SOLVED

Hardening Windows 10 on an IT Pro's laptop

Original post (180502)
Labels: security best practices, Windows 10

Hi

I have just bought a new Windows 10 Pro laptop for work as a freelance IT Consultant and I figured this would be a good time to adopt some of the latest best practices pertinent to securing my machine. Given that this machine is also for personal use, I am looking to balance convenience against security and privacy in the event of loss or theft.

I have found some extensive posts on the subject including the one shown below:
https://www.infoworld.com/article/3121994/security/lockdown-harden-windows-10-for-maximum-security.html

I would, however, like to hear any comments anyone has: from BitLocker and beyond....

Reply (278998)

However, I do agree that BitLocker is the way to go since the thread starter's main concern is theft or a lost laptop.

Reply (278974)

Hardening of your machine should rely on the Least Privilege principle. Use a non-admin account for daily use. Disable unused programs, services and firewall rules. Minimize your attack surface and turn off unused network-facing Windows features.

While I applaud MS for improving protection on kernel things, attackers do not necessarily have to touch the kernel to do damage. I have seen damage to Windows Defender and Windows Edge, just as an example. And their improvements rest on having new hardware, which leaves countless older platforms unprotected. Also, their new innovations rely on Windows Server Active Directory, which no home user has.

And sometimes, even when MS has been notified of working exploits, they fail to make changes to their code. Like Google Project Zero's findings on exploitable WPAD (Auto Proxy Detection) and JavaScript bugs.

These MS techs only know to expound on their latest innovations. They are not incident responders. And they do not know how to harden Windows.

Reply (190080)

For reference, here is how User Account Control should be configured if using Local Security Policy.

Be aware that if you need to elevate unsigned executables you will have to set "Only elevate executables that are signed and validated" to "Disabled", otherwise you will receive the "A referral was returned from the server." error when trying to run unsigned executables.

[image: uac.png]

Reply (187714)

That's really impressive.

This is unrelated, but are there any plans to move Windows 10 S to this kind of model by default?
I use Windows 10 S as the host on all my personal machines, and there are non-store programs that I run in Windows 10 Pro guest VMs.
The current advice plastered all over S though is that users take the free upgrade to Pro so they can run non-store programs; wouldn't it be more beneficial to provide users with a lightweight VM to run such "untrusted" software? Potentially similar to how Windows Defender Application Guard functions as a container for Edge?

Reply (187666)

We'd certainly like to hope that PAWs are not just aspirational - it's a key aspect of our Securing Privileged Access Roadmap: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access

We've got them deployed for tens of thousands of our own internal users at Microsoft who have privilege in our dev-ops workflows, as well as at hundreds of customers.

Reply (187659)

When encrypting the C drive it'll ask you to reboot, and the process will start after you next log in. Other drives will start encrypting immediately; that might explain the missing progress dialog.

Chris' suggestion is not something I've mentioned. I've had successful implementations of that sort of model at the level of role, domain, or infrastructure segregation, but as a single user on a single machine it would essentially mean trying to keep all your more "dodgy stuff" to one VM whilst your "sensitive stuff" is in other VMs, potentially a VM for each contract/client/environment. I feel like the concept is aspirational but in reality creates a lot of management overhead, interrupts workflow, and leads to a false sense of security.

That said, I'm glad to see your input Chris and ultimately I may be misunderstanding; I'd love to learn more.

Reply (187596)

@Chris Jackson

Yep, I think that's on @Deleted's security todo list which I am slowly going through, starting with BitLocker. One thing I did was to allow complex passwords prior to enabling BitLocker. Oddly I didn't get much feedback regarding Drive C whereas for Drive D I got the full progress dialog. Seems to be working well and I will test hibernation recovery at some stage.

As for your suggestion, are there any downsides to this as I want to work seamlessly with PowerShell, Azure, REST calls etc.?

Reply (187446)

If you want to go for more than just "kind of secure, unless it's inconvenient" consider leveraging Client Hyper-V to use a hypervisor boundary to protect your sensitive config from your productivity / riskier usage.
We talk about Privileged Access Workstations here: http://aka.ms/cyberpaw - Jian Yan has been working on this model and talks about an updated architecture here: https://blogs.technet.microsoft.com/datacentersecurity/2017/10/13/privileged-access-workstationpaw/
We also document our security baselines here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-baselines

Reply (187132)

Yep, I would say that 6 digits is "the standard".
4-digit PINs are "gently discouraged" but not uncommon.
TPM/Hello PINs literally exist to give you the benefits of a good complex password but without the inconvenience.

Reply (187047)

Hi

Thanks very much. I did google but all I could find is the non-TPM configuration. Anyway, I gather the "Hello" PIN doesn't have to be long: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password

Good news on the auto unlock on the data drives. OK, I will go forth and BitLock my world!

Reply (186975)

Yep! That's exactly correct.

Now when enabling BitLocker this policy will force you to set a TPM-based PIN; that PIN will have the brute-forcing protections of the TPM, which is the best possible protection for your data if the device is ever stolen.

You only need to set up this PIN for the OS drive though; after that your data drives can be set up as auto unlock drives (they're unlocked when the OS drive is unlocked and are essentially linked; they are secure).

Reply (186582)

Hi

On my laptop which does have TPM 2.0: does this look OK?

[image: Require authentication with TMP and PIN.PNG]

Reply (183329)

I'm glad to help.
IT security is more important than ever but it should never stop you from doing your job.
I'm also glad that you openly asked for outside knowledge/experience, very professional.

Reply (183246)

OK, you have convinced me: BitLocker universal it will be. I will report back once I have set the startup policy and enabled it.

Reply (183213)

Nearly all AV firewalls layer on top of the Windows Filtering Engine anyway; it usually doesn't make a difference which you use. I suggest that you use whichever you find most convenient to manage.

I highly recommend BitLocker on all drives. Windows will not only accumulate a significant amount of data over time that can be used to identify and break into your devices/drives/accounts, but it also caches file data locally, even if it is stored on encrypted drives; to be absolutely clear: data stored on any drive will leak onto the C: drive.

Also, before you enable BitLocker I recommend that you configure the "Require additional authentication at startup" local group policy setting first:
1. Set the policy to "Enabled".
2. If your device doesn't have a TPM, tick the "Allow BitLocker without a compatible TPM" checkbox; this enables you to set up BitLocker with a password, preventing the "missing TPM" error.
3. If your device has a TPM, set the second drop-down box to "Require startup PIN with TPM" and set the other three to "Do not allow"; this enables you to set up BitLocker with a PIN, preventing the insecure "automatic unlock" aka "TPM only" configuration.

[image: tpm.png]

Reply (183154)

Hi

Thanks very much for your feedback - you are very well informed. You have also struck the balance I was looking for, between security and convenience.

I have just got my laptop from the supplier so other than Office 2016 via the Office 365 Portal it is a clean build. I have a list of tools, utilities and PowerShell modules I want to install but I will hold off until the machine is hardened.

I will look at the Windows Defender Firewall and see how it compares with the Firewall that comes with my current AV (who were recently in the news for the wrong reasons ;) ).

BitLocker - I think I won't bother with my boot drive (C:), just my data drive, so my code (repos), OneDrives etc., unless you think I should do all drives (note: will need to verify TPM status with PowerShell beforehand).

I also thought of some anti-theft protection such as Prey Project (https://www.preyproject.com/).

In addition, picking a decent VPN when I am working away, such as Express VPN.

Reply (182711)

A clean install of Windows 10 is pretty good; that said, I do have the following advice:
- It is important to properly configure User Account Control on all machines; out of the box it is very insecure, meaning anything can bypass it to grab admin privileges.
- It is important to make sure that Secure Boot is enabled on all machines.
- BitLocker is an obvious one; enable it on all machines.
- You may want to use Windows Defender Firewall to block all inbound connections on the private and public profiles; it's very effective for protecting devices in public places and usually has no negative impact but should be assessed per requirements.
- You should deploy the uBlock Origin browser extension to all browsers; it blocks a significant amount of malware and greatly reduces the bandwidth used by your org. For the record, Chrome and Edge are much more secure than other browsers.
- Also remember to properly patch; if Windows, Defender, or your browser are out of date then you WILL be targeted.
Following the above will significantly benefit you and your users and can be done by anybody without any extra cost; I hope that's useful for you.

Edit: oh, and if you're ever able to, I recommend you look into Windows 10 S (soon to be called Windows Pro in S Mode).
Yes, it gets a lot of stick for restricting you to Edge and Store apps but that thing is rock solid; even if you never ever use it, it's the best example of Device Guard Code Integrity in action and how powerful it can be when properly configured.

Edit: from 1803 Hypervisor-enforced Code Integrity (HVCI) will be enabled by default via clean install; you can enable it on previous versions by following these instructions: https://docs.microsoft.com/en-gb/windows/security/threat-protection/enable-virtualization-based-protection-of-code-integrity
HVCI is a feature that helps defend against kernel-level malware; I initially didn't mention it because I'm not sure what the real-world benefits are and I'm aware that it can cause instability and performance problems; however, since Microsoft seems to be pushing for its implementation I felt it was worth adding. (I imagine they may also do the same for DMA Protection in the future.)

Reply (475874)

Some new and useful resources here:

https://techcommunity.microsoft.com/t5/Windows-10-security/Hardening-Windows-10/m-p/475686
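The replies above describe the baseline for a fresh Windows 10 Pro laptop in prose: UAC configured properly, Secure Boot on, inbound connections blocked on the Private/Public firewall profiles, and the "Require additional authentication at startup" policy set before BitLocker is turned on with a TPM+PIN protector and auto-unlock data drives. The script below is an added example, not code from the thread or from any poster, that applies those settings from an elevated PowerShell session. The registry value names are the documented policy values behind the UAC and BitLocker group-policy settings; the drive letters (C: for the OS, D: for data) and the choice to require signed executables for elevation are assumptions for this laptop.

```powershell
# Added example (not from the thread): apply the baseline the replies describe.
# Run from an elevated PowerShell session on Windows 10 Pro. C:/D: are assumed drive letters.
#Requires -RunAsAdministrator

# --- 1. Secure Boot: check only; it is switched on in UEFI setup, not from Windows. ---
try {
    if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is OFF: enable it in UEFI setup first.' }
} catch { Write-Warning "Secure Boot state could not be read (legacy BIOS boot?): $_" }

# --- 2. User Account Control: the non-default, "properly configured" state the UAC reply refers to. ---
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uacValues = @{
    EnableLUA                   = 1  # UAC on
    ConsentPromptBehaviorAdmin  = 2  # admins: always prompt for consent (default 5 silently elevates Windows binaries)
    ConsentPromptBehaviorUser   = 0  # standard users: elevation requests are denied
    PromptOnSecureDesktop       = 1  # prompt on the secure desktop so other processes cannot click "Yes"
    EnableInstallerDetection    = 1
    EnableSecureUIAPaths        = 1  # UIAccess apps only from secure locations
    FilterAdministratorToken    = 1  # built-in Administrator gets a filtered token too
    ValidateAdminCodeSignatures = 1  # "Only elevate executables that are signed and validated" (assumption);
                                     # set 0 if you must elevate unsigned tools, see the UAC reply
}
foreach ($name in $uacValues.Keys) {
    Set-ItemProperty -Path $uac -Name $name -Value $uacValues[$name] -Type DWord
}

# --- 3. Firewall: block all inbound on Private and Public, including allowed-app rules. ---
Set-NetFirewallProfile -Profile Private, Public -Enabled True `
    -DefaultInboundAction Block -AllowInboundRules False -DefaultOutboundAction Allow

# --- 4. BitLocker: startup policy first (steps 1-3 of the reply), then encryption. ---
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord   # step 1: policy "Enabled"

$tpm = Get-Tpm                                                               # verify TPM status before anything else
if ($tpm.TpmPresent -and $tpm.TpmReady) {
    # step 3: for each option 0 = Do not allow, 1 = Require, 2 = Allow.
    # Require TPM+PIN and forbid TPM-only, which is the "automatic unlock" configuration the reply warns about.
    Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 0 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPM             -Value 0 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMKey          -Value 0 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMKeyPIN       -Value 0 -Type DWord
    $pin = Read-Host 'Startup PIN (the thread cites 6 digits as the norm)' -AsSecureString
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmAndPinProtector -Pin $pin -SkipHardwareTest
} else {
    # step 2: no TPM -> allow a password protector instead of failing with the "missing TPM" error
    Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
    $pw = Read-Host 'BitLocker password for C:' -AsSecureString
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -PasswordProtector -Password $pw -SkipHardwareTest
}
# Recovery password for the OS drive: shown once here; store it somewhere other than this laptop.
$vol = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
$vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -ExpandProperty RecoveryPassword

# Data drive: its own recovery password, then auto-unlock so it opens together with the OS drive.
# Run this part once C: is protected (the auto-unlock key is stored on the OS volume).
Enable-BitLocker -MountPoint 'D:' -EncryptionMethod XtsAes256 -RecoveryPasswordProtector | Out-Null
Enable-BitLockerAutoUnlock -MountPoint 'D:'

# Final check: C: should list TpmPin (or Password) + RecoveryPassword, D: RecoveryPassword + ExternalKey.
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus,
    @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

As the thread notes, encryption of C: starts after the reboot that Enable-BitLocker requests, while D: starts immediately, so the final Get-BitLockerVolume check is best rerun after that reboot. The `-AllowInboundRules False` switch is what the firewall UI calls "Block all connections, including those in the list of allowed apps"; drop it if you need inbound rules (for example Remote Desktop) on the Private profile.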
Reply (788413)

I searched through this page and nobody mentioned these so I'm gonna do that now. Make sure you turn on these features:

in Windows Defender: Memory Integrity and Core Isolation
in Windows settings: DEP for ALL programs instead of only for Windows services.

Reply (788449)

@HotCakeX So glad my original question/post is hanging around =). I have a different AV, so can I configure the changes you mention in addition to what I have or do I need to have Defender as my only AV?

Reply (788559)

I don't know which AV you're using; it may or may not work alongside Windows Defender.

Reply (792580)

Core isolation/memory integrity is the HVCI feature I mentioned a while back, though like all things Microsoft there's a lack of consistency and even the link I gave is now broken haha.
It can be enabled regardless of third-party AV and it's actually enabled by default on new/compatible devices so I see no reason to discourage its usage; it may break some older drivers but only because they are doing things they shouldn't be. Potentially worth noting that the feature has also been bypassed so its usefulness is questionable.

The DEP setting mentioned is outdated; despite the wording, apps do run with DEP enabled by default.

One thing to note about third-party AV is that most lack support for vital features like AMSI and ELAM which Defender has enabled by default; you should check with your AV provider to see if these are implemented and encourage them to do so if they haven't.

The main thing I've not mentioned that I do suggest looking into is "Attack Surface Reduction rules". ASR rules are part of Windows Defender but they are off by default; they are a collection of features blocking the most common behaviours seen in the wild. They will genuinely save you from spear-phishing attacks that won't be picked up by any AVs for about a week after it's too late, and they also seem to add a new one with each release of Windows 10.
You can learn about them here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard
2noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-exploit-guard%2Fattack-surface-reduction-exploit-guard%3C%2FA%3E%3CBR%20%2F%3Eto%20enable%20the%20current%20ones%20without%20the%20hassle%20of%20figuring%20it%20out%20i%20refer%20to%20the%20powershell%20in%20my%20comment%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FWindows-10-security%2FHarden-Windows-10%2Fm-p%2F475686%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FWindows-10-security%2FHarden-Windows-10%2Fm-p%2F475686%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-792603%22%20slang%3D%22en-US%22%3ERe%3A%20Hardening%20Windows%2010%20on%20an%20IT%20Pro's%20laptop%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-792603%22%20slang%3D%22en-US%22%3E%3CP%3E1.%20press%20ctrl%2BF%20in%20this%20page%20and%20type%20in%20core%20isolation.%20no%20one%20else%20mentioned%20it%20before.%3CBR%20%2F%3E2.%20source%20for%20saying%20DEP%20is%20outdated%3F%3CBR%20%2F%3E3.%20that%20other%20thread%20you%20mentioned%20looks%20suspicious.%20created%20by%20%22deleted%22%20user%20name%20profile%3F%3CBR%20%2F%3E4.%20i%20don't%20know%20which%20AVs%20you've%20used%20before%20but%20something%20better%20than%20Windows%20Defender%20is%20Kaspersky%20AV%20(Internet%20Security%20or%20End%20point%20security%20which%20is%20equivalent%20to%20the%20Windows%20Defender%20ATP).%20Kaspersky%20has%20Online%20connection%20to%20their%20threat%20center.%20you%20say%20week%3F%20for%20them%20it%20takes%20only%20minutes%20to%20few%20hours%20to%20pass%20over%20the%20new%20malware's
%20database%20to%20the%20other%20users.%20Kaspersky%20was%20the%20First%20and%20only%20company%20that%20found%20Stuxnet%20and%20blocked%20it%2C%20the%20world's%20Most%20advanced%20malware%20ever%20created%20by%20co-operation%20of%20U.S%20and%20Israel.%20then%20other%20AV%20companies%20copy%20Kaspersky's%20database%20and%20use%20it%20on%20their%20own%20system.%20Kaspersky%20even%20got%20them%20red%20handed%20by%20intentionally%20putting%20a%20false%20alarm%20in%20their%20database%20and%20then%20watched%20a%20lot%20of%20AVs%20giving%20the%20same%20false%20alarm.%20lol%20don't%20believe%20the%20news%20saying%20that%20Kaspersky%20is%20run%20by%20Russian%20government%20and%20it%20will%20steal%20your%20data%2C%20it's%20total%20BS%20and%20propaganda.%3CBR%20%2F%3E5.%20Microsoft%20constantly%20changes%20things%20and%20technet%20guides%20because%20Windows%20is%20constantly%20changing%20and%20getting%20better.%20it's%20the%20duty%20of%20system%20admins%20to%20stay%20up%20to%20date.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-792658%22%20slang%3D%22en-US%22%3ERe%3A%20Hardening%20Windows%2010%20on%20an%20IT%20Pro's%20laptop%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-792658%22%20slang%3D%22en-US%22%3E%3CP%3Eim%20not%20trying%20to%20argue%20or%20anything%2C%20i%20have%20no%20conflict%20with%20most%20of%20what%20you're%20saying%3CBR%20%2F%3E%3CBR%20%2F%3E1%20correct%2C%20i%20was%20adding%20that%20this%20is%20what%20used%20to%20be%20known%20as%20HVCI%2C%20it%20was%20a%20more%20up%20and%20coming%20feature%20that%20didnt%20exist%20as%20core%20isolation%20at%20the%20time%20and%20now%20it%20does%2C%20memory%20isolation%20also%20has%20more%20features%20that%20arent%20exposed%20in%20the%20GUI%20so%20it%20may%20be%20useful%20for%20some%20to%20know%3CBR%20%2F%3E%3CBR%20%2F%3E2%20DEP%20as%20a%20memory%20feature%20isn't%20outdated%2C%20that%20GUI%20setting%20and%20its%20wording%20however%20is%2C%20if%20you%20want%20a%20gui%20to%20manage%20it%20the%20correct%20place%
20to%20configure%20it%20now%20is%20via%20the%20%22exploit%20protection%22%20area%20of%20the%20security%20centre%20where%20you%20will%20also%20see%20that%20it%20is%20on%20by%20default%3CBR%20%2F%3E%3CBR%20%2F%3E3%20when%20i%20clear%20my%20microsoft%20account%20privacy%20settings%20it%20deletes%20my%20tech%20community%20account%2C%20the%20posts%20themselves%20would%20be%20deleted%20if%20there%20were%20any%20issues%3CBR%20%2F%3E%3CBR%20%2F%3E4%20again%2C%20not%20trying%20to%20argue%2C%20but%20since%20you%20bring%20it%20up%20i%20will%20say%20i%20am%20a%20kaspersky%20customer%20and%20my%20opinion%20is%20that%20kaspersky%20is%20generally%20as%20good%20as%20windows%20defender%2C%20their%20database%20is%20historically%20the%20best%20though%20defender%20in%20the%20last%20year%20has%20definitely%20caught%20up%20and%20is%20in%20second%20place%2C%20but%20toward%20my%20point%3A%20Kaspersky%20does%20indeed%20support%20AMSI%20and%20ELAM%20which%20most%20other%20AVs%20do%20not%2C%20Kaspersky%20also%20treats%20unknowns%20just%20as%20defender%20does%20which%20is%20why%20they%20pick%20up%20wrapped%20variants%20very%20quickly%2C%20but%20i%20maintain%20that%20it%20is%20impossible%20to%20catch%20everything%20the%20first%20time%20its%20ever%20seen%2C%20such%20as%20your%20example%20stuxnet%20was%20caught%20after%20the%20damage%20was%20done%2C%20not%20before%2C%20and%20something%20preventative%20like%20ASR%20could%20have%20prevented%20it%20ever%20getting%20into%20the%20supplier's%20systems%3CBR%20%2F%3E%3CBR%20%2F%3E5%20exactly%2C%20i%20just%20ask%20that%20you%20be%20less%20hostile%2C%20theres%20enough%20testosterone%20fuelled%20cesspits%20on%20the%20internet%20already%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-792961%22%20slang%3D%22en-US%22%3ERe%3A%20Hardening%20Windows%2010%20on%20an%20IT%20Pro's%20laptop%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-792961%22%20slang%3D%22en-US%22%3E%3CP%3Eabout%20DEP%2C%20the%20underlying%20code%20and%20script%20is%20the%20same%
20and%20the%20OP%20is%20having%20just%20a%20Windows%2010%20pro%2C%20other%203rd%20party%20tools%20like%20that%20require%20additional%20paid%20licenses%20and%20they%20are%20supposed%20to%20be%20installed%20on%20a%20stationary%20server%2C%20not%20a%20portable%20device%20like%20OP's%20laptop.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ehmm%20that's%20weird.%20I've%20changed%20my%20privacy%20settings%20a%20lot%20of%20times%20and%20never%20had%20that%20happen%20to%20me..%20if%20it's%20a%20bug%20in%20the%20site%20then%20report%20it.%20the%20only%20way%20i%20know%20it%20happens%20is%20that%20when%20you%20deliberately%20delete%20your%20account%20and%20create%20a%20new%20one%20with%20a%20different%20Email%20address..%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20style%3D%22width%3A%20767px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F125999i1D79FCD7820FAE24%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Annotation%202019-08-07%20165058.png%22%20title%3D%22Annotation%202019-08-07%20165058.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-798590%22%20slang%3D%22en-US%22%3ERe%3A%20Hardening%20Windows%2010%20on%20an%20IT%20Pro's%20laptop%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-798590%22%20slang%3D%22en-US%22%3E%3CP%3Esorry%20i%20should%20be%20clearer%2C%20it%20is%20not%20third%20party%2C%20and%20it%20is%20not%20implemented%20the%20same%20way%2C%20i%20am%20talking%20about%20the%20below%20image%2C%20built%20into%20windows%2010%20for%20free%3CBR%20%2F%3E%3CBR%20%2F%3Etechnically%20it%20is%20a%20replacement%20of%20a%20previously%20optional%20windows%207%20tool%20known%20as%20%22EMET%22%20which%20itself%20was%20a%20gui%20tool%20for%20multiple%20exploit%20mitigations%20(not%20just%20DEP)%3CBR%20%2F%3E%3CBR%20%2F%3Ein%20current%20windows%2010%20DEP%20is%20e
nabled%20by%20default%20by%20this%20new%20implementation%20for%20applications%26nbsp%3Bdespite%20of%20what%20you%20see%20in%20that%20older%20interface%2C%20hence%20i%20try%20to%20explain%20that%20the%20setting%20you%20are%20advising%20doesn't%20have%20the%20assumed%20impact%20as%20the%20outdated%20wording%20is%20misleading%3C%2FP%3E%3CP%3E%3CBR%20%2F%3Ethat%20old%20interface%20is%20from%202003%20and%20you%20will%20see%20in%20the%20new%20one%20that%20there%20are%20a%20whole%2020%20more%20configurable%20exploit%20mitigations%20(the%20ones%20pictured%20can%20be%20configured%20as%20system%20wide%20defaults%2C%20the%20rest%20have%20to%20be%20configured%20on%20an%20app%20by%20app%20basis)%3CBR%20%2F%3E%3CBR%20%2F%3Ei%20hope%20this%20information%20is%20interesting%20and%20valuable%20%26lt%3B3%3C%2Fimg%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20907px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F126476i95FF8675C1000F00%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22sdvsdfsbdsvzdfsbbz.jpg%22%20title%3D%22sdvsdfsbdsvzdfsbbz.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-798602%22%20slang%3D%22en-US%22%3ERe%3A%20Hardening%20Windows%2010%20on%20an%20IT%20Pro's%20laptop%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-798602%22%20slang%3D%22en-US%22%3EIt's%20not%20misleading.%20it's%20correct.%20the%20DEP%20option%20in%20computer%20properties%20has%202%20options%20for%20enabling%20either%20for%20some%20services%20or%20all%20programs%2C%20in%20Windows%20defender%20there%20is%20only%20one%20option.%20you%20really%20couldn't%20tell%20the%20difference%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-798653%22%20slang%3D%22en-US%22%3ERe%3A%20Hardening%20Windows%2010%20on%20an%20IT%20Pro's%20laptop%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-798653%22%20slang%3D%2
2en-US%22%3E%3CP%3Ebut%20it%20does%20not%20even%20matter%2C%20changing%20that%20option%20does%20not%20do%20that%2C%20it%20does%20not%20function%20like%20it%20says%2C%20i%20dont%20know%20how%20else%20to%20explain%20this%20to%20you%2C%20seriously%3CBR%20%2F%3E%3CBR%20%2F%3Ewhat%20i%20have%20shown%20is%20not%20part%20of%20windows%20defender%2C%20DEP%20is%20part%20of%20windows%20itself%2C%20the%20security%20centre%20GUI%20is%20just%20a%20way%20to%20manage%20some%20windows%20security%20features%20AND%20windows%20defender%20features%2C%20and%20it%20has%20the%20same%20TWO%20DEP%20options%3A%3CBR%20%2F%3EON%3A%20this%20is%20the%20SAME%20as%3A%20%22Turn%20on%20DEP%20for%20all%20programs%20and%20services%22%20except%20it%20actually%20WORKS%3CBR%20%2F%3EOFF%3A%20this%20is%20the%20SAME%20as%3A%20%22Turn%20on%20DEP%20for%20essential%20Windows%20programs%20and%20services%20only%22%20except%20it%20actually%20WORKS%3CBR%20%2F%3E%3CBR%20%2F%3ETHE%20DEFAULT%20IS%20ON%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ebut%20as%20you%20have%20noticed%20by%20default%20the%20OLD%20setting%20is%20set%20to%26nbsp%3B%22Turn%20on%20DEP%20for%20essential%20Windows%20programs%20and%20services%20only%22%20which%20is%20the%20same%20as%20OFF%3CBR%20%2F%3E%3CBR%20%2F%3Ehow%20can%20DEP%20be%20ON%20and%20OFF%20for%20any%20application%20at%20the%20same%20time%3F%3CBR%20%2F%3E%3CBR%20%2F%3Esimple%3A%20it%20cannot%2C%20it%20is%20either%20off%20or%20it%20is%20on%2C%20and%20it%20is%20ON%20because%3CBR%20%2F%3E%3CBR%20%2F%3ETHE%20NEW%20SETTING%20WORKS%3CBR%20%2F%3E%3CBR%20%2F%3ETHE%20OLD%20SETTING%20DOES%20NOT%3CBR%20%2F%3E%3CBR%20%2F%3Ehow%20can%20you%20suggest%20that%20i%20%22really%20cant%20tell%20the%20difference%22%20when%20i%20am%20wasting%20my%20time%20trying%20to%20explain%20this%20to%20you%20that%20what%20you%20SEE%20is%20a%20misconception%3CBR%20%2F%3E%3CBR%20%2F%3Etheres%20many%20obscure%20features%20in%20windows%20that%20have%20been%20depreciated%2C%20buttons%20that%20connect%20to%20nothing%2C%20text%
20that%20is%20incorrect%3CBR%20%2F%3E%3CBR%20%2F%3Ethe%20option%20you%20place%20trust%20in%20is%2015%20years%20old%2C%20yes%20it%20has%20two%20options%2C%20but%20DEP%20has%20four%20states%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EDEP%20is%20already%20enabled%2C%20for%20all%20programs%20and%20services%2C%20even%20though%20that%20option%20is%20not%20selected%3CBR%20%2F%3E%3CBR%20%2F%3Ebecause%20that%20option%20is%20overridden%20by%20the%20ON%20setting%20in%20the%20GUI%20in%20the%20image%20i%20showed%20you%3CBR%20%2F%3E%3CBR%20%2F%3Eit%20is%20YOU%20that%20cannot%20tell%20the%20difference%3CBR%20%2F%3E%3CBR%20%2F%3Emanual%20exceptions%20is%20the%20only%20reason%20why%20that%20old%20interface%20is%20still%20there%2C%20because%20sometimes%20you%20need%20to%20opt%20out%20of%20this%2015%20year%20old%20security%20feature%20to%20run%20even%20older%20software%3CBR%20%2F%3E%3CBR%20%2F%3Ebut%20even%20that%20is%20essentially%20broken%20too%20as%20manual%20exceptions%20is%20replaced%20by%20application%20opt%20outs%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDEP%20is%20already%20enabled%2C%20for%20all%20programs%20and%20services%2C%20with%20application%20opt%20outs%20instead%20of%20manual%20exceptions%3CBR%20%2F%3E%3CBR%20%2F%3Eenabling%20the%20option%20you%20are%20suggesting%2C%20only%20disables%20those%20application%20opt%20outs%20causing%20some%20old%20software%20to%20be%20unable%20to%20run%2C%20thats%20why%20its%20NOT%20SELECTED%20BY%20DEFAULT%3CBR%20%2F%3E%3CBR%20%2F%3Ethings%20are%20the%20way%20they%20are%20for%20a%20reason%2C%20Microsoft%20did%20not%20spend%20the%20last%20fifteen%20years%20doing%20random%20engineering%20for%20the%20fun%20of%20it%3CBR%20%2F%3E%3CBR%20%2F%3Eto%20put%20it%20in%20your%20own%20words%2C%20%22%3CSPAN%3EWindows%20is%20constantly%20changing%20and%20getting%20better.%20it's%20the%20duty%20of%20system%20admins%20to%20stay%20up%20to%20date.%22%20and%20im%20not%20even%20sure%20you%20are%20a%20system%20admin%3CBR%20%2F%3E%3CBR%20%2F%3Estuff%20changes%2C%20the%20best%2
0option%20changes%2C%20new%20becomes%20old%3CBR%20%2F%3Eusing%20windows%207%20changing%20the%20option%20is%20better%20than%20the%20default%2C%20feel%20free%20to%20enable%20it%2C%20i%20encourage%20it%3CBR%20%2F%3Eusing%20windows%2010%20changing%20the%20option%20is%20worse%20than%20the%20default%2C%20leave%20it%20alone%2C%20you%20dont%20understand%20what%20you%20are%20breaking%3CBR%20%2F%3E%3CBR%20%2F%3Eonly%20reason%20i%20am%20responding%20at%20all%20is%20because%20there%20is%20so%20much%20outdated%20windows%20advice%20that%20people%20still%20follow%20and%20share%20online%20to%20the%20detriment%20of%20many%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-798875%22%20slang%3D%22en-US%22%3ERe%3A%20Hardening%20Windows%2010%20on%20an%20IT%20Pro's%20laptop%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-798875%22%20slang%3D%22en-US%22%3Eit%20does%20matter.%3CBR%20%2F%3EThe%20problem%20is%20that%20it's%20just%20You%20talking%20about%20it%20WITHOUT%20PROOF.%3CBR%20%2F%3E%3CBR%20%2F%3Ejust%20because%20you%20say%20something%20works%20or%20doesn't%20work%20doesn't%20mean%20it's%20true.%20how%20hard%20is%20it%20to%20understand.%20people%20on%20the%20internet%20don't%20just%20believe%20what%20someone%20else%20says%20without%20proof.%20i%20can%20go%20ahead%20and%20say%20real%20time%20protection%20of%20Windows%20Defender%20doesn't%20work%2C%20turn%20it%20off.%20should%20you%20believe%20me%20then%3F%20of%20course%20not.%3CBR%20%2F%3E%3CBR%20%2F%3Eso%20unless%20you%20understand%20this%20basic%20idea%20then%20it's%20pointless%20to%20continue%20this%20conversation.%20sure%20you%20can%20believe%20whatever%20you%20want%20but%20don't%20try%20to%20shove%20it%20into%20others.%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E
Daniel Westerdale
Regular Contributor

Hi

I have just bought a new Windows 10 Pro laptop for work as a freelance IT Consultant and I figured this would be a good time to adopt some of the latest best practices pertinent to securing my machine. Given that this machine is also for personal use, I am looking to balance convenience against security and privacy in the event of loss or theft.

I have found some extensive posts on the subject, including the one shown below:

https://www.infoworld.com/article/3121994/security/lockdown-harden-windows-10-for-maximum-security.h...

I would, however, like to hear any comments anyone has: from BitLocker and beyond....

29 Replies
Solution

A clean install of Windows 10 is pretty good; that said, I do have the following advice:

  • It is important to properly configure User Account Control on all machines; out of the box it is very insecure, meaning anything can bypass it to grab admin privileges.
  • It is important to make sure that Secure Boot is enabled on all machines.
  • BitLocker is an obvious one; enable it on all machines.
  • You may want to use Windows Defender Firewall to block all inbound connections on the private and public profiles; it's very effective for protecting devices in public places and usually has no negative impact, but should be assessed per requirements.
  • You should deploy the uBlock Origin browser extension to all browsers; it blocks a significant amount of malware and greatly reduces the bandwidth used by your org. For the record, Chrome and Edge are much more secure than other browsers.
  • Also remember to properly patch: if Windows, Defender, or your browser are out of date then you WILL be targeted.

Following the above will significantly benefit you and your users and can be done by anybody without any extra cost; I hope that's useful for you.

Edit: oh, and if you're ever able to, I recommend you look into Windows 10 S (soon to be called Windows Pro in S Mode).
Yes, it gets a lot of stick for restricting you to Edge and Store apps, but that thing is rock solid; even if you never ever use it, it's the best example of Device Guard Code Integrity in action and how powerful it can be when properly configured.

Edit: from 1803, Hypervisor-enforced Code Integrity (HVCI) will be enabled by default via clean install; you can enable it on previous versions by following these instructions: https://docs.microsoft.com/en-gb/windows/security/threat-protection/enable-virtualization-based-prot...
HVCI is a feature that helps defend against kernel-level malware; I initially didn't mention it because I'm not sure what the real-world benefits are and I'm aware that it can cause instability and performance problems. However, since Microsoft seems to be pushing for its implementation I felt it was worth adding. (I imagine they may also do the same for DMA Protection in the future.)
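
Three of the checklist items above (Secure Boot, the inbound firewall lockdown, patching) carried through in PowerShell, as an added example that is not code from the answer or from Microsoft. It is written for an elevated prompt on a standalone Windows 10 Pro laptop. The "assess per requirements" step is the rule listing: it shows which inbound allow rules (file sharing, remote desktop, and so on) the lockdown will stop honouring before anything is changed; the Domain profile is deliberately left alone.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Checks and applies three of the items
# above on a Windows 10 Pro laptop: Secure Boot, the inbound firewall lockdown
# on the Private/Public profiles, and patch/signature currency.

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines rather than
    # returning $false, so treat the exception as "not enabled".
    try { Confirm-SecureBootUEFI } catch { $false }
}

function Get-AffectedInboundRules {
    # Enabled inbound allow rules on the Private/Public/Any profiles: these are
    # what "block all inbound" will stop honouring (file sharing, RDP, ...).
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { $_.Profile -match 'Private|Public|Any' } |
        Select-Object DisplayName, Profile |
        Sort-Object DisplayName -Unique
}

function Set-InboundLockdown {
    # -AllowInboundRules False is the "Block all incoming connections, including
    # those in the list of allowed apps" checkbox in the firewall GUI. The
    # Domain profile is untouched so domain-joined use keeps its rules.
    Set-NetFirewallProfile -Profile Private, Public -Enabled True `
        -DefaultInboundAction Block -AllowInboundRules False -NotifyOnListen True
}

function Get-PatchState {
    # Defender engine/signature age plus the most recent hotfix, the
    # "Windows, Defender, browser out of date" items from the list above.
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        DefenderEngine   = $mp.AMEngineVersion
        SignatureUpdated = $mp.AntivirusSignatureLastUpdated
        SignatureAgeDays = $mp.AntivirusSignatureAge
        LatestHotfix     = (Get-HotFix | Sort-Object InstalledOn -Descending |
                            Select-Object -First 1).HotFixID
    }
}

"Secure Boot enabled: $(Get-SecureBootState)"
"Inbound allow rules the lockdown will override:"
Get-AffectedInboundRules | Format-Table -AutoSize
Set-InboundLockdown
Get-NetFirewallProfile -Profile Private, Public |
    Select-Object Name, Enabled, DefaultInboundAction, AllowInboundRules
Get-PatchState
```

If the rule listing shows something you rely on while on a public network, the alternative to the full lockdown is to keep `-AllowInboundRules True` and disable the individual rules with `Disable-NetFirewallRule -DisplayName '...'`.
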

Hi

Thanks very much for your feedback; you are very well informed. You have also struck the balance I was looking for, between security and convenience.

I have just got my laptop from the supplier so, other than Office 2016 via the Office 365 portal, it is a clean build. I have a list of tools, utilities and PowerShell modules I want to install but I will hold off until the machine is hardened.

I will look at the Windows Defender Firewall and see how it compares with the firewall that comes with my current AV (who were recently in the news for the wrong reasons ;) ).

BitLocker: I think I won't bother with my boot-up (C:) drive, just my data drive, so my code (repos), OneDrives etc., unless you think I should do all drives (note: I will need to verify TPM status with PowerShell beforehand).

I also thought of some anti-theft protection such as Prey Project.

In addition, picking a decent VPN for when I am working away, such as Express VPN.


Nearly all AV firewalls layer on top of the Windows filtering engine anyway, so it usually doesn't make a difference which you use; I suggest that you use whichever you find most convenient to manage.

I highly recommend BitLocker on all drives. Windows will not only accumulate a significant amount of data over time that can be used to identify and break into your devices/drives/accounts, but it also caches file data locally, even if it is stored on encrypted drives; to be absolutely clear: data stored on any drive will leak onto the C: drive.

Also, before you enable BitLocker I recommend that you configure the "Require additional authentication at startup" local group policy setting first:

  1. set the policy to "Enabled"
  2. if your device doesn't have a TPM, tick the "Allow BitLocker without a compatible TPM" checkbox; this enables you to set up BitLocker with a password, preventing the "missing TPM" error
  3. if your device has a TPM, set the second drop-down box to "Require startup PIN with TPM" and set the other three to "Do not allow"; this enables you to set up BitLocker with a PIN, preventing the insecure "automatic unlock" aka "TPM only" configuration

tpm.png
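
The three policy steps above, followed by the encryption itself, as an added PowerShell example that is not from the thread. It assumes (my assumptions, not the thread's) a Windows 10 Pro laptop with a TPM, C: as the OS volume and D: as a single data volume. The registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE are the ones the "Require additional authentication at startup" and "Allow enhanced PINs for startup" policies write, so on a standalone machine writing them is equivalent to the gpedit steps; the script also covers the TPM check, the recovery password, and auto-unlock for the data drive that come up later in the thread.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Assumes a TPM-equipped Windows 10
# Pro laptop, OS volume C: and data volume D:. The registry values are those
# written by the "Require additional authentication at startup" and
# "Allow enhanced PINs for startup" policies.

# 0. Verify the TPM first (the "check TPM status with PowerShell" step).
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready:`n$($tpm | Out-String)"
}

# 1. Policy: TPM + startup PIN required, every other pre-boot option refused.
#    For the four "Configure TPM ..." drop-downs: 0 = Do not allow,
#    1 = Require, 2 = Allow.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
$policy = [ordered]@{
    UseAdvancedStartup = 1   # policy "Enabled"
    EnableBDEWithNoTPM = 0   # no "Allow BitLocker without a compatible TPM"
    UseTPM             = 0   # TPM only (silent unlock at boot): Do not allow
    UseTPMPIN          = 1   # TPM + startup PIN: Require
    UseTPMKey          = 0   # TPM + USB startup key: Do not allow
    UseTPMKeyPIN       = 0   # TPM + startup key + PIN: Do not allow
    UseEnhancedPin     = 1   # allow letters/symbols in the PIN, not digits only
}
foreach ($name in $policy.Keys) {
    Set-ItemProperty -Path $fve -Name $name -Value $policy[$name] -Type DWord
}

# 2. OS volume: recovery password first (print it, store it off the laptop),
#    then the TPM+PIN protector. Without -SkipHardwareTest Windows asks for a
#    reboot to test the TPM/PIN path, and encryption of C: starts after it.
$rp = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
$rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object { "C: recovery password (save offline): $($_.RecoveryPassword)" }

$pin = Read-Host -AsSecureString 'Startup PIN for C:'
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $pin | Out-Null

# 3. Data volume: its own recovery password, then auto-unlock keyed to C:.
#    Auto-unlock requires C: protection to actually be On, so on first run
#    this part waits for the post-reboot encryption to finish.
if ((Get-BitLockerVolume -MountPoint 'C:').ProtectionStatus -eq 'On') {
    Enable-BitLocker -MountPoint 'D:' -EncryptionMethod XtsAes256 `
        -RecoveryPasswordProtector | Out-Null
    Enable-BitLockerAutoUnlock -MountPoint 'D:'
} else {
    'C: protection not yet On; rerun step 3 after the reboot and encryption.'
}

Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

The recovery password is the only way back in if the TPM is cleared or the board is replaced, so treat the printed value as a secret that lives anywhere except on the laptop itself.
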

 

Ok, you have convinced me: BitLocker universal it will be. I will report back once I have set the startup policy and enabled it.

I'm glad to help.

IT security is more important than ever, but it should never stop you from doing your job.

I'm also glad that you openly asked for outside knowledge/experience; very professional.

Hi

On my laptop, which does have TPM 2.0: does this look ok?

Require authentication with TMP and PIN.PNG

Yep! That's exactly correct.

Now when enabling BitLocker this policy will force you to set a TPM-based PIN; that PIN will have the brute-forcing protections of the TPM, which is the best possible protection for your data if the device is ever stolen.

You only need to set up this PIN for the OS drive though; after that your data drives can be set up as auto-unlock drives (they're unlocked when the OS drive is unlocked and are essentially linked; they are secure).

Hi

Thanks very much. I did Google but all I could find is the non-TPM configuration. Anyway, I gather the "Hello" PIN doesn't have to be long: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-p...

Good news on the auto-unlock on the data drives. Ok, I will go forth and BitLock my world!

Yep, I would say that 6 digits is "the standard".
4-digit PINs are "gently discouraged" but not uncommon.

TPM/Hello PINs literally exist to give you the benefits of a good complex password but without the inconvenience.

If you want to go for more than just "kind of secure, unless it's inconvenient", consider leveraging Client Hyper-V to use a hypervisor boundary to protect your sensitive config from your productivity / riskier usage.

We talk about Privileged Access Workstations here: http://aka.ms/cyberpaw - Jian Yan has been working on this model and talks about an updated architecture here: https://blogs.technet.microsoft.com/datacentersecurity/2017/10/13/privileged-access-workstationpaw/

We also document our security baselines here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-baselines

@Chris Jackson 

Yep, I think that's on @Deleted's security to-do list, which I am slowly going through, starting with BitLocker. One thing I did was to turn on allowing complex passwords prior to enabling BitLocker. Oddly I didn't get much feedback regarding drive C, whereas for drive D I got the full progress dialog. Seems to be working well and I will test hibernation recovery at some stage.

As for your suggestion, are there any downsides to this, as I want to work seamlessly with PowerShell, Azure, REST calls etc.?


When encrypting the C drive it'll ask you to reboot, and the process will start after you next log in. Other drives will start encrypting immediately; that might explain the missing progress dialog.

Chris' suggestion is not something I've mentioned. I've had successful implementations of that sort of model at the level of role, domain, or infrastructure segregation, but as a single user on a single machine it would essentially mean trying to keep all your more "dodgy stuff" to one VM whilst your "sensitive stuff" is in other VMs, potentially a VM for each contract/client/environment. I feel like the concept is aspirational but in reality creates a lot of management overhead, interrupts workflow, and leads to a false sense of security.

That said, I'm glad to see your input Chris and ultimately I may be misunderstanding; I'd love to learn more.

We'd certainly like to hope that PAWs are not just aspirational; it's a key aspect of our Securing Privileged Access Roadmap: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privile...

We've got them deployed for tens of thousands of our own internal users at Microsoft who have privilege in our dev-ops workflows, as well as at hundreds of customers.

That's really impressive


This is unrelated, but are there any plans to move Windows 10 S to this kind of model by default?
I use Windows 10 S as the host on all my personal machines, and there are non-store programs that I run in Windows 10 Pro guest VMs.

The current advice plastered all over S though is that users take the free upgrade to Pro so they can run non-store programs; wouldn't it be more beneficial to provide users with a lightweight VM to run such "untrusted" software? Potentially similar to how Windows Defender Application Guard functions as a container for Edge?

For reference, here is how User Account Control should be configured if using Local Security Policy.

Be aware that if you need to elevate unsigned executables you will have to set "Only elevate executables that are signed and validated" to "Disabled", otherwise you will receive the "A referral was returned from the server." error when trying to run unsigned executables.

uac.png
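
The uac.png screenshot is not reproduced on this page, so the following is an added example of my own, not the poster's configuration: a hardened set of the UAC policies from Local Security Policy (secpol.msc, Local Policies > Security Options), expressed as the registry values each policy writes, with an audit function to review the change set before it is applied. The target values are my reading of a hardened configuration and are assumptions; the one taken directly from the post is ValidateAdminCodeSignatures = 0 ("Only elevate executables that are signed and validated": Disabled). The point behind ConsentPromptBehaviorAdmin is the "out of the box it is very insecure" remark in the accepted answer: the default value 5 elevates Windows' own signed binaries without a prompt, which is what the well-known UAC bypass techniques abuse, and any value other than 5 removes that silent path.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Target values are my own hardened
# reading of the Local Security Policy UAC settings, keyed by the registry
# value each policy writes. ValidateAdminCodeSignatures = 0 is the post's
# advice for elevating unsigned tools.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$target = [ordered]@{
    # Run all administrators in Admin Approval Mode
    EnableLUA                   = 1
    # Admin Approval Mode for the built-in Administrator account
    FilterAdministratorToken    = 1
    # Admins: prompt for consent on the secure desktop. The default (5) only
    # prompts for non-Windows binaries and auto-elevates Windows' own, which
    # is the silent path UAC-bypass tooling relies on.
    ConsentPromptBehaviorAdmin  = 2
    # Standard users: prompt for credentials on the secure desktop
    ConsentPromptBehaviorUser   = 1
    # Switch to the secure desktop when prompting for elevation
    PromptOnSecureDesktop       = 1
    # Detect application installations and prompt for elevation
    EnableInstallerDetection    = 1
    # Only elevate UIAccess applications installed in secure locations
    EnableSecureUIAPaths        = 1
    # UIAccess applications may not prompt without the secure desktop
    EnableUIADesktopToggle      = 0
    # Virtualize file and registry write failures to per-user locations
    EnableVirtualization        = 1
    # Only elevate executables that are signed and validated: Disabled,
    # otherwise unsigned tools fail with "A referral was returned from the server."
    ValidateAdminCodeSignatures = 0
}

function Compare-UacPolicy {
    # One row per setting with current and target value, so the change set
    # can be reviewed before anything is written.
    $current = Get-ItemProperty -Path $uacKey
    foreach ($name in $target.Keys) {
        [pscustomobject]@{
            Setting = $name
            Current = $current.$name
            Target  = $target[$name]
            Changed = ($current.$name -ne $target[$name])
        }
    }
}

function Set-UacPolicy {
    foreach ($name in $target.Keys) {
        Set-ItemProperty -Path $uacKey -Name $name -Value $target[$name] -Type DWord
    }
}

Compare-UacPolicy | Format-Table -AutoSize
Set-UacPolicy
# EnableLUA and the consent-prompt behaviours take effect at the next logon.
```

Run `Compare-UacPolicy` on its own first; on a fresh Windows 10 Pro install the rows that show `Changed = True` are typically ConsentPromptBehaviorAdmin (5 by default) and ConsentPromptBehaviorUser (3 by default).
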

 

 

Hardening of your machine should rely on the least privilege principle. Use a non-admin account for daily use. Disable unused programs, services and firewall rules. Minimize your attack surface and turn off unused network-facing Windows features.

While I applaud MS for improving protection on kernel things, attackers do not necessarily have to touch the kernel to do damage. I have seen damage to Windows Defender and Windows Edge, just as an example. And their improvements rest on having new hardware, which leaves countless older platforms unprotected. Also their new innovations rely on Windows Server Active Directory, which no home user has.

And sometimes, even when MS has been notified of working exploits, they fail to make changes to their code. Like Google Project Zero's findings on exploitable WPAD (Auto Proxy Detection) and JavaScript bugs.

These MS techs only know to expound on their latest innovations. They are not incident responders. And they do not know how to harden Windows.

However, I do agree that BitLocker is the way to go since the thread starter's main concern is theft or a lost laptop.

I searched through this page and nobody mentioned these, so I'm gonna do that now. Make sure you turn on these features:

in Windows Defender: Memory Integrity and Core Isolation
in Windows settings: DEP for ALL programs instead of only for Windows services.

@HotCakeX  So glad my original question/post is hanging around =). I have a different AV, so can I configure the changes you mention in addition to what I have, or do I need to have Defender as my only AV?

I don't know which AV you're using; it may or may not work alongside Windows Defender.

Core isolation/memory integrity is the HVCI feature I mentioned a while back, though like all things Microsoft there's a lack of consistency and even the link I gave is now broken haha.
It can be enabled regardless of third-party AV and it's actually enabled by default on new/compatible devices, so I see no reason to discourage its usage; it may break some older drivers, but only because they are doing things they shouldn't be. Potentially worth noting that the feature has also been bypassed, so its usefulness is questionable.

The DEP setting mentioned is outdated; despite the wording, apps do run with DEP enabled by default.

One thing to note about third-party AV is that most lack support for vital features like AMSI and ELAM, which Defender has enabled by default; you should check with your AV provider to see if these are implemented and encourage them to do so if they haven't.

The main thing I've not mentioned that I do suggest looking into is "Attack Surface Reduction rules". ASR rules are part of Windows Defender but they are off by default; they are a collection of features blocking the most common behaviours seen in the wild. They will genuinely save you from spear and phishing attacks that won't be picked up by any AVs for about a week after it's too late; they also seem to add a new one with each release of Windows 10.
You can learn about them here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/a...
To enable the current ones without the hassle of figuring it out, I refer to the PowerShell in my comment here: https://techcommunity.microsoft.com/t5/Windows-10-security/Harden-Windows-10/m-p/475686
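
The ASR rollout described above, as an added example. This is my own script, not the PowerShell from the linked comment (which is not reproduced on this page). The rule GUIDs are the documented ones from the ASR reference linked above at the time of writing; the list grows with Windows releases, so check that page for rules added since. One caveat that bears on the third-party AV question earlier in the thread: ASR rules are enforced by Microsoft Defender Antivirus real-time protection, so with another AV active (Defender in passive mode) they do nothing, which is why the script refuses to continue in that state. Rules go in as AuditMode first so the 1122 events show what they would have blocked before anything is enforced.

```powershell
#Requires -RunAsAdministrator
# Added example, not the PowerShell from the linked comment. Rule GUIDs are the
# documented ones from the ASR reference linked above; verify against that page.
# ASR only enforces while Defender real-time protection is the active AV.

$asrRules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted and unsigned processes that run from USB'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executables unless they meet a prevalence, age or trusted-list criterion'
}

function Assert-DefenderActive {
    # With a third-party AV installed Defender drops to passive mode and
    # RealTimeProtectionEnabled is $false; ASR rules would be silently inert.
    $status = Get-MpComputerStatus
    if (-not $status.RealTimeProtectionEnabled) {
        throw 'Defender real-time protection is off (third-party AV / passive mode); ASR rules will not enforce.'
    }
}

function Set-AsrRules {
    param([ValidateSet('Enabled', 'AuditMode')] [string] $Action = 'AuditMode')
    # One call per rule keeps the Ids/Actions arrays paired unambiguously.
    foreach ($id in $asrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $Action
    }
}

function Get-AsrState {
    # Get-MpPreference exposes two parallel arrays; zip them into readable rows.
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
    $p = Get-MpPreference
    for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $p.AttackSurfaceReductionRules_Ids[$i].ToUpper()
        [pscustomobject]@{
            RuleId = $id
            Name   = $asrRules[$id]
            Action = $actionNames[[int]$p.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}

function Get-AsrEvents {
    # 1121 = a rule blocked something; 1122 = a rule would have blocked (audit).
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
}

Assert-DefenderActive
Set-AsrRules -Action AuditMode   # run like this for a while, review Get-AsrEvents, then:
# Set-AsrRules -Action Enabled
Get-AsrState | Format-Table -AutoSize
```

The audit pass matters on a working laptop: rules such as "Block Win32 API calls from Office macros" or the prevalence/age rule will flag legitimate in-house tooling, and the 1122 events are how you find that out without breaking anything.
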

1. Press Ctrl+F in this page and type in core isolation. No one else mentioned it before.
2. Source for saying DEP is outdated?
3. That other thread you mentioned looks suspicious. Created by a "deleted" user name profile?
4. I don't know which AVs you've used before, but something better than Windows Defender is Kaspersky AV (Internet Security, or Endpoint Security, which is equivalent to Windows Defender ATP). Kaspersky has an online connection to their threat center. You say a week? For them it takes only minutes to a few hours to pass over the new malware's database to the other users. Kaspersky was the first and only company that found Stuxnet and blocked it, the world's most advanced malware ever, created by co-operation of the U.S. and Israel. Then other AV companies copy Kaspersky's database and use it on their own system. Kaspersky even caught them red-handed by intentionally putting a false alarm in their database and then watched a lot of AVs giving the same false alarm. lol. Don't believe the news saying that Kaspersky is run by the Russian government and it will steal your data; it's total BS and propaganda.
5. Microsoft constantly changes things and TechNet guides because Windows is constantly changing and getting better. It's the duty of system admins to stay up to date.

I'm not trying to argue or anything; I have no conflict with most of what you're saying.

1. Correct, I was adding that this is what used to be known as HVCI; it was a more up-and-coming feature that didn't exist as Core Isolation at the time, and now it does. Memory isolation also has more features that aren't exposed in the GUI, so it may be useful for some to know.

2. DEP as a memory feature isn't outdated; that GUI setting and its wording, however, are. If you want a GUI to manage it, the correct place to configure it now is via the "Exploit protection" area of the Security Centre, where you will also see that it is on by default.

3. When I clear my Microsoft account privacy settings it deletes my Tech Community account; the posts themselves would be deleted if there were any issues.

4. Again, not trying to argue, but since you bring it up I will say I am a Kaspersky customer and my opinion is that Kaspersky is generally as good as Windows Defender. Their database is historically the best, though Defender in the last year has definitely caught up and is in second place. But toward my point: Kaspersky does indeed support AMSI and ELAM, which most other AVs do not. Kaspersky also treats unknowns just as Defender does, which is why they pick up wrapped variants very quickly, but I maintain that it is impossible to catch everything the first time it's ever seen. Your example, Stuxnet, was caught after the damage was done, not before, and something preventative like ASR could have prevented it ever getting into the supplier's systems.

5. Exactly. I just ask that you be less hostile; there are enough testosterone-fuelled cesspits on the internet already.

About DEP, the underlying code and script is the same, and the OP has just Windows 10 Pro; other 3rd-party tools like that require additional paid licenses and they are supposed to be installed on a stationary server, not a portable device like the OP's laptop.


Hmm, that's weird. I've changed my privacy settings a lot of times and never had that happen to me. If it's a bug in the site then report it. The only way I know it happens is when you deliberately delete your account and create a new one with a different email address.

[attached screenshot: Annotation 2019-08-07 165058.png]

Sorry, I should be clearer: it is not third-party, and it is not implemented the same way. I am talking about the below image, built into Windows 10 for free.

Technically it is a replacement for a previously optional Windows 7 tool known as "EMET", which itself was a GUI tool for multiple exploit mitigations (not just DEP).

In current Windows 10, DEP is enabled by default by this new implementation for applications, despite what you see in that older interface; hence I try to explain that the setting you are advising doesn't have the assumed impact, as the outdated wording is misleading.

That old interface is from 2003, and you will see in the new one that there are a whole 20 more configurable exploit mitigations (the ones pictured can be configured as system-wide defaults; the rest have to be configured on an app-by-app basis).

I hope this information is interesting and valuable <3

[attached image: sdvsdfsbdsvzdfsbbz.jpg]

It's not misleading; it's correct. The DEP option in Computer Properties has 2 options for enabling it, either for some services or for all programs; in Windows Defender there is only one option. You really couldn't tell the difference?

But it does not even matter: changing that option does not do that, it does not function like it says. I don't know how else to explain this to you, seriously.

What I have shown is not part of Windows Defender; DEP is part of Windows itself. The Security Centre GUI is just a way to manage some Windows security features AND Windows Defender features, and it has the same TWO DEP options:
ON: this is the SAME as "Turn on DEP for all programs and services", except it actually WORKS
OFF: this is the SAME as "Turn on DEP for essential Windows programs and services only", except it actually WORKS

THE DEFAULT IS ON


But as you have noticed, by default the OLD setting is set to "Turn on DEP for essential Windows programs and services only", which is the same as OFF.

How can DEP be ON and OFF for any application at the same time?

Simple: it cannot. It is either off or it is on, and it is ON because

THE NEW SETTING WORKS

THE OLD SETTING DOES NOT

How can you suggest that I "really can't tell the difference" when I am wasting my time trying to explain to you that what you SEE is a misconception?

There are many obscure features in Windows that have been deprecated: buttons that connect to nothing, text that is incorrect.

The option you place trust in is 15 years old. Yes, it has two options, but DEP has four states.

DEP is already enabled, for all programs and services, even though that option is not selected,

because that option is overridden by the ON setting in the GUI in the image I showed you.

It is YOU that cannot tell the difference.

Manual exceptions are the only reason why that old interface is still there, because sometimes you need to opt out of this 15-year-old security feature to run even older software.

But even that is essentially broken too, as manual exceptions are replaced by application opt-outs.


DEP is already enabled, for all programs and services, with application opt-outs instead of manual exceptions.

Enabling the option you are suggesting only disables those application opt-outs, causing some old software to be unable to run; that's why it's NOT SELECTED BY DEFAULT.

Things are the way they are for a reason; Microsoft did not spend the last fifteen years doing random engineering for the fun of it.

To put it in your own words, "Windows is constantly changing and getting better. it's the duty of system admins to stay up to date." And I'm not even sure you are a system admin.

Stuff changes, the best option changes, new becomes old.
Using Windows 7, changing the option is better than the default; feel free to enable it, I encourage it.
Using Windows 10, changing the option is worse than the default; leave it alone, you don't understand what you are breaking.

The only reason I am responding at all is because there is so much outdated Windows advice that people still follow and share online, to the detriment of many.
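The argument above is about which GUI reflects the real DEP state; an added example, from neither poster, that asks the OS directly instead. It reads the four-state boot policy that the two Computer Properties radio buttons only partly expose, then the system-wide Exploit Protection default and the per-process state. It assumes Windows 10 1709 or later for the ProcessMitigations cmdlets, and the two process names are sample values.

```powershell
function Get-DepBootPolicy {
    # Win32_OperatingSystem exposes the boot-level DEP policy, which has four states;
    # the two radio buttons in Computer Properties map onto OptIn and OptOut only.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $policy = @{
        0 = 'AlwaysOff'
        1 = 'AlwaysOn'
        2 = 'OptIn (essential Windows programs and services only)'
        3 = 'OptOut (all programs and services, minus exceptions)'
    }
    [pscustomobject]@{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        BootPolicy           = $policy[[int]$os.DataExecutionPrevention_SupportPolicy]
        DepFor32BitApps      = $os.DataExecutionPrevention_32BitApplications
    }
}

function Get-DepPerProcess {
    # Exploit Protection is the backend the Security Centre GUI writes to; querying the
    # running processes shows the DEP state each one actually has, opt-outs included.
    param([string[]]$Name = @('explorer.exe', 'notepad.exe'))   # sample process names
    foreach ($n in $Name) {
        Get-ProcessMitigation -Name $n -RunningProcesses -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Process    = $n
                    DepEnabled = $_.Dep.Enable
                }
            }
    }
}

Get-DepBootPolicy
# System-wide Exploit Protection default: what the newer GUI's ON/OFF toggle sets.
(Get-ProcessMitigation -System).Dep
Get-DepPerProcess
```

Comparing the boot policy against the per-process results is the quickest way to see whether an application-level opt-out, rather than the boot policy, is what is running a given program without DEP.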

It does matter.
The problem is that it's just YOU talking about it WITHOUT PROOF.

Just because you say something works or doesn't work doesn't mean it's true. How hard is it to understand? People on the internet don't just believe what someone else says without proof. I can go ahead and say real-time protection of Windows Defender doesn't work, turn it off. Should you believe me then? Of course not.

So unless you understand this basic idea, it's pointless to continue this conversation. Sure, you can believe whatever you want, but don't try to shove it onto others.