The Windows 10 operating system was released about 15 months ago and is being used increasingly for both private and business purposes.
Initial enthusiasm for Windows 10 was muted and has not increased much since the launch. The graphical interface e. Scant attention was paid to improving security functions and settings. Some windows 10 enterprise hardening checklist free download these functions were windows 10 enterprise hardening checklist free download withheld from enterprise windows 10 enterprise hardening checklist free download, such as Credential and Device Guard.
Based on the CIS Microsoft Windows 10 BenchmarksI have created a checklist that can be used to harden Windows 10 in both the private and business domain. The hardening checklist can be used for all Windows versions, but the GroupPolicyEditor is not integrated into Windows 10 Home; adjustments have to be carried out directly in the registry. To protect against unauthorized physical access, the hard drive should be encrypted. The integrated BitLocker function can be used for this. Ideally, Bitlocker should be used in combination with SecureBoot.
The integrated Windows Defender solution can be used as anti-virus software. Windows Defender offers adequate protection against known malware and has not been found to have any serious weaknesses. According to an analysisby Will Dormannthis is not yet the case with the current version of Windows EMET should therefore continue to be operated on a correctly hardened system.
In Windows 10, the properties of Windows Update were altered. After a certain amount of time, Windows updates are installed automatically and the system is re-started. This has not been popular with users and has led to the recommendation to deactivate the Windows update processes. This year, there have been at least three privilege escalation vulnerabilities MSMSand MSfor which functioning exploits were published within a few days of the patch being released.
An eight-digit password can be windows 10 enterprise hardening checklist free download out in just a few hours. A new security function blocks untrustworthy fonts truetype fonts but is not active in the windows 10 enterprise hardening checklist free download settings. This function should therefore be activated.
A few vulnerabilities were found in Windows which enable a privilege escalation up to kernel level of the operating system when a font is opened or viewed.
It is now possible to deactivate the support for untrustworthy fonts in order to mitigate the vulnerability. For example, user behavior can be analyzed by capturing telemetry data. These include the storage function OneDrive and the speech recognition software Cortana.
Most of these issues can be managed using group policies and deactivated if required. It is therefore possible to switch off the logging and transmission of error messages to Microsoft, reduce the capturing of telemetry data to a minimum it can only be switched off completely in the Enterprise versionand deactivate cloud applications such as OneDrive or Cortana. Security-related events must be logged and assessed on a hardened system. To do this, the default settings need to be extended.
In order to detect an attempted attack or the misuse of access data at an early stage, failed login attempts should be logged. Strengthening the log settings, however, only helps if the integrity of the logs is assured and they have been recorded properly. The maximum size of the event log should therefore be expanded in order to ensure that no entries can be lost by being overwritten. In addition, access rights should be restricted to administrators.
The full checklist with all settings can be downloaded in text format. The settings should be seen as security recommendations; before accepting them, check carefully whether they will affect the operation of your windows 10 enterprise hardening checklist free download or impair the usability of key functions. A balance should be struck between security and usability. Michael Schneider has been in IT since Since he is focused on information security. He is an expert at penetration testinghardening and the detection of vulnerabilities in operating systems.
He is well-known for a variety of tools written in PowerShell to find, exploit, and mitigate weaknesses. ORCID Windows 10 Client Hardening Instructions for ensuring a secure system. Basic principles To protect against unauthorized physical access, the hard windows 10 enterprise hardening checklist free download should be encrypted.
Auditing and logs Security-related events must be logged and assessed on a hardened system. Full checklist The full checklist with all settings can be downloaded in text format.
About the Author. You want more? Further articles available here.
