Windows Hardening

This chapter indicates possible adjustments to Windows settings to increase the level of security. For the most part, these are settings that are not directly related to the D2000

We recommend running the commands from a command line running with administrator rights, otherwise, some may not be executed correctly (e.g. renaming an account).

Preventing the connection of client disks when connecting via RDP (the setting also disables file copying via RDP)

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fDisableCdm /t REG_DWORD /d 1 /f

Electronic signing of SMB server communication packets

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v requiresecuritysignature /t REG_DWORD /d 1 /f

Preventing anonymous browsing of account and other sensitive data from Security Accounts Manager (SAM)

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v restrictanonymous /t REG_DWORD /d 1 /f

Renaming the local administrator account

wmic useraccount where name='Administrator' rename some_unknown_name

Disabling the autostart of the DHCP Client service (unnecessary if fixed IP addresses are used)

sc config "Dhcp" start= disabled

Disabling the autostart of the "IKE and AuthIP IPsec Keying Modules" service (unnecessary if VPN connections are not made from the computer).

sc config "IKEEXT" start= disabled

Disabling the autostart of the "IPsec Policy Agent" service (unnecessary if VPN connections are not made from the computer).

sc config "PolicyAgent" start= disabled

Enforcing a higher level of encryption (High - at least 128 bits) when connecting via RDP

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t REG_DWORD /d 3 /f

Increasing the level of auditing

auditpol /set /subcategory:"Sensitive Privilege Use" /failure:enable /success:enable
auditpol /set /subcategory:"Security System Extension" /failure:enable /success:enable
auditpol /set /subcategory:"IPsec Driver" /failure:enable /success:enable
auditpol /set /subcategory:"Credential Validation" /failure:enable /success:enable
auditpol /set /subcategory:"Application Group Management" /failure:enable /success:enable
auditpol /set /subcategory:"Computer Account Management" /failure:enable /success:enable
auditpol /set /subcategory:"Other Account Management Events" /failure:enable /success:enable
auditpol /set /subcategory:"Security Group Management" /failure:enable /success:enable
auditpol /set /subcategory:"User Account Management" /failure:enable /success:enable
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Account Lockout" /failure:enable /success:enable
auditpol /set /subcategory:"Other Logon/Logoff Events" /failure:enable /success:enable
auditpol /set /subcategory:"Other Object Access Events" /failure:enable /success:enable
auditpol /set /subcategory:"Removable storage" /failure:enable /success:enable
auditpol /set /subcategory:"Audit Policy Change" /failure:enable /success:enable
auditpol /set /subcategory:"Authorization Policy Change" /success:enable

Blocking the use of older and vulnerable TLS 1.0 and 1.1 and enabling TLS 1.2 (e.g. for Terminal Services)

powershell -command "New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null"

powershell -command "New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null"

Blocking the use of DES-CBC3-SHA, RC4-SHA and RC4-MD5 encryption (e.g. for Terminal Services)

powershell -command "([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$env:COMPUTERNAME)).CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56')"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$env:COMPUTERNAME)).CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128')"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$env:COMPUTERNAME)).CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128')"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$env:COMPUTERNAME)).CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128')"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$env:COMPUTERNAME)).CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128')"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"
powershell -command "([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$env:COMPUTERNAME)).CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168')"
powershell -command "New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null"

Disabling the use of vulnerable cipher suites

powershell -command "Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_256_GCM_SHA384""
powershell -command "Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_128_GCM_SHA256""
powershell -command "Disable-TlsCipherSuite -Name "TLS_RSA_WITH_3DES_EDE_CBC_SHA""
powershell -command "Disable-TlsCipherSuite -Name "TLS_RSA_WITH_NULL_SHA256""
powershell -command "Disable-TlsCipherSuite -Name "TLS_RSA_WITH_NULL_SHA""
powershell -command "Disable-TlsCipherSuite -Name "TLS_PSK_WITH_AES_256_GCM_SHA384""
powershell -command "Disable-TlsCipherSuite -Name "TLS_PSK_WITH_AES_128_GCM_SHA256""

Blocking the use of SMBv1 communication protocol and enabling SMBv2

powershell -command "Get-SmbServerConfiguration | Select EnableSMB1Protocol"
powershell -command "Set-SmbServerConfiguration -EnableSMB1Protocol $false"
powershell -command "Get-SmbServerConfiguration | Select EnableSMB2Protocol"
powershell -command "Set-SmbServerConfiguration -EnableSMB2Protocol $true"

Other recommendations:

• We recommend enabling encryption of D2000 inter-process communication.
• We recommend using the D2000 Security Access Server for client access from external networks.
• We recommend using SFTP instead of FTP in the update mechanism for D2000 client installations (D2u_*).
• If some system processes (e.g. OPC UA Server, KOM process, Event Handler) are in a separate network with a lower security level, it is possible to configure a reverse connection (D2000 Server connects to the respective process).
• For encrypted communication, we recommend using certificates issued by a well-known certification authority (internal or external), whose authenticity can be unequivocally verified and which provide a sufficient guarantee of their origin. The recommendation applies to services such as Terminal Services, HTTPS, and others.