Forum Discussion
Hardening Windows 10 on an IT Pro's laptop
- Anonymous, Apr 13, 2018
A clean install of Windows 10 is pretty good; that said, I do have the following advice:
- It is important to properly configure User Account Control on all machines; out of the box it is very insecure, meaning anything can bypass it to grab admin privileges.
- It is important to make sure that Secure Boot is enabled on all machines.
- BitLocker is an obvious one, enable it on all machines.
- You may want to use Windows Defender Firewall to block all inbound connections on the private and public profiles; it's very effective for protecting devices in public places and usually has no negative impact, but should be assessed per requirements.
- You should deploy the uBlock Origin browser extension to all browsers; it blocks a significant amount of malware and greatly reduces the bandwidth used by your org. For the record, Chrome and Edge are much more secure than other browsers.
- Also remember to patch properly: if Windows, Defender, or the browser are out of date then you WILL be targeted.
Following the above will significantly benefit you and your users and can be done by anybody without any extra cost; I hope that's useful for you.
Edit: oh, and if you're ever able to, I recommend you look into Windows 10 S (soon to be called Windows Pro in S Mode).
Yes, it gets a lot of stick for restricting you to Edge and Store apps, but that thing is rock solid; even if you never ever use it, it's the best example of Device Guard Code Integrity in action and how powerful it can be when properly configured.
Edit: from 1803, Hypervisor-enforced Code Integrity (HVCI) will be enabled by default via clean install; you can enable it on previous versions by following these instructions: https://docs.microsoft.com/en-gb/windows/security/threat-protection/enable-virtualization-based-protection-of-code-integrity
HVCI is a feature that helps defend against kernel-level malware; I initially didn't mention it because I'm not sure what the real-world benefits are and I'm aware that it can cause instability and performance problems. However, since Microsoft seems to be pushing for its implementation, I felt it was worth adding. (I imagine they may also do the same for DMA Protection in the future.)
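The checklist in the post above (UAC, Secure Boot, BitLocker, inbound-blocking firewall profiles, patching) can be audited from an elevated PowerShell prompt. The script below is an added example written for this thread, not code from the poster; the registry values it treats as the hardened UAC state (EnableLUA=1, ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1) and the 30-day patch and 3-day signature thresholds are the example's own choices, and `-Remediate` only touches the UAC and firewall settings because those are the two the post describes as configuration changes.

```powershell
#Requires -RunAsAdministrator
# Added example for the hardening checklist in this thread (not the poster's code).
# Audit mode by default; -Remediate applies the UAC and firewall settings only.
[CmdletBinding()]
param([switch]$Remediate)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. UAC. ConsentPromptBehaviorAdmin=5 (the default) auto-elevates signed Windows
#    binaries, which is what UAC "bypass" tricks lean on; 2 is the "Always notify"
#    position, with the prompt on the secure desktop.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
if ($uac.EnableLUA -ne 1 -or $uac.ConsentPromptBehaviorAdmin -ne 2 -or $uac.PromptOnSecureDesktop -ne 1) {
    $findings.Add("UAC: EnableLUA=$($uac.EnableLUA) ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin) PromptOnSecureDesktop=$($uac.PromptOnSecureDesktop) (want 1/2/1)")
    if ($Remediate) {
        Set-ItemProperty -Path $uacKey -Name EnableLUA -Value 1 -Type DWord
        Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
        Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
    }
}

# 2. Secure Boot. Confirm-SecureBootUEFI throws on legacy-BIOS machines, so treat
#    the exception as a finding rather than a script failure.
try {
    if (-not (Confirm-SecureBootUEFI)) { $findings.Add('Secure Boot: disabled in firmware') }
} catch {
    $findings.Add('Secure Boot: not available (legacy BIOS or unsupported platform)')
}

# 3. BitLocker on the OS volume (BitLocker module ships with Pro/Enterprise).
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if (-not $osVol -or $osVol.ProtectionStatus -ne 'On') {
    $findings.Add("BitLocker: protection is not On for $env:SystemDrive")
}

# 4. Firewall. AllowInboundRules=False is the GUI's "Block all incoming connections,
#    including those in the list of allowed apps"; it also blocks RDP/WinRM on those
#    profiles, which is the per-requirements assessment the post mentions.
foreach ($p in Get-NetFirewallProfile -Profile Private, Public) {
    if ($p.Enabled -ne 'True' -or $p.DefaultInboundAction -ne 'Block' -or $p.AllowInboundRules -ne 'False') {
        $findings.Add("Firewall: $($p.Name) Enabled=$($p.Enabled) DefaultInbound=$($p.DefaultInboundAction) AllowInboundRules=$($p.AllowInboundRules)")
        if ($Remediate) {
            Set-NetFirewallProfile -Profile $p.Name -Enabled True -DefaultInboundAction Block -AllowInboundRules False
        }
    }
}

# 5. Patching: flag a host whose newest installed hotfix is older than 30 days.
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastFix -or $lastFix.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings.Add("Patching: last hotfix installed $($lastFix.InstalledOn) (none in the last 30 days)")
}

# 6. Defender signature age (the "Defender out of date" point).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and $mp.AntivirusSignatureAge -gt 3) {
    $findings.Add("Defender: signatures are $($mp.AntivirusSignatureAge) days old")
}

if ($findings.Count -eq 0) { 'All checks passed.' } else { $findings }
```

Run it once without `-Remediate` to see what would change; the UAC values need a sign-out to take effect, and the firewall change is immediate, so apply it from the console rather than over a remote session on a Private/Public-profile network.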
Core isolation/memory integrity is the HVCI feature I mentioned a while back, though like all things Microsoft there's a lack of consistency, and even the link I gave is now broken, haha.
It can be enabled regardless of third-party AV, and it's actually enabled by default on new/compatible devices, so I see no reason to discourage its usage; it may break some older drivers, but only because they are doing things they shouldn't be. Potentially worth noting that the feature has also been bypassed, so its usefulness is questionable.
The DEP setting mentioned is outdated; despite the wording, apps do run with DEP enabled by default.
One thing to note about third-party AV is that most lack support for vital features like AMSI and ELAM, which Defender has enabled by default; you should check with your AV provider to see if these are implemented and encourage them to do so if they haven't.
The main thing I've not mentioned that I do suggest looking into is "Attack Surface Reduction rules". ASR rules are part of Windows Defender but they are off by default; they are a collection of features blocking the most common behaviours seen in the wild. They will genuinely save you from spear-phishing and phishing attacks that won't be picked up by any AVs for about a week after it's too late; they also seem to add a new one with each release of Windows 10.
You can learn about them here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard
To enable the current ones without the hassle of figuring it out, I refer to the PowerShell in my comment here: https://techcommunity.microsoft.com/t5/Windows-10-security/Harden-Windows-10/m-p/475686
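The linked comment with the poster's ASR PowerShell is not reproduced on this page, so here is an added example (not the poster's script) that checks the HVCI/core isolation state the post describes and reports which ASR rules are not yet in Block mode, enabling them with `-Apply`. The rule GUIDs are Microsoft's published ASR rule IDs as known to the author of this example and should be checked against the current ASR rule reference before deployment; the registry keys used to turn HVCI on are the ones from Microsoft's enablement documentation, and the `-Audit` switch is the example's own addition for a staged rollout.

```powershell
#Requires -RunAsAdministrator
# Added example for the HVCI and ASR points in this thread (not the poster's script).
[CmdletBinding()]
param(
    [switch]$Apply,   # enable missing rules / HVCI
    [switch]$Audit    # with -Apply: put rules in AuditMode instead of Block
)

# --- HVCI (core isolation / memory integrity) ---
# Win32_DeviceGuard: SecurityServicesRunning holds 1 for Credential Guard, 2 for HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciRunning    = ([int[]]$dg.SecurityServicesRunning)    -contains 2
$hvciConfigured = ([int[]]$dg.SecurityServicesConfigured) -contains 2
"HVCI running: $hvciRunning (configured: $hvciConfigured)"

if ($Apply -and -not $hvciConfigured) {
    # Documented enablement keys; takes effect after a reboot. Verify driver compatibility
    # first, since the post notes HVCI blocks older drivers that do unsupported things.
    $dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvciKey = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"
    Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    New-Item -Path $hvciKey -Force | Out-Null
    Set-ItemProperty -Path $hvciKey -Name Enabled -Value 1 -Type DWord
    'HVCI configured; reboot required.'
}

# --- ASR rules (GUIDs from Microsoft's ASR rule reference; verify before use) ---
$asrRules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted and unsigned processes that run from USB'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}

# Get-MpPreference exposes two parallel arrays: Ids[i] is governed by Actions[i].
# Action codes: 0 = Disabled, 1 = Block, 2 = Audit.
$pref = Get-MpPreference
$current = @{}
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $current[$pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()] = $pref.AttackSurfaceReductionRules_Actions[$i]
}

$report = foreach ($id in $asrRules.Keys) {
    $state = if ($current.ContainsKey($id)) { $current[$id] } else { 'not configured' }
    [pscustomobject]@{ RuleId = $id; Description = $asrRules[$id]; State = $state }
}
$notBlocking = $report | Where-Object State -ne 1
$notBlocking | Format-Table -AutoSize

if ($Apply) {
    $action = if ($Audit) { 'AuditMode' } else { 'Enabled' }
    foreach ($row in $notBlocking) {
        # Add-MpPreference merges with rules already set; Set-MpPreference would replace the list.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $row.RuleId -AttackSurfaceReductionRules_Actions $action
    }
}
```

A sensible rollout is `-Apply -Audit` first, then review Event ID 1122 (audit) and 1121 (block) under Microsoft-Windows-Windows Defender/Operational for a week or two before re-running with `-Apply` alone; that catches line-of-business Office add-ins or scripts a rule would otherwise break.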
1. Press Ctrl+F on this page and type in "core isolation". No one else mentioned it before.
2. Source for saying DEP is outdated?
3. That other thread you mentioned looks suspicious. Created by a "deleted" user name profile?
4. I don't know which AVs you've used before, but something better than Windows Defender is Kaspersky AV (Internet Security, or Endpoint Security, which is equivalent to Windows Defender ATP). Kaspersky has an online connection to their threat center. You say a week? For them it takes only minutes to a few hours to pass the new malware's database over to the other users. Kaspersky was the first and only company that found Stuxnet and blocked it, the world's most advanced malware ever created by co-operation of the U.S. and Israel. Then other AV companies copy Kaspersky's database and use it on their own system. Kaspersky even caught them red-handed by intentionally putting a false alarm in their database and then watched a lot of AVs giving the same false alarm. lol. Don't believe the news saying that Kaspersky is run by the Russian government and it will steal your data; it's total BS and propaganda.
5. Microsoft constantly changes things and TechNet guides because Windows is constantly changing and getting better. It's the duty of system admins to stay up to date.
- Anonymous, Aug 07, 2019
I'm not trying to argue or anything; I have no conflict with most of what you're saying.
1. Correct, I was adding that this is what used to be known as HVCI; it was a more up-and-coming feature that didn't exist as core isolation at the time, and now it does. Memory isolation also has more features that aren't exposed in the GUI, so it may be useful for some to know.
2. DEP as a memory feature isn't outdated; that GUI setting and its wording, however, are. If you want a GUI to manage it, the correct place to configure it now is via the "Exploit protection" area of the Security Centre, where you will also see that it is on by default.
3. When I clear my Microsoft account privacy settings it deletes my Tech Community account; the posts themselves would be deleted if there were any issues.
4. Again, not trying to argue, but since you bring it up I will say I am a Kaspersky customer and my opinion is that Kaspersky is generally as good as Windows Defender; their database is historically the best, though Defender in the last year has definitely caught up and is in second place. But toward my point: Kaspersky does indeed support AMSI and ELAM, which most other AVs do not. Kaspersky also treats unknowns just as Defender does, which is why they pick up wrapped variants very quickly, but I maintain that it is impossible to catch everything the first time it's ever seen; your example Stuxnet was caught after the damage was done, not before, and something preventative like ASR could have prevented it ever getting into the supplier's systems.
5. Exactly; I just ask that you be less hostile, there are enough testosterone-fuelled cesspits on the internet already.
- HotCakeX, Aug 07, 2019 (MVP)
About DEP, the underlying code and script is the same, and the OP has just Windows 10 Pro; other 3rd-party tools like that require additional paid licenses and they are supposed to be installed on a stationary server, not a portable device like the OP's laptop.
Hmm, that's weird. I've changed my privacy settings a lot of times and never had that happen to me. If it's a bug in the site then report it. The only way I know it happens is when you deliberately delete your account and create a new one with a different email address.
- Anonymous, Aug 10, 2019
Sorry, I should be clearer: it is not third-party, and it is not implemented the same way. I am talking about the below image, built into Windows 10 for free.
Technically it is a replacement for a previously optional Windows 7 tool known as "EMET", which itself was a GUI tool for multiple exploit mitigations (not just DEP).
In current Windows 10, DEP is enabled by default by this new implementation for applications, despite what you see in that older interface; hence I try to explain that the setting you are advising doesn't have the assumed impact, as the outdated wording is misleading.
That old interface is from 2003, and you will see in the new one that there are a whole 20 more configurable exploit mitigations (the ones pictured can be configured as system-wide defaults; the rest have to be configured on an app-by-app basis).
I hope this information is interesting and valuable ❤️
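The image the post refers to did not survive on this page, so here is an added example (not the poster's) that shows the same thing from PowerShell: the DEP point raised earlier in the thread (system-wide DEP is already on) and the system-default versus per-app split described in this post, using the `ProcessMitigations` module that backs the Exploit protection page. `notepad.exe` is only a stand-in target process and the export path under `%TEMP%` is the example's choice.

```powershell
#Requires -RunAsAdministrator
# Added example for the Exploit Protection / DEP discussion in this thread (not the poster's code).
[CmdletBinding()]
param(
    [string]$AppName = 'notepad.exe',   # stand-in target; replace with your own app
    [switch]$Apply
)

# System-wide defaults: Get-ProcessMitigation -System is the programmatic view of the
# "System settings" tab under Windows Security > App & browser control > Exploit protection.
# DEP reports ON here even though the 2003-era Performance Options dialog still reads
# "essential Windows programs and services only".
$sys = Get-ProcessMitigation -System
[pscustomobject]@{
    DEP         = $sys.Dep.Enable
    SEHOP       = $sys.SEHOP.Enable
    ASLRBottomUp = $sys.ASLR.BottomUp
    HighEntropy = $sys.ASLR.HighEntropy
    CFG         = $sys.CFG.Enable
} | Format-List

# Per-app view: anything NOTSET for the app inherits the system default above.
'Per-app DEP state for {0}:' -f $AppName
Get-ProcessMitigation -Name $AppName | Select-Object -ExpandProperty Dep

if ($Apply) {
    # Per-app hardening: force DEP plus mandatory bottom-up ASLR for the target process.
    # ForceRelocateImages breaks apps that ship non-relocatable DLLs, so test before rollout.
    Set-ProcessMitigation -Name $AppName -Enable DEP, ForceRelocateImages, BottomUp
    Get-ProcessMitigation -Name $AppName | Select-Object ProcessName, Dep, ASLR
}

# Export the current settings to XML; the same file imports with
# Set-ProcessMitigation -PolicyFilePath, or deploys via GPO / Intune.
$xml = Join-Path $env:TEMP 'exploit-protection.xml'
Get-ProcessMitigation -RegistryConfigFilePath $xml | Out-Null
"Exported current Exploit Protection settings to $xml"
```

The per-app `-Apply` branch is where EMET-style work now lives: system defaults are the baseline, and the extra mitigations the post counts are applied per executable, which is why a blanket "turn on DEP for all programs" tweak in the old dialog does not change anything that matters today.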