Import-Module -DisableNameChecking "$PSScriptRoot\..\lib\Get-HardwareInfo.psm1"
Import-Module -DisableNameChecking "$PSScriptRoot\..\lib\Title-Templates.psm1"
Import-Module -DisableNameChecking "$PSScriptRoot\..\lib\debloat-helper\Set-ItemPropertyVerified.psm1"
Import-Module -DisableNameChecking "$PSScriptRoot\..\utils\Individual-Tweaks.psm1"
# Adapted from: https://youtu.be/xz3oXHleKoM
# Adapted from: https://github.com/ChrisTitusTech/win10script
# Adapted from: https://github.com/kalaspuffar/windows-debloat
function Optimize-Security() {
    <#
    .SYNOPSIS
        Switches a set of built-in Windows protections back on (or to a stricter value).
    .DESCRIPTION
        Applies, in this order: firewall profiles, Microsoft Defender preferences, SmartScreen
        registry values, SMB 1.0 server support, Autoplay/Autorun, Disable-SearchAppForUnknownExt,
        Explorer file extensions, UAC prompt values and the MSRT Windows Update offer.
        Progress is reported through Write-Title / Write-Section / Write-Status.
    .NOTES
        Takes no parameters and returns nothing of its own.
        NOTE(review): several values are written under HKLM and through Set-* cmdlets, which
        normally need an elevated session; no elevation check is visible in this function.
        NOTE(review): the HKCU values land in the hive of whichever account runs the script,
        which may not be the interactive user when elevation used different credentials - confirm.
    #>
    $TweakType = "Security"

    # Every registry key touched below, collected in one place.
    $EdgePolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge"
    $MrtPolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\MRT"
    $DefenderPolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"
    $MachineExplorerPolicyKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $MachineSystemPolicyKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    $UserExplorerKey = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
    $UserExplorerAdvancedKey = "$UserExplorerKey\Advanced"
    $UserAppHostKey = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost"

    Write-Title "Security Tweaks"

    # --- Firewall -----------------------------------------------------------------------
    # Only the Enabled flag of the three profiles is set; rules and default actions are untouched.
    Write-Section "Windows Firewall"
    Write-Status -Types "+", $TweakType -Status "Enabling default firewall profiles..."
    Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled True

    # --- Microsoft Defender -------------------------------------------------------------
    Write-Section "Windows Defender"
    Write-Status -Types "?", $TweakType -Status "If you already use another antivirus, nothing will happen." -Warning
    Write-Status -Types "+", $TweakType -Status "Ensuring your Windows Defender is ENABLED..."
    # DisableAntiSpyware = 0 clears the policy value that switches Defender off when set to 1.
    Set-ItemPropertyVerified -Path $DefenderPolicyKey -Name "DisableAntiSpyware" -Type DWORD -Value 0
    # NOTE(review): no error handling surrounds the Set-MpPreference calls; confirm they stay
    # quiet when a third-party antivirus is the active product, as the warning above promises.
    Set-MpPreference -DisableRealtimeMonitoring $false -Force

    Write-Status -Types "+", $TweakType -Status "Enabling Microsoft Defender Exploit Guard network protection..."
    # "Enabled" is block mode (the alternative is AuditMode), so connections Defender flags are refused.
    Set-MpPreference -EnableNetworkProtection Enabled -Force

    Write-Status -Types "+", $TweakType -Status "Enabling detection for potentially unwanted applications and block them..."
    Set-MpPreference -PUAProtection Enabled -Force

    # --- SmartScreen --------------------------------------------------------------------
    Write-Section "SmartScreen"
    Write-Status -Types "+", $TweakType -Status "Enabling 'SmartScreen' for Microsoft Edge..."
    # NOTE(review): Policies\Microsoft\MicrosoftEdge is the legacy (EdgeHTML) Edge policy key.
    # Chromium-based Edge reads its policies from Policies\Microsoft\Edge, so this value
    # likely has no effect on current Edge builds - confirm which browser is being targeted.
    Set-ItemPropertyVerified -Path "$EdgePolicyKey\PhishingFilter" -Name "EnabledV9" -Type DWord -Value 1

    Write-Status -Types "+", $TweakType -Status "Enabling 'SmartScreen' for Store Apps..."
    Set-ItemPropertyVerified -Path $UserAppHostKey -Name "EnableWebContentEvaluation" -Type DWord -Value 1

