ASD's Blueprint for Secure Cloud

ASD Windows Hardening Guidelines

This section describes the configuration of device configuration profiles within Microsoft Intune associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.


Basics

Item | Value
Name | ASD Windows Hardening Guidelines
Description | All currently available settings recommended within the ASD Windows Hardening Guidelines for Windows 10/11.
Platform | Windows 10 and later

Assignments

Included groups

Item | Value
Groups | All devices

Excluded groups

None

Scope tags

Item | Value
Scope tags | Default

Configuration settings

Administrative Templates

Item | Value
MS Security Guide
Apply UAC restrictions to local accounts on network logons | Enabled
Configure SMB v1 client driver | Enabled
- Configure MrxSmb10 driver | Disable driver (recommended)
Configure SMB v1 server | Disabled
Enable Structured Exception Handling Overwrite Protection (SEHOP) | Enabled
MSS (Legacy)
MSS: (DisableIPSourceRoutingIPv6) IP source routing protection level (protects against packet spoofing) | Enabled
- DisableIPSourceRoutingIPv6 (Device) | Highest protection, source routing is completely disabled
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) | Enabled
- DisableIPSourceRouting (Device) | Highest protection, source routing is completely disabled
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | Disabled
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Enabled
System
Prevent access to registry editing tools (User) | Enabled
- Disable regedit from running silently? (User) | Yes
Prevent access to the command prompt (User) | Enabled
- Disable the command prompt script processing also? (User) | Yes
System > Audit Process Creation
Include command line in process creation events | Enabled
System > Credentials Delegation
Remote host allows delegation of non-exportable credentials | Enabled
System > Early Launch Antimalware
Boot-Start Driver Initialization Policy | Enabled
- Choose the boot-start drivers that can be initialized: | Good and unknown
System > Group Policy
Configure registry policy processing | Enabled
- Do not apply during periodic background processing (Device) | False
- Process even if the Group Policy objects have not changed (Device) | True
Configure security policy processing | Enabled
- Do not apply during periodic background processing (Device) | False
- Process even if the Group Policy objects have not changed (Device) | True
Turn off background refresh of Group Policy | Disabled
Turn off Local Group Policy Objects processing | Enabled
Turn off Resultant Set of Policy logging | Enabled
System > Logon
Allow users to select when a password is required when resuming from connected standby | Disabled
Do not display network selection UI | Enabled
Do not process the legacy run list | Enabled
Do not process the run once list | Enabled
Enumerate local users on domain-joined computers | Disabled
Run these programs at user logon | Disabled
Turn off app notifications on the lock screen | Enabled
Turn off picture password sign-in | Enabled
Turn on convenience PIN sign-in | Disabled
System > Remote Assistance
Configure Offer Remote Assistance | Disabled
Configure Solicited Remote Assistance | Disabled
System > Remote Procedure Call
Restrict Unauthenticated RPC clients | Enabled
- RPC Runtime Unauthenticated Client Restriction to Apply: | Authenticated
System > Removable Storage Access
All Removable Storage classes: Deny all access | Enabled
CD and DVD: Deny execute access | Enabled
CD and DVD: Deny read access | Disabled
CD and DVD: Deny write access | Enabled
Custom Classes: Deny read access | Disabled
Floppy Drives: Deny execute access | Enabled
Floppy Drives: Deny read access | Disabled
Floppy Drives: Deny write access | Enabled
Removable Disks: Deny execute access | Enabled
Removable Disks: Deny read access | Disabled
Tape Drives: Deny execute access | Enabled
Tape Drives: Deny read access | Disabled
Tape Drives: Deny write access | Enabled
WPD Devices: Deny read access | Disabled
