Advice Request Windows' Security Tweaks

  • Thread starter Deleted member 178

Deleted member 178

Thread author
Hi guys,

So I will put here various tweaks (registry, group policy, etc.) I found around the net to secure Windows more tightly. By applying them, you will reduce the attack vectors and may even remove the need for security solutions.

As a basis, there are these articles to secure the network and the system:

For Win7: Harden Windows 7 SP1 64bit
For Win10: Harden Windows 10 - A Security Guide. How to secure Windows 10

Be careful: some tweaks will cripple some of the OS functions; test before applying definitively.

There are network tweaks: Windows' Security Tweaks
and system tweaks: Windows' Security Tweaks

To create registry files from the script below:

- open notepad
- copy the lines
- save the file as a .reg file (for example "disable unsigned elevation.reg")
- click on the newly made .reg file, you will have 2 prompts, say yes.
- the tweak will be applied.

Deleted member 178

Thread author
System Tweaks

LSA Protection:

Enable LSA protection in Windows 8.1 and Server 2012 R2

Ask password for Admin Account:
If a process asks for elevation, UAC will request your password even in an admin account.
Create a registry file with these lines:
Code:
Windows Registry Editor Version 5.00

; Created by: Shawn Brink
; http://www.eightforums.com
; Tutorial: http://www.eightforums.com/tutorials/41136-uac-change-prompt-behavior-administrators-windows.html


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000001



Blocking Unsigned Elevation:
90% of malware is unsigned and will request an elevation from UAC; this trick will block the request.
Create a registry file with these lines:
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ValidateAdminCodeSignatures"=dword:00000001

If successfully implemented, the next unsigned process/program won't be allowed to execute, and you will get an error box.
To re-enable unsigned elevation, use the same line but with "dword:00000000".

Disable JavaScript (for Edge)

We all know that JavaScript is a well-known attack vector.
Create a registry file with these lines:
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings\Zones\3]
"1400"=dword:00000001


Some tweaks from @ParaXY
Code:
Windows Registry Editor Version 5.00

;Set SmartScreen to warn:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"SmartScreenEnabled"="Prompt"

;Turn off Remote Assistance:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Remote Assistance]
"fAllowToGetHelp"=dword:00000000

;Turn UAC to max setting:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"PromptOnSecureDesktop"=dword:00000001
"EnableLUA"=dword:00000001
"ConsentPromptBehaviorAdmin"=dword:00000002

;Enable PUP in Defender:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine]
"MpEnablePus"=dword:00000001

;Deny elevation of unsigned executables:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ValidateAdminCodeSignatures"=dword:00000001

;Enable Secure Sign in screen (Ctrl + Alt + Del):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCAD"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCAD"=-

;Ask for user name and password at log on screen:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000001

;Disable cmd.exe for SUA account:
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001
 
Last edited by a moderator:
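
An added example (not part of the original posts): a small linter for the .reg subset used in this thread, to run over a file that merges the tweaks above before importing it. It flags a missing header, a key line with a missing bracket, and a value such as ConsentPromptBehaviorAdmin that a later section sets differently; `lint_reg` and `SAMPLE` (constructed from the thread's tweaks) are assumed names.

```python
import re

HEADER = "Windows Registry Editor Version 5.00"
KEY_RE = re.compile(r"^\[-?(HKEY_[A-Z_]+\\[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(dword:[0-9a-fA-F]{8}|"[^"]*"|-)$')

# Constructed sample: tweaks from this thread merged into one file.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings\Zones\3]
"1400"=dword:00000001

;Turn UAC to max setting:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001
"ConsentPromptBehaviorAdmin"=dword:00000002
'''

def lint_reg(text):
    """Lint .reg text (assumed subset: dword, string, delete). Returns (settings, problems)."""
    settings, problems, key = {}, [], None
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        problems.append("line 1: missing header " + repr(HEADER))
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith(";") or line == HEADER:
            continue
        k, v = KEY_RE.match(line), VALUE_RE.match(line)
        if k:
            key = k.group(1).lower()          # registry paths are case-insensitive
        elif v and key:
            name, data = v.group(1), v.group(2)
            old = settings.get((key, name.lower()))
            if old and old[0] != data:        # the later assignment overwrites the earlier
                problems.append(f"line {n}: {name} set to {data}, "
                                f"overrides {old[0]} from line {old[1]}")
            settings[(key, name.lower())] = (data, n)
        elif v:
            problems.append(f"line {n}: value outside any key")
        else:                                 # e.g. a key line missing its "["
            problems.append(f"line {n}: malformed line (check brackets): {line}")
            if "HKEY_" in line.upper():       # broken key line: forget the previous key
                key = None
    return settings, problems
```

On the sample, the linter reports the bracketless Edge key on line 7, the orphaned "1400" value on line 8, and the ConsentPromptBehaviorAdmin value on line 13 that replaces the credential prompt setting from line 4.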

Shran

@Umbra,

What kind of file should I create when making these lines?


Shran

Block unsigned works, but password tweak doesn't

(unsigned error message when trying to open)

EDIT:
Now it works with password, I guess you need BOTH tweaks (block unsigned & password tweak) for it to work, cause when I used only the password tweak but not the unsigned one, it didn't ask for password, but now that I use both tweaks it does.
 

_CyberGhosT_

@Umbra
I employed the Edge Tweak and the Blocking Unsigned Elevation.
After doing this, any uninstall or install of software is requiring my Admin password.
I'm not complaining for me; now that I have an awesome config that I won't change anytime soon, this is awesome :)
To test it: I have a 1-year sub to Office, so I uninstalled and re-installed it; on both occasions it required my admin password. There was an update for Macrium Reflect; rather than just updating, I did the same: I uninstalled & re-installed it, and both times it again required my Admin password. My last install was for GOG Galaxy (Game Client), same results.
This may not be optimal for a user that changes their software often, but man, I am loving this tweak. The weird thing for me is that I only did the code for the blocking, so this will serve as a "heads up" for anyone else thinking of employing that tweak.
It could be that other tweaks I have done in the past are affecting this too, but either way I love the results.
You're the best, Umbra, great share.
 