Introduction
Workstations are often targeted by malicious actors using malicious websites, emails or removable media in an attempt to extract sensitive information. Hardening workstations is an important part of reducing this risk.
This publication provides recommendations on hardening workstations using Enterprise and Education editions of Microsoft Windows 10 and Windows 11. Before implementing recommendations in this publication, thorough testing should be undertaken to ensure the potential for unintended negative impacts on business processes is reduced as much as possible.
While this publication refers to workstations, most recommendations are equally applicable to servers (with the exception of Domain Controllers) using Microsoft Windows Server.
Security features discussed in this publication, along with the names and locations of Group Policy settings, are taken from Microsoft Windows 10 version 22H2 and Windows 11 version 23H2 – some differences will exist for earlier versions.
For cloud-based device managers, such as Microsoft Endpoint Manager, equivalents can be found for many of the Group Policy settings. Alternatively, there is often a function to import Group Policy settings into cloud-based device managers.
High priorities
The following recommendations, listed in alphabetical order, should be treated as high priorities when hardening Microsoft Windows 10 and Windows 11 workstations.
Application hardening
When applications are installed they are often not pre-configured in a secure state. By default, many applications enable functionality that isn’t required by any users while in-built security functionality may be disabled or set at a lower security level. For example, Microsoft Office by default allows untrusted macros in Office documents to automatically execute without user interaction. To reduce this risk, applications should have any in-built security functionality enabled and appropriately configured along with unrequired functionality disabled. This is especially important for key applications such as office productivity suites (e.g. Microsoft Office), PDF readers (e.g. Adobe Reader), web browsers (e.g. Microsoft Internet Explorer, Mozilla Firefox or Google Chrome), common web browser plugins (e.g. Adobe Flash), email clients (Microsoft Outlook) and software platforms (e.g. Oracle Java Platform and Microsoft .NET Framework). In addition, vendors may provide guidance on configuring their products securely. For example, Microsoft provides security baselines for their products on the Microsoft Security Baselines Blog. In such cases, vendor guidance should be followed to assist in securely configuring their products.
The Australian Signals Directorate also provides guidance for hardening Microsoft Office. For more information see the Hardening Microsoft 365, Office 2021, Office 2019 and Office 2016 publication.
Application versions and patches
While some vendors may release new application versions to address vulnerabilities, others may release patches. If new application versions and patches for applications are not installed it can allow malicious actors to easily compromise workstations. This is especially important for key applications that interact with content from untrusted sources such as office productivity suites (e.g. Microsoft Office), PDF readers (e.g. Adobe Reader), web browsers (e.g. Microsoft Internet Explorer, Mozilla Firefox or Google Chrome), common web browser plugins (e.g. Adobe Flash), email clients (Microsoft Outlook) and software platforms (e.g. Oracle Java Platform and Microsoft .NET Framework). To reduce this risk, new application versions and patches for applications should be applied in an appropriate timeframe as determined by the severity of vulnerabilities they address and any mitigating measures already in place. In cases where a previous version of an application continues to receive support in the form of patches, it still should be upgraded to the latest version to receive the benefit of any new security functionality.
For more information on determining the severity of vulnerabilities and timeframes for applying new application versions and patches for applications see the Patching Applications and Operating Systems publication.
Application control
Malicious actors can email malicious code, or host malicious code on a compromised website, and use social engineering techniques to convince users into executing it. Such malicious code often aims to exploit vulnerabilities in existing applications and does not need to be installed to be successful. Application control can be an extremely effective mechanism in not only preventing malicious code from executing, but also ensuring only approved applications can be installed.
When developing application control rules, starting from scratch is a more secure method than relying on a list of executable content currently residing on a workstation. Furthermore, it is preferable that organisations define their own application control ruleset rather than relying on rulesets from application control vendors. This application control ruleset should then be regularly assessed to determine if it remains fit for purpose.
