Harden Windows 10 - A Security Guide

Windows has some minimal default anti-exploit settings for system files. I have chosen to augment them for svchost.exe and others because the custom settings have more protection features. Other programs added also included are the ones mentioned in the outbound and inbound 'default' firewall rules which MS re-enables after each Windows Update. To load those settings:

• Start an admin powershell
• Type in 'set-processmitigation -PolicyFilePath <\FolderWhereYouStoreConfigPack>\EP.xml'
• Reboot

• Calendar
• Mail
• Maps
• Mix Reality Viewer
• Microsoft Store (runs, can purchase movies, but can't install any games due to old PC not meeting requriements)
• Tips
• Get Help
• Groove Music
• Edge
• Sticky Notes
• One Note
• Weather
• People
• Photo
• Skype
• Movies & TV

• Feedback Hub
• Sticky Notes (it runs perfectly WITHOUT inbound or outbound firewall rules. You just don't get Cortana's integration)

Turn on Ransomware Protection

Windows Defender > Virus & Threat Protection > Ransomware Protection > Manage ransomware protection > Controlled Folder Access=On

Note that turning on Controlled Folder Access will forbid applications from creating files in documents folder. So for example, further down in this document, it tells you to create a baseline by using "driverquery > out.txt". This command will fail to create the out.txt because cmd.exe is not allowed to touch your Documents folder. You have to go to Windows Defender > Virus & Threat Protection > Ransomware Protection > Manage ransomware protection > Controlled Folder Access > Allow an app through ... > Recent .. powershell.exe . Also our Harden Windows 10 Services.bat also seems to trigger it. So it is best to turn off this feature while hardening the system.

Add your favorite word processors, spreadsheet app etc to 'Allow an app' as well.

Other Windows Defender defences

Device Security

MS hides certain features of Windows Defender if you don't have the hardware for it. For example: Core Isolation. If you have this item you will find inside a switch to turn on Memory Integrity. This item is not compatible with some DLL's and may make certain apps like Oracle's VirtualBox not work. The thing to do is turn it on, and test your apps.

Secure Boot

This is another item that MS hides if you don't have the hardware.(UEFI) To have this feature you have to disable "Legacy" option in BIOS and choose UEFI Secure Boot, and then install Windows. Installation from a DVD will be alright, but for USB, you will have to make sure the USB memory stick was created for UEFI in Rufus

Disable DCOM and Limit COM

DCOM is an ancient technology envisioned during the heyday of distributed computing. It is best disabled.

• Administrative Tools > Component Services.
• Component Servies > Computers > right click My Computer, Properties. Default Properties tab. Uncheckmark "Enable Distributed COM on this computer.
• COM Security tab > Access Permissions. For the "Self" and "Administrator" settings, uncheckmark "Remote Access".
• COM Security tab > Launch and Activation Permissions. For the "System", "Administrator" and "Interactive" settings, uncheckmark "Remote Launch" and "Remote Activation".

OSArmor

OSArmor (trialware 1 month. $20 per year) stops certain kinds of exploits and payloads. It isn't signature based, so it doesn't need to connect to the net to work, but it autoupdates. It can protect your browsers and office programs, and stops potential malware that execute off your USB memory stick. Most importantly it also prompts you before you can run a script; like the bat and powershell scripts in this Configuration Pack. That is because it is common for attacks to exploit a program and then launch a script. It can also stop 'Living Off the Land' attacks (LOLBins). 'Living off the land' script based attacks started happening to bypass anti-malware, because anti-malware commonly only know how to deal with exe's. Now, some antimalware programs can scan scripts also. But OSArmor is specialized to handle this. Windows' own software restriction policy provides limited protection against scripts because in this guide we included Windowsa' script engines in its configuration. But where SRP blocks the script engines, OSArmor blocks a whole lot more 'living off the land' attacks; and it understands a potentially misused exe's command line parameters. SRP doesn't understand parameters. It can also detect abnormal situations like programs running with very high privileges.

The way to use it is to first right click on the OSArmor systray icon, open Configurator, and check mark everything except Advanced tab > Block specific system processes > Block execution of NetSh. (NetSh is used by this guide to automatically take your admin account offline after sign in) You may uncheckmark Microsoft Edge, Cortana, System Settings if you use those things often. Then carry on as usual. When it finds anything suspicious, it will block it for you. If you are performing an action like opening Event Viewer; it will issue a blocked notice. Note what is blocked. You have 2 choices: a) Respond to the prompt by clicking on the Exclude button. This will populate the Exclusions Helper with what action you just performed. Then click on Add Exclusion button. If you don't plan to use this action often, then: b) Go to OSArmor > Configuratior. Search for the blocked action and uncheckmark it. After the application has opened, you can immediately set Protection back to checkmarked. You don't have to have protection disabled while running the application. Do NOT set Protection to Temporarily Disabled X mins, because that disables All Osarmor protections. And that is very dangerous while online.

Finally, you can see what attacks or commands that were blocked in the Logs choice by right clicking the OSArmor systray icon.

The author has seen in the OSArmor Logs and popup Notifications that he has been attacked via an unknown firewall opening and the attacker was running 'NET1 USE ADMINISTRATOR' in an attempt to gain admin privileges. That the logs showed that those commands were executed, I know that the attackers were able to connect and get a command prompt, or something close to that. OSArmor is great at stopping these kinds of attacks. It stops unusual attempts to run system tools.

It is prudent to assume that the attacker has also installed her tools unless VoodooShield or some similar anti-exe has been installed. The anti-exe will have eliminated the chance of any external exe's being introduced. If an anti-exe has not been deployed, then you will need to do backup of data files and eliminate the account. The services hardeninng step has disabled the secondary logon service; the intrusion is contained in that account and the attacker cannot cross over to the admin account. But because if there is no restriction of exe's being introduced when there is no anti-exe her tools will still be inside your account. However if you were using an admin account when the OSArmor popup occurred, then you will need to re-image the machine with the known-good-just-finished-hardening-still-offline image. After you recreated the account or restored from backup image, you will then need to revisit your firewall rules. Because the attack has to have gone thru the firewall directly or thru a vulnerable network app that is not sandboxed.

One possible firewall rule to eliminate is the DHCP outbound rule. You can assign a static ip address to the network adapter, then DHCP outbound rule is no longer necessary. The AUTHOST and WWAHOST outbound firewall rules are also candidates for removal if you don't use a MS Account. If you have any other rules that this guide did not recommend, then this is the time to remove them.

As you can tell from this tale, one can never go online while a protection app is disabled. Plan your work carefully in advance. If you have to open Services.msc, an admin terminal, or some app that OSarmor traps for, you uncheckmark the tools , start the tools and then re-checkmark them BEFORE you go online. If you find you have fogotten to pre-start a tool, then you go unplug the Ethernet, uncheckmark the specific tool and start your tool and immediately re-checkmark the tool, then re-enable the network adapter. You will encounter this situation when you register the Wazuh SIEM Agent to your server.

