Winfortress, fortifying a Windows 10 workstation

Continuing with my infosec learning, I recently finished the book "Máxima Seguridad en Windows: Secretos Técnicos" by Sergio de los Santos (@ssantosv), which in English would be something like "Maximum Security in Windows: Technical Secrets". The synopsis on the back of the book says "The first book about security for Windows that does not explicitly recommend an antivirus." Instead, it delves into how security solutions work and when to apply them.

In order to practise and apply what I learnt from the book, I started a new project called Winfortress.

What is Winfortress?

It is a collection of PowerShell scripts aiming to enhance the security of a Windows 10 workstation. It is important to note that this project is focused on security and not on privacy. Although there are some privacy settings, they are marked as optional.

Also, Windows 10 is the only environment where the scripts have been tested.

All the scripts can be found at: https://github.com/camaya/winfortress

The main scripts can be categorised in:

For each category, there are 3 types of scripts:

  1. A script to test the current workstation settings. These are the Test-[Category].ps1 scripts.
  2. A script to apply the recommended settings to the workstation. These are the Protect-[Category].ps1 scripts.
  3. A script to restore the settings to their original value. These are the [Backup|Unprotect]-[Category].ps1 scripts.

There are also scripts that contain common code; they follow the Winfortress.[something].ps1 naming convention.
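
The test, protect and restore cycle described above looks like this for a single registry value. This is an added example, not code from the Winfortress repository; the key `HKCU:\Software\WinfortressDemo`, the value name, the backup file name and the function names are constructed placeholders, and only DWORD values are handled.

```powershell
# Added illustration, not Winfortress code. The key and value are constructed
# placeholders under HKCU; only DWORD values are handled.
$Settings = @(
    @{ Path = 'HKCU:\Software\WinfortressDemo'; Name = 'ExampleHardening'; Recommended = 1 }
)
$BackupFile = Join-Path $env:TEMP 'winfortress-demo-backup.json'

function Get-CurrentValue($Setting) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Setting.Path -Name $Setting.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.($Setting.Name)
}

function Test-Demo {          # report current vs. recommended, change nothing
    foreach ($s in $Settings) {
        $current = Get-CurrentValue $s
        [pscustomobject]@{ Name = $s.Name; Current = $current
                           Recommended = $s.Recommended
                           Compliant = ($current -eq $s.Recommended) }
    }
}

function Backup-Demo {        # record whether each value existed, not just its data
    $Settings | ForEach-Object {
        $current = Get-CurrentValue $_
        @{ Path = $_.Path; Name = $_.Name; Existed = ($null -ne $current); Value = $current }
    } | ConvertTo-Json | Set-Content -Path $BackupFile
}

function Protect-Demo {
    # Keep the first snapshot: a second run must not save hardened values as "original".
    if (-not (Test-Path $BackupFile)) { Backup-Demo }
    foreach ($s in $Settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Recommended -Type DWord
    }
}

function Unprotect-Demo {     # restore saved data, or delete values that did not exist
    foreach ($b in (Get-Content -Path $BackupFile -Raw | ConvertFrom-Json)) {
        if ($b.Existed) {
            Set-ItemProperty -Path $b.Path -Name $b.Name -Value $b.Value -Type DWord
        } else {
            Remove-ItemProperty -Path $b.Path -Name $b.Name -ErrorAction SilentlyContinue
        }
    }
    Remove-Item -Path $BackupFile
}
```

Running `Test-Demo`, `Protect-Demo`, `Test-Demo`, `Unprotect-Demo` in that order shows the value going from absent to compliant and back to absent.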

What is changed when the Winfortress Protect scripts are executed?

The list of security-related settings that are changed, with their possible values and the recommended value that is applied, is at: https://github.com/camaya/winfortress/blob/master/scripts/Winfortress.Registry.ps1

The list of administrative tools whose permissions are modified is at: https://github.com/camaya/winfortress/blob/master/scripts/Winfortress.AdministrativeTools.ps1

Recommendation

Although I tried to make the changes as general as possible, I'm sure there are settings that you may prefer to configure in a different way. My recommendation is that you fork the project and adapt it to your needs.

Summary

I wrote the Winfortress scripts to make it easy to secure my workstation and I hope they can help you too.

If you have any comments, suggestions or questions, you can reach me on Twitter @_camaya or send me an email at <cam at camaya.co>.

Cheers.


Big thanks to John Fisher for proofreading this post.