Manual Setup Guide

Step-by-step instructions for manually configuring Windows security parameters

Important: Always create a backup of your current security settings before making any changes. Some changes may require a system restart to take effect.

Overview

This guide provides detailed instructions for manually configuring Windows security parameters using various methods including Local Security Policy, Registry Editor, Command Line, and Group Policy. Each method is suitable for different scenarios and administrative requirements.

Setup Methods

Local Security Policy

Graphical interface for configuring security policies

Registry Editor

Direct registry modification for advanced settings

Command Line

Automated configuration using command-line tools

Group Policy

Enterprise-level policy management

Local Security Policy

The Local Security Policy editor provides a graphical interface for configuring Windows security settings. This is the most user-friendly method for manual configuration.

Accessing Local Security Policy

Press Win + R to open the Run dialog
Type secpol.msc and press Enter
If prompted by UAC, click "Yes" to allow administrator access

Account Policies Configuration

Configuration Steps

1. Navigate to: Account Policies → Password Policy
2. Configure the following settings:
   - Enforce password history: 24 passwords remembered
   - Maximum password age: 90 days
   - Minimum password age: 1 day
   - Minimum password length: 12 characters
   - Password must meet complexity requirements: Enabled
   - Store passwords using reversible encryption: Disabled

3. Navigate to: Account Policies → Account Lockout Policy
4. Configure the following settings:
   - Account lockout duration: 15 minutes
   - Account lockout threshold: 5 invalid logon attempts
   - Reset account lockout counter after: 10 minutes

Local Policies Configuration

Configuration Steps

1. Navigate to: Local Policies → User Rights Assignment
2. Configure the following settings:
   - Access this computer from the network: Administrators, Authenticated Users
   - Allow log on locally: Administrators, Users
   - Back up files and directories: Administrators
   - Change the system time: Administrators, LOCAL SERVICE
   - Change the time zone: Administrators, LOCAL SERVICE

3. Navigate to: Local Policies → Security Options
4. Configure the following settings:
   - Accounts: Block Microsoft accounts: Users cannot add or log on with Microsoft accounts
   - Accounts: Guest account status: Disabled
   - Accounts: Limit local account use of blank passwords: Enabled
   - Interactive logon: Do not require CTRL+ALT+DEL: Disabled
   - Interactive logon: Don't display last signed in: Enabled

Registry Editor

Direct registry modification provides the most granular control over Windows security settings. This method is recommended for advanced users and automated deployments.

Warning: Incorrect registry modifications can cause system instability. Always backup the registry before making changes.

Accessing Registry Editor

Press Win + R to open the Run dialog
Type regedit and press Enter
If prompted by UAC, click "Yes" to allow administrator access

Password Policy Registry Settings

Registry Path

Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Set the following values:
- PasswordHistorySize: 24 (DWORD)
- MaximumPasswordAge: 90 (DWORD)
- MinimumPasswordAge: 1 (DWORD)
- MinimumPasswordLength: 12 (DWORD)
- PasswordComplexity: 1 (DWORD)
- ClearTextPassword: 0 (DWORD)

Account Lockout Registry Settings

Registry Path

Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Set the following values:
- LockoutBadCount: 5 (DWORD)
- LockoutDuration: 15 (DWORD)
- ResetLockoutCount: 10 (DWORD)
- AllowAdministratorLockout: 1 (DWORD)

Interactive Logon Registry Settings

Registry Path

Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Set the following values:
- DisableCAD: 0 (DWORD) - Require CTRL+ALT+DEL
- DontDisplayLastUserName: 0 (DWORD) - Don't display last signed in
- LegalNoticeCaption: "Legal Notice" (String)
- LegalNoticeText: "This system is restricted to authorized users" (String)

User Account Control Registry Settings

Registry Path

Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Set the following values:
- ConsentPromptBehaviorAdmin: 5 (DWORD) - Prompt for consent for non-Windows binaries
- ConsentPromptBehaviorUser: 3 (DWORD) - Automatically deny elevation requests
- EnableInstallerDetection: 1 (DWORD) - Enabled
- EnableLUA: 1 (DWORD) - Enabled
- PromptOnSecureDesktop: 1 (DWORD) - Enabled
- ValidateAdminCodeSignatures: 0 (DWORD) - Disabled

Command Line Configuration

Command-line tools provide automated configuration capabilities suitable for scripting and remote administration.

