Implementing Hardening Guidance
This article explains how to implement the hardening guidance produced by the Harden tool when configuring devices locally. Alternatively, if devices are centrally managed, tools such as Group Policy can be used to apply the same settings.
This guide discusses making changes to the low-level configuration of Windows devices, such as modifying the Windows Registry. Changing this configuration incorrectly can lead to system instability and in some cases may render the system inoperable. Therefore, it is strongly recommended that a System Restore Point is created before any changes are made.
Create a Restore Point
System Restore Points can be used to restore the configuration of a device to a prior "known good" state, which is useful when testing potential configuration changes and to ensure that accidental changes, e.g. typos in configuration files and the registry, can be reversed.
To create a System Restore Point open System Properties by opening a Run dialog (Windows + R) and executing the command "sysdm.cpl".
In the System Properties window, select the "System Protection" tab. From here a restore point can be created by selecting "Create...".
To create the System Restore Point, simply specify a name for the point and click "Create".
That's it. If you need to restore from a restore point at a later date, open System Properties, select "System Restore..." and then select the restore point you created above.
There are several types of configuration change that may be required to implement hardening guidance, but one very common method is making changes to the Windows Registry. The registry stores low-level configuration details for the operating system and installed software. Harden will refer to setting "Registry Keys" when a registry change is required.
To open the Registry Editor, open a Run dialog (Windows + R) and type: "regedit".
There are three key terms in regards to making changes to the registry: "Hives", "Keys", and "Values".
Hives are logical collections of keys and subkeys. The two most common hives you will use when implementing hardening are "HKEY_LOCAL_MACHINE" and "HKEY_CURRENT_USER"; within our documentation these are typically abbreviated to "HKLM" and "HKCU" respectively.
HKEY_LOCAL_MACHINE (HKLM) is the hive most commonly modified when hardening a system as (you might have guessed!) it is used to make changes to the local machine, although a small number of changes, such as configuring the screensaver, are made per user.
For Multi-user Machines: When making user level changes via "HKCU", remember that these changes will need to be configured for each user individually. Therefore, if a device is used by several different users, it may be easier to configure these settings under "HKEY_USERS" instead, which lists each user by their "Security Identifier", allowing an Administrator to reconfigure other users, rather than just the current user.
"Keys" (and "subkeys") can be thought of like folders as they are hierarchically organised below the Hive. "Values" are like files, which have a name and contain data. Documentation (including our documentation) generally gives the Hive, Key, Subkeys, and Values all together, for example take the following registry location: "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast". This refers to the "HKEY_LOCAL_MACHINE" hive, and gives a list of Keys/Subkeys that ultimately contain the "EnableMulticast" Value. This can be seen in the following screenshot showing the registry editor:
At this point it's important to note that there are several different types of Values. The above example shows the "EnableMulticast" Value is of type REG_DWORD. The types are: REG_SZ, REG_BINARY, REG_DWORD, REG_QWORD, REG_MULTI_SZ, REG_EXPAND_SZ.
If the Harden guidance says to set a Value to specific data and the Value (or the Key containing it) does not already exist, then it can be created, but the Value type is important when creating registry entries: a Value of the wrong type will not be read by the software it is meant to configure. A new Value can be created by right-clicking the Key and selecting "New" and then the Value type. Values can be edited by double-clicking the entry to be modified.
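The same steps (restore point, create the Key if missing, create or update the Value with the correct type) as an added PowerShell example for locally managed devices; this is not code from the Harden tool or its documentation. It assumes an elevated PowerShell session, and the data of 0 written to the page's example Value is an illustrative assumption, not a value taken from this article: use whatever the guidance specifies.

```powershell
# Added example: apply one registry setting from hardening guidance safely.
# Assumes an elevated session; EnableMulticast = 0 is an assumed illustrative value.
#Requires -RunAsAdministrator

function Set-HardeningRegistryValue {
    param(
        [Parameter(Mandatory)][string]$Path,   # Hive + Keys, e.g. 'HKLM:\SOFTWARE\Policies\...'
        [Parameter(Mandatory)][string]$Name,   # Value name, e.g. 'EnableMulticast'
        [Parameter(Mandatory)]
        [ValidateSet('String','ExpandString','Binary','DWord','QWord','MultiString')]
        [string]$Type,                         # REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_QWORD, REG_MULTI_SZ
        [Parameter(Mandatory)]$Data
    )

    # Keys behave like folders: create the whole path if it does not exist yet.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    # Record the current data (if any) so the change can be reviewed or reversed later.
    $before = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $before) {
        Write-Host "$Path\$Name does not exist; creating it as $Type"
    } else {
        Write-Host "$Path\$Name currently = $($before.$Name)"
    }

    # -PropertyType fixes the Value type, which is the part that is easy to get wrong
    # when creating Values by hand; -Force creates or overwrites as needed.
    New-ItemProperty -LiteralPath $Path -Name $Name -PropertyType $Type -Value $Data -Force | Out-Null
    $after = (Get-ItemProperty -LiteralPath $Path -Name $Name).$Name
    Write-Host "$Path\$Name now = $after"
}

# Take a restore point first, as the article recommends (System Protection must be enabled).
Checkpoint-Computer -Description 'Before hardening changes' -RestorePointType 'MODIFY_SETTINGS'

# The registry location used as the example in the text; the data 0 is an assumption.
Set-HardeningRegistryValue -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
    -Name 'EnableMulticast' -Type 'DWord' -Data 0
```

For per-user settings on a multi-user machine, the same function can be pointed at the HKU: drive (`HKU:\<SID>\...`, where the SID is the user's Security Identifier) after mapping it with `New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS`.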
Local Security Policy Changes
Other hardening configurations may require changes to the Local Security Policy. This can be opened by using the Run dialog (Windows + R) and typing: secpol.msc.
Navigating the Local Security Policy is relatively intuitive as it uses a simple folder-style hierarchy. Entries can be modified by simply double-clicking them:
Note: Some changes may require the device to be rebooted before they take effect.