Windows 11 Hardening Guide

Windows 11 Hardening: The Ultimate Guide

Windows 11 ships with many security features and policies that can protect it both against attacks over the network and against unauthorized physical access. However, simply installing Windows 11 does not turn all of them on. The defaults favour compatibility and convenience, so part of the work of keeping your computer and data safe is left to you.

Even if your computer sits in a managed environment such as an organizational domain, it is still exposed, especially to insider attacks. Insider attacks are harder to detect, and by the time they are detected the damage is often already done.

That is why you need to "harden" your Windows computer. Hardening means configuring the system to reduce its attack surface: turning off what you don't use, restricting what remains, and making it as hard as possible for an attacker to get in or to do damage once inside.

Whether it is a personal PC or a machine inside an organization, you can harden your Windows 11 computer using the detailed guide below. No configuration makes a computer impenetrable, but the recommendations here remove the easy wins that an attacker looks for first.

How to Enhance Windows 11 Security

There are many things you can do to make your system more secure. They include practices that limit what someone with physical access to your PC can do, as well as ones that limit what an attacker can reach over the network.

Install Windows 11 Security Baseline

A security baseline is Microsoft's recommended set of Group Policy settings for a given Windows release, applied on top of the defaults. It is aimed mainly at companies and organizations that want tighter control over their machines, but individuals can also apply it on a home computer.

The Windows 11 Security Baseline is distributed as part of the Microsoft Security Compliance Toolkit 1.0. The baseline is applied with LGPO.exe, which is a separate download on the same page. Here is how you can download and install the Windows 11 Security Baseline:

  1. Open the Microsoft Security Compliance Toolkit page and click Download.

  2. Check the boxes next to "Windows 11 Security Baseline.zip" and "LGPO.zip" and click Next. The baseline's install script applies the settings with LGPO.exe, which only ships in LGPO.zip.

    Select Security Baseline
  3. The files will now download; the baseline archive is only about 1.2 MB. Extract both zip files, then copy LGPO.exe from the extracted LGPO folder into the Tools sub-folder of the extracted baseline.

    Extract files
  4. Open an elevated PowerShell window (right-click Start, then Terminal (Admin)), change into the baseline's Scripts sub-folder and run "Baseline-LocalInstall.ps1" with the switch for your machine type: -Win11NonDomainJoined for a standalone or home PC, or -Win11DomainJoined for a domain member (the script's own header lists the switches it accepts). Right-clicking the script and choosing "Run with PowerShell" is not enough: the script refuses to run without a switch and without administrator rights, which is the red error text some readers report.

    Run with PowerShell

    The script applies the policy settings and exits; any errors are printed in red before the window closes.

Microsoft's recommended settings are written into local Group Policy as soon as the script finishes. Read through what was applied (the Documentation sub-folder lists every setting) before relying on it: a baseline can tighten things you actually use, such as account lockout, legacy authentication protocols and removable-media rules, and on a personal PC it is better to relax a few of them deliberately than to discover them later.
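As an added example (not part of the original article or of Microsoft's toolkit), the following script applies the baseline from an elevated PowerShell session and checks the two things the right-click method gets wrong: administrator rights and the presence of LGPO.exe. The extraction path, and the choice of the non-domain-joined switch, are assumptions for the example.

```powershell
# Added example: apply the Windows 11 Security Baseline from elevated PowerShell.
# Assumptions: the baseline zip was extracted to $BaselineDir, and LGPO.exe from the
# separate LGPO.zip download was copied into its Tools folder.

$BaselineDir = 'C:\Baselines\Windows 11 Security Baseline'   # assumed extraction path

# 1. The script writes local policy, so it must run elevated.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated (Administrator) PowerShell window.' }

# 2. Baseline-LocalInstall.ps1 applies the policy with LGPO.exe from ..\Tools.
$lgpo = Join-Path $BaselineDir 'Tools\LGPO.exe'
if (-not (Test-Path $lgpo)) {
    throw "LGPO.exe not found at $lgpo. Download LGPO.zip from the toolkit page and copy LGPO.exe there."
}

# 3. Downloaded files carry the mark-of-the-web; unblock them and allow script
#    execution for this process only, leaving the machine-wide policy untouched.
Get-ChildItem -Path $BaselineDir -Recurse -File | Unblock-File
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force

# 4. The script needs to be told which flavour to apply. -Win11NonDomainJoined is the
#    switch for a standalone/home PC and -Win11DomainJoined for a domain member; check
#    the script header (Get-Help .\Baseline-LocalInstall.ps1) if your toolkit version
#    names them differently.
Push-Location (Join-Path $BaselineDir 'Scripts')
try {
    .\Baseline-LocalInstall.ps1 -Win11NonDomainJoined
} finally {
    Pop-Location
}

# 5. Spot-check one setting baselines are known to enforce: LAN Manager authentication
#    level (5 = send NTLMv2 only, refuse LM and NTLM). The value name is real; the exact
#    value your baseline version sets is something to confirm in its documentation.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
"LmCompatibilityLevel = $($lsa.LmCompatibilityLevel)"
```

If the spot-check still shows the pre-baseline value after a reboot, the script did not apply (usually because LGPO.exe was missing or the switch was omitted); re-run it and read the red output rather than assuming the settings are in place.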

Lock Account with Complex Password

First things first: your account must be protected so that no one can use it in your absence. Windows Hello lets you sign in with a short PIN, but the PIN is not a substitute for the account password. It is bound to this device and protected by the TPM, and it cannot be used from another machine, whereas the account password can be used anywhere: for remote logons, network shares, and any service that accepts the same credentials. The password therefore still needs to be strong even if you only ever type the PIN.

We recommend a long password (length matters more than anything else) that includes special characters, numbers, and a combination of lower-case and upper-case letters, and that is not reused on any other account.

Here are the steps to configure your password on a Windows 11 PC:

  1. Navigate to the following:

    Settings app >> Accounts >> Sign-in Options
  2. Click on Password to expand it, and then click Add.

    Add password
  3. Now enter a new, complex password, confirm it, enter a hint in case you forget your password, and then click Next.

    Set new password
  4. On the next window, click Finish.

You will be prompted for this password the next time you sign in.

You can then add other sign-in options on top of the password, such as a security key, fingerprint, or facial recognition, so that only you can sign into your account.
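A strong password on one account is only as good as the local account policy around it. As an added example (not from the original article), this script audits the local accounts, disables the built-in ones you are not using, and sets a minimum length and a lockout policy. The thresholds are assumptions chosen for a standalone or home PC; on a domain member the domain policy overrides them.

```powershell
# Added example: audit local accounts and enforce a local password/lockout policy.
# Run from an elevated PowerShell window.

# Which accounts exist, which are enabled, and which have no password requirement at all.
Get-LocalUser |
    Select-Object Name, Enabled, PasswordRequired, PasswordLastSet, LastLogon |
    Format-Table -AutoSize

# Built-in accounts you are not using should be disabled, not merely left passwordless.
foreach ($name in 'Guest', 'DefaultAccount') {
    $u = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    if ($u -and $u.Enabled) {
        Disable-LocalUser -Name $name
        "Disabled built-in account $name"
    }
}

# Assumed thresholds: minimum length 14 and remember the last 24 passwords so they
# cannot be cycled back; no forced expiry, since expiry encourages predictable changes.
net accounts /minpwlen:14 /uniquepw:24 /maxpwage:unlimited

# Lock the account for 15 minutes after 10 bad attempts within 15 minutes, which
# stops a walk-up or over-the-network guessing attack without locking you out for good.
net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15

# Show the resulting policy.
net accounts
```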

Use a Password Manager

If you use many different passwords and credentials for different accounts and websites, then we recommend that you use a password manager. Password managers are software that store your credentials which you can access in case you forget any. Of course, these managers also need a password for you to log in.

That said, we recommend that you use an offline password manager that does not use internet connectivity, ensuring that no data will be shared over the internet whatsoever.

Of course, you will then need to secure the password manager with your life since it will contain all your credentials. However, this way, you will only need to remember one password; which will be for the password manager.

Our top picks for password managers for Windows are the following:

Disable Automatic Login

Windows can be configured to sign one account in automatically at boot, either by clearing the "Users must enter a user name and password to use this computer" box in netplwiz or through the AutoAdminLogon values in the registry. If that has been done on your PC, anyone who powers it on lands directly in your account, and the password is stored on disk for Winlogon to use.

Automatic sign-in should therefore be off. On Windows 11, however, the netplwiz checkbox is hidden while passwordless sign-in (Windows Hello only) is enabled, so it first has to be un-hidden through the Windows Registry. Here is how:

Note: Misconfiguration of critical values in the system’s registry could be fatal for your operating system. Therefore, we insist that you create a system restore point before proceeding forward with the process.

  1. Open the Registry Editor by typing in regedit in the Run Command box.

    Open Registry Editor
  2. Now paste the following in the navigation bar at the top for quick navigation:

    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device
    Quick navigation in Registry Editor
  3. Here, double-click the DWORD "DevicePasswordLessBuildVersion," change its Value Data to 0, and then click Ok.

    Change Value Data

Now, proceed to perform the following steps to disable automatic login:

  1. Open the User Accounts applet by typing in netplwiz in the Run Command box.

    Open User Accounts applet
  2. In the Users tab inside the applet, check the box next to "Users must enter a user name and password to use this computer," and then click Apply and Ok.

    Users must enter a password

Now every user account on your computer will have to enter its credentials to log in.
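The same check and fix from PowerShell, as an added example that is not part of the original article. It reads the Winlogon values that automatic sign-in uses, turns it off if it is on, deletes a plaintext password stored there, and un-hides the netplwiz checkbox. The value names are the real Winlogon and PasswordLess values; nothing else is assumed.

```powershell
# Added example: detect and disable automatic sign-in, then un-hide the netplwiz box.
# Run from an elevated PowerShell window.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$pwless   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device'

function Get-AutoLogonState {
    # Returns the current auto-logon configuration as an object.
    $p = Get-ItemProperty -Path $winlogon
    [pscustomobject]@{
        AutoAdminLogon  = $p.AutoAdminLogon         # "1" means auto sign-in is on
        DefaultUserName = $p.DefaultUserName        # the account that is signed in
        DefaultPassword = [bool]$p.DefaultPassword  # plaintext password kept in the registry
    }
}

'Before:'; Get-AutoLogonState

$state = Get-AutoLogonState
if ($state.AutoAdminLogon -eq '1' -or $state.DefaultPassword) {
    # Turn auto sign-in off and delete the stored plaintext password.
    # (netplwiz stores its copy as an LSA secret instead; clearing the checkbox
    #  in netplwiz, as in the steps above, removes that one.)
    Set-ItemProperty -Path $winlogon -Name AutoAdminLogon -Value '0'
    Remove-ItemProperty -Path $winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
    'Automatic sign-in disabled and stored password removed.'
}

# netplwiz hides "Users must enter a user name and password" while this value is 2.
if (-not (Test-Path $pwless)) { New-Item -Path $pwless -Force | Out-Null }
Set-ItemProperty -Path $pwless -Name DevicePasswordLessBuildVersion -Value 0 -Type DWord

'After:'; Get-AutoLogonState
# Now run netplwiz and confirm the checkbox is visible and ticked.
```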

Enable Windows Firewall

Windows Firewall (Windows Defender Firewall) filters inbound and outbound connections on every network interface. With the default profile settings it blocks any inbound connection that no rule explicitly allows while permitting outbound traffic, so every service listening on the machine is shielded from the network unless a rule opens it. Disabling the firewall exposes all of those services at once.

Although it is enabled by default, you must make sure it has not been turned off (installers and "optimizer" tools sometimes do this). Here are the steps to enable Windows Firewall:

  1. Open Windows Firewall by typing in firewall.cpl in the Run Command box.

    Open Firewall
  2. Click "Turn Windows Defender Firewall on or off" on the left.

    Turn Firewall on or off
  3. Here, select "Turn on Windows Defender Firewall" for all network profiles and then click Ok.

    Turn on Windows Firewall
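The applet only shows on/off per profile. As an added example (not from the original article), the NetSecurity cmdlets below verify the state of all three profiles, enforce default-deny inbound with logging, and list the inbound allow rules that are currently punching holes in it. The log path is the firewall's default; nothing else is assumed.

```powershell
# Added example: verify and enforce Windows Firewall state from elevated PowerShell.

# Current state of the three profiles. A hardened PC shows Enabled=True and
# DefaultInboundAction=Block on every one of them.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked |
    Format-Table -AutoSize

# Turn every profile on, block unsolicited inbound traffic, and log dropped packets so
# that anything probing the machine leaves a trace.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# On the Public profile (hotel or coffee-shop Wi-Fi) also ignore inbound allow rules,
# so that file sharing and similar rules cannot be reached from strangers on the LAN.
Set-NetFirewallProfile -Profile Public -AllowInboundRules False

# Each active inbound allow rule is an exception to the default-deny and should be
# something you recognise and need.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Sort-Object DisplayGroup |
    Select-Object DisplayGroup, DisplayName, Profile |
    Format-Table -AutoSize
```

Rules that belong to a feature you do not use (for example a "File and Printer Sharing" or "Remote Desktop" group on a laptop) are candidates for Disable-NetFirewallRule -DisplayGroup, which is what the later "Close Listening Ports" section does one port at a time.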

Disable Remote Desktop

Remote Desktop lets other computers connect to this PC's desktop over the network using the Remote Desktop Protocol (RDP). While it is enabled the PC listens on TCP port 3389, and an exposed RDP listener is one of the most common entry points for password-guessing attacks and ransomware. If you don't need to reach this PC remotely, turn it off. Here is how:

  1. Navigate to the following:

    Settings app >> System >> Remote Desktop
  2. Toggle the slider in front of Remote Desktop into the Off position.

    Disable Remote Desktop
  3. When asked for a confirmation, click Confirm.

    Confirm action

Remote Desktop is now disabled: the RDP listener is gone and the computer can no longer be reached with a Remote Desktop client. You can still use the Remote Desktop client on this PC to connect to other machines.
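As an added example (not part of the original article), this script shows what the toggle actually changes and verifies it: the fDenyTSConnections registry value, the "Remote Desktop" firewall rule group, and whether anything is still listening on TCP 3389. The registry value and rule group name are the real ones (the group name is the English display name).

```powershell
# Added example: disable Remote Desktop and verify nothing listens on 3389. Run elevated.

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpStatus {
    $deny     = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
    $listener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    $rules    = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RdpEnabled      = ($deny -eq 0)
        ListeningOn3389 = [bool]$listener
        InboundRulesOn  = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count
    }
}

'Before:'; Get-RdpStatus

# 1 = deny Terminal Services connections. The Settings toggle writes this same value.
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1 -Type DWord

# The toggle normally disables these rules too; do it explicitly so that re-enabling
# the listener by some other route does not silently re-open the firewall.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

# The listener itself is torn down when the Remote Desktop Services service next
# restarts, which in practice means after a reboot; the firewall rules take effect now.
'After:'; Get-RdpStatus
```

If you do need RDP on a machine, keep Network Level Authentication on and never expose port 3389 to the internet; reach it through a VPN instead.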

Keep Windows Updated

Another important factor people often overlook is keeping the Windows OS up to date. That means installing Windows updates as soon as they are published.

Windows updates include security patches for vulnerabilities that have been discovered, whether they were reported privately or are already being exploited. Once an exploit for a patched vulnerability becomes public, attackers use it against every system that has not installed the fix. If your system is behind on updates, it is an easy target.

Windows 11 installs updates automatically, but it is possible that they have been paused or disabled. If so, we suggest that you enable them right away by clicking Check for updates from the following location:

Settings app >> Windows Update
Check and install pending updates
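As an added example (not from the original article), the script below checks that the update services are not disabled, shows when the machine last installed an update, and clears a pause set from the Settings app. The UX\Settings value names are the ones the Settings app writes when you pause updates; treat them as an assumption and confirm them on your build before relying on the clearing step.

```powershell
# Added example: confirm Windows Update can run, and clear a user-set pause. Run elevated.

# The update services must not be disabled (Manual, started on demand, is the normal state).
Get-Service -Name wuauserv, bits, UsoSvc |
    Select-Object Name, Status, StartType |
    Format-Table -AutoSize

foreach ($svc in 'wuauserv', 'bits', 'UsoSvc') {
    if ((Get-Service -Name $svc).StartType -eq 'Disabled') {
        Set-Service -Name $svc -StartupType Manual
        "Re-enabled service $svc"
    }
}

# Most recently installed updates. A newest date that is months old means something is wrong.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn |
    Format-Table -AutoSize

# Detect and remove a pause set from Settings > Windows Update (value names assumed;
# they are what current builds write under this key).
$ux = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
$p  = Get-ItemProperty -Path $ux -ErrorAction SilentlyContinue
if ($p -and $p.PauseUpdatesExpiryTime) {
    "Updates are paused until $($p.PauseUpdatesExpiryTime); clearing the pause."
    foreach ($v in 'PauseUpdatesExpiryTime',
                   'PauseFeatureUpdatesStartTime', 'PauseFeatureUpdatesEndTime',
                   'PauseQualityUpdatesStartTime', 'PauseQualityUpdatesEndTime') {
        Remove-ItemProperty -Path $ux -Name $v -ErrorAction SilentlyContinue
    }
}

# Open the Windows Update page so you can click "Check for updates" and watch the result.
Start-Process 'ms-settings:windowsupdate'
```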

Enable Encryption

Windows 11 comes with a built-in full-volume encryption mechanism known as BitLocker. It encrypts a whole drive or partition so that the data can only be read after the drive is unlocked: automatically by the TPM on the computer it belongs to (for the OS drive), with a password (for data drives), or with the recovery key. If the drive is removed and connected to another computer, the information on it is unreadable without one of those. Full BitLocker management is available on Windows 11 Pro, Enterprise and Education; Windows 11 Home only offers the simpler "Device encryption" for the OS drive.

Each partition is encrypted separately. Encrypt the OS drive first and then every other fixed drive, so that nothing sensitive is left in the clear.

Here are the steps to enable and configure BitLocker on a volume/partition:

Note: The wizard makes you back up a recovery key before encryption starts. Save it somewhere other than the drive being encrypted: to your Microsoft account, to a file on an unencrypted USB drive, or printed. Without the recovery key you cannot get into the drive if the TPM, the firmware or the boot configuration changes.

  1. Open File Explorer and right-click on the partition to encrypt. From the context menu, click Turn on BitLocker.

    Turn on BitLocker
  2. The BitLocker wizard will now launch. For a data drive it asks how the drive should be unlocked: check the box next to "Use a password to unlock the drive," enter and confirm a password, and click Next. For the OS drive on a PC with a TPM this step is skipped, because the TPM unlocks the drive at boot.

    Create password
  3. On the next screen, choose where to back up the recovery key; for this guide, click Save to a file.

    Save the key
  4. A browsing window will now open. Save the key at a location different from the drive you are currently encrypting, and then return to the BitLocker wizard and click Next.

    Click Next
  5. Now select "Encrypt used disk space only (faster and best for new PCs and drives)" and then click Next. On a drive that has held data before, choose "Encrypt entire drive" instead, so that remnants of deleted files are covered too.

    Encrypt only used space
  6. Now select "New encryption mode (best for fixed drives on this device)" and then click Next. This is XTS-AES, the stronger of the two modes.

    New encryption mode

    Note: You can select "Compatible mode" if you plan on connecting this drive to another PC in the future with an older OS than Windows 10.

  7. Finally, click Start Encryption.

    Begin encryption
  8. You will now see the drive encrypting.

    Encryption in process

    When it completes, close the window.

    Note: If you are encrypting the OS drive/boot drive, you will be asked to restart the computer. If so, reboot the PC and the OS drive (usually drive C) will encrypt after the reboot.
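The wizard run once per volume. As an added example (not from the original article), the script below does the same with the BitLocker cmdlets: the OS drive with a TPM protector, a fixed data drive with a password protector, XTS-AES-256 for both, and the recovery passwords exported to a file on another drive. The backup directory on an assumed removable drive E: and the drive letters are assumptions for the example; it requires an edition with BitLocker management.

```powershell
# Added example: enable BitLocker on C: (TPM) and D: (password) and back up the
# recovery passwords. Run from an elevated PowerShell window.

$KeyBackupDir = 'E:\BitLockerKeys'   # assumed: an unencrypted removable drive
New-Item -ItemType Directory -Path $KeyBackupDir -Force | Out-Null

function Save-RecoveryPassword([string]$MountPoint) {
    # Export every 48-digit recovery password protector on the volume to a text file.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rps = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    foreach ($k in $rps) {
        $file = Join-Path $KeyBackupDir ("{0}-{1}.txt" -f $MountPoint.Substring(0, 1), $k.KeyProtectorId.Trim('{}'))
        @(
            "Volume:            $MountPoint"
            "Protector ID:      $($k.KeyProtectorId)"
            "Recovery password: $($k.RecoveryPassword)"
        ) | Set-Content -Path $file
        "Saved recovery password for $MountPoint to $file"
    }
}

# --- OS drive: TPM unlocks it at boot; the recovery password is the fallback. ---
$os = Get-BitLockerVolume -MountPoint 'C:'
if ($os.VolumeStatus -eq 'FullyDecrypted') {
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
    # XtsAes256 is the wizard's "new encryption mode" at the 256-bit key size.
    Enable-BitLocker -MountPoint 'C:' -TpmProtector -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest
}
Save-RecoveryPassword -MountPoint 'C:'

# --- Fixed data drive: password protector, i.e. the wizard's "Use a password" option. ---
$d = Get-BitLockerVolume -MountPoint 'D:'
if ($d.VolumeStatus -eq 'FullyDecrypted') {
    $pw = Read-Host -AsSecureString -Prompt 'Password to unlock drive D:'
    Add-BitLockerKeyProtector -MountPoint 'D:' -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint 'D:' -PasswordProtector -Password $pw -EncryptionMethod XtsAes256 -UsedSpaceOnly
    # Let D: unlock automatically once C: has been unlocked at boot.
    Enable-BitLockerAutoUnlock -MountPoint 'D:'
}
Save-RecoveryPassword -MountPoint 'D:'

# Progress and protector inventory for every volume.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } } |
    Format-Table -AutoSize
```

ProtectionStatus shows Off until encryption of the OS drive has finished and the machine has rebooted once; until then the drive is not yet protected even though it is encrypting.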

Manage App Permissions

Various native and third-party applications need access to different devices and data in order to function. Some apps, however, ask for permissions they don't need or that you don't want to share. For those, you can withhold specific capabilities, such as the microphone, camera, or location.

To manage application permissions, navigate to the following:

Settings app >> Privacy & security

Here, scroll down to "App permissions" and click on the capability you want to manage.

Manage app permissions

Each page has a switch for the capability as a whole, a switch for classic desktop apps (which cannot be controlled individually), and a list of Store apps that have requested it, each with its own switch.

Manage which permissions to give to applications
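Under the hood these switches are entries in the CapabilityAccessManager consent store in the registry. As an added example (not from the original article), the script below lists, for the microphone, camera and location, which apps currently have access, and then denies one. The registry layout is the one the Settings app writes; the choice to deny classic desktop apps the microphone is an assumption for the example.

```powershell
# Added example: audit and change per-app capability access via the consent store.
# Runs in the user's own context (the store is under HKCU).

$store = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore'

function Get-AppCapabilityAccess([string]$Capability) {
    # Each subkey is a Store app (package family name); the NonPackaged subkey holds
    # classic Win32 apps keyed by executable path with '\' encoded as '#'.
    $root   = Join-Path $store $Capability
    $global = (Get-ItemProperty -Path $root).Value
    $apps   = Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $v = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Value
        if ($v) {
            [pscustomobject]@{
                Capability = $Capability
                App        = $_.PSChildName -replace '#', '\'
                Access     = $v
            }
        }
    }
    [pscustomobject]@{ Capability = $Capability; GlobalSetting = $global; Apps = @($apps) }
}

foreach ($cap in 'microphone', 'webcam', 'location') {
    $r = Get-AppCapabilityAccess -Capability $cap
    "== $cap (global setting: $($r.GlobalSetting)) =="
    $r.Apps | Where-Object { $_.Access -eq 'Allow' } | Format-Table App, Access -AutoSize
}

function Set-AppCapabilityAccess([string]$Capability, [string]$AppKey,
                                 [ValidateSet('Allow', 'Deny')][string]$Access) {
    # $AppKey is a package family name for Store apps, 'NonPackaged' for all classic apps,
    # or 'NonPackaged\<exe path with # instead of \>' for one classic app.
    $key = Join-Path (Join-Path $store $Capability) $AppKey
    if (Test-Path $key) { Set-ItemProperty -Path $key -Name Value -Value $Access }
    else { Write-Warning "$AppKey has never requested $Capability; nothing to change." }
}

# Assumed example: deny the microphone to every classic desktop app. This is the single
# most useful switch, because desktop apps cannot be controlled one by one in Settings.
Set-AppCapabilityAccess -Capability microphone -AppKey 'NonPackaged' -Access Deny
```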

Increase User Account Control (UAC) Settings

User Account Control (UAC) is a safety feature in Windows that prompts you when a program tries to run with administrator rights, whether that is a settings page you opened or an app that wants to change the system. It is the step that asks "Do you want to allow this app to make changes to your device?"

The default setting in Windows 11 is the second-highest level, which prompts when apps try to make changes but not when you change Windows settings yourself, and it exempts some built-in tools. To harden your OS, raise it to the maximum, which prompts for every elevation on the secure desktop. Here is how:

  1. Navigate to the following:

    Control panel >> System and Security >> Security and Maintenance
  2. Here, click Change User Account Control settings on the left of the window.

    Change UAC settings
  3. From the UAC wizard, drag the slider all the way to the top (Always notify) and then click Ok.

    Increase UAC notification
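The slider is backed by three registry values. As an added example (not from the original article), the script below reads them, reports which slider position they correspond to, and sets the "Always notify" position. The value names and meanings are Microsoft's documented ones; nothing is assumed.

```powershell
# Added example: read and set the UAC level from the registry. Run elevated.

$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    $p = Get-ItemProperty -Path $pol
    $admin  = $p.ConsentPromptBehaviorAdmin   # 2 = prompt for consent, 5 = prompt for non-Windows binaries only
    $secure = $p.PromptOnSecureDesktop        # 1 = prompt on the secure desktop (dimmed screen)
    $lua    = $p.EnableLUA                    # 0 = UAC off entirely

    if ($lua -eq 0)                           { $level = 'Never notify (UAC off)' }
    elseif ($admin -eq 2 -and $secure -eq 1)  { $level = 'Always notify' }
    elseif ($admin -eq 5 -and $secure -eq 1)  { $level = 'Notify only when apps make changes (default)' }
    elseif ($admin -eq 5 -and $secure -eq 0)  { $level = 'Notify only when apps make changes, without dimming' }
    else                                      { $level = "Custom (Admin=$admin, SecureDesktop=$secure)" }

    [pscustomobject]@{
        EnableLUA                  = $lua
        ConsentPromptBehaviorAdmin = $admin
        PromptOnSecureDesktop      = $secure
        Level                      = $level
    }
}

'Before:'; Get-UacLevel

# Always notify: UAC on, administrators asked for consent on every elevation, and the
# prompt shown on the secure desktop so that no other process can interact with it.
Set-ItemProperty -Path $pol -Name EnableLUA                  -Value 1 -Type DWord
Set-ItemProperty -Path $pol -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
Set-ItemProperty -Path $pol -Name PromptOnSecureDesktop      -Value 1 -Type DWord

'After:'; Get-UacLevel
# A change to EnableLUA needs a reboot; the other two values apply immediately.
```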

Enable Memory Integrity

Windows Security, the built-in security app, has a feature under Core isolation called Memory Integrity (also known as hypervisor-protected code integrity, HVCI). It uses the hypervisor and virtualization-based security to run the kernel's code-integrity checks in an isolated environment, so that any code loaded into the kernel, drivers above all, must be properly signed, and kernel memory cannot be made both writable and executable. Loading a vulnerable or malicious driver is a standard way for malware to get kernel access; Memory Integrity is the main defence against that, and the separate "Microsoft Vulnerable Driver Blocklist" toggle on the same page additionally blocks drivers that Microsoft has identified as exploitable. Drivers that are incompatible with HVCI cannot load while it is on, which is why Windows warns you about them before enabling it.

Follow these steps to enable Memory Integrity:

  1. Navigate to the following:

    Settings app >> Privacy & security >> Windows Security >> Device Security

  2. Here, click on Core isolation details under "Core isolation."

    Core isolation details
  3. Here, toggle the switch into the On position beneath Memory Integrity.

    Toggle on memory integrity
  4. Now restart your computer for the changes to take effect.
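"On" in the Settings app only means configured; whether HVCI is actually running depends on the hardware requirements being met after the reboot. As an added example (not from the original article), the script below reports the real state through the Win32_DeviceGuard class, enables Memory Integrity and the vulnerable driver blocklist through their registry keys, and looks for unsigned loaded drivers that will be refused. The class, key and value names are the documented ones; nothing is assumed.

```powershell
# Added example: check and enable Memory Integrity (HVCI) and the driver blocklist. Run elevated.

function Get-CoreIsolationStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $vbsText = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    # SecurityServicesRunning/Configured codes: 1 = Credential Guard, 2 = HVCI (Memory Integrity)
    [pscustomobject]@{
        VbsStatus      = $vbsText[[int]$dg.VirtualizationBasedSecurityStatus]
        HvciConfigured = [bool]($dg.SecurityServicesConfigured -contains 2)
        HvciRunning    = [bool]($dg.SecurityServicesRunning -contains 2)
        # 1 = base VBS, 2 = Secure Boot, 3 = DMA protection, ... (what the platform offers)
        HwAvailable    = ($dg.AvailableSecurityProperties -join ',')
    }
}

'Before:'; Get-CoreIsolationStatus

# Memory Integrity: Enabled=1 under the HVCI scenario key. Leave the Locked value alone on a
# personal PC; with Locked=1 (UEFI lock) it can only be turned off again from the firmware.
$hvci = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
New-Item -Path $hvci -Force | Out-Null
Set-ItemProperty -Path $hvci -Name Enabled -Value 1 -Type DWord

# The "Microsoft Vulnerable Driver Blocklist" toggle.
$ci = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
New-Item -Path $ci -Force | Out-Null
Set-ItemProperty -Path $ci -Name VulnerableDriverBlocklistEnable -Value 1 -Type DWord

# HVCI starts at the next boot. Unsigned drivers that are loaded now will be refused then;
# find them first so a missing device after the reboot is not a surprise.
'Unsigned drivers currently installed:'
Get-CimInstance -ClassName Win32_PnPSignedDriver |
    Where-Object { -not $_.IsSigned } |
    Select-Object DeviceName, DriverProviderName, DriverVersion |
    Format-Table -AutoSize

'After (HvciRunning becomes True only after a reboot):'; Get-CoreIsolationStatus
```

If HvciRunning stays False after the reboot, check VbsStatus and HwAvailable: virtualization must be enabled in the firmware and Secure Boot should be on, otherwise virtualization-based security never starts and the Settings toggle is a no-op.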

Close Listening Ports

Network ports are used by Windows services and applications to send and receive data over the network. A listening port is a way into the machine for anyone who can reach it, and it becomes dangerous when the service behind it is unpatched, misconfigured, or simply not something you need. Therefore, it is recommended to close, or at least block, every listening port your system isn't using.

Before you begin, you must first find out which ports are open. To do so, follow these steps:

  1. Open Command Prompt or PowerShell with elevated privileges (the -b switch, which shows the owning program, needs them).

  2. Now run the following command:

    netstat -ab
    Check for listening ports

You should now be able to see the listening ports and the executable behind each one, as in the image above. Ports bound to 0.0.0.0 or [::] accept connections from the network; ports bound to 127.0.0.1 or [::1] only accept local connections and are not exposed. Once you know which exposed ports belong to services you don't use, you can block them.

Where it is possible, the better fix is to stop and disable the service (or remove the Windows feature) so that the port is not open at all. A firewall rule is the right tool when the service has to keep running for local use but must not be reachable from the network. To block a port with the firewall, use these steps:

  1. Open Windows Firewall by typing in firewall.cpl in the Run Command box.

    Open Firewall
  2. Now click Advanced settings from the left side of the window.

    Firewall advanced settings
  3. Now click Inbound Rules from the left pane, and then click New Rule from the right pane.

    New inbound rule
  4. The New Rule wizard will now launch. Select Port and then click Next.

    Create rule for port
  5. On the next screen, select the protocol (TCP or UDP) that netstat showed for the port, and then enter the port number you want to block in front of Specific local ports. Click Next when done.

    Specify the port(s)
  6. Now select "Block the connection" and then click Next.

    Block connection
  7. Now leave all profiles selected and click Next.

    Select all network profiles
  8. Finally, assign a name for this new rule and click Finish.

    Assign a name to rule

Block rules take precedence over allow rules in Windows Firewall, so this rule stops inbound connections to the port even if an app or feature has created an allow rule for it. The service behind the port is still running and still reachable from the machine itself, which is why disabling the service is the stronger option where you can.
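As an added example (not from the original article), the script below does the netstat step and the firewall step together: it maps every listening TCP and UDP endpoint to its process and, where applicable, the Windows service inside that process, flags the ones exposed to the network, and blocks chosen ports with rules that override any allow rule. The two ports blocked at the end (SMB and RDP) are an assumed example, not a recommendation for every PC.

```powershell
# Added example: enumerate exposed listeners and block selected ports. Run elevated.

function Get-ListeningEndpoints {
    # Map PID -> service names, so svchost.exe listeners are attributed to a real service.
    $svcByPid = @{}
    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.ProcessId -gt 0 } |
        ForEach-Object { $svcByPid[[int]$_.ProcessId] += @($_.Name) }

    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{ n = 'Proto'; e = { 'TCP' } }, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{ n = 'Proto'; e = { 'UDP' } }, LocalAddress, LocalPort, OwningProcess

    @($tcp) + @($udp) | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Proto    = $_.Proto
            Address  = $_.LocalAddress
            Port     = $_.LocalPort
            PID      = $_.OwningProcess
            Process  = $proc.ProcessName
            Services = ($svcByPid[[int]$_.OwningProcess] -join ',')
            # Bound to the wildcard address means reachable from the network, not just locally.
            Exposed  = ($_.LocalAddress -in '0.0.0.0', '::')
        }
    } | Sort-Object Proto, Port
}

'Listeners reachable from the network:'
Get-ListeningEndpoints | Where-Object { $_.Exposed } | Format-Table -AutoSize

function Block-InboundPort([ValidateSet('TCP', 'UDP')][string]$Protocol, [int]$Port) {
    # A Block rule wins over any Allow rule for the same traffic, so this closes the
    # hole even if a feature or installer created an allow rule for the port.
    $name = "Hardening - Block inbound $Protocol/$Port"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -Protocol $Protocol -LocalPort $Port -Profile Any | Out-Null
        "Created rule: $name"
    }
}

# Assumed examples: SMB file sharing and Remote Desktop, the two most attacked Windows ports.
Block-InboundPort -Protocol TCP -Port 445
Block-InboundPort -Protocol TCP -Port 3389
```

Run Get-ListeningEndpoints again after a reboot: a port that is gone because its service was disabled is a better outcome than one that is merely blocked.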

Closing Words

Many individuals never harden Windows because they assume no one would want to get into their computer anyway. In enterprise networks, protections are usually in place at the perimeter, which is why employees tend not to secure their own PCs at the lowest level.

Because these habits are so common, attackers can rely on them to gain unauthorized access to computers and data. Therefore, we emphasize that you secure your Windows computers as much as possible using the tips and guides above.

Frequently Asked Questions (FAQs)

How to reduce the attack surface on Windows?

The attack surface can be reduced in several ways: disable services you don't use so that they stop listening, block the remaining unused ports with the firewall, and keep the firewall enabled on every network profile. On a home network, keep the PC behind the router's NAT and do not forward any ports to it; a machine with no forwarded ports cannot be connected to directly from the internet.

How to make Windows 11 secure?

You can secure your Windows PC by doing the following:
-Enable firewall
-Close listening ports
-Use a complex and secure user account password
-Perform occasional system scans using Windows Security
-Enable BitLocker encryption
-Keep Windows updated
-Enable Memory Integrity
-Disable automatic login

Subhan Zafar is an established IT professional with interests in Windows and Server infrastructure testing and research, and is currently working with Itechtics as a research consultant. He has studied Electrical Engineering and is also certified by Huawei (HCNA & HCNP Routing and Switching).

4 comments

  • ZX

    It takes more than just right-click run to use Baseline-LocalInstall. Open a terminal window and try running it yourself. It shows red, meaning there was an error

  • Victor M

    Did you even read the scripts in the Baseline? The 3rd script disables all settings, and you are telling people to run all three.

  • Azhar Ali Buttar

    It's a very good article, but it seems like it's missing the main purpose, which is mentioning prevention of insider attacks in the opening paragraph.

    • Subhan Zafar

      Thank you for the valuable feedback. We have iterated this post to include your concern. Hopefully, this will make our audience better understand the purpose of Windows hardening.
