When you install Windows 11, it is already reasonably well protected against attacks. However, there are some settings you can change after installation to prevent various attacks from being carried out.
When we think of an attack on a Windows 11 computer, we often think of an attack that is launched from the internet. An outside attack is very likely.
What network administrators in particular must take into account is that an attack can also be carried out from within. An attack from the internal network or a domain is very common, especially in ransomware attacks.
It is therefore good to consider the following adjustments to make Windows 11 even better protected against online attacks and internal network attacks.
Tips to protect Windows 11 from attacks
Set a complex password
If you log in to Windows 11 with a password, set a complex password. Use a tool to generate a strong password, then change the password in Windows 11.
- Open the settings.
- Click on Accounts.
- Then click Sign-in options.
- Now click on Password and click on the change button to set a complex password.
If you have not yet set a password, set one. When an account is created in Windows 11, most people are logged in to Windows 11 automatically.
Also read: Log in with PIN code in Windows 11.
Disable automatic login
If you are the only one who has set up a user account on a Windows 11 PC, this user account will be logged in automatically. This is not desirable from a security perspective. You can disable automatic login.
Open the Windows registry. Go to the following key:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device
Double-click the “DevicePasswordLessBuildVersion” value and change this value to “0”. Click OK and close the Windows registry.
Now right-click on the Start button. In the menu click on Run. In the run window type: netplwiz
Enable the option “Users must provide a username and password to use this computer.” Click Apply and then OK. Close the app.
All user accounts must now log in before they can use the Windows 11 PC. Automatic login is now disabled.
Enable Windows firewall
The Windows firewall is enabled by default. However, it is recommended to check whether the firewall is indeed enabled. The Windows firewall filters all incoming and outgoing connections. If specific rules are set, the connections they cover are blocked. To prevent an attack, the standard rules must at least be applied, so enabling the firewall is something to consider.
Right-click on the Start button. In the menu click on Run. In the run window type: firewall.cpl
Click on “Turn Windows Defender firewall on or off” on the left.
Check whether the Windows Defender firewall is enabled for each type of network. If not, consider enabling the firewall. Click OK to confirm.
Also read: Block or allow apps in Windows firewall.
Disable Remote Desktop
Remote Desktop is a feature on a Windows PC that allows users to log in to the PC remotely. Remote Desktop opens some ports on the PC that can be exploited in attacks. Therefore, if you do not use Remote Desktop, you may want to consider disabling this feature.
- Open the settings.
- Click on System on the left.
- Then click Remote Desktop.
- Change remote desktop to “off”.
- Click confirm to disable Remote Desktop on the Windows 11 PC.
Check for new updates
Regularly checking for updates should be standard practice. Windows 11 does install updates automatically, but I recommend checking every week whether new updates are available and installing them. This prevents “0-day” attacks and ensures you get new functionality.
- Open the settings.
- Click on Windows Update on the left.
- Click “check for updates” to install the latest Windows 11 updates.
Also read: Install optional updates or drivers in Windows 11.
Microsoft Security Compliance Toolkit
This set of tools allows enterprise system administrators to download, analyze, test, edit, and save Microsoft's recommended core security configurations for Windows and other Microsoft products. These can be compared to other security configurations.
Download Microsoft Security Compliance Toolkit
I encourage you to read up on what this is all about and what you can do with it.
Encrypt data with BitLocker
Windows 11 Professional comes with a feature called BitLocker to encrypt data on the hard drive. If the data is encrypted, only the administrators with the key can decrypt the data.
You can encrypt a partition on your hard drive with BitLocker. Your computer must meet a number of requirements. In any case, Windows 11 Professional must be installed. Windows 11 Home does not offer BitLocker functionality.
In addition, the PC must have a TPM chip.
If your computer does not have a TPM, you can use BitLocker without TPM.
Read more about how to enable BitLocker and encrypt data.
Check app permissions
In Windows 11, several apps require permissions to use certain functionality. You can manage these permissions. It is advisable to check for each authorization which apps use it. Some apps may have permission for functionality that you don't use. You can then revoke this authorization.
- Open the settings.
- On the left click on “Privacy and security”.
- Navigate down to “App permissions”.
- Click on a permission, for example “Camera”.
You will now see which apps have access to the camera. You can grant or revoke this authorization per app.
You can also disable the permission entirely. This is useful, for example, if you don't want to allow any app to use the camera at all.
In this case, the camera is one example of a permission. Under “App permissions” you will find different types of permissions; check them all if necessary.
User Account Control (UAC)
User Account Control (“UAC”) is a feature in Windows 11 that notifies users when they open apps that are going to make changes to the system. It offers the user the option to allow or block changes. Think of it as an intermediate step when opening apps or scripts.
Verify that User Account Control is set to the desired level. There are different levels of User Account Control, each with its pros and cons. You can read about them in the settings.
Open Control Panel. Then click on “System and Security”.
Click “Change User Account Control Settings”.
Select the desired notification level for user account control by dragging the slider up for more notifications and down for fewer notifications. Click OK to confirm the level.
Enable memory integrity
Memory integrity in Windows 11 is a security feature that prevents dangerous drivers identified by Microsoft from taking over your computer. Enabling this feature protects your PC from old or potentially dangerous drivers that can be installed by potentially dangerous apps.
- Open the settings.
- Click on “Privacy and security”.
- Click on “Windows security”
- Then click on “Open Windows Security”.
- In the “Windows Security” settings, click on “Device Security”.
- In the “Core isolation” settings click on “Core isolation details”.
- Change “Memory Integrity” to “On”. The computer needs to be restarted.
Read here about core isolation in Windows 11.
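The settings from the sections above (automatic login, firewall, Remote Desktop, UAC, memory integrity and BitLocker) can also be checked from an elevated PowerShell window. The script below is an added example, not part of the original article: the helper names Get-RegValue and New-Finding are made up for it, and the registry locations and the Win32_DeviceGuard class it reads are standard Windows settings that the article itself does not list.

```powershell
# Added example: read-only audit of settings covered on this page (nothing is changed).
# Run in an elevated PowerShell session on Windows 11.
function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}
function New-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail }
}
$findings = @()

# Automatic login: AutoAdminLogon=1 signs a stored account in at boot, and a
# DefaultPassword value in this key holds that password in plaintext.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$auto = Get-RegValue $winlogon 'AutoAdminLogon'
$plain = $null -ne (Get-RegValue $winlogon 'DefaultPassword')
$findings += New-Finding 'Automatic login disabled' (($auto -ne '1') -and -not $plain) "AutoAdminLogon=$auto; plaintext DefaultPassword=$plain"

# Firewall: every profile (Domain, Private, Public) should be enabled.
foreach ($p in Get-NetFirewallProfile) {
    $findings += New-Finding "Firewall on ($($p.Name))" ("$($p.Enabled)" -eq 'True') "Enabled=$($p.Enabled)"
}

# Remote Desktop: fDenyTSConnections=1 means incoming RDP connections are refused.
$deny = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
$findings += New-Finding 'Remote Desktop disabled' ($deny -eq 1) "fDenyTSConnections=$deny"

# UAC: EnableLUA=0 switches UAC off; ConsentPromptBehaviorAdmin=0 elevates without a prompt.
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = Get-RegValue $uac 'EnableLUA'
$consent = Get-RegValue $uac 'ConsentPromptBehaviorAdmin'
$findings += New-Finding 'UAC prompts active' (($lua -eq 1) -and ($consent -ne 0)) "EnableLUA=$lua; ConsentPromptBehaviorAdmin=$consent"

# Memory integrity: SecurityServicesRunning contains 2 when HVCI is running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$findings += New-Finding 'Memory integrity running' ($dg.SecurityServicesRunning -contains 2) "SecurityServicesRunning=$($dg.SecurityServicesRunning -join ',')"

# BitLocker: the cmdlet is absent on editions without BitLocker, hence try/catch.
try { $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop } catch { $vol = $null }
$findings += New-Finding 'BitLocker protects system drive' ("$($vol.ProtectionStatus)" -eq 'On') "ProtectionStatus=$($vol.ProtectionStatus)"

$findings | Format-Table -AutoSize -Wrap
```

Any row with Ok = False points back to the matching section above; the script only reads values, so the changes themselves are still made through the steps described there.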
Protect your computer with software
To optimally protect your computer against attacks, you need to install software. This could be a good antivirus, but also an anti-malware package. In my experience, anti-malware provides better protection against a variety of attacks, for example against phishing websites and annoying advertising networks that try to persuade you to install malware.
A good anti-malware package, also great in combination with an antivirus package, is Malwarebytes. I recommend trying Malwarebytes. Read more about Malwarebytes.
I hope this helped you. Thank you for reading!
Also read: Make Windows 11 faster.
Just downloaded Windows 11. Now I get a message that I have to enable memory integrity, but when I do that the PC says that it is not possible. I don't understand, is my PC not safe now?
Hello, your computer is safe and protected by Windows Defender (antivirus). Memory integrity is part of Windows Defender, but sometimes conflicts with certain installed drivers. If you cannot enable memory integrity, there is a conflict. To remove this conflict you need to uninstall the driver; this is quite technical, so I wouldn't recommend it. Again, your computer is safe, there is just one particular component ("memory integrity") that is not working. Here you can read more: https://support.microsoft.com/nl-nl/windows/apparaatbescherming-in-windows-beveiliging-afa11526-de57-b1c5-599f-3a4c6a61c5e2
Success!