PROTECT - Hardening Microsoft Windows 10 Version 21H1 Workstations (October 2021)
Application control
Credential protection
Credential entry
Elevating privileges
Exploit protection
Measured Boot
Microsoft Edge
Multi-factor authentication
Secure Boot
Medium priorities
Account lockout policy
Anonymous connections
Antivirus software
Attachment Manager
Audit event management
Boot devices
Bridging networks
CD burner access
Command Prompt
Drive encryption
Installing applications
Microsoft accounts
MSS settings
Network authentication
NoLMHash policy
Power management
PowerShell
Remote Assistance
Reporting system information
Safe Mode
Security policies
Session locking
Software-based firewalls
Sound Recorder
System cryptography
UEFI passwords
Low priorities
Displaying file extensions
Location awareness
Microsoft Store
Further information
Contact details
Introduction
Workstations are often targeted by malicious actors using malicious websites, emails or removable media in an attempt
to extract sensitive information. Hardening workstations is an important part of reducing this risk.
This publication provides recommendations on hardening workstations using Enterprise and Education editions of
Microsoft Windows 10 version 21H1. Before implementing recommendations in this publication, thorough testing should
be undertaken to ensure the potential for unintended negative impacts on business processes is reduced as much as
possible.
While this publication refers to workstations, most recommendations are equally applicable to servers (with the
exception of Domain Controllers) using Microsoft Windows Server.
Security features discussed in this publication, along with the names and locations of Group Policy settings, are taken
from Microsoft Windows 10 version 21H1 – some differences will exist for earlier versions.
For cloud-based device managers, such as Microsoft Endpoint Manager, equivalents can be found for many of the Group
Policy settings. Alternatively, there is often a function to import Group Policy settings into cloud-based device managers.
High priorities
The following recommendations, listed in alphabetical order, should be treated as high priorities when hardening
Microsoft Windows 10 workstations.
Application hardening
When applications are installed they are often not pre-configured in a secure state. By default, many applications enable
functionality that isn’t required by any users while in-built security functionality may be disabled or set at a lower
security level. For example, Microsoft Office by default allows untrusted macros in Office documents to automatically
execute without user interaction. To reduce this risk, applications should have any in-built security functionality enabled
and appropriately configured along with unrequired functionality disabled. This is especially important for key
applications such as office productivity suites (e.g. Microsoft Office), PDF readers (e.g. Adobe Reader), web browsers
(e.g. Microsoft Internet Explorer, Mozilla Firefox or Google Chrome), common web browser plugins (e.g. Adobe Flash),
email clients (Microsoft Outlook) and software platforms (e.g. Oracle Java Platform and Microsoft .NET Framework). In
addition, vendors may provide guidance on configuring their products securely. For example, Microsoft provides security
baselines for their products on the Microsoft Security Baselines Blog. In such cases, vendor guidance should be
followed to assist in securely configuring their products.
The Australian Signals Directorate also provides guidance for hardening Microsoft Office. For more information see the
Hardening Microsoft 365, Office 2021, Office 2019 and Office 2016 publication.
Application control
Malicious actors can email malicious code, or host malicious code on a compromised website, and use social engineering
techniques to convince users into executing it. Such malicious code often aims to exploit vulnerabilities in existing
applications and does not need to be installed to be successful. Application control can be an extremely effective
mechanism in not only preventing malicious code from executing, but also ensuring only approved applications can be
installed.
When developing application control rules, starting from scratch is a more secure method than relying on a list of
executable content currently residing on a workstation. Furthermore, it is preferable that organisations define their own
application control ruleset rather than relying on rulesets from application control vendors. This application control
ruleset should then be regularly assessed to determine if it remains fit for purpose.
For more information on application control and how it can be appropriately implemented see the Implementing
Application Control publication.
In order to use ASR, Microsoft Defender Antivirus must be configured as the primary real-time antivirus scanning engine
on workstations. ASR offers a number of rules which are included below.
Organisations should either implement ASR using Microsoft Defender Antivirus or use third-party antivirus solutions that
offer similar functionality to those provided by ASR. For older versions of Microsoft Windows, alternative measures will
need to be implemented to mitigate certain threats addressed by ASR, such as the likes of Dynamic Data Exchange (DDE)
attacks.
For organisations using Microsoft Defender Antivirus, the following Group Policy settings can be implemented to enforce
the above ASR rules.
Credential protection
Cached credentials are stored in the Security Accounts Manager (SAM) database and can allow a user to log onto a
workstation they have previously logged onto even if the domain is not available. Whilst this functionality may be
desirable from an availability of services perspective, this functionality can be abused by malicious actors who can
retrieve these cached credentials (potentially Domain Administrator credentials in a worst-case scenario). To reduce this
risk, cached credentials should be limited to only one previous logon.
The following Group Policy settings can be implemented to disable credential caching.
Within an active user session, credentials are cached within the Local Security Authority Subsystem Service (LSASS)
process (including the user’s passphrase in plaintext if WDigest authentication is enabled) to allow for access to network
resources without users having to continually enter their credentials. Unfortunately, these credentials are at risk of theft
by malicious actors. To reduce this risk, WDigest authentication should be disabled.
Credential Guard, a security feature of Microsoft Windows 10, is also designed to assist in protecting the LSASS process.
The following Group Policy settings can be implemented to disable WDigest authentication as well as enable Credential
Guard functionality, assuming all software, firmware and hardware prerequisites are met. Note, the MS Security Guide
Group Policy settings are available as part of the Microsoft Security Compliance Toolkit.
Credential entry
When users enter their credentials on a workstation it provides an opportunity for malicious code, such as a key logging
application, to capture the credentials. To reduce this risk, users should be authenticated by using a trusted path to enter
their credentials on the Secure Desktop.
The following Group Policy settings can be implemented to ensure credentials are entered in a secure manner.
Group Policy Setting | Recommended Option
Do not display network selection UI | Enabled
Elevating privileges
Microsoft Windows provides the ability to require confirmation from users, via the User Account Control (UAC)
functionality, before any sensitive actions are performed. The default settings allow privileged users to perform sensitive
actions without first providing credentials, and while standard users must provide privileged credentials, they are not
required to do so via a trusted path on the Secure Desktop. This provides an opportunity for malicious actors that gain
access to an open session of a privileged user to perform sensitive actions at will, or for malicious code to capture any
credentials entered by a standard user when attempting to elevate their privileges. To reduce this risk, UAC functionality
should be implemented to ensure all sensitive actions are authorised by providing credentials on the Secure Desktop.
The following Group Policy settings can be implemented to configure UAC functionality effectively.
Group Policy Setting | Recommended Option
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for credentials on the secure desktop
User Account Control: Behavior of the elevation prompt for standard users | Automatically deny elevation requests
Exploit protection
Malicious actors that develop exploits for Microsoft Windows or third-party applications will have a higher success rate
when security measures designed by Microsoft to help prevent vulnerabilities from being exploited are not
implemented. Microsoft Defender’s exploit protection functionality, a security feature of Microsoft Windows 10,
provides system-wide and application-specific security measures. Exploit protection is designed to replace the Enhanced
Mitigation Experience Toolkit (EMET) that was used on earlier versions of Microsoft Windows 10.
System-wide security measures configurable via exploit protection include: Control Flow Guard (CFG), Data Execution
Prevention (DEP), mandatory Address Space Layout Randomization (ASLR), bottom-up ASLR, Structured Exception
Handling Overwrite Protection (SEHOP) and heap corruption protection.
Many more application-specific security measures are also available, however, they will require testing (either within a
test environment or using audit mode) beforehand to limit the likelihood of any unintended consequences. As such, a
staged approach to implementing application-specific security measures is prudent. In doing so, applications that ingest
arbitrary untrusted data from the internet should be prioritised.
The following Group Policy settings can be implemented to define exploit protection settings and to prevent users from
modifying these settings on their devices.
In addition, the following Group Policy setting can be implemented to ensure DEP is not disabled for File Explorer.
Furthermore, the following Group Policy setting can be implemented to force the use of SEHOP. Note, the MS Security
Guide Group Policy settings are available as part of the Microsoft Security Compliance Toolkit.
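The staged approach described above, written out as an added PowerShell example (this is not code from the publication). The export path and the process name of the application that ingests untrusted internet content are placeholders; everything else uses the ProcessMitigation cmdlets and event log channels that ship with Windows 10.

```powershell
# Added example, not from the ACSC publication: a staged exploit protection
# rollout. Run in an elevated PowerShell session on Windows 10.
# Assumed placeholders: $ExportPath and the PDF reader process name.

$ExportPath       = 'C:\Temp\ExploitProtection-before.xml'   # placeholder
$UntrustedDataApp = 'AcroRd32.exe'                           # placeholder: an app that ingests internet content

# Step 1: record the current configuration so the change can be reverted
# (Set-ProcessMitigation -PolicyFilePath <file> re-imports such an export).
New-Item -ItemType Directory -Path (Split-Path -Parent $ExportPath) -Force | Out-Null
Get-ProcessMitigation -RegistryConfigFilePath $ExportPath

# Step 2: turn on the system-wide measures listed above. ForceRelocateImages is
# mandatory ASLR and can break images that lack relocation data, so validate it
# in a test environment first, as the publication advises.
Set-ProcessMitigation -System -Enable DEP, CFG, SEHOP, BottomUp, HighEntropy, ForceRelocateImages, TerminateOnError

# Step 3: an application-specific mitigation in audit mode only. AuditDynamicCode
# reports where arbitrary code guard (BlockDynamicCode) would have blocked a
# dynamic code allocation, without actually blocking it.
Set-ProcessMitigation -Name $UntrustedDataApp -Enable AuditDynamicCode

# Step 4: review what audit mode recorded before enforcing anything. Exploit
# protection writes its audit events to the Security-Mitigations event log channels.
function Get-ExploitProtectionAuditEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Security-Mitigations/UserMode'
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}
Get-ExploitProtectionAuditEvents | Format-Table -AutoSize -Wrap

# Step 5 (only once the audit events show no legitimate use was affected):
# switch the application from audit to enforcement.
# Set-ProcessMitigation -Name $UntrustedDataApp -Enable BlockDynamicCode -Disable AuditDynamicCode
```

The XML written in step 1 is also the file format that the exploit protection Group Policy setting distributes, so a tested configuration can be exported the same way and deployed centrally.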
If a common local administrator account absolutely must be used for workstation management then Microsoft’s Local
Administrator Password Solution (LAPS) needs to be used to ensure unique passphrases are used for each workstation. In
addition, User Account Control restrictions should be applied to remote connections using such accounts. Note, the MS
Security Guide Group Policy settings are available as part of the Microsoft Security Compliance Toolkit.
Measured Boot
The third key security feature of Trusted Boot, supported by Microsoft Windows 10 in combination with motherboards
with both a UEFI and a Trusted Platform Module (TPM), is Measured Boot. Measured Boot is used to develop a reliable
log of components that are initialised before the ELAM driver. This information can then be scrutinised by antimalware
software for signs of tampering of boot components. To reduce the risk that malicious changes to boot components go
unnoticed, Measured Boot should be used on workstations that support it.
Microsoft Edge
Microsoft Edge is a web browser that was first introduced in Microsoft Windows 10 to replace Internet Explorer 11. As
Microsoft Edge contains enhanced security functionality (being based on the Chromium project) it should be used
wherever possible.
For organisations using Microsoft Edge instead of third-party web browsers, a number of Group Policy settings can be
configured (once the supporting Group Policy Administrative Templates have been installed) to harden the web browser,
including Microsoft Defender SmartScreen. Recommended hardening guidance for Microsoft Edge is available from the
Microsoft Security Baselines Blog.
Multi-factor authentication
As privileged credentials often allow users to bypass security functionality put in place to protect workstations, and are
susceptible to key logging applications, it is important that they are appropriately protected against compromise. In
addition, malicious actors that brute force captured password hashes can gain access to workstations if multi-factor
authentication hasn’t been implemented. To reduce this risk, hardware-based multi-factor authentication should be
used for privileged users, remote access and any access to important or sensitive data repositories.
Organisations may consider whether Windows Hello for Business (WHfB) is suitable for their environment. Notably,
WHfB can be configured with a personal identification number (PIN) or face/fingerprint recognition to unlock the use of
asymmetric cryptography stored in a TPM in order to authenticate users. Note, the use of TPMs places additional
importance on patching TPMs for vulnerabilities and decommissioning those devices that are not able to be patched.
Organisations may also choose to enforce the use of the latest versions of TPMs when using WHfB. Finally, Microsoft has
issued guidance on the use of FIDO2 security tokens as part of multi-factor authentication for Microsoft Windows logons.
For more information on how to effectively implement multi-factor authentication see the Implementing Multi-Factor
Authentication publication.
vulnerability being patched and develop an associated exploit. This activity can be undertaken in less than one day and
has led to an increase in 1-day attacks. To reduce this risk, operating system patches and driver updates should be
centrally managed, deployed and applied in an appropriate timeframe as determined by the severity of the vulnerability
and any mitigating measures already in place.
Previously, operating system patching was typically achieved by using Microsoft Endpoint Configuration Manager, or
Microsoft Windows Server Update Services (WSUS), along with Wake-on-LAN functionality to facilitate patching outside
of core business hours. However, Windows Update for Business may replace or supplement many WSUS functions.
Configuration of Windows Update for Business can be applied through Group Policy settings or the equivalent settings in
Microsoft Endpoint Manager. Microsoft has also issued guidance on common misconfigurations relating to Windows
updates.
For more information on determining the severity of vulnerabilities and timeframes for applying patches see the
Patching Applications and Operating Systems publication.
The following Group Policy settings can be implemented to ensure operating systems remain appropriately patched.
Furthermore, if a Windows Server Update Services (WSUS) server is used, the following Group Policy setting can be
implemented.
Operating system version
Microsoft Windows 10 has introduced improvements in security functionality over previous versions of Microsoft
Windows. This has made it more difficult for malicious actors to craft reliable exploits for vulnerabilities they discovered.
Using older versions of Microsoft Windows, including previous versions of Microsoft Windows 10, exposes organisations
to exploit techniques that have since been mitigated in newer versions of Microsoft Windows. To reduce this risk,
workstations should use the latest version of Microsoft Windows 10.
Secure Boot
Another method for malicious code to maintain persistence and prevent detection is to replace the default boot loader
for Microsoft Windows with a malicious version. In such cases the malicious boot loader executes at boot time and loads
Microsoft Windows without any indication that it is present. Such malicious boot loaders are extremely difficult to detect
and can be used to conceal malicious code on workstations. To reduce this risk, motherboards with Secure Boot
functionality should be used. Secure Boot, a component of Trusted Boot, is a security feature of Microsoft Windows 10 in
combination with motherboards with a UEFI. Secure Boot works by checking at boot time that the boot loader is signed
and matches a Microsoft-signed certificate stored in the UEFI. If the certificate signatures match, the boot loader is
allowed to run; otherwise it is prevented from running and the workstation will not boot.
Medium priorities
The following recommendations, listed in alphabetical order, should be treated as medium priorities when hardening
Microsoft Windows 10 workstations.
Anonymous connections
Malicious actors can use anonymous connections to gather information about the state of workstations. Information
that can be gathered from anonymous connections (i.e. using the net use command to connect to the IPC$ share) can
include lists of users and groups, SIDs for accounts, lists of shares, workstation policies, operating system versions and
patch levels. To reduce this risk, anonymous connections to workstations should be disabled.
The following Group Policy settings can be implemented to disable the use of anonymous connections.
Group Policy Setting | Recommended Option
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled
Antivirus software
Malicious actors can develop malicious code to exploit vulnerabilities in software not detected and remedied by vendors
during testing. As significant time and effort is often involved in the development of functioning and reliable exploits,
malicious actors will often reuse their exploits as much as possible before being forced to develop new exploits. To
reduce this risk, endpoint security applications with signature-based antivirus functionality should be implemented. In
doing so, signatures should be updated at least on a daily basis.
Whilst using signature-based antivirus functionality can assist in reducing risk, they are only effective when a particular
piece of malicious code has already been profiled and signatures are current. Malicious actors can create variants of
known malicious code, or develop new unseen malicious code, to bypass traditional signature-based detection
mechanisms. To reduce this risk, endpoint security applications with host-based intrusion prevention functionality, or
equivalent functionality leveraging cloud-based services, should also be implemented. In doing so, such functionality
should be set at the highest level available.
If using Microsoft Defender Antivirus, the following Group Policy settings can be implemented to optimally configure it.
Group Policy Setting | Recommended Option
Send file samples when further analysis is required | Send safe samples
Check for the latest virus and spyware definitions before running a scheduled scan | Enabled
Attachment Manager
The Attachment Manager within Microsoft Windows works in conjunction with applications such as the Microsoft Office
suite and Internet Explorer to help protect workstations from attachments that have been received via email or
downloaded from the internet. The Attachment Manager classifies files as high, medium or low risk based on the zone
they originated from and the type of file. Based on the risk to the workstation, the Attachment Manager will either issue
a warning to a user or prevent them from opening a file. If zone information is not preserved, or can be removed, it can
allow malicious actors to socially engineer a user to bypass protections afforded by the Attachment Manager. To reduce
this risk, the Attachment Manager should be configured to preserve and protect zone information for files.
The following Group Policy settings can be implemented to ensure zone information associated with attachments is
preserved and protected.
Group Policy Setting | Recommended Option
Manage auditing and security log | Administrators
Furthermore, the following Group Policy settings can be implemented to enable a comprehensive auditing strategy.
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change
Boot devices
By default, workstations are often configured to boot from optical media, or even USB media, in preference to hard
drives. Malicious actors with physical access to such workstations can boot from their own media in order to gain access
to the content of the hard drives. With this access, malicious actors can reset local user account passwords or gain access
to the local SAM database to steal password hashes for offline brute force cracking attempts. To reduce this risk,
workstations should be restricted to only booting from the designated primary system drive.
Bridging networks
When workstations have multiple network interfaces, such as an Ethernet interface and a wireless interface, it is possible
to establish a bridge between the connected networks. For example, an Ethernet interface may be used to connect to an
organisation’s wired network while a wireless interface connects to another, non-organisation-controlled network such as
a public wireless hotspot. When bridges are created between such networks, malicious actors can directly access the
wired network from the wireless network to extract sensitive information. To reduce this risk, the ability to install and
configure network bridges between different networks should be disabled. This won’t prevent malicious actors from
compromising a workstation via the wireless network and then using malicious software as a medium to indirectly access
the wired network. This can only be prevented by manually disabling all wireless interfaces when connecting to wired
networks.
The following Group Policy settings can be implemented to disable the ability to install and configure network bridges.
CD burner access
If CD burning functionality is enabled, and CD burners are installed in workstations, malicious actors may attempt to steal
sensitive information by burning it to CD. To reduce this risk, users should not have access to CD burning functionality
except when explicitly required.
The following Group Policy setting can be implemented to prevent access to CD burning functionality, although as this
Group Policy setting only prevents access to native CD burning functionality in Microsoft Windows, users should also be
prevented from installing third-party CD burning applications. Alternatively, CD readers can be used in workstations
instead of CD burners.
Centralised audit event logging
Storing audit event logs on workstations poses a risk that malicious actors could attempt to modify or delete these logs
during an intrusion to cover their tracks. In addition, failure to conduct centralised audit event logging will reduce the
visibility of audit events across all workstations, prevent the correlation of audit events and increase the complexity of
any investigations after cyber security incidents. To reduce this risk, audit event logs from workstations should be
transferred to a secure central logging server.
Command Prompt
Malicious actors who gain access to a workstation can use the Command Prompt to execute in-built Microsoft Windows
tools to gather information about the workstation or domain as well as schedule malicious code to execute on other
workstations on the network. To reduce this risk, users should not have Command Prompt access or the ability to
execute batch files and scripts. Should a legitimate business requirement exist to allow users to execute batch files (e.g.
cmd and bat files); run logon, logoff, startup or shutdown batch file scripts; or use Remote Desktop Services, this risk will
need to be accepted.
The following Group Policy setting can be implemented to prevent access to the Command Prompt and script processing
functionality.
Drive encryption
Malicious actors with physical access to a workstation may be able to use a bootable CD/DVD or USB media to load their
own operating environment. From this environment, they can access the local file system to gain access to sensitive
information or the SAM database to access password hashes. In addition, malicious actors that gain access to a stolen or
unsanitised hard drive, or other removable media, will be able to recover its contents when connected to another machine on
which they have administrative access and can take ownership of files. To reduce this risk, AES-based full disk encryption
should be used to protect the contents of hard drives from unauthorised access. The use of full disk encryption may also
contribute to streamlining media sanitisation during decommissioning processes.
If Microsoft BitLocker is used, the following Group Policy settings should be implemented.
Group Policy Setting | Recommended Option
Deny write access to fixed drives not protected by BitLocker | Enabled
Settings for computers with a TPM:
    Configure TPM startup: Do not allow TPM
    Configure TPM startup PIN: Allow startup PIN with TPM
    Configure TPM startup key: Allow startup key with TPM
    Configure TPM startup key and PIN: Allow startup key and PIN with TPM
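A way to check that deployed workstations actually match the BitLocker recommendations above (AES-based encryption, protection turned on, and no TPM-only protector on the operating system volume), added here as an example and not taken from the publication. It assumes the BitLocker PowerShell module present on Windows 10 Enterprise and Education and an elevated session; the sets of acceptable protector types and encryption methods are assumptions that map the table rows above onto the cmdlet's enum names.

```powershell
# Added example, not from the ACSC publication: audit BitLocker volumes against
# the recommendations above. Requires the BitLocker module and an elevated session.

function Test-BitLockerHardening {
    param(
        # TPM-only ("Tpm") is excluded, matching "Configure TPM startup: Do not allow TPM";
        # a PIN and/or startup key must accompany the TPM (assumed mapping).
        [string[]]$AcceptableOsProtectors = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'),
        # AES-based methods offered by BitLocker; XTS-AES 256 is the strongest.
        [string[]]$AcceptableMethods = @('XtsAes256', 'XtsAes128', 'Aes256', 'Aes128')
    )

    $findings = @(foreach ($vol in Get-BitLockerVolume) {
        $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $method         = $vol.EncryptionMethod.ToString()
        $protectionOn   = ($vol.ProtectionStatus -eq 'On')
        $aesBased       = ($AcceptableMethods -contains $method)
        $isOs           = ($vol.VolumeType -eq 'OperatingSystem')
        $tpmOnly        = ($protectorTypes -contains 'Tpm')
        $strongTpm      = @($protectorTypes | Where-Object { $AcceptableOsProtectors -contains $_ }).Count -gt 0

        # Data volumes: must simply be protected with AES ("Deny write access to
        # fixed drives not protected by BitLocker" assumes they are encrypted).
        # OS volume: additionally must not rely on the TPM alone.
        $compliant = $protectionOn -and $aesBased
        if ($isOs) { $compliant = $compliant -and (-not $tpmOnly) -and $strongTpm }

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeType          = $vol.VolumeType
            ProtectionOn        = $protectionOn
            EncryptionMethod    = $method
            Protectors          = ($protectorTypes -join ',')
            HasRecoveryPassword = ($protectorTypes -contains 'RecoveryPassword')   # informational
            Compliant           = $compliant
        }
    })
    $findings
}

Test-BitLockerHardening | Format-Table -AutoSize
```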
infections or the unauthorised copying of sensitive information. To reduce this risk, endpoint device control functionality
should be appropriately implemented to control the use of all removable storage devices.
The following Group Policy setting can be implemented to disable the use of removable storage devices.
Alternatively, if specific classes of removable storage devices are required to meet business requirements, the execute,
read and write permissions should be controlled on a class by class basis.
The following Group Policy settings provide a sample implementation that allows data to be read from but not executed
from or written to common classes of removable storage devices.
Installing applications
While the ability to install applications may be a business requirement for users, this privilege can be exploited by
malicious actors. Malicious actors can email a malicious application, or host a malicious application on a compromised
website, and use social engineering techniques to convince users into installing the application on their workstation.
Even if privileged access is required to install applications, users will use their privileged access if they believe, or can be
convinced that, the requirement to install the application is legitimate. Additionally, if applications are configured to
install using elevated privileges, malicious actors can exploit this by creating a Windows Installer installation package to
create a new account that belongs to the local built-in administrators group or to install a malicious application.
The following Group Policy settings can be implemented to control application installations.
Group Policy Setting | Recommended Option
Do not process the run once list | Enabled
Microsoft accounts
A feature of Microsoft Windows 10 is the ability to link Microsoft accounts (formerly Windows Live IDs) to local or
domain accounts. When this occurs, a user’s settings and files are stored in the cloud using OneDrive rather than locally
or on a domain controller. While this may have the benefit of allowing users to access their settings and files from any
workstation (e.g. corporate workstation, home PC, internet cafe) it can also pose a risk to an organisation as they lose
control over where sensitive information may be accessed from. To reduce this risk, users should not link Microsoft
accounts with local or domain accounts.
The following Group Policy settings can be implemented to disable the ability to link Microsoft accounts to local or
domain accounts.
Group Policy Setting | Recommended Option
Accounts: Block Microsoft accounts | Users can’t add or log on with Microsoft accounts
MSS settings
MSS settings are registry values previously identified by Microsoft security experts that can be used for increased
security. While many of these registry values are no longer applicable in modern versions of Microsoft Windows, some
still provide a security benefit. By failing to specify these MSS settings, malicious actors may be able to exploit
weaknesses in a workstation’s security posture to gain access to sensitive information. To reduce this risk, MSS settings
that are still relevant to modern versions of Microsoft Windows should be specified using Group Policy settings.
The Group Policy Administrative Templates for MSS settings are available from the Microsoft Security Guidance blog.
The ADMX and ADML files can be placed in %SystemDrive%\Windows\SYSVOL\domain\Policies\PolicyDefinitions on the
Domain Controller and they will automatically be loaded in the Group Policy Management Editor.
The following Group Policy settings can be implemented to configure MSS settings that are still relevant to modern
versions of Microsoft Windows.
Group Policy Setting | Recommended Option
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) | Enabled; DisableIPSourceRouting: Highest protection, source routing is completely disabled
Network authentication
Using insecure network authentication methods may allow malicious actors to gain unauthorised access to network
traffic and services. To reduce this risk, only secure network authentication methods, ideally Kerberos, should be used
for network authentication.
The following Group Policy settings can be implemented to configure Kerberos, and if required for legacy purposes, the
use of NTLMv2.
Group Policy Setting | Recommended Option
Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require NTLMv2 session security; Require 128-bit encryption
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require NTLMv2 session security; Require 128-bit encryption
NoLMHash policy
When Microsoft Windows hashes a password that is less than 15 characters, it stores both a LAN Manager hash (LM
hash) and Windows NT hash (NT hash) in the local SAM database for local accounts, or in Active Directory for domain
accounts. The LM hash is significantly weaker than the NT hash and can easily be brute forced. To reduce this risk, the
NoLMHash Policy should be implemented on all workstations and domain controllers. As the LM hash is designed for
authentication of legacy Microsoft Windows operating systems, such as those prior to Microsoft Windows 2000, there
shouldn’t be a business requirement for its use except in very rare circumstances.
The following Group Policy setting can be implemented to prevent the storage of LM hashes for passwords. All users
should be encouraged to change their password once this Group Policy setting has been set as until they do they will
remain vulnerable.
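An added PowerShell audit (not from the publication) that reads back the registry and Device Guard state behind the settings recommended in the Credential protection, Network authentication and NoLMHash policy sections, so a fleet can be checked after Group Policy has applied. The expected values are assumptions derived from those recommendations: one cached logon, WDigest caching off, Credential Guard running, NTLMv2 only with NTLMv2 session security and 128-bit encryption, and no LM hashes.

```powershell
# Added example, not from the ACSC publication: audit the registry and Device
# Guard state behind the "Credential protection", "Network authentication" and
# "NoLMHash policy" recommendations. Expected values are assumptions derived
# from those recommendations. Run in an elevated PowerShell session.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-CredentialHardening {
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $wdig = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $wlog = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # NTLMMinClientSec / NTLMMinServerSec are bit flags:
    # 0x00080000 = require NTLMv2 session security, 0x20000000 = require 128-bit encryption.
    $ntlmMin = 0x20080000

    $checks = @(
        @{ Setting = 'Number of previous logons to cache (CachedLogonsCount)'
           Path = $wlog; Name = 'CachedLogonsCount'; Expected = '1' }
        @{ Setting = 'WDigest plaintext credential caching (UseLogonCredential)'
           Path = $wdig; Name = 'UseLogonCredential'; Expected = 0 }
        @{ Setting = 'LAN Manager authentication level (LmCompatibilityLevel)'
           Path = $lsa;  Name = 'LmCompatibilityLevel'; Expected = 5 }   # NTLMv2 only, refuse LM & NTLM
        @{ Setting = 'Minimum session security, NTLM SSP clients (NTLMMinClientSec)'
           Path = $msv;  Name = 'NTLMMinClientSec'; Expected = $ntlmMin }
        @{ Setting = 'Minimum session security, NTLM SSP servers (NTLMMinServerSec)'
           Path = $msv;  Name = 'NTLMMinServerSec'; Expected = $ntlmMin }
        @{ Setting = 'Do not store LM hash on next password change (NoLMHash)'
           Path = $lsa;  Name = 'NoLMHash'; Expected = 1 }
    )

    $results = @(foreach ($c in $checks) {
        $actual  = Get-RegValue -Path $c.Path -Name $c.Name
        $display = if ($null -eq $actual) { '<not set>' } else { $actual }
        # An absent value means the policy is not enforced, even where the
        # Windows 10 default happens to be safe (e.g. WDigest caching), so it
        # is reported as non-compliant. Values are compared as strings because
        # CachedLogonsCount is REG_SZ while the others are DWORDs.
        [pscustomobject]@{
            Setting   = $c.Setting
            Expected  = $c.Expected
            Actual    = $display
            Compliant = ($null -ne $actual) -and ("$actual" -eq "$($c.Expected)")
        }
    })

    # Credential Guard status: SecurityServicesRunning contains 1 when it is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
    $results += [pscustomobject]@{
        Setting   = 'Credential Guard (Win32_DeviceGuard.SecurityServicesRunning)'
        Expected  = 'running'
        Actual    = if ($cgRunning) { 'running' } else { 'not running' }
        Compliant = $cgRunning
    }
    $results
}

Test-CredentialHardening | Format-Table -AutoSize -Wrap
```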
Power management
One method of reducing power usage by workstations is to enter a sleep, hibernation or hybrid sleep state after a
predefined period of inactivity. When a workstation enters a sleep state it maintains the contents of memory while
powering down the rest of the workstation; with hibernation or hybrid sleep, it writes the contents of memory to the
hard drive in a hibernation file (hiberfil.sys) and powers down the rest of the workstation. When this occurs, sensitive
information such as encryption keys could either be retained in memory or written to the hard drive in a hibernation file.
Malicious actors with physical access to the workstation and either the memory or hard drive can recover the sensitive
information using forensic techniques. To reduce this risk, sleep, hibernation and hybrid sleep states should be disabled.
The following Group Policy settings can be implemented to ensure that sleep, hibernation and hybrid sleep states are
disabled.
PowerShell
Allowing any PowerShell script to execute exposes a workstation to the risk that a malicious script may be unwittingly
executed by a user. To reduce this risk, users should not have the ability to execute PowerShell scripts; however, if using
PowerShell scripts is an essential business requirement, only signed scripts should be allowed to execute. Ensuring that
only signed scripts are allowed to execute can provide a level of assurance that a script is trusted and has been endorsed
as having a legitimate business purpose.
For more information on how to effectively implement PowerShell see the Securing PowerShell in the Enterprise
publication.
The following Group Policy settings can be implemented to control the use of PowerShell scripts.
Remote Assistance
While Remote Assistance can be a useful business tool to allow system administrators to remotely administer
workstations, it can also pose a risk. When a user has a problem with their workstation they can generate a Remote
Assistance invitation. This invitation authorises anyone that has access to it to remotely control the workstation that
issued the invitation. Invitations can be sent by email, instant messaging or saved to a file. If malicious actors manage to
intercept an invitation they will be able to use it to access the user’s workstation. Additionally, if network traffic on port
3389 is not blocked from reaching the internet, users may send Remote Assistance invitations over the internet which
could allow for remote access to their workstation by malicious actors. While Remote Assistance only grants access to
the privileges of the user that generated the request, malicious actors could install a key logging application on the
workstation in preparation for a system administrator using their privileged credentials to fix any problems. To reduce
this risk, Remote Assistance should be disabled.
The following Group Policy settings can be implemented to disable Remote Assistance.
Remote Desktop Services
While remote desktop access allows for the remote administration of workstations across a network, it also allows
malicious actors to access other workstations once they have compromised an initial workstation and user’s credentials.
This risk can be compounded if malicious actors can compromise domain administrator credentials or common local
administrator credentials. To reduce this risk, Remote Desktop Services should be configured in a manner that is as
secure as possible and enabled only for users who explicitly require it.
The following Group Policy settings can be implemented to use Remote Desktop Services in as secure a manner as
possible.
Require use of specific security layer for remote (RDP) connections: Enabled; Security Layer: SSL
Computer Configuration\Policies\Administrative Templates\Windows Components\Application Compatibility
Safe Mode
Malicious actors with standard user credentials that can boot into Microsoft Windows using Safe Mode, Safe Mode with
Networking or Safe Mode with Command Prompt options may be able to bypass system protections and security
functionality. To reduce this risk, users with standard credentials should be prevented from using Safe Mode options to
log in.
The following registry entry can be implemented using Group Policy preferences to prevent non-administrators from
using Safe Mode options.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Domain member: Digitally encrypt secure channel data (when possible): Enabled
Security policies
By failing to comprehensively specify security policies, malicious actors may be able to exploit weaknesses in a
workstation’s Group Policy settings to gain access to sensitive information. To reduce this risk, security policies should be
comprehensively specified.
The following Group Policy settings can be implemented, in addition to those specifically mentioned in other areas of this
publication, to form a comprehensive set of security policies.
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
Microsoft network server: Amount of idle time required before suspending session: 15 minutes
Session locking
Malicious actors with physical access to an unattended workstation with an unlocked session may attempt to
inappropriately access sensitive information or conduct actions that won’t be attributed to them. To reduce this risk, a
session lock should be configured to activate after a maximum of 15 minutes of user inactivity. Furthermore, be aware
that information or alerts may be displayed on the lock screen. To reduce the risk of unauthorised information
disclosure, minimise the amount of information that the lock screen is permitted to display.
The following Group Policy settings can be implemented to set session locks.
Screen saver timeout: Enabled; Seconds: 900
Software-based firewalls
Network firewalls often fail to prevent the propagation of malicious code on a network, or malicious actors from
extracting sensitive information, as they generally only control which ports or protocols can be used between segments
on a network. Many forms of malicious code are designed specifically to take advantage of this by using common
protocols such as HTTP, HTTPS, SMTP and DNS. To reduce this risk, software-based firewalls that filter both incoming and
outgoing traffic should be appropriately implemented. Software-based firewalls are more effective than network
firewalls as they can control which applications and services can communicate to and from workstations. The in-built
Windows firewall can be used to control both inbound and outbound traffic for specific applications.
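The per-application outbound control described above, as an added example that is not part of the publication: it uses the built-in Windows Defender Firewall cmdlets to block outbound traffic by default and allow only named programs. The application path is a placeholder; the rule names are chosen here and are not from the publication.

```powershell
# Added example (not from the ACSC publication): filter outbound traffic per application
# with the built-in Windows firewall. Run from an elevated session and pilot it first:
# a default outbound block stops anything that is not explicitly allowed.
$AllowedApp = 'C:\Program Files\ExampleVendor\ExampleApp.exe'   # placeholder path

# 1. Block outbound (and inbound) by default on every profile and log what is blocked,
#    so unexpected outbound attempts by malicious code show up in the firewall log.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Allow one application outbound over the web ports it needs, rather than opening
#    HTTP/HTTPS for every process on the workstation. DNS is allowed for the DNS Client
#    service only, not for arbitrary programs.
New-NetFirewallRule -DisplayName 'Allow ExampleApp HTTP/HTTPS out' -Direction Outbound `
    -Program $AllowedApp -Protocol TCP -RemotePort 80,443 -Action Allow
New-NetFirewallRule -DisplayName 'Allow DNS Client out' -Direction Outbound `
    -Service Dnscache -Protocol UDP -RemotePort 53 -Action Allow

# 3. Keep Remote Assistance/RDP traffic (TCP 3389) from leaving the workstation for the
#    internet, as the Remote Assistance section recommends.
New-NetFirewallRule -DisplayName 'Block RDP 3389 to internet' -Direction Outbound `
    -Protocol TCP -RemotePort 3389 -RemoteAddress Internet -Action Block

# 4. Report the rules just created and confirm the default outbound action took effect.
Get-NetFirewallRule -DisplayName 'Allow ExampleApp*','Allow DNS Client out','Block RDP*' |
    Select-Object DisplayName, Direction, Action, Enabled | Format-Table -AutoSize
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
```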
Sound Recorder
Sound Recorder is a feature of Microsoft Windows that allows audio from a device with a microphone to be recorded
and saved as an audio file on the local hard drive. Malicious actors with remote access to a workstation can use this
functionality to record sensitive conversations in the vicinity of the workstation. To reduce this risk, Sound Recorder
should be disabled.
The following Group Policy setting can be implemented to disable the use of Sound Recorder.
files that may have been removed by system administrators as part of malicious code removal activities or to replace
existing files with malicious variants. To reduce this risk, the ability to use backup and restore functionality should be
limited to administrators.
The following Group Policy settings can be implemented to control the use of backup and restore functionality.
System cryptography
By default, when cryptographic keys are stored in Microsoft Windows, users can access them without first entering a
password to unlock the certificate store. Malicious actors that compromise a workstation, or gain physical access to an
unlocked workstation, can use these user keys to access sensitive information or resources that are cryptographically
protected. To reduce this risk, strong encryption algorithms and strong key protection should be used on workstations.
The following Group Policy settings can be implemented to ensure strong encryption algorithms and strong key
protection are used.
System cryptography: Force strong key protection for user keys stored on the computer: User must enter a password each time they use a key
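An added compliance check, not from the publication, covering the Group Policy settings recommended in the NoLMHash policy, PowerShell, Remote Assistance, Remote Desktop Services, Safe Mode, Session locking and System cryptography sections above: it reads the registry values those policies write and reports any that are missing or drifted. The registry paths and value names are assumed to be those the corresponding policies set; the check reads them directly rather than through Group Policy reporting.

```powershell
# Added example (not from the ACSC publication): audit the registry values written by the
# recommended Group Policy settings. Run in an elevated session; the two HKCU checks apply
# to the user running the script. Value names are assumed to be those the policies write.
$Checks = @(
    @{ Area='NoLMHash policy';         Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name='NoLMHash';               Expected=1 }
    @{ Area='PowerShell';              Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell';            Name='EnableScripts';          Expected=1 }
    @{ Area='PowerShell';              Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell';            Name='ExecutionPolicy';        Expected='AllSigned' }
    @{ Area='Remote Assistance';       Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';  Name='fAllowToGetHelp';        Expected=0 }
    @{ Area='Remote Assistance';       Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';  Name='fAllowUnsolicited';      Expected=0 }
    @{ Area='Remote Desktop Services'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';  Name='SecurityLayer';          Expected=2 }   # 2 = SSL
    @{ Area='Safe Mode';               Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='SafeModeBlockNonAdmins'; Expected=1 }
    @{ Area='System cryptography';     Path='HKLM:\SOFTWARE\Policies\Microsoft\Cryptography';                  Name='ForceKeyProtection';     Expected=2 }   # 2 = password each use
    @{ Area='Session locking';         Path='HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'; Name='ScreenSaveTimeOut';      Expected='900' }
    @{ Area='Session locking';         Path='HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'; Name='ScreenSaverIsSecure';    Expected='1' }
)

function Test-HardeningSetting {
    param([hashtable]$Check)
    # A missing key or value is reported as NOT SET, which is distinct from a wrong value.
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Name) } else { $null }
    $status = if ($null -eq $actual) { 'NOT SET' }
              elseif ("$actual" -eq "$($Check.Expected)") { 'OK' }
              else { 'DRIFT' }
    [pscustomobject]@{
        Area = $Check.Area; Setting = $Check.Name
        Expected = $Check.Expected; Actual = $actual; Status = $status
    }
}

$results = $Checks | ForEach-Object { Test-HardeningSetting -Check $_ }
$results | Format-Table -AutoSize
$failures = @($results | Where-Object Status -ne 'OK')
if ($failures.Count -gt 0) {
    Write-Warning "$($failures.Count) recommended setting(s) are not in the expected state"
    exit 1
}
```

A non-zero exit code makes the script usable as a scheduled compliance probe; values set through Group Policy appear under the Policies keys, so a setting applied only in the local security database would show as NOT SET here.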
UEFI passwords
Malicious actors with access to a workstation’s UEFI can modify the hardware configuration of the workstation to
introduce attack vectors or weaken security functionality within the workstation’s operating system. This can include
disabling security functionality in the CPU, modifying allowed boot devices and enabling insecure communications
interfaces such as FireWire and Thunderbolt. To reduce this risk, strong UEFI passwords should be used for all
workstations to prevent unauthorised access.
Act as part of the operating system: <blank>
Web Proxy Auto Discovery protocol
The Web Proxy Auto Discovery (WPAD) protocol assists with the automatic detection of proxy settings for web browsers.
Unfortunately, WPAD has suffered from a number of severe vulnerabilities. Organisations that do not rely on the use of
the WPAD protocol should disable it. This can be achieved by modifying each workstation’s hosts file at
%SystemDrive%\Windows\System32\Drivers\etc\hosts to create the following entry: 255.255.255.255 wpad.
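The hosts-file change above, as an added example that is not part of the publication: it appends the entry without duplicating it on re-runs, takes a backup first, and then confirms that the name resolves to the sink address locally. It assumes %SystemRoot% is the Windows directory under %SystemDrive% named in the text.

```powershell
# Added example (not from the ACSC publication): sink WPAD lookups via the hosts file.
# Run from an elevated session; the hosts file is only writable by administrators.
$HostsPath = Join-Path $env:SystemRoot 'System32\Drivers\etc\hosts'   # assumes %SystemRoot% = %SystemDrive%\Windows
$Entry     = '255.255.255.255 wpad'

# Match an existing wpad sink line regardless of spacing so repeated runs do not append duplicates.
$existing = Get-Content -Path $HostsPath -ErrorAction Stop
if ($existing -match '^\s*255\.255\.255\.255\s+wpad\s*$') {
    Write-Host "hosts already contains '$Entry'"
} else {
    Copy-Item -Path $HostsPath -Destination "$HostsPath.bak" -Force
    Add-Content -Path $HostsPath -Value $Entry -Encoding Ascii
    Write-Host "appended '$Entry' to $HostsPath"
}

# Verify: the local resolver consults the hosts file before DNS, so "wpad" must now
# return the sink address rather than whatever a network-supplied DNS/LLMNR answer would give.
Clear-DnsClientCache
$resolved = Resolve-DnsName -Name wpad -Type A -ErrorAction SilentlyContinue
if ($resolved -and ($resolved.IPAddress -contains '255.255.255.255')) {
    Write-Host 'OK: wpad resolves to 255.255.255.255; WPAD discovery is sunk locally'
} else {
    Write-Warning 'wpad did not resolve to the sink address; check the hosts file entry'
}
```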
The following Group Policy settings can be implemented to prevent web search results being returned for any user
search terms.
Low priorities
The following recommendations, listed in alphabetical order, should be treated as low priorities when hardening
Microsoft Windows 10 workstations.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Location awareness
When users interact with the internet their workstations often automatically provide geo-location details to websites or
online services to assist them in tailoring content specific to the user’s geographical region (i.e. the city they are
accessing the internet from). This information can be captured by malicious actors to determine the location of a specific
user. To reduce this risk, location services in the operating system and applications should be disabled.
The following Group Policy settings can be implemented to disable location services within the operating system.
Computer Configuration\Policies\Administrative Templates\Windows Components\Location and Sensors\
Windows Location Provider
Microsoft Store
Whilst applications in the Microsoft Store are vetted by Microsoft, there is still a risk that users given access to the
Microsoft Store could download and install potentially malicious applications or applications that cause conflicts with
other endorsed applications on their workstation. To reduce this risk, access to the Microsoft Store should be disabled.
The following Group Policy settings can be implemented to prevent Microsoft Store access.
Further information
The Information Security Manual is a cyber security framework that organisations can apply to protect their systems
and data from cyber threats. The advice in the Strategies to Mitigate Cyber Security Incidents, along with its Essential
Eight, complements this framework.
Contact details
If you have any questions regarding this guidance you can write to us or call us on 1300 CYBER1 (1300 292 371).