From 55b4a534c09ede238ceb750c9d5eab1c9b78f608 Mon Sep 17 00:00:00 2001 From: HotCakeX Date: Tue, 30 May 2023 18:21:55 +0330 Subject: [PATCH 1/5] updated TLS Cipher Suites and ECC Curves --- Payload/Security-Baselines-X.zip | Bin 9604 -> 9639 bytes README.md | 22 +++++++++++----------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/Payload/Security-Baselines-X.zip b/Payload/Security-Baselines-X.zip index 5b152087af85972cf2851893e9f569fb8038603e..15586dae816885fe9010c7142e3546324b663980 100644 GIT binary patch diff --git a/README.md b/README.md index 1f3577ec1..6f3f257f1 100644 --- a/README.md +++ b/README.md 
@@ -156,13 +156,17 @@ Install-Script -Name Harden-Windows-Security | Link Count| Link | Reason | |:----:|:-----------------------------:|:----------------------------------------------------------:| | 1 | Intel website | i7 13700k product page | -| 2 | Wikipedia | providing further information for the reader | -| 1 | UK National Cyber Security Centre | providing further information for the reader about TLS | -| 1 | Security.Stackexchange Q&A | providing logic and reasoning for certain actions | | 1 | state.gov | List of State Sponsors of Terrorism | | 1 | orpa.princeton.edu | OFAC Sanctioned Countries | -| 1 | browserleaks.com/tls | Browser TLS test | -| 1 | clienttest.ssllabs.com | Browser TLS test | +| 2 | Wikipedia | TLS - providing additional information | +| 1 | UK Cyber Security Centre | TLS - providing additional information | +| 1 | Security.Stackexchange Q&A | TLS - providing additional information | +| 1 | browserleaks.com/tls | TLS - Browser test | +| 1 | clienttest.ssllabs.com | TLS - Browser test | +| 1 | Security.Stackexchange Q&A | TLS - providing additional information | +| 1 | scanigma.com/knowledge-base | TLS - providing additional information | +| 1 | cloudflare.com/ssl/reference/ | TLS - providing additional information | +| 1 | github.com/ssllabs/research/ | TLS - providing additional information | 
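Review bot: The re-added rows list `Security.Stackexchange Q&A` twice with the same count and the same reason ("TLS - providing additional information"), once after the UK row and again after `clienttest.ssllabs.com`. If these are two distinct links, merge them into one row with a Link Count of 2, the way the Wikipedia row is handled; if it is one link, drop the second row. The rename from "UK National Cyber Security Centre" to "UK Cyber Security Centre" also drops part of the organisation's name; the link target elsewhere in the README is ncsc.gov.uk, so the full name should stay.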
@@ -475,7 +479,7 @@ If you want to read more: [Demystifying Schannel](https://techcommunity.microsof - Rotating pink gem denoting registry or cmdlet Disables the following [weak ciphers](https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices) that are **only available for backward compatibility**: `"DES 56-bit"`,`"RC2 40-bit"`,`"RC2 56-bit"`,`"RC2 128-bit"`,`"RC4 40-bit"`,`"RC4 56-bit"`,`"RC4 64-bit"`,`"RC4 128-bit"`,`"3DES 168-bit (Triple DES 168)"` -- Blue Check mark denoting Group Policy Configures the [TLS](https://www.ncsc.gov.uk/guidance/using-tls-to-protect-data) to only use the following secure [cipher suites](https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-11) and in this exact order: +- Blue Check mark denoting Group Policy Configures the [TLS](https://www.ncsc.gov.uk/guidance/using-tls-to-protect-data) to only use the following secure [cipher suites](https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-11) and in this exact order: [Rotating pink gem denoting registry or cmdlet ¹](https://developers.cloudflare.com/ssl/reference/cipher-suites/recommendations/) [Rotating pink gem denoting registry or cmdlet ²](https://scanigma.com/knowledge-base) ``` TLS_CHACHA20_POLY1305_SHA256 @@ -485,10 +489,6 @@ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 -TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 -TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 ``` 
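Review bot: The four removed suites are exactly the `..._CBC_SHA384` / `..._CBC_SHA256` entries, which leaves only AEAD suites (GCM and ChaCha20-Poly1305) in the list, but the README text above the block does not say so or mention the compatibility effect. Add one sentence stating that CBC-mode suites are no longer offered and that peers without GCM or ChaCha20 support will fail to negotiate, so readers can judge the impact before applying. Separately, the two new footnote links (¹ and ²) carry the "registry or cmdlet" icon on a line that is marked as Group Policy; use plain superscript links or the Group Policy icon so the markers do not suggest a second mechanism.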
@@ -496,9 +496,9 @@ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - Blue Check mark denoting Group Policy [Configures](https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tls) TLS ECC Curves to use the following prioritized Curves order: ``` +nistP521 curve25519 NistP384 -NistP256 ``` * By default, in [Windows 11 22H2](https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-elliptic-curves-in-windows-10-1607-and-later), the order is this: From 79c486ad96194bb0cc270a29aad018b71be8ea21 Mon Sep 17 00:00:00 2001 From: HotCakeX <118815227+HotCakeX@users.noreply.github.com> Date: Tue, 30 May 2023 15:27:55 +0000 Subject: [PATCH 2/5] updating file --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6f3f257f1..961ace68c 100644 --- a/README.md +++ b/README.md @@ -981,7 +981,7 @@ This repository uses the simplest possible, yet effective, methods that make it
-
Virus Total scan results of Security-Baselines-X.zip +Virus Total scan results of Security-Baselines-X.zip
From 8ba98bd48ce85b94b3a8cd9f19e9e29e52dbee89 Mon Sep 17 00:00:00 2001 From: HotCakeX Date: Tue, 30 May 2023 19:21:20 +0330 Subject: [PATCH 3/5] Update Security-Baselines-X.zip --- Payload/Security-Baselines-X.zip | Bin 9639 -> 9643 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/Payload/Security-Baselines-X.zip b/Payload/Security-Baselines-X.zip index 15586dae816885fe9010c7142e3546324b663980..40f7f6c00536406a61703633b68a5d11b238041f 100644 GIT binary patch From b37b18277de7bd1292f672bd24de5cc3bb39e203 Mon Sep 17 00:00:00 2001 From: HotCakeX <118815227+HotCakeX@users.noreply.github.com> Date: Tue, 30 May 2023 15:57:32 +0000 Subject: [PATCH 4/5] updating file --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 961ace68c..164b1ca57 100644 --- a/README.md +++ b/README.md @@ -981,7 +981,7 @@ This repository uses the simplest possible, yet effective, methods that make it
-Virus Total scan results of Security-Baselines-X.zip +Virus Total scan results of Security-Baselines-X.zip
From 8a96920ed773a68ae1fcfe6841b111fdb5987ca0 Mon Sep 17 00:00:00 2001 From: HotCakeX Date: Tue, 30 May 2023 20:15:36 +0330 Subject: [PATCH 5/5] Update README.md --- README.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 164b1ca57..918833c8a 100644 --- a/README.md +++ b/README.md @@ -185,7 +185,7 @@ Install-Script -Name Harden-Windows-Security Features Item Applying this script makes your PC compliant with Microsoft Security Baselines and Secured-core PC specifications (provided that you use modern hardware that supports the latest Windows security features) - [See what makes a Secured-core PC](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure#what-makes-a-secured-core-pc) - Check Device Guard category for more details. > [Secured-core](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure) – recommended for the most sensitive systems and industries like financial, healthcare, and government agencies. Builds on the previous layers and leverages advanced processor capabilities to provide protection from firmware attacks. -Features Item There are 4 items tagged with **#TopSecurity** TopSecurity that can cause some inconvenience but increase security even further. When you run this script, you will have an option to enable them if you want to. Press `Control + F` and search for `#TopSecurity` on this page to find those security measures. +Features Item There are 5 items tagged with **#TopSecurity** TopSecurity that can cause some inconvenience but increase security even further. When you run this script, you will have an option to enable them if you want to. Press `Control + F` and search for `#TopSecurity` on this page to find those security measures. Features Item Since I originally created this repository for myself and people I care about, I always maintain it to the highest possible standard. 
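Review bot: The hard-coded count in "There are 5 items tagged with **#TopSecurity**" has to be edited by hand every time a tagged item is added or removed, and this series changes two tagged lines (a new Blocking Untrusted Fonts entry and a re-tagged Fast User Switching entry). Confirm that 5 matches what a search for `#TopSecurity` actually returns after this commit, or drop the number and keep only the search instruction so the sentence cannot drift.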
@@ -499,6 +499,7 @@ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 nistP521 curve25519 NistP384 +NistP256 ``` * By default, in [Windows 11 22H2](https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-elliptic-curves-in-windows-10-1607-and-later), the order is this: 
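Review bot: `NistP256` is restored to the curve list here, but this commit changes README.md only, while PATCH 1/5 removed the same line and the Payload zip was last updated in PATCH 3/5. Please confirm that the shipped policy file contains the same four curves in the same order as this block, otherwise the README documents a curve order the script does not apply. The entries are also cased inconsistently (`nistP521` next to `NistP384` and `NistP256`); use the exact spelling the policy expects for all of them. Since 1/5 and 5/5 undo each other on this line, squashing them would keep the history clearer.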
@@ -565,7 +566,7 @@ NistP384 - Blue Check mark denoting Group Policy Changes the [behavior of the elevation prompt for standard users](https://learn.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) from "prompt for credentials" to "prompt for credentials on the secure desktop". - **#TopSecurity** TopSecurity behavior: Automatically deny all UAC prompts on Standard accounts. **Highly recommended to be used on sensitive critical machines.** Only use Standard account for regular everyday tasks, and if you want to perform administrative tasks such as intalling a program system-wide or changing system settings, completely log out of the Standard account and log into an Administrator account, perform the tasks, then completely log out and log back into the Standard account to continue your work. No [fast user switching](https://learn.microsoft.com/en-us/windows/win32/shell/fast-user-switching) and **absolutely no UAC on Standard accounts.** -- Blue Check mark denoting Group Policy *#TopSecurity* TopSecurity Hides the entry points for [Fast User Switching](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowslogon). +- Blue Check mark denoting Group Policy **#TopSecurity** TopSecurity Hides the entry points for [Fast User Switching](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowslogon). - Rotating pink gem denoting registry or cmdlet **(Requires additional confirmation to run):** [Asks for a strong password for the built-in Administrator account and then enables it.](https://github.com/HotCakeX/Harden-Windows-Security/discussions/30#discussioncomment-5627737) 
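Review bot: The tag fix on the Fast User Switching line (`*#TopSecurity*` to `**#TopSecurity**`) is fine, but the unchanged line directly above it still reads "intalling a program system-wide"; since this hunk already touches the paragraph, correct it to "installing" in the same commit. It would also help to check the rest of the README for other single-asterisk `*#TopSecurity*` tags so the formatting is consistent everywhere.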
@@ -773,6 +774,8 @@ These are configurations that are typically *recommended in High-Risk Environmen - Rotating pink gem denoting registry or cmdlet Enables **WinVerifyTrust Signature Validation**, [a security feature related to WinVerifyTrust function that handles Windows Authenticode signature verification for portable executable (PE) files.](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900) +- Blue Check mark denoting Group Policy [Blocking Untrusted Fonts](https://learn.microsoft.com/en-us/windows/security/threat-protection/block-untrusted-fonts-in-enterprise) TopSecurity **#TopSecurity** +

💡 (back to categories)
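Review bot: The new "Blocking Untrusted Fonts" bullet is only a linked title with the tag appended; it does not say what the setting does, what breaks when it is on, or that it is applied only when the optional #TopSecurity choice is accepted. The neighbouring entries start with a verb and a short explanation ("Enables **WinVerifyTrust Signature Validation**, a security feature ..."), and the Fast User Switching entry puts `**#TopSecurity**` before the description. Follow the same pattern here, for example "**#TopSecurity** Blocks untrusted fonts ..." with one sentence on the effect for applications that load fonts from outside the system font directory.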