Disabling Vulnerable Services

Most people are aware that services can be security problems, and that some should be disabled. The culprits are partially network services that listen to the net. Anything that takes input from the net is candidate for manipulation by attackers. When one looks at the list of services that are disabled below, one might say that there are no known exploits for such and such a service. But the principle again is least privilege. Only those services that are needed should be active. And we don't want to wait until an exploit hits the security news sites and then take action. Least privilege is a pro-active, preventative concept.

There are various servers in the list of services which listens 24x7 to everybody sending them stuff.( which includes exploits ) Like the simply named 'Server' service that is responsible for File and Printer sharing. Another server is UPnP Device Host, which lets other PCs interact with devices on this PC. Components that allow remote management are also turned off - like Remote Registry and Windows Remote Management. The first allow other PCs to change your registry; and the second allows remote shell access. The Secondary Logon service is turned off, because it let command line users run programs as admin. It requires the admin's password, but then attackers have all day to figure that out. DNS Client used to be not needed, but MS has changed that in v1809 so that it can't be disabled. I have left 6 services on Automatic/Manual start which do react to inputs from the net, These services tell other windows programs about your network and allows you to choose your firewall profile (public or private). One of them is related to Direct Access, which only can be used in an environment that has Windows Servers, but I found that disabling it causes networking to malfunction. 

There is another angle to services that makes some more desirable targets, and that is the account that runs them. The System account is all powerful and is equal in power to administrators. A network facing service which use this account, like the WMI Performance Adapter (gone from v1809) or the Printer Extensions and Notifications, will be prized, A service running as System will also be targeted by attackers who gained entry into a Standard account, they will try to take over the service to gain System rights. (This is called "escalation of privilege").

There are some services which activate if you have the right equipment, like. Microsoft iSCSI initiator service, Bluetooth support service, Fax, SmartCard. SmartCard removal policy and WWAN autoconfig are all dependent on specific hardware. In my personal configuration, they are all disabled, because I don't have them. In particular, Bluetooth support service is one that ought to be disabled if one doesn't have any bluetooth peripherals; it is a networking component  that can be abused by attackers, and there are free hacking tools available. It is not disabled in the default configuration file because I don't want someone to apply the config and suddenly find that their keyboard or mouse doesn't work.

When you configure services, clicking on each will display a description. If that is not enough for you, you can check out http://blackviper.com, sometimes they have additional information..

If you have the Automated Configuration Pack, you can set up the services by right clicking on "Harden Win 10 Home Services.bat" and choosing "Run as Administrator"

Items in <angle brackets> are optional and not setup in the Automated Configuration file.

Right click on Start button/Control Panel/Administrative Tools/Services

Right click on the following services, choose Properties and set Startup Type to Disable.

Name (Original Mode),  what it does

---------------------------------------------------

• Application Layer Gateway Service (manual) no plug-in' for internet connection sharing allowed
• Application management:(manual) disabled because this is for installation of software thru domain group policy
• Auto Time Zone Updater (disabled) no need unless this is globe trotting laptop
• Branchcache:(manual) only used in enterprise
• Cellular time: (manual) this is not a phone
• Computer browser: (manual) no need to explore network.
• Connected User Experience and Telemetry (automatic) turns off some telemetry sent to MS
• Device Management Wireless Application Protocol (manual) WAP is a cell phone protocol
• Distributed link tracking client:(automatic) maintains shortcuts to files on network share if source file is renamed
• Distributed Transaction Coordinator (manual) No foreign network transactions allowed
• Download Maps Manager (automatic) Downloading maps may reveal your location
• function discovery provider host: (manual) no need to do network discovery on small lans
• function discovery resource publication.(manual) no need to publish this computer's services
• Interactive service detection: (manual) only old services do interaction with desktop. practice not encouraged by MS
• Internet connection sharing: (disabled by default)
• IP Helper:(automatic) enables IPv6 tunnels over IPv4. We dont want tunnels; non-inspectable by firewalls.
• IPsec Policy Agent (manual) Requires Kerberos server. may be necessary for VPN
• KTMRM for distributed transaction coordinator (manual) disabled because it is not used.
• Link layer topology discovery mapper: (manual) draws a map of your network. not needed
• Microsoft App-V Client (disabled) requires a server
• Microsoft Storage Space SMP (manual) requires a server
• Net.Tcp Port sharing service:(disabled by default)
• NetLogon: (manual) used by domain servers. disabled because no network logons allowed.
• Network connected devices auto setup:(manual) devices can still be manually setup
• Offline Files:(automatic) disabled because no server on lan
• Peer name resolution protocol:(manual) disabled because no peers on lan
• Peer networking grouping:(manual) home group. not used
• Peer networking identity manager:(manual) peer to peer networking. not used
• Performance counter DLL host:(manual) allows remote query to performance data
• Phone service (manual) this is not a phone
• PNRP machine name publication service:(manual) publishes peer name. disabled because no peers on lan
• Quality windows audio video experience:(manual) QOS. not used
• Remote access auto connection manager:(manual) remote access. not used
• Remote access connection manager (manual)
• Remote desktop configuration:(manual) Not used.
• Remote desktop services (manual) remote desktop. Not used
  
• Remote Desktop Services UserMode Port Redirector (manual) remote desktop. Not used
  
• Remote registry:(disabled by default)
• Retail demo service:(manual) for demo mode. not used
• Routing and remote access:(disabled by default)
• Secondary logon:(manual) the runas feature. not used
• Secure socket tunneling protocol service: (manual) disabled because no tunnels to remote points allowed. (may be necessary for VPN)
  
• Server:(automatic) disabled because no file and printer sharing allowed
• Shared PC account manager (disabled) requires central management tools
• SNMP trap:(manual) disabled because SNMP responds to queries over the network
• SSDP discovery:(manual) disabled because SSDP not allowed
• TCP/IP netbios helper:(manual) disabled because netbios not allowed
• UPnP device host:(manual) disabled becuase no hosting of devices allowed for other pc's
• Webclient:(manual) not used
• User Experience Virtualization service (disabled) requires server
• Windows Camera Frame Server (manual) enables sending camera video to multiple apps simultaneously, what if for example a spyware app is running in the background.
  
