Windows Hardning

When you have your Windows OS (Operating System) all decked out, with Windows Defender Firewall and Windows  Defender Real-Time Virus Protection, and have automatic updates enabled. You should also have some other type of Antivirus protection to help Windows Defender tie up end-points that may allow hackers to slip through the cracks. Despite windows defender being so awesome at protecting our data and privacy, we can do some fine-tuning to aid in the defense of our Windows Operating systems.

Keeping in mind the balance between security and availability, the more secure the less available your system becomes, like being prompted by some security setting when we are trying to fulfill a simple task. Windows Hardening really depends on the security requirements of your organization or personal use, most companies will implement security solutions already for you in most cases. So these steps pertain to more small businesses and home users. 

Now before we start let's create a window restore point. Also good idea to be familiar with this feature.

You can adjust the disk space for system backups. Between 2% and 5% is enough.Considering your system at this time is working well let's delete all restore points so we can create a new one.

Now you should be back to System properties

Let's type in a description { point before windows hardening } this note is for your future reference.

System restore point created! Click { Close }

Get in the habit of making restore points on your system before any changes. Some day you will thank yourself!

Fine-tuning Windows Defender 

Now we should see Ransomware protection at the top of the page.There are some features we can enable, starting with 

Controlled Folder access enabled will protect us against PUPsWitch stands for “Potentially unwanted programs”. PUPs come in many forms of malware, so controlling folder access stops these programs from invoking dirt deeds.

Below Controlled folder access, you can see Ransomware data recovery you will need to set up OneDrive for this option. Backing up important data is crucial in today's world, take advantage of this awesome feature, hindsight does not bring back data!

Moving forward 

Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength. This makes it more difficult for threat actors to access your device if you step away from your PC and forget to lock it with { Windows key + L }

How you login into your machine is important. Windows has more than one way to achieve a secure login. Most people use a Password to access Windows machines which ok if you have a strong password. Using multi-factor authentication to log in is ideal, at a bare minimum you should set up a pin. A pin is better than a password because passwords can be used across the web to login into accounts, but a PIN creates an asymmetric key pair that is entangled with hardware so knowing a user's pin is useless without that computer.

To learn more about PINs go here. 

Moving forward 

Leaving your computer unlocked is like leaving the vault open at the bank allowing people to take what they want.


Protection against PUPs “Potentially unwanted programs” as this can be a delivery system for Malware.

Moving forward 

This is a preventative measure protecting against Code Injection.

Naming Workstation’s

Let's start off with the most simple and most missed, Naming your PC! When naming your Workstations give a generic name or just keep the one windows generically gives you. Do not use personal names.

The reason for this is, when threat actors have infiltrated your network you do not what them to see “Accounting PC” or “Dave Joans”. The accounting pc will have financial data and Dave Joans may be the owner of the company so we do not need to paint targets for cybercriminals. Keep hard records of what workstations are used for on paper in a safe location.

Network Wifi and Bluetooth

One question to ask yourself is do I need  Network discovery and File and print sharing turned on? My answer is it depends. If you do not have a shared printer or shared folder on your network and just use your printer VIA USB cable you do not need file and printer sharing enabled. As this feature allows threat actors to laterally Move through the network, one other is to prevent malware from being spread. Network discovery means what it says if your computer is "discoverable" you can be found on the network. By default, Windows Defender Firewall turns these features off, let's check. 

When the other window pops up on the right-hand side of the page 

Now you should see some choices to turn on/off network discover and turn on/off file and print sharing.

Turninning these features on or off depends on your requirements! 

Most Windows computers will automatically connect to open networks, which is not always the best idea for security if you are using a laptop in a public place or maybe, some hacker is parked outside your building with an open wifi access point (homework google this —>Evil Twin Attack) and your pc automatically connects to this network, as you traverse the World Wide Web someone may be logging all of your sensitive data. So let's take control of these features.

Below is an optional setting for privacy you can set { Random hardware addresses } this stops companies from tracking you in public areas, you can turn on random hardware addresses to make it harder for them to track you when your PC scans for networks and connects. Awesome added privacy feature for laptops!


You do not want to allow devices to find you VIA Bluetooth.

Bluetooth settings window should pop up

Click {ok} your done, this is the most important one for Bluetooth. Being discoverable by other Bluetooth devices could make you vulnerable to Bluesnarfing. 

Bluesnarfing is when hackers steal data from unsuspecting victims via Bluetooth connections. Cyberattackers can manipulate Bluetooth technology to get into devices with Bluetooth turned on. So two things we can do is, hide or keep Bluetooth off until needed!


Powershell by default is set not to run scripts. Most cyber experts will say not to disable it as it is a very great tool for IT professionals to use for maintenance and deploying system updates.

One important thing we can do to harden up Powershell is to keep it updated. Let's do just that. 

Thank You!

By: Nick Keenan