The Forgotten Fruits of Securing your Windows Endpoints

Last Updated on May 2, 2022 by rudyooms

This blog will show you which steps you can take to make sure your endpoints are secure! There should be absolutely no discussion about why we need to do our utmost to secure Windows 10 endpoints.

UPDATE 19-05-2021

After posting this blog in a Twitter thread, I decided to update it with links to my latest blogs about each of the steps.

I will walk you through the following options:

  1. Least Privilege
  2. Block Administrative Tools
  3. Applocker
  4. Bitlocker
  5. Defender ASR
  6. Hardening Baseline Policies
  7. Windows Firewall
  8. MFA / Hello
  9. Windows Update WUfB
  10. Office Apps Security
  11. OneDrive KFM
  12. Chocolatey / Winget
  13. Audit Logging
  14. LAPS
  15. MCAS

Step 1: Least Privilege (No local admin/adminless)  

Only using Autopilot, and you also blocked the registration of personal devices? Good. If not, you need a solution to make sure your users are not local admins.

But beware: taking administrator permissions away from users can cause some problems. In this blog, I show you how to deal with them.

Step 2: Block Administrative Tools

You will need to prevent access to cmd and regedit. Please take a look at my blog on how you can make sure these apps are blocked. You can even block PowerShell!

Step 3: Applocker 

Nice, users are no longer admins. Why not implement a full AppLocker policy? AppLocker is, of course, also the right tool when you need to block PowerShell.

If you want to be sure PowerShell and some other LOLBins are blocked, please deploy this AppLocker baseline.

Step 4: Bitlocker 

Make sure you enable BitLocker. You can do this through the Intune portal or with a custom-made Intunewin app based on a PowerShell script. Your choice…

Step 5: Windows Defender with ASR rules 

Please turn on Windows Defender and configure the ASR rules. You can automate the deployment, as I did with the AppLocker policy.

And when you have the budget for it, please enable Microsoft Defender for Endpoint (formerly ATP).

Step 6: Baseline policies 

Take a look at the security baseline policies in Intune. They are easy to implement, and if you'd like to dig a little deeper you can create your own baseline with a PowerShell script, like the one below. I find a script easier to read than the baseline policy, and not every security setting exists in the Intune baseline policy.

#Harden LSASS to help protect against credential dumping (Mimikatz) and audit LSASS access requests
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" /v AllowProtectedCreds /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe" /v AuditLevel /t REG_DWORD /d 8 /f

#Disable DNS multicast (LLMNR) and smart multi-homed name resolution
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v DisableSmartNameResolution /t REG_DWORD /d 1 /f

#Disable anonymous access to named pipes/shares, anonymous enumeration of SAM accounts and non-admin remote access to SAM; allow NTLMv2 only
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v TokenLeakDetectDelaySecs /t REG_DWORD /d 30 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymousSAM /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictRemoteSAM /t REG_SZ /d "O:BAG:BAD:(A;;RC;;;BA)" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LmCompatibilityLevel /t REG_DWORD /d 5 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 1 /f

#Enable PowerShell script block and module logging (module logging only records something once the ModuleNames list is filled, here with * for all modules)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging" /v EnableModuleLogging /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" /v * /t REG_SZ /d * /f

#Disable autorun/autoplay on all drives
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v NoAutoplayfornonVolume /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAutorun /t REG_DWORD /d 1 /f

#Enable and lock down the firewall on all profiles (-Force makes New-Item succeed when the keys already exist, so the script can be re-run)
New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft' -Name "WindowsFirewall" -Force | Out-Null
New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall' -Name "DomainProfile" -Force | Out-Null
New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall' -Name "PublicProfile" -Force | Out-Null
New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall' -Name "StandardProfile" -Force | Out-Null
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' -Name "EnableFirewall" -Value 1 -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' -Name "EnableFirewall" -Value 1 -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile' -Name "EnableFirewall" -Value 1 -Type DWord
#Audit the packets and connections the firewall drops or allows (Security log events 5152/5156/5157)
auditpol /set /category:"System" /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
auditpol /set /category:"System" /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

#Remove the PowerShell 2.0 engine, which does not honour the script block logging enabled above
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
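Setting the baseline is half the job; you also want to know when a device no longer matches it. As an added example (not code from the original post), here is a detection script in the shape an Intune Proactive Remediations detection script is expected to have: exit 0 when compliant, exit 1 with the findings as output when anything drifted, so a matching remediation script can re-run the baseline above. The list of checked values is a selection of the registry values from the script above; the output wording is my own.

```powershell
# Added example: drift detection for the custom baseline. Exit 1 = drift found, exit 0 = compliant.
# Expected values copied from the baseline script; extend the list with any value you care about.
$Expected = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                              Name = 'RunAsPPL';                 Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';        Name = 'UseLogonCredential';       Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation';         Name = 'AllowProtectedCreds';      Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';                  Name = 'EnableMulticast';          Value = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                              Name = 'RestrictAnonymous';        Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                              Name = 'LmCompatibilityLevel';     Value = 5 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging';  Name = 'EnableScriptBlockLogging'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';       Name = 'NoDriveTypeAutoRun';       Value = 255 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile';         Name = 'EnableFirewall';           Value = 1 }
)

function Test-BaselineValue {
    param([string]$Path, [string]$Name, [int]$Value)
    # A missing key or value name is reported as drift, just like a wrong value.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return "MISSING $Path\$Name (expected $Value)" }
    if ($item.$Name -ne $Value) { return "DRIFT   $Path\$Name = $($item.$Name) (expected $Value)" }
    return $null
}

$Findings = [System.Collections.Generic.List[string]]::new()
foreach ($e in $Expected) {
    $result = Test-BaselineValue @e   # splat the hashtable onto the function's parameters
    if ($result) { $Findings.Add($result) }
}

# The PowerShell 2.0 engine should stay removed as well (this check needs an elevated context).
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
if ($v2 -and $v2.State -eq 'Enabled') { $Findings.Add('DRIFT   PowerShell 2.0 engine is enabled') }

if ($Findings.Count -gt 0) {
    # Proactive Remediations keeps the script output next to the exit code, so list every finding.
    $Findings | ForEach-Object { Write-Output $_ }
    Write-Output "Non-compliant: $($Findings.Count) setting(s) drifted"
    exit 1
}
Write-Output 'Compliant: all checked baseline values are present'
exit 0
```

Run it as SYSTEM (as Proactive Remediations does), because HKLM policy keys and the optional-feature query are not readable from a standard user context.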

Step 7: Windows Firewall 

Turning on the Windows Firewall is always a good thing. You can configure it with Intune. I dedicated a blog to this some time ago!

Step 8: Windows Hello or MFA Authenticator 

It's very easy to turn on MFA and Windows Hello. I recommend requiring users to use at least a device PIN instead of their password.

If you want to read more about credential providers and how to use the Microsoft Authenticator for Windows logon:

Step 9: Windows 10 Update 

Windows has to be kept up to date, so configure Windows Update for Business within Intune. Please pay attention to the servicing channel. You could configure it to use the Insider Slow channel, but for production environments that is not the best option, so I made sure I selected the "General Availability Channel".

Step 10: Office  365 Apps Security 

Don't forget about the macro and file type settings in Office. If, like me, you didn't know why blocking DIF and SYLK files is necessary, take a look at this blog from Outflank: https://outflank.nl/blog/2019/10/30/abusing-the-sylk-file-format/. They do a very good job of explaining why this is important.

You can block these file types in the Settings Catalog.

Of course, I also created a blog about this topic. Go read it if you want to know more.

Step 11: OneDrive KFM 

OneDrive Known Folder Move (KFM) is a nice solution to make sure the Documents and Desktop folders are silently redirected to the user's OneDrive account. Your data is then also protected against ransomware.


Step 12: Chocolatey  or Winget

Have you thought about patching third-party apps? Use Chocolatey (or Winget, but it does not have an automatic upgrade function). With the script below in place, your third-party apps will stay up to date.

#The Chocolatey installer needs TLS 1.2 and an execution policy that lets the downloaded script run in this process
Set-ExecutionPolicy Bypass -Scope Process -Force
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor 3072
Invoke-Expression ((New-Object Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')) -ErrorAction Stop
$ChocoPackages = @("jre8", "adobereader", "7zip.install")
$ChocoInstall = Get-Command -Name 'choco' -ErrorAction SilentlyContinue -WarningAction SilentlyContinue | Select-Object -ExpandProperty Source
if (-not $ChocoInstall) { Throw "choco.exe was not found after the Chocolatey installation" }
foreach ($Package in $ChocoPackages) {
    #choco is a native command, so a failed install does not raise a PowerShell exception; check the exit code instead
    & $ChocoInstall install $Package -y
    if ($LASTEXITCODE -ne 0) {
        Throw "Failed to install $Package (exit code $LASTEXITCODE)"
    }
}
##Create a scheduled task to update all packages each day at 12:00
& $ChocoInstall install choco-upgrade-all-at --params "'/DAILY:yes /TIME:12:00 /ABORTTIME:14:00'" -y

If you want to know how you could do the same with winget:

Step 13: Audit Logging 

Did you increase the size of the Security, System and Application event logs? Please make sure that you have configured auditing! And make sure you have the proper licensing in place.

/Vendor/MSFT/Policy/Config/Audit/

Policy CSP – Audit – Windows Client Management | Microsoft Docs
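To make the Audit CSP settings concrete, here is an added example (not part of the original post) that does the same thing locally: it raises the event log sizes, enables the audit subcategories that investigations lean on most, adds the command line to process creation events, and then reads back what the endpoint actually applied. The sizes and the subcategory selection are my own choices, not Microsoft defaults.

```powershell
# Added example: local equivalent of the audit settings. Run elevated.
# Sizes and subcategories below are the author's picks for this example, not Microsoft defaults.

# 1. Raise the maximum size of the classic logs (default 20 MB, which rolls over within hours
#    once process creation auditing is on). wevtutil takes the size in bytes (/ms = maxsize).
$LogSizes = @{ 'Security' = 1GB; 'System' = 256MB; 'Application' = 256MB }
foreach ($log in $LogSizes.Keys) {
    wevtutil.exe sl $log "/ms:$($LogSizes[$log])"
}

# 2. Enable the advanced audit subcategories; the Audit CSP under /Vendor/MSFT/Policy/Config/Audit/
#    controls the same subcategories from Intune.
$Subcategories = @(
    'Process Creation',           # 4688: every new process
    'Logon', 'Logoff',            # 4624/4625/4634: who signed in, how, and when they left
    'Special Logon',              # 4672: sign-ins that received admin privileges
    'User Account Management',    # 4720-4738: local account created/changed/deleted
    'Security Group Management',  # 4732/4733: local group membership changes
    'Audit Policy Change',        # 4719: someone changing or turning off auditing
    'Other Object Access Events'  # 4698/4702: scheduled task created/updated
)
foreach ($sub in $Subcategories) {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable
}

# 3. Event 4688 is of little use without the command line; this flag adds it to the event.
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f

# 4. Read back what is in effect. If Intune or a GPO manages the same subcategories, that policy
#    is re-applied over local changes at the next refresh, so verify here rather than assume.
auditpol.exe /get /subcategory:"Process Creation"
wevtutil.exe gl Security | Select-String 'maxSize'
```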

Step 14: LAPS

Have you thought about implementing LAPS? In the two blogs below I show you the possible options for configuring a LAPS-like solution.

Step 15: MCAS

Microsoft Cloud App Security is a fantastic product; you really want to have it deployed and active in your Microsoft 365 tenant. I wrote a blog on how to set up and automate some steps of it.

Conclusion: 

It takes a few steps, but your endpoints need to be secure. It can be a lot of work if you have to configure all these settings in your tenant by hand. Guess what? All these steps can be done within a few seconds.
