# Windows 10 Defense Essentials Script
# Based on: https://github.com/Disassembler0/Win10-Initial-Setup-Script
# Usage:
# Open an Administrative powershell.exe prompt
# Temporarily set execution policy to bypass `powershell.exe -ep bypass`
# Dot source to load the functions `. .\Set-SecurityBaseline.ps1`
# Apply the settings with: `Set-SecurityBaseline -Action Apply`
# Remove the settings with: `Set-SecurityBaseline -Action Undo`
# To do:
# Check Core Isolation?
# Check Reputation-base protection settings?
# Disable automounting of external media?
# Check for, or setup and configure, Sysmon?
# echo "0.0.0.0 wpad." >> 'C:\Windows\System32\drivers\etc\hosts'?
# Colors
# Remember the console's current foreground color so it can be restored after
# any colored output. The two assignments below are the template: switch to
# green, print, switch back.
$Reset = $Host.UI.RawUI.ForegroundColor
$Host.UI.RawUI.ForegroundColor = 'Green'
# <Print information to terminal>
$Host.UI.RawUI.ForegroundColor = $Reset
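#region Private helpers ------------------------------------------------------

# Prompt until the operator answers y or n; returns $true for y, $false for n.
function Read-YesNoChoice {
    param([string]$Prompt = "[y/n]")
    $answer = ""
    # Loop on the answer itself; the original `-ne "y" -or "n"` test was always true.
    while ($answer -notin @('y', 'n')) {
        $answer = (Read-Host $Prompt).Trim().ToLower()
    }
    return ($answer -eq 'y')
}

# Create the registry key if it is missing, then write a DWORD value under it.
# Policy keys (HKLM:\SOFTWARE\Policies\...) do not exist on a fresh install.
function Set-BaselineDword {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Value
    )
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    Set-ItemProperty -Path $Path -Name $Name -Type DWord -Value $Value
}

# Set the Action on the *outbound* firewall rules whose DisplayName matches
# $DisplayName, leaving inbound rules of the same name untouched.
# NOTE(review): Set-NetFirewallRule treats -Direction as a value to write rather
# than a filter, so the direction is selected with Where-Object here.
function Set-OutboundFirewallRuleAction {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][ValidateSet('Allow', 'Block')][string]$Action
    )
    Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Outbound' } |
        Set-NetFirewallRule -Action $Action -Enabled True
}

# Report whether UEFI Secure Boot is on.
# https://docs.microsoft.com/en-us/powershell/module/secureboot/?view=windowsserver2019-ps
# https://attack.mitre.org/mitigations/M1046/
# Confirm-SecureBootUEFI throws on non-UEFI platforms; that is reported rather
# than treated as "not enabled".
function Test-SecureBootPosture {
    Write-Output "Validating SecureBoot..."
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    }
    catch {
        Write-Host ""
        Write-Host -ForegroundColor Yellow "[i]SecureBoot state could not be read on this platform: $($_.Exception.Message)"
        Write-Host ""
        return
    }
    if ($enabled) {
        Write-Host -ForegroundColor Green "SecureBoot is enabled..."
    }
    else {
        Write-Host ""
        Write-Host -ForegroundColor Yellow "[i]SecureBoot Not enabled!"
        Write-Host ""
    }
}

# Report BitLocker protection status; warns if any volume is unprotected.
# https://docs.microsoft.com/en-us/powershell/module/bitlocker/?view=windowsserver2019-ps
# If the BitLocker cmdlets are unavailable (e.g. Windows Home) the status is
# reported as undeterminable instead of erroring out.
function Test-BitLockerPosture {
    Write-Output "Validating BitLocker..."
    try {
        $volumes = @(Get-BitLockerVolume -ErrorAction Stop)
    }
    catch {
        $volumes = @()
    }
    Write-Host ""
    if ($volumes.Count -eq 0) {
        Write-Host -ForegroundColor Yellow "[i]Cannot determine BitLocker status, make sure Windows is up to date..."
    }
    elseif ($volumes | Where-Object { $_.ProtectionStatus -eq 'Off' }) {
        Write-Host -ForegroundColor Yellow "[i]BitLocker not enabled on one or more volumes, consider enabling it with:"
        Write-Host -ForegroundColor Green "Start > Windows System > Control Panel > System and Security > BitLocker Drive Encryption > Manage BitLocker > Turn on BitLocker"
    }
    else {
        Write-Host -ForegroundColor Green "BitLocker is enabled..."
    }
    Write-Host ""
}

# Report whether Microsoft Defender Application Guard is enabled.
# https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard
# https://attack.mitre.org/mitigations/M1048
# https://attack.mitre.org/mitigations/M1050
function Test-ApplicationGuardPosture {
    Write-Output "Checking for Application Guard..."
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -ErrorAction SilentlyContinue
    if (-not $feature) {
        Write-Host -ForegroundColor Yellow "[i]Application Guard feature is not available on this edition..."
    }
    elseif ("$($feature.State)" -like 'Disabled*') {
        # Matches both Disabled and DisabledWithPayloadRemoved.
        Write-Host ""
        Write-Host -ForegroundColor Yellow "[i]Application Guard is disabled, consider enabling it with:"
        Write-Host -ForegroundColor Green "Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard"
        Write-Host ""
    }
    else {
        Write-Output "[i]Application Guard is installed..."
    }
}

# Warn when the current account is a direct member of the local Administrators group.
# https://attack.mitre.org/mitigations/M1026
# https://devblogs.microsoft.com/powershell-community/is-a-user-a-local-administrator/
# Only direct membership is checked; nested or domain group membership is not expanded.
function Test-LocalAdminPosture {
    # Same "COMPUTER\user" form that Get-LocalGroupMember reports, without spawning whoami.exe.
    $currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $admins = @(Get-LocalGroupMember -Name Administrators -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name)
    if ($admins -contains $currentUser) {
        Write-Host ""
        Write-Host -ForegroundColor Yellow "[i]You are running as a local Administrator."
        Write-Host -ForegroundColor Green "Create a separate user for daily use with:"
        Write-Host ""
        Write-Host -ForegroundColor Cyan '$Password = Read-Host -AsSecureString'
        Write-Host -ForegroundColor Cyan 'New-LocalUser "NewUserNameHere" -Password $Password -FullName "Your Full Name" -Description "Description of this account.'
        Write-Host -ForegroundColor Cyan 'Add-LocalGroupMember -Group "Users" -Member "NewUserNameHere"'
        Write-Host ""
        Write-Host -ForegroundColor Magenta 'See: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1'
        Write-Host ""
    }
}

# Run the read-only posture checks shared by Apply and Undo.
function Test-SecurityPosture {
    Test-SecureBootPosture
    Test-BitLockerPosture
    Start-Sleep -Seconds 2
    Test-ApplicationGuardPosture
    Start-Sleep -Seconds 2
    Test-LocalAdminPosture
    Start-Sleep -Seconds 2
}

# Apply the hardening baseline: network, system UI, security, software.
function Invoke-SecurityBaselineApply {
    # [ Network ]
    # Set current network profile to public (deny file sharing, device discovery, etc.)
    Write-Output ""
    Write-Output "Setting current network profile to public..."
    Set-NetConnectionProfile -NetworkCategory Public

    # Disable NetBIOS over TCP/IP on all currently installed network interfaces
    # https://attack.mitre.org/mitigations/M1042
    Write-Output "Disabling NetBIOS over TCP/IP..."
    Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip*" -Name "NetbiosOptions" -Type DWord -Value 2

    # Disable Link-Local Multicast Name Resolution (LLMNR) protocol
    # https://attack.mitre.org/mitigations/M1042
    Write-Output "Disabling Link-Local Multicast Name Resolution (LLMNR)..."
    Set-BaselineDword -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name "EnableMulticast" -Value 0

    # Enable SMB signing (client side; the server-side key is left as shipped)
    # https://attack.mitre.org/mitigations/M1037
    # https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing
    Write-Output "Enabling SMB signing..."
    Set-BaselineDword -Path "HKLM:\System\CurrentControlSet\Services\LanManWorkstation\Parameters" -Name "RequireSecuritySignature" -Value 1
    #Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters" -Name "RequireSecuritySignature" -Type DWord -Value 1

    # Disable SMBv1 Protocol
    # https://docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3
    Write-Output "Disabling SMBv1 protocol..."
    Write-Host -ForegroundColor Cyan "[i]A restart is required for SMBv1 removal to take effect; restart after this script is done executing."
    # -NoRestart suppresses the interactive restart prompt the original relied on the operator declining.
    Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart | Out-Null

    # Disable Remote Desktop
    # https://attack.mitre.org/mitigations/M1035/
    # https://attack.mitre.org/mitigations/M1042/
    Write-Output "Disabling Remote Desktop..."
    Set-BaselineDword -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1

    # Shields Up -> Drop all inbound connections, disable (inbound) remote management, log all inbound connection attempts, increase logfile size
    # https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/best-practices-configuring#know-how-to-use-shields-up-mode-for-active-attacks
    Write-Output "Configuring Windows Defender Firewall Rules -> allprofiles state on..."
    netsh advfirewall set allprofiles state on
    Write-Host -ForegroundColor Cyan "[i]Set firewall to 'blockinboundalways'?"
    Write-Host "This will prevent inbound connections even if an allow rule exists."
    Write-Host -BackgroundColor Yellow -ForegroundColor DarkRed "WARNING: This setting will likely lock you out if this is a cloud instance."
    if (Read-YesNoChoice -Prompt "[y/n]") {
        Write-Host "Configuring Windows Defender Firewall Rules -> blockinboundalways,allowoutbound..."
        netsh advfirewall set allprofiles firewallpolicy blockinboundalways,allowoutbound
    }
    else {
        Write-Host "Configuring Windows Defender Firewall Rules -> blockinbound,allowoutbound..."
        netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
    }
    Write-Output "Configuring Windows Defender Firewall Rules -> remotemanagement disabled..."
    netsh advfirewall set allprofiles settings remotemanagement disable
    Write-Output "Configuring Windows Defender Firewall Rules -> inboundusernotification enabled..."
    netsh advfirewall set allprofiles settings inboundusernotification enable
    Write-Output "Configuring Windows Defender Firewall Rules -> logging droppedconnections enabled..."
    netsh advfirewall set allprofiles logging droppedconnections enable
    Write-Output "Configuring Windows Defender Firewall Rules -> logging maxfilesize 16384 (~16MB)..."
    netsh advfirewall set allprofiles logging maxfilesize 16384
    Write-Output "Configuring Windows Defender Firewall Rules -> logging to %systemroot%\system32\LogFiles\Firewall\pfirewall.log..."
    # %systemroot% is expanded by netsh itself, not by PowerShell.
    netsh advfirewall set allprofiles logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log

    # Block outbound mDNS and LLMNR (the inbound rules of the same name are left as-is)
    Write-Output "Configuring Windows Defender Firewall Rules -> block outbound mDNS..."
    Set-OutboundFirewallRuleAction -DisplayName "mDNS*" -Action Block
    Write-Output "Configuring Windows Defender Firewall Rules -> block outbound LLMNR..."
    Set-OutboundFirewallRuleAction -DisplayName "*LLMNR*" -Action Block

    # [ System UI ]
    # Disable Autoplay (automatically running executables when connecting external media / devices)
    # https://attack.mitre.org/mitigations/M1042
    Write-Output "Disabling Autoplay..."
    Set-BaselineDword -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers" -Name "DisableAutoplay" -Value 1

    # Hide network options from Lock Screen
    Write-Output "Hiding network options from Lock Screen..."
    Set-BaselineDword -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name "DontDisplayNetworkSelectionUI" -Value 1

    # Hide shutdown options from Lock Screen
    Write-Output "Hiding shutdown options from Lock Screen..."
    Set-BaselineDword -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ShutdownWithoutLogon" -Value 0

    # Show known file extensions
    Write-Output "Showing known file extensions..."
    Set-BaselineDword -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "HideFileExt" -Value 0

    # Show hidden files
    Write-Output "Showing hidden files..."
    Set-BaselineDword -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "Hidden" -Value 1

    # [ Security ]
    # Enable Controlled Folder Access (will need configured for your environment, this can be done on the fly through prompts in the GUI when an issue arises)
    # https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/controlled-folders?view=o365-worldwide
    Write-Output "Enabling Controlled Folder Access..."
    Set-MpPreference -EnableControlledFolderAccess Enabled

    # Enable Mandatory ASLR
    # https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-exploit-protection?view=o365-worldwide
    Write-Output "Enabling Mandatory ASLR..."
    Set-ProcessMitigation -System -Enable ForceRelocateImages

    # Read-only checks: SecureBoot, BitLocker, Application Guard, local admin usage
    Test-SecurityPosture

    # [ Software ]
    # Uninstall Internet Explorer
    Write-Output "Uninstalling Internet Explorer..."
    Get-WindowsOptionalFeature -Online | Where-Object { $_.FeatureName -like "Internet-Explorer-Optional*" } | Disable-WindowsOptionalFeature -Online -NoRestart -WarningAction Continue | Out-Null
    Get-WindowsCapability -Online | Where-Object { $_.Name -like "Browser.InternetExplorer*" } | Remove-WindowsCapability -Online | Out-Null
    Write-Output "Done."
}

# Undo the baseline: return settings to their Windows client defaults.
function Invoke-SecurityBaselineUndo {
    # [ Network ]
    # The network profile is intentionally left Public on undo as well.
    Write-Output ""
    Write-Output "Setting current network profile to public..."
    Set-NetConnectionProfile -NetworkCategory Public

    # Reset NetBIOS over TCP/IP options back to default value of 0
    Write-Output "Enabling NetBIOS over TCP/IP..."
    Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip*" -Name "NetbiosOptions" -Type DWord -Value 0

    # Remove Link-Local Multicast Name Resolution (LLMNR) protocol registry entry
    Write-Output "Enabling Link-Local Multicast Name Resolution (LLMNR)..."
    $dnsPolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
    Remove-ItemProperty -Path $dnsPolicyKey -Name "EnableMulticast" -ErrorAction SilentlyContinue
    # Only drop the policy key itself when nothing else is stored under it, so
    # other DNSClient policies an administrator configured are not discarded.
    $dnsKey = Get-Item -Path $dnsPolicyKey -ErrorAction SilentlyContinue
    if ($dnsKey -and $dnsKey.ValueCount -eq 0 -and $dnsKey.SubKeyCount -eq 0) {
        Remove-Item -Path $dnsPolicyKey -Force | Out-Null
    }

    # Don't enforce SMB signing, default is 0 for Workstations, Servers ship with SMB signing enabled by default
    Write-Output "Disabling SMB signing (Only for clients)..."
    Set-BaselineDword -Path "HKLM:\System\CurrentControlSet\Services\LanManWorkstation\Parameters" -Name "RequireSecuritySignature" -Value 0
    #Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters" -Name "RequireSecuritySignature" -Type DWord -Value 1

    # SMBv1 Protocol should no longer be used, not enabling it here.
    #Write-Output "Enabling SMBv1 protocol..."
    #Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol

    # Remote Desktop: the Windows client default is 1 (connections denied), so leave it denied.
    Write-Output "Resetting Remote Desktop policy..."
    Set-BaselineDword -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1

    # Reset firewall back to allow all outbound, deny inbound, permit inbound that have explicit rules enabled.
    Write-Output "Resetting Windows Defender Firewall Rules..."
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
    netsh advfirewall set allprofiles settings remotemanagement disable
    netsh advfirewall set allprofiles settings inboundusernotification enable
    netsh advfirewall set allprofiles logging droppedconnections disable
    netsh advfirewall set allprofiles logging maxfilesize 4096

    # Reset outbound mDNS and LLMNR rules to `Allow`
    Set-OutboundFirewallRuleAction -DisplayName "mDNS*" -Action Allow
    Set-OutboundFirewallRuleAction -DisplayName "*LLMNR*" -Action Allow

    # [ System UI ]
    # Enable Autoplay
    Write-Output "Enabling Autoplay..."
    Set-BaselineDword -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers" -Name "DisableAutoplay" -Value 0

    # Unhide network options from Lock Screen (value may be absent if Apply never ran)
    Write-Output "Unhiding network options from Lock Screen..."
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name "DontDisplayNetworkSelectionUI" -ErrorAction SilentlyContinue

    # Unhide shutdown options from Lock Screen
    Write-Output "Unhiding shutdown options from Lock Screen..."
    Set-BaselineDword -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ShutdownWithoutLogon" -Value 1

    # Hide file extensions
    Write-Output "Hiding file extensions..."
    Set-BaselineDword -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "HideFileExt" -Value 1

    # Hide hidden files (2 is the Explorer default)
    Write-Output "Hiding hidden files..."
    Set-BaselineDword -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "Hidden" -Value 2

    # [ Security ]
    # Disable Controlled Folder Access
    Write-Output "Disabling Controlled Folder Access..."
    Set-MpPreference -EnableControlledFolderAccess Disabled

    # Disable Mandatory ASLR
    Write-Output "Disabling Mandatory ASLR..."
    Set-ProcessMitigation -System -Disable ForceRelocateImages

    # Read-only checks: SecureBoot, BitLocker, Application Guard, local admin usage
    Test-SecurityPosture

    # [ Software ]
    # Enable Internet Explorer (there should be no reason to do this anymore, keeping commands here in case)
    #Write-Output "Re-enabling Internet Explorer..."
    #Get-WindowsOptionalFeature -Online | Where-Object { $_.FeatureName -like "Internet-Explorer-Optional*" } | Enable-WindowsOptionalFeature -Online -NoRestart -WarningAction Continue | Out-Null
    #Get-WindowsCapability -Online | Where-Object { $_.Name -like "Browser.InternetExplorer*" } | Enable-WindowsCapability -Online | Out-Null
    Write-Output "Done."
}

#endregion

<#
.SYNOPSIS
    Apply or undo a basic Windows 10 hardening baseline.
.DESCRIPTION
    Apply: public network profile, NetBIOS/LLMNR off, SMB signing on, SMBv1 off,
    Remote Desktop off, firewall "shields up" with logging, outbound mDNS/LLMNR
    blocked, Explorer/lock-screen UI hardening, Controlled Folder Access and
    mandatory ASLR on, Internet Explorer removed. Read-only posture checks
    (SecureBoot, BitLocker, Application Guard, local admin usage) run in both modes.
    Undo: returns the same settings to Windows client defaults (SMBv1 and IE are
    deliberately not re-enabled).
    Must be run from an elevated PowerShell session.
.PARAMETER Action
    'Apply' or 'Undo' (case-insensitive). Any other value prints usage.
.OUTPUTS
    Progress text on stdout / the console; no objects are returned.
#>
function Set-SecurityBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Position = 0)]
        [string]$Action
    )
    # -eq is case-insensitive in PowerShell, matching the original -like without wildcards.
    if ($Action -eq 'Apply') {
        Invoke-SecurityBaselineApply
    }
    elseif ($Action -eq 'Undo') {
        Invoke-SecurityBaselineUndo
    }
    else {
        # Usage text names this function (the original pointed at a stale name).
        Write-Output "Usage: Set-SecurityBaseline [Apply|Undo]"
    }
}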