Windows Workstation Hardening
Hardening Windows workstations reduces the attack surface available to adversaries who gain or attempt to gain access to your environment. This guide applies a layered defence strategy aligned with CIS Benchmarks Level 1 & 2, NIST SP 800-171, and Microsoft Security Baselines for Windows 11.
Principle: No single control is sufficient. Layer prevention, detection, and response controls to contain the impact of any individual failure.
1. Full-Disk Encryption (BitLocker)
Every workstation must have BitLocker enabled. If a device is lost or stolen, encryption is the last line of defence protecting your data.
Configuration
- Algorithm: AES-256 (not the default AES-128 on some configurations)
- Protector: TPM 2.0 + PIN โ TPM-only is insufficient for high-security environments
- Recovery keys: Stored in Active Directory / Entra ID only โ never on the same device
- Suspension: Require admin approval; alert on any BitLocker suspension event
Group Policy Path
Computer Configuration โ Administrative Templates โ
Windows Components โ BitLocker Drive Encryption โ Operating System Drives
Key settings:
- Require additional authentication at startup: Enabled (require PIN with TPM)
- Choose drive encryption method and cipher strength: AES-256
- Store BitLocker recovery information in AD DS: Enabled, require backup before BitLocker is enabled
2. Credential Protection
Credential theft is the primary lateral movement vector in modern attacks. These controls directly counter tools like Mimikatz and DCSync.
Local Administrator Password Solution (LAPS)
Without LAPS, a single compromised local admin password gives attackers admin access to every workstation. With LAPS, each machine has a unique, automatically rotated password.
- Deploy Microsoft LAPS (built into Windows Server 2022 and Windows 11 22H2+)
- Set rotation to every 30 days
- Restrict read access to LAPS passwords via AD delegation
- Audit all LAPS password reads
Windows Credential Guard
Isolates NTLM hashes and Kerberos tickets in a virtualization-based secure (VBS) enclave. Even a SYSTEM-level process cannot read credentials from LSASS.
Requirements: TPM 2.0, UEFI Secure Boot, 64-bit CPU with virtualization extensions
Computer Configuration โ Administrative Templates โ
System โ Device Guard โ Turn On Virtualization Based Security
Set Credential Guard Configuration to Enabled with UEFI lock (prevents easy disabling via registry).
Additional Credential Hardening
| Setting | Value | Rationale |
|---|---|---|
| WDigest Authentication | Disabled | Prevents cleartext passwords in LSASS memory |
| LAN Manager authentication level | NTLMv2 only | Prevents downgrade to weak NTLM protocols |
| Minimum session security | Require NTLMv2 + 128-bit encryption | Encrypts NTLM sessions |
| Restrict NTLM | Audit then restrict | Facilitates migration to Kerberos |
3. Application Control
Preventing unauthorised code from executing is one of the highest-value controls against malware, ransomware, and commodity attacks.
Microsoft Defender Application Control (WDAC)
WDAC operates at the kernel level and cannot be bypassed by a local admin. It is more robust than AppLocker.
Deployment approach:
- Audit mode (2โ4 weeks) โ log all binaries that execute, identify legitimate software inventory
- Policy refinement โ build allow rules for signed Windows components and managed software
- Enforce mode โ block any unsigned or unapproved binary
Baseline block rules (always deny):
- Living-off-the-land binaries:
mshta.exe,wscript.exe,cscript.exe,regsvr32.exe psexec,psexesvc- Dual-use offensive tools: Mimikatz, Cobalt Strike artefacts
AppLocker (Legacy Alternative)
If WDAC cannot be deployed, configure AppLocker:
- Executable rules: Allow from
%PROGRAMFILES%and%WINDIR%only - Script rules: Block scripts in user-writable paths
- DLL rules: Enable with care (performance impact)
4. Attack Surface Reduction (ASR) Rules
ASR rules are Defender for Endpoint behavioural controls targeting specific techniques used by malware.
| Rule Name | Mode | Impact |
|---|---|---|
| Block Office apps from creating child processes | Enforce | High โ stops macro malware chains |
| Block Office VBA from writing executable content | Enforce | High |
| Block credential stealing from LSASS | Enforce | Critical โ stops Mimikatz |
| Block process creation from PSExec and WMI | Audit โ Enforce | May affect legitimate admin tools |
| Block untrusted / unsigned processes from USB | Enforce | Stops BadUSB / autorun |
| Use advanced protection against ransomware | Enforce | Behavioural ransomware detection |
| Block JS and VBS from launching downloaded executables | Enforce | Stops drive-by execution |
# Enable an ASR rule
Set-MpPreference `
-AttackSurfaceReductionRules_Ids "d4f940ab-401b-4efc-aadc-ad5f3c50688a" `
-AttackSurfaceReductionRules_Actions Enabled
5. PowerShell Hardening
PowerShell is the most abused administrative tool in post-exploitation. Comprehensive logging is essential.
