If you are new to Windows 10 and want to create a secure workstation for your personal or professional use, this blog post is for you. In this post, I will show you how to set up a Windows 10 workstation with some basic security features that will help you protect your data and privacy. Here are the steps you need to follow:
Windows 10 is the most popular operating system in the world, powering millions of devices from desktops to laptops to tablets to smartphones. Windows 10 offers many features and functionalities that enhance the user experience and productivity. However, Windows 10 also faces many security challenges and threats from hackers, malware, ransomware, phishing, and other cyberattacks.
Windows 10 security settings are the policies and configurations that define how Windows 10 devices are protected from unauthorized access or modification. Windows 10 security settings are important for several reasons. First, they help ensure the confidentiality, integrity, and availability of the device and the data. By applying appropriate security settings, users can control who can access their device and data and monitor any changes or activities. This prevents data breaches, identity theft, or sabotage by malicious actors.
Second, they help maintain compliance with various regulations and standards, such as HIPAA, PCI DSS, GDPR, and NIST. These regulations and standards require organizations and individuals to implement certain security measures to protect the personal or sensitive information of their customers, employees, or partners. By following the best practices for Windows 10 security settings, users can avoid fines, lawsuits, or reputational damage.
Third, they help improve the performance and efficiency of the device and the IT staff. By using Windows 10 security settings to enforce password policies, firewall rules, antivirus software, encryption methods, and other settings, users can reduce the risk of human errors, virus infections, network attacks, or data loss. This also reduces the workload and costs of managing and troubleshooting the device.
In this post, we’ll discuss the importance of the top 5 security settings in Windows 10:
- Windows Defender
- Windows Firewall
- User Account Control
- Windows Update
Microsoft is updating Defender for Office 365 soon to help protect customers from embedded email threats while they are previewing quarantined emails. Microsoft is rolling out more quarantine management features that will help allow IT professionals and end users to better investigate quarantined emails:
- Quarantine folder policy and user release request workflow
- Customer organization branding
- Streamlined email submission from the quarantine portal
- Robust release of bulk quarantined emails
- Secured preview of quarantined emails
- Quarantine support for shared mailboxes
Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection) provides world-class protection for enterprise email accounts against threats that include business email compromise and credential phishing. They even have some features that help with automated attack remediation.
These new enhancements should help limit risk to unwanted or malicious content by providing additional security controls to help block embedded threats to help prevent threat actors from knowing their intended victim has loaded an image or other embedded content in the quarantine preview.
“We’re changing the way users preview quarantined messages to provide additional security against embedded threats,” Microsoft explains on the Microsoft 365 roadmap. The idea is to provide some additional controls when previewing an email to make sure the threats are contained and the sender is less likely to know you have contained the suspicious email. With this change some components in quarantined messages will be distorted and not displayed by default. To see the full contents of the message, users can choose to reveal the full message.”
Other new features will allow for more control over quarantine items, release workflow options, corporate branding, and support for shared mailboxes.
Microsoft also plans on adding more intelligence around what kinds of attacks are targeting your business and options around how to deal with ongoing threats.
A offensive security tool developed by Benjamin Delpy in 2011 is named Mimikatz. Mimikatz is a free tool that tries to scrape the memory of the target computer looking for the process responsible for Windows authentication(LSASS) to reveal cleartext passwords and NTLM hashes that the attacker can then use to attack other computers on the same network. The attacker can then escalate their account privilege either by authenticating with the clear text credentials they just stole or by simply passing the stolen hash.
Mimikatz has been used by nation-state attackers, the first known case being the 2011 hack of the now-defunct Dutch certificate authority DigiNotar. The attackers issued bogus certificates for Google and used them to spy on the Gmail accounts of several hundred thousand Iranian users. Mimikatz has since been used by many malware creators to automate the spread of their worms, including the NotPetya attack and the 2017 BadRabbit ransomware outbreak. Mimikatz will likely remain an effective offensive security tool on Windows platforms for many years to come.
Mimikatz exploits Windows single sign-on (SSO) functionality to harvest credentials. Until Windows 10, Windows by default used a feature called WDigest that loads encrypted passwords into memory, but also loads the secret key to decrypt them. WDigest has been a useful feature for authenticating large numbers of users on an enterprise or government network, but also let Mimikatz exploit this feature by dumping memory and extracting the passwords.
Microsoft has reacted (somewhat slowly) to Mimikatz by publishing changes to address the security vulnerabilities identified, but you must apply the patches and recommendations below to address this security issue.
Microsoft Endpoint Management (Microsoft Intune) is a service available as part of the traditional O365 environment that allows a business to configure and enroll their Windows 10 devices (as well as macOS, iOS, and Android devices) to centrally manage corporate devices while ensuring that they meet your basic compliance requirements. You can read more about Microsoft Intune here.
