S
Home Endpoint Security ยท Updated 2026-07-08

Windows Workstation Hardening

Hardening Windows workstations reduces the attack surface available to adversaries who gain or attempt to gain access to your environment. This guide applies a layered defence strategy aligned with CIS Benchmarks Level 1 & 2, NIST SP 800-171, and Microsoft Security Baselines for Windows 11.

Principle: No single control is sufficient. Layer prevention, detection, and response controls to contain the impact of any individual failure.


1. Full-Disk Encryption (BitLocker)

Every workstation must have BitLocker enabled. If a device is lost or stolen, encryption is the last line of defence protecting your data.

Configuration

  • Algorithm: AES-256 (not the default AES-128 on some configurations)
  • Protector: TPM 2.0 + PIN โ€” TPM-only is insufficient for high-security environments
  • Recovery keys: Stored in Active Directory / Entra ID only โ€” never on the same device
  • Suspension: Require admin approval; alert on any BitLocker suspension event

Group Policy Path

Computer Configuration โ†’ Administrative Templates โ†’
  Windows Components โ†’ BitLocker Drive Encryption โ†’ Operating System Drives

Key settings:

  • Require additional authentication at startup: Enabled (require PIN with TPM)
  • Choose drive encryption method and cipher strength: AES-256
  • Store BitLocker recovery information in AD DS: Enabled, require backup before BitLocker is enabled

2. Credential Protection

Credential theft is the primary lateral movement vector in modern attacks. These controls directly counter tools like Mimikatz and DCSync.

Local Administrator Password Solution (LAPS)

Without LAPS, a single compromised local admin password gives attackers admin access to every workstation. With LAPS, each machine has a unique, automatically rotated password.

  • Deploy Microsoft LAPS (built into Windows Server 2022 and Windows 11 22H2+)
  • Set rotation to every 30 days
  • Restrict read access to LAPS passwords via AD delegation
  • Audit all LAPS password reads

Windows Credential Guard

Isolates NTLM hashes and Kerberos tickets in a virtualization-based secure (VBS) enclave. Even a SYSTEM-level process cannot read credentials from LSASS.

Requirements: TPM 2.0, UEFI Secure Boot, 64-bit CPU with virtualization extensions

Computer Configuration โ†’ Administrative Templates โ†’
  System โ†’ Device Guard โ†’ Turn On Virtualization Based Security

Set Credential Guard Configuration to Enabled with UEFI lock (prevents easy disabling via registry).

Additional Credential Hardening

Setting Value Rationale
WDigest Authentication Disabled Prevents cleartext passwords in LSASS memory
LAN Manager authentication level NTLMv2 only Prevents downgrade to weak NTLM protocols
Minimum session security Require NTLMv2 + 128-bit encryption Encrypts NTLM sessions
Restrict NTLM Audit then restrict Facilitates migration to Kerberos

3. Application Control

Preventing unauthorised code from executing is one of the highest-value controls against malware, ransomware, and commodity attacks.

Microsoft Defender Application Control (WDAC)

WDAC operates at the kernel level and cannot be bypassed by a local admin. It is more robust than AppLocker.

Deployment approach:

  1. Audit mode (2โ€“4 weeks) โ€” log all binaries that execute, identify legitimate software inventory
  2. Policy refinement โ€” build allow rules for signed Windows components and managed software
  3. Enforce mode โ€” block any unsigned or unapproved binary

Baseline block rules (always deny):

  • Living-off-the-land binaries: mshta.exe, wscript.exe, cscript.exe, regsvr32.exe
  • psexec, psexesvc
  • Dual-use offensive tools: Mimikatz, Cobalt Strike artefacts

AppLocker (Legacy Alternative)

If WDAC cannot be deployed, configure AppLocker:

  • Executable rules: Allow from %PROGRAMFILES% and %WINDIR% only
  • Script rules: Block scripts in user-writable paths
  • DLL rules: Enable with care (performance impact)

4. Attack Surface Reduction (ASR) Rules

ASR rules are Defender for Endpoint behavioural controls targeting specific techniques used by malware.

