10 NIST Secrets to Lock Down Windows PC
Table of Contents
- Introduction
- Why Security Benchmarks Matter
- What is NIST and Its Standards?
- Steps to Lock Down Your Windows PC
- Operating System Settings
- Account Lockout and Password Policies
- User Rights Assignments
- Security Options Settings
- Audit Policy Settings
- Administrative Templates - System Settings
- Administrative Templates - Network Settings
- Administrative Templates - Windows Components
- Administrative Templates - Other Settings
- Conclusion
Introduction
In today's digital age, cyber threats are becoming increasingly sophisticated, targeting vulnerabilities that many users are unaware of. While firewalls and antivirus software are essential, they are no longer sufficient to protect against all types of attacks. Locking down your Windows computer according to the National Institute of Standards and Technology (NIST) guidelines is a proactive way to enhance your system's security. In this comprehensive guide, we unveil 10 NIST secrets to help you secure your Windows PC effectively.
Why Security Benchmarks Matter
Security benchmarks provide a standardized set of configurations that minimize vulnerabilities and reduce the attack surface of your system. Many current threats bypass traditional security measures like firewalls and antivirus programs. By adhering to security benchmarks, you proactively harden your system against potential exploits. This approach is crucial for preventing unauthorized access, data breaches, and other cyber threats.
What is NIST and Its Standards?
The National Institute of Standards and Technology (NIST) is a U.S. federal agency that develops technology, metrics, and standards to drive innovation and economic competitiveness. NIST provides comprehensive guidelines for securing information systems, including detailed configurations for operating systems like Windows 10. Following NIST standards ensures that your computer adheres to federal security requirements and best practices.
Steps to Lock Down Your Windows PC
Below are detailed steps to lock down your Windows computer according to NIST standards. These steps cover various settings, including operating system configurations, password policies, user rights assignments, and more. Implementing these changes will significantly enhance your system's security posture.
1. Operating System Settings
Configuring your operating system correctly is the first step toward a secure computer. Here are the key settings you need to adjust:
- Use Windows 10 Enterprise Edition 64-bit: Ensure your system runs the 64-bit version of Windows 10 Enterprise for advanced security features.
- Enable BitLocker Encryption: Use BitLocker to encrypt all disks, protecting the confidentiality and integrity of your data at rest.
- Maintain Supported Servicing Level: Keep your system updated with the latest patches and updates to mitigate vulnerabilities.
- Format Local Volumes with NTFS: Use the NTFS file system for better security features compared to FAT32 or exFAT.
- Configure Password Expiration: Set accounts to require password changes regularly to reduce the risk of compromised credentials.
- Uninstall Unnecessary Services: Remove services like Internet Information Services (IIS), Simple Network Management Protocol (SNMP), Simple TCP/IP Services, Telnet Client, TFTP Client, and Windows PowerShell 2.0 to reduce potential attack vectors.
- Disable SMB v1 Protocol: Disable the outdated SMB v1 protocol on both the client and server sides to prevent exploitation.
- Disable Secondary Logon Service: Turn off the Secondary Logon service to prevent unauthorized privilege escalation.
- Configure Data Execution Prevention (DEP): Set DEP to at least OptOut to protect against memory-based attacks.
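The script below is an added example, not code from the article: a read-only PowerShell audit of the operating-system settings just listed. It assumes an elevated PowerShell 5.1 session on Windows 10 with the BitLocker module present; the DISM feature names and the mrxsmb10 driver name are assumptions drawn from those components' standard names.

```powershell
# Added example, not part of the original article: read-only checks for the
# operating-system settings above. Run in an elevated PowerShell 5.1 session on
# Windows 10; nothing is changed, each row reports pass/fail with the value seen.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check($Name, $Ok, $Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Ok; Detail = "$Detail" })
}

# Edition and architecture
$os = Get-CimInstance Win32_OperatingSystem
Add-Check 'Windows 10 Enterprise 64-bit' ($os.Caption -match 'Enterprise' -and $os.OSArchitecture -match '64') "$($os.Caption), $($os.OSArchitecture)"

# Every fixed volume that carries a file system must be NTFS
$nonNtfs = Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.FileSystem -and $_.FileSystem -ne 'NTFS' }
Add-Check 'Fixed volumes are NTFS' (-not $nonNtfs) (($nonNtfs | ForEach-Object { "$($_.DriveLetter): $($_.FileSystem)" }) -join ', ')

# BitLocker protection on every volume it reports (needs the BitLocker module)
$blv = Get-BitLockerVolume -ErrorAction SilentlyContinue
$unprotected = $blv | Where-Object { $_.ProtectionStatus -ne 'On' }
Add-Check 'BitLocker protection on' ($blv -and -not $unprotected) (($unprotected | ForEach-Object MountPoint) -join ', ')

# Optional features the article says to remove, by their DISM feature names.
# SNMP became a capability rather than a feature in later Windows 10 builds,
# so an unknown feature name simply counts as absent.
$banned = 'IIS-WebServer', 'SimpleTCP', 'TelnetClient', 'TFTP', 'MicrosoftWindowsPowerShellV2Root', 'SMB1Protocol', 'SNMP'
foreach ($f in $banned) {
    $feat = Get-WindowsOptionalFeature -Online -FeatureName $f -ErrorAction SilentlyContinue
    Add-Check "Feature not enabled: $f" ($null -eq $feat -or $feat.State -ne 'Enabled') "$($feat.State)"
}

# SMBv1 on the server side (configuration) and client side (mrxsmb10 driver)
$srv = Get-SmbServerConfiguration
Add-Check 'SMBv1 server disabled' (-not $srv.EnableSMB1Protocol) "EnableSMB1Protocol=$($srv.EnableSMB1Protocol)"
$smb1Drv = Get-CimInstance Win32_SystemDriver -Filter "Name='mrxsmb10'"
Add-Check 'SMBv1 client driver absent or disabled' ($null -eq $smb1Drv -or $smb1Drv.StartMode -eq 'Disabled') "$($smb1Drv.StartMode)"

# Secondary Logon service
$seclogon = Get-Service -Name seclogon
Add-Check 'Secondary Logon disabled' ($seclogon.StartType -eq 'Disabled') "$($seclogon.StartType), $($seclogon.Status)"

# DEP policy from the boot configuration; OptOut or AlwaysOn satisfies the article
$nxLine = bcdedit /enum '{current}' | Select-String '^\s*nx\s+(\S+)'
$nx = if ($nxLine) { $nxLine.Matches[0].Groups[1].Value } else { 'OptIn (default, not listed)' }
Add-Check 'DEP at least OptOut' ($nx -in 'OptOut', 'AlwaysOn') "nx=$nx"

$results | Format-Table -AutoSize
```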
2. Account Lockout and Password Policies
Strong password policies and account lockout settings are essential to prevent unauthorized access:
- Set Account Lockout Duration: Configure the account lockout duration to at least 15 minutes after multiple failed login attempts.
- Limit Bad Logon Attempts: Set the threshold for allowed bad logon attempts to 3 or fewer.
- Reset Lockout Counter: Configure the lockout counter to reset after 15 minutes.
- Enforce Password History: Remember at least the last 24 passwords to prevent password reuse.
- Set Maximum Password Age: Require passwords to be changed every 60 days or less.
- Define Minimum Password Age: Set a minimum password age of at least 1 day to prevent rapid password changes.
- Enforce Password Length: Require passwords to be at least 14 characters long.
- Enable Password Complexity: Use the built-in Microsoft password complexity filter to enforce strong passwords.
- Disable Reversible Password Encryption: Ensure that passwords are not stored with reversible encryption.
3. User Rights Assignments
Properly assigning user rights minimizes the risk of privilege abuse:
- Restrict Sensitive Rights: Do not assign rights like "Act as part of the operating system," "Create a token object," or "Debug programs" to any groups or accounts except Administrators.
- Define Access Permissions: Assign "Access this computer from the network" only to Administrators and Remote Desktop Users.
- Limit Logon Locally Rights: Assign "Allow log on locally" only to Administrators and Users groups.
- Configure Deny Rights: Use "Deny access" rights to prevent access from unauthorized or highly privileged domain accounts.
- Manage System Privileges: Assign system privileges like "Back up files and directories," "Load and unload device drivers," and "Restore files and directories" only to the Administrators group.
- Restrict Delegation Rights: Do not assign "Enable computer and user accounts to be trusted for delegation" to any groups or accounts.
- Control Impersonation: Assign "Impersonate a client after authentication" only to Administrators, Service, Local Service, and Network Service.
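As an added example (not code from the article), the script below exports the local security policy with secedit and checks both the password and lockout thresholds of section 2 and the user rights of section 3 against the values given above. It assumes an elevated PowerShell 5.1 session and that secedit writes grantees as `*SID` strings, with the well-known SIDs for Administrators, Users, Remote Desktop Users, Service, Local Service and Network Service as listed in the code.

```powershell
# Added example, not part of the original article: export the local security
# policy with secedit and compare its [System Access] and [Privilege Rights]
# sections against sections 2 and 3 above. Elevated PowerShell 5.1 session.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null
# flatten the UTF-16 "Key = Value" lines under [Section] headers into a "Section/Key" -> value table
$policy = @{}
foreach ($line in Get-Content $cfg -Encoding Unicode) {
    if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
    if ($line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $policy["$section/$($Matches[1])"] = $Matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
# Section 2 thresholds. secedit uses -1 for "never" (MaximumPasswordAge) and "until an administrator unlocks" (LockoutDuration).
$thresholds = @(
    @{ Key = 'LockoutBadCount';       Want = '1-3';  Test = { param($v) $v -ge 1 -and $v -le 3 } },
    @{ Key = 'LockoutDuration';       Want = '>=15'; Test = { param($v) $v -ge 15 -or $v -eq -1 } },
    @{ Key = 'ResetLockoutCount';     Want = '>=15'; Test = { param($v) $v -ge 15 } },
    @{ Key = 'PasswordHistorySize';   Want = '>=24'; Test = { param($v) $v -ge 24 } },
    @{ Key = 'MaximumPasswordAge';    Want = '1-60'; Test = { param($v) $v -ge 1 -and $v -le 60 } },
    @{ Key = 'MinimumPasswordAge';    Want = '>=1';  Test = { param($v) $v -ge 1 } },
    @{ Key = 'MinimumPasswordLength'; Want = '>=14'; Test = { param($v) $v -ge 14 } },
    @{ Key = 'PasswordComplexity';    Want = '1';    Test = { param($v) $v -eq 1 } },
    @{ Key = 'ClearTextPassword';     Want = '0';    Test = { param($v) $v -eq 0 } }
)
foreach ($t in $thresholds) {
    $raw = $policy["System Access/$($t.Key)"]
    $pass = ($null -ne $raw) -and (& $t.Test ([int]$raw))
    [pscustomobject]@{ Setting = $t.Key; Actual = $raw; Want = $t.Want; Pass = $pass }
}
# Section 3 user rights. secedit lists grantees as *SID; the well-known SIDs used here:
$A = '*S-1-5-32-544'; $U = '*S-1-5-32-545'; $R = '*S-1-5-32-555'   # Administrators, Users, Remote Desktop Users
$S = '*S-1-5-6'; $L = '*S-1-5-19'; $N = '*S-1-5-20'                 # Service, Local Service, Network Service
$rights = [ordered]@{
    SeTcbPrivilege              = @($A)             # Act as part of the operating system
    SeCreateTokenPrivilege      = @($A)             # Create a token object
    SeDebugPrivilege            = @($A)             # Debug programs
    SeNetworkLogonRight         = @($A, $R)         # Access this computer from the network
    SeInteractiveLogonRight     = @($A, $U)         # Allow log on locally
    SeBackupPrivilege           = @($A)             # Back up files and directories
    SeLoadDriverPrivilege       = @($A)             # Load and unload device drivers
    SeRestorePrivilege          = @($A)             # Restore files and directories
    SeEnableDelegationPrivilege = @()               # Enable computer and user accounts to be trusted for delegation
    SeImpersonatePrivilege      = @($A, $S, $L, $N) # Impersonate a client after authentication
}
foreach ($r in $rights.GetEnumerator()) {
    $granted = @(($policy["Privilege Rights/$($r.Key)"] -split ',') | ForEach-Object Trim | Where-Object { $_ })
    $extra = @($granted | Where-Object { $_ -notin $r.Value })   # anyone granted the right beyond the allowed set
    [pscustomobject]@{ Setting = $r.Key; Actual = ($granted -join ','); Pass = ($extra.Count -eq 0) }
}
```

A right that is absent from the export is held by nobody, so the delegation row passes only when the key is missing or empty.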
4. Security Options Settings
Adjust security options to enforce stricter security policies:
- Disable Built-in Accounts: Disable the built-in Administrator and Guest accounts, and rename them to prevent brute-force attacks.
- Restrict Blank Passwords: Prevent local accounts with blank passwords from accessing the system over the network.
- Enable Audit Policy: Use subcategories for audit policies to gain detailed logging capabilities.
- Secure Channel Traffic: Configure the system to encrypt and sign outgoing secure channel traffic whenever possible.
- Enforce Machine Account Passwords: Allow the computer account password to be changed (do not disable machine account password changes) and set the maximum machine account password age to 30 days or less.
- Configure Session Key Strength: Require a strong session key to enhance security during authentication processes.
- Set Machine Inactivity Limit: Configure the system to lock after 15 minutes of inactivity using a screensaver.
- Limit Cached Logons: Limit the caching of logon credentials to reduce the risk if the system is compromised.
- Enforce Smart Card Removal Behavior: Configure the system to force logoff or lock the workstation when a smart card is removed.
- Configure SMB Settings: Require SMB packet signing and disable unencrypted passwords to third-party SMB servers.
- Restrict Anonymous Access: Prevent anonymous enumeration of SAM accounts and shares, and restrict anonymous access to named pipes and shares.
- Enforce NTLM Restrictions: Prevent NTLM from falling back to a Null session and set the LanMan authentication level appropriately.
- Disable Unnecessary Authentication Protocols: Disable PKU2U authentication using online identities and prevent the storage of LAN Manager hashes.
- Enable FIPS-compliant Algorithms: Configure the system to use FIPS-compliant algorithms for encryption, hashing, and signing.
- Configure User Account Control (UAC): Enable UAC and configure it to prompt for consent on the secure desktop, automatically deny elevation requests for standard users, and only elevate UIAccess applications installed in secure locations.
5. Audit Policy Settings
Implementing comprehensive audit policies helps in monitoring and detecting suspicious activities:
- Configure Account Logon Auditing: Audit both successes and failures for credential validation and account lockout events.
- Audit Account Management Events: Monitor user account and security group management activities.
- Enable Detailed Tracking: Audit process creation events to track application executions.
- Monitor Logon/Logoff Events: Audit logon successes and failures, logoffs, and special logons.
- Audit Object Access: Monitor file share access and other object access events for both successes and failures.
- Track Policy Changes: Audit policy change events, including audit policy, authentication policy, and authorization policy changes.
- Audit Privilege Use: Monitor sensitive privilege use to detect potential privilege escalation attempts.
- Audit System Events: Configure auditing for system integrity, security state changes, and other system events.
- Protect Event Logs: Set appropriate permissions for the Application, Security, and System event logs to prevent unauthorized access.
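The script below is an added example, not code from the article: it reads the effective audit policy with `auditpol /r` (CSV output) and compares each subcategory above with the required setting, then lists any identity on the event log files other than the default SYSTEM, Administrators and EventLog service entries. Where the article does not say whether to audit successes, failures or both, the choice in the table is an assumption; the default event log ACL is also assumed.

```powershell
# Added example, not part of the original article: compare the effective audit
# policy with the subcategories listed above. Where the article does not say
# success, failure or both, the Success/Failure choice below is an assumption.
$required = [ordered]@{
    'Credential Validation'        = 'Success and Failure'
    'Account Lockout'              = 'Success and Failure'
    'User Account Management'      = 'Success and Failure'
    'Security Group Management'    = 'Success'
    'Process Creation'             = 'Success'
    'Logon'                        = 'Success and Failure'
    'Logoff'                       = 'Success'
    'Special Logon'                = 'Success'
    'File Share'                   = 'Success and Failure'
    'Other Object Access Events'   = 'Success and Failure'
    'Audit Policy Change'          = 'Success and Failure'
    'Authentication Policy Change' = 'Success'
    'Authorization Policy Change'  = 'Success'
    'Sensitive Privilege Use'      = 'Success and Failure'
    'Security State Change'        = 'Success'
    'System Integrity'             = 'Success and Failure'
}
# auditpol /r prints CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
$current = @{}
auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv |
    ForEach-Object { $current[$_.Subcategory] = $_.'Inclusion Setting' }

function Test-AuditSetting([string]$Want, [string]$Have) {
    # "Success and Failure" satisfies either single requirement; "No Auditing" satisfies none
    foreach ($flag in 'Success', 'Failure') {
        if ($Want -match $flag -and $Have -notmatch $flag) { return $false }
    }
    return $true
}
$required.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Subcategory = $_.Key; Required = $_.Value; Current = $current[$_.Key]
        Pass = Test-AuditSetting $_.Value $current[$_.Key]
    }
} | Format-Table -AutoSize

# Event log files: by default only SYSTEM, Administrators and the EventLog service hold ACEs (assumed default)
foreach ($log in 'Application', 'Security', 'System') {
    $acl = Get-Acl -LiteralPath "$env:SystemRoot\System32\winevt\Logs\$log.evtx"
    $odd = $acl.Access | Where-Object { "$($_.IdentityReference)" -notin 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\EventLog' }
    [pscustomobject]@{ Log = $log; Pass = (-not $odd); Unexpected = (($odd | ForEach-Object { "$($_.IdentityReference)" }) -join ', ') }
}
```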
6. Administrative Templates - System Settings
Adjust system settings through administrative templates to enhance security:
- Include Command Line Data in Events: Enable logging of command line data in process creation events for better forensic analysis.
- Configure Early Launch Anti-Malware: Set the boot-start driver initialization policy so that boot-start drivers that could be malicious are not loaded.
- Force Group Policy Reprocessing: Ensure Group Policy objects are reprocessed even if they haven't changed to maintain consistent policy application.
- Disable Unnecessary Features: Prevent downloading of print driver packages over HTTP, and disable web publishing and online ordering wizards.
- Disable Printing Over HTTP: Turn off the ability to print over HTTP to reduce network exposure.
- Enable Device Authentication: Attempt device authentication using certificates whenever possible.
- Hide Network Selection UI: Do not display the network selection UI on the logon screen to prevent unauthorized network connections.
- Prevent User Enumeration: Do not enumerate local users on domain-joined computers to reduce information disclosure.
- Require Password on Wakeup: Prompt users for a password when resuming from sleep or hibernation.
- Disable Remote Assistance: Do not allow Solicited Remote Assistance to prevent unauthorized remote access.
- Enable Kernel DMA Protection: Protect against Direct Memory Access (DMA) attacks by enabling Kernel DMA Protection.
- Disable Convenience PIN: Turn off the convenience PIN sign-in to enforce stronger authentication methods.
7. Administrative Templates - Network Settings
Secure network settings to prevent unauthorized access and data leakage:
- Disable Internet Connection Sharing: Prevent users from enabling Internet Connection Sharing to reduce network risks.
- Define Hardened UNC Paths: Require mutual authentication and integrity for UNC paths, especially for \\*\SYSVOL and \\*\NETLOGON shares.
- Limit Simultaneous Connections: Restrict simultaneous connections to the Internet or a Windows domain to prevent network conflicts.
- Block Non-Domain Networks: Prevent connections to non-domain networks when connected to a domain-authenticated network.
- Disable Wi-Fi Sense: Turn off Wi-Fi Sense to prevent automatic sharing of Wi-Fi networks.
- Disable Insecure Logons: Prevent insecure logons to an SMB server to enhance network security.
8. Administrative Templates - Windows Components
Configure Windows components to reduce vulnerabilities:
- Prevent Data Collection: Disable the Application Compatibility Program Inventory and limit diagnostic data to the minimum required.
- Turn Off Autoplay: Disable Autoplay for all drives to prevent automatic execution of malicious code.
- Enhance Anti-Spoofing: Enable enhanced anti-spoofing for facial recognition if applicable.
- Disable Consumer Experiences: Turn off Microsoft consumer experiences to reduce unwanted applications.
- Restrict Administrator Enumeration: Do not enumerate administrator accounts during elevation to prevent privilege escalation attempts.
- Configure Windows Update: Prevent Windows Update from obtaining updates from other PCs on the Internet.
- Enable SmartScreen Filters: Activate Windows Defender SmartScreen for Explorer and Microsoft Edge to block malicious content.
- Configure Edge Browser Settings: Disable password manager and prevent certificate error overrides in Microsoft Edge.
- Disable Game Recording: Turn off Windows Game Recording and Broadcasting to reduce unnecessary background processes.
- Set Minimum PIN Length: Require a minimum PIN length of six characters or more if using PIN authentication.
- Secure Remote Desktop: Prevent saving passwords in the Remote Desktop Client, disallow local drive sharing, and require secure RPC communications.
- Manage Event Log Sizes: Configure the Application, Security, and System event logs to have sufficient size (e.g., 32768 KB or greater) to prevent loss of audit data.
- Enable PowerShell Logging: Enable PowerShell script block logging and transcription for enhanced monitoring.
- Configure WinRM Security: Ensure the Windows Remote Management (WinRM) client and service do not use Basic authentication or allow unencrypted traffic.
9. Administrative Templates - Other Settings
Implement additional security settings to further protect your system:
- Disable Lock Screen Slide Shows: Prevent slide shows on the lock screen to avoid unnecessary resource usage.
- Configure IPv6 Source Routing: Set IPv6 source routing to the highest protection level.
- Prevent IP Source Routing: Disable IP source routing to protect against routing-based attacks.
- Ignore ICMP Redirects: Prevent ICMP redirects from overriding Open Shortest Path First (OSPF) generated routes.
- Block NetBIOS Name Release Requests: Configure the system to ignore NetBIOS name release requests except from WINS servers.
- Filter Privileged Tokens: Ensure local administrator accounts have their privileged tokens filtered to prevent elevated privileges over the network.
- Disable WDigest Authentication: Turn off WDigest Authentication to prevent storing plain-text passwords in memory.
- Remove Run as Different User: Eliminate the "Run as different user" option from context menus to reduce privilege escalation risks.
- Prompt for Password on Wakeup: Require users to enter a password when resuming from sleep, both on battery and when plugged in.
- Restrict Unauthenticated RPC Clients: Limit unauthenticated RPC clients from connecting to the RPC server.
- Make Microsoft Accounts Optional for Apps: Enable the setting that allows Microsoft accounts to be optional for modern-style apps, so users are not forced to sign in with one.
- Enable SEHOP: Turn on Structured Exception Handling Overwrite Protection (SEHOP) to guard against certain types of exploits.
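Most of the settings in sections 4 and 6 to 9 are Group Policy or security options backed by a registry value, so a single table-driven check covers them. The script below is an added example, not code from the article; the registry paths and value names are the standard policy locations as I know them, the accepted values follow the thresholds given above (and 5 for the LanMan authentication level, which the article leaves open), and the list is a subset meant to be extended.

```powershell
# Added example, not part of the original article: read-only registry audit of
# policy-backed settings from sections 4 and 6 to 9. Each row is (key, value name,
# accepted value(s) or a scriptblock test); the list is a subset, extend as needed.
$checks = @(
  @('HKLM:\SYSTEM\CurrentControlSet\Control\Lsa', 'LimitBlankPasswordUse', 1),
  @('HKLM:\SYSTEM\CurrentControlSet\Control\Lsa', 'SCENoApplyLegacyAuditPolicy', 1),
  @('HKLM:\SYSTEM\CurrentControlSet\Control\Lsa', 'RestrictAnonymous', 1),
  @('HKLM:\SYSTEM\CurrentControlSet\Control\Lsa', 'NoLMHash', 1),
  @('HKLM:\SYSTEM\CurrentControlSet\Control\Lsa', 'LmCompatibilityLevel', 5),   # NTLMv2 only, refuse LM and NTLM (assumed level)
  @('HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0', 'allownullsessionfallback', 0),
  @('HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy', 'Enabled', 1),
  @('HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters', 'RequireSignOrSeal', 1),
  @('HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters', 'DisablePasswordChange', 0),
  @('HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters', 'MaximumPasswordAge', { $args[0] -ge 1 -and $args[0] -le 30 }),
  @('HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters', 'RequireStrongKey', 1),
  @('HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters', 'RequireSecuritySignature', 1),
  @('HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters', 'RequireSecuritySignature', 1),
  @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'InactivityTimeoutSecs', { $args[0] -ge 1 -and $args[0] -le 900 }),
  @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'EnableLUA', 1),
  @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'ConsentPromptBehaviorAdmin', 2),
  @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'LocalAccountTokenFilterPolicy', 0),
  @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit', 'ProcessCreationIncludeCmdLine_Enabled', 1),
  @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\System', 'DriverLoadPolicy', @(1, 3, 8)),   # anything but "all drivers"
  @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\System', 'EnumerateLocalUsers', 0),
  @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\System', 'AllowDomainPINLogon', 0),
  @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\System', 'EnableSmartScreen', 1),
  @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection', 'DeviceEnumerationPolicy', 0),
  @('HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services', 'fAllowToGetHelp', 0),
  @('HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services', 'DisablePasswordSaving', 1),
  @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths', '\\*\SYSVOL', { $args[0] -match 'RequireMutualAuthentication=1' -and $args[0] -match 'RequireIntegrity=1' }),
  @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation', 'AllowInsecureGuestAuth', 0),
  @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security', 'MaxSize', { $args[0] -ge 32768 }),
  @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging', 'EnableScriptBlockLogging', 1),
  @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service', 'AllowBasic', 0),
  @('HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest', 'UseLogonCredential', 0),
  @('HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'DisableIPSourceRouting', 2),
  @('HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc', 'RestrictRemoteClients', 1),
  @('HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel', 'DisableExceptionChainValidation', 0)
)
$checks | ForEach-Object {
    $path, $name, $want = $_
    $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue   # GetValue avoids wildcard handling of names like \\*\SYSVOL
    $actual = if ($key) { $key.GetValue($name) } else { $null }         # missing key or value means "not configured"
    $pass = if ($null -eq $actual) { $false }
            elseif ($want -is [scriptblock]) { [bool](& $want $actual) }
            else { $actual -in @($want) }
    [pscustomobject]@{ Pass = $pass; Name = $name; Actual = $actual; Key = $path }
} | Sort-Object Pass, Key | Format-Table -AutoSize
```

Rows that fail with an empty Actual column are settings that have never been applied, which is the usual state of a fresh install rather than a deliberate weakening.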
Conclusion
Securing your Windows PC is an ongoing process that requires attention to detail and adherence to best practices. By following the NIST guidelines outlined in this guide, you significantly reduce your system's vulnerability to cyber threats. Implement these settings carefully, and consider using tools like the local group policy editor or registry editor to apply the configurations. Always back up your system before making significant changes, and test the configurations in a controlled environment if possible.
Remember, a proactive approach to security is the best defense against the ever-evolving landscape of cyber threats. Stay informed, stay vigilant, and keep your systems up to date to ensure maximum protection.