Windows 11 Hardening Guideline


In order to maintain a strong cybersecurity posture and ensure the privacy of our organization’s data, we have developed a hardening guideline for Windows 11. These guidelines must be followed when deploying Windows 11.

  1. Update and patch management:
    • Ensure all Windows updates are installed promptly. This includes security patches and feature updates.
    • Enable automatic updates to maintain the latest version and protect against known vulnerabilities.
  2. User access control:
    • Implement least privilege access. Users should only have access to the resources necessary for their job function.
    • Use strong, unique passwords for all user accounts and enable multi-factor authentication (MFA) where possible.
    • Remove or disable any unnecessary user accounts, especially those with administrative privileges.
  3. Endpoint protection:
    • Install and configure an approved antivirus/endpoint protection solution.
    • Enable real-time scanning and regular system scans to detect and remove malware.
    • Enable the built-in Windows Firewall and configure it to block unauthorized inbound and outbound connections.
  4. Encryption and data protection:
    • Enable BitLocker or another approved encryption solution to encrypt all company-owned devices.
    • Encrypt all sensitive data stored on local drives and network shares.
    • Set up Data Loss Prevention (DLP) tools to monitor and protect sensitive data from unauthorized access and exfiltration.
  5. Network security:
    • Connect company-owned devices to secure, authenticated networks only.
    • Use a virtual private network (VPN) when connecting to the company network from remote locations.
    • Disable unnecessary network protocols, such as SMBv1, to reduce potential attack vectors.
  6. Application security:
    • Limit the installation and use of third-party software to approved applications.
    • Keep all installed applications up to date and patched.
    • Disable macros and other potentially harmful features in Microsoft Office applications.
  7. Privacy settings:
    • Adjust Windows 11 privacy settings to minimize data collection by Microsoft.
    • Disable Cortana and other built-in services that may collect personal data, if not needed for business purposes.
    • Use a privacy-focused web browser and search engine, and install ad-blockers and privacy extensions.
  8. System hardening:
    • Enable Secure Boot to ensure that only trusted, signed software is executed during startup.
    • Disable unnecessary services, ports, and features to reduce the attack surface.
    • Configure the Windows Event Log to monitor and record security-related events for auditing and incident response purposes.
  9. Employee training and awareness:
    • Train all employees on cybersecurity best practices, including recognizing and reporting phishing attempts, practicing safe browsing habits, and protecting sensitive data.
    • Encourage employees to report any suspected security incidents to the Information Security Team immediately.
  10. Regular security assessments and audits:
    • Conduct regular vulnerability assessments and penetration tests to identify and remediate security weaknesses.
    • Review and update these guidelines as needed to ensure continued effectiveness and alignment with industry best practices.
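The following compliance check covers the technical controls from sections 1, 2, 3, 4, 5 and 8 above. It is an added example, not part of the original guideline, written as a PowerShell script for an elevated prompt on Windows 11. The cmdlets are the standard Windows modules (NetSecurity, SmbShare, DISM, BitLocker, Defender, LocalAccounts); the check names, the local-administrator ceiling and the Security log size floor are this script's own assumptions. With -Remediate it applies only the reversible settings from sections 3 and 5 (firewall enabled with inbound blocked, SMBv1 off); everything else is report-only.

```powershell
<#
  Windows 11 hardening compliance check (added example, not the guideline's own
  tooling). Run from an elevated PowerShell prompt. Exit code 1 if any check fails.
#>
[CmdletBinding()]
param(
    [switch]$Remediate   # apply the reversible fixes (firewall, SMBv1); otherwise report only
)

$results = [System.Collections.Generic.List[object]]::new()

function Add-Check {
    param([string]$Section, [string]$Check, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{
        Section = $Section
        Check   = $Check
        Status  = if ($Pass) { 'PASS' } else { 'FAIL' }
        Detail  = $Detail
    })
}

# 1. Update management: the Windows Update service must not be disabled.
$wu = Get-Service -Name wuauserv
Add-Check 'Updates' 'Windows Update service' ($wu.StartType -ne 'Disabled') `
    "StartType=$($wu.StartType), Status=$($wu.Status)"

# 2. User access control: flag an oversized local Administrators group.
$maxLocalAdmins = 2   # assumption: built-in Administrator plus one break-glass account
$admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
Add-Check 'Access' 'Local Administrators group' ($admins.Count -le $maxLocalAdmins) ($admins -join ', ')

# 3. Endpoint protection: Defender real-time scanning and the firewall on every profile.
$mp = Get-MpComputerStatus
Add-Check 'Endpoint' 'Defender real-time protection' $mp.RealTimeProtectionEnabled `
    "Signatures updated $($mp.AntivirusSignatureLastUpdated)"

foreach ($p in Get-NetFirewallProfile) {
    $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -eq 'Block')
    if (-not $ok -and $Remediate) {
        Set-NetFirewallProfile -Name $p.Name -Enabled True -DefaultInboundAction Block
        $ok = $true
    }
    Add-Check 'Endpoint' "Firewall profile $($p.Name)" $ok `
        "Enabled=$($p.Enabled), Inbound=$($p.DefaultInboundAction)"
}

# 4. Encryption: BitLocker protection must be on for the OS volume.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
Add-Check 'Encryption' 'BitLocker on OS volume' ($bl.ProtectionStatus -eq 'On') `
    "Volume=$($bl.VolumeStatus), Encrypted=$($bl.EncryptionPercentage)%"

# 5. Network: SMBv1 must be off in the SMB server config and removed as an optional feature.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
if ($smb1 -and $Remediate) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    $smb1 = $false
}
Add-Check 'Network' 'SMBv1 disabled' (-not $smb1) "EnableSMB1Protocol=$smb1"

# 8. System hardening: Secure Boot, and a Security event log large enough to retain evidence.
try { $sb = Confirm-SecureBootUEFI } catch { $sb = $false }   # throws on legacy BIOS firmware
Add-Check 'System' 'Secure Boot enabled' $sb "Confirm-SecureBootUEFI=$sb"

$secLog = Get-WinEvent -ListLog Security
$minLogBytes = 256MB   # assumption: size floor chosen for this script, not a figure from the guideline
Add-Check 'System' 'Security log retained' `
    ($secLog.IsEnabled -and $secLog.MaximumSizeInBytes -ge $minLogBytes) `
    "Max=$([int]($secLog.MaximumSizeInBytes / 1MB))MB, Mode=$($secLog.LogMode)"

$results | Format-Table -AutoSize
if ($results.Status -contains 'FAIL') { exit 1 } else { exit 0 }
```

Run it as `.\Check-Win11Hardening.ps1` for a report, or with `-Remediate` to also enable the firewall and turn off SMBv1; the non-zero exit code lets a deployment pipeline or endpoint management tool treat a failing device as non-compliant. BitLocker, Secure Boot and group membership are deliberately left report-only, since changing them has recovery-key and access implications that belong in a controlled rollout rather than a check script.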

By following these guidelines, we can greatly reduce the likelihood of a successful cyber attack and protect our organization’s sensitive data. If you have any questions or concerns, please contact the Information Security Team.
