019
203
You can choose whichever you like, it's up to you :) 1 for yes and 2 for no, 3 for exit, I suggest saying yes and run it.
You didn't run PowerShell as admin, and that's why it is skipping commands that require administrator privileges.
I had run Windows PowerShell (Admin) from the Start menu, as seen in the screenshot below. However, there is another PowerShell when I searched from the taskbar search icon. I don't know why there are 2 PowerShells.

powershell.png
 

SpyNetGirl

Level 3
Thread author
Jan 30, 2023
96
I had run Windows PowerShell (Admin) from the Start menu, as seen in the screenshot below. However, there is another PowerShell when I searched from the taskbar search icon. I don't know why there are 2 PowerShells.

View attachment 272621

Did you read the GitHub repository?

From the screenshot, it looks like you are using 3rd party security software and Windows 10. None of them are supported by this script. If you are sure you are running PowerShell as Admin and the script is still skipping admin commands, then there must be a problem on your end.
 

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,616
I had run Windows PowerShell (Admin) from the Start menu, as seen in the screenshot below. However, there is another PowerShell when I searched from the taskbar search icon. I don't know why there are 2 PowerShells.

View attachment 272621
Open Terminal, go to settings. In Default Profile choose PowerShell to use PowerShell 7 as default as I see you have already installed PowerShell 7. So use PowerShell 7. I also use it. Also set Windows Terminal as the Default Terminal application if you haven't already.
BTW, @SpyNetGirl's hardening methods are really very good and secure, but it'll be too hardcore for most users. So I would suggest that instead of just applying her script directly, you should first read the whole thing very carefully and then decide what you need and what not.
BTW, @SpyNetGirl, thanks for sharing and providing such great details. It's very educational to say the least.
 

SpyNetGirl

Level 3
Thread author
Jan 30, 2023
96
Open Terminal, go to settings. In Default Profile choose PowerShell to use PowerShell 7 as default as I see you have already installed PowerShell 7. So use PowerShell 7. I also use it. Also set Windows Terminal as the Default Terminal application if you haven't already.
BTW, @SpyNetGirl's hardening methods are really very good and secure, but it'll be too hardcore for most users. So I would suggest that instead of just applying her script directly, you should first read the whole thing very carefully and then decide what you need and what not.
BTW, @SpyNetGirl, thanks for sharing and providing such great details. It's very educational to say the least.

Thank you so much 😊
BTW, Windows PowerShell that's preinstalled is also fully supported ^^
 

zkSnark

Level 5
Verified
Well-known
Jan 13, 2019
203
Did you read the GitHub repository?

From the screenshot, it looks like you are using 3rd party security software and Windows 10. None of them are supported by this script. If you are sure you are running PowerShell as Admin and the script is still skipping admin commands, then there must be a problem on your end.
Yes, I read Github.
Mine is Windows 11. And also I clean reinstalled Windows 11 Pro last month and those are all default installations.
 

zkSnark

Level 5
Verified
Well-known
Jan 13, 2019
203
Open Terminal, go to settings. In Default Profile choose PowerShell to use PowerShell 7 as default as I see you have already installed PowerShell 7. So use PowerShell 7. I also use it. Also set Windows Terminal as the Default Terminal application if you haven't already.
Thanks, changed them.
But as you can see in my screenshot, Windows PowerShell advised to install latest PowerShell and I downloaded PowerShell from the Microsoft link. So, shouldn't Windows automatically replace old Windows PowerShell with the newly installed updated PowerShell 7 as Windows itself advised to update? Any differences between these 2 versions?
 
Last edited:

zkSnark

Level 5
Verified
Well-known
Jan 13, 2019
203
@SeriousHoax As you instructed, changed them and restarted PC. But when I click Windows PowerShell or Windows PowerShell (Admin) from Start menu, they still open Windows PowerShell (non-administrator Windows PowerShell for both) instead of PowerShell 7.
 
  • Like
Reactions: SeriousHoax

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,616
@SeriousHoax As you instructed, changed them and restarted PC. But when I click Windows PowerShell or Windows PowerShell (Admin) from Start menu, they still open Windows PowerShell (non-administrator Windows PowerShell for both) instead of PowerShell 7.
It is expected behavior. Run Terminal instead of PowerShell. The old PowerShell is still present, but not default anymore. Since it's not an issue related to her script. Let's talk about it somewhere else to keep this thread clean. You can DM me if you have any questions regarding this matter.
 

SpyNetGirl

Level 3
Thread author
Jan 30, 2023
96
Yes, I read Github.
Mine is Windows 11. And also I clean reinstalled Windows 11 Pro last month and those are all default installations.

So you're saying your Windows 11 by default looks like Windows 10? You know that means your installation media is most likely tampered with and modified.
 
  • Like
Reactions: kylprq

zkSnark

Level 5
Verified
Well-known
Jan 13, 2019
203
So you're saying your Windows 11 by default looks like Windows 10? You know that means your installation media is most likely tampered with and modified.
Installation media is from Microsoft. It looks like Windows 10 because I used ExplorerPatcher to change the look of Windows 11 menu to look like Windows 10 menu.


I just uninstalled ExplorerPatcher and reverted to the Windows 11 menu. But still, when clicking Terminal or Terminal (Admin), it's not running as Administrator. It works only when I search "PowerShell 7" from the Search button on the Taskbar and run it as Administrator.

terminal.png
 
Last edited:

SpyNetGirl

Level 3
Thread author
Jan 30, 2023
96
Installation media is from Microsoft. It looks like Windows 10 because I used ExplorerPatcher to change the look of Windows 11 menu to look like Windows 10 menu.


I just uninstalled ExplorerPatcher and reverted to the Windows 11 menu. But still, when clicking Terminal or Terminal (Admin), it's not running as Administrator. It works only when I search "PowerShell 7" from the Search button on the Taskbar and run it as Administrator.

View attachment 272632

This is not related to the script or Windows 11. How do I know? I and a few other people test it all the time. You can test it too: clean install the latest version of Windows 11, then run the script. You will see it run without this problem.

Whatever program you installed or modifications you made have caused this issue, because what you are experiencing is not the default behavior. Uninstalling 3rd party stuff like that doesn't mean everything it did is completely reverted back to how it was before installation; only programs packaged in MSIX have a clean uninstall.

By the way, if you want to see the most up-to-date version of the guide and details about the script, you can find it on GitHub only.
 

SpyNetGirl

Level 3
Thread author
Jan 30, 2023
96
Here are the changes I made to the script:

Added 2 new categories, Edge browser and Windows update

Windows Update Configurations

  • Enables Windows Update to download and install updates on any network, metered or not; because the updates are important and should not be suppressed, that's what bad actors would want.
  • Enables "Receive Updates for other Microsoft products" (such as PowerShell) and sets updates to be installed outside of active hours automatically
  • Enables "Notify me when a restart is required to finish updating"
  • Sets the deadline for automatic updates and restarts for quality and feature updates to 2 days

Edge Browser configurations


Added these for Windows Security (Defender) category:

Changes to the Trust section to make things more clear:
 
Last edited:
