Forum Discussion
Hardening Windows 10
- Aug 05, 2019
I think at least some of the actions you previously had to do are now redundant.
Microsoft Windows Defender is a powerful all-in-one security solution that can cover most of those things. It provides enterprise-class security tools to normal users.
It can protect sensitive folders from unwanted programs, and you can also add your own folders to the list for even more security. I think this makes more sense than shifting permissions from one user to another.
Windows Defender, especially in 1903 (I'm using Pro edition, so not sure what options are missing in Home, if any), is pretty much a complete solution.
You can try turning on Tamper Protection, Core Isolation, Memory Integrity (these options are turned off by default).
The only things you should do are to turn off services, optional features and protocols that you do not intend to use, and also make Firewall rules for every new app and software you install. For example, a photo editing software you install doesn't need an internet connection. For its updates you can manually install newer versions. Yes, that's some additional work, but you asked for it, because hardening is not going to be easy.
To be honest, Windows 10 itself can only be compromised by zero-day vulnerabilities, those that are not found yet, because Microsoft keeps Windows 10 updated and every 6 months they change the core OS to make it better and more secure. So even if you are a black hat hacker and spend hours and hours trying to make an exploit for Windows 10 using a zero-day bug, you won't be able to use that for long. Microsoft will patch that bug in a day or two, and the constant change in the core OS renders all the old tools useless, all the time.
So all you can worry about is the 3rd party apps and programs you install that increase the attack surface, as each of those 3rd party programs can have security holes and bugs that can be exploited, but again for those 3rd party programs you can utilize Windows Firewall rules and Windows Defender.
Also don't forget to turn on DEP (Data Execution Prevention) for ALL programs (by default it is only turned on for essential Windows programs and services).
Everything I said above was based on the assumption that you have a Windows 10 Home edition (as you mentioned). For real protection and hardening you need Windows 10 Enterprise E5; one of its most predominant features is the immunity to zero-day attacks. You can read more about it here:
https://faq.rhipe.com/Search/Article/baf6fcbe-f04c-40e5-b88a-2da862a2620d
Have a look at this comparison between different Windows 10 edition security features:
https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2O8jv
You can apply Credential Guard, Device Guard, virtualization-based security, hypervisor code integrity,
Windows Defender Application Control by creating a new CI policy with fallback hash and then migrating to the EFI partition.
Enable Early Launch Antimalware drivers, set to Good only.
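
A read-only check of the settings this post names (Tamper Protection, protected folders, DEP, Memory Integrity, Credential Guard, the Early Launch Antimalware policy and the firewall), as an added example that is not part of the original post. The function names `Get-RegValue` and `Get-HardeningStatus` are hypothetical, and mapping "DEP for all programs" to the `OptOut` policy is this example's assumption.

```powershell
# Added example: read-only audit of settings named in the post above.
# Run from an elevated PowerShell session on Windows 10.

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value is absent.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-HardeningStatus {
    $mp   = Get-MpComputerStatus
    $pref = Get-MpPreference
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $dg   = Get-CimInstance -ClassName Win32_DeviceGuard `
                -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue

    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows default), 3 = OptOut
    # Assumption: "DEP for all programs" in the post corresponds to OptOut.
    $depNames = 'AlwaysOff', 'AlwaysOn', 'OptIn', 'OptOut'

    # Boot-start driver policy: 8 = Good only, 1 = Good and unknown,
    # 3 = Good, unknown and bad but critical, 7 = All. Absent = not configured.
    $elam = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch' 'DriverLoadPolicy'

    $hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'

    [pscustomobject]@{
        TamperProtection        = $mp.IsTamperProtected
        ControlledFolderAccess  = ($pref.EnableControlledFolderAccess -eq 1)
        ProtectedFoldersAdded   = @($pref.ControlledFolderAccessProtectedFolders | Where-Object { $_ }).Count
        DepPolicy               = $depNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        MemoryIntegrityConfig   = ((Get-RegValue $hvciKey 'Enabled') -eq 1)
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (Memory Integrity)
        MemoryIntegrityRunning  = ($dg.SecurityServicesRunning -contains 2)
        CredentialGuardRunning  = ($dg.SecurityServicesRunning -contains 1)
        # 0 = off, 1 = enabled but not running, 2 = running
        VbsStatus               = $dg.VirtualizationBasedSecurityStatus
        ElamGoodOnly            = ($elam -eq 8)
        FirewallProfilesEnabled = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'True' }).Name -join ', '
    }
}

Get-HardeningStatus | Format-List
```

The script changes nothing; a `False` or `OptIn` in the output marks a setting the post recommends that is still at its default.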