Q&A Harden Windows 10 - A Security Guide

SecureKongo


Introduction

Harden Windows 10 - A Security Guide provides documentation on how to harden your Windows 10 21H1 (configuration pack version 21H1-B 2021-08-02). It explains how to secure your Windows 10 computer. The knowledge contained stems from years of experience starting with Windows Vista. Hardening is performed using mostly native Windows tools and Microsoft tools.

Malware and hackers attack by exploiting security bugs and vulnerabilities. Even talented programmers make coding bugs; this is guaranteed by the evidence of the last 50 years of computing, and is unavoidable. The solution is to reduce attack surface so that we expose fewer opportunities for exploitation. One core concept is Least Privilege: when you are using an admin account and you get successfully attacked, the attacker gains admin control over the whole PC. Least privilege says you don't run as admin for day-to-day tasks, and thus you lessen the chance of a complete takeover. Another core concept is minimization. You configure your system so that it is only able to do what you normally do, and nothing else. This minimizes the number of exploitable security bugs that can possibly run and lessens your exposure, which is called the attack surface. By removing services and programs that listen or respond to the internet 24/7, you take out the possibility of anybody sending them an exploit. If a new vulnerability is found months down the road, but it does not run on your system, it is already taken care of. We will reveal several other security principles, which allow you to adapt and evolve your defenses as threats change with the times. There are many places in Windows where risk outweighs features, and this hardening guide goes through them one by one. Also, we will implement several layers of FREE security (anti-malware is not the only thing that does security); if one layer gets broken through, you still have another, then another.
 

Vitali Ortzi

I'd rather have my machines usable, so no thanks.
This is so restrictive it's not even funny.
This definitely has its use case, but I don't wanna be that guy who needs to troubleshoot when my family tries to run a game with an anti-cheat or Zoom.
Used to have more restrictions for my family, but I'm too busy working as a servant in a restaurant for minimum wage and no tips (tips go to the business lol).
 

Gangelo

This definitely has its use case, but I don't wanna be that guy who needs to troubleshoot when my family tries to run a game with an anti-cheat or Zoom.
I agree. There are some things here and there that someone can implement, but this is literally crippling the OS, chopping parts and services away like there is no tomorrow. You can be sure that something will go wrong while using this system, and I completely hate micromanaging every single error trying to find the cause.

Using Arch Linux would be easier than this.
 

Andy Ful

I often recommend some hardening, but not of this kind. Most people will probably suffer after applying the tweaks proposed in the Guide. Many options are not relevant to Home users and will produce serious problems in the Business environment. Furthermore, some hardening tweaks (proposed in the Guide) can give users a false sense of security and are totally ineffective. For example, after disabling Autorun and Autoplay, one can think that using a USB stick, CD, or DVD from unsafe sources is OK. In fact, there is no need to disable Autorun or Autoplay. They are disabled for USB devices by default (from Windows Vista SP2) and because of this, attackers use Bad USB nowadays. Also, disabling these features for CD or DVD is totally ineffective because CD and DVD disks are used to install something (game, application), so the user will run the malware himself.

This Guide will be helpful for people who understand the consequences of proposed tweaks, can choose some of them to support already installed security, and can easily revert to the default setup.
 