## Windows Hardening

ref: https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-countermeasures?WT.mc_id=EM-MVP-5003177
ref: https://pulsesecurity.co.nz/articles/TPM-sniffing
ref: https://dys2p.com/de/2021-12-tamper-evident-protection.html
ref: https://github.com/proninyaroslav/blink-comparison
ref: https://github.com/Aorimn/dislocker
ref: https://github.com/libyal/libbde/blob/main/documentation/BitLocker%20Drive%20Encryption%20(BDE)%20format.asciidoc

ref: https://github.com/carlospolop/PEASS-ng

### BitLocker PIN

1. Activate BitLocker on the system drive.
2. Change the GPO to require TPM+PIN:
   - Path: Computer Configuration – Administrative Templates – Windows Components – BitLocker Drive Encryption – Operating System Drives
   - Setting: Require additional authentication at startup
   - Option: Configure TPM startup PIN
   - Value: Require startup PIN with TPM
   - Optionally: Allow enhanced PINs for startup
3. `manage-bde -status`
4. `manage-bde -protectors -add c: -TPMAndPIN` (the BitLocker GUI may also be able to do this)
5. `manage-bde -changepin c:`
6. `manage-bde -protectors -add c: -TPM` to 'remove' the PIN
7. `manage-bde -w Drive:` to wipe the free space
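
A check for the result of the steps above, as an added example that is not part of the original notes: it reads the policy values and the key protectors on the volume and flags a TPM-only protector, which is the state step 6 produces. Assumptions: the drive is `C:`, the script runs elevated, and the GPO has written `UseAdvancedStartup`, `UseTPMPIN` and `UseEnhancedPin` under `HKLM:\SOFTWARE\Policies\Microsoft\FVE`.

```powershell
# Added example: audit whether the TPM+PIN setup is in effect on a volume.
# Assumption: $MountPoint defaults to C: as in the notes; run from an elevated prompt.
param([string]$MountPoint = 'C:')

# Registry location where the BitLocker group policy settings are stored.
$fve    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue

# Returns the policy value, or $null when the key or value is not configured.
function Get-PolicyValue([string]$Name) {
    if ($null -ne $policy -and $policy.PSObject.Properties[$Name]) { $policy.$Name } else { $null }
}

# Key protector types currently attached to the volume (Tpm, TpmPin, RecoveryPassword, ...).
$volume = Get-BitLockerVolume -MountPoint $MountPoint
$types  = @($volume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

$checks = [ordered]@{
    'Policy: additional authentication at startup enabled' = (Get-PolicyValue 'UseAdvancedStartup') -eq 1
    'Policy: startup PIN with TPM required (UseTPMPIN=1)'  = (Get-PolicyValue 'UseTPMPIN') -eq 1
    'Volume: protection is on'                             = $volume.ProtectionStatus.ToString() -eq 'On'
    'Volume: fully encrypted'                              = $volume.VolumeStatus.ToString() -eq 'FullyEncrypted'
    'Volume: TpmPin protector present'                     = $types -contains 'TpmPin'
    # A Tpm protector means the drive unlocks at boot without a PIN (see step 6).
    'Volume: no TPM-only protector'                        = $types -notcontains 'Tpm'
}

$failed = 0
foreach ($c in $checks.GetEnumerator()) {
    $state = if ($c.Value) { 'PASS' } else { $failed++; 'FAIL' }
    '{0}  {1}' -f $state, $c.Key
}
'INFO  Enhanced PINs allowed: {0}' -f ((Get-PolicyValue 'UseEnhancedPin') -eq 1)
'INFO  Protectors on {0}: {1}' -f $MountPoint, ($types -join ', ')

# Exit code is the number of failed checks, so the script can gate a compliance job.
exit $failed
```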