Windows 11 has many different features pertaining to functionality and security. It has several in-place and pre-installed policies and tools that can be used to make it secure, both over the internet as well as unauthorized physical access. However, simply installing Windows 11 won’t implement the security policies needed to make sure that your computer and data are safe.
Even if your computer is placed within a secure environment, such as within an organizational domain, you are still prone to attacks, especially insider attacks. Insider attacks are harder to identify and when they are, it is probably too late.
Therefore, you need to “harden” your Windows computer. Hardening refers to the configurations put in place to make it more secure by reducing the attack surface, making it less and less possible for any hackers/attackers to penetrate it.
If you have a personal PC or within an organization, you can harden your Windows 11 computer using the detailed guide below. Here, we share the best-recommended tips and techniques that will make your computer impenetrable.
Table of Contents
How to Enhance Windows 11 Security
There are many things you can do to ensure that your system is secure. This includes some practices which will reduce the chances for a person to physically access your PC, as well as any hacking attempts over the internet.
Install Windows 11 Security Baseline
A Security Baseline is an additional set of security enhancements that can be added to the original security protocols already in place in Windows. This is especially useful for companies and organizations that prefer to take more control of their virtual security, but individuals can also install them on their home computers.
The Windows 11 Security Baseline has been released as a component of Microsoft Security Compliance Toolkit 1.0. Here is how you can download and install Windows 11 Security Baseline:
-
Open the Microsoft Security Compliance Toolkit page and click Download.
-
Check the box next to “Windows 11 Security Baseline.zip” and click Next.
-
Windows 11 Security Baseline will now download. Since it is only 1.2 MB, it should be downloaded instantly. Extract the content of the zip file to a folder.
-
Now navigate to the extracted folder using File Explorer and open the Scripts sub-folder. Here you will find 3 PowerShell ISE files. Right-click “Baseline-LocalInstall” and then click Run with PowerShell from the context menu.
The script will now run automatically. Wait for the PowerShell window to close on its own.
The recommended security settings from Microsoft will already be implemented when the Security Baseline will be installed.
Lock Account with Complex Password
First things first; you must put a lock on your Windows user account so that no one can use it in your absence. People often tend to use Windows Hello features and use a small PIN to lock their accounts, but fewer characters mean less security for your account.
Therefore, we recommend that you implement a complex password that includes special characters, numbers, and a combination of both lower-case and upper-case alphabets.
Here are the steps to configure your password on a Windows 11 PC:
-
Navigate to the following:
Settings app >> Accounts >> Sign-in Options
-
Click on Password to expand it, and then click Add.
-
Now enter a new, complex password, confirm it, enter a hint in case you forget your password, and then click Next.
-
On the next window, click Finish.
You will now be asked to log into your account using this password.
You can then continue to set up other complex sign-in options, such as a security key, fingerprint, or facial recognition so that only you can sign into your account.
Use a Password Manager
If you use many different passwords and credentials for different accounts and websites, then we recommend that you use a password manager. Password managers are software that store your credentials which you can access in case you forget any. Of course, these managers also need a password for you to log in.
That said, we recommend that you use an offline password manager that does not use internet connectivity, ensuring that no data will be shared over the internet whatsoever.
Of course, you will then need to secure the password manager with your life since it will contain all your credentials. However, this way, you will only need to remember one password; which will be for the password manager.
Our top picks for password managers for Windows are the following:
Disable Automatic Login
When you first install Windows, the primary account created is set to log in automatically. This can be dangerous as anyone who uses your computer will be automatically logged into your account.
Thankfully, this feature can be disabled. However, in Windows 11, this option is missing by default. It can be enabled by making manual edits to the Windows Registry. Here is how:
Note: Misconfiguration of critical values in the system’s registry could be fatal for your operating system. Therefore, we insist that you create a system restore point before proceeding forward with the process.
-
Open the Registry Editor by typing in regedit in the Run Command box.
