{"id":45981188,"url":"https://github.com/harvester57/security-admx","last_synced_at":"2026-07-05T19:00:30.058Z","repository":{"id":54198251,"uuid":"318139015","full_name":"Harvester57/Security-ADMX","owner":"Harvester57","description":"Custom ADMX template focused on hardening Windows 10 \u0026 Windows 11 systems","archived":false,"fork":false,"pushed_at":"2026-07-03T07:31:46.000Z","size":577,"stargazers_count":100,"open_issues_count":1,"forks_count":8,"subscribers_count":10,"default_branch":"main","last_synced_at":"2026-07-03T09:25:34.215Z","etag":null,"topics":["admx","hardening","security","windows","windows-10","windows-11"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Harvester57.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-12-03T09:22:18.000Z","updated_at":"2026-07-03T07:31:43.000Z","dependencies_parsed_at":"2024-11-03T13:27:17.401Z","dependency_job_id":"8067a4da-f13c-4b4c-84a6-bed117d91f76","html_url":"https://github.com/Harvester57/Security-ADMX","commit_stats":null,"previous_names":[],"tags_count":42,"template":false,"template_full_name":null,"purl":"pkg:github/Harvester57/Security-ADMX","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Harvester57%2FSecurity-ADMX","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Harvester57%2FSecurity-ADMX/tags","releases_url":"https://repos.ecosyste.ms/api/v1
/hosts/GitHub/repositories/Harvester57%2FSecurity-ADMX/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Harvester57%2FSecurity-ADMX/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Harvester57","download_url":"https://codeload.github.com/Harvester57/Security-ADMX/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Harvester57%2FSecurity-ADMX/sbom","scorecard":{"id":1237463,"data":{"date":"2025-09-11T12:26:39Z","repo":{"name":"github.com/Harvester57/Security-ADMX","commit":"7e9b0d2ed83a88e8dc31c76a9400885fe4dbb28d"},"scorecard":{"version":"v5.2.1","commit":"ab2f6e92482462fe66246d9e32f642855a691dc1"},"score":6.8,"checks":[{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily 
download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":10,"reason":"all dependencies are pinned","details":["Info:   8 out of   8 GitHub-owned GitHubAction dependencies pinned","Info:   6 out of   6 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#pinned-dependencies"}},{"name":"Code-Review","score":0,"reason":"Found 0/4 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: jobLevel 'actions' permission set to 'read': .github/workflows/linting.yml:47","Info: jobLevel 'contents' permission set to 'read': .github/workflows/linting.yml:45","Info: jobLevel 'checks' permission set to 'read': .github/workflows/scorecards.yml:35","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecards.yml:29","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scorecards.yml:30","Info: jobLevel 'issues' permission set to 'read': .github/workflows/scorecards.yml:32","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/scorecards.yml:33","Info: topLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:13","Info: topLevel 'contents' permission set to 'read': .github/workflows/linting.yml:12","Info: topLevel permissions set to 'read-all': 
.github/workflows/scorecards.yml:18","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#token-permissions"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dependency-update-tool"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#vulnerabilities"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#signed-releases"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security 
policy.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#security-policy"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: all commits (26) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#sast"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#branch-protection"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#fuzzing"}},{"name":"Contributors","score":3,"reason":"project has 1 contributing companies or organizations -- score normalized to 3","details":["Info: found contributions from: european space agency"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., 
companies).","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#contributors"}},{"name":"CI-Tests","score":10,"reason":"13 out of 13 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#ci-tests"}}]},"last_synced_at":"2025-09-11T15:44:36.231Z","repository_id":54198251,"created_at":"2025-09-11T15:44:36.233Z","updated_at":"2025-09-11T15:44:36.233Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35165562,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-05T02:00:06.290Z","response_time":100,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["admx","hardening","security","windows","windows-10","windows-11"],"created_at":"2026-02-28T18:02:46.973Z","updated_at":"2026-07-05T19:00:30.026Z","avatar_url":"https://github.com/Harvester57.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Security-ADMX\n\nCustom ADMX template focused on hardening Windows 10 and Windows 11 systems.\n\n## Release 
status\n\n[![Linting](https://github.com/Harvester57/Security-ADMX/actions/workflows/linting.yml/badge.svg)](https://github.com/Harvester57/Security-ADMX/actions/workflows/linting.yml)\n[![Latest release](https://img.shields.io/github/v/release/Harvester57/Security-ADMX)](https://github.com/Harvester57/Security-ADMX/releases)\n\n## Table of contents\n\n- [System policies](#system-policies)\n- [Network policies](#network-policies)\n- [Debugging policies](#debugging-policies)\n- [Installation procedure](#installation-procedure)\n\n## Installation procedure\n\n### Automatic installation\n\nYou can automatically install the ADMX and ADML files to your local machine (Active Directory Central Store is not supported by the script) using the `install.ps1` PowerShell script.\n\n1. Open a PowerShell terminal as Administrator.\n2. Navigate to the directory where you downloaded the project.\n3. Run the script:\n   ```powershell\n   .\\install.ps1\n   ```\n\n### Manual installation\n\n#### Active Directory PolicyDefinitions store\n\nTo make the policies available to all the machines in your domain, you need to copy the files to the Central Store configuration of your domain controller.\n\n1. Locate the Central Store: `\\\\yourdomain.com\\SYSVOL\\yourdomain.com\\Policies\\PolicyDefinitions`.\n2. Copy the `.admx` files to the root of the `PolicyDefinitions` folder.\n3. Copy the `.adml` files (located in the `en-US` and `fr-FR` folders) to the corresponding language-specific subfolders in the Central Store.\n\n#### Local PolicyDefinitions folder\n\nTo install the policies on a standalone machine or for testing purposes:\n\n1. Locate the Local Store: `C:\\Windows\\PolicyDefinitions`.\n2. Copy the `.admx` files to the root of the `PolicyDefinitions` folder.\n3. 
