Hard_Configurator saves a lot of time, but it is currently not compatible with Windows 11 22H2.
ConfigureDefender (bundled with Hard_Configurator) can still be used and works on 22H2.
Requirements
- Minimum standards for a highly secure Windows device (Secured-core PC)
- Windows up-to-date
- Microsoft Defender up-to-date
- Latest Driver and Program updates
- Only necessary programs/apps/games which you need
- Avoid software without modern exploit mitigations or Mark of the Web (MOTW) support, e.g. 7-Zip (no anti-exploit features; releases from 22.00 on can propagate the Zone.Identifier stream, but only if that option is switched on), (browser) forks, Open/LibreOffice, Firefox, True/VeraCrypt, ...
- Stay away from "anti-spying"/"anti-telemetry" tools; configure privacy settings from the official documentation instead
- No "tuning" tools (not even things like CCleaner!)
- Hardware Requirements for System Guard / Hardware-based Isolation
- Hardware Requirements for Memory integrity
- Hardware Requirements for Microsoft Defender Application Guard (WDAG)
- Hardware Requirements for Microsoft Defender Credential Guard
Hardening
- Set User Account Control (UAC) to maximum
- Create a separate admin account and convert your current account to a standard (limited) user; this alone removes a large part of the attack surface. Don't do your daily work with administrator rights!
- Use Smart App Control
- Block all incoming connections with Microsoft Defender Firewall
- Always display file type extension
- Manage Microsoft Defender Credential Guard
- Install Microsoft Defender Application Guard (WDAG) and use it for untrusted sites
- Enable Memory Integrity (HVCI)
- Enable Network Protection (NP)
- Enable SmartScreen and enable SmartScreen Logs
- Enable Controlled Folder Access (CFA)
- Enable Attack Surface Reduction rules (ASR)
- Enable Mandatory ASLR and Bottom-Up ASLR (Address Space Layout Randomization)
- Enable System Guard Secure Launch
- Enable cloud-delivered protection
- Enable protection against Potentially Unwanted Apps (PUA)
- Enable BitLocker encryption with TPM, optionally with a startup PIN, and read about the countermeasures to reduce DMA threats
- Use Windows Sandbox for new/unknown binaries (it can be added to the right-click menu) or enable Hyper-V / Virtual Machine Platform for full virtual machines
- Enable sandboxing for Microsoft Defender Antivirus
- Only elevate executables which are signed and validated
- Use the only browser that natively supports hardware isolation: Edge
- Use EFS file encryption for very sensitive files - also compatible with Bitlocker
- Harden OneDrive with Controlled Folder Access (CFA, aka Ransomware Protection)
- Avoid old file systems like FAT32 that do not preserve NTFS Alternate Data Streams (the Mark of the Web is stored there and gets lost)
- DNS encryption isn't perfect, but both Quad9 and Cloudflare are recommended. AdGuard and NextDNS are alternatives, but some users report problems such as false-positive filtering and stability/performance issues.
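The bullets above are what an elevated PowerShell session can apply in one go. The script below is an added example, not part of the original checklist; it uses only built-in cmdlets and the documented registry values, assumes Windows 10/11 Pro or Enterprise with Microsoft Defender as the active antivirus, is run once from the admin account (not the daily standard user), and starts the ASR rules in audit mode so you can check for breakage before enforcing them.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original checklist: applies the Hardening
# bullets above with built-in cmdlets and the documented registry values.
# Assumptions: Windows 10/11 Pro or Enterprise, Microsoft Defender is the
# active AV, and you are willing to reboot; ASR rules start in audit mode.
$ErrorActionPreference = 'Stop'

function Set-RegValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# UAC at the maximum level ("Always notify", prompt on the secure desktop) and
# "Only elevate executables that are signed and validated".
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-RegValue $uac 'EnableLUA' 1
Set-RegValue $uac 'ConsentPromptBehaviorAdmin' 2
Set-RegValue $uac 'PromptOnSecureDesktop' 1
Set-RegValue $uac 'ValidateAdminCodeSignatures' 1

# SmartScreen for Explorer: on, and block instead of warn.
$ss = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
Set-RegValue $ss 'EnableSmartScreen' 1
Set-RegValue $ss 'ShellSmartScreenLevel' 'Block' 'String'

# Always show file extensions (per user; run once in each account).
Set-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt' 0

# Defender Firewall: on for every profile, block all inbound connections.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Defender AV: cloud-delivered protection (needed for Block at First Sight),
# PUA blocking, Network Protection, Controlled Folder Access, AV sandbox.
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples `
    -CloudBlockLevel High -CloudExtendedTimeout 50 -PUAProtection Enabled `
    -EnableNetworkProtection Enabled -EnableControlledFolderAccess Enabled
if ($env:OneDrive) { Add-MpPreference -ControlledFolderAccessProtectedFolders $env:OneDrive }
[Environment]::SetEnvironmentVariable('MP_FORCE_USE_SANDBOX', '1', 'Machine')

# Attack Surface Reduction rules (GUIDs from Microsoft's ASR rule reference).
# Start in AuditMode, review event 1122 in "Microsoft-Windows-Windows Defender/Operational",
# then set $asrAction to 'Enabled' and run again.
$asrAction = 'AuditMode'
$asrRules = @(
    'BE9BA2D9-53EA-4CDC-84E5-9B1EECEE46D1'  # executable content from email client and webmail
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'  # Office apps creating child processes
    '3B576869-A4EC-4529-8536-B80A7769E899'  # Office apps creating executable content
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'  # Office apps injecting into other processes
    'D3E037E1-3EB8-44C8-A917-57927947596D'  # JS/VBScript launching downloaded executables
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'  # potentially obfuscated scripts
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'  # credential theft from LSASS
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C'  # process creation from PsExec/WMI
    'C1DB55AB-C21A-4637-BB3F-A12568109D35'  # advanced ransomware protection
    '56A863A9-875E-4185-98A7-B882C64B5CE5'  # abuse of exploited vulnerable signed drivers
)
foreach ($id in $asrRules) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $asrAction
}

# Mandatory ASLR and bottom-up ASLR for every process (old binaries without
# relocation data may crash; check the Security-Mitigations event log afterwards).
Set-ProcessMitigation -System -Enable ForceRelocateImages, BottomUp, HighEntropy

# Virtualization-based security: Memory Integrity (HVCI), Credential Guard
# with UEFI lock, System Guard Secure Launch. Needs UEFI, Secure Boot and an IOMMU.
$dg = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
Set-RegValue $dg 'EnableVirtualizationBasedSecurity' 1
Set-RegValue $dg 'RequirePlatformSecurityFeatures' 3          # 1 = Secure Boot, 3 = Secure Boot + DMA protection
Set-RegValue "$dg\Scenarios\HypervisorEnforcedCodeIntegrity" 'Enabled' 1
Set-RegValue "$dg\Scenarios\SystemGuard" 'Enabled' 1
Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LsaCfgFlags' 1   # 2 = without UEFI lock

# Application Guard and Windows Sandbox (both need a reboot).
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart | Out-Null
Enable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM -NoRestart | Out-Null

# BitLocker: TPM + startup PIN on the OS drive, recovery password added first.
# The policy values allow a PIN (UseTPMPIN 2 = allow, 1 = require) and block
# new DMA devices while the screen is locked.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
Set-RegValue $fve 'UseAdvancedStartup' 1
Set-RegValue $fve 'UseTPMPIN' 2
Set-RegValue $fve 'DisableExternalDMAUnderLock' 1
$os = $env:SystemDrive
if ((Get-BitLockerVolume -MountPoint $os).ProtectionStatus -eq 'Off') {
    Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector | Out-Null
    $pin = Read-Host -AsSecureString 'BitLocker startup PIN'
    Enable-BitLocker -MountPoint $os -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest `
        -TpmAndPinProtector -Pin $pin
    Write-Host 'Back up the recovery password now:'
    (Get-BitLockerVolume -MountPoint $os).KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
Write-Host 'Reboot to activate HVCI, Credential Guard, Secure Launch, BitLocker and the optional features.'
```

Everything under DeviceGuard and the optional features only become active after the reboot; the next section's test script shows how to confirm they did. If Memory Integrity refuses to start, the usual cause is an incompatible driver, which Windows Security lists under Core isolation.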
Further Hardening
- Specify the cloud-delivered protection level
- Configure Microsoft's Exploit Protection and Enforced CET
- Use Microsoft's recommended block rules
- Control USB devices and other removable media
- See the NSA's UEFI Defensive Practices Guidance and its Hardware-and-Firmware-Security-Guidance repository
- See Hardware and Firmware Security Guidance for Windows and AMD CPUs
- Deploy the Windows Security Baselines and keep them up-to-date
- Use Mandatory Integrity Control
- Use Security-ADMX custom template focused on hardening Windows 10 systems
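Exploit Protection and CET are set through the ProcessMitigations module, and the result can be exported and re-applied elsewhere. The script below is an added example, not code from the original list; it assumes a CET-capable CPU and a ProcessMitigations module version that knows the shadow-stack mitigation names (UserShadowStack, AuditUserShadowStack), and `notepad.exe` is just a placeholder for the program you actually want to harden.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original list: Exploit Protection defaults for
# every process, CET shadow stacks for one program (audit first), a policy export
# you can re-apply on other machines, and the USB storage driver switched off.
# Assumptions: a CET-capable CPU and a ProcessMitigations module that accepts the
# UserShadowStack names; 'notepad.exe' stands in for the program you want to harden.
$ErrorActionPreference = 'Stop'

# System-wide defaults (the "System settings" tab of Exploit Protection):
# DEP, SEHOP, CFG, mandatory + bottom-up + high-entropy ASLR, heap integrity.
Set-ProcessMitigation -System -Enable DEP, SEHOP, CFG, ForceRelocateImages, BottomUp, HighEntropy, TerminateOnError

# Per-program: CET in audit mode so incompatible modules are logged
# (Microsoft-Windows-Security-Mitigations event logs) instead of the process
# being killed, plus the ROP/EAF/IAF checks and Microsoft-signed-only DLL loading
# (the last one may break third-party shell hooks and input methods).
$target = 'notepad.exe'
Set-ProcessMitigation -Name $target -Enable AuditUserShadowStack, EnableRopStackPivot, EnableRopCallerCheck, `
    EnableRopSimExec, EnableExportAddressFilterPlus, EnableImportAddressFilter, MicrosoftSignedOnly
# Once the audit events are clean, enforce the shadow stack:
# Set-ProcessMitigation -Name $target -Disable AuditUserShadowStack -Enable UserShadowStack

# Show the effective settings and export the whole configuration to XML
# (apply on another host with: Set-ProcessMitigation -PolicyFilePath <file>).
Get-ProcessMitigation -Name $target
$export = Join-Path $env:USERPROFILE 'ExploitProtection.xml'
Get-ProcessMitigation -RegistryConfigFilePath $export
Write-Host "Exported to $export"

# Removable media: the blunt option is to stop the USB storage driver (Start = 4).
# Use the Deny_Write / Deny_Execute policy values under
# HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices if you still need read access.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name 'Start' -Value 4
```

Per-program mitigations take effect the next time the program starts; system-wide ones after a reboot.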
Enterprises
- Application Control (WDAC) - Microsoft's Policy Wizard helps a lot
- Enterprise Certificate Pinning
- Block untrusted fonts in an enterprise
- Web protection
- Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
- Manage Windows Hello for Business
- Protect against DLL Search Order Hijacking
- Report vulnerable or malicious drivers to the Windows and Defender teams
- Video from Matt Soseman: Investigating Backdoor Attacks w/ Microsoft Defender ATP
- Video from Matt Soseman: Investigating a Fileless Attack w/ Microsoft Defender ATP & Exploit Protection
- Video from Matt Soseman: What is the Microsoft Cybersecurity Reference Architectures (MCRA) and why should I care?
- Microsoft Defender ATP secure score
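For the WDAC bullet, here is what a first Windows-only policy looks like when built with the ConfigCI cmdlets instead of the Policy Wizard. This is an added example, not code from the original list: it starts from the DefaultWindows template that ships in every Windows install, merges in Microsoft's recommended block rules (assumed to have been saved from the docs page to a local file, path hypothetical), deploys the result in audit mode on Windows 11 22H2 via CiTool, and then reads back the "would have been blocked" events that the linked audit-mode blog relies on.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original list: a Windows-only WDAC policy built
# from the template Windows ships, merged with Microsoft's recommended block rules,
# deployed in audit mode, and the audit events read back.
# Assumptions: Windows 11 22H2 (multiple-policy format, CiTool.exe) and that you
# saved the block-rules XML from the Microsoft docs to $blockRules (hypothetical path).
$ErrorActionPreference = 'Stop'
$work       = Join-Path $env:USERPROFILE 'WDAC'
$template   = "$env:windir\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml"
$blockRules = Join-Path $work 'MicrosoftRecommendedBlockRules.xml'   # assumption: saved from the docs
$policyXml  = Join-Path $work 'WindowsOnly_Audit.xml'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Template + block rules (deny known LOLBins and old PowerShell versions), then a
# fresh policy ID, which also converts the XML to the multiple-policy format.
Merge-CIPolicy -OutputFilePath $policyXml -PolicyPaths $template, $blockRules | Out-Null
Set-CIPolicyIdInfo -FilePath $policyXml -ResetPolicyID -PolicyName 'WindowsOnly' | Out-Null
$policyId = ([xml](Get-Content $policyXml)).SiPolicy.PolicyID.Trim('{', '}')

# Rule options: 0 UMCI, 3 Audit Mode, 6 unsigned policy allowed, 10 boot audit
# on failure, 16 update without reboot. Delete option 3 later to enforce:
# Set-RuleOption -FilePath $policyXml -Option 3 -Delete
foreach ($opt in 0, 3, 6, 10, 16) { Set-RuleOption -FilePath $policyXml -Option $opt }
# Allow your own signed line-of-business apps by publisher rather than by path:
# Add-SignerRule -FilePath $policyXml -CertificatePath .\vendor.cer -User

# Compile and activate (no reboot needed thanks to option 16).
$cip = Join-Path $work "$policyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $cip | Out-Null
& "$env:windir\System32\CiTool.exe" --update-policy $cip -json

# What would have been blocked? 3076 = binaries and drivers, 8028 = scripts and MSI.
function Get-WdacAuditEvents([datetime]$Since = (Get-Date).AddDays(-7)) {
    $filters = @(
        @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076; StartTime = $Since },
        @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script';  Id = 8028; StartTime = $Since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
    }
}
Get-WdacAuditEvents | Format-Table -AutoSize
# Turn the audit trail into allow rules for a supplemental policy when you are ready:
# New-CIPolicy -Audit -Level FilePublisher -Fallback Hash -UserPEs -MultiplePolicyFormat -FilePath (Join-Path $work 'FromAudit.xml')
```

Run it in audit mode for at least a week of normal use before removing option 3; the 3076/8028 events are also the cheapest detection signal you get on a machine without EDR, because anything a user runs that is not part of Windows shows up there.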
Test Config
- Validate connections between your network and the Microsoft Defender Antivirus cloud service
- Verify client connectivity to Microsoft Defender ATP service URLs
- Validate Microsoft Defender Tamper protection
- Confirm and validate that Defender "Block at First Sight" (BAFS) is enabled
- Microsoft Defender Testground
- Microsoft Defender SmartScreen Testground
- Validate your Kernel DMA Protection for Thunderbolt
- Test your Antimalware Scan Interface (AMSI) and your Network Protection
- Changelogs for Defender security intelligence updates
- Check whether your BitLocker setup is safe against BitLeaker: Blog
- Use Process Monitor (tool from Microsoft) with this filter for finding privilege escalation vulnerabilities in Windows
- Check out winchecksec to perform static detection of common Windows security features
- Sysmon configuration file template with default high-quality event tracing
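Most of the checks in this section can be done from one elevated PowerShell window. The script below is an added example, not code from the original list: it reads back the state of the features from the Hardening section, runs Microsoft's own MpCmdRun connectivity check for the Defender cloud, and fires the documented AMSI test string. It assumes Microsoft Defender is the active antivirus and that the machine is UEFI (Confirm-SecureBootUEFI throws on legacy BIOS, which the script treats as "no Secure Boot").

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original list: read-only checks for the
# Hardening and Test Config items, so you can see what actually took effect
# after the reboot. Assumptions: elevated PowerShell, Microsoft Defender is the
# active AV; the cloud check uses MpCmdRun's own -ValidateMapsConnection switch.

function Get-HardeningStatus {
    $mp   = Get-MpComputerStatus
    $pref = Get-MpPreference
    $dg   = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $fw   = Get-NetFirewallProfile
    $bl   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $uac  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $aslr = (Get-ProcessMitigation -System).ASLR
    $secureBoot = $(try { Confirm-SecureBootUEFI } catch { $false })   # throws on legacy BIOS
    $asr  = @($pref.AttackSurfaceReductionRules_Actions)                # 1 = block, 2 = audit

    [ordered]@{
        'Defender real-time protection' = $mp.AMServiceEnabled -and $mp.RealTimeProtectionEnabled
        'Tamper protection'             = $mp.IsTamperProtected
        'Signature age (days)'          = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).Days
        'Cloud protection (MAPS)'       = $pref.MAPSReporting -eq 2                 # 2 = Advanced
        'Block at First Sight possible' = $pref.MAPSReporting -eq 2 -and $pref.SubmitSamplesConsent -in 1, 3   # safe/all samples
        'Cloud block level'             = $pref.CloudBlockLevel                     # 0 default, 2 high, 4 high+, 6 zero tolerance
        'PUA protection'                = $pref.PUAProtection -eq 1
        'Network protection'            = $pref.EnableNetworkProtection -eq 1      # 2 = audit only
        'Controlled folder access'      = $pref.EnableControlledFolderAccess -eq 1
        'ASR rules block / audit'       = '{0} / {1}' -f @($asr | Where-Object { $_ -eq 1 }).Count, @($asr | Where-Object { $_ -eq 2 }).Count
        'VBS running'                   = $dg.VirtualizationBasedSecurityStatus -eq 2
        'Credential Guard running'      = 1 -in $dg.SecurityServicesRunning
        'Memory integrity (HVCI)'       = 2 -in $dg.SecurityServicesRunning
        'System Guard Secure Launch'    = 3 -in $dg.SecurityServicesRunning
        'Secure Boot'                   = $secureBoot
        'TPM ready'                     = (Get-Tpm).TpmReady
        'Firewall on, inbound blocked'  = @($fw | Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' }).Count -eq 0
        'BitLocker OS drive'            = '{0} ({1})' -f $bl.ProtectionStatus, ($bl.KeyProtector.KeyProtectorType -join ', ')
        'UAC always notify'             = $uac.EnableLUA -eq 1 -and $uac.ConsentPromptBehaviorAdmin -eq 2 -and $uac.PromptOnSecureDesktop -eq 1
        'Mandatory ASLR / bottom-up'    = '{0} / {1}' -f $aslr.ForceRelocateImages, $aslr.BottomUp
    }
}

function Test-DefenderCloud {
    # Microsoft's own connectivity check for the Defender AV cloud service (MAPS).
    & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
    # Plain TCP reachability of the cloud protection and SmartScreen endpoints.
    foreach ($h in 'wdcp.microsoft.com', 'smartscreen.microsoft.com') {
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Tcp443 = $r.TcpTestSucceeded }
    }
}

function Test-Amsi {
    # Microsoft's documented AMSI test string: a working AMSI provider must block it
    # (PowerShell reports "malicious content ... blocked by your antivirus software"
    # and Defender logs event 1116). Without AMSI it is just a parse error.
    $sample = 'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'
    try { Invoke-Expression $sample; return 'AMSI did not block the test string' }
    catch { return $(if ($_.Exception.Message -match 'malicious content') { 'AMSI blocked the test string' } else { "AMSI not triggered: $($_.Exception.Message)" }) }
}

$status = Get-HardeningStatus
$status.GetEnumerator() | ForEach-Object { [pscustomobject]@{ Check = $_.Key; Value = $_.Value } } | Format-Table -AutoSize
Test-DefenderCloud
Test-Amsi
```

Anything that shows False in the first table after a reboot is either blocked by hardware (VBS, Secure Launch) or has been changed back by a driver or a "tuning" tool; the SecurityServicesRunning numbers come straight from the Win32_DeviceGuard class, so they reflect what the hypervisor actually started, not what the registry asks for.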
Reading Material:
- Defender Firewall with Advanced Security
- https://github.com/frizb/Windows-Privilege-Escalation
- https://github.com/LOLBAS-Project/LOLBAS
- https://github.com/api0cradle/UltimateAppLockerByPassList
- https://trustedwindows.wordpress.com/
- https://docs.microsoft.com/en-us/windows-hardware/drivers/install/early-launch-antimalware
- https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria
- https://docs.microsoft.com/en-us/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10
- https://docs.microsoft.com/en-us/windows/security/
- a picture about Microsoft Defender local and cloud script protection
- a picture about Attack Surface Reduction (ASR) Rules
- Security Unlocked - The Microsoft Security Podcast
- How the hell WD works on Windows Home & Pro documentation from AndyFul
- Windows AppContainer Isolation - what it does? from AndyFul
- Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection
- Windows Defender Application Control (WDAC) Resources / PowerShell script
- Why UAC is important at maximum (not default) level: 1, 2, 3, 4
- Testing DLL Search Order Hijacking against security features from AndyFul
- Some info about training AMSI machine learning models from AndyFul
- Cheap sandboxing with AppContainers Blog
- Meet the Microsoft Pluton processor – The security chip designed for the future of Windows PCs Blog
- Complete W^X implementation in Windows with ACG
- Understanding Hardware-enforced Stack Protection (CET)
- Threat Detection using Windows Defender Application Control (Device Guard) in Audit Mode Blog
- Security Unlocked - The Microsoft Security Podcast about Below the OS: UEFI Scanning in Defender
- How the (Powershell) Constrained Language Mode is enforced Blog
- Application Control denies execution of randomly generated PowerShell PS1 files Blog
- Applocker and PowerShell: how do they tightly work together? Blog
- PowerShell 5.0 and Applocker. When security doesn't mean security Blog
- German BSI - SiSyPHuS Win10: Study on System Integrity, Logging, Hardening and Security relevant Functionality in Windows 10
- rc3 event - Breaking Thunderbolt 3 Security
- CIS Security Benchmark
- NIST Security Technical Implementation Guide
- AppLocker and WDAC help Blog
- Microsoft Defender Attack Surface Reduction (ASR) recommendations
- Adventures in Extremely Strict Device Guard (WDAC) Policy Configuration Blog
- Building a Simple, Secure Windows-only WDAC Policy Blog
- Application Control on Windows 10 Home
- Windows Hello - Why a PIN is better than a password
- Battle of the SKM and IUM: How Windows 10 Rewrites OS Architecture (blackhat USA 2015 talk)
- Defender (with ConfigureDefender tool) vs fileless malware
- Offense and Defense – A Tale of Two Sides: Bypass UAC
- Microsoft Windows Antimalware Scan Interface (AMSI) Bypasses
- Windows security book in web doc form
- Video from Matt Soseman: Smartscreen in Edge (& Chrome) to block phishing & malicious websites
- Video from Matt Soseman: Block at First Sight (BAFS): Windows Defender blocking malware in SECONDS!
- Video from Matt Soseman: How Controlled Folder Access (CFA) works in Windows
- Video from Matt Soseman: Block Potentially Unwanted Applications (PUA) in Microsoft Defender Antivirus
- Video1, Video2 from Matt Soseman: Attack Surface Reduction (ASR) in Windows
- Video from Matt Soseman: Hardware Isolated Browsing w/ Microsoft Defender Application Guard
- what is meant by "User Space"
- what the feature "Allow apps from the store only" does