Hard_Configurator is a GUI application to configure various Windows security features and apply recommended defaults.

Requirements

• Minimum standards for a highly secure Windows device (Secure-Core)
• Windows up-to-date
• Microsoft Defender up-to-date
• Latest Driver and Program updates
• Only necessary programs/apps/games which you need
• avoid insecure software like 7-Zip (which lacks Anti-Exploit and MOTW support) and also Forks, Open/ LibreOffice, Firefox, True/Veracrypt, ...
• stay away from "Anti-Spying"/"Anti-Telemetry"/.. tools and use official documentation
• No "Tuning" tools (not even stuff like Ccleaner!)
• Hardware Requirements for System Guard / Hardware-based Isolation
• Hardware Requirements for Memory integrity
• Hardware Requirements for Microsoft Defender Credential Guard

Hardening

• Set User Account Control (UAC) to maximum
• Create a different Admin account and transform your current account to limited/restricted/standard user to reduce the attack surface enormously. Don't use administrator access for your tasks!
• Use Smart App Control
• Block all incoming connections with Microsoft Defender Firewall
• Always display file type extension
• Manage Microsoft Defender Credential Guard
• Enable Memory Integrity (HVCI)
• Enable Network Protection (NP)
• Enable SmartScreen and enable SmartScreen Logs
• Enable Controlled Folder Access (CFA)
• Enable Attack Surface Reduction rules (ASR)
• Enable Mandatory ALSR and Bottom-Up-ALSR (Address Space Layout Randomization)
• Enable System Guard Secure Launch
• Enable cloud-delivered protection
• Enable protection against Potentially Unwanted Apps (PUA)
• Enable Bitlocker Encryption with TPM, optionally with Startup PIN & read about Countermeasures to reduce DMA threats
• Use Windows Sandbox for new/unknown binaries (you can use it with the right click menu) or enable Hyper-V for use with Microsoft's Virtual Machine Platform
• Enable sandboxing for Microsoft Defender Antivirus
• Only elevate executables which are signed and validated
• Use the only browser that natively supports hardware isolation: Edge
• Use EFS file encryption for very sensitive files - also compatible with Bitlocker
• Harden OneDrive with Windows Controlled Folder Access (CFA aka Ransomware Protection)
• Avoid old file systems like FAT32 that do not preserve Alternative NTFS Streams (where Mark Of The Web is skipped)
• While DNS encryption isn't perfect both Quad9 and Cloudflare are recommend. AdGuard and NextDNS are another, but some users report problems like false positive filtering, stability/performance issues.
• instead of passwords, use Passkeys

Further Hardening

• Specify the cloud-delivered protection level
• Configure Microsoft's Exploit Protection and Enforced CET
• Use Microsoft's recommended block rules
• Control USB devices and other removable media
• See UEFI Hardening aka NSA Defensive Practices Guidance and Hardware-and-Firmware-Security-Guidance
• See Hardware and Firmware Security Guidance for Windows and AMD CPUs
• Deploy Windows Security Baselines and keep it up-to-date
• Use Mandatory Integrity Control
• Use Security-ADMX custom template focused on hardening Windows 10 systems

Enterprises

• Application Control (WDAC) - Microsoft's Policy Wizard will help a lot
• Enterprise Certificate Pinning
• Block untrusted fonts in an enterprise
• Web protection
• Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
• Manage Windows Hello for Business
• Protect against DLL Search Order Hijacking
• Report vulnerable or malicious drivers to the Windows and Defender teams
• Video from Matt Soseman: Investigating Backdoor Attacks w/ Microsoft Defender ATP
• Video from Matt Soseman: Investigating a Fileless Attack w/ Microsoft Defender ATP & Exploit Protection
• Video from Matt Soseman: What is the Microsoft Cybersecurity Reference Architectures (MCRA) and why should I care?
• Microsoft Defender ATP secure score
• Microsoft Edge for Business
  