WPD Devices: Deny write access | Enabled
Windows Components > Windows Remote Shell
Allow Remote Shell Access | Disabled
Windows Components > Windows Remote Management (WinRM) > WinRM Service
Allow Basic authentication | Disabled
Allow unencrypted traffic | Disabled
Disallow WinRM from storing RunAs credentials | Enabled
Windows Components > Windows Remote Management (WinRM) > WinRM Client
Allow Basic authentication | Disabled
Allow unencrypted traffic | Disabled
Disallow Digest authentication | Enabled
Windows Components > Windows PowerShell
Execution Policy (Device) | Allow only signed scripts
Turn on PowerShell Script Block Logging | Enabled
- Log script block invocation start / stop events: | False
Turn on Script Execution | Enabled
Windows Components > Windows Logon Options
Disable or enable software Secure Attention Sequence | Disabled
Sign-in and lock last interactive user automatically after a restart | Disabled
Windows Components > Store
Turn off the Store application | Enabled
Windows Components > Sound Recorder
Do not allow Sound Recorder to run | Enabled
Windows Components > RSS Feeds
Prevent downloading of enclosures | Enabled
Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
- Encryption Level | High Level
Always prompt for password upon connection | Enabled
Do not allow local administrators to customize permissions | Enabled
Require secure RPC communication | Enabled
Require use of specific security layer for remote (RDP) connections | Enabled
- Security Layer (Device) | SSL
Require user authentication for remote connections by using Network Level Authentication | Enabled
Set client connection encryption level | Enabled
Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
Do not allow Clipboard redirection | Enabled
Do not allow drive redirection | Enabled
Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections
Allow users to connect remotely by using Remote Desktop Services | Disabled
Deny logoff of an administrator logged in to the console session | Enabled
Windows Components > Remote Desktop Services > Remote Desktop Connection Client
Configure server authentication for client | Enabled
- Authentication setting: (Device) | Do not connect if authentication fails
Do not allow passwords to be saved | Enabled
Windows Components > Network Sharing
Prevent users from sharing files within their profile. (User) | Enabled
Windows Components > Microsoft Defender Antivirus
Turn off Microsoft Defender Antivirus | Disabled
Windows Components > Microsoft Defender Antivirus > MAPS
Configure local setting override for reporting to Microsoft MAPS | Disabled
Configure the 'Block at First Sight' feature | Enabled
Join Microsoft MAPS | Enabled
- Join Microsoft MAPS (Device) | Advanced MAPS
Windows Components > Microsoft Defender Antivirus > Quarantine
Configure removal of items from Quarantine folder | Disabled
Windows Components > Microsoft Defender Antivirus > Real-time Protection
Scan all downloaded files and attachments | Enabled
Turn off real-time protection | Disabled
Turn on behavior monitoring | Enabled
Turn on process scanning whenever real-time protection is enabled | Enabled
Windows Components > Microsoft Defender Antivirus > Scan
Allow users to pause scan | Disabled
Scan archive files | Enabled
Scan packed executables | Enabled
Scan removable drives | Enabled
Turn on e-mail scanning | Enabled
Turn on heuristics | Enabled
Windows Components > Microsoft account
Block all consumer Microsoft account user authentication | Enabled
Windows Components > Location and Sensors
Turn off location scripting | Enabled
Windows Components > Location and Sensors > Windows Location Provider
Turn off Windows Location Provider | Enabled
Windows Components > HomeGroup
Prevent the computer from joining a homegroup | Enabled
Windows Components > File Explorer
Configure Windows Defender SmartScreen | Enabled
- Pick one of the following settings: (Device) | Warn and prevent bypass
Remove CD Burning features (User) | Enabled
Remove Security tab (User) | Enabled