Copy the `.adml` files (located in the `en-US` and `fr-FR` folders) to the corresponding language-specific subfolders in the Local Store.\n\n## Available policies\n\n\n### System policies\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eEnable secure mode for batch file processing\u003c/strong\u003e\u003c/summary\u003e\n\n- **Registry path(s):** SOFTWARE\\Microsoft\\Command Processor\n- **Registry key(s):** LockBatchFilesWhenInUse\n- **Values:** 0/1\n- **Description:** This policy gives administrators additional controls over the processing of batch files and CMD scripts.\n\n    If you enable this policy, a more secure mode for processing batch files is enabled, which ensures they do not change during execution by holding an opportunistic lock. This enhances the performance and security of batch file processing when Code Integrity is enabled, as signature validation will only be required to be performed a single time, instead of per statement executed in the batch file.\n\n    Note: This functionality is supported on Windows 11 Insider Preview Build 26300.7939 or later.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eEnable Microsoft Vulnerable Driver Blocklist\u003c/strong\u003e\u003c/summary\u003e\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\CI\\Config\n- **Registry key(s):** VulnerableDriverBlocklistEnable\n- **Values:** 0/1\n- **Description:** This policy setting configures whether the Microsoft Vulnerable Driver Blocklist is enabled on the system.\n\n    The vulnerable driver blocklist is a security feature designed to prevent known insecure, kernel-mode third-party drivers from loading.\n\n    If you enable this policy setting, the Vulnerable Driver Blocklist is enabled.\n\n    If you disable this policy setting, the Vulnerable Driver Blocklist is disabled, allowing known vulnerable drivers to load. 
Note: Disabling this feature reduces system security.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eEnable Virtualization-Based Security in Mandatory mode\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\n- **Registry key(s):** Mandatory\n- **Values:** 0/1\n- **Description:** This policy will enable the Virtualization-Based Security (VBS) function in Mandatory mode.\n\n    Mandatory mode is a new functionality introduced to prevent the Windows Downdate attack (and other related downgrading attacks) by forcing the verification of the components of the Secure Kernel and the hypervisor at boot time. Consequently, enabling this functionality can lead to boot failure (and a denial of service) in case of a modification of a core component of the Secure Kernel, the hypervisor or a related dependent module.\n\n    NOTE: if you already have Virtualization-Based Security enabled with UEFI Lock, this setting will not do anything, as the VBS configuration is already written and locked in a UEFI variable. This variable needs to be deleted using the bcdedit.exe tool before deploying the Mandatory flag and the UEFI Lock. Guidance and more information about this procedure are available here:\n\n    \u003chttps://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?tabs=reg#disable-virtualization-based-security\u003e\n\n    Enabling this policy will set the Mandatory flag and force the verification of the VBS components at boot time.\n\n    Enabling this policy with UEFI Lock already enabled will do nothing.\n\n    Disabling this policy will disable the verification of the components, only if the UEFI Lock is not enabled. 
Otherwise, disabling this policy will do nothing.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eEnable Generative AI features in Acrobat and Acrobat Reader\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SOFTWARE\\Policies\\Adobe\\Adobe Acrobat\\DC\\FeatureLockDown\n- **Registry key(s):** bEnableGentech\n- **Values:** 0/1\n- **Description:** The generative AI features in Acrobat and Acrobat Reader are turned on by default. This policy controls the state of the feature.\n\n    Enabling this policy will enable the Generative AI feature.\n\n    Disabling this policy will disable the Generative AI feature. For privacy purposes, it is recommended to set this policy to Disabled.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eConfigure the Windows Sudo command behavior\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SOFTWARE\\Policies\\Microsoft\\Windows\\Sudo\n- **Registry key(s):** Enabled\n- **Values:** 0/1/2/3\n- **Description:** This policy configures the behavior of the Sudo command introduced in Windows 11 24H2.\n\n    Possible choices are:\n\n  - Force a new elevated window to open (default behavior)\n  - Disable inputs to the elevated process\n  - Run in the current window\n  - Disable the functionality\n\n    It is recommended to use the default behavior and let the Sudo command open a new elevated window.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eEnable Secure Boot/Code Integrity mitigations for BlackLotus (CVE-2023-24932)\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\Secureboot\n- **Registry key(s):** AvailableUpdates\n- **Values:** 64/256/128/512\n- **Description:** This policy sets the Registry keys needed to apply the updated Secure Boot denylist (DBX), the new signing certificate in the allowlist (DB), the anti-rollback mechanism (SVN) and the 
Code Integrity Boot Policy, to prevent untrusted/vulnerable Windows boot managers from loading when Secure Boot is turned on.\n\n    IMPORTANT: carefully read the Microsoft documentation associated with this protection, as it can render your device unable to boot if you do not follow the prerequisite steps:\n\n  - \u003chttps://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d\u003e\n  - \u003chttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932\u003e\n\n    In particular, you should read all the step descriptions present in the list and the associated manual operations you need to perform (reboots, additional checks, ...) for each of them in the following section of the documentation:\n\n  - \u003chttps://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d#bkmk_mitigation_guidelines\u003e\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003ePrevent standard users from installing root certificates\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\ProtectedRoots\n- **Registry key(s):** Flags\n- **Values:** 0/1\n- **Description:** This policy prevents standard (non-administrator) users from installing root certificate authorities into their user-specific trust store.\n\n    Enabling this policy can help prevent code signing certificate cloning attacks. 
It is recommended to enable this policy.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eBlock driver co-installer applications\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Device Installer\n- **Registry key(s):** DisableCoInstallers\n- **Values:** 0/1\n- **Description:** A co-installer is a user-mode Win32 DLL that typically writes additional configuration information to the registry, or performs other installation tasks that require information that is not available when an INF is written.\n\n    If you enable this setting, co-installer execution will be prevented, and additional configuration software for specific devices (mice, gaming keyboards, etc.) must be downloaded and manually installed from the manufacturer website.\n\n    If you disable this setting, co-installer execution will be permitted, which is a significant security risk (potentially dangerous code execution).\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eLimit print driver installation to Administrators\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\n- **Registry key(s):** RestrictDriverInstallationToAdministrators\n- **Values:** 0/1\n- **Description:** Determines whether users that aren't Administrators can install print drivers on this computer.\n\n    By default, users that aren't Administrators can't install print drivers on this computer.\n\n    If you enable this setting or do not configure it, the system will limit installation of print drivers to Administrators of this computer.\n\n    If you disable this setting, the system will not limit installation of print drivers on this computer.\n\n    Additional information: 
\u003chttps://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7\u003e\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eEnable the strict Authenticode signature verification mechanism\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):**\n  - Software\\Microsoft\\Cryptography\\Wintrust\\Config\n  - Software\\Wow6432Node\\Microsoft\\Cryptography\\Wintrust\\Config\n- **Registry key(s):** EnableCertPaddingCheck\n- **Values:** 1/`\u003cdelete\u003e`\n- **Description:** The strict Authenticode signature verification mechanism disallows adding extraneous information to the WIN_CERTIFICATE structure.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eEnable AMSI Authenticode signature verification\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SOFTWARE\\Microsoft\\AMSI\n- **Registry key(s):** FeatureBits\n- **Values:** 2/1\n- **Description:** This policy enables the verification of the Authenticode signature of the AMSI provider.\n\n    If you enable this policy, the AMSI provider must be signed by a trusted certificate.\n\n    If you disable or do not configure this policy, the signature verification is disabled (default behavior).\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDisable standard users in Safe-Boot mode\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\n- **Registry key(s):** SafeModeBlockNonAdmins\n- **Values:** 0/1\n- **Description:** An adversary with standard user credentials that can boot into Microsoft Windows using the Safe Mode, Safe Mode with Networking or Safe Mode with Command Prompt options may be able to bypass system protections and security functionalities. 
