Windows Hardening Commands
Windows Commands
Harden System from Lateral Movement/privesc
Note: These may inadvertently break communication of devices and should be tested. It may also require a restart.
Disable remote interaction with services
Disable remote interaction with scheduled tasks
Disable RDP access
Disable DCOM
Disable Admin Shares
Disable Printer Spooler Service (PrintNightmare RCE & LPE Mitigation)
Note: Flow chart kindly provided by Benjamin Delpy
Prevent SYSTEM from writing new print DLL (PrintNightmare RCE & LPE Mitigation)
Special thanks to truesec
Disable Remote Printing (PrintNightmare RCE mitigation)
Enable Warning on PointAndPrint and UAC (PrintNightmare LPE mitigation)
Deny vulnerable Netlogon connections (Prevent ZeroLogon CVE-2020-1472)
Note: This should be run on a DC or relevant policy applied. It requires the August 11, 2020 update. Full mitigation advice can be found here
It should be noted the following System events relate to this and should be reviewed:
Event IDs 5827 and 5828 in the System event log, if ZeroLogon connections are denied.
Event IDs 5830 and 5831 in the System event log, if ZeroLogon connections are allowed by “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy.
Event ID 5829 in the System event log, if a vulnerable Netlogon secure channel connection is allowed.
Rename mshtml.dll (CVE-2021-40444 Mitigation)
Note: This will render any application which leverages mshtml.dll for rendering HTML content unable to do so (including mshta.exe - yay). At this stage the MSHTML (Trident) engine should not be leveraged by many applications, and Microsoft recommends that future app development not use the MSHTML (Trident) engine. Some examples of software that does use it include .chm files and the software mentioned here
Run cmd.exe as Administrator.
takeown /F mshtml.dll
icacls mshtml.dll /grant administrators:F
move mshtml.dll mshtml2.dll
cd ../SysWOW64
takeown /F mshtml.dll
icacls mshtml.dll /grant administrators:F
move mshtml.dll mshtml2.dll
Stop Server Responsible for Inter-process Communication Calls
Delete Admin Shares
Note: This may break some application communication and admin functionality. It may also be temporary as Windows has been known to recreate them. Always test.
C$ = Default share of the system's C: drive.
IPC$ = Default Inter-process communication share (used by named pipes)
ADMIN$ = Default share for remote administration (used by PsExec)
net share C$ /delete
net share IPC$ /delete
net share ADMIN$ /delete
Disable Anonymous Access to Named Pipes
Notes on named pipes:
Named pipes are used for communication between processes; this includes a process on a remote system.
A named pipe can be created by anyone.
By enabling ‘RestrictNullSessAccess’ you stop anonymous network logons from accessing named pipes on your system.
If a process has the ‘SeImpersonatePrivilege’ (or equivalent) privilege assigned and creates a named pipe, it may be able to impersonate the user context of anyone who connects to its named pipe if it then acts as the named pipe server.
The client of a named pipe, RPC, or DDE connection can control the impersonation level that the server of the named pipe can impersonate, ref: Microsoft
This doesn’t apply if the connection is remote; in that instance the permissions are set by the server.
Any service running through the Service Control Manager (SCM), or Component Object Model (COM) specified to run under a certain account, automatically has impersonate privileges.
When creating a child process using ‘CreateProcessWithToken’ the secondary logon service ‘seclogon’ needs to be running or else this will fail.
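The notes above list mitigations but not a way to confirm they took effect. The following read-only audit script is an added example, not part of the original page: it reports the state of the named-pipe, Netlogon, RDP, Spooler, admin-share and mshtml.dll items and pulls the ZeroLogon event IDs the page names. The registry paths and value names are standard Windows locations and are assumptions of this example, not taken from the page.

```powershell
# Added audit example (not from the original notes). Read-only: reports state, changes nothing.
# Registry paths/value names are the standard Windows locations (assumption of this example).

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent -> Windows default behaviour applies
}

function Test-HardeningState {
    $checks = @()

    # Disable Anonymous Access to Named Pipes: RestrictNullSessAccess = 1
    $v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RestrictNullSessAccess'
    $checks += [pscustomobject]@{ Setting='RestrictNullSessAccess'; Expected=1; Actual=$v; Compliant=($v -eq 1) }

    # Deny vulnerable Netlogon connections (ZeroLogon): FullSecureChannelProtection = 1, relevant on DCs
    $v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' 'FullSecureChannelProtection'
    $checks += [pscustomobject]@{ Setting='FullSecureChannelProtection'; Expected=1; Actual=$v; Compliant=($v -eq 1) }

    # Disable RDP access: fDenyTSConnections = 1
    $v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
    $checks += [pscustomobject]@{ Setting='fDenyTSConnections'; Expected=1; Actual=$v; Compliant=($v -eq 1) }

    # Disable Printer Spooler Service: stopped and disabled (or not installed)
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $state = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'absent' }
    $ok = (-not $svc) -or ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
    $checks += [pscustomobject]@{ Setting='Spooler'; Expected='Stopped/Disabled'; Actual=$state; Compliant=$ok }

    # Delete Admin Shares: C$, IPC$ and ADMIN$ should all be gone
    $present = @(Get-SmbShare -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in @('C$','IPC$','ADMIN$') } | Select-Object -ExpandProperty Name)
    $checks += [pscustomobject]@{ Setting='AdminShares'; Expected='none'; Actual=($present -join ','); Compliant=($present.Count -eq 0) }

    # Rename mshtml.dll (CVE-2021-40444): neither the 64-bit nor the 32-bit copy should keep its original name
    $dlls = @("$env:windir\System32\mshtml.dll", "$env:windir\SysWOW64\mshtml.dll") | Where-Object { Test-Path $_ }
    $checks += [pscustomobject]@{ Setting='mshtml.dll'; Expected='renamed'; Actual=($dlls -join ','); Compliant=($dlls.Count -eq 0) }

    $checks
}

# ZeroLogon-related System events named on the page (5827/5828 denied; 5829/5830/5831 allowed), last 7 days
function Get-NetlogonEvents {
    Get-WinEvent -FilterHashtable @{ LogName='System'; Id=5827,5828,5829,5830,5831; StartTime=(Get-Date).AddDays(-7) } `
        -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

Test-HardeningState | Format-Table -AutoSize
Get-NetlogonEvents | Format-Table -AutoSize
```

Any row with Compliant = False is a mitigation from the list above that has not been applied (or has been reverted, as the admin-share note warns Windows may do); the Netlogon events show whether vulnerable connections are still being attempted or allowed.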
Disable OLE objects in
Windows
BTFM: Windows Hardening - pg. 22
Operator Handbook: Windows_Defend - pg. 334
Enforce Safe DLL Search Mode - PTFM - pg. 28
Disable Run Once - PTFM - pg. 28
Enable Windows Credential Guard - PTFM - pg. 44
Operator Handbook: Mimikatz_Defend - pg. 206
Cyber Operations: Defending the Windows Domain - pg. 567
Linux
BTFM: Linux Hardening - pg. 34
Operator Handbook: Linux_Defend - pg. 123
Misc Guides
Repository of Hardening guides - https://github.com/ernw/hardening
Operator Handbook: MacOS_Defend - pg. 162