The Forgotten Fruits of Securing your Windows 10 Endpoint


This blog will show you which steps you can take to make sure your endpoints are secure! There should be absolutely no discussion about why we need to do our utmost to secure our Windows 10 endpoints.

UPDATE 19-05-2021

After posting this blog on a Twitter topic... I decided to update it with links to my latest blogs regarding the steps.

I will show you these next options:

  1. Least Privilege
  2. Block Administrative Tools
  3. Applocker
  4. Bitlocker
  5. Defender ASR
  6. Hardening Baseline Policies
  7. Windows Firewall
  8. MFA / Hello
  9. Windows Update WUfB
  10. Office Apps Security
  11. OneDrive KFM
  12. Chocolatey / Winget
  13. Audit Logging
  14. LAPS
  15. MCAS

Step 1: Least Privilege (No local admin/adminless)  

*ONLY using Autopilot? And you also denied registering personal devices? Good. If not… you need a solution to make sure your users are not admins.

But beware: making sure the users don’t have administrator permissions can cause some problems. In this blog, I will show you how to deal with those.

Step 2: Block administrative Tools

You will need to prevent access to cmd and regedit. Please take a look at my blog on how you can make sure these apps are blocked. You can even block PowerShell!

Step 3: Applocker 

*Nice… users are no longer admins. Why not implement a full AppLocker policy?

Using AppLocker is of course great when you need to block PowerShell.

If you want to be sure PowerShell and some other LOLBINs are blocked, please deploy this AppLocker baseline.

Step 4: Bitlocker 

*Make sure you enable BitLocker. You can do this through the Intune portal or with a custom-made Intunewin app based on a PowerShell script. Your choice…

Step 5: Windows Defender with ASR rules 

*Please turn on Windows Defender and configure the ASR rules. You can automate the deployment as I did with the AppLocker policy.

And when you have money to spare, please enable Microsoft Defender for Endpoint (ATP).
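As an added example (not the author's deployment script), one way to roll out a handful of ASR rules in audit mode first, verify what Defender has configured, and review the audit events before switching the same rules to block mode. The rule GUIDs are Microsoft's published ASR rule IDs; the `$Mode` variable and the rule selection are assumptions for this illustration.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell session.
# Start with 'AuditMode' so Defender only logs what it would have blocked (event ID 1122);
# switch to 'Enabled' (block, event ID 1121) once the audit events show no legitimate app.
$Mode = 'AuditMode'   # assumed: 'AuditMode' for the pilot phase, 'Enabled' to enforce

# Published ASR rule IDs with their descriptions (selection is an assumption)
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from the LSASS subsystem'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
}

foreach ($id in $AsrRules.Keys) {
    # Add-MpPreference adds or updates one rule; Set-MpPreference with arrays would replace the whole list
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    Write-Output ("{0,-9} {1}" -f $Mode, $AsrRules[$id])
}

# Verify what is configured: Ids and Actions are parallel arrays (0 = Disabled, 1 = Block, 2 = Audit)
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    "{0}  action={1}" -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}

# What would have been blocked so far (audit events); review these before switching to 'Enabled'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```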

Step 6: Baseline policies 

*Take a look at the baseline policies in Intune. They are easy to implement, and if you’d like to dig a little deeper you can create your own baseline with a PowerShell script. I find a script easier to read than the baseline policy, and not all security configurations exist in the Intune baseline policy.


# Harden LSASS to help protect against credential dumping (Mimikatz) and audit LSASS access requests
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" /v AllowProtectedCreds /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe" /v AuditLevel /t REG_DWORD /d 8 /f

# Disable multicast name resolution (LLMNR) and smart multi-homed name resolution
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v DisableSmartNameResolution /t REG_DWORD /d 1 /f

# Restrict anonymous access to named pipes/shares and anonymous SAM enumeration, limit remote SAM access to administrators,
# require NTLMv2 only (LmCompatibilityLevel 5) and restrict blank-password use to console logon
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v TokenLeakDetectDelaySecs /t REG_DWORD /d 30 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymousSAM /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictRemoteSAM /t REG_SZ /d "O:BAG:BAD:(A;;RC;;;BA)" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LmCompatibilityLevel /t REG_DWORD /d 5 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 1 /f

# Enable PowerShell script block and module logging
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging" /v EnableModuleLogging /t REG_DWORD /d 1 /f

# Disable autorun/autoplay on all drives
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v NoAutoplayfornonVolume /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAutorun /t REG_DWORD /d 1 /f

# Enable the Windows Firewall on all profiles (-Force lets New-Item succeed when the key already exists, so the script can be re-run)
New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft' -Name "WindowsFirewall" -Force | Out-Null
New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall' -Name "DomainProfile" -Force | Out-Null
New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall' -Name "PublicProfile" -Force | Out-Null
New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall' -Name "StandardProfile" -Force | Out-Null
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' -Name "EnableFirewall" -Type DWord -Value 1
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' -Name "EnableFirewall" -Type DWord -Value 1
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile' -Name "EnableFirewall" -Type DWord -Value 1
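Writing the values is half the job; the other half is knowing they are still there a month later. As an added example (not the author's script), a read-only check that reports drift against a subset of the values the baseline above writes, with a non-zero exit code so Intune or a scheduled task can treat drift as a failure. The selection of values and the `Test-BaselineValue` helper are assumptions for this illustration.

```powershell
# Added example, not code from the original post. Read-only; run in an elevated PowerShell session.
# Expected values are taken from the baseline script above (a subset, as an assumption).
$Expected = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                         Name = 'RunAsPPL';                 Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';   Name = 'UseLogonCredential';       Value = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                         Name = 'LmCompatibilityLevel';     Value = 5 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                         Name = 'RestrictAnonymousSAM';     Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';             Name = 'EnableMulticast';          Value = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'; Name = 'EnableScriptBlockLogging'; Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer';  Name = 'NoDriveTypeAutoRun';       Value = 255 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile';    Name = 'EnableFirewall';           Value = 1 }
)

function Test-BaselineValue {
    param([string]$Path, [string]$Name, $Value)
    # Get-ItemProperty throws when the key or the value is missing; a missing value is non-compliant
    try {
        $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $actual = $null
    }
    [pscustomobject]@{
        Setting   = "$Path\$Name"
        Expected  = $Value
        Actual    = $actual
        Compliant = ($null -ne $actual -and $actual -eq $Value)
    }
}

# Splat each hashtable onto the function's Path/Name/Value parameters
$results = foreach ($e in $Expected) { Test-BaselineValue @e }
$results | Format-Table -AutoSize

$drift = @($results | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) baseline setting(s) missing or changed"
    exit 1
}
exit 0
```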

Step 7: Windows Firewall 

*Turning on the Windows Firewall is always a good thing. You can configure it with Intune. I dedicated a blog to this some time ago!

Step 8: Windows Hello or MFA Authenticator 

*Easy to turn on… I recommend requiring users to use at least a device PIN instead of their password.

If you want to read more about credential providers and how to use the Microsoft Authenticator for Windows logon:

Step 9: Windows 10 Update 

*Windows has to be kept up to date, so go configure Windows Update for Business within Intune. Please beware of the servicing channel. I configured it specifically for the Insider Slow channel.

Step 10: Office  365 Apps Security 

*Don’t forget about the macro and file type settings in Office. If, like me, you didn’t know why blocking DIF and SYLK files is necessary, take a look at this blog from Outflank: https://outflank.nl/blog/2019/10/30/abusing-the-sylk-file-format/. They do a very good job of explaining why this is important.

You can block these file types in the settings catalog.

Of course, I also created a blog about this topic. Go read it if you want to know more.

Step 11: OneDrive KFM 

*OneDrive KFM is a nice solution to make sure your Documents and Desktop folders are silently redirected to your OneDrive account. Your data is also protected against ransomware.


Step 12: Chocolatey or Winget

*Did you think about patching third-party apps? Use Chocolatey (or Winget… but it does not have an automatic upgrade function). Very good… your third-party apps will be up to date forever.

# Install Chocolatey by running the official install script straight from the web (run elevated; for managed rollouts, host a reviewed copy internally)
Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')) -ErrorAction Stop
$ChocoPackages = @("jre8", "adobereader", "7zip.install")
$ChocoInstall = Get-Command -Name 'choco' -ErrorAction SilentlyContinue -WarningAction SilentlyContinue | Select-Object -ExpandProperty Source
if (-not $ChocoInstall) { throw "choco.exe was not found after the Chocolatey install" }
foreach ($Package in $ChocoPackages) {
    # Call choco directly and check the exit code: running it through Invoke-Expression "cmd.exe /c ..."
    # never throws on a failed install, so a try/catch around it would not catch anything.
    & $ChocoInstall install $Package -y
    # 1641 and 3010 mean "installed, reboot required" and are not failures
    if ($LASTEXITCODE -notin 0, 1641, 3010) {
        throw "Failed to install $Package (exit code $LASTEXITCODE)"
    }
}
## Create a scheduled task to update all packages each day at 12:00
& $ChocoInstall install choco-upgrade-all-at --params "'/DAILY:yes /TIME:12:00 /ABORTTIME:14:00'" -y

If you want to know how you can do the same with winget:

Step 13: Audit Logging 

*Did you increase the Security/System/Application event log size? And are you auditing everything you need to know? Please make sure you have the proper licensing set up.
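As an added example (not the author's configuration), one way to answer both questions on an endpoint: enlarge the event logs, enable the audit subcategories that investigations depend on, record the full command line in process creation events, and verify the result. The log sizes and the choice of subcategories are assumptions; size them to your disk and SIEM retention.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell session.
# Log sizes are assumptions (maximum size must be a multiple of 64 KB)
$LogSizes = @{
    'Security'                                 = 1GB
    'System'                                   = 256MB
    'Application'                              = 256MB
    'Microsoft-Windows-PowerShell/Operational' = 256MB   # script block logging (event ID 4104) lands here
}
foreach ($log in $LogSizes.Keys) {
    # /ms: maximum size in bytes, /rt:false = overwrite the oldest events as needed
    wevtutil sl "$log" /ms:$($LogSizes[$log]) /rt:false
}

# Advanced audit policy subcategories, success and failure (selection is an assumption).
# Process Creation gives 4688, Logon/Logoff 4624/4625/4634, User Account Management 4720/4726/4738.
$AuditSubcategories = @(
    'Process Creation', 'Process Termination', 'Logon', 'Logoff', 'Special Logon',
    'Account Lockout', 'User Account Management', 'Security Group Management',
    'Audit Policy Change', 'File Share', 'Removable Storage'
)
foreach ($sub in $AuditSubcategories) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# Include the command line in 4688 events; without this the event only names the executable
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Type DWord -Value 1

# Verify: log sizes and the effective audit policy
Get-WinEvent -ListLog @($LogSizes.Keys) | Select-Object LogName, MaximumSizeInBytes, IsEnabled
auditpol /get /category:* | Select-String -Pattern ($AuditSubcategories -join '|')
```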

Step 14: Laps 

*Have you thought about implementing LAPS? I will show you the possible options on how to configure a sort of LAPS.

And my older blog about LAPS

Step 15: MCAS

Microsoft Cloud App Security is a fantastic product; you really want to have this deployed and active in your Microsoft 365 tenant. I wrote a blog on how to set up/automate some steps of it.

Conclusion: 

You have to take a few steps… but your endpoints need to be secure. It can be a lot of work if you need to configure all these settings in your tenant. Guess what? All these steps can be done within a few seconds.
