Sergey Nivens - Fotolia
Microsoft makes much ado about Windows 10 from a security standpoint, and the company often claims it's the most secure of all the Windows clients so far.
Be that as it may, there are still plenty of things savvy Windows admins can do to further harden Windows 10 against attacks, especially when constructing reference or canonical Windows images for desktop deployments. Apply a small set of basic security principles to crafting such an image, and the result will be more secure than what Microsoft provides out of the box.
Applying basic security principles to Windows image construction
Windows admins often use tools such as Sysprep, Microsoft's System Preparation tool, to create a reference Windows image for later desktop deployment. The relevant security principles to keep in mind when doing this begin with understanding OS hardening.
Hardening an installation is about securing the OS and the applications that a system -- in this case, a Windows 10 client -- will use. The fundamental idea is to eliminate or reduce attack surfaces to repel or impede attackers. Thus, key goals for Windows hardening must include all the available means to deny, deter or delay attacks of any kind.
To harden Windows, the best approach begins with turning off or disabling any feature in Windows that isn't being used. This ensures that, if a feature isn't present or isn't active, it presents no attack surface for an attacker to exploit.
Applying the principle of least privilege further protects hardened systems from attack. In security circles, the principle of least privilege means providing access rights and privileges that permit users to do their jobs, and nothing more. This starts with establishing an account policy that requires all users to log into standard user accounts to perform ordinary tasks.
Admins themselves should log in with administrative privileges only when they need to perform administrative tasks, and should stay logged in that way only long enough to complete them. In fact, administrative tasks that can be automated should be to minimize the amount of time administrators are logged in with administrative privileges. Administrative tasks can include installing programs; configuring systems, services and networks; and performing system maintenance tasks, such as backups, updates, patches and configuration or system management.
If admins look at what they do with Windows 10 with these principles in mind, they'll understand what they must do to harden Windows 10 or other clients against attack.
Initial approach to Windows hardening
Building a hardened system image is different from a typical installation. An administrator would normally disconnect the workstation on which such an image is to be created from the network -- either by disconnecting the wired network cable in conventional Ethernet networks or by disabling Wi-Fi on devices connecting through a wireless internet connection.
The next step is to use a bootable USB installer to perform an upgrade install, if modifying an existing image, or a clean install, if creating a new image. Supplying an OS may be skipped during the initial image creation, or a file named PID.TXT can be inserted in the …\Sources directory of the USB installer that includes the volume license key to be used for all applicable client installations.
For more details about the process, see sidebar.
Changing Settings to Harden Windows 10
Once the initial installation is complete, open the Settings app in Windows 10 to lock down or turn off key elements. Some typical settings to change during this exercise include, but are not limited to:
- Speech: Choose Time & language > Speech > No microphone setup.
- Speech, inking & typing: Choose Time & language > Speech > Speech, inking & typing privacy settings > Stop getting to know me.
- Advertising ID: Type advertising into the Find a setting box, select Choose if apps can use your advertising ID and turn off the setting.
- Let Skype help you connect: Turn off if users do not use Skype.
- Location: If users don't need location data for searching and access, search for location and turn off Find My Device. Then, search for location settings and turn off the service that allows Windows, apps and services to use the device's location.
- Hotspots: Search for change Wi-Fi settings and turn off Automatically connect to suggested hotspots and Automatically connect to hotspots temporarily.
- Diagnostic info: Limit the amount of data sent to Microsoft, unless it is necessary. In the Settings app, choose Privacy > Feedback & diagnostics, and then select Basic in the Send your device data to Microsoft drop-down menu (in the Diagnostic and usage data section).
- Use page prediction: Turn off this Microsoft Edge setting to speed information lookup and to silence predictive algorithms.
- Get updates and Send updates to other PCs on the Internet: Turn off both settings. To turn off updates, mark the internet connection as "metered." To stop sending (or grabbing) updates from other PCs on the internet, choose Update & security > Windows Update, and then select Advanced options to disable upgrade delivery from PCs on the internet or to turn off delivery from any other PCs -- even if they are on the same local network.
It's generally a good idea to work through the full battery of Windows settings and ask whether or not users need them enabled, partially locked down or turned off entirely based on their usage requirements. Next, apply all the tested and approved security updates that apply to the Windows 10 version branch being used -- though most users will be using the Current Branch for Business.
Finally, make sure all the device drivers for any devices users are authorized to use are installed, working and up to date. When this excludes devices, the safest course of action is to disable or uninstall the corresponding drivers in the reference image.
When all these activities are complete -- and not before -- take a snapshot of the reference image for potential deployment and use in the field. Call this "Windows 10 base, version xxxx," where "xxxx" reflects the current version branch number.
Customizing the Windows 10 image
The next step for Windows hardening is to customize the base Windows 10 image in Audit Mode using Sysprep. When the Settings dialog box appears during the final phase of Windows 10 installation, instead of choosing Customize or Express Settings, hold down the CTRL and SHIFT keys and then press the F3 function key. Windows will reboot in Audit Mode and display the Sysprep dialog box. There are a few other tasks to finish before using Sysprep, so press Cancel to close this dialog box and continue.
The next task is installing the Windows Assessment and Deployment Kit, which provides access to the Windows System Image Manager (SIM). Use SIM to create and modify the answer file for Sysprep to create an image customized to your specifications, and then complete and customize a reference Windows image. Call this "Windows 10 base, version xxxx," where "xxxx" reflects the current version branch number.
Maintaining a hardened Windows image
Over time, the base image will need to be updated and amended as requirements evolve and software is updated. This requires that you repeat the same steps described for customizing a base image.
For example, when Windows 10 changes build numbers (such as upgrading from 1511 to 1607), it is necessary to start over from scratch. Otherwise, you can start your update with the base image (to which updates may be applied), and then rebuild the Sysprep file to update any applications, settings or account information.
Always use an explicit file-naming convention, and create new files when making changes. That way, it's possible to return to the previous base and apps versions should a mistake be made or should any problems arise during image creation or the modification/customization processes.
Remember to apply the basic Windows hardening principles described in the introduction to this article so you'll never stray too far off the path of keeping your Windows systems safe and secure. When in doubt, ask how your contemplated changes meet one or more of those principles before making them permanent. If you can't make a good argument as to why or how a planned change or introduction keeps Windows secure, the change is probably not worth introducing.
Find out more about using Docker securely on Windows or Linux systems
Learn about the top 10 most popular admin tips for Windows Server 2016
Read frequently asked questions about Windows Server hardening