To reduce this risk, users with standard credentials should be prevented from using Safe Mode options to log in.\n\n    Enabling this policy will prevent standard users from opening a session in Safe Mode.\n\n    Disabling this policy will allow standard users to open a session in Safe Mode.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eEnable additional LSA process hardening\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\Lsa\n- **Registry key(s):** RunAsPPL\n- **Values:** 0/1\n- **Description:** Enable this option to allow the LSA process to run as a PPL (Protected Process Light), in order to disallow its debugging.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDisable the SAM server TCP listener\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\Lsa\n- **Registry key(s):** SamDisableListenOnTCP\n- **Values:** 0/1\n- **Description:** By default, the SAM server (lsass.exe) is constantly listening on a random TCP port, bound to all network interfaces.\n\n    Enabling this policy will disable the TCP listener.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eEnable PowerShell Constrained Language Mode\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\n- **Registry key(s):** __PSLockdownPolicy\n- **Values:** 4/0\n- **Description:** Enable the Constrained Language Mode for PowerShell. This mode disallows several language elements that can be leveraged by attackers to perform sensitive API calls.\n\n    NOTE: since this policy only rewrites the __PSLockdownPolicy environment variable, this is not a secure way to enable CLM, and it is intended for defense-in-depth only. 
CLM can only be securely enforced by AppLocker and/or WDAC.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eAllow custom DLL loading list for application processes\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\n- **Registry key(s):** LoadAppInit_DLLs\n- **Values:** 0/1\n- **Description:** The list is located in the registry value HKLM:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eNumber of PBKDF2 iterations for cached logon credentials hashing\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SECURITY\\Cache\n- **Registry key(s):** NL$IterationCount\n- **Values:** 1 to 200000000\n- **Description:** For domain logons, if credentials caching is enabled, credentials are stored as MSCacheV2 hashes, derived using the PBKDF2-SHA1 hashing algorithm.\n\n    The number of iterations for the PBKDF2-SHA1 algorithm used for hashing operations can be controlled with this policy, with the following logic:\n\n  - For a value lower than or equal to 10240, the setting acts as a 1024-multiplier (for example, setting it to 20 will result in 20480 iterations).\n  - For a value greater than 10240, the setting acts as the chosen value (modulo 1024).\n\n    The recommended value depends on the target environment, the CPU power available and the performance hit you are willing to tolerate at logon (a high value can incur a net performance penalty for the logon process).\n\n    When the policy is enabled, the default value configured is 1954 (2 000 896 rounds). 
This is the recommended value (as of December 2022) for the PBKDF2-HMAC-SHA1 algorithm, considering the compute power of an RTX 4090 GPU in an offline brute-force attack model.\n\n    More information:\n  - \u003chttps://tobtu.com/minimum-password-settings/\u003e\n  - \u003chttps://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2\u003e\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDisable administrative shares for workstations\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters\n- **Registry key(s):** AutoShareWks\n- **Values:** 0/1\n- **Description:** Not recommended, except for highly secure environments.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDisable administrative shares for servers\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters\n- **Registry key(s):** AutoShareServer\n- **Values:** 0/1\n- **Description:** Not recommended, except for highly secure environments.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eEnable Spectre and Meltdown mitigations\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):**\n  - SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\n  - SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Virtualization\n- **Registry key(s):**\n  - FeatureSettingsOverride\n  - FeatureSettingsOverrideMask\n  - MinVmVersionForCpuBasedMitigations\n- **Values:**\n  - 72/8264/8/0/1/64/3\n  - 3\n  - 1.0\n- **Description:** The FeatureSettingsOverride registry key in Windows, typically found under SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management and often managed alongside FeatureSettingsOverrideMask, provides administrators with granular control over software-based mitigations for CPU speculative 
execution vulnerabilities like Spectre and Meltdown.\n\n    These vulnerabilities can potentially allow unauthorized access to sensitive data. Windows implements various mitigations to counter these threats, but they can sometimes introduce performance overhead. The FeatureSettingsOverride key allows for a tailored approach, enabling administrators to selectively enable or disable specific mitigations (such as those for different variants of Spectre, like v2 or Speculative Store Bypass - SSB, and Meltdown), to disable all of them if the performance impact is deemed too high for a particular environment, or to apply specific configurations like disabling Hyper-Threading on Intel CPUs in conjunction with these mitigations.\n\n    This policy also allows enabling Hyper-V mitigations for virtual machines below version 8.0 (MinVmVersionForCpuBasedMitigations).\n\n    Available options:\n  - Intel and AMD: enable all available mitigations\n  - Intel: enable all mitigations (with Hyper-Threading disabled)\n  - Intel: enable mitigations for Spectre v2, Meltdown, and SSB\n  - Intel: enable mitigations for Spectre v2 and Meltdown\n  - Intel: enable mitigations for Meltdown only\n  - AMD and ARM: enable mitigations for Spectre v2\n  - Disable all mitigations\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eEnable Structured Exception Handling Overwrite Protection (SEHOP)\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\Session Manager\\kernel\n- **Registry key(s):** DisableExceptionChainValidation\n- **Values:** 0/1\n- **Description:** SEHOP blocks exploits that use the Structured Exception Handling overwrite technique, a common buffer overflow attack.\n\n    This policy is only effective on 32-bit systems.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eEnable Network Level Authentication (NLA) for RDP 
