Work in progress / rebuild
Any help is welcome!
TL;DR: This awesome tool does a lot of stuff listed here
- Standards for a highly secure Windows 10 device
- Latest Windows 10 stable version
- System up2date
- (default activated) internal Windows Defender protection instead of external "Security" solutions
- Latest Driver and Program updates
- No "Tuning" tools
- Only necessary tools which you really need
- Hardware Requirements for System Guard / Hardware-based Isolation
- Hardware Requirements for Memory integrity
- Hardware Requirements for Windows Defender Application Guard (WDAG)
- Deploy latest Microsoft Security Baseline and keep it up2date
- Install Windows Defender Application Guard (WDAG)
- Enable Memory integrity (HVCI)
- Enable network protection
- Enable controlled folder access
- Enable attack surface reduction rules (ASR)
- Enable System Guard Secure Launch
- Enable cloud-delivered protection
- Configure PUA protection in Windows Defender Antivirus
- Enable BitLocker Encryption
- Use Windows Sandbox for test/unknown/untrusted binaries
- Enable sandboxing for Windows Defender Antivirus
- Only elevate executables that are signed and validated
- Specify the cloud-delivered protection level
- Configure exploit protection
- Microsoft recommended block rules
- Control USB devices and other removable media
- UEFI Hardening (NSA Defensive Practices Guidance) PDF
- Hardware and Firmware Security Guidance for Windows & AMD CPUs - for others, see the overview
- Configure Application Control
- Validate connections between your network and the Windows Defender Antivirus cloud service
- Verify client connectivity to Microsoft Defender ATP service URLs
- Validate Windows Defender Tamper protection
- Confirm and validate that Defender "block at first sight" is enabled
- Windows Defender Testground
- Windows Defender SmartScreen Demo Pages
- Validate your Kernel DMA Protection
- https://github.com/frizb/Windows-Privilege-Escalation
- https://github.com/LOLBAS-Project/LOLBAS
- https://github.com/api0cradle/UltimateAppLockerByPassList
- https://trustedwindows.wordpress.com/
All my commits are signed with my GPG Key:
ID 4AEE18F83AFDEB23 (0x620F071D)
Fingerprint: 3D3AA8EA763AA97DA252071497F9E213620F071D