- Oct 3, 2022
Introduction
Harden Windows 11 - A Security Guide provides documentation on how to harden your Windows 11 23H2 (configuration pack
version 23H2-A1 2023-11-08). It explains how to secure your Windows 11 computer. The knowledge contained stems from
years of experience starting with Windows Vista. Hardening is performed using mostly native Windows tools and Microsoft
tools.
Malware and hackers attack by exploiting security bugs and vulnerabilities. Even talented programmers make coding bugs; the
evidence of the last 50 years of computing shows this is unavoidable. Some security bugs/vulnerabilities are known to
us - they are contributed by white hat hackers (the good guys) who have notified Microsoft, and MS is doing its part by patching
them. But there are also security vulnerabilities that the black hat hackers (the bad guys) know about and keep to
themselves. So while MS urges us to run Windows Update monthly to patch the known security holes, there are security
vulnerabilities for which there are no solutions, and no amount of patching will do any good.
The solution is to reduce attack surface so that we expose fewer opportunities for exploitation. One core concept is Least
Privilege. When you are using an admin account and you get successfully attacked, the attacker gains admin control over the
whole PC. Least privilege says you don't run as admin for day-to-day tasks, and thus you lessen the chance of a complete
takeover. Another core concept is minimization. You configure your system so that it is only able to do what you normally do,
and nothing else. This minimizes the number of exploitable security bugs that can possibly run and lessens your exposure, which
is called the attack surface. By removing services and programs that listen or respond to the internet 24/7, you take out the
possibility of anybody sending them an exploit. If a new vulnerability is found months down the road, but the affected component
does not run on your system, it is already taken care of, and you won't have to anxiously wait for a patch to arrive. We will
reveal several other security principles, which allow you to adapt and evolve your defenses as threats change with the times.
There are many places in Windows where risk outweighs features, and this hardening guide goes through them one by one. Also, we
will implement several layers of FREE security (anti-malware is not the only thing that does security); if one layer gets broken
through, you still have another, then another.
In today's environment, criminals attack vulnerable PCs to gain access to personal data for identity theft purposes, to steal
your credit card data, to install ransomware and to conduct business espionage. Regular hackers want to get their hands on
anything, spread viruses and laugh at you trying to debug the errors they introduced. So any PC is fair game for intrusion, and
it is not an elaborate thing: attacking a PC only requires a few minutes.
This guide will save you time and headache when dealing with intrusion. It is hacker tested.
Good security consists of deter, deny, delay, detection and remediation. Hardening historically covers the first 3. We will cover
all 5 in this guide. Hardening is more than just setting group policies (which Windows Home users don't have access to). A
good admin will periodically check every machine in an organization for intrusions and errors. And she also performs recovery
quickly to minimize disruption. We show you what to do.
This guide is frequently updated with new technologies, techniques and ideas to improve security. A version number is provided
at the top.
If you followed this hardening guide and you still got hacked, I want to know about it. Security is an ongoing, evolving series of
improvements. Send me a mail on MalwareTips: Victor M.
Harden your Windows 11 Pro using all the built-in security features: WDAC, SRP, Defender Firewall, TLS 1.3, plus free security tools like MS Security Baseline, MalwareBytes Anti-Exploit ... Must-do Security Principles, and how to implement them using Windows settings.