Last Updated on May 2, 2022 by rudyooms
This blog will show you which steps you can take to make sure your endpoints are secure! There should be no discussion about why we need to do our utmost best to secure Windows 10 endpoints.
UPDATE 19-05-2021
After posting this blog in a Twitter thread, I decided to update it with links to my latest blogs covering each of the steps.
I will walk through these steps:
Step 1: Least Privilege (No local admin/adminless)
*ONLY using Autopilot? Did you also block the registration of personal devices? Good. If not, you need a solution to make sure your users are not local administrators.
But beware: taking administrator permissions away from users can give you some problems. In this blog, I will show you how to deal with those.
Step 2: Block administrative Tools
You will need to prevent standard users from launching cmd.exe and regedit.exe. Please take a look at my blog on how you can make sure these apps are blocked. You can even block PowerShell!
Step 3: Applocker
Nice, users are no longer admins. Why not implement a full AppLocker policy? AppLocker is the right tool when you need to block PowerShell for standard users.
If you want to be sure PowerShell and some other LOLBins are blocked, please deploy this AppLocker baseline
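The following is an added example and not the baseline this post links to: it builds an AppLocker EXE rule collection from the three default allow rules plus publisher-based deny rules for PowerShell and a few other LOLBins, writes it out, and dry-runs it against real binaries with Test-AppLockerPolicy before anything is enforced. The deny list, the file name and the AuditOnly mode are my choices for the example; it assumes a 64-bit Windows 10 client with the AppLocker cmdlets available.

```powershell
# Added example (not the post's baseline). Publisher rules catch a binary wherever it is copied to,
# which a path rule on %SYSTEM32% does not. Deny rules beat allow rules in AppLocker, and the rule
# below targets Everyone (S-1-1-0), so it applies to administrators as well.
$Publisher    = 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US'
$DenyBinaries = 'POWERSHELL.EXE', 'POWERSHELL_ISE.EXE', 'MSHTA.EXE', 'WSCRIPT.EXE', 'CSCRIPT.EXE'   # my pick, extend as needed

$denyRules = foreach ($bin in $DenyBinaries) {
@"
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny $bin" Description="LOLBin" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$Publisher" ProductName="*" BinaryName="$bin">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
"@
}

# Start in AuditOnly: event 8003 in Microsoft-Windows-AppLocker/EXE and DLL shows what WOULD have been blocked
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default) Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default) Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default) Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
$($denyRules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-exe.xml'   # assumed output location for the example
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run: evaluate the policy file against real binaries as Everyone, without touching the live policy
$targets = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
           "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
           "$env:SystemRoot\System32\mshta.exe",
           "$env:SystemRoot\System32\notepad.exe"
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $targets -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Only after reviewing the audit events: apply locally (needs the Application Identity service, AppIDSvc)
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Both copies of powershell.exe and mshta.exe should come back as Denied by their publisher rule, notepad.exe as Allowed by the Windows default rule. When you push this through Intune (AppLocker CSP, ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/&lt;grouping&gt;/EXE/Policy) paste only the RuleCollection element, not the AppLockerPolicy wrapper, and flip EnforcementMode to Enabled once the 8003 events (including anything the Intune Management Extension itself triggers) look the way you expect.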
Step 4: Bitlocker
Make sure you enable BitLocker. You can do this through the Intune portal (Endpoint security > Disk encryption) or with a custom-made Intunewin app based on a PowerShell script. Your choice…
Step 5: Windows Defender with ASR rules
Please turn on Microsoft Defender Antivirus and configure the Attack Surface Reduction (ASR) rules. You can automate the deployment as I did with the AppLocker policy.
And when you have the budget, please enable Microsoft Defender for Endpoint (formerly Defender ATP) so you get EDR on top of the antivirus.
Step 6: Baseline policies
Take a look at the security baselines in Intune (Endpoint security > Security baselines). They are easy to assign, and if you would like to dig a little deeper you can create your own baseline with a PowerShell script. I find a script easier to read than the baseline policy, and not every security setting exists in the Intune baseline. The script below runs from an elevated 64-bit PowerShell session (or as SYSTEM when pushed through Intune); reg add and Auditpol are external commands, the rest is PowerShell.
#Harden LSASS to help protect against credential dumping (mimikatz): run LSASS as a protected process (PPL, needs a reboot; test third-party
#authentication packages first), stop WDigest from keeping plaintext passwords in memory, allow only non-exportable credential delegation
#(Remote Credential Guard), and audit LSASS plug-ins that would fail to load under PPL (Microsoft-Windows-CodeIntegrity/Operational log)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" /v AllowProtectedCreds /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe" /v AuditLevel /t REG_DWORD /d 00000008 /f
#Disable LLMNR (DNS multicast) and smart multi-homed name resolution, both abused by Responder-style name poisoning
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v DisableSmartNameResolution /t REG_DWORD /d 1 /f
#Detect leaked LSA tokens after 30 seconds
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v TokenLeakDetectDelaySecs /t REG_DWORD /d 30 /f
#Disable anonymous access to named pipes/shares and anonymous enumeration of SAM accounts, restrict remote SAM access to Administrators,
#send NTLMv2 only (refuse LM and NTLM) and stop accounts with a blank password from being used over the network
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymousSAM /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictRemoteSAM /t REG_SZ /d "O:BAG:BAD:(A;;RC;;;BA)" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LmCompatibilityLevel /t REG_DWORD /d 5 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 1 /f
#Enable PowerShell logging: script block logging (event 4104) and module logging (event 4103).
#Module logging only records something once ModuleNames lists the modules to log, so add the * wildcard
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging" /v EnableModuleLogging /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" /v "*" /t REG_SZ /d "*" /f
#Disable autorun/autoplay on all drives (255 = every drive type)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v NoAutoplayfornonVolume /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAutorun /t REG_DWORD /d 1 /f
#Enable the firewall on all three profiles (-Force keeps New-Item from failing when the key already exists)
#and audit Windows Filtering Platform drops/connections (events 5152/5157 and 5156; these can be noisy)
New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft' -Name "WindowsFirewall" -Force | Out-Null
New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall' -Name "DomainProfile" -Force | Out-Null
New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall' -Name "PublicProfile" -Force | Out-Null
New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall' -Name "StandardProfile" -Force | Out-Null
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' -Name "EnableFirewall" -Value 1 -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' -Name "EnableFirewall" -Value 1 -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile' -Name "EnableFirewall" -Value 1 -Type DWord
Auditpol /set /category:"System" /SubCategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable
#Remove PowerShell 2.0 (no script block logging, no AMSI, so it is the classic "powershell -version 2" downgrade target)
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
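Setting a baseline once is only half of it; you also want to know when a device drifts away from it. The script below is an added example (not part of the original post) that reads the settings from the baseline above back from the device and reports every mismatch, exiting with 1 when anything is off. That is the shape an Intune proactive remediation detection script or a scheduled compliance check expects. It is read-only and assumes it runs elevated or as SYSTEM.

```powershell
# Added example: detect drift from the baseline script above. Exit 0 = compliant, exit 1 = drift found.
$Expected = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                              Name = 'RunAsPPL';                 Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';        Name = 'UseLogonCredential';       Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation';         Name = 'AllowProtectedCreds';      Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';                   Name = 'EnableMulticast';          Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';                   Name = 'DisableSmartNameResolution'; Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                              Name = 'RestrictAnonymousSAM';     Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                              Name = 'RestrictAnonymous';        Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                              Name = 'RestrictRemoteSAM';        Value = 'O:BAG:BAD:(A;;RC;;;BA)' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                              Name = 'LmCompatibilityLevel';     Value = 5 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                              Name = 'LimitBlankPasswordUse';    Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'; Name = 'EnableScriptBlockLogging'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging';      Name = 'EnableModuleLogging';      Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';        Name = 'NoDriveTypeAutoRun';       Value = 255 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';        Name = 'NoAutorun';                Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';          Name = 'EnableFirewall';           Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile';          Name = 'EnableFirewall';           Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile';        Name = 'EnableFirewall';           Value = 1 }
)

function Get-RegistryDrift {
    foreach ($e in $Expected) {
        # A missing key or value is drift too, not just a wrong value
        $props  = Get-ItemProperty -Path $e.Path -ErrorAction SilentlyContinue
        $actual = if ($props) { $props.($e.Name) } else { $null }
        if ($null -eq $actual -or "$actual" -ne "$($e.Value)") {
            [pscustomobject]@{ Setting = "$($e.Path)\$($e.Name)"; Expected = $e.Value; Actual = $actual }
        }
    }
}

function Get-AuditDrift {
    # auditpol /r prints CSV; the "Inclusion Setting" column holds e.g. "Success and Failure" or "No Auditing"
    foreach ($sub in 'Filtering Platform Packet Drop', 'Filtering Platform Connection') {
        $row = auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv
        if ($row.'Inclusion Setting' -ne 'Success and Failure') {
            [pscustomobject]@{ Setting = "auditpol:$sub"; Expected = 'Success and Failure'; Actual = $row.'Inclusion Setting' }
        }
    }
}

function Get-FeatureDrift {
    # 'Disabled' or 'DisabledWithPayloadRemoved' are both fine; anything else means PowerShell 2.0 is back
    $state = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).State
    if ("$state" -notlike 'Disabled*') {
        [pscustomobject]@{ Setting = 'Feature:MicrosoftWindowsPowerShellV2Root'; Expected = 'Disabled'; Actual = $state }
    }
}

$drift = @(Get-RegistryDrift) + @(Get-AuditDrift) + @(Get-FeatureDrift)
if ($drift.Count -eq 0) {
    Write-Output 'Compliant'
    exit 0
}
# Proactive remediations show the first line of output in the portal, so lead with a summary
Write-Output "$($drift.Count) setting(s) drifted"
$drift | Format-Table -AutoSize | Out-String | Write-Output
exit 1
```

Pair it with the baseline script as the remediation script and Intune re-applies the settings on every device that reports drift; if you only want visibility, run it on a schedule and ship the output to your log collector.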
Step 7: Windows Firewall
Turning on the Windows Firewall is always a good thing. You can configure it with Intune; I dedicated a blog to this some time ago!
Step 8: Windows Hello or MFA Authenticator
It’s very easy to turn on MFA and Windows Hello for Business. I recommend requiring users to sign in with at least a device PIN instead of their password.
If you want to read more about credential providers and how to use the Microsoft Authenticator for Windows logon:
Step 9: Windows 10 Update
Windows has to be kept up to date, so configure Windows Update for Business update rings in Intune. Please beware of the servicing channel: you could configure it to use the Insider Slow channel, but for production environments that is not the best option, so I made sure I selected the “General Availability channel”.

Step 10: Office 365 Apps Security
Don’t forget about the macro and file type settings in Office. If, like me, you didn’t know why blocking DIF and SYLK files is necessary, take a look at this blog from Outflank: https://outflank.nl/blog/2019/10/30/abusing-the-sylk-file-format/. They do a very good job of explaining why this is important.
You can block these file types (and the macro behaviour) in the settings catalog.

Of course, I also created a blog about this topic. Go read it if you want to know more.
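To see what the settings catalog actually writes, here is an added example (not from the original post) that sets the same Office policies straight into the registry and reads them back. It assumes Microsoft 365 Apps / Office 2016 or later (the 16.0 policy hive) and the value meanings from the Office ADMX templates; because these are per-user policies it must run in the user's context (in Intune: a user-scoped profile, or a PowerShell script with "Run this script using the logged on credentials").

```powershell
# Added example: registry equivalents of the Office file block and macro policies. Per-user (HKCU).
$Office = 'HKCU:\Software\Policies\Microsoft\Office\16.0'   # assumed: Microsoft 365 Apps / Office 2016+

function Set-PolicyValue([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord') {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Excel: DIF and SYLK (value meanings per the Office ADMX: 2 = open and save blocked, use the open policy;
# OpenInProtectedView 0 = blocked file types are not opened at all, not even in Protected View)
Set-PolicyValue "$Office\Excel\Security\FileBlock" 'DifAndSylkFiles'     2
Set-PolicyValue "$Office\Excel\Security\FileBlock" 'OpenInProtectedView' 0

foreach ($app in 'Excel', 'Word', 'PowerPoint') {
    # VBAWarnings: 3 = disable all macros except digitally signed, 4 = disable all without notification
    Set-PolicyValue "$Office\$app\Security" 'VBAWarnings' 3
    # Block macros in files carrying Mark of the Web (downloaded/mail attachments), whatever VBAWarnings says
    Set-PolicyValue "$Office\$app\Security" 'blockcontentexecutionfrominternet' 1
}

# Read back so you can compare with what the settings catalog profile produced on a managed device
foreach ($app in 'Excel', 'Word', 'PowerPoint') {
    Get-ItemProperty "$Office\$app\Security" |
        Select-Object @{ n = 'App'; e = { $app } }, VBAWarnings, blockcontentexecutionfrominternet
}
Get-ItemProperty "$Office\Excel\Security\FileBlock" | Select-Object DifAndSylkFiles, OpenInProtectedView
```

Keep VBAWarnings at 3 only if you actually sign the macros your users need; if nobody does, 4 is the honest setting. The settings catalog entries map onto exactly these values, so the read-back at the end is a quick way to confirm a profile landed on a device.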
Step 11: OneDrive KFM
OneDrive KFM (Known Folder Move) is a nice solution to make sure your users' Documents, Desktop and Pictures folders are silently redirected to their OneDrive account. It also gives you a way back after ransomware: OneDrive keeps file versions and Files Restore can roll the whole library back to a point in time.

Step 12: Chocolatey or Winget
Have you thought about patching third-party apps? Use Chocolatey (or winget, but winget has no built-in scheduled upgrade). With a daily upgrade task your third-party apps stay up to date without anyone touching them.
# Bootstrap Chocolatey. Force TLS 1.2 first; older .NET defaults can still try TLS 1.0 and the download then fails.
# Note that this pipes a remote script into Invoke-Expression: for production, host a reviewed copy of install.ps1 yourself.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')) -ErrorAction Stop
$ChocoPackages = @("jre8", "adobereader", "7zip.install")
# choco.exe may not be on PATH yet in the session that just installed it, so fall back to the default location
$ChocoInstall = Get-Command -Name 'choco' -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Source
if (-not $ChocoInstall) { $ChocoInstall = Join-Path $env:ProgramData 'chocolatey\bin\choco.exe' }
if (-not (Test-Path $ChocoInstall)) { throw "choco.exe not found after bootstrap" }
foreach ($Package in $ChocoPackages) {
    # Call choco directly; the exit code tells you whether the package really installed
    & $ChocoInstall install $Package -y --no-progress
    if ($LASTEXITCODE -ne 0) {
        throw "Failed to install $Package (choco exit code $LASTEXITCODE)"
    }
}
## Create a scheduled task that runs 'choco upgrade all' every day at 12:00 and gives up at 14:00
& $ChocoInstall install choco-upgrade-all-at --params "'/DAILY:yes /TIME:12:00 /ABORTTIME:14:00'" -y
If you want to know how you can do the same with winget:
Step 13: Audit Logging
Did you increase the Security/System/Application event log sizes? The defaults roll over long before an investigation starts. Please make sure you have configured auditing, and that you have the proper licensing in place for wherever the events end up. The audit subcategories can be set from Intune through the Audit node of the Policy CSP:
/Vendor/MSFT/Policy/Config/Audit/
Policy CSP – Audit – Windows Client Management | Microsoft Docs
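As an added example (not from the original post, and not the post's own audit configuration), here is the local equivalent of what the Policy CSP Audit node and an event-log-size policy do: grow the logs, enable the subcategories an incident responder actually queries, switch on command-line capture for process creation, and read the effective configuration back. The sizes and the subcategory list are my choices; it runs elevated.

```powershell
# Added example: event log sizing and audit policy, with verification. Run elevated.

# 1. Log sizes: 1 GB Security, 256 MB System and Application (Intune equivalent: the EventLogService policies)
wevtutil set-log Security    /maxsize:1073741824
wevtutil set-log System      /maxsize:268435456
wevtutil set-log Application /maxsize:268435456

# 2. Audit subcategories. Each maps to an Audit/<Area>_<Subcategory> setting in the Policy CSP
#    (0 = off, 1 = success, 2 = failure, 3 = success and failure).
$Subcategories = @(
    'Process Creation',            # 4688, the backbone of any timeline
    'Process Termination',         # 4689
    'Logon',                       # 4624 / 4625 (failures = password spraying, lateral movement)
    'Logoff',                      # 4634
    'Special Logon',               # 4672, someone logged on with admin privileges
    'Security Group Management',   # 4728 / 4732, membership changes
    'User Account Management',     # 4720 / 4722 / 4724, local account changes
    'Other Object Access Events',  # 4698, scheduled task created
    'Audit Policy Change',         # 4719, someone turned auditing off
    'Credential Validation'        # 4776, NTLM authentication
)
foreach ($s in $Subcategories) {
    auditpol /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
}

# 3. 4688 without the command line is close to useless; this adds it
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f | Out-Null

# 4. Verify: maximum log sizes and the effective audit policy for the subcategories above
Get-WinEvent -ListLog Security, System, Application |
    Select-Object LogName, @{ n = 'MaxMB'; e = { [math]::Round($_.MaximumSizeInBytes / 1MB) } }, IsEnabled
auditpol /get /category:* /r | ConvertFrom-Csv |
    Where-Object { $_.Subcategory -in $Subcategories } |
    Select-Object Subcategory, 'Inclusion Setting'
```

Run the verification part on its own against a device that only received the Intune profile: if the Inclusion Setting column does not say "Success and Failure" for every subcategory you configured, the CSP setting did not apply and your SIEM is quietly missing events.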

Step 14: LAPS
Have you thought about implementing LAPS? In the two blogs below I show the possible options for configuring a sort of LAPS
Step 15: MCAS
Microsoft Cloud App Security (now called Microsoft Defender for Cloud Apps) is a fantastic product; you really want to have it deployed and active in your Microsoft 365 tenant. I wrote a blog on how to set up and automate some of its configuration.
Conclusion:
You have to take a few steps, but your endpoints need to be secure. It can be a lot of work if you configure all these settings in your tenant by hand. Guess what? With the scripts from the blogs above, all these steps can be automated and applied within a few seconds.
