10 NIST Secrets to Lock Down Windows PC

Introduction
Why Security Benchmarks Matter
What is NIST and Its Standards?
Steps to Lock Down Your Windows PC

Operating System Settings
Account Lockout and Password Policies
User Rights Assignments
Security Options Settings
Audit Policy Settings
Administrative Templates - System Settings
Administrative Templates - Network Settings
Administrative Templates - Windows Components
Administrative Templates - Other Settings

Conclusion

Introduction

In today's digital age, cyber threats are becoming increasingly sophisticated, targeting vulnerabilities that many users are unaware of. While firewalls and antivirus software are essential, they are no longer sufficient to protect against all types of attacks. Locking down your Windows computer according to the National Institute of Standards and Technology (NIST) guidelines is a proactive way to enhance your system's security. In this comprehensive guide, we unveil 10 NIST secrets to help you secure your Windows PC effectively.

Why Security Benchmarks Matter

Security benchmarks provide a standardized set of configurations that minimize vulnerabilities and reduce the attack surface of your system. Many current threats bypass traditional security measures like firewalls and antivirus programs. By adhering to security benchmarks, you proactively harden your system against potential exploits. This approach is crucial for preventing unauthorized access, data breaches, and other cyber threats.

What is NIST and Its Standards?

The National Institute of Standards and Technology (NIST) is a U.S. federal agency that develops technology, metrics, and standards to drive innovation and economic competitiveness. NIST provides comprehensive guidelines for securing information systems, including detailed configurations for operating systems like Windows 10. Following NIST standards ensures that your computer adheres to federal security requirements and best practices.

Steps to Lock Down Your Windows PC

Below are detailed steps to lock down your Windows computer according to NIST standards. These steps cover various settings, including operating system configurations, password policies, user rights assignments, and more. Implementing these changes will significantly enhance your system's security posture.

1. Operating System Settings

Configuring your operating system correctly is the first step toward a secure computer. Here are the key settings you need to adjust:

Use Windows 10 Enterprise Edition 64-bit: Ensure your system runs the 64-bit version of Windows 10 Enterprise for advanced security features.
Enable BitLocker Encryption: Use BitLocker to encrypt all disks, protecting the confidentiality and integrity of your data at rest.
Maintain Supported Servicing Level: Keep your system updated with the latest patches and updates to mitigate vulnerabilities.
Format Local Volumes with NTFS: Use the NTFS file system for better security features compared to FAT32 or exFAT.
Configure Password Expiration: Set accounts to require password changes regularly to reduce the risk of compromised credentials.
Uninstall Unnecessary Services: Remove services like Internet Information Services (IIS), Simple Network Management Protocol (SNMP), Simple TCP/IP Services, Telnet Client, TFTP Client, and Windows PowerShell 2.0 to reduce potential attack vectors.
Disable SMB v1 Protocol: Disable the outdated SMB v1 protocol on both the client and server sides to prevent exploitation.
Disable Secondary Logon Service: Turn off the Secondary Logon service to prevent unauthorized privilege escalation.
Configure Data Execution Prevention (DEP): Set DEP to at least OptOut to protect against memory-based attacks.

2. Account Lockout and Password Policies

Strong password policies and account lockout settings are essential to prevent unauthorized access:

Set Account Lockout Duration: Configure the account lockout duration to at least 15 minutes after multiple failed login attempts.
Limit Bad Logon Attempts: Set the threshold for allowed bad logon attempts to 3 or fewer.
Reset Lockout Counter: Configure the lockout counter to reset after 15 minutes.
Enforce Password History: Remember at least the last 24 passwords to prevent password reuse.
Set Maximum Password Age: Require passwords to be changed every 60 days or less.
Define Minimum Password Age: Set a minimum password age of at least 1 day to prevent rapid password changes.
Enforce Password Length: Require passwords to be at least 14 characters long.
Enable Password Complexity: Use the built-in Microsoft password complexity filter to enforce strong passwords.
Disable Reversible Password Encryption: Ensure that passwords are not stored with reversible encryption.

3. User Rights Assignments

Properly assigning user rights minimizes the risk of privilege abuse:

Restrict Sensitive Rights: Do not assign rights like "Act as part of the operating system," "Create a token object," or "Debug programs" to any groups or accounts except Administrators.
Define Access Permissions: Assign "Access this computer from the network" only to Administrators and Remote Desktop Users.
Limit Logon Locally Rights: Assign "Allow log on locally" only to Administrators and Users groups.
Configure Deny Rights: Use "Deny access" rights to prevent access from unauthorized or highly privileged domain accounts.
Manage System Privileges: Assign system privileges like "Back up files and directories," "Load and unload device drivers," and "Restore files and directories" only to the Administrators group.
Restrict Delegation Rights: Do not assign "Enable computer and user accounts to be trusted for delegation" to any groups or accounts.
Control Impersonation: Assign "Impersonate a client after authentication" only to Administrators, Service, Local Service, and Network Service.

