Windows' Security Tweaks


Poll: Will you use these Windows Security Tweaks?
Total voters: 47

Umbra

Level 61
Content Creator
Verified
May 16, 2011
17,486
Ratings
30,741
Operating System
Windows 10
Installed Antivirus
Default-Deny
#1
Hi guys,

So I will put here various tweaks (registry, group policy, etc.) I found around the net to secure Windows more tightly. By doing them, you will reduce the attack vectors and may even remove the need for security solutions.

As a basis, there are these articles to secure the network and the system:

For Win7: Harden Windows 7 SP1 64bit
For Win10: Harden Windows 10 - A Security Guide. How to secure Windows 10

Be careful: some tweaks will cripple some of the OS functions; test before applying definitively.

There are network tweaks: Windows' Security Tweaks
There are system tweaks: Windows' Security Tweaks

To create registry files from the script below:

- open notepad
- copy the lines
- save the file as a .reg file (for example "disable unsigned elevation.reg")
- click on the newly made .reg file, you will have 2 prompts, say yes.
- the tweak will be applied.
 

Umbra

#3
System Tweaks

LSA Protection :

Enable LSA protection in Windows 8.1 and Server 2012 R2

Ask password for Admin Account:
If a process asks for elevation, UAC will request your password even in an admin account.
Create a registry file with these lines:
Code:
Windows Registry Editor Version 5.00

; Created by: Shawn Brink
; http://www.eightforums.com
; Tutorial: http://www.eightforums.com/tutorials/41136-uac-change-prompt-behavior-administrators-windows.html


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000001


Blocking Unsigned Elevation:
90% of malware is unsigned and will request an elevation from UAC; this trick will block the request.
Create a registry file with these lines:
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ValidateAdminCodeSignatures"=dword:00000001

If successfully implemented, the next unsigned process/program won't be allowed to execute, and you will get an error box.
To re-enable unsigned elevation, use the same line but with "dword:00000000".

Disable JavaScript (for Edge)

We all know that JavaScript is a well-known attack vector.
Create a registry file with these lines:
Code:
Windows Registry Editor Version 5.00

; Zones\3 is the Internet zone; 1400 is the active scripting setting
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings\Zones\3]
"1400"=dword:00000001

Some tweaks from @ParaXY
Code:
Windows Registry Editor Version 5.00

;Set SmartScreen to warn:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"SmartScreenEnabled"="Prompt"

;Turn off Remote Assistance:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Remote Assistance]
"fAllowToGetHelp"=dword:00000000

;Turn UAC to max setting:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"PromptOnSecureDesktop"=dword:00000001
"EnableLUA"=dword:00000001
"ConsentPromptBehaviorAdmin"=dword:00000002

;Enable PUP in Defender:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine]
"MpEnablePus"=dword:00000001

;Deny elevation of unsigned executables:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ValidateAdminCodeSignatures"=dword:00000001

;Enable Secure Sign in screen (Ctrl + Alt + Del):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCAD"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCAD"=-

;Ask for user name and password at log on screen:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000001

;Disable cmd.exe for SUA account:
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001
 
Last edited:
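
A way to check a .reg file before importing it, as an added example that is not part of the original posts: the hypothetical `lint_reg` helper flags a missing header, a key line that has lost a bracket, and a value that a later entry in the same file overrides (here `ConsentPromptBehaviorAdmin`, set to 1 by the password tweak and to 2 by the "UAC to max" entry). The sample text is constructed from the snippets in this thread.

```python
import re

# Constructed sample from the thread's snippets; the Edge key line deliberately lacks "[".
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings\Zones\3]
"1400"=dword:00000001

;Turn UAC to max setting:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"PromptOnSecureDesktop"=dword:00000001
"ConsentPromptBehaviorAdmin"=dword:00000002
'''

HEADER = "Windows Registry Editor Version 5.00"
KEY_RE = re.compile(r"^\[(-?HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.+)$')

def lint_reg(text):
    """Return (effective_values, findings) for the text of a .reg file."""
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines()]
    findings, effective, key = [], {}, None
    if not lines or lines[0] != HEADER:
        findings.append((1, "missing-header"))
    for no, ln in enumerate(lines, 1):
        if not ln or ln.startswith(";") or ln == HEADER:
            continue
        m = KEY_RE.match(ln)
        if m:
            key = m.group(1).upper()       # registry key names are case-insensitive
            continue
        m = VALUE_RE.match(ln)
        if m and key:
            slot = (key, m.group(1).strip('"').lower())
            if slot in effective and effective[slot] != m.group(2):
                findings.append((no, "overrides-earlier-value"))
            effective[slot] = m.group(2)   # the last assignment wins on import
        elif m:
            findings.append((no, "value-without-key"))
        else:
            key = None                     # do not attach values to a bad key line
            findings.append((no, "malformed-line"))
    return effective, findings

if __name__ == "__main__":
    print(lint_reg(SAMPLE)[1])
```

The findings are `(line number, kind)` pairs; the first element of the result holds the value each entry would end up with after the whole file is imported.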

Umbra

#7
Are you in a Standard User Account? If yes, of course it won't work; you must be on an admin account.
 

Umbra

#9
Edited the line, try again.
 

Umbra

#11
Something is wrong; I will try to find out why.
 

Umbra

#12
I edited the lines on the OP, it works now.
 
Jan 19, 2015
227
Ratings
913
#15
Block unsigned works, but password tweak doesn't
upload_2016-6-10_0-41-28.png

(unsigned error message when trying to open)

EDIT:
Now it works with password, I guess you need BOTH tweaks (block unsigned & password tweak) for it to work, cause when I used only the password tweak but not the unsigned one, it didn't ask for password, but now that I use both tweaks it does.
 

Umbra

#16
@Shran the password tweak works if UAC is at max and if you enabled the password, obviously.

Both tweaks are independent.
 

_CyberGhosT_

Level 52
Verified
Aug 2, 2015
4,177
Ratings
27,272
Operating System
Linux Mint
Installed Antivirus
Default-Deny
#17
@Umbra
I employed the Edge Tweak and the Blocking Unsigned Elevation.
After doing this, any uninstall or install of software is requiring my Admin password.
I'm not complaining; for me, now that I have an awesome config that I won't change anytime soon, this is awesome :)
To test it: I have a 1-year sub to Office, so I uninstalled and re-installed it; on both occasions it required my admin password. There was an update for Macrium Reflect; rather than just updating I did the same, I uninstalled & re-installed it, and both times it again required my Admin Password. My last install was for GOG Galaxy (Game Client), same results.
This may not be optimal for a user that changes their software often, but man I am loving this tweak. The weird thing for me is that I only did the code for the blocking, so this will serve as a "heads up" for anyone else thinking of employing that tweak.
It could be that other tweaks I have done in the past are affecting this too, but either way I love the results.
You're the best Umbra, great share.
 
Jan 19, 2015
227
Ratings
913
#18
@Umbra

Yes I have UAC Maxed & Password enabled, maybe I did something wrong o_O well anyway I actually found a way to enable these tweaks using Group Policy, so now both are enabled anyway :D
 

Umbra

#19
Every system is different; at least they work, that is the important thing ;)

@_CyberGhosT_ thanks ;)