commit a1b0366996800cbc220824d20255d50f1221bcb8
parent 93623a15e093699365e3031a1dd8f3a57cb5f604
Author: PlutoTank <qwolkensperg@gmail.com>
Date: Wed, 4 Dec 2019 23:14:04 -0500
tweaks and added to registry edits
Diffstat:
2 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/ConfigFiles/RegistyHardenData.txt b/ConfigFiles/RegistyHardenData.txt
@@ -18,8 +18,18 @@ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon:AutoAdminLogon:REG_DW
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management:ClearPageFileAtShutdown:REG_DWORD:1
# no printer drivers
HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers:AddPrinterDrivers:REG_DWORD:1
-# audit lsass.exe
+# enable LUA
+HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:EnableLUA:REG_DWORD:1
+# lsass.exe hardening
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe:AuditLevel:REG_DWORD:00000008
+# disable bad bad wDigest
+HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest:UseLogonCredential:REG_DWORD:0
+# No DNS
+HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient:EnableMulticast:REG_DWORD:1
+# No SMB1
+HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters:SMB1:REG_DWORD:0
+# UAC
+HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:ConsentPromptBehaviorAdmin:REG_DWORD:2
# LSA protec
HKLM\SYSTEM\CurrentControlSet\Control\Lsa:RunAsPPL:REG_DWORD:00000001
# no blank passwords
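Review bot: The `EnableMulticast:REG_DWORD:1` line under the `# No DNS` comment does the opposite of what the comment suggests: this is the value behind the "Turn off multicast name resolution" policy, and 1 leaves LLMNR on while 0 turns it off. If the intent is to stop multicast name resolution (the usual hardening step, since LLMNR is a common spoofing vector), change it to `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient:EnableMulticast:REG_DWORD:0` and reword the comment to `# disable LLMNR (multicast name resolution)` so the next reader is not misled by "No DNS". The `SMB1:REG_DWORD:0` entry only covers the SMB server side; the client side is handled separately in CyberPolice.bat, which is fine but worth a comment here so the two are not assumed to be independent.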
@@ -50,4 +60,4 @@ HKLM\SYSTEM\CurrentControlSet\Control\CrashControl:CrashDumpEnabled:REG_DWORD:0
# disable autorun
HKCU\SYSTEM\CurrentControlSet\Services\CDROM:AutoRun:REG_DWORD:1
# clear null session pipes
-HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters:NullSessionPipes:REG_MULTI_SZ:-
\ No newline at end of file
+HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters:NullSessionPipes:REG_MULTI_SZ:
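Review bot: The new NullSessionPipes line now ends in an empty fourth field after the last `:`, and whether the regharden parser in CyberPolice.bat turns that into an explicit empty value for `reg add` is not visible from this hunk; if it tokenises with `for /f ... delims=:`, consecutive or trailing delimiters yield no token at all, so the value parameter would be missing rather than empty. Worth confirming with a dry run against a scratch key that the resulting command is `/t REG_MULTI_SZ /d ""` and not a syntax error. The old `-` would have literally registered a pipe named `-`, so the direction of the change is right.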
diff --git a/CyberPolice.bat b/CyberPolice.bat
@@ -2,7 +2,7 @@
SETLOCAL EnableDelayedExpansion
-set functions=checkfiles usermgmtff userprop services firewall features passwordPol audit lockout rdp power sessions shares checkdns uac backuplsp lsp regharden verifysys auto
+set functions=checkfiles usermgmtff userprop services firewall features passwordpol audit lockout rdp power sessions shares checkdns uac windef backuplsp lsp regharden verifysys auto
for /F "tokens=1,2 delims=#" %%a in ('"prompt #$H#$E# & echo on & for %%b in (1) do rem"') do (
set "DEL=%%a"
@@ -213,7 +213,14 @@ if %errorlevel%==1 (
)
goto:EOF
-:passwordPol
+:windef
+echo CYBER POLICE are setting windows defender settings...
+%powershellPath% Set-MpPreference -MAPSReporting Advanced
+%powershellPath% Set-MpPreference -SubmitSamplesConsent Always
+%powershellPath% Set-MpPreference -EnableNetworkProtection Enabled
+goto:EOF
+
+:passwordpol
echo The CYBER POLICE are setting a password policy...
net accounts /lockoutthreshold:5 /MINPWLEN:8 /MAXPWAGE:30 /MINPWAGE:15 /UNIQUEPW:15
call:colorEcho 0a "Password policy set!"
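Review bot: `Set-MpPreference -SubmitSamplesConsent Always` on the third line of :windef is unlikely to bind: as far as I know the parameter's enum members are AlwaysPrompt, SendSafeSamples, NeverSend and SendAllSamples, and PowerShell does not prefix-match enum names, so the call should fail at parameter binding and leave the setting unchanged. Name the intended member explicitly, e.g. `%powershellPath% Set-MpPreference -SubmitSamplesConsent SendSafeSamples`, which keeps cloud reporting working without shipping arbitrary user files off the host; SendAllSamples is the option if full submission is really wanted. None of the three calls checks its result, so such a failure is silent in a batch run; an `if errorlevel 1 echo Defender preference could not be set` after the group would surface it, in line with the %errorlevel% checks the file makes elsewhere.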
@@ -366,6 +373,7 @@ goto:EOF
:firewall
echo The CYBER POLICE will now try to enable the firewall...
netsh advfirewall set allprofiles state on
+netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound
call:colorEcho 0a "The CYBER POLICE have enabled the firewall"
echo.
echo The CYBER POLICE will now do some basic firewall hardening...
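Review bot: The added `firewallpolicy` line applies only to publicprofile while the `state on` line just above covers allprofiles, so the domain and private profiles keep whatever inbound policy they already had; if a locked-down default across the board is the goal, `netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound` covers all three. Note also that blockinboundalways ignores allow rules entirely, so anything the script opens inbound (the function list includes an rdp step not visible here) becomes unreachable whenever the adapter is classified public; that may be intended for this environment, but a line such as `rem public profile: drop all inbound even where allow rules exist` would record the decision. The :firewall block continues past the end of the hunk.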
@@ -463,6 +471,12 @@ for /f "tokens=*" %%A in (%configPath%\BadWinFeatures.txt) do (
)
)
%dism% /online /Get-Features>%wfOutput%\StatusWFAfter.txt
+echo CYBER POLICE are stopping misc connections...
+net stop WinRM
+%wmicPath% /interactive:off nicconfig where TcpipNetbiosOptions=1 call SetTcpipNetbios 2
+%powershellPath% Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
+%powershellPath% Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2
+%powershellPath% Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
call:colorEcho 0a "CYBER POLICE are done finding bad Windows features"
echo.
goto:EOF
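Review bot: The three `Disable-WindowsOptionalFeature -Online` calls carry no `-NoRestart`, and when a feature removal requires a reboot the cmdlet prompts on the console for confirmation, which stalls an unattended batch run; add it to each, e.g. `%powershellPath% Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart`. `net stop WinRM` only stops the running instance, and the service returns on the next boot if its start type is automatic, so follow it with `sc config WinRM start= disabled` (the space after `start=` is required by sc). The wmic filter `where TcpipNetbiosOptions=1` only touches adapters explicitly set to enable NetBIOS, so adapters left at the default value 0 (take the DHCP setting) keep NetBIOS over TCP/IP active; `where TcpipNetbiosOptions!=2` would cover them as well. The enclosing block starts before this hunk.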