4. Security Options Settings

Adjust security options to enforce stricter security policies:

Disable Built-in Accounts: Disable the built-in Administrator and Guest accounts, and rename them to prevent brute-force attacks.
Restrict Blank Passwords: Prevent local accounts with blank passwords from accessing the system over the network.
Enable Audit Policy: Use subcategories for audit policies to gain detailed logging capabilities.
Secure Channel Traffic: Configure the system to encrypt and sign outgoing secure channel traffic whenever possible.
Enforce Machine Account Passwords: Do not prevent the computer account password from being reset and set the maximum age for machine account passwords to 30 days or less.
Configure Session Key Strength: Require a strong session key to enhance security during authentication processes.
Set Machine Inactivity Limit: Configure the system to lock after 15 minutes of inactivity using a screensaver.
Limit Cached Logons: Limit the caching of logon credentials to reduce the risk if the system is compromised.
Enforce Smart Card Removal Behavior: Configure the system to force logoff or lock the workstation when a smart card is removed.
Configure SMB Settings: Require SMB packet signing and disable unencrypted passwords to third-party SMB servers.
Restrict Anonymous Access: Prevent anonymous enumeration of SAM accounts and shares, and restrict anonymous access to named pipes and shares.
Enforce NTLM Restrictions: Prevent NTLM from falling back to a Null session and set the LanMan authentication level appropriately.
Disable Unnecessary Authentication Protocols: Disable PKU2U authentication using online identities and prevent the storage of LAN Manager hashes.
Enable FIPS-compliant Algorithms: Configure the system to use FIPS-compliant algorithms for encryption, hashing, and signing.
Configure User Account Control (UAC): Enable UAC and configure it to prompt for consent on the secure desktop, automatically deny elevation requests for standard users, and only elevate UIAccess applications installed in secure locations.

5. Audit Policy Settings

Implementing comprehensive audit policies helps in monitoring and detecting suspicious activities:

Configure Account Logon Auditing: Audit both successes and failures for credential validation and account lockout events.
Audit Account Management Events: Monitor user account and security group management activities.
Enable Detailed Tracking: Audit process creation events to track application executions.
Monitor Logon/Logoff Events: Audit logon successes and failures, logoffs, and special logons.
Audit Object Access: Monitor file share access and other object access events for both successes and failures.
Track Policy Changes: Audit policy change events, including audit policy, authentication policy, and authorization policy changes.
Audit Privilege Use: Monitor sensitive privilege use to detect potential privilege escalation attempts.
Audit System Events: Configure auditing for system integrity, security state changes, and other system events.
Protect Event Logs: Set appropriate permissions for the Application, Security, and System event logs to prevent unauthorized access.

6. Administrative Templates - System Settings

Adjust system settings through administrative templates to enhance security:

Include Command Line Data in Events: Enable logging of command line data in process creation events for better forensic analysis.
Configure Early Launch Anti-Malware: Set the boot-start driver initialization policy to prevent boot drivers that could be malicious.
Force Group Policy Reprocessing: Ensure Group Policy objects are reprocessed even if they haven't changed to maintain consistent policy application.
Disable Unnecessary Features: Prevent downloading of print driver packages over HTTP, and disable web publishing and online ordering wizards.
Disable Printing Over HTTP: Turn off the ability to print over HTTP to reduce network exposure.
Enable Device Authentication: Attempt device authentication using certificates whenever possible.
Hide Network Selection UI: Do not display the network selection UI on the logon screen to prevent unauthorized network connections.
Prevent User Enumeration: Do not enumerate local users on domain-joined computers to reduce information disclosure.
Require Password on Wakeup: Prompt users for a password when resuming from sleep or hibernation.
Disable Remote Assistance: Do not allow Solicited Remote Assistance to prevent unauthorized remote access.
Enable Kernel DMA Protection: Protect against Direct Memory Access (DMA) attacks by enabling Kernel DMA Protection.
Disable Convenience PIN: Turn off the convenience PIN sign-in to enforce stronger authentication methods.

