Hardening script update v2023.8.4
What's changed
- In the BitLocker category, hibernation is now enabled only on physical machines, because virtual machines such as Hyper-V VMs have other features (saving the VM state, checkpoints, pause, etc.), do not support hibernation, and throw an error.
- Added a new group policy to the Windows Networking category to clear all the entries for Remotely accessible registry paths
- Added a new group policy to the Windows Networking category to clear all the entries for Remotely accessible registry paths and subpaths
- In the Miscellaneous category, added a new policy for command line process auditing
- In the Lock Screen category, changed the anti-hammering feature for the lock screen by lowering the number of consecutive failed sign-in attempts that triggers it from 6 to 5.
- In the Lock Screen category, added a new policy for Account lockout threshold and set it to 5.
- In the Lock Screen category, added a new policy for Reset account lockout counter and set it to 1440 minutes (1 day). In combination with the other policies in this category, this means that after 5 failed sign-in attempts a full day must pass before 5 more attempts can be made; otherwise BitLocker engages, the system restarts and the 48-digit BitLocker recovery key is asked for. This greatly hinders brute-force attempts.
- In the Lock Screen category, added a new policy for Account lockout duration and set it to 1440 minutes (1 day). Together with the Account lockout threshold and Reset account lockout counter policies, this means that after 5 failed sign-in attempts a full day must pass before 5 more attempts can be made; otherwise BitLocker engages, the system restarts and the 48-digit BitLocker recovery key is asked for. This greatly hinders brute-force attempts.
- In the Miscellaneous category, added a new policy for enabling the RPC Endpoint Mapper Client Authentication policy
- In the Miscellaneous category, added a new policy to set the Restrict Unauthenticated RPC Clients policy to "Authenticated without exceptions"
- In the Lock Screen category, added the following PIN complexity rules for Windows Hello:
  - Must include digits
  - Expires every 180 days (default behavior is to never expire)
  - History of the 3 most recent selected PINs is preserved to prevent the user from reusing them
  - Must include lower-case letters
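The PowerShell audit below is an added example, not code from the hardening script, that reads back the policies listed in this changelog (command line process auditing, the two RPC policies, the cleared remotely accessible registry path lists, the account lockout threshold/duration/reset counter, and the Windows Hello PIN complexity rules) and flags drift from the values the changelog states. The registry paths and value names are assumptions based on the Group Policy backing values for these settings; they are not stated on this page. The `net accounts` parsing assumes English output labels. The script only reads; it changes nothing.

```powershell
# Added example (not part of the hardening script): read-only audit of the
# policies described in this changelog. Registry paths and value names are
# assumed Group Policy backing values; expected values come from the changelog.

$expected = @(
    # Command line process auditing (Miscellaneous category)
    @{ Name = 'Command line process auditing'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Value = 'ProcessCreationIncludeCmdLine_Enabled'; Expect = 1 },
    # RPC Endpoint Mapper Client Authentication (Miscellaneous category)
    @{ Name = 'RPC Endpoint Mapper Client Authentication'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
       Value = 'EnableAuthEpResolution'; Expect = 1 },
    # Restrict Unauthenticated RPC Clients: 2 = "Authenticated without exceptions"
    @{ Name = 'Restrict Unauthenticated RPC Clients'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
       Value = 'RestrictRemoteClients'; Expect = 2 },
    # Windows Hello PIN complexity (Lock Screen category); 1 = required
    @{ Name = 'PIN must include digits'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'
       Value = 'Digits'; Expect = 1 },
    @{ Name = 'PIN must include lower-case letters'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'
       Value = 'LowercaseLetters'; Expect = 1 },
    @{ Name = 'PIN expires every 180 days'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'
       Value = 'Expiration'; Expect = 180 },
    @{ Name = 'PIN history of 3 most recent PINs'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'
       Value = 'History'; Expect = 3 }
)

# Compare one registry-backed policy against its expected value.
function Test-RegistryPolicy {
    param([hashtable]$Policy)
    $name = $Policy.Value
    $item = Get-ItemProperty -Path $Policy.Path -Name $name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.$name } else { $null }
    [pscustomobject]@{
        Policy   = $Policy.Name
        Expected = $Policy.Expect
        Actual   = $actual
        Status   = if ($actual -eq $Policy.Expect) { 'OK' } else { 'DRIFT' }
    }
}

# The changelog clears both "Remotely accessible registry paths" lists, so an
# empty (or absent) REG_MULTI_SZ "Machine" value is the desired state.
function Test-RemoteRegistryPaths {
    foreach ($key in 'AllowedExactPaths', 'AllowedPaths') {
        $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\$key"
        $entries = @((Get-ItemProperty -Path $path -Name Machine -ErrorAction SilentlyContinue).Machine)
        $entries = @($entries | Where-Object { $_ })   # drop nulls and empty strings
        [pscustomobject]@{
            Policy   = "Remotely accessible registry paths ($key)"
            Expected = 0
            Actual   = $entries.Count
            Status   = if ($entries.Count -eq 0) { 'OK' } else { 'DRIFT' }
        }
    }
}

# Account lockout threshold / duration / reset counter (Lock Screen category),
# read from 'net accounts'. Assumes the English output labels.
function Test-AccountLockout {
    $text = (net accounts) -join "`n"
    $checks = @{
        'Lockout threshold'                    = 5
        'Lockout duration (minutes)'           = 1440
        'Lockout observation window (minutes)' = 1440   # "Reset account lockout counter"
    }
    foreach ($label in $checks.Keys) {
        $pattern = "(?m)^$([regex]::Escape($label)):\s*(\S+)"
        $actual = if ($text -match $pattern) { $Matches[1] } else { $null }
        [pscustomobject]@{
            Policy   = $label
            Expected = $checks[$label]
            Actual   = $actual
            Status   = if ("$actual" -eq "$($checks[$label])") { 'OK' } else { 'DRIFT' }
        }
    }
}

$results = @($expected | ForEach-Object { Test-RegistryPolicy -Policy $_ }) +
           @(Test-RemoteRegistryPaths) +
           @(Test-AccountLockout)
$results | Format-Table -AutoSize
```

Any row marked DRIFT is a setting that does not match what this release applies; a missing value shows up as an empty Actual column, which is the expected result on a machine the script has never run on.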
- In the Non-Admin category, removed the registry keys related to the security measures for disabling toast/push notifications on the lock screen, because the Microsoft security baselines already apply them.
- In the Non-Admin category, added a new security measure for disabling "Show reminders and incoming VoIP calls on the lock screen" under Settings > System > Notifications