Forum Discussion
Hardening Windows 10 on an IT Pro's laptop
a clean install of Windows 10 is pretty good, that said, I do have the following advice:
- It is important to properly configure User Account Control on all machines; out of the box it is very insecure meaning anything can bypass it to grab admin privileges.
- It is important to make sure that Secure Boot is enabled on all machines.
- BitLocker is an obvious one, enable it on all machines.
- You may want to use Windows Defender Firewall to block all inbound connections on the private and public profiles, its very effective for protecting devices in public places and usually has no negative impact but should be assessed per requirements.
- You should deploy the uBlock Origin browser extension to all browsers, it blocks a significant amount of malware and greatly reduces the bandwidth used by your org; for the record, Chrome and Edge are much more secure than other browsers.
- Also remember to properly patch, if Windows, Defender, or Browser are out of date then you WILL be targeted.
Following the above will significantly benefit you and your users and can be done by anybody without any extra cost; I hope that's useful for you
Edit: oh, and if you're ever able to: I recommend you look into Windows 10 S (soon to be called Windows Pro in S Mode)
yes, it gets a lot of stick for restricting you to Edge and Store apps but that thing is rock solid; even if you never ever use it, it's the best example of Device Guard Code Integrity in action and how powerful it can be when properly configured
Edit: from 1803 Hypervisor enforced Code Integrity (HVCI) will be enabled by default via clean install, you can enable it on previous versions by following these instructions: https://docs.microsoft.com/en-gb/windows/security/threat-protection/enable-virtualization-based-protection-of-code-integrity
HVCI is a feature that helps defend against kernel level malware; I initially didn't mention it because I'm not sure what the real world benefits are and I'm aware that it can cause instability and performance problems, however since Microsoft seems to be pushing for its implementation I felt it was worth adding. (I imagine they may also do the same for DMA Protection in the future)
a clean install of Windows 10 is pretty good, that said, I do have the following advice:
- It is important to properly configure User Account Control on all machines; out of the box it is very insecure meaning anything can bypass it to grab admin privileges.
- It is important to make sure that Secure Boot is enabled on all machines.
- BitLocker is an obvious one, enable it on all machines.
- You may want to use Windows Defender Firewall to block all inbound connections on the private and public profiles, its very effective for protecting devices in public places and usually has no negative impact but should be assessed per requirements.
- You should deploy the uBlock Origin browser extension to all browsers, it blocks a significant amount of malware and greatly reduces the bandwidth used by your org; for the record, Chrome and Edge are much more secure than other browsers.
- Also remember to properly patch, if Windows, Defender, or Browser are out of date then you WILL be targeted.
Following the above will significantly benefit you and your users and can be done by anybody without any extra cost; I hope that's useful for you
Edit: oh, and if you're ever able to: I recommend you look into Windows 10 S (soon to be called Windows Pro in S Mode)
yes, it gets a lot of stick for restricting you to Edge and Store apps but that thing is rock solid; even if you never ever use it, it's the best example of Device Guard Code Integrity in action and how powerful it can be when properly configured
Edit: from 1803 Hypervisor enforced Code Integrity (HVCI) will be enabled by default via clean install, you can enable it on previous versions by following these instructions: https://docs.microsoft.com/en-gb/windows/security/threat-protection/enable-virtualization-based-protection-of-code-integrity
HVCI is a feature that helps defend against kernel level malware; I initially didn't mention it because I'm not sure what the real world benefits are and I'm aware that it can cause instability and performance problems, however since Microsoft seems to be pushing for its implementation I felt it was worth adding. (I imagine they may also do the same for DMA Protection in the future)
For reference, here is how User Account Control should be configured if using Local Security Policy
Be aware that if you need to elevate unsigned executables you will have set "Only elevate executables that are signed and validated" to "Disabled", otherwise you will receive the "A referral was returned from the server." error when trying to run unsigned executables
Hardening of your machine should rely on the Least Privilege principle. Use a non admin account for daily use. Disabling un-used programs, services and firewall rules. Minimizing your attack surface and turning off un-used network facing Windows features.
While I applaud MS for improving protection on kernel things, attackers do not have to necessarily touch the kernel to do damage. I have seen damages to Windows Defender and Windows Edge, just as an example. And their improvements rest on having new hardware, which leaves countless older platforms unprotected. Also their new innovations also relies on Windows Server Active Directory, which no home user has.
And sometimes, even when MS has been notified of working exploits, they fail to make changes to their code. Like Google Project Zero's findings on exploitable WPAD ( Auto Proxy Detection ) and javascript bugs.
These MS techs only know to expound on their latest innovations. They are not incident responders. And they do not know how to harden Windows.
However, I do agree that BitLocker is the way to go since the thread starter's main concern is theft or lost laptop.
