Windows remains the most targeted operating system for cyberattacks, with over 75% of malware specifically designed for Windows endpoints. Whether you're managing a single workstation or an entire fleet, hardening your Windows installation is the single most impactful step you can take to reduce your attack surface.
This guide provides a comprehensive, step-by-step approach to hardening Windows 10 and Windows 11 systems based on CIS Benchmarks v3.0, NIST SP 800-123, and real-world incident response experience. Every recommendation includes the "why" behind it, so you can make informed decisions for your environment.
1. Windows Firewall Configuration
The built-in Windows Defender Firewall is more capable than most people realize. Properly configured, it provides enterprise-grade network segmentation at zero cost.
Enable All Three Profiles
Windows Firewall operates across three profiles — Domain, Private, and Public. All three must be enabled and configured independently. A common misconfiguration is leaving the Public profile permissive because "it's just my home network."
- Domain Profile: Active when connected to an Active Directory domain. Apply the most permissive rules here (still restrictive by default).
- Private Profile: For trusted home/office networks. Block inbound by default, allow established connections.
- Public Profile: Maximum restriction. Block all inbound connections, allow only explicitly approved outbound.
Block Outbound by Default
Most administrators only configure inbound rules, but outbound filtering is critical for detecting malware callbacks, data exfiltration, and unauthorized software. Configure outbound rules to allow only known applications and services.
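One way to put the three-profile policy and the outbound default-deny into practice, as an added example that is not Citadel Frame's own code: Domain stays the most permissive profile, Private and Public deny inbound and unapproved outbound, blocked traffic is logged, and an audit pass reports any profile that drifts. It assumes an elevated session, and the browser path is a placeholder for your own approved application.

```powershell
# Added example (not Citadel Frame code): enforce per-profile defaults, add the explicit
# outbound allows a default-deny policy needs, then audit the result. Run elevated.
#Requires -RunAsAdministrator

# Domain stays the most permissive profile; Private and Public deny inbound and deny
# outbound unless a rule allows it. Blocked traffic is logged so callbacks show up.
$baseline = @{
    Domain  = @{ In = 'Block'; Out = 'Allow' }
    Private = @{ In = 'Block'; Out = 'Block' }
    Public  = @{ In = 'Block'; Out = 'Block' }
}
foreach ($name in $baseline.Keys) {
    Set-NetFirewallProfile -Name $name -Enabled True `
        -DefaultInboundAction $baseline[$name].In -DefaultOutboundAction $baseline[$name].Out `
        -LogBlocked True -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\$name.log"
}

# Explicit outbound allows keyed to a program, not just a port. Add one per approved app.
$allowOut = @(
    @{ Name = 'Hardening: DNS (svchost)'; Program = '%SystemRoot%\System32\svchost.exe'; Proto = 'UDP'; Port = 53 }
    @{ Name = 'Hardening: Browser HTTPS'; Program = 'C:\Program Files\ExampleBrowser\browser.exe'; Proto = 'TCP'; Port = 443 }  # placeholder path
)
foreach ($r in $allowOut) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Action Allow `
            -Program $r.Program -Protocol $r.Proto -RemotePort $r.Port -Profile Private, Public | Out-Null
    }
}

# Audit: anything that deviates from $baseline is a finding.
$findings = Get-NetFirewallProfile | ForEach-Object {
    $want = $baseline[$_.Name]
    if ($_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne $want.In -or $_.DefaultOutboundAction -ne $want.Out) {
        [pscustomobject]@{ Profile = $_.Name; Enabled = $_.Enabled; Inbound = $_.DefaultInboundAction; Outbound = $_.DefaultOutboundAction }
    }
}
if ($findings) { $findings | Format-Table -AutoSize } else { Write-Host 'All three profiles match baseline' }
```

Expect to add further program-scoped allow rules (Windows Update, time sync, your management agent) as the blocked-traffic log reveals what legitimate software needs.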
Citadel Frame Advantage: The Real-Time Threat Scanning module automatically audits your firewall configuration across all three profiles and flags misconfigurations with one-click remediation.
2. Service Minimization
Every running Windows service is a potential attack vector. The principle of least functionality (CIS Control 4.8) requires disabling services that aren't needed for the system's intended purpose.
Services to Disable on Workstations
- Remote Registry (RemoteRegistry) — Allows remote modification of the registry. Almost never needed on endpoints.
- Remote Desktop Services (TermService) — Disable unless it is actively used for remote access. If it is needed, require Network Level Authentication.
- Windows Remote Management (WinRM) — Disable unless managed by enterprise tools like SCCM.
- Xbox Services (XblAuthManager, XblGameSave) — No business justification on corporate endpoints.
- Fax (Fax) — Legacy service with no modern use case.
- Print Spooler (Spooler) — Disable on non-printing systems. The PrintNightmare vulnerability family demonstrated the risk.
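The service list above, applied and verified in one pass, as an added example that is not Citadel Frame's own code. It assumes an elevated session and a host that neither prints nor is managed over WinRM; the $rdpInUse switch decides whether TermService is disabled or kept with Network Level Authentication enforced.

```powershell
# Added example (not Citadel Frame code): stop and disable the workstation services listed
# above, and where RDP is kept, require Network Level Authentication. Run elevated.
#Requires -RunAsAdministrator

# Assumption: this host does not print and is not managed over WinRM/SCCM. If it is,
# remove 'Spooler' or 'WinRM' from the list before running.
$unneeded = 'RemoteRegistry', 'WinRM', 'XblAuthManager', 'XblGameSave', 'Fax', 'Spooler'

foreach ($svc in $unneeded) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s) { Write-Host "$svc not installed, skipping"; continue }
    if ($s.Status -ne 'Stopped') { Stop-Service -Name $svc -Force }
    Set-Service -Name $svc -StartupType Disabled
    Write-Host "$svc -> stopped and disabled"
}

# RDP: keep the service only where it is actually used, and then require NLA so an
# unauthenticated client never reaches the Windows logon screen.
$rdpKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpInUse = $false   # set to $true on hosts that genuinely need remote access
if ($rdpInUse) {
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
} else {
    Stop-Service -Name TermService -Force
    Set-Service  -Name TermService -StartupType Disabled
}

# Verify: anything still Running, or with a StartType other than Disabled, is a finding.
Get-Service -Name ($unneeded + 'TermService') -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```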
Citadel Frame Advantage: The System Hardening Advisor scans all running services, compares them against CIS Benchmark recommendations, and generates a prioritized remediation plan.
3. Registry Hardening
The Windows Registry is the operating system's central nervous system. Hardening key registry values can prevent entire classes of attacks.
Critical Registry Hardening Settings
- Disable LM Hash Storage: Set HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash to 1. LM hashes are trivially crackable.
- Enable LSA Protection: Set HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL to 1. Prevents credential dumping tools like Mimikatz from reading LSASS memory.
- Disable AutoRun: Set HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun to 255. Prevents USB-based malware propagation.
- Enable DEP (Data Execution Prevention): Set the boot configuration to OptOut mode via bcdedit /set nx OptOut.
- Restrict Anonymous Access: Set HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous to 1.
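The five settings above applied from a single baseline table, then re-read so drift is visible, as an added example that is not Citadel Frame's own code. It assumes an elevated session; the LSA values take effect only after a reboot.

```powershell
# Added example (not Citadel Frame code): apply the registry baseline listed above and then
# report any value that does not match. Run elevated; reboot for the Lsa values to apply.
#Requires -RunAsAdministrator

$settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'NoLMHash';          Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RunAsPPL';          Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Value = 255 }
)

foreach ($s in $settings) {
    if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
    Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
}

# DEP: OptOut enables DEP for every process except those explicitly exempted.
bcdedit /set nx OptOut | Out-Null

# Verification pass: anything that does not match the baseline is listed.
$drift = foreach ($s in $settings) {
    $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ($actual -ne $s.Value) {
        [pscustomobject]@{ Setting = $s.Name; Expected = $s.Value; Actual = $actual }
    }
}
if ($drift) { $drift | Format-Table -AutoSize } else { Write-Host 'All registry settings match baseline' }
(bcdedit /enum '{current}' | Select-String '^nx').Line
```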
4. Account and Password Policies
Weak authentication is the root cause of over 60% of breaches according to the Verizon DBIR. Windows provides granular controls over password complexity, account lockout, and privilege management.
Password Policy Recommendations
- Minimum length: 14 characters (NIST SP 800-63B recommends passphrase-style passwords)
- Enable password history: Remember at least 24 passwords
- Maximum password age: 365 days (NIST no longer recommends frequent rotation)
- Account lockout: 5 invalid attempts, 30-minute lockout duration
Privilege Management
Never use an administrator account for daily work. Create a standard user account and elevate privileges only when needed via UAC (User Account Control). Set UAC to "Always notify" — the most secure setting.
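The password, lockout and UAC settings above applied to a standalone or workgroup machine, as an added example that is not Citadel Frame's own code. It assumes an elevated session; on a domain-joined host the same password and lockout values belong in the Default Domain Policy GPO rather than in local policy.

```powershell
# Added example (not Citadel Frame code): local password/lockout policy via net accounts,
# plus UAC set to "Always notify" on the secure desktop. Run elevated.
#Requires -RunAsAdministrator

# Minimum 14 chars, remember 24 passwords, 365-day max age, lock after 5 failures for 30 min.
# Lockout duration must be >= the observation window, so both are set to 30 minutes.
net accounts /minpwlen:14 /uniquepw:24 /maxpwage:365 `
             /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# UAC: EnableLUA=1 turns UAC on, ConsentPromptBehaviorAdmin=2 is "Always notify", and
# PromptOnSecureDesktop=1 keeps the prompt on the secure desktop so code running in the
# user session cannot spoof or auto-click it.
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $uac -Name EnableLUA                  -Value 1 -Type DWord
Set-ItemProperty -Path $uac -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
Set-ItemProperty -Path $uac -Name PromptOnSecureDesktop      -Value 1 -Type DWord

# Verify: net accounts prints the effective policy; the registry read confirms UAC.
net accounts
Get-ItemProperty -Path $uac |
    Select-Object EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop
```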
5. Attack Surface Reduction (ASR) Rules
Windows Defender includes Attack Surface Reduction rules that block common attack techniques at the OS level. These are among the most powerful — and most underutilized — security controls available.
Essential ASR Rules to Enable
- Block executable content from email client and webmail
- Block all Office applications from creating child processes
- Block JavaScript or VBScript from launching downloaded executable content
- Block execution of potentially obfuscated scripts
- Block Win32 API calls from Office macros
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block process creations originating from PSExec and WMI commands
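A staged rollout of the seven rules above, as an added example that is not Citadel Frame's own code: stage 1 sets them to AuditMode so you can see what they would have blocked, and stage 2 flips them to Enabled once the audit events are clean. The rule IDs are Microsoft's published ASR GUIDs; confirm them against the current ASR rule reference before deploying, and run from an elevated session.

```powershell
# Added example (not Citadel Frame code): audit-first rollout of the listed ASR rules.
# Rule IDs are Microsoft's published GUIDs; verify against the current reference. Run elevated.
#Requires -RunAsAdministrator

$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript/VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
}

function Set-AsrStage {
    param([ValidateSet('AuditMode', 'Enabled')] [string] $Action)
    foreach ($id in $asrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
        Write-Host "$Action : $($asrRules[$id])"
    }
}

# Stage 1: audit only. Leave this in place long enough to cover normal business workflows.
Set-AsrStage -Action AuditMode

# Review what would have been blocked. Event 1122 = audited, 1121 = blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# Stage 2 (after the audit window is clean): enforce.
# Set-AsrStage -Action Enabled

# Confirm the effective state: Ids and Actions are parallel arrays (1 = Block, 2 = Audit).
$mp = Get-MpPreference
for ($i = 0; $i -lt $mp.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  {1}' -f $mp.AttackSurfaceReductionRules_Ids[$i], $mp.AttackSurfaceReductionRules_Actions[$i]
}
```

Audit events that come from legitimate line-of-business tools are the signal to add an ASR exclusion for that path before enforcing, rather than leaving the rule off.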
Citadel Frame Advantage: Our Compliance Engine includes pre-built ASR rule profiles mapped to CIS Controls v8 and NIST CSF 2.0, with one-click deployment and continuous monitoring.
6. BitLocker and Storage Encryption
Full-disk encryption is mandatory for any system that could be physically stolen — which includes every laptop and most workstations. BitLocker provides transparent encryption with minimal performance impact.
- Enable BitLocker on all fixed drives
- Require TPM 2.0 + PIN for pre-boot authentication
- Use XTS-AES 256-bit encryption for operating system drives
- Store recovery keys in Active Directory or Azure AD (never local-only)
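The four BitLocker requirements above carried out on the OS drive, as an added example that is not Citadel Frame's own code. It assumes an elevated session, a TPM 2.0 that is present and ready, a "Require additional authentication at startup" policy that permits a startup PIN, and a domain-joined host (Entra/Azure AD-joined devices use BackupToAAD-BitLockerKeyProtector instead of the AD DS backup shown).

```powershell
# Added example (not Citadel Frame code): TPM 2.0 + PIN, XTS-AES 256, recovery password
# escrowed to AD DS, then verification. Run elevated on a domain-joined host.
#Requires -RunAsAdministrator

$osDrive = 'C:'

# Check the TPM first; Enable-BitLocker fails with an unhelpful error if it is absent or not ready.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw 'TPM not present or not ready' }

# Prompt for the pre-boot PIN as a SecureString; never hard-code it in a script.
$pin = Read-Host -AsSecureString -Prompt 'Pre-boot PIN (6+ digits)'

# Turn on encryption. UsedSpaceOnly is fine for a fresh install; omit it on a drive that has
# held data before so free space containing old file remnants is encrypted as well.
Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $pin -UsedSpaceOnly -SkipHardwareTest

# Add a recovery password and escrow it in AD DS so a forgotten PIN is not a data-loss event.
Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $recovery.KeyProtectorId

# Verify: expect EncryptionInProgress or FullyEncrypted, method XtsAes256,
# and both a TpmPin and a RecoveryPassword protector.
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod, EncryptionPercentage,
                  @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```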
7. Network Hardening
Even with a properly configured firewall, additional network-level hardening reduces your exposure to network-based attacks.
- Disable NetBIOS over TCP/IP: Prevents NBT-NS name resolution poisoning attacks (LLMNR, the other half of that attack, is disabled separately below)
- Disable LLMNR: Via Group Policy under Computer Configuration > Administrative Templates > Network > DNS Client
- Enable SMB Signing: Prevents man-in-the-middle attacks on file shares
- Disable SMBv1: The protocol behind WannaCry and NotPetya. No modern software requires it.
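The four network settings above applied and then read back in one view, as an added example that is not Citadel Frame's own code. It assumes an elevated session; requiring server-side signing and turning off NetBIOS can drop existing sessions, so schedule it.

```powershell
# Added example (not Citadel Frame code): NetBIOS off, LLMNR off, SMB signing required on
# both sides, SMBv1 removed, then a verification summary. Run elevated.
#Requires -RunAsAdministrator

# 1. NetBIOS over TCP/IP off on every IP-enabled adapter (2 = disable, 0 = use DHCP setting).
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
        Write-Host "$($_.Description): SetTcpipNetbios -> $($r.ReturnValue)"   # 0 = success
    }

# 2. LLMNR off. This is the value the "Turn off multicast name resolution" policy writes.
$dns = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if (-not (Test-Path $dns)) { New-Item -Path $dns -Force | Out-Null }
Set-ItemProperty -Path $dns -Name EnableMulticast -Value 0 -Type DWord

# 3. SMB signing required on both server and client, so an unsigned relayed session is rejected.
Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force

# 4. SMBv1 off on the server side, and the optional feature removed so the SMB1 driver is gone.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# Verify the result in one object.
[pscustomobject]@{
    SMB1Enabled    = (Get-SmbServerConfiguration).EnableSMB1Protocol
    ServerSigning  = (Get-SmbServerConfiguration).RequireSecuritySignature
    ClientSigning  = (Get-SmbClientConfiguration).RequireSecuritySignature
    LLMNR          = (Get-ItemProperty -Path $dns -Name EnableMulticast).EnableMulticast
    NetBiosOptions = (Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE').TcpipNetbiosOptions -join ','
}
```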
Citadel Frame Advantage: The Network Connection Monitor provides real-time visibility into all network connections with protocol analysis and anomaly detection.
8. Audit and Logging
You can't detect what you don't log. Configure comprehensive audit policies to capture security-relevant events.
- Enable Advanced Audit Policy Configuration (not basic audit policy)
- Log account logon events (success and failure)
- Log privilege use (sensitive and non-sensitive)
- Log object access for sensitive directories
- Log process creation with command-line logging enabled
- Forward logs to a central SIEM or monitoring tool
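The audit list above implemented end to end, as an added example that is not Citadel Frame's own code: advanced audit policy forced on, the relevant subcategories enabled, command-line logging added to event 4688, an audit ACE placed on a sensitive directory, and a test process spawned to confirm the command line is actually recorded. It assumes an elevated session; C:\Finance is a placeholder for your own sensitive directory, and log forwarding to the SIEM is left to your collector.

```powershell
# Added example (not Citadel Frame code): advanced audit policy, command-line logging,
# an object-access SACL, and a check that 4688 now carries the command line. Run elevated.
#Requires -RunAsAdministrator

# Make the advanced (subcategory) policy win over the legacy nine-category policy.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord

$subcategories = @(
    'Logon', 'Logoff', 'Account Lockout', 'Credential Validation',   # account logon events
    'Sensitive Privilege Use', 'Non Sensitive Privilege Use',        # privilege use
    'File System',                                                   # object access (needs a SACL)
    'Process Creation', 'Process Termination',                       # process tracking
    'Audit Policy Change', 'Security Group Management', 'User Account Management'
)
foreach ($sub in $subcategories) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 4688 is of little use without the command line; this policy value adds it to the event.
$audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $audit)) { New-Item -Path $audit -Force | Out-Null }
Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# Object access only fires on directories that carry an audit ACE. Placeholder path:
$sensitiveDir = 'C:\Finance'
if (Test-Path $sensitiveDir) {
    $acl  = Get-Acl $sensitiveDir
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'Write,Delete', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $sensitiveDir -AclObject $acl
}

# Verify: the effective policy, then a fresh 4688 that should now include "Process Command Line".
auditpol /get /category:* | Select-String 'Process Creation|Logon|Privilege Use|File System'
Start-Process -FilePath cmd.exe -ArgumentList '/c', 'echo audit-test' -WindowStyle Hidden -Wait
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 1 |
    Select-Object -ExpandProperty Message | Select-String 'Process Command Line'
```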
Automate Your Hardening
Manual hardening is time-consuming and error-prone. Citadel Frame automates the entire hardening process with CIS Benchmark and NIST-aligned profiles. Run a single scan to identify gaps, then apply one-click remediation across your entire system.
The full feature suite includes real-time threat scanning, breach monitoring, ransomware protection, and compliance reporting — everything you need to maintain a hardened security posture over time.
Download Citadel Frame free and run your first hardening scan in under 3 minutes.