10 Steps to Securely Configuring Windows 10

Windows 10 is the most popular operating system in the world, but it also comes with some security risks. If you want to protect your data and privacy, you need to configure Windows 10 for security. Here are 10 steps you can follow to make your Windows 10 more secure.

  1. Update Windows 10 regularly – Windows 10 updates often include security patches and bug fixes that can prevent hackers from exploiting vulnerabilities in your system. To check for updates, go to Settings > Update & Security > Windows Update and click on Check for updates. If there are any available updates, install them as soon as possible.
  2. Use a strong password and a PIN – A strong password is one that is long, complex, and unique. It should include a mix of uppercase and lowercase letters, numbers, and symbols. A PIN is a four-digit code that you can use to unlock your device instead of typing your password. To set up a password and a PIN, go to Settings > Accounts > Sign-in options and choose Password and PIN. Make sure you don’t use the same password or PIN for other accounts or devices.
  3. Enable BitLocker encryption – BitLocker is a feature that encrypts your hard drive, making it unreadable to anyone who doesn’t have the right key. This can protect your data in case your device is lost, stolen, or hacked. To enable BitLocker, go to Settings > System > About and click on Device encryption. If your device supports BitLocker, you will see a Turn on button. Click on it and follow the instructions.
  4. Use Windows Defender Firewall and antivirus – Windows Defender Firewall is a feature that blocks unauthorized network connections, preventing hackers from accessing your device or data. Windows Defender antivirus is a feature that scans your device for malware and removes any threats. To use Windows Defender Firewall and antivirus, go to Settings > Update & Security > Windows Security and click on Firewall & network protection and Virus & threat protection. Make sure they are both turned on and up to date.
  5. Enable two-factor authentication – Two-factor authentication is a feature that adds an extra layer of security to your online accounts. It requires you to enter a code or use an app on your phone after entering your password, verifying your identity. To enable two-factor authentication, go to Settings > Accounts > Sign-in options and click on Security key or Windows Hello. Follow the instructions to set up your preferred method of two-factor authentication.
  6. Use a VPN service – A VPN service is a feature that encrypts your internet traffic, hiding your IP address and location from prying eyes. This can protect your privacy and security when you use public Wi-Fi or access geo-restricted content. To use a VPN service, you need to download and install a VPN app from the Microsoft Store or a trusted website. Then, launch the app and connect to a server of your choice.
  7. Disable unnecessary services and apps – Some services and apps that come with Windows 10 may not be essential for your needs, but they can consume resources and pose security risks. To disable unnecessary services and apps, go to Settings > Apps > Apps & features and click on the service or app you want to uninstall or modify. You can also go to Settings > Privacy and review the permissions that each app has access to.
  8. Use a secure browser and extensions – A secure browser is one that protects your online activity from trackers, ads, and malicious websites. A secure extension is one that enhances the functionality of your browser without compromising your security or privacy. To use a secure browser and extensions, you can choose one of the following options:
    • Use Microsoft Edge, which is the default browser for Windows 10. It has features like SmartScreen, Tracking Prevention, InPrivate mode, and Password Monitor that can improve your security and privacy.
    • Use Google Chrome, which is the most popular browser in the world. It has features like Safe Browsing, Incognito mode, Password Checkup, and Sync that can improve your security and privacy.
    • Use Mozilla Firefox, which is the most privacy-focused browser in the world. It has features like Enhanced Tracking Protection, Private Browsing mode, Lockwise, and Monitor that can improve your security and privacy.
  9. Back up your data regularly – Backing up your data copies your files to another location, such as an external hard drive or a cloud service. This can protect your data from accidental deletion, corruption, or ransomware attacks. To back up your data regularly, go to Settings > Update & Security > Backup and click on Add a drive or Backup options. Choose where you want to store your backup files and how often you want to back up.
  10. Educate yourself on cyber threats and best practices – The most important feature for securing your Windows 10 is your own knowledge and awareness. You need to learn how to recognize and avoid common cyber threats, such as phishing, malware, or social engineering. You also need to follow best practices, such as using strong passwords, updating your software, and locking your device when not in use. You can find more information and tips on how to secure your Windows 10 on the Microsoft website or other reputable sources.

Limit SMB Traffic in Windows Environments

Microsoft recently posted an article talking about reducing your SMB traffic, and thereby reducing the risk of compromise on your systems. Before you think we’re saying this one change is the solution to all network security issues, even Microsoft states “We are not trying to make the entire network impervious to all threats. We are trying to make your network so irritating to an attacker that they just lose interest and go after some other target.”

Many times we know a security change doesn’t completely fix an issue; we are just making another small change in a series of small changes to make things slightly more secure. A group of small changes often works together to create an overall more secure environment.

If nothing else, you’ll have a better understanding of what systems need SMB enabled and where SMB traffic is common on your network.

Server Message Block (SMB) Traffic

Reducing your SMB traffic can really help your risk profile. Server Message Block (SMB) is a communication protocol for providing shared access to files, printers, and serial ports between devices on your network. It also provides an authenticated inter-process communication (IPC) mechanism. There are also security issues in Microsoft’s implementation of the protocol. Many vendors have security vulnerabilities in their solutions because of their lack of support for newer authentication protocols like NTLMv2 and Kerberos. Recent attacks show that SMB is one of the primary attack vectors for many intrusion attempts. Recently, two high-severity SMB vulnerabilities were disclosed that can allow remote code execution (RCE) on systems that allow SMB traffic.

Recommendations
  1. Block inbound SMB access at the corporate firewalls – This means blocking inbound SMB traffic at the corporate firewall before it reaches your LAN. This is usually the easiest way to block unauthorized traffic to your network and corporate systems. This will not work for remote systems that aren’t behind a managed firewall, but you can use this to help protect servers and other devices on the corporate network.
  2. Block outbound SMB access at the corporate firewall with exceptions for specific IP ranges – Occasionally you need outbound SMB traffic. If you don’t know whether you do, block the traffic and monitor logs for anything that might break.
  3. Inventory for SMB usage and shares – It is understandable that employees need to connect to file servers to access file shares, as one example. Great, then allow inbound SMB traffic to just those servers, and block inbound SMB traffic to all Windows 10 clients or other servers. Start looking at your environment and begin blocking traffic unless it is required.
  4. Configure Windows Defender Firewall to block inbound and outbound traffic on the workstations – Use the client firewall to block traffic except to required devices. There are several references on how to make this work, and it is past time to start working out the details.
  5. Disable SMB Server if unused – If you know the device doesn’t require SMB services, you may be able to stop the SMB Server service on Windows clients and even many of your Windows Servers.
  6. Test at a small scale – Test the changes and make sure you understand the impact before you just deploy changes into production and break everything. As always, test twice and make sure you understand the changes (and have a rollback plan) before you deploy any changes into production.
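
Recommendations 3 to 5 applied to a single Windows host, as an added PowerShell example that is not part of the original article: it inventories shares, inbound sessions and outbound connections, and only creates an inbound block rule when the host is not serving SMB. The rule name and the -Apply switch are assumptions of this example.

```powershell
# Added example: inventory SMB use on one host, then optionally block inbound SMB.
# Run in an elevated PowerShell session. Nothing is changed unless -Apply is passed.
[CmdletBinding()]
param(
    [switch]$Apply,                                    # create the block rule
    [string]$RuleName = 'Block inbound SMB (TCP 445)'  # assumed rule name
)

# Shares an administrator created; Special marks built-ins such as C$, ADMIN$, IPC$
$userShares = @(Get-SmbShare | Where-Object { -not $_.Special })

# Clients currently connected to this host's SMB server (inbound use)
$sessions = @(Get-SmbSession)

# Servers this host is currently connected to as an SMB client (outbound use)
$outbound = @(Get-SmbConnection)

# One inventory record per host, suitable for collecting into a CSV
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    UserShares      = $userShares.Name -join ', '
    InboundClients  = ($sessions.ClientComputerName | Sort-Object -Unique) -join ', '
    OutboundServers = ($outbound.ServerName | Sort-Object -Unique) -join ', '
    ServerService   = (Get-Service -Name LanmanServer).Status
}

# A host with its own shares or live sessions is serving SMB: do not block it blindly
if ($userShares.Count -gt 0 -or $sessions.Count -gt 0) {
    Write-Warning 'Host is serving SMB; restrict inbound 445 to required clients instead.'
    return
}

if (-not $Apply) {
    Write-Output 'No shares or sessions seen. Re-run with -Apply to block inbound TCP 445.'
    return
}

# Create the rule once; re-running the script does not add duplicates
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any | Out-Null
}
```

Get-SmbSession and Get-SmbConnection only show what is connected at the moment the script runs, so collect the inventory several times over a representative period before applying. Remove-NetFirewallRule -DisplayName with the same name rolls the rule back.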

Enable or Disable Windows Defender Firewall with PowerShell

The Windows Defender Firewall with Advanced Security is an important feature of Windows 10 that should be enabled to help protect your computer. Many businesses disable the built-in Windows firewall to prevent it from interfering with any internal processes, but that is an extremely rare problem.

I recommend you enable the Windows Defender Firewall with Advanced Security, and use the features available to help properly secure the user’s Windows 10 endpoint.

To enable the Windows Defender Firewall with Advanced Security using PowerShell:

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

To configure the firewall’s default behavior:

Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen True -AllowUnicastResponseToMulticast True -LogFileName %SystemRoot%\System32\LogFiles\Firewall\DefenderFirewall.log

To disable the Windows Defender Firewall with Advanced Security using PowerShell:

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

My advice is to learn how to properly configure the Windows 10 firewall so you can use it to better secure the Windows 10 endpoint.
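
One way to confirm that the commands above took effect, as an added example that is not from the original post: it compares the effective profile settings, including anything Group Policy overrides, against the values used in this post. The $baseline table and the output column names are assumptions of this example.

```powershell
# Added example: report firewall profile settings that differ from the post's values.
# The baseline mirrors the Set-NetFirewallProfile commands shown in this post.
$baseline = [ordered]@{
    Enabled               = 'True'
    DefaultInboundAction  = 'Block'
    DefaultOutboundAction = 'Allow'
    NotifyOnListen        = 'True'
}

# ActiveStore is the effective policy: local settings merged with Group Policy,
# so a GPO that overrides the local commands shows up here.
$profiles = Get-NetFirewallProfile -PolicyStore ActiveStore

$drift = foreach ($p in $profiles) {
    foreach ($setting in $baseline.Keys) {
        $actual = [string]$p.$setting
        if ($actual -ne $baseline[$setting]) {
            [pscustomobject]@{
                Profile  = $p.Name
                Setting  = $setting
                Expected = $baseline[$setting]
                Actual   = $actual
            }
        }
    }
}

if ($drift) {
    # One row per profile and setting that does not match
    $drift
} else {
    Write-Output 'All firewall profiles match the baseline.'
}

# Where each profile writes its log, and whether dropped or allowed traffic is logged
$profiles | Select-Object Name, LogFileName, LogBlocked, LogAllowed
```

Setting -LogFileName alone does not turn logging on; the LogBlocked and LogAllowed columns show whether anything is actually written to that file.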
