Windows 10 Hardening: background, measures, tips & best practices

With a market share still around 70 percent, Windows 10 is by far the most widely used desktop operating system in the world. Understandably, that makes it a popular target for hackers and other “cyber gangsters”. This is one more reason why you absolutely have to address the secure configuration (“System Hardening”) of Windows 10!

Windows 10 hardening: What does it mean?

“Hardening” in IT terminology is an abbreviation for System Hardening. System Hardening refers to special protective measures to safeguard IT systems such as workstations, servers and cloud systems. The focus here is on the correct configuration of the individual components or parts.

The goal is to disable and/or restrict unneeded services, features and functions so that as little attack surface as possible remains for exploitation. Accordingly, Windows 10 hardening is the System Hardening of a computer that runs Windows 10 as its operating system.

Examples: What hardening of Windows 10 looks like

There is a wide range of measures you can take to harden a Windows 10 system. The following are a few example areas where hardening measures contribute to significantly increased resilience and security:

    • Secure configuration of user accounts, e.g., via strong passwords and multifactor authentication.
    • Secure configuration of network settings, e.g., by enforcing secure protocols and algorithms (TLS 1.2 or higher instead of SSL 1.2 or TLS 1.0).
    • Control of feature and service configuration. For example, Xbox services should be disabled on a Windows 10 workstation used for business purposes. It is also fair to ask why print services need to be enabled on a web server or domain controller.
    • Enabling logging and monitoring so that, if the worst comes to the worst, log data can also be used forensically to track attacker activity.

Good to know: Most of the measures are also suitable for a System Hardening of Windows 11.

Why is Windows 10 hardening so important?

As mentioned at the beginning, Microsoft’s operating system has become widespread in recent years. It is used very frequently in companies as well as in private environments. Accordingly, it is worthwhile for cyber criminals to focus on this operating system and compromise it.

If a Windows 10 system has been configured insecurely – and out of the box the focus is on the greatest possible compatibility rather than security – the door is, figuratively speaking, wide open. With the correct hardening of Windows 10 (e.g. according to DISA, CIS and BSI), you close potential security gaps. This significantly reduces the risk of your company falling victim to a successful cyber attack.

Why do companies need a Windows 10 hardening?

Reducing attack vectors is extremely important for companies because they are a popular target for hackers and other online criminals. Data leakage, sabotage, espionage and blackmail cause extremely high economic damage every year.

In addition to direct damage, indirect damage can also occur. For example, if your company violates the General Data Protection Regulation (GDPR) because poorly secured systems lead to the theft of customer data, you could face hefty fines. In the worst case, these can run into the millions.

The bottom line is that every unhardened Windows 10 represents an enormous risk for your company! System Hardening is more important than ever.

The consequences of this negligence can be severe on several levels, possibly even threatening your very existence!

What happens during Windows 10 System Hardening?

In simple terms, you or IT security experts check the configuration of your Windows 10 systems. If weaknesses in information security, data protection or IT compliance are discovered, they are closed.

Eliminating the vulnerabilities increases the security of Windows 10. On the one hand, this allows data-hungry companies like Microsoft, Facebook or Google to collect less information about users. On the other hand, there are fewer gateways for cyber criminals.

Conclusion: A sensible OS Hardening or specific Windows 10 hardening will improve information security as well as data protection in your company.

[Figure: Excerpt from an FB Pro AuditTAP Windows 10 GDPR report]

Use free Windows 10 hardening & security checklists

Current recommendations such as the BSI’s (Bundesamt für Informationssicherheit / German Federal Office for Information Security) SiSyPHuS study are a good resource for hardening your Windows 10 to the current state of the art.

Other guidelines and recommendations for Windows hardening include those from:

    • Center for Internet Security (CIS)
    • Defense Information Systems Agency (DISA)
    • Australian Cyber Security Centre (ACSC)

You should also use a Windows 10 security checklist from Microsoft. To start, read the guide “Introducing the security configuration framework: A prioritized guide to hardening Windows 10”.

How often does Windows 10 need to be hardened?

While you can harden all Windows computers and use Windows Server System Hardening “in one go,” that’s not the end of it! To keep your systems up to date, appropriate audits must be performed regularly and appropriate adjustments made.

Only if information security is understood as a process and not as a one-off task can regular optimization be incorporated into your company’s DNA.

You should also consider another factor: Support for Windows 10 will end in the foreseeable future. You need to prepare your systems for this as well, and plan for appropriate migration projects.

Please note: Windows security hardening with a sense of proportion!

When hardening Windows 10, many comfort functions are deactivated, for example the autostart function of CDs/DVDs and USB sticks. And you introduce security measures such as the mandatory use of strong passwords, which may not have existed before.

So in some places you have to weigh up how far a System Hardening should or may disable functions, because under certain circumstances the efficiency or productivity of individual employees may suffer.

Windows 10 hardening: How can an audit be performed?

There are several ways to do this. On the one hand, you have the option of following the current recommendations from Microsoft, DISA and CIS. In this case, the audit is performed manually.

On the other hand, you can use special tools such as the free AuditTAP (Audit Test Automation Package). This automatically documents the configuration of your systems and compares it with current recommendations for Windows 10.
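
The kind of automated comparison described above, as an added PowerShell example (not AuditTAP code and not part of the original article). It is read-only and checks the TLS 1.0, AutoRun and Xbox-service settings mentioned in this article; the expected values are assumptions chosen for illustration, so take the real ones from the baseline you follow.

```powershell
# Added example: read-only audit of a few settings named in this article.
# Expected values are illustrative assumptions, not an official baseline.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$checks = @(
    @{ Name = 'TLS 1.0 client disabled'; Path = "$schannel\TLS 1.0\Client"
       Value = 'Enabled'; Expected = 0 }
    @{ Name = 'TLS 1.0 server disabled'; Path = "$schannel\TLS 1.0\Server"
       Value = 'Enabled'; Expected = 0 }
    @{ Name = 'AutoRun disabled on all drive types'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun'; Expected = 255 }
)
$xboxServices = 'XblAuthManager', 'XblGameSave', 'XboxNetApiSvc', 'XboxGipSvc'

$report = foreach ($c in $checks) {
    # A missing key or value means "not configured": the OS default applies,
    # which is reported as a failed check rather than silently skipped.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    $actual = $item.($c.Value)
    [pscustomobject]@{
        Check    = $c.Name
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { 'not configured' } else { $actual }
        Pass     = ($null -ne $actual) -and ($actual -eq $c.Expected)
    }
}

$report += foreach ($name in $xboxServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check    = "Service $name disabled"
        Expected = 'Disabled'
        Actual   = if ($svc) { "$($svc.StartType)" } else { 'not installed' }
        # A service that is not installed cannot run, so it counts as a pass.
        Pass     = (-not $svc) -or ($svc.StartType -eq 'Disabled')
    }
}

$report | Format-Table -AutoSize
"{0} of {1} checks passed" -f @($report | Where-Object Pass).Count, $report.Count
```

The script only reads the registry and service configuration and changes nothing, so it can be run before and after a hardening step to document the difference.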

Which tools are suitable for Windows 10 hardening?

Microsoft used to offer a good tool in the form of SCM (Security Compliance Manager), but its support has now expired. Instead, you can use the Microsoft Security Compliance Toolkit to compare your GPO (Group Policy Objects) with the recommended policies.

In addition, you can find numerous scripts and tools on the Internet, such as Hardentools or HardeningKitty, which promise to perform a quick hardening of Windows 10. Be very careful with such programs, especially if you want to use them to perform Windows 10 hardening on business computers!

If used improperly, such supposedly simple hardening tools can cause considerable damage to your systems!

Can Windows 10 be hardened automatically in a corporate environment?

Yes! Permanent System Hardening of Windows 10 turns out to be very time-consuming if you do it manually. That’s why FB Pro GmbH has encapsulated various approaches to hardening Windows 10 and other systems in the Enforce Administrator.

Enforce Administrator is the central management tool for larger companies and large corporations. Both approaches reliably result in hardened systems.

Windows 10 hardening: Do you need support?

Would you like to professionally harden the Windows 10 computers as well as other systems in your company? FB Pro GmbH’s team of hardening experts will be happy to assist you in word and deed! We audit your systems and perform System Hardening based on recognized standards.
