Forum Discussion
Hardening Windows 10 on an IT Pro's laptop
- Anonymous, Apr 13, 2018
A clean install of Windows 10 is pretty good; that said, I do have the following advice:
- It is important to properly configure User Account Control on all machines; out of the box it is very insecure, meaning anything can bypass it to grab admin privileges.
- It is important to make sure that Secure Boot is enabled on all machines.
- BitLocker is an obvious one, enable it on all machines.
- You may want to use Windows Defender Firewall to block all inbound connections on the Private and Public profiles; it's very effective for protecting devices in public places and usually has no negative impact, but it should be assessed per requirements.
- You should deploy the uBlock Origin browser extension to all browsers, it blocks a significant amount of malware and greatly reduces the bandwidth used by your org; for the record, Chrome and Edge are much more secure than other browsers.
- Also remember to patch properly: if Windows, Defender, or the browser is out of date, then you WILL be targeted.
Following the above will significantly benefit you and your users and can be done by anybody without any extra cost; I hope that's useful for you.
Edit: oh, and if you're ever able to: I recommend you look into Windows 10 S (soon to be called Windows Pro in S Mode)
Yes, it gets a lot of stick for restricting you to Edge and Store apps, but that thing is rock solid; even if you never use it, it's the best example of Device Guard Code Integrity in action and of how powerful it can be when properly configured.
Edit: from 1803, Hypervisor-enforced Code Integrity (HVCI) will be enabled by default on a clean install; you can enable it on previous versions by following these instructions: https://docs.microsoft.com/en-gb/windows/security/threat-protection/enable-virtualization-based-protection-of-code-integrity
HVCI is a feature that helps defend against kernel-level malware; I initially didn't mention it because I'm not sure what the real-world benefits are and I'm aware that it can cause instability and performance problems. However, since Microsoft seems to be pushing for its implementation, I felt it was worth adding. (I imagine they may also do the same for DMA Protection in the future.)
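As an added example (not part of the original thread), here is a read-only PowerShell audit script that checks each item from the post above on the local machine: UAC prompt level, Secure Boot, BitLocker protection status, inbound blocking on the Private and Public firewall profiles, HVCI, and patch/Defender signature freshness. The 45-day hotfix threshold and the one-day signature-age threshold are assumptions chosen for this example, not Microsoft guidance.

```powershell
# Added example, not from the original thread: read-only audit of the
# hardening items listed in the post above. Run in an elevated PowerShell
# on the Windows 10 machine being checked. Nothing is changed.
#Requires -RunAsAdministrator

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. UAC "Always notify": ConsentPromptBehaviorAdmin 2 on the secure desktop.
#    The Windows default is 5 (prompt only when non-Windows binaries elevate).
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
$uacOk = ($uac.EnableLUA -eq 1) -and ($uac.ConsentPromptBehaviorAdmin -eq 2) -and ($uac.PromptOnSecureDesktop -eq 1)
Add-Result 'UAC always notify' $uacOk ('EnableLUA={0} ConsentPromptBehaviorAdmin={1} PromptOnSecureDesktop={2}' -f $uac.EnableLUA, $uac.ConsentPromptBehaviorAdmin, $uac.PromptOnSecureDesktop)

# 2. Secure Boot. Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as a fail.
try   { $sb = Confirm-SecureBootUEFI; Add-Result 'Secure Boot enabled' $sb "Confirm-SecureBootUEFI=$sb" }
catch { Add-Result 'Secure Boot enabled' $false $_.Exception.Message }

# 3. BitLocker: every volume with a drive letter should report ProtectionStatus 'On'.
$unprotected = @(Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -ne 'On' } | ForEach-Object MountPoint)
Add-Result 'BitLocker on all volumes' ($unprotected.Count -eq 0) ('Unprotected: ' + ($unprotected -join ', '))

# 4. Firewall: Private and Public profiles on, default inbound action Block, and
#    "block all inbound connections" (AllowInboundRules False, so inbound allow rules are ignored).
$badProfiles = @(Get-NetFirewallProfile -Profile Private, Public | Where-Object {
    [string]$_.Enabled -ne 'True' -or [string]$_.DefaultInboundAction -ne 'Block' -or [string]$_.AllowInboundRules -ne 'False'
} | ForEach-Object Name)
Add-Result 'Firewall blocks all inbound (Private/Public)' ($badProfiles.Count -eq 0) ('Non-compliant profiles: ' + ($badProfiles -join ', '))

# 5. HVCI: Win32_DeviceGuard lists 2 in SecurityServicesRunning when HVCI is active (1 = Credential Guard).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciOn = @($dg.SecurityServicesRunning) -contains 2
Add-Result 'HVCI running' $hvciOn ('SecurityServicesRunning=' + (@($dg.SecurityServicesRunning) -join ','))

# 6. Patch state. The thresholds (45 days for the newest hotfix, 1 day for
#    Defender signatures) are assumptions for this example.
$hf = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
Add-Result 'Recent Windows update' ([bool]$hf -and $hf.InstalledOn -gt (Get-Date).AddDays(-45)) ('{0} installed {1:yyyy-MM-dd}' -f $hf.HotFixID, $hf.InstalledOn)
$mp = Get-MpComputerStatus
Add-Result 'Defender signatures fresh' ($mp.AntivirusSignatureAge -le 1) ('Signature age {0} day(s)' -f $mp.AntivirusSignatureAge)

$results | Format-Table -AutoSize
```

Each row shows Pass/fail plus the raw values behind it, so a fail for UAC or the firewall tells you exactly which setting to change rather than just that something is off. The script only inspects state; it does not apply any of the settings.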
Hi
Thanks very much for your feedback - you are very well informed. You have also struck the balance I was looking for, between security and convenience.
I have just got my laptop from the supplier so other than Office 2016 via The Office 365 Portal it is a clean build. I have a list of tools, utilities, PowerShell modules I want to install but I will hold off until the machine is hardened.
I will look at the Windows Defender Firewall and see how it compares with the firewall that comes with my current AV (who were recently in the news for the wrong reasons ;-) ).
BitLocker - I think I won't bother with my boot-up drive (C:), just my data drive, so my code (repos), OneDrives etc., unless you think I should do all drives (note: I will need to verify TPM status with PowerShell beforehand).
I also thought of some anti-theft protection such as https://www.preyproject.com/
In addition, picking a decent VPN when I am working away, such as Express VPN
Nearly all AV firewalls layer on top of the Windows filtering engine anyway, so it usually doesn't make a difference which you use; I suggest that you use whichever you find most convenient to manage.
I highly recommend BitLocker on all drives. Windows will not only accumulate a significant amount of data over time that can be used to identify and break into your devices/drives/accounts, but it also caches file data locally, even if it is stored on encrypted drives; to be absolutely clear: data stored on any drive will leak onto the C: drive.
Also, before you enable BitLocker I recommend that you configure the "Require additional authentication at startup" local group policy setting first:
- set the policy to "Enabled"
- if your device doesn't have a TPM, tick the "Allow BitLocker without a compatible TPM" checkbox; this enables you to set up BitLocker with a password, preventing the "missing TPM" error
- if your device has a TPM, set the second drop-down box to "Require startup PIN with TPM" and set the other three to "Do not allow"; this enables you to set up BitLocker with a PIN, preventing the insecure "automatic unlock" aka "TPM only" configuration
- Daniel Westerdale, Apr 24, 2018, Iron Contributor
Hi
On my laptop, which does have TPM 2.0: does this look ok?
- Anonymous, Apr 25, 2018
Yep! That's exactly correct.
Now, when enabling BitLocker, this policy will force you to set a TPM-based PIN; that PIN will have the brute-forcing protections of the TPM, which is the best possible protection for your data if the device is ever stolen. You only need to set up this PIN for the OS drive, though; after that your data drives can be set up as auto-unlock drives (they're unlocked when the OS drive is unlocked and are essentially linked; they are secure).
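The four policy steps from the earlier post, followed by the TPM+PIN OS-drive setup and data-drive auto-unlock described in this reply, as one added PowerShell example (not code posted by anyone in the thread). It writes the registry values behind the "Require additional authentication at startup" policy (the drop-down encoding is the one used by FVE.admx: 0 = Do not allow, 1 = Require, 2 = Allow) and then calls the BitLocker cmdlets. The D: data-drive letter and the E:\bitlocker-recovery folder for the recovery passwords are assumptions; change them for your machine.

```powershell
# Added example, not from the original thread: configure the
# "Require additional authentication at startup" policy via its registry
# values, then enable BitLocker with TPM+PIN on C: and auto-unlock on a
# data drive. Run in an elevated PowerShell.
#Requires -RunAsAdministrator

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null

# Drop-down encoding from FVE.admx: 0 = Do not allow, 1 = Require, 2 = Allow.
$tpm = Get-Tpm
$hasTpm = $tpm.TpmPresent -and $tpm.TpmReady
$policy = if ($hasTpm) {
    # TPM machine: "Require startup PIN with TPM", the other three "Do not allow".
    @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 0; UseTPM = 0; UseTPMPIN = 1; UseTPMKey = 0; UseTPMKeyPIN = 0 }
} else {
    # No usable TPM: "Allow BitLocker without a compatible TPM" so a password protector works.
    @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 1 }
}
foreach ($kv in $policy.GetEnumerator()) {
    Set-ItemProperty -Path $fve -Name $kv.Key -Value $kv.Value -Type DWord
}

# Recovery passwords must be stored somewhere other than this laptop.
$recoveryDir = 'E:\bitlocker-recovery'   # assumption: removable/offline location
New-Item -ItemType Directory -Path $recoveryDir -Force | Out-Null

function Save-RecoveryPassword([string]$MountPoint) {
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $file = Join-Path $recoveryDir ("{0}-recovery.txt" -f $MountPoint.TrimEnd(':'))
    $rp.RecoveryPassword | Set-Content -Path $file
}

# OS drive: TPM+PIN (or password without a TPM), plus a recovery password protector.
if ($hasTpm) {
    # Startup PINs are numeric unless the "Allow enhanced PINs for startup" policy is enabled.
    $pin = Read-Host -Prompt 'Startup PIN' -AsSecureString
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmAndPinProtector -Pin $pin -UsedSpaceOnly
} else {
    $pw = Read-Host -Prompt 'Startup password' -AsSecureString
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -PasswordProtector -Password $pw -UsedSpaceOnly
}
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
Save-RecoveryPassword 'C:'

# Data drive: recovery password protector, then auto-unlock keyed to the OS volume.
$dataDrive = 'D:'   # assumption
Enable-BitLocker -MountPoint $dataDrive -EncryptionMethod XtsAes256 -RecoveryPasswordProtector -UsedSpaceOnly
Enable-BitLockerAutoUnlock -MountPoint $dataDrive
Save-RecoveryPassword $dataDrive

Get-BitLockerVolume | Format-Table MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
    @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
```

Enabling the OS-drive protector schedules a hardware test and a reboot before encryption starts; check the final table after that reboot and expect `Tpm,Pin` (or `Password`) plus `RecoveryPassword` on C: and `RecoveryPassword,ExternalKey` on the data drive. The startup PIN set here is BitLocker's pre-boot PIN, which is separate from the Windows Hello sign-in PIN.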
- Daniel Westerdale, Apr 25, 2018, Iron Contributor
Hi
Thanks very much. I did google, but all I could find was the non-TPM configuration. Anyway, I gather the "Hello" PIN doesn't have to be long: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password
Good news on the auto unlock on the data drives. Ok I will go forth and Bitlock my world!
- Daniel Westerdale, Apr 16, 2018, Iron Contributor
Ok, you have convinced me: BitLocker universal it will be. I will report back once I have set the startup policy and enabled it.
- Anonymous, Apr 16, 2018
I'm glad to help.
IT security is more important than ever, but it should never stop you from doing your job.
I'm also glad that you openly asked for outside knowledge/experience, very professional