Microsoft Windows Laptop Security: Harden These 10 Things Now

The Importance of Hardening

The following article discusses configuration settings that can help improve your Microsoft Windows laptop security, protecting and defending your data from malicious actors. Join the discussion below or reach out to Redbot Security for cybersecurity services.

What is Security Hardening?

By definition, hardening is “a process intended to eliminate a means of attack by patching vulnerabilities and turning off nonessential services” (NIST SP 800-12). Realistically, hardening is akin to wearing your seatbelt while driving. You may never be the victim of an accident (in this case, a data breach), but your level of risk, and the potential for severe damage from a compromise by a ‘drive-by’ malicious actor, is high, especially if your mobile infrastructure (laptops, cellphones, touchpads, etc.) is not configured to withstand a technical attack.

Why is it Important?

Malicious actors prey on weak configurations like locusts. Microsoft, despite knowing that its operating systems have inherent weaknesses, has done little to enhance their out-of-the-box security beyond remediating publicly known vulnerabilities. Microsoft alone had 1,212 security vulnerabilities in 2021; 104 of them were rated critical for Remote Code Execution (RCE) or privilege escalation. Most of us only hear about the critical vulnerabilities, such as ETERNALBLUE (MS17-010), a vulnerability that is consistently exploited on regular penetration tests. Microsoft does a ‘decent’ job of enforcing security patching, but other issues remain. Most security engineers and consultants would refer to these as misconfigurations, but they are really the result of Microsoft’s approach to the balancing act between security and usability. Microsoft aims to give administrators and end users the highest usability with as little hindrance as possible, meaning that security takes the back seat. Unfortunately, these weak default security settings allow hackers and other malicious actors to gain a foothold and launch more sophisticated attack techniques that will likely expose sensitive information and yield unauthorized access.

What is laptop hardening?

Laptop hardening is a process that involves taking steps to secure a laptop system against potential threats. The purpose is to reduce the system’s vulnerability to cyberattacks, unauthorized access, and data theft. Hardening a laptop essentially means tightening its security to protect sensitive data and the system’s integrity.

A hardened laptop is a computer that has been specifically configured and prepared to resist attacks and intrusions. It typically involves a combination of hardware and software modifications to make the laptop more secure against cyber threats.

Hardening & Patching

Hardening and patching are two crucial components of maintaining computer and network security. Let’s delve into what each term means:

Hardening: As previously discussed, hardening is the process of securing a system by reducing its surface of vulnerability. This process involves removing unnecessary applications, disabling unnecessary services, configuring settings securely, installing protective software, and sometimes even altering physical aspects of the system. The goal of hardening is to eliminate as many risk factors as possible and protect against potential threats.

Patching: Patching is the process of applying updates (“patches”) to software and firmware. These patches often include fixes for known bugs and vulnerabilities that could otherwise be exploited by hackers. Regular patching is an essential part of system maintenance and security. Software developers routinely release patches as they discover and resolve vulnerabilities in their software.

What is device hardening?

Device hardening is the process of securing a device by reducing its susceptibility to attacks by eliminating as many security risks as possible. This involves modifying the default configuration to close unnecessary points of access and harden security settings. Device hardening applies to any computing device, such as laptops, smartphones, tablets, routers, servers, and even IoT (Internet of Things) devices.

False Sense of Security through VPN

One mistake that Redbot Security sees on a regular basis is network and systems administrators relying on the implementation of VPNs to control access. This is a false sense of security that, if not implemented correctly, can lead to bigger issues. But why? A VPN opens a direct tunnel to hosts and services (typically on enterprise networks) that are otherwise not directly accessible from the internet. Depending on its configuration, the VPN will commonly also redirect all internet-bound network traffic through the tunnel to provide a layer of security and privacy. The VPN software does this by establishing a virtual network interface and adding routing rules. What it does not do is hide the computer from the current Local Area Network (LAN). This means that when the laptop or mobile device connects to an untrusted network, such as a coffee shop or airport Wi-Fi network, it still maintains a presence on that network and is reachable from it. On enterprise networks, network administrators can enable network segmentation and client isolation techniques that keep users from communicating with one another. Outside of corporate-owned networks, however, administrators that allow mobile devices to connect to untrusted networks cannot enforce these policies. Furthermore, for home-based workers, personal networks often share a local network with devices that are truly high-risk, such as the computers and mobile devices of children or unregulated IoT devices.

Common Attacks

Before delving into the top configurable settings to harden Windows-based laptops, let’s take a moment to understand the most common attack techniques used by malicious actors.

Password Guessing

It’s loud, but password guessing is effective and straightforward. Furthermore, it requires little to no skill and can be fully automated by an attacker. Its effectiveness preys upon users setting weak, guessable passwords. Yes, ‘123456’ and ‘Password1’ are the most common, along with ‘Season+Year’. Even with a baseline password policy of eight characters and enforced complexity, ‘Password1’ and ‘Fall2022’ meet the criteria. This is compounded by the fact that local administrator accounts on Microsoft Windows operating systems do not lock out by default. This means that an attacker can send hundreds, if not thousands, of guesses from open-source dictionaries with mutation rules in an incredibly short amount of time.
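As an added example (not code from the article or from Redbot Security), here is a read-only PowerShell check that surfaces the pattern just described on a single laptop: it counts failed logons (Security event ID 4625) per target account over the last hour and flags any account over a guess threshold, marking members of the local Administrators group since those are the accounts that do not lock out by default. It assumes an elevated PowerShell with failed-logon auditing enabled; the threshold of 20 is a constructed value.

```powershell
# Added example, not from the Redbot Security article: read-only detection of the
# password-guessing pattern described above. Counts Security event 4625 (failed logon)
# per target account over the last hour and flags accounts over a guess threshold.
# Assumptions: elevated PowerShell, failed-logon auditing enabled; 20 is a constructed threshold.
$Threshold = 20
$Since     = (Get-Date).AddHours(-1)

# Event 4625 property indexes: 5 = TargetUserName, 10 = LogonType, 19 = IpAddress
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Account   = $_.Properties[5].Value
            LogonType = $_.Properties[10].Value   # 2 = interactive, 3 = network, 10 = remote interactive
            Source    = $_.Properties[19].Value
            Time      = $_.TimeCreated
        }
    }

# Members of the local Administrators group: the accounts that do not lock out by default
$adminNames = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { ($_.Name -split '\\')[-1] }

$failed | Group-Object Account | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
    $times = $_.Group.Time | Sort-Object
    [pscustomobject]@{
        Account    = $_.Name
        Attempts   = $_.Count
        LocalAdmin = ($adminNames -contains $_.Name)
        Sources    = ($_.Group.Source | Sort-Object -Unique) -join ', '
        LogonTypes = ($_.Group.LogonType | Sort-Object -Unique) -join ', '
        First      = $times[0]
        Last       = $times[-1]
    }
} | Format-Table -AutoSize
```

A burst of hundreds of attempts against one account from a single source inside a few minutes is the signature of the automated guessing described above; an empty table means no account crossed the threshold in the window.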

LLMNR

Link-Local Multicast Name Resolution (LLMNR) sounds super fancy, but it’s ultimately one of the worst protocols ever developed in the history of technology. Furthermore, it’s enabled by default and is only truly needed in rare cases, such as when DNS services are unavailable. While it is enabled, an attacker on the same network can monitor for certain protocols, typically associated with authentication against network-based resources, and intercept or manipulate the authentication process to elicit an authentication request. In most cases, the intercepted credential must be cracked offline and cannot be used in the moment for Pass-the-Hash (PtH) techniques, but it’s a start.

SMB Attacks

Direct manipulation of SMB traffic can reveal a lot about a host on the network, such as name, operating system, and even the build or patching version. In some cases, the attacker can leverage things like e-mail or access to other network resources to intercept authentication requests similar to LLMNR-based attacks.

Missing Security Patches

The attack techniques surrounding missing security patches are a large enough subject to be their own topic. To summarize, however, loads of Remote Code Execution (RCE) vulnerabilities have come to light over the last 20 years, each backed by a plethora of resources that are quickly found through internet searches on Google or Bing. Most also have publicly available Proof of Concept (PoC) code or pre-compiled binaries, which is similar to handing a live grenade to the attacker with instructions on how to pull the pin.

Web Application Attacks

Without a VPN redirecting web application traffic, the user may be at risk from web-based attack techniques. These are commonly Cross-Site Scripting (XSS) and Java-derived vulnerabilities that attempt to steal session cookies and authentication credentials, execute malicious code, or hijack browsers.

Phishing

“You won!” and “A relative you didn’t know left you their fortune when they passed.” I’m sure we’ve all seen them… all day long. Despite advanced technology and new products every year to thwart phishing, it works and it’s here to stay. Even elementary and high schools are teaching students how to recognize phishing emails. The problem is that, just like mass marketing, it’s easy for a malicious actor to target as few as one (1) or as many as 10,000 people with ease. Inevitably, despite the poor grammar and lack of spellcheck, someone will eventually click the Link of Doom.

Best security laptop 2023

Here are some of the best security laptops in the USA:

  • Librem 14 by Purism is the most secure laptop available. It comes with the PureOS operating system, which is based on Linux and has been designed with security in mind. The Librem 14 also has a number of security features, such as a hardware kill switch for the microphone and webcam, a TPM chip for storing encryption keys, and a privacy screen.
  • Dell XPS 13 is the best laptop for security professionals. It comes with Windows 11 Pro, which has a number of security features built in. The XPS 13 also has a number of physical security features, such as a fingerprint reader and a Kensington lock slot.
  • Apple MacBook Pro is the best and most high-security laptop for pen testing. It comes with macOS, which is a very secure operating system. The MacBook Pro also has a number of physical security features, such as a Touch ID sensor and a T2 security chip.
  • Lenovo ThinkPad X1 Carbon is a business-class laptop that is known for its durability and security. It comes with Windows 11 Pro and a number of physical security features, such as a fingerprint reader, a TPM chip, and a spill-resistant keyboard.
  • Panasonic Toughbook CF-15 is a rugged laptop that is designed for use in demanding environments. It comes with Windows 11 Pro and a number of physical security features, such as a magnesium alloy case, a MIL-STD 810G rating, and a spill-resistant keyboard.

These are just a few of the many secure laptops available in the USA. When choosing a security laptop, it is important to consider your needs and budget. You should also make sure that the laptop comes with the latest security features and is regularly updated with security patches.

10 Configurations You Need to Apply Now

Now, on to the good stuff. Here are 10 things that any Windows Professional user or administrator can do to enhance the security of their laptop (apologies to Windows Home users; Microsoft doesn’t believe in allowing you configurable access unless you pay for the upgrade).

Note: Non-domain-joined users (folks who own a laptop with Windows Professional) can leverage the built-in Local Group Policy Editor (gpedit.msc), while enterprise administrators should capitalize on Group Policy Objects (GPOs) in Active Directory.

  1. Change the local administrator name: This will hinder password guessing against the administrator account because the malicious actor will have to guess not only the password, but the account name as well.
  • Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Accounts: Administrator account status: Disabled
  • Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Accounts: Rename administrator account: (a new, non-default name)
  2. Disable Guest: Guest access is still access. Hackers may have to work much harder, but privilege escalation starts with initial access. Disabling the guest account is the default in Windows 10 and 11.
  • Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Accounts: Guest account status: Disabled
  • Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Accounts: Rename guest account: (a new, non-default name)
  3. Disable SMB Version 1: SMB is a primary authentication mechanism for Microsoft. Version 1 is unencrypted and should only be used when absolutely necessary and with other security controls in place.
  4. Enable SMB Signing: This setting ensures that SMB communications between two hosts are signed, so they cannot be tampered with in transit.
  • Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Microsoft network client: Digitally sign communications (always): Enabled
  • Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Microsoft network client: Digitally sign communications (if server agrees): Enabled
  • Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Microsoft network client: Send unencrypted password to third-party SMB servers: Disabled
  • Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Microsoft network server: Digitally sign communications (always): Enabled
  • Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Microsoft network server: Digitally sign communications (if client agrees): Enabled
  5. Disable LLMNR: Unless you have a specific business use case, this protocol can be disabled.
  • Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution: Enabled
  6. Disable mDNS: Again, like LLMNR, unless you have a specific use case, it is recommended that this protocol be disabled.
  • Using PowerShell (elevated): Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" -Name EnableMDNS -Value 0 -Type DWord
  • Using the command line (elevated): REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v EnableMDNS /t REG_DWORD /d 0 /f
  • Using Group Policy: deploy the same value (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters, EnableMDNS = 0, REG_DWORD) as a Registry item under Computer Configuration > Preferences > Windows Settings > Registry, or run the REG ADD command above from a startup script under Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown).
  7. Enhance Cryptographic Implementation: Despite social media’s attempts to bring back the 90’s, computers are much faster and more efficient. Get rid of antiquated cryptography. 99.999% of the time, you couldn’t possibly notice the difference between your computer using weak RC4 versus AES-256… but a hacker would.
  • Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Domain member: Require strong (Windows 2000 or later) session key: Enabled
  • Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Configure encryption types allowed for Kerberos: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types
  • Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: LAN Manager authentication level: Send NTLMv2 response only. Refuse LM & NTLM
  8. Strong Password Policy: Longer passwords are inherently stronger. That doesn’t mean the level of complexity has to be obnoxious either. As a matter of fact, the more complex the password requirements, the more likely the user is to fall back on a weak or guessable pattern. There have also been significant changes to the recommended password policy baselines from NIST over the last few years. However, most security professionals will agree that a minimum of eight characters is laughable. (Note: all of the following settings are listed under Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Account Policies, under either Password Policy or Account Lockout Policy.)
  • Enforce password history: 20 passwords remembered
  • Maximum password age: 1 year
  • Minimum password age: 1 day
  • Minimum password length:
    • Users: 12 characters
    • Administrators: 15 characters
    • Service accounts: 20 characters
  • Password must meet complexity requirements: Enabled
  • Relax minimum password length limits: Disabled
  • Store passwords using reversible encryption: Disabled
  • Account lockout duration: 30 minutes
  • Account lockout threshold: 5 invalid logon attempts
  • Allow Administrator account lockout: Enabled
  • Reset account lockout counter after: 30 minutes
  9. Role separation: Do not use an account that has privileged access (specifically, administrator) for everyday activities such as surfing the web and checking email. Instead, create two accounts: one for administrative functions, such as installing software, and a second for normal everyday tasks as a standard user.
  • This group of settings is different for every organization.

Note: User Rights Assignment is located in Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Please exercise extreme caution with these policies; misconfiguration can and likely will cause a computer to crash. For that reason, Redbot Security will not be covering this section in detail. Understanding the concept of privilege and role separation is the key takeaway.

  • Standalone installations of Microsoft Windows can use the User Accounts management console instead of Group Policy.

Helpful Hint: If the laptop has biometric authentication, such as a fingerprint reader, enroll your index finger for one account and your middle finger for the other.

  10. Full Disk Encryption and Backups: Laptops go missing regularly. Keep your data secure and do not neglect backups. It doesn’t matter if it’s classified sensitive information or pictures of your family: when your data is in someone else’s hands, lost, or exposed to the world, it’s a nightmare.
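As an added example (not code from the article or from Redbot Security), here is a read-only PowerShell audit that checks whether items 3 through 7 and 10 above are actually in effect on a laptop, reading the SMB configuration, the registry values those Group Policy settings write, and the BitLocker status. It assumes an elevated PowerShell 5.1 or later on Windows 10/11 Pro; the registry paths are the standard locations for these policies, and the script changes nothing.

```powershell
# Added audit script, not from the Redbot Security article: read-only checks for the
# settings in items 3 through 7 and 10 above. Run from an elevated PowerShell on the
# laptop; it reports PASS/FAIL per setting and changes nothing.
$checks = [System.Collections.Generic.List[object]]::new()

function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $result = if ($Pass) { 'PASS' } else { 'FAIL' }
    $checks.Add([pscustomobject]@{ Setting = $Name; Result = $result; Detail = $Detail })
}

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (i.e. the policy was never set)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Item 3: SMBv1 must be off in the server stack and not installed as an optional feature
$smbServer = Get-SmbServerConfiguration
Add-Check 'SMBv1 disabled (server)' (-not $smbServer.EnableSMB1Protocol) "EnableSMB1Protocol=$($smbServer.EnableSMB1Protocol)"
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Add-Check 'SMBv1 feature not installed' ($smb1Feature.State -ne 'Enabled') "State=$($smb1Feature.State)"

# Item 4: SMB signing required on both the server and client side
$smbClient = Get-SmbClientConfiguration
Add-Check 'SMB signing required (server)' $smbServer.RequireSecuritySignature "RequireSecuritySignature=$($smbServer.RequireSecuritySignature)"
Add-Check 'SMB signing required (client)' $smbClient.RequireSecuritySignature "RequireSecuritySignature=$($smbClient.RequireSecuritySignature)"

# Item 5: "Turn off multicast name resolution" writes EnableMulticast=0 under the DNSClient policy key
$llmnr = Get-RegDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
Add-Check 'LLMNR disabled' ($llmnr -eq 0) "EnableMulticast=$llmnr (blank = policy not set, LLMNR on by default)"

# Item 6: the EnableMDNS value shown in the article
$mdns = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters' 'EnableMDNS'
Add-Check 'mDNS disabled' ($mdns -eq 0) "EnableMDNS=$mdns (blank = not set, mDNS on by default)"

# Item 7: LmCompatibilityLevel 5 = "Send NTLMv2 response only. Refuse LM & NTLM";
# Kerberos SupportedEncryptionTypes low bits 0x1/0x2 = DES, 0x4 = RC4, which must all be clear
$lm = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
Add-Check 'NTLMv2 only, refuse LM and NTLM' ($lm -eq 5) "LmCompatibilityLevel=$lm"
$kerb = Get-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' 'SupportedEncryptionTypes'
Add-Check 'Kerberos: DES and RC4 not allowed' (($null -ne $kerb) -and (($kerb -band 0x7) -eq 0)) "SupportedEncryptionTypes=$kerb (blank = default, RC4 still allowed)"

# Item 10: BitLocker protection on the operating system volume
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
Add-Check 'OS drive encrypted' ($osVol.ProtectionStatus -eq 'On') "ProtectionStatus=$($osVol.ProtectionStatus), Method=$($osVol.EncryptionMethod)"

$checks | Format-Table -AutoSize
```

Any FAIL row maps directly back to the numbered item named in its comment, so the table doubles as a checklist of which of the settings above still need to be applied.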
