CHAPS Remediation Guide
April 14, 2026 · View on GitHub
This document provides per-check remediation guidance for negative findings in a CHAPS report. For each check that can produce a [-] result, it describes what the finding means, why it matters, and how to fix it.
Entries are grouped by report section and ordered by check number to match the report layout. For the full check catalog, see CHECKS.md. For interpreting report output, see INTERPRETING_REPORTS.md.
Important. All remediations below modify system or security configuration. Validate each change in a non-production environment first, especially on ICS / OT systems where legacy applications may depend on weak settings (SMBv1, NTLMv1, old TLS, etc.). Coordinate with system and application owners before making changes on production systems.
How to Apply Remediations
Three common mechanisms appear below:
- Registry edits (via
regedit.exe,reg addfrom CMD, orSet-ItemPropertyfrom PowerShell). Registry edits apply at the next reboot or immediately depending on the setting. - Group Policy (via
gpedit.msclocal policy or a domain GPO). Preferred for managed environments because the policy is refreshed automatically. - Service / feature commands (via
Set-Service,Disable-WindowsOptionalFeature,Set-SmbServerConfiguration). Take effect immediately.
Where both a Group Policy path and a registry key are given, use the GPO in managed environments. Registry edits are the fallback for standalone systems.
Section 1 — System Info Checks
Check 4 — Auto Update Configuration
Finding: [-] Windows AutoUpdate is not configured to automatically install updates
Why it matters: Systems that do not install security updates remain vulnerable to publicly documented exploits.
Remediate:
- GPO:
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates→ Enabled, option 4 — Auto download and schedule the install. - Registry:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU!AUOptions=4(DWORD).
ICS note: Patching schedules for OT systems typically follow a maintenance window. Set AUOptions=4 and configure the install schedule, or use WSUS to stage approved patches.
Check 6 — BitLocker
Finding: [-] BitLocker not detected on Operating System Volume or encryption is not complete
Why it matters: Without full-disk encryption, a stolen or improperly disposed drive exposes all data.
Remediate:
- Enable the BitLocker feature:
Enable-WindowsOptionalFeature -Online -FeatureName BitLocker-All. - Enable BitLocker on the OS volume with a TPM:
Enable-BitLocker -MountPoint "C:" -TpmProtector. - Wait for encryption to complete:
Get-BitLockerVolume -MountPoint "C:".
Server editions require explicit installation of the BitLocker feature.
Check 7 — AlwaysInstallElevated
Finding: [-] Users can install software as NT AUTHORITY\SYSTEM
Why it matters: With both the HKLM and HKCU AlwaysInstallElevated keys set to 1, any user can craft an MSI that runs as SYSTEM — trivial local privilege escalation.
Remediate: Remove or set to 0 both of:
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer!AlwaysInstallElevatedHKCU\SOFTWARE\Policies\Microsoft\Windows\Installer!AlwaysInstallElevated
GPO path: Computer Configuration → Administrative Templates → Windows Components → Windows Installer → Always install with elevated privileges → Disabled, AND the same under User Configuration.
Check 8 — EMET / Exploit Protection
Finding (Windows 10+): [-] System-wide DEP / ASLR / CFG not enabled
Why it matters: DEP, ASLR, and Control Flow Guard are foundational exploit mitigations.
Remediate: Use Set-ProcessMitigation -System -Enable DEP,SEHOP,BottomUp,ForceRelocateImages,CFG. Default Windows 10+ configuration enables these; a negative finding suggests a security policy has disabled them.
Check 9 — LAPS
Finding: [-] Local Administrator Password Solution (LAPS) is not installed
Why it matters: Without LAPS, local Administrator passwords tend to be identical across systems or not rotated, enabling lateral movement.
Remediate: Deploy Windows LAPS (built into Windows 10 21H2+ and Server 2019+) or legacy LAPS. See Microsoft Windows LAPS documentation.
