Create a Standard User
Most folks running Windows right now are logged in as an admin. This is a problem since admins can do anything they want to the system: install and remove programs, change the registry, edit firewall settings, and turn off security features. So, by extension, an attacker who gets access to an admin account can do whatever they want. This is what is known in the industry as “a bad thing”.
Benefits of a Standard Account
Using a standard account instead of an admin account offers several benefits:
Reduced Attack Surface
Admin accounts have the highest possible privileges, meaning any malware or malicious software that gains access to your system through your account also has those privileges. A standard account massively limits the damage that malware can do by restricting its access.
User Account Control (UAC)
Windows will prompt you for permission before making system changes when using an admin account. This is known as User Account Control (UAC). However, if you’re already using a standard account, UAC prompts become much more meaningful, as they indicate potentially risky actions. The UAC pop-up also requires that you enter your admin password, forcing you to actually do something in order for the process to continue.
Separation of Privileges
The principle of least privilege states that users should only have the minimum level of access necessary to do what they need to do. Unless you’re frequently installing and uninstalling apps, you don’t need admin privileges for your day-to-day tasks.
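As an added example (not part of the original article), the following PowerShell script creates a standard account, confirms it is not a member of the local Administrators group, lists who still holds admin rights, and reads the UAC registry values so you can verify that elevation really prompts. It uses the built-in `Microsoft.PowerShell.LocalAccounts` cmdlets and must be run from an elevated prompt; the account name `daily` is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's own code. Creates a standard (non-admin) user
# and checks the two things the text relies on: the account is NOT in Administrators,
# and UAC is enabled so that elevation prompts for credentials.

$UserName = 'daily'   # assumed name for the new standard account

# 1. Create the account. Prompt for the password so it never sits in the script.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    $Password = Read-Host -Prompt "Password for $UserName" -AsSecureString
    New-LocalUser -Name $UserName -Password $Password `
        -FullName 'Daily use' -Description 'Standard (non-admin) account' | Out-Null
}

# 2. Membership of 'Users' only. If someone added it to Administrators, take it out.
Add-LocalGroupMember -Group 'Users' -Member $UserName -ErrorAction SilentlyContinue
if (Get-LocalGroupMember -Group 'Administrators' -Member $UserName -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $UserName
}

# 3. Least-privilege check: who still has admin rights on this machine?
Write-Host 'Members of Administrators:'
Get-LocalGroupMember -Group 'Administrators' | Format-Table Name, PrincipalSource

# 4. Confirm UAC is on. These are the documented policy values under HKLM.
$uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
[pscustomobject]@{
    EnableLUA                 = $uac.EnableLUA                 # 1 = UAC enabled
    ConsentPromptBehaviorUser = $uac.ConsentPromptBehaviorUser # 3 = prompt standard users for credentials (default), 0 = auto-deny
    PromptOnSecureDesktop     = $uac.PromptOnSecureDesktop     # 1 = dim the desktop so the prompt cannot be spoofed or clicked by other software
} | Format-List
if ($uac.EnableLUA -ne 1) {
    Write-Warning 'UAC is disabled: the standard/admin separation described above is much weaker.'
}
```

After running it, sign in as the new standard account for day-to-day work and keep the admin account only for the UAC credential prompt.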
Hardentools
Hardentools is a tool designed to improve security on Windows 10 and 11 (although you really shouldn’t be using W10 anymore). Essentially, it disables certain features that are often exploited by attackers to execute malicious code. Disabling these features reduces the attack surface of your machine.
It’s important to note, though, that Hardentools is not antivirus software. It does not block, identify, or remove any malware. It also does not prevent all risky features from being abused, nor does it prevent the changes it implements from being reverted. Hardentools cannot stop malicious code intended to restore admin privileges.
Install and Harden
The easiest way to use Hardentools is to use the GUI:
- Head to GitHub and download the latest hardentools.exe file.
- Save the file somewhere handy. Sometimes you’ll need to undo the changes that Hardentools makes, so having a shortcut to the application is useful.
- Open the .exe file with Admin privileges.
- Click Harden!.
- The app will take a few minutes to disable things and then check that they’re actually disabled.
- Done!
Un-harden
If you run into a situation where you need to revert the actions performed by Hardentools, you can undo everything by using the app.
- Open the hardentools.exe app.
- Confirm that you want to run this app as an Admin.
- Click Restore and follow the on-screen prompts.
- Perform whatever action you need, and then re-harden your system by following the Install and Harden steps again.
- Done!