Script to perform some hardening of Windows OS

Author

hi
i receive error on command :
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictRemoteSAM /t REG_SZ /d O:BAG:BAD:(A;;RC;;;BA) /f

error:
At line:1 char:99

• ... t\Control\Lsa" /v RestrictRemoteSAM /t REG_SZ /d O:BAG:BAD:(A;;RC;;;B ...

•                                                              ~
  

Missing closing ')' in expression.
At line:1 char:108

• ... trol\Lsa" /v RestrictRemoteSAM /t REG_SZ /d O:BAG:BAD:(A;;RC;;;BA) /f

•                                                                  ~
  

Unexpected token ')' in expression or statement.

• CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
• FullyQualifiedErrorId : MissingEndParenthesisInExpression

can U guide me?

I am not able to replicate your issue. I copied and pasted the command from your comment and ran it in a VM and it ran successfully. Did you make any other modifications to the script?

hi
i receive error on command :
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictRemoteSAM /t REG_SZ /d O:BAG:BAD:(A;;RC;;;BA) /f
error:
At line:1 char:99

• ... t\Control\Lsa" /v RestrictRemoteSAM /t REG_SZ /d O:BAG:BAD:(A;;RC;;;B ...

•                                                              ~
  

Missing closing ')' in expression.
At line:1 char:108

• ... trol\Lsa" /v RestrictRemoteSAM /t REG_SZ /d O:BAG:BAD:(A;;RC;;;BA) /f

•                                                                  ~
  

Unexpected token ')' in expression or statement.

• CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
• FullyQualifiedErrorId : MissingEndParenthesisInExpression

can U guide me?

I am not able to replicate your issue. I copied and pasted the command from your comment and ran it in a VM and it ran successfully. Did you make any other modifications to the script?

Hi dear
this is my Renault:

Author

Ah you're running it in PowerShell so that's the difference. It interprets various characters differently. You can run this command correctly either by running it in CMD or by placing the reg value into quotes. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictRemoteSAM /t REG_SZ /d "O:BAG:BAD:(A;;RC;;;BA)" /f

thanks a lot
My problem was solved.
Has this method been updated or are there newer techniques?

Author

I'm sure sure I understand your question. Has what method been updated? If you're asking if I've made updates to my script then yes I've made several.

I'm sure sure I understand your question. Has what method been updated? If you're asking if I've made updates to my script then yes I've made several.

sorry for my English translate.
Have you prepared other items in this regard?

Having issues with Teams connecting to meetings since making most of these changes and my system restore points are not working to restore back...All other teams functionality seems to work fine. Anyone else experiencing this?

Author

@huh-cool as in MS Teams? I hadn't seen other reports of this. Appreciate the info! I will do some testing with Teams and see what I can find.

Yes. MS Teams. It seems to try to connect to meetings. Fail and then tell me "Sorry, we couldn't connect you". I tried uninstalling/reinstalling MS Teams to no avail and am now manually rolling back some settings and culling the logs to figure out where the issue may be.

Author

Does Teams call another binary to join meetings? If so, there could be a compatibility issue between that binary and the Exploit Guard settings

This killed my TightVNC ability between PC and mobile. I am rolling back step by step but nothing yet. Can anyone suggest which step might have caused the issue please?

This is really great. It would be even greater if there was a script to reverse all the changes in case some cause issues. (or add the comands as commetns.)

I second this!

Author

This killed my TightVNC ability between PC and mobile. I am rolling back step by step but nothing yet. Can anyone suggest which step might have caused the issue please?

I haven't used VNC in many years and I don't know your specific configuration but my initial guesses would be around the connection itself? E.g. NTLMv2, schannel, etc.

Looks like this it the culprit:
netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound

I fixed it by resetting it with this command:
netsh advfirewall reset

Is there a way to enable the command and just open up for VNC only afterwards?

Author

Looks like this it the culprit:
netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound

I fixed it by resetting it with this command:
netsh advfirewall reset

Is there a way to enable the command and just open up for VNC only afterwards?

