Hardening Windows 10

This was written in late November, 2019

IMPORTANT: This webpage is not the most updated version of this checklist. To find the most updated checklist go to the cyberpatriots google drive.


  1. Login
  2. Input Team ID.

  3. Read the Read Me
  4. On the desktop there should be an icon labeled "readme". Open it and read it completely. This page tells you the scenario, what needs to be changed, and which settings should be applied.

  5. Windows Update Settings
    • Change Update Settings to Defer Windows Feature Updates:

      Go to Settings (the little gear icon) > Update & Security > Advanced Options > make sure the "Defer Windows Feature Updates" is checkmarked.

      NOTE: Please keep in mind that if you do not see this setting anywhere that is okay, as it means that your current version of windows will not install Feature Updates automatically.
    • Check For Updates:

      Go to Settings (the little gear icon) > Update & Security > Windows Update > Check for updates.
    • Automatic Updates:

      Go to Settings (the little gear icon) > Update & Security > underneath "check for updates" click Advanced Options > ensure that Automatic updates are selected.

  6. Complete Forensic Questions
  7. Do what the questions ask you to find out. USE THE INTERNET; it is there to help you. These are worth quite a few points, so make sure you get them done.

  8. Remove Unauthorized Software
  9. Look at the README website from before and see which apps should be installed. Any apps or programs that are installed but are not required for the system to run or by the README should be uninstalled through Windows (Settings > Apps & features, or Control Panel > Programs and Features). Common examples of unwanted software:

    • Angry IP Scanner
    • WireShark
    • BitTorrent and other torrent services
    • Unneeded/Not Required Security Programs Ex: Driver Support, CCleaner
    • Video Games

    If you do not know what a program is, look it up. It might be something that can be used for malicious purposes. If it is make sure to get rid of it. But, before you delete/uninstall anything, make sure to check the README and ensure that it is not a required program.

  10. Microsoft Management Console (MMC)
  11. Local Users and Groups

    • Remove Unauthorized Users/Administrators From System:

      Look at the README and remove any unauthorized users and administrators. MMC > File > Add/Remove Snap-in > add "Local Users and Groups" > go to "Users" and to the "Administrators" group and remove unauthorized users/administrators from the computer. Make sure that the profile in C:\Users\ no longer exists after removing the user from the system.

    • Give All Users a Secure Password

      In search bar > MMC > File tab > Add/Remove Snap-in > add the Local Users and Groups snap-in, and hit Next/Finish on all popups > Users
      From here, right-click on each user and change all passwords besides your own to ensure everyone has a secure password.
      The password I recommend you use is the following: 1234qwerasdf!@#$QWERASDF
      I know it looks complicated and hard to remember, but trust me. Once you start typing it you will see that it is not that hard to remember. ;)

    • User Account Control

      Type "change user account control settings" in the windows search bar and hit enter. Set the User Account Control settings to the highest possible.
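      As an added example (not part of the original checklist), the following PowerShell script automates the audit behind the user and administrator steps above: it compares enabled local accounts and Administrators-group members against the README's lists and flags leftover profile folders in C:\Users. The two authorized-name lists are placeholders you fill in from the README; run it in an elevated PowerShell window, and only uncomment the remediation lines after checking the output.

```powershell
# Added example (not from the original checklist): audit local accounts against the
# README's authorized lists. The two lists below are ASSUMED placeholders; fill them
# from the README before running. Run in an elevated PowerShell 5.1+ session.

$AuthorizedUsers  = @('alice', 'bob', 'carol')   # placeholder: users named in the README
$AuthorizedAdmins = @('alice')                    # placeholder: admins named in the README
$BuiltIn          = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')

# Every enabled local account that is neither built in nor authorized is a finding.
$users = Get-LocalUser
$unauthorizedUsers = $users | Where-Object {
    $_.Enabled -and $_.Name -notin $BuiltIn -and $_.Name -notin $AuthorizedUsers
}

# Members of the local Administrators group, compared to the README's admin list.
# Get-LocalGroupMember returns names as COMPUTER\name, so strip the prefix.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' } |
    ForEach-Object { ($_.Name -split '\\')[-1] }
$unauthorizedAdmins = $admins | Where-Object {
    $_ -notin $AuthorizedAdmins -and $_ -notin $BuiltIn
}

'Unauthorized user accounts:'
$unauthorizedUsers | Select-Object Name, Enabled, LastLogon | Format-Table -AutoSize
'Accounts in Administrators that the README does not authorize:'
$unauthorizedAdmins

# Profile folders under C:\Users that belong to no current local account.
$profileNames = Get-ChildItem 'C:\Users' -Directory | Select-Object -ExpandProperty Name
$orphaned = $profileNames | Where-Object {
    $_ -notin $users.Name -and $_ -notin @('Public', 'Default', 'Default User', 'All Users')
}
'Profile folders without a matching local account (review before deleting):'
$orphaned

# Remediation, only after confirming against the README (uncomment to act):
# $unauthorizedAdmins | ForEach-Object { Remove-LocalGroupMember -Group 'Administrators' -Member $_ }
# $unauthorizedUsers  | ForEach-Object { Remove-LocalUser -Name $_.Name }
```

      The script reports rather than removes by default, because a domain account or a service account named in the README can look unauthorized to a simple list comparison; confirm each finding against the README before acting.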

    Apply Template (STIGS):

    In search type mmc > in the top left select "File" > Add/Remove Snap-in > scroll until you find Security Configuration and Analysis > click Add > click OK in the bottom right-hand corner > right click on "Security Configuration and Analysis" > click "Open Database" > when prompted for a database, type any name into the filename box and click Open > in the file browser that opens, navigate to where you downloaded your STIGS template file (most likely it is still in Downloads) > select it > once the file browser has closed, right click again on "Security Configuration and Analysis" > select "Analyze Computer Now" and let it run > once it has finished, right click on "Security Configuration and Analysis" again and select "Configure Computer Now" > once this has completed you are done!

    Apply Group Policy (STIGS):

    Open "File Explorer" > in View check "Show Hidden Files" > open the C drive > open "Windows" > open "System32" > open "GroupPolicy" (not "GroupPolicyUsers") > copy your Group Policy files in here, choosing to replace all files in the destination > after this you are done with STIGS!

  12. Update All Required Software on Computer
  13. Recommended to Update Programs Manually First:

    Look at the README and update the software it names by hand first. For most software you have to find the "About" page, somewhere in the settings or in a corner of the window. On the About page there should be something that says "Check for Updates" or similar. Click on that.

    Use "Patch my PC home Updater":

    Use this software on everything else that is installed on computer to make sure that everything is up to date. Download page here

    Update Drivers:

    Right click the Windows button > select Device Manager > update device drivers. Go through all devices and make sure all drivers are up to date.

  14. Make Sure Firewall is ON
  15. Turn on Firewall:

    In search bar > firewall advanced security > Turn Firewall on if not already

    Apply Firewall Rules:

    Open Windows Defender Firewall with Advanced Security > Action > Import Policy > select the .wfw file > click "Open". The Windows Firewall policy should now have updated and you are done!
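    The same two steps from PowerShell, as an added example that is not part of the original checklist: import the supplied .wfw policy, force every profile on with inbound blocked by default, then verify. The policy path is an assumed placeholder. The import uses netsh because the NetSecurity PowerShell module has no policy-import cmdlet; netsh advfirewall import is the command-line equivalent of Action > Import Policy.

```powershell
# Added example (not the checklist's own): import the .wfw policy, enforce the
# firewall on, and verify. $PolicyPath is an ASSUMED placeholder.
$PolicyPath = 'C:\Users\Public\policy.wfw'   # placeholder: path to your .wfw file

# 1. Import the competition policy. A .wfw import replaces the current policy,
#    including per-profile on/off state, so the enable step comes after it.
if (Test-Path $PolicyPath) {
    netsh advfirewall import "$PolicyPath"
} else {
    Write-Warning "Policy file not found: $PolicyPath (skipping import)"
}

# 2. Make sure all three profiles are on and block inbound traffic by default,
#    whatever the imported policy said.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 3. Verify: every profile must show Enabled=True and DefaultInboundAction=Block.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 4. Look for enabled inbound Allow rules with no program, port or remote-address
#    restriction at all; such rules open a hole and deserve a second look.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        ($_ | Get-NetFirewallPortFilter).LocalPort -eq 'Any' -and
        ($_ | Get-NetFirewallApplicationFilter).Program -eq 'Any' -and
        ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any'
    } |
    Select-Object DisplayName, Profile | Format-Table -AutoSize
```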

  16. Remove Prohibited Files and Other Settings
    • Show Hidden File Extensions:

      In File Explorer, click on the "View" tab and check "Hidden items" and "File name extensions" so you can make sure you don't miss any hidden files or folders.
    • Remove Prohibited Video Files:

      In File Explorer go to the C drive > in the search bar look up (include the asterisk) *.mp4, *.flv, *.avi, *.wmv, *.mov, etc. If nothing shows up, look up more video file types on the internet just to be sure.
    • Remove Prohibited Audio Files:

      In File Explorer go to the C drive > in the search bar look up (include the asterisk) *.mp3, *.wmv, *.wma, *.aif, etc. Look up more audio file types on the internet just in case you missed one.
    • Remove Prohibited Images:

      In File Explorer go to the C drive > in the search bar look up (include the asterisk) *.png, *.jpg, *.tif, *.gif, etc. Look up more image file types on the internet just in case.
    • File Sharing:

      Windows Key > Computer Management > click Yes when prompted > Shared Folders > Shares. The only shares that should be active are ADMIN$ (C:\Windows), C$ (C:\) and IPC$. No other shares should be active.
    • Turn on Bit Locker:

      Go to File Explorer > This PC > right click on the C drive > Turn on BitLocker > go through the prompts.
      Important! Make sure you have removable media of some sort to store the generated recovery key that will unlock the computer!

      BitLocker encrypts the boot drive, so its contents cannot be read without the key. When you restart the machine, it will ask you to put in the password you set or to insert the flash drive with the key. Otherwise you will not be able to boot! That's it! :)
    • Extra: While hunting and pecking, also try looking for "readme.md" or "readme.txt" files because most hidden hacking tools come with one. To search for them go to search bar in file explorer and type "readme" (but without the quotation marks)
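    One pass over the drive that covers the video, audio, image, readme and share checks in this section, as an added PowerShell example (not the checklist's own). The root path and the extensions beyond those the checklist lists are assumptions; the Windows and Program Files trees are skipped because they legitimately contain icons and sample media.

```powershell
# Added example (not from the checklist): find media files, stray readme files and
# SMB shares beyond the three defaults in one pass. $Root and the extra extensions
# beyond the checklist's are assumptions; adjust them for your image.
$Root = 'C:\'
$VideoExt = '.mp4', '.flv', '.avi', '.wmv', '.mov', '.mkv', '.webm'
$AudioExt = '.mp3', '.wma', '.aif', '.aiff', '.wav', '.flac', '.m4a', '.ogg'
$ImageExt = '.png', '.jpg', '.jpeg', '.tif', '.tiff', '.gif', '.bmp'
# Trees to skip: Windows and installed programs ship their own icons and sample media.
$Skip = '^C:\\Windows\\', '^C:\\Program Files', '^C:\\ProgramData\\Microsoft\\'

# Walk the drive once (-Force includes hidden files) and drop the skipped trees.
$allFiles = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $p = $_.FullName; -not ($Skip | Where-Object { $p -match $_ }) }

function Find-ByExtension {
    param([string[]]$Extensions)
    $allFiles | Where-Object { $_.Extension.ToLower() -in $Extensions }
}

'=== Video files ==='
Find-ByExtension $VideoExt | Select-Object FullName, Length | Format-Table -AutoSize
'=== Audio files ==='
Find-ByExtension $AudioExt | Select-Object FullName, Length | Format-Table -AutoSize
'=== Image files (review: some belong to installed apps or user profiles) ==='
Find-ByExtension $ImageExt | Select-Object FullName, Length | Format-Table -AutoSize

# readme.txt / readme.md outside the system trees often sit beside dropped tools.
'=== readme files ==='
$allFiles | Where-Object { $_.Name -in 'readme.txt', 'readme.md' } |
    Select-Object FullName, LastWriteTime | Format-Table -AutoSize

# Shares: only the administrative defaults ADMIN$, C$ and IPC$ are expected.
$AllowedShares = 'ADMIN$', 'C$', 'IPC$'
'=== SMB shares that are not the defaults ==='
Get-SmbShare | Where-Object { $_.Name -notin $AllowedShares } |
    Select-Object Name, Path, Description | Format-Table -AutoSize
# Remove-SmbShare -Name '<share name>' -Force   # only after checking the README
```

    Run it elevated so hidden and protected directories are readable; access errors on a few system folders are silenced and do not affect the rest of the listing.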

  17. Windows Security Center
  18. Windows Security settings give you an overview of important services such as Virus & Threat protection, Firewall & network protection, App & browser control, and Device security. Here are some settings you should change in this window:

    • Windows Security > Windows Defender Antivirus options > Periodic scanning > Turn on
    • App & Browser protection > Check apps and files > set to "Block"
    • App & Browser protection > SmartScreen for Microsoft Edge > set to "On" (If this is not here, you are currently running an older version of Windows that does not have this setting)
    • App & Browser protection > SmartScreen for Microsoft Store apps > set to "Warn"
    • App & Browser protection > Exploit Protection > System settings > set all options to "On"

  19. Auto Login Settings
  20. FYI: this does not apply to the main admin account, i.e. the account you automatically log in with. In Windows 10, to disable auto login you must: Windows Key + R > enter "netplwiz" (this opens the "User Accounts" window) > check "Users must enter a user name and password to use this computer" and click "Apply" > restart the VM (the fake Windows computer) to fully apply the change.
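  The registry values behind that netplwiz checkbox, as an added PowerShell example (not part of the original checklist). The point a practitioner cares about is the second half: when auto login was turned on through netplwiz, the account's password can be left in the Winlogon key in the clear, so the script removes it as well as turning the switch off. Run elevated.

```powershell
# Added example (not the checklist's own): turn off automatic login in the registry and
# remove any plaintext password netplwiz may have stored alongside it.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

$props = Get-ItemProperty -Path $Winlogon
"Before: AutoAdminLogon=$($props.AutoAdminLogon) DefaultUserName=$($props.DefaultUserName)"

# AutoAdminLogon is a REG_SZ; '1' means the account in DefaultUserName signs in at boot
# without a password prompt. '0' requires credentials.
Set-ItemProperty -Path $Winlogon -Name 'AutoAdminLogon' -Value '0' -Type String

# netplwiz can store the password in the clear in DefaultPassword. Delete it so it
# cannot be read by anyone (or anything) with access to the registry.
if ($null -ne $props.DefaultPassword) {
    Remove-ItemProperty -Path $Winlogon -Name 'DefaultPassword'
    'Removed plaintext DefaultPassword value'
}

# AutoLogonCount lets imaging tools auto-login a fixed number of times; remove it too.
if ($null -ne $props.AutoLogonCount) {
    Remove-ItemProperty -Path $Winlogon -Name 'AutoLogonCount'
    'Removed AutoLogonCount value'
}

# Verify the switch is off; the change takes effect at the next restart.
$after = Get-ItemProperty -Path $Winlogon
if ($after.AutoAdminLogon -eq '0') {
    'Automatic login disabled (restart to confirm the sign-in prompt appears)'
} else {
    Write-Warning "AutoAdminLogon still reads $($after.AutoAdminLogon)"
}
```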

  21. Windows Features
  22. Go to "Turn Windows Features on/off" (Use search bar) and DISABLE the following features if not disabled already:

    • RIP listener
    • Simple TCPIP services
    • SMB 1.0/CIFS File Sharing Support
    • TFTP Client
    • Telnet Client and Server
    • Simple Network Management Protocol (SNMP)
    • All 'Internet Information Services'
    • FTP Server
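    The same list disabled from PowerShell, as an added example that is not part of the original checklist. The feature identifiers are the names Windows 10 uses for these items in Get-WindowsOptionalFeature; verify them on your image with `Get-WindowsOptionalFeature -Online` because names vary between builds (Telnet Server, for instance, is not an optional feature on Windows 10, so only the client appears here). Any name that does not exist on the image is reported and skipped rather than treated as an error. Run elevated.

```powershell
# Added example (not the checklist's own): disable the optional features listed above.
# Feature names are the Windows 10 identifiers as understood by the author of this
# example; confirm them with Get-WindowsOptionalFeature -Online on your image.
$Unwanted = @(
    'RasRip',             # RIP Listener
    'SimpleTCP',          # Simple TCPIP services (echo, daytime, chargen, ...)
    'SMB1Protocol',       # SMB 1.0/CIFS File Sharing Support (also disables its sub-features)
    'TFTP',               # TFTP Client
    'TelnetClient',       # Telnet Client
    'SNMP',               # Simple Network Management Protocol
    'IIS-WebServerRole',  # Internet Information Services (parent of all IIS features)
    'IIS-FTPServer'       # FTP Server
)

$installed = Get-WindowsOptionalFeature -Online
foreach ($name in $Unwanted) {
    $f = $installed | Where-Object FeatureName -eq $name
    if (-not $f) { "$name : not present on this image (skipped)"; continue }
    if ($f.State -eq 'Disabled') { "$name : already disabled"; continue }
    # -NoRestart defers the reboot; RestartNeeded tells you whether one is pending.
    $r = Disable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart
    "$name : disabled (restart needed: $($r.RestartNeeded))"
}

# Verify: anything from the list still showing a state other than Disabled is a finding.
'Still enabled from the list above:'
Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -in $Unwanted -and $_.State -ne 'Disabled' } |
    Select-Object FeatureName, State
```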

  23. Disable Dump File Creation
  24. Dump files are memory dumps: when the system crashes, everything in memory is saved to a file. This is used for debugging crashes. However, passwords and any other confidential data in memory at the time are saved to this file too. You should enable this feature only when you are experiencing problems and need to debug. Control Panel > System > Advanced System Settings > Advanced tab > Startup and Recovery > underneath "Write debugging information" change "Automatic memory dump" to "(none)", and uncheck "Write an event to the system log" underneath "System failure".
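  The registry settings behind the Startup and Recovery dialog, as an added PowerShell example (not the checklist's own). Besides turning dump creation off, it lists any dump files already on disk, since a dump written before this change may already hold credentials from memory and should be reviewed and removed. Run elevated.

```powershell
# Added example (not from the checklist): disable crash-dump creation in the registry
# and list existing dump files for cleanup.
$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

$before = Get-ItemProperty -Path $CrashControl
"Before: CrashDumpEnabled=$($before.CrashDumpEnabled) LogEvent=$($before.LogEvent)"

# CrashDumpEnabled: 0 = (none), 1 = complete, 2 = kernel, 3 = small (256 KB), 7 = automatic.
# LogEvent 0 = do not write a system-log event on failure.
Set-ItemProperty -Path $CrashControl -Name 'CrashDumpEnabled' -Value 0 -Type DWord
Set-ItemProperty -Path $CrashControl -Name 'LogEvent'         -Value 0 -Type DWord

# Dumps written earlier can already contain secrets from memory. Default locations are
# %SystemRoot%\MEMORY.DMP (full/kernel dumps) and %SystemRoot%\Minidump (small dumps).
$dumpPaths = @("$env:SystemRoot\MEMORY.DMP", "$env:SystemRoot\Minidump")
'Existing dump files (review, then delete):'
foreach ($p in $dumpPaths) {
    if (Test-Path $p) {
        Get-ChildItem $p -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    }
}

# Verify; the kernel reads these values at boot, so restart for them to take effect.
$after = Get-ItemProperty -Path $CrashControl
if ($after.CrashDumpEnabled -eq 0 -and $after.LogEvent -eq 0) {
    'Dump file creation disabled (effective after restart)'
} else {
    Write-Warning 'CrashControl values did not change as expected'
}
```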

  25. Install Malware Removal Software + Other Utilities
  26. Malwarebytes:

    Install Malwarebytes: make sure it is updated and you do a full/deep scan. Malwarebytes is the best tool you have to find backdoors and hidden malware on your image.

    Avast or AVG:

    Install Avast Anti-Malware (or AVG antivirus): make sure it is updated and do a full/deep scan.

    Install EMET (Enhanced Mitigation Experience Toolkit) Run EMET, and set the following:

    Note: This tool is currently deprecated and not recommended.

    DEP - always on.
    SEHOP - always on
    ASLR - application opt in.

    Defaults:

    DEP : application Opt In
    SEHOP : application Opt In
    ASLR: application Opt In
    Pinning: Enabled

    Click the "Apps" button, then the "Add Application" button, and locate

    \Windows\System32\wuauclt.exe
    \Windows\servicing\trustedinstaller.exe
    Your antivirus’s service, if it has one.

    Create God Mode File

    On the Desktop > create a new folder > rename the folder (without quotation marks) "GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}". Use this folder to easily make changes throughout the system.

    Glary Utilities

    Look up and install Glary Utilities. Use it to clean registry entries and update software; this software should help you get some points if you go through all the tools.

    Firefox Settings

    Settings to change:

    1. Privacy & Security
      • Set to Strict
      • Send websites a "Do Not Track" signal: Always
      • Delete cookies and site data when Firefox is closed
    2. Permissions (under Privacy & Security) >> Autoplay >> check "Block pop-up windows" and "Warn you when websites try to install add-ons"
    3. Firefox should not be allowed to collect data
    4. Security (under Privacy & Security) >> check "Block dangerous and deceptive content", "Block dangerous downloads", "Warn you about unwanted and uncommon software"; for certificates select "Ask you every time" and "Query OCSP responder servers to confirm the current validity of certificates"
    5. General tab >> Allow Firefox to automatically install updates

  27. Screensaver
  28. Unattended PCs are obvious security risks, but many people fail to take care of this with a simple setting. Most larger companies that are security aware have strict rules to enable this and not to leave PCs logged in and unattended. Right click on the desktop and choose Personalize > Lock screen > Screen saver settings. Configure it to wait 10 minutes, and check "On resume, display logon screen".
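  The per-user registry values that the Screen Saver dialog writes, as an added PowerShell example (not the checklist's own): a 10-minute timeout with the logon screen required on resume. The built-in blank screen saver (scrnsave.scr) is used so the lock engages even if no other saver is installed; run it as the user whose session should lock.

```powershell
# Added example (not from the checklist): configure a locking screen saver for the
# current user through the registry, then read the values back.
$Desktop = 'HKCU:\Control Panel\Desktop'

# All four values are REG_SZ strings, exactly as the Screen Saver dialog stores them.
Set-ItemProperty -Path $Desktop -Name 'ScreenSaveActive'    -Value '1'   -Type String
Set-ItemProperty -Path $Desktop -Name 'ScreenSaveTimeOut'   -Value '600' -Type String   # seconds = 10 minutes
Set-ItemProperty -Path $Desktop -Name 'ScreenSaverIsSecure' -Value '1'   -Type String   # "On resume, display logon screen"
Set-ItemProperty -Path $Desktop -Name 'SCRNSAVE.EXE' `
    -Value "$env:SystemRoot\System32\scrnsave.scr" -Type String   # built-in blank saver

# Ask the session to re-read desktop parameters so the change applies without a logoff.
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

# Verify
Get-ItemProperty -Path $Desktop |
    Select-Object ScreenSaveActive, ScreenSaveTimeOut, ScreenSaverIsSecure, 'SCRNSAVE.EXE' |
    Format-List
```

  If the values do not take effect immediately, sign out and back in; the settings are read at logon.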

  29. Other Checklists or websites to check out
  30. Use these websites after you have completed my checklist. These websites will give you more in-depth instructions on how to further harden your Windows 10 system image.

    This list will grow but will not always be updated.

Recommended Tools (Programs)

These are the tools that I recommend you use when securing a Windows 10 computer:

  • Patch my Pc
  • Malwarebytes
  • Apple CIDR Script Runner
    (Disclaimer: Not everything in this program currently works and some commands have the ability to corrupt/break your system. Will not be responsible for any damages. You have been warned.)