Enforcing password history prevents users from cycling through old passwords to reuse a favorite. Setting the value to **24** (maximum) means a user must create 24 different passwords before reusing any previous one. Without this policy, users can change their password twice in a row to immediately restore their preferred (potentially compromised) password, completely circumventing password age requirements.
Setting a minimum password age of **1 day** prevents users from immediately changing their password multiple times to exhaust the password history and return to their original password. This policy works in tandem with ACC-001 (Password History = 24).
These two settings work together with ACC-006 (lockout threshold):
Fine-Grained Password Policies (Password Settings Objects / PSOs) allow **different password policies for different user groups** within the same AD domain — overcoming the single-domain-policy limitation. Use this to enforce much stricter policies for privileged accounts.
The Application Identity service (AppIDSvc) is the prerequisite for AppLocker enforcement. Without this service running, AppLocker rules are defined in policy but **never enforced**: applications run freely regardless of the rules. This is a critical configuration gap often missed in AppLocker deployments. The service must be set to Automatic startup so it persists across reboots. On Windows 10 and later the start type is protected and cannot be changed from services.msc; set it with `sc.exe config appidsvc start= auto` (or the System Services GPO setting) and confirm with `Get-Service AppIDSvc` after a reboot.
The AppLocker default executable rules form the baseline allowlist for EXE and COM files. They permit execution from Windows and Program Files directories (where only admins can write) while implicitly denying execution from user-writable locations like %TEMP%, %APPDATA%, and Desktop — the most common malware staging paths. Start with default rules before adding publisher-based rules for specific applications.
Script rules govern execution of the script types AppLocker recognises (.ps1, .vbs, .js, .bat, .cmd) and block them from user-writable paths. Script-based attacks, especially PowerShell and JavaScript, are among the most common malware delivery methods. Blocking scripts from %TEMP%, %APPDATA%, Desktop, and Downloads removes the most dangerous execution paths while preserving legitimate scripts deployed to system directories. When script rules are enforced, PowerShell also runs scripts that are not allowed by policy in Constrained Language Mode, which blocks most .NET- and COM-based offensive tooling; allowed scripts still run in Full Language mode.
Publisher rules are the recommended rule type for AppLocker. They identify executables by digital signature (publisher name, product name, file name, and version) rather than file path or hash. This means publisher rules survive application updates and file moves without requiring policy changes. Publisher rules also provide more meaningful policy documentation — "Allow Microsoft Corporation / Office 365" is far more readable than a file hash.
Windows Installer (MSI/MSP/MST) rules control which installer packages can run. Without MSI rules enforced, a standard user can run any .msi installer — including malware delivered as a signed or unsigned MSI package. MSI files are increasingly used in phishing campaigns because many security tools skip scanning them. Restricting MSI execution to signed files or specific publishers significantly reduces the attack surface.
Packaged App rules control execution of MSIX and Store (UWP) apps. If you enforce Executable rules without configuring Packaged App rules, all Store/MSIX apps may be blocked by default. This policy ensures Store apps used in the enterprise (Teams, Calculator, Photos) are explicitly allowed, while providing a mechanism to block unwanted Store apps (gaming apps, social media) that arrive via Windows Update or user installation.
DLL rules extend AppLocker to control which DLL files can be loaded. This closes the DLL hijacking attack path where malware drops a malicious DLL with the same name as a legitimate one in a user-writable directory. However, DLL rules are the most complex and high-maintenance AppLocker collection: you must create allow rules for **every** DLL that every allowed application loads, or applications will fail to load them with no clear error to the user (the blocks are only visible in the AppLocker EXE and DLL event log). Roll DLL rules out in Audit-only mode and mine those events before switching to Enforce.
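The checks a practitioner would run after deploying the AppLocker collections above, as an added example (not code from the original page): confirm AppIDSvc is actually enforcing, show the enforcement mode of each rule collection, and test how sample files in system and user-writable paths would be treated. It assumes the AppLocker PowerShell module (Windows 8 / Server 2012 and later) and an elevated session; the staged test files are created by the script itself.

```powershell
# Added example: verify AppLocker is enforcing and test sample paths against the effective policy.
# Assumes admin rights and the AppLocker module. Test files are created here, not taken from any page.

# 1. AppIDSvc must be running and Automatic, otherwise no collection is enforced.
#    Windows 10+ protects the start type; services.msc cannot change it, sc.exe can.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
$svc = Get-Service -Name AppIDSvc
"AppIDSvc: Status={0} StartType={1}" -f $svc.Status, $svc.StartType

# 2. Effective policy = merged GPO + local policy. Show enforcement per collection.
[xml]$pol = Get-AppLockerPolicy -Effective -Xml
foreach ($rc in $pol.AppLockerPolicy.RuleCollection) {
    "{0,-12} EnforcementMode={1,-14} Rules={2}" -f $rc.Type, $rc.EnforcementMode, $rc.ChildNodes.Count
}

# 3. Stage files in the paths the default rules should deny. Test-AppLockerPolicy needs real
#    files because it evaluates publisher/hash attributes, so copy a signed binary and write a script.
Copy-Item "$env:SystemRoot\System32\calc.exe" "$env:TEMP\dropper.exe" -Force
Set-Content -Path "$env:APPDATA\update.ps1" -Value 'Write-Output test'

$paths = @(
    "$env:SystemRoot\System32\calc.exe",   # Windows folder: Allowed by default rules
    "$env:TEMP\dropper.exe",               # user-writable staging path: should be Denied
    "$env:APPDATA\update.ps1"              # script from the user profile: should be Denied
)
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $paths -User 'Everyone' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

Remove-Item "$env:TEMP\dropper.exe", "$env:APPDATA\update.ps1" -ErrorAction SilentlyContinue
```

If the second and third rows do not come back as `Denied`, either the collection is in AuditOnly/NotConfigured or a broad rule (for example a path rule on `%OSDRIVE%\*`) is shadowing the defaults; the MatchingRule column shows which.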
Blocks the abuse of vulnerable signed drivers (BYOVD — Bring Your Own Vulnerable Driver). Attackers load legitimately-signed but exploitable kernel drivers (e.g., RTCore64.sys, gdrv.sys) to disable security products, escalate privileges, or tamper with kernel memory. This rule detects and blocks known vulnerable driver loading patterns.
Prevents Adobe Reader from spawning child processes. PDF-based attacks frequently use Adobe Reader as an initial access vector, executing JavaScript that spawns cmd.exe, PowerShell, or other processes to deliver payloads. This rule blocks that execution chain at the process creation level.
Blocks Microsoft Office applications (Word, Excel, PowerPoint, OneNote, Access) from spawning child processes. Macro-based attacks and document exploits rely on Office spawning cmd.exe, PowerShell, wscript.exe, or mshta.exe. This rule breaks the most common Office-based initial access execution chains seen in ransomware and APT campaigns. Outlook is not in this rule's scope; it is covered by the separate Office communication application rule.
Prevents Office applications from writing executable files (.exe, .dll, .sys, .scr, etc.) to disk. Malicious macros and exploits frequently drop payload executables or DLLs from Office processes. This rule stops the file-write step of the attack chain.
Prevents Office applications from injecting code into other processes via techniques like `VirtualAllocEx`, `WriteProcessMemory`, or `CreateRemoteThread`. Process injection is a core technique for running shellcode, bypassing application controls, and hiding malicious activity inside legitimate processes.
Blocks JavaScript (.js) and VBScript (.vbs) files from launching executables they download from the internet. This breaks the dropper pattern where a .js/.vbs attachment downloads and executes a payload binary. One of the most effective rules for blocking drive-by and email-based malware delivery.
Detects and blocks scripts that use obfuscation techniques — char/string encoding, base64-embedded code, XOR encoding, compressed blobs — commonly used by malware to evade static analysis. Covers PowerShell, JavaScript, VBScript, and other scripting engines.
Blocks process creation via PSExec and WMI — two of the most widely abused lateral movement tools in enterprise environments. Ransomware operators (LockBit, BlackCat, Ryuk) use WMI and PSExec to deploy payloads across a network. This rule is critical but has significant false positive potential in environments using SCCM, MECM, or RMM tools.
Blocks attempts to read memory from LSASS (Local Security Authority Subsystem Service) — the process that stores NTLM hashes, Kerberos tickets, and other credentials in memory. This is the ASR-layer complement to CRED-003 (LSA PPL). Detects and blocks OpenProcess() + ReadProcessMemory() calls targeting lsass.exe, which is the core Mimikat
Blocks execution of unsigned or untrusted processes launched from USB/removable drives. Blocks the classic "found a USB in the parking lot" attack vector, BadUSB payloads, and physical access attacks where attackers plug in a USB with malicious executables.
Blocks malware from using WMI event subscriptions for persistence — a fileless persistence technique where attackers subscribe to system events (logon, process creation, time-based) to re-execute their payload without writing to disk. Used by APT groups and fileless malware families. Removes one of the most effective fileless persistence mechanisms on Windows.
Blocks Outlook, the Office communication application this rule covers, from spawning child processes. Email clients are a primary initial access vector: a malicious attachment or link opened from Outlook typically spawns cmd.exe, PowerShell, or a downloader. This rule stops the Outlook → shell execution chain while leaving normal Outlook functions intact. Teams, Skype for Business, and Lync are not covered by this rule; process-creation control for those applications has to come from AppLocker/WDAC or EDR policy.
Provides advanced heuristic detection and blocking for ransomware-like behavior — rapid file encryption, bulk file renaming, shadow copy deletion, and other ransomware behavioral patterns. This rule uses cloud-backed intelligence from Microsoft Defender's global threat intelligence to detect
Blocks Office VBA macros from making Win32 API calls using `Declare Function` (direct API calls via kernel32.dll, shell32.dll, etc.). This technique is widely used by macro malware to bypass VBA sandbox restrictions and execute shellcode. Blocks macro-based shellcode injection, process hollowing, and API-based execution techniques that evade standard macro security controls.
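The ASR rules described above, applied and then checked, as an added example (not code from the original page). It enables the rules in Block mode except the PSExec/WMI rule, which starts in Audit because of the false-positive risk noted above, then reads back the configured state and pulls the most recent ASR events. The GUIDs are the identifiers Microsoft publishes for these rules; verify them against the current ASR reference before deploying, and treat the event-data field names in the last step as an assumption to adjust for your build.

```powershell
# Added example: enable the ASR rules above with Add-MpPreference and review ASR events.
# Rule GUIDs are Microsoft's published identifiers; re-check them before production use.

$block = @{
  '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
  '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
  'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
  '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
  '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
  'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
  '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
  '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
  'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
  'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
  '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication application from creating child processes'
  'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
  '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
}
# High false-positive rule: audit first, promote to Block once SCCM/MECM/RMM traffic is understood.
$audit = @{
  'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
}

foreach ($id in $block.Keys) { Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled }
foreach ($id in $audit.Keys) { Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode }

# Read back: actions are 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id   = $pref.AttackSurfaceReductionRules_Ids[$i]
    $name = if ($block[$id]) { $block[$id] } elseif ($audit[$id]) { $audit[$id] } else { '(not in this set)' }
    "{0} action={1} {2}" -f $id, $pref.AttackSurfaceReductionRules_Actions[$i], $name
}

# ASR hits land in the Defender operational log: 1121 = blocked, 1122 = audited.
# Field names (ID, Path, Process Name, User) are as rendered in the event XML; adjust if your build differs.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            Rule    = if ($block[$d['ID']]) { $block[$d['ID']] } elseif ($audit[$d['ID']]) { $audit[$d['ID']] } else { $d['ID'] }
            Process = $d['Process Name']
            Target  = $d['Path']
            User    = $d['User']
        }
    } | Format-Table -AutoSize
```

Run the event query daily while the PSExec/WMI rule is in Audit: every 1122 for that rule is something the Block mode would have stopped, and the Process/Target columns tell you whether it was a deployment tool or something to investigate.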
Windows has two audit policy systems: the legacy 9-category system and the Advanced Audit Policy with more than 50 granular subcategories (the exact number varies by Windows version). This policy ("Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings", registry value SCENoApplyLegacyAuditPolicy) forces Windows to use the advanced system, ignoring any legacy settings. Advanced audit policy is the foundation for all other AUDIT-* policies: without it, subcategory settings can be overwritten by the coarse legacy categories. Every enterprise environment should have this enabled as the first audit configuration step.
Logon auditing is the most fundamental security monitoring capability. Event 4625 (failed logon) is the primary indicator for password spray and brute force attacks: one source address failing against many distinct accounts in a short window is the spray signature. Event 4648 (logon using explicit credentials) fires when a process supplies credentials other than the caller's own (`runas`, `runas /netonly`, scheduled tasks, and many Pass-the-Hash and lateral movement tools), making it a useful lateral movement indicator on the source host. Special Logon (4672) fires whenever a logon is assigned sensitive privileges, enabling privileged-account use tracking.
Process creation auditing with command line logging (Event 4688) is the single most powerful endpoint detection capability after EDR. Every process launch is logged with its full command line, enabling detection of malware execution, LOLBin abuse (certutil, bitsadmin, mshta), Office macro shells, PowerShell download cradles, and lateral movement tools (psexec, wmiexec). The command line field reveals attacker intent that the process name alone cannot. Note that 4688 only carries the command line when the companion setting "Include command line in process creation events" is enabled; without it the event records just the image path.
PowerShell Script Block Logging (Event 4104) captures the actual content of every PowerShell script block executed on the system, including dynamically generated code and decoded obfuscated payloads. This is the single most effective control for detecting PowerShell-based attacks — when an attacker runs an obfuscated download cradle, PowerShell deobfuscates it before execution, and Script Block Logging captures the deobfuscated version. Combined with AMSI, this closes the obfuscation evasion gap.
Object access auditing logs access to files, registry keys, and other securable objects — but only for objects that have a System Access Control List (SACL) configured. Apply SACLs selectively to high-value targets: credential stores, sensitive data folders, critical registry keys (Run keys, SAM, LSA secrets). Auditing everything generates enormous log volume; auditing selectively provides high signal-to-noise detection.
Account management auditing tracks every change to user accounts and security groups. The most critical events are group membership changes to privileged groups (4728/4732) — attackers who gain admin access often add their own accounts or backdoor accounts to Domain Admins. Account creation outside business hours (4720) is a strong persistence indicator. Password resets by admins (4724) targeting service accounts indicate credential harvesting.
Policy change auditing detects attackers modifying security configurations to cover their tracks or weaken defenses. Event 4719 (audit policy changed) is critical: sophisticated attackers disable audit logging before performing malicious actions. Event 4906 (CrashOnAuditFail changed) indicates an attempt to disable audit enforcement. Firewall change events (4944-4950) detect malware or attackers opening firewall holes. These events should trigger immediate SOC investigation.
Privilege use auditing logs when sensitive Windows privileges are invoked. SeDebugPrivilege is used by credential dumping tools (Mimikat
Event 1102 (Security log cleared) is the single highest-priority event in Windows security monitoring. Attackers clear event logs after gaining access to remove evidence of their activity. Clearing the log through Event Viewer, wevtutil, or the API writes 1102 into the freshly cleared log, so the act of clearing leaves its own record; an attacker with SYSTEM can still stop or tamper with the Event Log service, which is why this event should be forwarded to a collector the moment it is written. Event 7045 (new service installed, in the System log) is a primary persistence mechanism indicator: both legitimate software and malware install Windows services. Any unexpected service installation should trigger investigation.
Network share access auditing (5140/5145) detects lateral movement via SMB. Attackers using PsExec, Cobalt Strike, or manual SMB enumeration access admin shares (C$, ADMIN$) — Event 5140 logs every share access with source IP and username. Bulk 5145 events (thousands of file access checks in seconds) indicate ransomware staging for encryption. Filtering Platform events (5152-5158) provide network connection visibility without a full network monitoring solution.
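The AUDIT-* entries above as one configuration-plus-detection script, added here as an example (not code from the original page). It forces the advanced audit policy, enables the subcategories the entries rely on, turns on 4688 command-line capture and PowerShell script block logging, and then runs two detections over the local Security log: the password-spray heuristic for 4625 and a watch-list of the events the text says should page the SOC. It assumes an elevated session on a domain-joined host; the one-hour window and the ten-account threshold are tuning assumptions.

```powershell
# Added example: apply the audit configuration from the AUDIT-* entries and run two detections.
# Assumes admin rights. Thresholds (1 hour, 10 distinct accounts) are assumptions to tune per environment.

# Advanced audit policy must override the legacy categories.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord

$subcats = @(
    'Logon', 'Logoff', 'Special Logon', 'Account Lockout',
    'Process Creation', 'Security Group Management', 'User Account Management',
    'Audit Policy Change', 'Sensitive Privilege Use', 'Security System Extension',
    'File Share', 'Detailed File Share', 'Filtering Platform Connection'
)
foreach ($s in $subcats) { auditpol.exe /set /subcategory:"$s" /success:enable /failure:enable | Out-Null }

# 4688 only includes the command line when this policy is set.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# PowerShell script block logging (4104 in Microsoft-Windows-PowerShell/Operational).
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Helper: flatten an event's EventData into a hashtable keyed by field name.
function ConvertTo-EventData($event) {
    $x = [xml]$event.ToXml(); $d = @{}
    $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    $d
}

$since = (Get-Date).AddHours(-1)

# Detection 1: password spray = one source failing against many distinct accounts.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{ Source = $d['IpAddress']; Account = $d['TargetUserName']; Time = $_.TimeCreated }
    } |
    Group-Object Source |
    ForEach-Object {
        $distinct = ($_.Group.Account | Sort-Object -Unique).Count
        if ($distinct -ge 10) { "SPRAY? source={0} distinct_accounts={1} attempts={2}" -f $_.Name, $distinct, $_.Count }
    }

# Detection 2: events that warrant investigation regardless of volume.
$watch = @{
    1102 = 'Security log cleared'
    4719 = 'Audit policy changed'
    4906 = 'CrashOnAuditFail changed'
    4728 = 'Member added to global security group'
    4732 = 'Member added to local security group'
    4724 = 'Password reset attempted on an account'
}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$watch.Keys; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Meaning = $watch[$_.Id]
            Subject = $d['SubjectUserName']
            Target  = if ($d['TargetUserName']) { $d['TargetUserName'] } else { $d['MemberName'] }
        }
    } | Format-Table -AutoSize
```

The same two queries run unchanged against a forwarded-events collector by swapping `LogName = 'Security'` for `LogName = 'ForwardedEvents'`, which is where the spray heuristic becomes useful: a spray rarely produces ten failures on one host, but it does across the estate.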
The default Security event log si
Windows Event Forwarding (WEF) centrali
Deception-based detection using honeypot accounts and honey files provides near-
BitLocker Network Unlock allows domain-joined machines (typically desktops and servers with UEFI firmware and a wired connection) to automatically unlock their BitLocker-protected OS drive at boot when connected to the corporate network, without requiring a user to enter a PIN. The unlock is performed by a Windows Deployment Services (WDS) server with the Network Unlock feature installed, using a certificate-based key exchange: the client encrypts its request with the server's public key, and the server returns the key only to clients on the trusted network segment. Off the corporate network the TPM+PIN protector applies as usual.
BitLocker on servers is primarily used to protect against **physical access threats** — a decommissioned server, stolen drive, or data center breach. For servers that don’t have a keyboard (headless), Network Unlock (BL-007) is the standard unlock mechanism.
Startup key protectors store the BitLocker unlock key on a USB drive that must be present at boot. This is an alternative to TPM+PIN for systems without a TPM chip, and can be combined with TPM for a two-factor approach.
BitLocker can be temporarily suspended: protection is turned off while the drive stays encrypted, and a "clear key" protector is written to the volume metadata so that the volume master key (VMK) sits on disk unencrypted. This is used legitimately during firmware/BIOS updates and some upgrades. While suspended, anyone with the disk can read the clear VMK from the metadata, use it to decrypt the full volume encryption key (FVEK), and decrypt the volume; attackers also abuse suspension to extract the keys from a machine they have briefly had hands on. Suspend with a bounded reboot count (`Suspend-BitLocker -RebootCount 1`) so protection resumes automatically, and alert on volumes whose protection status stays Off.
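A check for the suspended state described above, as an added example (not code from the original page): it lists every encrypted volume, flags any whose protection is Off (the state in which the clear-key protector exists), and shows the resume command. It assumes the BitLocker PowerShell module and an elevated session; it only reads state unless you uncomment the resume line.

```powershell
# Added example: flag BitLocker volumes that are suspended (clear-key protector present, VMK stored in the clear).
# Assumes the BitLocker module and admin rights. Read-only unless the Resume-BitLocker line is uncommented.

function Get-SuspendedBitLockerVolume {
    Get-BitLockerVolume |
        Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' } |
        ForEach-Object {
            [pscustomobject]@{
                Mount      = $_.MountPoint
                Status     = $_.VolumeStatus
                Protection = $_.ProtectionStatus
                Protectors = ($_.KeyProtector.KeyProtectorType -join ',')
                Suspended  = ($_.ProtectionStatus -eq 'Off')   # Off on an encrypted volume = suspended
            }
        }
}

$vols = Get-SuspendedBitLockerVolume
$vols | Format-Table -AutoSize

foreach ($v in ($vols | Where-Object Suspended)) {
    Write-Warning ("BitLocker suspended on {0}: the VMK is readable from the volume metadata. " +
                   "Resume with: Resume-BitLocker -MountPoint {0}") -f $v.Mount
    # Resume-BitLocker -MountPoint $v.Mount
}
# Same information from the command-line tool: manage-bde -status C:  ("Protection Status: Protection Off")
```

Run it from a scheduled task or your endpoint management agent and route the warnings to the SIEM; a volume that stays suspended for more than one reboot is either a forgotten maintenance window or someone who wants the keys exposed.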
Windows LAPS automatically manages and rotates the local Administrator account password on each machine, storing it securely in Active Directory or Entra ID. Without LAPS, a single compromised local admin password shared across machines can be used for lateral movement to every machine that shares it, which is a common ransomware propagation path. Windows LAPS ships natively in Windows 10, Windows 11, and Windows Server 2019 and later as of the April 2023 cumulative updates (no separate MSI required); the legacy Microsoft LAPS MSI is still needed only on older builds.
WDigest is a legacy HTTP authentication protocol that caches plaintext (reversible) user passwords in LSASS memory. Tools like **Mimikat
LSA Protection (Protected Process Light — PPL) prevents untrusted processes from reading LSASS memory. When enabled, LSASS runs as a protected process, and only code-signed Microsoft drivers/processes can access it. This directly defeats Mimikat
Credential Guard uses Virtuali
NTLMv1 and LM (LAN Manager) hashes and challenge responses are cryptographically weak and can be cracked in seconds to hours with modern hardware. Level 5 (LmCompatibilityLevel=5) forces the OS to send only NTLMv2 responses and to refuse incoming NTLMv1 and LM authentication requests. This removes the ability to downgrade authentication to a weaker protocol and eliminates a large class of cracking attacks. It does not stop NTLMv2 relay: a relayed NTLMv2 response is just as useful to an attacker, so relay has to be addressed with SMB/LDAP signing and channel binding (see the SMB-* entries).
Prevents Windows from sending NTLM authentication to remote servers. This eliminates the ability for attackers to coerce NTLM authentication (via responder, PrinterBug, PetitPotam, etc.) to a rogue server where the hash can be captured and cracked or relayed. Use Audit mode (value=1) first to identify legitimate NTLM dependencies before enforcing Deny.
Members of the **Protected Users** security group receive automatic authentication protections enforced by the Domain Controller:
- NTLM authentication is **blocked** (Kerberos required)
- DES and RC4 Kerberos encryption is **blocked** (AES required)
- Kerberos credential delegation is **blocked**
- Kerberos TGT lifetime is **capped at 4 hours** (not the 10-hour default)
- No credential caching on the local machine (no offline logon)
By default, Windows caches the last 10 domain logon credentials on workstations (25 on servers) as DCC2/MSCACHEv2 hashes to allow offline logon when the DC is unavailable. These cached credentials are stored under HKLM\SECURITY\Cache and can be extracted with SYSTEM privileges (secretsdump, `lsadump::cache`) and cracked offline; DCC2 is PBKDF2-based (10,240 iterations), so cracking is slow but feasible for weak passwords. Setting the count to 0 eliminates this attack surface at the cost of requiring DC connectivity for logon, so keep a non-zero value (1 or 2) on laptops that must log on off the corporate network.
RC4 (ARCFOUR) and single DES are weak Kerberos encryption types: DES is broken outright, and an RC4 Kerberos key is simply the unsalted NT hash, so an RC4-encrypted TGS ticket (etype 23) can be cracked offline at NTLM speed. Kerberoasting specifically requests RC4 tickets for service accounts for that reason. Forcing AES-only Kerberos encryption (etypes 17/18) makes Kerberoasting far more expensive because AES keys are salted and derived with PBKDF2 (4,096 iterations); it does not close the vector, so service accounts still need long random passwords or gMSAs. Caveat: only accounts that hold AES keys (password set after the domain reached the 2008 functional level, msDS-SupportedEncryptionTypes including AES) can authenticate once RC4 is removed, so audit both before enforcing. This setting also relates to CVE-2022-37966 and the KB5021131 Kerberos RC4/PAC hardening changes of November 2022.
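The credential-protection settings from the entries above (WDigest, LSA PPL, NTLM level, outgoing NTLM restriction, cached logons, Kerberos encryption types) as the registry values the policies write, added here as an example and not code from the original page. Outgoing NTLM restriction starts in Audit (1) as the text recommends, and the second half mines the NTLM operational log to list which servers and processes would break under Deny. It assumes an elevated session on a single host (use the equivalent GPO settings in a domain) and that the 8001 event-data field names match the ones used here, which you should confirm on your build.

```powershell
# Added example: apply the CRED-* / NTLM / Kerberos hardening values and find legitimate NTLM dependencies.
# Assumes admin rights. Registry paths are the documented policy-backed locations; reboot required for RunAsPPL.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord          # NTLMv2 only, refuse LM and NTLMv1
Set-ItemProperty $lsa -Name RunAsPPL              -Value 1 -Type DWord          # LSA Protection (LSASS as PPL)
Set-ItemProperty "$lsa\MSV1_0" -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord   # 0 allow, 1 audit, 2 deny

# WDigest: stop keeping reversible passwords in LSASS memory.
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name UseLogonCredential -Value 0 -Type DWord

# Cached domain logons (REG_SZ). 0 for desktops; leave 1-2 on laptops that must log on offline.
Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name CachedLogonsCount -Value '0' -Type String

# Kerberos: AES128 (0x8) + AES256 (0x10) only; 0x18 drops DES and RC4.
$krb = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
New-Item $krb -Force | Out-Null
Set-ItemProperty $krb -Name SupportedEncryptionTypes -Value 0x18 -Type DWord

# Make sure the NTLM operational log is on; Audit mode writes 8001 for each outgoing NTLM authentication.
wevtutil.exe sl Microsoft-Windows-NTLM/Operational /e:true

function Get-OutgoingNtlmDependency {
    # 8001 = outgoing NTLM to a remote server (what Deny would block). Field names assumed: TargetName, ProcessName.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            [pscustomobject]@{ Target = $d['TargetName']; Process = $d['ProcessName'] }
        } |
        Group-Object Target, Process |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Target / Process'; e = { $_.Name } }
}

Get-OutgoingNtlmDependency | Select-Object -First 20 | Format-Table -AutoSize
```

Every row in that table is a server (often a NAS, a printer, or an appliance that speaks only NTLM) that needs either a Kerberos SPN, an entry in the "Add remote server exceptions for NTLM authentication" policy, or a migration plan before RestrictSendingNTLMTraffic moves to 2.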
Real-time protection continuously monitors file system operations, process creation, network connections, and registry changes for malicious behavior. It is the primary detection layer in Microsoft Defender Antivirus. Disabling it — even temporarily — creates a window of exposure where malware can execute, persist, and spread without detection. This policy ensures the setting cannot be changed by users or malware.
Cloud-delivered protection sends metadata about suspicious files and behaviors to Microsoft's cloud intelligence service (MAPS — Microsoft Active Protection Service) for rapid analysis. This enables sub-second detection of brand-new malware variants before local signatures are available. Combined with automatic sample submission, it dramatically reduces the window between malware release and detection. For air-gapped or high-privacy environments, this may need to be disabled with compensating controls.
Behavior monitoring analy
Network Protection extends Microsoft Defender SmartScreen to the OS level, blocking outbound connections to malicious hosts, phishing domains, exploit-hosting URLs, and known C2 infrastructure. It works at the Windows Filtering Platform (WFP) layer, intercepting connections before they reach the application. This is a critical control for stopping malware C2 callbacks, drive-by downloads, and credential phishing attempts on enterprise endpoints.
Attack Surface Reduction rules are granular behavioral controls that block specific attacker techniques at the kernel level. Each rule targets a distinct attack vector: email-delivered executables, Office macro abuse, script obfuscation, process injection, and more. ASR rules work independently of signatures and are effective against
Controlled Folder Access (CFA) protects user documents, Desktop, Downloads, and other configured folders from being modified by unauthori
Defender exclusions are necessary for some legitimate applications (SQL Server, backup agents, AV management consoles) but must be carefully scoped. Attackers enumerate exclusion paths using `Get-MpPreference` and stage payloads there to bypass detection. This policy documents the minimum-exclusion principle: exclude only specific executables or paths, never entire drives or extension classes like `.exe` or `.ps1`. Regularly audit all configured exclusions.
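An audit of the exclusion anti-patterns called out above, plus a posture check for the other Defender entries in this section, as an added example (not code from the original page). It reads `Get-MpPreference` and `Get-MpComputerStatus` and reports only findings; the regexes that define "over-broad" are this example's own heuristics, not a Microsoft list.

```powershell
# Added example: find over-broad Defender exclusions and missing core protections.
# Heuristics for what counts as risky are this example's assumptions; tune them for your estate.

function Get-RiskyDefenderExclusions {
    $p = Get-MpPreference
    $findings = @()
    foreach ($path in @($p.ExclusionPath)) {
        if     ($path -match '^[A-Za-z]:\\?$')                                   { $findings += "Whole drive excluded: $path" }
        elseif ($path -match '\\(Temp|AppData|Downloads|Users\\Public)(\\|$)')    { $findings += "User-writable path excluded: $path" }
        elseif ($path -match '[\*\?]')                                           { $findings += "Wildcard exclusion: $path" }
    }
    foreach ($ext in @($p.ExclusionExtension)) {
        if ($ext -match '^\.?(exe|dll|ps1|vbs|js|bat|cmd|msi|scr|hta)$')         { $findings += "Executable extension excluded: $ext" }
    }
    foreach ($proc in @($p.ExclusionProcess)) {
        # Process exclusions exempt everything that process touches; LOLBins here are a blind spot by design.
        if ($proc -match '(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)\.exe$') { $findings += "LOLBin process excluded: $proc" }
    }
    $findings
}

function Get-DefenderPostureGaps {
    $s = Get-MpComputerStatus
    $p = Get-MpPreference
    $gaps = @()
    if (-not $s.RealTimeProtectionEnabled)       { $gaps += 'Real-time protection off' }
    if (-not $s.IsTamperProtected)               { $gaps += 'Tamper protection off' }
    if (-not $s.BehaviorMonitorEnabled)          { $gaps += 'Behavior monitoring off' }
    if ($p.MAPSReporting -eq 0)                  { $gaps += 'Cloud-delivered protection (MAPS) off' }
    if ($p.PUAProtection -ne 1)                  { $gaps += 'PUA protection not in Block mode (1)' }
    if ($p.EnableNetworkProtection -ne 1)        { $gaps += 'Network protection not in Block mode (1)' }
    if ($p.EnableControlledFolderAccess -ne 1)   { $gaps += 'Controlled folder access not in Block mode (1)' }
    if ($p.DisableRealtimeMonitoring)            { $gaps += 'DisableRealtimeMonitoring is set' }
    $gaps
}

$exclusions = Get-RiskyDefenderExclusions
$gaps       = Get-DefenderPostureGaps
$exclusions | ForEach-Object { Write-Warning "EXCLUSION: $_" }
$gaps       | ForEach-Object { Write-Warning "POSTURE: $_" }
if (-not $exclusions -and -not $gaps) { 'No findings.' }
```

Note that exclusions are exactly what an attacker with a local shell will query first (`Get-MpPreference | Select Exclusion*`), so the fix for a risky exclusion is to narrow it to a specific file path, never to hide it.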
Tamper Protection prevents unauthori
Scheduled scans run independently of real-time protection and serve as a secondary detection layer for threats that may have persisted on disk without triggering real-time alerts. Quick scans (the recommended default) check the most likely locations for active threats in under 5 minutes on most systems. Full scans are resource-intensive and typically reserved for weekly or post-incident scanning. By default scheduled scans run only when the machine is idle (`ScanOnlyIfIdleEnabled`); keep that for low-interrupt operation on workstations, and disable it only on servers that are never idle and would otherwise never get scanned.
Potentially Unwanted Application (PUA) protection detects and blocks software that, while not strictly malicious, degrades security posture, harvests user data, installs unwanted browser extensions, or bundles additional software without clear consent. Common PUA categories include: adware, download managers with bundled installs, browser modifiers, cryptocurrency miners, and remote administration tools used without authori
Disables InPrivate browsing mode in Microsoft Edge. InPrivate mode bypasses browser history, cookies, and caching, which can be exploited to evade DLP controls, conduct unauthori
The Edge built-in password manager saves credentials in an encrypted local store tied to the Windows user profile and optionally syncs to a Microsoft account. In enterprise environments, this creates risk: credentials may sync outside the corporate boundary, and local credential stores can be extracted by attackers with user-level access. Enterprise environments should disable the built-in manager and enforce use of an approved PAM or password manager solution (CyberArk, 1Password Business, Keeper, etc.).
Microsoft Defender SmartScreen in Edge checks visited URLs and downloaded files against Microsoft's threat intelligence database of known malicious sites, phishing pages, and malware distribution points. The `PreventSmartScreen*` policies remove the user’s ability to bypass SmartScreen warnings, ensuring that even a socially engineered user cannot proceed to a blocked site. `SmartScreenPuaEnabled` extends protection to PUA downloads.
Edge AutoFill for credit cards stores card numbers, cardholder names, and expiration dates in the browser's local profile database (the `Web Data` SQLite file in the user profile), protected only by DPAPI under the user's own key. That data is therefore decryptable by any process running as the user, and infostealer malware routinely targets browser payment data stores. On enterprise devices, payment cards should not be stored in browser profiles; disable this feature (`AutofillCreditCardEnabled=0`) and ensure users understand corporate device payment policies.
`ForceBingSafeSearch` forces Bing's SafeSearch mode on every Bing query regardless of the user's own setting; `ForceGoogleSafeSearch` does the same for Google searches. When delivered via GPO/Intune these values cannot be overridden by users. Use `value=2` (Strict) for education or kiosk environments and `value=1` (Moderate) for general enterprise use. Note: this only affects Bing and Google; additional web filtering is required for full content control.
Forces Edge to upgrade HTTP connections to HTTPS automatically and blocks SSL/TLS certificate errors from being bypassed (`SSLErrorOverrideAllowed=0`). Without this, users can:
- Visit HTTP sites where credentials/data are transmitted in cleartext
- Click through SSL certificate errors on malicious MITM sites
- Load mixed content (HTTP resources on HTTPS pages)
Site Isolation runs each website in a separate renderer process, preventing malicious cross-site attacks from accessing another site's data even after a Spectre-style speculative execution attack. Without site isolation, a malicious script on `evil.com` could potentially read data from `bank.com` open in another tab using Spectre side-channel attacks. `IsolateOrigins` adds an extra layer for specific high-value origins (login pages, banking portals) that should always have their own dedicated process.
Edge's Copilot integration and AI sidebar send page content to Microsoft's cloud for processing. In enterprise environments, this means sensitive internal documents, intranet pages, and confidential data viewed in the browser may be transmitted to external AI services. Disabling `CopilotCDPPageContext` is particularly important — it prevents the current page's content from being automatically sent to Copilot, which could leak confidential business data. Organi
Sets the corporate intranet as the default homepage and new tab page, disables the Bing news feed and Bing AI chat on the new tab page. This ensures users start every browser session at a known corporate resource, and eliminates consumer-oriented content (news articles, weather, Bing promotions) from the enterprise browser experience. The news feed also generates outbound requests to CDNs that may trigger security monitoring false positives.
Controls what Edge will download. `DownloadRestrictions=2` blocks downloads SmartScreen flags as malicious and also those it classifies as potentially dangerous or unwanted (unknown-reputation sources, dangerous file types); `3` blocks all downloads and is suited only to kiosks. Leaving `AutoOpenFileTypes` empty (and not allowing users to add "always open" types) prevents Edge from automatically opening downloaded files without user confirmation, a common malware delivery mechanism where `.exe`, `.msi`, or `.hta` files execute as soon as the download completes.
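The Edge settings discussed in the entries above as the registry values their ADMX policies write, with a drift check, added here as an example and not code from the original page. It writes to the machine-wide policy key, which is what GPO/Intune populate, so it doubles as a way to confirm what a managed device actually received. The policy names are Edge's own; the chosen values are the ones the entries above recommend (Moderate SafeSearch is an assumption for a general enterprise fleet).

```powershell
# Added example: apply the Edge policies from this section as registry values and report drift.
# Assumes admin rights. Values are the ones recommended above; ForceBingSafeSearch=1 (Moderate) is an assumption.

$edge = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
New-Item -Path $edge -Force | Out-Null

$policy = [ordered]@{
    InPrivateModeAvailability                = 1   # 1 = InPrivate disabled
    PasswordManagerEnabled                   = 0   # use the approved enterprise password manager instead
    SmartScreenEnabled                       = 1
    PreventSmartScreenPromptOverride         = 1   # no click-through on blocked sites
    PreventSmartScreenPromptOverrideForFiles = 1   # no click-through on blocked downloads
    SmartScreenPuaEnabled                    = 1
    AutofillCreditCardEnabled                = 0
    ForceBingSafeSearch                      = 1   # 0 off, 1 moderate, 2 strict
    ForceGoogleSafeSearch                    = 1
    SSLErrorOverrideAllowed                  = 0   # certificate errors cannot be bypassed
    SitePerProcess                           = 1   # full site isolation
    DownloadRestrictions                     = 2   # block malicious and potentially dangerous downloads
}

foreach ($name in $policy.Keys) {
    Set-ItemProperty -Path $edge -Name $name -Value $policy[$name] -Type DWord
}

function Get-EdgePolicyDrift {
    # Returns one line per policy whose stored value differs from the expected one (empty = compliant).
    $current = Get-ItemProperty -Path $edge -ErrorAction SilentlyContinue
    foreach ($name in $policy.Keys) {
        $found = if ($null -ne $current) { $current.$name } else { $null }
        if ($null -eq $found) { "{0}: expected {1}, found missing" -f $name, $policy[$name] }
        elseif ($found -ne $policy[$name]) { "{0}: expected {1}, found {2}" -f $name, $policy[$name], $found }
    }
}

$drift = @(Get-EdgePolicyDrift)
if ($drift.Count -eq 0) { 'Edge policy compliant.' } else { $drift | ForEach-Object { Write-Warning $_ } }
```

`edge://policy` on the device shows the same values with their source and any errors (for example a misspelled policy name, which the registry write will not catch but the page will list as unknown).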
Prevents users from signing into Edge with personal Microsoft accounts, disables Guest mode, and blocks creation of additional browser profiles. Without these controls:
Enhanced Phishing Protection (part of Windows Defender, integrated with Edge) warns users when their corporate credentials are typed into phishing sites, insecure applications, or reused on personal sites. Unlike SmartScreen (which blocks known bad URLs), this feature monitors the actual act of credential entry — providing protection even against
Internet Explorer mode in Edge renders sites using the legacy Trident engine, which has a significantly larger attack surface than Edge's modern Chromium renderer. IE mode should be:
Connection Security Rules (IPsec) in Windows Firewall enforce authenticated and/or encrypted communication between machines. Domain Isolation uses IPsec to ensure only domain-authenticated machines can communicate with each other — rogue or guest machines cannot reach domain resources even if physically on the network.
The default Windows Firewall allows all outbound traffic. For high-security environments (Public profile or sensitive workstations), an explicit outbound allowlist limits which applications can reach the network — blocking malware C2, lateral movement, and data exfiltration by unknown processes.
Malware and C2 frameworks commonly abuse DNS by tunneling data over DNS queries (DNS tunneling) or using non-standard ports for DNS to bypass firewall controls. This policy restricts outbound DNS to trusted DNS servers only and blocks non-standard DNS transports.
Authenticated firewall bypass rules allow specific users or computers (identified by AD security group) to bypass standard firewall rules. This is used for monitoring agents, security scanners, and administrative tools that need unrestricted network access to endpoints — without opening ports for all traffic.
By default, local firewall rules created by users, applications, or local admins are **merged** with GPO-delivered rules. This means a user or malware with local admin rights can create a `netsh advfirewall` rule that opens any port — bypassing GPO restrictions.
A focused set of inbound block rules for ports commonly abused by malware, ransomware, and lateral movement frameworks. These are explicit deny rules that act as a secondary defense layer even if default policy drifts.
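The firewall controls from the entries above as NetSecurity cmdlets, added here as an example (not code from the original page): firewall on for all profiles, local rule merge disabled so a local admin's `netsh` rule cannot widen the policy, outbound DNS pinned to the corporate resolvers, and explicit inbound block rules. The resolver addresses and the port list are placeholders to replace. One detail matters for the DNS rules: in Windows Firewall an explicit block rule always beats an allow rule, so a plain "block port 53 to any" would also block the resolvers; the example therefore computes the IPv4 ranges that exclude the resolvers and scopes the block rule to those.

```powershell
# Added example: firewall baseline for the FW-* entries. Resolver IPs and port list are placeholders.
# Assumes admin rights. Block rules win over allow rules in WFP, hence the complement-range construction.

$dnsServers = @('10.0.0.10', '10.0.0.11')   # assumption: corporate resolvers

# Firewall on for every profile; drop local rule merge so GPO is the only source of rules.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block `
    -AllowLocalFirewallRules False -AllowLocalIPsecRules False -LogBlocked True

function Get-IPv4Complement {
    # Returns "a-b" ranges covering all of IPv4 except the given addresses.
    param([string[]]$Exclude)
    $toInt = { param($ip) $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes(); [array]::Reverse($b); [BitConverter]::ToUInt32($b, 0) }
    $toIp  = { param([uint32]$n) $b = [BitConverter]::GetBytes($n); [array]::Reverse($b); ([System.Net.IPAddress]::new($b)).ToString() }
    $nums = @($Exclude | ForEach-Object { & $toInt $_ } | Sort-Object -Unique)
    $ranges = @(); [uint64]$start = 0
    foreach ($n in $nums) {
        if ([uint64]$n -gt $start) { $ranges += "{0}-{1}" -f (& $toIp ([uint32]$start)), (& $toIp ([uint32]($n - 1))) }
        $start = [uint64]$n + 1
    }
    if ($start -le [uint32]::MaxValue) { $ranges += "{0}-{1}" -f (& $toIp ([uint32]$start)), (& $toIp ([uint32]::MaxValue)) }
    $ranges
}

# DNS: allow 53/tcp+udp only to the resolvers; block 53 and 853 (DoT) everywhere else.
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "Allow DNS $proto to corporate resolvers" -Direction Outbound -Action Allow `
        -Protocol $proto -RemotePort 53 -RemoteAddress $dnsServers -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName "Block DNS $proto to non-corporate servers" -Direction Outbound -Action Block `
        -Protocol $proto -RemotePort 53, 853 -RemoteAddress (Get-IPv4Complement -Exclude $dnsServers) -Profile Any | Out-Null
}

# Inbound blocks for services commonly abused for lateral movement on workstations (placeholder list).
$inboundBlocks = [ordered]@{ 'RPC endpoint mapper' = 135; 'NetBIOS' = '137-139'; 'SMB' = 445; 'RDP' = 3389; 'WinRM' = '5985-5986' }
foreach ($name in $inboundBlocks.Keys) {
    New-NetFirewallRule -DisplayName "Block inbound $name (workstation)" -Direction Inbound -Action Block `
        -Protocol TCP -LocalPort $inboundBlocks[$name] -Profile Any | Out-Null
}

# Verify the DNS rules and their address scopes.
Get-NetFirewallRule -DisplayName '*DNS*' | ForEach-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    "{0,-45} {1,-5} {2}" -f $_.DisplayName, $_.Action, $addr
}
```

`Get-IPv4Complement -Exclude '10.0.0.10','10.0.0.11'` yields `0.0.0.0-10.0.0.9` and `10.0.0.12-255.255.255.255`, which is what the block rule is scoped to. Anything that still needs 53 elsewhere (a DoH client, an appliance with a hard-coded resolver) shows up in the firewall log as a dropped packet once `LogBlocked` is on.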
Secure channel communications are the Netlogon RPC channel between domain members and domain controllers — used for authentication, policy retrieval, and machine account operations. Signing and encrypting this channel prevents:
When a user logs on locally, removable media (CD/DVD/USB) should only be accessible to that user — not accessible to network users simultaneously. This prevents a network-connected attacker from accessing removable media inserted by a local user. Blocking non-admin printer driver installation prevents a common privilege escalation vector (print spooler / driver abuse).
The Windows pagefile (pagefile.sys) contains swapped memory pages from all running processes — which can include plaintext passwords, encryption keys, decrypted documents, browser session tokens, and other sensitive data that was in RAM and swapped to disk. When the system shuts down normally, pagefile.sys remains on disk with all this data intact.
Windows has two audit policy systems:
1. **Legacy category-based** (9 categories, coarse-grained)
2. **Advanced subcategory-based** (more than 50 subcategories, fine-grained; the exact number varies by Windows version)
NetBIOS over TCP/IP (NBT) is a legacy name resolution protocol from the 1980s that is actively exploited by tools like Responder to poison name resolution and capture Net-NTLMv2 hashes. Disabling it removes the NBT broadcast attack surface entirely. A
LLMNR is a protocol that resolves single-label hostnames on the local link when DNS fails. Attackers use tools like **Responder** to answer LLMNR queries with a rogue IP, capturing NTLMv2 hashes for offline cracking or relay attacks. Disabling LLMNR is one of the highest-impact, lowest-effort hardening steps for any Windows environment.
Enables Windows Defender Firewall on all three network location profiles (Domain, Private, Public). Required by every major security baseline. Disabling the firewall via Group Policy (or registry) is a common attacker persistence technique and a frequent misconfiguration in enterprise environments.
VBA (Visual Basic for Applications) macros embedded in Word, Excel, and PowerPoint documents are among the most common malware delivery mechanisms in phishing campaigns. Attackers embed macro droppers that download and execute second-stage payloads (Emotet, QakBot, ransomware loaders) when the user clicks "Enable Content." The `VBAWarnings` values are: 1 = enable all macros, 2 = disable all with notification, 3 = disable all except digitally signed, 4 = disable all without notification. `VBAWarnings=2` disables macros by default but shows a notification bar, allowing users to enable macros for legitimate trusted documents; it is the minimum acceptable baseline, and because it still leaves the decision with the user, stricter environments should use 3 (signed only, see OFFICE-003 on Trusted Locations) or 4.
When a file is downloaded from the internet (email, browser, Teams), Windows marks it with the "Mark of the Web" (MOTW)
Trusted Locations are file system paths (local or UNC) where Office will run macros without security warnings. Configuring these via policy allows IT to define an allowlist of approved macro sources — typically controlled network shares or local paths managed by the IT team. Any macro-enabled document opened from outside these paths is subject to standard macro blocking (see OFFICE-001 and OFFICE-002). This is the most mature macro control architecture: combine with digital signing (OFFICE-001 `VBAWarnings=3`) for defense-in-depth.
Protected View (PV) is Office's built-in sandbox. Files opened in PV run in a restricted AppContainer process that cannot write to the file system, launch child processes, or access network resources. This contains
OLE (Object Linking and Embedding) allows Office documents to embed and execute external objects — executables, scripts, Flash objects, and other file types. Attackers abuse OLE to embed malicious executables disguised as icons or images inside documents. When a user double-clicks the embedded object, the payload executes outside of macro controls. The `PackagerActivation=0` registry key blocks all OLE package activations, preventing any embedded executable from running. This is separate from macro controls and addresses a distinct attack vector.
The Windows Print Spooler service (spoolsv.exe) was the target of **PrintNightmare** (CVE-2021-34527) and **PrinterBug** (SpoolSample), two critical vulnerabilities enabling remote code execution and NTLM coercion. Disabling the Spooler on machines that do not need printing (Domain Controllers, servers, admin workstations) is the definitive mitigation. Microsoft explicitly recommends disabling the Spooler on all Domain Controllers.
Point and Print allows users to install printer drivers from a print server without admin rights. PrintNightmare exploited this to load malicious DLLs as SYSTEM. The July 2021 updates (documented in KB5005010) changed the default behavior to require elevation for driver installation (`RestrictDriverInstallationToAdministrators=1`), but explicit GPO configuration is still required to restrict which servers are trusted and ensure elevation prompts appear. Setting `NoWarningNoElevationOnInstall=0` and `UpdatePromptSettings=0` is mandatory; setting either to 1 re-opens the PrintNightmare vector.
This policy blocks the Print Spooler from accepting inbound remote RPC connections, while still allowing the machine to use local printing. This is the recommended middle-ground mitigation for workstations that need local printing but should not accept print jobs from remote clients — it blocks the network-facing PrintNightmare exploitation vector while preserving local print functionality. Combined with PRINT-001 (disable Spooler) for servers/DCs, this covers both scenarios.
Prevents non-administrator users from installing printer drivers. Since printer drivers run in the Spooler process (SYSTEM context), malicious drivers can be used to execute arbitrary code as SYSTEM. This is a supporting control for PrintNightmare mitigation — even if an attacker reaches the Point and Print code path, they cannot install a driver without elevation.
New in Windows 11 22H2 (KB5022913) and surfaced in the 24H2 ADMX templates — runs printer drivers in an isolated process separate from spoolsv.exe (SYSTEM). If a printer driver is exploited, the compromise is contained to the isolated process rather than escalating to SYSTEM. This is a defense-in-depth control complementing PRINT-001 through PRINT-004.
Creates Windows Firewall rules to block inbound RPC connections to the Print Spooler from non-local addresses. This is a network-layer mitigation complementing the Spooler configuration policies. It prevents remote exploitation even if the Spooler is running and accepting connections, by ensuring only local processes can reach the Spooler RPC endpoint.
Disables the Windows Internet Printing Protocol (IPP over HTTP/HTTPS) which allows printing to internet-connected printers. Reduces attack surface by preventing outbound HTTP printing connections and eliminating a browser-accessible print management interface that has historically had vulnerabilities.
Enables the Microsoft-Windows-PrintService/Operational event log to capture printer driver installation, document printing, and spooler errors. Event ID 316 (driver added) is a critical detection signal for PrintNightmare exploitation attempts. This policy provides visibility without blocking functionality — essential for SIEM integration and threat hunting.
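The Print Spooler controls above, as an added example (not the baseline's own script) that audits the local machine and applies the settings only with `-Enforce`; the registry paths are the documented policy locations for these GPO settings, and the `-DisableSpooler` switch is an assumption for servers and Domain Controllers that never print.

```powershell
# Added example: audit/apply Print Spooler hardening. Run elevated.
# Without -Enforce the script only reports drift.
[CmdletBinding()]
param([switch]$Enforce, [switch]$DisableSpooler)

$PointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$Printers      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

# Desired state for the Point and Print / remote RPC policies.
$Desired = @(
    @{ Key = $PointAndPrint; Name = 'NoWarningNoElevationOnInstall';              Value = 0 }  # prompt + elevate on driver install
    @{ Key = $PointAndPrint; Name = 'UpdatePromptSettings';                       Value = 0 }  # prompt + elevate on driver update
    @{ Key = $PointAndPrint; Name = 'RestrictDriverInstallationToAdministrators'; Value = 1 }  # only admins install drivers
    @{ Key = $Printers;      Name = 'RegisterSpoolerRemoteRpcEndPoint';           Value = 2 }  # 2 = refuse remote RPC clients
)

foreach ($d in $Desired) {
    $current = (Get-ItemProperty -Path $d.Key -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
    $shown   = if ($null -eq $current) { 'unset' } else { $current }
    $ok      = ($current -eq $d.Value)
    $status  = if ($ok) { 'OK' } else { 'DRIFT' }
    '{0,-45} current={1,-6} desired={2} {3}' -f $d.Name, $shown, $d.Value, $status
    if (-not $ok -and $Enforce) {
        if (-not (Test-Path $d.Key)) { New-Item -Path $d.Key -Force | Out-Null }
        New-ItemProperty -Path $d.Key -Name $d.Name -PropertyType DWord -Value $d.Value -Force | Out-Null
    }
}

# Spooler service state (PRINT-001: disabled where printing is not needed).
$svc = Get-Service -Name Spooler
'Spooler: status={0} starttype={1}' -f $svc.Status, $svc.StartType
if ($DisableSpooler -and $Enforce) {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}

# Operational log so driver installs (Event ID 316) reach the SIEM.
$log = Get-WinEvent -ListLog 'Microsoft-Windows-PrintService/Operational'
'PrintService/Operational enabled={0}' -f $log.IsEnabled
if (-not $log.IsEnabled -and $Enforce) { $log.IsEnabled = $true; $log.SaveChanges() }

# Recent driver additions to review against the expected driver set.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```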
Forces all SMB client connections to use encryption (SMB 3.x AES-128-GCM or AES-256-GCM). Connections to servers that do not support SMB encryption will be refused. Introduced as a granular policy in Windows 11 24H2 ADMX templates.
Disables SMB compression to mitigate exploitation of compression-related vulnerabilities (CVE-2020-0796 "SMBGhost" class). SMB compression was introduced in SMB 3.1.1 (Windows 10 2004) and has been a source of critical pre-auth RCE vulnerabilities.
Requires all SMB client communications to be digitally signed. SMB signing authenticates each packet, preventing tampering and relay attacks. This is a foundational control against NTLM relay and Pass-the-Hash attacks. Required by the Microsoft Security Baseline since Windows 11 23H2.
Requires all inbound SMB connections to the Windows file server to be digitally signed. This is the server-side counterpart to SMB-003. Both client and server signing must be enabled for end-to-end signing. Default on Domain Controllers since Windows Server 2025; should be explicitly enforced on all member servers.
New in Windows 11 24H2 ADMX templates — allows administrators to enforce a minimum SMB dialect, effectively blocking connections that downgrade to SMB 2.0 or SMB 2.1. Combined with SMB-001 (encryption) and SMB-003 (signing), this closes dialect downgrade attack vectors.
`SeDebugPrivilege` allows a process to read/write memory of ANY other process, bypassing all object-level security. This is the privilege Mimikatz
`SeTcbPrivilege` is one of the most powerful privileges in Windows — it grants an account the ability to act as a trusted part of the OS itself. A process with this privilege can:
`SeCreateTokenPrivilege` allows a process to call `
Controls which accounts can interactively log on at the physical console or via RDP. Service accounts should **never** be allowed to log on interactively — if an attacker gains code execution as a service account, they shouldn't be able to spawn an interactive session to further explore the system. Deny interactive logon for all service accounts explicitly.
Restricts who can connect via Remote Desktop. The critical addition is `S-1-5-113` (Local account) — this blocks local user accounts from RDP access, preventing attackers from using compromised local credentials to RDP into machines across the network. Domain accounts in the Remote Desktop Users group retain access. On workstations that should never receive RDP connections, consider adding `S-1-5-32-544` (Administrators) to the deny list as well.
`SeBackupPrivilege` allows reading ANY file regardless of its ACL — including SAM, SYSTEM, SECURITY hives (which contain all local password hashes), and any protected file. `SeRestorePrivilege` allows writing to ANY location regardless of ACL — including System32, registry hives, and startup locations. These two privileges together are equivalent to SYSTEM-level file access without being SYSTEM. Attackers with these privileges can:
`SeTakeOwnershipPrivilege` allows any process to take ownership of any securable object — files, directories, registry keys, processes, threads, tokens — regardless of existing ACLs. Once ownership is taken, the account can change the DACL to grant itself full control, effectively bypassing all file system and registry security.
`SeLoadDriverPrivilege` allows loading arbitrary kernel-mode drivers into the Windows kernel. A malicious driver runs at Ring 0 (kernel level), giving complete control of the system — all security software, EDR, AV can be disabled or bypassed from kernel level. This is the access level used by rootkits and advanced persistent threats (APTs).
Prevents Guest accounts from being used as scheduled task or service identities. Guest accounts have minimal auditing and accountability — if a service or scheduled task runs as Guest, its actions appear as unauthenticated/anonymous in logs, making incident response and forensics much harder. More critically, a Guest account running a service could be leveraged to execute code with reduced visibility.
Anonymous access to Windows systems was historically enabled for backward compatibility. Without these restrictions, unauthenticated users on the network can:
`SeSecurityPrivilege` controls who can:
- Configure audit policies (SACL)
- Clear the Security event log (Event 1102)
- Read the Security event log
- View/modify the audit settings of any object
`SeImpersonatePrivilege` is abused by **Potato attacks** — a family of privilege escalation exploits (RottenPotato, JuicyPotato, PrintSpoofer, GodPotato, SweetPotato) that use this privilege to escalate from a low-privileged service account to SYSTEM.
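An added example (not part of the baseline) that dumps the effective user rights assignments with `secedit` and flags principals outside an expected allowlist for the privileges discussed above; the allowlist itself is an assumption for illustration, not a list the baseline specifies.

```powershell
# Added example: audit user rights assignments against an expected allowlist.
# $Expected is an assumption; replace it with the assignments your baseline mandates.
$Expected = @{
    'SeDebugPrivilege'         = @('BUILTIN\Administrators')
    'SeTcbPrivilege'           = @()
    'SeCreateTokenPrivilege'   = @()
    'SeLoadDriverPrivilege'    = @('BUILTIN\Administrators')
    'SeTakeOwnershipPrivilege' = @('BUILTIN\Administrators')
    'SeBackupPrivilege'        = @('BUILTIN\Administrators')
    'SeRestorePrivilege'       = @('BUILTIN\Administrators')
    'SeSecurityPrivilege'      = @('BUILTIN\Administrators')
    'SeImpersonatePrivilege'   = @('BUILTIN\Administrators', 'NT AUTHORITY\LOCAL SERVICE',
                                   'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SERVICE')
}

# secedit exports "[Privilege Rights]" lines such as: SeDebugPrivilege = *S-1-5-32-544
$cfg = Join-Path $env:TEMP 'rights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

function Resolve-Principal([string]$Entry) {
    $e = $Entry.Trim()
    if (-not $e.StartsWith('*')) { return $e }           # already a name
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $e   # unresolvable SID (deleted account, foreign domain): itself worth a look
    }
}

$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection) { continue }
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $right = $Matches[1]
        $raw   = $Matches[2]
        if (-not $Expected.ContainsKey($right)) { continue }   # rights we do not judge
        $principals = @($raw -split ',' | Where-Object { $_ } | ForEach-Object { Resolve-Principal $_ })
        $extra      = @($principals | Where-Object { $Expected[$right] -notcontains $_ })
        [pscustomobject]@{
            Right      = $right
            Assigned   = ($principals -join '; ')
            Unexpected = ($extra -join '; ')
            Status     = $(if ($extra.Count) { 'REVIEW' } else { 'OK' })
        }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

A privilege that is absent from the export has no holders, so an empty `$Expected` entry (SeTcb, SeCreateToken) passes only when nobody is assigned.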
Enables all components of Windows Defender real-time protection. Each component addresses a specific attack vector:
IOAV (Interfaces of Anti-Virus) protection scans all files immediately upon download before they are written to disk. Disabling archive scanning is a common attacker trick — malware delivered in
On Windows Server, certain roles and processes should have targeted exclusions to prevent Defender from scanning files it cannot usefully inspect (like live database files or Hyper-V VHDs) or causing deadlocks with critical processes. These are **narrow, justified exclusions** — not broad folder exclusions.
WDAC enforces code integrity at the kernel level — preventing any code not explicitly trusted by the policy from running. The audit mode deployment allows you to identify what would be blocked before enforcement, building a block list of violations that you can evaluate and either add to the allow list or confirm as legitimate blocks.
After running in Audit mode, WDAC generates Event 3076 for every file that would have been blocked. This workflow converts those audit events into actual allow rules, merges them with the base policy, and prepares an enforcement-ready policy. This is the core "audit → learn → enforce" cycle that makes WDAC deployable in production without mass application breakage.
Managed Installer is a WDAC feature that automatically trusts applications deployed by a designated software management tool (SCCM, Intune). Without Managed Installer, every application deployed by IT must have an explicit WDAC allow rule. With Managed Installer, anything deployed via SCCM or Intune is automatically tagged and trusted — dramatically reducing policy maintenance overhead in enterprise environments.
Supplemental policies extend a base WDAC policy without modifying it. This architecture allows a centrally managed base policy (maintained by security team) to be extended by app owners or local admins with scoped supplemental policies. Supplemental policies can be deployed, updated, and removed independently — making WDAC practical in large enterprises where thousands of applications need coverage.
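The audit, learn, enforce cycle described above, as an added example (not the baseline's own workflow) using the ConfigCI cmdlets; the file paths, the 14-day audit window, and the assumption that the base policy is already deployed in audit mode are all this example's own.

```powershell
# Added example: convert WDAC audit findings into an enforcement-ready policy.
$Base    = 'C:\WDAC\BasePolicy.xml'        # assumed: base policy currently deployed with Enabled:Audit Mode
$Learned = 'C:\WDAC\AuditLearned.xml'
$Merged  = 'C:\WDAC\EnforcedPolicy.xml'
$Since   = (Get-Date).AddDays(-14)          # assumed audit window

# 1. Review what audit mode would have blocked (Event 3076, CodeIntegrity/Operational).
#    The file path is parsed from the message text: "... attempted to load <path> that did not meet ...".
$audit = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076; StartTime = $Since
} -ErrorAction SilentlyContinue
$audit |
    ForEach-Object { if ($_.Message -match 'attempted to load (.+?) that did not meet') { $Matches[1] } } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Count, Name -First 25   # eyeball this: anything you would NOT allow stays a legitimate block

# 2. Turn the audit events into allow rules. Publisher rules where binaries are signed,
#    hash rules as fallback for unsigned ones; -UserPEs covers user-mode binaries.
New-CIPolicy -FilePath $Learned -Audit -Level Publisher -Fallback Hash -UserPEs -MultiplePolicyFormat 3> $null

# 3. Merge the learned rules into the base policy, then flip audit -> enforce.
#    Rule option 3 is "Enabled:Audit Mode"; deleting it makes the policy enforced.
Merge-CIPolicy -PolicyPaths $Base, $Learned -OutputFilePath $Merged | Out-Null
Set-RuleOption -FilePath $Merged -Option 3 -Delete

# 4. Compile to the binary form. For multiple-policy format the binary is named by its PolicyID.
$policyId = ([xml](Get-Content $Merged)).SiPolicy.PolicyID
ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath "C:\WDAC\$policyId.cip"
"Enforced policy compiled: C:\WDAC\$policyId.cip (review $Learned before deploying)"
```

Deploy the `.cip` by whatever channel the base policy used (GPO, Intune, or the CiPolicies\Active folder) and keep a copy of the audit-mode XML so you can roll back by re-adding option 3.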
WPAD (Web Proxy Auto-Discovery) allows Windows to automatically locate a proxy configuration (PAC) file via DHCP option 252 or DNS lookup for `wpad.<domain>`. Attackers on the local network can respond to LLMNR/NBT-NS/DHCP queries with a malicious PAC file, routing all HTTP and HTTPS traffic (including authenticated requests and credentials) through an attacker-controlled proxy. This is a well-documented MitM technique used in internal network penetration tests and real-world attacks. Disabling the `WinHttpAutoProxySvc` service and setting `WpadOverride=1` fully eliminates this vector.
Controls the volume of diagnostic and telemetry data sent from the device to Microsoft. When set to `0` (Security level), only minimal security-related data is transmitted — this is the lowest possible setting and is only honored on Windows Enterprise, Education, and Server editions. On Home and Pro editions, the minimum effective value is `1` (Basic). This policy should be combined with `DisableEnterpriseAuthProxy` and `DoNotShowFeedbackNotifications` for a comprehensive telemetry lockdown.
Cortana sends search queries, typing patterns, and voice data to Microsoft cloud services. It has also been exploited to execute code from the lock screen (CVE-2018-8140, CVE-2019-1253) in pre-2020 versions. Disabling reduces data exfiltration risk and removes the Cortana attack surface from lock screen exposure. On Windows 11, Cortana is already largely deprecated but the policy still applies to residual components.
Prevents OneDrive from syncing files to Microsoft cloud storage. In environments handling sensitive data (HIPAA, PCI-DSS, legal privilege), uncontrolled cloud sync can constitute a compliance violation or data breach. This policy disables both the OneDrive client integration and prevents users from re-enabling it. Note: this disables personal OneDrive; SharePoint/OneDrive for Business sync is controlled separately via `DisableLibrariesDefaultSaveToSkyDrive`.
AutoRun and AutoPlay automatically execute programs when removable media (USB, CD, DVD) is inserted. This is one of the oldest and most consistently exploited attack vectors — malware like Conficker spread globally by abusing AutoRun. **Disabling AutoRun on all drives is a mandatory baseline security requirement.**
SMB version 1 is a legacy protocol (1983) with no encryption, no integrity validation, and multiple critical CVEs. It was exploited by EternalBlue (CVE-2017-0144) to spread WannaCry ransomware globally. Microsoft deprecated it in 2013 and recommends disabling it on all modern Windows systems.
Link-Local Multicast Name Resolution (LLMNR) is abused by attackers using **Responder** to capture NTLMv2 hashes when a host sends an unanswered LLMNR query. Disabling it forces clients to use DNS exclusively.
NetBIOS Name Service (NBT-NS) is a legacy broadcast name resolution protocol. When a DNS lookup fails, Windows falls back to NBT-NS, broadcasting a query on the local subnet. Attackers use tools like Responder to poison these broadcasts and capture NTLMv2 hashes for offline cracking or relay attacks. Disabling NBT-NS forces proper DNS resolution and eliminates this attack vector.
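An added example (not the baseline's own script) that checks and optionally enforces the three legacy-protocol controls above (SMBv1, LLMNR, NBT-NS) on the local machine; the feature name `SMB1Protocol` applies to Windows client editions, and the registry paths are the documented policy and NetBT locations.

```powershell
# Added example: audit/apply SMBv1, LLMNR and NBT-NS controls. Run elevated.
# Default is report-only; -Enforce applies the hardened values.
[CmdletBinding()]
param([switch]$Enforce)

# --- SMBv1: server configuration and the optional feature (client editions) ---
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
$feat = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue).State
'SMB1: server EnableSMB1Protocol={0} feature={1}' -f $smb1, $feat
if ($Enforce) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
}

# --- LLMNR: policy value EnableMulticast=0 turns multicast name resolution off ---
$dnsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr  = (Get-ItemProperty -Path $dnsKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
$shown  = if ($null -eq $llmnr) { 'unset (LLMNR active)' } else { $llmnr }
'LLMNR: EnableMulticast={0} (0 = disabled)' -f $shown
if ($Enforce -and $llmnr -ne 0) {
    if (-not (Test-Path $dnsKey)) { New-Item -Path $dnsKey -Force | Out-Null }
    New-ItemProperty -Path $dnsKey -Name EnableMulticast -PropertyType DWord -Value 0 -Force | Out-Null
}

# --- NBT-NS: NetbiosOptions=2 on every TCP/IP interface (0 = from DHCP, 1 = on, 2 = off) ---
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($if in Get-ChildItem -Path $ifRoot) {
    $opt = (Get-ItemProperty -Path $if.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    'NBT-NS {0}: NetbiosOptions={1} (2 = disabled)' -f $if.PSChildName, $opt
    if ($Enforce -and $opt -ne 2) {
        Set-ItemProperty -Path $if.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    }
}
```

New interfaces (VPN adapters, docking stations) get their own `Tcpip_{GUID}` subkey with the default value, so the NBT-NS check is worth re-running on a schedule rather than once.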
Windows Firewall with Advanced Security provides host-based packet filtering across three network profiles: Domain (corporate network), Private (home/trusted), and Public (untrusted). Ensuring all three profiles are enabled is a foundational security baseline that prevents unauthorized
Windows Defender Credential Guard uses Virtualization
WDigest is a legacy authentication protocol designed for HTTP digest authentication. When enabled, Windows caches the user's plaintext password in LSASS memory so WDigest can respond to HTTP challenges. Attackers using Mimikatz
PowerShell Script Block Logging records the full content of every script block executed by PowerShell, including obfuscated and decoded content. Logs are written to the Windows Event Log under **Microsoft-Windows-PowerShell/Operational** (Event ID 4104). This provides critical forensic visibility into fileless malware, living-off-the-land attacks, and all PowerShell-based offensive tooling. PowerShell 5.0+ automatically deobfuscates content before logging, defeating most basic obfuscation techniques.
Audit Process Creation logs Event ID 4688 whenever a new process starts on the system, including the process name, executable path, parent process, and (with command line auditing enabled) the full command line arguments. This is one of the most valuable event sources for detecting malware execution, lateral movement tools, credential dumping utilities, and persistence mechanisms. Pair with command line inclusion for maximum forensic value.
The built-in Guest account provides unauthenticated access to the system with minimal privileges. While limited, it represents an unnecessary attack surface — especially in environments where physical access is possible or SMB null sessions are enabled.
Account lockout policies limit brute-force attacks against local and domain accounts by temporarily locking accounts after a defined number of failed authentication attempts.
LSA Protection runs the LSASS process as a Protected Process Light (PPL), preventing non-PPL processes (including administrator-level processes) from reading LSASS memory. This directly blocks Mimikatz
Network Level Authentication (NLA) requires users to authenticate **before** a full RDP session is established. Without NLA, the Windows login screen is exposed to unauthenticated network attackers, enabling brute-force and BlueKeep-style pre-auth vulnerabilities.
AutoPlay automatically executes content when removable media (USB drives, optical discs, memory cards) is connected. This feature was exploited by Stuxnet (2010) and is routinely used in USB drop attacks where an attacker leaves malware-loaded drives in public areas. Even without AutoRun exploitation, AutoPlay presents a UI that social-engineers users into executing malicious content. Setting `NoDriveTypeAutoRun = 255` disables all AutoPlay across all drive types.
Prevents unauthenticated null-session connections from enumerating user accounts, groups, and shares via SMB — removing the attacker's ability to map out usernames before credential attacks. When `RestrictAnonymous = 0`, any unauthenticated client can connect via IPC$ and query the SAM database for a full list of local accounts. This feeds directly into password spraying, Kerberoasting targeting, and social engineering attacks.
User Account Control (UAC) Admin Approval Mode ensures that even administrators run with standard user privileges by default. Elevation to full admin rights requires explicit consent via a secure desktop prompt, preventing silent privilege escalation by malware.
The Windows Print Spooler service (Spooler) is responsible for managing print jobs. It has a long history of critical vulnerabilities including PrintNightmare (CVE-2021-34527) and SpoolFool (CVE-2022-21999). On non-print servers and workstations that don't print, it should be disabled entirely.
The Remote Registry service allows remote users to modify registry settings on this computer. It is a common target for lateral movement and reconnaissance — attackers use it to read credentials, enumerate installed software, and modify autorun keys remotely.
Insufficient event log size
Configures Windows Update to automatically download updates but schedule installation for off-hours (3:00 AM daily). This balances security (patches applied promptly) with operational stability (no surprise reboots during business hours). Combined with the no-reboot-with-logged-on-users setting, updates install overnight without disrupting active sessions.
Directs Windows Update clients to an internal WSUS server instead of Microsoft's public update servers. WSUS provides centralized
Pins endpoints to a specific Windows feature update version, preventing automatic upgrades to the next major version. Feature updates (e.g., 22H2 → 23H2) can break applications, change security configurations, and require significant testing before enterprise deployment. Deferring for 30 days allows Microsoft to identify and patch post-release issues before your fleet receives it. Use TargetReleaseVersionInfo to pin to a specific version until your IT team completes compatibility testing.
Defers quality updates (monthly Patch Tuesday cumulative updates, security patches) by 7 days. This provides a brief window to observe industry reports of update issues (broken printers, BSOD reports on forums) before patches automatically install. 7 days is the sweet spot: enough time to catch bad patches, short enough to maintain security posture. Pairing with update rings (pilot → standard → critical) further reduces risk.
Defines the active hours window (8 AM - 6 PM) during which Windows will not automatically restart for update installation. Outside this window (6 PM - 8 AM), Windows can freely restart to complete pending updates. This prevents the frustrating experience of a machine rebooting during a presentation or critical work session. The maximum active hours range is 18 hours, so at minimum 6 hours per day are available for update reboots.
Prevents Windows Update from automatically installing driver updates alongside security patches. While convenient, auto-installed drivers can break specialized
Delivery Optimization
Suppresses Windows Update notification popups and blocks non-admin users from accessing Windows Update settings. Notification suppression prevents users from being distracted by update prompts or, worse, clicking "Update now" during a critical work session. Blocking WU UI access prevents users from disabling updates, checking for updates outside the managed schedule, or installing unauthorized
Deadline policy ensures that updates are installed within a maximum of 9 days (7-day deadline + 2-day grace period). Without deadlines, machines with WU-001's "no reboot with logged-on users" setting may never reboot if a user is always logged in. Deadlines provide the safety net: after the deadline, the machine will restart regardless, ensuring 100% patch compliance across the fleet even for users who avoid rebooting.
By default, Windows Update only covers Windows OS components. Enabling Microsoft Update extends coverage to all Microsoft products including Office, .NET Framework, Visual C++ Redistributables, SQL Server tools, and other Microsoft software. These components have their own CVEs and security patches — Office vulnerabilities are frequently exploited via malicious documents. Without Microsoft Update enabled, Office patches must be deployed through SCCM or manually, creating patch lag.
Prevents Windows Update from automatically downloading updates when the network connection is marked as metered (e.g., cellular data, mobile hotspot, satellite). This is critical for laptops that roam between networks — without this policy, a laptop connecting via a mobile hotspot could download several gigabytes of Windows updates, causing unexpected data charges. Updates will download once the device returns to an unmetered connection.
Comprehensive PowerShell script to audit Windows Update compliance state across a single machine or fleet. Reports missing updates, last install dates, WSUS configuration, reboot pending status, and patch age. Use as a standalone script or integrate into your RMM/SCCM monitoring.
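A compact compliance check of the kind this entry describes, written here as an added example rather than the script the entry refers to; it uses the Windows Update Agent COM API and the documented WU policy registry locations, and the 30-day patch-age threshold is an assumption.

```powershell
# Added example: Windows Update compliance snapshot for the local machine.
$MaxPatchAgeDays = 30   # assumed threshold

# Last installed update and its age in days.
$lastFix  = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchAge = if ($lastFix) { (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days } else { $null }

# Missing updates, as seen from the configured source (WSUS if UseWUServer=1, else Microsoft).
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
$missing  = @($result.Updates | ForEach-Object {
    [pscustomobject]@{ Title = $_.Title; Severity = $_.MsrcSeverity; KB = ($_.KBArticleIDs -join ',') }
})

# WSUS and automatic-update policy values.
$wuPol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
$auPol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue

# Pending reboot indicators: servicing stack, WU agent, pending file renames.
$cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
$wua = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
$pfr = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
$rebootPending = (Test-Path $cbs) -or (Test-Path $wua) -or ($null -ne $pfr)

$report = [pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    LastPatch       = $(if ($lastFix) { '{0} on {1:d}' -f $lastFix.HotFixID, $lastFix.InstalledOn } else { 'none' })
    PatchAgeDays    = $patchAge
    MissingCount    = $missing.Count
    MissingCritical = @($missing | Where-Object Severity -eq 'Critical').Count
    WSUSServer      = $(if ($wuPol.WUServer) { $wuPol.WUServer } else { 'Microsoft (no WSUS)' })
    UseWUServer     = $auPol.UseWUServer
    AUOptions       = $auPol.AUOptions      # 4 = auto download and schedule the install
    RebootPending   = $rebootPending
    Compliant       = (-not $rebootPending) -and ($missing.Count -eq 0) -and
                      ($null -ne $patchAge) -and ($patchAge -le $MaxPatchAgeDays)
}
$report
$missing | Format-Table -AutoSize
```

Wrap the body in `Invoke-Command -ComputerName` to fan it out across a fleet, or emit `$report` as CSV for the RMM to ingest.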