7. Administrative Templates - Network Settings

Secure network settings to prevent unauthorized access and data leakage:

Disable Internet Connection Sharing: Prevent users from enabling Internet Connection Sharing to reduce network risks.
Define Hardened UNC Paths: Require mutual authentication and integrity for UNC paths, especially for \\*\SYSVOL and \\*\NETLOGON shares.
Limit Simultaneous Connections: Restrict simultaneous connections to the Internet or a Windows domain to prevent network conflicts.
Block Non-Domain Networks: Prevent connections to non-domain networks when connected to a domain-authenticated network.
Disable Wi-Fi Sense: Turn off Wi-Fi Sense to prevent automatic sharing of Wi-Fi networks.
Disable Insecure Logons: Prevent insecure logons to an SMB server to enhance network security.

8. Administrative Templates - Windows Components

Configure Windows components to reduce vulnerabilities:

Prevent Data Collection: Disable the Application Compatibility Program Inventory and limit diagnostic data to the minimum required.
Turn Off Autoplay: Disable Autoplay for all drives to prevent automatic execution of malicious code.
Enhance Anti-Spoofing: Enable enhanced anti-spoofing for facial recognition if applicable.
Disable Consumer Experiences: Turn off Microsoft consumer experiences to reduce unwanted applications.
Restrict Administrator Enumeration: Do not enumerate administrator accounts during elevation to prevent privilege escalation attempts.
Configure Windows Update: Prevent Windows Update from obtaining updates from other PCs on the Internet.
Enable SmartScreen Filters: Activate Windows Defender SmartScreen for Explorer and Microsoft Edge to block malicious content.
Configure Edge Browser Settings: Disable password manager and prevent certificate error overrides in Microsoft Edge.
Disable Game Recording: Turn off Windows Game Recording and Broadcasting to reduce unnecessary background processes.
Set Minimum PIN Length: Require a minimum PIN length of six characters or more if using PIN authentication.
Secure Remote Desktop: Prevent saving passwords in the Remote Desktop Client, disallow local drive sharing, and require secure RPC communications.
Manage Event Log Sizes: Configure the Application, Security, and System event logs to have sufficient size (e.g., 32768 KB or greater) to prevent loss of audit data.
Enable PowerShell Logging: Enable PowerShell script block logging and transcription for enhanced monitoring.
Configure WinRM Security: Ensure the Windows Remote Management (WinRM) client and service do not use Basic authentication or allow unencrypted traffic.

9. Administrative Templates - Other Settings

Implement additional security settings to further protect your system:

Disable Lock Screen Slide Shows: Prevent slide shows on the lock screen to avoid unnecessary resource usage.
Configure IPv6 Source Routing: Set IPv6 source routing to the highest protection level.
Prevent IP Source Routing: Disable IP source routing to protect against routing-based attacks.
Ignore ICMP Redirects: Prevent ICMP redirects from overriding Open Shortest Path First (OSPF) generated routes.
Block NetBIOS Name Release Requests: Configure the system to ignore NetBIOS name release requests except from WINS servers.
Filter Privileged Tokens: Ensure local administrator accounts have their privileged tokens filtered to prevent elevated privileges over the network.
Disable WDigest Authentication: Turn off WDigest Authentication to prevent storing plain-text passwords in memory.
Remove Run as Different User: Eliminate the "Run as different user" option from context menus to reduce privilege escalation risks.
Prompt for Password on Wakeup: Require users to enter a password when resuming from sleep, both on battery and when plugged in.
Restrict Unauthenticated RPC Clients: Limit unauthenticated RPC clients from connecting to the RPC server.
Enforce Microsoft Accounts for Apps: Enable settings that make Microsoft accounts optional for modern style apps.
Enable SEHOP: Turn on Structured Exception Handling Overwrite Protection (SEHOP) to guard against certain types of exploits.

Conclusion

Securing your Windows PC is an ongoing process that requires attention to detail and adherence to best practices. By following the NIST guidelines outlined in this guide, you significantly reduce your system's vulnerability to cyber threats. Implement these settings carefully, and consider using tools like the local group policy editor or registry editor to apply the configurations. Always back up your system before making significant changes, and test the configurations in a controlled environment if possible.

Remember, a proactive approach to security is the best defense against the ever-evolving landscape of cyber threats. Stay informed, stay vigilant, and keep your systems up to date to ensure maximum protection.

Previous Blog Posts:

myTech.Today

My Tech On Wheels

kyle@mytech.today

(847) 767-4914

Schedule an appointment today!