Using net accounts Command

Command Line

# Configure password policy
net accounts /uniquepw:24
net accounts /maxpwage:90
net accounts /minpwage:1
net accounts /minpwlen:12

# Configure account lockout policy
net accounts /lockoutthreshold:5
net accounts /lockoutduration:15
net accounts /lockoutwindow:10

# View current settings
net accounts

Using reg add Command

Command Line

# Password policy settings
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v PasswordHistorySize /t REG_DWORD /d 24 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v MaximumPasswordAge /t REG_DWORD /d 90 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v MinimumPasswordAge /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v MinimumPasswordLength /t REG_DWORD /d 12 /f

# Interactive logon settings
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableCAD /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayLastUserName /t REG_DWORD /d 0 /f

# UAC settings
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorUser /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f

Using secedit Command

Command Line

# Export current security policy
secedit /export /cfg current_policy.inf

# Import security policy from file
secedit /configure /db security.sdb /cfg policy.inf

# Apply security template
secedit /configure /db security.sdb /cfg security_template.inf

Using auditpol Command

Command Line

# Configure audit policies
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Account Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# View current audit policy
auditpol /get /category:*

Group Policy Configuration

Group Policy provides enterprise-level policy management for Windows domains and organizational units.

Accessing Group Policy Management

Press Win + R to open the Run dialog
Type gpmc.msc and press Enter
Navigate to your domain and organizational units

Computer Configuration Policies

Group Policy Path

Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings

1. Account Policies → Password Policy
   - Enforce password history: 24 passwords remembered
   - Maximum password age: 90 days
   - Minimum password age: 1 day
   - Minimum password length: 12 characters
   - Password must meet complexity requirements: Enabled
   - Store passwords using reversible encryption: Disabled

2. Account Policies → Account Lockout Policy
   - Account lockout duration: 15 minutes
   - Account lockout threshold: 5 invalid logon attempts
   - Reset account lockout counter after: 10 minutes

3. Local Policies → User Rights Assignment
   - Access this computer from the network: Administrators, Authenticated Users
   - Allow log on locally: Administrators, Users
   - Back up files and directories: Administrators
   - Change the system time: Administrators, LOCAL SERVICE

4. Local Policies → Security Options
   - Accounts: Block Microsoft accounts: Users cannot add or log on with Microsoft accounts
   - Accounts: Guest account status: Disabled
   - Interactive logon: Do not require CTRL+ALT+DEL: Disabled
   - Interactive logon: Don't display last signed in: Enabled

Advanced Audit Policy Configuration

Group Policy Path

Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration

1. Account Logon
   - Audit Credential Validation: Success and Failure
   - Audit Kerberos Authentication Service: Success and Failure
   - Audit Kerberos Service Ticket Operations: Success and Failure

2. Account Management
   - Audit Application Group Management: Success and Failure
   - Audit Security Group Management: Success and Failure
   - Audit User Account Management: Success and Failure

3. Logon/Logoff
   - Audit Logon: Success and Failure
   - Audit Logoff: Success
   - Audit Account Lockout: Success and Failure

Microsoft Defender Application Guard

Group Policy Path

Navigate to: Computer Configuration → Policies → Administrative Templates → Windows Components → Microsoft Defender Application Guard

Configure the following settings:
- Allow auditing events: Disabled
- Allow camera and microphone access: Disabled
- Allow data persistence: Disabled
- Allow file download to host: Disabled
- Configure clipboard settings: Disabled
- Allow virtual GPU: Disabled
- Block non-enterprise content: Enabled
- Allow printing: Disabled
- Save files to host: Disabled
- Enable Application Guard: Enabled

Verification and Testing

Verifying Password Policy

Command Line

# Check password policy settings
net accounts

# Verify registry settings
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v PasswordHistorySize
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v MaximumPasswordAge
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v MinimumPasswordLength

Verifying Account Lockout Policy

Command Line

# Check account lockout settings
net accounts

# Verify registry settings
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LockoutBadCount
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LockoutDuration