connections\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\n- **Registry key(s):**\n  - SecurityLayer\n  - UserAuthentication\n  - MinEncryptionLevel\n- **Values:**\n  - 2\n  - 1\n  - 3\n- **Description:** This policy enables Network Level Authentication for RDP connections, with the following settings:\n\n  - TLS is required for server authentication and link encryption.\n  - High level of encryption (128 bits) for the data link.\n  - User authentication is required at connection time.\n\n  Disabling this policy does nothing.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eHarden network logons and authentication security\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\Lsa\n- **Registry key(s):** LmCompatibilityLevel\n- **Values:** 5/1\n- **Description:** Enable this policy to disable the LM and NTLMv1 authentication modes and allow NTLMv2 only.\n\nDisable this policy to restore LM and NTLMv1 capabilities, in addition to NTLMv2.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDisable WDigest protocol\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\n- **Registry key(s):**\n  - UseLogonCredential\n  - Negotiate\n- **Values:**\n  - 0\n  - 0\n- **Description:** Enabling this policy will disable the WDigest protocol, now considered obsolete.\n\n    Keeping WDigest enabled could allow an attacker to retrieve plain-text passwords stored in the LSA service with a tool such as Mimikatz, and it is therefore recommended to enable this policy.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDomain credentials caching hardening\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):**\n  - SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\Winlogon\n  - SYSTEM\\CurrentControlSet\\Control\\Lsa\n- **Registry key(s):**\n  - CachedLogonsCount\n  - TokenLeakDetectDelaySecs\n- **Values:**\n  - 2\n  - 30\n- **Description:** Enabling this policy modifies two settings related to how the local system handles domain-related credentials:\n\n  - The number of cached domain credentials kept for offline authentication (used when no domain controller is available) is reduced to 2.\n  - The delay before the credentials are cleared from memory after a logoff is set to 30 seconds.\n\n  Those settings reduce the exposure time of credentials to attack tools such as Mimikatz.\n\n  NOTE: those settings can prevent a new session from opening if the network is not available or if a domain controller is not reachable.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eForce the randomization of relocatable images (ASLR)\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\n- **Registry key(s):** MoveImages\n- **Values:** 4294967295 (0xFFFFFFFF)/0\n- **Description:** Enabling this policy will enable ASLR even for relocatable images that do not explicitly expose this capability.\n\n  Disabling this policy will explicitly disable the ASLR mechanism.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eAdditional registry fix for CVE-2015-6161\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):**\n  - SOFTWARE\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING\n  - SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING\n- **Registry key(s):** iexplore.exe\n- **Values:** 0/1\n- **Description:** Enable this policy to change the registry value FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING to 1.\n\n  This modification is necessary 
to fully fix an ASLR bypass vulnerability (CVE-2015-6161). For more information, refer to the MS15-124 security bulletin (\u003chttps://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-124\u003e).\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eAdditional registry fix for CVE-2017-8529\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):**\n  - SOFTWARE\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX\n  - SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX\n- **Registry key(s):** iexplore.exe\n- **Values:** 0/1\n- **Description:** Enable this policy to change the registry value FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX to 1.\n\n    This modification is necessary to fully fix an information disclosure vulnerability in Microsoft browsers (CVE-2017-8529). For more information, refer to the related security update guide (\u003chttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8529\u003e).\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eEnable kernel-level shadow stacks\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\KernelShadowStacks\n- **Registry key(s):** Enabled\n- **Values:** 0/1\n- **Description:** This policy enables kernel-level shadow stacks, also known as Intel CET (Control-flow Enforcement Technology) or AMD Shadow Stack.\n\n    Please note that this security function requires specific hardware support (AMD Zen 3 or Intel 11th Gen. 
processors) and OS support (Windows 21H2 or newer).\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDisable the WPBT functionality\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\Session Manager\n- **Registry key(s):** DisableWpbtExecution\n- **Values:** 0/1\n- **Description:** This policy disables the Windows Platform Binary Table (WPBT) functionality, which can be used for persistence through a UEFI implant.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDisable Time-Travel Debugging\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SOFTWARE\\Microsoft\\TTD\n- **Registry key(s):** RecordingPolicy\n- **Values:** 0/2\n- **Description:** This policy disables the Time-Travel Debugging (TTD) functionality, which can be used to dump the memory content of sensitive processes and to launch third-party executables.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eRemove current working directory from DLL search\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\Session Manager\n- **Registry key(s):** CWDIllegalInDllSearch\n- **Values:** 4294967295 (0xFFFFFFFF)/0\n- **Description:** The CWDIllegalInDllSearch registry entry is used to remove the current working directory (CWD) from the DLL search order.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eEnable Windows Defender sandbox\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\n- **Registry key(s):** MP_FORCE_USE_SANDBOX\n- **Values:** 0/1\n- **Description:** This policy enables the sandbox (content process) for the main process of Windows Defender.\n\n    The new content processes, which run with low privileges, aggressively leverage all available mitigation policies to reduce the 
attack surface. They enable and prevent runtime changes for modern exploit mitigation techniques such as Data Execution Prevention (DEP), Address space layout randomization (ASLR), and Control Flow Guard (CFG). They also disable Win32K system calls and all extensibility points, as well as enforce that only signed and trusted code is loaded.\n\n    More information: \u003chttps://www.microsoft.com/en-us/security/blog/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/\u003e\n\n\u003c/details\u003e\n\n### Network policies\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eTLS cipher suites configuration\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SOFTWARE\\Policies\\Microsoft\\Cryptography\\Configuration\\SSL\\00010002\n- **Registry key(s):** Functions\n- **Values:**\n  - TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256\n  - TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CCM,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CCM,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256\n  - 
TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CCM,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256\n  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CCM,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256\n- **Description:** This policy allows you to select between several TLS cipher suite configuration profiles.\n\n    NOTE: for profiles listed with TLS 1.3, please verify that your OS version supports TLS 1.3 (Windows 10 v1903 and up) and that TLS 1.3 support is enabled in the Schannel \"Protocols\" section, otherwise you could break TLS support on your system.\n\n    Changing this setting will require a restart of the computer before the setting will take effect. 
