Forum Discussion
Hardening Windows 10 on an IT Pro's laptop
- Anonymous, Apr 13, 2018
A clean install of Windows 10 is pretty good; that said, I do have the following advice:
- It is important to properly configure User Account Control on all machines; out of the box it is very insecure meaning anything can bypass it to grab admin privileges.
- It is important to make sure that Secure Boot is enabled on all machines.
- BitLocker is an obvious one, enable it on all machines.
- You may want to use Windows Defender Firewall to block all inbound connections on the private and public profiles; it's very effective for protecting devices in public places and usually has no negative impact, but should be assessed per requirements.
- You should deploy the uBlock Origin browser extension to all browsers, it blocks a significant amount of malware and greatly reduces the bandwidth used by your org; for the record, Chrome and Edge are much more secure than other browsers.
- Also remember to properly patch, if Windows, Defender, or Browser are out of date then you WILL be targeted.
Following the above will significantly benefit you and your users and can be done by anybody without any extra cost; I hope that's useful for you
Edit: oh, and if you're ever able to: I recommend you look into Windows 10 S (soon to be called Windows Pro in S Mode)
yes, it gets a lot of stick for restricting you to Edge and Store apps but that thing is rock solid; even if you never ever use it, it's the best example of Device Guard Code Integrity in action and how powerful it can be when properly configured
Edit: from 1803, Hypervisor-enforced Code Integrity (HVCI) will be enabled by default via clean install; you can enable it on previous versions by following these instructions: https://docs.microsoft.com/en-gb/windows/security/threat-protection/enable-virtualization-based-protection-of-code-integrity
HVCI is a feature that helps defend against kernel level malware; I initially didn't mention it because I'm not sure what the real world benefits are and I'm aware that it can cause instability and performance problems, however since Microsoft seems to be pushing for its implementation I felt it was worth adding. (I imagine they may also do the same for DMA Protection in the future)
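As an added example (not the poster's own script), here is a PowerShell posture check for the items listed above: UAC configuration, Secure Boot, BitLocker on the OS volume, inbound firewall policy, HVCI and Defender signature age. It assumes an elevated session on Windows 10 with the BitLocker feature present; the function name Get-HardeningPosture is hypothetical.

```powershell
# Posture check for the hardening items in the post above. Run from an
# elevated PowerShell session; every cmdlet used is built into Windows 10.
function Get-HardeningPosture {
    $findings = [ordered]@{}

    # UAC: EnableLUA=1, ConsentPromptBehaviorAdmin=2 ("Always notify": prompt
    # for consent on the secure desktop) and PromptOnSecureDesktop=1.
    # The out-of-box value 5 only prompts for non-Windows binaries.
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $findings['UAC'] = ($uac.EnableLUA -eq 1 -and
                        $uac.ConsentPromptBehaviorAdmin -eq 2 -and
                        $uac.PromptOnSecureDesktop -eq 1)

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS machines,
    # so a failure is reported as "not enabled".
    try   { $findings['SecureBoot'] = [bool](Confirm-SecureBootUEFI) }
    catch { $findings['SecureBoot'] = $false }

    # BitLocker on the OS volume: protection on and encryption finished.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $findings['BitLocker'] = ($os.ProtectionStatus -eq 'On' -and
                              $os.VolumeStatus -eq 'FullyEncrypted')

    # Firewall: enabled with default inbound action Block on Private and
    # Public. (Remediation, if needed:
    #   Set-NetFirewallProfile -Profile Private,Public -DefaultInboundAction Block)
    $profiles = Get-NetFirewallProfile -Name Private, Public
    $findings['FirewallInboundBlock'] = -not ($profiles |
        Where-Object { -not $_.Enabled -or $_.DefaultInboundAction -ne 'Block' })

    # HVCI: Win32_DeviceGuard.SecurityServicesRunning contains 2 when
    # hypervisor-enforced code integrity is active (1 = Credential Guard).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $findings['HVCI'] = ($dg.SecurityServicesRunning -contains 2)

    # Patching: Defender definitions older than seven days count as a finding.
    $mp = Get-MpComputerStatus
    $findings['DefenderSignaturesFresh'] = ($mp.AntivirusSignatureAge -le 7)

    [pscustomobject]$findings
}

Get-HardeningPosture | Format-List
```

Each property is $true when the corresponding item from the post is in place, so the output reads as a checklist for the machine it was run on.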
Yep, I think that's on Deleted's security todo list which I am slowly going through, starting with BitLocker. One thing I did was allow complex passwords prior to enabling BitLocker. Oddly I didn't get much feedback regarding Drive C, whereas for Drive D I got the full progress dialog. Seems to be working well and I will test hibernation recovery at some stage.
As for your suggestion, are there any downsides to this as I want to work seamlessly with PowerShell, Azure, REST calls etc.?
When encrypting the C drive it'll ask you to reboot, and the process will start after you next log in. Other drives will start encrypting immediately, that might explain the missing progress dialog.
Chris' suggestion is not something I've mentioned. I've had successful implementations of that sort of model at the level of role, domain, or infrastructure segregation, but as a single user on a single machine it would essentially mean trying to keep all your more "dodgy stuff" to one VM whilst your "sensitive stuff" is in other VMs, potentially a VM for each contract/client/environment. I feel like the concept is aspirational but in reality creates a lot of management overhead, interrupts workflow, and leads to a false sense of security.
That said, I'm glad to see your input Chris and ultimately I may be misunderstanding; I'd love to learn more
- Chris Jackson, Apr 26, 2018 (Former Employee)
We'd certainly like to hope that PAWs are not just aspirational - it's a key aspect of our Securing Privileged Access Roadmap: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access
We've got them deployed for tens of thousands of our own internal users at Microsoft who have privilege in our dev-ops workflows, as well as at hundreds of customers.
- Anonymous, Apr 27, 2018
That's really impressive
This is unrelated, but are there any plans to move Windows 10 S to this kind of model by default?
I use Windows 10 S as the host on all my personal machines, and there are non-store programs that I run in Windows 10 Pro guest VMs. The current advice plastered all over S, though, is that users take the free upgrade to Pro so they can run non-store programs; wouldn't it be more beneficial to provide users with a lightweight VM to run such "untrusted" software? Potentially similar to how Windows Defender Application Guard functions as a container for Edge?