• Windows Management Service (manual) possibly requires a server
• Windows media player network sharing service:(manual) disabled because no sharing allowed
• Windows mobile hotspot service:(manual) disabled because no sharing allowed
• Windows Process Activation Service (manual) Was part of IIS, now a separate thing. not used.
• Windows Push Notification System Service (automatic) talks to an outside WNS server, allows third party app developers to talk to their app
• Windows remote management:(manual) disabled becuase this allows remote management
• Work folders:(manual) disabled because no domain servers in standalone config
• Workstation:(automatic) disabled because no file and print sharing is allowed in network
• Xbox accesory manager (manual). disabled because no connection to exterior devices allowed
  
• Xbox live auth manager:(manual). disabled because no connection to exterior devices allowed
• Xbox live game save:(manual) disabled because no connection to exterior devices allowed
• Xbox live networking service:(manual) disabled because no connection to exterior devices allowed

WARNING: Geolocation service:(manual) used by cortana, If you disable this one, you won't be able to reset it back to normal again. Current Windows bug as of 2015-Aug-19  Update 2018-10-05 Fixed in v1809, so you can now disable it if you don't like Windows'location tracking

If you have the Automated Configuration Pack, my personal additional settings are in "My Personal Win 10 Home Disabled Services.BAT".

• AllJoyn router service (manual) not used by me
• AVCTP service (manual) related to bluetooth audio and video, not used by me
• bluetooth handsfree service:(manual) not used by me.
• bluetooth support service:(manual) not used by me.
• Certificate propagation (manual) smart card related. not used by me.
• Data Usage (automatic) phone releated
• Enterprise App Management Service (manual) not used by me
• fax:(manual) not used by me
• HV Host Service (manual) virtualization, not used by me
• Hyper-V ... all services (manual) virtualization. not used by me
• Microsoft Account Sign in Assistant (manual) MS Accounts not used by me, NEEDED only for activation.
• Microsoft Cloud Identity Service. (manual) connects outside. I don't use any MS cloud service
• Microsoft iSCSI initiator service:(manual) not used by me
• Network Connection Broker (manual) used by Windows Store, not used by me
• Payments and NFC/SE Manager (manual) payment mechanism used by phone
• Phone Service (manual) not a phone
• Printer spooler:(automatic) not used by me
• Printer extensions and notifications:(manual) not used by me
• Sensor Data Service (manual) don't have sensors on my pc
• Sensor monitoring service:(manual) not used by me. dont have screen briteness control.
• Sensor service:(manual) no orientation device on my pc
• Smart card device enumeration service:(manual). dont have smartcard devices
• Smart card removal policy:(manual) dont have smartcard device. if hacked will lock pc.
• Spatial Data Service (manual) no 3D equipment
• Telephony: (manual) dont have telephony devices
• Touch keyboard and handwriting panel service:(manual) dont have such device
• WalletService (manual) don't use MS Wallet to make payments
• Wi-Fi Direct Services Connection Manager Service (manual) don't have Wi-Fi enabled monitor
• Windows biometric service:(manual) dont have such device
• Windows connect now - config registrar:(manual) dont have wireless on pc
• Windows Insider Service (manual) I don't run pre-public-release versions
  
• Windows Perception Service (manual) don't have 3D components
• Windows Perception Simulation Service (manual) don't have 3D components
• Windows PushToInstall Service (manual) I don't download apps from the Store
• WWAN autoconfig:(manual) dont have GSM or CDMA device

If you have the Automated Configuration Pack, you can additionally disable the non-configurable WinHTTP Proxy Auto Discovery Service. It provides an API that even Edge doesn't use. Right click on the reg file and choose Merge.

Stop Logins from the Network.

There should be limited logins available from the network. The 2 local security policies are set also in the Harden Win 10 Home Services BAT file if you have the Automated Configuration Pack. 

However, if we stop user and admin accounts from login through the network, then Simple Software Restriction Policy will stop working. However we are still protected by Windows Firewall. So the accounts that are denied are: Guests, Anonymous Logon, NETWORK SERVICE, SERVICE, and LOCAL SERVICE.

Before Installing Applications

Whenever you choose to install a new application, you need to consider it's security ramifications. For example an older app which needs admin rights and accesses the internet is bad. That's because one successful attack will give the attackers admin rights over your machine. Another thing is listening apps. Technically they are servers, like a FTP server. As revealed by doing 'netstat -abn' from an admin command prompt, and any such apps listens 24x7 to anyone who cares to connect. While you may sleep, servers do not, and you won't be around to monitor it's security. One may point out that FTP servers have username and password protection. But attackers don't usually attack the main entrance. If you are deploying a server, it would be a good idea to restrict connections to your friends' ip address in the firewall rules (bearing in mind that home ISP's change residential ip's frequently, and you'd have to update those ip addresses frequently)

It's a good idea to checkout www.exploit-db.com to look for existence of any attack exploits before installing any app. Some exploits only work in certain versions of the software. So if you find an old exploit, there is a chance it won't work against newer versions. But to be really sure, you would have to complile the exploit and test it, which if you aren't a programmer, can be difficult. Be aware of the risk and decide.

Installation of New Software

Allways try to find installers that do not require internet access. Google for the 'offline installer' of the program. Web based setup programs are hazardous. It requires connection to the net while running as admin. And also most setup installers require turning off your anti-exe, and other protection.

When Software Restriction Policy is set up, remember that programs will not run when they are located outside of \Windows or \Program Files. To enable your install program to run, lets say from your Downloads folder, you have to go to Local Security Policy > Software Restriction Policies > Security Level, and set Unrestricted as the default policy temporarily. Always remember to re-enable SRP before leaving your admin account.

Do not be tempted to add your Downloads folder as an exception to SRP, as attackers will find that out and place their wares in there and run them.

When installing security programs, some installers require default settings of services and ACLs. In the Automated Configuration Pack, there are 2 bat files: Restore Services bat and Restore ACLs bat. If your antivirus installer causes errors, you can run them and then install your new antivirus and redo Harden Services bat and Dual Admin bat. Kaspersky products (Total Security and Small Office Security) are known to require this step.

Always try to find if there are SHA256 signatures published by the vendor for the programs that you are trying to download. (SHA1 is deprecated) If there is one, save it to a txt file. After downloading both the setup and the SHA, use Hash Tool to generate the SHA signature, copy it to the SHA txt file opened in notepad. Line the signatures up, and you will be able to see quickly if they match. Discard the download if the SHA signature fail to match; it has either been tampered with or corrupted.

If you are currently under attack, the attackers may modify the download or feed you one with an infection by sending you a faked download page. Or they can make the downloaded setup unexecutable. Always be quick to close the browser after the download finishes. Because there is a pathway from the net to your download, and closing the browser should severe that connection.

Minimizing Attack Surface (uninstalling all the apps that you don't run )

You should uninstall all the Win Apps that you don't use. It removes attack surface from your attackers. Go to Settings >l Apps > Apps and Features. Clicking on an app will reveal an uninstall button. Remove all the things you don't need. Note that this is a per account setting. Removing an app from the admin account still leaves the app enabled/installed for other accounts.

