In May 2018 the Australian Cyber Security Centre published an updated list of recommended configuration settings for hardening Windows 10 version 1709. This 50-page guide provides easily readable recommendations along with explanations of why the settings should be changed.
Among the topics covered are:
- Baseline settings for implementing AppLocker and application white-listing
- Implementing Credential Guard
- Password and Auditing recommendations
- Settings for exploit protection
- Securing Microsoft Edge browser
- Patching settings
- BitLocker recommended settings
- Removing legacy protocols such as WPAD, NetBIOS, SMB1, and LLMNR
- Remote Desktop security settings
I highly recommend administrators take the time to read this short guide and begin implementing the recommendations. It’s time to limit what attackers on the network can enumerate anonymously and disable protocols without authentication that can be used to redirect traffic. The workstation is the security boundary and you must assume breach. Tightening down the network will limit an attacker's options for information gathering and lateral movement.
I have a copy with highlights and annotations which can be found here.