Check 10 — GPO Reprocessing
Finding: [-] GPO settings are configured to only be applied after change
Why it matters: If GPOs only reapply on change, locally-made changes that contradict policy persist until the next policy edit.
Remediate: Set HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}!NoGPOListChanges = 0. GPO path: Computer Configuration → Administrative Templates → System → Group Policy → Registry policy processing → Enabled, and tick Process even if the Group Policy objects have not changed.
Check 11 — Net Session Enumeration
Finding: [-] SrvsvcSessionInfo registry key is not configured (Net Session Enumeration may be unrestricted)
Why it matters: Unauthenticated users can enumerate active sessions, aiding reconnaissance and AD enumeration tools.
Remediate: Apply the "Net Cease" hardening — restrict the DefaultSecurity SDDL on HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity!SrvsvcSessionInfo to exclude Authenticated Users. See Net Cease hardening.
Additionally set HKLM\SYSTEM\CurrentControlSet\Control\Lsa!RestrictRemoteSAM to the SDDL that permits only specific administrator groups.
Check 12 — AppLocker
Finding: [-] AppLocker not configured to manage PowerShell scripts
Why it matters: Without application allowlisting, unauthorized executables and scripts can run unchecked.
Remediate: Configure AppLocker rules via Secpol.msc → Application Control Policies → AppLocker. At a minimum, define rule collections for Executable rules and Script rules. In high-security environments prefer Windows Defender Application Control (WDAC) over AppLocker.
Check 13 — Credential Guard / Device Guard
Finding: [-] Credential Guard or HVCI service is not running
Why it matters: Credential Guard isolates LSASS secrets in VBS, blocking Mimikatz-class credential theft.
Remediate: Requires UEFI, Secure Boot, TPM 2.0, and VBS-capable CPU. GPO path: Computer Configuration → Administrative Templates → System → Device Guard → Turn On Virtualization Based Security → Enabled, Credential Guard Configuration → Enabled with UEFI lock.
Validate with msinfo32 (look for "Virtualization-based security: Running" and "Credential Guard: Running").
Check 14 — MS Office Macros
Finding: [-] Office <ver> <app> VBAWarnings is not set to restrict macros
Why it matters: Macro-borne malware remains a top initial-access vector.
Remediate:
- Registry per app:
HKCU\Software\Microsoft\Office\<ver>\<app>\Security!VBAWarnings=3(disable all except digitally signed) or4(disable all). - Also set
BlockContentExecutionFromInternet=1to block macros originating from internet-sourced files. - GPO: deploy the Office ADMX templates and configure macro security under
User Configuration → Administrative Templates → Microsoft <App> <ver> → <App> Options → Security → Trust Center.
Check 15 — Sysmon
Finding: [-] No Sysmon service detected. Consider deploying Sysmon for endpoint visibility.
Why it matters: Sysmon provides granular process, network, and file event logging far beyond default Windows audit.
Remediate: Download Sysmon from Sysinternals and install with a vetted configuration:
Sysmon64.exe -accepteula -i <path-to-config.xml>
Curated configs include SwiftOnSecurity/sysmon-config and Olaf Hartong's sysmon-modular. For ICS systems, ensure the config does not generate excessive events for industrial protocol traffic.
Check 17 — Antivirus / EDR
Finding: [-] Windows Defender Antivirus is not enabled or [-] <AV> definitions may be out of date
Why it matters: No active antivirus means no runtime protection against known malware.
Remediate: Enable Windows Defender via Set-MpPreference -DisableRealtimeMonitoring $false (or deploy a third-party AV/EDR). Update signatures via Update-MpSignature or vendor-specific channels.
Check 19 — UAC Configuration
Finding: [-] UAC is disabled (EnableLUA: 0) or [-] UAC admin prompt may not be secure
Why it matters: UAC is the primary defense against silent elevation. Disabled UAC means any process running as an admin user runs with full token.