Show hibernate in the power options menu | Disabled
Show sleep in the power options menu | Disabled
Turn off Data Execution Prevention for Explorer | Disabled
Turn off heap termination on corruption | Disabled
Turn off shell protocol protected mode | Disabled
Windows Components > Event Log Service > System
- Maximum Log Size (KB) | 65536
Specify the maximum log file size (KB) | Enabled
Windows Components > Event Log Service > Security
- Maximum Log Size (KB) | 2097152
Specify the maximum log file size (KB) | Enabled
Windows Components > Event Log Service > Application
- Maximum Log Size (KB) | 65536
Specify the maximum log file size (KB) | Enabled
Windows Components > Credential User Interface
Do not display the password reveal button | Enabled
Enumerate administrator accounts on elevation | Disabled
Prevent the use of security questions for local accounts | Enabled
Require trusted path for credential entry | Enabled
Windows Components > AutoPlay Policies
- Turn off Autoplay on: | All drives
Disallow Autoplay for non-volume devices | Enabled
Set the default behavior for AutoRun | Enabled
- Default AutoRun Behavior | Do not execute any autorun commands
Turn off Autoplay | Enabled
Windows Components > Attachment Manager
Do not preserve zone information in file attachments (User) | Disabled
Hide mechanisms to remove zone information (User) | Enabled
Windows Components > Application Compatibility
Turn off Inventory Collector | Enabled
Turn off Steps Recorder | Enabled
System > Troubleshooting and Diagnostics > Microsoft Support Diagnostic Tool
Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider | Disabled
System > Power Management > Sleep Settings
- System Sleep Timeout (seconds): | 0
Allow standby states (S1-S3) when sleeping (on battery) | Disabled
Allow standby states (S1-S3) when sleeping (plugged in) | Disabled
Require a password when a computer wakes (on battery) | Enabled
Require a password when a computer wakes (plugged in) | Enabled
Specify the system hibernate timeout (on battery) | Enabled
- System Hibernate Timeout (seconds): | 0
Specify the system hibernate timeout (plugged in) | Enabled
- System Hibernate Timeout (seconds): | 0
Specify the system sleep timeout (on battery) | Enabled
- System Sleep Timeout (seconds): | 0
Specify the system sleep timeout (plugged in) | Enabled
System > Internet Communication Management > Internet Communication settings
Turn off access to the Store | Enabled
System > Device Installation > Device Installation Restrictions
- Prevented Classes | {d48179be-ec20-11d1-b6b8-00c04fa372a7}
- Also apply to matching devices that are already installed. | True
Prevent installation of devices that match any of these device IDs | Enabled
- Also apply to matching devices that are already installed. | True
- Prevented device IDs | PCI\CC_0C0010, PCI\CC_0C0A
Prevent installation of devices using drivers that match these device setup classes | Enabled
Start Menu and Taskbar > Notifications
Turn off toast notifications on the lock screen (User) | Enabled
Network > Windows Connection Manager
Prohibit connection to non-domain networks when connected to domain authenticated network | Enabled
Network > Network Provider
Hardened UNC Paths | Enabled
- Value | RequireMutualAuthentication=1,RequireIntegrity=1
- Name | \\*\NETLOGON
- Value | RequireMutualAuthentication=1,RequireIntegrity=1
- Name | \\*\SYSVOL
Network > Network Connections
- Select from the following states: (Device) | Enabled State
Prohibit installation and configuration of Network Bridge on your DNS domain network | Enabled
Prohibit use of Internet Connection Sharing on your DNS domain network | Enabled
Route all traffic through the internal network | Enabled
Network > DNS Client
Turn off multicast name resolution | Enabled
Control Panel > Personalization
- Seconds: (User) | 900
Enable screen saver (User) | Enabled
Password protect the screen saver (User) | Enabled
Prevent enabling lock screen camera | Enabled
Prevent enabling lock screen slide show | Enabled
Screen saver timeout (User) | Enabled