The basic approach to cloud management of your Windows 10 devices is quite simple, but it can take a little work to get the pieces into place.
- Enroll new devices so that once you remove a new laptop from the box, your users log directly into the device using their standard network login to enroll new devices into Endpoint Management. This is how your devices will be managed and configured. This will take a little bit of work to get configured.
- Configure new devices so that your preferred settings are detected and applied to the devices during the initial enrollment. This can be a few settings to hundreds of specific settings, depending on how detailed you want your configuration to be, and the settings applied can be controlled based on Azure AD groups, so some devices can be configured differently that other devices.
- Require specific settings be applied before the device can be considered “compliant”, which can help you verify how secure a device is or isn’t, which can help you target specific devices for remediation.
- Download software directly onto the device, which can make software deployment almost effortless, software inventory easier, and may significantly reduce user complaints.
- Configure Windows Update to automatically update the Windows 10 endpoint, which will help avoid a missing patch from causing security headaches later.
Configuration Policy – Endpoint Security
Click on the Devices option, then select Configuration Policies, then select Create new policy, for the platform, select Windows 10 and later, select Profile and select Endpoint Protection. Set a name for your policy, such as “Windows Security Configuration”.
Microsoft Defender Smart Screen
- SmartScreen for apps and files: Enable
- Minutes of lock screen inactivity until screen saver initiates: 15
- Require CTRL + ALT + DEL to log on: Enable
Local device security options
- Guest account: Block
- Guest Account: Rename
- Administrator Account: Rename
Network access and security
- Anonymous access to Names Pipes ad Shares: Block
- Anonymous enumeration of SAM accounts: Block
- Anonymous enumeration of SAM accounts and shares: Block
- LAN Manager hash value stored on password change: Block
- Insecure Guest logons: Block
User Account Control
- Elevated prompt for app installations: Enabled
Click on the Devices option, then select Compliance Policies, then select Create new policy, for the platform, select Windows 10 and later. Set a name for your policy, such as ‘Windows Security Compliance”.
- Require Bitlocker: Require
- Require a password to unlock mobile devices.: Require
- Password type: Device default
- Minimum password length: 8
- Firewall: Required
- Trusted Platform Module (TPM): Required
- Antivirus: Required
- Antimalware: Required
- Microsoft Defender Antimalware: Required
- Microsoft Defender Antimalware security intelligence up-to-date: Required
- Real-time protection: Required
Windows 10 Update rings
Click on the Devices option, then select Windows 10 update rings, then select Create profile, set a name for your policy, such as “Windows Update Configuration”.
- Servicing channel: Semi-annual
- Microsoft product updates: Allow
- Windows drivers: Allow
- Quality update deferral period (days) : 3
- Feature update deferral period (days): 3
- Automatic update behavior: Auto install at maintenance time
- Active hours start: 8 am
- Active hours end: 8 pm
- Restart checks: Allow
- Option to pause Windows updates: Disable
You can also create other Configuration Profiles to enforce various policies that you may be using GPO policies to enforce today, like various network settings, Windows Defender Firewall settings, renaming the local administrator account, disabling the guest account, etc. You can also create Apps, which allows you to install various software directly to the enrolled device.
Once you start working with Endpoint Manager (Intune) you will see the enormous potential that cloud management brings to your environment.
The current Microsoft Windows is the most popular operating system in the world, which also makes it the primary target for hackers and malicious actors attempting to gain access to your computer so they can steal your data. While most software vendors regularly correct security issues, Microsoft is constantly updating it’s software to help protect it’s users from potential compromise. They provide monthly updates and special patches as issues are discovered, but with constant improvements and the addition of new features also brings the possibility of new bugs and vulnerabilities.
While some people might just throw up their hands and decide there isn’t much a typical user can do to adequately secure their systems, there are simple things you can do that will help prevent a successful attack. Let’s look at some simple tips that you should follow to make Windows 10 more secure.
1. Update Windows and Other Programs
Microsoft has an entire team of people that help make Windows 10 as secure as possible, and when they find a problem they issue a fix to help remediate the issue before hackers can take advantage of the flaw. This only works if you actually patch your software to add the fix onto your system.
Allowing your computer to become outdated will eventually cause an issue that could lead to a successful attack on your computer. Hackers and other malicious actors are actively looking for systems with known vulnerabilities, so to help prevent your computer from being on their attack list, frequently patch your system.
Make sure that you enable Windows updates, that you check occasionally to make sure your system isn’t missing any updates, and that you verify all the software on your computer is also getting updates. Some people worry that installing a patch will break something, but that is easily corrected by simply removing the patch if that happens to your computer.
