Windows 11 Hardening Script Configurations
Richard Wadsworth
ISO 22301\27001A CSP BAPC SFPC SDPC SPOPC SMPC SSPC USFC ALPC CDSPC KEPC KIKF SPLPC DEPC DCPC DFPC DTPC IMPC CSFPC CEHPC SDLPC HDPC C3SA BTF CTIA CI\CCFI GAIPC CAIPC CAIEPC AIRMPC CPEFPC BCPC
Overview
The Windows 11 CIS Benchmark Hardening Script applies critical security configurations to enhance the resilience of Windows systems against unauthorized access, malware, and other vulnerabilities. This article provides a detailed overview of each setting and its role in securing your system.
The Center for Internet Security (CIS) Benchmarks offer a set of best practices to secure IT systems. This hardening script automates the implementation of these recommendations for Windows 11, addressing key areas such as password policies, user account management, and network security.
Key Configurations in the Hardening Script (PowerShell)
Administrative Privileges Enforcement
Ensures the script runs with administrative rights, necessary for making critical system changes.
# Ensure script is run with administrative privileges
# This section ensures the script is executed with Administrator rights.
if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    Write-Error "This script must be run as an Administrator. Exiting."
    exit 1
}
Disable Guest Account
Deactivates the Guest account to prevent unauthorized access.
# Disable Guest Account
# Disabling the Guest account enhances security by preventing unauthorized access.
Write-Host "Disabling Guest Account..."
Set-LocalUser -Name Guest -Enabled $false
Password Policies
Enforces password complexity, minimum length (14 characters), aging, and history requirements to reduce vulnerability to brute-force attacks.
# Enforce Password Policies
# Configures password complexity, length, age, and history to meet security standards.
Write-Host "Configuring password policies..."
secedit /export /cfg C:\Windows\Temp\secpol.cfg
(Get-Content C:\Windows\Temp\secpol.cfg).replace("PasswordComplexity = 0", "PasswordComplexity = 1") |
Set-Content C:\Windows\Temp\secpol.cfg
(Get-Content C:\Windows\Temp\secpol.cfg).replace("MinimumPasswordLength = 0", "MinimumPasswordLength = 14") |
Set-Content C:\Windows\Temp\secpol.cfg
(Get-Content C:\Windows\Temp\secpol.cfg).replace("MinimumPasswordAge = 0", "MinimumPasswordAge = 1") |
Set-Content C:\Windows\Temp\secpol.cfg
(Get-Content C:\Windows\Temp\secpol.cfg).replace("PasswordHistorySize = 0", "PasswordHistorySize = 24") |
Set-Content C:\Windows\Temp\secpol.cfg
secedit /configure /db C:\Windows\Security\Database\secedit.sdb /cfg C:\Windows\Temp\secpol.cfg /areas SECURITYPOLICY
Disable SMBv1
Protects against vulnerabilities in the outdated SMBv1 protocol, often exploited by ransomware.
# Disable SMBv1
# Disabling SMBv1 protects against vulnerabilities inherent in this outdated protocol.
Write-Host "Disabling SMBv1..."
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
Enable Windows Firewall
Activates the firewall across all profiles to restrict unauthorized traffic.
# Enable Windows Firewall
# Ensures the Windows Firewall is active for all profiles to enhance network security.
Write-Host "Enabling Windows Firewall..."
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
Configure Windows Defender Antivirus
Enables real-time monitoring, advanced threat reporting, and PUA protection for proactive malware defense.
# Configure Windows Defender Antivirus
# Configures Windows Defender to enable real-time monitoring, reporting, and PUA protection.
Write-Host "Configuring Windows Defender Antivirus..."
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples
Set-MpPreference -PUAProtection Enabled
Enable BitLocker Encryption
Encrypts the system drive using AES-256 to safeguard data against theft or loss.
# Enable BitLocker (if applicable)
# Enables BitLocker to encrypt the system drive using AES-256 (XTS mode). Enable-BitLocker requires
# a key protector, so the TPM is used to unlock the drive; a recovery password is then added as the
# fallback and should be backed up (for example with Backup-BitLockerKeyProtector) before relying on it.
Write-Host "Enabling BitLocker..."
Enable-BitLocker -MountPoint C: -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest -TpmProtector
Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector | Out-Null
Disable Unnecessary Services
Reduces the attack surface by disabling non-essential services.
# Disable Unnecessary Services
# Stops and disables services that are not essential and may pose security risks.
Write-Host "Disabling unnecessary services..."
Get-Service -Name "XboxGipSvc", "DiagTrack", "WMPNetworkSvc" -ErrorAction SilentlyContinue | ForEach-Object {
    Stop-Service $_.Name -Force
    Set-Service $_.Name -StartupType Disabled
}
Audit Policies / Login Auditing
Logs successful and failed actions across system categories for better monitoring.
Monitors logon and account logon events to detect unauthorized access attempts.
# Audit Policies
# Configures audit policies to log successful and failed events for all categories.
Write-Host "Configuring audit policies..."
auditpol /set /category:* /success:enable /failure:enable
# Add Login Auditing
# Enables auditing for user logon and logoff events.
Write-Host "Enabling login auditing..."
AuditPol /Set /Subcategory:"Logon" /Success:Enable /Failure:Enable
AuditPol /Set /Subcategory:"Account Logon" /Success:Enable /Failure:Enable
Account Lockout Policy
Locks accounts after three failed login attempts to prevent brute-force attacks.
# Set Account Lockout Policy
# Configures the account lockout policy to lock accounts after 3 failed attempts, requiring admin to unlock.
Write-Host "Setting account lockout policy..."
net accounts /lockoutthreshold:3 /lockoutduration:0 /lockoutwindow:30
Write-Host "Account lockout policy configured to require admin intervention for unlock."
Account Complexity Requirements
Ensures passwords contain uppercase letters, numbers, and special characters.
# Enforce Account Complexity Requirements
# Enforces the use of complex passwords.
Write-Host "Enforcing account complexity requirements..."
secedit /export /cfg C:\Windows\Temp\complexity.cfg
(Get-Content C:\Windows\Temp\complexity.cfg).replace("PasswordComplexity = 0", "PasswordComplexity = 1") |
Set-Content C:\Windows\Temp\complexity.cfg
secedit /configure /db C:\Windows\Security\Database\secedit.sdb /cfg C:\Windows\Temp\complexity.cfg /areas SECURITYPOLICY
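The string replacements used in the password policy and complexity sections above only take effect when the exported value is exactly 0; if the template already holds any other value, the line is left untouched and the import silently changes nothing. The helper below, an added example that is not part of the original script, rewrites the line whatever its current value is, inserts it if the export lacks it, and reads the value back for verification; the working-file paths under $env:TEMP are an assumption.

```powershell
# Added example (not from the original script): set one [System Access] value in an
# exported security template regardless of its current value, then import it.
function Set-SecurityPolicyValue {
    param(
        [Parameter(Mandatory)][string]$Name,    # e.g. MinimumPasswordLength
        [Parameter(Mandatory)][string]$Value,   # e.g. 14
        [string]$TemplatePath = "$env:TEMP\secpol.cfg"   # assumed working file
    )
    secedit /export /cfg $TemplatePath | Out-Null
    if (-not (Test-Path $TemplatePath)) { throw "secedit export failed (run elevated)" }

    $lines   = Get-Content -Path $TemplatePath
    $pattern = "^\s*$([regex]::Escape($Name))\s*=.*$"
    if (@($lines -match $pattern).Count -gt 0) {
        # Key present: rewrite the line whatever value it currently holds
        $lines = $lines -replace $pattern, "$Name = $Value"
    } else {
        # Key absent from the export: add it directly under the [System Access] header
        $idx = [array]::IndexOf($lines, '[System Access]')
        if ($idx -lt 0) { throw "No [System Access] section in $TemplatePath" }
        $lines = @($lines[0..$idx]) + "$Name = $Value" + @($lines[($idx + 1)..($lines.Count - 1)])
    }
    # secedit writes a UTF-16 template; keep that encoding instead of Set-Content's default
    Set-Content -Path $TemplatePath -Value $lines -Encoding Unicode
    secedit /configure /db "$env:windir\Security\Database\secedit.sdb" /cfg $TemplatePath /areas SECURITYPOLICY | Out-Null
    Remove-Item $TemplatePath -ErrorAction SilentlyContinue
}

# Read a value back from a fresh export so the change can be verified after import
function Get-SecurityPolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    $tmp = "$env:TEMP\secpol-verify.cfg"   # assumed working file
    secedit /export /cfg $tmp | Out-Null
    $line = Get-Content $tmp | Where-Object { $_ -match "^\s*$([regex]::Escape($Name))\s*=" } | Select-Object -First 1
    Remove-Item $tmp -ErrorAction SilentlyContinue
    if ($line -match '=\s*(.+)$') { return $Matches[1].Trim() }
}

Set-SecurityPolicyValue -Name 'MinimumPasswordLength' -Value '14'
Set-SecurityPolicyValue -Name 'PasswordHistorySize'   -Value '24'
Set-SecurityPolicyValue -Name 'MinimumPasswordAge'    -Value '1'
Get-SecurityPolicyValue -Name 'MinimumPasswordLength'
```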
Disable Automatic Login
Removes stored credentials to strengthen physical security.
# Disable Automatic Login
# Turns off AutoAdminLogon and removes any stored automatic login credentials to prevent unauthorized access.
Write-Host "Disabling automatic login..."
$winlogon = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Set-ItemProperty -Path $winlogon -Name "AutoAdminLogon" -Value "0"
Remove-ItemProperty -Path $winlogon -Name "DefaultUserName" -ErrorAction SilentlyContinue
Remove-ItemProperty -Path $winlogon -Name "DefaultPassword" -ErrorAction SilentlyContinue
Disable Remote Desktop
Disables RDP unless required to reduce exposure to external attacks.
# Disable Remote Desktop (if not needed)
# Disables Remote Desktop to reduce exposure to external attacks.
Write-Host "Disabling Remote Desktop..."
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1
Disable Autorun
Prevents automatic execution of programs from removable drives to mitigate malware risks.
# Disable Autorun
# Disables Autorun for all drives to prevent automatic execution of potentially malicious files.
Write-Host "Disabling Autorun..."
# The Policies\Explorer key may not exist yet; Set-ItemProperty fails on a missing path
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "NoDriveTypeAutoRun" -Value 255 -Type DWord
Harden Disk Access
Restricts write access to removable drives and USB devices without BitLocker protection.
# Harden Disk Access
# Configures disk access permissions to restrict unauthorized changes and access.
Write-Host "Hardening disk access..."
# Deny write access to removable drives not protected by BitLocker (policy value RDVDenyWriteAccess)
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -Name "RDVDenyWriteAccess" -Value 1 -Type DWord
# Disable the USB mass-storage driver (Start = 4) so USB storage devices cannot be mounted
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR" -Name "Start" -Value 4
Write-Host "Disk access hardened to restrict unauthorized modifications."
Disable Unnecessary Scheduled Tasks
Disables telemetry and defragmentation tasks that may introduce vulnerabilities.
# Disable Unnecessary Scheduled Tasks
# Disables scheduled tasks that are not required and could be used for attacks.
Write-Host "Disabling unnecessary scheduled tasks..."
$tasks = @("\Microsoft\Windows\Customer Experience Improvement Program\Consolidator",
"\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip",
"\Microsoft\Windows\Defrag\ScheduledDefrag")
foreach ($task in $tasks) {
    # Split "\Folder\Sub\Name" into TaskPath "\Folder\Sub\" (trailing backslash required) and TaskName "Name"
    $taskPath = $task -replace "\\[^\\]+$", "\"
    $taskName = $task -replace ".*\\", ""
    Disable-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue | Out-Null
}
Write-Host "Unnecessary scheduled tasks disabled."
Enable Secure Boot
Ensures only trusted software can load during system boot.
# Enable Secure Boot
# Ensures Secure Boot is enabled to prevent unauthorized software from loading during boot.
Write-Host "Ensuring Secure Boot is enabled..."
try {
    if (Confirm-SecureBootUEFI) {
        Write-Host "Secure Boot is enabled."
    } else {
        Write-Warning "Secure Boot is not enabled. Please enable it in the UEFI firmware settings."
    }
} catch {
    # Confirm-SecureBootUEFI throws on legacy BIOS systems rather than returning $false
    Write-Warning "Secure Boot is not supported on this platform (legacy BIOS)."
}
Enable Tamper Protection
Prevents unauthorized modifications to Windows Security settings.
# Check Tamper Protection for Windows Security
# Tamper Protection has no Set-MpPreference switch; it is turned on in the Windows Security app
# (Virus & threat protection settings) or through Intune/MDM, so the script can only verify it.
Write-Host "Checking Tamper Protection..."
if ((Get-MpComputerStatus).IsTamperProtected) {
    Write-Host "Tamper Protection is enabled."
} else {
    Write-Warning "Tamper Protection is not enabled. Turn it on in Windows Security or via MDM."
}
Enable Credential Guard
Isolates credentials in a secure environment to prevent theft.
# Enable Credential Guard
# Protects credentials by isolating them in a secure environment.
# Credential Guard runs on virtualization-based security (VBS), so VBS is enabled alongside LsaCfgFlags.
# LsaCfgFlags 1 = enabled with UEFI lock, 2 = enabled without lock. A reboot is required.
Write-Host "Enabling Credential Guard..."
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f
Write-Host "Credential Guard enabled (takes effect after reboot)."
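Several of the settings above only request a change: Credential Guard needs a reboot, BitLocker encrypts in the background, and a registry policy can be reverted by Group Policy or a later script. The check below, an added example that is not part of the original script, reports whether each hardening item is actually in effect so drift can be spotted; it assumes an elevated session and C: as the system drive.

```powershell
# Added example (not part of the original script): verify the hardening settings are in effect.
function Test-HardeningState {
    $checks = [System.Collections.Generic.List[object]]::new()
    function Add-Check([string]$Name, $Pass, $Detail) {
        $checks.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" })
    }
    $guest = Get-LocalUser -Name Guest -ErrorAction SilentlyContinue
    Add-Check 'Guest account disabled' ($guest -and -not $guest.Enabled) $guest.Enabled

    $smb1 = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    Add-Check 'SMBv1 not enabled' ($smb1 -ne 'Enabled') $smb1

    $fwOff = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
    Add-Check 'Firewall on for all profiles' ($fwOff.Count -eq 0) ("Disabled: " + ($fwOff.Name -join ','))

    $mp = Get-MpPreference
    Add-Check 'Defender real-time monitoring' (-not $mp.DisableRealtimeMonitoring) $mp.DisableRealtimeMonitoring
    Add-Check 'Defender PUA protection' ($mp.PUAProtection -eq 1) $mp.PUAProtection
    Add-Check 'Tamper Protection' (Get-MpComputerStatus).IsTamperProtected ''

    $bl = Get-BitLockerVolume -MountPoint C: -ErrorAction SilentlyContinue
    Add-Check 'BitLocker protecting C:' ($bl.ProtectionStatus -eq 'On') "$($bl.ProtectionStatus) $($bl.EncryptionMethod)"

    $rdp = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
    Add-Check 'RDP connections denied' ($rdp -eq 1) $rdp

    $ar = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    Add-Check 'Autorun disabled (255)' ($ar -eq 255) $ar

    $usb = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR').Start
    Add-Check 'USB storage driver disabled (4)' ($usb -eq 4) $usb

    # LsaCfgFlags only requests Credential Guard; Win32_DeviceGuard reports whether it is running (1)
    $lsa = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').LsaCfgFlags
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    Add-Check 'Credential Guard configured' ($lsa -eq 1) $lsa
    Add-Check 'Credential Guard running' ($dg.SecurityServicesRunning -contains 1) ($dg.SecurityServicesRunning -join ',')

    # Confirm-SecureBootUEFI throws on legacy BIOS systems rather than returning $false
    try   { Add-Check 'Secure Boot enabled' (Confirm-SecureBootUEFI) '' }
    catch { Add-Check 'Secure Boot enabled' $false $_.Exception.Message }

    $logon = (auditpol /get /subcategory:"Logon" /r | Where-Object { $_ } | ConvertFrom-Csv).'Inclusion Setting'
    Add-Check 'Logon auditing (success+failure)' ($logon -eq 'Success and Failure') $logon

    return $checks
}

Test-HardeningState | Format-Table -AutoSize
```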
Best Practices for Using the Hardening Script
- Testing in a Non-Production Environment: Validate the script in a controlled environment to ensure compatibility with your organization’s applications and policies.
- Backup Before Applying: Create backups of configurations and critical data to enable quick restoration if required.
- Regular Reviews: Periodically revisit the script and CIS Benchmarks to stay updated with evolving security threats and recommendations.
- Custom Adjustments: Tailor the script to match the specific security requirements and operational needs of your environment.
The Windows 11 CIS Benchmark Hardening Script provides a powerful, automated approach to implementing best practices for system security. By applying these settings, organizations can significantly enhance their defenses against a wide range of threats while maintaining system integrity and compliance with security standards.
Example script can be found here