Rule Name Mode Impact
Block Office apps from creating child processes Enforce High โ€” stops macro malware chains
Block Office VBA from writing executable content Enforce High
Block credential stealing from LSASS Enforce Critical โ€” stops Mimikatz
Block process creation from PSExec and WMI Audit โ†’ Enforce May affect legitimate admin tools
Block untrusted / unsigned processes from USB Enforce Stops BadUSB / autorun
Use advanced protection against ransomware Enforce Behavioural ransomware detection
Block JS and VBS from launching downloaded executables Enforce Stops drive-by execution
# Enable an ASR rule
Set-MpPreference `
  -AttackSurfaceReductionRules_Ids "d4f940ab-401b-4efc-aadc-ad5f3c50688a" `
  -AttackSurfaceReductionRules_Actions Enabled

5. PowerShell Hardening

PowerShell is the most abused administrative tool in post-exploitation. Comprehensive logging is essential.

Logging Configuration

Setting GPO Path
Script Block Logging Administrative Templates โ†’ Windows Components โ†’ Windows PowerShell
Module Logging Same path โ€” captures pipeline execution
Transcription Same path โ€” records full session text to a central share

Constrained Language Mode

Restrict PowerShell capabilities for standard users. Prevents access to .NET types and COM objects commonly used in attacks.

# Applied via WDAC policy or system-wide:
[System.Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')

Disable PowerShell v2

PowerShell v2 bypasses all modern logging. Remove it:

Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root

6. Windows Defender / MDE

Control Setting
Real-time protection Always on โ€” enforce via Tamper Protection
Cloud-delivered protection Enabled โ€” MAPS Advanced
Automatic sample submission Enabled
Tamper Protection Enabled โ€” prevents malware from disabling Defender
Network protection Enabled (block mode)
Controlled folder access Enabled โ€” ransomware protection
PUA protection Enabled (block)

Critical: Enable Tamper Protection before deploying other Defender controls.


7. User Account Control (UAC)

Setting Recommended Value
ConsentPromptBehaviorAdmin 2 โ€” Prompt for credentials on secure desktop
ConsentPromptBehaviorUser 0 โ€” Deny elevation requests from standard users
EnableLUA 1 โ€” UAC enabled
PromptOnSecureDesktop 1 โ€” Use secure desktop for prompts

Best practice: Users should operate as standard users day-to-day. Privileged access should be a separate account used only when needed.


8. Windows Firewall

  • Ensure Windows Firewall is enabled on all three profiles (Domain, Private, Public)
  • Default posture: block all inbound connections, allow established outbound
  • Log all dropped packets and ship to SIEM
# Verify all profiles are active
Get-NetFirewallProfile | Select Name, Enabled, DefaultInboundAction

# Block inbound SMB on Public profile
New-NetFirewallRule `
  -DisplayName "Block SMB Inbound (Public)" `
  -Direction Inbound -Protocol TCP -LocalPort 445 `
  -Action Block -Profile Public

9. Audit Policy and Logging

Category Setting
Account Logon โ€” Credential Validation Success + Failure
Account Management โ€” User Account Management Success + Failure
Detailed Tracking โ€” Process Creation Success
Logon/Logoff โ€” Logon Success + Failure
Policy Change โ€” Audit Policy Change Success + Failure
Privilege Use โ€” Sensitive Privilege Use Failure
System โ€” Security System Extension Success

Enable command-line logging for Process Creation (Event 4688):

Computer Configuration โ†’ Administrative Templates โ†’
  System โ†’ Audit Process Creation โ†’
  Include command line in process creation events: Enabled

Forward all Security event logs to a SIEM with minimum 90-day hot retention.


10. Patch Management

Vulnerability Severity Patching Deadline
Critical (CVSS 9.0+) 48โ€“72 hours
High (CVSS 7.0โ€“8.9) 14 days
Medium (CVSS 4.0โ€“6.9) 30 days
Low 90 days

Hardening Checklist

Control Priority Verify With
BitLocker AES-256 + TPM+PIN Critical manage-bde -status
LAPS deployed and rotating Critical AD attribute check
Credential Guard enabled High msinfo32 โ†’ VBS Services Running
WDAC policy in enforce mode High Event ID 3076 (block events)
ASR rules enabled High Get-MpPreference
PowerShell Script Block Logging High Registry / GPO audit
Defender Tamper Protection on High Windows Security app
UAC at credential-prompt level Medium Registry: ConsentPromptBehaviorAdmin = 2
Firewall on all profiles High Get-NetFirewallProfile
Advanced audit policy configured High auditpol /get /category:*
Critical CVE patched within 72h Critical Patch compliance report
PowerShell v2 removed Medium Get-WindowsOptionalFeature
The Security Architecture Site โ€” for internal reference use. Back to contents