Q&A Windows' Security Tweaks

Omnipotent · Aug 13, 2016

It's the other way around @Umbra, You made a mistake. (ConsentPromptBehaviorAdmin) adds UAC password prompt and (ValidateAdminCodeSignatures) blocks unsigned processes/programs. Just tested it.

Deleted member 178 · Aug 13, 2016

yes lol , thanks for noticing the mistake

frogboy · Aug 13, 2016

Thanks @Umbra i shall try these tweaks and see what happens.

Sorry i did not see them before.

Av Gurus · Aug 13, 2016

Umbra said:
hi guys,

So i will put here various tweaks (registry, group policy, etc...) i found around the net to secure Windows more tightly. By doing them , you will reduce the attacks vector and may even remove the need of security solutions.

As a basis there is these articles to secure the network and the system

For Win7: Harden Windows 7 SP1 64bit
For Win10 : Harden Windows 10 - A Security Guide. How to secure Windows 10

Is this your web page or someone else?
If it is yours, are you updating the tweaks?

Deleted member 178 · Aug 13, 2016

Av Gurus said:
Is this your web page or someone else?
If it is yours, are you updating the tweaks?

not mine

Av Gurus · Aug 13, 2016

Do you have some similar web pages with tweaks in your bookmarks to share with us?

Deleted member 178 · Apr 30, 2017

Updated the "system tweaks" section by adding @ParaXY 's tweaks

cryogent · May 1, 2017

Thanks @Umbra for this great topic.
Barely wait to get home to make some changes.

.

Sunshine-boy · Sep 19, 2017

Someone pls share new and effective tweak thanks.

Av Gurus · Sep 28, 2017

Umbra said:
System Tweaks

Blocking Unsigned Elevation :
90% of malware are unsigned and will request an elevation from UAC, this trick will block the request.
Create a registry file with this lines :

Code:

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] "ValidateAdminCodeSignatures"=dword:00000001

If successfully implemented, the next unsigned process/program; won't be allow to execute, and you will have a error box.
To re-enabled unsigned elevation , use the same line but with "dword:00000000"

Is it possible to make some kinda whitelist or something similar with this reg tweak?
I have some portable app who are unsigned and can't run with this tweak (accept change that tweak everytime).

Andy Ful · Sep 28, 2017

Av Gurus said:
Is it possible to make some kinda whitelist or something similar with this reg tweak?
I have some portable app who are unsigned and can't run with this tweak (accept change that tweak everytime).

No whitelisting possibility. You can run unsigned application using several ways:

via scheduled task trick (works only on admin account and run the program elevated);
using the bat files to deactivate/activate this feature via the Registry;
writing a simple loader script in powerhell or Windows Script Host.
running first, the signed file manager as administrator (Total Commander), and using it to run portable applications (they will be run elevated without UAC prompt).

Nither of the above is especially convenient.

bribon77 · Sep 28, 2017

Very good, Some adjustments already I make them. for a long time but this guide is very good, Thank you.

Sunshine-boy · Sep 28, 2017

Andy I know you have a lot of secret tweaks pls share it with us:notworthy:

Andy Ful · Sep 28, 2017

They are easily accessible, for example :
Download Group Policy Settings Reference for Windows and Windows Server from Official Microsoft Download Center
https://msdnshared.blob.core.windows.net/media/2017/08/Windows-10-RS2-Security-Baseline-FINAL.zip
But, not many policies are usable for home computers. The most usable are (will be) included in Hard_Configurator.

Edit 1
Edited the link. Open the zip file and look into Documentation folder. Before applying any policy, gogle some info about it.

Edit 2
Manual reg tweaks are recommended only for experienced users, you can easily break your system. Personally, I use Shadow Defender, when testing reg tweaks.

Sunshine-boy · Sep 28, 2017

Thanks! I was searching for a link like this one.

Andy Ful · Sep 28, 2017

Sunshine-boy said:
Thanks! I was searching for a link like this one.

You have been warned!

Sunshine-boy · Sep 28, 2017

Andy Ful said:
warned

I see thank you

Andy Ful · Sep 28, 2017

Sunshine-boy said:
I see thank you

Added the second useful link, to my previous post.

Av Gurus · Sep 28, 2017

Andy Ful said:
No whitelisting possibility. You can run unsigned application using several ways:

using the bat files to deactivate/activate this feature via the Registry;

Can you make that .bat file for me, please?

EDIT:

Can I make a quick reg files for change, like this?
Enable.reg:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ValidateAdminCodeSignatures"=dword:00000001

Disable.reg:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ValidateAdminCodeSignatures"=dword:00000000

Andy Ful · Sep 28, 2017

Av Gurus said:
Can you make that .bat file for me, please?

EDIT:

Can I make a quick reg files for change, like this?
Enable.reg:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ValidateAdminCodeSignatures"=dword:00000001

Disable.reg:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ValidateAdminCodeSignatures"=dword:00000000

Yes, they are correct.

Q&A Windows' Security Tweaks

Will you use these Windows Security Tweaks?

Yes

No

I already did!

Omnipotent

Deleted member 178

In memoriam 1961-2018

Level 29

Deleted member 178

Level 29

Deleted member 178

Level 5

Level 27

Level 29

Level 67

Level 34

Level 27

Level 67

Level 27

Level 67

Level 27

Level 67

Level 29

Level 67

Similar threads