Forum Discussion
Hardening Windows 10
- Aug 05, 2019
I think at least some of the actions you previously had to do are now redundant.
Microsoft Windows Defender is a powerful all-in-one security solution that can cover most of those things. It provides enterprise-class security tools to normal users.
It can protect sensitive folders from unwanted programs, and you can also add your own folders to the list for even more security. I think this makes more sense instead of shifting permission from one user to another.
Windows Defender, especially in 1903 (I'm using Pro edition, so not sure what options are missing in Home, if any), is pretty much a complete solution.
You can try turning on Tamper Protection, Core Isolation, Memory Integrity (these options are turned off by default).
The only thing you should do is turn off services, optional features and protocols that you do not intend to use, and also make Firewall rules for every new app and software you install. For example, a photo editing software you install doesn't need an internet connection. For its updates you can manually install newer versions. Yes, that's some additional work, but you asked for it, because hardening is not going to be easy.
To be honest, Windows 10 itself can only be compromised by zero-day vulnerabilities, those that are not found yet, because Microsoft keeps Windows 10 updated and every 6 months they change the core OS to make it better and more secure. So even if you are a black hat hacker and spend hours and hours trying to make an exploit for Windows 10 using a zero-day bug, you won't be able to use that for long. Microsoft will patch that bug in a day or two, and the constant change in the core OS renders all the old tools useless, all the time.
So all you can worry about is the 3rd party apps and programs you install that increase the attack surface, as each of those 3rd party programs can have security holes and bugs that can be exploited. But again, for those 3rd party programs you can utilize Windows Firewall rules and Windows Defender.
Also don't forget to turn on DEP (Data Execution Prevention) for ALL programs. (By default it is only turned on for essential Windows programs and services.)
Everything I said above was based on the assumption that you have a Windows 10 Home edition (as you mentioned). For real protecting and hardening you need Windows 10 Enterprise E5; one of its most predominant features is the immunity to zero-day attacks. You can read more about it here:
https://faq.rhipe.com/Search/Article/baf6fcbe-f04c-40e5-b88a-2da862a2620d
Have a look at this comparison between different Windows 10 edition security features:
https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2O8jv
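An added example, not part of the original posts: a PowerShell audit of the settings the post above names (controlled folder access, Tamper Protection, Memory Integrity, DEP, per-app firewall rules). The application path, rule name and folder are hypothetical placeholders; run it in an elevated session.

```powershell
# Added example (not from the thread). Read-only, apart from the one firewall rule it creates.
$mp   = Get-MpComputerStatus
$pref = Get-MpPreference
$dg   = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$os   = Get-CimInstance -ClassName Win32_OperatingSystem

# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy values
$depPolicy = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn (Windows components only)'; 3 = 'OptOut (all programs)' }
# Get-MpPreference EnableControlledFolderAccess values
$cfaMode   = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }

[pscustomobject]@{
    RealTimeProtection     = $mp.RealTimeProtectionEnabled
    TamperProtection       = $mp.IsTamperProtected
    ControlledFolderAccess = $cfaMode[[int]$pref.EnableControlledFolderAccess]
    ExtraProtectedFolders  = $pref.ControlledFolderAccessProtectedFolders -join '; '
    # SecurityServicesRunning contains 2 when HVCI (Memory Integrity) is active
    MemoryIntegrityRunning = $dg.SecurityServicesRunning -contains 2
    DepPolicy              = $depPolicy[[int]$os.DataExecutionPrevention_SupportPolicy]
} | Format-List

# Firewall state per profile (Domain / Private / Public)
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# Outbound block rule for an application that needs no network access.
$app  = 'C:\Program Files\ExamplePhotoEditor\editor.exe'   # hypothetical path
$rule = 'Block ExamplePhotoEditor outbound'                # hypothetical rule name
if (-not (Get-NetFirewallRule -DisplayName $rule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $rule -Direction Outbound `
        -Program $app -Action Block -Profile Any | Out-Null
}

# Changes to apply once the audit output has been reviewed (left commented out):
# Set-MpPreference -EnableControlledFolderAccess Enabled
# Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Projects'   # hypothetical folder
# bcdedit.exe /set '{current}' nx OptOut    # DEP for all programs; needs a reboot
# Tamper Protection and Memory Integrity are switched on in the Windows Security app
# (Virus & threat protection settings; Device security > Core isolation).
```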
Sorry I somehow overlooked that you run Windows 10 Home and asked for a home-system. The information below is a little overkill then and can't be done on W10Home anyway.
But for reference, if someone else might need it, I will keep my original post here.
---------------------------------------------------------------------------------------
If you want to secure a modern Windows network you can and should use this guidance: https://github.com/microsoft/SecCon-Framework/blob/master/windows-security-configuration-framework.md
It covers most security tasks, including hardware, settings and behaviors you should implement for different tiers of security (basic, enhanced and high security).
Additionally, for securing access management inside your network, you should read and implement this guidance: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access
- HotCakeX, Mar 20, 2020, MVP
Does the GitHub page you mentioned
https://github.com/microsoft/SecCon-Framework
have something to download or any guide to read? There are only a few MD files there that have basic explanations.
- dretzer, Mar 23, 2020, Iron Contributor
The GitHub page is the guide to read. Open the .md files to read the guidance. It explains what you should have as a minimum for the respective security level you are looking for (in terms of hardware, policies, controls and behavior).
Start with "windows-security-configuration-framework.md" which contains the basic information how to use this framework and what each security level is supposed to provide. Then work your way up level for level. Each successive security level builds on the previous, so to reach a security level of 3 you have to implement level 1 and 2 guidance first. Sadly, the PAW security configurations are still not done in this framework. But the three security levels for productivity devices are complete and can be used as guidance.
If you need configuration and practices for PAWs, look here: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations
There is a new guidance for "Secured-core PCs" available now which you should take as guidance for modern and secure devices: https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure
If you are concerned with high security setups, make sure all your devices fulfill the Secured-core guidance and you implemented everything from level 1 to 3 in the security configuration framework. Additionally, implement privileged access management strategies for your network and servers.