You can check the applied configuration with the Get-TlsCiphersuite cmdlet in a PowerShell session.\n\n    Cipher suites enabled for each profile, in order of preference:\n\n    **Modern (TLS 1.3 only)**\n\n    TLS_AES_256_GCM_SHA384\n    TLS_AES_128_GCM_SHA256\n    TLS_CHACHA20_POLY1305_SHA256\n    TLS_AES_128_CCM_SHA256\n\n    **Modern (TLS 1.3 and 1.2)**\n\n    TLS_AES_256_GCM_SHA384\n    TLS_AES_128_GCM_SHA256\n    TLS_CHACHA20_POLY1305_SHA256\n    TLS_AES_128_CCM_SHA256\n    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\n    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\n    TLS_ECDHE_ECDSA_WITH_AES_128_CCM\n    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384\n    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256\n    TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n\n    **Standard (TLS 1.2 only)**\n\n    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\n    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\n    TLS_ECDHE_ECDSA_WITH_AES_128_CCM\n    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384\n    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256\n    TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n\n    **Backward compatible (TLS 1.3, 1.2, 1.1 and 1.0)**\n\n    TLS_AES_256_GCM_SHA384\n    TLS_AES_128_GCM_SHA256\n    TLS_CHACHA20_POLY1305_SHA256\n    TLS_AES_128_CCM_SHA256\n    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\n    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\n    TLS_ECDHE_ECDSA_WITH_AES_128_CCM\n    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384\n    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256\n    
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384\n    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384\n    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256\n    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256\n\n    **Backward compatible (TLS 1.2, 1.1 and 1.0)**\n\n    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\n    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\n    TLS_ECDHE_ECDSA_WITH_AES_128_CCM\n    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384\n    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256\n    TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384\n    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384\n    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256\n    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eConfigure the IP source routing protection level\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** System\\CurrentControlSet\\Services\\Tcpip\\Parameters\n- **Registry key(s):** DisableIPSourceRouting\n- **Values:** 0/1/2\n- **Description:** Allows choosing the protection level applied to source-routed packets.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eConfigure the IP source routing protection level for IPv6\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** System\\CurrentControlSet\\Services\\Tcpip6\\Parameters\n- **Registry key(s):** DisableIPSourceRouting\n- **Values:** 0/1/2\n- **Description:** Allows choosing the protection level applied to source-routed IPv6 packets.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eEnable Kerberos events logging\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters\n- **Registry key(s):** LogLevel\n- **Values:** 
0/1\n- **Description:** Enable logging of debug events related to Kerberos in the System Event log.\n\n    If disabled, this policy disables Kerberos-related event logging (the default behavior). Enabling this option is only recommended for debugging purposes. Security auditing of Kerberos-related events should be configured with Advanced Auditing policies.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDisable IAKerb (Initial and Pass-Through Authentication using Kerberos)\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters\n- **Registry key(s):** DisableIAKerb\n- **Values:** 0/1 (0 = Enabled/Default, 1 = Disabled)\n- **Description:** Disable the IAKerb feature, which allows Kerberos authentication to function when the client has no direct connectivity to a Domain Controller.\n\n    If disabled (registry value set to 0), IAKerb is enabled, allowing target services to proxy Kerberos exchanges. If enabled (registry value set to 1), IAKerb is disabled, potentially falling back to NTLM.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDisable Local KDC (Local Key Distribution Center)\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters\n- **Registry key(s):** DisableLocalKDC\n- **Values:** 0/1 (0 = Enabled, 1 = Disabled/Default)\n- **Description:** Disable the Local KDC feature, which brings Kerberos-based authentication to local accounts.\n\n    If disabled (registry value set to 0), Local KDC is enabled, extending Kerberos semantics to local account scenarios. 
If enabled (registry value set to 1), Local KDC is disabled, which defaults authentication for local accounts back to NTLM.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDisable SMB 1.0 support (client and server)\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):**\n  - SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\n  - SYSTEM\\CurrentControlSet\\services\\mrxsmb10\n- **Registry key(s):**\n  - SMB1\n  - Start\n- **Values:**\n  - 0\n  - 4\n- **Description:** Disable SMB 1.0 support (client and server)\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eConfigure the minimum SMB2/3 client dialect supported\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\n- **Registry key(s):** MinSMB2Dialect\n- **Values:** 514/528/768/770/785/`\u003cdelete\u003e`\n- **Description:** This policy allows you to configure the minimum SMB2/3 version supported when acting as a client.\n\n    It is recommended to select the minimal version supported by your environment.\n\n    NOTE: if you select a version above what the remote server can handle, you will not be able to connect to the remote file share.\n\n    Supported versions:\n  - SMB 2.0.2\n  - SMB 2.1.0 (Windows 7)\n  - SMB 3.0.0 (Windows 8)\n  - SMB 3.0.2 (Windows 8.1)\n  - SMB 3.1.1 (Windows 10, Windows Server 2016)\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eConfigure the maximum SMB2/3 client dialect supported\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\n- **Registry key(s):** MaxSMB2Dialect\n- **Values:**\n- **Description:** This policy allows you to configure the maximum SMB2/3 version supported when acting as a client.\n\n    It is recommended to not configure this policy and to let the system negotiate the most 
suitable version.\n\n    NOTE: do not configure this policy with a value below the one selected in the \"Configure minimum SMB2 client dialect supported\" policy, otherwise you could break SMB support on your system.\n\n    Supported versions:\n  - SMB 2.0.2\n  - SMB 2.1.0 (Windows 7)\n  - SMB 3.0.0 (Windows 8)\n  - SMB 3.0.2 (Windows 8.1)\n  - SMB 3.1.1 (Windows 10, Windows Server 2016)\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eEnable support for TLS 1.2 only in WinHTTP\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):**\n  - SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\n  - SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\n- **Registry key(s):** DefaultSecureProtocols\n- **Values:** 2048/`\u003cdelete\u003e`\n- **Description:** Enabling this policy will enable support for TLS 1.2 only for applications based on WinHTTP that specify the WINHTTP_OPTION_SECURE_PROTOCOLS flag.\n\n    Disabling this policy will remove the DefaultSecureProtocols value, and restore the default behavior of WinHTTP.\n\n    NOTE: for Windows 7, Windows Server 2008 R2, Windows Server 2012 and Windows 8 Embedded, you need to install the KB3140245 update before enabling this policy.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eEnable advanced logging for Schannel\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\n- **Registry key(s):** EventLogging\n- **Values:** 1/2/3/4/5/6/7/0\n- **Description:** Enabling this policy will enable detailed Schannel events generation. 
You can choose the desired level of verbosity.\n\n  Logged events are available in the System event log.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDisable the strong-name bypass feature\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):**\n  - SOFTWARE\\Microsoft\\.NETFramework\n  - SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\n- **Registry key(s):** AllowStrongNameBypass\n- **Values:** 0/1\n- **Description:** Enabling this policy disables the strong-name bypass feature, so that strong-name signatures are validated again when assemblies are loaded.\n\n    Starting with the .NET Framework version 3.5 Service Pack 1 (SP1), strong-name signatures are not validated when an assembly is loaded into a full-trust System.AppDomain object, such as the default System.AppDomain for the MyComputer zone. This is referred to as the strong-name bypass feature. In a full-trust environment, demands for System.Security.Permissions.StrongNameIdentityPermission always succeed for signed, full-trust assemblies regardless of their signature.\n\n    The only restriction is that the assembly must be fully trusted because its zone is fully trusted. Because the strong name is not a determining factor under these conditions, there is no reason for it to be validated. 
