
Best Hardening Practices for Windows and Linux

TL;DR:

  • Windows 11 requires TPM 2.0 and Secure Boot, which lays a solid hardware foundation. On many recent devices, virtualization-based security (VBS) and HVCI memory integrity are enabled by default, strengthening kernel protection.
  • Since 24H2, SMB signing is required by default on most editions, which puts a stop to credential relay and man-in-the-middle attacks on network shares.
  • BitLocker-based disk encryption is automatically enabled on many new devices that are compatible with Device Encryption. It is not universal, but it is very common on a modern fleet.
  • Windows Hello for Business enables passwordless authentication with asymmetric keys protected by the TPM. Biometric data stays local, and it integrates natively with Microsoft Entra ID for centralized management.
  • Deploy ready-to-use baselines: Microsoft Security Baselines for Windows 11 and, if needed, the CIS Benchmarks. Automate with Intune, GPO, and PowerShell DSC.


1. Why Windows 11 hardening matters for Quebec SMBs

Threats evolve fast and SMBs are targeted just as much as large organizations. Windows 11 brings a more robust hardware and software foundation: TPM 2.0, Secure Boot, VBS and HVCI depending on the hardware. The result: you make life seriously harder for malware and for attackers who target the kernel or authentication.

2. The pillars of modern security on Windows 11

TPM 2.0 and Secure Boot

  • TPM 2.0 is required by Windows 11 and protects cryptographic keys, boot integrity and features such as BitLocker and Hello. Enable it in the UEFI if needed.
  • Secure Boot prevents malicious code from loading at boot.

VBS and HVCI (Memory Integrity)

  • VBS isolates sensitive components through the hypervisor. HVCI prevents untrusted drivers from loading into the kernel. On many recent devices, HVCI is active by default.
  • Configuration path: Windows Security > Device security > Core isolation > Memory integrity.

Credential protection

  • LSA Protection (RunAsPPL) hardens lsass.exe against credential theft. Enable it and check the status on your managed endpoints.

Data encryption

  • Device Encryption/BitLocker: on many recent devices, encryption is set up automatically. For a heterogeneous fleet, standardize and escrow the recovery keys through Intune or GPO.

3. Modern, passwordless authentication

Windows Hello for Business uses asymmetric keys protected by the TPM. Biometrics serve to unlock the local key; no fingerprint is ever sent to the server. Combined with Entra ID and, if needed, FIDO2 keys, you sharply reduce phishing and credential stuffing.

4. Network and secure protocols

SMB and legacy protocols

  • SMB signing is required by default with 24H2 on most editions. If third-party NAS devices do not support signing, fix it on the NAS side rather than weakening Windows.
  • SMBv1 is obsolete and not installed by default on Windows 11. If it is present for compatibility, remove it.
    PowerShell (elevated session):

    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
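Before removing SMBv1 and requiring signing, it is worth knowing which servers the endpoint still reaches over a legacy dialect or without signing, since those are the NAS devices the bullet above says to fix first. The following script is an added example written for this article; it is not code from the original post. It assumes an elevated session on Windows 11 and uses only the built-in SmbShare and Dism cmdlets.

```powershell
# Added example (not from the original post): pre-flight check, then
# enforcement, for SMB signing and SMBv1 removal on one Windows 11 host.

# 1. What is this host currently talking to, and how?
#    A dialect that is not 2.x/3.x means an SMB1 peer; an unsigned connection
#    means a server (often a NAS) that will break once signing is required.
$connections = Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect, Signed, Encrypted

$legacy = $connections | Where-Object { $_.Dialect -notmatch '^[23]\.' }
if ($legacy) {
    Write-Warning 'SMB1-dialect connections; fix these servers before removing SMB1Protocol:'
    $legacy | Format-Table -AutoSize
}

$unsigned = $connections | Where-Object { -not $_.Signed }
if ($unsigned) {
    Write-Warning 'Unsigned SMB connections; these break once signing is required:'
    $unsigned | Format-Table -AutoSize
}

# 2. Remove SMBv1 if it is still installed (a reboot may be needed afterwards).
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($smb1.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 3. Require signing on both the client and the server side.
#    -Force skips the confirmation prompt so the script can run unattended.
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# 4. Report the end state so the run can be logged.
[pscustomobject]@{
    Smb1State             = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    ClientSigningRequired = (Get-SmbClientConfiguration).RequireSecuritySignature
    ServerSigningRequired = (Get-SmbServerConfiguration).RequireSecuritySignature
}
```

Run step 1 on a few representative workstations during business hours first: the connection list only shows what is mounted at that moment, so a file server that is used once a week will not appear. The GPO or Intune setting remains the right way to enforce signing across the fleet; this script is for confirming a single host and catching the NAS that nobody remembered.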

Reduce the local attack surface

  • Disable LLMNR via GPO and NetBIOS over TCP/IP via network configuration or DHCP to limit name-resolution poisoning.

Windows Defender Firewall

  • Use GPOs for granular rules per network profile. Enable logging (dropped packets and successful connections) and centralize the logs. Detailed path and options below.

5. Deployment and automation at scale

Ready-to-use baselines

  • Microsoft Security Baselines for Windows 11: a solid starting point, tested by Microsoft. Apply them, then adjust based on your risks and your environment.

PowerShell DSC and Intune

  • DSC lets you declare the desired state and enforce it across the fleet. Combine it with Intune and GPO for policies.
  • Community CIS modules for DSC exist if you follow the CIS Benchmarks. Evaluate them carefully before production.
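To make "declare the desired state" concrete, here is a small DSC configuration that enforces three settings from this article (LSA Protection, SMB signing on both sides, SMBv1 absent) and then reports drift. It is an added example, not code from the post or from the CIS modules mentioned above. It assumes Windows PowerShell 5.1 with the built-in PSDesiredStateConfiguration module, a Local Configuration Manager in push mode, and `localhost` as a placeholder node name; the registry values are the same ones the corresponding GPO settings write.

```powershell
# Added example (not from the original post): a minimal DSC configuration
# enforcing LSA Protection, SMB signing and the absence of SMBv1.
# Assumes PSDesiredStateConfiguration (Windows PowerShell 5.1) and push mode.
Configuration BlueFoxWin11Baseline {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {   # placeholder; replace with your target names

        # LSA Protection: run lsass.exe as a protected process (RunAsPPL = 1)
        Registry LsaProtection {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
            ValueName = 'RunAsPPL'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
        }

        # SMB signing required, server side (LanmanServer)
        Registry SmbServerSigning {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'RequireSecuritySignature'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
        }

        # SMB signing required, client side (LanmanWorkstation)
        Registry SmbClientSigning {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
            ValueName = 'RequireSecuritySignature'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
        }

        # SMBv1 must not be installed
        WindowsOptionalFeature NoSmb1 {
            Name   = 'SMB1Protocol'
            Ensure = 'Absent'
        }
    }
}

# Compile the MOF, push it, then check for drift. The output folder is a
# placeholder path chosen for this example.
BlueFoxWin11Baseline -OutputPath 'C:\DSC\BlueFoxWin11Baseline'
Start-DscConfiguration -Path 'C:\DSC\BlueFoxWin11Baseline' -Wait -Verbose -Force
Test-DscConfiguration -Path 'C:\DSC\BlueFoxWin11Baseline' -Detailed
```

`Test-DscConfiguration -Detailed` is the part that matters operationally: scheduled against the fleet, it tells you which host has drifted from the declared state, which is exactly the question a baseline is supposed to answer. Note that RunAsPPL only takes effect after a reboot, so DSC will report the registry value as compliant before the protection is actually active; the audit script further down checks the value, not the running state.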

6. Monitoring and auditing

Logs and advanced auditing

  • Enable firewall logging and the Advanced Audit Policies to track connections, account changes and access to sensitive resources.
  • Centralize with Windows Event Forwarding or your SIEM.

Detection and response

  • For SMBs, Microsoft Defender for Business (included in Microsoft 365 Business Premium) delivers EDR and attack-surface reduction with a simplified console. More demanding environments will opt for Defender for Endpoint.

7. The Blue Fox checklist in 10 actions

  1. Verify that TPM 2.0 is enabled and Secure Boot is on.
  2. Confirm that VBS and HVCI are active on compatible hardware.
  3. Standardize encryption: managed Device Encryption and BitLocker, escrowed keys.
  4. Enable Windows Hello for Business and aim for passwordless with Entra ID when it is available for the organization.
  5. Apply the Microsoft Security Baselines for Windows 11.
  6. Make sure SMB signing is effective everywhere; fix the NAS devices as needed.
  7. Remove SMBv1, disable LLMNR and NetBIOS.
  8. Strengthen LSA Protection.
  9. Enable and centralize firewall logging and advanced auditing.
  10. Deploy a fitting EDR: Defender for Business or Defender for Endpoint.
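The pillars in section 2 and the checklist above can mostly be verified locally. The function below is an added example written for this article, not a Blue Fox or Microsoft tool; it reads the status of items 1, 2, 3, 6, 7, 8 and the firewall-logging half of 9 using only built-in modules (TrustedPlatformModule, SecureBoot, BitLocker, SmbShare, Dism, NetSecurity) and the CIM classes Windows exposes for TPM and Device Guard. It changes nothing and needs an elevated session.

```powershell
# Added example (not from the original post): read-only audit of the
# checklist items that a single Windows 11 host can answer about itself.
function Get-HardeningStatus {
    # TPM: Win32_Tpm.SpecVersion starts with "2.0" on a TPM 2.0 device.
    $tpm    = Get-Tpm
    $tpmWmi = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS, so treat that as "off".
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    # VBS/HVCI: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 2 when HVCI is running.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    $lsa  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $bl   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

    # LLMNR is the policy value the GPO writes; NetBIOS is per interface (2 = disabled).
    $llmnr = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ErrorAction SilentlyContinue
    $netbtOn = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
               Get-ItemProperty | Where-Object { $_.NetbiosOptions -ne 2 }

    $profilesNotLogging = Get-NetFirewallProfile | Where-Object { $_.LogBlocked -ne 'True' }

    [pscustomobject]@{
        Tpm20PresentAndReady      = [bool]($tpm.TpmPresent -and $tpm.TpmReady -and ($tpmWmi.SpecVersion -like '2.0*'))
        SecureBootOn              = [bool]$secureBoot
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning               = ($dg.SecurityServicesRunning -contains 2)
        LsaProtectionConfigured   = ($lsa.RunAsPPL -eq 1)
        BitLockerOnSystemDrive    = ($bl.ProtectionStatus -eq 'On')
        SmbServerSigningRequired  = (Get-SmbServerConfiguration).RequireSecuritySignature
        SmbClientSigningRequired  = (Get-SmbClientConfiguration).RequireSecuritySignature
        Smb1NotInstalled          = ($smb1.State -ne 'Enabled')
        LlmnrDisabledByPolicy     = ($llmnr.EnableMulticast -eq 0)
        NetBiosOffOnAllInterfaces = (-not $netbtOn)
        FirewallDropLoggingAll    = (-not $profilesNotLogging)
    }
}

# Print the report; any $false row is a checklist item to act on.
Get-HardeningStatus | Format-List
```

Run it with `Invoke-Command -ComputerName ... -ScriptBlock ${function:Get-HardeningStatus}` to collect one object per host and export the lot to CSV for the weekly review. Two things the script cannot tell you: whether the BitLocker recovery key is actually escrowed (that is a question for Intune or Active Directory), and whether LSA Protection is running as opposed to merely configured, since RunAsPPL needs a reboot to take effect.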

Practical appendices

GPO and firewall logs

  • GPMC: Computer > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Properties
    Domain/Private/Public tab > Logging > Customize
    Default log file: %windir%\system32\logfiles\firewall\pfirewall.log
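The GPO path above is the fleet-wide way to turn logging on; for a single host, or for a script that runs before the GPO has applied, the NetSecurity cmdlets set the same options. Once the log exists, the useful part is reading it. The script below is an added example written for this article, not code from the post: part 1 enables logging on all three profiles, part 2 parses the W3C-style format of pfirewall.log (it reads the field names from the `#Fields:` header rather than assuming them, so it also copes with builds that append extra columns) and summarises inbound drops per source. The log lines are constructed for the example, with documentation IP ranges.

```powershell
# Added example (not from the original post).
# Part 1: same effect as the GPO path above, for one host. LogMaxSizeKilobytes
# tops out at 32767; the file rolls over to pfirewall.log.old when it is full.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogFileName '%windir%\system32\logfiles\firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767 -LogAllowed True -LogBlocked True

# Part 2: parse pfirewall.log into objects, using the header for field names.
function ConvertFrom-PfirewallLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if (-not $fields -or $line -like '#*' -or -not $line.Trim()) { continue }
        $values = $line -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $obj[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { $null }
        }
        [pscustomobject]$obj
    }
}

# Constructed sample log (not captured from a real host). One external source
# probing three ports, one normal outbound connection, one NetBIOS datagram.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 10:15:32 DROP TCP 203.0.113.5 192.0.2.10 51234 445 52 S 1234567 0 8192 - - - RECEIVE
2024-05-01 10:15:32 DROP TCP 203.0.113.5 192.0.2.10 51235 3389 52 S 1234568 0 8192 - - - RECEIVE
2024-05-01 10:15:33 DROP TCP 203.0.113.5 192.0.2.10 51236 22 52 S 1234569 0 8192 - - - RECEIVE
2024-05-01 10:15:40 ALLOW TCP 192.0.2.10 192.0.2.20 49800 443 0 - 0 0 0 - - - SEND
2024-05-01 10:15:41 DROP UDP 192.0.2.33 192.0.2.10 137 137 78 - - - - - - - RECEIVE
'@

# For a real host, replace the sample with:
#   Get-Content "$env:windir\system32\logfiles\firewall\pfirewall.log"
$events = ConvertFrom-PfirewallLog -Lines ($sampleLog -split "`r?`n")

# Inbound drops per source: many distinct destination ports from one address
# is the pattern worth a look; a single port 137 hit is NetBIOS noise that
# disappears once NetBIOS over TCP/IP is disabled.
$events |
    Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
    Group-Object 'src-ip' |
    ForEach-Object {
        [pscustomobject]@{
            Source        = $_.Name
            Drops         = $_.Count
            DistinctPorts = @($_.Group.'dst-port' | Sort-Object -Unique).Count
            Ports         = ($_.Group.'dst-port' | Sort-Object -Unique) -join ','
        }
    } |
    Sort-Object DistinctPorts -Descending |
    Format-Table -AutoSize
```

On the sample data the table shows 203.0.113.5 with three drops across three distinct ports and 192.0.2.33 with one drop on port 137. When the logs are centralized as the post recommends, the same grouping run over the whole fleet is a cheap first detection rule: one source touching many ports on many hosts is the signal, a single host with a few drops is the baseline.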

LLMNR and NetBIOS

  • LLMNR: GPO Computer > Administrative Templates > Network > DNS Client > Turn off multicast name resolution
  • NetBIOS: disable NetBIOS over TCP/IP in the IPv4 properties or via DHCP option 001.
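For a host that is not domain-joined, or to verify that the GPO and DHCP settings above actually landed, the two settings can be applied and checked directly. This is an added example written for this article, not code from the post. It assumes an elevated session; the LLMNR value is the one the GPO "Turn off multicast name resolution" writes, and NetBIOS is set per interface under the NetBT service key, where NetbiosOptions 2 means disabled.

```powershell
# Added example (not from the original post): disable LLMNR and NetBIOS over
# TCP/IP on one host, then verify. Fleet-wide, prefer the GPO/DHCP route.

# LLMNR: policy value EnableMulticast = 0 under the DNS Client policy key.
$dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if (-not (Test-Path $dnsPolicy)) { New-Item -Path $dnsPolicy -Force | Out-Null }
Set-ItemProperty -Path $dnsPolicy -Name EnableMulticast -Value 0 -Type DWord

# NetBIOS over TCP/IP: one Tcpip_{GUID} subkey per interface;
# NetbiosOptions 0 = from DHCP, 1 = enabled, 2 = disabled.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem -Path $ifRoot | ForEach-Object {
    Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
}

# Verify from the registry and, for NetBIOS, also from the live adapter
# configuration (TcpipNetbiosOptions 2 = disabled), so a stale registry
# value on an interface that no longer exists does not mask a problem.
$stillOn = Get-CimInstance Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -and $_.TcpipNetbiosOptions -ne 2 } |
    Select-Object -ExpandProperty Description

[pscustomobject]@{
    LlmnrDisabled               = ((Get-ItemProperty -Path $dnsPolicy).EnableMulticast -eq 0)
    InterfacesWithNetBiosStillOn = @($stillOn)
}
```

The NetBIOS change applies to existing interfaces only; a new VPN or docking-station adapter gets NetbiosOptions 0 (follow DHCP), which is why the DHCP option mentioned in the bullet above is the durable fix for the fleet. The LLMNR policy value, by contrast, applies to every interface immediately.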

SMB signing, quick check

Get-SmbClientConfiguration | FL RequireSecuritySignature
Get-SmbServerConfiguration | FL RequireSecuritySignature

A word from Blue Fox

At Blue Fox, we aim for security that fades into the background: strong by default, simple to manage, and documented. We work alongside you to turn these principles into concrete policies, with reproducible deployments, baselines tailored to your risk, and clean automation.

#CyberSecurity #Windows11 #SMB #Quebec #Hardening #BlueFox #TPM #BitLocker #PowerShell

Verified and useful sources

