Hardening Windows 10: A Personal Project

It’s that time again: I need to blow away my old computer, reconfigure its RAID, and start with a fresh install of Windows. Since I’m coming from Windows 7, I wanted to move to 10 in the “right” way. Given its controversies, the “right” way involves a heavy dose of security.

My goal is to create a reasonably secure version of Windows 10 using the CIA triad as the basis for its configuration. The target audience for this series are fellow power users (read: geeks) like me- gamers, sysadmins, etc. The scope is being kept to Windows 10 Professional. Even though I live and die by Microsoft AppLocker (found only in Windows 10 Enterprise), I want this project to apply to as many users possible.

So, the CIA triad, huh? It stands for Confidentiality, Integrity, and Availability. And computer security is always a balancing act, moving between these three pillars vs. maintaining usability.

My focus is Confidentiality. “Confidentiality prevents the unauthorized disclosure of data” (Gibson, 2014).  As this is a home system I choose to be less concerned with integrity or availability. It’s really for gaming, casual web browsing, and experimenting with tools inside VMs. Plus I plan on being the only user. So I’m not worried about multiple users mistakenly/maliciously changing files (example of Integrity) and I’m not installing a generator or setting up a cold site for a gaming rig (that’d be availability).

The best thing about the CIA triad is that you can choose what to emphasize- where you spend your resources. Again, since this is for personal use I’m focusing on Confidentiality. If this system needed to stand up in the court of law or was part of an enterprise environment then I’d place way more emphasis on integrity and availability than how I handle it here.

There’s several ways one can go about hardening. And there’s some great resources already out there (huge fan of DISA’s STIGS- Windows OS STIGs found here). But my first step is fact-finding. I’m going to install Windows 10 Professional with no Internet connection and see what a default install looks like: its services, its firewall config, etc.

My next post (hopefully next week) will be a report/analysis of said default install. What we find will shape how I approach hardening.

Source(s):

Gibson, D. (2014). CompTIA Security get certified get ahead SYO-401 study guide. North Charleston, SC: CreateSpace.