Remediate:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System!EnableLUA=1!ConsentPromptBehaviorAdmin=2(prompt for consent on secure desktop)!PromptOnSecureDesktop=1!FilterAdministratorToken=1on sensitive systems- GPO:
Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → User Account Control: *
Reboot required for EnableLUA changes.
Check 20 — Account Policies
Findings:
[-] Account lockout threshold is not configured: Never[-] Minimum password length is too short: <n>[-] Guest account is enabled[-] Built-in Administrator account has not been renamed
Why it matters: Weak or missing account policies enable password-spray attacks and unauthorized access via well-known accounts.
Remediate:
net accounts /lockoutthreshold:5 /lockoutduration:15 /minpwlen:14- Disable Guest:
net user Guest /active:no - Rename built-in Administrator (via
lusrmgr.mscor GPOComputer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → Accounts: Rename administrator account).
Check 21 — Secure Boot
Finding: [-] Secure Boot is not enabled
Why it matters: Secure Boot prevents pre-OS malware (bootkits) by refusing to load unsigned boot code.
Remediate: Enable Secure Boot in UEFI firmware settings. Requires the disk to be GPT-partitioned and Windows installed in UEFI mode. Converting BIOS → UEFI may require mbr2gpt.exe and should be tested.
Check 22 — LSA Protection
Finding: [-] LSA Protection (RunAsPPL) is not enabled
Why it matters: LSA Protection prevents non-protected processes from reading LSASS memory, blocking Mimikatz-class credential theft.
Remediate:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa!RunAsPPL=1(or2for UEFI lock on Windows 11 22H2+).- Reboot required.
- On first boot after enabling, check Event Viewer → Windows Logs → System for LSA errors from drivers that cannot run as protected. Disable incompatible drivers or leave RunAsPPL off on that system.
Check 23 — Risky Services
Finding: [-] <service> service is RUNNING. Evaluate whether this service is needed.
Why it matters: Each of these services is an attack surface:
- Print Spooler — PrintNightmare (CVE-2021-34527)
- Remote Registry — remote registry enumeration
- SNMP — community string enumeration
- Telnet Server — unencrypted remote shell
- Remote Access — routing/VPN services
- .NET TCP Port Sharing — WCF port sharing
- Internet Connection Sharing — network bridging
Remediate: Disable unneeded services:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Repeat for each unneeded service. Always confirm the service is unused before disabling: Print Spooler is required on any system that prints; SNMP is required where the monitoring system polls it.
Section 2 — Security Checks
Check 24 — Unquoted Service Paths
Finding: [-] Unquoted service path: <service> -> C:\Some Path\service.exe
Why it matters: When a Windows service has an ImagePath that contains a space and is not enclosed in quotes, an attacker who can write to an earlier space-separated path (e.g., C:\Some.exe) can hijack execution. The Service Control Manager tries each parsed prefix as an executable.
Remediate: Quote the ImagePath value in the registry. For each affected service:
sc config <ServiceName> binPath= "\"C:\Some Path\service.exe\" -optional-args"
Or edit HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>!ImagePath directly and add quotes around the executable path. Restart the service. Vendor-installed services are the most common offenders; report the issue to the vendor or wrap the path yourself.
ICS note: Some PLC programming environments and HMI vendor services install with unquoted paths. Test that the service still starts after editing the registry value before deploying widely.
Check 25 — Weak Program Directory Permissions
Finding: [-] Weak ACL: 'C:\Vendor\App' grants Modify, Write to NT AUTHORITY\Authenticated Users
Why it matters: When a non-admin user can write to a folder containing executables that run with elevated privileges (services, scheduled tasks, helper utilities run by admins), they can replace those executables with malicious versions. Classic local privilege escalation.