    # --- SMB 1.0 ------------------------------------------------------------------------
    Write-Section "Old SMB Protocol"
    # Details: https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858
    Write-Status -Types "+", $TweakType -Status "Disabling SMB 1.0 protocol..."
    # NOTE(review): this switches off SMB1 on the server side only; the SMB1 client is a
    # separate component and is not changed by this call.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # --- Removable media ----------------------------------------------------------------
    Write-Section "Autoplay and Autorun (Removable Devices)"
    Write-Status -Types "-", $TweakType -Status "Disabling Autoplay..."
    # Per-user value (HKCU): covers only the account running the script.
    Set-ItemPropertyVerified -Path "$UserExplorerKey\AutoplayHandlers" -Name "DisableAutoplay" -Type DWord -Value 1

    Write-Status -Types "-", $TweakType -Status "Disabling Autorun for all Drives..."
    # 255 (0xFF) sets every bit of the drive-type mask; machine-wide value (HKLM).
    Set-ItemPropertyVerified -Path $MachineExplorerPolicyKey -Name "NoDriveTypeAutoRun" -Type DWord -Value 255

    # --- Unknown file types -------------------------------------------------------------
    Write-Section "Microsoft Store"
    # Helper defined outside this file (presumably in Individual-Tweaks.psm1 - verify).
    Disable-SearchAppForUnknownExt

    # --- Explorer -----------------------------------------------------------------------
    Write-Section "Windows Explorer"
    Write-Status -Types "+", $TweakType -Status "Enabling Show file extensions in Explorer..."
    # Visible extensions make double-extension names such as "invoice.pdf.exe" easier to spot.
    Set-ItemPropertyVerified -Path $UserExplorerAdvancedKey -Name "HideFileExt" -Type DWord -Value 0

    # --- UAC ----------------------------------------------------------------------------
    Write-Section "User Account Control (UAC)"
    # Details: https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings
    Write-Status -Types "+", $TweakType -Status "Raising UAC level..."
    # NOTE(review): per the page linked above, ConsentPromptBehaviorAdmin = 5 ("prompt for
    # consent for non-Windows binaries") and PromptOnSecureDesktop = 1 are the Windows
    # defaults. This restores UAC after it was lowered; it does not select the stricter
    # "always notify" behaviour (value 2).
    $UacValues = @(
        @{ Name = "ConsentPromptBehaviorAdmin"; Value = 5 },
        @{ Name = "PromptOnSecureDesktop"; Value = 1 }
    )
    foreach ($UacValue in $UacValues) {
        Set-ItemPropertyVerified -Path $MachineSystemPolicyKey -Type DWord @UacValue
    }

    # --- Malicious Software Removal Tool ------------------------------------------------
    Write-Section "Windows Update"
    # Details: https://forums.malwarebytes.com/topic/246740-new-potentially-unwanted-modification-disablemrt/
    Write-Status -Types "+", $TweakType -Status "Enabling offer Malicious Software Removal Tool via Windows Update..."
    # 0 lets Windows Update offer MSRT again; the thread above covers the opposite modification.
    Set-ItemPropertyVerified -Path $MrtPolicyKey -Name "DontOfferThroughWUAU" -Type DWord -Value 0

    Write-Status -Types "?", $TweakType -Status "For more tweaks, edit the '$PSCommandPath' file, then uncomment '#SomethingHere' code lines" -Warning

    # ---- Optional tweaks, shipped disabled; uncomment the '#Something' lines to apply them ----

    # Consumes more RAM - Make Windows Defender run in Sandbox Mode (MsMpEngCP.exe and MsMpEng.exe will run on background)
    # Details: https://www.microsoft.com/security/blog/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/
    #Write-Status -Types "+", $TweakType -Status "Enabling Windows Defender Sandbox mode..."
    #setx /M MP_FORCE_USE_SANDBOX 1 # Restart the PC to apply the changes, 0 to Revert

    # Disable Windows Script Host. CAREFUL, this may break stuff, including software uninstall.
    #Write-Status -Types "+", $TweakType -Status "Disabling Windows Script Host (execution of *.vbs scripts and alike)..."
    #Set-ItemPropertyVerified -Path "HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings" -Name "Enabled" -Type DWord -Value 0
}
# Entry point: running this script applies the Windows security tweaks straight away.
# The call takes no arguments and changes system settings as soon as it runs.
Optimize-Security