• Alarms and clock
• App Installer
• Camera
• Game bar
• Get Help
• HEIF Image Extensions
• Maps
• Messaging
• Microsoft Edge/Allow
• Microsoft Store
• People
• Photos
• Webp Image Extensions
• Your Phone

With the software that you want to install, allways choose Custom Installation if there is such an option in the setup program. For example, if you only want to use MS Word, and don't need Excel or Powerpoint, then uncheck those 2 options. Word and Excel can run macro's, which is a programming language and can be made to do useful or harmful things, depending who is wielding it. Attackers are Known to use macro's to infect machines.

If you use LibreOffice ( a free open source office suite competitive with MS Office ) there is a python language module. Languages like macro's can be harmful. Test if it is a core part of the program by renaming the exe to ex0; then run the program and see if it breaks. If it doesn't ( and it doesn't for me ) then leave it renamed that way.

Sign on Security

It is very important to guard your sign on passphrases, espcially your admin account one. attackers will try to trick you into giving out the passphrase by installing a tojan  that looks like the Windows sign on screen and upon seeing this most users will key in their passphrase without question. Microsoft has made a feature whereby you need to press CTRL-ALT-DEL in order to reach the sign on screen,  because the special key sequence CTRL-ALT-DEL can only be trapped by the operating system. This feature is normally only active when a PC is domain joined to Windows Servers. However it can be enabled without Windows servers. 

Another MS security feature is not displaying the account name in the sign on screen, even when the user is currently signed on and has locked the system by pressing WinKey-L. This means the attacker needs to get both the account name and the passphrase right and significantly enhances security. 

If you have the Automated Configuration Pack, you can right click on Harden Win 10 Pro Security options.bat and choose Run as admin to enable these 2 features. Further down the document, all the settings in Security options are given.

Privacy

New Account To Do List

• Remove all un-needed tiles on Start menu: Right click on tile > unpin from start.
• Find Sandboxie items on Start menu, right click on 'Run web browser sandoxed', Pin to start
• Settings > System > Shared experiences > Share across devices : off
• Settings > Devices
  • Bluetooth > off
  • Sound > Manage Sound Devices : off
  • AutoPlay > Off
  • Remote Desktop > Emable Remote Desktop: off
• Settings > Network and Internet > Proxy > Automatically detect settings > Off
• Settings > Personalization
  • Start > Show suggestions occasionally on Start > Off
  • Lockscreen > change Windows Spotlight to Picture ( it connects to the internet and is an attack vector; by setting this you won't get new pictures by MS on your lockscreen )
  • Themes > Desktop icon settings: checkmark the icons you want for desktop, Then right click on desktop > sort by name > twice
  • Taskbar > Notification > Select which icons appears on Taskbar: Always show all icons in notifcation area: ON
• Settings > Apps
  • Apps & features. Remove all the apps you don't use
  • Default Apps > click on Web browser > select your favorite web browser
  • Offline Maps > Automatically update maps > Off
  • Apps for Websites:
    • Maps (2) > Off
• Settings > Gaming > Game bar >
  • Record game ... : off
  • Captures ... : off
  • Broadcast ... : off
• Ease of Access > Display > show notifications for 1 min
• Settings > Privacy
  • General > Let website provide locally relevant ... > Off
  • General > Let Windows track app launches ... > Off
  • General > Show me suggest contents ... > Off
  • Speech > If you turn off online speech recognition ... > Off
  • Inking & typing personalization > When this is switched off ... > Off
  • Diagnostic & feedback > select Basic
  • Activity history > Un-checkmark: Store my activity history ...
  • Location > Change button > Off. Location for this device > Off
  • Camera > Change button > Off. Camera access for this device > Off
  • Microphone > Change button > Off. Microphone for this device > Off
  • Notifications > Change button > Off. User notification for this device > Off
  • Account Info > Change button > Off. Account info access for this device > Off
  • Contacts > Change button > Off. Contacts access for this device > Off
  • Calendar > Change button > Off. Calendar access for this device > Off
  • Phone Call > Change button > Off.
  • Call History > Change button > Off.
  • Email > Change button > Off. Email access for this device > Off
  • Tasks > Change button > Off. Task access for this device > Off
  • Messaging > Change button > Off. Messaging access for this device > Off
  • Radio > Change button > Off. Access to control radios for this device > Off
  • Other Devices > Off
  • Background Apps > Let apps run in the background > Off
  • App Diagnostics > Change button > Off. Apps diagnostics info for this device > Off
  • Automatic File Downloads > Off
  • Documents > Change button > Off. Document library access for this device > Off
  • Pictures > Change button > Off. Pictures library access for this device > Off
  • Videos > Change button > Off. Videos library access for this device > Off
  • File System > Change button > Off. File system access for this device > Off
  box
• Settings > Update & Security > For Developers
  • Change policy to show Run as different user in Start. UnCheck. Click Show settings. Show 'Run as different user ...' Disabled.
  • Uncheckmark: Change policy to allow Run as different user ...
• Set IE to turn on ActiveX Filtering for each account. Gear icon > Safety > ActiveX Filtering.
• Set IE to use Protected Mode for all zones. Gear icon > Internet options >Security tab > click each icon ( Internet, Local Intranet, Trusted sites, Restricted sites ),check mark Enable Protected Mode for each.
• Set IE to use Enhanced protected Mode for all users. Control Panel > Internet Options > Advanced; scroll the Settings list to Security section, checkmark "Enable 64 bit Processes for Enhanced Protected Mode" and 'Enable Enhanced Protect Mode'
• Set Windows to not use the compromisable TLS 1.0 and TLS 1.1: Control Panel > Internet Options > Advanced; scroll to Security > Uncheck use TLS 1.0, uncheck TLS 1.1.
• Run Acrobat Reader ( if you have installed it ) to setup security for each account
  • Edit > Preferences
  • Javascript, uncheckmark "Enable Acrobat Javascript".
  • Security Enhanced. Protected View : All Files
  • Security Enhanced: Create Protected Mode Log File.
  • Security Enhanced: Uncheckmark Automatically Trust Sites from my Win OS Security Zones.
  • Trust Manager: Uncheckmark Allow Opening of Non-PDF file attachments
  • Trust Manager: Internet Access from PDF outside the web browser Change Settings button, select Block PDF file access to all web sites. This one is optional, some times you need to click on an internet link inside a PDF document.
• Run Java in Control Panel (if you have installed it). Go to Security tab, uncheckmark 'enable Java content in browser'.

• Control Panel > Flash >
  • Block all sites from storing...
  • Block all sites Camera & Microphone
  • Block peer assist...

• set cortana icon to hidden
• set Show People on taskbar to off

You want to be able to see all files and folders in Windows. If you do not do this step, hackers can hide their installed tools from you. Although the attacker can also install a rootkit which also hides their files, they may not be able to get that far into your system to do so.