Remediate: Tighten the ACL so only Administrators and SYSTEM have Modify/Write:
$path = 'C:\Vendor\App'
icacls $path /inheritance:r
icacls $path /grant:r 'BUILTIN\Administrators:(OI)(CI)(F)' 'NT AUTHORITY\SYSTEM:(OI)(CI)(F)' 'BUILTIN\Users:(OI)(CI)(RX)'
Or via Properties → Security tab in Explorer: remove the "Modify"/"Write" permission for Users / Authenticated Users / Everyone, leaving only Read & Execute.
ICS note: Some legacy vendor installers default to writable Program Files folders so the runtime user can write log/config files there. Move those files to %ProgramData%\<Vendor> and tighten the install folder. Validate the application still runs after permission changes.
Check 26 — Installed Compilers
Finding: [-] N compiler/build tool binary(ies) detected (living-off-the-land risk)
Why it matters: Compilers and build tools (gcc, MinGW, clang, MSVC cl.exe, NASM, Strawberry Perl, Python, make) on a production system give an attacker the ability to compile malware locally — bypassing antivirus signatures that would catch a pre-built binary. Compilers are rarely needed on operator workstations, HMIs, or production servers.
Remediate: If the compiler/tool is not required for normal operation:
- Uninstall via Control Panel → Programs, or
msiexec /uninstall <ProductCode>for MSI-installed tools. - For MinGW/MSYS/Strawberry Perl etc. installed by extracting an archive, delete the install folder and remove its
bin\directory fromPATH. - For Visual Studio Build Tools, uninstall via the Visual Studio Installer.
If the tool is genuinely required (e.g., a vendor-supplied build utility), document the business justification, restrict the binary's NTFS ACL to specific users, and consider AppLocker rules to block execution by the broader user population.
ICS note: Some vendor SDKs and engineering workstations legitimately need compilers (e.g., systems that compile PLC code, custom build servers). For HMI/operator workstations with no engineering role, treat compiler presence as a finding to remove.
Check 27 — SMB Server Configuration
Findings:
[-] SMBv1 is Enabled[-] SMBv1 Auditing is Disabled[-] SMB Server Require Security Signature is Disabled[-] SMB Server Encryption (EncryptData) is Disabled
Why it matters: SMBv1 is obsolete and vulnerable (WannaCry / EternalBlue). SMB signing and encryption prevent relay and tampering attacks.
Remediate:
# Disable SMBv1 server
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Enable SMBv1 auditing (to catch clients that still try to use it)
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
# Require signing
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
# Require encryption (SMB 3.x, Windows 8/Server 2012+)
Set-SmbServerConfiguration -EncryptData $true -Force
ICS note: Some legacy HMI or PLC vendor systems communicate using SMBv1. Audit first; disable only after confirming nothing depends on it.
Check 28 — Anonymous Enumeration
Findings:
[-] RestrictAnonymous registry key is not configured[-] RestrictAnonymoussam registry key is not configured
Why it matters: Anonymous SMB/SAM enumeration leaks user, group, and share information.
Remediate:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa!RestrictAnonymous=1HKLM\SYSTEM\CurrentControlSet\Control\Lsa!RestrictAnonymousSAM=1- GPO:
Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → Network access: Do not allow anonymous enumeration of SAM accounts and shares→ Enabled.
Check 29 — Untrusted Fonts (Windows 10+)
Finding: [-] Kernel MitigationOptions key is configured not to block
Why it matters: Blocks untrusted font loading by kernel mode, mitigating certain exploit paths.
Remediate: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel!MitigationOptions — set the appropriate hex bitmask for font blocking. See Block untrusted fonts.
Check 30 — ASR Rules
Finding: [-] No Attack Surface Reduction rules configured. (or [-] ASR Rule <GUID>: Disabled)
Why it matters: ASR rules block common attack techniques (Office macro child processes, credential theft from LSASS, obfuscated scripts).
Remediate: Configure ASR via Set-MpPreference:
# Example: enable "Block credential stealing from the Windows local security authority subsystem"
Set-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 `
-AttackSurfaceReductionRules_Actions Enabled
See ASR rules reference for the full list of GUIDs and actions.