Bypassing the validation of strong-name signatures provides significant performance improvements.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e.NET Framework 4: enable strong cryptographic support\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):**\n  - SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\n  - SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\v4.0.30319\n- **Registry key(s):**\n  - SchUseStrongCrypto\n  - SystemDefaultTlsVersions\n- **Values:**\n  - 0/1\n  - 0/1\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for TLS 1.1 and TLS 1.2 in .NET Framework 4.\n\n  If this setting is left unconfigured, TLS 1.1 and TLS 1.2 will be enabled by default for applications targeting .NET Framework 4.6 or higher and disabled otherwise.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e.NET Framework 2: enable strong cryptographic support\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):**\n  - SOFTWARE\\Microsoft\\.NETFramework\\v2.0.50727\n  - SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\v2.0.50727\n- **Registry key(s):**\n  - SchUseStrongCrypto\n  - SystemDefaultTlsVersions\n- **Values:**\n  - 0/1\n  - 0/1\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for TLS 1.1 and TLS 1.2 in .NET Framework 2.\n\n  If this setting is left unconfigured, TLS 1.1 and TLS 1.2 will be disabled by default.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eMulti-Protocol Unified Hello\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):**\n  - SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\Multi-Protocol Unified Hello\\Client\n  - SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\Multi-Protocol Unified Hello\\Server\n- **Registry key(s):**\n  - Enabled\n  - DisabledByDefault\n- 
**Values:** 0/1\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for Multi-Protocol Unified Hello. This protocol will never be used by Schannel SSP.\n\n    Changing this setting will require a restart of the computer before the setting will take effect.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003ePCT 1.0\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):**\n  - SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\PCT 1.0\\Client\n  - SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\PCT 1.0\\Server\n- **Registry key(s):**\n  - Enabled\n  - DisabledByDefault\n- **Values:** 0/1\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for PCT 1.0. This protocol will never be used by Schannel SSP.\n\n    Changing this setting will require a restart of the computer before the setting will take effect.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eSSL 2.0\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):**\n  - SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 2.0\\Client\n  - SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 2.0\\Server\n- **Registry key(s):**\n  - Enabled\n  - DisabledByDefault\n- **Values:** 0/1\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for SSL 2.0. 
By default for Windows clients, SSL 2.0 is disabled.\n\n    Note that SSL 2.0 is insecure and should not be enabled.\n\n    Changing this setting will require a restart of the computer before the setting will take effect.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eSSL 3.0\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):**\n  - SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 3.0\\Client\n  - SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 3.0\\Server\n- **Registry key(s):**\n  - Enabled\n  - DisabledByDefault\n- **Values:** 0/1\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for SSL 3.0.\n\n    SSL 3.0 is insecure and considered obsolete, and therefore should not be used. TLS 1.2 or better should be used instead, if possible.\n\n    Changing this setting will require a restart of the computer before the setting will take effect.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eTLS 1.0\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):**\n  - SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0\\Client\n  - SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0\\Server\n- **Registry key(s):**\n  - Enabled\n  - DisabledByDefault\n- **Values:** 0/1\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for TLS 1.0.\n\n    TLS 1.0, while historically considered secure, is now being deprecated by Microsoft and should be disabled. 
However, it may be required for backward compatibility.\n\n    Changing this setting will require a restart of the computer before the setting will take effect.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eTLS 1.1\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):**\n  - SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Client\n  - SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Server\n- **Registry key(s):**\n  - Enabled\n  - DisabledByDefault\n- **Values:** 0/1\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for TLS 1.1.\n\n    TLS 1.1, while historically considered secure, is now being deprecated by Microsoft and should be disabled. However, it may be required for backward compatibility.\n\n    Changing this setting will require a restart of the computer before the setting will take effect.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eTLS 1.2\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):**\n  - SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.2\\Client\n  - SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.2\\Server\n- **Registry key(s):**\n  - Enabled\n  - DisabledByDefault\n- **Values:** 0/1\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for TLS 1.2. 
TLS 1.2 has no known security issues, and it is recommended to enable it.\n\n    Changing this setting will require a restart of the computer before the setting will take effect.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eTLS 1.3\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):**\n  - SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.3\\Client\n  - SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.3\\Server\n- **Registry key(s):**\n  - Enabled\n  - DisabledByDefault\n- **Values:** 0/1\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for TLS 1.3. TLS 1.3 has no known security issues, and it is recommended to enable it.\n\n    !! WARNING: This setting is only compatible with Windows 10 v1903 and later. Enabling this setting on older OS versions will break Schannel, and you will need to manually remove the SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.3 key in the registry to fix it.\n\n    Changing this setting will require a restart of the computer before the setting will take effect.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDTLS 1.0\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):**\n  - SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\DTLS 1.0\\Client\n  - SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\DTLS 1.0\\Server\n- **Registry key(s):**\n  - Enabled\n  - DisabledByDefault\n- **Values:** 0/1\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for DTLS 1.0. 
Supported by Windows 7, Windows Server 2008 R2 and above.\n\n    Changing this setting will require a restart of the computer before the setting will take effect.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDTLS 1.2\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):**\n  - SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\DTLS 1.2\\Client\n  - SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\DTLS 1.2\\Server\n- **Registry key(s):**\n  - Enabled\n  - DisabledByDefault\n- **Values:** 0/1\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for DTLS 1.2. Supported by Windows 10 v1607 and above.\n\n    Changing this setting will require a restart of the computer before the setting will take effect.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDTLS 1.3\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):**\n  - SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\DTLS 1.3\\Client\n  - SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\DTLS 1.3\\Server\n- **Registry key(s):**\n  - Enabled\n  - DisabledByDefault\n- **Values:** 0/1\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for DTLS 1.3. Supported by Windows 10 v1903 and above.\n\n    Changing this setting will require a restart of the computer before the setting will take effect.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eNULL\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\NULL\n- **Registry key(s):** Enabled\n- **Values:** 4294967295 (0xFFFFFFFF)/0\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for NULL encryption ciphers. 
This is a weak cipher and should not be enabled.\n\n    Changing this setting will have an effect on whether the following ciphers can be selected for use:\n\n    TLS_RSA_WITH_NULL_SHA\n    TLS_RSA_WITH_NULL_SHA256\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDES 56/56\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\DES 56/56\n- **Registry key(s):** Enabled\n- **Values:** 4294967295 (0xFFFFFFFF)/0\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for DES 56/56. This is a weak cipher and should not be enabled.\n\n    Changing this setting will have an effect on whether the following ciphers can be selected for use:\n\n    SSL_RSA_WITH_DES_CBC_SHA\n    TLS_RSA_WITH_DES_CBC_SHA\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eRC2 40/128\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\RC2 40/128\n- **Registry key(s):** Enabled\n- **Values:** 4294967295 (0xFFFFFFFF)/0\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for RC2 40/128. This is a weak cipher and should not be enabled.\n\n    Changing this setting will have an effect on whether the following ciphers can be selected for use:\n\n    SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5\n    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eRC2 56/128\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\RC2 56/128\n- **Registry key(s):** Enabled\n- **Values:** 4294967295 (0xFFFFFFFF)/0\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for RC2 56/128. 