Auditing

Item | Value
Account Logon Logoff Audit Account Lockout | Failure
Account Logon Logoff Audit Group Membership | Success
Account Logon Logoff Audit Logoff | Success
Account Logon Logoff Audit Logon | Success+Failure
Account Management Audit Computer Account Management | Success+Failure
Account Management Audit Other Account Management Events | Success+Failure
Audit Changes to Audit Policy | Success+Failure
Audit File Share Access | Success+Failure
Audit Other Logon Logoff Events | Success+Failure
Audit Security Group Management | Success+Failure
Audit Special Logon | Success+Failure
Audit User Account Management | Success+Failure
Detailed Tracking Audit Process Creation | Success
Detailed Tracking Audit Process Termination | Success
Object Access Audit File System | Success+Failure
Object Access Audit Kernel Object | Success+Failure
Object Access Audit Other Object Access Events | Success+Failure
Object Access Audit Registry | Success+Failure
Policy Change Audit Other Policy Change Events | Success+Failure
System Audit System Integrity | Success+Failure

Browser

Item | Value
Allow Developer Tools | Block
Allow Do Not Track | Allow
Allow Flash | Block
Allow Password Manager | Block
Allow Popups | Allow
Allow Smart Screen | Allow
Prevent Access To About Flags In Microsoft Edge | Enabled
Prevent Smart Screen Prompt Override | Enabled
Prevent Smart Screen Prompt Override For Files | Enabled

Defender

Item | Value
Cloud Block Level | High
Cloud Extended Timeout | 50
Enable Network Protection | Enabled (block mode)
Submit Samples Consent | Send safe samples automatically.

Device Guard

Item | Value
Configure System Guard Launch | Unmanaged: enables Secure Launch if supported by hardware
Require Platform Security Features | Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support.

Experience

Item | Value
Allow Cortana | Block
Allow Windows Spotlight (User) | Allow
- Allow Third Party Suggestions In Windows Spotlight (User) | Block
- Allow Windows Consumer Features | Block
Show Lock On User Tile | Enabled

Lanman Workstation

Item | Value
Enable Insecure Guest Logons | Disabled

Local Policies Security Options

Item | Value
Accounts Block Microsoft Accounts | Users can't add or log on with Microsoft accounts
Accounts Enable Administrator Account Status | Disable
Accounts Enable Guest Account Status | Disable
Accounts Limit Local Account Use Of Blank Passwords To Console Logon Only | Enabled
Devices Prevent Users From Installing Printer Drivers When Connecting To Shared Printers | Enable
Interactive Logon Do Not Require CTRLALTDEL | Disabled
Interactive Logon Machine Inactivity Limit | 900
Microsoft Network Client Digitally Sign Communications Always | Enable
Microsoft Network Client Digitally Sign Communications If Server Agrees | Enable
Microsoft Network Client Send Unencrypted Password To Third Party SMB Servers | Disable
Microsoft Network Server Digitally Sign Communications Always | Enable
Microsoft Network Server Digitally Sign Communications If Client Agrees | Enable
Network Access Do Not Allow Anonymous Enumeration Of SAM Accounts | Enabled
Network Access Do Not Allow Anonymous Enumeration Of Sam Accounts And Shares | Enabled
Network Access Restrict Anonymous Access To Named Pipes And Shares | Enable
Network Access Restrict Clients Allowed To Make Remote Calls To SAM | "O:BAG:BAD:(A;;RC;;;BA)"
Network Security Allow Local System To Use Computer Identity For NTLM | Allow
Network Security Allow PKU2U Authentication Requests | Block
Network Security Do Not Store LAN Manager Hash Value On Next Password Change | Enable
Network Security LAN Manager Authentication Level | Send LM and NTLMv2 responses only. Refuse LM and NTLM
Network Security Minimum Session Security For NTLMSSP Based Clients | Require NTLM and 128-bit encryption
Network Security Minimum Session Security For NTLMSSP Based Servers | Require NTLM and 128-bit encryption
User Account Control Allow UI Access Applications To Prompt For Elevation | Disabled
User Account Control Behavior Of The Elevation Prompt For Administrators | Prompt for credentials on the secure desktop
User Account Control Behavior Of The Elevation Prompt For Standard Users | Automatically deny elevation requests
User Account Control Detect Application Installations And Prompt For Elevation | Enable
User Account Control Only Elevate UI Access Applications That Are Installed In Secure Locations | Enabled: Application runs with UIAccess integrity only if it resides in secure location.
User Account Control Run All Administrators In Admin Approval Mode | Enabled
User Account Control Switch To The Secure Desktop When Prompting For Elevation | Enabled
User Account Control Use Admin Approval Mode | Enable
User Account Control Virtualize File And Registry Write Failures To Per User Locations | Enabled