Check 31 — SMB Client Signing
Findings:
[-] SMB Client Require Security Signature is Disabled[-] SMB Client Enable Security Signature is Disabled
Why it matters: SMB client signing prevents relay attacks against the client.
Remediate:
HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters!RequireSecuritySignature=1!EnableSecuritySignature=1- GPO:
Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → Microsoft network client: Digitally sign communications (always)→ Enabled.
Check 32 — TLS/SSL Protocol Configuration
Finding: [-] <proto> Server is enabled (should be disabled) — for SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1
Why it matters: Deprecated TLS/SSL protocols have known cryptographic weaknesses (POODLE, BEAST, etc.).
Remediate: Under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\<proto>\Server:
- Disable:
Enabled=0(DWORD),DisabledByDefault=1(DWORD) - Enable (for TLS 1.2 / 1.3):
Enabled=1,DisabledByDefault=0
Also disable client-side by repeating under \Client. Reboot required. Test server-side applications (e.g., IIS, SQL Server, WSUS) for compatibility before disabling TLS 1.0/1.1 on production.
Check 33 — Audit Policy
Finding: [-] Audit policy for <subcategory>: No Auditing
Why it matters: Without audit events, forensic investigation and detection are impossible.
Remediate:
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
For domain-managed systems, configure via GPO: Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration. See Microsoft's recommended audit policy.
Section 3 — Authentication Checks
Check 34 — RDP Deny
Findings:
[-] AllowRemoteRPC should be disabled to deny RDP: 1[-] fDenyTSConnections should be set to not allow remote connections: 0
Why it matters: If RDP is not intended for this system, any exposure is unnecessary attack surface.
Remediate:
- To deny RDP entirely:
HKLM\System\CurrentControlSet\Control\Terminal Server!fDenyTSConnections=1. - Also set
!AllowRemoteRPC=0. - GPO:
Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Connections → Allow users to connect remotely by using Remote Desktop Services→ Disabled.
Check 35 — Local Administrators
Finding: [-] More than one account is in local Administrators group
Why it matters: Multiple local admins mean more account compromise paths and harder accountability.
Remediate: Review membership (net localgroup Administrators). Remove service/user accounts that do not need local admin. Where domain admin access is needed, use a dedicated admin account or Just-In-Time (JIT) access via tools like PAM.
Check 36 — NTLM Session Security
Findings:
[-] NtlmMinServerSec not configured. Recommend 0x20080030.[-] NtlmMinClientSec not configured. Recommend 0x20080030.
Why it matters: 0x20080030 enforces NTLMv2 session security plus 128-bit encryption. Lower values allow weak protocols in the NTLM handshake.
Remediate:
HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0!NtlmMinServerSec=0x20080030(DWORD).!NtlmMinClientSec=0x20080030.- GPO:
Security Options → Network security: Minimum session security for NTLM SSP based (including secure RPC) <servers/clients>→ Require NTLMv2 session security, Require 128-bit encryption.
Check 37 — LAN Manager Authentication
Findings:
[-] LmCompatibilityLevel not configured. Default may allow LM/NTLM.[-] NoLmHash registry key is not configured
Why it matters: LM hashes are trivially crackable. LMCompatibilityLevel 5 refuses both LM and NTLMv1 entirely.
Remediate:
HKLM\System\CurrentControlSet\Control\Lsa!LmCompatibilityLevel=5HKLM\System\CurrentControlSet\Control\Lsa!NoLmHash=1- GPO:
Security Options → Network security: LAN Manager authentication level→ Send NTLMv2 response only. Refuse LM & NTLM.
Check 38 — Cached Logons
Finding: [-] CachedLogonsCount Is Not Set to 0 or 1
Why it matters: Cached logon credentials can be extracted by an attacker with SYSTEM access and used for offline cracking.
