Why Windows Hardening Matters
Windows is the most widely used desktop operating system, which makes it the most targeted by malware, ransomware, and cyberattacks. Out of the box, Windows provides reasonable default security, but many protective features are either not enabled by default or configured at a minimum level. Taking 30 minutes to harden your Windows installation dramatically reduces your exposure to common threats.
This guide covers the essential security settings every Windows user should configure, whether you are running Windows 10 or Windows 11. Each setting addresses a specific attack vector, and together they create a robust defensive posture.
Windows Security App Configuration
Virus and Threat Protection
Windows Defender (now called Microsoft Defender Antivirus) is a capable built-in antivirus that has improved significantly in recent years. Open Windows Security and navigate to Virus and Threat Protection. Ensure that real-time protection is turned on, cloud-delivered protection is enabled (this gives Defender access to the latest threat intelligence), and automatic sample submission is enabled.
Under Virus and Threat Protection Settings, turn on tamper protection. This stops malware, and scripts running as administrator, from silently disabling Defender or weakening these settings; it is deliberately not configurable from the command line, only from this screen or an enterprise management tool. Also enable controlled folder access, which blocks applications that Defender does not recognize as trusted from writing to protected folders such as Documents, Pictures, and Desktop. This is a powerful defense against ransomware, but it also blocks legitimate unsigned tools until you add them to the allowed-applications list, so expect to tune it for a few days after turning it on.
Reputation-Based Protection (SmartScreen)
Microsoft Defender SmartScreen checks websites, downloads, and applications against Microsoft's reputation database. Navigate to App and Browser Control, then Reputation-Based Protection, and ensure that Check apps and files, SmartScreen for Microsoft Edge, SmartScreen for Microsoft Store apps, and Potentially Unwanted App blocking are all enabled. SmartScreen stops many phishing sites and malicious downloads before they run. Note that the file check applies only to files carrying the Mark of the Web (that is, files a browser or mail client downloaded from the internet); a program copied in from a USB stick or a network share is not checked.
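The Virus and Threat Protection and Reputation-Based Protection settings above can be audited and set from an elevated PowerShell prompt. The following script is an added example for this guide, not Microsoft's or the original article's; it assumes Microsoft Defender is the active antivirus (the Defender cmdlets are unavailable once a third-party product has taken over), and the folder and program paths in it are placeholders to replace with your own.

```powershell
# Added example: audit and set the Defender options described above.
# Assumes Defender is the active AV. Paths below are placeholders.

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# 1. Report the settings the article asks you to verify.
[pscustomobject]@{
    RealTimeProtection     = $status.RealTimeProtectionEnabled
    TamperProtection       = $status.IsTamperProtected          # read-only here: set it in Windows Security
    SignatureAgeHours      = [int]((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours
    CloudProtection        = $pref.MAPSReporting                # 0 = Off, 1 = Basic, 2 = Advanced
    SampleSubmission       = $pref.SubmitSamplesConsent         # 0 = Prompt, 1 = Safe samples, 2 = Never, 3 = All
    PUAProtection          = $pref.PUAProtection                # 0 = Off, 1 = Block, 2 = Audit
    ControlledFolderAccess = $pref.EnableControlledFolderAccess # 0 = Off, 1 = Block, 2 = Audit
} | Format-List

# 2. Cloud-delivered protection, sample submission and PUA blocking.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples
Set-MpPreference -PUAProtection Enabled

# 3. Controlled folder access: start in audit mode so nothing is blocked yet,
#    but every write that *would* have been blocked is logged.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Protect a folder beyond the defaults (Documents, Pictures, Desktop, ...).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Projects'   # placeholder path

# Allow a trusted program that legitimately writes into protected folders.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\MyBackupTool\backup.exe'  # placeholder

# 4. After a few days, review the audit events (1124 = audited, 1123 = blocked).
#    Add any legitimate program that shows up, then switch to enforcement.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='Detail'; e={ ($_.Message -split "`n")[0] }}

Set-MpPreference -EnableControlledFolderAccess Enabled
```

Tamper protection cannot be switched on from this script; a Set-MpPreference call that tries to weaken a protected setting while tamper protection is on is simply ignored, which is the point of the feature.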
Exploit Protection
Windows includes built-in exploit protection that applies memory-safety mitigations system-wide and, optionally, per program. Navigate to App and Browser Control, then Exploit Protection Settings. The system settings should show Control Flow Guard (CFG), Data Execution Prevention (DEP), Randomize memory allocations (Bottom-up ASLR), High-entropy ASLR, Validate exception chains (SEHOP), and Validate heap integrity set to On, which is the Windows default. Force randomization for images (Mandatory ASLR) is Off by default: it relocates executables that were not built as ASLR-compatible and can crash older software, so enable it for individual programs rather than system-wide, and test before relying on it.
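The same settings are exposed through the ProcessMitigation cmdlets, which is also how you back the configuration up or push it to other machines. This is an added example for this guide, not the article's own text; it assumes an elevated prompt, and notepad.exe and the Desktop export path stand in for whatever program and location you actually use.

```powershell
# Added example: audit, set, export and re-import exploit protection.
# Run elevated. notepad.exe and the XML path are placeholders.

# 1. Current system-level configuration (each value is ON, OFF or NOTSET).
$sys = Get-ProcessMitigation -System
[pscustomobject]@{
    DEP             = $sys.DEP.Enable
    CFG             = $sys.CFG.Enable
    SEHOP           = $sys.SEHOP.Enable
    BottomUpASLR    = $sys.ASLR.BottomUp
    HighEntropyASLR = $sys.ASLR.HighEntropy
    MandatoryASLR   = $sys.ASLR.ForceRelocateImages   # OFF/NOTSET by default
    ValidateHeap    = $sys.Heap.TerminateOnError
} | Format-List

# 2. Make the defaults explicit system-wide (safe: these are the shipped defaults).
Set-ProcessMitigation -System -Enable DEP, CFG, SEHOP, BottomUp, HighEntropy, TerminateOnError

# 3. Mandatory ASLR per program only. Images not linked with /DYNAMICBASE get
#    relocated anyway, which is exactly what breaks some older software, so
#    test each program after enabling it.
Set-ProcessMitigation -Name notepad.exe -Enable ForceRelocateImages, BottomUp

# 4. Export the whole configuration (system and per-program) to XML; the same
#    file can be imported on another machine or deployed through Group Policy.
$xml = "$env:USERPROFILE\Desktop\ExploitProtection.xml"
Get-ProcessMitigation -RegistryConfigFilePath $xml
# Set-ProcessMitigation -PolicyFilePath $xml     # import on the target machine

# 5. Spot-check one running process actually has the mitigations applied.
Get-ProcessMitigation -Name notepad.exe | Select-Object ProcessName, DEP, ASLR, CFG
```

Keep the exported XML with your other build documentation: it is the quickest way to prove a rebuilt machine matches the one you hardened.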
BitLocker Drive Encryption
BitLocker encrypts your entire hard drive so that a lost or stolen computer's data cannot be read by an attacker. Without BitLocker, someone who steals your laptop can remove the drive, connect it to another computer, and read all your files without needing your Windows password. Note that BitLocker protects data at rest only: once Windows has booted and you have signed in, files are transparently decrypted for any process running under your account, so it is no defense against malware.
To enable BitLocker, open Control Panel, navigate to System and Security, then BitLocker Drive Encryption. Select your operating system drive and click Turn on BitLocker. You will be prompted to choose how to unlock the drive (TPM is recommended) and where to save your recovery key.
Save your recovery key to your Microsoft account and print a physical backup. With a TPM protector, your Windows password is not what unlocks the drive; the TPM releases the key only while the boot chain looks unchanged. After a firmware update, motherboard replacement, Secure Boot change, or TPM clear, BitLocker falls into recovery and the 48-digit recovery key is the only way in; without it the data is permanently inaccessible. Store the printed recovery key in a physically secure location, separate from your computer, and never as a file on the drive it protects. Use a strong Windows account password generated by our password generator.
Note: BitLocker is available on Windows 10/11 Pro and Enterprise editions. Windows Home users can use Device Encryption if their hardware supports it, or third-party alternatives like VeraCrypt.
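The Control Panel wizard above can be replaced by the BitLocker cmdlets, which make the order of operations explicit: create the recovery password first, then add the TPM protector, then get the recovery password off the machine. This is an added example for this guide, not the article's own steps; it assumes Windows 10/11 Pro or Enterprise (the BitLocker module is not present on Home), an elevated prompt, and a removable drive mounted as E:\ for the recovery-key file.

```powershell
# Added example: enable BitLocker on the OS drive with TPM + recovery password.
# Assumes Pro/Enterprise, elevated prompt, and E:\ is a removable drive.

$os = $env:SystemDrive   # normally C:

# 1. Preconditions: TPM ready, drive not already protected.
if (-not (Get-Tpm).TpmReady) { throw 'TPM is not ready; initialise it in UEFI setup or Windows Security first.' }
$vol = Get-BitLockerVolume -MountPoint $os
if ($vol.ProtectionStatus -eq 'On') { "BitLocker is already on for $os"; return }

# 2. Turn it on with a recovery password as the first protector.
#    XTS-AES 256 is the strongest mode offered for fixed drives. -SkipHardwareTest
#    avoids the reboot-and-check step; omit it if you want the hardware test.
Enable-BitLocker -MountPoint $os -EncryptionMethod XtsAes256 -RecoveryPasswordProtector -SkipHardwareTest

# 3. Add the TPM protector so the drive unlocks automatically when the
#    measured boot chain is unchanged (PCR 7 and 11 with Secure Boot on).
Add-BitLockerKeyProtector -MountPoint $os -TpmProtector

# 4. Capture the recovery password and store it OFF this machine.
$rp = (Get-BitLockerVolume -MountPoint $os).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
"$env:COMPUTERNAME $($rp.KeyProtectorId) $($rp.RecoveryPassword)" |
    Out-File "E:\BitLocker-Recovery-$env:COMPUTERNAME.txt"
# On a device joined to Microsoft Entra ID, escrow the same protector there:
# BackupToAAD-BitLockerKeyProtector -MountPoint $os -KeyProtectorId $rp.KeyProtectorId

# 5. Verify: encryption progress, protection status and both protectors present.
Get-BitLockerVolume -MountPoint $os |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
                  @{n='Protectors'; e={ ($_.KeyProtector.KeyProtectorType -join ', ') }}
```

The KeyProtectorId printed alongside the password matters: a drive can carry several recovery passwords, and the recovery screen tells you which ID it wants.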
Windows Firewall Configuration
Windows Defender Firewall controls which applications can send and receive network traffic. Navigate to Windows Security, then Firewall and Network Protection. Ensure the firewall is enabled for all three profiles: Domain network, Private network, and Public network.
For advanced configuration, open Windows Defender Firewall with Advanced Security. Leave the default inbound action at Block for every profile; with that in place, the enabled inbound Allow rules are the whole inbound attack surface, so review them and disable any that admit connections for applications you do not use or recognize. Pay particular attention to rules scoped to any remote address and to all profiles. Common rules to review include Remote Desktop (disable if not used), File and Printer Sharing (disable on public networks), and Network Discovery (disable on public networks).

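The review described above is tedious in the MMC console but a short script in PowerShell. The following is an added example for this guide, not the article's own; it assumes an elevated prompt and the built-in rule group names shown in the English-language console.

```powershell
# Added example: check the three profiles, enumerate exposed inbound Allow rules,
# and disable the rule groups the article names. Run elevated.

# 1. Profile state. Enabled should be True and DefaultInboundAction Block for all three.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked

Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block
# Log dropped packets (default log: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log).
Set-NetFirewallProfile -All -LogBlocked True -LogMaxSizeKilobytes 4096

# 2. Enabled inbound Allow rules that accept traffic from *any* remote address.
#    Each rule's address/port/program scope lives in a separate filter object.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    if ($addr.RemoteAddress -eq 'Any') {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Group     = $_.DisplayGroup
            Profile   = $_.Profile
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
            Program   = $app.Program
        }
    }
} | Sort-Object Profile, Name | Format-Table -AutoSize

# 3. Disable what the article calls out: Remote Desktop everywhere if unused;
#    sharing and discovery wherever the rule applies to the Public profile
#    ("Any" means the rule applies to every profile, Public included).
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
foreach ($group in 'File and Printer Sharing', 'Network Discovery') {
    Get-NetFirewallRule -DisplayGroup $group -Direction Inbound |
        Where-Object { $_.Profile -match 'Public|Any' } |
        Disable-NetFirewallRule
}

# 4. Re-run step 2; the list should now be short enough to justify every entry.
```

Anything left in the step 2 output that you cannot name a reason for is a candidate for Disable-NetFirewallRule -DisplayName '<name>'; rules that come back after a Windows feature is re-enabled are the reason this review belongs in the quarterly check at the end of the article.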
User Account Control Settings
User Account Control (UAC) prompts you for permission when a program tries to make changes to your computer. While some users disable UAC because they find the prompts annoying, this removes a critical security layer. UAC prevents malware from silently installing itself or making system-level changes without your knowledge.
Open User Account Control Settings and set the slider to the second-highest level at minimum: "Notify me only when apps try to make changes to my computer (default)". The highest level, "Always notify," generates more prompts but is meaningfully stronger: at the default level Windows' own signed components auto-elevate without a prompt, and that auto-elevation is what most published UAC bypass techniques abuse.
Never run your daily Windows account as an administrator. Microsoft does not treat UAC as a security boundary, so an administrator account behind a UAC prompt is not equivalent to a standard account. Create a standard user account for daily use and keep a separate administrator account for when you need to install software or change system settings. This way, malware running under your standard account cannot make system-level changes without the administrator's credentials.
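The slider maps onto three registry values, and the account split is two cmdlets. The following is an added example for this guide, not the article's own text; it assumes an elevated prompt, and the account name daily is a placeholder.

```powershell
# Added example: read/set the UAC slider via the registry and create a standard
# user for daily work. Run elevated. 'daily' is a placeholder account name.

$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$v   = Get-ItemProperty $uac

# Slider position -> EnableLUA / ConsentPromptBehaviorAdmin / PromptOnSecureDesktop
#   Always notify                                   1 / 2 / 1
#   Notify only when apps try to make changes       1 / 5 / 1   (Windows default)
#   ... and do not dim my desktop                   1 / 5 / 0
#   Never notify                                    0 / - / -
[pscustomobject]@{
    EnableLUA                  = $v.EnableLUA
    ConsentPromptBehaviorAdmin = $v.ConsentPromptBehaviorAdmin
    PromptOnSecureDesktop      = $v.PromptOnSecureDesktop
} | Format-List

# Set "Always notify": every elevation prompts, on the secure desktop,
# including Windows' own binaries that would otherwise auto-elevate.
Set-ItemProperty $uac -Name EnableLUA                  -Value 1
Set-ItemProperty $uac -Name ConsentPromptBehaviorAdmin -Value 2
Set-ItemProperty $uac -Name PromptOnSecureDesktop      -Value 1
# A change to EnableLUA only takes effect after a reboot.

# Is the account you sign in with every day a local administrator?
$admins = Get-LocalGroupMember -Group 'Administrators'
$meAdmin = [bool]($admins | Where-Object Name -like "*\$env:USERNAME")
"$env:USERNAME is a local administrator: $meAdmin"

# Create the standard account. New-LocalUser puts it in Users only; it is
# a standard user precisely because it is NOT added to Administrators.
$pw = Read-Host -AsSecureString -Prompt 'Password for the new standard account'
New-LocalUser -Name 'daily' -Password $pw -FullName 'Daily User' | Out-Null
Add-LocalGroupMember -Group 'Users' -Member 'daily'

# Final check: Administrators should contain only your separate admin account.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
```

Sign in as the new account for day-to-day use; when a UAC prompt appears it will ask for the administrator account's password rather than a simple Yes, which is the behaviour you want.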
Windows Update Configuration
Security patches are released by Microsoft on the second Tuesday of every month, with critical patches sometimes released out of cycle. Delaying these updates leaves known vulnerabilities unpatched.
Open Settings, navigate to Windows Update, and configure active hours so that updates do not interrupt your work. Under Advanced Options, enable the toggle for receiving updates for other Microsoft products, which brings Office and other Microsoft software under the same patch cycle. Also enable the option to download updates over metered connections: Windows otherwise defers updates on any network you have marked as metered, which on a laptop that lives on a phone hotspot or a capped Wi-Fi plan can silently delay security patches for weeks.
Check for updates manually at least weekly rather than relying solely on automatic updates. Some updates require a restart to complete installation, and pending restarts leave vulnerabilities unpatched.
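The three things this section asks you to confirm can be scripted against the Windows Update Agent COM API rather than clicked through. This is an added example for this guide, not the article's; it assumes an elevated prompt and a machine that gets updates directly from Microsoft rather than from WSUS or Intune.

```powershell
# Added example: opt in to Microsoft Update, list pending updates, and detect a
# reboot that is holding an installed patch back. Run elevated.

# 1. Register the Microsoft Update service (Office and other Microsoft products).
#    The GUID is Microsoft's fixed service ID for Microsoft Update; flags 7 =
#    allow pending + online registration and register with Automatic Updates.
$sm = New-Object -ComObject Microsoft.Update.ServiceManager
$sm.AddService2('7971f918-a847-4430-9279-4a52d1efe18d', 7, '') | Out-Null

# 2. Updates that apply to this machine but are not installed yet.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
"Pending updates: $($pending.Count)"
$pending | ForEach-Object {
    [pscustomobject]@{
        Title    = $_.Title
        Severity = $_.MsrcSeverity                 # Critical/Important/Moderate/Low; blank if not a security update
        KB       = (@($_.KBArticleIDs) -join ',')
    }
} | Format-Table -AutoSize

# 3. Most recent installed updates, for a sanity check against Patch Tuesday.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn

# 4. Reboot pending? Either key existing means an update is installed but not active.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)
$pendingReboot = $rebootKeys | Where-Object { Test-Path $_ }
if ($pendingReboot) { "Reboot pending: $($pendingReboot -join '; ')" } else { 'No reboot pending.' }
```

Step 4 is the check most people miss: a machine can report "You're up to date" while a Critical update sits half-installed waiting for a restart.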
Additional Hardening Measures
Disable Remote Desktop If Not Needed
Remote Desktop Protocol is one of the most commonly exploited entry points for attackers. If you do not need remote access to your computer, disable it. Navigate to Settings, then System, then Remote Desktop, and turn it off. If you do need RDP, consult our guide on remote desktop security for essential hardening steps.
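Turning RDP off in Settings changes one registry value; the commands below do the same, close the matching firewall rules, and confirm the listener is gone. This is an added example for this guide, not the article's text; it assumes an elevated prompt.

```powershell
# Added example: disable Remote Desktop at the service level, close the firewall
# hole, and verify nothing listens on TCP 3389. Run elevated.

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Current state. fDenyTSConnections 0 = RDP allowed, 1 = denied.
'RDP currently allowed: ' + ((Get-ItemProperty $ts).fDenyTSConnections -eq 0)

# 2. Deny connections and disable the whole "Remote Desktop" rule group.
Set-ItemProperty $ts -Name fDenyTSConnections -Value 1
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 3. If you must keep RDP, at least require Network Level Authentication so a
#    client has to authenticate before a session is created for it:
# Set-ItemProperty "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1

# 4. Verify. The setting applies without a reboot; if a listener remains,
#    restart the service: Restart-Service TermService -Force
$listener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    "Still listening on 3389 (PID $($listener.OwningProcess))"
} else {
    'No RDP listener on 3389.'
}
```

Do both halves: the firewall rule alone leaves the service reachable from any interface the rule does not cover, and the registry value alone leaves an open port advertising the host as a Windows machine.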
Enable Secure Boot and TPM
Secure Boot prevents unauthorized operating systems and bootloaders from starting during the boot process, protecting against rootkits and boot-level malware. The TPM (Trusted Platform Module) provides hardware-based security functions; in particular it seals the BitLocker key so that it is released only when the measured boot chain is unchanged, which is what makes Secure Boot and BitLocker stronger together than apart. Windows 11 requires both (TPM 2.0 and a Secure Boot-capable UEFI), but on Windows 10 and on machines upgraded in place they may still be switched off. Verify both are enabled in your BIOS/UEFI settings.
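Both can be checked from inside Windows before you reboot into UEFI setup. The following is an added example for this guide, not the article's own text; it assumes an elevated prompt.

```powershell
# Added example: confirm Secure Boot and TPM state, and how BitLocker is bound
# to them, without leaving Windows. Run elevated.

# 1. Secure Boot. Confirm-SecureBootUEFI throws on a legacy BIOS/CSM boot.
try   { $sb = Confirm-SecureBootUEFI }
catch { $sb = $false; "Secure Boot not available: $($_.Exception.Message)" }

# 2. TPM presence, readiness and spec version (Windows 11 requires 2.0).
$tpm  = Get-Tpm
$spec = (Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm).SpecVersion

[pscustomobject]@{
    BootMode          = $env:firmware_type   # "UEFI" or "Legacy"
    SecureBootEnabled = $sb
    TpmPresent        = $tpm.TpmPresent
    TpmReady          = $tpm.TpmReady
    TpmSpecVersion    = $spec                # e.g. "2.0, 0, 1.59"
} | Format-List

# 3. How BitLocker is sealed to the boot measurements. With Secure Boot on,
#    the OS drive's TPM protector should validate PCR 7 and 11.
manage-bde -protectors -get $env:SystemDrive | Select-String 'PCR Validation Profile'
```

If BootMode says Legacy, Secure Boot cannot be turned on until the disk is converted to GPT and the firmware switched to UEFI mode; Windows ships mbr2gpt.exe for the first half of that.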
Review Installed Applications
Periodically review your installed applications through Settings, then Apps, then Installed Apps. Remove software you no longer use. Every installed application is potential attack surface: it may contain vulnerabilities, run background services, or have been bundled with unwanted software. A leaner installation is inherently more secure.
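The Settings page lists programs but not the background services and auto-start entries that come with them, which is the attack surface this section is about. The following inventory script is an added example for this guide, not the article's own; it assumes an elevated prompt, and the uninstall command at the end is a placeholder.

```powershell
# Added example: inventory installed programs together with their auto-start
# hooks, so "do I still use this?" can be answered per program. Run elevated.

# 1. Desktop programs, from all three uninstall hives, newest first.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
$apps = Get-ItemProperty $keys -ErrorAction SilentlyContinue |
    Where-Object DisplayName |
    Select-Object DisplayName, DisplayVersion, Publisher, UninstallString,
        @{n='Installed'; e={ try { [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null) } catch { $null } }}
$apps | Sort-Object Installed -Descending |
    Format-Table DisplayName, DisplayVersion, Publisher, Installed -AutoSize

# 2. Store/AppX packages (not present in the uninstall hives).
Get-AppxPackage | Where-Object { -not $_.IsFramework } |
    Select-Object Name, Version | Sort-Object Name

# 3. Background presence: auto-start services outside the Windows directory,
#    and Run-key entries. These run whether or not you ever open the program.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -notlike "*$env:SystemRoot*" } |
    Select-Object Name, State, PathName
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty $runKeys -ErrorAction SilentlyContinue | ForEach-Object {
    $_.PSObject.Properties | Where-Object Name -notlike 'PS*' | Select-Object Name, Value
}

# 4. Removing something: run its own UninstallString; MSI installs accept /quiet.
# Start-Process msiexec -ArgumentList '/x {PRODUCT-GUID} /quiet' -Wait   # placeholder GUID
# Get-AppxPackage *PackageName* | Remove-AppxPackage                    # placeholder name
```

Anything in step 3 whose Publisher in step 1 you cannot place deserves a second look before the next quarterly review, not after.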
Windows provides strong built-in security tools. The key is ensuring they are properly configured and maintained. Schedule a quarterly review of these settings to verify nothing has been changed or disabled, and your Windows installation will remain well-protected against the most common threats.
Raimundo Coelho
Cybersecurity specialist and technology professor with over 20 years of experience in IT. Graduated from Universidade Estácio de Sá. Writing practical guides to help you protect your data and stay safe in the digital world.