212 lines
16 KiB
YAML
212 lines
16 KiB
YAML
---
|
|
title: configure-security
|
|
description: configure-security
|
|
privilege: TrustedInstaller
|
|
actions:
|
|
|
|
# ============================
|
|
# === Spectre and Meltdown ===
|
|
# ============================
|
|
# === Disable Spectre and Meltdown Mitigations for improved performance.
|
|
# ------> FeatureSettings has to be set to 1 hexadecimal to fully disable these security protections.
|
|
- !registryValue: {path: 'HKLM\SYSTEM\ControlSet001\Control\Session Manager\Memory Management', value: 'FeatureSettings', type: REG_DWORD, data: '1'}
|
|
- !registryValue: {path: 'HKLM\SYSTEM\ControlSet001\Control\Session Manager\Memory Management', value: 'FeatureSettingsOverride', type: REG_DWORD, data: '3'}
|
|
- !registryValue: {path: 'HKLM\SYSTEM\ControlSet001\Control\Session Manager\Memory Management', value: 'FeatureSettingsOverrideMask', type: REG_DWORD, data: '3'}
|
|
# ==========================
|
|
# === Mitigation Options ===
|
|
# ==========================
|
|
# === Process Mitigation Options - Disabled
|
|
# ------> Disables Process Mitigations on csrss, dwm and ntoskrnl
|
|
# ------> https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.GroupPolicy::ProcessMitigationOptions
|
|
# ------> https://argonsys.com/microsoft-cloud/library/windows-10-memory-protection-features/
|
|
- !registryValue: {path: 'HKCU\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions\ProcessMitigationOptions', value: 'csrss.exe', type: REG_SZ, data: '00000000000000000000000000000000'}
|
|
- !registryValue: {path: 'HKCU\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions\ProcessMitigationOptions', value: 'dwm.exe', type: REG_SZ, data: '00000000000000000000000000000000'}
|
|
- !registryValue: {path: 'HKCU\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions\ProcessMitigationOptions', value: 'ntoskrnl.exe', type: REG_SZ, data: '00000000000000000000000000000000'}
|
|
- !registryValue: {path: 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions\ProcessMitigationOptions', value: 'csrss.exe', type: REG_SZ, data: '00000000000000000000000000000000'}
|
|
- !registryValue: {path: 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions\ProcessMitigationOptions', value: 'dwm.exe', type: REG_SZ, data: '00000000000000000000000000000000'}
|
|
- !registryValue: {path: 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions\ProcessMitigationOptions', value: 'ntoskrnl.exe', type: REG_SZ, data: '00000000000000000000000000000000'}
|
|
# =============================================================
|
|
# === Service Control Manager Settings -> Security Settings ===
|
|
# =============================================================
|
|
# === Enable svchost.exe mitigation options - Disabled
|
|
# ------> Don't enforce stricter svchost.exe services policy.
|
|
# [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SCMConfig]
|
|
# "EnableSvchostMitigationPolicy"=dword:00000000
|
|
# [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SCMConfig]
|
|
# "EnableSvchostMitigationPolicy"=dword:00000000
|
|
# ==================================
|
|
# === Windows Defender Antivirus ===
|
|
# ==================================
|
|
# === Allow antimalware service to remain running always - Disabled
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender]
|
|
# "ServiceKeepAlive"=dword:00000000
|
|
# === Allow antimalware service to startup with normal priority - Disabled
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender]
|
|
# "AllowFastServiceStartup"=dword:00000000
|
|
# === Configure detection for potentially unwanted applications - Disabled
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender]
|
|
# "PUAProtection"=dword:00000000
|
|
# === Turn off routine remediation - Enabled
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender]
|
|
# "DisableRoutinelyTakingAction"=dword:00000001
|
|
# === Turn off Windows Defender Antivirus - Enabled
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender]
|
|
# "DisableAntiSpyware"=dword:00000001
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender]
|
|
# "DisableAntiVirus"=dword:00000001
|
|
# === Turn on spyware definitions - Disabled
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft Antimalware]
|
|
# "DisableAntiSpyware"=dword:00000001
|
|
# === Turn on virus definitions - Disabled
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft Antimalware]
|
|
# "DisableAntiVirus"=dword:00000001
|
|
# =====================================================
|
|
# === Windows Defender Antivirus - Client Interface ===
|
|
# =====================================================
|
|
# ------> https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_Notification_Suppress
|
|
# === Suppress all notifications - Enabled
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration]
|
|
# "Notification_Suppress"=dword:00000001
|
|
# === Suppresses reboot notifications - Enabled
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration]
|
|
# "SuppressRebootNotification"=dword:00000001
|
|