Remediate:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon!CachedLogonsCount=0or1(REG_SZ containing"0"or"1").- Setting to 0 means no cached logons; users cannot authenticate if the domain is unreachable. Setting to 1 allows one cached logon. Choose based on the system's role.
Check 39 — Interactive Login (LocalAccountTokenFilterPolicy)
Finding: [-] LocalAccountTokenFilterPolicy Is Set
Why it matters: When set to 1, this key disables remote UAC filtering — local admin accounts receive a full admin token over the network, enabling pass-the-hash.
Remediate:
- Remove or set to 0:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system!LocalAccountTokenFilterPolicy. - Do the same in
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\policies\systemon 64-bit systems.
Check 40 — WDigest
Finding: [-] WDigest UseLogonCredential key is Enabled
Why it matters: When enabled, WDigest caches cleartext passwords in LSASS memory — trivial extraction with Mimikatz.
Remediate: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest!UseLogonCredential = 0. Disabled by default on Windows 8.1+ / Server 2012 R2+. An explicit 1 value means someone turned it back on and should be investigated.
Check 41 — Restrict RPC Clients
Finding: [-] RestrictRemoteClients registry key is not configured
Why it matters: Restricts unauthenticated RPC clients, reducing attack surface.
Remediate: HKLM\Software\Policies\Microsoft\Windows NT\Rpc!RestrictRemoteClients = 1 (authenticated). GPO: Computer Configuration → Administrative Templates → System → Remote Procedure Call → Restrict Unauthenticated RPC clients → Enabled, Authenticated.
Check 42 — RDP Network Level Authentication
Findings:
[-] RDP Network Level Authentication (NLA) is not required[-] RDP minimum encryption level is below High
Why it matters: Without NLA, an attacker can exhaust resources or exploit pre-auth vulnerabilities (e.g., BlueKeep). Weak RDP encryption allows session interception.
Remediate:
HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp!UserAuthentication=1!MinEncryptionLevel=3(High) or4(FIPS)- GPO:
Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Security → Require user authentication for remote connections by using Network Level Authentication→ Enabled.
Section 4 — Network Checks
Check 44 — IPv6 Interfaces
Finding: [-] Host IPv6 network interface assigned
Why it matters: Unused IPv6 on a network without IPv6 monitoring creates a blind spot for DHCPv6 and router advertisement attacks.
Remediate: If IPv6 is not used in the environment, disable it on the adapter:
Disable-NetAdapterBinding -Name "<adapter>" -ComponentID ms_tcpip6
If IPv6 is used, ensure monitoring covers IPv6 and accept the finding.
Check 45 — WPAD
Findings:
[-] No WPAD entry detected. Should contain: wpad 255.255.255.255[-] WpadOverride registry key is configured to allow WPAD[-] WinHttpAutoProxySvc service is: Running[-] KB3165191 to harden WPAD is not installed
Why it matters: Windows auto-discovers proxies via WPAD, vulnerable to LLMNR/NBNS spoofing for credential theft.
Remediate:
- Add
255.255.255.255 wpadto%SystemRoot%\System32\drivers\etc\hosts(or block wpad DNS resolution at the DNS server). HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad!WpadOverride=1.- Disable the service:
Set-Service -Name WinHttpAutoProxySvc -StartupType DisabledthenStop-Service. - Apply KB3165191 (or a superseding cumulative update).
Check 46 — WINS Configuration
Findings:
[-] DNSEnabledForWINSResolution is enabled[-] WINSEnableLMHostsLookup is enabled
Why it matters: WINS and LMHosts lookup are legacy broadcast/resolution mechanisms exposed to poisoning attacks.
Remediate: On each network adapter (via adapter properties or registry): disable both. Via netsh:
netsh interface ipv4 set dnsservers "<adapter>" source=dhcp
And in the adapter's TCP/IP → Advanced → WINS tab, uncheck both.
