Corrections

Author: simeononsecurity

README.md

@@ -1,15 +1,27 @@
-**Optimizing and Hardening Windows 10 Deployments**
+# Optimizing and Hardening Windows 10 Deployments
 
-Download all the required files from the [GitHub Repository](https://github.com/smiltech/W10-Optimize-and-Harden)
+**Download all the required files from the [GitHub Repository](https://github.com/smiltech/W10-Optimize-and-Harden)**
 
 
 Windows 10 is an invasive and insecure operating system out of the box. 
 Organizations like [PrivacyTools.io](https://PrivacyTools.io), [Microsoft](https://microsoft.com) and the 
 [Department of Defense](https://public.cyber.mil) have recomended configuration changes to lockdown, harden, and secure the operating system. These changes cover a wide range of mitigations including blocking telemetery, macros, removing bloatware, and preventing many physical attacks on a system.
 
+## Requirements
+- [x] [Standards](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure) for a highly secure Windows 10 device
+- [x] Latest [Windows 10 stable version](https://www.microsoft.com/en-us/software-download/windows10)
+- [x] System is [fully up to date](https://support.microsoft.com/en-gb/help/4027667/windows-10-update)
+- [x] (default activated) internal Windows Defender protection instead of external "Security" solutions
+- [x] Latest Driver and Program updates
+- [x] No "Tuning" tools
+- [x] Only necessary tools which you realy need
+- [x] [Hardware Requirements](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection#requirements-met-by-system-guard-enabled-machines) for [System Guard](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) / [Hardware-based Isolation](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation)
+- [x] [Hardware Requirements](https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity#baseline-protections) for [Memory integrity](https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/memory-integrity)
+- [x] [Hardware Requirements](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard) for Windows [Defender Application Guard](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) (WDAG)
+- [x] [Hardware Requirements](https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements) for Windows [Defender Credential Guard](https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-how-it-works)
 
 
-A list of script and tools this collection utilizes:
+## A list of scripts and tools this collection utilizes:
 
 1.) [Microsoft Security Compliance Toolkit 1.0](https://www.microsoft.com/en-us/download/details.aspx?id=55319)
 
@@ -23,37 +35,46 @@ A list of script and tools this collection utilizes:
 
 6.) [Mirinsoft - debotnet](https://github.com/builtbybel/debotnet)
 
-Additional configurations were considered from:
+## Additional configurations were considered from:
 
-[Disable TCP Timestamps](https://www.whonix.org/wiki/Disable_TCP_and_ICMP_Timestamps)
+[NSACyber - Hardware-and-Firmware-Security-Guidance](https://github.com/nsacyber/Hardware-and-Firmware-Security-Guidance)
 
-[IE Scripting Engine Memory Corruption](https://kb.cert.org/vuls/id/573168/)
+[Whonix - Disable TCP Timestamps](https://www.whonix.org/wiki/Disable_TCP_and_ICMP_Timestamps)
 
-[Specture and Meltdown Mitigations](https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities)
+[CERT - IE Scripting Engine Memory Corruption](https://kb.cert.org/vuls/id/573168/)
 
-[SSL Hardening](https://dirteam.com/sander/2019/07/30/howto-disable-weak-protocols-cipher-suites-and-hashing-algorithms-on-web-application-proxies-ad-fs-servers-and-windows-servers-running-azure-ad-connect/)
+[Dirteam - SSL Hardening](https://dirteam.com/sander/2019/07/30/howto-disable-weak-protocols-cipher-suites-and-hashing-algorithms-on-web-application-proxies-ad-fs-servers-and-windows-servers-running-azure-ad-connect/)
 
-[Windows 10 Privacy](https://docs.microsoft.com/en-us/windows/privacy/)
+[Microsoft - Specture and Meltdown Mitigations](https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities)
 
-[Managing Windows 10 Telemetry and Callbacks](https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services)
+[Microsoft - Windows 10 Privacy](https://docs.microsoft.com/en-us/windows/privacy/)
 
-[Windows 10 VDI Recomendations](https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909)
+[Microsoft - Managing Windows 10 Telemetry and Callbacks](https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services)
 
+[Microsoft - Windows 10 VDI Recomendations](https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909)
 
+
+## How to run the script
+
+**The script may be lauched from the extracted GitHub download like this:**
+```
+.\W10-Optimize-and-Harden-master\installallstandalone.ps1
+```
 The script we will be using must be launched from the directory containing all the other files from the [GitHub Repository](https://github.com/smiltech/W10-Optimize-and-Harden)
 
-In order to enable the Windows 10 VDI Optimizations you must uncomment the line below:
+**In order to enable the Windows 10 VDI Optimizations you must uncomment the line below:**
 ```
 .\Scripts\"Debloating, Optimization, and Privacy"\"Windows_10_VDI"\1909_WindowsUpdateEnabled\Win10_1909_VDI_Optimize.ps1
 
 ```
-In order to enable the SSL Hardening you must uncomment the line below:
+
+**In order to enable the SSL Hardening you must uncomment the line below:**
 ```
-.\Scripts\"Security, Hardening, and Mitigation"s\"SSL Hardening Registries.ps1"
+.\Scripts\"Security, Hardening, and Mitigation"\"SSL Hardening Registries.ps1"
 
