3 years ago 2 years ago Hardening Share

Hardening Windows – How to Secure and Protect Windows

How to Harden/Protect Windows 10

I’ve gone through a fair bit of this page https://www.hardenwindows10forsecurity.com/ on my own Windows installations. There are many key techniques mentioned. Some are: creating a non-administrator-privileged user account for daily use, going over the list of services and other things like network protocols, and disabling anything not really needed, and setting up the Windows Firewall to work in both incoming (like default) and also outgoing mode (so that only whitelisted executables can access the internet).

When I had Windows 7 it was a bit more hardened because I had the Ultimate version, which had the Software Restriction Policy option available, unlike the Home Edition of Windows 10 that came preinstalled on my current PC. The SRP meant that nothing could run unless it was located in a whitelisted directory (e.g. C:\Program Files). The SRP combined with using a non-privileged user account (which didn’t have the permission to write to any of the whitelisted program directories) meant that it would take vastly more effort for a hacker to get malicious code running on my system. Since nothing running under my normal account could write to any directory in which code could be run, then anything which got into the system (like an .exe in a temp file) would not run. Without the SRP, it could run, but the outgoing firewall would block it accessing the internet.

I noticed just then that the current version of this web page for Windows 10 mentions a free product called “Simple Software Restriction Policy 2.1 by IWR Consultancy”, which I might give a try sometime. When I got my current PC (about 2 years ago) there was a free option for this mentioned on the then-current version of this web page, and I gave it a try, though there were a lot of limitations, and it seemed more hassle than it was worth, and gave up on it. Perhaps the new version mentioned here is better. It did feel extra secure having one on Windows 7, and knowing that a lot of the malicious executable code that might find its way into my machine somehow would just not run.

More Details

I've learned a lot from this page (and not only about security but some of the features of Windows also)

https://www.hardenwindows10forsecurity.com/

When I forget how to find the page, I search for hardening windows 10, and then its the page with the bright orange background (clever idea that) which makes it stand out, and its usually in the top few results (it was about #5 for me this time)

I havent done everything on it as its massively long. 

I didn't buy his scripts but did it manually.

The main features are (trying to remember as it was a while ago):

Make a user account with only normal priveleges and not administrator ones, and use that account for your daily use. Only use the admin account when you are doing a lot of admin tasks on the OS.

Set up the Windows Defender Firewall to work in outgoing mode also. By default, the firewall only looks at incoming traffic to your PC but ignores everything outgoing from your PC to the internet. If you enable the outgoing mode, then only apps which are specifically on the whitelist of allowed apps can talk to the internet at all. This is really good for security, since it means if you end up with a malicious script somehow, the script wont be able to access the internet (unless its somehow writing itself over an exe that is already on your whitelist).

If your Windows OS is advanced enough (I think the cheapest "home" one does not have this feature unf) , you can set up a Software Restriction Policy . this will only allow programs in specifically allowed directories to run at all (!!) . you have to be somewhat careful setting this up as it would be possible to lock yourself out of being able to do anything , even to run the config for this, to undo it. But it is an amazing feature if you can be bothered as it means that only programs in allowed folder (e.g. program files) can run at all.

Both the 2 above features (Esp the 2nd) do make it more of a hassle to install new apps though. some apps are worse than others dep on how they are configured to install. ones that install to your user folder (like in "appdata") are usually more of a hassle, esp with the Software Restriction Policy, as you then have to allow that folder specifically.

e.g. if you have an outgoing firewall, then you have to find the location of the .exe and allow it in the list in the firewall control panel before it can access the net at all. 

Also some apps are annoying , like i have a FB desktop app that changes its location every time it updates , so  i have to go into the firewall settings and update that.

also, I've disabled v many of the services and other things he says to in the orange web page, though not all of them

 apart from the security advantage , a lot of it is also just a good exercise in learning Windows Admin skills

I had sandboxie for a while but later versions didnt seem to work anymore so i gave up on it.

if you have a VM you can use that for anything you might ever look at which has more chance of having malicious content, and that is prob better than just a sandbox anyway, since its effectively a sandbox for the whole OS thats running in the VM and not just for individual apps like sandboxie is

I think Linux now must be a lot more secure than it used to be "out of the box" i.e. on a fresh install. I was using Debian also as my main OS for about a year around 2016, then I went back to Windows mainly because it could run more things that I was using a lot (e.g. Photoshop).


About 2000 I installed a Linux server at an ISP for a small private company (not for the ISP, the company was just renting rack space at the ISP, and it was a much faster connection to have their physical server at the ISP), I had no idea what I was doing other than following the basic instructions.... It got hacked (with a rootkit) in about a week oops

Cover image by Shutterstock

Byte.Yoga Homepage - Australian Cyber Security Web Magazine

Share This Page

If you liked this page, please share it with others! You can use the links to share on Facebook, Twitter, LinkedIn, Pinterest, and Email. Ther is also an RSS feed to get updates for the website.