How does system hardening work with Windows 11? Are there any special recommendations for system hardening? We give you an overview of how to harden the new Windows operating system.
Note: We are constantly updating and adding to this post.
Windows 11 also has to be hardened!
Windows 11 was released in October 2021. The goal is clear: Microsoft wants to successively replace the very popular predecessor with its new Windows version.
Visually there are only subtle changes, but under the hood there are some innovations, and some of them make Windows 11 a bit more secure, provided the corresponding security features are actually enabled and used. Nevertheless, even the current mass-market operating system is not immune to hacker attacks and other cyber-attacks. Quite the contrary!
Windows 11 ships with a number of convenience features that make it easier to use. It is precisely these that give data thieves and other attackers an opening to penetrate the system and exfiltrate important information.
What helps against this? System hardening.
How can Windows 11 be hardened?
The good news is that Windows 11 is very similar to its predecessor. The Windows 10 hardening recommendations can therefore largely be applied to the new Windows as well to make your system more secure and resilient.
Basic Windows system hardening includes these measures, among others:
- Using the built-in anti-malware engine (Microsoft Defender), the Windows firewall and Windows Update
- Enabling standard security features such as Credential Guard and Device Guard (virtualization-based security), including the hardware requirements they depend on
- Enabling selected Attack Surface Reduction (ASR) rules
- Using strong passwords and multi-factor authentication
- Clearly restricting user rights (standard user accounts for daily work, separate accounts for administration)
- Disabling convenience features such as AutoRun/AutoPlay for USB sticks and optical media
- Disabling unneeded services, including background services
- Restricting the "data collection frenzy" (telemetry) of browsers and other applications
- Activating security functions in the boot process (for example Secure Boot)
- Actively using encryption technology (for example BitLocker for drives)
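As an added example (not code from the original post or from FB Pro), the following PowerShell function applies a small subset of the measures above to a single Windows 11 host: firewall on all profiles, Defender real-time protection, two ASR rules in Block mode, AutoRun off for all drive types, and the Remote Registry service disabled. It assumes an elevated PowerShell session. The choice of these two ASR rules and of Remote Registry as "unneeded" is an assumption made for illustration; the complete lists belong to the hardening baselines named later in the article.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Run with -WhatIf first to see
# what would change on this host, then without -WhatIf to apply.

function Invoke-BasicHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # 1. Firewall: every profile enabled, inbound blocked by default.
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -ne 'True' -or $p.DefaultInboundAction -ne 'Block') {
            if ($PSCmdlet.ShouldProcess("Firewall profile $($p.Name)", 'Enable, default inbound Block')) {
                Set-NetFirewallProfile -Name $p.Name -Enabled True -DefaultInboundAction Block
            }
        }
    }

    # 2. Anti-malware engine: real-time protection must be on. If it is forced
    #    off by policy, Set-MpPreference will not override that; the check still tells you.
    $mp = Get-MpComputerStatus
    if (-not $mp.RealTimeProtectionEnabled -and
        $PSCmdlet.ShouldProcess('Microsoft Defender', 'Enable real-time protection')) {
        Set-MpPreference -DisableRealtimeMonitoring $false
    }

    # 3. Selected ASR rules in Block mode. Rule GUIDs are taken from Microsoft's
    #    ASR rule reference; which rules you enable is a baseline decision (assumption here).
    $asrRules = @{
        '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
        'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    }
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)   # 0 Off, 1 Block, 2 Audit, 6 Warn
    $current = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $current[$ids[$i].ToLower()] = $actions[$i] }
    foreach ($id in $asrRules.Keys) {
        if ($current[$id] -ne 1 -and $PSCmdlet.ShouldProcess($asrRules[$id], 'Set ASR rule to Block')) {
            Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
        }
    }

    # 4. Convenience feature: AutoRun/AutoPlay off for all drive types
    #    (NoDriveTypeAutoRun = 0xFF, NoAutorun = 1 under the Explorer policy key).
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $cur = (Get-ItemProperty -Path $explorer -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($cur -ne 255 -and $PSCmdlet.ShouldProcess('AutoRun', 'Disable for all drive types')) {
        if (-not (Test-Path $explorer)) { New-Item -Path $explorer | Out-Null }
        Set-ItemProperty -Path $explorer -Name NoDriveTypeAutoRun -Value 255 -Type DWord
        Set-ItemProperty -Path $explorer -Name NoAutorun          -Value 1   -Type DWord
    }

    # 5. Unneeded services: Remote Registry as the classic example. Assumption:
    #    nothing in your environment depends on it; verify before disabling.
    foreach ($name in @('RemoteRegistry')) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -and $svc.StartType -ne 'Disabled' -and
            $PSCmdlet.ShouldProcess("Service $name", 'Stop and disable')) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $name -StartupType Disabled
        }
    }
}

Invoke-BasicHardening -WhatIf   # dry run; remove -WhatIf to apply
```

Each change is gated by ShouldProcess, so -WhatIf produces a readable list of what the host deviates from without touching it, which is the same "check first, then enforce" order the rest of the article follows. In a domain, settings 1, 3 and 4 are normally delivered by Group Policy instead of by a script on each machine; the script is useful for stand-alone hosts and for verifying what a policy actually produced.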
Not to be forgotten are also measures on the hardware level, mostly to be configured via the BIOS / UEFI. This includes these tips, for example:
- The TPM chip should be enabled and actually used (for example as the key protector for BitLocker).
- The Secure Boot feature should be activated.
- A UEFI (setup) password should be configured.
- The boot-menu override that bypasses the configured boot order (usually F12) should be disabled.
Further BIOS/UEFI measures can usually be found in the manuals of the respective manufacturers.
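An added example (not from the original post or from FB Pro): a read-only PowerShell check of the firmware-level prerequisites above and of the Windows features that depend on them. It assumes an elevated PowerShell session and changes nothing. The UEFI password and the boot-menu override cannot be verified from inside the running OS; those two remain a manual check in the firmware setup.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Reports pass/fail per check.

function Get-FirmwareHardeningStatus {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($check, $ok, $detail) {
        $findings.Add([pscustomobject]@{ Check = $check; Pass = [bool]$ok; Detail = $detail })
    }

    # Boot mode: Secure Boot requires UEFI; a legacy/CSM boot cannot be secured this way.
    $uefi = ($env:firmware_type -eq 'UEFI')
    Add-Finding 'UEFI boot (not legacy BIOS/CSM)' $uefi "firmware_type=$($env:firmware_type)"

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy boot or unsupported platforms.
    try { $sb = Confirm-SecureBootUEFI } catch { $sb = $false }
    Add-Finding 'Secure Boot enabled' $sb "Confirm-SecureBootUEFI=$sb"

    # TPM present, ready, and version 2.0 (the Windows 11 requirement).
    try {
        $tpm  = Get-Tpm
        $spec = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm).SpecVersion
    } catch { $tpm = $null; $spec = 'n/a' }
    Add-Finding 'TPM present and ready' ($tpm -and $tpm.TpmPresent -and $tpm.TpmReady) `
        "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
    Add-Finding 'TPM spec version 2.0' ("$spec" -like '2.0*') "SpecVersion=$spec"

    # "TPM actually used": the system drive is BitLocker-protected with a TPM-based protector.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $tpmProtectors = @($os.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
    Add-Finding 'BitLocker on system drive with TPM protector' `
        ($os.ProtectionStatus -eq 'On' -and $tpmProtectors.Count -gt 0) `
        "ProtectionStatus=$($os.ProtectionStatus) Protectors=$(@($os.KeyProtector.KeyProtectorType) -join ',')"

    # Virtualization-based security, Credential Guard and HVCI build on the above
    # plus CPU virtualization support. Win32_DeviceGuard reports what is running:
    #   VirtualizationBasedSecurityStatus: 0 off, 1 enabled but not running, 2 running
    #   SecurityServicesRunning:           1 Credential Guard, 2 HVCI (memory integrity)
    $dg      = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $running = @($dg.SecurityServicesRunning)
    Add-Finding 'Virtualization-based security running' ($dg.VirtualizationBasedSecurityStatus -eq 2) `
        "VBSStatus=$($dg.VirtualizationBasedSecurityStatus)"
    Add-Finding 'Credential Guard running'        ($running -contains 1) "SecurityServicesRunning=$($running -join ',')"
    Add-Finding 'HVCI (memory integrity) running' ($running -contains 2) "SecurityServicesRunning=$($running -join ',')"

    return $findings
}

Get-FirmwareHardeningStatus | Format-Table -AutoSize
```

The checks are ordered as a dependency chain: no Secure Boot without UEFI, no Credential Guard without VBS, and a TPM that is present but not used as a BitLocker protector still leaves the disk readable offline. A failed row near the top therefore usually explains the failures below it.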
Where to find in-depth information for Windows 11 hardening
How companies in particular should harden their Windows systems, which settings are necessary, and which services are considered “not required” can be found in the Hardening Guidelines from the following organizations, among others:
- BSI (German Federal Office for Information Security)
- CIS (Center for Internet Security)
- DISA (Defense Information Systems Agency)
- ACSC (Australian Cyber Security Centre)
- Microsoft (Security Baseline)
For this purpose the BSI has published, among other things, the SiSyPhuS Win10 study. As soon as the hardening recommendations are updated for Windows 11, we will let you know in our blog.
How well is your Windows 11 hardened?
Have you taken initial steps towards system hardening? Do you want to know if your Windows 11 system hardening is sufficient? Then run a check – for example with the free AuditTAP.
AuditTAP checks the configuration of your IT systems with regard to specific, security-relevant settings. Since version 4.14, the tool also supports Windows 11 and Windows Server 2022. The result of the system hardening audit is an easy-to-understand report. This shows where you should further harden your Windows 11 to make it more secure.
With version 5.0 of AuditTAP, additional hardening recommendations for Windows 11 and Server 2022 are supported. Furthermore, the audit tool now also easily and clearly checks standard Windows security features and their status.
You can learn how to perform such a hardening check in this tutorial video:
How to automate Windows 11 hardening?
Hardening systems, when done manually, is a laborious undertaking. One that takes an extreme amount of time if you have dozens or even hundreds of computers in a large organization. It’s hardly something that can realistically be done with “manpower” alone.
The solution to this is automation. Leave the system hardening to a tool that automatically makes the settings and permanently monitors them. The Enforce Administrator offers precisely this standardized solution for complex IT system landscapes.
The hardening tool works according to the so-called no-code method. This means that you do not have to write a line of program code to perform hardening of your systems. This principle is called #NoCodeHardening.
Windows 11 Hardening: Can we support you?
Do you want to harden Windows systems in your company according to the latest findings or introduce a baseline for protection? Do you need continuous monitoring of hundreds of settings? Do you want to be able to easily serve compliance requirements and, for example, generate hardening reports on hundreds of systems at the push of a button?
FB Pro GmbH's team of hardening experts will be happy to support you with advice and hands-on help! We would also be glad to audit a reference system and advise you on how to proceed.