One of the most common ways of infecting a computer with malware is when users open up an infected file (e.g. an infected email attachment). Another way is when users access a corrupted website that installs malware on their devices that can take advantage of weaknesses in their browsers, operating systems or external applications (like Java or Flash). Since the Windows operating system is so widespread, the risks posed by malware and unauthorized access to the IT system are thus relatively high.

This page provides additional, more specific information on improving IT security and changing standard configurations of Windows 10 workstations (Enterprise Edition, version 1809 to 1909), using the Mozilla Firefox browser (e.g. instead of Microsoft Edge) and the Windows Defender Antivirus as a real-time engine to scan for malware.

For recommended data and privacy protection settings see Mark Heitbrink’s "gp-pack PaT – Privacy and Telemetry" (in German). The information linked below provides additional information. Many of the gp-pack PaT recommendations increase IT security, however, while some of the settings do provide increased privacy protection for users, they may have disadvantages for IT security and/or usability. Thus, users must always weigh the potential effects of these recommended settings against their own needs and requirements. You can find alternatives or supplementary recommendations on how to handle such potentially problematic settings on the relevant topic pages.

Based on your specific situation, goals and IT security requirements, you will need to decide which specific protective measures are necessary for your Windows 10 computer. Below we have listed measures that are typically suitable/suggested for this operating system, which you can adjust to fit your specific situation and needs. In individual cases, some of the measures are unnecessary or impractical for your specific situation, e.g. if the measures are intended to protect against risks that are already covered by other measures.

The risks should be reduced to an acceptable level using technical IT security measures. As not all threats can be counteracted through technical means, users must be trained appropriately to assess such situations and make the right decision when it is required.

The recommended measures serve as a checklist and a good basis for setting up suitable IT security, even if some of the measures cannot be implemented in your specific situation or you require additional, more restrictive measures. At any rate, you will need to have a precise understanding of the technical and organizational relationships between IT security and PC clients. You will also need to understand IT security as a process that requires constant vigilance and the ability to adapt measures to changing risk levels.

 

Sources and further information

  • Microsoft: "Security baseline (FINAL) for Windows 10 v1809 and Windows Server 2019", 2018, Link
  • Bundesamt für Sicherheit in der Informationstechnik (BSI): "IT-Grundschutz-Baustein SYS.2.2.3 Clients unter Windows 10", 2019, Link
  • Bundespolizei (BPOL): "SiM-08202 Client unter Windows 10", 2017, Link
  • Australian Cyber Security Centre (ACSC): "Hardening Microsoft Windows 10 version 1709 Workstations", 2019, Link
  • National Cyber Security Centre (NCSC): "End user device (EUD) security guidance - Windows 10 1809", 2018, Link
  • Bundesamt für Sicherheit in der Informationstechnik (BSI): "Analyse der 'Virtualization Based Security'-Komponenten in Windows 10", 2018, Link
  • Sami Laiho: "Black Belt Security with Windows 10", Microsoft Ignite, 2015, Link
  • Defense Information Systems Agency (DISA): "Windows 10 Security Technical Implementation Guide", 2019, Link
  • National Security Agency (NSA): "Application Whitelisting Using Microsoft AppLocker", 2014, Link
  • Bundesamt für Sicherheit in der Informationstechnik (BSI): "Sichere Nutzung von Geräten unter Microsoft Windows 10 - Empfehlungen für Privatanwender", 2017, Link
  • Bundesamt für Sicherheit in der Informationstechnik (BSI): "Themenpapier Ransomware", 2016, Link
  • Bundesamt für Sicherheit in der Informationstechnik (BSI): "Lagesdossier Ransomware", 2016, Link
  • Microsoft: "Securing privileged access", Windows Server Documentation, 2019, Link
  • Heise Zeitschriften Verlag: c't Windows (2018) - Problemlöser, 2017
  • Heise Zeitschriften Verlag: iX 6/2017, p. 114 ff., 2017