-
-
Save jaredhaight/e88b4323adce06395dace501841d3075 to your computer and use it in GitHub Desktop.
Script to perform some hardening of Windows OS.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
:: | |
::####################################################################### | |
:: | |
:: Change file associations to protect against common ransomware attacks | |
:: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell | |
:: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :) | |
:: --------------------- | |
ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%1" | |
ftype WSHFile="%SystemRoot%\system32\NOTEPAD.EXE" "%1" | |
ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1" | |
:: | |
::####################################################################### | |
:: | |
:: Enable ASR rules in Win10 1709 ExploitGuard to mitigate Offic malspam | |
:: Blocks Office childprocs, Office proc injection, Office win32 api calls & executable content creation | |
:: Note these only work when Defender is your primary AV | |
:: Source: https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office | |
:: --------------------- | |
::%programfiles%\"Windows Defender"\MpCmdRun.exe -RestoreDefaults | |
:: Block Office applications from creating child processes | |
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled | |
:: Block Office applications from injecting code into other processes | |
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions enable | |
:: Block Win32 API calls from Office macro | |
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions enable | |
:: Block Office applications from creating executable content | |
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids '3B576869-A4EC-4529-8536-B80A7769E899' -AttackSurfaceReductionRules_Actions enable | |
:: Block execution of potentially obfuscated scripts | |
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled | |
:: Block executable content from email client and webmail | |
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled | |
:: Block JavaScript or VBScript from launching downloaded executable content | |
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled | |
:: | |
::####################################################################### | |
:: Enable Cloud functionality of Windows Defender | |
::####################################################################### | |
powershell.exe Set-MpPreference -MAPSReporting Advanced | |
powershell.exe Set-MpPreference -SubmitSamplesConsent Always | |
::####################################################################### | |
:: | |
:: Harden all version of MS Office itself against common malspam attacks | |
:: Disables Macros, enables ProtectedView | |
:: Source: https://decentsecurity.com/block-office-macros/ | |
:: --------------------- | |
reg add "HKCU\Software\Policies\Microsoft\Office\12.0\Publisher\Security" /v vbawarnings /t REG_DWORD /d 4 /f | |
reg add "HKCU\Software\Policies\Microsoft\Office\12.0\Word\Security" /v vbawarnings /t REG_DWORD /d 4 /f | |
reg add "HKCU\Software\Policies\Microsoft\Office\14.0\Publisher\Security" /v vbawarnings /t REG_DWORD /d 4 /f | |
reg add "HKCU\Software\Policies\Microsoft\Office\14.0\Word\Security" /v vbawarnings /t REG_DWORD /d 4 /f | |
reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Outlook\Security" /v markinternalasunsafe /t REG_DWORD /d 0 /f | |
reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Word\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f | |
reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Excel\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f | |
reg add "HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f | |
reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Word\Security" /v vbawarnings /t REG_DWORD /d 4 /f | |
reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Publisher\Security" /v vbawarnings /t REG_DWORD /d 4 /f | |
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\Security" /v markinternalasunsafe /t REG_DWORD /d 0 /f | |
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f | |
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f | |
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f | |
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security" /v vbawarnings /t REG_DWORD /d 4 /f | |
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Publisher\Security" /v vbawarnings /t REG_DWORD /d 4 /f | |
:: | |
::####################################################################### | |
:: | |
:: Harden all version of MS Office itself against DDE malspam attacks | |
:: Disables Macros, enables ProtectedView | |
:: Source: https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b | |
:: --------------------- | |
:: | |
reg add "HKCU\Software\Microsoft\Office\14.0\Word\Options" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f | |
reg add "HKCU\Software\Microsoft\Office\14.0\Word\Options\WordMail" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f | |
reg add "HKCU\Software\Microsoft\Office\15.0\Word\Options" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f | |
reg add "HKCU\Software\Microsoft\Office\15.0\Word\Options\WordMail" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f | |
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Options" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f | |
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Options\WordMail" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f | |
::####################################################################### | |
:: | |
:: General OS hardening | |
:: Disables DNS multicast, smbv1, netbios, powershellv2 | |
:: Enables UAC and sets to always notify | |
:: --------------------- | |
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 1 /f | |
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v SMB1 /t REG_DWORD /d 0 /f | |
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f | |
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 2 /f | |
net stop WinRM | |
wmic /interactive:off nicconfig where TcpipNetbiosOptions=1 call SetTcpipNetbios 2 | |
powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol | |
powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 | |
powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root | |
:: | |
::####################################################################### | |
:: | |
:: Harden lsass to help protect against credential dumping (mimikatz) | |
:: Configures lsass.exe as a protected process and disabled wdigest | |
:: Source: https://technet.microsoft.com/en-us/library/dn408187(v=ws.11).aspx | |
:: --------------------- | |
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe" /v AuditLevel /t REG_DWORD /d 00000008 /f | |
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 00000001 /f | |
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f | |
:: | |
::####################################################################### | |
:: | |
:: Enable Windows Firewall and configure some advanced options | |
:: Block Win32 binaries from making netconns when they shouldn't | |
:: --------------------- | |
NetSh Advfirewall set allprofiles state on | |
Netsh.exe advfirewall firewall add rule name="Block Notepad.exe netconns" program="%systemroot%\system32\notepad.exe" protocol=tcp dir=out enable=yes action=block profile=any | |
Netsh.exe advfirewall firewall add rule name="Block regsvr32.exe netconns" program="%systemroot%\system32\regsvr32.exe" protocol=tcp dir=out enable=yes action=block profile=any | |
Netsh.exe advfirewall firewall add rule name="Block calc.exe netconns" program="%systemroot%\system32\calc.exe" protocol=tcp dir=out enable=yes action=block profile=any | |
Netsh.exe advfirewall firewall add rule name="Block mshta.exe netconns" program="%systemroot%\system32\mshta.exe" protocol=tcp dir=out enable=yes action=block profile=any | |
Netsh.exe advfirewall firewall add rule name="Block wscript.exe netconns" program="%systemroot%\system32\wscript.exe" protocol=tcp dir=out enable=yes action=block profile=any | |
Netsh.exe advfirewall firewall add rule name="Block cscript.exe netconns" program="%systemroot%\system32\cscript.exe" protocol=tcp dir=out enable=yes action=block profile=any | |
Netsh.exe advfirewall firewall add rule name="Block runscripthelper.exe netconns" program="%systemroot%\system32\runscripthelper.exe" protocol=tcp dir=out enable=yes action=block profile=any | |
:: | |
:: Enable Firewall Logging | |
netsh advfirewall set currentprofile logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log | |
netsh advfirewall set currentprofile logging maxfilesize 4096 | |
netsh advfirewall set currentprofile logging droppedconnections enable | |
:: | |
:: Block all inbound connections on Public profile | |
netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound | |
:: Enable Windows Defender Network Protection | |
powershell.exe Set-MpPreference -EnableNetworkProtection Enabled |
What benchmark version are this?
it is sad that all these notepad.exe/cscript.exe/calc.exe exist also in C:\Windows\WinSxS\ :-(
And the path contains build number, so it will have to update the rules)
https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/md/Runscripthelper.exe.md
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
n.b. EnableMulticast 1 means the policy is actually enabled