Hard_Configurator is highly recommended and will save a lot of your time.

Requirements

• [x] Standards for a highly secure Windows device
• [x] System up2date with latest Windows stable version
• [x] (default activated) and Up2date internal Microsoft Defender protection instead of external "Security" solutions
• [x] Latest Driver and Program updates
• [x] No "Tuning" tools (not even stuff like Ccleaner!)
• [x] Only necessary programs / apps / games which you realy need
• [x] avoid insecure software like 7-Zip (which e.g. lacks Anti-Exploit and MOTW support), Open/ LibreOffice, Firefox, True/Veracrypt, ...
• [x] stay away from "Anti-Spying"/ "Anti-Telemetry"/.. tools and use official documentation
• [x] Hardware Requirements for System Guard / Hardware-based Isolation
• [x] Hardware Requirements for Memory integrity
• [x] Hardware Requirements for Microsoft Defender Application Guard (WDAG)
• [x] Hardware Requirements for Microsoft Defender Credential Guard

Hardening

• [x] set User Account Control (UAC) to maximum
• [x] create another Admin account and transform your current one to limited/ restricted/ standard user account to reduce the attack surface enormously. Don't use Admin account for your tasks!
• [x] use Software Restriction Policies (SRP) with a default-deny mode
• [x] execute/ open new files with one-day-delay because after one day, the malware is not 0-day anymore
• [x] block all incoming connections with Microsoft Defender Firewall
• [x] Always display file type extension
• [x] Manage Microsoft Defender Credential Guard
• [x] Install Microsoft Defender Application Guard (WDAG)
• [x] Enable Memory integrity (HVCI)
• [x] Enable Network Protection (NP)
• [x] Enable SmartScreen and enable SmartScreen Log
• [x] Enable Controlled Folder Access (CFA)
• [x] Enable Attack Surface Reduction rules (ASR)
• [x] Harden Address Space Layout Randomization (ASLR)
• [x] Enable System Guard Secure Launch
• [x] Enable cloud-delivered protection
• [x] Activate Potentially unwanted applications (PUA) protection
• [x] Enable Bitlocker Encryption with TPM, optionally with Startup PIN & read about Countermeasures and reduce DMA threats
• [x] Use Windows Sandbox for unknown/ untrusted binarys - you can use it with right click menu - or use Virtual Machine with Hyper-V
• [x] Enable sandboxing for Microsoft Defender Antivirus
• [x] Only elevate executables which are signed and validated
• [x] use the only browser on Windows that natively supports hardware isolation: Edge
• [x] use EFS file encryption for very sensitive files - also compatible with Bitlocker
• [x] (if OneDrive is used), harden it with Windows CFA (Control Folder Access aka Ransomware Protection)
• [x] avoid old file systems like FAT32 as such format does not preserve Alternative NTFS Streams (Mark Of The Web is skipped)
• [x] While DNS encryption isn't perfect both Quad9 and AdGuard are recommend. Quad9 provide a easy solution with Apple signed profiles. NextDNS is another service, but it struggles with stability/performance and support issues.

Further Hardening

• [ ] Specify the cloud-delivered protection level
• [ ] Configure Exploit Protection, like Edge 90+ with enforced CET
• [ ] Microsoft recommended block rules
• [ ] Control USB devices and other removable media
• [ ] UEFI Hardening (NSA Defensive Practices Guidance) PDF & Hardware-and-Firmware-Security-Guidance
• [ ] Hardware and Firmware Security Guidance for Windows & AMD CPUs - you will find more in the overview
• [ ] Deploy Windows Security Baselines and keep it up2date
• [ ] use Mandatory Integrity Control
• [ ] Custom ADMX template focused on hardening Windows 10 systems

Enterprise level

• [ ] Application Control (WDAC) - Microsoft's Policy Wizard will help a lot
• [ ] Enterprise Certificate Pinning
• [ ] Block untrusted fonts in an enterprise
• [ ] Web protection
• [ ] Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
• [ ] Manage Windows Hello for Business
• [ ] Protect against DLL Search Order Hijacking
• [ ] report a vulnerable or malicious driver to the Windows and Defender teams
• [ ] Video from Matt Soseman: Investigating Backdoor Attacks w/ Microsoft Defender ATP
• [ ] Video from Matt Soseman: Investigating a Fileless Attack w/ Microsoft Defender ATP & Exploit Protection
• [ ] Video from Matt Soseman: What is the Microsoft Cybersecurity Reference Architectures (MCRA) and why should I care?
• [ ] Microsoft Defender ATP secure score
  

