Forum Discussion
Hardening Windows 10
- Aug 05, 2019
I think at least some of the actions you previously had to do are now redundant.
Microsoft Windows Defender is a powerful all-in-one security solution that can cover most of those things. It provides enterprise-class security tools to normal users.
It can protect sensitive folders from unwanted programs, and you can also add your own folders to the list for even more security. I think this makes more sense than shifting permissions from one user to another.
Windows Defender, especially in 1903 (I'm using the Pro edition, so I'm not sure what options are missing in Home, if any), is pretty much a complete solution.
You can try turning on Tamper Protection, Core Isolation and Memory Integrity (these options are turned off by default).
The only things you should do is turn off services, optional features and protocols that you do not intend to use, and also make firewall rules for every new app and piece of software you install. For example, a photo editing program you install doesn't need an internet connection; for its updates you can manually install newer versions. Yes, that's some additional work, but you asked for it, because hardening is not going to be easy.
To be honest, Windows 10 itself can only be compromised by zero-day vulnerabilities, those that are not found yet, because Microsoft keeps Windows 10 updated and every 6 months they change the core OS to make it better and more secure. So even if you are a black hat hacker and spend hours and hours trying to make an exploit for Windows 10 using a zero-day bug, you won't be able to use that for long.
Microsoft will patch that bug in a day or two, and the constant change in the core OS renders all the old tools useless, all the time.
So all you have to worry about are the 3rd-party apps and programs you install that increase the attack surface, as each of those 3rd-party programs can have security holes and bugs that can be exploited. But again, for those 3rd-party programs you can utilize Windows Firewall rules and Windows Defender.
Also don't forget to turn on DEP (Data Execution Prevention) for ALL programs. (By default it is only turned on for essential Windows programs and services.)
Everything I said above was based on the assumption that you have Windows 10 Home edition (as you mentioned). For real protection and hardening you need Windows 10 Enterprise E5; one of its most predominant features is immunity to zero-day attacks. You can read more about it here:
https://faq.rhipe.com/Search/Article/baf6fcbe-f04c-40e5-b88a-2da862a2620d
Have a look at this comparison between different Windows 10 edition security features:
https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2O8jv
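The checklist in the post above (controlled folder access, memory integrity, per-app firewall rules, trimming unused features and services, then verifying Tamper Protection) as an added PowerShell example. This is not code from the original post; it is written for an elevated PowerShell prompt on Windows 10 Pro 1903 or later. The folder `D:\Projects`, the program path `C:\Program Files\PhotoEditor\photoeditor.exe` and the list of services to disable are assumptions for illustration; adjust them to the machine you are hardening.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Applies the poster's checklist and
# then prints the state so each change can be verified.

# 1. Controlled folder access ("protect sensitive folders from unwanted programs")
#    plus an extra folder of your own. AuditMode instead of Enabled only logs what
#    would have been blocked, which is a safer first step on a machine you use daily.
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Projects'   # assumed path
# If a legitimate program must write into a protected folder, allow it explicitly:
# Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\PhotoEditor\photoeditor.exe'

# 2. Memory integrity (HVCI, the "Core isolation" page in Windows Security).
#    The Settings toggle writes this registry value; it needs a reboot and firmware
#    with virtualization support, and drivers that violate HVCI will fail to load.
$hvci = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
New-Item -Path $hvci -Force | Out-Null
Set-ItemProperty -Path $hvci -Name 'Enabled' -Value 1 -Type DWord

# 3. Firewall: the default outbound action is Allow, so a program with no rule can
#    reach the Internet. Block outbound for an app that does not need it (the photo
#    editor example from the post; path assumed).
$app = 'C:\Program Files\PhotoEditor\photoeditor.exe'
New-NetFirewallRule -DisplayName 'Block PhotoEditor outbound' -Direction Outbound `
    -Program $app -Action Block -Profile Any | Out-Null

# 4. Attack surface: remove an optional feature and disable services you do not use.
#    SMBv1 is the usual first candidate; the service names are an assumed example.
Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
foreach ($svc in 'RemoteRegistry', 'SSDPSRV', 'upnphost') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc -StartupType Disabled
    }
}

# 5. Verify. Tamper Protection has no local cmdlet that turns it on; enable it under
#    Windows Security > Virus & threat protection settings, then confirm it here.
Get-MpComputerStatus | Select-Object IsTamperProtected, RealTimeProtectionEnabled
Get-MpPreference     | Select-Object EnableControlledFolderAccess, ControlledFolderAccessProtectedFolders
Get-NetFirewallRule -DisplayName 'Block PhotoEditor outbound' | Select-Object Enabled, Direction, Action
Get-ItemProperty -Path $hvci -Name 'Enabled'
```

Run it once, reboot for the HVCI change, and re-run only the verification section; the `Get-Mp*` and `Get-NetFirewallRule` calls are read-only and safe to repeat.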
- Ivan_Ho, Aug 07, 2019 (Copper Contributor)
Thanks so much for such a detailed response. I knew about memory integrity and DEP, but Tamper Protection was new [to me]. After MUCH more reading, it seems that DEP and Defender are a LOT more robust and bug-free than they used to be. Seriously, both used to be among the first things I would uninstall/disable.
After posting, I learned that I could not even change the ACLs of the system files in Win 10 Home. I had a workaround for this in Vista; but it didn't work in Win 10.
Thanks again for your response.
- Deleted, Oct 31, 2019
Is there a script or GPO way to enable DEP (Data Execution Prevention) for ALL programs?
Also, is this still relevant now that EMET is included in Windows Defender / Security Center?
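A scripted way to set DEP for every process and to verify the result, as an added example that is not part of this thread. It runs from an elevated PowerShell prompt on Windows 10 (the `Set-ProcessMitigation` part needs 1709 or later); the `Get-DepPolicy` helper is written here for illustration and is not a built-in cmdlet.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): force DEP on for all programs and check it.

# Effective policy as reported by the OS: 0 = AlwaysOff, 1 = AlwaysOn,
# 2 = OptIn (the default: only Windows programs and services), 3 = OptOut.
function Get-DepPolicy {
    $code = (Get-CimInstance -ClassName Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    switch ($code) {
        0       { 'AlwaysOff' }
        1       { 'AlwaysOn' }
        2       { 'OptIn' }
        3       { 'OptOut' }
        default { "Unknown($code)" }
    }
}

"Before: $(Get-DepPolicy)"

# Option A: the boot-configuration value behind the old System Properties > DEP dialog.
# AlwaysOn applies to every process and removes the per-program opt-out; it takes
# effect after a reboot. (64-bit processes already run with DEP regardless.)
bcdedit /set '{current}' nx AlwaysOn

# Option B: the Exploit Protection system default that replaced EMET, which is what
# the Windows Security UI toggles. Setting both is fine.
Set-ProcessMitigation -System -Enable DEP

# Per-process view, to confirm the system default applies to a given executable.
# notepad.exe is only a convenient built-in target.
Get-ProcessMitigation -Name notepad.exe | Select-Object -ExpandProperty Dep

# For the GPO route: export the current mitigation settings to XML and deploy that
# file with "Use a common set of exploit protection settings" under
# Computer Configuration > Administrative Templates > Windows Components >
# Windows Defender Exploit Guard > Exploit Protection.
Get-ProcessMitigation -RegistryConfigFilePath "$env:TEMP\mitigations.xml"

"After (the bcdedit change is effective after reboot): $(Get-DepPolicy)"
```

Run the script, reboot, then call `Get-DepPolicy` again; it should report `AlwaysOn`. If a 32-bit program breaks under AlwaysOn, it cannot be exempted per-program; you would have to drop back to OptOut and list the exception there.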
- HotCakeX, Nov 01, 2019 (MVP)
Deleted
Hi,
It is now included in Windows Defender and enabled by default:
https://community.spiceworks.com/topic/357133-disable-dep-with-group-policy
- Deleted, Nov 03, 2019
Thanks!
So your post about enabling the (old) setting is now obsolete?
https://techcommunity.microsoft.com/t5/Windows-10-security/Hardening-Windows-10/m-p/788325/highlight/true#M351
I wonder, then, why it's still there.