-
Now paste the following in the navigation bar at the top for quick navigation:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device
-
Here, double-click the DWORD “DevicePasswordLessBuildVersion,” change its Value Data to 0, and then click Ok.
Now, proceed to perform the following steps to disable automatic login:
-
Open the User Accounts applet by typing in netplwiz in the Run Command box.
-
In the Users tab inside the applet, check the box next to “Users must enter a user name and password to use this computer,” and then click Apply and Ok.
Now all user accounts on your computer will need to enter their credentials to log in.
Enable Windows Firewall
Windows Firewall is a piece of software that filters all data and packets coming in and going out from your computer through the network. Disabling it would mean that all sorts of packets can come and go without being detected.
Although this is enabled by default, you must ensure that it is not disabled. Here are the steps to enable Windows Firewall:
-
Open Windows Firewall by typing in firewall.cpl in the Run Command box.
-
Click “Turn Windows Defender Firewall on or off” on the left.
-
Here, select “Turn on Windows Defender Firewall” for all network profiles and then click Ok.
Disable Remote Desktop
Remote Desktop is a Windows feature that allows other computers on your network to access your PC (or vice versa) remotely. This also opens network ports on your computer, making it vulnerable to attacks. Therefore, we suggest that you disable it. Here is how:
-
Navigate to the following:
Settings app >> System >> Remote Desktop
-
Toggle the slider in front of Remote Desktop into the Off position.
-
When asked for a confirmation, click Confirm.
Remote Desktop will now be disabled and you will no longer be able to access this computer remotely.
Keep Windows Updated
Another important factor people often overlook is keeping their Windows OS up to date. This means that you must install the Windows updates as they are published.
Windows updates include security patches that address both known and unknown security vulnerabilities so that they could not be exploited. When an exploit is made public, hackers can use it to exploit it and gain unauthorized to a system. If your system does not have the right updates installed, it will be prone to attacks.
Although Windows 11 installs Windows updates automatically, it may be possible that you have paused/disabled them. If you have, we suggest that you enable them right away by clicking Check for updates from the following location:
Settings apps >> Windows Update
Enable Encryption
Windows 11 comes with a built-in encryption mechanism known as BitLocker. It encrypts the data on your hard drive/partition and can only be accessed with a security key. Even if your hard drive is accessed by another computer or physically connected to another PC, the information on it won’t be accessible without its key.
Each partition needs to be encrypted separately. Therefore, we suggest that you encrypt all of the partitions to harden your Windows 11 PC as much as possible.
Here are the steps to enable and configure BitLocker on a volume/partition:
Note: Before you begin, you must have an available partition that is not being encrypted, where the Recovery Key will be stored. In case your system does not have one, you can connect an external, unencrypted USB drive to store the key.
-
Open File Explorer and right-click on the partition to encrypt. From the context menu, click Turn on BitLocker.
-
The BitLocker wizard will now launch. Check the box next to “Use a password to unlock the drive,” and then enter and confirm a password. Click Next when done.
-
On the next screen, click Save to a file.
-
A browsing window will now open. Save the key at a location different from the drive you are currently encrypting, and then return to the BitLocker wizard and click Next.
-
Now select “Encrypt used disk space only (faster and best for new PCs and drives)” and then click Next.
-
Now select “New encryption mode (best for fixed drives on this device)” and then click Next.
Note: You can select “Compatible mode” if you plan on connecting this drive to another PC in the future with an older OS than Windows 10.
-
Finally, click Start Encryption.
-
You will now see the drive encrypting.
When it completes, close the window.
Note: If you are encrypting the OS drive/boot drive, then you will be asked to restart the computer. If so, reboot the PC and the OS drive (usually drive C) will encrypt after the reboot.
Manage App Permissions
Various native and third-party applications need access to different components and permissions to function. However, some apps ask for permissions they don’t need, or you don’t want to share. For those, you can restrict their access by disallowing access to certain things, such as mic, location, etc.
To manage application permissions, navigate to the following:
Settings app >> Privacy & security
Here, scroll down and click on the different permissions you want to manage.