Free 15-minute phone call evaluation

Mate: Become the Man Women Want

by Tucker Max & Geoffrey Miller PhD

The number-one best-selling pioneer of "fratire" and a leading evolutionary psychologist team up to create the dating book for guys. Whether they conducted their research in life or in the lab, experts Tucker Max and Dr. Geoffrey Miller have spent the last 20-plus years learning what women really want from their men, why they want it, and how men can deliver those qualities. The short answer: Become the best version of yourself possible, then show it off. It sounds simple, but it's not. If it were, Tinder would just be the stuff you use to start a fire. Becoming your best self requires honesty, self-awareness, hard work, and a little help. Through their website and podcasts, Max and Miller have already helped over one million guys take their first steps toward Miss Right. They have collected all of their findings in Mate, an evidence-driven, seriously funny playbook that will teach you to become a more sexually attractive and romantically successful man, the right way: No "seduction techniques" No moralizing No bullshit Just honest, straightforward talk about the most ethical, effective way to pursue the win-win relationships you want with the women who are best for you. Much of what they've discovered will surprise you, some of it will not, but all of it is important and often misunderstood. So listen up, and stop being stupid!

Business Model You: A One-Page Method For Reinventing Your Career

by Timothy Clark, Don Hagen & Alexander Osterwalder

A one-page tool to reinvent yourself and your career. The global best seller Business Model Generation introduced a unique visual way to summarize and creatively brainstorm any business or product idea on a single sheet of paper. Business Model You uses the same powerful one-page tool to teach listeners how to draw "personal business models," which reveal new ways their skills can be adapted to the changing needs of the marketplace to reveal new, more satisfying, career and life possibilities. Produced by the same team that created Business Model Generation, this audiobook is based on the Business Model Canvas methodology, which has quickly emerged as the world's leading business model description and innovation technique. This book shows listeners how to: - Understand business model thinking and diagram their current personal business model - Understand the value of their skills in the marketplace and define their purpose - Articulate a vision for change - Create a new personal business model harmonized with that vision - And most important, test and implement the new model When you implement the one-page tool from Business Model You, you create a game-changing business model for your life and career.

Crossing the Chasm, 3rd Edition: Marketing and Selling Disruptive Products to Mainstream Customers

by Geoffrey A. Moore

The bible for bringing cutting-edge products to larger markets—now revised and updated with new insights into the realities of high-tech marketing In Crossing the Chasm, Geoffrey A. Moore shows that in the Technology Adoption Life Cycle—which begins with innovators and moves to early adopters, early majority, late majority, and laggards—there is a vast chasm between the early adopters and the early majority. While early adopters are willing to sacrifice for the advantage of being first, the early majority waits until they know that the technology actually offers improvements in productivity. The challenge for innovators and marketers is to narrow this chasm and ultimately accelerate adoption across every segment. This third edition brings Moore's classic work up to date with dozens of new examples of successes and failures, new strategies for marketing in the digital world, and Moore's most current insights and findings. He also includes two new appendices, the first connecting the ideas in Crossing the Chasm to work subsequently published in his Inside the Tornado, and the second presenting his recent groundbreaking work for technology adoption models for high-tech consumer markets.

The Seventh Sense: Power, Fortune, and Survival in the Age of Networks

by Joshua Cooper Ramo

Endless terror. Refugee waves. An unfixable global economy. Surprising election results. New billion-dollar fortunes. Miracle medical advances. What if they were all connected? What if you could understand why? The Seventh Sense is the story of what all of today's successful figures see and feel: the forces that are invisible to most of us but explain everything from explosive technological change to uneasy political ripples. The secret to power now is understanding our new age of networks. Not merely the Internet, but also webs of trade, finance, and even DNA. Based on his years of advising generals, CEOs, and politicians, Ramo takes us into the opaque heart of our world's rapidly connected systems and teaches us what the losers are not yet seeing -- and what the victors of this age already know.

Wonderland: How Play Made the Modern World

by Steven Johnson

This lushly illustrated history of popular entertainment takes a long-zoom approach, contending that the pursuit of novelty and wonder is a powerful driver of world-shaping technological change. Steven Johnson argues that, throughout history, the cutting edge of innovation lies wherever people are working the hardest to keep themselves and others amused. Johnson’s storytelling is just as delightful as the inventions he describes, full of surprising stops along the journey from simple concepts to complex modern systems. He introduces us to the colorful innovators of leisure: the explorers, proprietors, showmen, and artists who changed the trajectory of history with their luxurious wares, exotic meals, taverns, gambling tables, and magic shows. In Wonderland, Johnson compellingly argues that observers of technological and social trends should be looking for clues in novel amusements. You’ll find the future wherever people are having the most fun.

