
The Complete Windows Hardening Guide for 2026

Most Windows breaches are the result of unchanged defaults, not sophisticated zero-days. This guide walks you through the CIS-aligned baseline every endpoint should have, what each control actually defends against, and how to automate the lot.

By Citadel Frame Team · March 2, 2026 · 14 min read

1. Start with the threat model

Before changing a single setting, write down what you are defending against. For most users in 2026 the top three are ransomware, credential theft, and supply-chain script execution. Map every hardening decision back to one of these.

2. Patch cadence that actually works

Enable Windows Update for Business with quality updates deferred by zero days and feature updates deferred by 30 days. Pair it with a weekly reboot window. Missing patches cause more incidents than any single misconfiguration.

3. Credential hygiene

Enforce 16-character minimums, disable NTLMv1, turn on Credential Guard where hardware permits, and require Windows Hello for sign-in. Back it with breach monitoring so stolen credentials trigger rotation automatically.

4. Application control

Use Windows Defender Application Control (WDAC) or AppLocker to block execution from %TEMP%, %APPDATA%, and Downloads. This single change stops most commodity malware in its tracks.

5. Script engines

Set PowerShell to Constrained Language Mode outside administrative workflows, disable Windows Script Host, and block Office macros from internet-originated documents. Fileless malware depends on these engines.

6. Network posture

Disable SMBv1, enforce SMB signing, turn LLMNR and NetBIOS over TCP/IP off, and put a DNS firewall in front of the resolver. DNS-layer filtering stops exfiltration before the TLS handshake.

7. Ransomware-specific layers

Enable Controlled Folder Access, deploy honeypot files in user document roots, set shadow-copy retention to 14 days, and protect critical folders with an allow-list of processes.

8. Telemetry and response

Forward Security, Sysmon, and PowerShell logs to a central collector. Write five detection rules before buying any tool: suspicious child of winword.exe, lsass.exe dump access, scheduled task creation by non-admin, new service install from user profile, and wmic process call create.
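As an added example (not from the guide and not Citadel Frame's code), here are those five starter rules written as plain Python predicates and run over constructed Sysmon and Windows event records. Field names follow Sysmon (Image, ParentImage, SourceImage, GrantedAccess) and the System/Security logs (ImagePath); SubjectIsAdmin is an assumed enrichment field, since Event 4698 records only the subject's name and SID, and TRUSTED_LSASS_READERS is an assumed allow-list for the local AV engine.

```python
import re

OFFICE_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
PROCESS_VM_READ = 0x0010                 # access right every LSASS memory read needs
TRUSTED_LSASS_READERS = {"msmpeng.exe"}  # assumed allow-list: the local AV engine legitimately reads lsass

def basename(path: str) -> str: return path.rsplit("\\", 1)[-1].lower()

def suspicious_office_child(e):
    """Sysmon 1: WINWORD.EXE spawning a shell or script host."""
    return (e["id"] == 1 and basename(e.get("ParentImage", "")) == "winword.exe"
            and basename(e["Image"]) in OFFICE_CHILDREN)
def lsass_dump_access(e):
    """Sysmon 10: a non-allow-listed process opening lsass.exe with PROCESS_VM_READ."""
    return (e["id"] == 10 and basename(e.get("TargetImage", "")) == "lsass.exe"
            and bool(int(e.get("GrantedAccess", "0x0"), 16) & PROCESS_VM_READ)
            and basename(e.get("SourceImage", "")) not in TRUSTED_LSASS_READERS)
def schtask_by_non_admin(e):
    """Security 4698: task created by a non-admin (SubjectIsAdmin is an ASSUMED enrichment field)."""
    return e["id"] == 4698 and not e.get("SubjectIsAdmin", False)
def service_from_user_profile(e):
    """System 7045: new service whose binary lives under a user profile."""
    return e["id"] == 7045 and re.match(r'^"?[a-z]:\\users\\', e.get("ImagePath", ""), re.I) is not None
def wmic_process_create(e):
    """Sysmon 1: wmic.exe used as a process launcher."""
    return (e["id"] == 1 and basename(e["Image"]) == "wmic.exe"
            and re.search(r"process\s+call\s+create", e.get("CommandLine", ""), re.I) is not None)

RULES = {f.__name__: f for f in (suspicious_office_child, lsass_dump_access, schtask_by_non_admin,
                                 service_from_user_profile, wmic_process_create)}

def run_rules(events):
    """Return sorted (rule_name, event_index) pairs for every rule that fired."""
    return sorted((name, i) for i, e in enumerate(events) for name, rule in RULES.items() if rule(e))

# Constructed sample events (not real logs): one hit per rule plus an allow-listed decoy.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"id": 10, "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},  # allow-listed, no hit
    {"id": 4698, "SubjectUserName": "bob", "SubjectIsAdmin": False, "TaskName": r"\Updater"},
    {"id": 7045, "ServiceName": "svc", "ImagePath": r"C:\Users\bob\AppData\Roaming\svc.exe"},
    {"id": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "wmic process call create notepad.exe"},
]
```

Calling `run_rules(SAMPLE_EVENTS)` fires each rule exactly once and stays silent on the MsMpEng access, which is the tuning step every lsass rule needs before it goes into production.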

9. Automate it

Hand-tuning one laptop is fine. Fleet hardening needs GPO, Intune, or a purpose-built tool like Citadel Frame's Hardening Advisor that applies CIS-aligned profiles and tracks drift over time.

FAQ

Is Windows 11 harder to compromise than Windows 10?

Yes. Windows 11 enables VBS, HVCI, and TPM 2.0 by default and has stricter driver signing. Hardening still matters — the defaults remove easy wins but not targeted attacks.

Will these changes break line-of-business apps?

Some will. Roll out hardening in rings: pilot, early, broad. Start with controls that never cause user impact (NTLMv1 disable, SMBv1 disable) and finish with script engine restrictions.

Does Citadel Frame apply these automatically?

Yes. The Hardening Advisor compares your system to the CIS baseline, explains each gap in plain English, and applies fixes on request with rollback support.

Put this into practice

Citadel Frame automates most of what you just read — hardening advisor, ransomware honeypots, breach monitoring, POPIA compliance profile, and AI-assisted triage, all in one Windows app.