Verifying UAC Settings

Command Line

# Check UAC registry settings
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v PromptOnSecureDesktop

Verifying Audit Policies

Command Line

# Check audit policy settings
auditpol /get /category:*

# Check specific subcategories
auditpol /get /subcategory:"Credential Validation"
auditpol /get /subcategory:"Account Logon"
auditpol /get /subcategory:"Logon"

Best Practices

Before Making Changes

Create a backup: Always backup current security settings before making changes
Test in non-production: Test all changes in a non-production environment first
Document changes: Keep detailed records of all security policy changes
Plan rollback: Have a rollback plan in case changes cause issues

Implementation Strategy

Phased approach: Implement changes in phases to minimize risk
Monitor impact: Monitor system performance and user experience after changes
User communication: Inform users of any changes that may affect their workflow
Regular reviews: Schedule regular reviews of security policy effectiveness

Maintenance and Monitoring

Regular audits: Conduct regular security audits to ensure compliance
Performance monitoring: Monitor system performance for any negative impacts
Security updates: Keep security policies updated with latest best practices
Incident response: Have procedures in place for security incidents

Troubleshooting

Common Issues

;

Issue: Changes not taking effect

Solution: Restart the system or log off and log back on. Some settings require a restart to take effect.

Issue: Access denied errors

Solution: Ensure you're running as Administrator and have proper permissions to modify security settings.

Issue: Group Policy not applying

Solution: Run gpupdate /force to refresh Group Policy settings and restart the system.

Recovery Procedures

Command Line

# Restore from backup using secedit
secedit /configure /db security.sdb /cfg backup_policy.inf

# Reset to default security settings
secedit /configure /db security.sdb /cfg %windir%\inf\defltbase.inf

# Restore specific registry keys from backup
reg import backup_registry.reg

Linux Manual Setup Guide

Step-by-step instructions for manually configuring Linux security parameters

Important: Always create a backup of your current configuration before making any changes. Some changes may require a system restart to take effect.

Overview

This guide provides detailed instructions for manually configuring Linux security parameters using various methods including system configuration files, command-line tools, and service management. Each method is suitable for different scenarios and administrative requirements.

Setup Methods

System Configuration

Direct modification of system configuration files

File Permissions

Managing file and directory permissions for security

Service Management

Configuring and managing system services

Network Security

Network configuration and firewall settings

System Configuration

Linux system configuration involves modifying various configuration files to implement security hardening measures.

Kernel Parameters

Configuration File

# Edit /etc/sysctl.conf
echo "net.ipv4.ip_forward = 0" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.conf
echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.conf

# Apply changes
sysctl -p

Password Policy Configuration

Configuration File

# Edit /etc/login.defs
PASS_MAX_DAYS 90
PASS_MIN_DAYS 1
PASS_WARN_AGE 7
PASS_MIN_LEN 12

# Edit /etc/pam.d/common-password
password requisite pam_pwquality.so retry=3 minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1

SSH Configuration

Configuration File

# Edit /etc/ssh/sshd_config
Port 22
Protocol 2
PermitRootLogin no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
LoginGraceTime 60
AllowUsers admin
Banner /etc/issue.net
PermitEmptyPasswords no
PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding no
MaxSessions 2
MaxStartups 3:30:10

# Restart SSH service
systemctl restart sshd

File Permissions

Proper file permissions are crucial for Linux security. This section covers setting appropriate permissions for critical system files.

Critical File Permissions

Command Line

# Set permissions for critical files
chmod 600 /etc/shadow
chmod 644 /etc/passwd
chmod 644 /etc/group
chmod 600 /etc/gshadow
chmod 600 /etc/ssh/sshd_config
chmod 644 /etc/ssh/ssh_host_*_key.pub
chmod 600 /etc/ssh/ssh_host_*_key

# Set ownership
chown root:root /etc/shadow
chown root:root /etc/passwd
chown root:root /etc/group
chown root:root /etc/gshadow
chown root:root /etc/ssh/sshd_config

Directory Permissions

Command Line

# Set directory permissions
chmod 755 /home
chmod 700 /home/username
chmod 755 /tmp
chmod 1777 /tmp
chmod 755 /var/tmp
chmod 1777 /var/tmp

# Set sticky bit for temporary directories
chmod +t /tmp
chmod +t /var/tmp

Mount Options

Configuration File

# Edit /etc/fstab
# Add security options to mount points
/tmp /tmp tmpfs defaults,noexec,nosuid,nodev 0 0
/dev/shm /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0
/home /home ext4 defaults,nodev,nosuid 0 0
/var /var ext4 defaults,nodev,nosuid 0 0
/var/tmp /var/tmp ext4 defaults,noexec,nosuid,nodev 0 0
/var/log /var/log ext4 defaults,noexec,nosuid,nodev 0 0

Service Management

Disabling unnecessary services reduces the attack surface of your Linux system.

