Even if your computer is placed within a secure environment, such as an organizational domain, you are still prone to attacks, especially insider attacks. Insider attacks are harder to identify, and by the time they are identified it is probably too late. Therefore, you need to “harden” your Windows computer. Hardening refers to the configurations put in place to make a system more secure by reducing its attack surface, making it harder for attackers to penetrate. Whether your PC is personal or part of an organization, you can harden your Windows 11 computer using the detailed guide below. Here, we share the best-recommended tips and techniques that will make your computer impenetrable.
How to Enhance Windows 11 Security
There are many things you can do to ensure that your system is secure. These include practices that reduce the chance of someone physically accessing your PC, as well as hacking attempts over the internet.
Install Windows 11 Security Baseline
A Security Baseline is an additional set of security enhancements that can be added to the original security protocols already in place in Windows. This is especially useful for companies and organizations that prefer to take more control of their virtual security, but individuals can also install them on their home computers. The Windows 11 Security Baseline has been released as a component of Microsoft Security Compliance Toolkit 1.0. Here is how you can download and install Windows 11 Security Baseline: The recommended security settings from Microsoft will already be implemented once the Security Baseline is installed. The script will now run automatically. Wait for the PowerShell window to close on its own.
Lock Account with Complex Password
First things first: you must put a lock on your Windows user account so that no one can use it in your absence. People often tend to use Windows Hello features and use a small PIN to lock their accounts, but fewer characters mean less security for your account. Therefore, we recommend that you implement a complex password that includes special characters, numbers, and a combination of both lower-case and upper-case letters. Here are the steps to configure your password on a Windows 11 PC: You will now be asked to log into your account using this password. You can then continue to set up other complex sign-in options, such as a security key, fingerprint, or facial recognition so that only you can sign into your account.
Use a Password Manager
If you use many different passwords and credentials for different accounts and websites, then we recommend that you use a password manager. Password managers are software that stores your credentials so that you can look them up in case you forget any. Of course, these managers also need a password for you to log in. That said, we recommend that you use an offline password manager that does not use internet connectivity, ensuring that no data will be shared over the internet whatsoever. Of course, you will then need to secure the password manager with your life since it will contain all your credentials. However, this way, you will only need to remember one password: the one for the password manager. Our top picks for password managers for Windows are the following:
LastPass
1Password
Disable Automatic Login
When you first install Windows, the primary account created is set to log in automatically. This can be dangerous as anyone who uses your computer will be automatically logged into your account. Thankfully, this feature can be disabled. However, in Windows 11, this option is missing by default. It can be enabled by making manual edits to the Windows Registry. Here is how: Note: Misconfiguration of critical values in the system’s registry could be fatal for your operating system. Therefore, we insist that you create a system restore point before proceeding. Now, perform the following steps to disable automatic login: Now all user accounts on your computer will need to enter their credentials to log in.
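One way to check for and turn off automatic sign-in from PowerShell, as an added example that is not part of the original guide. It uses the documented Winlogon values AutoAdminLogon, DefaultUserName and DefaultPassword rather than the registry steps the guide refers to; the function names are hypothetical.

```powershell
# Added example: audit automatic logon. Run from an elevated PowerShell prompt.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonState {
    $props = Get-ItemProperty -Path $winlogon
    [pscustomobject]@{
        # AutoAdminLogon = "1" means Windows signs in DefaultUserName at boot
        AutoLogonEnabled  = ($props.AutoAdminLogon -eq '1')
        DefaultUserName   = $props.DefaultUserName
        # A DefaultPassword value, if present, sits in the registry in clear text
        PlaintextPassword = ($null -ne $props.DefaultPassword)
    }
}

function Disable-AutoLogon {
    # Turn off automatic sign-in
    Set-ItemProperty -Path $winlogon -Name AutoAdminLogon -Value '0' -Type String
    # Remove the stored clear-text password if one exists
    Remove-ItemProperty -Path $winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
}

# Report the current state; call Disable-AutoLogon only after reviewing it
Get-AutoLogonState | Format-List
# Disable-AutoLogon
```

If PlaintextPassword is reported as True, change that account's password after removing the value, since it was readable from the registry.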
Enable Windows Firewall
Windows Firewall is a piece of software that filters all data and packets coming in and going out from your computer through the network. Disabling it would mean that all sorts of packets can come and go without being detected. Although this is enabled by default, you must ensure that it is not disabled. Here are the steps to enable Windows Firewall:
Disable Remote Desktop
Remote Desktop is a Windows feature that allows other computers on your network to access your PC (or vice versa) remotely. This also opens network ports on your computer, making it vulnerable to attacks. Therefore, we suggest that you disable it. Here is how: Remote Desktop will now be disabled and you will no longer be able to access this computer remotely.
Keep Windows Updated
Another important factor people often overlook is keeping their Windows OS up to date. This means that you must install the Windows updates as they are published. Windows updates include security patches that address both known and unknown security vulnerabilities so that they cannot be exploited. When an exploit is made public, hackers can use it to gain unauthorized access to a system. If your system does not have the right updates installed, it will be prone to attacks. Although Windows 11 installs Windows updates automatically, it may be possible that you have paused/disabled them. If you have, we suggest that you enable them right away by clicking Check for updates from the following location:
Enable Encryption
Windows 11 comes with a built-in encryption mechanism known as BitLocker. It encrypts the data on your hard drive/partition so that it can only be accessed with a security key. Even if your hard drive is accessed by another computer or physically connected to another PC, the information on it won’t be accessible without its key. Each partition needs to be encrypted separately. Therefore, we suggest that you encrypt all of the partitions to harden your Windows 11 PC as much as possible. Here are the steps to enable and configure BitLocker on a volume/partition: Note: Before you begin, you must have an available partition that is not being encrypted, where the Recovery Key will be stored. In case your system does not have one, you can connect an external, unencrypted USB drive to store the key. Note: You can select “Compatible mode” if you plan on connecting this drive to another PC in the future with an older OS than Windows 10. When it completes, close the window. Note: If you are encrypting the OS drive/boot drive, then you will be asked to restart the computer. If so, reboot the PC and the OS drive (usually drive C) will encrypt after the reboot.
Manage App Permissions
Various native and third-party applications need access to different components and permissions to function. However, some apps ask for permissions they don’t need, or that you don’t want to share. For those, you can restrict access to certain things, such as the microphone or location. To manage application permissions, navigate to the following: Here, scroll down and click on the different permissions you want to manage. From each option, you can select which applications will have these permissions and which won’t.
Increase User Account Control (UAC) Settings
The User Account Control is a safety feature in Windows that prompts a user when they are making changes to system settings or launching an app that could potentially make those changes. It is like an added step that asks you “Are you sure you want to continue?” The default setting for UAC in Windows 11 is medium. But to harden your OS, you must increase this to the maximum. Here is how:
Enable Memory Integrity
Windows Security, the built-in security software in Windows, has a feature called Memory Integrity, which blocks driver installations that have been deemed vulnerable by Microsoft. Blocking these drivers will ensure that your system is not compromised by weak drivers. Follow these steps to enable Memory Integrity:
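The settings from the Windows Firewall, Remote Desktop, Encryption, UAC and Memory Integrity sections can be verified from PowerShell in one pass. The following read-only audit is an added example, not the guide's own steps; the function names are hypothetical, and it assumes an elevated prompt on an edition that ships the BitLocker PowerShell module.

```powershell
# Added example: read-only audit of settings covered in this guide. Run elevated.
function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-HardeningReport {
    $uac  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $hvci = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $rdp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rows = @()

    # Windows Firewall: each profile (Domain, Private, Public) should be enabled
    foreach ($p in Get-NetFirewallProfile) {
        $rows += [pscustomobject]@{ Check = "Firewall profile $($p.Name)"
                                    Pass  = "$($p.Enabled)" -eq 'True' }
    }
    # Remote Desktop: fDenyTSConnections = 1 means incoming RDP is refused
    $rows += [pscustomobject]@{ Check = 'Remote Desktop disabled'
                                Pass  = (Get-RegValue $rdp 'fDenyTSConnections') -eq 1 }
    # UAC "Always notify": consent prompt (2) shown on the secure desktop (1)
    $rows += [pscustomobject]@{ Check = 'UAC at highest level'
                                Pass  = (Get-RegValue $uac 'EnableLUA') -eq 1 -and
                                        (Get-RegValue $uac 'ConsentPromptBehaviorAdmin') -eq 2 -and
                                        (Get-RegValue $uac 'PromptOnSecureDesktop') -eq 1 }
    # Memory Integrity (HVCI): this is the configured state, applied at next boot
    $rows += [pscustomobject]@{ Check = 'Memory Integrity enabled'
                                Pass  = (Get-RegValue $hvci 'Enabled') -eq 1 }
    # BitLocker: every volume returned should report protection On
    foreach ($v in Get-BitLockerVolume) {
        $rows += [pscustomobject]@{ Check = "BitLocker on $($v.MountPoint)"
                                    Pass  = "$($v.ProtectionStatus)" -eq 'On' }
    }
    $rows
}

Get-HardeningReport | Format-Table -AutoSize
```

Any row with Pass set to False points back to the section of this guide that covers that setting.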
Close Listening Ports
Network ports are used by Windows services and applications to send and receive data over the network. Open ports are often deemed dangerous because hackers can exploit them if the service or application the ports are associated with is unpatched or lacks basic security protocols. Therefore, it is recommended to close any listening network ports that your system isn’t using. Before you begin, you must first find out which ports are open. To do so, follow these steps: You should now be able to see the listening ports. Once that is established, you can close the port(s) you are not using. To close them use these steps: This way your listening ports will be blocked and attackers won’t be able to exploit them.
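One way to list listening ports with their owning process and to block an unused one with an inbound firewall rule, as an added example that is not the guide's own steps. The function names, the rule display name and the commented port number are constructed for illustration.

```powershell
# Added example: inventory listening TCP ports. Run from an elevated prompt.
function Get-ListeningPort {
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessId    = $_.OwningProcess
            ProcessName  = $proc.ProcessName
            # Loopback-only listeners are not reachable from the network
            Exposed      = ($_.LocalAddress -notin @('127.0.0.1', '::1'))
        }
    } | Sort-Object LocalPort, LocalAddress
}

function Block-InboundPort {
    param([Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Port)
    # Create an inbound block rule for this TCP port
    New-NetFirewallRule -DisplayName "Hardening: block inbound TCP $Port" `
        -Direction Inbound -Protocol TCP -LocalPort $Port -Action Block
}

# Review what is exposed before blocking anything
Get-ListeningPort | Where-Object Exposed | Format-Table -AutoSize

# Constructed example call; replace 5357 with a port you confirmed is unused
# Block-InboundPort -Port 5357
```

A block rule filters inbound traffic while the service keeps listening; stopping or disabling the unused service removes the listener itself.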
Closing Words
Many individuals do not harden Windows, since they think that no one would want to access their computer anyway. In enterprise networks, security protections and protocols are usually in place, which is why employees tend not to secure their PCs at the lowest levels. Since these are common practices, hackers are able to exploit these weak points and gain unauthorized access to computers and data. Therefore, we emphasize that you secure your Windows computers as much as possible using the tips and guides given above.