This is a weak cipher and should not be enabled.\n\n    Changing this setting will have an effect on whether the following ciphers can be selected for use:\n\n    SSL_RSA_WITH_DES_CBC_SHA\n    TLS_RSA_WITH_DES_CBC_SHA\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eRC2 128/128\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\RC2 128/128\n- **Registry key(s):** Enabled\n- **Values:** 4294967295 (0xFFFFFFFF)/0\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for RC2 128/128. This is a weak cipher and should not be enabled.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eRC4 40/128\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\RC4 40/128\n- **Registry key(s):** Enabled\n- **Values:** 4294967295 (0xFFFFFFFF)/0\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for RC4 40/128. This is a weak cipher and should not be enabled.\n\n    Changing this setting will have an effect on whether the following ciphers can be selected for use:\n\n    SSL_RSA_EXPORT_WITH_RC4_40_MD5\n    TLS_RSA_EXPORT_WITH_RC4_40_MD5\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eRC4 56/128\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\RC4 56/128\n- **Registry key(s):** Enabled\n- **Values:** 4294967295 (0xFFFFFFFF)/0\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for RC4 56/128. 
This is a weak cipher and should not be enabled.\n\n    Changing this setting will have an effect on whether the following ciphers can be selected for use:\n\n    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eRC4 64/128\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\RC4 64/128\n- **Registry key(s):** Enabled\n- **Values:** 4294967295 (0xFFFFFFFF)/0\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for RC4 64/128. This is a weak cipher and should not be enabled.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eRC4 128/128\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\RC4 128/128\n- **Registry key(s):** Enabled\n- **Values:** 4294967295 (0xFFFFFFFF)/0\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for RC4 128/128. This is a weak cipher and should not be enabled.\n\n    Changing this setting will have an effect on whether the following ciphers can be selected for use:\n\n    SSL_RSA_WITH_RC4_128_MD5\n    SSL_RSA_WITH_RC4_128_SHA\n    TLS_RSA_WITH_RC4_128_MD5\n    TLS_RSA_WITH_RC4_128_SHA\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eTriple DES 168\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\Triple DES 168\n- **Registry key(s):** Enabled\n- **Values:** 4294967295 (0xFFFFFFFF)/0\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for Triple-DES 168. 
This is a weak cipher and should not be enabled.\n\n    Changing this setting will have an effect on whether the following ciphers can be selected for use:\n\n    SSL_CK_DES_192_EDE_CBC_WITH_MD5\n    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA\n    TLS_RSA_WITH_3DES_EDE_CBC_SHA\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eAES 128/128\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\AES 128/128\n- **Registry key(s):** Enabled\n- **Values:** 4294967295 (0xFFFFFFFF)/0\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for AES 128/128. Note that in order for Windows 2003 to support AES-128, hotfix KB948963 must be installed.\n\n    It is recommended to enable it.\n\n    Changing this setting will have an effect on whether the following ciphers can be selected for use:\n\n    TLS_DHE_DSS_WITH_AES_128_CBC_SHA\n    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256\n    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256\n    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384\n    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521\n    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256\n    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384\n    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521\n    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256\n    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384\n    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521\n    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256\n    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384\n    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521\n    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256\n    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384\n    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521\n    TLS_RSA_WITH_AES_128_CBC_SHA\n    TLS_RSA_WITH_AES_128_CBC_SHA256\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eAES 256/256\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** 
SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\AES 256/256\n- **Registry key(s):** Enabled\n- **Values:** 4294967295 (0xFFFFFFFF)/0\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for AES 256/256.  Note that in order for Windows 2003 to support AES-256, hotfix KB948963 must be installed.\n\n    It is recommended to enable it.\n\n    Changing this setting will have an effect on whether the following ciphers can be selected for use:\n\n    TLS_DHE_DSS_WITH_AES_256_CBC_SHA\n    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256\n    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256\n    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384\n    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521\n    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384\n    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521\n    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384\n    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521\n    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256\n    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384\n    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521\n    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256\n    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384\n    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521\n    TLS_RSA_WITH_AES_256_CBC_SHA\n    TLS_RSA_WITH_AES_256_CBC_SHA256\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eMD5\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Hashes\\MD5\n- **Registry key(s):** Enabled\n- **Values:** 4294967295 (0xFFFFFFFF)/0\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for the MD5 hashing algorithm. 
This is a weak hash algorithm, and it should not be enabled.\n\n    Changing this setting will have an effect on whether the following ciphers can be selected for use:\n\n    SSL_CK_DES_192_EDE3_CBC_WITH_MD5\n    SSL_CK_DES_64_CBC_WITH_MD5\n    SSL_CK_RC4_128_EXPORT40_MD5\n    SSL_CK_RC4_128_WITH_MD5\n    TLS_RSA_EXPORT_WITH_RC4_40_MD5\n    TLS_RSA_WITH_NULL_MD5\n    TLS_RSA_WITH_RC4_128_MD5\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eSHA\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Hashes\\SHA\n- **Registry key(s):** Enabled\n- **Values:** 4294967295 (0xFFFFFFFF)/0\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for the SHA hashing algorithm. This is a weak hash algorithm, and it should not be enabled.\n\n    Changing this setting will have an effect on whether the following ciphers can be selected for use:\n\n    TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA\n    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA\n    TLS_DHE_DSS_WITH_AES_128_CBC_SHA\n    TLS_DHE_DSS_WITH_AES_256_CBC_SHA\n    TLS_DHE_DSS_WITH_DES_CBC_SHA\n    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256\n    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384\n    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521\n    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256\n    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384\n    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521\n    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256\n    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384\n    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521\n    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256\n    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384\n    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521\n    TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA\n    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA\n    TLS_RSA_WITH_3DES_EDE_CBC_SHA\n    TLS_RSA_WITH_AES_128_CBC_SHA\n    TLS_RSA_WITH_AES_256_CBC_SHA\n    TLS_RSA_WITH_DES_CBC_SHA\n    TLS_RSA_WITH_NULL_SHA\n    
TLS_RSA_WITH_RC4_128_SHA\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eSHA-256\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Hashes\\SHA256\n- **Registry key(s):** Enabled\n- **Values:** 4294967295 (0xFFFFFFFF)/0\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for the SHA-256 hashing algorithm.\n\n    It is recommended to enable it.\n\n    Changing this setting will have an effect on whether the following ciphers can be selected for use:\n\n    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256\n    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256\n    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256\n    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384\n    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521\n    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256\n    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384\n    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521\n    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256\n    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384\n    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521\n    TLS_RSA_WITH_AES_128_CBC_SHA256\n    TLS_RSA_WITH_AES_256_CBC_SHA256\n    TLS_RSA_WITH_NULL_SHA256\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eSHA-384\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Hashes\\SHA384\n- **Registry key(s):** Enabled\n- **Values:** 4294967295 (0xFFFFFFFF)/0\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for the SHA-384 hashing algorithm.\n\n    It is recommended to enable it.\n\n    Changing this setting will have an effect on whether the following ciphers can be selected for use:\n\n    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384\n    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521\n    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384\n    