Disable Unnecessary Services

Command Line

# Disable common unnecessary services
systemctl disable avahi-daemon
systemctl disable cups
systemctl disable dhcpd
systemctl disable named
systemctl disable dnsmasq
systemctl disable vsftpd
systemctl disable slapd
systemctl disable dovecot
systemctl disable nfs-server
systemctl disable rpcbind
systemctl disable rsync
systemctl disable smb
systemctl disable snmpd
systemctl disable tftp
systemctl disable squid
systemctl disable httpd
systemctl disable xinetd
systemctl disable gdm
systemctl disable postfix

Enable Essential Services

Command Line

# Enable essential security services
systemctl enable sshd
systemctl enable ufw
systemctl enable fail2ban
systemctl enable auditd
systemctl enable rsyslog
systemctl enable cron

# Start services
systemctl start sshd
systemctl start ufw
systemctl start fail2ban
systemctl start auditd
systemctl start rsyslog
systemctl start cron

Configure Firewall

Command Line

# Configure UFW firewall
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable

# Check status
ufw status verbose

Network Security

Network security configuration involves setting up proper firewall rules and network parameters.

IPTables Configuration

Configuration Script

#!/bin/bash
# Basic iptables configuration

# Flush existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Set default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP and HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Save rules
iptables-save > /etc/iptables/rules.v4

Network Interface Security

Command Line

# Disable IP forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward

# Disable ICMP redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects

# Enable IP spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter

# Disable source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route

Verification and Testing

Verify File Permissions

Command Line

# Check critical file permissions
ls -la /etc/shadow
ls -la /etc/passwd
ls -la /etc/group
ls -la /etc/gshadow
ls -la /etc/ssh/sshd_config

# Check for world-writable files
find / -type f -perm -002 2>/dev/null
find / -type d -perm -002 2>/dev/null

Verify Service Status

Command Line

# Check service status
systemctl status sshd
systemctl status ufw
systemctl status fail2ban
systemctl status auditd

# List enabled services
systemctl list-unit-files --type=service --state=enabled

Verify Network Configuration

Command Line

# Check firewall status
ufw status verbose
iptables -L -n

# Check network interfaces
ip addr show
ip route show

# Check listening ports
netstat -tuln
ss -tuln

Best Practices

Before Making Changes

Create a backup: Always backup current configuration files before making changes
Test in non-production: Test all changes in a non-production environment first
Document changes: Keep detailed records of all configuration changes
Plan rollback: Have a rollback plan in case changes cause issues

Implementation Strategy

Phased approach: Implement changes in phases to minimize risk
Monitor impact: Monitor system performance and user experience after changes
User communication: Inform users of any changes that may affect their workflow
Regular reviews: Schedule regular reviews of security configuration effectiveness

Maintenance and Monitoring

Regular audits: Conduct regular security audits to ensure compliance
Performance monitoring: Monitor system performance for any negative impacts
Security updates: Keep security configurations updated with latest best practices
Incident response: Have procedures in place for security incidents

Troubleshooting

Common Issues

Issue: SSH access denied after configuration

Solution: Check SSH configuration syntax and ensure proper permissions. Test with verbose mode: ssh -v user@host

Issue: Services not starting

Solution: Check service status with systemctl status service-name and review logs with journalctl -u service-name

Issue: Network connectivity problems

Solution: Check firewall rules and network configuration. Verify with iptables -L and ip route show

Recovery Procedures

Command Line

# Restore from backup
cp /etc/ssh/sshd_config.backup /etc/ssh/sshd_config
systemctl restart sshd

# Reset firewall rules
ufw --force reset
iptables -F

# Restore file permissions
chmod 644 /etc/passwd
chmod 600 /etc/shadow
chmod 644 /etc/group
chmod 600 /etc/gshadow