TABLE OF CONTENTS
Home Page
Windows 10 Client Hardening Guide
Windows 10 Server Hardening Guide
Debian Hardening Guide
Apple CIDR Script Runners
Hardening Windows 10 Server 2016

This was written in late November early December, 2019

IMPORTANT: This webpage is not the most updated version of this checklist. To find the most updated checklist go to the cyperpatriots google drive.

  1. Read the Read Me
  2. On the desktop there should be an icon labeled "readme" > open it and completely read it. This website will tell you the situation, what needs to be changed and settings that should be applied.

  3. Windows Update Settings
  4. Change Update Settings to Defer Windows Feature Updates:

    Go to Settings (the little gear icon) > Update & Security > Advanced Options > make sure the "Defer Windows Feature Updates" is checkmarked.

    Check For Updates:

    Go to Settings (the little gear icon) > Update & Security > Windows Update check for updates.

    Automatic Updates:

    Go to Settings (the little gear icon) > Update & Security > underneath "check for updates" click Advanced Options > ensure that Automatic updates are selected.

  5. Complete Forensic Questions
  6. Do what the questions ask you to find out. USE THE INTERNET it is there to help you. These are worth quite a few points so make sure you get them done.

  7. Remove Unauthorized Software
  8. Look at README website from before and see what apps should be installed. Whatever apps or programs that are installed that are not required for the system to run or are required by the README file should be removed through the windows installer. Common Examples of unwanted software: Angry IP Scanner, WireShark, BitTorrent and other torrent services, Driver Support.

  9. Microsoft Management Console (MMC)
  10. Remove Unauthorized Users From System:

    Look at READ ME and remove any unauthorized users and administrators. MMC > insert/ remove snap in > insert "local users" go to "users" and "adminsitrators" and remove unauthorized users/administrators from computer.

    Apply Template (STIGS): *Make sure they are the templates for the server and not the regular stigs, otherwise you will lose points due to server requiring different services

    In search type mmc > in top left select "File" > Add/Remove Snap In > scroll until you find Security Configuration and Analysis > Click Add > click OK in the bottom right had corner > right click on Security Configuration > click "Open Database" > when prompted to select a database type something random into where asks for a filename and click open > change the directory in the top of the popup browser and find where you downloaded your STIGS template file (most likely it is still in downloads) > select it > now once the popup browser has closed, right click again on "Security Configuration and Analysis" > select "Analyze Computer" Now and let it run > once it has finished right click on "Security Configuration" again and select "Configure Computer Now" > once this has been completed you have are now done!

    Apply Group Policy (STIGS): *Make sure they are the templates for the server and not the regular STIGS, otherwise you will lose points due to the server requiring different services

    Open "File Explorer" > in View check "Show Hidden Files" > open C drive > open "Windows" > open System 32 > open "Group Policy" not Group Policy Users > replace all files in here with your Group Policy files replacing all in this destination > after this you are done with STIGS!

  11. Make Sure Everyone Has A Secure Password
  12. In search bar > control panel > user Accounts > User account > Manage user accounts From there change all passwords besides your own to make sure everyone has a secure password.

  13. Update All Required Software on Computer
  14. Recommended to Update Programs Manually First:

    Look at READ ME and Update software stated in READ ME by hand first. To do this, for most software you have to find somewhere in the settings or in the corner, the "About" page. On the About page there should something that says "Check for Updates" or something similar. Click on that.

    Use "Patch my PC home Updater":

    Use this software on everything else that is installed on computer to make sure that everything is up to date. Download page here

    Update Drivers:

    Right click Windows button > select Device manager > update device drivers Go through all devices and make sure all drivers are up to date.

  15. Make Sure Firewall is ON
  16. Turn on Firewall:

    In search bar > Firewall Advanced Security > Turn Firewall on if not already.

    Apply Firewall Rules:

    Open Windows Advanced Firewall > Action > Import Policy > select the .wfw file > click "Open" Then the Windows Firewall policy should have updated and you are done!

  17. Remove Prohibited Files and Other Settings
  18. Show Hidden File Extensions:

    Windows key > type "Show hidden files and folders" > uncheck "Hide extensions for known file types

    Remove Prohibited Video Files:

    In File Explorer go to C Drive > in search bar look up (include the asterisk) *.mp4, *.flv, *.avi, *.wmv, *.mov, etc look more up on the internet if nothing shows up just to be sure.

