PIN for Windows to defend against hacking?

Discussion in 'privacy general' started by Addelam, Nov 16, 2021.

  1. Addelam

    Addelam Registered Member

    Joined:
    May 9, 2021
    Posts:
    29
    Location:
    UK
    This is probably a stupid question, but can setting a PIN for Windows help defend against hacking?

    I'm not sure how, but just wondering.

    Or is it just to stop people present with your PC from getting access to your user profile?
     
  2. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    Well.. since Mimikatz can be used to extract the PIN code I would say yes, as well as setting the option to press Ctrl+Alt+Del as a limiting factor.
    Nobody writes about it, and you need to dig a little deeper to get this kind of info; if you try a Google search you get info on website passwords, router passwords and the like.

    For instance, for the home/company PC:
    by design Remote Desktop requires a password in order to connect, as a security measure. The Remote Desktop user ID and password are local to the computer you want to remotely access and control.
    You don't want RD tools accessing and controlling your computer, so you set a password, and that's one reason.

    Truth be told, the ID, or username, is a password on its own and must be protected too.
     
  3. Addelam

    Addelam Registered Member

    Joined:
    May 9, 2021
    Posts:
    29
    Location:
    UK
    I have not heard about the Ctrl+Alt+Del option but will be looking into this. Thank you.
     
  4. Melionix

    Melionix Registered Member

    Joined:
    Jun 22, 2020
    Posts:
    111
    Location:
    Earth
    How does this help exactly? Legit curious.
     
  5. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    It's like a captcha for local admin: humans/owners can press that no problem. In other words, people on the keyboard versus a remote attacker (I am sure this can be circumvented just like anything; it's part of the hardening mindset: not too useful but better than nothing).
    It is controlled by the DisableCAD value; 0 means CAD is enabled:
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableCAD /t REG_DWORD /d 0 /f

    Of course this is aimed at anti-persistence rather than anti-hacking.
    Credentials, among many things, allow revealing more information on the target, e.g. browser passwords.
    "Using stolen credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals" (Tim Bryant).


    Penetration would be from something else: you clicked a link, executed an exe, the usual drill.
    Authentication-related stuff and RD tweaks below.
    I mentioned RD, so let's stick to RD, as it's a LOLBIN by nature: perhaps the most abused service, local and low profile.


    Tweaks about credentials (and RD) are found below; due to the advent of Hello and biometric features their utility has changed.
    Notably, if using the old method of authentication, they force you to press CAD on each file and system change (along with the admin prompt and password requirement); some programme for encryption would be needed though.
    This is harsh, so don't use it (pressing CAD and authenticating on each prompt), and some are situational; just an idea though:

    :: authentication related stuff

    :: virtualization-based security + Credential Guard (LsaCfgFlags 1 = enabled with UEFI lock); needs a VBS-capable machine
    :: /f added so the lines do not stop to ask "overwrite?" when the value already exists
    reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /d 1 /t REG_DWORD /f
    reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /d 1 /t REG_DWORD /f
    reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA" /v "LsaCfgFlags" /d 1 /t REG_DWORD /f

    :: LSASS hardening: AuditLevel 8 logs what would break under PPL, RunAsPPL runs LSASS as a protected process,
    :: and the WDigest values stop plaintext credentials being kept in LSASS memory
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe" /v AuditLevel /t REG_DWORD /d 00000008 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 00000001 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v Negotiate /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AllowMultipleTSSessions /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Policies\System" /v HideFastUserSwitching /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /d 0 /t REG_DWORD /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdminOutboundCreds /t REG_DWORD /d 00000001 /f
    :: NtlmMinClientSec is a bitmask (NTLMv2 session security + 128-bit encryption) and must be given in hex, not decimal
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" /v NtlmMinClientSec /t REG_DWORD /d 0x20080000 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v everyoneincludeanonymous /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LMCompatibilityLevel /t REG_DWORD /d 5 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v NoLMHash /t REG_DWORD /d 1 /f
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v DisablePasswordCaching /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableCAD /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters" /v DisablePasswordChange /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters" /v RequireStrongKey /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters" /v RequireSignOrSeal /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters" /v SignSecureChannel /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v undockwithoutlogon /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters" /v SealSecureChannel /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v BlockDomainPicturePassword /t REG_DWORD /d 1 /f
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI" /v EnableSecureCredentialPrompting /t REG_DWORD /d 1 /f
    REG ADD "HKLM\Software\Policies\Microsoft\Windows\CredUI" /v DisablePasswordReveal /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v dontdisplaylastusername /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CachedLogonsCount /t REG_SZ /d 0 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v disabledomaincreds /t REG_DWORD /d 1 /f
    :: UAC: keep it on, filter the built-in Administrator token, prompt for consent on the secure desktop
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v FilterAdministratorToken /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 2 /f
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v PromptOnSecureDesktop /t REG_DWORD /d 1 /f
    REG ADD "HKCU\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout /v "ResetTime (mins)" /t REG_DWORD /d 9999 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters" /v MaximumPasswordAge /t REG_DWORD /d 40 /f
    net accounts /FORCELOGOFF:130 /MINPWLEN:10 /MAXPWAGE:40 /MINPWAGE:20 /UNIQUEPW:3
    net accounts /LOCKOUTTHRESHOLD:3
    net accounts /LOCKOUTDURATION:30
    net accounts /LOCKOUTWINDOW:30

    :: remote desktop and remote assistance
    netsh advfirewall firewall set rule group="Remote Assistance" new enable=no
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v fEnableWinStation /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fAllowToGetHelp /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fAllowUnsolicited /t REG_DWORD /d 0 /f
    :: Authenticode padding check (MS13-098): set on both the 64-bit and the Wow6432Node path
    REG ADD "HKLM\Software\Microsoft\Cryptography\Wintrust\Config" /v EnableCertPaddingCheck /t REG_SZ /d 1 /f
    REG ADD "HKLM\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config" /v EnableCertPaddingCheck /t REG_SZ /d 1 /f
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /f /v AllowEncryptionOracle /t REG_DWORD /d 0
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fDenyTSConnections /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowFullControl /t REG_DWORD /D 0 /f
    REG ADD "HKLM\SOFTWARE\Microsoft\WBEM\CIMOM" /v AllowAnonymousCallback /t REG_DWORD /d 0 /f
    REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v fDisableEncryption /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v fAllowSecProtocolNegotiation /t REG_DWORD /d 1 /f
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fDisableAutoReconnect /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v KeepAliveEnable /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v fQueryUserConfigFromLocalMachine /t REG_DWORD /d 0 /f
    :: remove the pinned RDP certificate hash (it is a value under WinStations\RDP-Tcp, not a subkey) so a fresh one is generated
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SSLCertificateSHA1Hash /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths" /v Machine /t REG_MULTI_SZ /d "" /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "AllowRemoteRPC" /t "REG_DWORD" /d "0" /f
    sc stop TermService
    sc config TermService start= disabled
    REG ADD "HKLM\SYSTEM\CurrentControlSet\services\TermService" /v Start /t REG_DWORD /d 4 /f
    sc stop RemoteRegistry
    sc config RemoteRegistry start= disabled
    REG ADD "HKLM\SYSTEM\CurrentControlSet\services\RemoteRegistry" /v Start /t REG_DWORD /d 4 /f
    REG ADD "HKLM\System\CurrentControlSet\Control\SecurePipeServers" /v Winreg /t REG_DWORD /d 1 /f

    For RD this .reg file can be run without hassle:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout]
    "MaxDenials"=dword:00000001
    "ResetTime (mins)"=dword:00000b40

    For a read on RD (TermService) params see here: https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/troubleshoot-rdp-general-error
    RD certificate securing: http://woshub.com/securing-rdp-connections-trusted-ssl-tls-certificates/
     
    Last edited: Nov 26, 2021
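An added example, not from the post above: after running a hardening script like the one posted, a practitioner wants a read-only check of what the machine actually has. This PowerShell audit reads the credential and Remote Desktop values the post sets (DisableCAD, RunAsPPL, WDigest, LsaCfgFlags, NTLM, cached logons, RDP/NLA, the RemoteAccess lockout from the .reg file) and reports current versus hardened value. Which values to include, and the labels, are my own selection and an assumption, not an exhaustive copy of the post.

```powershell
# Added example (not from the forum post): read-only audit of the credential /
# Remote Desktop hardening values the post sets with REG ADD and the .reg file.
# Run from an elevated PowerShell so every HKLM key is readable.
# The list of checks is my own selection (assumption), not an exhaustive copy.

$checks = @(
    @{ Name = 'Ctrl+Alt+Del required at logon';   Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';               Value = 'DisableCAD';          Expected = 0 }
    @{ Name = 'LSASS runs as protected process';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                    Value = 'RunAsPPL';            Expected = 1 }
    @{ Name = 'WDigest plaintext caching off';    Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';              Value = 'UseLogonCredential';  Expected = 0 }
    @{ Name = 'Credential Guard requested';       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                    Value = 'LsaCfgFlags';         Expected = 1 }
    @{ Name = 'No LM hash storage';               Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                    Value = 'NoLMHash';            Expected = 1 }
    @{ Name = 'NTLMv2 only, refuse LM/NTLM';      Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                    Value = 'LmCompatibilityLevel';Expected = 5 }
    @{ Name = 'No cached domain logons';          Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';                   Value = 'CachedLogonsCount';   Expected = '0' }
    @{ Name = 'RDP connections denied';           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';                        Value = 'fDenyTSConnections';  Expected = 1 }
    @{ Name = 'RDP requires NLA';                 Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp';    Value = 'UserAuthentication';  Expected = 1 }
    @{ Name = 'RemoteAccess lockout after 1 denial'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'; Value = 'MaxDenials';       Expected = 1 }
)

function Get-HardeningState {
    foreach ($c in $checks) {
        # A missing key or value comes back as $null. Many of these default to the
        # weaker behaviour when absent, so "not set" is reported as a finding too.
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Value) } else { $null }
        # Compare as strings so REG_SZ values (CachedLogonsCount) and DWORDs are handled alike.
        $status = if ($null -ne $actual -and "$actual" -eq "$($c.Expected)") { 'OK' } else { 'REVIEW' }
        $shown  = if ($null -eq $actual) { '(not set)' } else { $actual }
        [pscustomobject]@{
            Check    = $c.Name
            Value    = $c.Value
            Actual   = $shown
            Expected = $c.Expected
            Status   = $status
        }
    }
}

Get-HardeningState | Format-Table -AutoSize

# The registry flag only says Credential Guard was requested. Ask the platform
# what is actually running: 1 = Credential Guard, 2 = HVCI (memory integrity).
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg) { "Security services running: $($dg.SecurityServicesRunning -join ', ')" }

# The local lockout policy the post sets with "net accounts", for the same comparison.
net accounts | Select-String -Pattern 'Lockout'
```

The comparison is deliberately string-based: CachedLogonsCount is a REG_SZ, the rest are REG_DWORD, and a value that is absent is reported as REVIEW rather than assumed safe, because for most of these the absent-value default is the weaker behaviour. The Win32_DeviceGuard query matters on a machine whose hardware cannot run VBS: the registry can say Credential Guard is enabled while nothing is actually protecting LSASS.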
  6. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,642
    Location:
    USA
    My understanding of a PIN for Windows is that it cannot be used remotely and when used locally you get 3 guesses before you have to restart the machine.
     
  7. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
    Thanks, great stuff. :thumb:
    I think it is 5 or 10, but then you have to wait for 2 hours or use a different login.
     