Skip to content

jkerai1/WindowsHardeningScripts

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

220 Commits
7Zip
7Zip
 
 
AdobeHardening
AdobeHardening
 
 
BiometricsHardening
BiometricsHardening
 
 
BitlockerMinPin
BitlockerMinPin
 
 
BlockISOMountForNonAdmin
BlockISOMountForNonAdmin
 
 
BlockOutdatedActiveX
BlockOutdatedActiveX
 
 
BlockRemoteCommands
BlockRemoteCommands
 
 
BulkASR
BulkASR
 
 
ChromeHardening
ChromeHardening
 
 
CipherHardening
CipherHardening
 
 
ControlledFolderAccess
ControlledFolderAccess
 
 
CredentialGuard
CredentialGuard
 
 
DisableAnonymousEnumOfShares
DisableAnonymousEnumOfShares
 
 
DisableAutoPlay
DisableAutoPlay
 
 
DisableAutoRun
DisableAutoRun
 
 
DisableClickOnceTrust
DisableClickOnceTrust
 
 
DisableConfigOfNetworkBridgeonDNS
DisableConfigOfNetworkBridgeonDNS
 
 
DisableEnumOnElevation
DisableEnumOnElevation
 
 
DisableHTTPPrinter
DisableHTTPPrinter
 
 
DisableIPv6
DisableIPv6
 
 
DisableLLMNR
DisableLLMNR
 
 
DisableLMHosts
DisableLMHosts
 
 
DisableLocalStorageOfCreds
DisableLocalStorageOfCreds
 
 
DisableMergeOfLocalFirewallWithGroupPolicy
DisableMergeOfLocalFirewallWithGroupPolicy
 
 
DisableNTLM
DisableNTLM
 
 
DisableOutlookMacros
DisableOutlookMacros
 
 
DisablePowershellv2
DisablePowershellv2
 
 
DisableRDP
DisableRDP
 
 
DisableRPCInteraction
DisableRPCInteraction
 
 
DisableRunningofInvalidSignature
DisableRunningofInvalidSignature
 
 
DisableSharingMappedDrivesBetweenUsers
DisableSharingMappedDrivesBetweenUsers
 
 
DisableSolictedRemoteAssistance
DisableSolictedRemoteAssistance
 
 
DisableStickyKeysPrompt
DisableStickyKeysPrompt
 
 
DisableWifiSense
DisableWifiSense
 
 
DisableWscript
DisableWscript
 
 
EnableCloudFuncOfDefender
EnableCloudFuncOfDefender
 
 
EnableDefenderExploitSystemWideProtection
EnableDefenderExploitSystemWideProtection
 
 
EnableDefenderPeriodicScan
EnableDefenderPeriodicScan
 
 
EnableEarlyLaunchOfAntiMalwareDriver
EnableEarlyLaunchOfAntiMalwareDriver
 
 
EnableLocalPasswordManagement
EnableLocalPasswordManagement
 
 
EnableNetworkProtection
EnableNetworkProtection
 
 
EnablePowershellConstrainedLanguageMode
EnablePowershellConstrainedLanguageMode
 
 
EnableSMB&LDAPSigning
EnableSMB&LDAPSigning
 
 
EnableSMBSigning
EnableSMBSigning
 
 
EnableSmartScreen
EnableSmartScreen
 
 
EnableVirtualizationBasedProtectionOfCodeIntegrity
EnableVirtualizationBasedProtectionOfCodeIntegrity
 
 
FolinaMitagation
FolinaMitagation
 
 
ForceLogOffIfSmartCardRemoved
ForceLogOffIfSmartCardRemoved
 
 
ForceSignatureUpdateBeforeScan
ForceSignatureUpdateBeforeScan
 
 
IPV6RoutingHighestProtection
IPV6RoutingHighestProtection
 
 
LSAProtection
LSAProtection
 
 
LSASSHardening
LSASSHardening
 
 
LimitBlankPasswordUse
LimitBlankPasswordUse
 
 
MSOfficeHardening
MSOfficeHardening
 
 
MicrosoftNetworkSignCommAlways
MicrosoftNetworkSignCommAlways
 
 
PreventGuestLogonsSMB
PreventGuestLogonsSMB
 
 
PreventKerberosFromUsingDESorRC4
PreventKerberosFromUsingDESorRC4
 
 
PreventRemoteDLLHijacking
PreventRemoteDLLHijacking
 
 
PreventUnauthRPC
PreventUnauthRPC
 
 
PreventUnencryptedPasswordsTo3rdPartyServers
PreventUnencryptedPasswordsTo3rdPartyServers
 
 
RaiseUACLevel
RaiseUACLevel
 
 
RefuseNTLMDowngrade
RefuseNTLMDowngrade
 
 
RequireElevationWhenSettingNetworkLocation
RequireElevationWhenSettingNetworkLocation
 
 
RequireEncryptionForRPC
RequireEncryptionForRPC
 
 
RequireStrongEncryptionForRemoteDesktop
RequireStrongEncryptionForRemoteDesktop
 
 
RestrictNTLM
RestrictNTLM
 
 
RestrictPowershellExecutionPolicy
RestrictPowershellExecutionPolicy
 
 
ShowHiddenFiles
ShowHiddenFiles
 
 
SignatureUpdateInterval
SignatureUpdateInterval
 
 
StopHomeGroupServices
StopHomeGroupServices
 
 
StopNetBiosOverTCP
StopNetBiosOverTCP
 
 
StrongAuthForNetFramework
StrongAuthForNetFramework
 
 
UACToAutomaticallyDenyElevationRequests
UACToAutomaticallyDenyElevationRequests
 
 
WinRM
WinRM
 
 
WindowsFirewallHardening
WindowsFirewallHardening
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

GitHub stars GitHub forks GitHub issues GitHub pulls

Windows Hardening

Hardening Powershell /cmd Scripts to deploy from something like intune or even Live response library!

These scripts are ideal for deploying for sandboxes to test recommendations

Caution: Some scripts may brick your environment, review carefully

Requires admin as registry changes

Scripts are not signed

Write-Host is not applicable in intune scenario

May need to comment in/out the "New-Item" if the key does not exist/Does already exist

Some of this would be better done with GPO/Intune but if not applicable can use powershell script (e.g. LSA Protection)

Could even be deployed from Live Response (MDE) if unsigned powershell scripts are allowed as post compromise remediation

Pull Requests Welcome

About

Windows Hardening Powershell Scripts

Topics

powershell lsa hardening winrm ppl gpo intune basicauthentication lsass runasppl

Resources

Readme

License

GPL-3.0 license
Activity

Stars

10 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

Languages