Microsoft App Store

Item | Value
Allow Game DVR | Block
MSI Allow User Control Over Install | Disabled
MSI Always Install With Elevated Privileges | Disabled
MSI Always Install With Elevated Privileges (User) | Disabled

Microsoft Edge

Item | Value
Allow download restrictions | Enabled
- Download restrictions (Device) | Block potentially dangerous downloads
Configure Do Not Track | Enabled
Control the mode of DNS-over-HTTPS | Enabled
- Control the mode of DNS-over-HTTPS (Device) | Disable DNS-over-HTTPS
Control where developer tools can be used | Enabled
- Control where developer tools can be used (Device) | Don't allow using the developer tools
DNS interception checks enabled | Disabled
Content settings
Default pop-up window setting | Enabled
- Default pop-up window setting (Device) | Do not allow any site to show popups
Password manager and protection
Enable saving passwords to the password manager | Disabled
SmartScreen settings
Configure Microsoft Defender SmartScreen | Enabled
Prevent bypassing Microsoft Defender SmartScreen prompts for sites | Enabled
Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads | Enabled

Power

Item | Value
Turn Off Hybrid Sleep On Battery | hybrid sleep
Turn Off Hybrid Sleep Plugged In | hybrid sleep

Search

Item | Value
Allow Indexing Encrypted Stores Or Items | Block
Do Not Use Web Results | Not allowed. Queries won't be performed on the web and web results won't be displayed when a user performs a query in Search.

Smart Screen

Item | Value
Prevent Override For Files In Shell | Enabled

Storage

Item | Value
Removable Disk Deny Write Access | Enabled

System

Item | Value
Allow Location | Force Location Off. All Location Privacy settings are toggled off and grayed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search.
Allow Telemetry | Security
Disable One Drive File Sync | Sync enabled.

User Rights

Item | Value
Access From Network | BUILTIN\Remote Desktop Users; BUILTIN\Administrators
Allow Local Log On | BUILTIN\Users; BUILTIN\Administrators
Backup Files And Directories | BUILTIN\Administrators
Create Global Objects | NT AUTHORITY\SERVICE; NT AUTHORITY\NETWORK SERVICE; NT AUTHORITY\LOCAL SERVICE; BUILTIN\Administrators
Create Page File | BUILTIN\Administrators
Debug Programs | BUILTIN\Administrators
Deny Access From Network | NT AUTHORITY\Local account
Deny Remote Desktop Services Log On | NT AUTHORITY\Local account; BUILTIN\Administrators
Impersonate Client | NT AUTHORITY\SERVICE; NT AUTHORITY\NETWORK SERVICE; NT AUTHORITY\LOCAL SERVICE; BUILTIN\Administrators
Load Unload Device Drivers | BUILTIN\Administrators
Manage Auditing And Security Log | BUILTIN\Administrators
Manage Volume | BUILTIN\Administrators
Modify Firmware Environment | BUILTIN\Administrators
Profile Single Process | BUILTIN\Administrators
Remote Shutdown | BUILTIN\Administrators
Restore Files And Directories | BUILTIN\Administrators
Take Ownership | BUILTIN\Administrators

Wi-Fi Settings

Item | Value
Allow Auto Connect To Wi Fi Sense Hotspots | Block

Windows Defender Security Center

Item | Value
Disallow Exploit Protection Override | (Enable) Local users cannot make changes in the exploit protection settings area.

Windows Ink Workspace

Item | Value
Allow Windows Ink Workspace | Ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen.

References

  • None identified


Authorised by the Australian Government, Canberra