
Hardening script update v2023.8.4

@HotCakeX HotCakeX released this 04 Aug 19:28

What's changed

  1. In the BitLocker category, hibernation is now enabled only on physical machines, because virtual machines such as Hyper-V VMs have their own equivalents (saving the VM state, checkpoints, pause, etc.), do not support hibernation, and throw an error when it is enabled.

  2. Added a new group policy to the Windows Networking category to clear all the entries for Remotely accessible registry paths

  3. Added a new group policy to the Windows Networking category to clear all the entries for Remotely accessible registry paths and subpaths

  4. In the Miscellaneous category, added a new policy for Command line process auditing

  5. In the Lock Screen category, tightened the anti-hammering feature for the lock screen by lowering the number of consecutive failed sign-in attempts allowed from 6 to 5.

  6. In the Lock screen category, added a new policy for Account lockout threshold and set it to 5.

  7. In the Lock screen category, added a new policy for Reset account lockout counter and set it to 1440 minutes (1 day). Combined with the other policies in this category, this means that after every 5 failed sign-in attempts a full day must pass before 5 more attempts can be made; otherwise BitLocker engages, the system restarts, and the 48-digit BitLocker recovery key is requested. This policy greatly hinders brute-force attempts.

  8. In the Lock screen category, added a new policy for Account lockout duration and set it to 1440 minutes (1 day). Combined with the other policies in this category, this means that after every 5 failed sign-in attempts a full day must pass before 5 more attempts can be made; otherwise BitLocker engages, the system restarts, and the 48-digit BitLocker recovery key is requested. This policy greatly hinders brute-force attempts.

  9. In the Miscellaneous category, added a new policy for enabling the RPC Endpoint Mapper Client Authentication policy

  10. In the Miscellaneous category, added a new policy to set the Restrict Unauthenticated RPC Clients policy to "Authenticated without exceptions"

  11. In the Lock Screen category, added the following PIN Complexity rules for Windows Hello

    1. Must include digits
    2. Expires every 180 days (default behavior is to never expire)
    3. History of the 3 most recent PINs is preserved to prevent the user from reusing them
    4. Must include lower-case letters

  12. In the non-admin category, removed the registry keys related to the security measures for disabling toast/push notifications on the lock screen, because the Microsoft security baselines already apply them.

  13. In the non-admin category, added a new security measure that disables "Show reminders and incoming VoIP calls on the lock screen" under Settings > System > Notifications
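The lockout items above (5 through 8) only work as described if all four values actually landed on the system. The following is an added verification example, not code from this release or from the hardening script itself; it reads the effective values back and compares them with the 5-attempt / 1440-minute combination. It assumes `net accounts` prints its English labels and that the machine account lockout threshold (the BitLocker anti-hammering setting) is stored in the `MaxDevicePasswordFailedAttempts` value under the Lsa key; both are assumptions of this example, not statements from the release notes.

```powershell
# Added verification example (not part of the release or the hardening script).
# Reads the effective lockout settings back so the "5 attempts / 1 day" behaviour
# described in the release notes can be confirmed after the script has run.
function Get-LockoutState {
    # "net accounts" prints "Never" when no lockout threshold is configured,
    # so every value is kept as a string here and converted only when compared.
    $text = (net accounts) -join "`n"
    $get = {
        param($label)
        if ($text -match "(?m)^$label\s*:\s*(\S+)") { $Matches[1] } else { $null }
    }
    # Assumption: this registry value backs "Interactive logon: Machine account lockout threshold".
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name 'MaxDevicePasswordFailedAttempts' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Threshold       = & $get 'Lockout threshold'
        DurationMinutes = & $get 'Lockout duration \(minutes\)'
        WindowMinutes   = & $get 'Lockout observation window \(minutes\)'
        MachineLockout  = $lsa.MaxDevicePasswordFailedAttempts
    }
}

function Test-LockoutHardening {
    param(
        [int]$Threshold       = 5,     # account and machine lockout threshold
        [int]$DurationMinutes = 1440,  # account lockout duration (1 day)
        [int]$WindowMinutes   = 1440   # reset account lockout counter after (1 day)
    )
    $s = Get-LockoutState
    $checks = @(
        @{ Name = 'Account lockout threshold';          Actual = $s.Threshold;       Expected = $Threshold }
        @{ Name = 'Account lockout duration (min)';     Actual = $s.DurationMinutes; Expected = $DurationMinutes }
        @{ Name = 'Reset lockout counter after (min)';  Actual = $s.WindowMinutes;   Expected = $WindowMinutes }
        @{ Name = 'Machine account lockout (BitLocker)';Actual = $s.MachineLockout;  Expected = $Threshold }
    )
    foreach ($c in $checks) {
        # "-as [int]" yields $null for "Never" or a missing value, which counts as a failed check.
        $actual = $c.Actual -as [int]
        [pscustomobject]@{
            Check    = $c.Name
            Expected = $c.Expected
            Actual   = $c.Actual
            Pass     = ($null -ne $actual) -and ($actual -eq $c.Expected)
        }
    }
}

# Any row with Pass = False means the lockout chain described above is not fully in effect.
Test-LockoutHardening | Format-Table -AutoSize
```

Run it from an elevated PowerShell session after the hardening script has applied the Lock screen category, since the Lsa key is not readable by a standard user on every configuration.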