Windows Explorer/ View pull down menu / Options button / Change Folders and Search options / View tab

• Always show menus
• Display the full path in the title bar
• Show hidden files, folders and drives
  

• hide empty drives
• hide folder merge conflicts
• hide extensions for known file types
• hide protected operating system files
  

• checkmark File Name Extensions
• checkmark Hidden Files

Copy this html file to \users\public\documents and login to each of your other accounts and perform the configurations per account. Search for "New Accounts to do"

OneDrive

Onedrive lets you keep your documents, pictures and PC settings on the net, ready for syncing to all of your PCs. However, your personal files are sitting there on the internet 24x365 waiting for someone to crack your password. This is not secure to say the least

Enable DEP

Data Execution Prevention is a technology that foils some types of attacks when they are coded in a certain way. By default, this feature is enabled but protects only Windows executables. You want to enable it to protect all programs, like your Firefox, Opera, Acrobat Reader and others.

Settings / System / About / Advanced System Settings

/Performance Settings button/ Data Execution Prevention Tab

  Select "Turn on DEP for all programs ..."

Disable dump file creation

Dump files are memory dumps, and everything in memory are saved to a file. This is used for debugging problems when your system crashes. However, passwords and all confidential stuff that are running currently are also saved to this file. You should enable this feature only when you are experiencing problems and need to debug.

Settings > System > About > Advanced System Settings > Startup and Recovery Settings - settings button

Write debugging info: None.

Disallow Remote Assistance

Remote assistance allow a helper to control your PC with complete desktop, keyboard and mouse access. This is not a attacker favorite as there is built in protection that allow only the invited to take control. However, there are phone scams that lure users into giving them remote access, and you will want to protect your users and prevent them from compromising your computer.

Settings > System > About > Advanced System settings > Remote tab

Un-checkmark allow remote assistance

Let Windows make more Restore Points available

System Restore can be a life saver when you encounter system errors. Setting it to use more disk space and making more restore points is good policy

Settings > System > About > Advanced System settings > System Protection tab > Configure > create bigger system restore cache

.

Enable Visibility into Windows hidden files

You want to be able to see all files and folders in Windows. If you do not do this step, hackers can hide their installed tools from you. Although the attacker can also install a rootkit which also hides their files, they may not be able to get that far into your system to do so.

Windows Explorer/ View pull down menu / Options button / Change Folders and Search options / View tab

• Always show menus
• Display the full path in the title bar
• Show hidden files, folders and drives
  

• hide empty drives
• hide folder merge conflicts
• hide extensions for known file types
• hide protected operating system files
  

• checkmark File Name Extensions
• checkmark Hidden Files

Configure Lock Screen

Unattended PCs are obvious security risks. But many people fail to take care of this via this simple setting. Most larger companies that are security aware have strict rules to enable this and not to leave PCs logged in and unattended.

Go to Settings > Personalize > Lock Screen > Screen Time out settings, configure it to wait 10 minutes.

Least Privilege part 2

If you look at \Windows\System32 folder, you will see a lot of exe programs. Some of them are Windows' GUI components and needed by the system. And some are command line programs used to administrate Windows. A Standard user account doing daily work has little use for these command line programs, as they are intended for IT administrators. In accordance with Least Privilege, these command line admin tools should be partitioned away from the User group.

Attackers aim to get use of three accounts, the admin account, the "Administrator" account, and the System account. The admin account is needed for configuring the system, so it needs full access to command line tools and we cannot avoid this. The 'Administrator' account is by default disabled. And the System account is used by some services. In testing, it is revealed that the System account cannot be constricted or else our Restore BAT wouldn't work. So in the provided configuration file, command line tools are set so that only members of the administrators group and 'TrustedInstaller' can invoke them. (The System account gets inherited rights)  Also, in line with layers of security, the command line admin programs are denied execution by low integrity processes. 

As an example, few people are aware that there is a command line FTP program, as most people use their browsers to download. This program is used mainly by attackers who need to bring over their tools once they gained command prompt or powershell access.

Software Installation Admin Account

Role Based Access Control means setting up accounts to do what it is only necessary for the job role. Hence an accountant would be set up so that he can run the accounting program, and not others like our hardening scripts. This is in accordance to the Least Privilege principle.

When we analyze our security posture, the weakest point of defense is when we are using our admin account. Sometimes, a program installer needs Software Restriction Policy turned off; because it writes to and then executes a temporary exe from within the temp folder. And we must use the admin account to install software. Sometimes the install program needs to download components online, and the downloading portion maybe vulnerable. And if the account houses our hardening scripts as well as other important documents, there is a lot to lose. Installing a new program usually takes time, may be a good half hour or more to configure, test and so on. So in this hour we are essentially running an insecure semi-hardened box. This calls for a role called the Installation Admin.

In the Configuration Pack, the Dual Admin BAT creates an installation admin (you choose the actual account name) and restricts it from running admin command line tools, and administration GUI apps. In addition, it removes ordinary user accounts from accessing admin command line tools. After configuration, the command line administrative tools ( plus regedit, regedt32 and tasksched ) can only be accessed from a full admin account using an elevated command prompt. Also, only the full admin account has take ownership right. Right click on the BAT file and choose Run as Admin.

Note: the dual admin BAT script does not assign a password to the Install Admin. Sign on into the Install Admin account and give it a passphrase.

Very often, an attacker will install a Remote Access Tool/Trojan (RAT) to monitor the victim. This program is just like an ordinary program that provides remote access like Window's own Remote Desktop or the commercial program TeamViewer. It can view our screens, see what we type and control the PC by running any program. They are very hard to detect, especially if the attacker does not make any changes to your system and just watches you. And anti-malware programs usually fail to identify them, because there are legit remote admin tools too. The goal is to hamper this RAT. The RAT will get all the permissions of the account that you sign into and require an online connection. So here is the second step; we will make our full privilege admin account go offline when used. This will buy us time to find and eliminate the RAT.

Now we create several scheduled tasks, one for the full admin, and the rest for non-admins. The first one is for the full admin sign in to disconnect the network adapter. Ensure that you are signed in as the full admin.

Note: Scheduled Tasks action line reference the network adapter name. In the majority of cases, they are called Ethernet and Wi-Fi. But if you have multiple network adapters, then the names will be different and the network adapter name needs to be changed, from 'Ethernet' and 'Wi-Fi' and replace them with what you have. The adapter names you currently have is shown at Control Panel > Network and Sharing Center > Change Adapter Settings.

