Hard_Configurator is highly recommended and will save a lot of your time.
- Standards for a highly secure Windows device
- System up2date with latest Windows stable version
- (default activated) and Up2date internal Microsoft Defender protection instead of external "Security" solutions
- Latest Driver and Program updates
- No "Tuning" tools (not even stuff like Ccleaner!)
- Only necessary programs / apps / games which you realy need
- avoid insecure software like 7-Zip (which e.g. lacks Anti-Exploit and MOTW support), Open/ LibreOffice, Firefox, True/Veracrypt, ...
- stay away from "Anti-Spying"/ "Anti-Telemetry"/.. tools and use official documentation
- Hardware Requirements for System Guard / Hardware-based Isolation
- Hardware Requirements for Memory integrity
- Hardware Requirements for Microsoft Defender Application Guard (WDAG)
- Hardware Requirements for Microsoft Defender Credential Guard
- set User Account Control (UAC) to maximum
- create another Admin account and transform your current one to limited/ restricted/ standard user account to reduce the attack surface enormously. Don't use Admin account for your tasks!
- use Software Restriction Policies (SRP) with a default-deny mode
- execute/ open new files with one-day-delay because after one day, the malware is not 0-day anymore
- block all incoming connections with Microsoft Defender Firewall
- Always display file type extension
- Manage Microsoft Defender Credential Guard
- Install Microsoft Defender Application Guard (WDAG)
- Enable Memory integrity (HVCI)
- Enable Network Protection (NP)
- Enable SmartScreen and enable SmartScreen Log
- Enable Controlled Folder Access (CFA)
- Enable Attack Surface Reduction rules (ASR)
- Harden Address Space Layout Randomization (ASLR)
- Enable System Guard Secure Launch
- Enable cloud-delivered protection
- Activate Potentially unwanted applications (PUA) protection
- Enable Bitlocker Encryption with TPM, optionally with Startup PIN & read about Countermeasures and reduce DMA threats
- Use Windows Sandbox for unknown/ untrusted binarys - you can use it with right click menu - or use Virtual Machine with Hyper-V
- Enable sandboxing for Microsoft Defender Antivirus
- Only elevate executables which are signed and validated
- use the only browser on Windows that natively supports hardware isolation: Edge
- use EFS file encryption for very sensitive files - also compatible with Bitlocker
- (if OneDrive is used), harden it with Windows CFA (Control Folder Access aka Ransomware Protection)
- avoid old file systems like FAT32 as such format does not preserve Alternative NTFS Streams (Mark Of The Web is skipped)
- While DNS encryption isn't perfect both Quad9 and AdGuard are recommend. Quad9 provide a easy solution with Apple signed profiles. NextDNS is another service, but it struggles with stability/performance and support issues.
- Specify the cloud-delivered protection level
- Configure Exploit Protection, like Edge 90+ with enforced CET
- Microsoft recommended block rules
- Control USB devices and other removable media
- UEFI Hardening (NSA Defensive Practices Guidance) PDF & Hardware-and-Firmware-Security-Guidance
- Hardware and Firmware Security Guidance for Windows & AMD CPUs - you will find more in the overview
- Deploy Windows Security Baselines and keep it up2date
- use Mandatory Integrity Control
- Custom ADMX template focused on hardening Windows 10 systems
- Application Control (WDAC) - Microsoft's Policy Wizard will help a lot
- Enterprise Certificate Pinning
- Block untrusted fonts in an enterprise
- Web protection
- Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
- Manage Windows Hello for Business
- Protect against DLL Search Order Hijacking
- report a vulnerable or malicious driver to the Windows and Defender teams
- Video from Matt Soseman: Investigating Backdoor Attacks w/ Microsoft Defender ATP
- Video from Matt Soseman: Investigating a Fileless Attack w/ Microsoft Defender ATP & Exploit Protection
- Video from Matt Soseman: What is the Microsoft Cybersecurity Reference Architectures (MCRA) and why should I care?