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521\n    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256\n    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384\n    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eSHA-512\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Hashes\\SHA512\n- **Registry key(s):** Enabled\n- **Values:** 4294967295 (0xFFFFFFFF)/0\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for the SHA-512 hashing algorithm.\n\n    It is recommended to enable it.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDiffie-Hellman\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\KeyExchangeAlgorithms\\Diffie-Hellman\n- **Registry key(s):** Enabled\n- **Values:** 4294967295 (0xFFFFFFFF)/0\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for the Diffie-Hellman key exchange algorithm.\n\n    It is recommended to enable it.\n\n    Changing this setting will have an effect on whether the following ciphers can be selected for use:\n\n    TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA\n    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA\n    TLS_DHE_DSS_WITH_AES_128_CBC_SHA\n    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256\n    TLS_DHE_DSS_WITH_AES_256_CBC_SHA\n    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256\n    TLS_DHE_DSS_WITH_DES_CBC_SHA\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDiffie-Hellman Server-side Key Size\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\KeyExchangeAlgorithms\\Diffie-Hellman\n- **Registry key(s):** ServerMinKeyBitLength\n- **Values:** 2048/3072/4096\n- **Description:** Sets the minimum 
Diffie-Hellman ephemeral key size for TLS server.\n\n    Please see Microsoft Security Advisory 3174644 for more information on DH modulus length. 4096 is the currently recommended minimum value.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDiffie-Hellman Client-side Key Size\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\KeyExchangeAlgorithms\\Diffie-Hellman\n- **Registry key(s):** ClientMinKeyBitLength\n- **Values:** 2048/3072/4096\n- **Description:** Sets the minimum Diffie-Hellman ephemeral key size for TLS client.\n\n    Please see Microsoft Security Advisory 3174644 for more information on DH modulus length. 4096 is the currently recommended minimum value.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003ePKCS\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\KeyExchangeAlgorithms\\PKCS\n- **Registry key(s):** Enabled\n- **Values:** 4294967295 (0xFFFFFFFF)/0\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for the PKCS key exchange algorithm.\n\n    It is recommended to enable it.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003ePKCS Client-side Key Size\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\KeyExchangeAlgorithms\\PKCS\n- **Registry key(s):** ClientMinKeyBitLength\n- **Values:** 2048/3072/4096\n- **Description:** Sets the minimum PKCS ephemeral key size for TLS client.\n\n    Please see Microsoft Security Advisory 3174644 or https://support.microsoft.com/en-us/help/3174644/microsoft-security-advisory-updated-support-for-diffie-hellman-key-exc for more information on PKCS modulus length. 
4096 is the currently recommended minimum value.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eECDH\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\KeyExchangeAlgorithms\\ECDH\n- **Registry key(s):** Enabled\n- **Values:** 4294967295 (0xFFFFFFFF)/0\n- **Description:** Enabling or disabling this policy will respectively enable or disable support for the Elliptic-Curve Diffie-Hellman key exchange algorithm.\n\n    It is recommended to enable it.\n\n    Changing this setting will have an effect on whether the following ciphers can be selected for use:\n\n    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256\n    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384\n    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521\n    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256\n    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384\n    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521\n    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256\n    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384\n    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521\n    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256\n    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384\n    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521\n    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384\n    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521\n    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384\n    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521\n    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256\n    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384\n    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521\n    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256\n    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384\n    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521\n    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256\n    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384\n    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521\n    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256\n    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384\n    
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eRestrict anonymous access to SAM and Named Pipes/Shares\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\n- **Registry key(s):** RestrictNullSessAccess\n- **Values:** 0/1\n- **Description:** This policy controls whether standard anonymous users (null sessions) can access the SAM database and named pipes/shares.\n\n    Enabling this policy restricts anonymous access (value 1).\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDisable WPAD Override (User Preference)\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\n- **Registry key(s):** WpadOverride\n- **Values:** 0/1\n- **Description:** This policy controls whether the current user is restricted from using WPAD auto-discovery proxy overrides.\n\n    Enabling this policy sets WpadOverride to 1, disabling WPAD-based proxy automatic override behaviors to mitigate spoofing/poisoning risks.\n\n\u003c/details\u003e\n\n### Debugging policies\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eEnable Kernel Address Sanitizer\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Kernel\n- **Registry key(s):** KasanEnabled\n- **Values:** 0/1\n- **Description:** The Kernel Address Sanitizer (KASAN) is a bug detection technology supported on Windows kernel drivers that enables you to detect several classes of illegal memory accesses, such as buffer overflows and use-after-free events.\n\n    It requires you to enable KASAN on your system, and recompile your kernel driver with a specific MSVC compiler flag.\n\n    This policy controls the support of KASAN in the kernel. Enabling this policy will enable the support of KASAN. 
Disabling this policy will disable the support of KASAN.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eEnable detailed Blue Screens of Death (BSOD)\u003c/strong\u003e\u003c/summary\u003e\n\n\n- **Registry path(s):** SYSTEM\\CurrentControlSet\\Control\\CrashControl\n- **Registry key(s):** DisplayParameters\n- **Values:** 0/1\n- **Description:** This policy controls whether detailed information is displayed during a Blue Screen of Death (BSOD):\n\n    - If this policy is disabled, Windows will not display detailed stop error information on the blue screen (default).\n    - If this policy is enabled, Windows will display detailed information, similar to older versions of Windows, which can be useful for troubleshooting the cause of the BSOD.\n\n\u003c/details\u003e\n\n## Credits\n\n- The Schannel configuration part is taken almost as-is from the [Crosse/SchannelGroupPolicy](https://github.com/Crosse/SchannelGroupPolicy) repository, big kudos to him for his work :)\n- The legacy MSS and the settings from the Microsoft Security Guide are imported from the Microsoft Security Compliance Toolkit as-is\n  - More information: \u003chttps://www.microsoft.com/en-us/download/details.aspx?id=55319\u003e\n- The Windows Defender Attack Surface Reduction section is ported from Michael Grafnetter's [project](\u003chttps://github.com/MichaelGrafnetter/defender-asr-admx\u003e).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fharvester57%2Fsecurity-admx","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fharvester57%2Fsecurity-admx","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fharvester57%2Fsecurity-admx/lists"}