I'm setting up a new laptop with Windows 11 and I'm interested in any PowerShell scripts or configuration methods that can help me achieve a hardened installation. I've found a script online, but I'm curious if there's an industry standard approach for making these changes. Any suggestions or resources you can share would be greatly appreciated! I'm new to this and still trying to get the hang of PowerShell.
4 Answers
Most professionals lean towards using group policies or Mobile Device Management (MDM) tools for hardening, so there isn’t really a one-size-fits-all standard for PowerShell scripts. Instead, it's often about creating custom scripts tailored to specific needs, since setups can vary so widely. Just be ready for some tweaking!
It really depends on your specific goals for hardening. If it's about compliance for business, you might look into frameworks like the Essential Eight (for Australia), Cyber Essentials (in the UK), or EUCC guidelines in Europe. For practical solutions, HardeningKitty is a great starting point, and if you want a more stringent approach, consider applying DoD STIGs—a bit more invasive, but very thorough! Check this out for automation: https://medium.com/@stevenrim/powershell-automation-for-disa-stig-compliance-and-hardening-6515d055d9ef
If you're looking to implement hardening effectively, look into using mandatory user profiles. They can help in managing user environments more securely. Here’s the link for more details: https://learn.microsoft.com/en-us/windows/client-management/client-tools/mandatory-user-profile
You should check out this GitHub project: https://github.com/HotCakeX/Harden-Windows-Security. It has a bunch of resources for hardening your Windows setup. They also have a related project for Application Control that could be worth your time: https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager
Thanks for the tips! I'll check out HardeningKitty and the DoD STIG. Sounds like a solid plan.