First I will preface this with the fact that I am using a Windows 10 Enterprise LTSC 2021 base install as my normal Windows machine for this exercise. We are also going to focus more on the security of the average user.
We are going to grab a few tools to assist us. Most people will not be comfortable diving into the Registry and making changes, but there are a few settings that will require us to use the Registry or the Group Policy Editor (if you're not on a Home edition).
- Firewall (Tinywall)
- Tweaking Tool (WinAero Tweaker)
- Waterfox / Firefox
- Virtual Machines (VirtualBox)
Do Not Disable UAC (Running as Local Admin):
The UAC prompts can get annoying after some time, but if you do end up turning off UAC, always remember to turn it back on. You don't need to run every program as Administrator, just as you do not need to prefix every command with “sudo” in Linux.
UAC is a huge step in security for any Windows system.
Who Are Admins:
If you have multiple accounts on a machine or share a machine with others, check who is a Local Admin on the machine and remove Local Admin rights from users who do not need them. This is usually the case with a child that uses the machine and goes on a spree installing all the latest Minecraft/Roblox/other viruses and malware.
Also, most local Windows installs (not those associated with business or connected to Active Directory) allow accounts without passwords.
Make sure all accounts have passwords, and local Administrator accounts have strong passwords.
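As an added example (not from the original post), this CMD script lists who is in the local Administrators group and which local accounts can log on without a password, then prints the net commands that fix each finding. It assumes an elevated command prompt and that wmic.exe is present (it is on Windows 10 LTSC 2021, but it is deprecated and may be missing on newer builds); the account name in the fix-up lines is a placeholder.

```batch
@echo off
rem Added example (not from the original post): audit local admins and
rem password-less local accounts. Run from an elevated CMD.
rem Assumes wmic.exe is available (present on Windows 10 LTSC 2021).

echo === Members of the local Administrators group ===
net localgroup Administrators
echo.

echo === Local accounts that do NOT require a password ===
wmic useraccount where "LocalAccount=TRUE and PasswordRequired=FALSE" get Name,Disabled
echo.

echo === Enabled local accounts and whether a password is required ===
wmic useraccount where "LocalAccount=TRUE and Disabled=FALSE" get Name,PasswordRequired,Lockout
echo.

echo Fix-ups (ACCOUNT is a placeholder; run each one as needed):
echo   net localgroup Administrators "ACCOUNT" /delete   ^<- drop the account from Administrators
echo   net user "ACCOUNT" *                               ^<- prompt for a new password
echo   net user "ACCOUNT" /passwordreq:yes                ^<- refuse a blank password on the account
```

Anything listed under "do NOT require a password" should either get a password or be disabled; an enabled account with no password and Administrators membership is the worst combination the script can surface.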
Although not directly Windows related: get and use a password manager. Personally, I have set up a self-hosted Nextcloud instance, and I describe how on this page.
You are going to want to use very strong passwords and store them in an encrypted password manager. Which one really does not matter, but the more control you have over it the better.
You will want to start using strong passwords, and most password managers can generate them for you; for example, “@nd07h€r5F@ctWe€ksHo1ding” is a password I just had my plugin create.
Most online services should accept these passwords, and for those that do not, you can usually modify the password to remove the special characters the server rejects.
You can use the service Have I Been Pwned to check various breaches and such, although I am aware that you're submitting data to a service that might have a target on its back.
Two Factor Authentication:
Again not directly related to Windows: use a 2FA option on every service that allows it. Some services, like banks, tend to lean towards SMS authentication, while others use a TOTP/Google Auth/Authy code. The TOTP codes can be generated using any 2FA application. Since my workplace uses Office 365, I lean towards the Microsoft Authenticator, as I can use that to handle all my 2FA needs. You can choose whether or not to enable backups of the codes to Microsoft servers; that's up to you.
Firewall (Tinywall):
After installing Tinywall, you will lose all network connectivity. Do not install Tinywall over an RDP connection unless you have physical or console access to the system.
Right click on the system tray icon for Tinywall and enable “Unblock LAN Traffic”. This leaves LAN traffic alone so that Tinywall only blocks internet-bound traffic. Right click the icon again and click “Manage”. You can choose the options you want on the General tab, and then click over to the Application Exceptions tab.
Here I like to start with nothing, by removing all entries. I do not use Edge or the Microsoft Store at all, so those defaults are not wanted. Under the Special Exceptions tab you can choose what you want to enable or disable. I usually leave all of the Recommended entries checked except Windows Network Discovery and Windows Store Update. Under Optional, most normal users won't need anything.
Click Apply to save the settings.
You can always right click the tray icon and select “Show Connections”, then at the bottom select only the check box for “Show Blocked Apps” to see which programs are trying to communicate out to the internet. This is where you allow specific programs, one by one, that you are aware of and want to allow.
Do not blindly allow programs to talk to the internet; there should be a good reason for each one to communicate with the world. Internet games, browsers, and other applications will require internet access. “System” does not need internet access, nor does “wermgr.exe” or “lsass.exe”. There are quite a few background Windows processes that will try to talk to servers but work fine without it.
Virtual Machines (VirtualBox):
You might be asking why I added VirtualBox to this page. There are a few very good uses for Virtual Machines besides what a Systems Engineer or Administrator might use them for. You can isolate software using a Virtual Machine and keep things orderly.
I have a VM for programming, and one for testing software from random sources. You can use a Virtual Machine to load software a child might be using to keep it away from the system itself.
If you're testing a piece of software you do not fully trust, always load it inside a VM first.
Installation and Setup of a Virtual Machine is beyond the scope of this specific page but there are others around, and I might get to writing one up soon enough.
Tweaking Tool (WinAero Tweaker):
Although not completely security related, this tool exposes lots of options that would normally require digging for hours through the Registry.
There are a good amount of Quality of Life settings as well as some security related settings. Go through the tool one section at a time and just read. Most settings are personal preference.
Enable Bitlocker Drive Encryption:
If you have a version of Windows that supports Bitlocker, I suggest you enable it. Encrypt all internal hard drives, and utilize the TPM if you have one. There are some reasons why you might not want Bitlocker, such as if you're dual booting or might need to move the hard drive from one machine to another, but for most people: just enable the encryption.
You will not be able to recover your data if the machine fails, but you have backups, right? You should. You will also want to back up your Bitlocker recovery keys to a USB drive or a printed sheet and keep it in a secure location that others do not have access to.
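As an added example (not from the original post), this CMD script does the steps above from the command line: it checks that a TPM is present and active, shows the current BitLocker state, adds a TPM protector plus a recovery password to the OS volume, turns encryption on, and writes the recovery password to a USB drive. It assumes an elevated prompt, that the OS volume is C: and that the USB drive is mounted as E:; change both variables to match your machine. manage-bde will ask for a reboot to run its hardware test before encryption actually starts.

```batch
@echo off
rem Added example (not from the original post): enable BitLocker on the OS drive
rem with TPM + recovery password and copy the recovery password to a USB drive.
rem Assumptions: elevated CMD, OS volume is C:, USB drive is E:.
set OSDRIVE=C:
set USBDRIVE=E:

echo === TPM present, enabled and activated? ===
wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsEnabled_InitialValue,IsActivated_InitialValue,SpecVersion
echo.

echo === BitLocker status before ===
manage-bde -status %OSDRIVE%
echo.

rem The TPM protector unlocks the drive at boot; the recovery password is the
rem 48-digit key you need if the board/TPM dies or the drive moves to another PC.
manage-bde -protectors -add %OSDRIVE% -TPM
manage-bde -protectors -add %OSDRIVE% -RecoveryPassword

rem -UsedSpaceOnly encrypts only the blocks in use, which is fast on a fresh install.
manage-bde -on %OSDRIVE% -UsedSpaceOnly

echo === Recovery password, saved to the USB drive (keep the drive away from this PC) ===
manage-bde -protectors -get %OSDRIVE% -Type RecoveryPassword > "%USBDRIVE%\BitLocker-Recovery-%COMPUTERNAME%.txt"
type "%USBDRIVE%\BitLocker-Recovery-%COMPUTERNAME%.txt"
```

After the reboot, run `manage-bde -status C:` again and confirm the "Protection Status" line reads "Protection On"; the text file on the USB drive is the one you print or store offline.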
Disable “Debug Programs Policy” (Group Policy Editor):
Group Policy Management Editor -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Debug programs
Here you will need to remove all users and groups, and also define the policy setting by ticking the check box at the top.
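As an added example (not from the original post), this CMD script does the same thing with secedit instead of the Group Policy Editor: it writes a minimal security template in which SeDebugPrivilege (the "Debug programs" right) has no holders, applies it, and then exports the live assignments to confirm the right is empty. It assumes an elevated prompt; the file names under %TEMP% are arbitrary. Expect debuggers and some diagnostic tools run from an Administrators account to lose the ability to attach to other users' or system processes once this is applied, which is exactly what the setting is for.

```batch
@echo off
rem Added example (not from the original post): remove every holder of the
rem "Debug programs" user right (SeDebugPrivilege) with secedit, then verify.
rem Assumes an elevated CMD. File names below are arbitrary.
set INF=%TEMP%\no-debug.inf
set SDB=%TEMP%\no-debug.sdb

rem Minimal security template. A right listed with nothing after "=" is
rem assigned to nobody, which matches emptying it in the policy editor.
> "%INF%" echo [Unicode]
>> "%INF%" echo Unicode=yes
>> "%INF%" echo [Version]
>> "%INF%" echo signature="$CHICAGO$"
>> "%INF%" echo Revision=1
>> "%INF%" echo [Privilege Rights]
>> "%INF%" echo SeDebugPrivilege =

secedit /configure /db "%SDB%" /cfg "%INF%" /areas USER_RIGHTS /quiet

rem Verify: export the current user-rights assignments and look for the line.
rem Either no SeDebugPrivilege line, or one with nothing after "=", means no holders.
secedit /export /cfg "%TEMP%\rights-now.inf" /areas USER_RIGHTS /quiet
findstr /i "SeDebugPrivilege" "%TEMP%\rights-now.inf" || echo SeDebugPrivilege: no holders

del "%INF%" "%SDB%" "%TEMP%\rights-now.inf" 2>nul
```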
LSA Protection (Registry):
This protection can be enabled by creating the RunAsPPL registry value (a DWORD) and setting it to 1 in the following registry location.
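As an added example (not from the original post), this CMD script sets RunAsPPL, reads it back, and after the reboot checks the System log for the event that confirms LSASS started as a protected process. The post does not print the key path; the one used here is the location Microsoft documents for this value, HKLM\SYSTEM\CurrentControlSet\Control\Lsa. It assumes an elevated prompt. One caveat: any third-party LSA plug-in (old credential providers, password filters) that is not signed to Microsoft's requirements will no longer load once LSA runs protected, and Microsoft documents an audit mode for finding such plug-ins before you enforce the setting.

```batch
@echo off
rem Added example (not from the original post): enable LSA Protection (RunAsPPL)
rem and verify it. Key path is the documented one; the post omits it.
rem Assumes an elevated CMD. Takes effect at the next boot.
set LSAKEY=HKLM\SYSTEM\CurrentControlSet\Control\Lsa

echo === Before ===
reg query "%LSAKEY%" /v RunAsPPL 2>nul || echo RunAsPPL not set (LSA Protection off)

reg add "%LSAKEY%" /v RunAsPPL /t REG_DWORD /d 1 /f

echo === After (applies on next boot) ===
reg query "%LSAKEY%" /v RunAsPPL

rem Post-reboot check: Wininit logs event 12 "LSASS.exe was started as a
rem protected process with level: 4" in the System log when it worked.
wevtutil qe System /q:"*[System[(EventID=12)]]" /f:text /rd:true /c:20 | findstr /i /c:"protected process" || echo No "started as a protected process" event yet; reboot first
```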
Disable PowerShell (Group Policy Editor):
On this machine I don't use or need PowerShell at all; I do all of my console work in CMD. Some users will want to skip this if they need or use PowerShell.
User Configuration > Administrative Templates > System
On the right side, double-click the Don’t run specified Windows applications policy.
Select the Enabled option.
Under the Options section, click the Show button.
In the “Value” column, type “powershell.exe” to disable the PowerShell experience.
In the “Value” column, type “powershell_ise.exe” in a new cell to disable the PowerShell ISE interface.
In the “Value” column, type “pwsh.exe” in a new cell to disable PowerShell 7.
Click the Apply button.
Click the OK button.
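As an added example (not from the original post), this CMD script writes the same policy straight into the registry, which is what the Group Policy Editor does behind the scenes and is the only route on Home editions that have no gpedit. "Don't run specified Windows applications" is stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer as a DisallowRun DWORD plus a DisallowRun subkey whose numbered string values hold the file names; log off and on again (or restart explorer.exe) for it to apply. Keep in mind the limitation Microsoft states for this policy: it only stops programs launched through File Explorer, not programs started by the system or by another process, so for real enforcement the AppLocker section further down is the stronger control.

```batch
@echo off
rem Added example (not from the original post): registry form of the
rem "Don't run specified Windows applications" policy for the current user,
rem blocking the three PowerShell executables named in the post.
rem Applies after the user logs off and on again (or explorer.exe restarts).
set POL=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

rem Turn the policy on, then list the blocked file names as "1", "2", "3", ...
reg add "%POL%" /v DisallowRun /t REG_DWORD /d 1 /f
reg add "%POL%\DisallowRun" /v 1 /t REG_SZ /d powershell.exe /f
reg add "%POL%\DisallowRun" /v 2 /t REG_SZ /d powershell_ise.exe /f
reg add "%POL%\DisallowRun" /v 3 /t REG_SZ /d pwsh.exe /f

echo === Block list now stored for this user ===
reg query "%POL%\DisallowRun"
```

To undo it, delete the DisallowRun value and subkey with `reg delete "%POL%" /v DisallowRun /f` and `reg delete "%POL%\DisallowRun" /f`.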
AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps (aka: Microsoft Store apps), and packaged app installers.
I won't go into depth here on how to use AppLocker, as you can get into complex setups with it. I suggest reading this page to set up AppLocker correctly.
The simplest way to use AppLocker is to specify the paths from which programs are allowed to run, instead of trying to deny all current and future paths.