HotCakeX / Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
https://hotcakex.github.io
MIT License

[Suggestion]: Hardening SMB #351

Closed agpt8 closed 5 days ago

agpt8 commented 1 week ago

Are you sure the Security measure is not already implemented?

Please explain your new Security measure suggestion

From discussion #349.

Hey there,

The very recent hardening measures in Device Guard and networking are welcome. Though I believe SMB can be hardened even further. Please let me know your thoughts on changing/enabling the following behavior.

Changing cipher suite order (found in GPO > Admin templates > Network > Lanman Server > Cipher Suite order), also applicable to Lanman Workstation (found in GPO > Admin templates > Network > Lanman Workstation > Cipher Suite order): Default is listed as:

SMB 3.11 cipher suites: AES_128_GCM AES_128_CCM AES_256_GCM AES_256_CCM

I am proposing:

AES_256_GCM AES_256_CCM AES_128_GCM AES_128_CCM

The default is by no means insecure; however, utilizing AES-256 encryption significantly enhances security. Learn more

Enable SMB over QUIC (found in the same list as above), also applicable to lanman workstation (found at the path listed above): QUIC requires TLS 1.3 for all data making it inherently secure. There are also latency benefits.

https://techcommunity.microsoft.com/t5/networking-blog/what-s-quic/ba-p/2683367
https://blog.cloudflare.com/the-road-to-quic/
https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-security-hardening#smb-over-quic-in-windows-server
https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-security-hardening#smb-over-quic-client-access-control

The first two posts are old at this point but they still apply.

While there are caveats, I believe the trade-offs are justified. The configuration provided by this module, once enabled, exceeds Microsoft's recommendations for properly secured workstations. In my opinion, it aligns perfectly with the philosophy of this module.
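As an added example (not code from the Harden-Windows-Security module or from the issue author), the script below audits and applies the cipher suite order proposed above through the SMB PowerShell cmdlets rather than the GPO editor, and enables SMB over QUIC on the client. It assumes Windows 11 or Windows Server 2022 and later, where `Set-SmbServerConfiguration` / `Set-SmbClientConfiguration` expose the `-EncryptionCiphers` and `-EnableSMBQUIC` parameters; the function names (`Get-SmbCipherOrder`, `Test-SmbCipherOrder`, `Set-SmbCipherOrder`, `Enable-SmbQuic`) are hypothetical and chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the Harden-Windows-Security module.
# Assumes Windows 11 / Windows Server 2022 or later, where the SMB cmdlets
# expose -EncryptionCiphers and -EnableSMBQUIC.

# Order proposed in this issue: AES-256 suites first, AES-128 kept as fallback
# so older SMB 3.1.1 peers that lack AES-256 support can still negotiate encryption.
$ProposedOrder = 'AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM'

function Get-SmbCipherOrder {
    # Report the effective cipher order for both roles (server and client/workstation).
    [PSCustomObject]@{
        Server = (Get-SmbServerConfiguration).EncryptionCiphers
        Client = (Get-SmbClientConfiguration).EncryptionCiphers
    }
}

function Test-SmbCipherOrder {
    param([string]$Expected = $ProposedOrder)
    $current      = Get-SmbCipherOrder
    $expectedList = $Expected -split ','
    # Compare as ordered lists: SMB picks the first suite both sides list, so
    # a set-equal but differently ordered value is still a finding.
    $serverOk = @(Compare-Object $expectedList ($current.Server -split ',') -SyncWindow 0).Count -eq 0
    $clientOk = @(Compare-Object $expectedList ($current.Client -split ',') -SyncWindow 0).Count -eq 0
    [PSCustomObject]@{
        ServerCompliant = $serverOk
        ClientCompliant = $clientOk
        ServerCurrent   = $current.Server
        ClientCurrent   = $current.Client
    }
}

function Set-SmbCipherOrder {
    param([string]$Order = $ProposedOrder)
    # Apply to the Lanman Server and Lanman Workstation roles, matching the two
    # GPO locations named in the issue. -Force suppresses the confirmation prompt.
    Set-SmbServerConfiguration -EncryptionCiphers $Order -Force
    Set-SmbClientConfiguration -EncryptionCiphers $Order -Force
}

function Enable-SmbQuic {
    # Client side: permit SMB over QUIC (UDP/443, TLS 1.3) to servers that offer it.
    Set-SmbClientConfiguration -EnableSMBQUIC $true -Force
    # Server side only exists on editions that ship the SMB over QUIC server,
    # so check for the setting before trying to turn it on.
    $srv = Get-SmbServerConfiguration
    if ($null -ne $srv.PSObject.Properties['EnableSMBQUIC']) {
        Set-SmbServerConfiguration -EnableSMBQUIC $true -Force
    } else {
        Write-Warning 'This edition exposes no SMB over QUIC server setting; only the client was enabled.'
    }
}

# Usage: audit, remediate, re-audit.
'Before:'; Test-SmbCipherOrder | Format-List
Set-SmbCipherOrder
Enable-SmbQuic
'After:';  Test-SmbCipherOrder | Format-List
```

Run `Test-SmbCipherOrder` alone on a machine you do not want to change yet; it returns `$false` for either role whose order differs from the proposal, which is the check to put into a compliance scan. Because the proposed order keeps the AES-128 suites at the end, peers that only support AES-128 still get an encrypted session instead of a failed negotiation, which is the compatibility trade-off the issue refers to. Note that if a Group Policy for Cipher Suite order is in force, the policy value wins over what these cmdlets set, so audit after a `gpupdate` as well.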

HotCakeX commented 5 days ago

All of the suggestions are now implemented: https://github.com/HotCakeX/Harden-Windows-Security/releases/tag/Hardening-Module-v.0.6.6