Securing Windows 10 Hosts

September 23, 2019 by Kurt Ellzey

Introduction

Windows 10 is popular, but success has made the operating system a target for hackers and malicious coders. While Windows 10 has been focused on security since its release, Microsoft is continually working to make Windows 10 more secure for users. 

Not every user has the same security needs, but every Windows 10 host requires minimum security. Windows 10 starts secure at a basic level, then gives users the option to make nearly every aspect of their system as secure as it can be. 

Here is an overview of the ways Windows 10 can be configured to create secure environments for Windows 10 hosts.

Data security in Windows 10

Windows 10 data security begins with military-grade encryption called BitLocker, which protects sensitive information and prevents unauthorized access. Data is then put into discrete sections, which prevents data leaks to unauthorized users, websites, software and apps. Azure Information Protection then works with Windows Information Protection to add more granular classifications, share sensitive information and assign advanced permissions.

Windows 10 authentication mechanisms

Windows 10 offers local user account authentication using traditional credentials or picture passwords, but Windows Hello is replacing the traditional login. Windows Hello begins with a two-factor verification during enrollment. From there, Microsoft has users set up a gesture, which can be a biometric (a fingerprint or facial recognition) or a PIN.

Beyond local user credentials, Microsoft allows authentication with a user’s Microsoft account credentials, an Active Directory account or a Microsoft Azure Active Directory (Azure AD) account, which is the cloud-based authentication service used for Microsoft 365 and Office 365 subscriber accounts.

Windows 10 hardening techniques

Hardening deters, denies and delays attacks on a Windows 10 host by reducing vulnerabilities and configuring the system to function exactly as the user needs rather than remain in default settings. 

Hardening begins with a fresh install of Windows 10 from a trusted USB drive. Any extra and unwanted programs are then removed, so that the software left on the system is known to be legitimate and free of malware and bloatware. BitLocker can then be used to encrypt the hard drives; make sure the Trusted Platform Module (TPM) is enabled before turning BitLocker on.

Updating the system is a good next step. Make sure the system is caught up on all service packs, patches and updates. Then enable the device, credential, application and exploit guards. Get rid of services that are not needed but came pre-installed. Check to see if Windows Defender, the Windows antivirus solution, is turned on and working. 

Setting group policies is an important next step, especially for organizations with many users. Ransomware protection is available through Windows Defender. It should be enabled in the Virus and Threat Protection settings menu. Using Windows Hello to set up multi-factor authentication is a good last step in hardening a Windows 10 host.
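The hardening steps above can be verified after the fact. The following read-only check is an added example, not part of the original article; the pass thresholds (35 days, 3 days) are assumptions chosen for illustration, and "ransomware protection" is checked through Defender's Controlled folder access setting.

```powershell
# Added example: read-only hardening status check. Run from an elevated prompt.
# All thresholds below are illustrative assumptions, not values from the article.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check {
    param([string]$Name, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# TPM should be present and ready before BitLocker is turned on.
$tpm = Get-Tpm
Add-Check 'TPM present and ready' ($tpm.TpmPresent -and $tpm.TpmReady) `
    "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"

# Every volume BitLocker reports should be fully encrypted with protection on.
foreach ($vol in Get-BitLockerVolume) {
    $ok = ($vol.ProtectionStatus -eq 'On') -and ($vol.VolumeStatus -eq 'FullyEncrypted')
    Add-Check "BitLocker $($vol.MountPoint)" $ok `
        "Volume=$($vol.VolumeStatus) Protection=$($vol.ProtectionStatus)"
}

# Patch level: age of the most recently installed update (assumed limit: 35 days).
$last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$age = if ($last) { ((Get-Date) - $last.InstalledOn).Days } else { -1 }
Add-Check 'Update installed in last 35 days' ($age -ge 0 -and $age -le 35) `
    "Last=$($last.HotFixID) AgeDays=$age"

# Windows Defender: engine on, real-time protection on, signatures fresh.
$mp = Get-MpComputerStatus
Add-Check 'Defender antivirus enabled' $mp.AntivirusEnabled ''
Add-Check 'Real-time protection enabled' $mp.RealTimeProtectionEnabled ''
Add-Check 'Signatures at most 3 days old' ($mp.AntivirusSignatureAge -le 3) `
    "AgeDays=$($mp.AntivirusSignatureAge)"

# Ransomware protection = Controlled folder access (0 off, 1 on, 2 audit only).
$cfa = (Get-MpPreference).EnableControlledFolderAccess
Add-Check 'Controlled folder access on' ($cfa -eq 1) "Value=$cfa"

$results | Format-Table -AutoSize
```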

Securing Windows 10 with Local Group Policy

Local Group Policy is instituted to prevent individual users from accessing and negatively affecting the whole network. 

Securing Windows 10 with Group Policy begins by accessing the Group Policy Management Editor and limiting Control Panel access. Windows is then set to prevent the storage of LAN Manager password hashes.

Preventing access to the command prompt is the next security step, followed by disabling forced system restarts. Prevent malware infection from removable media drives by banning all removable drives. Software installations are then restricted and the guest account is disabled. Set the minimum password length to a higher number and set password age limits to a lower number. 

Finally, check to be sure the anonymous SID enumeration setting is disabled. The more secure Group Policy Object (GPO) is then applied to everyone on the network.
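Several of these policy settings can be read back from a host to confirm the GPO actually took effect. The script below is an added example, not from the original article. The target values (14 characters, 60 days) are assumptions, and mapping the "anonymous SID enumeration" setting to the `LSAAnonymousNameLookup` entry (the "Allow anonymous SID/Name translation" policy) is also an assumption about which setting the article means.

```powershell
# Added example: read-only review of local security policy. Run elevated.
# Target values are illustrative assumptions; the article gives no numbers.
$inf = Join-Path $env:TEMP 'secpol-review.inf'
secedit /export /cfg $inf /quiet
$policy = @{}
foreach ($line in Get-Content $inf) {
    # Lines look like "MinimumPasswordLength = 14"; section headers are skipped.
    if ($line -match '^\s*([^=\[]+?)\s*=\s*(.*)$') {
        $policy[$Matches[1]] = $Matches[2].Trim()
    }
}
Remove-Item $inf

# Read a policy value from the registry; $null when it is not configured.
function Get-RegValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$usb = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

$checks = @(
    @{ Setting = 'Minimum password length >= 14 (assumed target)'
       Value = $policy['MinimumPasswordLength']; Pass = { [int]$args[0] -ge 14 } }
    @{ Setting = 'Maximum password age 1-60 days (assumed target)'
       Value = $policy['MaximumPasswordAge']
       Pass = { [int]$args[0] -ge 1 -and [int]$args[0] -le 60 } }
    @{ Setting = 'Guest account disabled'
       Value = $policy['EnableGuestAccount']; Pass = { $args[0] -eq '0' } }
    @{ Setting = 'Anonymous SID/Name translation disabled'
       Value = $policy['LSAAnonymousNameLookup']; Pass = { $args[0] -eq '0' } }
    @{ Setting = 'LAN Manager hash storage disabled (NoLMHash = 1)'
       Value = Get-RegValue $lsa 'NoLMHash'; Pass = { $args[0] -eq 1 } }
    @{ Setting = 'All removable storage denied (Deny_All = 1)'
       Value = Get-RegValue $usb 'Deny_All'; Pass = { $args[0] -eq 1 } }
)

$checks | ForEach-Object {
    [pscustomobject]@{
        Setting = $_.Setting
        Value   = $_.Value
        Pass    = [bool](& $_.Pass $_.Value)
    }
} | Format-Table -AutoSize
```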

Web browser security in Windows 10

Windows 10 comes with Edge as the default web browser. Edge is fortified with Windows Defender Browser Protection, which is known to provide protection from malicious sites. Windows Defender also offers Browser Protection as an extension for Google Chrome for those users who prefer the Chrome experience.

Users seeking more web browser security can adjust settings within the Windows Security, Apps & Browser Control menu. Windows Defender SmartScreen can be configured to block unrecognized apps and files from the web as well.

User account management in Windows 10

Windows 10 offers the classic Local User account type as well as the Domain User account. Local Users only need a username and password, plus three security questions, to set up an account, but Domain Users must be connected with an enterprise network whose domain controller is a Windows server. Before a Domain User account can be created, it must begin as a local user, which is then upgraded.

Windows also breaks users into two further groups: Administrators and non-administrators. Privileges are restricted for non-administrators, but Admins have full access and control over the system.

On top of account type designation, Windows 10 employs User Account Control (UAC), which forces apps and tasks to run with non-administrator permissions unless changed by an Admin.

Application management in Windows 10

The first step in managing applications in Windows 10 from a security perspective is accessing the Apps & Features menu. Clicking on the Advanced Options link for each app brings up the settings for that app. The publisher listed should match the publisher of genuine applications. If they don’t match, the application could contain malware. 

The version number of the software is listed in the specifications. Updating applications to the most recent version keeps them current with security releases and changes. 

Within the App Permissions section, the user can turn permissions on and off. If an application isn’t responding or acts up, clicking the Terminate button will force-quit the app. When applications aren’t working correctly Windows 10 offers a Repair button; if that doesn’t fix the problem, there is a Reset button within the app’s Advanced Options. If needed, there is also an Uninstall button at the bottom of the settings page. 

Using certificates in Windows 10

Certificates, which have always been an important part of information security, are even more significant in Windows 10 as they are continually used to authenticate users. VPN connections, like the Always-On VPN, rely on frequently issued certificates to keep users continually connected and secure. 

Accessing certificates on a local machine is as easy as typing “cert” in Cortana. This will bring up the Certificate Manager where users may add (import), export, delete, modify and request new certificates. 

Windows 10 auditing features

Auditing in Windows 10 requires an auditing policy. Auditing (event) categories are disabled by default. Enabling the needed auditing categories allows implementation of an auditing policy. Security audits should identify issues with, and threats to, the system. Once the audit policy is configured, events are recorded in the Security log, giving the administrator the information needed to continue securing the system.
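The sequence described above (inspect the policy, enable a category, then read the resulting events from the Security log) looks like this in practice. This is an added example, not from the original article; the choice of the Logon/Logoff category and of event ID 4625 (failed logon) is an assumption made for illustration, and the category name assumes an English-language system.

```powershell
# Added example: enable one audit category and review what it records.
# Run from an elevated prompt. Category choice is an illustrative assumption.

# 1. Show the current state of every audit subcategory.
auditpol /get /category:*

# 2. Enable success and failure auditing for logon events.
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable

# 3. Pull failed logons (event ID 4625) from the last 24 hours.
$since  = (Get-Date).AddDays(-1)
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# 4. Extract the named fields from each event's XML payload.
$failed = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $data['TargetUserName']
        LogonType = $data['LogonType']
        Source    = $data['IpAddress']
    }
}

# 5. Summarize by account so repeated failures stand out.
$failed | Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```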

Windows 10 backup and recovery options

Windows 10 incorporates several options for the backup and recovery of files. Users reviewing the Update & Security settings will find File History, which saves multiple versions of personal files so they can be recovered if the most current version of a file is lost or deleted. 

The Backup and Restore option is reintroduced in Windows 10. Backup and Restore gives users the option of creating a local backup or backing up to OneDrive and allows users to use backups from previous versions of Windows. Users can also reset their system to the factory fresh settings and are given the option to retain their files. 

If the Windows system won’t boot, users can use the Windows Recovery Environment (WinRE) to repair and troubleshoot, access the recovery system image and reset without losing data and customization, even if that data wasn’t backed up. 

Wireless security in Windows 10

Microsoft prefers that users use a VPN connection profile, like the Always-On VPN, when wirelessly connecting to the internet. VPNs provide a secure wireless connection but aren’t available in every situation, so, as of May 2019, Windows 10 alerts users when they are connecting to networks that use the insecure WEP and TKIP protocols and advises them to connect to the more secure WPA2 and WPA3 wireless networks.

On their deployment planning page, Microsoft says that future releases will disallow the old ciphers. This will force users to connect to WPA2 or WPA3 networks, which use the more secure AES ciphers. 

Remote access security in Windows 10

As more work is done outside of the office, Windows 10 stays on-trend by offering VPN connection profiles, like the Always-On VPN. This allows users to connect to their corporate network from anywhere. The Always-On VPN chooses the most secure entry point to the network, based upon the user’s geography. Then it automates connections by issuing certificates, which are continually renewed using multi-factor authentication. 

Conclusion

Windows 10 was designed to be secure but also to allow users the flexibility to go anywhere with their devices without being slowed down by security checkpoints. Windows 10 accomplishes this with solutions like the Always-On VPN, which gives users continual access to their accounts out in the world while operating within a secure network. 

Some users never seek a more secure environment, unaware of the risks they are exposed to. For them, Windows has created solutions like the 2019 update that warns users when they are trying to connect to an unsecured network.

Sources

  1. Features removed or planned for replacement starting with Windows 10, version 1903, Microsoft
  2. Windows 10 is now more popular than Windows 7, The Verge
  3. Recovery options in Windows 10, Microsoft
  4. Certmgr.msc or Certificate Manager in Windows 10/8/7, TheWindowsClub
  5. How to change a Windows 10 user account type and why, Windows Central

Kurt Ellzey has worked in IT for the past 12 years, with a specialization in Information Security. During that time, he has covered a broad swath of IT tasks from system administration to application development and beyond. He has contributed to a book published in 2013 entitled "Security 3.0" which is currently available on Amazon and other retailers.