    Remove Prohibited Audio Files:

    In File Explorer go to C Drive > in search bar look up (include the asterisk) *.mp3, *.wmv, *.wma, *.aif, etc look up more on the internet just in case you missed one.

    Remove Prohibited Images:

    In File Explorer go to C Drive > in search bar look up (include the asterisk) *.png, *.jpg, *.tif, *.gif, etc look up more on the internet just in case.

    File sharing

    Windows Key > Computer Management > click yes when prompted > Shared Folders Look through all files and make sure no unauthorized Folders are being shared. Sharing is not caring in Cyber Patriots.

    Turn on BitLocker:

    Go to file explorer > this pc > right click on C drive > turn on Bitlocker > go through the prompt Important! make sure you have a removable media of some sort to store the generated key that will unlock the computer! What this software does is encrypt the boot drive making it much harder to hack, when you restart the machine, it will ask you to put in the password you have put on it or to insert the flashdrive with the password. Otherwise you will not be able to boot! That's it! :)

    Extra: While hunting and pecking, also try looking for "readme" files because most hidden hacking tools come with one. To search for them go to search bar in file explorer and type "readme" (but without the quotation marks)

  19. Firefox Settings
  20. Settings to change:

    -Privacy & Security >> 1.) set to Strict 2.) Send website a do not track signal always 3.) Delete cookies and site data when firefox is closed
    -Permissions (Under privacy & security) >> Auto play >> check mark block pop-up windows, warn you when websites try to install add-ons
    -Firefox should not be allowed to collect data
    -Security (under privacy and security) >> checkmark Block dangerous and deceptive content, Block dangerous downloads, warn you about unwanted and uncommom software, and certificates 'ask everytime' and Query OCSP responder servers to confirm the current validity of certificates.
    -General tab >> Allow firefox to Automatically install updates

  21. Windows Features
  22. *IMPORTANT!*
    Turn off the following features UNLESS TOLD OTHERWISE! Meaning only turn them off if they are not listed as a Required Service in the Read Me.

    Go to "Turn Windows Features on/off" and DISABLE the following features if not disabled already : RIP listener, Simple TCPIP services, SMB 1.0/CIFS File Sharing Support, TFTP Client, Telnet Client and Server, Simple Network Management Protocol (SNMP),(located in 'Internet Information Services') FTP Server,

  23. Disable Dump File Creation
  24. Dump files are memory dumps, and everything in memory are saved to a file. This is used for debugging problems when your system crashes. However, passwords and all confidential stuff that are running currently are also saved to this file. This feature should only be enabled when you are experiencing problems and need to debug. Control Panel > System > Advanced System Settings > Advanced tab > Startup and Recovery > Underneath "Write Debugging information" change "Automatic Memory Dump" to "none" and uncheck "Write an event to the system log" which is underneath "System Failure".

  25. Install Malware Removal Software + Other Utilities
  26. Malwarebytes:

    Install Malwarebytes: make sure it is updated and you do a full/deep scan. Malwarebytes is the best tool you have to find backdoors and hidden malware on your image.

    Avast or AVG:

    Install Avast Anti-Malware: make sure it is updated and you do a full/deep scan or AVG antivirus

    Enhanced Mitigation Experience Toolkit

    Install EMET (Enhanced Mitigation Experience Toolkit) Run EMET, and set the following :

    DEP - always on.
    SEHOP - always on
    ASLR - application opt in.

    Defaults:

    DEP : application Opt In
    SEHOP : application Opt In
    ASLR: application Opt In
    Pinning: Enabled

    Click ""Apps"" button, then ""Add Application"" button, and locate

    \Windows\System32\wuauclt.exe
    \Windows\servicing\trustedinstaller.exe
    Your antivirus’s service, if it has one.

    Create God Mode File

    On Desktop > create New Folder > rename folder (without quotation marks)"GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}" Use this tool to easily make changes throughout the system.

    Glary Utilities

    Look up and install Glary Utillities. Use it to clean registry files, update software, this software should help you get some points if you go through all the tools

  27. Screensaver
  28. Unattended PCs are obvious security risks. But many people fail to take care of this via this simple setting. Most larger companies that are security aware have strict rules to enable this and not to leave PCs logged in and unattended. Right click on desktop and choose Personalize / Screensaver. Configure it to wait 10 minutes, and check mark "On resume, display Logon screen".

    This list will grow but will not always be the latest version. The latest version will be on the Cyberpatriots Google Drive