• Sign in to the account you want to make offline.
• Go to Start > Windows Administrative Tools > Task Scheduler.
• Right click on Task Scheduler Library, select Create Task
• Name the task 'Full Admin logon no network', click Next
• Checkmark Run with highest privileges
• For Trigger tab, click New button, select Begin the Task 'At Logon', click Next
• Settings: Specific User; Full Admin account
• For Action, click New button
• select 'Start a program', click Next
• Paste in "netsh interface set interface name="Ethernet" admin=disabled" , click OK
• Yes
• click New button
• select 'Start a program', click Next
• Paste in "netsh interface set interface name="Wi-Fi" admin=disabled" , click OK
• Yes
• Click Finish
• Click OK

• Right click on Task Scheduler Library, select Create Task
• Name the task 'Non-Admin sign in', click Next
• Checkmark Run with highest privileges
• For Trigger tab, click New button, select Begin the Task 'At Logon', click Next
• Settings: Specific User; non admin account
• For Action, click New button
• select 'Start a program', click Next
• Paste in "netsh interface set interface name="Ethernet" admin=enabled" , click OK
• Yes
• click New button
• select 'Start a program', click Next
• Paste in "netsh interface set interface name="Wi-Fi" admin=enabled" , click OK
• Yes
• Click Finish
• Click OK

The whole set of scheduled tasks is designed to disconnect the network adapter for the full admin, when he signs in. And we reconnect the network adapter when he signs in to a non-admin account.

To test the Install Admin account's ability to properly run install programs, the following programs were tested:

• Avast antivirus free
• AVG antivirus free
• Avira antivirus free
• BitDefender antivirus free
• Voodoo Shield free
• Zone Alarm free
• Libre Office
• VLC media player

It is known that security programs requires additional rights to set themselves up, that is why security programs were tested among other programs. Avira, BitDefender, Voodoo Shield failed to install. . They require the usage of the full privilege admin account. Ordinary installation programs like VLC typically don't require as many rights. The aim is to reduce usage of the full admin account and lessen the risk. For normal programs, use the install admin account first, then if it fails, use the full admin account. To enable your full admin account's internet access, right click on the internet icon in the systray, select 'open network and sharing center', click on 'Change adapter settings'. Then right click on the adapter and choose Enable.

New to ver 4 of Dual Admin, it is now possible to run the following networking commands in the Install Admin account:

• netstat
• nslookup
• ipconfig
• ping
• tracert
• pathping
• nbtstat

Further Protecting your Data

The Documents folder has 3 ACL rules allowing access for System, YOU, and the Administrators group. If you right click on the Documents folder and choose Properties > Security tab, you will see this.

The System account is present in almost all files and folders, but it doesn't need to be as far it can be determined. Attackers also can use escalation of privilege attacks to get to use the System account because it is as powerful as an admin. You can choose Edit and Remove to take the right away.

However, the Configuration Pack BAT files need System to work, that is, if you unzipped the Configuration Pack into Documents. To work around this, you can create a Security folder under your Users\<YourAccount>\ folder and extract the files there. Just remember to move the contents back to the Documents folder when you're done.

The Administrators group is present so that any admin can access your files in an emergency. This can be removed to ensure that the Install Admin can't get at your files. Because the Install Admin has internet access, a RAT (Remote Access Trojan) can use that account to get your files if access is granted for the Administrators group. Removing the ACL entry will ensure that your data stays private. The downside of this is when you need to remove this account using Start > Settings > Accounts > Family and Other People, the Documents folder can not be deleted and will be orphaned. If the account will never be removed, or if you can remember to re-instate the Administrators group, then this rule can be deleted.

Protecting the Confidentiality of your Data in Preparation for a Breach

The files you save in Documents, Pictures and Videos are private. In event of a hacker attack, she will explore those folders in depth. Again, don't put those files in an account you surf with. And encrypt your data. Use the downloaded VeraCrypt.

1. Create Volume button
2. Create an Encypted File Container
3. Standard Veracrypt volume
4. Select File button, and enter a path and file name for the "volume"
5. AES and SHA512
6. enter a volume size that enables it to hold the files you want to protect
7. enter the password to access the encrypted files
8. move your mouse around randomly until progress bar reaches the end, to help generate the encryption key
9. Format button

To use the volume:
• Select a drive letter
• Select File button to locate the encrypted file container location
• Mount button
• Now use File Explorer to access the drive you created

Look through your documents folder now. Decide which files need to be segregated into the separate encrypted volume or to an offline machine. You MUST categorize your data files. What you don't know is what you don't know. And without looking through your documents, you will be storing important files along side your trivial document files.

Passwords list for your web sites need to physically written down into a notebook, not stored in a Notepad text file. Hackers know to look for such files.

Turn on File History

File History saves your documents, pictures, music, contacts and IE favorites every hour to a removable drive ( or USB key ). It does it every hour by default and keeps versions of the files as they change. This is a very convenient method of performing backups and should be used. Just remember to unplug the USB key when you shut down the computer and carry it with you, or else your attackers will gain access to all your files.

Go to Settings > Update & Security >Backup and click on "Add a drive"

Browsers and Security

Browsers are a major attack vector - you connect out to the internet with it and attackers know to use that same path to gain entry to your machine. Firewalls are useless against these kinds of attacks because you have an allow outbound rule for them. Browsers have new security vulnerabilities every month, and their rapid pace of new release doesn't help. New releases fixes the old vulnerabilities but introduce new ones. This is evident from their release notes if you follow them. These invariably lead to Driveby Downloads, which require No Interaction from you, the malware just downloads and runs. The safest way is to use ESR ( extended support release ) for FireFox, or Extended stable channel for Google Chrome. These versions don't add new features often, and receive security patches. On most browsers, you navigate to [menu] Help > About and it will fetch the latest version. Using a sandbox program like Sandboxie helps.

Copy and paste the following into a filo named user.js and copy it to the C:\Users\<yourAccountName>\AppData\Roaming\Mozilla\Firefox\Profiles\91yzyij5.default-release\ folder.

