A security baseline is a recommended set of configuration settings applied to every endpoint, device, and network in an effort to increase its protection. Every organization is likely to have its own way of hardening its networks and endpoints based on its needs, but many also follow a standard guide such as Microsoft’s security baselines or NIST.
I know there are much more in-depth ways to harden an endpoint, but this is a POC, showcasing a beginner’s way of applying the most basic protections to a Windows 11 environment for a new machine and/or a new user.
This beginner baseline guide will show how to:
- Enable Automatic Windows Updates (for the most up-to-date security updates)
- Verify Windows Defender is Enabled (anti-virus threat protection)
- Enable Windows Firewall (we want to block bad incoming traffic and allow good outgoing traffic)
- Set a lock screen policy (for personal security hygiene)
- Remove Local Admin (Least Privilege)
- Enable BitLocker (For data encryption at rest)
- Enable SmartScreen (helps prevent phishing attempts, malicious sites, and malicious software)
Enabling Automatic Windows Updates
Go to Settings > Windows Update
Check for updates; if any are available, apply them and restart

Next, go to Advanced options and turn on automatic updates:

Ensuring Windows Defender is Enabled
Go to Windows Security > Virus & threat protection
- Real-time protection = ON
- Cloud protection = ON
- Tamper protection = ON

Enable Windows Firewall
Go to Windows Security > Firewall & network protection
- Domain Network = ON
- Private Network = ON
- Public Network = ON

Setting a Lock Screen Policy
Go to Settings > Accounts > Sign-in options
- Under ‘Additional settings’, set ‘If you’ve been away, when should Windows require you to sign in again?’ to ‘When PC wakes from sleep’

Next, go to Settings > System > Power
- Open ‘Screen, sleep, and hibernate timeouts’
- Set ‘Turn off my screen after’ = 5 minutes
- Set ‘Make my device sleep after’ = 10 minutes

Remove Local Admin (least privilege)
Go to Computer Management > Local Users and Groups > Groups > Administrators
- Remove any user that is not Administrator
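The same review can be done from an elevated PowerShell session. The script below is an added example, not code from the original post: it lists every member of the local Administrators group, keeps the built-in Administrator (matched by its well-known RID 500 rather than by name) plus an assumed allow-list, and previews the removal of everything else with -WhatIf. One caveat worth building in: on Windows 11 the built-in Administrator account is disabled by default, so the script refuses to touch the account you are running as and warns if no enabled local administrator would remain.

```powershell
# Added example, not from the original post. Review the local Administrators
# group and remove members that are not on an approved list (least privilege).
# Run from an elevated PowerShell session. Remove -WhatIf to actually remove.

# Assumed allow-list of extra accounts to keep (hypothetical name; replace it).
$ApprovedNames = @('ITAdmin')

$members = Get-LocalGroupMember -Group 'Administrators'
$current = "$env:USERDOMAIN\$env:USERNAME"   # account running this script

foreach ($m in $members) {
    # Built-in Administrator always has RID 500, whatever it was renamed to.
    $isBuiltIn = $m.SID.Value -like 'S-1-5-21-*-500'
    $shortName = $m.Name.Split('\')[-1]
    $approved  = $isBuiltIn -or ($ApprovedNames -contains $shortName)

    if ($approved) {
        Write-Host "KEEP   $($m.Name) [$($m.ObjectClass), $($m.PrincipalSource)]"
        continue
    }
    if ($m.Name -eq $current) {
        # Never remove the account you are logged on with; hand admin rights
        # to another enabled account first, then revisit this one.
        Write-Warning "SKIP   $($m.Name) is the current session; handle separately"
        continue
    }
    Write-Host "REMOVE $($m.Name) [$($m.ObjectClass), $($m.PrincipalSource)]"
    Remove-LocalGroupMember -Group 'Administrators' -Member $m -WhatIf
}

# Sanity check: at least one *enabled* local user must remain an administrator,
# otherwise the machine cannot be administered locally after the change.
$enabledAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
    ForEach-Object { Get-LocalUser -SID $_.SID } |
    Where-Object Enabled
if (-not $enabledAdmins) {
    Write-Warning 'No enabled local administrator would remain; do not apply this.'
}
```

Keep the -WhatIf on the first run and read the KEEP/REMOVE lines; only once the list matches what you expect should it be removed so the change is actually applied.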

Enable BitLocker (Windows Pro, Server, or Enterprise editions only)
Go to Control Panel > System and Security > BitLocker Drive Encryption
- Be sure to save the Recovery Key in a safe place!

Enable SmartScreen
Go to Windows Security > App & browser control
- Enable SmartScreen for apps and files (‘Check apps and files’)
- Enable SmartScreen for Microsoft Edge
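Once everything above is configured, it helps to read the settings back rather than trusting the toggles, both to confirm the work and to re-check the machine later. The following PowerShell audit is an added example, not code from the original post. It reports pass/fail for each section of this baseline (latest patch age, Defender real-time/cloud/tamper protection, the three firewall profiles, screen and sleep timeouts, password-on-wake, BitLocker on the OS drive, and the SmartScreen apps-and-files setting). The 30-day patch window and the 300/600-second timeouts are assumptions matching the values used above; the mapping of the Sign-in option to the power plan’s CONSOLELOCK setting is also an assumption, and the Edge SmartScreen check only sees the machine policy value, because the user toggle is stored in the browser profile rather than the registry.

```powershell
# Added example, not from the original post. Read-only audit of the baseline
# settings described above. Run from an elevated PowerShell session on Win 11.

$results = New-Object System.Collections.Generic.List[object]
function Add-Check($Name, $Pass, $Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" })
}

# 1. Windows Update: newest installed hotfix as a proxy for "patched recently".
$latest = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
$age = if ($latest.InstalledOn) { (Get-Date) - $latest.InstalledOn } else { $null }
Add-Check 'Update: patched within 30 days (assumed window)' ($age -and $age.TotalDays -le 30) "$($latest.HotFixID) on $($latest.InstalledOn)"

# 2. Defender: real-time, cloud (MAPS) and tamper protection.
$mp   = Get-MpComputerStatus
$pref = Get-MpPreference
Add-Check 'Defender: real-time protection' $mp.RealTimeProtectionEnabled $mp.RealTimeProtectionEnabled
Add-Check 'Defender: cloud protection (MAPS)' ($pref.MAPSReporting -gt 0) "MAPSReporting=$($pref.MAPSReporting)"
Add-Check 'Defender: tamper protection' $mp.IsTamperProtected $mp.IsTamperProtected

# 3. Firewall: every profile (Domain, Private, Public) must be enabled.
foreach ($p in Get-NetFirewallProfile) {
    Add-Check "Firewall: $($p.Name) profile enabled" ("$($p.Enabled)" -eq 'True') "Inbound=$($p.DefaultInboundAction) Outbound=$($p.DefaultOutboundAction)"
}

# 4. Lock screen: timeouts and password-on-wake from the active power plan (AC values).
function Get-PowerSetting($Sub, $Setting) {
    $text = powercfg /query SCHEME_CURRENT $Sub $Setting | Out-String
    if ($text -match 'Current AC Power Setting Index: 0x([0-9A-Fa-f]+)') { [Convert]::ToInt32($Matches[1], 16) } else { $null }
}
$screen = Get-PowerSetting SUB_VIDEO VIDEOIDLE      # seconds; 0 means "never"
$sleep  = Get-PowerSetting SUB_SLEEP STANDBYIDLE    # seconds; 0 means "never"
$lock   = Get-PowerSetting SUB_NONE  CONSOLELOCK    # assumed: 1 = require password on wake
Add-Check 'Lock: screen off within 5 min' ($screen -and $screen -le 300) "$screen s"
Add-Check 'Lock: sleep within 10 min'     ($sleep  -and $sleep  -le 600) "$sleep s"
Add-Check 'Lock: password required on wake' ($lock -eq 1) "CONSOLELOCK=$lock"

# 5. BitLocker on the OS drive (module is absent on Home edition, hence try/catch).
try {
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    Add-Check 'BitLocker: OS drive protection on' ($bl.ProtectionStatus -eq 'On') "$($bl.VolumeStatus), $($bl.EncryptionPercentage)% encrypted"
} catch {
    Add-Check 'BitLocker: OS drive protection on' $false "not available: $($_.Exception.Message)"
}

# 6. SmartScreen for apps and files ("Off" disables it); Edge via machine policy only.
$ss = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -ErrorAction SilentlyContinue).SmartScreenEnabled
Add-Check 'SmartScreen: apps and files' ($ss -and $ss -ne 'Off') "SmartScreenEnabled=$ss"
$edge = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' -ErrorAction SilentlyContinue).SmartScreenEnabled
Add-Check 'SmartScreen: Edge (policy value, optional)' ($edge -eq 1) $(if ($null -eq $edge) { 'policy not set (user toggle not visible here)' } else { "policy=$edge" })

$results | Format-Table -AutoSize
$failed = ($results | Where-Object { -not $_.Pass }).Count
Write-Host "$failed check(s) failed"
```

Each failing row names the section of this guide to revisit. Because the script only reads state, it is safe to schedule or run from a management tool to catch drift after the initial hardening.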

Recap
We learned how to enable protections on our Windows 11 endpoints to make them a little less vulnerable than they would be without these basic protections applied. We hardened an endpoint by:
- Applying automatic patching, ensuring we have the most up-to-date security updates.
- Making sure our anti-virus was enabled, helping prevent signature-based viruses from getting onto our machine.
- Enabling our firewall; while only the default settings are enabled for now, this is certainly better than having no protection at all.
- Setting up a lock screen policy, practicing good security hygiene.
- Applying the principle of least privilege by removing any local users who had admin access; that access can be granted on an as-needed basis.
- Enabling BitLocker, ensuring data at rest is protected via encryption.
- Lastly, enabling a feature within Windows called SmartScreen, an added protection against untrusted apps and sites.