- Microsoft Defender ATP secure score
- Validate connections between your network and the Microsoft Defender Antivirus cloud service
- Verify client connectivity to Microsoft Defender ATP service URLs
- Validate Microsoft Defender Tamper protection
- Confirm and validate that Defender "Block at First Sight" (BAFS) is enabled
- Microsoft Defender Testground
- Microsoft Defender SmartScreen Demo Pages
- Validate your Kernel DMA Protection
- Test your Antimalware Scan Interface (AMSI)
- Test your Network protection
- Changelogs for Defender security intelligence updates
- check if your Bitlocker is safe against Bitleaker: Blog
- Process Monitor (tool from Microsoft) filter for finding privilege escalation vulnerabilities on Windows
- winchecksec performs static detection of common Windows security features
- Sysmon configuration file template with default high-quality event tracing
- Defender Firewall with Advanced Security
- https://github.com/frizb/Windows-Privilege-Escalation
- https://github.com/LOLBAS-Project/LOLBAS
- https://github.com/api0cradle/UltimateAppLockerByPassList
- https://trustedwindows.wordpress.com/
- https://docs.microsoft.com/en-us/windows-hardware/drivers/install/early-launch-antimalware
- https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria
- https://docs.microsoft.com/en-us/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10
- https://docs.microsoft.com/en-us/windows/security/
- a picture about Microsoft Defender local and cloud script protection
- a picture about Attack Surface Reduction (ASR) Rules
- Security Unlocked - The Microsoft Security Podcast
- How the hell WD works on Windows Home & Pro documentation from AndyFul
- Windows AppContainer Isolation - what it does? from AndyFul
- Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection
- Windows Defender Application Control (WDAC) Resources / PowerShell script
- Why UAC is important at maximum (not default) level: 1, 2, 3, 4, ..
- Testing DLL Search Order Hijacking against security features from AndyFul
- Some info about training AMSI machine learning models from AndyFul
- Cheap sandboxing with AppContainers Blog
- Meet the Microsoft Pluton processor – The security chip designed for the future of Windows PCs Blog
- Complete W^X implementation in Windows with ACG
- Understanding Hardware-enforced Stack Protection (CET)
- Threat Detection using Windows Defender Application Control (Device Guard) in Audit Mode Blog
- Security Unlocked - The Microsoft Security Podcast about Below the OS: UEFI Scanning in Defender
- How the (Powershell) Constrained Language Mode is enforced Blog
- Application Control denies execution of randomly generated PowerShell PS1 files Blog
- Applocker and PowerShell: how do they tightly work together? Blog
- PowerShell 5.0 and Applocker. When security doesn’t mean security Blog
- German BSI - SiSyPHuS Win10: Study on System Integrity, Logging, Hardening and Security relevant Functionality in Windows 10
- rc3 event - Breaking Thunderbolt 3 Security
- CIS Security Benchmark
- NIST Security Technical Implementation Guide
- AppLocker and WDAC help Blog
- Microsoft Defender Attack Surface Reduction (ASR) recommendations
- Adventures in Extremely Strict Device Guard (WDAC) Policy Configuration Blog
- Building a Simple, Secure Windows-only WDAC Policy Blog
- Application Control on Windows 10 Home
- Windows Hello - Why a PIN is better than a password
- Battle of the SKM and IUM: How Windows 10 Rewrites OS Architecture (blackhat USA 2015 talk)
- Defender (with ConfigureDefender tool) vs fileless malware
- Offense and Defense – A Tale of Two Sides: Bypass UAC
- Microsoft Windows Antimalware Scan Interface (AMSI) Bypasses
- Windows security book in web doc form
- Video from Matt Soseman: Smartscreen in Edge (& Chrome) to block phishing & malicious websites
- Video from Matt Soseman: Block at First Sight (BAFS): Windows Defender blocking malware in SECONDS!
- Video from Matt Soseman: How Controlled Folder Access (CFA) works in Windows
- Video from Matt Soseman: Block Potentially Unwanted Applications (PUA) in Microsoft Defender Antivirus
- Video1, Video2 from Matt Soseman: Attack Surface Reduction (ASR) in Windows
- Video from Matt Soseman: Hardware Isolated Browsing w/ Microsoft Defender Application Guard
- what is meant by "User Space"
- what the feature "Allow apps from the store only" does