policy-and-service-config
# services and policies :\
# Hardening script for a Windows host: disables network-facing services and
# writes machine policy values. It needs an elevated session, and several of
# the changes below remove remote-administration paths (SMB server, RDP,
# WinRM), so keep console access to the machine while it runs.
# New names for the built-in Administrator and Guest accounts (used by the
# account-policy section further down).
$NewAdminName, $NewGuestName = 'GaryAdmin', 'GaryGuest'
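# Define the services to be disabled. The list is de-duplicated (Spooler was
# listed twice, so it was disabled and reported twice). Note that
# LanmanServer, TermService, WinRM and sshd are remote-administration paths:
# confirm out-of-band or console access before running this on a remote host.
$servicesToDisable = @(
    "MapsBroker",      # Downloaded Maps Manager
    "lfsvc",           # Geolocation Service
    "SharedAccess",    # Internet Connection Sharing (ICS)
    "lltdsvc",         # Link-Layer Topology Discovery Mapper
    "MSiSCSI",         # Microsoft iSCSI Initiator Service
    "sshd",            # OpenSSH SSH Server
    "PNRPsvc",         # Peer Name Resolution Protocol
    "p2psvc",          # Peer Networking Grouping
    "p2pimsvc",        # Peer Networking Identity Manager
    "PNRPAutoReg",     # PNRP Machine Name Publication Service
    "Spooler",         # Print Spooler
    "wercplsupport",   # Problem Reports and Solutions Control Panel Support
    "RasAuto",         # Remote Access Auto Connection Manager
    "SessionEnv",      # Remote Desktop Configuration
    "TermService",     # Remote Desktop Services
    "UmRdpService",    # Remote Desktop Services UserMode Port Redirector
    "RpcLocator",      # Remote Procedure Call (RPC) Locator
    "LanmanServer",    # Server (file/print sharing, admin shares)
    "SSDPSRV",         # SSDP Discovery
    "upnphost",        # UPnP Device Host
    "WerSvc",          # Windows Error Reporting Service
    "Wecsvc",          # Windows Event Collector (only needed on a WEF collector)
    "WMPNetworkSvc",   # Windows Media Player Network Sharing Service
    "icssvc",          # Windows Mobile Hotspot Service
    "WpnService",      # Windows Push Notifications System Service
    "PushToInstall",   # Windows PushToInstall Service
    "WinRM",           # Windows Remote Management (WS-Management)
    "XboxGipSvc",      # Xbox Accessory Management Service
    "XblAuthManager",  # Xbox Live Auth Manager
    "XblGameSave",     # Xbox Live Game Save
    "XboxNetApiSvc"    # Xbox Live Networking Service
)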
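# Disable each service. Set-Service only changes the startup type: an instance
# that is already running keeps running until it is stopped or the host
# reboots. "has been disabled" is printed only when Set-Service succeeded, so a
# non-elevated run no longer reports success next to an error.
foreach ($service in $servicesToDisable) {
    $svc = Get-Service -Name $service -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Host "Service $service not found."
        continue
    }
    try {
        Set-Service -Name $service -StartupType Disabled -ErrorAction Stop
        Write-Host "Service $service has been disabled."
    } catch {
        Write-Warning "Service $service could not be disabled: $($_.Exception.Message)"
    }
}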
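# Import the PolicyFileEditor module. It is a third-party module (PowerShell
# Gallery), not part of Windows: install it from a trusted, pinned source
# beforehand. -ErrorAction Stop makes the script fail here instead of emitting
# one error per Set-PolicyFileEntry call below.
Import-Module PolicyFileEditor -ErrorAction Stop
# Machine-side Registry.pol edited by every Set-PolicyFileEntry call below
# (computer configuration, administrative templates).
$PolicyPath = "C:\Windows\System32\GroupPolicy\Machine\Registry.pol"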
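# --- Account policies and built-in account renames --------------------------
# 'Enforce password history', 'Minimum password age', 'Minimum password
# length', 'Password must meet complexity requirements', 'Account lockout
# threshold' and the Administrator/Guest renames are Security Settings
# (Account Policies / Security Options), not registry-backed administrative
# templates. Writing them into Registry.pol under the Winlogon key only creates
# unused registry values; the policy never takes effect. They are applied from
# a security template with secedit instead. The [System Access] key names below
# are the same names the original Set-PolicyFileEntry calls used.
$accountPolicyTemplate = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[System Access]
; Set 'Enforce password history' to 24 passwords
PasswordHistorySize = 24
; Set 'Minimum password age' to 1 day
MinimumPasswordAge = 1
; Set 'Minimum password length' to 14 characters
MinimumPasswordLength = 14
; Enable 'Password must meet complexity requirements'
PasswordComplexity = 1
; Set 'Account lockout threshold' to 5 invalid logon attempts
LockoutBadCount = 5
; NOTE(review): a non-zero threshold needs a lockout duration and reset window
; (minutes, reset <= duration); 15 is a reviewer-chosen value, adjust to policy.
LockoutDuration = 15
ResetLockoutCount = 15
; Rename the built-in Administrator and Guest accounts
NewAdministratorName = "$NewAdminName"
NewGuestName = "$NewGuestName"
"@
# Enable 'Relax minimum password length limits' (assuming the registry setting exists and is known)
# Set-PolicyFileEntry -Path $PolicyPath -Key "RegistryKeyForRelaxMinimumPasswordLength" -ValueName "YourValueName" -Data 1 -Type DWord
# Block Microsoft accounts - This setting is typically managed via a group policy setting
# The registry key might vary based on the Windows version and system setup
# Set-PolicyFileEntry -Path $PolicyPath -Key "Software\Microsoft\Windows\CurrentVersion\Policies\System" -ValueName "NoConnectedUser" -Data 3 -Type DWord

# secedit reads a UTF-16LE template and merges it into a database; both are
# scratch files removed afterwards. A non-zero exit is reported rather than
# ignored, because nothing later in the script re-checks these values.
$templatePath = [System.IO.Path]::GetTempFileName()
$secdbPath = Join-Path $env:TEMP ("account-policy-{0}.sdb" -f [guid]::NewGuid())
try {
    Set-Content -Path $templatePath -Value $accountPolicyTemplate -Encoding Unicode
    & secedit.exe /configure /db $secdbPath /cfg $templatePath /areas SECURITYPOLICY /quiet
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "secedit exited with $LASTEXITCODE; account policy may not have been applied (re-run without /quiet or use /log to see why)."
    }
} finally {
    Remove-Item -Path $templatePath, $secdbPath -ErrorAction SilentlyContinue
}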
# Administrative-template values (Registry.pol): cross-device features,
# connected-standby networking, the interactive-logon banner, cached logons
# and smart-card removal. Each entry is splatted into Set-PolicyFileEntry.
$systemPolicyKey = 'Software\Policies\Microsoft\Windows\System'
$connectedStandbyKey = 'Software\Policies\Microsoft\Windows\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9'
$logonPolicyKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$winlogonKey = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$machinePolicyEntries = @(
    # 'Allow Clipboard synchronization across devices' -> Disabled
    @{ Key = $systemPolicyKey; ValueName = 'AllowCrossDeviceClipboard'; Data = 0; Type = 'DWord' }
    # 'Allow upload of User Activities' -> Disabled
    @{ Key = $systemPolicyKey; ValueName = 'PublishUserActivities'; Data = 0; Type = 'DWord' }
    # 'Allow network connectivity during connected-standby (on battery)' -> Disabled
    @{ Key = $connectedStandbyKey; ValueName = 'DCSettingIndex'; Data = 0; Type = 'DWord' }
    # 'Allow network connectivity during connected-standby (plugged in)' -> Disabled
    @{ Key = $connectedStandbyKey; ValueName = 'ACSettingIndex'; Data = 0; Type = 'DWord' }
    # 'Interactive logon: Message text for users attempting to log on'
    @{ Key = $logonPolicyKey; ValueName = 'LegalNoticeText'; Data = 'I AM ALIVE.... almost?'; Type = 'String' }
    # 'Interactive logon: Message title for users attempting to log on'
    @{ Key = $logonPolicyKey; ValueName = 'LegalNoticeCaption'; Data = 'still almost alive. lol'; Type = 'String' }
    # 'Interactive logon: Number of previous logons to cache' (stored as REG_SZ)
    @{ Key = $winlogonKey; ValueName = 'CachedLogonsCount'; Data = 4; Type = 'String' }
    # 'Interactive logon: Smart card removal behavior' -> "1" = Lock Workstation
    @{ Key = $winlogonKey; ValueName = 'ScRemoveOption'; Data = '1'; Type = 'String' }
)
foreach ($entry in $machinePolicyEntries) {
    Set-PolicyFileEntry -Path $PolicyPath @entry
}
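# --- SMB signing, anonymous access, NTLM session security -------------------
$lanmanWorkstationKey = 'System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$lanmanServerKey = 'System\CurrentControlSet\Services\LanmanServer\Parameters'
$lsaKey = 'System\CurrentControlSet\Control\Lsa'
# Enable 'Microsoft network client: Digitally sign communications (always)'
Set-PolicyFileEntry -Path $PolicyPath -Key $lanmanWorkstationKey -ValueName "RequireSecuritySignature" -Data 1 -Type DWord
# Enable 'Microsoft network server: Digitally sign communications (always)'
# (LanmanServer is disabled earlier in this script; these server values only
# matter if the Server service is re-enabled.)
Set-PolicyFileEntry -Path $PolicyPath -Key $lanmanServerKey -ValueName "RequireSecuritySignature" -Data 1 -Type DWord
# Enable 'Microsoft network server: Digitally sign communications (if client agrees)'
Set-PolicyFileEntry -Path $PolicyPath -Key $lanmanServerKey -ValueName "EnableSecuritySignature" -Data 1 -Type DWord
# Set 'Microsoft network server: Server SPN target name validation level'
# Note: The specific registry key and value for this setting may vary. Please confirm the correct key and value.
# NOTE(review): this maps to LanmanServer\Parameters:SmbServerNameHardeningLevel
# (0/1/2); left unset because level 1+ rejects connections made through DNS
# aliases that are not registered SPNs — confirm against the ADMX before enabling.
# Set-PolicyFileEntry -Path $PolicyPath -Key $lanmanServerKey -ValueName "SmbServerNameHardeningLevel" -Data 1 -Type DWord
# Set 'Network access: Do not allow anonymous enumeration of SAM accounts'
# (RestrictAnonymousSAM covers accounts only; the "... and shares" variant is
# the separate Lsa:RestrictAnonymous value and is not set here.)
Set-PolicyFileEntry -Path $PolicyPath -Key $lsaKey -ValueName "RestrictAnonymousSAM" -Data 1 -Type DWord
# Set 'Network access: Do not allow storage of passwords and credentials for network authentication'
Set-PolicyFileEntry -Path $PolicyPath -Key $lsaKey -ValueName "DisableDomainCreds" -Data 1 -Type DWord
# Set 'Network security: Minimum session security for NTLM SSP based (including
# secure RPC) clients' to 'Require NTLMv2 session security' + 'Require 128-bit
# encryption' (0x20080000 = 537395200). The original comment named 'Allow Local
# System to use computer identity for NTLM', which is a different value
# (Lsa:UseMachineId) and is not what this line sets.
Set-PolicyFileEntry -Path $PolicyPath -Key "$lsaKey\MSV1_0" -ValueName "NTLMMinClientSec" -Data 537395200 -Type DWord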
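# --- Widgets, SmartScreen, Game DVR, Ink, restart sign-on -------------------
# Ensure 'Allow widgets' is set to 'Disabled'
# NOTE(review): the Widgets policy is backed by Software\Policies\Microsoft\Dsh,
# not ...\Windows\Explorer as the original had it — confirm against the ADMX.
Set-PolicyFileEntry -Path $PolicyPath -Key "Software\Policies\Microsoft\Dsh" -ValueName "AllowNewsAndInterests" -Data 0 -Type DWord
# Ensure 'Configure Windows Defender SmartScreen' is set to
# 'Enabled: Warn and prevent bypass'. EnableSmartScreen = 1 turns the policy
# on; ShellSmartScreenLevel = "Block" selects the no-bypass level. (The two
# original comments had these swapped; 'Prevent bypassing ... prompts for
# sites' is a browser policy and is not set by either line.)
Set-PolicyFileEntry -Path $PolicyPath -Key "Software\Policies\Microsoft\Windows\System" -ValueName "EnableSmartScreen" -Data 1 -Type DWord
Set-PolicyFileEntry -Path $PolicyPath -Key "Software\Policies\Microsoft\Windows\System" -ValueName "ShellSmartScreenLevel" -Data "Block" -Type String
# Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'
Set-PolicyFileEntry -Path $PolicyPath -Key "Software\Policies\Microsoft\Windows\GameDVR" -ValueName "AllowGameDVR" -Data 0 -Type DWord
# Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'
Set-PolicyFileEntry -Path $PolicyPath -Key "Software\Policies\Microsoft\WindowsInkWorkspace" -ValueName "AllowSuggestedAppsInWindowsInkWorkspace" -Data 0 -Type DWord
# Ensure 'Allow Windows Ink Workspace' is set appropriately
# Note: Modify the registry key and value based on actual policy requirement
# Ensure 'Sign-in and lock last interactive user automatically after a restart'
# is set to 'Disabled' (DisableAutomaticRestartSignOn = 1 disables it).
Set-PolicyFileEntry -Path $PolicyPath -Key "Software\Microsoft\Windows\CurrentVersion\Policies\System" -ValueName "DisableAutomaticRestartSignOn" -Data 1 -Type DWord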
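# --- WinRM, Sandbox, lock screen, speech, consumer content, PushToInstall ---
# Ensure 'Disallow Digest authentication' is set to 'Enabled'
# NOTE(review): this is the WinRM *client* policy (WinRM\Client:AllowDigest = 0).
# The original wrote HTTP\Parameters:DisableDigestAuth, which is not a known
# policy mapping — confirm against the ADMX.
Set-PolicyFileEntry -Path $PolicyPath -Key "Software\Policies\Microsoft\Windows\WinRM\Client" -ValueName "AllowDigest" -Data 0 -Type DWord
# Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
Set-PolicyFileEntry -Path $PolicyPath -Key "Software\Policies\Microsoft\Windows\WinRM\Service" -ValueName "DisableRunAs" -Data 1 -Type DWord
# Ensure 'Allow Remote Shell Access' is set to 'Disabled'
Set-PolicyFileEntry -Path $PolicyPath -Key "Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -ValueName "AllowRemoteShellAccess" -Data 0 -Type DWord
# Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'
Set-PolicyFileEntry -Path $PolicyPath -Key "Software\Policies\Microsoft\Windows\Sandbox\Containers" -ValueName "AllowClipboardRedirection" -Data 0 -Type DWord
# Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'
# (DWORD 0, consistent with AllowClipboardRedirection above; the original wrote
# the string "Disabled", which is not a value the policy engine interprets.)
Set-PolicyFileEntry -Path $PolicyPath -Key "Software\Policies\Microsoft\Windows\Sandbox\Containers" -ValueName "AllowNetworking" -Data 0 -Type DWord
# Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
Set-PolicyFileEntry -Path $PolicyPath -Key "Software\Policies\Microsoft\Windows\Personalization" -ValueName "NoLockScreenCamera" -Data 1 -Type DWord
# Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
Set-PolicyFileEntry -Path $PolicyPath -Key "Software\Policies\Microsoft\Windows\Personalization" -ValueName "NoLockScreenSlideshow" -Data 1 -Type DWord
# Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'
# NOTE(review): the machine policy is InputPersonalization:AllowInputPersonalization = 0;
# the original Speech:OnlineSpeechPrivacyPolicyHasAccepted value is a per-user
# consent flag, not this policy — confirm against the ADMX.
Set-PolicyFileEntry -Path $PolicyPath -Key "Software\Policies\Microsoft\InputPersonalization" -ValueName "AllowInputPersonalization" -Data 0 -Type DWord
# Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'
# (this is what DisableWindowsConsumerFeatures does; the original comment
# called it 'Allow Online Tips', which is the separate value set next)
Set-PolicyFileEntry -Path $PolicyPath -Key "Software\Policies\Microsoft\Windows\CloudContent" -ValueName "DisableWindowsConsumerFeatures" -Data 1 -Type DWord
# Ensure 'Allow Online Tips' is set to 'Disabled'
# NOTE(review): this policy lives under HKLM\Software\Microsoft\...\Policies\Explorer
# rather than Software\Policies — confirm against the ADMX.
Set-PolicyFileEntry -Path $PolicyPath -Key "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ValueName "AllowOnlineTips" -Data 0 -Type DWord
# Ensure 'Turn off Push To Install service' is set to 'Enabled'
Set-PolicyFileEntry -Path $PolicyPath -Key "Software\Policies\Microsoft\Windows\PushToInstall" -ValueName "DisablePushToInstall" -Data 1 -Type DWord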
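# --- Remote Desktop redirection, printing, notifications, auditing, CredSSP --
$terminalServicesKey = 'Software\Policies\Microsoft\Windows NT\Terminal Services'
# Ensure 'Do not allow passwords to be saved' is set to 'Enabled'
Set-PolicyFileEntry -Path $PolicyPath -Key $terminalServicesKey -ValueName "DisablePasswordSaving" -Data 1 -Type DWord
# Ensure 'Allow UI Automation redirection' is set to 'Disabled'
Set-PolicyFileEntry -Path $PolicyPath -Key $terminalServicesKey -ValueName "fEnableUIADesktopToggle" -Data 0 -Type DWord
# Ensure 'Do not allow COM port redirection' is set to 'Enabled'
Set-PolicyFileEntry -Path $PolicyPath -Key $terminalServicesKey -ValueName "fDisableCcm" -Data 1 -Type DWord
# Ensure 'Do not allow drive redirection' is set to 'Enabled'
Set-PolicyFileEntry -Path $PolicyPath -Key $terminalServicesKey -ValueName "fDisableCdm" -Data 1 -Type DWord
# Ensure 'Do not allow location redirection' is set to 'Enabled'
# (the original reused fDisableLPT here, which is the LPT-port value set below,
# so location redirection was never configured)
Set-PolicyFileEntry -Path $PolicyPath -Key $terminalServicesKey -ValueName "fDisableLocationRedir" -Data 1 -Type DWord
# Ensure 'Do not allow LPT port redirection' is set to 'Enabled'
Set-PolicyFileEntry -Path $PolicyPath -Key $terminalServicesKey -ValueName "fDisableLPT" -Data 1 -Type DWord
# Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'
# NOTE(review): the ADMX encodes Enabled = 1 and Disabled = 2 for this value;
# the original wrote 0, which is not a defined state — confirm against printing.admx.
Set-PolicyFileEntry -Path $PolicyPath -Key "Software\Policies\Microsoft\Windows NT\Printers" -ValueName "RegisterSpoolerRemoteRpcEndPoint" -Data 2 -Type DWord
# Ensure 'Turn off notifications network usage' is set to 'Enabled'
# NOTE(review): the policy value is NoCloudApplicationNotification; the original
# NoNetworkUsageNotification is not a known mapping — confirm against the ADMX.
Set-PolicyFileEntry -Path $PolicyPath -Key "Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" -ValueName "NoCloudApplicationNotification" -Data 1 -Type DWord
# Ensure 'Include command line in process creation events' is set to 'Enabled'
# (event 4688 then carries the command line; needed by most detection content)
Set-PolicyFileEntry -Path $PolicyPath -Key "Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -ValueName "ProcessCreationIncludeCmdLine_Enabled" -Data 1 -Type DWord
# Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'
# AllowEncryptionOracle: 0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable.
# The original wrote 2, which is the *Vulnerable* setting and the opposite of
# what the comment intends.
Set-PolicyFileEntry -Path $PolicyPath -Key "Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" -ValueName "AllowEncryptionOracle" -Data 0 -Type DWord
# Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'
# Note: This setting is typically controlled via Group Policy and may not have a direct registry equivalent.
# NOTE(review): it is registry-backed (CredentialsDelegation:AllowProtectedCreds = 1);
# left commented until confirmed against the ADMX.
# Set-PolicyFileEntry -Path $PolicyPath -Key "Software\Policies\Microsoft\Windows\CredentialsDelegation" -ValueName "AllowProtectedCreds" -Data 1 -Type DWord
# Apply the policy changes (Registry.pol is only read on the next policy refresh).
gpupdate /force
if ($LASTEXITCODE -ne 0) {
    Write-Warning "gpupdate exited with $LASTEXITCODE; policy may not have been refreshed."
}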