Windows Hardening: Detailed Checklist for Windows Server and Windows 10

What is Windows Hardening?

System hardening is the practice of minimizing the attack surface of a computer system or server. The goal is to reduce the number of security weaknesses and vulnerabilities that threat actors can exploit.

System hardening is generally categorized into five areas—server hardening, operating system (OS) hardening, software application hardening, network hardening, and database hardening. Each category involves hardening different areas of the environment.

OS hardening usually involves patching and securing the operating system of a server. Operating system vendors, like Microsoft, usually release updates, service packs, and patches, which users can manually or automatically install.

There are several operating system hardening techniques you can use when implementing Windows hardening. For example, you can encrypt the SSD and HDD that store and host the OS, and remove any unnecessary drivers. You should also limit system access permissions and authentication processes, and restrict privileges.

What are Windows Security Baselines?

Windows and Windows Server are designed with security in mind. Microsoft secures certain aspects and also provides organizations with controls that enable granular security configuration. To help organizations properly leverage security controls, Microsoft provides Security Baselines that offer guidance.

Each Windows Security Baseline is a group of configuration settings based on feedback from Microsoft’s security engineers, as well as product groups, customers, and partners. These Security Baselines are available in a consumable format, including as Group Policy Object Backups.

Windows Security Baselines can help organizations ensure that device and user settings that have already been set up are in compliance with Windows baselines. They can also help set up configuration settings for new operating system installations, for example when using Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy.

Security Baselines are available from the Microsoft Download Center.

Windows Server Hardening Checklist

Use the following checklist to harden a Windows Server installation.

Windows User Configuration

Follow these guidelines to reduce risks from privileged user accounts on Windows Server:

  • Disable the local administrator—it is usually not required, and is a popular target for attackers.
  • Set up a custom admin account—it can be a domain Active Directory (AD) account or a local account in the administrators group.
  • Prefer to run as a regular user account—to reduce the chance of account compromise, connect to the server using a regular user account, and when you need to perform operations that require administrative privileges, request elevation using “Run As” (the Windows equivalent of sudo).

Windows Network Configuration

Take the following precautions to protect a Windows Server machine from network attacks:

  • Place the machine behind the firewall—production Windows Server instances should always run in a protected network segment.
  • Redundant DNS—configure two or more DNS servers and verify name resolution using nslookup.
  • Verify DNS records—ensure the server has an A record and PTR record for reverse DNS lookups.
  • Disable network services—any service the server is not actually using, like IPv6, should be disabled to reduce the attack surface.

Windows Service Configuration

Follow these guidelines to minimize the risk from services running on Windows Server:

  • Disable unused services—many services that run by default on Windows Server may not be required in your specific use case, and should be disabled. Disable any service that is not required for basic functionality. Pay special attention to Windows Server 2008 and 2003, which had a larger number of redundant services.
  • Limit security context—each service runs as a specific user account. By default these are Network Service, Local System, or Local Service accounts. For sensitive application and user services, set up accounts for each service and limit privileges to the minimum required for each service. This limits the ability for privilege escalation and lateral movement.

Network Time Protocol (NTP) Configuration

Windows login and other functions that leverage Kerberos security rely on accurate NTP times. Even a small time difference can break functionality. To avoid service disruption, make sure that:

  • Servers within domains automatically sync time with the domain controller
  • Standalone servers sync with an external time source
  • Domain controllers sync with a time server on an ongoing basis
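
The account, DNS, service and time items above can be verified with a read-only audit such as the following. This is an added example, not part of the original checklist; the function names and pass criteria are assumptions of the example, and it expects an elevated session on a member or standalone server.

```powershell
#Requires -Version 5.1
# Added example: read-only audit of the account, DNS, service and time items above.
# Pass criteria are this example's assumptions, not Microsoft baseline values.

function New-Finding {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-BuiltinAdministrator {
    # The built-in Administrator always has RID 500, so match on the SID rather
    # than the name: the check still works if the account has been renamed.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
    if (-not $admin) {
        return New-Finding 'Built-in Administrator disabled' $false 'No local RID-500 account found'
    }
    New-Finding 'Built-in Administrator disabled' (-not $admin.Enabled) "Account '$($admin.Name)' Enabled=$($admin.Enabled)"
}

function Test-DnsRedundancy {
    # Every connected interface should have two or more IPv4 DNS servers configured.
    foreach ($nic in (Get-NetAdapter | Where-Object Status -eq 'Up')) {
        $servers = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses)
        New-Finding "Redundant DNS on '$($nic.Name)'" ($servers.Count -ge 2) "Servers: $($servers -join ', ')"
    }
}

function Test-DnsRecords {
    # Forward (A) lookup of this server's FQDN, then a reverse (PTR) lookup of each address.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $a = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' }
    New-Finding "A record for $fqdn" ([bool]$a) "Addresses: $($a.IPAddress -join ', ')"
    foreach ($ip in $a.IPAddress) {
        $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'PTR' }
        New-Finding "PTR record for $ip" ([bool]$ptr) "Names: $($ptr.NameHost -join ', ')"
    }
}

function Test-TimeSource {
    # 'Local CMOS Clock' or 'Free-running System Clock' means no upstream time source.
    $source = (& w32tm.exe /query /source 2>&1 | Out-String).Trim()
    $synced = $source -notmatch 'Local CMOS Clock|Free-running System Clock|error'
    New-Finding 'Time synchronised with a source' $synced "Source: $source"
}

function Get-ServiceContextReport {
    # Automatic-start services grouped by logon account. Review services that are
    # not needed, and sensitive services that share a built-in account.
    Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'" |
        Group-Object -Property StartName |
        Sort-Object -Property Count -Descending |
        Select-Object Count,
            @{ n = 'Account';  e = { $_.Name } },
            @{ n = 'Services'; e = { ($_.Group.Name | Sort-Object) -join ', ' } }
}

$findings = @(Test-BuiltinAdministrator) + @(Test-DnsRedundancy) +
            @(Test-DnsRecords) + @(Test-TimeSource)
$findings | Format-Table -AutoSize -Wrap
Get-ServiceContextReport | Format-Table -AutoSize -Wrap
```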

Centralized Event Logs

Windows Server systems generate multiple logs, which can be configured to be more or less verbose. Logs are an important way to gain visibility over server operations for maintenance and security purposes. To provide convenient access to logs for an organization’s Windows Server instances, use a central syslog server, and ensure you have the following capabilities:

  • Ability to assign categories to specific logs or entries
  • Enable full text search and querying of log data
  • Integrate logging with remediation tools to enable automated response to errors

Windows 10 Hardening Checklist

Use the following checklist to harden Windows 10.

Leverage Built-In Windows 10 Security Tools

Enterprise editions of Windows 10 come with several built-in security tools, including:

  • Windows Defender Advanced Threat Protection – an advanced security system that includes state of the art antimalware protection, as well as exploit protection, automated attack surface reduction, application control, and hardware-based isolation.
  • Microsoft SmartScreen – scans downloads and blocks execution of malicious payloads.
  • Windows Sandbox – lets users install untrusted applications in a secure, isolated environment.

In addition to these built-in Microsoft tools, assess your threat environment and deploy additional antivirus or endpoint protection tools on all protected Windows 10 machines.

Application Management

It is strongly preferred to configure Windows to only allow the installation of approved applications from controlled software repositories or application marketplaces. You can do this by setting the “Allow apps from the Store only” option under Apps & Features, or using Windows Defender Code Integrity policies.

This can prevent attackers from emailing malware to users, convincing them to download and install malware, or deploying malware via drive-by downloads or deceptive links on malicious websites. Note that even if you require administrative access on the local machine to install software, attackers can bypass this with social engineering.

Application Control

Many attack vectors rely on execution of malicious code, even if it is not installed on the user’s device. Whitelisting and blacklisting of executables in Windows 10 can be effective at preventing these attacks. Many security best practices advise creating a new whitelist of files that are allowed to execute on end-user machines, without relying on lists from application vendors or existing files on the machine.

However, in real enterprise environments, it can be difficult to create such a whitelist and maintain it across a large number of machines. Whitelists will also tend to be overly restrictive, hurting user productivity.

Disable Remote Access

Windows 10 comes with Microsoft Remote Desktop that provides remote access to a user’s machine. This feature is often used by attackers to gain remote control of user devices, install malware, and steal information. Remote Desktop is disabled by default, but in case users enable it, it is important to make sure it is disabled except when needed for approved, legitimate use.

PowerShell

PowerShell is a scripting language that is extremely powerful in the hands of an attacker. Follow these guidelines to secure systems against PowerShell exploits:

  • Remove PowerShell version 2.0 or earlier, which had security vulnerabilities
  • Set PowerShell to Constrained Language Mode
  • Enable PowerShell logging to provide an audit trail
  • Set an execution policy – a safety feature that specifies under which conditions PowerShell will load configuration files and run scripts

Enable Auto-Updates

Deploy Microsoft security updates on all user devices immediately. Automate and enforce deployment of regular Windows updates—if possible, without the user’s involvement.

Support for Windows 7 ended in January 2020, and so any end-user device running Windows 7 or earlier is at immediate risk of cyberattacks. If users are running an older version of Windows that is no longer supported, upgrade it to a supported version urgently, and in cases where upgrades are not possible, isolate the outdated systems from the network.

Learn more in our detailed guide to Windows 10 hardening 

Windows Hardening with Hysolate

Hysolate provides a fully managed isolated Workspace for Windows 10, for added security for employees and contractors dealing with risky or sensitive activities on their endpoint device.

With Hysolate you can split your users’ endpoint devices into a more secure corporate OS and a less secure OS for daily productivity tasks. This means that one OS can be reserved for corporate access, with strict networking and security policies, and the other can be a more open productivity zone, for accessing necessary but less trusted websites and applications.

Admins can harden the Workspace OS by choosing which applications can be used, and they can remotely deploy applications, as well as deploy patches and security updates from the cloud. Policies can be set for transferring between Workspace and the host OS, including copy/paste, keylogging, screenshotting etc. Unlike traditional browser isolation solutions, Hysolate isolates your whole OS, including websites, files, documents, applications and even peripherals like USBs and printers.

For users, the Hysolate Workspace mimics their native Windows 10 experience, with minimal lag and latency issues. Hysolate takes minutes to be deployed from the cloud, and users can easily switch between the different operating systems with a press of a button.

Try Hysolate Free here, a free isolation solution for Windows 10.


Windows 10 Hardening: 19 Ways to Secure Your Workstations

What Is Windows 10 Hardening?

Windows 10 offers many useful features for businesses. Unfortunately, some of these features, while convenient for users, can increase exposure to cyber threats. If a workstation running Windows 10 is used to perform sensitive activities, store sensitive data, or access sensitive corporate systems, it is essential to optimize its security settings.

You can harden a Windows 10 PC by using built-in Windows features like Windows Defender, Microsoft SmartScreen and Windows Sandbox, and by applying system hardening best practices like disabling remote access and limiting PowerShell capabilities. This can help protect the device and your organization against threats like malware, ransomware, unauthorized access, and privilege escalation.

12 Built-In Windows 10 Security Features

Windows 10 provides extensive built-in security features, which you can use to harden the operating system.

Windows Defender Antivirus

Windows Defender Antivirus is built into Windows, and does not require any manual configuration or support (except for automatic updates). This is a major advantage compared to third party antivirus solutions.

WDA has a built-in firewall and a secure browsing environment to protect users from the most common threats. The firewall supports three network configurations (domain, private and public). In general, this feature is enabled by default (to comply with security-by-default rules) and is effective without any adjustments.

WDA automatically scans each newly downloaded file when a user opens it. It is recommended to perform a deep rootkit scan at least once a month.

Windows Defender Exploit Guard

Microsoft Windows Defender Exploit Guard is anti-malware software that protects Windows 10 users from intrusion. Exploit Guard is available as part of Windows Defender Security Center and can help protect your computer from many types of attacks. For example, it offers memory protection measures to prevent attacks that manipulate internal memory. Other intrusion prevention methods used include reducing the attack surface of applications, preventing malware from accessing folders, and protecting networks from malware.

You can use the Windows Defender Security Center app or Windows PowerShell to change your Exploit Guard settings. You can also manage this tool using the Windows Defender Advanced Threat Protection (ATP) management console. The ATP management console offers detailed reports, including activity alerts for suspicious traffic.

Windows Defender Device Guard

Windows Defender Device Guard is designed to protect your device by whitelisting applications and implementing a code integrity policy. This prevents malicious code from finding its way onto your computer and compromising the operating system.

Code integrity policies determine if software is allowed to run on Windows 10, so IT can block unknown or untrusted plug-ins, applications and add-ons from accessing endpoint devices.

Windows Defender Application Guard

Windows Defender Application Guard is built into Microsoft Edge to protect the desktop from malicious activity. This security tool runs browser sessions in a virtual machine (VM) to isolate them from the desktop.

Trusted sites can be whitelisted so they don’t have to run Windows Defender Application Guard, but any other site accessed must open with this tool. The site is run in an isolated Hyper-V container.

Windows Defender Credential Guard

Windows Defender Credential Guard helps prevent credential theft by isolating login information from the overall operating system.

With Credential Guard, user credentials can only be accessed by privileged software. To prevent brute-force attacks, credential information is stored as randomized, full-length hashes. Domain credentials are also protected.

Microsoft SmartScreen

SmartScreen is a built-in feature that scans and prevents the execution of known malware. It also compares the reliability of emails and websites to Microsoft’s blacklist, so it can alert Windows 10 users when they try to open suspicious content. Combined with traditional cybersecurity awareness training for employees, this cloud-based tool can provide an additional level of protection against phishing and malware attacks.

Windows Hello

Microsoft Windows Hello is an access control feature that supports biometric identification via fingerprint scanners, iris scanners, and facial recognition technologies on compatible devices running Windows 10. The Hello engine allows users to securely log into a device with the necessary hardware components so they don’t have to enter a password.

Windows Sandbox

If administrators decide to allow users to install unknown applications, Windows Sandbox is the perfect solution. It allows you to run new applications in an isolated virtual silo and avoid full exposure to threats.

Windows Secure Boot

The Secure Boot feature safeguards a user’s UEFI/BIOS to protect against ransomware. Windows 10 users can configure the Secure Boot feature so that all code that runs immediately after the operating system starts must be signed by Microsoft or the hardware manufacturer.

UEFI Secure Boot can also create Windows 10 save points. Secure Boot prevents the installation of hardware-based malware, but save points offer a safety net for when you have trouble installing new applications.

Windows BitLocker Encryption

Encryption processes encode data in a manner that makes it unusable to unauthorized users who do not have the decryption key. The main advantage of encryption is that it turns data into an unreadable form that cannot be used when stolen. Windows offers a feature called BitLocker, which enables you to encrypt entire drives and prevent unauthorized system changes.

BitLocker was designed by Microsoft to provide encryption for disk volumes. It is a free and built-in feature in many Windows versions, including Windows Vista and Windows 10. BitLocker asks users for a password, generates a recovery key, and proceeds to encrypt the entire hard drive.

Enhanced Mitigation Experience Toolkit and Exploit Protection

Enhanced Mitigation Experience Toolkit (EMET) is a security tool designed by Microsoft to provide protection and mitigation for third-party and legacy applications. In Windows 10 version 1709 and later, as well as Windows Server 2016 and later, EMET comes as part of the exploit protection function of the operating system.

Windows Information Protection

As more organizations allow employees to use their personally-owned devices, the risk of accidental data leaks increases. Employees use many corporate applications and services that cannot be controlled by the organization. Emails, public cloud services, and social media platforms, for example, can all lead to data leaks.

Windows Information Protection (WIP) is designed to protect against potential data leaks without disrupting user experience. Formerly known as enterprise data protection (EDP), this service is especially designed to reduce data leak risks originating from bring your own device (BYOD) practices, including protection for both personally-owned and company-owned devices.

WIP does not require modifying existing environments. It is offered as a mobile application management (MAM) mechanism on Windows 10. You can use WIP to manage data policy enforcement for documents and applications on Windows 10 desktop operating systems. It can also help you remove access to company data from all devices.

WIP can help separate personal and company data without making employees switch between applications or environments. The service also provides data protection for existing line-of-business applications without having to update the applications. Additionally, it lets you wipe company data from enrolled Intune MDM devices without having to delete personal data.

Another major advantage of WIP is that it provides audit reports that let you track issues as well as remedial actions. You can integrate WIP with existing management systems, including Microsoft Endpoint Configuration Manager and Microsoft Intune. It can also be integrated with existing MDM systems, which can help you set up, deploy, and manage WIP.

7 Best Practices for Windows 10 Hardening

In addition to using built-in Windows security tools, described in the previous section, follow this checklist to ensure Windows 10 workstations are adequately protected against security threats.

For more background on hardening operating systems, read our detailed guide to OS hardening.

To learn about general Windows hardening best practices and hardening for Windows Server, read our guide to Windows hardening (coming soon)

Application Management

It is strongly preferred to configure Windows to only allow the installation of approved applications from controlled software repositories or application marketplaces. This can prevent the following security risks:

  • Attackers can email malicious applications to the user, or use social engineering to convince them to download and install it.
  • Even if you require administrative access on the local machine to install software, users can be convinced to sign in as administrator to install a malicious app.
  • Installing applications via elevated privileges can be exploited by attackers to create a compromised administrator account on the user’s machine.

Related content: Read our guide to application hardening (coming soon)

Application Control

Many attack vectors rely on execution of malicious code, even if it is not installed on the user’s device. Whitelisting and blacklisting of executables in Windows 10 can be extremely effective at preventing these attacks.

It is advised to create a whitelist of files that are allowed to execute on end-user machines, and do this from scratch, without relying on the files currently running on the machine or a list from an application vendor. The whitelist should explicitly specify executables, libraries, scripts, and installers that are allowed to execute.

Disabling Remote Access

The Windows Remote Desktop feature in Windows 10 allows users to connect to their computer remotely via a network connection. A user with remote access can control the computer just like a user with direct access.

The downside of Remote Desktop is that attackers can exploit remote access to wrest control of your system and steal sensitive information or install malware. The remote access feature is disabled by default and you can easily disable it once enabled. Make sure you turn off this feature whenever users are not actively using it.
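
To confirm that Remote Desktop is actually off, as this section and the earlier Windows 10 checklist recommend, the following read-only report checks the setting, the listener, the firewall rules and who is allowed to connect. It is an added example, not part of the original guide; the function names are hypothetical and the firewall group name assumes an English display language.

```powershell
# Added example: read-only report of Remote Desktop exposure on the local machine.
# Assumes the English 'Remote Desktop' firewall rule group name.

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-RemoteDesktopExposure {
    $tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # fDenyTSConnections: 1 = Remote Desktop off, 0 = on. A Group Policy value,
    # when present, overrides the local setting a user can change in Settings.
    $local  = Get-RegistryValue $tsKey 'fDenyTSConnections'
    $policy = Get-RegistryValue $policyKey 'fDenyTSConnections'
    $deny   = if ($null -ne $policy) { $policy } else { $local }

    # The listener port is configurable; fall back to the default if unreadable.
    $port = Get-RegistryValue "$tsKey\WinStations\RDP-Tcp" 'PortNumber'
    if (-not $port) { $port = 3389 }
    $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)

    # Enabled inbound firewall rules that would let RDP traffic reach the listener.
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })

    # Members of the built-in Remote Desktop Users group (well-known SID S-1-5-32-555).
    $members = @(Get-LocalGroupMember -SID 'S-1-5-32-555' -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        RemoteDesktopEnabled  = ($deny -eq 0)
        EnforcedByGroupPolicy = ($null -ne $policy)
        ListenerPort          = $port
        PortListening         = $listening
        InboundRulesEnabled   = $rules.Count
        RemoteDesktopUsers    = ($members.Name -join ', ')
    }
}

function Get-RemoteDesktopGaps {
    param([Parameter(Mandatory)] $Exposure)
    $gaps = @()
    if ($Exposure.RemoteDesktopEnabled) {
        $gaps += 'Remote Desktop is enabled'
    }
    if (-not $Exposure.EnforcedByGroupPolicy) {
        $gaps += 'Setting is not enforced by Group Policy, so a local administrator can re-enable it'
    }
    if ($Exposure.InboundRulesEnabled -gt 0) {
        $gaps += "$($Exposure.InboundRulesEnabled) inbound Remote Desktop firewall rule(s) enabled"
    }
    if ($Exposure.RemoteDesktopUsers) {
        $gaps += "Remote Desktop Users group is not empty: $($Exposure.RemoteDesktopUsers)"
    }
    $gaps
}

$exposure = Get-RemoteDesktopExposure
$exposure | Format-List
Get-RemoteDesktopGaps -Exposure $exposure
```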

PowerShell

Microsoft has developed PowerShell to enable automated system administration through an integrated interface. This powerful scripting language is a central feature of a system administrator toolkit as it is ubiquitous and allows you to easily control your Microsoft Windows environment. Unfortunately, attackers can also exploit this to fully control your system.

In particular, earlier PowerShell versions are dangerous due to their security vulnerabilities, so you should remove PowerShell 2.0 and earlier from your operating system. You should also set the language mode to Constrained Language Mode, which will help you balance your functionality and security needs.

Incident responders can leverage PowerShell’s logging functionality (i.e. transcription, module logging and script block logging) to extract important information following a security incident involving a malicious exploit of PowerShell.
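
The PowerShell items in this section and in the earlier Windows 10 checklist (version 2.0 removal, Constrained Language Mode, logging, execution policy) can be checked with a read-only audit like the one below. It is an added example, not part of the original guide; the function names are hypothetical, and it assumes an elevated session on Windows 10 with logging configured through the Group Policy registry keys.

```powershell
# Added example: read-only audit of the PowerShell hardening items. Run elevated.

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    # Group Policy for PowerShell logging is stored under this policy key.
    $path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\$SubKey"
    (Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-PowerShellHardeningStatus {
    # The 2.0 engine is an optional feature on Windows 10; querying it needs elevation.
    $v2State = try {
        "$((Get-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -ErrorAction Stop).State)"
    } catch {
        'Unknown (run elevated)'
    }

    [pscustomobject]@{
        PowerShellV2State        = $v2State
        # Language mode of the session running this audit. Check it from the user
        # context you intend to constrain, not only from an administrator session.
        LanguageMode             = "$($ExecutionContext.SessionState.LanguageMode)"
        ScriptBlockLogging       = (Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        ModuleLogging            = (Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging') -eq 1
        Transcription            = (Get-PolicyValue 'Transcription' 'EnableTranscripting') -eq 1
        TranscriptDirectory      = Get-PolicyValue 'Transcription' 'OutputDirectory'
        EffectiveExecutionPolicy = "$(Get-ExecutionPolicy)"
        # Per-scope values show where the effective policy comes from.
        ExecutionPolicyByScope   = (Get-ExecutionPolicy -List |
            ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '
    }
}

function Get-PowerShellHardeningGaps {
    param([Parameter(Mandatory)] $Status)
    $gaps = @()
    if ($Status.PowerShellV2State -eq 'Enabled') {
        $gaps += 'PowerShell 2.0 engine is still installed'
    }
    if ($Status.LanguageMode -ne 'ConstrainedLanguage') {
        $gaps += "Session language mode is $($Status.LanguageMode)"
    }
    if (-not $Status.ScriptBlockLogging) { $gaps += 'Script block logging is not enabled by policy' }
    if (-not $Status.ModuleLogging)      { $gaps += 'Module logging is not enabled by policy' }
    if (-not $Status.Transcription)      { $gaps += 'Transcription is not enabled by policy' }
    if ($Status.EffectiveExecutionPolicy -in 'Unrestricted', 'Bypass') {
        $gaps += "Execution policy is $($Status.EffectiveExecutionPolicy)"
    }
    $gaps
}

function Get-RecentScriptBlockEvents {
    param([int]$MaxEvents = 5)
    # Event ID 4104 is written by script block logging. Finding none on a machine
    # in daily use suggests the audit trail is not being produced.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Preview'; e = { $_.Message.Substring(0, [Math]::Min(80, $_.Message.Length)) } }
}

$status = Get-PowerShellHardeningStatus
$status | Format-List
Get-PowerShellHardeningGaps -Status $status
Get-RecentScriptBlockEvents | Format-Table -AutoSize -Wrap
```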

Enable Auto-Updates for Your Operating System

Make sure that any urgent security update is installed immediately. The faster you apply a new security patch, the faster you can fix vulnerabilities and protect yourself from the latest known threats.

Your organization likely has a security policy for updating operating systems. Users should be made aware of the policy so they know whether they should install updates straight away or wait to hear from IT when to install updates. Some companies give the responsibility for updating operating systems to the IT team.

Businesses that are running older versions of Windows are at greater risk. For example, Microsoft terminated support for Windows 7 in January 2020, so anyone still using it is at risk of new attacks. Therefore, it is important to ensure your operating systems are upgraded before you are exposed.

Enable File Backups

Setting up file backups on a regular basis can help prevent critical data loss during disasters like hardware failures or malware attacks. To help you protect your data, Windows 10 offers several tools and features, including:

  • Use File History – this free tool can help you easily back up files.
  • Create recovery drives – serve as backup images from which you can restore a system.
  • Backup to the cloud – use cloud storage services, such as Dropbox, Google Drive, and OneDrive, or enterprise cloud backup solutions, to continuously back up your data.

Host-Based Intrusion Prevention System

The majority of legacy antivirus solutions rely heavily on signature-based detection, which searches for known patterns of malicious code. This technique can help detect known threats but cannot provide protection against unknown variables like new malware and zero-day exploits.

Host-based intrusion prevention systems (HIPS) can help protect against unknown threats. HIPS employs two main technologies – detection via behavioral analysis and network filtering. The system creates a baseline of normal behavior and then looks for anomalous behavior that might indicate an attack, like keystroke logging and process injection. HIPS is an important second line of defense that can stop attacks if they were not detected by antivirus and endpoint protection measures.

Windows 10 Hardening with Hysolate

Hysolate provides a fully managed sandbox on steroids for Windows 10, so admins can harden their Windows OS for employees and contractors.

With Hysolate you can split your users’ endpoint devices into a more secure corporate zone and a less secure zone for daily tasks. This means that one OS can be reserved for corporate access, with strict networking and security policies, and the other can be a more open productivity zone, for accessing necessary but less trusted websites and applications.

For users, the Hysolate Workspace mimics their native Windows 10 experience, with minimal lag and latency issues, and users can easily switch between the different operating systems with a press of a button. Getting set up on Hysolate is simple, and takes minutes to be deployed from the cloud.

Try Hysolate Free here, a free isolation solution for Windows 10


OS Hardening: 10 Best Practices

What is OS Hardening?

Operating system (OS) hardening, a type of system hardening, is the process of implementing security measures and patching for operating systems, such as Windows, Linux, or Apple OS X, with the objective of protecting sensitive computing systems. Hardening an operating system typically includes:

  • Following security best practices and ensuring secure configuration
  • Automatically updating the operating system with patches and service packs
  • Deploying additional security measures such as firewalls, endpoint protection systems, and operating system security extensions such as AppArmor for Linux.

10 Operating System Hardening Best Practices

Although each operating system has its own unique characteristics, there are several hardening practices common to all operating systems. Here are ten best practices that can help you enhance security for your operating systems.

OS Updates

1. Service packs—keep programs up to date and install the latest version. No single action can protect against all attacks, especially against a zero-day attack, but using service packs dramatically reduces these risks.

2. Patch management—includes planning, testing, timely implementation, and continuously auditing, to ensure that operating systems and individual programs on client computers are always patched with the latest updates.

Secure Configuration

3. Clean programs—delete unnecessary and unused programs. Any program installed on your device should be evaluated regularly, as it is a potential entry point for malicious attackers. If software has not been approved or reviewed by the company, it should not be allowed. This technique can help you find and fix security holes and minimize risk.

4. Access control—use features that restrict access to files, networks, and other resources. Access control management features for users and groups are provided by all major operating systems, including Windows, Linux, and OS X. The default settings are usually less strict than needed, so you should configure access to apply the principle of least privilege, and provide access only to those who really need it, when they need it.

5. Group policies—assign users to groups, and define strict privileges for each group, to limit the damage that can be done by careless or malicious users. Continuously update the user policy, and communicate it to end users, to ensure they understand and comply with access privileges.

6. Security templates—use templates to manage and enforce security configurations in a centralized manner. Templates can be used to manage group policies and ensure consistency across the organization.

Additional Security Measures

7. Firewall configuration—not all operating systems have a firewall configured by default, and even if a firewall is running, its rules may not be strict enough. To ensure the firewall is running as needed, you should review and modify your firewall configuration. Ideally, you should set it to allow only traffic from known, approved IP addresses and ports. Unnecessary open ports represent a security risk.

8. Hardening frameworks—use frameworks like AppArmor and SELinux to add improved access control and protect against attacks like buffer overflow and code injection. These frameworks can automatically apply a large number of effective security best practices.

9. Endpoint protection—Windows comes with an advanced endpoint protection solution called Windows Defender. Beyond this solution, there is a selection of mature endpoint protection platforms (EPP) that provide several layers of protection for operating systems – including malware protection, email and social engineering protection, detection of malicious processes, and automated isolation of an OS in case of infection.

10. Data and workload isolation—ensure that sensitive databases or applications run in their own virtual machines or containers, to isolate them from other workloads and reduce the attack surface. Alternatively, you can isolate applications by restricting network access between different workloads. In this way, if attackers take control of one workload, they cannot get access to another.

OS hardening can help you reduce the risk of a successful cyber attack. However, to be truly effective, your OS hardening strategy should be implemented alongside a data backup process. This ensures that you have copies of your data and operational systems, and can use them to restore operations if failure occurs.

Beyond the Basics: Center for Internet Security (CIS) Benchmarks for OS Security

The Center for Internet Security (CIS) is a non-profit organization whose mission is to “identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.” It is a collaborative effort by security and computing experts from governments, universities, and the private sector. The center develops security benchmarks and best practices with broad applicability, using a consensus model.

A CIS benchmark serves as a configuration baseline and also as a set of best practices for securely configuring systems. A benchmark consists of multiple recommendations, each consisting of one or more controls that can be implemented by organizations to improve security for a certain computing system. The recommendations and controls are mapped to compliance standards including ISO 27000, PCI DSS, HIPAA, NIST CSF, and NIST SP 800-53.

For operating systems, CIS provides a series of benchmarks that cover secure configuration, with a dedicated benchmark for all major versions of all popular operating systems – including Windows, Windows Server, OS X, and all common Linux distributions.

CIS also offers pre-configured and hardened OS images, which you can access via major cloud providers. Hardened images are pre-configured with security best practices, and greatly limit security vulnerabilities that may lead to network attacks.

The following are CIS benchmarks and hardened images for common operating systems:

Microsoft Windows Server

  • Security Benchmark Available For Versions: 2017 RTM, 2019 STIG, 2019, 2016 STIG, 2012 R2, 2012, 2008 R2, 2008, 2003
  • Hardened OS Image Available On: AWS, Azure, Google Cloud Platform, Oracle Cloud

Ubuntu Linux

  • Security Benchmark Available For Versions: 20.04 LTS, 18.04 LTS, 16.04 LTS, 14.04 LTS, 14.04 LTS Server, 12.04 LTS Server, 16.04 LTS
  • Hardened OS Image Available On: AWS, Azure, Google Cloud Platform, Oracle Cloud

Red Hat Enterprise Linux (RHEL)

  • Security Benchmark Available For Versions: 8, 7 STIG, 7, 6, 5
  • Hardened OS Image Available On: AWS, Azure, Google Cloud Platform

Apple OS X (MacOS)

  • Security Benchmark Available For Versions: 11.0, 10.15, 10.14, 10.13, 10.12, 10.9, 10.8, 10.12, 10.11, 10.10
  • Hardened OS Images: N/A

To access the CIS benchmarks and hardened OS images:

  • CIS benchmarks are here (filter by Operating Systems)
  • CIS hardened OS images are here

Learn more in our detailed guides about:

  • OS security (coming soon)
  • Windows hardening (coming soon)

OS Hardening with Hysolate

Hysolate is a full OS isolation solution for Windows 10, splitting your endpoint into a more secure corporate zone and a less secure zone for daily tasks. This means that one OS can be reserved for corporate access, with strict networking and security policies, and the other can be a more open zone for accessing untrusted websites and applications.

For users, the Hysolate Workspace mimics their native Windows experience, with minimal lag and latency issues, and users can easily switch between the different operating systems with a press of a button.

Try Hysolate Free here, a free isolation solution for Windows 10.