//Firefox 105.0.1 22H2-A
• user_pref("browser.contentblocking.category", "strict");
• user_pref("dom.security.https_first", true);
• user_pref("dom.security.https_only_mode", true);
• user_pref("dom.security.https_only_mode_ever_enabled", true);
• user_pref("dom.security.sanitizer.enabled", true);
• user_pref("dom.security.sanitizer.logging", true);
• user_pref("javascript.options.mem.max", 50);
• user_pref("javascript.options.mem.nursery.max_kb", 50);
• user_pref("javascript.options.mem.nursery.min_kb", 32);
• user_pref("javascript.options.throw_on_asmjs_validation_failure", true);
• user_pref("javascript.options.throw_on_debuggee_would_run", true);
• user_pref("network.dnsCacheEntries", 0);
• user_pref("network.http.referer.disallowCrossSiteRelaxingDefault.top_navigation", true);
• user_pref("privacy.trackingprotection.enabled", true);
• user_pref("privacy.trackingprotection.socialtracking.enabled", true);
• user_pref("toolkit.telemetry.pioneer-new-studies-available", false);
• user_pref("browser.download.useDownloadDir", false;
• user_pref("dom.disable_window_move_resize", true);
• user_pref("dom.events.dataTransfer.protected.enabled", true);
• user_pref("dom.popup_maximum", 1);
• user_pref("gfx.downloadable_fonts.enabled", false);
• user_pref("media.autoplay.default", 0);
• user_pref("network.dns.disablePrefetch", true);
• user_pref("privacy.globalprivacycontrol.enabled", true);
• user_pref("privacy.globalprivacycontrol.functionality.enabled", true);
• user_pref("privacy.resistFingerprinting", true);
• user_pref("security.dialog_enable_delay", 50);
• user_pref("security.insecure_field_warning.ignore_local_ip_address", false);
• user_pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", false);
• user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
• user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
• user_pref("security.ssl3.rsa_aes_128_sha", false);
• user_pref("security.tls.enable_post_handshake_auth", true)
• user_pref("services.sync.prefs.sync.media.autoplay.default", false);
• user_pref("browser.newtabpage.activity-stream.feeds.telemetry", false);
• user_pref("browser.newtabpage.activity-stream.telemetry", false);
• user_pref("browser.ping-centre.telemetry", false);
• user_pref("dom.security.unexpected_system_load_telemetry_enabled", false);
• user_pref("network.trr.confirmation_telemetry_enabled", false);
• user_pref("privacy.trackingprotection.origin_telemetry.enabled", false);
• user_pref("security.app_menu.recordEventTelemetry", false);
• user_pref("security.certerrors.recordEventTelemetry", false);
• user_pref("security.identitypopup.recordEventTelemetry", false);
• user_pref("security.protectionspopup.recordEventTelemetry", false);
• user_pref("toolkit.telemetry.archive.enabled", false);
• user_pref("toolkit.telemetry.bhrPing.enabled", false);
• user_pref("toolkit.telemetry.cachedClientID", "");
• user_pref("toolkit.telemetry.firstShutdownPing.enabled", false);
• user_pref("toolkit.telemetry.newProfilePing.enabled", false);
• user_pref("toolkit.telemetry.pioneer-new-studies-available", false);
• user_pref("toolkit.telemetry.shutdownPingSender.enabled", false);
• user_pref("toolkit.telemetry.updatePing.enabled", false);

You can type "about:config" into the address bar and set the following options if you want.

Firefox Extreme Hardened settings
• dom.script_loader.bytecode_cache.enabled;false
• dom.events.async.clipboard; false
• dom.event.clipboardeventsEnabled: false

Next, go here:

If using Sandboxie: \Users\<yourSurfingAccount>\AppData\Local\Mozilla\Firefox\Profiles\

• Right click on xxxxxx.default-release, choose Properties
• Security tab
• Advanced button
• Checkmark "replace all child object permissions ..."
• Disable Inheritance button
• Convert inherited permissions into explicit permissions on this object
• Apply > OK
• Advanced button
• highlight <yourSurfingAccount> , click Edit
• UnCheck Full Control, Modify, Read and Execute
• Click 'Show Advanced Permissions'
• Checkmark 'Delete subfolders and files' and 'Delete'
• OK, OK, OK

Do this for all accounts

If you have the Configuration Pack, you can copy the USER.JS file to C:\Users\<yourAccountName>\AppData\Roaming\Mozilla\Firefox\Profiles\91yzyij5.default-release\. First rename any existing user.js file. The file contains all the above settings and it will append or override the default settings. A lot of sites like gmail and financial sites require javascript = true and dom.storage.enabled = true. If you are under attack, set both to false. The settings above includes these 2 settings, and I keep a tab open to about:config to toggle them as when required.

In general, the less unecessary connections you make the better. Automatic connections that always happen can be used against you. An attacker can spoof that auto connect address and launch an attack if Firefox is vulnerable in it's receptors. The author has experienced denial of service attacks where a crafted packet was sent to some telemetry component and it always closes Firefox. The telemetry features are turned off for you above. You should set the following settings manually:

• Options > Home > Home page: blank
• Options > Home > New Tab page: blank
• Add-ons > Plug-ins > Gear > Update addons automatically: UnCheck
• Options > Sync : do not turn on

Opera, starting with version 56.0.3051.104 together with Windows 10 v1809b supports Windows Defender Exploit Protections.

• Menu > Settings:
• AutoFill
  • Offer to save passwords: off. Passwords saved in browsers are easily readable by attackers.
  • Auto Sign-in: off
  • Payment methods
    • Save and fill payment methods: off. Saved info includes your credit card number and expiration date, and are easily readable by attackers.
  • Addresses and more
    • Save and fill addresses: off. Saved info includes your cell phone number, and is easily readable by attackers.

• Privacy and Security
  Security
  • Enhanced Protection
  • Site Settings
    • Location : block
    • Camera : block
    • Microphone : block
    • Notifications: block
    • Javascript : block
    • Pop ups and redirects : block (default)
    • Background sync : off
• Downloads: Ask where to save each file ... : Enabled
• System
  • Continue running background apps when Google Chrome is closed: Disable
  • Use hardware acceleration: off

• I don't recommend people to modify chrome://flags anymore. The settings are all experimental and are developer controlled, and it is unclear what the 'Default' setting mean. When a particular feature is stable, it will be moved into the main code base. Google is now recommending enterprise admins to stay away from setting flags.

Unfortunately, the Chrome settings cannot be copied from one PC to another, so the above will have be done manually. The version above seems to have preferences for Chrome Flags and will not import a Local Settings file from from another PC.

• Go to C:\Program Files (x86)\Google\Chrome\Application
• Right click on SetupMetrics, then Properties
• Security tab
• Advanced button
• Checkmark "replace all child object permissions ..."
• Disable Inheritance button
• Convert inherited permissions into explicit permissions on this object
• Apply > OK
• Edit button
• Select "Users" on top
• Uncheck "Read and Execute" below (this will uncheck 3 items at once)
• OK

Sandboxing your Browser and Server like Apps: Sandboxie

• program stop>leader programs> chrome <or your preferred browser> so that anything that gets into this sandbox get terminated when chrome exits
• restrictions>Internet access> only chrome <or your preferred browser> so that anything that gets into this sandbox cannot access the web
• restrictions>start/run access> only chrome <or your preferred browser>
• restrictions>drop rights> checkmark 'drop rights ...'
• Applications>All Applications>Yubikey Authentication (double click)
• Applications>All Applications>Open SmartCard RPC Port (remove +)
• Applications>All Applications>Open Bluetooth RPC Port (remove +)
• Applications>All Applications>Allow direct access to Mozilla Firefox phishing database (remove +)
• Applications>All Applications>Allow direct access to Google Chrome phishing database (remove +)

Server like applications are applications that accept any connection from anybody. Like messengers. The application listens to the internet and does not restrict incoming connections. These apps are prime targets for hackers. Not to say that they are insecure - it depends if they have a vulnerability. But hackers have troves of non-public vulnerabilities and it is essential that we sandbox the application. Online games on the other hand talks only to specific game servers, and that, we can define firewall rules which specifies the app and the server ip address. If you are uncertain whether an internet based app is insecure, sandbox it.

