2022-10-20 09:02:58 +00:00
## Windows Hardening
2022-10-21 10:47:14 +00:00
ref: https://github.com/carlospolop/PEASS-ng
### BitLocker PIN
#### ref
ref: https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-countermeasures?WT.mc_id=EM-MVP-5003177

ref: https://pulsesecurity.co.nz/articles/TPM-sniffing

ref: https://dys2p.com/de/2021-12-tamper-evident-protection.html

ref: https://github.com/proninyaroslav/blink-comparison

ref: https://github.com/Aorimn/dislocker

ref: https://github.com/libyal/libbde/blob/main/documentation/BitLocker%20Drive%20Encryption%20(BDE)%20format.asciidoc

#### guide
1. Activate BitLocker on the system drive.

2. Change the GPO for TPM+PIN:

   Computer Configuration – Administrative Templates – Windows Components – BitLocker Drive Encryption – Operating System Drives

   Require additional authentication at startup

   Configure TPM startup PIN

   Require startup PIN with TPM

   If needed: Allow enhanced PINs for startup

3. `manage-bde -status`

4. `manage-bde -protectors -add c: -TPMAndPIN` (the BitLocker GUI may also be able to do this)

5. `manage-bde -changepin c:`

6. `manage-bde -protectors -add c: -TPM` to 'remove' the PIN

7. `manage-bde -w Drive:` to wipe the free space
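
A read-only PowerShell check of the result of steps 2 to 6, added here as an example and not part of the original notes. It assumes an elevated session, that the OS volume is `$env:SystemDrive`, and that the step 2 settings are stored under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` as `UseAdvancedStartup` and `UseTPMPIN`; `New-Finding` is a helper defined only for this example.

```powershell
# Added example, read-only: audits the TPM+PIN setup described in the guide.
# Assumptions: elevated session; OS volume is $env:SystemDrive; the policy
# values below are the ones the step 2 GPO settings write to the registry.
$mount = $env:SystemDrive
$fve   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Hypothetical helper for this example: one result row per check.
function New-Finding($Check, $Expected, $Actual) {
    [pscustomobject]@{
        Check = $Check; Expected = $Expected; Actual = $Actual
        Ok    = ("$Actual" -eq "$Expected")
    }
}

# Step 2: "Require additional authentication at startup" and its PIN option.
# A missing key or value yields $null and is reported as a failed check.
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
$findings = @(
    New-Finding 'GPO UseAdvancedStartup (policy enabled)' 1 $policy.UseAdvancedStartup
    New-Finding 'GPO UseTPMPIN (1 = require PIN)'         1 $policy.UseTPMPIN
)

# Steps 3 to 6: the protector state that manage-bde -status reports.
$vol   = Get-BitLockerVolume -MountPoint $mount
$types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
$findings += New-Finding 'Protection status' 'On' $vol.ProtectionStatus
$findings += New-Finding 'TpmPin protector present' $true ($types -contains 'TpmPin')
# A TPM-only protector (step 6) unlocks the drive without any PIN prompt.
$findings += New-Finding 'TPM-only protector present' $false ($types -contains 'Tpm')

$findings | Format-Table -AutoSize
if ($findings.Ok -contains $false) {
    Write-Warning "Volume $mount does not match the TPM+PIN configuration."
}
```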
### driver blocklist
#### ref
ref: https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md
#### guide