Logging Configuration
| Setting | GPO Path |
|---|---|
| Script Block Logging | Administrative Templates โ Windows Components โ Windows PowerShell |
| Module Logging | Same path โ captures pipeline execution |
| Transcription | Same path โ records full session text to a central share |
Constrained Language Mode
Restrict PowerShell capabilities for standard users. Prevents access to .NET types and COM objects commonly used in attacks.
# Applied via WDAC policy or system-wide:
[System.Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')
Disable PowerShell v2
PowerShell v2 bypasses all modern logging. Remove it:
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
6. Windows Defender / MDE
| Control | Setting |
|---|---|
| Real-time protection | Always on โ enforce via Tamper Protection |
| Cloud-delivered protection | Enabled โ MAPS Advanced |
| Automatic sample submission | Enabled |
| Tamper Protection | Enabled โ prevents malware from disabling Defender |
| Network protection | Enabled (block mode) |
| Controlled folder access | Enabled โ ransomware protection |
| PUA protection | Enabled (block) |
Critical: Enable Tamper Protection before deploying other Defender controls.
7. User Account Control (UAC)
| Setting | Recommended Value |
|---|---|
ConsentPromptBehaviorAdmin |
2 โ Prompt for credentials on secure desktop |
ConsentPromptBehaviorUser |
0 โ Deny elevation requests from standard users |
EnableLUA |
1 โ UAC enabled |
PromptOnSecureDesktop |
1 โ Use secure desktop for prompts |
Best practice: Users should operate as standard users day-to-day. Privileged access should be a separate account used only when needed.
8. Windows Firewall
- Ensure Windows Firewall is enabled on all three profiles (Domain, Private, Public)
- Default posture: block all inbound connections, allow established outbound
- Log all dropped packets and ship to SIEM
# Verify all profiles are active
Get-NetFirewallProfile | Select Name, Enabled, DefaultInboundAction
# Block inbound SMB on Public profile
New-NetFirewallRule `
-DisplayName "Block SMB Inbound (Public)" `
-Direction Inbound -Protocol TCP -LocalPort 445 `
-Action Block -Profile Public
9. Audit Policy and Logging
| Category | Setting |
|---|---|
| Account Logon โ Credential Validation | Success + Failure |
| Account Management โ User Account Management | Success + Failure |
| Detailed Tracking โ Process Creation | Success |
| Logon/Logoff โ Logon | Success + Failure |
| Policy Change โ Audit Policy Change | Success + Failure |
| Privilege Use โ Sensitive Privilege Use | Failure |
| System โ Security System Extension | Success |
Enable command-line logging for Process Creation (Event 4688):
Computer Configuration โ Administrative Templates โ
System โ Audit Process Creation โ
Include command line in process creation events: Enabled
Forward all Security event logs to a SIEM with minimum 90-day hot retention.
10. Patch Management
| Vulnerability Severity | Patching Deadline |
|---|---|
| Critical (CVSS 9.0+) | 48โ72 hours |
| High (CVSS 7.0โ8.9) | 14 days |
| Medium (CVSS 4.0โ6.9) | 30 days |
| Low | 90 days |
Hardening Checklist
| Control | Priority | Verify With |
|---|---|---|
| BitLocker AES-256 + TPM+PIN | Critical | manage-bde -status |
| LAPS deployed and rotating | Critical | AD attribute check |
| Credential Guard enabled | High | msinfo32 โ VBS Services Running |
| WDAC policy in enforce mode | High | Event ID 3076 (block events) |
| ASR rules enabled | High | Get-MpPreference |
| PowerShell Script Block Logging | High | Registry / GPO audit |
| Defender Tamper Protection on | High | Windows Security app |
| UAC at credential-prompt level | Medium | Registry: ConsentPromptBehaviorAdmin = 2 |
| Firewall on all profiles | High | Get-NetFirewallProfile |
| Advanced audit policy configured | High | auditpol /get /category:* |
| Critical CVE patched within 72h | Critical | Patch compliance report |
| PowerShell v2 removed | Medium | Get-WindowsOptionalFeature |