Windows Hardning

When you have your Windows OS (Operating System) all decked out, with Windows Defender Firewall and Windows Defender Real-Time Virus Protection, and have automatic updates enabled. You should also have some other type of Antivirus protection to help Windows Defender tie up end-points that may allow hackers to slip through the cracks. Despite windows defender being so awesome at protecting our data and privacy, we can do some fine-tuning to aid in the defense of our Windows Operating systems.

Keeping in mind the balance between security and availability, the more secure the less available your system becomes, like being prompted by some security setting when we are trying to fulfill a simple task. Windows Hardening really depends on the security requirements of your organization or personal use, most companies will implement security solutions already for you in most cases. So these steps pertain to more small businesses and home users.

Now before we start let's create a window restore point. Also good idea to be familiar with this feature.

Goto search bar type in { restore }
Click on { Create a restore point }
When System Properties pops up click on { Configure }

You can adjust the disk space for system backups. Between 2% and 5% is enough.Considering your system at this time is working well let's delete all restore points so we can create a new one.

Click on { Delete }
Click { Continue }
Click { Close } then { ok }

Now you should be back to System properties

Click { Create }

Let's type in a description { point before windows hardening } this note is for your future reference.

Click { Create }

System restore point created! Click { Close }

Get in the habit of making restore points on your system before any changes. Some day you will thank yourself!

Fine-tuning Windows Defender

Goto search bar type in { security }
Click on { Windows security }
Click on { Virus & threat protection }
Virus & threat protection settings
Click on { Manage settings }
Scroll down to { Controlled folder access }
Click on { Manage Controlled folder access }

Now we should see Ransomware protection at the top of the page.There are some features we can enable, starting with

{ Controlled folder access } Click on.

Controlled Folder access enabled will protect us against PUPsWitch stands for “Potentially unwanted programs”. PUPs come in many forms of malware, so controlling folder access stops these programs from invoking dirt deeds.

Below Controlled folder access, you can see Ransomware data recovery you will need to set up OneDrive for this option. Backing up important data is crucial in today's world, take advantage of this awesome feature, hindsight does not bring back data!

Moving forward

Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength. This makes it more difficult for threat actors to access your device if you step away from your PC and forget to lock it with { Windows key + L }.

Goto search bar type in { security }
Click on { Windows security }
Click on { Account protection }
Click on { Dynamic lock settings }

How you login into your machine is important. Windows has more than one way to achieve a secure login. Most people use a Password to access Windows machines which ok if you have a strong password. Using multi-factor authentication to log in is ideal, at a bare minimum you should set up a pin. A pin is better than a password because passwords can be used across the web to login into accounts, but a PIN creates an asymmetric key pair that is entangled with hardware so knowing a user's pin is useless without that computer.

To learn more about PINs go here.

Moving forward

Below { Manage how you sign in to your devices }
Check box { Allow Windows to automatically lock your device }

Leaving your computer unlocked is like leaving the vault open at the bank allowing people to take what they want.

Goto search bar type in { security }
Click on { Windows security }
Click on { App & browser control }
Scroll to { Potentially unwanted app blocking }
Check { on }
Check { Block apps }
Check { Block Downloads }

Protection against PUPs “Potentially unwanted programs” as this can be a delivery system for Malware.

Moving forward

Goto search bar type in { security }
Click on { Windows security }
Click on { Device security }
Click on { Core isolation details }
Turn on { Memory integrity }

This is a preventative measure protecting against Code Injection.

Naming Workstation’s

Let's start off with the most simple and most missed, Naming your PC! When naming your Workstations give a generic name or just keep the one windows generically gives you. Do not use personal names.

The reason for this is, when threat actors have infiltrated your network you do not what them to see “Accounting PC” or “Dave Joans”. The accounting pc will have financial data and Dave Joans may be the owner of the company so we do not need to paint targets for cybercriminals. Keep hard records of what workstations are used for on paper in a safe location.

Network Wifi and Bluetooth

One question to ask yourself is do I need Network discovery and File and print sharing turned on? My answer is it depends. If you do not have a shared printer or shared folder on your network and just use your printer VIA USB cable you do not need file and printer sharing enabled. As this feature allows threat actors to laterally Move through the network, one other is to prevent malware from being spread. Network discovery means what it says if your computer is "discoverable" you can be found on the network. By default, Windows Defender Firewall turns these features off, let's check.

Goto search bar type in { network }
Click on { Network and Sharing Center }

When the other window pops up on the right-hand side of the page

Click on { Change advanced sharing settings }

Now you should see some choices to turn on/off network discover and turn on/off file and print sharing.

Turninning these features on or off depends on your requirements!

Most Windows computers will automatically connect to open networks, which is not always the best idea for security if you are using a laptop in a public place or maybe, some hacker is parked outside your building with an open wifi access point (homework google this —>Evil Twin Attack) and your pc automatically connects to this network, as you traverse the World Wide Web someone may be logging all of your sensitive data. So let's take control of these features.

Goto search bar type in { network status }
Click on { Wi-fi on the right column }
Click on { the Wi-Fi connection you are currently using }
Connect automatically when in range set to { Off }

Below is an optional setting for privacy you can set { Random hardware addresses } this stops companies from tracking you in public areas, you can turn on random hardware addresses to make it harder for them to track you when your PC scans for networks and connects. Awesome added privacy feature for laptops!

Bluetooth

You do not want to allow devices to find you VIA Bluetooth.

Goto search bar type in { Bluetooth }
Click on { Bluetooth and other device settings }
To the right of the page click on { More Bluetooth settings }

Bluetooth settings window should pop up

Now in the Discovery uncheck the box { Allow Bluetooth devices to find this PC }

Click {ok} your done, this is the most important one for Bluetooth. Being discoverable by other Bluetooth devices could make you vulnerable to Bluesnarfing.

Bluesnarfing is when hackers steal data from unsuspecting victims via Bluetooth connections. Cyberattackers can manipulate Bluetooth technology to get into devices with Bluetooth turned on. So two things we can do is, hide or keep Bluetooth off until needed!

Powershell

Powershell by default is set not to run scripts. Most cyber experts will say not to disable it as it is a very great tool for IT professionals to use for maintenance and deploying system updates.

One important thing we can do to harden up Powershell is to keep it updated. Let's do just that.

Goto search bar type in { Powershell }
- Now right-click on the { Windows PowerShell app }
- Now click { Run as Administrator }
  - let's check the power shell version with this command{ $PSVersionTable }
  - If your PowerShell version is 5.1 or greater you are ok if not keep going forward to update
  - Powershell update command { winget upgrade powershell }
  - When asked Do you type { y } for yes

Thank You!

By: Nick Keenan