YubiKey

YubiKey is a hardware security token. It is supported by Google's Gmail and Google Drive to replace SMS 2nd factor authentication. Without spending anything extra, SMS 2nd factor authentication is an OK security measure. (a extra logon code is sent via text messaging when you attempt to sign in). However, cell phones can be easily hacked, (especially Androids) and that 2nd factor would be useless. The token is a small USB insert and can also be used with your cell phone if your cell phone has NFC (near field communications). So you either insert the USB end into your PC or tap the token on your cell phone when navigating to gmail.com. Many sites support it, including FaceBook, Outlook, OneDrive, DropBox, Salesforce, Github, Dashlane password manager ....

You have to buy 2 tokens to register with Google Advanced Protection Program. One for daily use, and another for backup in case you lose the first one. Currently, the cheapest model is the Security Key NFC ($49 for a pair). And it is currently the best 2nd Factor authentication security measure. Highly recommended.

Yubikey Windows Login

You can make Yubikey a requirement for Windows login. Just download Yubico-Login-for-Windows from Yubico and run Yubico.Login.Config and follow the prompts.

HitmanPro Alert

HitmanPro Alert is an anti-exploit defense tool, and it primarily defends browsers. Notice that Sandboxie only protects attackers from writing to disk, thus gaining persistence. Sandboxie does not protect an attacker who uses RAM only attacks exploits. HitmanPro Alert detects many exploit coding techniques and is a good defense for your browser. It contains all the features of HitmanPro which is a good 2nd opinion AV and adds anti-exploit capability. It costs $49.97 for 1 PC and $82.50 for 3 PCs. Note that if you run it witout purchasing after the 30 day trial period, there are no anti-exploit capabilities.

You will have to add an Unrestricted Path rule to Software Restriction Policy to allow hitmanpro Alert to run it's malware detection module: C:\users\\appdata\local\temp\hitmanpro_x64.exe

Hitmanpro Alert displays a big dialog box when it detects an exploit and tries to close your browser. However, when used it conjunction with Sandboxie, it cannot close the browser - you have to manually close it upon seeing the notice. But the good thing is you know when you are hit, without it, you will be blissfully unaware that an exploit has been thrown at you. And then you can check the Sandboxie icon in the systray to see if there are still any red dots in the icon - that means that there are still processes left running in the sandbox. Then you need to right click on Sandboxie > your sandbox > Terminate Programs.

UBlock Origin

Ublock Origin is a anti-tracking and advertisment blocking browser extension. There is a version of it for every browser. It blocks web sites that try to track you accross websites, so it guards your privacy. Then it also blocks advertisments, which make for faster and clutter free browsing.

Why not a VPN service ?

VPN services proclaim because they encrypt your internet browsing traffic, you are secured. But the thing is, what are you protected from? The only scenario where it was useful was when you are sitting in a cafe using a WiFi hotspot, it stopped` snoopers from seeing where you were surfing to. It does not protect you from everything else far more dangerous: hackers, malware, drive-by-downloads, javascript attacks, and everything else the internet can bring.

From 2018 onwards, most web sites are almost obliged to provide https aka SSL encryption by popular demand - you see the padlock symbol to the right of the address bar of your browser. So your traffic to web sites are already encrypted without a VPN service. And the Firefox and Chrome browsers will stop transmissions whenever your traffic is being spied upon or manipulated by a man-in-the-middle attack and bring up a big warning notification.

VPN services were useful when offering https was expensive and only done by financial institutions and web stores. Now, everybody is using https, even web sites that only serve news; don't sell anything and don't have financial anything. VPN services are expensive, and your money is better left in your wallet or purse.

Mirosoft Windows 10 22H2 Security Baseline

Microsoft has a security baseline consisting of dozens of group policy settings. It is also available to Windows Pro users using GPedit. The author has reviewed the settings, and most are good to go. The baseline cannot be used on Windows Home because it does not support gpedit.msc.

Passwords

The best way to manage passwords is to use an address book. Yes, that's pen and paper. Keeping it in a file on the computer is just waiting for disaster to happen. Hackers know how lazy people get and rely on copy and paste from a password file, and they use a utility program to quickly search for a password file. Use an address book.

Many security experts recommend a password manager browser extension to keep track of online passwords. You just have to remember the master password, and the correct password will be inserted for you when you reach a login page. Some, like Lastpass can also generate a secure gibberish password for you. And some password managers support 2nd factor authentication like with Google's Authenticator cell phone app; so that you need to remember a master password and Google Authenticator will generate a 6 digit code for you to enter into LastPass, only then will it allow access to your password list. Don't use the 'remember your password' feature of the browser, that password list is not securely stored And don't forget the master password, Lastpass does not know your master password because they don't keep it; once you forget it all your passwords are lost. But then if you use your browser every day and hence the master password, there's is little chance of you forgetting it.

Enforce long password/passphrase

See Automated Configuration section.

BIOS Password

It is also prudent to password protect your BIOS, so that people cannot boot your PC. Also, you should change the boot order in the BIOS so that it boots the hard drive first, rather than the CD/DVD. If an attacker can insert a Linux Live CD and start up your PC, then they will be able to mount your hard drive and read all data from it, and all Windows security will be bypassed.

Physical Security

Physical security is very important and should not be overlooked. If someone has physical access to your PC, then they could bypass a lot of the hardening that was done.

For example, if a attacker could access your PC and boot up a Linux Live CD, he could then read and copy off all files from the Windows disk partition. Or he could remove your hard drive and put it into another PC as a secondary drive and get data off that way. Either way, Window's password security will be of no use, because the hard drive's copy of Windows was never started.

Lock your office or study room or bedroom containing your PC. And if it is on the ground floor of a house, then lock the Windows too.

A door lock serves to buy time for discovery of intrusion. It cannot be counted upon to prevent an intrusion as all police departments know, because if a lock is too difficult to pick, they can always drill it or break down the door. But then you would know after the fact and then the stealth preferred by hackers will be gone.

BitLocker Drive Encryption

BitLocker is a full disk encryption feature of Windows 10 Pro, When that is active, the whole drive is encrypted and will not be readable with other copies of Windows or Linux. This eliminates the offline attacks as mentioned above.

Intrusion Detection part 1

Security Events to Monitor for