Forum Discussion
Hardening Windows 10 on an IT Pro's laptop
a clean install of Windows 10 is pretty good, that said, I do have the following advice:
- It is important to properly configure User Account Control on all machines; out of the box it is very insecure meaning anything can bypass it to grab admin privileges.
- It is important to make sure that Secure Boot is enabled on all machines.
- BitLocker is an obvious one, enable it on all machines.
- You may want to use Windows Defender Firewall to block all inbound connections on the private and public profiles, its very effective for protecting devices in public places and usually has no negative impact but should be assessed per requirements.
- You should deploy the uBlock Origin browser extension to all browsers, it blocks a significant amount of malware and greatly reduces the bandwidth used by your org; for the record, Chrome and Edge are much more secure than other browsers.
- Also remember to properly patch, if Windows, Defender, or Browser are out of date then you WILL be targeted.
Following the above will significantly benefit you and your users and can be done by anybody without any extra cost; I hope that's useful for you
Edit: oh, and if you're ever able to: I recommend you look into Windows 10 S (soon to be called Windows Pro in S Mode)
yes, it gets a lot of stick for restricting you to Edge and Store apps but that thing is rock solid; even if you never ever use it, it's the best example of Device Guard Code Integrity in action and how powerful it can be when properly configured
Edit: from 1803 Hypervisor enforced Code Integrity (HVCI) will be enabled by default via clean install, you can enable it on previous versions by following these instructions: https://docs.microsoft.com/en-gb/windows/security/threat-protection/enable-virtualization-based-protection-of-code-integrity
HVCI is a feature that helps defend against kernel level malware; I initially didn't mention it because I'm not sure what the real world benefits are and I'm aware that it can cause instability and performance problems, however since Microsoft seems to be pushing for its implementation I felt it was worth adding. (I imagine they may also do the same for DMA Protection in the future)
but it does not even matter, changing that option does not do that, it does not function like it says, i dont know how else to explain this to you, seriously
what i have shown is not part of windows defender, DEP is part of windows itself, the security centre GUI is just a way to manage some windows security features AND windows defender features, and it has the same TWO DEP options:
ON: this is the SAME as: "Turn on DEP for all programs and services" except it actually WORKS
OFF: this is the SAME as: "Turn on DEP for essential Windows programs and services only" except it actually WORKS
THE DEFAULT IS ON
but as you have noticed by default the OLD setting is set to "Turn on DEP for essential Windows programs and services only" which is the same as OFF
how can DEP be ON and OFF for any application at the same time?
simple: it cannot, it is either off or it is on, and it is ON because
THE NEW SETTING WORKS
THE OLD SETTING DOES NOT
how can you suggest that i "really cant tell the difference" when i am wasting my time trying to explain this to you that what you SEE is a misconception
theres many obscure features in windows that have been depreciated, buttons that connect to nothing, text that is incorrect
the option you place trust in is 15 years old, yes it has two options, but DEP has four states
DEP is already enabled, for all programs and services, even though that option is not selected
because that option is overridden by the ON setting in the GUI in the image i showed you
it is YOU that cannot tell the difference
manual exceptions is the only reason why that old interface is still there, because sometimes you need to opt out of this 15 year old security feature to run even older software
but even that is essentially broken too as manual exceptions is replaced by application opt outs
DEP is already enabled, for all programs and services, with application opt outs instead of manual exceptions
enabling the option you are suggesting, only disables those application opt outs causing some old software to be unable to run, thats why its NOT SELECTED BY DEFAULT
things are the way they are for a reason, Microsoft did not spend the last fifteen years doing random engineering for the fun of it
to put it in your own words, "Windows is constantly changing and getting better. it's the duty of system admins to stay up to date." and im not even sure you are a system admin
stuff changes, the best option changes, new becomes old
using windows 7 changing the option is better than the default, feel free to enable it, i encourage it
using windows 10 changing the option is worse than the default, leave it alone, you dont understand what you are breaking
only reason i am responding at all is because there is so much outdated windows advice that people still follow and share online to the detriment of many
The problem is that it's just You talking about it WITHOUT PROOF.
just because you say something works or doesn't work doesn't mean it's true. how hard is it to understand. people on the internet don't just believe what someone else says without proof. i can go ahead and say real time protection of Windows Defender doesn't work, turn it off. should you believe me then? of course not.
so unless you understand this basic idea then it's pointless to continue this conversation. sure you can believe whatever you want but don't try to shove it into others.