Check 47 — LLMNR
Finding: [-] DNSClient.EnableMulticast does not exist or is enabled
Why it matters: LLMNR is spoofable on local networks, enabling credential theft.
Remediate: HKLM\Software\policies\Microsoft\Windows NT\DNSClient!EnableMulticast = 0. GPO: Computer Configuration → Administrative Templates → Network → DNS Client → Turn off multicast name resolution → Enabled.
Check 48 — Computer Browser Service
Finding: [-] Computer Browser service is: Running
Why it matters: Legacy NetBIOS browsing service, no longer needed on modern networks, and a known enumeration vector.
Remediate:
Stop-Service -Name Browser -Force
Set-Service -Name Browser -StartupType Disabled
Check 49 — NetBIOS over TCP/IP
Finding: [-] NetBios is Enabled: <value>
Why it matters: NetBIOS name service is spoofable (NBT-NS poisoning).
Remediate: Per adapter, set HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_<GUID>!NetbiosOptions = 2 (disable NetBIOS over TCP/IP). Can also be set on a DHCP server as a scope option, or in the adapter properties → TCP/IPv4 → Advanced → WINS → Disable NetBIOS over TCP/IP.
Check 52 — TCP/IP Stack Hardening
Findings:
[-] IP source routing is not fully disabled[-] ICMP redirects are enabled[-] IRDP router discovery is enabled
Why it matters: These legacy features allow attackers on the same network to redirect traffic.
Remediate: Under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:
!DisableIPSourceRouting=2(highest protection)!EnableICMPRedirect=0!PerformRouterDiscovery=0
Section 5 — PowerShell Checks
Check 53 — Network Shares
Finding: [-] N non-default SMB share(s) detected: <name> -> <path>
Why it matters: Each user-created SMB share is a potential network entry point: misconfigured permissions can expose data, allow file write attacks, or enable lateral movement. Shares hosted on workstations and HMIs are particularly suspect — workstations are not file servers.
Remediate: For each share in the report, decide whether it's needed:
- Not needed: Remove the share.
Remove-SmbShare -Name <ShareName>(PowerShell) ornet share <ShareName> /delete(CMD). - Needed: Verify ACLs are correct. View with
Get-SmbShareAccess -Name <ShareName>and tighten withGrant-SmbShareAccess/Revoke-SmbShareAccess. Also verify NTFS ACLs on the underlying folder. - Replace with a different mechanism: For occasional file transfer, prefer pull-based tools (scp from a jump host, robocopy from a designated server) over leaving SMB shares running.
ICS note: Engineer/operator workstations sometimes have shares left over from initial system setup or troubleshooting. These are often forgotten and rarely reviewed. Eliminate them.
Check 54 — PowerShell Versions
Finding: [-] Current PowerShell Version is less than Version 5 or [-] PowerShell Version 2 should be disabled
Why it matters: PSv2 lacks the logging features of PSv5+ (script block logging, module logging) and is a documented downgrade attack vector.
Remediate: Disable the v2 engine:
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2,MicrosoftWindowsPowerShellV2Root
Also uninstall .NET Framework 2.0/3.5 if no applications require it.
Check 55 — PowerShell Language Mode
Finding: [-] Execution Language Mode Is Not ConstrainedLanguage
Why it matters: Full Language mode allows arbitrary .NET invocation from PowerShell, aiding malware.
Remediate: Configure AppLocker or WDAC in enforcement mode — PowerShell automatically switches to ConstrainedLanguage when a script-control policy is active. Manually setting $ExecutionContext.SessionState.LanguageMode is not durable.
Checks 52, 53, 54, 55 — PowerShell Logging
Findings:
[-] EnableModuleLogging Is Not Set[-] EnableScriptBlockLogging Is Not Set[-] EnableTranscripting Is Not Set[-] EnableProtectedEventLogging Is Not Set
Why it matters: PowerShell logging is the primary source of visibility into script-borne attacks.
