Initial System Setup – Security Hardening

A step-by-step walkthrough of hardening a Windows system — from updates and drive encryption to endpoint protection, account hygiene, and logging.

Step 1: Check Updates, Firmware, and Boot Trust

The very first best practice to run through prior to system setup and configuration is running all available updates straight away.

Running all available Windows updates & security patches, system updates, drivers, and any available firmware update listed under Optional Updates within Windows Settings > Updates.

After getting all of those run through, I run these PowerShell commands to verify secure boot is enabled and confirm the BIOSFirmwareType that is being worked with on the given system prior to enabling BitLocker for drive encryption.

Updates and firmware step 1 Updates and firmware step 2 Updates and firmware step 3 Updates and firmware step 4

Step 2 – Disk & Device Protection

In this step, I'm going to go through how to enable BitLocker encryption for two different partitions C: System and D: Data on a single SSD drive, and securely backup the recovery keys.

In this example, I'm going to enable BitLocker on both disk partitions with the use of PowerShell to implement drive protection.

Get-Tpm Enable BitLocker step 2 Enable BitLocker step 3 Add Recovery Key Get BitLocker Volume Enable BitLocker on D Enable Auto Unlock Enable BitLocker Volume Get BitLocker Volume final

Step 3 – Endpoint Protection Strategy

In this step, I'm going to install and setup the commercial BitDefender antivirus solution.

Install & Setup BitDefender

BitDefender setup step 1 BitDefender setup step 2 BitDefender setup step 3 BitDefender setup step 4 BitDefender setup step 5 BitDefender setup step 6 BitDefender setup step 7 BitDefender setup step 8 BitDefender setup step 9 BitDefender setup step 10 BitDefender setup step 11 BitDefender setup step 12 BitDefender setup step 13 BitDefender setup step 14 BitDefender setup step 15 BitDefender setup step 16 BitDefender setup step 17 BitDefender setup step 18 BitDefender setup step 19

Step 4 – Account & Privilege Hygiene

In a previous step a standard, non-admin regular user account was created for daily operations. This is one of the best practices any technician can implement on their individual computer system.

With that in place, the system has this account & privilege configuration:

  • Daily user is standard, not admin
  • Separate local admin account exists
  • Default Administrator renamed or disabled
  • UAC left at default or higher

Step 5 – OS-Level Platform Security

Windows Security has quite a few uniquely built-in security features that are indeed worth taking advantage of. This goes an extra mile on the OS-Level Platform Security with BitDefender and Microsoft Defender Antivirus all running.

Security at a Glance

Enable any applicable features.

Windows Security at a glance 1 Windows Security at a glance 2

Virus & Threat Detection

Here we have BitDefender Antivirus set to take precedence over Microsoft Defender Antivirus.

Virus and threat detection

Firewall & Network Protection

Ensure the OS-Level Firewall is enabled for Domain, Private, and Public networks.

Firewall and network protection

App & Browser Control

App and browser control

Device Security

Core isolation and Memory Integrity.

Device security core isolation Device security memory integrity

Device Performance & Health

Device performance and health

Step 6 – Network Exposure Reduction

Reduce lateral movement opportunities.

  • Windows Defender Firewall enabled
  • Inbound connections blocked by default
  • RDP added to authorized admin group only
Network exposure reduction step 1 Network exposure reduction step 2 Network exposure reduction step 3

Step 7 – Logging & Visibility

For logging and visibility this out-of-the-box security hardening setup & implementation is limited on enterprise tooling to monitor and detect for threats, so I engineered visibility with what Windows already provides out-of-the-box — PowerShell.

Here I have some lightweight PowerShell scripts that run on a daily schedule to check for any suspicious IP connections, run port scans, local IP scans, and generate a daily logon and special privilege report.

While there is no specialized tooling, this allows the use of PowerShell scripting and automation to examine the frequent things that bring threats — suspicious connections, open ports, new IPs on the network, and a logon report that monitors successful and failed logon attempts, and special assigned permissions with a given identity (e.g., system user account).

BitDefender Vulnerability Scan

BitDefender vulnerability scan 1 BitDefender vulnerability scan 2 BitDefender vulnerability scan 3 BitDefender vulnerability scan 4 BitDefender vulnerability scan 5

Daily Logon Report

Daily logon report 1 Daily logon report 2 Daily logon report 3 Daily logon report 4 Daily logon report 5 Daily logon report 6 Daily logon report 7

IP Monitoring

IP monitoring 1 IP monitoring 2 IP monitoring 3 IP monitoring 4 IP monitoring 5 IP monitoring 6 IP monitoring 7 IP monitoring 8 IP monitoring 9

Local IP Scan

Local IP ICMP scan 1 Local IP ICMP scan 2 Local IP TCP fallback scan 3 Local IP TCP fallback scan 4 Local IP TCP fallback scan 5

Port Scanning

Port scanner 1 Port scanner 2 Port scanner 3 Port scanner 4 Port scanner 5 Port scanner 6 Port scanner 7

Post Security Controller Script

Automates all of the above activities at once.

Security controller script 1 Security controller script 2 Security controller script 3