First I will preface this with the fact that I am using a Windows 10 Enterprise
LTSC 2021 base install as my normal Windows machine for this exercise. We are
also going to focus more on the security of the average user.

We are going to grab a few tools to assist us, as most people will not be
comfortable diving into the Registry and making changes. There are a few
settings that will require us to use the Registry or the Group Policy Editor
(if you're not on a Home edition).

:: Software

+- SponsorBlock (Plugin)
+- uBlock Origin (Plugin)
+- HTTPS Everywhere (Plugin)
+- Clear URLs (Plugin)

:: Do Not Disable UAC (Running as Local Admin)

The UAC prompts can get annoying after some time, but if you do end up turning
off UAC, always remember to turn the function back on. You don't need to run
every program as Administrator, just as you do not need to prefix every command
with "sudo" in Linux.

UAC is a huge step in security for any Windows system.

:: Who Are Admins

If you have multiple accounts on a machine or share a machine with others,
check to see who is a Local Admin on the machine and change users who do not
need Local Admin rights. This is usually the case with a child that uses the
machine, and goes on a spree installing all the latest Minecraft/Roblox/Other
viruses and malware.

Also, most local Windows installs (not those associated with business or
connected to Active Directory) allow accounts without passwords.

Make sure all accounts have passwords, and local Administrator accounts have
strong passwords.
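As an added example that is not part of the original article, here is the same
check done from an elevated CMD prompt (the console the rest of this page
uses): list the Administrators group, list enabled local accounts that can sign
in without a password, and optionally demote one account and give it a
password. The script name, the "fix" argument and the 14-character minimum are
my own choices; WMIC is assumed present, which it is on Windows 10 LTSC 2021.

```batch
@echo off
:: Added example, not from the original article: audit local accounts from an
:: elevated CMD prompt on a standalone (non-domain) Windows 10 machine, and
:: optionally fix one account. The script name and the 14-character minimum
:: are assumptions of this example.
::
:: Usage:  audit-accounts.cmd            report only
::         audit-accounts.cmd fix USER   remove USER from Administrators and set a password
setlocal

if /I "%~1"=="fix" goto :fix

echo === Members of the local Administrators group ===
net localgroup Administrators

echo.
echo === Enabled local accounts that do NOT require a password ===
:: PasswordRequired=FALSE means the account may sign in with a blank password.
:: WMIC is still shipped with Windows 10 LTSC 2021.
wmic useraccount where "LocalAccount=TRUE and Disabled=FALSE and PasswordRequired=FALSE" get Name,SID

echo.
echo === Password policy enforced for local accounts ===
net accounts
goto :eof

:fix
if "%~2"=="" (
    echo Usage: %~nx0 fix USERNAME
    exit /b 1
)
set "TARGET=%~2"

:: Drop the account from Administrators; it keeps its ordinary Users membership.
net localgroup Administrators "%TARGET%" /delete

:: Prompt for the new password interactively so it never appears on the command line.
net user "%TARGET%" *

:: Refuse short passwords on every future local password change
:: (14 is the largest value net accounts accepts for this option).
net accounts /minpwlen:14

endlocal
```

Run the report first and compare the Administrators list against the people
who actually need it; the built-in Administrator account and your own daily
account are the ones to leave alone. The "fix" branch asks for the password
at the prompt rather than taking it as an argument so it does not end up in
the console history.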

:: Passwords

Although not a direct Windows relation, get and use a password manager.
Personally I have set up a self-hosted Nextcloud instance, which I discuss how
to set up in another article.

You are going to want to use very strong passwords and store them in an
encrypted password manager. Which one really does not matter, but the more
control you have over it the better.

You will want to start using passwords that are strong, and most password
managers can do this for you using generated passwords, for example
"@nd07h�r5F@ctWe�ksHo1ding" is a password I just had my plugin create.

Most online services should be able to accept these passwords, and those that
do not accept them you can usually modify the password to remove the special
characters that the server does not accept.

You can use the service Have I Been Pwned to check various breaches and such,
although I am aware that you're submitting data to a service that might have a
target on its back.

:: Two Factor Authentication

Again not directly related to Windows: use a 2FA option on every service that
allows it. Some services like banks tend to lean toward SMS authentication,
while others use a TOTP/Google Auth/Authy code. The TOTP codes can be
generated using any 2FA application. Since my workplace uses Office 365, I
lean toward the Microsoft Authenticator (Android) as I can use that to handle
all my 2FA needs. You can choose to enable backups of the codes to Microsoft
servers or not; that's up to you.

:: Firewall (Tinywall)

After installing Tinywall, you will lose all network connectivity. Do not
install Tinywall over an RDP connection unless you have physical or console
access to the system.

Right click on the system tray icon for Tinywall and enable "Unblock LAN
Traffic". This will enable Tinywall to perform internet traffic blocking only.

Right click the icon again and click "Manage". You can choose the options you
want on the General tab, and then click over to the Application Exceptions
tab.

Here I like to start with nothing, by removing all entries. I do not use Edge
or the Microsoft Store at all, so those defaults are not wanted. Under the
Special Exceptions tab you can choose what you want to enable or disable. I
usually leave all of the Recommended checked except Windows Network Discovery
and Windows Store Update. Under Optional, most normal users won't need
anything here.

Click Apply to save the settings.

You can always right click the tray icon and select "Show Connections", then
at the bottom only select the check boxes for "Show Blocked Apps" to see what
programs are communicating out to the internet. Here is where you will allow
specific programs, one by one, that you are aware of and want to allow.

Do not blindly allow programs to talk to the internet; there should be a good
reason these need to communicate to the world. Internet games, browsers, and
other applications will require internet access. "System" does not need
internet access, nor does "wermgr.exe" or "lsass.exe". There are quite a few
background Windows processes that will try to talk to servers but will work
fine without it.

:: Virtual Machines (VirtualBox)

You might be asking why I added VirtualBox to this page. There are a few very
good uses for Virtual Machines besides what a Systems Engineer or
Administrator might use them for. You can isolate software using a Virtual
Machine and keep things orderly.

I have a VM for programming, and one for testing software from random sources,
as well as a VM for all web browsing and telnet/ssh clients. You can use a
Virtual Machine to load software a child might be using to keep the software
away from the system itself.

If you're testing a piece of software you do not fully trust, always load it
inside a VM first.

Installation and setup of a Virtual Machine is beyond the scope of this
specific page, but there are others around, and I might get to writing one up
soon enough.

:: Tweaking Tool (WinAero Tweaker)

Although not completely security related, there are lots of options available
to you using this tool that would normally require digging for hours through
the Registry.

There are a good amount of Quality of Life settings as well as some security
related settings. Go through the tool, one section at a time, and just read.
Most settings are personal preference.

:: Drive Encryption (Basic/Bitlocker)

If you have a version of Windows that supports Bitlocker, I suggest you enable
it. Encrypt all internal hard drives, and utilize the TPM if you have one.
There are some reasons why you might not want Bitlocker, such as if you're dual
booting or might need to move the hard drive from one machine to another, but
for most people: just enable the encryption.

You will not be able to recover your data if the machine fails, but you have
backups, right? You should. You will also want to back up and store your
Bitlocker recovery keys on a USB drive or printed sheet, and keep it in a
secure location that others do not have access to.
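As an added example, not code from the original article, this is the same
procedure done with manage-bde from an elevated CMD prompt: check the current
state, turn encryption on with the TPM plus a recovery password, and write the
recovery password to a USB drive so it can be printed or stored away. The
drive letters C: and E:, the file name, and the choice of XTS-AES-256 with
used-space-only encryption are assumptions of this example.

```batch
@echo off
:: Added example, not from the original article: enable BitLocker on the OS
:: drive with manage-bde from an elevated CMD prompt and keep a copy of the
:: recovery password on a USB drive, as the text above recommends.
:: Assumptions: the OS drive is C:, the USB drive is E:, and the machine has a
:: ready TPM (manage-bde uses it as the unlock method on the OS drive).
setlocal
set "OSDRIVE=C:"
set "KEYDRIVE=E:"

if not exist "%KEYDRIVE%\" (
    echo USB drive %KEYDRIVE% is not present; insert it before continuing.
    exit /b 1
)

:: 1. Current state. "Protection Off" with no key protectors means nothing is
::    encrypted yet.
manage-bde -status %OSDRIVE%

:: 2. Start encryption: TPM unlock plus a numerical recovery password, XTS-AES-256,
::    used-space-only (fine for a fresh install; leave out -UsedSpaceOnly on a
::    drive that already held data so old free-space remnants get encrypted too).
::    BitLocker will ask for a reboot to run its hardware test before encrypting.
manage-bde -on %OSDRIVE% -RecoveryPassword -EncryptionMethod xts_aes256 -UsedSpaceOnly

:: 3. Save the recovery password (48 digits, with its protector ID) to the USB
::    drive. This is the file to print or stash; the USB stick should then live
::    somewhere other than next to the machine.
manage-bde -protectors -get %OSDRIVE% -Type RecoveryPassword > "%KEYDRIVE%\BitLocker-%COMPUTERNAME%-recovery.txt"
type "%KEYDRIVE%\BitLocker-%COMPUTERNAME%-recovery.txt"

:: 4. Confirm. After the reboot, status should show "Protection On" with the
::    percentage climbing, and TPM plus Numerical Password listed as protectors.
manage-bde -status %OSDRIVE%
endlocal
```

The recovery password is the only way back in if the TPM is cleared, the
board is replaced, or the drive is moved to another machine, which is exactly
the dual-boot and drive-swap situation the text warns about, so check that
the text file on the USB drive actually contains a 48-digit key before you
put the drive away.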

:: Drive Encryption (Advanced)

If you're not one for using Microsoft's baked-in encryption of the system disk,
you can always go for a 3rd party disk encryption utility.

::https://sourceforge.net/projects/veracrypt/

VeraCrypt is a great alternative, and will also give you the option to create
and mount encrypted disk images.

:: Disable "Debug Programs Policy" (Group Policy Editor)

Group Policy Management Editor -> Windows Settings -> Security Settings ->
Local Policies -> User Rights Assignment -> Debug programs

In here you will need to remove all users and groups, and also define the
policy settings by clicking the check box at the top to do so.

::https://bbs.archaicbinary.net/blog/disable-debug-priv-0.png
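As an added example that is not from the original article, the same change
can be scripted with secedit, which edits the same local security policy the
User Rights Assignment dialog above shows. The template below assigns
SeDebugPrivilege (the internal name of "Debug programs") to nobody, after
exporting the current assignments so they can be restored. The file names
under %TEMP% are arbitrary choices of this example.

```batch
@echo off
:: Added example, not from the original article: the CMD equivalent of clearing
:: "Debug programs" (SeDebugPrivilege) in User Rights Assignment, using secedit,
:: with a backup taken first so the change can be reversed.
:: Assumes an elevated prompt; the file names under %TEMP% are arbitrary.
setlocal
set "BACKUP=%TEMP%\user-rights-before.inf"
set "AFTER=%TEMP%\user-rights-after.inf"
set "TEMPLATE=%TEMP%\no-debug-priv.inf"
set "DB=%TEMP%\no-debug-priv.sdb"

:: 1. Export the current user-rights assignments. To undo everything later:
::    secedit /configure /db "%DB%" /cfg "%BACKUP%" /areas USER_RIGHTS
secedit /export /cfg "%BACKUP%" /areas USER_RIGHTS

:: 2. Write a minimal security template. An empty value for SeDebugPrivilege
::    assigns the right to nobody, which is what the text above asks for.
(
  echo [Version]
  echo signature="$CHICAGO$"
  echo Revision=1
  echo [Privilege Rights]
  echo SeDebugPrivilege =
) > "%TEMPLATE%"

:: 3. Apply only the user-rights area of the template.
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /areas USER_RIGHTS /quiet

:: 4. Verify. secedit writes UTF-16 files, so go through TYPE before findstr.
::    "SeDebugPrivilege =" with nothing after it, or no line at all, means no
::    account or group holds the right any more.
secedit /export /cfg "%AFTER%" /areas USER_RIGHTS
type "%AFTER%" | findstr /I /C:"SeDebugPrivilege"
if errorlevel 1 echo SeDebugPrivilege is no longer assigned to anyone.

:: The change reaches your own token at the next sign-in; "whoami /priv" in an
:: administrator session should then no longer list SeDebugPrivilege.
endlocal
```

Keep the backup file: debuggers and some backup or monitoring tools expect
administrators to hold this right and will fail until it is re-granted, and
the restore command in the comment puts the original assignments back. On a
domain-joined machine a Group Policy that sets this right will overwrite the
local setting at the next policy refresh.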

:: LSA Protection (Registry)

This protection can be enabled by creating the registry value 'RunAsPPL' of
type REG_DWORD, set to 1, under the following registry key.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

::https://bbs.archaicbinary.net/blog/lsa-protection-0.png
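As an added example, not from the original article, the registry change
above done from an elevated CMD prompt, with two extra steps a practitioner
will want: an audit mode run first, which logs any LSA plug-in or driver that
would be blocked without blocking it, and a verification of the event Windows
logs once LSASS really runs protected. The registry paths, values and event
IDs are the documented ones for this feature; the script name and the
audit/enable/verify arguments are my own.

```batch
@echo off
:: Added example, not from the original article: enable LSA Protection from an
:: elevated CMD prompt with an audit step before enforcement. Registry paths,
:: values and event IDs are the documented ones for this feature on Windows 10.
:: Usage:  lsa-protection.cmd audit | enable | verify
setlocal
set "LSA=HKLM\SYSTEM\CurrentControlSet\Control\Lsa"

if /I "%~1"=="audit"  goto :audit
if /I "%~1"=="enable" goto :enable
if /I "%~1"=="verify" goto :verify
echo Usage: %~nx0 audit ^| enable ^| verify
exit /b 1

:audit
:: Audit mode: LSASS keeps running unprotected but logs every plug-in or driver
:: that WOULD be blocked (CodeIntegrity events 3065/3066). Run this, reboot,
:: use the machine for a while, then look at "verify" output before enabling.
reg add "%LSA%\LSASS.exe" /v AuditLevel /t REG_DWORD /d 8 /f
goto :eof

:enable
:: The setting the text above describes: RunAsPPL = 1 under ...\Control\Lsa.
reg add "%LSA%" /v RunAsPPL /t REG_DWORD /d 1 /f
reg query "%LSA%" /v RunAsPPL
echo Reboot to apply, then run: %~nx0 verify
goto :eof

:verify
:: Anything audit mode flagged; no events means nothing would be blocked.
wevtutil qe Microsoft-Windows-CodeIntegrity/Operational /q:"*[System[(EventID=3065 or EventID=3066)]]" /f:text /c:10 /rd:true
:: Once enabled, WinInit logs System event 12 ("LSASS.exe was started as a
:: protected process with level: 4") at every boot while protection is active.
wevtutil qe System /q:"*[System[Provider[@Name='Microsoft-Windows-Wininit'] and (EventID=12)]]" /f:text /c:1 /rd:true
goto :eof
```

Run "audit" first if the machine has third-party credential providers,
smart-card middleware or security agents installed, since those are the
things that tend to show up in the 3065/3066 events. Note also that on a UEFI
system enabling RunAsPPL additionally records the setting in a UEFI variable,
so simply deleting the registry value later does not switch protection off
again; Microsoft provides a separate opt-out tool for that.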

:: Disable PowerShell (Group Policy Editor)

On this machine I don't use or need PowerShell at all; I do all of my console
work using CMD. Some users will want to skip this if they need or use
PowerShell.

User Configuration > Administrative Templates > System

On the right side, double-click the "Don't run specified Windows applications"
policy.

::https://bbs.archaicbinary.net/blog/disable-powershell-0.jpg

Select the Enabled option.

Under the Options section, click the Show button.

::https://bbs.archaicbinary.net/blog/disable-powershell-1.jpg

In the "Value" column, type "powershell.exe" to disable the PowerShell
experience.

::https://bbs.archaicbinary.net/blog/disable-powershell-2.jpg

In the "Value" column, type "powershell_ise.exe" in a new cell to disable the
PowerShell ISE interface.

In the "Value" column, type "pwsh.exe" in a new cell to disable PowerShell 7.

Click the Apply button.

Click the OK button.

Using AppLocker:

AppLocker helps you control which apps and files users can run. These include
executable files, scripts, Windows Installer files, dynamic-link libraries
(DLLs), packaged apps (aka Microsoft Store apps), and packaged app
installers.

I won't go into depth here on how to use AppLocker, as you can get into complex
setups with it. I suggest reading this page to set up AppLocker correctly.

The simplest way to use AppLocker is just specifying paths that programs
are allowed to run from, instead of trying to deny all paths and future paths.
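As an added example serving both the PowerShell steps and the AppLocker note
above (not code from the original article), this is what the "Don't run
specified Windows applications" policy writes to the registry, applied from
CMD for the current user with the same three executables, followed by the one
prerequisite for going on to AppLocker: its rules are only enforced while the
Application Identity service is running. The registry path is the documented
policy location; the script is otherwise my own.

```batch
@echo off
:: Added example, not from the original article: the registry values behind the
:: "Don't run specified Windows applications" policy, applied from CMD for the
:: current user, plus the prerequisite for moving on to AppLocker. The registry
:: path is the documented policy location; the three executables are the ones
:: listed in the text above.
setlocal
set "POL=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

:: Policy switch, then the numbered list of blocked image names.
reg add "%POL%" /v DisallowRun /t REG_DWORD /d 1 /f
reg add "%POL%\DisallowRun" /v 1 /t REG_SZ /d powershell.exe /f
reg add "%POL%\DisallowRun" /v 2 /t REG_SZ /d powershell_ise.exe /f
reg add "%POL%\DisallowRun" /v 3 /t REG_SZ /d pwsh.exe /f

:: Show the result; Explorer applies the list at the next sign-in.
reg query "%POL%\DisallowRun"

:: Scope reminder: this policy only covers programs started through File
:: Explorer, which is why the text moves on to AppLocker for real control.
:: AppLocker rules are enforced only while the Application Identity service is
:: running, and on Windows 10 its startup type can only be changed from an
:: elevated prompt, not from the Services snap-in.
sc config appidsvc start= auto
sc start appidsvc
sc query appidsvc | findstr /C:"STATE"
endlocal
```

Because the values live under HKCU, this is a per-user convenience setting
rather than a machine-wide boundary, and any account with local admin rights
can change it back; that is the gap the path-based AppLocker rules mentioned
above are meant to close, and the "STATE : RUNNING" line from the last
command is the thing to check before trusting that those rules are in effect.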

:: More Information

I have also written down a good amount of information for helping secure your
web browsing activities. Check out the article under 'Internet' named 'Web
Browsing Anonymously'.

Original URL: gemini://bbs.archaicbinary.net/blog/security/2022.07.01-Securing_Windows_10;_Lets_Try_Some_Ideas.txt