# =========================================
|
|
# === Windows Defender Antivirus - MAPS ===
|
|
# =========================================
|
|
# === Configure the 'Block at First Sight' feature - Disabled
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet]
|
|
# "DisableBlockAtFirstSeen"=dword:00000001
|
|
# === Join Microsoft MAPS - Disabled
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet]
|
|
# "SpynetReporting"=dword:00000000
|
|
# === Send file samples when further analysis is required - Disabled (Never Send)
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet]
|
|
# "SubmitSamplesConsent"=dword:00000002
|
|
# ==============================================================
|
|
# === Windows Defender Antivirus - Network Inspection System ===
|
|
# ==============================================================
|
|
# === Turn on definition retirement - Disabled
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS]
|
|
# "DisableSignatureRetirement"=dword:00000001
|
|
# === Turn on protocol recognition - Disabled
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\NIS]
|
|
# "DisableProtocolRecognition"=dword:00000001
|
|
# ===============================================
|
|
# === Windows Defender Antivirus - Quarantine ===
|
|
# ===============================================
|
|
# === Configure removal of items from Quarantine folder - Disabled
|
|
# ------> If you disable or do not configure this setting, items will be kept in the quarantine folder indefinitely and will not be automatically removed.
|
|
# ------> The user can manually remove it, also prevents the system from accidentally removing false positives.
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Quarantine]
|
|
# "PurgeItemsAfterDelay"=dword:00000000
|
|
# =========================================================
|
|
# === Windows Defender Antivirus - Real-time Protection ===
|
|
# =========================================================
|
|
# === Monitor file and program activity on your computer - Disabled
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection]
|
|
# "DisableOnAccessProtection"=dword:00000001
|
|
# === Scan all downloaded files and attachments - Disabled
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection]
|
|
# "DisableIOAVProtection"=dword:00000001
|
|
# === Turn off real-time protection - Disabled
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection]
|
|
# "DisableRealtimeMonitoring"=dword:00000001
|
|
# === Turn on behavior monitoring - Disabled
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection]
|
|
# "DisableBehaviorMonitoring"=dword:00000001
|
|
# === Turn on Information Protection Control - Disabled
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection]
|
|
# "DisableInformationProtectionControl"=dword:00000001
|
|
# === Turn on network protection against exploits of known vulnerabilities - Disabled
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection]
|
|
# "DisableIntrusionPreventionSystem"=dword:00000001
|
|
# === Turn on process scanning whenever real-time protection is enabled - Disabled
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection]
|
|
# "DisableScanOnRealtimeEnable"=dword:00000001
|
|
# === Turn on raw volume write notifications - Disabled
|
|
# - !registryValue: {path: 'HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection', value: 'DisableRawWriteNotification', type: REG_DWORD, data: '1'}
|
|
# === Turn on raw volume write notifications - Disabled
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection]
|
|
# "DisableRawWriteNotification"=dword:00000001
|
|
# ==============================================
|
|
# === Windows Defender Antivirus - Reporting ===
|
|
# ==============================================
|
|
# === Configure Watson events - Disabled
|
|
# ------> https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization
|
|
- !registryValue: {path: 'HKLM\Software\Policies\Microsoft\Windows Defender\Reporting', value: 'DisableGenericRePorts', type: REG_DWORD, data: '1'}
|
|
# === Turn off enhanced notifications - Enabled
|
|
# [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Reporting]
|
|
# "DisableEnhancedNotifications"=dword:00000001
|
|
# ==================================================================
|
|
# === Windows Defender Antivirus - Security Intelligence Updates ===
|
|
# ==================================================================
|
|
# === Allow notifications to disable security intelligence based reports to Microsoft MAPS - Disabled
|
|
- !registryValue: {path: 'HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates', value: 'SignatureDisableNotification', type: REG_DWORD, data: '0'}
|
|
# === Allow real-time security intelligence updates based on reports to Microsoft MAPS - Disabled
|
|
- !registryValue: {path: 'HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates', value: 'RealtimeSignatureDelivery', type: REG_DWORD, data: '0'}
|
|
# === Allow security intelligence updates from Microsoft Update - Disabled
|
|
