This is a hardening checklist for Windows 10 that can be used in private and business environments. The checklist can be used for all Windows versions, but in Windows 10 Home the Group Policy Editor is not integrated, so the settings must be adjusted directly in the registry.
The settings should be seen as security and privacy recommendations. Check carefully whether they will affect the operation of your infrastructure or the usability of key functions. It is important to weigh security against usability.
Based on Windows 10 Pro 1909
- CIS Microsoft Windows 10 Enterprise (Release 1803) Benchmark v1.5.0
- Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903
- Kernel DMA Protection for Thunderbolt 3
- BitLocker Countermeasures
- Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker
- Manage Windows Defender Credential Guard
- Reduce attack surfaces with attack surface reduction rules
- Configuring Additional LSA Protection
- Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields
- DDE registry settings
- Sysmon
- SwiftOnSecurity/sysmon-config
- Dane Stuckey - @cryps1s Endpoint Isolation with the Windows Firewall