 ```
 
-The script we will be using is called **"installallstandalone.ps1"** and its contents are:
+**The script we will be using is called **"installallstandalone.ps1"** and its contents are:**
 
 ```
 ######SCRIPT FOR FULL INSTALL AND CONFIGURE ON STANDALONE MACHINE#####
@@ -85,23 +106,18 @@ copy-item -Path .\PolicyDefinitions\* -Destination C:\Windows\PolicyDefinitions
 
 #Security Scripts Testing Required
 #Only enable after testing in your environment
-#.\Scripts\"Security, Hardening, and Mitigation"s\"SSL Hardening Registries.ps1"
+#.\Scripts\"Security, Hardening, and Mitigations"\"SSL Hardening Registries.ps1"
 
 #Debloating Scripts
 
 #ONLY ENABLE IF ON VM
 #.\Scripts\"Debloating, Optimization, and Privacy"\"Windows_10_VDI"\1909_WindowsUpdateEnabled\Win10_1909_VDI_Optimize.ps1
 
+.\Scripts\"Debloating, Optimization, and Privacy"\"Windows 10 Debloater"\Windows10SysPrepDebloater.ps1 -Sysprep -Debloat -Privacy
+.\Scripts\"Debloating, Optimization, and Privacy"\"Windows 10 telemetry.ps1"
 .\Scripts\"Debloating, Optimization, and Privacy"\ultimate performance mode.ps1
-.\Scripts\"Debloating, Optimization, and Privacy"\startupcleantelem.ps1
 .\Scripts\"Debloating, Optimization, and Privacy"\optimizevmvirtalization.ps1
-.\Scripts\"Debloating, Optimization, and Privacy"\"Windows 10 Debloater"\Windows10SysPrepDebloater.ps1 -Sysprep -Debloat -Privacy
+.\Scripts\"Debloating, Optimization, and Privacy"\startupcleantelem.ps1
 .\Scripts\"Debloating, Optimization, and Privacy"\sharpapp\sharpappscripts.ps1
 .\Scripts\"Debloating, Optimization, and Privacy"\debotnet\debotnetscripts.ps1
 ```
-
-
-**The script may be lauched from the extracted GitHub download like this:**
-```
-.\W10-Optimize-and-Harden-master\installallstandalone.ps1
-```

Scripts/Debloating, Optimization, and Privacy/startupcleantelem.ps1

@@ -130,3 +130,26 @@ reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v DisableScree
 sc stop "VSStandardCollectorService150"
 net stop "VSStandardCollectorService150"
 sc config "VSStandardCollectorService150" start=disabled
+#General Optmizations
+#Delete "windows.old" folder
+%SystemRoot%\System32\Cmd.exe /c Cleanmgr /sageset:65535 & Cleanmgr /sagerun:65535
+
+#Display full path in explorer
+@echo off
+
+REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState" /V FullPath /T REG_DWORD /D 1 /F
+
+taskkill /f /im explorer.exe
+start explorer.exe
+
+#Make icons easier to touch in exploere
+@echo off
+
+:: Needs: Windows 10 build 19592+
+
+REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /V FileExplorerInTouchImprovement /T REG_DWORD /D 1 /F
+
+:: To kill and restart explorer
+taskkill /f /im explorer.exe
+start explorer.exe
+#disable

installallstandalone.ps1

@@ -27,16 +27,17 @@ copy-item -Path .\PolicyDefinitions\* -Destination C:\Windows\PolicyDefinitions
 
 #Security Scripts Testing Required
 #Only enable after testing in your environment
-#.\Scripts\"Security, Hardening, and Mitigation"s\"SSL Hardening Registries.ps1"
+#.\Scripts\"Security, Hardening, and Mitigations"\"SSL Hardening Registries.ps1"
 
 #Debloating Scripts
 
 #ONLY ENABLE IF ON VM
 #.\Scripts\"Debloating, Optimization, and Privacy"\"Windows_10_VDI"\1909_WindowsUpdateEnabled\Win10_1909_VDI_Optimize.ps1
 
+.\Scripts\"Debloating, Optimization, and Privacy"\"Windows 10 Debloater"\Windows10SysPrepDebloater.ps1 -Sysprep -Debloat -Privacy
+.\Scripts\"Debloating, Optimization, and Privacy"\"Windows 10 telemetry.ps1"
 .\Scripts\"Debloating, Optimization, and Privacy"\ultimate performance mode.ps1
-.\Scripts\"Debloating, Optimization, and Privacy"\startupcleantelem.ps1
 .\Scripts\"Debloating, Optimization, and Privacy"\optimizevmvirtalization.ps1
-.\Scripts\"Debloating, Optimization, and Privacy"\"Windows 10 Debloater"\Windows10SysPrepDebloater.ps1 -Sysprep -Debloat -Privacy
+.\Scripts\"Debloating, Optimization, and Privacy"\startupcleantelem.ps1
 .\Scripts\"Debloating, Optimization, and Privacy"\sharpapp\sharpappscripts.ps1
-.\Scripts\"Debloating, Optimization, and Privacy"\debotnet\debotnetscripts.ps1
+.\Scripts\"Debloating, Optimization, and Privacy"\debotnet\debotnetscripts.ps1