Security Guide

The Complete Windows Security Hardening Guide for 2026

A step-by-step guide to hardening your Windows 10 and Windows 11 systems against modern cyber threats. Covers firewall configuration, service minimization, registry hardening, and more.

By Citadel Frame Team · 12 min read

Windows remains the most targeted operating system for cyberattacks, with over 75% of malware specifically designed for Windows endpoints. Whether you're managing a single workstation or an entire fleet, hardening your Windows installation is the single most impactful step you can take to reduce your attack surface.

This guide provides a comprehensive, step-by-step approach to hardening Windows 10 and Windows 11 systems based on CIS Benchmarks v3.0, NIST SP 800-123, and real-world incident response experience. Every recommendation includes the "why" behind it, so you can make informed decisions for your environment.

1. Windows Firewall Configuration

The built-in Windows Defender Firewall is more capable than most people realize. Properly configured, it provides enterprise-grade network segmentation at zero cost.

Enable All Three Profiles

Windows Firewall operates across three profiles — Domain, Private, and Public. All three must be enabled and configured independently. A common misconfiguration is leaving the Public profile permissive because "it's just my home network."

  • Domain Profile: Active when connected to an Active Directory domain. Rules can be least restrictive here, but the default should still be to block.
  • Private Profile: For trusted home/office networks. Block inbound by default, allow established connections.
  • Public Profile: Maximum restriction. Block all inbound connections, allow only explicitly approved outbound.

Block Outbound by Default

Most administrators only configure inbound rules, but outbound filtering is critical for detecting malware callbacks, data exfiltration, and unauthorized software. Configure outbound rules to allow only known applications and services.
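The following PowerShell is an added example, not code from the original guide or from Citadel Frame. It audits the three profiles against the baseline above, enforces it when run with -Apply, and then summarises what the outbound default-block is dropping from the firewall log, which is how you find both the legitimate applications still missing from the allow list and connections worth investigating. The two entries in $allowedOutbound are placeholders; Windows Update in particular needs more than the wuauserv service, so pilot with logging enabled before enforcing outbound blocking fleet-wide.

```powershell
# Added example: three-profile firewall baseline with outbound default-block.
# Run from an elevated PowerShell session. $allowedOutbound is a placeholder list.
$allowedOutbound = @(
    @{ Name = 'Allow Windows Update (wuauserv)'; Service = 'wuauserv' },
    @{ Name = 'Allow DNS Client';                Service = 'Dnscache' }
)

function Get-FirewallBaselineDrift {
    # One object per profile that deviates from: enabled, inbound Block, outbound Block, drops logged
    Get-NetFirewallProfile | ForEach-Object {
        $p = $_; $issues = @()
        if ($p.Enabled -ne 'True')                { $issues += 'profile disabled' }
        if ($p.DefaultInboundAction -ne 'Block')  { $issues += 'inbound not blocked by default' }
        if ($p.DefaultOutboundAction -ne 'Block') { $issues += 'outbound not blocked by default' }
        if ($p.LogBlocked -ne 'True')             { $issues += 'dropped packets not logged' }
        if ($issues) { [pscustomobject]@{ Profile = $p.Name; Issues = ($issues -join '; ') } }
    }
}

function Set-FirewallBaseline {
    param([switch]$Apply)
    if (-not $Apply) { Get-FirewallBaselineDrift | Format-Table -AutoSize; return }
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block `
        -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
    foreach ($app in $allowedOutbound) {
        if (-not (Get-NetFirewallRule -DisplayName $app.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $app.Name -Direction Outbound -Action Allow `
                -Service $app.Service -Profile Any | Out-Null
        }
    }
}

function Get-BlockedOutbound {
    # Summarise DROP/SEND entries in pfirewall.log by destination, using the #Fields:
    # header so the parser does not depend on column positions.
    param([string]$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log", [int]$Top = 15)
    $fields = $null
    $hits = foreach ($line in Get-Content -Path $LogPath -ErrorAction Stop) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split ' '; continue }
        if ($line -like '#*' -or -not $fields) { continue }
        $v = $line -split ' '; $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $v.Count; $i++) { $row[$fields[$i]] = $v[$i] }
        if ($row['action'] -eq 'DROP' -and $row['path'] -eq 'SEND') {
            "$($row['dst-ip']):$($row['dst-port'])/$($row['protocol'])"
        }
    }
    $hits | Group-Object | Sort-Object Count -Descending | Select-Object -First $Top Count, Name
}

Set-FirewallBaseline            # dry run: shows drift only; add -Apply to enforce
Get-BlockedOutbound | Format-Table -AutoSize
```

Review the Get-BlockedOutbound output on a pilot group for a week before switching the outbound default to Block everywhere: every destination that is business-legitimate becomes an allow rule, and anything else becomes a ticket.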

Citadel Frame Advantage: The Real-Time Threat Scanning module automatically audits your firewall configuration across all three profiles and flags misconfigurations with one-click remediation.

2. Service Minimization

Every running Windows service is a potential attack vector. The principle of least functionality (CIS Control 4.8) requires disabling services that aren't needed for the system's intended purpose.

Services to Disable on Workstations

  • Remote Registry (RemoteRegistry) — Allows remote modification of the registry. Almost never needed on endpoints.
  • Remote Desktop Services (TermService) — Disable unless it is actively used for remote access. If it is needed, require Network Level Authentication.
  • Windows Remote Management (WinRM) — Disable unless managed by enterprise tools like SCCM.
  • Xbox Services (XblAuthManager, XblGameSave) — No business justification on corporate endpoints.
  • Fax (Fax) — Legacy service with no modern use case.
  • Print Spooler (Spooler) — Disable on non-printing systems. The PrintNightmare vulnerability family demonstrated the risk.
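An added example (not from the original guide or from Citadel Frame) that reports on the services above and disables them when run with -Apply. Hosts that genuinely need a service are handled with -Keep rather than by editing the list, so the exception is visible in the output. Note that disabling TermService or WinRM removes your own remote-management path, so apply this from a console session or through your management tooling.

```powershell
# Added example: service minimization with an explicit exception list.
$workstationServices = 'RemoteRegistry','TermService','WinRM','XblAuthManager','XblGameSave','Fax','Spooler'

function Invoke-ServiceMinimization {
    param(
        [string[]]$Keep = @(),   # e.g. -Keep Spooler,TermService on a host that needs them
        [switch]$Apply
    )
    foreach ($name in $workstationServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { continue }   # not installed on this edition, nothing to do
        # StartMode from Win32_Service works on every PowerShell version (Auto/Manual/Disabled)
        $startMode = (Get-CimInstance Win32_Service -Filter "Name='$name'").StartMode
        $row = [pscustomobject]@{ Service = $name; Status = $svc.Status; StartMode = $startMode; Action = 'none' }
        if ($name -in $Keep)                { $row.Action = 'kept (explicit exception)' }
        elseif ($startMode -eq 'Disabled')  { $row.Action = 'already disabled' }
        elseif ($Apply) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $name -StartupType Disabled
            $row.Action = 'disabled'
        }
        else                                { $row.Action = 'would disable (run with -Apply)' }
        $row
    }
}

Invoke-ServiceMinimization | Format-Table -AutoSize            # dry run
# Invoke-ServiceMinimization -Keep Spooler -Apply                # host with a local printer
```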

Citadel Frame Advantage: The System Hardening Advisor scans all running services, compares them against CIS Benchmark recommendations, and generates a prioritized remediation plan.

3. Registry Hardening

The Windows Registry is the operating system's central nervous system. Hardening key registry values can prevent entire classes of attacks.

Critical Registry Hardening Settings

  • Disable LM Hash Storage: Set HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash to 1. LM hashes are trivially crackable.
  • Enable LSA Protection: Set HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL to 1. Prevents credential dumping tools like Mimikatz from reading LSASS memory.
  • Disable AutoRun: Set HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun to 255. Prevents USB-based malware propagation.
  • Enable DEP (Data Execution Prevention): Set boot configuration to OptOut mode via bcdedit /set nx OptOut.
  • Restrict Anonymous Access: Set HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous to 1.
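An added example (not from the original guide or from Citadel Frame) that checks the five settings above and sets them when run with -Apply. The registry values are kept in a table with their expected value, so the same script serves as a drift check from a scheduled task; DEP is read from the BCD store because it is a boot setting rather than a registry value.

```powershell
# Added example: audit/enforce the registry hardening baseline listed above.
$registryBaseline = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'NoLMHash'; Value = 1;
       Why = 'Stop storing LM hashes' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RunAsPPL'; Value = 1;
       Why = 'LSA Protection (takes effect after a reboot)' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Value = 255;
       Why = 'Disable AutoRun on all drive types (0xFF)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous'; Value = 1;
       Why = 'Restrict anonymous enumeration' }
)

function Test-RegistryBaseline {
    param([switch]$Apply)
    foreach ($item in $registryBaseline) {
        $current = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
        $compliant = ($current -eq $item.Value)
        if (-not $compliant -and $Apply) {
            if (-not (Test-Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
            New-ItemProperty -Path $item.Path -Name $item.Name -Value $item.Value -PropertyType DWord -Force | Out-Null
            $current = $item.Value; $compliant = $true
        }
        [pscustomobject]@{ Setting = $item.Name; Expected = $item.Value; Current = $current; Compliant = $compliant; Why = $item.Why }
    }

    # DEP lives in the boot configuration: bcdedit prints "nx  OptOut" only when it has been set
    $match = bcdedit /enum '{current}' | Select-String '^nx\s+(\S+)' | Select-Object -First 1
    $nx = if ($match) { $match.Matches[0].Groups[1].Value } else { 'not set (defaults to OptIn)' }
    if ($nx -ne 'OptOut' -and $Apply) { bcdedit /set nx OptOut | Out-Null; $nx = 'OptOut' }
    [pscustomobject]@{ Setting = 'DEP (nx)'; Expected = 'OptOut'; Current = $nx; Compliant = ($nx -eq 'OptOut'); Why = 'Data Execution Prevention' }
}

Test-RegistryBaseline | Format-Table -AutoSize     # dry run; add -Apply to enforce
```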

4. Account and Password Policies

Weak authentication is the root cause of over 60% of breaches according to the Verizon DBIR. Windows provides granular controls over password complexity, account lockout, and privilege management.

Password Policy Recommendations

  • Minimum length: 14 characters (NIST SP 800-63B recommends passphrase-style)
  • Enable password history: Remember at least 24 passwords
  • Maximum password age: 365 days (NIST no longer recommends frequent rotation)
  • Account lockout: 5 invalid attempts, 30-minute lockout duration

Privilege Management

Never use an administrator account for daily work. Create a standard user account and elevate privileges only when needed via UAC (User Account Control). Set UAC to "Always notify" — the most secure setting.
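An added example (not from the original guide or from Citadel Frame) that applies the password and lockout values listed above to the local policy with net accounts and sets UAC to "Always notify" (ConsentPromptBehaviorAdmin = 2 with PromptOnSecureDesktop = 1). On domain-joined machines these settings come from Group Policy and should be set there instead; the local values are overwritten at the next policy refresh.

```powershell
# Added example: local password/lockout policy and UAC "Always notify".
function Set-LocalAccountPolicy {
    param([switch]$Apply)
    if ($Apply) {
        net accounts /minpwlen:14 /uniquepw:24 /maxpwage:365 `
                     /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null
    }
    net accounts    # prints the effective policy, useful as the audit record either way
}

function Set-UacAlwaysNotify {
    param([switch]$Apply)
    $path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $wanted = [ordered]@{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 }
    foreach ($name in $wanted.Keys) {
        $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -ne $wanted[$name] -and $Apply) {
            Set-ItemProperty -Path $path -Name $name -Value $wanted[$name] -Type DWord
            $current = $wanted[$name]
        }
        [pscustomobject]@{ Setting = $name; Expected = $wanted[$name]; Current = $current; Compliant = ($current -eq $wanted[$name]) }
    }
}

Set-LocalAccountPolicy                          # dry run: show current policy
Set-UacAlwaysNotify | Format-Table -AutoSize    # dry run; add -Apply to both to enforce
```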

5. Attack Surface Reduction (ASR) Rules

Windows Defender includes Attack Surface Reduction rules that block common attack techniques at the OS level. These are among the most powerful — and most underutilized — security controls available.

Essential ASR Rules to Enable

  • Block executable content from email client and webmail
  • Block all Office applications from creating child processes
  • Block JavaScript or VBScript from launching downloaded executable content
  • Block execution of potentially obfuscated scripts
  • Block Win32 API calls from Office macros
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block process creations originating from PSExec and WMI commands
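An added example (not from the original guide or from Citadel Frame) that configures the seven rules above through Microsoft Defender's Add-MpPreference and reports their current state. The rule GUIDs are Microsoft's published identifiers for these rules; check them against the current ASR rules reference before deployment. The default here is AuditMode: audited rules write event ID 1122 (blocks write 1121) to the Microsoft-Windows-Windows Defender/Operational log, and those events tell you what would break before you switch to Enabled.

```powershell
# Added example: ASR rules, audit first, then enforce.
$asrRules = [ordered]@{
    'Block executable content from email client and webmail'                 = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block all Office applications from creating child processes'            = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block JavaScript/VBScript from launching downloaded executable content' = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Block execution of potentially obfuscated scripts'                      = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block Win32 API calls from Office macros'                               = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
    'Block credential stealing from LSASS'                                   = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
    # Microsoft documents this rule as incompatible with Configuration Manager client
    # management; keep it in AuditMode where that agent is in use.
    'Block process creations originating from PSExec and WMI commands'       = 'D1E49AAC-8F56-4280-B9BA-993A6D77406C'
}

function Set-AsrBaseline {
    param([ValidateSet('AuditMode','Enabled','Disabled')][string]$Mode = 'AuditMode')
    foreach ($entry in $asrRules.GetEnumerator()) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $entry.Value `
                         -AttackSurfaceReductionRules_Actions $Mode
        "$Mode : $($entry.Key)"
    }
}

function Get-AsrStatus {
    # Get-MpPreference returns actions as integers: 0 Disabled, 1 Block, 2 Audit, 6 Warn
    $pref       = Get-MpPreference
    $actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $ids        = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
    foreach ($entry in $asrRules.GetEnumerator()) {
        $idx   = [array]::IndexOf($ids, $entry.Value.ToUpper())
        $state = if ($idx -ge 0) { $actionName[[int]$pref.AttackSurfaceReductionRules_Actions[$idx]] } else { 'not configured' }
        [pscustomobject]@{ Rule = $entry.Key; Id = $entry.Value; State = $state }
    }
}

Set-AsrBaseline -Mode AuditMode
Get-AsrStatus | Format-Table -AutoSize
# After reviewing 1122 events: Set-AsrBaseline -Mode Enabled
```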

Citadel Frame Advantage: Our Compliance Engine includes pre-built ASR rule profiles mapped to CIS Controls v8 and NIST CSF 2.0, with one-click deployment and continuous monitoring.

6. BitLocker and Storage Encryption

Full-disk encryption is mandatory for any system that could be physically stolen — which includes every laptop and most workstations. BitLocker provides transparent encryption with minimal performance impact.

  • Enable BitLocker on all fixed drives
  • Require TPM 2.0 + PIN for pre-boot authentication
  • Use XTS-AES 256-bit encryption for operating system drives
  • Store recovery keys in Active Directory or Azure AD (never local-only)
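An added example (not from the original guide or from Citadel Frame) that turns the four points above into one function: recovery password protector created and escrowed first, then XTS-AES-256 encryption with a TPM-and-PIN protector. It assumes a ready TPM 2.0, a domain-joined machine with Active Directory key backup configured, and the Group Policy setting that permits a startup PIN under "Require additional authentication at startup"; without that policy, Enable-BitLocker refuses the -TpmAndPinProtector request. For Entra ID (Azure AD) joined devices, replace Backup-BitLockerKeyProtector with BackupToAAD-BitLockerKeyProtector.

```powershell
# Added example: BitLocker on the OS drive with TPM+PIN, XTS-AES-256 and AD key escrow.
function Enable-OsDriveBitLocker {
    param(
        [Parameter(Mandatory)][securestring]$Pin,
        [string]$MountPoint = 'C:'
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') { "$MountPoint is already protected"; return $vol }

    if (-not (Get-Tpm).TpmReady) { throw 'TPM is not ready; initialise it before enabling BitLocker' }

    # Create and escrow the recovery password before encryption starts, so a key
    # always exists in AD even if the process is interrupted
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null

    # Pre-boot authentication: TPM + PIN; -SkipHardwareTest avoids the extra reboot cycle
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $Pin -SkipHardwareTest | Out-Null

    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, EncryptionMethod, VolumeStatus, ProtectionStatus, EncryptionPercentage
}

$pin = Read-Host -AsSecureString -Prompt 'Pre-boot PIN'
Enable-OsDriveBitLocker -Pin $pin
```

Verify escrow actually happened before relying on it: the recovery password should appear on the computer object in Active Directory Users and Computers (BitLocker Recovery tab) after the Backup call returns.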

7. Network Hardening

Even with a properly configured firewall, additional network-level hardening reduces your exposure to network-based attacks.

  • Disable NetBIOS over TCP/IP: Removes the NBT-NS name resolution poisoning vector (the NetBIOS counterpart of LLMNR poisoning)
  • Disable LLMNR: Via Group Policy under Computer Configuration > Administrative Templates > Network > DNS Client; removes the LLMNR poisoning vector
  • Enable SMB Signing: Prevents man-in-the-middle attacks on file shares
  • Disable SMBv1: The protocol behind WannaCry and NotPetya. No modern software requires it.
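An added example (not from the original guide or from Citadel Frame) that audits and applies the four network settings above on a single host. LLMNR is set through the same policy value the Group Policy path writes (EnableMulticast under the DNS Client policy key), NetBIOS is disabled per adapter through the Win32_NetworkAdapterConfiguration SetTcpipNetbios method, and SMB signing is required on both the server and client side. Requiring client-side signing means the host can no longer talk to file servers that cannot sign, so check your NAS and legacy appliances first.

```powershell
# Added example: SMBv1 off, SMB signing required, LLMNR and NetBIOS-over-TCP/IP disabled.
function Set-NetworkHardening {
    param([switch]$Apply)
    $report = @()

    # SMBv1: remove the optional feature and make the server refuse the dialect
    $smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $report += [pscustomobject]@{ Control = 'SMBv1 feature'; Current = $smb1.State; Wanted = 'Disabled' }
    if ($Apply -and $smb1.State -ne 'Disabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }

    # SMB signing in both directions
    $srv = Get-SmbServerConfiguration; $cli = Get-SmbClientConfiguration
    $report += [pscustomobject]@{ Control = 'SMB server signing required'; Current = $srv.RequireSecuritySignature; Wanted = $true }
    $report += [pscustomobject]@{ Control = 'SMB client signing required'; Current = $cli.RequireSecuritySignature; Wanted = $true }
    if ($Apply) {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    }

    # LLMNR: EnableMulticast = 0 under the DNS Client policy key
    $llmnrPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr = (Get-ItemProperty -Path $llmnrPath -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $report += [pscustomobject]@{ Control = 'LLMNR (EnableMulticast)'; Current = $llmnr; Wanted = 0 }
    if ($Apply -and $llmnr -ne 0) {
        New-Item -Path $llmnrPath -Force | Out-Null
        New-ItemProperty -Path $llmnrPath -Name EnableMulticast -Value 0 -PropertyType DWord -Force | Out-Null
    }

    # NetBIOS over TCP/IP per adapter: TcpipNetbiosOptions 2 = disabled
    foreach ($nic in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
        $report += [pscustomobject]@{ Control = "NetBIOS on $($nic.Description)"; Current = $nic.TcpipNetbiosOptions; Wanted = 2 }
        if ($Apply -and $nic.TcpipNetbiosOptions -ne 2) {
            Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
        }
    }
    $report
}

Set-NetworkHardening | Format-Table -AutoSize    # dry run; add -Apply to enforce
```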

Citadel Frame Advantage: The Network Connection Monitor provides real-time visibility into all network connections with protocol analysis and anomaly detection.

8. Audit and Logging

You can't detect what you don't log. Configure comprehensive audit policies to capture security-relevant events.

  • Enable Advanced Audit Policy Configuration (not basic audit policy)
  • Log account logon events (success and failure)
  • Log privilege use (sensitive and non-sensitive)
  • Log object access for sensitive directories
  • Log process creation with command-line logging enabled
  • Forward logs to a central SIEM or monitoring tool
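An added example (not from the original guide or from Citadel Frame) covering the first five points above: it enables the relevant Advanced Audit Policy subcategories with auditpol, makes the advanced policy take precedence over the legacy one (SCENoApplyLegacyAuditPolicy), turns on command-line capture for process creation, and then reads back recent 4688 events in the shape a SIEM rule would consume. Object access auditing only produces events for folders that carry a SACL, so add one to your sensitive directories after enabling the File System subcategory.

```powershell
# Added example: advanced audit policy with command-line logging, plus a 4688 reader.
$auditSubcategories = @(
    'Credential Validation', 'Logon', 'Account Lockout',          # account logon events
    'Sensitive Privilege Use', 'Non Sensitive Privilege Use',     # privilege use
    'File System',                                                # object access (needs SACLs)
    'Process Creation', 'Audit Policy Change'
)

function Set-AuditBaseline {
    param([switch]$Apply)
    if ($Apply) {
        foreach ($sub in $auditSubcategories) {
            auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
        }
        # Advanced Audit Policy Configuration overrides the basic policy
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord
        # Include the full command line in event 4688
        $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
        New-Item -Path $p -Force | Out-Null
        New-ItemProperty -Path $p -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -PropertyType DWord -Force | Out-Null
    }
    auditpol /get /category:*    # effective policy, for the audit record
}

function Get-RecentProcessCreations {
    param([int]$Count = 10)
    # 4688 carries NewProcessName, ParentProcessName and (once enabled above) CommandLine
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $Count |
        ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Process     = $d['NewProcessName']
                Parent      = $d['ParentProcessName']
                CommandLine = $d['CommandLine']
            }
        }
}

Set-AuditBaseline                                         # dry run: prints current policy
Get-RecentProcessCreations | Format-Table -AutoSize -Wrap
```

For the last point in the list, Windows Event Forwarding or your SIEM agent should collect the Security log from every host; the 4688 reader above is the local check that the events you expect to forward are actually being generated.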

Automate Your Hardening

Manual hardening is time-consuming and error-prone. Citadel Frame automates the entire hardening process with CIS Benchmark and NIST-aligned profiles. Run a single scan to identify gaps, then apply one-click remediation across your entire system.

The full feature suite includes real-time threat scanning, breach monitoring, ransomware protection, and compliance reporting — everything you need to maintain a hardened security posture over time.

Download Citadel Frame free and run your first hardening scan in under 3 minutes.
