Windows' Security Tweaks

Will you use these Windows Security Tweaks?


  • Total voters
    53

Umbra

Level 85
Content Creator
Trusted
Joined
May 16, 2011
Messages
17,965
OS
Windows 10
Antivirus
Default-Deny
#1
Hi guys,

So I will put here various tweaks (registry, group policy, etc.) I found around the net to secure Windows more tightly. By applying them, you will reduce the attack vectors and may even remove the need for security solutions.

As a basis, there are these articles to secure the network and the system:

For Win7: Harden Windows 7 SP1 64bit
For Win10: Harden Windows 10 - A Security Guide. How to secure Windows 10

Be careful: some tweaks will cripple some of the OS functions; test before applying definitively.

Network tweaks: Windows' Security Tweaks
System tweaks: Windows' Security Tweaks

To create registry files from the script below:

- open notepad
- copy the lines
- save the file as a .reg file (for example "disable unsigned elevation.reg")
- click on the newly made .reg file, you will have 2 prompts, say yes.
- the tweak will be applied.
 

Umbra

#3
System Tweaks

LSA Protection:

Enable LSA protection in Windows 8.1 and Server 2012 R2

Ask password for Admin Account:
If a process asks for elevation, UAC will request your password even in an admin account.
Create a registry file with these lines:
Code:
Windows Registry Editor Version 5.00

; Created by: Shawn Brink
; http://www.eightforums.com
; Tutorial: http://www.eightforums.com/tutorials/41136-uac-change-prompt-behavior-administrators-windows.html


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000001


Blocking Unsigned Elevation:
90% of malware is unsigned and will request an elevation from UAC; this trick will block the request.
Create a registry file with these lines:
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ValidateAdminCodeSignatures"=dword:00000001
If successfully implemented, the next unsigned process/program won't be allowed to execute, and you will get an error box.
To re-enable unsigned elevation, use the same line but with "dword:00000000".

Disable JavaScript (for Edge)

We all know that JavaScript is a well-known attack vector.
Create a registry file with these lines:
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings\Zones\3]
"1400"=dword:00000001

Some tweaks from @ParaXY
Code:
Windows Registry Editor Version 5.00

;Set SmartScreen to warn:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"SmartScreenEnabled"="Prompt"

;Turn off Remote Assistance:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Remote Assistance]
"fAllowToGetHelp"=dword:00000000

;Turn UAC to max setting:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"PromptOnSecureDesktop"=dword:00000001
"EnableLUA"=dword:00000001
"ConsentPromptBehaviorAdmin"=dword:00000002

;Enable PUP in Defender:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine]
"MpEnablePus"=dword:00000001

;Deny elevation of unsigned executables:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ValidateAdminCodeSignatures"=dword:00000001

;Enable Secure Sign in screen (Ctrl + Alt + Del):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCAD"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCAD"=-

;Ask for user name and password at log on screen:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000001

;Disable cmd.exe for SUA account:
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001
 
Last edited:
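
Added example, not part of the original posts: a small Python linter for .reg text like the snippets in post #3. It flags key lines with broken brackets and value names that are assigned different data under the same key; the sample input is constructed from lines quoted in the thread, and `lint_reg` is a hypothetical name.

```python
import re

# Constructed sample, assembled from lines quoted in the thread above.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings\Zones\3]
"1400"=dword:00000001

;Turn UAC to max setting:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000002
'''

HEADER = "Windows Registry Editor Version 5.00"
KEY_RE = re.compile(r"^\[-?(HKEY_[A-Z_]+\\[^\]]*)\]$")
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.+)$')

def lint_reg(text):
    """Return a list of (line_no, message) findings for .reg file text."""
    findings, seen, key = [], {}, None
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() != HEADER:
        findings.append((1, "missing header line"))
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith(";") or line == HEADER:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).upper()   # registry key paths are case-insensitive
            continue
        if line.upper().startswith("HKEY_") or line.startswith("["):
            findings.append((no, "malformed key line (check the brackets)"))
            key = None                 # values that follow have no valid key
            continue
        v = VALUE_RE.match(line)
        if not v:
            findings.append((no, "unrecognised line"))
        elif key is None:
            findings.append((no, "value has no valid key line above it"))
        else:
            name, data = v.group(1).lower(), v.group(2).strip()
            prev = seen.setdefault((key, name), (no, data))
            if prev[1].lower() != data.lower():
                findings.append((no, f"{v.group(1)} overrides line {prev[0]} ({prev[1]} -> {data})"))
    return findings
```

On the sample, the last finding shows that importing both snippets in this order leaves `ConsentPromptBehaviorAdmin` at 2 (prompt for consent) rather than 1 (prompt for credentials).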

Umbra

#9
Edited the line, try again.
 
Joined
Jan 19, 2015
Messages
227
#15
Block unsigned works, but password tweak doesn't
upload_2016-6-10_0-41-28.png

(unsigned error message when trying to open)

EDIT:
Now it works with the password. I guess you need BOTH tweaks (block unsigned & password tweak) for it to work, because when I used only the password tweak but not the unsigned one, it didn't ask for a password, but now that I use both tweaks it does.
 

Umbra

#16
@Shran the password tweak works if UAC is at max and if you enabled the password, obviously.

Both tweaks are independent.
 
Likes: _CyberGhosT_

_CyberGhosT_

Level 52
Trusted
Joined
Aug 2, 2015
Messages
4,180
OS
Linux Mint
Antivirus
Default-Deny
#17
@Umbra
I employed the Edge Tweak and the Blocking Unsigned Elevation.
After doing this, any uninstall or install of software requires my Admin password.
I'm not complaining; for me, now that I have an awesome config that I won't change anytime soon, this is awesome :)

To test it, I have a 1-year sub to Office, so I uninstalled and re-installed it; on both occasions it required my admin password. There was an update for Macrium Reflect; rather than just updating, I did the same: I uninstalled and re-installed it, and both times it again required my Admin Password. My last install was for GOG Galaxy (Game Client), same results.

This may not be optimal for a user that changes their software often, but man, I am loving this tweak. The weird thing for me is that I only did the code for the blocking, so this will serve as a "heads up" for anyone else thinking of employing that tweak.
It could be that other tweaks I have done in the past are affecting this too, but either way I love the results.
You're the best Umbra, great share.
 

Umbra

#19
@Umbra

Yes I have UAC Maxed & Password enabled, maybe I did something wrong o_O well anyway I actually found a way to enable these tweaks using Group Policy, so now both are enabled anyway :D
Every system is different; at least they work, that is the important thing ;)

@_CyberGhosT_ thanks ;)
 
Likes: _CyberGhosT_
