Windows OS Based Hardening Techniques

This area covers Windows OS based hardening techniques. Here is a quick lay of the land so you can get the most out of this documentation:

The breakdown will be as follows:

  1. Workstation General OS Hardening Techniques
  2. Server General OS Hardening Techniques
  3. Application specific Hardening Techniques (these would be applications on Windows based devices)

Beyond the above, each section has an individual page for each hardening technique, so you can understand the technique at a much deeper level. This should also help with implementation and with avoiding the potential issues that come with rolling the technique out.

Almost all of the documentation targets the latest versions of the OS, so the assumption as of this writing is Server 2016+ and Windows 10+ for workstations. These techniques can work on older OSes, but the chance of breaking something is higher. Most of the general ones work on Windows 7+ and Server 2012+ without issue, but you should pay extra attention to any older operating system(s) in your environment and work out the additional issues specific to that version.

Under each of these sections there are additional subsections:

  1. Individual Documentation
  2. Scripts

Individual Documentation is meant to give you just that: one page dedicated to a single hardening technique. There may be a few that I consolidate into a single page, such as the Broadcast / Multicast protocols, because they are very similar and in my experience I have successfully rolled those three items out at once. You should explicitly test these in your environment(s) to reduce the chance of a disruption to your organization. Remember, we tend to assume we do not use something until it breaks, and then we have an emergency on our hands to fix it. Properly testing and rolling these out reduces the chance of that happening.

Scripts are anything I have put together, such as Phantabyte, to help you deploy the individual OS hardening techniques.

One other thing to keep in mind: do not fear breaking things on your network. I completely understand that some networks are far more critical than others; start in the less critical places and go from there. From experience, if you prepare, test, and roll these out slowly, any outage that does occur should be limited and over relatively quickly. The alternative is a threat actor dancing around your environment without your knowledge, attempting to take your entire organization out of production for as long as it takes to get money, notoriety, fame, etc. You do not get to choose that timing, and it is one of the most painful ways to be forced into remediation. Your organization will be 100% on board with your recommendations for that short period, but it is far better to make the case before a security event/incident than after one.