
Will you use these Windows Security Tweaks?

  1. Yes

    45.7%
  2. No

    34.8%
  3. I already did!

    19.6%
  1. Umbra

    Umbra From Emsisoft
    Developer

    May 16, 2011
    17,163
    29,656
    Community manager
    Vietnam & France
    Windows 10
    Emsisoft
    #1 Umbra, Jun 9, 2016
    Last edited: Jun 9, 2016
    Hi guys,

    So I will put here various tweaks (registry, group policy, etc.) I found around the net to secure Windows more tightly. By doing them, you will reduce the attack vectors and may even remove the need for security solutions.

    As a basis, there are these articles to secure the network and the system:

    For Win7: Harden Windows 7 SP1 64bit
    For Win10 : Harden Windows 10 - A Security Guide. How to secure Windows 10

    Be careful: some tweaks will cripple some of the OS functions; test before applying them definitively.

    There are network tweaks: Windows' Security Tweaks
    There are system tweaks: Windows' Security Tweaks

    To create registry files from the script below:

    - open notepad
    - copy the lines
    - save the file as a .reg file (for example "disable unsigned elevation.reg")
    - click on the newly made .reg file, you will have 2 prompts, say yes.
    - the tweak will be applied.
     
    L S, bribon77, frogboy and 13 others like this.
  2. Umbra

    Network Tweaks
     
    L S, frogboy, Deletedmessiah and 5 others like this.
  3. Umbra

    #3 Umbra, Jun 9, 2016
    Last edited: Apr 30, 2017
    System Tweaks

    LSA Protection :

    Enable LSA protection in Windows 8.1 and Server 2012 R2

    Ask password for Admin Account:
    If a process asks for elevation, UAC will request your password even in an admin account.
    Create a registry file with these lines:
    Code:
    Windows Registry Editor Version 5.00
    
    ; Created by: Shawn Brink
    ; http://www.eightforums.com
    ; Tutorial: http://www.eightforums.com/tutorials/41136-uac-change-prompt-behavior-administrators-windows.html
    
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "ConsentPromptBehaviorAdmin"=dword:00000001


    Blocking Unsigned Elevation :
    90% of malware is unsigned and will request an elevation from UAC; this trick will block the request.
    Create a registry file with these lines:
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "ValidateAdminCodeSignatures"=dword:00000001

    If successfully implemented, the next unsigned process/program won't be allowed to execute, and you will get an error box.
    To re-enable unsigned elevation, use the same line but with "dword:00000000".

    Disable Javascript (for Edge)

    We all know that JavaScript is a well-known attack vector.
    Create a registry file with these lines:
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings\Zones\3]
    "1400"=dword:00000001

    Some tweaks from @ParaXY
    Code:
    Windows Registry Editor Version 5.00

    ;Set SmartScreen to warn:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
    "SmartScreenEnabled"="Prompt"
    
    ;Turn off Remote Assistance:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Remote Assistance]
    "fAllowToGetHelp"=dword:00000000
    
    ;Turn UAC to max setting:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "PromptOnSecureDesktop"=dword:00000001
    "EnableLUA"=dword:00000001
    "ConsentPromptBehaviorAdmin"=dword:00000002
    
    ;Enable PUP in Defender:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine]
    "MpEnablePus"=dword:00000001
    
    ;Deny elevation of unsigned executables:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "ValidateAdminCodeSignatures"=dword:00000001
    
    ;Enable Secure Sign in screen (Ctrl + Alt + Del):
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "DisableCAD"=dword:00000000
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "DisableCAD"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableCAD"=-
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableCAD"=-
    
    ;Ask for user name and password at log on screen:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=dword:00000001
    
    ;Disable cmd.exe for SUA account:
    [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System]
    "DisableCMD"=dword:00000001
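
Added example (not part of the original posts and not the posters' code): a small Python linter for .reg text of the kind posted above, limited to the value types used in this thread (dword, string, and "=-" deletion). It flags a missing version header, a key line that is not bracketed, and a value that two fragments set differently, such as ConsentPromptBehaviorAdmin being 1 in the password tweak and 2 in the UAC-max tweak. The name lint_reg and the sample text are constructed for this illustration.

```python
import re

HEADER = "Windows Registry Editor Version 5.00"
KEY_RE = re.compile(r"^\[-?HKEY_[A-Z_]+(\\.*)?\]$")
STR = r'"(?:[^"\\]|\\.)*"'
VALUE_RE = re.compile(rf"^({STR}|@)=(-|dword:[0-9a-fA-F]{{8}}|{STR})$")

# Constructed sample: one value set twice, then a key line missing its "[".
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000001

;Turn UAC to max setting:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000002

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings\Zones\3]
"1400"=dword:00000001
"""

def lint_reg(text):
    """Return (settings, problems); settings maps (KEY, name) to the last data set."""
    settings, problems, key = {}, [], None
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines()]
    if not lines or lines[0] != HEADER:
        problems.append((1, "missing version header"))
    for no, line in enumerate(lines, start=1):
        if not line or line.startswith(";") or line == HEADER:
            continue  # blank line, comment, or the header itself
        m = VALUE_RE.match(line)
        if KEY_RE.match(line):
            key = line.lstrip("[-").rstrip("]").upper()  # keys are case-insensitive
        elif m is None:
            problems.append((no, "not a key or value line: " + line))
            if line.startswith("[") or line.endswith("]"):
                key = None  # a broken key line leaves later values without a key
        elif key is None:
            problems.append((no, "value appears before any valid [key] line"))
        else:
            name, data = m.group(1).strip('"').lower(), m.group(2)
            old = settings.get((key, name))
            if old is not None and old.lower() != data.lower():
                problems.append((no, f"{name} changed from {old} to {data}"))
            settings[(key, name)] = data
    return settings, problems

if __name__ == "__main__":
    print(*lint_reg(SAMPLE)[1], sep="\n")
```

Multi-line hex values and other data types are outside what this sketch parses and would be reported as malformed.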
     
  4. Shran

    Shran Level 5

    Jan 19, 2015
    227
    913
    @Umbra,

    What kind of file should I create when making these lines?

    upload_2016-6-9_22-32-53.png
     
    Logethica likes this.
  5. Umbra

    @Shran answered on the OP
     
    Logethica, _CyberGhosT_ and Shran like this.
  6. Shran

  7. Umbra

    Are you in a Standard User Account? If yes, of course it won't work; you must be on an admin account.
     
    Sunshine-boy and _CyberGhosT_ like this.
  8. Shran

    No I am in admin, copied the code exactly (for password when UAC)
     
  9. Umbra

    Edited the line, try again.
     
  10. Shran

    Same message still :/
     
  11. Umbra

    Something is wrong; I will try to find out why.
     
    Sunshine-boy likes this.
  12. Umbra

    I edited the lines on the OP, it works now.
     
  13. _CyberGhosT_

    _CyberGhosT_ Level 52
    Trusted

    Aug 2, 2015
    4,174
    27,490
    Retired
    Central US
    Linux Mint
    Default-Deny
    Like a charm Umbra.
    Thanks
     
    bribon77, Sunshine-boy and Logethica like this.
  14. Shran

    It imported the key now, but still doesn't ask for password on UAC prompt
     
  15. Shran

    Block unsigned works, but password tweak doesn't
    upload_2016-6-10_0-41-28.png
    (unsigned error message when trying to open)

    EDIT:
    Now it works with password, I guess you need BOTH tweaks (block unsigned & password tweak) for it to work, cause when I used only the password tweak but not the unsigned one, it didn't ask for password, but now that I use both tweaks it does.
     
  16. Umbra

    @Shran the password tweak works if UAC is at max and if you enabled the password, obviously.

    Both tweaks are independent.
     
    _CyberGhosT_ likes this.
  17. _CyberGhosT_

    #17 _CyberGhosT_, Jun 10, 2016
    Last edited: Jun 10, 2016
    @Umbra
    I employed the Edge Tweak and the Blocking Unsigned Elevation.
    After doing this, any uninstall or install of software is requiring my Admin password.
    I'm not complaining for me, now that I have an awesome config that I won't change anytime soon
    this is awesome :)
    To test it I have a 1-year sub to Office so I uninstalled and re-installed it, on both occasions it required
    my admin password, there was an update for Macrium Reflect, rather than just updating I did the
    same I uninstalled & re-installed it and both times it again required my Admin Password. My last
    install was for GOG Galaxy (Game Client) same results.
    This may not be optimal for a user that changes their software often, but man I am loving this
    tweak. The weird thing for me is that I only did the code for the blocking, so this will serve
    as a "heads up" for anyone else thinking of employing that tweak.
    It could be that other tweaks I have done in the past are affecting this too, but either
    way I love the results.
    You're the best Umbra, great share.
     
  18. Shran

    @Umbra

    Yes I have UAC Maxed & Password enabled, maybe I did something wrong o_O well anyway I actually found a way to enable these tweaks using Group Policy, so now both are enabled anyway :D
     
    bribon77, Umbra and _CyberGhosT_ like this.
  19. Umbra

    Every system is different; at least they work, that is the important thing ;)

    @_CyberGhosT_ thanks ;)
     
    _CyberGhosT_ likes this.
  20. neon

    neon Level 3

    Nov 23, 2015
    113
    266
    EU
    Windows 10
    Any Windows Tweaks should be more easy to make this :)
     
    bribon77 and Andy Ful like this.