Essential Security Settings to Harden Windows Machines : Part 2

In today’s rapidly evolving digital landscape, securing Windows machines is more critical than ever. As cyber threats become more sophisticated, attackers often exploit outdated configurations and legacy settings, leaving systems vulnerable to data breaches and malicious activities. By implementing a series of well-established policies, you can significantly enhance the security posture of your Windows devices, whether they are part of a corporate network or a personal setup. This article focuses on the most recommended settings to secure Windows machines and eliminate potential attack vectors.

Each of these policies plays a vital role in protecting against common threats, reducing the attack surface, and ensuring a more resilient environment.

1 – Disable Solicited Remote Assistance :

The “Disable Solicited Remote Assistance” policy controls whether users can request remote assistance on a computer. When enabled, it prevents users from sending invitations for remote assistance, reducing the risk of unauthorized remote access or misuse of the feature.

Remote Assistance allows a user to share their desktop session with a helper (another user) who can view or control the desktop remotely. Disabling solicited remote assistance helps to enhance security by blocking this feature, especially in environments where remote desktop control is not required or is considered a security risk.

A – Can be applied on :

This policy can be applied to the following operating systems:

  • Windows 10 (all editions)
  • Windows 11 (all editions)
  • Windows Server (2016, 2019, 2022, and later versions)

B – Detect :

To check if this policy is configured on your computer :

$key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$valueName = "fAllowToGetHelp"

if (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue) {
    $value = (Get-ItemProperty -Path $key).$valueName
    if ($value -eq 0) {
        Write-Host "Solicited Remote Assistance is disabled." -ForegroundColor Green
    } else {
        Write-Host "Solicited Remote Assistance is enabled." -ForegroundColor Yellow
    }
} else {
    Write-Host "Policy not configured." -ForegroundColor Red
}

C – PowerShell Configuration :

Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "fAllowToGetHelp" -Value 0 -Type DWORD

D – GPO Configuration :

Path : Computer Configuration\Policies\Administrative Templates\System\Remote Assistance

Policy : Configure Solicited Remote Assistance.

Value : Disabled

gpupdate /force

2 – Disable Anonymous Enumeration of Shares :

The “Disable Anonymous Enumeration of Shares” policy prevents unauthorized users (anonymous users) from viewing shared folders on a Windows computer or server. If this setting is not configured, attackers could potentially enumerate shared resources without providing valid credentials, increasing the risk of information leakage and unauthorized access.

By disabling anonymous enumeration of shares, only authenticated users can list shared folders, which is crucial for securing your environment and reducing the attack surface.

A – Can be applied on :

This policy can be applied to the following operating systems:

  • Windows 10 (all editions)
  • Windows 11 (all editions)
  • Windows Server (2016, 2019, 2022, and later versions)

B – Detect :

To check if this policy is configured on your computer :

# "Network access: Do not allow anonymous enumeration of SAM accounts and shares"
# is stored under the Lsa key as RestrictAnonymous (1 = enabled, 0 = disabled).
$key = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$valueName = "RestrictAnonymous"

if (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue) {
    $value = (Get-ItemProperty -Path $key).$valueName
    if ($value -eq 1) {
        Write-Host "Anonymous enumeration of shares is disabled." -ForegroundColor Green
    } elseif ($value -eq 0) {
        Write-Host "Anonymous enumeration of shares is enabled." -ForegroundColor Red
    } else {
        Write-Host "Policy is configured with an unexpected value." -ForegroundColor Yellow
    }
} else {
    Write-Host "Policy not configured." -ForegroundColor Red
}

C – PowerShell Configuration :

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RestrictAnonymous" -Value 1 -Type DWord

D – GPO Configuration :

Path : Computer Configuration\Policies\Windows Settings\Local Policies\Security Options

Policy : Network access: Do not allow anonymous enumeration of SAM accounts and shares

Value : Enabled

gpupdate /force

3 – Set folder access-based enumeration for shares :

The “Set Folder Access-Based Enumeration (ABE) for Shares” policy controls whether users can see only the files and folders they have permission to access in a shared network folder. With Access-Based Enumeration (ABE) enabled:

  • Users cannot see files or folders they do not have permission to access.
  • It enhances security by hiding content from unauthorized users.
  • It reduces information disclosure risks, preventing users from discovering the existence of files or folders they should not know about.

This feature is particularly useful in shared environments where multiple users have different levels of access to the same shared folder.

A – Can be applied on :

This policy can be applied to:

  • Windows Server (2008 R2, 2012 R2, 2016, 2019, 2022, and later versions)

Note: The ABE feature is primarily used on Windows Server operating systems where shared folders are configured.

B – Detect :

To check if this policy is configured on your computer :

Get-SmbShare | Select-Object Name, FolderEnumerationMode

C – PowerShell Configuration :

Set-SmbShare -Name "ShareName" -FolderEnumerationMode AccessBased
Write-Output "Access-Based Enumeration has been enabled for the shared folder 'ShareName'."

D – Server Configuration :

Follow these steps:

  • Launch SERVER MANAGER (Server 2012 and above)
  • Click on FILE AND STORAGE SERVICES
  • Click on SHARES
  • Right click on each share you want to set Access-Based Enumeration on, select PROPERTIES
  • Click SETTINGS
  • Click ENABLE ACCESS BASED ENUMERATION

gpupdate /force
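The Set-SmbShare line above handles one share at a time. The following script is an added example (not code from the original article): it enables Access-Based Enumeration on every non-administrative share on the server, reports what changed, and then verifies that nothing was left in Unrestricted mode. It assumes the SmbShare module (Windows Server 2012 or later) and an elevated session; the -ReportOnly switch is this example's own parameter.

```powershell
# Added example: enable Access-Based Enumeration on all non-administrative shares.
# Assumes the SmbShare module (Windows Server 2012+) and an elevated session.
param(
    [switch]$ReportOnly   # only report what would change, do not modify shares
)

# Administrative shares (C$, ADMIN$, IPC$) are flagged Special and are left untouched.
$shares = Get-SmbShare | Where-Object { -not $_.Special }

foreach ($share in $shares) {
    if ($share.FolderEnumerationMode -eq 'AccessBased') {
        Write-Host ("{0,-25} already AccessBased" -f $share.Name) -ForegroundColor Green
        continue
    }
    if ($ReportOnly) {
        Write-Host ("{0,-25} would change from {1} to AccessBased" -f $share.Name, $share.FolderEnumerationMode) -ForegroundColor Yellow
        continue
    }
    # -Force suppresses the confirmation prompt that Set-SmbShare shows by default.
    Set-SmbShare -Name $share.Name -FolderEnumerationMode AccessBased -Force
    Write-Host ("{0,-25} changed to AccessBased" -f $share.Name) -ForegroundColor Cyan
}

# Verification: any non-administrative share still in Unrestricted mode is a finding.
$nonCompliant = Get-SmbShare | Where-Object { -not $_.Special -and $_.FolderEnumerationMode -ne 'AccessBased' }
if ($nonCompliant) {
    Write-Host "Shares without Access-Based Enumeration:" -ForegroundColor Red
    $nonCompliant | Format-Table Name, Path, FolderEnumerationMode -AutoSize
} else {
    Write-Host "All non-administrative shares use Access-Based Enumeration." -ForegroundColor Green
}
```

Run it once with -ReportOnly to see which shares would be affected before applying. Note that ABE only hides entries the user has no permission to read; it is not a substitute for correct NTFS and share permissions.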

4 – Set user authentication for remote connections using Network Level Authentication :

The “Set User Authentication for Remote Connections Using Network Level Authentication (NLA)” policy ensures that users authenticate before establishing a Remote Desktop Protocol (RDP) session. With NLA enabled, the client must authenticate first, before the Remote Desktop session is created.

This improves security by :

  • Reducing the risk of unauthorized access.
  • Preventing Denial of Service (DoS) attacks against the RDP service.
  • Requiring stronger authentication methods like NTLM or Kerberos.

Enabling NLA significantly reduces the attack surface for Remote Desktop Services by blocking unauthenticated users from connecting.

A – Can be applied on :

This policy can be applied to:

  • Windows 10 (all editions)
  • Windows 11 (all editions)
  • Windows Server (2012 R2, 2016, 2019, 2022, and later versions)

B – Detect :

To check if this policy is configured on your computer :

$key = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
$valueName = "UserAuthentication"

if (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue) {
    $value = (Get-ItemProperty -Path $key).$valueName
    if ($value -eq 1) {
        Write-Host "Network Level Authentication (NLA) is enabled." -ForegroundColor Green
    } else {
        Write-Host "Network Level Authentication (NLA) is disabled." -ForegroundColor Red
    }
} else {
    Write-Host "Policy not configured." -ForegroundColor Red
}

C – PowerShell Configuration :

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Value 1 -Type DWord

D – GPO Configuration :

Path : Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security

Policy : Require user authentication for remote connections by using Network Level Authentication

Value : Enabled

gpupdate /force
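The registry check above reads the listener value directly. As an added example (not code from the original article), the script below queries the same setting through the Terminal Services WMI provider, which reflects the effective state whether it was set locally or by Group Policy, reports whether the GPO value is also present, and can enforce NLA with the provider's own method. It assumes the default RDP-Tcp listener and an elevated session; the -Enforce switch is this example's own parameter.

```powershell
# Added example: check (and optionally enforce) NLA via the Terminal Services WMI provider.
# Assumes the default RDP-Tcp listener and an elevated session.
param([switch]$Enforce)

# Value written by the GPO "Require user authentication for remote connections by using NLA".
$policyKey   = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$policyValue = Get-ItemProperty -Path $policyKey -Name UserAuthentication -ErrorAction SilentlyContinue

# Win32_TSGeneralSetting exposes the listener configuration that RDP actually uses.
$listener = Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'"

[pscustomobject]@{
    ListenerNLA   = [bool]$listener.UserAuthenticationRequired
    # SecurityLayer: 0 = RDP security layer, 1 = negotiate, 2 = TLS. NLA needs TLS or negotiate.
    SecurityLayer = $listener.SecurityLayer
    GpoConfigured = if ($policyValue) { $policyValue.UserAuthentication -eq 1 } else { $false }
} | Format-List

if ($Enforce -and -not $listener.UserAuthenticationRequired) {
    # The provider method updates the WinStations\RDP-Tcp\UserAuthentication value.
    $result = Invoke-CimMethod -InputObject $listener -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 }
    if ($result.ReturnValue -eq 0) {
        Write-Host "NLA is now required on RDP-Tcp." -ForegroundColor Green
    } else {
        Write-Host "SetUserAuthenticationRequired failed with code $($result.ReturnValue)." -ForegroundColor Red
    }
}
```

If ListenerNLA is true but GpoConfigured is false, the setting is only local and a user with admin rights (or a later image rebuild) can silently revert it; deploying the GPO makes it stick. Before enforcing, confirm that every client that must connect supports CredSSP, because NLA rejects clients that cannot authenticate before the session is created.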

5 – Disable ‘Installation and configuration of Network Bridge’

The “Disable ‘Installation and Configuration of Network Bridge'” policy prevents users from creating or configuring a network bridge on their device. A network bridge is a feature that allows two or more network connections to act as a single network. While useful in some scenarios, allowing users to create a network bridge can pose security risks, such as:

  • Bypassing network controls and firewall rules.
  • Enabling unauthorized network access or creating unintended connections.
  • Inadvertently exposing internal networks to external threats.

By disabling this capability, you can reduce the attack surface and maintain better control over network configuration.

A – Can be applied on :

This policy can be applied to:

  • Windows 10 (all editions)
  • Windows 11 (all editions)
  • Windows Server (2012 R2, 2016, 2019, 2022, and later versions)

B – Detect :

To check if this policy is configured on your computer :

$key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections"
$valueName = "NC_AllowNetBridge_NLA"

if (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue) {
    $value = (Get-ItemProperty -Path $key).$valueName
    if ($value -eq 0) {
        Write-Host "Installation and configuration of Network Bridge is disabled." -ForegroundColor Green
    } else {
        Write-Host "Installation and configuration of Network Bridge is enabled." -ForegroundColor Red
    }
} else {
    Write-Host "Policy not configured." -ForegroundColor Red
}

C – PowerShell Configuration :

Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections" -Name "NC_AllowNetBridge_NLA" -Value 0 -Type DWord

D – GPO Configuration :

Path : Computer Configuration\Policies\Administrative Templates\Network\Network Connections

Policy : Prohibit installation and configuration of Network Bridge on your DNS domain network

Value : Enabled

gpupdate /force

6 – Disable the local storage of passwords and credentials :

The “Disable the local storage of passwords and credentials” policy prevents Windows from caching user credentials locally. By default, Windows can store credentials (e.g., usernames and passwords) for later use, allowing features like automatic login to shared resources. However, storing credentials locally can present security risks, including:

  • Exposure of cached credentials if the system is compromised.
  • Increased risk of credential theft attacks (e.g., pass-the-hash or pass-the-ticket attacks).
  • Potential unauthorized access, especially on shared or multi-user systems.

Disabling local storage of passwords and credentials helps protect against these risks by ensuring that credentials are not stored on the device.

A – Can be applied on :

This policy can be applied to:

  • Windows 10 (all editions)
  • Windows 11 (all editions)
  • Windows Server (2012 R2, 2016, 2019, 2022, and later versions)

B – Detect :

To check if this policy is configured on your computer :

# "Network access: Do not allow storage of passwords and credentials for network
# authentication" is stored under the Lsa key as DisableDomainCreds (1 = enabled).
$key = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$valueName = "DisableDomainCreds"

if (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue) {
    $value = (Get-ItemProperty -Path $key).$valueName
    if ($value -eq 1) {
        Write-Host "Local storage of passwords and credentials is disabled." -ForegroundColor Green
    } else {
        Write-Host "Local storage of passwords and credentials is enabled." -ForegroundColor Red
    }
} else {
    Write-Host "Policy not configured." -ForegroundColor Red
}

C – PowerShell Configuration :

# The Lsa key always exists, so no New-Item is needed before writing the value.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "DisableDomainCreds" -Value 1 -Type DWord

D – GPO Configuration :

Path : Computer Configuration\Policies\Windows Settings\Local Policies\Security Options

Policy : Network access: Do not allow storage of passwords and credentials for network authentication

Value : Enabled

gpupdate /force

7 – Enable ‘Microsoft network client: Digitally sign communications (always)’ :

The “Microsoft network client: Digitally sign communications (always)” policy enforces the use of digital signatures for all SMB (Server Message Block) communications from the client. When this policy is enabled, the client must digitally sign all SMB packets sent to the server. This ensures:

  • Integrity: Protects against man-in-the-middle attacks by verifying that the data has not been tampered with during transit.
  • Authentication: Confirms that the data was sent by a legitimate client.
  • Security: Prevents unauthorized modifications of SMB packets.

Enabling this policy enhances the security of network communications, especially in environments where sensitive data is transmitted.

A – Can be applied on :

This policy can be applied to:

  • Windows 10 (all editions)
  • Windows 11 (all editions)
  • Windows Server (2012 R2, 2016, 2019, 2022, and later versions)

B – Detect :

To check if this policy is configured on your computer :

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"
$valueName = "RequireSecuritySignature"

if (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue) {
    $value = (Get-ItemProperty -Path $key).$valueName
    if ($value -eq 1) {
        Write-Host "Microsoft network client: Digitally sign communications (always) is enabled." -ForegroundColor Green
    } else {
        Write-Host "Microsoft network client: Digitally sign communications (always) is disabled." -ForegroundColor Red
    }
} else {
    Write-Host "Policy not configured." -ForegroundColor Red
}

C – PowerShell Configuration :

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name "RequireSecuritySignature" -Value 1 -Type DWord

D – GPO Configuration :

Path : Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options

Policy : Microsoft network client: Digitally sign communications (always)

Value : Enabled

gpupdate /force
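The registry value shows what is configured; the SMB cmdlets show what is in effect and which live connections actually negotiated signing. The following script is an added example (not code from the original article) that reports the client-side and server-side signing settings together and lists current outbound connections with their signing state. It assumes Windows 8 / Server 2012 or later, where the SmbShare module is available.

```powershell
# Added example: report the effective SMB signing posture and the signing state of
# current SMB connections. Assumes Windows 8 / Server 2012 or later.

$client = Get-SmbClientConfiguration
$server = Get-SmbServerConfiguration

[pscustomobject]@{
    # Setting enforced in this section: "Microsoft network client: Digitally sign communications (always)"
    ClientRequireSigning = $client.RequireSecuritySignature
    ClientEnableSigning  = $client.EnableSecuritySignature
    # Server-side counterpart: "Microsoft network server: Digitally sign communications (always)"
    ServerRequireSigning = $server.RequireSecuritySignature
    ServerEnableSigning  = $server.EnableSecuritySignature
} | Format-List

# Outbound connections from this machine. With client signing required, every row should show
# Signed = True; a server that cannot sign never appears here because the connection is refused.
Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect, Signed, Encrypted |
    Format-Table -AutoSize

# Optional enforcement through the SMB cmdlet instead of the raw registry write above:
# Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
```

Review the connection list before rolling the setting out broadly: any server that shows Signed = False today will stop being reachable from this client once signing is required, so those servers need their own signing enabled first.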

8 – Account Lockout Policies :

The Account Lockout Policies are designed to help prevent unauthorized access to user accounts by temporarily locking an account after a specified number of failed login attempts. These policies include three key settings:

  • Account Lockout Threshold: Defines the number of failed login attempts that trigger the account lockout.
  • Account Lockout Duration: Specifies the amount of time (in minutes) the account remains locked.
  • Reset Account Lockout Counter After: Determines the time period (in minutes) after which the counter for failed login attempts is reset.

These settings help mitigate brute-force attacks, where an attacker attempts to guess a password by repeatedly trying different combinations.

A – Can be applied on :

Account Lockout Policies can be applied to:

  • Windows 10 (all editions)
  • Windows 11 (all editions)
  • Windows Server (2008 R2, 2012 R2, 2016, 2019, 2022, and later versions)

B – Detect :

To check if this policy is configured on your computer :

  • Domain Environment :
Import-Module ActiveDirectory
Get-ADDefaultDomainPasswordPolicy | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
  • Local Machine :
secedit /export /cfg C:\account_lockout_policies.txt
Select-String -Path C:\account_lockout_policies.txt -Pattern "LockoutBadCount|LockoutDuration|ResetLockoutCount"

C – PowerShell Configuration :

$Threshold = 3
$Duration = 15
$ResetTime = 15

# Set the account lockout threshold (number of invalid login attempts)
net accounts /lockoutthreshold:$Threshold

# Set the account lockout duration (in minutes)
net accounts /lockoutduration:$Duration

# Set the time to reset the lockout counter (in minutes)
net accounts /lockoutwindow:$ResetTime

Write-Output "Account Lockout Policies have been configured: Threshold= $($Threshold), Duration= $($Duration) minutes, Reset Time= $($ResetTime) minutes."

D – GPO Configuration :

Path : Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy

Configure the following settings:

  • Account Lockout Threshold : Set the number of failed login attempts (e.g., 3).
  • Account Lockout Duration : Set the lockout duration (e.g., 15 minutes).
  • Reset Account Lockout Counter After : Set the time to reset the lockout counter (e.g., 15 minutes).

Click Apply and OK.

gpupdate /force
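The Select-String check above only prints the raw lines. As an added example (not code from the original article), the script below exports the local security policy with secedit, parses the [System Access] section into a hashtable, and compares the three lockout values against a baseline of 3 / 15 / 15 (the values used in this section). It handles the cases the raw grep hides: a threshold of 0 means lockout is off entirely, the duration and reset keys are absent in that case, and a duration of -1 means the account stays locked until an administrator unlocks it. It assumes an elevated session; the baseline values and the temporary file name are this example's own.

```powershell
# Added example: parse the secedit export and check lockout settings against a baseline.
# Assumes an elevated session (secedit needs it). Baseline values are this example's own.

$baseline = @{ LockoutBadCount = 3; LockoutDuration = 15; ResetLockoutCount = 15 }
$export   = Join-Path $env:TEMP "secpol_$PID.inf"

secedit /export /cfg $export /areas SECURITYPOLICY | Out-Null
if (-not (Test-Path $export)) { throw "secedit export failed; run from an elevated prompt." }

# The export is an INI-style file; keep only key = value lines from [System Access].
$section  = $null
$settings = @{}
foreach ($line in Get-Content $export) {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
    if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
        $settings[$Matches[1]] = $Matches[2]
    }
}
Remove-Item $export -ErrorAction SilentlyContinue

# LockoutBadCount = 0 disables lockout; LockoutDuration/ResetLockoutCount are then not exported.
$threshold = [int]$settings['LockoutBadCount']
if ($threshold -eq 0) {
    Write-Host "Account lockout is disabled (LockoutBadCount = 0)." -ForegroundColor Red
    return
}

foreach ($name in $baseline.Keys) {
    $actual = if ($settings.ContainsKey($name)) { [int]$settings[$name] } else { $null }
    $ok = switch ($name) {
        # A lower threshold is stricter than the baseline, so "at most" is compliant.
        'LockoutBadCount'   { ($null -ne $actual) -and ($actual -le $baseline[$name]) }
        # -1 = locked until an administrator unlocks the account, which is stricter than any minute value.
        'LockoutDuration'   { ($null -ne $actual) -and ($actual -eq -1 -or $actual -ge $baseline[$name]) }
        'ResetLockoutCount' { ($null -ne $actual) -and ($actual -ge $baseline[$name]) }
    }
    $status = if ($ok) { 'OK' } else { 'FAIL' }
    $color  = if ($ok) { 'Green' } else { 'Red' }
    Write-Host ("{0,-20} actual={1,-5} baseline={2,-5} {3}" -f $name, $actual, $baseline[$name], $status) -ForegroundColor $color
}
```

On a domain-joined machine the effective values for domain accounts come from the Default Domain Policy (or a fine-grained password policy), so pair this local check with the Get-ADDefaultDomainPasswordPolicy query shown in the Detect step.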

9 – Disable ‘Continue running background apps when Google Chrome is closed’ :

The “Disable ‘Continue running background apps when Google Chrome is closed'” policy controls whether Google Chrome can continue running background processes after the browser is closed. These background processes may include extensions, notifications, or other tasks. Disabling this feature has several benefits:

  • Improved Performance: Frees up system resources by stopping Chrome processes when the browser is closed.
  • Enhanced Security: Reduces the risk of malicious extensions running in the background.
  • Battery Optimization: Saves battery life on laptops by reducing CPU usage when Chrome is closed.

This policy is particularly useful in enterprise environments to prevent unnecessary resource consumption.

A – Can be applied on :

This policy can be applied to:

  • Windows 10 (all editions)
  • Windows 11 (all editions)
  • Windows Server (2012 R2, 2016, 2019, 2022, and later versions)

B – Detect :

To check if this policy is configured on your computer :

$key = "HKLM:\SOFTWARE\Policies\Google\Chrome"
$valueName = "BackgroundModeEnabled"

if (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue) {
    $value = (Get-ItemProperty -Path $key).$valueName
    if ($value -eq 0) {
        Write-Host "Chrome background apps are disabled when the browser is closed." -ForegroundColor Green
    } else {
        Write-Host "Chrome background apps are enabled when the browser is closed." -ForegroundColor Red
    }
} else {
    Write-Host "Policy not configured." -ForegroundColor Red
}

C – PowerShell Configuration :

New-Item -Path "HKLM:\SOFTWARE\Policies\Google\Chrome" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Google\Chrome" -Name "BackgroundModeEnabled" -Value 0 -Type DWord

D – GPO Configuration :

To configure this policy using Group Policy, you need the Google Chrome ADMX templates:

  1. Download the Google Chrome ADMX templates from the Google Chrome Enterprise Help Center.
  2. Copy the ADMX file (chrome.admx) and the language file (chrome.adml) to your Group Policy Central Store (C:\Windows\PolicyDefinitions).
  3. Open the Group Policy Management Console (GPMC).
  4. Navigate to : Computer Configuration\Administrative Templates\Google\Google Chrome
  5. Locate the policy “Continue running background apps when Google Chrome is closed”.
  6. Set the policy to “Disabled”.
  7. Click Apply and OK.

gpupdate /force

10 – Enable ‘Require domain users to elevate when setting a network’s location’ :

The “Require domain users to elevate when setting a network’s location” policy controls whether standard domain users are required to provide administrative credentials when changing the network location type (e.g., Public, Private, or Domain) on their machine. The network location type impacts the firewall settings and the level of network sharing, which can affect security:

  • Public Network: Most restrictive, used in public places like coffee shops. Limited sharing and stricter firewall rules.
  • Private Network: Used for trusted networks like home or office. Allows sharing and more relaxed firewall rules.
  • Domain Network: Automatically detected when connected to a domain. Uses domain policies.

This policy prevents standard domain users from accidentally or maliciously changing the network location type, which could weaken the security settings. It helps ensure that only authorized administrators can change the network location, maintaining a consistent security posture.

A – Can be applied on :

This policy can be applied to:

  • Windows 10 (Professional, Enterprise, and Education editions)
  • Windows 11 (Professional, Enterprise, and Education editions)
  • Windows Server (2012 R2, 2016, 2019, 2022, and later versions)

B – Detect :

To check if this policy is configured on your computer :

$key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections"
$valueName = "NC_StdDomainUserSetLocation"

if (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue) {
    $value = (Get-ItemProperty -Path $key).$valueName
    if ($value -eq 1) {
        Write-Host "Policy is enabled: Domain users must elevate to change the network location." -ForegroundColor Green
    } else {
        Write-Host "Policy is disabled: Domain users can change the network location without elevation." -ForegroundColor Red
    }
} else {
    Write-Host "Policy not configured." -ForegroundColor Red
}

C – PowerShell Configuration :

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections" -Name "NC_StdDomainUserSetLocation" -Value 1 -Type DWord

D – GPO Configuration :

Path : Computer Configuration\Policies\Administrative Templates\Network\Network Connections

Policy : Require domain users to elevate when setting a network’s location

Value : Enabled

gpupdate /force
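Each section above checks one value at a time. The following script is an added example (not code from the original article) that audits all of the registry-backed settings in this article in a single pass and, with -Remediate, writes the expected value wherever it is missing or wrong. It assumes an elevated session and Windows 10 / Server 2016 or later; for settings 2 and 6 it checks the Lsa values that the named Security Options write (RestrictAnonymous and DisableDomainCreds). Settings 3 (Access-Based Enumeration) and 8 (account lockout) are not registry values and are left to their own sections. The setting table and the -Remediate switch are this example's own.

```powershell
# Added example: one-pass audit (and optional remediation) of the registry-backed settings
# in this article. Assumes an elevated session on Windows 10 / Server 2016 or later.
param([switch]$Remediate)

# Expected state per setting; Id matches the section number in the article.
$expected = @(
    @{ Id = 1;  Name = 'Solicited Remote Assistance disabled';          Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';               Value = 'fAllowToGetHelp';             Expected = 0 }
    @{ Id = 2;  Name = 'Anonymous enumeration of SAM/shares denied';    Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                   Value = 'RestrictAnonymous';           Expected = 1 }
    @{ Id = 4;  Name = 'RDP requires Network Level Authentication';     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp';   Value = 'UserAuthentication';          Expected = 1 }
    @{ Id = 5;  Name = 'Network Bridge prohibited';                      Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections';                Value = 'NC_AllowNetBridge_NLA';       Expected = 0 }
    @{ Id = 6;  Name = 'No storage of network credentials';              Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                   Value = 'DisableDomainCreds';          Expected = 1 }
    @{ Id = 7;  Name = 'SMB client signing required';                    Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters';         Value = 'RequireSecuritySignature';    Expected = 1 }
    @{ Id = 9;  Name = 'Chrome background mode disabled';                Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';                                        Value = 'BackgroundModeEnabled';       Expected = 0 }
    @{ Id = 10; Name = 'Domain users must elevate to set network location'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections';             Value = 'NC_StdDomainUserSetLocation'; Expected = 1 }
)

$report = foreach ($s in $expected) {
    # Same lookup pattern as the per-section Detect scripts: $null when key or value is absent.
    $actual = $null
    if (Test-Path $s.Path) {
        $actual = (Get-ItemProperty -Path $s.Path -Name $s.Value -ErrorAction SilentlyContinue).($s.Value)
    }
    $state = if ($null -eq $actual)          { 'NotConfigured' }
             elseif ($actual -eq $s.Expected) { 'Compliant' }
             else                             { 'NonCompliant' }

    if ($Remediate -and $state -ne 'Compliant') {
        # Policy keys (e.g. the Chrome one) may not exist yet; create them before writing.
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Value -Value $s.Expected -Type DWord
        $state = 'Remediated'
    }

    [pscustomobject]@{ Id = $s.Id; Setting = $s.Name; Expected = $s.Expected; Actual = $actual; State = $state }
}

$report | Format-Table Id, Setting, Expected, Actual, State -AutoSize

# Exit code = number of findings, so the script can run as a scheduled compliance check.
$failures = @($report | Where-Object { $_.State -in 'NotConfigured', 'NonCompliant' }).Count
exit $failures
```

Run it without -Remediate first and keep the report; on domain-joined machines, prefer fixing findings through the GPO paths given in each section, since a local registry write is overwritten at the next policy refresh if the GPO says otherwise.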

Conclusion :

Securing Windows machines is not just about applying the latest patches or using antivirus software; it requires a holistic approach that includes disabling outdated features, strengthening authentication, and minimizing unnecessary exposures. The policies discussed in this article provide a strong foundation for enhancing security, mitigating risks, and complying with best practices. By enforcing these settings, you can protect your systems against a wide range of attacks, from malware infections to sophisticated network intrusions. Remember that security is a continuous process: regularly review and update these configurations as new threats emerge and technologies evolve. By taking proactive steps today, you can safeguard your Windows environment for the challenges of tomorrow.

Thanks

Aymen EL JAZIRI (Microsoft MVP)