Security für Windows 10 – Registry Hacks

Security Registry Hacks

Mit diesen Registry Hacks lassen sich folgende Sicherheitseinstellungen vornehmen:

Enable DEP and isolation in Internet Explorer

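rem Internet Explorer machine policy: DEPOff=0 leaves DEP on, Isolation64Bit=1 turns on 64-bit isolation.
rem ASCII double quotes are required: cmd.exe does not treat typographic quotes as quoting,
rem so the key path (which contains a space) would otherwise be split and rejected.
rem HKLM writes need an elevated prompt; /f overwrites an existing value without asking.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main" /v "DEPOff" /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main" /v "Isolation64Bit" /t REG_DWORD /d 1 /f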

Disable SSLv3 fallback, and the ability to ignore certificate errors, in Internet Explorer

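rem Internet Settings machine policy: no SSLv3 fallback, and no click-through on certificate errors.
rem ASCII quotes replace the typographic ones, which cmd.exe would pass to reg.exe as literal characters.
rem Requires an elevated prompt (HKLM); /f overwrites silently.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 0 /f
rem EnableSSL3Fallback=0: do not retry a failed TLS handshake with SSLv3.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableSSL3Fallback" /t REG_DWORD /d 0 /f
rem PreventIgnoreCertErrors=1: users cannot continue past a certificate warning.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "PreventIgnoreCertErrors" /t REG_DWORD /d 1 /f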

Disable Flash Player in Edge

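rem Turn Flash off in Edge, per user (HKCU) and machine-wide (HKLM).
rem NOTE(review): the MicrosoftEdge policy key is the one used by legacy (EdgeHTML) Edge;
rem Chromium-based Edge reads a different policy key - confirm which browser is deployed.
rem The HKCU line only affects the account that runs it; the HKLM line needs elevation.
rem ASCII quotes replace the typographic ones so cmd.exe parses the arguments.
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\MicrosoftEdge\Addons" /v "FlashPlayerEnabled" /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons" /v "FlashPlayerEnabled" /t REG_DWORD /d 0 /f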

Enable Edge Phishing Filter

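rem Enable the Edge phishing filter (EnabledV9=1), per user and machine-wide.
rem NOTE(review): MicrosoftEdge is the legacy (EdgeHTML) Edge policy key - confirm it matches the deployed browser.
rem The HKCU line only affects the account that runs it; the HKLM line needs elevation.
rem ASCII quotes replace the typographic ones so cmd.exe parses the arguments.
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d 1 /f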

Disable and configure Windows Remote Desktop and Remote Desktop Services

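rem Remote Desktop / remote administration lockdown.
rem ASCII quotes replace the typographic ones: the "Windows NT\Terminal Services" paths contain
rem spaces and are split into separate arguments unless cmd.exe sees real double quotes.
rem HKCU lines affect only the account that runs them; HKLM lines need an elevated prompt.
rem Caution: fDenyTSConnections=1 refuses inbound RDP - make sure another management path
rem exists before applying this on a machine that is administered over RDP.

rem Per-user: do not run .rdp files (signed or unsigned) and do not save RDP passwords.
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "AllowSignedFiles" /t REG_DWORD /d 0 /f
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "AllowUnsignedFiles" /t REG_DWORD /d 0 /f
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "DisablePasswordSaving" /t REG_DWORD /d 1 /f

rem Machine-wide: NoRDS=1 under Conferencing, and no WinRM remote shell access.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Conferencing" /v "NoRDS" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS" /v "AllowRemoteShellAccess" /t REG_DWORD /d 0 /f

rem Machine-wide Terminal Services policy: same .rdp and password rules as above, plus
rem Remote Assistance off (fAllowToGetHelp, fAllowUnsolicited) and inbound RDP denied.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v "AllowSignedFiles" /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v "AllowUnsignedFiles" /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v "CreateEncryptedOnlyTickets" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v "DisablePasswordSaving" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v "fAllowToGetHelp" /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v "fAllowUnsolicited" /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v "fDenyTSConnections" /t REG_DWORD /d 1 /f

rem NOTE(review): the three fEnableUsb* values look like RDP client USB-redirection parameters
rem (80 is not a boolean) rather than "disable" switches - confirm they are intended here.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client" /v "fEnableUsbBlockDeviceBySetupClass" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client" /v "fEnableUsbNoAckIsochWriteToDevice" /t REG_DWORD /d 80 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client" /v "fEnableUsbSelectDeviceByInterface" /t REG_DWORD /d 1 /f

rem Firewall exceptions off for remote admin, Remote Desktop and UPnP.
rem Only StandardProfile is written here; no other firewall profile is touched by these lines.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings" /v "Enabled" /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop" /v "Enabled" /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\UPnPFramework" /v "Enabled" /t REG_DWORD /d 0 /f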

Block Macros and other Content Execution for Office 2016

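rem Office 16.0 macro lockdown, written under HKCU: it applies only to the account that runs
rem these commands, so every user profile needs it (or deploy the same values by Group Policy).
rem ASCII quotes replace the typographic ones; the "ms project" path contains a space and
rem would otherwise be split into two arguments.
rem vbawarnings=4 is the "disable all macros without notification" setting.
rem blockcontentexecutionfrominternet=1 blocks macros in files that came from the Internet.
rem *bypassencryptedmacroscan=0 keeps antivirus scanning of encrypted macros on.
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\access\security" /v "vbawarnings" /t REG_DWORD /d 4 /f
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\excel\security" /v "vbawarnings" /t REG_DWORD /d 4 /f
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\excel\security" /v "blockcontentexecutionfrominternet" /t REG_DWORD /d 1 /f
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\excel\security" /v "excelbypassencryptedmacroscan" /t REG_DWORD /d 0 /f
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\ms project\security" /v "vbawarnings" /t REG_DWORD /d 4 /f
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\ms project\security" /v "level" /t REG_DWORD /d 4 /f
rem Outlook (like Project above) takes its macro security setting from "level".
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\outlook\security" /v "level" /t REG_DWORD /d 4 /f
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\powerpoint\security" /v "vbawarnings" /t REG_DWORD /d 4 /f
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\powerpoint\security" /v "blockcontentexecutionfrominternet" /t REG_DWORD /d 1 /f
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\publisher\security" /v "vbawarnings" /t REG_DWORD /d 4 /f
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\visio\security" /v "vbawarnings" /t REG_DWORD /d 4 /f
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\visio\security" /v "blockcontentexecutionfrominternet" /t REG_DWORD /d 1 /f
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\word\security" /v "vbawarnings" /t REG_DWORD /d 4 /f
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\word\security" /v "blockcontentexecutionfrominternet" /t REG_DWORD /d 1 /f
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\word\security" /v "wordbypassencryptedmacroscan" /t REG_DWORD /d 0 /f
rem automationsecurity=3: macros stay disabled in documents opened programmatically.
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\office\common\security" /v "automationsecurity" /t REG_DWORD /d 3 /f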

Enable Automatic Updates for Office

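rem Office 16.0: turn automatic updates on and hide the option that lets users switch them off.
rem ASCII quotes replace the typographic ones so cmd.exe parses the arguments.
rem Requires an elevated prompt (HKLM); /f overwrites silently.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate" /v "enableautomaticupdates" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate" /v "hideenabledisableupdates" /t REG_DWORD /d 1 /f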

Enable Enhanced Face Spoofing Protection

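rem Facial-recognition sign-in: require enhanced anti-spoofing (EnhancedAntiSpoofing=1).
rem NOTE(review): presumably only effective on camera hardware that supports it - verify on target devices.
rem ASCII quotes replace the typographic ones; requires an elevated prompt (HKLM).
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" /v "EnhancedAntiSpoofing" /t REG_DWORD /d 1 /f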

Disable Pushing of Apps for Installation from the Windows Store

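rem Block remote "push to install" of Store apps onto this device (DisablePushToInstall=1).
rem ASCII quotes replace the typographic ones; requires an elevated prompt (HKLM).
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall" /v "DisablePushToInstall" /t REG_DWORD /d 1 /f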

Disable Projecting (Connect) to the Device, and require a PIN for pairing

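rem Refuse wireless projection to this PC and require a PIN when pairing.
rem ASCII quotes replace the typographic ones so cmd.exe parses the arguments.
rem NOTE(review): AllowProjectionToPC / RequirePinForPairing appear to belong to the "Connect"
rem (wireless display) policy group rather than CloudContent - check the key against the
rem policy's ADMX definition and confirm the setting takes effect after applying.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "AllowProjectionToPC" /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "RequirePinForPairing" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WirelessDisplay" /v "EnforcePinBasedPairing" /t REG_DWORD /d 1 /f
rem Per-user value: affects only the account that runs this line.
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\PresentationSettings" /v "NoPresentationSettings" /t REG_DWORD /d 1 /f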

Force enable Data Execution Prevention (DEP)

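rem Keep Data Execution Prevention on: both values are "disable" switches, set to 0.
rem ASCII quotes replace the typographic ones; requires an elevated prompt (HKLM).
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /t REG_DWORD /d 0 /f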

Disable Autorun

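rem Disable Autorun. NoDriveTypeAutoRun is a bit mask; 255 (0xFF) covers every drive type.
rem ASCII quotes replace the typographic ones; requires an elevated prompt (HKLM).
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d 255 /f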

Disable Active Desktop

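rem Disable Active Desktop and block adding or changing its components.
rem ASCII quotes replace the typographic ones; requires an elevated prompt (HKLM).
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ForceActiveDesktopOn" /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoActiveDesktop" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoActiveDesktopChanges" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v "NoAddingComponents" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v "NoComponents" /t REG_DWORD /d 1 /f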

Disable Desktop Gadgets

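rem Turn off the desktop gadget sidebar and, separately, unsigned gadgets.
rem ASCII quotes replace the typographic ones; requires an elevated prompt (HKLM).
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar" /v "TurnOffSidebar" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar" /v "TurnOffUnsignedGadgets" /t REG_DWORD /d 1 /f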

Force Process digital Certificates when running Executables

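rem Software Restriction Policies: evaluate certificate rules when executables run (authenticodeenabled=1).
rem NOTE(review): this presumably has an effect only where certificate rules are actually defined,
rem and may slow program start-up - verify on a test machine.
rem ASCII quotes replace the typographic ones; requires an elevated prompt (HKLM).
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers" /v "authenticodeenabled" /t REG_DWORD /d 1 /f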

Enable Network Authentication

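rem Require Network Level Authentication for RDP (UserAuthentication=1): the user must
rem authenticate before a full remote session is created.
rem Written twice: once as policy, once on the RDP-Tcp listener itself.
rem ASCII quotes replace the typographic ones; both paths contain spaces ("Windows NT",
rem "Terminal Services", "Terminal Server") and fail without real quoting. Requires elevation.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v "UserAuthentication" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 1 /f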

Disable Picture Passwords

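rem Block picture-password sign-in (BlockDomainPicturePassword=1).
rem NOTE(review): going by the value name this covers domain accounts only - confirm whether
rem local accounts need a separate control.
rem ASCII quotes replace the typographic ones; requires an elevated prompt (HKLM).
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v "BlockDomainPicturePassword" /t REG_DWORD /d 1 /f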

Enable SmartScreen

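rem Enable SmartScreen for the shell. ShellSmartScreenLevel is a string: "Warn" lets the user
rem proceed after a warning; "Block" is the stricter alternative that removes that choice.
rem ASCII quotes replace the typographic ones - with the originals the REG_SZ data itself
rem would be stored with the quote characters included. Requires an elevated prompt (HKLM).
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v "ShellSmartScreenLevel" /t REG_SZ /d "Warn" /f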

Disable Windows Update deferrals

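rem Windows Update: no deferral of feature or quality updates (both set to 0).
rem ASCII quotes replace the typographic ones; requires an elevated prompt (HKLM).
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferFeatureUpdates" /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferQualityUpdates" /t REG_DWORD /d 0 /f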

Enable Windows Defender

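rem Keep Windows Defender on: every Disable* value is set to 0, the rest to their "on" value.
rem ASCII quotes replace the typographic ones; the "Windows Defender" paths contain a space
rem and are split into separate arguments without real quoting. Requires elevation.
rem These same values are a common tampering target, so an unexpected 1 in any Disable*
rem value under this key is worth alerting on.
rem NOTE(review): recent Defender platform releases reportedly ignore DisableAntiSpyware on
rem client editions; writing 0 is harmless either way.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d 1 /f
rem Real-time protection: scan downloaded files and attachments, keep monitoring on.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 0 /f
rem Scans: check for new signatures first, keep heuristics on.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableHeuristics" /t REG_DWORD /d 0 /f
rem Attachment Manager: ScanWithAntiVirus=3 always hands opened attachments to the antivirus.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "ScanWithAntiVirus" /t REG_DWORD /d 3 /f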

Do not allow Users and Apps to connect to Malicious Websites

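rem Defender Exploit Guard network protection in block mode (EnableNetworkProtection=1).
rem A value of 2 is audit-only, which is useful for a trial run before enforcing.
rem NOTE(review): network protection presumably depends on Defender real-time protection being active - verify.
rem ASCII quotes replace the typographic ones; the key path contains several spaces and is
rem split into separate arguments without real quoting. Requires an elevated prompt (HKLM).
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v "EnableNetworkProtection" /t REG_DWORD /d 1 /f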