Windows 10 Hardening: 19 Ways to Secure Your Workstations
What Is Windows 10 Hardening?
Windows 10 offers many useful features for businesses. Unfortunately, some of these features, while convenient for users, can increase exposure to cyber threats. If a workstation running Windows 10 is used to perform sensitive activities, store sensitive data, or access sensitive corporate systems, it is essential to optimize its security settings.
You can harden a Windows 10 PC by using built-in Windows features like Windows Defender, Microsoft SmartScreen and Windows Sandbox, and by applying system hardening best practices like disabling remote access and limiting PowerShell capabilities. This can help protect the device and your organization against threats like malware, ransomware, unauthorized access, and privilege escalation.
12 Built-In Windows 10 Security Features
Windows 10 provides extensive built-in security features, which you can use to harden the operating system.
Windows Defender Antivirus
Windows Defender Antivirus is built into Windows, and does not require any manual configuration or support (except for automatic updates). This is a major advantage compared to third-party antivirus solutions.
WDA has a built-in firewall and a secure browsing environment to protect users from the most common threats. The firewall supports three network configurations (domain, private and public). In general, the firewall is enabled by default (in line with secure-by-default principles) and is effective without any adjustments.
WDA automatically scans each newly downloaded file when a user opens it. It is recommended to perform a deep rootkit scan at least once a month.
Windows Defender Exploit Guard
Microsoft Windows Defender Exploit Guard is anti-malware software that protects Windows 10 users from intrusion. Exploit Guard is available as part of Windows Defender Security Center and can help protect your computer from many types of attacks. For example, it offers memory protection measures to prevent attacks that manipulate internal memory. Other intrusion prevention methods used include reducing the attack surface of applications, preventing malware from accessing folders, and protecting networks from malware.
You can use the Windows Defender Security Center app or Windows PowerShell to change your Exploit Guard settings. You can also manage this tool using the Windows Defender Advanced Threat Protection (ATP) management console. The ATP management console offers detailed reports, including activity alerts for suspicious traffic.
Windows Defender Device Guard
Windows Defender Device Guard is designed to protect your device by whitelisting applications and implementing a code integrity policy. This prevents malicious code from finding its way onto your computer and compromising the operating system.
Code integrity policies determine if software is allowed to run on Windows 10, so IT can block unknown or untrusted plug-ins, applications and add-ons from accessing endpoint devices.
Windows Defender Application Guard
Windows Defender Application Guard is built into Microsoft Edge to protect the desktop from malicious activity. This security tool runs browser sessions in a virtual machine (VM) to isolate them from the desktop.
Trusted sites can be whitelisted so they don’t have to run Windows Defender Application Guard, but any other site accessed must open with this tool. The site is run in an isolated Hyper-V container.
Windows Defender Credential Guard
Windows Defender Credential Guard helps prevent credential theft by isolating login information from the overall operating system.
With Credential Guard, user credentials can only be accessed by privileged software. To prevent brute-force attacks, credential information is stored as randomized, full-length hashes. Domain credentials are also protected.
Microsoft SmartScreen
SmartScreen is a built-in feature that scans and prevents the execution of known malware. It also compares the reliability of emails and websites to Microsoft’s blacklist, so it can alert Windows 10 users when they try to open suspicious content. Combined with traditional cybersecurity awareness training for employees, this cloud-based tool can provide an additional level of protection against phishing and malware attacks.
Windows Hello
Microsoft Windows Hello is an access control feature that supports biometric identification via fingerprint scanners, iris scanners, and facial recognition technologies on compatible devices running Windows 10. The Hello engine allows users to securely log into a device with the necessary hardware components so they don’t have to enter a password.
Windows Sandbox
If administrators decide to allow users to install unknown applications, Windows Sandbox is the perfect solution. It allows you to run new applications on an isolated virtual silo and avoid full exposure to threats.
Windows Secure Boot
The Secure Boot feature safeguards a user’s UEFI/BIOS to protect against ransomware. Windows 10 users can configure the Secure Boot feature so that all code that runs immediately after the operating system starts must be signed by Microsoft or the hardware manufacturer.
UEFI Secure Boot can also create Windows 10 save points. Secure Boot prevents the installation of hardware-based malware, but save points offer a safety net for when you have trouble installing new applications.
Windows BitLocker Encryption
Encryption processes encode data in a manner that makes it unusable to unauthorized users who do not have the decryption key. The main advantage of encryption is that it turns data into an unreadable form that cannot be used when stolen. Windows offers a feature called BitLocker, which enables you to encrypt entire drives and prevent unauthorized system changes.
BitLocker was designed by Microsoft to provide encryption for disk volumes. It is a free and built-in feature in many Windows versions, including Windows Vista and Windows 10. BitLocker asks users for a password, generates a recovery key, and proceeds to encrypt the entire hard drive.
Enhanced Mitigation Experience Toolkit and Exploit Protection
Enhanced Mitigation Experience Toolkit (EMET) is a security tool designed by Microsoft to provide protection and mitigation for third-party and legacy applications. In Windows 10 versions, from 1709 and onwards, as well as Windows Server version 2016 and onwards, EMET comes as part of the exploit protection function of the operating system.
Windows Information Protection
As more organizations allow employees to use their personally-owned devices, the risk of accidental data leaks increases. Employees use many corporate applications and services that cannot be controlled by the organization. Emails, public cloud services, and social media platforms, for example, can all lead to data leaks.
Windows Information Protection (WIP) is designed to protect against potential data leaks without disrupting user experience. Formerly known as enterprise data protection (EDP), this service is especially designed to reduce data leak risks originating from bring your own device (BYOD) practices, including protection for both personally-owned and company-owned devices.
WIP does not require modifying existing environments. It is offered as a mobile application management (MAM) mechanism on Windows 10. You can use WIP to manage data policy enforcement for documents and applications on Windows 10 desktop operating systems. It can also help you remove access to company data from all devices.
WIP can help separate personal and company data without making employees switch between applications or environments. The service also provides data protection for existing line-of-business applications without having to update the applications. Additionally, it lets you wipe company data from enrolled Intune MDM devices without having to delete personal data.
Another major advantage of WIP is that it provides audit reports that let you track issues as well as remedial actions. You can integrate WIP with existing management systems, including Microsoft Endpoint Configuration Manager and Microsoft Intune. It can also be integrated with existing MDM systems, which can help you set up, deploy, and manage WIP.
7 Best Practices for Windows 10 Hardening
In addition to using built-in Windows security tools, described in the previous section, follow this checklist to ensure Windows 10 workstations are adequately protected against security threats.
It is strongly preferred to configure Windows to only allow the installation of approved applications from controlled software repositories or application marketplaces. This can prevent the following security risks:
- Attackers can email malicious applications to the user, or use social engineering to convince them to download and install it.
- Even if you require administrative access on the local machine to install software, users can be convinced to sign in as administrator to install a malicious app.
- Installing applications via elevated privileges can be exploited by attackers to create a compromised administrator account on the user’s machine.
Many attack vectors rely on execution of malicious code, even if it is not installed on the user’s device. Whitelisting and blacklisting of executables in Windows 10 can be extremely effective at preventing these attacks.
It is advised to create a whitelist of files that are allowed to execute on end-user machines, and do this from scratch, without relying on the files currently running on the machine or a list from an application vendor. The whitelist should explicitly specify executables, libraries, scripts, and installers that are allowed to execute.
Disabling Remote Access
The Windows Remote Desktop feature in Windows 10 allows users to connect to their computer remotely via a network connection. A user with remote access can control the computer just as a user with direct access can.
The downside of Remote Desktop is that attackers can exploit remote access to wrest control of your system and steal sensitive information or install malware. The remote access feature is disabled by default and you can easily disable it once enabled. Make sure you turn off this feature whenever users are not actively using it.
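The check described above can be scripted. The following is an added example, not code from the original article: the function names are hypothetical, it must be run from an elevated PowerShell session, and it assumes an English-language system where the built-in firewall rule group is named "Remote Desktop".

```powershell
# Added example (not from the original article). Run elevated on Windows 10.
$TsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RemoteDesktopState {
    # fDenyTSConnections = 1 means incoming Remote Desktop connections are refused.
    $deny = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections).fDenyTSConnections

    # Inbound rules in the built-in "Remote Desktop" firewall group that are still enabled.
    # The group name is localized; adjust it on non-English systems (assumption).
    $openRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })

    [pscustomobject]@{
        RemoteDesktopEnabled = ($deny -eq 0)
        OpenFirewallRules    = $openRules.Count
        Hardened             = ($deny -eq 1 -and $openRules.Count -eq 0)
    }
}

function Disable-RemoteDesktop {
    # Refuse new Remote Desktop connections and close the matching firewall rules.
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Get-RemoteDesktopState
}

# Report the current state; call Disable-RemoteDesktop to turn the feature off.
Get-RemoteDesktopState | Format-List
```

A workstation reports `Hardened = True` only when the registry setting refuses connections and no inbound rule in the group is left enabled, which catches the case where Remote Desktop was switched off but the firewall exception was left open.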
Microsoft has developed PowerShell to enable automated system administration through an integrated interface. This powerful scripting language is a central feature of a system administrator toolkit as it is ubiquitous and allows you to easily control your Microsoft Windows environment. Unfortunately, attackers can also exploit this to fully control your system.
In particular, earlier PowerShell versions are dangerous due to their security vulnerabilities, so you should remove PowerShell 2.0 and earlier from your operating system. You should also set the language mode to Constrained Language Mode, which will help you balance your functionality and security needs.
Incident responders can leverage PowerShell’s logging functionality (i.e. transcription, module logging and script block logging) to extract important information following a security incident involving a malicious exploit of PowerShell.
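The PowerShell settings discussed above can be audited on a workstation as follows. This is an added example, not code from the original article: the function names are hypothetical, it must be run from an elevated session, and it assumes the logging settings are deployed through the standard Group Policy registry location.

```powershell
# Added example (not from the original article). Run elevated on Windows 10.
# Group Policy stores the PowerShell logging settings under this policy key.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyFlag {
    param([string]$SubKey, [string]$Name)
    # Returns $true only when the policy value exists and is set to 1.
    $item = Get-ItemProperty -Path "$PolicyRoot\$SubKey" -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$Name -eq 1)
}

function Test-PowerShellHardening {
    param([switch]$RemoveV2)

    if ($RemoveV2) {
        # Removes the legacy PowerShell 2.0 engine, which is an optional Windows feature.
        Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart |
            Out-Null
    }

    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root

    [pscustomobject]@{
        PowerShellV2Removed = ("$($v2.State)" -ne 'Enabled')
        # Language mode of the session running this check (FullLanguage or ConstrainedLanguage).
        LanguageMode        = "$($ExecutionContext.SessionState.LanguageMode)"
        ScriptBlockLogging  = Get-PolicyFlag 'ScriptBlockLogging' 'EnableScriptBlockLogging'
        ModuleLogging       = Get-PolicyFlag 'ModuleLogging'      'EnableModuleLogging'
        Transcription       = Get-PolicyFlag 'Transcription'      'EnableTranscripting'
    }
}

# Audit only; add -RemoveV2 to also remove the PowerShell 2.0 engine.
Test-PowerShellHardening | Format-List
```

The three logging flags correspond to the "Turn on PowerShell Script Block Logging", "Turn on Module Logging" and "Turn on PowerShell Transcription" settings under Administrative Templates > Windows Components > Windows PowerShell, which is the usual place to enable them across a fleet.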
Enable Auto-Updates for Your Operating System
Make sure that any urgent security update is installed immediately. The faster you apply a new security patch, the faster you can fix vulnerabilities and protect yourself from the latest known threats.
Your organization likely has a security policy for updating operating systems. Users should be made aware of the policy so they know whether they should install updates straight away or wait to hear from IT when to install updates. Some companies give the responsibility for updating operating systems to the IT team.
Businesses that are running older versions of Windows are at greater risk. For example, Microsoft terminated support for Windows 7 in January 2020, so anyone still using it is at risk of new attacks. Therefore, it is important to ensure your operating systems are upgraded before you are exposed.
Enable File Backups
Setting up file backups on a regular basis can help prevent critical data loss during disasters like hardware failures or malware attacks. To help you protect your data, Windows 10 offers several tools and features, including:
- File History – this free tool can help you easily back up files.
- Recovery drives – these serve as backup images from which you can restore a system.
- Cloud backup – use cloud storage services, such as Dropbox, Google Drive, and OneDrive, or enterprise cloud backup solutions, to continuously back up your data.
Host-Based Intrusion Prevention System
The majority of legacy antivirus solutions rely heavily on signature-based detection, which searches for known patterns of malicious code. This technique can help detect known threats but cannot provide protection against unknown variables like new malware and zero-day exploits.
Host-based intrusion prevention systems (HIPS) can help protect against unknown threats. HIPS employs two main technologies – detection via behavioral analysis and network filtering. The system creates a baseline of normal behavior and then looks for anomalous behavior that might indicate an attack, like keystroke logging and process injection. HIPS is an important second line of defense that can stop attacks if they were not detected by antivirus and endpoint protection measures.
Windows 10 Hardening with Hysolate
Hysolate provides a fully managed sandbox on steroids for Windows 10, so admins can harden their Windows OS for employees and contractors.
With Hysolate you can split your users’ endpoint devices into a more secure corporate zone and a less secure zone for daily tasks. This means that one OS can be reserved for corporate access, with strict networking and security policies, and the other can be a more open productivity zone, for accessing necessary but less trusted websites and applications.
Admins can harden the Workspace OS by choosing which applications can be used, and they can remotely deploy applications, as well as deploy patches and security updates from the cloud. Policies can be set for transferring between Workspace and the host OS, including copy/paste, keylogging, screenshotting etc. Unlike traditional browser isolation solutions, Hysolate isolates your whole OS, including websites, files, documents, applications and even peripherals like USBs and printers.
For users, the Hysolate Workspace mimics their native Windows 10 experience with minimal lag and latency issues, and users can easily switch between the different operating systems with the press of a button. Getting set up on Hysolate is simple, and it takes minutes to deploy from the cloud.