2. Enable System Restore
System restore is an option built into Windows 10 that allows you to set the system back to the previous date whenever there are problems. By default, “System Restore” is disabled in Windows 10. If you want to be able to quickly undo any problem that happen on your system, simply restore back to a previous restore point, and any changes to your system after that date and time are removed.
System Restore does not restore user data or documents, so it will not cause users to lose their files, e-mail, browsing history, or favorites.
You can find instructions on how to use this feature here.
3. Use Drive Encryption
Unless BitLocker is enabled on your Windows 10 computer, your drive contents are stored in “Plain Text”. This means if your laptop is stolen, the drive can be removed and the contents can be read from another computer. Encryption is essential if you are keeping critical information in your laptop. By enabling BitLocker, a feature already available on your computer, Windows will encrypt the contents of your hard drive, making it very difficult for an unauthorized person to view the contents of your hard drive.
You can find instructions on how to use this feature here.
4. Use Anti-Virus Tools
Windows 10 has a built-in protection feature to stop viruses and malware called Microsoft Defender and the Windows Security Center. By enabling Microsoft Defender you get built-in protection from most virus and malware programs. The Windows Security Center is were you go to modify and customize your Defender settings and check on the overall security status of your computer. Check the home screen from the Windows Security Center and ensure all systems are showing in green.
If malware gets onto your computer, one of the first things it will attempt is to programmatically disable Microsoft Defender. The best feature you can enable is Tamper Protection. This feature makes it very difficult to disable Microsoft Defender protection without your approval. You can find instructions on how to enable this feature here. Continue reading “10 Tips for Securing Windows 10”
Ransomware is malware installed on your machine intended deny access to your critical files. Once you can’t access you documents, pictures, and music the attacker offers to release the files back to you for a fee. Sometimes the fee might be several hundred dollars, but for businesses the fee might be in the millions.
The attacker uses fairly standard attack methods to install software on your computer that scans your system for specific file types, then encrypts the files using a method that is usually not recoverable. Then the malware will present you with a key value to redeem for a decryption key. If you present your key and the appropriate fee, the cyber criminals provide you with a decryption key that makes you files available again. Usually. Sometimes you pay and they don’t respond or the key that is provided doesn’t work correctly.
There are some specific things you can do to make the risk much smaller of a successful attack on your computer, as well as ways to make the impact smaller so you might not have to pay the ransom. Some of these are easy for a non-technical user to tackle, but others are better suited for technical personnel at a business or government agency.
Inexpensive Ways to Reduce Ransomware Attack Success
- Backup Your Important Data – If you have a backup of your data that hasn’t been encrypted, you probably won’t have to pay the attacker a fee. Depending on how often your data changes, you might be able to perform a weekly backup (there is a utility built into Windows 10, or you can buy a program that doesn’t a backup either to an external hard drive or the cloud). Keep backups separate from your computer so that a successful attack won’t have access to the backup files. If your files get encrypted, you can safely reload Windows 10 onto your computer and copy your files from the backup to the clean laptop.
- Enable Microsoft Defender – Microsoft Defender is included with Windows 10. It has some powerful feature to protect your computer from malicious attacks, but only if they are enabled and properly configured. Enable controlled folder access to prevent unauthorized applications from modifying protected files, turn on cloud-delivered protection and automatic sample submission for better protection, and enable tamper protection to prevent the protection from being disabled when you need it the most. You should also enable the attack surface reduction rules in Defender, including rules that block ransomware activity and other activities associated with and attack.
- Protect Systems – Don’t have anything directly on the internet that isn’t correctly hardened and patched to prevent an easy attack surface. If you don’t know how to properly configure a server or other infrastructure item, don’t guess because the hackers know what they are looking for when they stage an attack.
- Use MFA – Enable Multi-Factor Authentication (MFA) when possible. Many online sites now allow you to enable this extra protection that requires you to know your standard account password as well as have possession of a specific device to successfully log into their systems. This can be really handy to prevent someone guessing your password and accessing your Facebook, Twitter, or O365 account from anywhere in the world.
- Education – Educate yourself on how to detect and avoid phishing emails and potentially malicious websites.
A Windows 10 laptop right out of the box is not a truly secure laptop. Building a secure laptop using Windows 10 will take a little work. Microsoft has done a good job balancing usability and security, making sure the device is mostly compatible with what an average person wants to do without security getting in the way.
If you want a secure laptop there are some tweaks you need to make to get your laptop to the next level of security. Some are done by default, but you should make sure you have the settings correct, and some of off by default so you’ll need to configure the settings and turn them on.
I’ll go through some of the settings to show you how you can go from default settings to secure, but you have to understand there are always more things you can do to make your Windows 10 device even more secure. Continue reading “Securing Windows 10”