Hardening Windows 10 Home Security

Discussion in 'other anti-malware software' started by PaleDark, Sep 13, 2016.

  1. PaleDark

    PaleDark Registered Member

    Joined: Nov 30, 2015
    Posts: 55
    Hi,

    Interested to know if there are any configuration settings/features on Windows 10 Home Security?

    So far, I've only heard of Windows 10 Pro for its AppContainer and such, etc... But I'm interested to see if there's any more I can do to harden Windows 10 Home security by just playing with its config.

    I will be using only Win Defender and EMET. Is there any other Microsoft-related software that I can install too?
     
  2. Umbra

    Umbra Registered Member

    Joined: Feb 10, 2011
    Posts: 2,178
    Location: in a remote land :)
    You have plenty; on Win10 Home most are registry tweaks or disabling services and components. The list is very long.

    Just type "harden Windows 10" in Google and you will have pages.

    AppContainer is for all Win10 editions, I think you meant AppLocker.

    Depends; if you have good skills and knowledge about the various processes running in your system, you have Process Explorer and Autoruns, which may help you to pinpoint unusual processes/startup entries.
     
  3. Yuki2718

    Yuki2718 Registered Member

    Joined: Aug 15, 2014
    Posts: 1,257
    I made batch and reg files for ease.
    They are intended for Win 10 Home (x64) w/out UEFI/Secureboot, but may be useful for others too.
    Change the extension to .bat and run them via (elevated) CMD, except reg2, which is a .reg file and requires running regedit w/ SYSTEM priv or editing the ACL on HKLM\SECURITY. If you use ACL.bat, replace "User" w/ your account name.

    Important Note: These scripts assume you use Windows Defender and Windows Firewall. I do not recommend them if you use other AVs, FWs, or other security products. I only confirmed they work well w/ those 2 and Bouncer, HMPA. Please take a full backup before you use them, as they can cause serious problems depending on your system.
    Note: most configs which can easily be toggled via GUI are omitted.
    Configs which only make sense on Secureboot/TPM, or which will cause problems, are commented out.
    Configs which don't make sense on Win10x64, such as disabling 16bit apps, SafeDllSearchMode, SynAttackProtect, are omitted.
    I intentionally omitted the /f option.

    It is meant to be used by advanced users who understand what these scripts do. Pls use them at your own risk.

    [UPDATE] Commented ClearPageFileAtShutDown out as it is not good for system on SSD.
    Added Important Note.
     

    Last edited: Nov 4, 2016
  4. TairikuOkami

    TairikuOkami Registered Member

    Joined: Oct 10, 2005
    Posts: 2,509
    Location: Slovakia
    Mind if I ask, what does Reg2 do? :doubt:
     
  5. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined: Aug 9, 2012
    Posts: 1,424
    To harden Windows 10 you will need a good understanding of group policy, admin permissions and know how to navigate the registry.

    First I would advise you to harden your router. Enable the firewall. Turn off FTP, SSH, Telnet login. And I would advise you to block open ports at your router.

    You need to start to disable services that are a security risk. I'm talking about Bluetooth, Location Tracking, Remote Access, and UPnP.

    Then you move onto GroupPolicy. Consult one of many online guides about GroupPolicy hardening to get the best settings.

    Now you go to the registry and start changing values to make your system more secure and resilient to exploits. Yuki2718's scripts are a good start.

    I must add you do not connect to the open internet while you are hardening Windows 10. You must be 100% sure you aren't compromised from the get go.

    Probably the last thing you have to do is install your security arsenal on your Windows 10 system. Then you can connect to the open internet.
     
  6. Yuki2718

    Yuki2718 Registered Member

    Joined: Aug 15, 2014
    Posts: 1,257
    This forbids access from network for Local Service, Network Service, Guest, Service, and Anonymous Logon. Also forbids local logon by Guests too.
    If you have Pro or Enterprise version you can do this via policy editor, but for Home ver. it is required to run regedit in SYSTEM priv (easiest way will be to use PsExec) or save ACLs on HKLM\Security, change registry, and restore the ACLs. This is why I separated them from the rest.
     
  7. Yuki2718

    Yuki2718 Registered Member

    Joined: Aug 15, 2014
    Posts: 1,257
    Well, I forgot to remove an entry for DriveSecurity in "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution" (CWDIllegalInDllSearch exclusion). I removed that and reuploaded. There's another exclusion for Chrome in the same key, but I'll leave it since many ppl will use Chrome and w/out this exclusion (for MitigationOptions 0x200000000) I got IME trouble on Chrome.
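
Leftover per-image exclusions like the one described in this post can be found with a read-only audit. The script below is an added example, not part of the post or of Yuki2718's attached scripts. It assumes the full key name `Image File Execution Options`, the system-wide values under `Session Manager` and `Session Manager\kernel`, and that overrides sit directly in each per-image subkey.

```powershell
# Added example: list per-image MitigationOptions / CWDIllegalInDllSearch overrides
# and show them next to the system-wide value they replace. Read-only.
$ifeo    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$sessMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$names   = 'MitigationOptions', 'CWDIllegalInDllSearch'

function Format-RegValue($value) {
    # MitigationOptions may be stored as REG_QWORD or REG_BINARY; render both as hex.
    if ($null -eq $value) { return '(not set)' }
    if ($value -is [byte[]]) {
        $bytes = [byte[]]$value.Clone()
        [array]::Reverse($bytes)   # stored little-endian; print most significant byte first
        return '0x' + (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
    }
    return '0x{0:X}' -f $value
}

# System-wide settings that a per-image entry overrides for that one executable.
$baseline = @{
    MitigationOptions     = (Get-Item -LiteralPath "$sessMgr\kernel").GetValue('MitigationOptions', $null)
    CWDIllegalInDllSearch = (Get-Item -LiteralPath $sessMgr).GetValue('CWDIllegalInDllSearch', $null)
}

# Only the direct per-image subkeys are read (assumption: no path-filtered subkeys in use).
$report = foreach ($key in Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue) {
    foreach ($name in $names) {
        $value = $key.GetValue($name, $null)
        if ($null -eq $value) { continue }   # this image has no override for this setting
        [pscustomobject]@{
            Image      = $key.PSChildName
            Setting    = $name
            PerImage   = (Format-RegValue $value)
            SystemWide = (Format-RegValue $baseline[$name])
        }
    }
}

if ($report) {
    $report | Sort-Object Image, Setting | Format-Table -AutoSize
} else {
    'No per-image MitigationOptions or CWDIllegalInDllSearch overrides found.'
}
```

Any row whose image name belongs to software no longer installed, or whose per-image value is weaker than the system-wide one without a known reason, is a candidate for removal.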
     