From each option, you can select which applications will have these permissions and which won’t.
Increase User Account Control (UAC) Settings
The User Account Control is a safety feature in Windows that prompts a user when they are making changes to system settings or launching an app that could potentially make those changes. It is like an added step that asks you “Are you sure you want to continue?”
The default setting for UAC in Windows 11 is medium. But to harden your OS, you must increase this to the maximum. Here is how:
-
Navigate to the following:
Control panel >> System and Security >> Security and Maintenance
-
Here, click Change User Account Control settings on the left of the window.
-
From the UAC wizard, drag the slider all the way to the top (Always notify) and then click Ok.
Enable Memory Integrity
Windows Security, which is a built-in security software in Windows, has a feature called Memory Integrity, which blocks driver installations that have been deemed vulnerable by Microsoft. Blocking these drivers will ensure that your system is not compromised by weak drivers.
Follow these steps to enable Memory Integrity:
-
Navigate to the following:
Settings app >> Privacy & security >> Windows Security >> Device Security
-
Here, click on Core isolation details under “Core isolation.”
-
Here, toggle the switch into the On position beneath Memory Integrity.
-
Now restart your computer for the changes to take effect.
Close Listening Ports
Network ports are used by Windows services and applications to send and receive data over the network. Open ports are often deemed dangerous because hackers can exploit them if the service or application the ports are associated with are unpatched or lack basic security protocols. Therefore, it is recommended to close any listening network ports that your system isn’t using.
Before you begin, you must first find out which ports are open. To do so, follow these steps:
-
Now run the following cmdlet:
netstat -ab
You should now be able to see the listening ports, as in the image above. Once that is established, you can close the port(s) you are not using.
To close them use these steps:
-
Open Windows Firewall by typing in firewall.cpl in the Run Command box
-
Now click Advanced settings from the left side of the window.
-
Now click Inbound Rules from the left pane, and then click New Rule from the right pane.
-
The New Rule wizard will now launch. Select Port and then click Next.
-
On the next screen, select the type of port determined through the Command Prompt earlier, and then enter the port number you want to close in front of Specific local ports. Click Next when done.
-
Now select “Block the connection” and then click Next.
-
Now leave all profiles selected and click Next.
-
Finally, assign a name for this new rule and click Finish.
This way your listening ports will be blocked and attackers won’t be able to exploit them.
Closing Words
Windows hardening is not done by many individuals, since they think that no one would want to access their computer anyways. In enterprise networks, security protections and protocols are usually in place, which is why employees tend not to secure their PCs at the lowest levels.
Since these are common practices, hackers are able to exploit these weak points and gain unauthorized access to computers and data. Therefore, we emphasize that you secure your Windows computers as much as possible using the given tips and guides above.
Frequently Asked Questions (FAQs)
How to reduce the attack surface on Windows?
The Attack surface can be reduced in several ways. You can disable any listening ports that are not being used and enable your firewall. Moreover, you can use port-forwarding and NATing to distribute your public IP address onto the private IP addresses, reducing the total number of IPs being used.
How to make Windows 11 secure?
You can secure your Windows PC by doing the following:
-Enable firewall
-Close listening ports
-Use a complex and secure user account password
-Perform occasional system scans using Windows Security
-Enable BitLocker encryption
-Keep Windows updates
-Enable Memory Integrity
-Disable automatic login
4 comments
ZX
It takes more than just right-click run to use Baseline-LocalInstall. Open a terminal window and try running it yourself. It shows red, meaning there was an error
Victor M
Did you even read the scripts in the Baseline? The 3rd script disables all settings, and you are telling people to run all three.
Azhar Ali Buttar
Its a very good article but seems like its missing the main purpose which is mentioning prevention of insider attack in the opening paragraph.
Subhan Zafar
Thank you for the valuable feedback. We have iterated this post to include your concern. Hopefully, this will make our audience better understand the purpose of Windows hardening.