Test Config

• Validate connections between your network and the Microsoft Defender Antivirus cloud service
• Verify client connectivity to Microsoft Defender ATP service URLs
• Validate Microsoft Defender Tamper protection
• Confirm and validate that Defender "Block at First Sight" (BAFS) is enabled
• Microsoft Defender Testground
• Microsoft Defender SmartScreen Testground
• Validate your Kernel DMA Protection for Thunderbolt
• Test your Antimalware Scan Interface (AMSI your Network protection
• Changelogs for Defender security intelligence updates
• Check if your Bitlocker is safe against Bitleaker: Blog
• Use Process Monitor (tool from Microsoft) with this filter for finding privilege escalation vulnerabilities in Windows
• Check out winchecksec to perform static detection of common Windows security features
• Sysmon configuration file template with default high-quality event tracing
• check your installation against Deprecated features

Reading Material:

• Defender Firewall with Advanced Security
• https://github.com/frizb/Windows-Privilege-Escalation
• https://github.com/LOLBAS-Project/LOLBAS
• https://github.com/api0cradle/UltimateAppLockerByPassList
• https://trustedwindows.wordpress.com/
• https://docs.microsoft.com/en-us/windows-hardware/drivers/install/early-launch-antimalware
• https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria
• https://docs.microsoft.com/en-us/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10
• https://docs.microsoft.com/en-us/windows/security/
• a picture about Microsoft Defender local and cloud script protection
• a picture about Attack Surface Reduction (ASR) Rules
• Security Unlocked - The Microsoft Security Podcast
• How the hell WD works on Windows Home & Pro documentation from AndyFul
• Windows AppContainer Isolation - what it does? from AndyFul
• Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection
• Windows Defender Application Control (WDAC) Resources / PowerShell script
• Why UAC is important at maximum (not default) level: 1, 2, 3, 4
• Testing DLL Search Order Hijacking against security features from AndyFul
• Some info about training AMSI machine learning models from AndyFul
• Cheap sandboxing with AppContainers Blog
• Meet the Microsoft Pluton processor – The security chip designed for the future of Windows PCs Blog
• Complete W^X implementation in Windows with ACG
• Understanding Hardware-enforced Stack Protection (CET)
• Threat Detection using Windows Defender Application Control (Device Guard) in Audit Mode Blog
• Security Unlocked - The Microsoft Security Podcast about Below the OS: UEFI Scanning in Defender
• How the (Powershell) Constrained Language Mode is enforced Blog
• Application Control denies execution of randomly generated PowerShell PS1 files Blog
• Applocker and PowerShell: how do they tightly work together? Blog
• PowerShell 5.0 and Applocker. When security doesn't mean security Blog
• German BSI - SiSyPHuS Win10: Study on System Integrity, Logging, Hardening and Security relevant Functionality in Windows 10
• rc3 event - Breaking Thunderbolt 3 Security
• CIS Security Benchmark
• NIST Security Technical Implementation Guide
• AppLocker and WDAC help Blog
• Microsoft Defender Attack Surface Reduction (ASR) recommendations
• Adventures in Extremely Strict Device Guard (WDAC) Policy Configuration Blog
• Building a Simple, Secure Windows-only WDAC Policy Blog
• Application Control on Windows 10 Home
• Windows Hello - Why a PIN is better than a password
• Battle of the SKM and IUM: How Windows 10 Rewrites OS Architecture (blackhat USA 2015 talk)
• Defender (with ConfigureDefender tool) vs fileless malware
• Offense and Defense – A Tale of Two Sides: Bypass UAC
• Microsoft Windows Antimalware Scan Interface (AMSI) Bypasses
• Windows security book in web doc form
• Video from Matt Soseman: Smartscreen in Edge (& Chrome) to block phishing & malicious websites
• Video from Matt Soseman: Block at First Sight (BAFS): Windows Defender blocking malware in SECONDS!
• Video from Matt Soseman: How Controlled Folder Access (CFA) works in Windows
• Video from Matt Soseman: Block Potentially Unwanted Applications (PUA) in Microsoft Defender Antivirus
• Video1, Video2 from Matt Soseman: Attack Surface Reduction (ASR) in Windows
• Video from Matt Soseman: Hardware Isolated Browsing w/ Microsoft Defender Application Guard
• what is meant by "User Space"
• what the feature "Allow apps from the store only" does
• Breaking Bitlocker - Bypassing the Windows Disk Encryption / more BitLocker Attacks
• Zammis Clark: An Evil Maid's Dream - Windows Boot Security was Broken Anyway
• Harden Windows Safely