Hit Makers: How to Succeed in an Age of Distraction

by Derek Thompson

Nothing “goes viral.” If you think a popular movie, song, or app came out of nowhere to become a word-of-mouth success in today’s crowded media environment, you’re missing the real story. Each blockbuster has a secret history—of power, influence, dark broadcasters, and passionate cults that turn some new products into cultural phenomena. Even the most brilliant ideas wither in obscurity if they fail to connect with the right network, and the consumers that matter most aren't the early adopters, but rather their friends, followers, and imitators -- the audience of your audience. In his groundbreaking investigation, Atlantic senior editor Derek Thompson uncovers the hidden psychology of why we like what we like and reveals the economics of cultural markets that invisibly shape our lives. Shattering the sentimental myths of hit-making that dominate pop culture and business, Thompson shows quality is insufficient for success, nobody has "good taste," and some of the most popular products in history were one bad break away from utter failure. It may be a new world, but there are some enduring truths to what audiences and consumers want. People love a familiar surprise: a product that is bold, yet sneakily recognizable. Every business, every artist, every person looking to promote themselves and their work wants to know what makes some works so successful while others disappear. Hit Makers is a magical mystery tour through the last century of pop culture blockbusters and the most valuable currency of the twenty-first century—people’s attention. From the dawn of impressionist art to the future of Facebook, from small Etsy designers to the origin of Star Wars, Derek Thompson leaves no pet rock unturned to tell the fascinating story of how culture happens and why things become popular. In Hit Makers, Derek Thompson investigates: · The secret link between ESPN's sticky programming and the The Weeknd's catchy choruses · Why Facebook is today’s most important newspaper · How advertising critics predicted Donald Trump · The 5th grader who accidentally launched "Rock Around the Clock," the biggest hit in rock and roll history · How Barack Obama and his speechwriters think of themselves as songwriters · How Disney conquered the world—but the future of hits belongs to savvy amateurs and individuals · The French collector who accidentally created the Impressionist canon · Quantitative evidence that the biggest music hits aren’t always the best · Why almost all Hollywood blockbusters are sequels, reboots, and adaptations · Why one year--1991--is responsible for the way pop music sounds today · Why another year --1932--created the business model of film · How data scientists proved that “going viral” is a myth · How 19th century immigration patterns explain the most heard song in the Western Hemisphere

The Attention Merchants: The Epic Scramble to Get Inside Our Heads

by Derek Thompson

Ours is often called an information economy, but at a moment when access to information is virtually unlimited, our attention has become the ultimate commodity. In nearly every moment of our waking lives, we face a barrage of efforts to harvest our attention. This condition is not simply the byproduct of recent technological innovations but the result of more than a century's growth and expansion in the industries that feed on human attention. Wu’s narrative begins in the nineteenth century, when Benjamin Day discovered he could get rich selling newspapers for a penny. Since then, every new medium—from radio to television to Internet companies such as Google and Facebook—has attained commercial viability and immense riches by turning itself into an advertising platform. Since the early days, the basic business model of “attention merchants” has never changed: free diversion in exchange for a moment of your time, sold in turn to the highest-bidding advertiser. Full of lively, unexpected storytelling and piercing insight, The Attention Merchants lays bare the true nature of a ubiquitous reality we can no longer afford to accept at face value.

The Art of People: 11 Simple People Skills That Will Get You Everything You Want

by Dave Kerpen

Some people think that in today’s hyper-competitive world, it’s the tough, take-no-prisoners type who comes out on top. But in reality, argues New York Times bestselling author Dave Kerpen, it’s actually those with the best people skills who win the day. Those who build the right relationships. Those who truly understand and connect with their colleagues, their customers, their partners. Those who can teach, lead, and inspire. In a world where we are constantly connected, and social media has become the primary way we communicate, the key to getting ahead is being the person others like, respect, and trust. Because no matter who you are or what profession you're in, success is contingent less on what you can do for yourself, but on what other people are willing to do for you. Here, through 53 bite-sized, easy-to-execute, and often counterintuitive tips, you’ll learn to master the 11 People Skills that will get you more of what you want at work, at home, and in life. For example, you’ll learn: · The single most important question you can ever ask to win attention in a meeting · The one simple key to networking that nobody talks about · How to remain top of mind for thousands of people, everyday · Why it usually pays to be the one to give the bad news · How to blow off the right people · And why, when in doubt, buy him a Bonsai A book best described as “How to Win Friends and Influence People for today’s world,” The Art of People shows how to charm and win over anyone to be more successful at work and outside of it.

Disclaimer

by Webmaster

As an Amazon Associate I earn from qualifying purchases.

myTech.Today

Consulting and IT Services

10 NIST Secrets to Lock Down Windows PC