How to create an ideal Windows 10 security setup

As with any OS, security in Windows 10 is crucial. IT must emphasize third-party software patching, malware protection and more to create truly resilient Windows 10 devices.

As more organizations upgrade from Windows 7, the time is right to think about how to create the perfect Windows 10 security setup.

To some, a secure Windows 10 means defense against malware, but to others it means full-disk encryption, limited user rights and extensive logging. IT administrators must think about the level of security they need on their Windows 10 devices. They may have enterprise desktop security standards in place, but they can't secure what they don't know about. Security starts with determining the risks, understanding compliance and contractual requirements, and figuring out how to make conditions ideal for their specific needs.

Windows 10 devices running on business networks for some time generally have predictable weaknesses involving passwords, network shares and missing patches, especially around third-party software. Even so, the built-in security features admins have at their disposal are not always good enough, so admins should take precautions to create a truly resilient Windows 10 security setup.

Where to start

Many Windows 10 devices, especially laptops, are not connected to a domain, which makes it more difficult to rein in their systems and sensitive information because admins cannot manage them with Group Policy Objects (GPOs). As a result, the first step toward a secure Windows 10 setup is for admins to connect the devices to a Windows domain so they can push out and enforce the necessary GPOs. Admins should also fully monitor the OS, application and security logs on Windows 10 devices.

Encryption is crucial

BitLocker or a third-party full-disk encryption product is also key to a quality Windows 10 security setup. Admins should enable encryption on all drives, especially if users work with laptops.

From a compliance standpoint, admins should be sure they can show they encrypted every endpoint in the event of an incident or breach. They can do so with a centrally managed disk encryption system such as Microsoft BitLocker Administration and Monitoring or a third-party product. If they can prove encryption, they can save a tremendous amount of time, money and effort because they don't have to send out compliance-related breach notifications.
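As an added example (not part of the original article), the following PowerShell collects per-volume BitLocker evidence on a single endpoint, the kind of record a central system would aggregate. The output path and the definition of "compliant" used here are assumptions; it also flags the case where a volume is fully encrypted but protection is suspended.

```powershell
#Requires -RunAsAdministrator
# Added example: record BitLocker state for every volume on this endpoint.
# Get-BitLockerVolume is part of the built-in BitLocker module.

$evidencePath = Join-Path $env:TEMP 'bitlocker-evidence.csv'   # hypothetical output location

$report = Get-BitLockerVolume | ForEach-Object {
    $vol = $_
    # List the protector types (Tpm, RecoveryPassword, ...) without exposing any secrets.
    $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','

    # Assumed compliance rule: fully encrypted, protection on, at least one key protector.
    # A volume can be FullyEncrypted while ProtectionStatus is Off (suspended), in which
    # case the key is stored in the clear on disk and the volume is not actually protected.
    $compliant = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                 ($vol.ProtectionStatus -eq 'On') -and
                 ($protectors.Length -gt 0)

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        CollectedUtc     = (Get-Date).ToUniversalTime().ToString('o')
        MountPoint       = $vol.MountPoint
        VolumeType       = $vol.VolumeType
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        PercentEncrypted = $vol.EncryptionPercentage
        EncryptionMethod = $vol.EncryptionMethod
        KeyProtectors    = $protectors
        Compliant        = $compliant
    }
}

# Keep a timestamped record that can be produced after an incident.
$report | Export-Csv -Path $evidencePath -NoTypeInformation -Append

# Show anything that would not stand up as proof of encryption.
$report | Where-Object { -not $_.Compliant } |
    Format-Table MountPoint, VolumeStatus, ProtectionStatus, KeyProtectors -AutoSize
```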

Passwords and lock screens

Encryption does not get admins out of the woods completely. Two problems can break an otherwise solid Windows 10 security setup: weak passwords and unlocked screens. The latter happens either because users fail to lock their screens or because screensavers don't time out and lock the screens automatically.

Fortunately, both problems are fairly easy to solve. First, admins should enforce strong password practices, including setting minimum password length and complexity standards. They should also use multifactor authentication for the OS or at least for critical business applications and systems. Next, admins should enable secure sign-in on users' Windows 10 devices. With secure sign-in, users must press Ctrl+Alt+Delete before signing into their desktops, which prevents them from turning the lock screen off.
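To check whether these settings are actually in effect on a device, the added example below (not from the original article) reads the effective password policy with `secedit` and the secure sign-in and inactivity-lock values from the registry. The two thresholds and the scratch file name are assumptions to replace with your own standard.

```powershell
#Requires -RunAsAdministrator
# Added example: audit password and lock-screen settings on one endpoint.
$MinLength      = 14    # assumed minimum password length
$MaxIdleSeconds = 900   # assumed longest idle time before the machine locks

# Export the effective security policy and parse the simple "Name = Value" lines.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'   # hypothetical scratch file
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$policy = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(\w+)\s*=\s*(.+)$') { $policy[$Matches[1]] = $Matches[2].Trim() }
}
Remove-Item $cfg -Force

# "Interactive logon" policies are stored under this key when set by GPO or local policy.
$sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -ErrorAction SilentlyContinue
$disableCad = $sys.DisableCAD              # 0 = Ctrl+Alt+Delete required at sign-in
$idleLimit  = $sys.InactivityTimeoutSecs   # missing or 0 = machine never locks on idle

$checks = @(
    [pscustomobject]@{
        Check = 'Minimum password length'
        Value = $policy['MinimumPasswordLength']
        Pass  = ([int]$policy['MinimumPasswordLength'] -ge $MinLength)
    }
    [pscustomobject]@{
        Check = 'Password complexity enabled'
        Value = $policy['PasswordComplexity']
        Pass  = ($policy['PasswordComplexity'] -eq '1')
    }
    [pscustomobject]@{
        Check = 'Secure sign-in (Ctrl+Alt+Delete) enforced by policy'
        Value = $disableCad
        Pass  = ($disableCad -eq 0)        # a missing value counts as not enforced
    }
    [pscustomobject]@{
        Check = 'Machine inactivity lock'
        Value = $idleLimit
        Pass  = ($idleLimit -gt 0 -and $idleLimit -le $MaxIdleSeconds)
    }
)
$checks | Format-Table -AutoSize
```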

Protect critical data

Admins must protect personally identifiable information (PII) and intellectual property. As much as users want to believe they don't have anything of value on their Windows 10 devices, there's plenty of gold for hackers to mine. In fact, the files users store on their devices are often the only copies that exist, which is not good, especially if a hard drive fails or ransomware gets into their systems. As a result, admins must ensure that proper backups are in place.

Next, admins must protect all the information going out to the cloud. They can combine data loss prevention and PII discovery and management software, such as the Spirion Data Platform line of products, with cloud access security brokers from vendors such as Skyhigh Networks to protect users' most sensitive records.

Don't overlook third-party software

Third-party patches must be under control. Too many shops rely on Windows Server Update Services and System Center Configuration Manager for patching but ignore third-party software such as Java and Adobe Reader. That's a core reason criminal hackers have the upper hand. To fight back, admins should invest in a patch management tool that can patch all the software.

Look for more than Windows Defender

Strong malware protection beyond the built-in Windows Defender is often the missing link in a Windows 10 security setup. Microsoft's product is good and often catches problems that would go undetected, but third-party products such as the cloud-based Webroot antimalware and Carbon Black's whitelisting can create extremely resilient Windows 10 devices that can stand up to advanced malware and the worst user decisions.
