Enable ‘Local Security Authority (LSA) protection’

Description
Forces LSA to run as Protected Process Light (PPL).
Potential risk
If LSASS isn’t running as a protected process, any code running with local administrator rights (SeDebugPrivilege) can open the process and read its memory, harvesting cached NTLM hashes, Kerberos tickets and, where WDigest is still enabled, plaintext passwords. Those secrets feed attacks such as Pass-the-Hash and Pass-the-Ticket. As a PPL, LSASS can only be opened by other protected, specially signed processes, which blocks the common user-mode credential-dumping tools; an attacker then needs kernel code execution (for example through a vulnerable or malicious driver) to get the same access.
Remediation options
Option 1 – Set the following registry value:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL
To the following REG_DWORD value: 1
The setting takes effect at the next reboot. Before enforcing it fleet-wide, confirm that no unsigned LSA plug-ins or authentication packages are in use, because they fail to load once LSASS is protected.
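The following PowerShell is an added example and not part of the original guidance; the function names are my own. It checks that LSA protection is configured in the registry and, separately, that LSASS actually started protected at the last boot: the registry value only tells you what the next boot will do, while the Wininit boot event tells you what this boot did.

```powershell
# Added example (not from the original guidance). Function names are my own.
function Test-LsaProtection {
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    # At boot, Microsoft-Windows-Wininit writes Event ID 12 to the System log when LSASS is
    # started as PPL ("LSASS.exe was started as a protected process with level: 4").
    $bootEvent = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Wininit'
        Id           = 12
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

    [pscustomobject]@{
        RunAsPPL              = if ($null -eq $runAsPpl) { '(absent)' } else { $runAsPpl }
        ConfiguredForNextBoot = ($runAsPpl -eq 1)
        # Only an event newer than the last boot proves protection is active right now;
        # an old event from a previous boot does not count.
        ProtectedThisBoot     = [bool]($bootEvent -and $bootEvent.TimeCreated -ge $lastBoot)
        LastBootUpTime        = $lastBoot
        WininitEvent          = if ($bootEvent) { $bootEvent.Message.Trim() } else { '(none)' }
    }
}

function Enable-LsaProtection {
    # Remediation as given above: REG_DWORD RunAsPPL = 1; a reboot is required for it to apply.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-ItemProperty -Path $lsaKey -Name RunAsPPL -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Warning 'RunAsPPL set to 1; LSASS will run as PPL after the next reboot.'
}

Test-LsaProtection | Format-List
```

A machine where ConfiguredForNextBoot is true but ProtectedThisBoot is false has had the value pushed (for example by Group Policy) but not yet rebooted, and is still dumpable until it does.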
Disable ‘Allow Basic authentication’ for WinRM Client

Description
Determines whether the Windows Remote Management (WinRM) client uses Basic authentication.
Potential risk
Basic authentication sends the user’s password to the remote host in a reversible (Base64-encoded) form. Over an HTTP listener the password crosses the network in the clear; even over HTTPS it is disclosed to the endpoint it connects to, unlike Kerberos or Negotiate, which never transmit the password itself. A client that is allowed to fall back to Basic can therefore be coaxed into handing its credentials to a rogue or compromised WinRM endpoint.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client\Allow Basic authentication
To the following value: Disabled
Option 2 – Set the following registry value:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\AllowBasic
To the following REG_DWORD value: 0
Disable ‘Allow Basic authentication’ for WinRM Service

Description
Determines whether the Windows Remote Management (WinRM) service accepts Basic authentication.
Potential risk
Basic authentication delivers the password to the service in a reversible (Base64-encoded) form, so a service that accepts it handles cleartext credentials. Over an HTTP listener they are also exposed on the wire, and anyone who captures or replays them has a valid logon. Disabling Basic on the service side forces remote callers to use Kerberos, Negotiate or certificate authentication.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Allow Basic authentication
To the following value: Disabled
Option 2 – Set the following registry value:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\AllowBasic
To the following REG_DWORD value: 0
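The following PowerShell is an added example, not part of the original guidance, and the function name is my own. It serves both WinRM recommendations above: it compares the policy registry values with what the WinRM service actually enforces, as exposed through the WSMan: drive, for the client and the service side. The drive is only readable while the WinRM service is running, so the function checks that first.

```powershell
# Added example (not from the original guidance). Function name is my own.
function Test-WinRmBasicAuth {
    $policyRoot   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM'
    $winrmRunning = (Get-Service -Name WinRM -ErrorAction SilentlyContinue).Status -eq 'Running'

    foreach ($side in 'Client', 'Service') {
        $policy = (Get-ItemProperty -Path "$policyRoot\$side" -Name AllowBasic -ErrorAction SilentlyContinue).AllowBasic

        # WSMan:\localhost\<Client|Service>\Auth\Basic holds the effective setting as the string 'true' or 'false'.
        $effective = $null
        if ($winrmRunning) {
            $effective = (Get-Item -Path "WSMan:\localhost\$side\Auth\Basic" -ErrorAction SilentlyContinue).Value
        }

        [pscustomobject]@{
            Side             = $side
            PolicyAllowBasic = if ($null -eq $policy) { '(not configured)' } else { $policy }
            EffectiveBasic   = if ($null -eq $effective) { '(WinRM not running)' } else { $effective }
            # Compliant only when policy pins Basic to 0 and the running service agrees.
            Compliant        = ($policy -eq 0 -and $effective -eq 'false')
        }
    }
}

Test-WinRmBasicAuth | Format-Table -AutoSize
```

Without a policy, the client side defaults to Basic=true and the service side to Basic=false, so a "(not configured)" client row is the one that usually needs attention; the policy value is still worth setting on the service so that a local administrator cannot re-enable it with winrm set.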
Disable Anonymous enumeration of shares

Description
Determines whether anonymous logon users (null session connections) are allowed to list all account names and enumerate all shared resources.
Potential risk
An anonymous caller who can list account names and shares gets a ready-made target list: valid usernames for password guessing or spraying, and share names to probe for weak permissions.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access\Do not allow anonymous enumeration of SAM accounts and shares
To the following value: Enabled
Option 2 – Set the following registry value:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous
To the following REG_DWORD value: 1
Disable ‘Autoplay’ for all drives

Description
Determines whether Autoplay is enabled on the device. Autoplay begins reading from a drive as soon as media is inserted, so the setup program or media file on it can start immediately without the user opening it.
Potential risk
An attacker could use this feature to launch a malicious program to damage a client computer or data on the computer.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\Windows Components\AutoPlay Policies\Turn off Autoplay
To the following value: Enabled\All drives
Option 2 – Set the following registry value:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
To the following REG_DWORD value: 255
Disable ‘Autoplay for non-volume devices’

Description
Determines whether autoplay for non-volume devices (such as Media Transfer Protocol (MTP) devices) is enabled or disabled.
Potential risk
An attacker could use this feature to launch a program to damage a client computer or data on the computer.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\Windows Components\AutoPlay Policies\Disallow Autoplay for non-volume devices
To the following value: Enabled
Option 2 – Set the following registry value:
HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer\NoAutoplayfornonVolume
To the following REG_DWORD value: 1
Disable ‘Enumerate administrator accounts on elevation’

Description
Determines whether the user needs to provide both the administrator username and password to elevate a running application, or if the system displays a list of administrator accounts to choose from.
Potential risk
Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user, making attacks easier.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\Windows Components\Credential User Interface\Enumerate administrator accounts on elevation
To the following value: Disabled
Option 2 – Set the following registry value:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators
To the following REG_DWORD value: 0
Disable Solicited Remote Assistance

Description
Remote assistance allows another user to view or take control of the local session of a user. Solicited assistance is help that is specifically requested by the local user.
Potential risk
An unauthorized party who obtains or is sent an assistance invitation can view and take control of the user’s session and access the resources on the computer.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\System\Remote Assistance\Configure Solicited Remote Assistance
To the following value: Disabled
Option 2 – Set the following registry value:
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp
To the following REG_DWORD value: 0
Enable ‘Apply UAC restrictions to local accounts on network logons’

Description
With User Account Control enabled, filtering the privileged token of local accounts that are members of the Administrators group prevents their elevated privileges from being used over the network: a network logon with such an account receives a standard-user token, so remote administration paths such as admin shares, WMI and PsExec are not available to it. The built-in Administrator account (RID 500) is exempt from this filtering, and domain accounts are unaffected.
This recommendation is not applicable to organizations that use a local password management solution (such as LAPS) to protect local accounts used for remote administration and support.
Potential risk
Local administrator accounts often share the same password across many systems, so a single compromised local administrator password or hash lets an attacker move laterally between domain systems.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\MS Security Guide\Apply UAC restrictions to local accounts on network logons
To the following value: Enabled
Option 2 – Set the following registry value:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
To the following REG_DWORD value: 0
Enable ‘Require additional authentication at startup’

Description
Determines whether BitLocker requires additional authentication each time the computer starts, and whether you are using BitLocker with or without a Trusted Platform Module (TPM).
Potential risk
TPM without use of a PIN will only validate early boot components and does not require a user to enter any additional authentication information. If a computer is lost or stolen in this configuration, BitLocker will not provide any additional measure of protection beyond what is provided by native Windows authentication unless the early boot components are tampered with or the encrypted drive is removed from the machine.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require additional authentication at startup
To the following value: Enabled
Option 2 – Set the following registry value:
HKLM\SOFTWARE\Policies\Microsoft\FVE\UseAdvancedStartup
To the following REG_DWORD value: 1
Set default behavior for ‘AutoRun’ to ‘Enabled: Do not execute any autorun commands’

Description
Determines whether Autorun commands are allowed to execute. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines.
Potential risk
Allowing autorun commands to execute may introduce malicious code to a system without user intervention or awareness. Configuring this setting prevents autorun commands from executing.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\Windows Components\AutoPlay Policies\Set the default behavior for AutoRun
To the following value: Enabled\Do not execute any autorun commands
Option 2 – Set the following registry value:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutorun
To the following REG_DWORD value: 1
Set ‘Minimum PIN length for startup’ to ‘6 or more characters’

Description
Determines the minimum number of characters a user must use for the TPM startup PIN that BitLocker requires at boot. The PIN is entered in the pre-boot environment and never leaves the machine; it is used to unseal the volume key protected by the TPM.
Potential risk
BitLocker requires the use of the function keys [F1-F10] for PIN entry since the PIN is entered in the pre-OS environment before localization support is available. This limits each PIN digit to one of ten possibilities. The TPM has an anti-hammering feature that includes a mechanism to exponentially increase the delay for PIN retry attempts; however, using a PIN that is short in length improves an attacker’s chances of guessing the correct PIN.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Configure minimum PIN length for startup
To the following value: Enabled\6 or more characters
Option 2 – Set the following registry value:
HKLM\SOFTWARE\Policies\Microsoft\FVE\MinimumPIN
To the following REG_DWORD value: 6 or greater
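The following PowerShell is an added example, not part of the original guidance, and the function name is my own. It serves both BitLocker entries above ('Require additional authentication at startup' and 'Minimum PIN length for startup'): the two policies govern what BitLocker will accept, but they do not convert a volume that is already protected by a TPM-only protector, so the check reports the policy values next to the protectors actually present on the operating-system volume.

```powershell
# Added example (not from the original guidance). Function name is my own.
function Test-BitLockerStartupPin {
    $fve      = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $protectorTypes = @($osVolume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    [pscustomobject]@{
        UseAdvancedStartup  = $fve.UseAdvancedStartup
        MinimumPIN          = $fve.MinimumPIN
        PolicyCompliant     = ($fve.UseAdvancedStartup -eq 1 -and $fve.MinimumPIN -ge 6)
        VolumeStatus        = $osVolume.VolumeStatus.ToString()
        ProtectionStatus    = $osVolume.ProtectionStatus.ToString()
        KeyProtectors       = ($protectorTypes -join ', ')
        # 'Tpm' alone means no pre-boot authentication; a PIN protector shows as TpmPin or TpmPinStartupKey.
        PinProtectorPresent = [bool]($protectorTypes | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey' })
    }
}

Test-BitLockerStartupPin | Format-List

# To add the PIN on an existing TPM-only volume, run elevated (prompts interactively; BitLocker
# enforces the configured MinimumPIN on the value entered). If the cmdlet reports a conflict with
# the existing TPM protector, remove that protector first with Remove-BitLockerKeyProtector.
#   $pin = Read-Host -AsSecureString -Prompt 'New startup PIN'
#   Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin $pin
```

A machine that reports PolicyCompliant true but PinProtectorPresent false is exactly the lost-or-stolen case the risk text describes: the policy is in place, yet the disk still unlocks with nothing but the TPM.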
Set User Account Control (UAC) to automatically deny elevation requests

Description
Determines the behavior of the elevation prompt for standard users.
Potential risk
Denying elevation requests from standard user accounts requires tasks that need elevation to be initiated by accounts with administrative privileges. This prevents privileged account credentials from being cached with standard user profile information to help mitigate credential theft.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control\Behavior of the elevation prompt for standard users
To the following value: Automatically deny elevation requests
Option 2 – Set the following registry value:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser
To the following REG_DWORD value: 0
Disable ‘Always install with elevated privileges’

Description
Determines whether Windows Installer always elevates privileges when installing applications.
Potential risk
Standard user accounts must not be granted elevated privileges. When Windows Installer elevates every installation, any user can run an arbitrary .msi package, including one they crafted, as SYSTEM and gain full control of the system. Windows Installer only honours this behaviour when the setting is enabled in both the computer (HKLM) and user (HKCU) policy hives, so both must be checked; the pair is a well-known local privilege-escalation finding.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Installer\Always install with elevated privileges
To the following value: Disabled
Option 2 – Set the following registry value:
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
To the following REG_DWORD value: 0
The user-side counterpart, HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated (User Configuration\Policies\Administrative Templates\Windows Components\Windows Installer\Always install with elevated privileges), must be 0 or absent as well.
Disable ‘Anonymous enumeration of SAM accounts’

Description
Controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate user account names on the systems in your environment.
Potential risk
Anonymous enumeration of SAM accounts allows anonymous logon users (null session connections) to list all account names, giving an attacker a list of valid usernames to target with password guessing.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access\Do not allow anonymous enumeration of SAM accounts
To the following value: Enabled
Option 2 – Set the following registry value:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM
To the following REG_DWORD value: 1
Disable ‘Configure Offer Remote Assistance’

Description
Determines whether unsolicited offers of help to this computer via Remote Assistance are allowed. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests.
Potential risk
A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\System\Remote Assistance\Configure Offer Remote Assistance
To the following value: Disabled
Option 2 – Set the following registry value:
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited
To the following REG_DWORD value: 0
Disable ‘Insecure guest logons’ in SMB

Description
Determines whether the SMB client allows insecure guest logons to SMB servers, that is, connections that fall back to the Guest account when the server rejects the supplied credentials. Such sessions are unauthenticated and do not support SMB signing or encryption.
Potential risk
Insecure guest logons allow unauthenticated access to shared folders, from which an attacker can retrieve sensitive data or plant malicious files. Because guest sessions are unsigned, they are also exposed to man-in-the-middle tampering. Shared resources must require authentication to establish proper access control.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\Network\Lanman Workstation\Enable insecure guest logons
To the following value: Disabled
Option 2 – Set the following registry value:
HKLM\SOFTWARE\Policies\Microsoft\Windows\lanmanworkstation\AllowInsecureGuestAuth
To the following REG_DWORD value: 0
Once set, connections to shares that only offer guest access (common on consumer NAS devices) fail with an access error; such shares need a real account configured on the server.
Disable ‘WDigest Authentication’

Description
Determines whether the WDigest security support provider keeps a copy of the user’s plaintext password in Local Security Authority Subsystem Service (LSASS) memory after logon. WDigest is only needed for HTTP Digest authentication and has no place on a modern Windows estate.
Potential risk
While WDigest caches logon credentials, anyone who can read LSASS memory (a local administrator, or an attacker who has escalated to one) recovers users’ plaintext passwords rather than just hashes. Disabling this setting prevents WDigest from storing credentials in memory; credentials already cached remain until the affected users log off or the machine reboots. Attackers who gain administrative rights sometimes set this value back to 1 to harvest passwords at the next logon, so changes to it are worth alerting on.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\MS Security Guide\WDigest Authentication (disabling may require KB2871997)
To the following value: Disabled
Option 2 – Set the following registry value:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\UseLogonCredential
To the following REG_DWORD value: 0
Enable Explorer Data Execution Prevention (DEP)

Description
Determines whether Data Execution Prevention can be turned off for File Explorer.
Potential risk
DEP marks pages that hold data as non-executable, so code injected into those pages (a classic memory-corruption exploitation step) cannot run. Allowing it to be turned off for File Explorer, which parses untrusted files and loads third-party shell extensions, removes that protection from a high-exposure process.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer\Turn off Data Execution Prevention for Explorer
To the following value: Disabled
Option 2 – Set the following registry value:
HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer\NoDataExecutionPrevention
To the following REG_DWORD value: 0
Set ‘Interactive logon: Machine inactivity limit’ to ‘1-900 seconds’

Description
Determines the amount of inactivity time (in seconds) of a logon session, beyond which the screen saver will run, locking the session.
This security control is only applicable for machines with Windows 10, version 1709 or later.
Potential risk
An unattended device that remains unlocked exposes the session to anyone with physical access, who can use it to execute code, access sensitive data or install persistence under the logged-on user’s identity.
Remediation options
Option 1 – Set the following Group Policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine inactivity limit
To the following value: Between 1 and 900 (seconds)
Option 2 – Set the following registry value:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs
To the following REG_DWORD value: between 1 and 900
A value of 0 disables the limit, so the value must be non-zero to have any effect.
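The following PowerShell is an added example, not part of the original guidance; the function, the table and its row names are my own. It is a table-driven audit of every registry-based remediation on this page. AbsentOk marks the settings whose secure value is also the Windows default, so a missing value is acceptable there; everywhere else a missing value means the hardening was never applied. Range checks (Min/Max) replace equality for the two settings the page specifies as a range. The HKCU row is evaluated for the user running the script.

```powershell
# Added example (not from the original guidance). Names are my own; defaults noted in comments are Windows defaults.
$HardeningChecks = @(
    @{ Name = 'LSA protection';                    Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Value = 'RunAsPPL';                      Expect = 1;   AbsentOk = $false }
    @{ Name = 'WinRM client: Basic auth';          Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client';            Value = 'AllowBasic';                    Expect = 0;   AbsentOk = $false }  # client default allows Basic
    @{ Name = 'WinRM service: Basic auth';         Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service';           Value = 'AllowBasic';                    Expect = 0;   AbsentOk = $true  }  # service default refuses Basic
    @{ Name = 'Anonymous enum: SAM and shares';    Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Value = 'RestrictAnonymous';             Expect = 1;   AbsentOk = $false }
    @{ Name = 'Anonymous enum: SAM accounts';      Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Value = 'RestrictAnonymousSAM';          Expect = 1;   AbsentOk = $false }
    @{ Name = 'Autoplay: all drives';              Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'NoDriveTypeAutoRun';            Expect = 255; AbsentOk = $false }
    @{ Name = 'Autoplay: non-volume devices';      Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer';                Value = 'NoAutoplayfornonVolume';        Expect = 1;   AbsentOk = $false }
    @{ Name = 'AutoRun commands';                  Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'NoAutorun';                     Expect = 1;   AbsentOk = $false }
    @{ Name = 'Enumerate admins on elevation';     Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI';   Value = 'EnumerateAdministrators';       Expect = 0;   AbsentOk = $true  }
    @{ Name = 'Solicited Remote Assistance';       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';    Value = 'fAllowToGetHelp';               Expect = 0;   AbsentOk = $false }
    @{ Name = 'Offer Remote Assistance';           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';    Value = 'fAllowUnsolicited';             Expect = 0;   AbsentOk = $true  }
    @{ Name = 'UAC token filter (network logons)'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Value = 'LocalAccountTokenFilterPolicy'; Expect = 0;   AbsentOk = $true  }  # filtering is the default
    @{ Name = 'UAC: deny standard-user elevation'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Value = 'ConsentPromptBehaviorUser';     Expect = 0;   AbsentOk = $false }  # default is 3 (prompt for credentials)
    @{ Name = 'BitLocker: additional auth';        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE';                             Value = 'UseAdvancedStartup';            Expect = 1;   AbsentOk = $false }
    @{ Name = 'BitLocker: minimum PIN length';     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE';                             Value = 'MinimumPIN';                    Min = 6; Max = 20; AbsentOk = $false }
    @{ Name = 'MSI AlwaysInstallElevated (HKLM)';  Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer';               Value = 'AlwaysInstallElevated';         Expect = 0;   AbsentOk = $true  }
    @{ Name = 'MSI AlwaysInstallElevated (HKCU)';  Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer';               Value = 'AlwaysInstallElevated';         Expect = 0;   AbsentOk = $true  }  # both hives must be 1 for the privesc to work
    @{ Name = 'SMB insecure guest logons';         Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation';       Value = 'AllowInsecureGuestAuth';        Expect = 0;   AbsentOk = $false }  # default varies by edition; require it explicitly
    @{ Name = 'WDigest plaintext caching';         Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';  Value = 'UseLogonCredential';            Expect = 0;   AbsentOk = $true  }  # default 0 since Windows 8.1; older systems need it explicit
    @{ Name = 'Explorer DEP opt-out';              Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer';                Value = 'NoDataExecutionPrevention';     Expect = 0;   AbsentOk = $true  }
    @{ Name = 'Machine inactivity limit (s)';      Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Value = 'InactivityTimeoutSecs';         Min = 1; Max = 900; AbsentOk = $false }
)

function Test-HardeningBaseline {
    param([array]$Checks = $HardeningChecks)
    foreach ($c in $Checks) {
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Value) } else { $null }

        $isRange   = $c.ContainsKey('Min')
        $compliant = if ($null -eq $actual) { [bool]$c.AbsentOk }
                     elseif ($isRange)      { ($actual -ge $c.Min) -and ($actual -le $c.Max) }
                     else                   { $actual -eq $c.Expect }

        [pscustomobject]@{
            Setting   = $c.Name
            Location  = "$($c.Path)\$($c.Value)"
            Expected  = if ($isRange) { "$($c.Min)-$($c.Max)" } elseif ($c.AbsentOk) { "$($c.Expect) or absent" } else { $c.Expect }
            Actual    = if ($null -eq $actual) { '(absent)' } else { $actual }
            Compliant = $compliant
        }
    }
}

# Non-compliant settings first, then a one-line summary suitable for a scheduled check.
$results = Test-HardeningBaseline
$results | Sort-Object Compliant, Setting | Format-Table Setting, Expected, Actual, Compliant -AutoSize
$failed = @($results | Where-Object { -not $_.Compliant }).Count
"{0} of {1} settings non-compliant" -f $failed, $results.Count
```

The registry view is the cheapest signal, not the final word: a policy value can be present while the control is not yet effective (RunAsPPL before a reboot, WDigest credentials cached before the next logoff) or effective while the value is absent (defaults). Treat a failing row as something to verify, and a passing row as necessary rather than sufficient.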