
Pro Windows Workspace

Streamline your workflow with this skill. Includes structured workflows, validation checks, and reusable patterns for Windows security hardening and auditing.

Skill | Cliptics | security | v1.0.0 | MIT

Windows Workspace Security

A security-focused skill for hardening Windows workstations, auditing Windows security configurations, and implementing defensive measures across Windows environments.

When to Use

Choose Windows Workspace when:

  • Hardening Windows workstations and servers against common attack vectors
  • Auditing Group Policy settings, registry configurations, and service permissions
  • Setting up secure development environments on Windows
  • Implementing endpoint security monitoring and logging

Consider alternatives when:

  • Working primarily with Linux systems — use Linux-specific hardening guides
  • Needing Active Directory domain-level security — use domain security tools
  • Performing offensive Windows penetration testing — use dedicated red team tools

Quick Start

```powershell
# Quick security audit of current system (run from an elevated PowerShell prompt)
Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion, OsHardwareAbstractionLayer
Get-LocalUser | Where-Object { $_.Enabled -eq $true } | Select-Object Name, LastLogon
Get-Service | Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -eq 'Running' }
```
```powershell
# Security configuration baseline check
function Get-SecurityBaseline {
    $results = @()

    # Check Windows Firewall status (one row per profile: Domain, Private, Public)
    $fw = Get-NetFirewallProfile | Select-Object Name, Enabled
    foreach ($profile in $fw) {
        $results += [PSCustomObject]@{
            Check  = "Firewall - $($profile.Name)"
            Status = if ($profile.Enabled) { "PASS" } else { "FAIL" }
            Detail = "Enabled: $($profile.Enabled)"
        }
    }

    # Check Windows Defender status. Get-MpComputerStatus needs the Defender module and
    # errors out when a third-party AV has taken over, so treat an error as a finding.
    $defender = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $results += [PSCustomObject]@{
        Check  = "Real-Time Protection"
        Status = if ($defender -and $defender.RealTimeProtectionEnabled) { "PASS" } else { "FAIL" }
        Detail = if ($defender) { "Signatures: $($defender.AntivirusSignatureLastUpdated)" } else { "Defender status unavailable" }
    }

    # Check BitLocker status (requires the BitLocker module and an elevated prompt)
    $bl = Get-BitLockerVolume -MountPoint "C:" -ErrorAction SilentlyContinue
    $results += [PSCustomObject]@{
        Check  = "BitLocker Encryption"
        Status = if ($bl -and $bl.ProtectionStatus -eq "On") { "PASS" } else { "FAIL" }
        Detail = if ($bl) { "Volume C: $($bl.ProtectionStatus)" } else { "Volume C: BitLocker status unavailable" }
    }

    # Check audit policy. Query the Logon subcategory directly: "/category:*" also prints
    # the "Logon/Logoff" category header, which a bare "Logon" match would hit first and
    # report as WARN even when the subcategory is fully audited.
    $audit = auditpol /get /subcategory:"Logon" 2>$null
    $logonAudit = $audit | Select-String '^\s+Logon\s+' | Select-Object -First 1
    $results += [PSCustomObject]@{
        Check  = "Logon Auditing"
        Status = if ($logonAudit -match "Success and Failure") { "PASS" } else { "WARN" }
        Detail = if ($logonAudit) { $logonAudit.Line.Trim() } else { "auditpol output unavailable" }
    }

    return $results
}

Get-SecurityBaseline | Format-Table -AutoSize
```

Core Concepts

Windows Security Layers

| Layer          | Components                        | Key Settings                      |
|----------------|-----------------------------------|-----------------------------------|
| Authentication | Local accounts, Credential Guard  | Password policy, MFA              |
| Authorization  | ACLs, UAC, AppLocker              | Least privilege, SRP              |
| Network        | Windows Firewall, IPSec           | Inbound/outbound rules            |
| Encryption     | BitLocker, EFS, TLS               | Drive encryption, certificates    |
| Monitoring     | Event Log, Sysmon, ETW            | Audit policies, log forwarding    |
| Updates        | Windows Update, WSUS              | Patch management cadence          |

Essential Hardening Script

```powershell
#Requires -RunAsAdministrator

# Disable unnecessary services. Telnet Client is an optional feature, not a service
# (remove it with Disable-WindowsOptionalFeature -Online -FeatureName TelnetClient).
# Windows Event Forwarding and DSC both depend on WinRM: drop it from this list on
# hosts that forward logs to a collector or pull DSC configurations.
$disableServices = @(
    "RemoteRegistry",
    "SNMP",
    "WinRM"
)
foreach ($svc in $disableServices) {
    Set-Service -Name $svc -StartupType Disabled -ErrorAction SilentlyContinue
    Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
}

# Configure local password policy: 14-char minimum, 90-day maximum age,
# 1-day minimum age, remember the last 12 passwords
net accounts /minpwlen:14 /maxpwage:90 /minpwage:1 /uniquepw:12

# Enable advanced audit logging
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable
# "Object Access" is a category, not a subcategory, so it must be set with /category:.
# It only produces events for objects that carry a SACL and is noisy when enabled
# wholesale; scope it to the subcategories you need ("File System", "Registry") in production.
auditpol /set /category:"Object Access" /success:enable /failure:enable

# Restrict PowerShell execution policy. This is a safeguard against accidental script
# execution, not a security boundary (see Common Issues below).
Set-ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

# Enable PowerShell script block logging (event 4104 in Microsoft-Windows-PowerShell/Operational)
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
New-Item -Path $regPath -Force | Out-Null
Set-ItemProperty -Path $regPath -Name "EnableScriptBlockLogging" -Value 1 -Type DWord
```
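The hardening script turns on Process Creation auditing and script block logging, but event 4688 does not record the command line until `ProcessCreationIncludeCmdLine_Enabled` is set, and neither setting proves anything until someone reads the resulting events. The following is an added example, not part of the original skill, that completes that visibility and verifies it end to end; the marker string and the `Get-RecentProcessCreation` helper are illustrative names, and the event-data field names assume a Windows 10/11 host.

```powershell
#Requires -RunAsAdministrator

# 1. Include the full command line in Security event 4688.
$auditKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -Type DWord

# 2. Make sure the subcategory is actually on (auditpol reports the effective setting,
#    which a domain GPO may have overridden since the hardening script ran).
$effective = (auditpol /get /subcategory:"Process Creation" 2>$null) -join "`n"
if ($effective -notmatch "Success") {
    auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
}

# 3. Generate a test event with an arbitrary marker so it is easy to find.
$marker = "baseline-check-" + [guid]::NewGuid().ToString("N").Substring(0, 8)
Start-Process -FilePath "cmd.exe" -ArgumentList "/c", "echo $marker" -WindowStyle Hidden -Wait

# Parse 4688 events from the last few minutes into objects (helper name is illustrative).
function Get-RecentProcessCreation {
    param([int]$Minutes = 5, [string]$Pattern = ".")
    $since = (Get-Date).AddMinutes(-$Minutes)
    Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [PSCustomObject]@{
                Time        = $_.TimeCreated
                User        = $d["SubjectUserName"]
                Parent      = $d["ParentProcessName"]
                NewProcess  = $d["NewProcessName"]
                CommandLine = $d["CommandLine"]
            }
        } | Where-Object { $_.CommandLine -match $Pattern }
}

$hit = @(Get-RecentProcessCreation -Pattern $marker)
if ($hit.Count -gt 0) {
    "4688 command-line capture OK: $($hit[0].CommandLine)"
} else {
    "No 4688 with a command line found: check the auditpol output and the registry value above"
}

# 4. Script block logging check: 4104 events carry the reconstructed script text.
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-PowerShell/Operational"; Id = 4104 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = "Script"; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } }
```

If step 3 finds the marker but `CommandLine` is empty, the registry value was applied after the process started or a GPO is overriding it; if no 4688 appears at all, the subcategory is off. Both checks are worth running again after every Group Policy refresh on domain-joined hosts.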

Configuration

| Option                    | Description                                     | Default                       |
|---------------------------|-------------------------------------------------|-------------------------------|
| enforce_password_policy   | Enforce minimum password length and complexity  | true                          |
| min_password_length       | Minimum password character count                | 14                            |
| enable_bitlocker          | Enforce BitLocker drive encryption              | true                          |
| firewall_default_action   | Default action for inbound connections          | "block"                       |
| audit_categories          | Event log audit categories to enable            | ["Logon","Process Creation"]  |
| disable_guest_account     | Disable built-in Guest account                  | true                          |
| uac_level                 | UAC notification level (1-4)                    | 4                             |
| auto_update_policy        | Windows Update configuration                    | "notify_download"             |
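The options above are only useful if something checks the live host against them. The following added example (not the skill's own enforcement code) audits four of them, and applies fixes when run with `-Enforce`. The `$config` hashtable, the `Test-Setting` helper and the UAC slider mapping (level 4 = ConsentPromptBehaviorAdmin 2 plus PromptOnSecureDesktop 1, level 1 = 0/0) are assumptions made for this example; parsing `net accounts` assumes an English-locale Windows 10/11 host.

```powershell
#Requires -RunAsAdministrator
param([switch]$Enforce)   # default is report-only

# Mirrors the defaults in the Configuration table (subset handled by this script)
$config = @{
    enforce_password_policy = $true
    min_password_length     = 14
    firewall_default_action = "block"
    disable_guest_account   = $true
    uac_level               = 4
}

# UAC slider level -> (ConsentPromptBehaviorAdmin, PromptOnSecureDesktop); EnableLUA must also be 1
$uacMap = @{ 1 = @(0, 0); 2 = @(5, 0); 3 = @(5, 1); 4 = @(2, 1) }
$uacKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Illustrative helper: records PASS/FAIL and runs the fix block only under -Enforce
function Test-Setting {
    param([string]$Name, [bool]$Ok, [string]$Detail, [scriptblock]$Fix)
    if (-not $Ok -and $Enforce -and $Fix) { & $Fix; $Ok = $true; $Detail += " (fix applied)" }
    [PSCustomObject]@{ Setting = $Name; Status = if ($Ok) { "PASS" } else { "FAIL" }; Detail = $Detail }
}

$report = @()

# min_password_length: "net accounts" prints a line such as "Minimum password length    14"
if ($config.enforce_password_policy) {
    $line = (net accounts) | Select-String "Minimum password length" | Select-Object -First 1
    $current = if ($line -and $line.Line -match "(\d+)\s*$") { [int]$Matches[1] } else { 0 }
    $report += Test-Setting "min_password_length" ($current -ge $config.min_password_length) "current=$current" {
        net accounts /minpwlen:$($config.min_password_length) | Out-Null
    }
}

# firewall_default_action: every profile must default inbound connections to Block
$want = (Get-Culture).TextInfo.ToTitleCase($config.firewall_default_action)   # "block" -> "Block"
foreach ($p in Get-NetFirewallProfile) {
    $report += Test-Setting "firewall_default_action ($($p.Name))" ($p.DefaultInboundAction -eq $want) "current=$($p.DefaultInboundAction)" {
        Set-NetFirewallProfile -Name $p.Name -DefaultInboundAction $want
    }
}

# disable_guest_account
$guest = Get-LocalUser -Name "Guest" -ErrorAction SilentlyContinue
if ($config.disable_guest_account -and $guest) {
    $report += Test-Setting "disable_guest_account" (-not $guest.Enabled) "enabled=$($guest.Enabled)" {
        Disable-LocalUser -Name "Guest"
    }
}

# uac_level: compare both registry values behind the slider
$admin  = (Get-ItemProperty $uacKey).ConsentPromptBehaviorAdmin
$secure = (Get-ItemProperty $uacKey).PromptOnSecureDesktop
$expect = $uacMap[$config.uac_level]
$report += Test-Setting "uac_level" ($admin -eq $expect[0] -and $secure -eq $expect[1]) "ConsentPromptBehaviorAdmin=$admin PromptOnSecureDesktop=$secure" {
    Set-ItemProperty $uacKey -Name ConsentPromptBehaviorAdmin -Value $expect[0] -Type DWord
    Set-ItemProperty $uacKey -Name PromptOnSecureDesktop      -Value $expect[1] -Type DWord
}

$report | Format-Table -AutoSize
```

Run it without `-Enforce` first and store the report; drift is the diff between two reports, and on domain-joined hosts a FAIL that keeps reappearing after a fix usually means a GPO is setting the value the other way.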

Best Practices

  1. Enable Sysmon with a well-tuned configuration like the SwiftOnSecurity template to capture process creation, network connections, and file modifications that the default Windows event logs miss entirely
  2. Implement application whitelisting with AppLocker on workstations handling sensitive data — this prevents unauthorized executables from running even if they pass antivirus checks
  3. Use separate admin accounts for elevated tasks rather than running daily work as a local administrator; Credential Guard isolates the secrets LSASS holds (NTLM hashes, Kerberos tickets) in a virtualization-based enclave so that tools like Mimikatz cannot read them from process memory
  4. Forward event logs to a central SIEM so that local log tampering by an attacker does not destroy evidence; prioritize Security, PowerShell, and Sysmon event channels
  5. Maintain a documented baseline configuration and use Group Policy or DSC to enforce it consistently across all workstations, checking for drift regularly
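Practice 2 is the one most often abandoned after it breaks something, so the safe rollout is audit mode first, then a review of what would have been blocked. The following is an added example (not the skill's own code) that builds publisher rules with hash fallback for the standard install roots, forces every rule collection to AuditOnly, applies the policy, and summarises the AppLocker log. The policy file location and the sample path passed to Test-AppLockerPolicy are assumptions; AppLocker enforcement is an Enterprise/Education feature, so check your edition before relying on it.

```powershell
#Requires -RunAsAdministrator
$policyFile = "C:\ProgramData\SecurityBaseline\applocker-audit.xml"   # assumed location
New-Item -ItemType Directory -Path (Split-Path $policyFile) -Force | Out-Null

# 1. Collect file information for trusted install roots (slow on large volumes).
$roots = "C:\Windows", "C:\Program Files", "C:\Program Files (x86)"
$files = foreach ($dir in $roots) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script -ErrorAction SilentlyContinue
}

# 2. Publisher rules for signed files, hash rules for the rest; -Optimize merges duplicates.
$xml = [xml](New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User Everyone -Optimize -Xml)

# 3. Force audit mode on every rule collection so nothing is blocked yet.
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = "AuditOnly" }
$xml.Save($policyFile)

# 4. Apply locally (-Merge keeps rules already present) and start the Application
#    Identity service, without which AppLocker neither audits nor enforces.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc -ErrorAction SilentlyContinue

# 5. Dry-run a file against the policy before trusting the rule set.
$sample = "$env:TEMP\unknown-tool.exe"   # assumed sample path
if (Test-Path $sample) {
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $sample -User Everyone
}

# 6. What would have been blocked: 8003 = audit-only "would block", 8004 = blocked.
function Get-AppLockerWouldBlock {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = "Microsoft-Windows-AppLocker/EXE and DLL"
        Id        = 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $e = [xml]$_.ToXml()
            [PSCustomObject]@{
                Time = $_.TimeCreated
                Id   = $_.Id
                File = $e.Event.UserData.RuleAndFileData.FilePath
            }
        } | Group-Object File | Sort-Object Count -Descending | Select-Object Count, Name
}

Get-AppLockerWouldBlock | Format-Table -AutoSize
```

Leave audit mode on for a full business cycle (month-end tooling is the classic surprise), add rules for the legitimate 8003 hits, and only then change `AuditOnly` to `Enabled` in the policy XML. Because the rule collections also cover Script, switching to enforce is what actually puts PowerShell into Constrained Language Mode for non-admin users, which is the control the execution policy only pretends to be.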

Common Issues

PowerShell execution policy bypasses: The execution policy is not a security boundary. `powershell -ExecutionPolicy Bypass`, `-EncodedCommand`, or simply piping a script into the interpreter all get around it, so treat it as a safeguard against accidental execution only. Real control comes from AppLocker or WDAC rules that restrict which scripts can run and from where; in enforce mode these also place PowerShell in Constrained Language Mode for unprivileged users. Pair that with script block logging so whatever does run is recorded.

Legacy application compatibility: Older applications often require administrative privileges or disable security features to function. Use application compatibility shims, run legacy apps in isolated VMs or containers, and document every security exception with a compensating control.

Event log overflow and gaps: Default Windows event log sizes are small (20 MB for the Security log) and rotate quickly, creating gaps in forensic coverage. Increase log sizes to at least 1 GB for the Security log, enable log forwarding to a central collector, and alert on Security events 1102 (audit log cleared) and 1100 (event logging service shut down), which are the tamper indicators an attacker leaves behind when clearing or stopping the log.
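Resizing the log is one `wevtutil` call per channel, but the number that matters is how many days each channel actually reaches back. The following added example (not the skill's own code) sets the sizes, measures the coverage window from the oldest retained event, and lists the tamper events mentioned above. The 1 GB and 256 MB figures are assumptions chosen to match the recommendation; the Sysmon channel only exists once Sysmon is installed, so missing channels are skipped.

```powershell
#Requires -RunAsAdministrator

# Target sizes per channel (assumed values; adjust to your disk budget)
$sizes = @{
    "Security"                                 = 1GB
    "Microsoft-Windows-PowerShell/Operational" = 256MB
    "Microsoft-Windows-Sysmon/Operational"     = 256MB
}

foreach ($log in $sizes.Keys) {
    if (Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue) {
        # wevtutil sl = set log; /ms: = maximum size in bytes; /rt:false = overwrite oldest as needed
        wevtutil sl "$log" "/ms:$($sizes[$log])" /rt:false
    }
}

# Coverage window: how far back the oldest retained event in each channel reaches
function Get-LogCoverage {
    param([string[]]$LogName = $sizes.Keys)
    foreach ($log in $LogName) {
        $info = Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue
        if (-not $info) { continue }
        $oldest = Get-WinEvent -LogName $log -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Log        = $log
            MaxSizeMB  = [math]::Round($info.MaximumSizeInBytes / 1MB)
            UsedMB     = [math]::Round($info.FileSize / 1MB)
            Records    = $info.RecordCount
            OldestDays = if ($oldest) { [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalDays, 1) } else { $null }
        }
    }
}

# Tamper indicators: 1102 = audit log cleared, 1100 = event logging service shut down
function Get-LogTamperEvents {
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 1100, 1102; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = "Detail"; e = { ($_.Message -split "`n")[0] } }
}

Get-LogCoverage | Format-Table -AutoSize
Get-LogTamperEvents | Format-Table -AutoSize
```

A `UsedMB` close to `MaxSizeMB` together with an `OldestDays` of a day or two means the channel is wrapping faster than the retention you need; raise the size or move the retention problem to the collector by forwarding. A 1102 on a host where no administrator cleared the log is an incident, not a housekeeping event.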
