Apply foundational security controls: disable unnecessary services, configure Windows Firewall, enforce least privilege, and audit system access. Security isn't a feature — it's a posture.
Security hardening is the process of reducing the attack surface of a system by eliminating unnecessary access, services, and vulnerabilities. Every default Windows installation has features enabled that most users don't need — each one is a potential entry point for attackers.
Hardening doesn't mean locking everything down until the system is unusable. It means applying the principle of least privilege: users and systems should have exactly the access they need to do their job, and nothing more.
| Hardening Category | What It Covers | Why It Matters |
|---|---|---|
| Account Security | Password policies, admin rights, MFA | Compromised credentials are the #1 attack vector |
| Service Reduction | Disable unused services and features | Every running service is a potential exploit target |
| Firewall Configuration | Block unnecessary inbound/outbound ports | Limits lateral movement and data exfiltration |
| Patch Management | Keep OS and applications updated | Most exploits target known, unpatched vulnerabilities |
| Audit & Logging | Enable event logging for key actions | Logs are required for incident investigation |
| Encryption | BitLocker, HTTPS, encrypted credentials | Renders stolen data unreadable |
The principle of least privilege (PoLP) is the most important security concept in IT. Every account should have the minimum access required to perform its function. No more. A user who only needs to read files should not have write access. An application service account should not have admin rights.
| Violation | Risk | Correct Approach |
|---|---|---|
| User running as local admin daily | Malware gets admin rights automatically | Standard user account; separate admin account for admin tasks |
| Service accounts with Domain Admin | One compromised service = full domain compromise | Grant only the specific permissions the service needs |
| Everyone has write access to a shared drive | Ransomware encrypts all files instantly | Read-only for those who don't need to write |
| No account expiry on contractor accounts | Former contractors retain access indefinitely | Set expiry dates on all temporary accounts |
Many organizations let users run as local administrators "because it's easier." This is one of the most dangerous practices in IT. When a user clicks a malicious email link, the malware inherits the user's admin rights and can install anything, modify the registry, disable antivirus, and create new accounts. Standard user accounts limit the blast radius of every infection.
| Control | What It Does | Where to Configure |
|---|---|---|
| Windows Firewall | Blocks unauthorized inbound/outbound connections | Windows Security → Firewall & network protection |
| BitLocker | Full-disk encryption; renders stolen drives unreadable | Control Panel → BitLocker Drive Encryption |
| UAC | Prompts for elevation before admin actions | Control Panel → User Account Control Settings |
| Windows Update | Patches known vulnerabilities | Settings → Windows Update |
| Audit Policies | Logs account logins, privilege use, file access | secpol.msc → Local Policies → Audit Policy |
| AppLocker / Software Restriction | Controls which applications can run | Group Policy → Application Control Policies |
| Disable SMBv1 | Removes legacy file-sharing protocol used by WannaCry | PowerShell: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol |
Use this procedure when deploying or auditing a Windows workstation or server for baseline security compliance. Test in a non-production environment before applying to live systems. Document all changes with before/after states.
Open Settings → Windows Update → Check for updates. Apply all pending updates including optional and driver updates. Reboot as required. Confirm the OS version and patch level meets your organization's minimum requirement. Unpatched systems negate all other hardening controls.
Open Computer Management → Local Users and Groups → Users. Disable or delete any accounts not actively used. Ensure the built-in Guest account is disabled (it is by default but verify). Rename or disable the built-in Administrator account if your policy requires it. Document all accounts that exist and their purpose.
Confirm the user's daily account is a Standard User, not Administrator. In Computer Management → Local Users and Groups → Groups → Administrators — the daily user account should NOT be listed. If it is, remove it and create a separate admin account for administrative tasks. This is critical for limiting malware blast radius.
Open Windows Security. Verify: Real-time protection is On, Definition updates are current (within 24 hours), Cloud-delivered protection is On, and no threats are currently detected. If Defender is disabled by policy (third-party AV is in use), verify the third-party AV is active and reporting to a management console.
Verify the Windows Firewall is enabled for Domain, Private, and Public network profiles (Windows Security → Firewall & network protection). For workstations, all three should show as On. Review any custom inbound rules added by software and remove rules for programs no longer installed. Never disable the firewall entirely — create specific rules instead.
Open Control Panel → BitLocker Drive Encryption. Enable BitLocker on the C: drive. Choose the encryption method (TPM-only for workstations that never leave the office; TPM+PIN for laptops). Save the recovery key to Active Directory or a secure location before completing encryption — losing the recovery key means losing the data. Allow encryption to complete before rebooting.
Open PowerShell as Administrator and run: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol. Also open Services.msc and set the following to Disabled if not required: Remote Registry, Telnet Client, FTP Server (if installed), and SNMP Service. Each disabled service removes a potential attack vector.
Open secpol.msc → Local Policies → Audit Policy. Enable Audit account logon events (Success and Failure) and Audit logon events (Success and Failure). This creates Event Log entries for every login attempt — critical for detecting brute-force attacks and unauthorized access. Verify logs appear in Event Viewer → Windows Logs → Security after a test login.
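Once logon auditing is on, the Security log can be mined for the brute-force pattern this step mentions. The following is an added example script, not part of the original module: it counts Event ID 4625 ("An account failed to log on") entries per account and source address over a look-back window; the window and threshold values are assumptions to tune for your environment.

```powershell
# Added example (not from the original module): summarize failed logons (Event ID 4625)
# from the Security log once "Audit logon events: Failure" is enabled.
# Assumptions: elevated PowerShell session; $Hours and $Threshold are illustrative values.
param(
    [int]$Hours = 24,        # look-back window
    [int]$Threshold = 10     # failures per account/source pair that should raise an alert
)

$since = (Get-Date).AddHours(-$Hours)

# 4625 is written for every failed logon attempt when failure auditing is on.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No failed logons in the last $Hours hours (or the Security log is not readable)."
    return
}

# Pull account, source address, logon type and NTSTATUS out of each event's XML payload.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Source    = $d['IpAddress']
        LogonType = $d['LogonType']       # 2 interactive, 3 network, 10 RDP
        Status    = $d['Status']          # e.g. 0xC000006D logon failure, 0xC0000234 locked out
    }
}

# Group by account + source; many failures from one pair looks like password guessing.
$suspicious = $rows | Group-Object Account, Source | Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending

if ($suspicious) {
    Write-Warning "Accounts with >= $Threshold failed logons in the last $Hours hours:"
    $suspicious | ForEach-Object {
        [pscustomobject]@{
            Account   = $_.Group[0].Account
            Source    = $_.Group[0].Source
            Failures  = $_.Count
            FirstSeen = ($_.Group | Measure-Object Time -Minimum).Minimum
            LastSeen  = ($_.Group | Measure-Object Time -Maximum).Maximum
        }
    } | Format-Table -AutoSize
} else {
    Write-Output "No account exceeded $Threshold failures; $($rows.Count) failed logons total."
}
```

Save as a .ps1 and run it after the test login in this step to confirm the 4625 entries are being collected; a spike from a single source address is the signal to investigate.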
| Control | Status Check |
|---|---|
| Windows Updates | All updates applied; no pending critical patches |
| User Accounts | Guest disabled; daily user is Standard (not Admin) |
| Windows Defender | Real-time protection on; definitions current |
| Windows Firewall | Enabled on all three profiles; no unnecessary inbound rules |
| BitLocker | Enabled on C:; recovery key saved securely |
| SMBv1 | Disabled via PowerShell |
| Audit Logging | Account logon events: Success and Failure enabled |
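The status checks in the table above can be scripted so the audit is repeatable across machines. The following is an added PowerShell example, not part of the original module, that reads each control's state without changing anything; the 30-day patch window and 1-day signature age are assumed thresholds, and the update check relies on the Windows Update Agent COM object.

```powershell
# Added example (not from the original module): read-only checks for the hardening checklist.
# Each check returns Pass/FAIL plus the observed value; nothing on the system is modified.
# Assumptions: elevated PowerShell 5.1+ on a workstation; thresholds below are illustrative.
#Requires -RunAsAdministrator

function Test-Control {
    param([string]$Name, [scriptblock]$Check, [string]$Expect)
    try   { $r = & $Check; $ok = [bool]$r.Pass; $obs = $r.Observed }
    catch { $ok = $false; $obs = "error: $($_.Exception.Message)" }   # missing cmdlet/feature = FAIL
    [pscustomobject]@{ Control = $Name; Result = $(if ($ok) {'Pass'} else {'FAIL'}); Observed = $obs; Expected = $Expect }
}

$checks = @(
    Test-Control 'Windows Updates' {
        $last = (New-Object -ComObject Microsoft.Update.AutoUpdate).Results.LastInstallationSuccessDate
        @{ Pass = $last -gt (Get-Date).AddDays(-30); Observed = "last install $last" }
    } 'installed within 30 days'
    Test-Control 'Guest account' {
        $g = Get-LocalUser -Name Guest
        @{ Pass = -not $g.Enabled; Observed = "Enabled=$($g.Enabled)" }
    } 'disabled'
    Test-Control 'Daily user not admin' {
        $admins = (Get-LocalGroupMember -Group Administrators).Name
        @{ Pass = $admins -notcontains "$env:USERDOMAIN\$env:USERNAME"; Observed = ($admins -join ', ') }
    } 'current user absent from Administrators'
    Test-Control 'Defender' {
        $mp = Get-MpComputerStatus
        @{ Pass = $mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -le 1
           Observed = "RTP=$($mp.RealTimeProtectionEnabled) sigAge=$($mp.AntivirusSignatureAge)d" }
    } 'real-time on; signatures <= 1 day old'
    Test-Control 'Firewall profiles' {
        $p = Get-NetFirewallProfile
        @{ Pass = -not ($p | Where-Object { -not $_.Enabled }); Observed = ($p | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ' ' }
    } 'Domain, Private, Public all On'
    Test-Control 'BitLocker C:' {
        $v = Get-BitLockerVolume -MountPoint 'C:'
        @{ Pass = $v.ProtectionStatus -eq 'On'; Observed = "Protection=$($v.ProtectionStatus) Status=$($v.VolumeStatus)" }
    } 'protection On'
    Test-Control 'SMBv1' {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
        @{ Pass = $f.State -ne 'Enabled'; Observed = "State=$($f.State)" }
    } 'Disabled'
    Test-Control 'Audit logon events' {
        $a = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv     # /r emits CSV with a header row
        @{ Pass = $a.'Inclusion Setting' -eq 'Success and Failure'; Observed = $a.'Inclusion Setting' }
    } 'Success and Failure'
)
$checks | Format-Table -AutoSize
```

Any FAIL row maps directly to a step in the procedure above; the Observed column gives the before state to record in the sign-off sheet.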
| Field | Your Entry |
|---|---|
| System Hardened | |
| Controls Applied | |
| Exceptions Noted | |
| Recovery Key Location | |
| Verified By | |
"What is the principle of least privilege and can you give an example of why it matters?"
The principle of least privilege means giving users and systems only the access they need to perform their function, and nothing more. A real example: if a standard user runs as a local administrator and clicks a phishing link, the malware they download automatically inherits admin rights. It can install drivers, disable antivirus, modify the registry, and persist across reboots. If the same user runs as a standard account, the malware is constrained to that user's limited permissions, which makes removal far easier and limits the damage. PoLP applies to users, service accounts, applications, and network access. It's the foundation of every secure architecture.
"Why would you enable BitLocker on a workstation and what do you need to do before enabling it?"
BitLocker encrypts the entire system drive so that if a laptop is physically stolen, the data on the drive is completely unreadable without the recovery key. This is especially critical for laptops that travel. Before enabling BitLocker, the most important step is saving the recovery key to a secure location — typically Active Directory (where IT can retrieve it) or a printed copy in a secure safe. If you enable BitLocker without backing up the recovery key, a motherboard replacement or BIOS update can trigger a BitLocker recovery screen, and without the key, the data is permanently inaccessible. Never encrypt without a verified recovery key backup.
"What is SMBv1 and why should it be disabled?"
SMBv1 is an outdated version of the Server Message Block protocol used for file sharing in Windows networks. It has critical vulnerabilities that were exploited by the WannaCry and NotPetya ransomware attacks in 2017 — they used an NSA exploit called EternalBlue to spread automatically through networks via SMBv1, infecting hundreds of thousands of machines. SMBv1 has been replaced by SMBv2 and SMBv3, which are significantly more secure. Modern Windows versions don't need SMBv1, and Microsoft recommends disabling it. I disable it using Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol in an elevated PowerShell session. It's one of the fastest, most impactful hardening steps you can take.
You've completed all 9 modules across Tier 1 Help Desk and Tier 2 IT Support. You have the foundational knowledge, SOPs, and applied skills to walk into a help desk interview with confidence. Now it's time to build — go to Apply IT and start turning this into resume language.