Tech Master

OneStopTechnical Forum

Windows 10/11 Hardening Checklist

blog.payperitem.com, April 29, 2025

1. OS and Software Updates

  • Enable automatic Windows Updates (including drivers, Defender, Edge).
  • Regularly update all installed software.
  • Disable optional legacy features (like Internet Explorer, SMBv1).

2. Account and Credential Hardening

  • Enforce strong password policies (length, complexity, expiration).
  • Enable Account Lockout after failed logon attempts.
  • Use Microsoft Account, Azure AD Join, or Hybrid Join for personal devices.
  • Use Local Accounts only if absolutely necessary (with strict password policy).
  • Disable local Administrator account (or rename it).
  • Enable Credential Guard (Win 10 Enterprise/Education, Win 11 Pro/Edu/Ent).

3. BitLocker and Disk Encryption

  • Enable BitLocker for all system and data drives.
  • Require PIN/TPM protection for BitLocker pre-boot.
  • Store recovery keys securely (Azure AD, printed copy, or encrypted backup).

4. Windows Defender and Security Features

  • Enable Windows Defender Antivirus with Tamper Protection ON.
  • Enable Microsoft Defender SmartScreen for web protection.
  • Enable Exploit Protection and Controlled Folder Access.
  • Enable Reputation-based Protection (potentially unwanted apps blocking).
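
A read-only way to verify the BitLocker and Defender items in sections 3 and 4 from an elevated PowerShell session. This is an added example, not part of the original checklist; the pass criteria (protection On, a TPM+PIN protector on the OS volume, Controlled Folder Access and PUA blocking in block mode rather than audit mode) are assumptions about how to read the checklist.

```powershell
# Added example: read-only audit of BitLocker and Defender state (run elevated).
$report = @(foreach ($vol in Get-BitLockerVolume) {
    # Key protector types on this volume, e.g. Tpm, TpmPin, RecoveryPassword.
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    [pscustomobject]@{
        Item  = "BitLocker $($vol.MountPoint) protection"
        Value = "$($vol.ProtectionStatus); protectors: $($types -join ', ')"
        Pass  = "$($vol.ProtectionStatus)" -eq 'On'
    }
    if ("$($vol.VolumeType)" -eq 'OperatingSystem') {
        # TpmPin or TpmPinStartupKey means a PIN is required before boot.
        $hasPin = [bool]($types -like 'TpmPin*')
        [pscustomobject]@{
            Item  = "BitLocker $($vol.MountPoint) pre-boot PIN"
            Value = $hasPin
            Pass  = $hasPin
        }
    }
})

$mp   = Get-MpComputerStatus
$pref = Get-MpPreference
$defender = [ordered]@{
    'Defender antivirus enabled'      = $mp.AntivirusEnabled
    'Defender real-time protection'   = $mp.RealTimeProtectionEnabled
    'Defender Tamper Protection'      = $mp.IsTamperProtected
    # 1 = block mode; 2 (audit) and 0 (off) are reported as failing.
    'Controlled Folder Access'        = ($pref.EnableControlledFolderAccess -eq 1)
    'Potentially unwanted app block'  = ($pref.PUAProtection -eq 1)
}
$report += foreach ($name in $defender.Keys) {
    [pscustomobject]@{ Item = $name; Value = $defender[$name]; Pass = [bool]$defender[$name] }
}

$report | Format-Table -AutoSize
```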

5. Firewall and Network Protection

  • Use Windows Defender Firewall — ensure it’s ON for all profiles (Domain, Private, Public).
  • Block all inbound connections except essential services.
  • Enable Network Level Authentication (NLA) for Remote Desktop.
  • Disable unnecessary network protocols (IPv6 if not used, SMBv1, NetBIOS).

6. Remote Access Hardening

  • Disable RDP unless absolutely needed.
  • If RDP is enabled:
    • Use Network Level Authentication (NLA).
    • Change the default RDP port (3389).
    • Restrict access via firewall rules and allowlist IPs.
    • Use RDP Gateways for remote access.
  • Use VPN with MFA instead of exposing RDP or SMB ports.
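
The firewall, SMBv1, NetBIOS and RDP items from sections 5 and 6 can be checked with the read-only audit below, run from an elevated PowerShell session. It is an added example, not part of the original checklist; it reads local settings only, so values delivered by Group Policy under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services are not evaluated, and a failed row is an item to review rather than proof of exposure.

```powershell
# Added example: read-only audit of firewall, SMBv1, NetBIOS and RDP settings.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check($Item, $Value, [bool]$Pass) {
    $results.Add([pscustomobject]@{ Item = $Item; Value = "$Value"; Pass = $Pass })
}

# Firewall: every profile on; default inbound action must not be Allow
# (NotConfigured falls back to the Windows default, which blocks inbound).
foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
    Add-Check "Firewall $($p.Name) enabled" $p.Enabled ("$($p.Enabled)" -eq 'True')
    Add-Check "Firewall $($p.Name) default inbound" $p.DefaultInboundAction `
        ("$($p.DefaultInboundAction)" -ne 'Allow')
}

# SMBv1 server side should be off.
$smb = Get-SmbServerConfiguration
Add-Check 'SMBv1 server (EnableSMB1Protocol)' $smb.EnableSMB1Protocol (-not $smb.EnableSMB1Protocol)

# NetBIOS over TCP/IP per adapter: 0 = DHCP default, 1 = enabled, 2 = disabled.
foreach ($nic in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    Add-Check "NetBIOS on '$($nic.Description)'" $nic.TcpipNetbiosOptions `
        ($nic.TcpipNetbiosOptions -eq 2)
}

# RDP: fDenyTSConnections = 1 means RDP is off; if on, check NLA and the port.
$ts    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp   = Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp"
$rdpOn = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
Add-Check 'RDP enabled' $rdpOn (-not $rdpOn)
if ($rdpOn) {
    Add-Check 'RDP requires NLA (UserAuthentication)' $tcp.UserAuthentication `
        ($tcp.UserAuthentication -eq 1)
    Add-Check 'RDP port changed from 3389' $tcp.PortNumber ($tcp.PortNumber -ne 3389)
}

$results | Format-Table -AutoSize
```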

7. Application Control

  • Enable Smart App Control (Windows 11).
  • Deploy Windows Defender Application Control (WDAC) or AppLocker rules.
  • Restrict script execution (disable PowerShell v2, only allow signed scripts).

8. Browser Hardening

  • Use Edge with enhanced security mode or hardening extensions (uBlock Origin, HTTPS Everywhere).
  • Enable automatic updates for browsers.
  • Block unsafe ActiveX controls and Flash.

9. Device and Hardware Security

  • Ensure Secure Boot is enabled in UEFI.
  • Enable TPM 2.0 (required for Windows 11).
  • Enable Memory Integrity (Core Isolation > Memory Integrity in Windows Security).

10. Privacy and Telemetry

  • Minimize telemetry to Basic or Security (where possible).
  • Disable “Advertising ID” and unwanted diagnostics settings.
  • Turn off location tracking unless necessary.

11. Advanced Policies (Group Policy / Intune / Registry)

  • Audit Logs: Enable logging for Account Logon, Logon Events, Policy Changes.
  • Disable USB Storage unless needed (can be done via GPO).
  • LSA Protection: Enable LSA (Local Security Authority) Protection for credentials.
  • Turn off “Allow remote access to Plug and Play” in registry.
  • Set User Account Control (UAC) to the highest level.
  • Restrict Anonymous Access (various registry and local policy settings).
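
Several of the items above, plus Memory Integrity from section 9, are backed by registry values that can be read without changing anything. The table-driven audit below is an added example, not part of the original checklist. The expected values are assumptions about what each item means in practice (for example, USB storage checked through the USBSTOR driver start type, which is one common method and not the GPO route the checklist mentions), and only local values are read, not settings delivered through policy keys.

```powershell
# Added example: read-only audit of registry values behind the items above.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$dg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'

# Good = values treated as compliant (assumed criteria, adjust to your baseline).
$checks = @(
    # RunAsPPL: 1 = on with UEFI lock, 2 = on without UEFI lock.
    @{ Item = 'LSA Protection';            Path = $lsa; Name = 'RunAsPPL';                   Good = @(1, 2) }
    @{ Item = 'Restrict anonymous enum';   Path = $lsa; Name = 'RestrictAnonymous';          Good = @(1, 2) }
    @{ Item = 'Restrict anonymous SAM';    Path = $lsa; Name = 'RestrictAnonymousSAM';       Good = @(1) }
    @{ Item = 'UAC enabled';               Path = $uac; Name = 'EnableLUA';                  Good = @(1) }
    # 2 = consent on secure desktop ("Always notify"), 1 = credentials on secure desktop.
    @{ Item = 'UAC admin prompt level';    Path = $uac; Name = 'ConsentPromptBehaviorAdmin'; Good = @(1, 2) }
    @{ Item = 'UAC secure desktop';        Path = $uac; Name = 'PromptOnSecureDesktop';      Good = @(1) }
    # Start = 4 disables the USB mass-storage driver; 3 is the default.
    @{ Item = 'USB storage driver off';    Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Name = 'Start';                     Good = @(4) }
    @{ Item = 'Memory Integrity (HVCI)';   Path = $dg;  Name = 'Enabled';                    Good = @(1) }
)

$report = foreach ($c in $checks) {
    # A missing key or value is reported as '<not set>' and fails the check.
    $prop  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($prop) { $prop.($c.Name) } else { $null }
    [pscustomobject]@{
        Item  = $c.Item
        Name  = $c.Name
        Value = if ($null -eq $value) { '<not set>' } else { $value }
        Pass  = ($null -ne $value) -and ($c.Good -contains $value)
    }
}

$report | Format-Table -AutoSize
```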
