{"id":6280,"date":"2019-02-26T09:45:12","date_gmt":"2019-02-26T15:45:12","guid":{"rendered":"https:\/\/www.poweradmin.com\/blog\/?p=6280"},"modified":"2019-02-15T12:34:50","modified_gmt":"2019-02-15T18:34:50","slug":"how-to-strengthen-security-on-windows-10-networks","status":"publish","type":"post","link":"https:\/\/www.poweradmin.com\/blog\/how-to-strengthen-security-on-windows-10-networks\/","title":{"rendered":"How to Strengthen Security on Windows 10 Networks"},"content":{"rendered":"

By Des Nnochiri<\/span><\/strong><\/span><\/p>\n

\u00a0<\/p>\n

The Windows 10 operating system has had a reputation for poor design and lax practices on information privacy and security for some time. It\u2019s debatable exactly how bad the OS actually is or isn\u2019t in this regard. In this article, we\u2019ll be exploring some methodologies and best practices for <\/span>hardening the security status<\/a><\/span> of your Windows 10 workstations and network configuration. <\/span><\/p>\n

\u00a0<\/span><\/p>\n

Disable Server Message Block (SMB) Version 1<\/span><\/h2>\n

\u00a0<\/span><\/p>\n

Server Message Block (SMB) is an internet standard protocol which has been used on top of the TCP\/IP protocol for many years by Windows systems. SMB enables Windows 10 to share files, printers, and serial ports. Version 1 of the protocol (SMB v1) has been around since Windows 95 and remains in use to this day. As you might expect, within that time, several exploits and abuses of SMB have been developed. Blended attacks combining ransomware with other strains of malware are most common\u2014and any Windows 10 network still deploying this early version of the standard is very much at risk.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

If you\u2019re familiar with editing the Windows 10 registry, then group policy with a registry key may be used to disable SMB v1 on any hardware that\u2019s running it. Alternatively, you may follow the guidelines in Microsoft\u2019s KB2696547 security update to detect if SMB v1 is present on a system and use the specified procedure to disable it.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Windows 10 allows you to use PowerShell to determine if SMB v1 has been enabled. PowerShell will return the currently-enabled SMB state of a machine when you type the following syntax:<\/span><\/p>\n

\u00a0<\/span><\/p>\n

command Get-WindowsOptionalFeature \u2013Online \u2013FeatureName SMB1Protocol <\/span><\/p>\n

\u00a0\"\"<\/a><\/span><\/p>\n

\u00a0<\/span><\/p>\n

(Image Source: <\/span>CSO Online<\/a><\/span>)<\/span><\/p>\n

\u00a0<\/span><\/p>\n

SMB v1 can also be blocked at the firewall and internet levels of your network. Most firewalls will do this by default, blocking all versions of SMB at the network boundary via TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139. <\/span><\/p>\n

\u00a0<\/span><\/p>\n

Copiers, printers, and network-accessible storage devices on older systems may still rely on SMB v1 for their functionality. Having assessed the potential risk of allowing these devices to continue using the protocol, you may need to contact the vendors to find out if there\u2019s a firmware upgrade available that supports a more recent version of SMB. <\/span><\/p>\n

\u00a0<\/span><\/p>\n

Later versions of the Server Message Block protocol offer greater protection, particularly in the strength of data encryption and user authentication that they provide. If you must use SMB on your Windows 10 network, then be sure to upgrade any existing installations to SMB version 3.0 or above.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Adjust Your Firewall and Proxy Settings<\/span><\/h2>\n

\u00a0<\/span><\/p>\n

As with any computer network, certain pieces of hardware and software may be the standard for maintaining security. Antivirus or anti-malware suites, intrusion detection\/prevention mechanisms, and system-monitoring devices would be examples. Firewalls would also come into this category, and unless your network employs independent or third-party firewall protection, your Windows 10 security regime will need to take the proper configuration of the operating system\u2019s native firewall into account.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

\"\"<\/a><\/p>\n

\u00a0<\/p>\n

(Image Source: <\/span>Microsoft<\/a><\/span>)<\/span><\/p>\n

\u00a0<\/span><\/p>\n

The Windows 10 firewall now supports Windows Subsystem for Linux processes. So if you\u2019re hosting Linux in virtual machines, you can add exceptions in the firewall for Linux processes such as SSH or web servers like Nginx.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Adjust Your Privacy Settings<\/span><\/h2>\n

\u00a0<\/span><\/p>\n

As previously suggested, Windows 10 has been accused of serving as a data harvesting tool, giving Microsoft and its affiliates access to names, contact data, demographics, location, usage statistics, payment credentials, and other sensitive information. And the first stage in configuring Windows 10 for privacy is to go through the privacy policy and terms of service associated with the OS.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Armed with this knowledge, you can then use Start > Settings > Privacy to access the Privacy settings area of Windows 10. Options available generally allow you to either turn a feature on or off, or to leave it on \u2013 and then specify which apps or processes it should apply to.<\/span><\/p>\n

\u00a0<\/p>\n

\"\"<\/a><\/p>\n

\u00a0<\/p>\n

(Image Source: <\/span>Heimdal Security<\/span><\/a><\/span>)<\/span><\/p>\n

\u00a0<\/span><\/p>\n

In particular, you should pay attention to the following:<\/span><\/p>\n

\u00a0<\/span><\/p>\n