Yeah. You have to explicitly set an open firewall rule. You could tie it to the TightVNC binary or the port number itself (or both). When I'm back at my computer, I can look up the command(s)

Back to my MS Teams issue. There were multiple issues and I lost patience and track of the changes after a while. Firewall was an issue at first because my home WiFi was set to a public profile, not private. Exploitguard didn't fix it. I think that it was related to transport layer and credential security issues (encryption methods, signing, secure channel, LmCompatibilityLevel, UseLogonCredential, AllowProtectedCreds, etc.)

Some really good stuff in this, thank you!

Thank you very much for putting time and effort into compiling and testing . This script and your references was one of the big inspiration when I built privacy.sexy (a GUI around the scripts)

The following line causes Windows Update to fail as well as other MS remote things (i.e. powerpoint template loading)

reg add "HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" /v EccCurves /t REG_MULTI_SZ /d NistP384,NistP256 /f

Windows 10 1909 (OS Build 18363.1082)

Removing the EccCurves key and a reboot fixes the issue.

I ran into the same issue as @kernel-sanders, this key made many of my programs stop working, including docker, krisp, chocolatey, windows update, and many more.

All the errors in event viewer registered similar logs in event viewer:

Faulting application name: choco.exe, version: 0.10.5.0, time stamp: 0x58e7c338
Faulting module name: ntdll.dll, version: 10.0.19041.546, time stamp: 0x5b56177b
Exception code: 0xc0000409
Fault offset: 0x00000000000a1090
Faulting process ID: 0x1ef4
Faulting application start time: 0x01d6a233efda9233
Faulting application path: C:\ProgramData\chocolatey\bin\choco.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report ID: 24171f6f-1e0b-4a34-a103-ff9404943489
Faulting package full name: 
Faulting package-relative application ID: 

Author

Thank you for the feedback! I will comment it out for now.

Thanks for putting this together! This is great. I can confirm what @kernel-sanders and @evilpilaf are saying, that EccCurves breaks a lot of apps.

After I ran this script, a lot of our users including myself can't print to our home Wi-Fi printers anymore. Any guess what would be break that? I'm having a hard time figuring out. It seems like most home Wi-Fi printers are setup to print via IPP (internet printing protocol). I've tried deleted all the registry changes and rebooting, but I still can't seem to re-install a home Wi-Fi printer and print.

@TwKROazGKsh it is possibly the two following rules:

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v IGMPLevel /t REG_DWORD /d 0 /f
netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound

Revert them with

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v IGMPLevel /f
netsh advfirewall reset

Thanks @kernel-sanders, that help! It turns out you had to add the default value back for IGMPLevel=2, so printing via multicast works. Just deleting the registry key and rebooting did not fix it.

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v IGMPLevel /t REG_DWORD /d 2 /f

After you add that back, you'll need to reboot for it to take affect. It seems like the default Windows 10 printer setup GUI, configures the printer using WSD (Web Services for Devices), which uses ipv4 multicast.

FYI - we did not push that firewall rule to our users, so we did not have to revert that one, but my guess is it will likely cause other issues too if your users don't have their Wi-Fi/ethernet connection set to private/domain profile.

Very nice script Mackwage.
Any chance you can add a couple lines for the Windows Shadow Copy vulnerabilities? CVE-2021-36934
I believe it uses a combination of icalcs and vssadmin commands to set permissions and delete previous shadow copies that are vulnerable.

https://labs.k7computing.com/?vulnerability=cve-2021-36934

Much obliged and great work here.

Why block notepad and calc? Also, why not by default block nbns and llmnr?

Thank you for the effort that went into this. A great resource. I'm hoping that it will solve my problems with pesky nuisance hackers.

Excellent script - thank you.
As far as changing file associations to Notepad.exe, the method at the top of this script is for cmd only and not Powershell. After some brief testing, the equivalent PowerShell format is:

#Change double-click of .bat files to open in Notepad
CMD: ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
PowerShell: cmd /c --% ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"

This is really great. It would be even greater if there was a script to reverse all the changes in case some cause issues. (or add the comands as commetns.)

The whole script is super cool!! Do you have the script to reverse all the changes?

This is really great. It would be even greater if there was a script to reverse all the changes in case some cause issues. (or add the comands as commetns.)

I second this!

@RobertLaffan Just curious if you worked on reverse script?