When it comes to Windows 10, there are a number of features that can be set to make it more secure. There are many versions to Windows 10 which include: 1507, 1511, 1607, 1703, 1709, 1803, 1809 and 1903, but 1903 is considered to be the latest of the Windows 10 operating system there is. Securing systems are not always simple that is why many people choose not to or have someone else do it for them. Securing multiple systems could require the use of group policy and systems being on a network because it’s just easier and less work to do it that way, plus it reduce manpower which in turns saves the organization tons of money depending on how many systems they have to make these changes to.
Settings to change when it comes to securing Windows 10 include: configuring new App privacy, disable multicast, restricting NetBT Node, correct the Domain Controller, changing Windows Defender setting, changing admin local account information, renaming the admin account, turning off tracking and location, turn off Cortana, ditching the Microsoft account, change app permissions, control and delete diagnostic data, use the Microsoft Privacy Dashboard and much more. Using these features along with others from CIS Benchmarks will really help secure Windows 10 overall.
Ways to secure Windows 10 include:
Configure the new app privacy settings one must know that it allows them to prevent users from communicating with other application using speech recognition while the system is locked. By using the new App Privacy setting that can prevent the communication from occurring.
Disabling multicast name resolution (LLMNR) will help reduce server spoofing threats (requires group policy changes).
Restricting the NetBT Node Type to R-node prevents the system from broadcasting and mitigates server spoofing threats (requires changes in the registry).
Correcting the Domain Controller baseline allows auditing settings for Kerberos authentication services to be activated for better monitoring purposes (group policy).
Disabling the password expiration policies that require periodic password changes.
Change the Windows Defender Exploit Protection XML configuration to allow Groove.exe to launch the child processes in order to initiate for parent processes.
Administrators can also choose to disable local administration accounts and only use domain accounts to reduce the exposure of administrative access.
Activate only one administrator account per computer
Ensure passwords are using local admin password solutions (LAPS) because they are more random and strong
Rename the admin account through group policy to help mitigate threats
Turn off ad tracking to prevent the browser from gathering data. Action to take: Privacy->General->Change privacy options
Turn off location tracking. Action to take: Privacy->Location->Click off (This allows access to location to be turned off)
Turn off timeline. Action to take: Settings->Privacy->Activity history and uncheck the boxes next to “store my activity history on the device” and “send my activity history in Microsoft”
Turn off Cortana to help reduce privacy concerns related to your home address, place of work, routes with times and other things. Actions to take: Click “Manage the information Cortana can access from this device” and turn off location or as a group policy type in “gpetit.msc-> computer configuration->administrative templates->Windows components-> search->allow Cortana->set to disable
Don’t use the Microsoft Account option, use the local account option because it prevents the Microsoft Store from gathering information bout you. Action to take: Settings->Account-> select “sign in with local account instead”
Change App permissions to prevent apps from accessing your camera, location, microphone, pictures and videos. Actions to take: Settings->Privacy->App permissions->turn off (based on what you do not want on)
Control and delete diagnostics data to prevent it from gathering information about you. Actions to take: Settings->Privacy->Diagnostics and Feedback->set to “Basic” (Basic sends information about your device and full sends information about your device and much more). Also, perform a “delete diagnostics data” to delete out any information stored on your device.
Use the Microsoft Privacy Dashboard by going to https://account.microsoft.com/privacy. This dashboard allows one to delete your history from various sources within your device such as your histories, activities and more
Overall using most, if not all of these features allows one to become more aware of what information is available to others in various places like Microsoft. By reducing the need for them to gain information from your device(s) increases your privacy level. Users/administrators should consider which features work best for them and adjust them as needed. Users have the ability to turn features off and on as needed such as the microphones, camera, location, pictures and videos. Only system/network administrators have the capability of turning on certain features in groups by using group policy but it is up to their discretion to make that determination for the organization as a whole. No matter how private and secure one would like their device to be no device can be 100% secure unless they take it offline.