Test Config

• Validate connections between your network and the Microsoft Defender Antivirus cloud service
• Verify client connectivity to Microsoft Defender ATP service URLs
• Validate Microsoft Defender Tamper protection
• Confirm and validate that Defender "Block at First Sight" (BAFS) is enabled
• Microsoft Defender Testground
• Microsoft Defender SmartScreen Demo Pages
• Validate your Kernel DMA Protection
• Test your Antimalware Scan Interface (AMSI)
• Test your Network protection
• Changelogs for Defender security intelligence updates
• check if your Bitlocker is safe against Bitleaker: Blog
• Process Monitor (tool from Microsoft) filter for finding privilege escalation vulnerabilities on Windows
• winchecksec performs static detection of common Windows security features
• Sysmon configuration file template with default high-quality event tracing

Reading Material:

• Defender Firewall with Advanced Security
• https://github.com/frizb/Windows-Privilege-Escalation
• https://github.com/LOLBAS-Project/LOLBAS
• https://github.com/api0cradle/UltimateAppLockerByPassList
• https://trustedwindows.wordpress.com/
• https://docs.microsoft.com/en-us/windows-hardware/drivers/install/early-launch-antimalware
• https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria
• https://docs.microsoft.com/en-us/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10
• https://docs.microsoft.com/en-us/windows/security/
• a picture about Microsoft Defender local and cloud script protection
• a picture about Attack Surface Reduction (ASR) Rules
• Security Unlocked - The Microsoft Security Podcast
• How the hell WD works on Windows Home & Pro documentation from AndyFul
• Windows AppContainer Isolation - what it does? from AndyFul
• Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection
• Windows Defender Application Control (WDAC) Resources / PowerShell script
• Why UAC is important at maximum (not default) level: 1, 2, 3, 4, ..
• Testing DLL Search Order Hijacking against security features from AndyFul
• Some info about training AMSI machine learning models from AndyFul
• Cheap sandboxing with AppContainers Blog
• Meet the Microsoft Pluton processor – The security chip designed for the future of Windows PCs Blog
• Complete W^X implementation in Windows with ACG
• Understanding Hardware-enforced Stack Protection (CET)
• Threat Detection using Windows Defender Application Control (Device Guard) in Audit Mode Blog
• Security Unlocked - The Microsoft Security Podcast about Below the OS: UEFI Scanning in Defender
• How the (Powershell) Constrained Language Mode is enforced Blog
• Application Control denies execution of randomly generated PowerShell PS1 files Blog
• Applocker and PowerShell: how do they tightly work together? Blog
• PowerShell 5.0 and Applocker. When security doesn’t mean security Blog
• German BSI - SiSyPHuS Win10: Study on System Integrity, Logging, Hardening and Security relevant Functionality in Windows 10
• rc3 event - Breaking Thunderbolt 3 Security
• CIS Security Benchmark
• NIST Security Technical Implementation Guide
• AppLocker and WDAC help Blog
• Microsoft Defender Attack Surface Reduction (ASR) recommendations
• Adventures in Extremely Strict Device Guard (WDAC) Policy Configuration Blog
• Building a Simple, Secure Windows-only WDAC Policy Blog
• Application Control on Windows 10 Home
• Windows Hello - Why a PIN is better than a password
• Battle of the SKM and IUM: How Windows 10 Rewrites OS Architecture (blackhat USA 2015 talk)
• Defender (with ConfigureDefender tool) vs fileless malware
• Offense and Defense – A Tale of Two Sides: Bypass UAC
• Microsoft Windows Antimalware Scan Interface (AMSI) Bypasses
• Windows security book in web doc form
• Video from Matt Soseman: Smartscreen in Edge (& Chrome) to block phishing & malicious websites
• Video from Matt Soseman: Block at First Sight (BAFS): Windows Defender blocking malware in SECONDS!
• Video from Matt Soseman: How Controlled Folder Access (CFA) works in Windows
• Video from Matt Soseman: Block Potentially Unwanted Applications (PUA) in Microsoft Defender Antivirus
• Video1, Video2 from Matt Soseman: Attack Surface Reduction (ASR) in Windows
• Video from Matt Soseman: Hardware Isolated Browsing w/ Microsoft Defender Application Guard
• what is meant by "User Space"
• what the feature "Allow apps from the store only" does