Windows 10 enterprise hardening guide free download

Feb 25 · A security guide on how to secure Windows 10 for non-enterprise environments. Hardening is performed using mostly native Windows tools and Microsoft tools. This documentation contains all the hardening steps which are necessary to make Windows 10 more secure. Windows recognizes the User who is sitting at the keyboard with a User

Mar 24 · Some Windows hardening with free tools. First, big thanks to @gw1sh1n and @bitwise for their help on this. Second, as I hear at security meetups, "if you don't own it, don't pwn it".

Apr 11 · The security configuration framework is designed to help simplify security configuration while still allowing enough flexibility to let you balance security, productivity, and user experience. We are defining discrete, prescriptive Windows 10 security configurations (levels 5 through 1) to meet many of the common device scenarios we see today in the enterprise.


Emails, public cloud services, and social media platforms, for example, can all lead to data leaks. Windows Information Protection (WIP) is designed to protect against potential data leaks without disrupting the user experience.

Formerly known as enterprise data protection (EDP), this service is designed to reduce data leak risks originating from bring-your-own-device (BYOD) practices, and it covers both personally-owned and company-owned devices.

WIP does not require modifying existing environments. It is offered as a mobile application management (MAM) mechanism on Windows 10. You can use WIP to manage data policy enforcement for documents and applications on Windows 10 desktop operating systems. It can also help you remove access to company data from all devices. WIP can help separate personal and company data without making employees switch between applications or environments.

The service also provides data protection for existing line-of-business applications without having to update the applications. Additionally, it lets you wipe company data from enrolled Intune MDM devices without having to delete personal data. Another major advantage of WIP is that it provides audit reports that let you track issues as well as remedial actions. In addition to using built-in Windows security tools, described in the previous section, follow this checklist to ensure Windows 10 workstations are adequately protected against security threats.

For more background on hardening operating systems, read our detailed guide to OS hardening. To learn about general Windows hardening best practices and hardening for Windows Server, read our guide to Windows hardening (coming soon).

It is strongly preferred to configure Windows to only allow the installation of approved applications from controlled software repositories or application marketplaces. This can prevent the following security risks.

Whitelisting and blacklisting of executables in Windows 10 can be extremely effective at preventing these attacks. It is advised to create a whitelist of files that are allowed to execute on end-user machines, and do this from scratch, without relying on the files currently running on the machine or a list from an application vendor.

The whitelist should explicitly specify the executables, libraries, scripts, and installers that are allowed to execute.

The Windows Remote Desktop feature in Windows 10 allows users to connect to their computer remotely via a network connection.

A user with remote access can control the computer just as a user with direct access can. The downside of Remote Desktop is that attackers can exploit remote access to wrest control of your system and steal sensitive information or install malware. The remote access feature is disabled by default, and you can easily disable it again once it has been enabled.

Make sure you turn off this feature whenever users are not actively using it.

Microsoft developed PowerShell to enable automated system administration through an integrated interface.

This powerful scripting language is a central part of a system administrator's toolkit: it is ubiquitous and lets you easily control your Microsoft Windows environment.

Unfortunately, attackers can also exploit it to take full control of your system. In particular, earlier PowerShell versions are dangerous because of their security weaknesses, so you should remove PowerShell 2.0.

You should set the language mode to Constrained Language Mode, which helps you balance functionality and security needs.

Make sure that any urgent security update is installed immediately.
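The two PowerShell steps described above, removing the 2.0 engine and checking the language mode, can be audited and applied from an elevated Windows PowerShell 5.1 session. The script below is an added example, not code from any of the guides quoted on this page; it assumes the Windows 10 optional-feature name MicrosoftWindowsPowerShellV2Root for the legacy engine.

```powershell
# Added example: audit and reduce the legacy PowerShell attack surface on Windows 10.
# Run from an elevated Windows PowerShell 5.1 session. Assumes the DISM optional-feature
# name MicrosoftWindowsPowerShellV2Root, which is what Windows 10 uses for the 2.0 engine.
#Requires -RunAsAdministrator

# 1. Is the PowerShell 2.0 engine still installed?
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
Write-Host "PowerShell 2.0 engine state: $($v2.State)"

# 2. Remove it. The 2.0 engine predates script block logging, AMSI integration and
#    language-mode enforcement, so keeping it installed undermines the controls below.
#    -NoRestart defers the reboot; the returned object reports whether one is needed.
if ($v2.State -eq 'Enabled') {
    $result = Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
    Write-Host "PowerShell 2.0 engine disabled. Restart needed: $($result.RestartNeeded)"
}

# 3. Confirm the legacy engine can no longer be started. After removal this prints an
#    error instead of a version number.
powershell.exe -Version 2 -NoProfile -Command '$PSVersionTable.PSVersion' 2>&1 |
    ForEach-Object { Write-Host "Version-2 start attempt: $_" }

# 4. Report the language mode of the current session. FullLanguage means no restriction;
#    ConstrainedLanguage is what the guidance above asks for.
$mode = $ExecutionContext.SessionState.LanguageMode
Write-Host "Current session language mode: $mode"
if ($mode -ne 'ConstrainedLanguage') {
    Write-Warning "Session is not in Constrained Language Mode. Enforce it with a WDAC or AppLocker policy; an environment variable is not a security boundary."
}
```

The language-mode check is deliberately read-only: Constrained Language Mode is only trustworthy when an application control policy (WDAC or AppLocker) enforces it system-wide, which is why the script reports the mode and points at the policy rather than flipping a per-session setting.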

The faster you apply a new security patch, the faster you can fix vulnerabilities and protect yourself from the latest known threats. Your organization likely has a security policy for updating operating systems.

The files are automatically named and receive a timestamp. Using the parameters ReportFile or LogFile, it is also possible to assign your own name and path. The Filter parameter can be used to filter the hardening list. HardeningKitty can be executed with a specific list defined by the parameter FileFindingList. If HardeningKitty is run several times on the same system, it may be useful to hide the machine information.

The parameter SkipMachineInformation is used for this purpose. Backups are important. Really important. Therefore, HardeningKitty also has a function to retrieve the current configuration and save it in a form that can be easily restored.

The Backup switch specifies that the file is written in the form of a finding list and can thus be used for the HailMary mode. The name and path of the backup can be specified with the parameter BackupFile. Please test this function to see if it really works properly on the target system before making any serious changes.

The HailMary method is very powerful. It can be used to deploy a finding list on a system: all findings are set on the system as recommended in the list. With power comes responsibility. Please use this mode only if you know what you are doing, and be sure to have a backup of the system.

Each Passed finding gives 4 points, a Low finding gives 2 points, a Medium finding gives 1 point and a High finding gives 0 points.

The tool can be used to create your own lists and provides additional information on the hardening settings. The source code is under the AGPL license and there is a demo site.

If the default configuration is used, we strongly recommend that departments implement the security features outlined in this document and the baseline settings detailed in the GC Security Baseline for Windows 10. These settings fall into two categories: minimum baseline settings and additional enhanced baseline settings.
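The HardeningKitty workflow described above (back up the current configuration, then audit with your own report and log names, and only then think about HailMary) looks like this in practice. This is an added example, not from the HardeningKitty project itself; the clone location C:\Tools\HardeningKitty and the output folder C:\HardeningKitty-Runs are hypothetical paths, and the parameter names are the ones the text above describes.

```powershell
# Added example: a cautious HardeningKitty run in the order the text recommends:
# back up first, audit second, and never run HailMary without a reviewed backup.
# Assumes the repository has been cloned to C:\Tools\HardeningKitty (hypothetical path)
# so that HardeningKitty.psm1 is there. Run from an elevated session.
#Requires -RunAsAdministrator
Import-Module C:\Tools\HardeningKitty\HardeningKitty.psm1

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = 'C:\HardeningKitty-Runs'     # hypothetical output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Capture the current configuration as a finding list. Because -Backup writes it in
#    finding-list form, HailMary can later replay it to restore the pre-hardening state.
$backup = Join-Path $outDir "backup-$stamp.csv"
Invoke-HardeningKitty -Mode Config -Backup -BackupFile $backup
if (-not (Test-Path $backup)) {
    throw "Backup file was not written; stopping before any change is made."
}

# 2. Audit the machine, choosing our own report and log names instead of the
#    automatic timestamped ones. -SkipMachineInformation keeps repeated runs easy to
#    diff. To audit against a different list, add -FileFindingList <path to list>;
#    to narrow the run to part of a list, add -Filter <text>.
$report = Join-Path $outDir "audit-$stamp.csv"
$log    = Join-Path $outDir "audit-$stamp.log"
Invoke-HardeningKitty -Mode Audit -Log -LogFile $log -Report -ReportFile $report -SkipMachineInformation

Write-Host "Backup : $backup"
Write-Host "Report : $report"
Write-Host "Log    : $log"

# 3. HailMary (Invoke-HardeningKitty -Mode HailMary -FileFindingList <list>) is
#    deliberately not called here. Review the report, keep the backup, and run it
#    only on a system you can afford to rebuild.
```

Keeping the backup path in a variable and refusing to continue when the file is missing is the point of the example: the README's warning that HailMary rewrites every setting in the list only has teeth if the restore file provably exists before anything is changed.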

See Section 8. To establish these settings, we consulted configuration guidance publications developed by other organizations. These settings are considered mandatory for GC departments because they provide most endpoint devices with the level of security required to protect GC information assets and infrastructure against threats.

Certain settings have been selected to be hard-coded. The enhanced baseline settings are operating system settings specific to supporting Protected B environments. The enhanced baseline settings, along with additional security requirements not covered in this document, are required to provide additional security for sensitive information.

Several Windows 10 workarounds and fixes, which are specific to this release, are listed in the subsections below. The algorithms are inherent to the FIPS mode functionality. Application testing should be conducted to determine that Windows 10 can function properly in FIPS mode for a given environment.

Recommendation: Peer-to-peer networking services should not be configured. This setting is intended to lock down specific capabilities, such as real-time communications. These peer-to-peer technologies can reduce requirements for expensive server equipment at each location with sub-optimal bandwidth.

There should be no impact if the setting is turned on.

There is no supported ability to disable PowerShell (Footnote 8). It has become a critical component of the operating system and many applications. However, there are several ways to lock it down slightly for non-privileged users.

Windows 10 supports several sleep states for compatible devices, as described in System Sleeping States (Footnote). The four states that are most commonly encountered on modern hardware are described below.

Note: States S1 and S2 are not detailed below because the issues discussed do not affect these states. Systems waking from other sleep states, such as S3, will proceed directly to the lock screen without a PIN prompt.

State S0 (working)
Power consumption: Maximum. However, the power state of individual devices can change dynamically as power conservation takes place on a per-device basis. Unused devices can be powered down and powered up as needed.

State S3 (sleep)
Power consumption: Less consumption than in state S2. The processor is off, and some chips on the motherboard might be off.
Software resumption: After the wake-up event, control starts from the processor's reset vector.
System hardware context: Only system memory is retained. CPU context, cache contents, and chipset context are lost.

State S4 (hibernation)
System power state S4, the hibernation state, is the lowest-powered sleep state and has the longest wake-up latency. To reduce power consumption to a minimum, the hardware powers off all devices. However, operating system context is maintained in a hibernation file (an image of memory) that the system writes to disk before entering the S4 state. Upon restart, the loader reads this file and jumps to the system's previous pre-hibernation location.

If a computer in state S1, S2, or S3 loses all AC or battery power, it loses system hardware context and therefore must reboot to return to S0. A computer in state S4 can restart from its previous location even after it loses battery or AC power because operating system context is retained in the hibernation file. A computer in the hibernation state uses no power, with the possible exception of trickle current.

Power consumption: Off, except for trickle current to the power button and similar devices.
Software resumption: The system restarts from the saved hibernation file. If the hibernation file cannot be loaded, rebooting is required. Reconfiguring the hardware while the system is in state S4 might result in changes that prevent the hibernation file from loading correctly.
Hardware latency: Long and undefined. Only physical interaction returns the system to the working state. Such interaction might include the user pressing the ON switch or, if the appropriate hardware is present and wake-up is enabled, an incoming ring for the modem or activity on a LAN. The machine can also awaken from a resume timer if the hardware supports it.
System hardware context: None retained in hardware. The system writes an image of memory to the hibernation file before powering down. When the operating system is loaded, it reads this file and jumps to its previous location.

State S5 (shutdown)
In state S5, or shutdown state, the machine has no memory state and is not performing any computational tasks. The only difference between states S4 and S5 is that the computer can restart from the hibernation file in state S4, while restarting from state S5 requires rebooting the system.

Power consumption: Off, except for trickle current to devices such as the power button.
Only physical interaction, such as the user pressing the ON switch, returns the system to the working state. The BIOS can also awaken from a resume timer if the system is so configured.

The guidance in this document forms foundational baseline elements to help harden Windows 10 operating systems.

This document outlines the GPO settings and operations according to this release of Windows 10. Microsoft indicated that continuous improvements will be made to Windows 10; new releases are expected to occur in six-month increments. Significant changes or additions to the workarounds and fixes described in this document will be released as addendums. Windows 10 provides updated security features and tools.

These security features and tools should be used to develop a secure common desktop operating environment for GC departments. To get a copy of the detailed GPO settings, see Section 8.

 


Combined with traditional cybersecurity awareness training for employees, this cloud-based tool can provide an additional level of protection against phishing and malware attacks.

Microsoft Windows Hello is an access control feature that supports biometric identification via fingerprint scanners, iris scanners, and facial recognition technologies on compatible devices running Windows 10.

If administrators decide to allow users to install unknown applications, Windows Sandbox is the perfect solution. It allows you to run new applications in an isolated virtual silo and avoid full exposure to threats.

Windows 10 users can configure the Secure Boot feature so that all code that runs immediately after the operating system starts must be signed by Microsoft or the hardware manufacturer. Secure Boot prevents the installation of hardware-based malware, while safe points offer a safety net for when you have trouble installing new applications.

Encryption processes encode data in a manner that makes it unusable to unauthorized users who do not have the decryption key. The main advantage of encryption is that it turns data into an unreadable form that cannot be used when stolen. Windows offers a feature called BitLocker, which enables you to encrypt entire drives and prevent unauthorized system changes.

BitLocker was designed by Microsoft to provide encryption for disk volumes. It is a free, built-in feature in many Windows versions, including Windows Vista and Windows 10. BitLocker asks users for a password, generates a recovery key, and proceeds to encrypt the entire hard drive.

Enhanced Mitigation Experience Toolkit (EMET) is a security tool designed by Microsoft to provide protection and mitigation for third-party and legacy applications. In newer Windows 10 versions, as well as newer Windows Server versions, EMET comes as part of the exploit protection function of the operating system.

As more organizations allow employees to use their personally-owned devices, the risk of accidental data leaks increases. Employees use many corporate applications and services that cannot be controlled by the organization.

A clean installation of your former operating system will be required, and you will need to re-install all your programs and data.

If you fail to activate this evaluation after installation, or if your evaluation period expires, the desktop background will turn black, you will see a persistent desktop notification indicating that the system is not genuine, and the PC will shut down every hour.

Things to know: Windows 10 Enterprise should work with the same devices and programs that work with Windows 8. In some cases, a device or program might not work or may require an update, or you might need to uninstall some programs and then reinstall them after installing the evaluation.

Downloading Windows 10 Enterprise could take a few hours. The exact time will depend on your provider, bandwidth, and traffic (ISP fees may apply). For the latest information on deprecated features and additional requirements to use certain features, please see the Windows 10 computer specifications. For technical questions, please visit the Windows 10 Tech Community.

Verify download: If you would like to verify the data integrity and authenticity of your download, you can follow these steps: download the ISO file and follow the installation guidelines.

1. Set a password with your screensaver.
2. Turn on your firewall.
3. Disable remote access.
4. Enable or install antivirus protection tools.
5. Enable auto-updates for your operating system.
6. Set up file backups.
7. Turn on encryption.
8. Set up your user accounts.
9. Set up a password manager.

This is one of the first settings that you should change or check on your computer. Get the steps here: How to Disable Automatic Login in Windows 10. Bonus tip: if you do travel with your laptop or work from public places, you may want to get a privacy screen protector.

If you want to check the settings for your Windows Firewall, we have instructions for you here: How to Turn on the Firewall in Windows 10. We have the steps you need to turn off remote access in Windows 10 here: How to Disable Remote Access in Windows 10.

You can use File History and other free tools in Windows 10 to create file backups. You can create a recovery drive to restore your system from an image backup. With a storage-sync-and-share service, you can put your backups in the cloud. These are easy to set up, especially some of the most popular ones like OneDrive, Dropbox, or Google Drive.

You can also set up multiple accounts with different levels of permissions:

Administrator Account: The first account on a Windows 10 PC is a member of the Administrators group and has the right to install software and modify the system configuration.

Standard Account: Additional accounts can and should be set up as Standard users. You can use a Standard user account for your regular use, which limits access to the Administrator account, preventing a nontechnical user from inadvertently making changes to your system or helping block an unwanted software installation.

Guest Account: By default, a Guest account has a blank password.

We are eager to gather feedback on how we could make this guidance more useful, and on whether there are security controls and configurations you feel may be misplaced or missing!

Priority: What do I do next? Comparison: Understanding where you lie in a continuum of security is also valuable.

The security configuration framework The security configuration framework is designed to assist with exactly this scenario. Mimicking the DEFCON levels used to determine alert state by the United States Armed Forces, lower numbers indicate a higher degree of security hardening: Enterprise basic security — We recommend this configuration as the minimum-security configuration for an enterprise device. Recommendations for this security configuration level are generally straightforward and are designed to be deployable within 30 days.

Enterprise enhanced security — We recommend this configuration for devices where users access sensitive or confidential information.

 
 

For example, Microsoft terminated support for Windows 7 in January, so anyone still using it is at risk of new attacks.