- !registryValue: {path: 'HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates', value: 'ForceUpdateFromMU', type: REG_DWORD, data: '0'}
|
|
# === Allow security intelligence updates when running on battery power - Disabled
|
|
- !registryValue: {path: 'HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates', value: 'DisableScheduledSignatureUpdateOnBattery', type: REG_DWORD, data: '1'}
|
|
# === Check for the latest virus and spyware security intelligence on startup - Disabled
|
|
- !registryValue: {path: 'HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates', value: 'UpdateOnStartUp', type: REG_DWORD, data: '0'}
|
|
# === Initiate security intelligence update on startup - Disabled
|
|
- !registryValue: {path: 'HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates', value: 'DisableUpdateOnStartupWithoutEngine', type: REG_DWORD, data: '1'}
|
|
# === Turn on scan after security intelligence update - Disabled
|
|
- !registryValue: {path: 'HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates', value: 'DisableScanOnUpdate', type: REG_DWORD, data: '1'}
|
|
# ==========================================
|
|
# === Windows Defender Application Guard ===
|
|
# ==========================================
|
|
# === Allow auditing events in Windows Defender Application Guard - Disabled
|
|
# [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI]
|
|
# "AuditApplicationGuard"=dword:00000000
|
|
# === Turn on Windows Defender Application Guard in Managed Mode - Disabled
|
|
# ------> https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard
|
|
# [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI]
|
|
# "AllowAppHVSI_ProviderSet"=dword:00000000
|
|
# ====================================
|
|
# === Windows Defender SmartScreen ===
|
|
# ====================================
|
|
# === Configure App Install Control - Disabled
|
|
- !registryValue: {path: 'HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen', value: 'ConfigureAppInstallControlEnabled', type: REG_DWORD, data: '0'}
|
|
# === Pick one of the following settings - Turn off app recommendations
|
|
# ------> https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ConfigureAppInstallControl
|
|
- !registryValue: {path: 'HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen', value: 'ConfigureAppInstallControl', type: REG_DWORD, data: '0'}
|
|
# === Configure Windows Defender SmartScreen - Disabled
|
|
- !registryValue: {path: 'HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen', value: 'EnableSmartScreen', type: REG_DWORD, data: '0'}
|
|
- !registryValue: {path: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe', value: 'Debugger', type: REG_SZ, data: '%windir%\System32\taskkill.exe'}
|
|
# === Configure Windows Defender SmartScreen (Microsoft Edge) - Disabled
|
|
- !registryValue: {path: 'HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter', value: 'EnabledV9', type: REG_DWORD, data: '0'}
|
|
- !registryValue: {path: 'HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter', value: 'EnabledV9', type: REG_DWORD, data: '0'}
|
|
# ==============================
|
|
# === System -> Device Guard ===
|
|
# ==============================
|
|
# === Turn On Virtualization Based Security - Disabled
|
|
# ------> https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Windows.DeviceGuard::VirtualizationBasedSecurity
|
|
# [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard]
|
|
# "EnableVirtualizationBasedSecurity"=dword:00000000
|
|
# === Virtualization Based Protection of Code Integrity - Disabled
|
|
# [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard]
|
|
# "HypervisorEnforcedCodeIntegrity"=dword:00000000
|
|
# === Credential Guard Configuration - Disabled
|
|
# [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard]
|
|
# "LsaCfgFlags"=dword:00000000
|
|
# === Secure Launch Configuration - Disabled
|
|
# [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard]
|
|
# "ConfigureSystemGuardLaunch"=dword:00000002
|
|
# === Deploy Windows Defender Application Control - Disabled
|
|
# ------> https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Windows.DeviceGuard::ConfigCIPolicy
|
|
# [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard]
|
|
# "DeployConfigCIPolicy"=dword:00000000
|
|
# ========================
|
|
# === Windows Security ===
|
|
# ========================
|
|
# === Hide Windows Security Systray - Enabled
|
|
# ------> https://www.tenforums.com/tutorials/11974-hide-show-windows-security-notification-area-icon-windows-10-a.html
|
|
- !registryValue: {path: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray', value: 'HideSystray', type: REG_DWORD, data: '1'}
|
|
- !registryValue: {path: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', value: 'SecurityHealth', operation: delete}
|
|
- !registryKey: {path: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', operation: add}
|
|
|
|
|
|
# === https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption
|
|
- !registryValue: {path: 'HKLM\SYSTEM\ControlSet001\Control\BitLocker', value: 'PreventDeviceEncryption', type: REG_DWORD, data: '1'} |