Remediate: GPO path: Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell:
- Turn on Module Logging → Enabled, Modules =
* - Turn on PowerShell Script Block Logging → Enabled (tick "Log script block invocation start / stop events" for deep logging)
- Turn on PowerShell Transcription → Enabled, specify an
OutputDirectory - Turn on Protected Event Logging → Enabled with a certificate for encryption
Equivalent registry keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\*.
Check 60 — WinRM
Findings:
[-] WinRM Services is running and may be accepting connections[-] WinRM Firewall Rule <name> is enabled
Why it matters: WinRM enables remote command execution; if not intentionally used, it's attack surface.
Remediate: If WinRM is not needed:
Disable-PSRemoting -Force
Stop-Service -Name WinRM
Set-Service -Name WinRM -StartupType Disabled
Disable-NetFirewallRule -DisplayName "Windows Remote Management (HTTP-In)"
If WinRM is needed, restrict via:
- TrustedHosts:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value <list> - IPsec policies or firewall rules limiting source IPs
- HTTPS-only listener with a real certificate
Section 6 — Logging Checks
Check 61 — Event Log Sizes
Finding: [-] <log> max log size is smaller than <N> GB: <actual> GB
Why it matters: Small log sizes roll over quickly, losing forensic evidence within hours or days.
Remediate: Via wevtutil (per log):
wevtutil sl "Security" /ms:4294967296
(that's 4 GB in bytes). Or GPO: Computer Configuration → Administrative Templates → Windows Components → Event Log Service → <Log> → Specify the maximum log file size (KB).
Recommended thresholds (from CHAPS defaults):
- Application, System, Security, Windows PowerShell: ≥ 4 GB
- Operational logs (PowerShell, TerminalServices, TaskScheduler, SMBServer/Audit, Security-Netlogon, WinRM, WMI-Activity): ≥ 1 GB
Also configure log forwarding (Windows Event Forwarding, Splunk/Elastic agent, Sysmon channel forwarding) so events survive even if local logs roll.
Check 62 — Command-Line Auditing
Finding: [-] ProcessCreationIncludeCmdLine_Enabled Is Not Set
Why it matters: Without command-line auditing, process creation events (Event ID 4688) lack the command line, making malicious command reconstruction much harder.
Remediate: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit!ProcessCreationIncludeCmdLine_Enabled = 1. GPO: Computer Configuration → Administrative Templates → System → Audit Process Creation → Include command line in process creation events → Enabled.
Also ensure Process Creation is audited under Advanced Audit Policy (see Check 30).
Check 63 — Windows Script Host
Findings:
[-] WSH Setting Enabled key is Enabled[-] KB2871997 is not installed
Why it matters: WSH (VBScript, JScript) is a common malware execution environment. KB2871997 hardens credential caching.
Remediate:
- Disable WSH:
HKLM\Software\Microsoft\Windows Script Host\Settings!Enabled=0(DWORD). - Install current Windows cumulative updates (which include KB2871997 or its successor).
Remediation Priority
When the remediation backlog is long, apply fixes roughly in this priority order:
- Credential-theft vectors — WDigest, LSA Protection, Cached Logons, NTLM session security, LocalAccountTokenFilterPolicy.
- Logging and visibility — PowerShell logging (all four), Command-line auditing, Audit Policy, Event log sizes.
- Protocol hardening — SMBv1, TLS/SSL, LAN Manager authentication, NTLM levels.
- Attack-surface reduction — Risky services, RDP/WinRM configuration, LLMNR/NBNS/WPAD.
- OS-level exploit mitigations — UAC, LSA Protection, Secure Boot, Credential/Device Guard, ASR Rules, AppLocker/WDAC.
- Compliance / account hygiene — Account lockout, password policy, Guest account, Administrator rename, local admin count.
- Infrastructure — BitLocker, Auto Update, Office macros, USB device review.
Prioritize credential-theft and logging first: those provide both hardening and the visibility to detect when attacks do land.