Windows 10/11 Hardening Checklist

blog.payperitem.com, April 29, 2025

1. OS and Software Updates

  • Enable automatic Windows Updates (including drivers, Defender, Edge).
  • Regularly update all installed software.
  • Disable optional legacy features (like Internet Explorer, SMBv1).

2. Account and Credential Hardening

  • Enforce strong password policies (length, complexity, expiration).
  • Enable Account Lockout after failed logon attempts.
  • Use Microsoft Account, Azure AD Join, or Hybrid Join for personal devices.
  • Use Local Accounts only if absolutely necessary (with strict password policy).
  • Disable local Administrator account (or rename it).
  • Enable Credential Guard (Win 10 Enterprise/Education, Win 11 Pro/Edu/Ent).
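The section above as an added example (not part of the original post): apply the password, lockout, built-in Administrator and Credential Guard items on a standalone or workgroup Windows 10/11 host and report the result. The thresholds, ages and the new administrator name are assumptions; set them to your policy. Run in an elevated PowerShell.

```powershell
# Added example (not from the original post): section 2 items on a standalone host.
# Thresholds, ages and the new administrator name are assumptions; set them to policy.

# Length, history, age and lockout: net accounts is the built-in local-policy tool
net accounts /minpwlen:14 /maxpwage:365 /minpwage:1 /uniquepw:24 | Out-Null
net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15 | Out-Null

# Complexity cannot be set by net accounts; export the local security policy,
# flip PasswordComplexity and import it again with secedit.
$cfg = "$env:TEMP\secpol.inf"
secedit /export /cfg $cfg /quiet
(Get-Content $cfg) -replace 'PasswordComplexity = 0', 'PasswordComplexity = 1' | Set-Content $cfg
secedit /configure /db "$env:TEMP\secpol.sdb" /cfg $cfg /areas SECURITYPOLICY /quiet
Remove-Item $cfg, "$env:TEMP\secpol.sdb" -ErrorAction SilentlyContinue

# The built-in Administrator is RID 500 whatever it is called; find it by SID,
# disable it, and rename it so the well-known name no longer exists.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
Disable-LocalUser -SID $builtin.SID
Rename-LocalUser  -SID $builtin.SID -NewName 'LocalBreakGlass'   # assumed new name

# Credential Guard: the registry values behind the "Turn On Virtualization Based
# Security" policy. LsaCfgFlags 1 = enabled with UEFI lock, 2 = without lock.
# Takes effect after reboot and only on supported editions and hardware.
$dg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
New-Item $dg -Force | Out-Null
Set-ItemProperty $dg  -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
Set-ItemProperty $dg  -Name 'RequirePlatformSecurityFeatures'   -Value 1 -Type DWord  # 1 = Secure Boot
Set-ItemProperty $lsa -Name 'LsaCfgFlags'                       -Value 1 -Type DWord

# Report. SecurityServicesRunning contains 1 when Credential Guard is active.
$dgState = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
[pscustomobject]@{
    LockoutPolicy          = (net accounts | Select-String 'Lockout threshold').ToString().Trim()
    BuiltinAdminDisabled   = -not (Get-LocalUser -SID $builtin.SID).Enabled
    BuiltinAdminName       = (Get-LocalUser -SID $builtin.SID).Name
    CredentialGuardRunning = $dgState.SecurityServicesRunning -contains 1
}
```

On a domain-joined device the password and lockout values come from Group Policy and the `net accounts`/`secedit` lines are overridden at the next policy refresh; the Credential Guard and Administrator steps still apply.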

3. BitLocker and Disk Encryption

  • Enable BitLocker for all system and data drives.
  • Require PIN/TPM protection for BitLocker pre-boot.
  • Store recovery keys securely (Azure AD, printed copy, or encrypted backup).
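Section 3 as an added example (not part of the original post): require TPM+PIN at pre-boot through the policy values the BitLocker GPO writes, enable BitLocker on the OS drive, and escrow the recovery password to Azure AD. It assumes an elevated session, a TPM, and an Azure AD joined device; the PIN is prompted for, not hard-coded.

```powershell
# Added example (not from the original post): BitLocker with TPM+PIN and key escrow.
# Assumes an elevated session, a TPM and an Azure AD joined device.

# Policy equivalent of "Require additional authentication at startup" with PIN
# required: 1 = require, 2 = do not allow. TPM-only is disallowed so a stolen
# device cannot be booted to the logon screen without the PIN.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item $fve -Force | Out-Null
Set-ItemProperty $fve -Name 'UseAdvancedStartup'       -Value 1 -Type DWord
Set-ItemProperty $fve -Name 'UseTPMPIN'                -Value 1 -Type DWord
Set-ItemProperty $fve -Name 'UseTPM'                   -Value 2 -Type DWord
Set-ItemProperty $fve -Name 'UseTPMKey'                -Value 2 -Type DWord
Set-ItemProperty $fve -Name 'UseTPMKeyPIN'             -Value 2 -Type DWord
Set-ItemProperty $fve -Name 'EncryptionMethodWithXtsOs' -Value 7 -Type DWord  # 7 = XTS-AES 256

$osDrive = $env:SystemDrive
$pin = Read-Host -AsSecureString 'Pre-boot PIN (6 or more digits)'

# Enable with TPM+PIN. SkipHardwareTest skips the reboot self-test, acceptable
# in scripted rollouts where the TPM has already been validated on this model.
Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $pin -UsedSpaceOnly -SkipHardwareTest

# Add a 48-digit recovery password and escrow it to Azure AD. On an AD DS
# domain member use Backup-BitLockerKeyProtector instead (escrows to the computer object).
Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $rp.KeyProtectorId

# What a compliance check should assert on every device: protection on, XTS-AES,
# and both a TpmPin and a RecoveryPassword protector present.
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
    @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
```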

4. Windows Defender and Security Features

  • Enable Windows Defender Antivirus with Tamper Protection ON.
  • Enable Microsoft Defender SmartScreen for web protection.
  • Enable Exploit Protection and Controlled Folder Access.
  • Enable Reputation-based Protection (potentially unwanted apps blocking).
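Section 4 as an added example (not part of the original post): turn on the Defender features listed above with `Set-MpPreference`, write the SmartScreen policy values, enable system-wide Exploit Protection mitigations, and report the state. Tamper Protection is deliberately not settable from a local script (that would defeat it); it is turned on in Windows Security or from Intune/the Defender portal, and the report only reads it.

```powershell
# Added example (not from the original post): Defender configuration for section 4.
# Tamper Protection cannot be enabled here by design; the report only reads its state.

Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples
Set-MpPreference -EnableControlledFolderAccess Enabled   # ransomware protection for user folders
Set-MpPreference -PUAProtection Enabled                   # reputation-based blocking of unwanted apps
Set-MpPreference -EnableNetworkProtection Enabled         # blocks connections to known-bad hosts

# SmartScreen for downloads and the Windows shell, machine-wide (policy keys)
$sys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
New-Item $sys -Force | Out-Null
Set-ItemProperty $sys -Name 'EnableSmartScreen'     -Value 1       -Type DWord
Set-ItemProperty $sys -Name 'ShellSmartScreenLevel' -Value 'Block' -Type String  # Warn or Block

# Exploit Protection: system-wide defaults (DEP, bottom-up/high-entropy ASLR, CFG, SEHOP).
# Forcing mitigations on every process can break old software; pilot before broad rollout.
Set-ProcessMitigation -System -Enable DEP, BottomUp, HighEntropy, CFG, SEHOP

# Compliance report. Preference values: 0 = off, 1 = on, 2 = audit.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
[pscustomobject]@{
    RealTimeProtection     = $status.RealTimeProtectionEnabled
    TamperProtected        = $status.IsTamperProtected
    SignatureAgeDays       = $status.AntivirusSignatureAge
    ControlledFolderAccess = $pref.EnableControlledFolderAccess -eq 1
    PUAProtection          = $pref.PUAProtection -eq 1
    NetworkProtection      = $pref.EnableNetworkProtection -eq 1
    SmartScreenPolicy      = (Get-ItemProperty $sys).EnableSmartScreen -eq 1
}
```

Controlled Folder Access in audit mode (`AuditMode`) for a week before switching to `Enabled` shows which line-of-business apps would be blocked from writing to protected folders.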

5. Firewall and Network Protection

  • Use Windows Defender Firewall — ensure it’s ON for all profiles (Domain, Private, Public).
  • Block all inbound connections except essential services.
  • Enable Network Level Authentication (NLA) for Remote Desktop.
  • Disable unnecessary network protocols (IPv6 if not used, SMBv1, NetBIOS).

6. Remote Access Hardening

  • Disable RDP unless absolutely needed.
  • If RDP is enabled:
    • Use Network Level Authentication (NLA).
    • Change the default RDP port (3389).
    • Restrict access via firewall rules and allowlist IPs.
    • Use RDP Gateways for remote access.
  • Use VPN with MFA instead of exposing RDP or SMB ports.
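Sections 5 and 6 as one added example (not part of the original post): firewall on for all profiles with inbound blocked by default, SMBv1 and NetBIOS off, and RDP either disabled outright or, where it is needed, limited to NLA over TLS and a management range. `$rdpNeeded` and `$mgmtNet` are assumed values for this host. Run elevated.

```powershell
# Added example (not from the original post): firewall and remote-access hardening.
# $rdpNeeded and $mgmtNet are assumptions for this host; set them per device.
$rdpNeeded = $false          # section 6: RDP off unless there is a documented need
$mgmtNet   = '10.10.0.0/24'  # constructed: the only range allowed to reach RDP

# Firewall on for all three profiles, inbound blocked by default, dropped
# packets logged so that blocked connection attempts are visible to the SOC.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogMaxSizeKilobytes 16384

# SMBv1 off on the server side, NetBIOS over TCP/IP off on every adapter
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
            -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null   # 2 = disable NetBIOS
    }

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if (-not $rdpNeeded) {
    Set-ItemProperty $ts -Name 'fDenyTSConnections' -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
} else {
    # NLA (UserAuthentication) and TLS (SecurityLayer 2) before any session is
    # created, and the built-in rule group scoped to the management range. A
    # changed port reduces scanner noise but is not an access control; these are.
    Set-ItemProperty $ts -Name 'fDenyTSConnections' -Value 0 -Type DWord
    Set-ItemProperty "$ts\WinStations\RDP-Tcp" -Name 'UserAuthentication' -Value 1 -Type DWord
    Set-ItemProperty "$ts\WinStations\RDP-Tcp" -Name 'SecurityLayer'      -Value 2 -Type DWord
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $mgmtNet
}

# State check: what a compliance scan should see on this host
[pscustomobject]@{
    FirewallAllProfilesOn = -not (Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
    InboundDefaultBlock   = -not (Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' })
    SMB1Disabled          = -not (Get-SmbServerConfiguration).EnableSMB1Protocol
    RdpDisabled           = (Get-ItemProperty $ts).fDenyTSConnections -eq 1
    RdpRequiresNLA        = (Get-ItemProperty "$ts\WinStations\RDP-Tcp").UserAuthentication -eq 1
    RdpRuleRemoteScope    = (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                             Get-NetFirewallAddressFilter).RemoteAddress -join ','
}
```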

7. Application Control

  • Enable Smart App Control (Windows 11).
  • Deploy Windows Defender Application Control (WDAC) or AppLocker rules.
  • Restrict script execution (disable PowerShell v2, only allow signed scripts).
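Sections 1 and 7 share the same mechanism (removing optional legacy components), so one added example (not part of the original post) covers both: disable SMBv1, Internet Explorer 11 and the PowerShell 2.0 engine, set the execution policy to signed scripts, and turn on the PowerShell logging that makes script abuse visible. The Smart App Control registry value is read as documented for Windows 11 (0 = off, 1 = on, 2 = evaluation); treat it as an assumption and confirm it on your build.

```powershell
# Added example (not from the original post): legacy feature removal and script control.
# The Smart App Control registry value is an assumption to confirm on your build.

$legacy = 'SMB1Protocol', 'Internet-Explorer-Optional-amd64',
          'MicrosoftWindowsPowerShellV2', 'MicrosoftWindowsPowerShellV2Root'
foreach ($name in $legacy) {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
    if (-not $feature)                { "$name : not present on this build"; continue }
    if ($feature.State -ne 'Enabled') { "$name : already $($feature.State)";  continue }
    Disable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart | Out-Null
    "$name : disabled (reboot to complete)"
}

# Signed scripts only. Execution policy is a safety rail for users, not a security
# boundary; the enforcement control is WDAC or AppLocker from the list above.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# Script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) and
# module logging, so whatever does run, signed or not, is recorded for detection.
$psPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item "$psPol\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty "$psPol\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
New-Item "$psPol\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty "$psPol\ModuleLogging" -Name 'EnableModuleLogging' -Value 1 -Type DWord
New-ItemProperty "$psPol\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Smart App Control (Windows 11) cannot be switched on by script; once turned off
# it needs a clean install. Report its state alongside the settings above.
$sac = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy' -ErrorAction SilentlyContinue
[pscustomobject]@{
    ExecutionPolicy    = Get-ExecutionPolicy -Scope LocalMachine
    ScriptBlockLogging = (Get-ItemProperty "$psPol\ScriptBlockLogging").EnableScriptBlockLogging -eq 1
    ModuleLogging      = (Get-ItemProperty "$psPol\ModuleLogging").EnableModuleLogging -eq 1
    SmartAppControl    = $sac.VerifiedAndReputablePolicyState
}
```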

8. Browser Hardening

  • Use Edge with enhanced security mode or hardening extensions (uBlock Origin, HTTPS Everywhere).
  • Enable automatic updates for browsers.
  • Block unsafe ActiveX controls and Flash.

9. Device and Hardware Security

  • Ensure Secure Boot is enabled in UEFI.
  • Enable TPM 2.0 (required for Windows 11).
  • Enable Memory Integrity (Core Isolation > Memory Integrity in Windows Security).
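Section 9 as an added example (not part of the original post): check Secure Boot, TPM 2.0 and Memory Integrity (HVCI) with the built-in cmdlets and WMI classes, and enable Memory Integrity through the registry value the Windows Security toggle writes when it is off.

```powershell
# Added example (not from the original post): verify section 9 and enable HVCI if off.
function Get-PlatformSecurityState {
    # Confirm-SecureBootUEFI throws on a legacy-BIOS machine; treat that as "not enabled"
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }
    $tpm        = Get-Tpm
    $tpmSpec    = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm).SpecVersion
    $dg         = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        SecureBootEnabled  = [bool]$secureBoot
        TpmPresentAndReady = $tpm.TpmPresent -and $tpm.TpmReady
        TpmSpecVersion     = $tpmSpec                                   # "2.0, ..." on a TPM 2.0
        Tpm20              = $tpmSpec -like '2.0*'
        VbsRunning         = $dg.VirtualizationBasedSecurityStatus -eq 2 # 0 off, 1 enabled, 2 running
        MemoryIntegrityOn  = $dg.SecurityServicesRunning -contains 2    # 2 = HVCI, 1 = Credential Guard
    }
}

$state = Get-PlatformSecurityState
$state

if (-not $state.MemoryIntegrityOn) {
    # Same value the Core Isolation > Memory Integrity switch sets; needs a reboot.
    # An incompatible (unsigned or legacy) kernel driver will keep it from starting.
    $hvci = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    New-Item $hvci -Force | Out-Null
    Set-ItemProperty $hvci -Name 'Enabled' -Value 1 -Type DWord
    'Memory Integrity enabled in the registry; reboot and re-run to confirm it is running.'
}
```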

10. Privacy and Telemetry

  • Minimize telemetry to Basic or Security (where possible).
  • Disable “Advertising ID” and unwanted diagnostics settings.
  • Turn off location tracking unless necessary.
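Section 10 as an added example (not part of the original post): set the telemetry level, Advertising ID and location policy values machine-wide, with the edition caveat that `AllowTelemetry = 0` (Security) is honoured only on Enterprise, Education and Server; Pro and Home treat it as Basic/Required (1).

```powershell
# Added example (not from the original post): telemetry and privacy policy values.
# 0 = Security (Enterprise/Education/Server only), 1 = Basic/Required, 2 = Enhanced, 3 = Full
$edition        = (Get-CimInstance Win32_OperatingSystem).Caption
$telemetryLevel = if ($edition -match 'Enterprise|Education|Server') { 0 } else { 1 }

$dc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
New-Item $dc -Force | Out-Null
Set-ItemProperty $dc -Name 'AllowTelemetry' -Value $telemetryLevel -Type DWord

# Advertising ID: the policy value disables it for every user on the device
$ad = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
New-Item $ad -Force | Out-Null
Set-ItemProperty $ad -Name 'DisabledByGroupPolicy' -Value 1 -Type DWord

# Location: DisableLocation = 1 turns the location platform off for all apps
$loc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
New-Item $loc -Force | Out-Null
Set-ItemProperty $loc -Name 'DisableLocation' -Value 1 -Type DWord

[pscustomobject]@{
    Edition        = $edition
    AllowTelemetry = (Get-ItemProperty $dc).AllowTelemetry
    AdIdDisabled   = (Get-ItemProperty $ad).DisabledByGroupPolicy -eq 1
    LocationOff    = (Get-ItemProperty $loc).DisableLocation -eq 1
}
```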

11. Advanced Policies (Group Policy / Intune / Registry)

  • Audit Logs: Enable logging for Account Logon, Logon Events, Policy Changes.
  • Disable USB Storage unless needed (can be done via GPO).
  • LSA Protection: Enable LSA (Local Security Authority) Protection for credentials.
  • Turn off “Allow remote access to Plug and Play” in registry.
  • Enable User Account Control (UAC) to the highest level.
  • Restrict Anonymous Access (various registry and local policy settings).
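Section 11 as an added example (not part of the original post): the six items applied with the built-in tools (`auditpol` for audit policy, the registry for the rest) on a standalone host, followed by a state check. In a domain the same values are delivered by GPO or Intune. The `AllowRemoteRPC` value is the one the Device Installation policy writes; confirm it against your ADMX files.

```powershell
# Added example (not from the original post): section 11 local-policy equivalents.
# Run elevated; LSA Protection and USBSTOR changes take effect after reboot.

# Audit logging for the three categories named above, success and failure
foreach ($cat in 'Account Logon', 'Logon/Logoff', 'Policy Change') {
    auditpol /set /category:"$cat" /success:enable /failure:enable | Out-Null
}
wevtutil sl Security /ms:1073741824   # 1 GiB Security log so the extra events are kept

# USB mass storage: Start = 4 disables the USBSTOR driver (3 = start on demand)
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4 -Type DWord

# LSA Protection (RunAsPPL): lsass runs as a protected process so non-protected
# code, even running as administrator, cannot read its memory.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty $lsa -Name 'RunAsPPL' -Value 1 -Type DWord

# Remote access to the Plug and Play interface (policy value; confirm against ADMX)
$di = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Settings'
New-Item $di -Force | Out-Null
Set-ItemProperty $di -Name 'AllowRemoteRPC' -Value 0 -Type DWord

# UAC at the highest level: always notify, prompt on the secure desktop
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty $uac -Name 'EnableLUA'                  -Value 1 -Type DWord
Set-ItemProperty $uac -Name 'ConsentPromptBehaviorAdmin' -Value 2 -Type DWord  # 2 = always notify
Set-ItemProperty $uac -Name 'PromptOnSecureDesktop'      -Value 1 -Type DWord

# Restrict anonymous access: SAM and share enumeration, null sessions
Set-ItemProperty $lsa -Name 'RestrictAnonymous'         -Value 1 -Type DWord
Set-ItemProperty $lsa -Name 'RestrictAnonymousSAM'      -Value 1 -Type DWord
Set-ItemProperty $lsa -Name 'EveryoneIncludesAnonymous' -Value 0 -Type DWord
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    -Name 'RestrictNullSessAccess' -Value 1 -Type DWord

# State check
[pscustomobject]@{
    AuditLogonComplete = -not ((auditpol /get /category:"Logon/Logoff") -match 'No Auditing')
    UsbStorDisabled    = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR').Start -eq 4
    LsaProtection      = (Get-ItemProperty $lsa).RunAsPPL -eq 1
    RemotePnpBlocked   = (Get-ItemProperty $di).AllowRemoteRPC -eq 0
    UacAlwaysNotify    = (Get-ItemProperty $uac).ConsentPromptBehaviorAdmin -eq 2
    AnonymousRestricted = (Get-ItemProperty $lsa).RestrictAnonymous -eq 1
}
```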

