
Hardening Your Windows PC and Creating a Rescue Toolkit

Windows has detected you do not have a keyboard. Press "F9" to continue.

Occasionally, despite taking all the necessary precautions, your system may crash (for example, after a buggy update), or it may become infected and locked by a virus or other malware that prevents it from starting normally.

Hardening workstations is an important part of reducing this risk. By following these hardening best practices, you can significantly improve the security of your Windows systems and protect against a wide range of cyber threats.

  1. Create a rescue USB drive that combines a bootable Windows recovery drive, system backup, and multiple rescue utilities on one stick.

  2. If your computer or laptop holds important, private, or sensitive files, you should encrypt the entire drive. Encryption makes your data unreadable, so that only authorized parties can access and read it. Enable BitLocker encryption: Settings, Privacy & security, Device encryption, and toggle it on. Alternatively, go to Control Panel, System and Security, BitLocker Drive Encryption, and click the Turn on BitLocker option. Next, select how to save the recovery key: Save to your Microsoft account (it is convenient, but not safe; if your Microsoft account is compromised, attackers can decrypt your drive), Save to a file/USB drive, print it, or use a trusted password manager like KeePass or Bitwarden (offline storage). You will then be prompted to choose how much of your drive to encrypt (Encrypt entire drive) and the encryption mode (Compatible mode). Select the Run BitLocker system check option and click the Continue button.

  3. Malware Protection & Windows Security.

  4. Privacy Settings & Management.

  5. Create a System Restore Point in Windows 11.

  6. Clone Your Windows 11 Disk to an NTFS Drive Using Clonezilla.

  7. Remove Unnecessary Software and use portable apps when possible. Disable unused services and uninstall software that’s not needed, reducing potential vulnerabilities.

  8. Enforce secure passwords. Use password managers to store and manage all your passwords.

  9. Regularly apply security patches and updates to address known vulnerabilities.

  10. Disable Remote Access: If remote access isn’t needed, disable it to reduce the potential for unauthorized access.
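To confirm that the BitLocker steps in item 2 took effect, the following added example (not part of the original page) checks the system drive from an elevated PowerShell session. It assumes the BitLocker PowerShell module that ships with Windows editions supporting BitLocker, and it prints only the recovery protector ID so you can match it against the key you saved.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell session.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

$findings = @()
if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    $findings += "Volume is $($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted."
}
if ($vol.ProtectionStatus -ne 'On') {
    $findings += 'Protection is off or suspended, so the volume key is not protected.'
}

# A RecoveryPassword protector is the 48-digit recovery key saved in item 2.
$recovery = @($vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($recovery.Count -eq 0) {
    $findings += 'No recovery password protector: there is no recovery key to fall back on.'
}

[pscustomobject]@{
    MountPoint       = $vol.MountPoint
    VolumeStatus     = $vol.VolumeStatus
    ProtectionStatus = $vol.ProtectionStatus
    # Compatible mode is AES-CBC (Aes128/Aes256); the new mode reports XtsAes128/XtsAes256.
    EncryptionMethod = $vol.EncryptionMethod
    Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
    # Show only the protector ID, never the recovery password itself.
    RecoveryKeyIds   = ($recovery.KeyProtectorId -join ', ')
} | Format-List

if ($findings.Count) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'BitLocker: system drive is encrypted, protected, and has a recovery key.'
}
```

The ID shown under RecoveryKeyIds should match the identifier stored alongside the recovery key you saved or printed.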

Malware Protection & Windows Security

The Windows Security app is a built-in tool in Windows that helps manage your device’s security. Let’s leverage Windows built-in tools to safeguard your system against malware and unauthorized access. Press Win + S (Start menu) and search for Windows Security. Review the dashboard for security status at a glance. Address any items marked with yellow or red warnings.

Microsoft Defender is the anti-malware component of Microsoft Windows. It is one of the most effective tools for eliminating threats and viruses on your computer. Enable it: Settings, Privacy & Security, Windows Security, Virus and Threat Protection, Virus and Threat Protection - Manage settings, and turn on the Real-time protection switch.

Let me insist: ensure real-time protection is enabled. Go to Virus & Threat Protection settings, Manage settings, and toggle on Real-time protection, Cloud-delivered protection (provides increased and faster protection with access to the latest protection data in the cloud), and Tamper protection, which prevents others (malware) from tampering with important security features, e.g., disabling protections.

The Device Security section in Windows Security helps manage built-in security features. It includes Core Isolation (it helps keep your device safe by protecting the Windows Kernel), Memory Integrity, and Secure Boot. Go to Settings, navigate to Privacy & security, Windows Security, Device security.

Activate Ransomware Protection. It blocks ransomware from encrypting critical folders (e.g., Documents, Pictures). Go to Settings, Privacy & Security, Windows Security, Virus and Threat Protection, Manage Ransomware Protection, and toggle on Controlled folder access (it blocks unfriendly apps from modifying your files and data). Make sure that you add all your important files and directories by clicking on Protected Folders. In addition, allow the apps you trust that need to modify a controlled folder (e.g., backup software): Allow an app through Controlled folder access, Add an allowed app.

Reputation-based protection is a security feature that helps safeguard your PC from potentially unwanted applications and malicious software. It works by evaluating the reputation of apps, downloads, and websites using Microsoft’s extensive threat intelligence network. Go to Settings, navigate to Privacy & security, Windows Security, App & browser control, click on Reputation-based protection settings and toggle on the settings to enable Potentially unwanted app blocking.

Secure Sign-In Options. Prevent unauthorized account access. Open Settings, go to Accounts. Click on Sign-in options. Review Windows Hello settings, set up facial recognition, fingerprint, or a PIN. Enable Dynamic lock (Allow Windows to automatically lock your Bluetooth device when you’re away).

Firewall & Network Protection. Block unauthorized inbound/outbound traffic.

  1. Enable Firewall for All Networks. Settings, Privacy & Security, Windows Security, Firewall & network protection, ensure Domain, Private, and Public networks are protected. If you don’t have any other firewall running on your system, you should turn on the Windows Defender firewall. If the firewall is off, you will see a red x icon; click the Turn on button to turn on the firewall. The red x icon will turn into a green check.
  2. Allow an app through firewall. Click Allow an app through firewall and customize permissions for specific applications, e.g., barrier Open source KVM software service, Private and Public, Path: C:\Program Files\Barrier\barriers.exe.
  3. Use Windows Defender Firewall with Advanced Settings to create custom inbound/outbound rules.

Additional Best Practices.

  1. Regular Scans. Run Quick Scan daily or weekly and Full Scan monthly under Windows Security, Virus & Threat Protection, Scan Options.
  2. Check for updates under Windows Security, Virus & Threat Protection updates to get the latest malware signatures. You should see the message Security intelligence is up to date.
  3. Review Account Permissions in Settings, Accounts, Family. Remove unused accounts and enforce Standard User roles for daily use.
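The settings enabled in this section can be audited in one pass instead of clicking through each page. The script below is an added example, not part of the original page; it uses the built-in Defender and NetSecurity cmdlets from an elevated PowerShell session, and the 7-day signature age threshold is an assumption you can adjust.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell session.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

$checks = [ordered]@{
    'Real-time protection'              = [bool]$status.RealTimeProtectionEnabled
    'Tamper protection'                 = [bool]$status.IsTamperProtected
    # MAPSReporting: 0 = off, 1 = basic, 2 = advanced
    'Cloud-delivered protection'        = ($pref.MAPSReporting -ne 0)
    # 0 = off, 1 = on (block); other values are audit or partial modes
    'Controlled folder access'          = ($pref.EnableControlledFolderAccess -eq 1)
    # 0 = off, 1 = on (block), 2 = audit only
    'Potentially unwanted app blocking' = ($pref.PUAProtection -eq 1)
    # Threshold of 7 days is an assumption, not a value from the page.
    'Signatures at most 7 days old'     = ($status.AntivirusSignatureAge -le 7)
}

# Domain, Private and Public profiles should all be enabled.
foreach ($fw in Get-NetFirewallProfile) {
    $checks["Firewall ($($fw.Name) profile)"] = ($fw.Enabled -eq 'True')
}

$report = foreach ($name in $checks.Keys) {
    [pscustomobject]@{ Setting = $name; Ok = $checks[$name] }
}
$report | Format-Table -AutoSize

# Folders and apps added by hand under Controlled folder access
# (built-in defaults such as Documents may not be listed here).
'Extra protected folders:'
@($pref.ControlledFolderAccessProtectedFolders) | ForEach-Object { "  $_" }
'Apps allowed through Controlled folder access:'
@($pref.ControlledFolderAccessAllowedApplications) | ForEach-Object { "  $_" }

$failed = @($report | Where-Object { -not $_.Ok })
if ($failed.Count) {
    Write-Warning "$($failed.Count) setting(s) need attention: $($failed.Setting -join '; ')"
}
```

Review the allowed-apps list periodically: every entry there can write to your protected folders.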

Privacy Settings & Management

  1. Disable/Enable Location Services: Open Settings, navigate to Privacy & security, Location. Toggle Location services on/off to control global location access. Under the same Location settings, scroll down to Let apps access your location to manage permissions for individual applications.
  2. Camera & Microphone Access. Open Settings, navigate to Privacy & Security, Camera. Toggle Camera access on/off to control system-wide access. Below this toggle, manage individual app permissions under Let apps access your camera. Similarly, open Settings, navigate to Privacy & Security, Microphone. Toggle Microphone access on/off to control system-wide access. Below this toggle, manage individual app permissions under Let apps access your microphone.
  3. Audio Device Management. To set default devices: Open Settings, navigate to System, Sound to select your preferred Output and Input devices. For advanced options, click More sound settings.
  4. Control data collection for personalized features. Open Settings, navigate to Privacy & Security, Search Permissions, and under History, toggle off Search history on this device to stop Windows from storing your search history locally. Under Search history in the cloud, click Privacy dashboard. Sign in to your Microsoft account to control what activity data Microsoft collects across all your devices.
  5. Delete diagnostic data. Open Settings, navigate to Privacy & Security, Diagnostics & feedback, and set Diagnostic data and Send optional diagnostic data to off. Finally, click Delete diagnostic data, Delete to remove data that has already been collected.
  6. App Permissions. Open Settings, navigate to Privacy & Security, App permissions. Review each category and revoke unnecessary permissions.
  7. Advertising Preferences. Open Settings, navigate to Privacy & Security, toggle off Recommendations & offers and Inking & typing personalization.

How to Create a System Restore Point in Windows 11

System Restore is a feature in Windows that allows you to revert your computer's state (including system files, installed applications, Windows Registry, and system settings) to that of a previous point in time where your computer was working fine.

  1. Ensure System Protection is Enabled. Click the Start button, type create a restore point and click on the Create a restore point result from the Control Panel. Under Protection Settings, look at your system drive (e.g., Local Disc C: System).
  2. Create a System Restore Point. Open System Properties. Under the System Protection tab, ensure your system drive (e.g., Local Disc C: System) has “Protection” set to On. Click the Create… button, and give it a description to help you identify the restore point, e.g., W11InitialSetup.
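The same two steps can be scripted and verified. This is an added example, not part of the original page; it assumes Windows PowerShell 5.1 running elevated (these cmdlets are not available in PowerShell 7) and reuses the W11InitialSetup description from step 2. Windows normally allows only one scripted restore point per 24 hours, so the script confirms that a new one really exists.

```powershell
# Added example (not from the original page).
# Run in an elevated Windows PowerShell 5.1 session.
$drive       = "$env:SystemDrive\"
$description = 'W11InitialSetup'

# Step 1: make sure System Protection is on for the system drive.
Enable-ComputerRestore -Drive $drive

# Remember the newest existing restore point so we can detect a new one.
$existing = @(Get-ComputerRestorePoint)
$before = if ($existing.Count) {
    ($existing | Measure-Object -Property SequenceNumber -Maximum).Maximum
} else { 0 }

# Step 2: create the restore point.
Checkpoint-Computer -Description $description -RestorePointType MODIFY_SETTINGS

# Verify: a restore point with a higher sequence number and our description.
$latest = Get-ComputerRestorePoint |
    Sort-Object SequenceNumber |
    Select-Object -Last 1

if ($latest -and $latest.SequenceNumber -gt $before -and
    $latest.Description -eq $description) {
    Write-Output "Restore point #$($latest.SequenceNumber) '$description' created."
} else {
    # Typical cause: another restore point was created within the last 24 hours.
    Write-Warning 'No new restore point was created. Check the 24-hour limit and System Protection.'
}
```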

How to Clone Your Windows 11 Disk to an NTFS Drive Using Clonezilla

  1. Requirements. A bootable USB drive with Clonezilla, your Windows 11 system disk, and an external hard disk or USB stick formatted as NTFS with enough space to hold the image.
  2. Prepare BIOS Settings, disable Secure Boot (Lenovo ThinkStation P3 Ultra Mini). Press the power button, then immediately start pressing F1 to enter BIOS Setup. Navigate to Security, Secure Boot, and set it to Disabled. Optionally, go to Boot, Boot Mode and set it to Legacy Support or CSM Enabled if available. Save changes and exit (F10).
  3. Boot Into Clonezilla. Power on your computer, immediately press F12 to open the Boot Menu, and select your USB flash drive to boot from.

    Your laptop or desktop may use a key other than F12. Try escape, delete, F1 or even F9.

  4. Boot menu of Clonezilla live. Boot the machine from the Clonezilla live CD/USB and choose Clonezilla live (VGA 800x600). Select the language (e.g., en_US.UTF-8 English) and keyboard layout: at Change keyboard layout?, choose keep. The default keyboard layout is the US keyboard. Then, at Start Clonezilla or enter login shell (command line)?, select Start Clonezilla.
  5. Choose device-image to save the disk as an image file because we do not want direct disk-to-disk clone.
  6. Mount the NTFS External Drive so Clonezilla can use it to store the image. When prompted, select the device where the Clonezilla image will be saved. It will be mounted as /home/partimag. Choose local_dev to use a local device (e.g., external drive, USB drive) as the image storage location. Plug in your NTFS-formatted external drive (e.g., sda Samsung SSD M.2 500GB) if it is not already connected. Clonezilla will scan for devices. Once you see the device you have inserted shown in the status, press Ctrl-C to exit this window. Select the correct partition (e.g., sda1 | ntfs | BackupWindows) to mount as /home/partimag. Before mounting the device sda1, Clonezilla offers a file system check: choose no-fsck Skip checking/repairing the file system before mounting, and confirm the mounting point (/dev/sda1).
  7. Choose Image Location. Choose the directory where you want to store the image, e.g., Current selected dir name: “/”. Path on the resource: /dev/sda1 [/].
  8. Choose the mode to run the following wizard about advanced parameters. Beginner mode: Accept the default options is recommended for most users.
  9. Opensource Clone System: Select mode. Choose savedisk Save_local_disk_as_an_image – the whole disk- and type the name for the saved image, e.g., W11_2025_image.
  10. Select the Source Disk (Choose local disk as source, meaning your Windows 11 disk) for a full disk backup, e.g., nvme0n1 | SKHynixHFS001… where nvme0n1 is my primary NVMe (Non-Volatile Memory Express) solid-state drive installed in my Lenovo ThinkStation P3 Ultra Mini, SKHynix is an SSD manufacturer, and HFS001… is part of the model number.
  11. Choose the compression option: -z9p zzstdmt_compression_(Very fast and small image like gzip for multicore/CPU).
  12. Clonezilla advanced extra parameters. Choose Skip checking/repairing source file system. I typically say no to check and repair the file system. Then, Clonezilla will ask if you want to check the saved image for restorability; I usually say “Yes, check the saved image” to this because it’s useful to know if the image is going to work OK.
  13. Do you want to encrypt the image? (with a passphrase): Choose -senc Not to encrypt the image. It depends on your own security needs. I typically encrypt these images, but you might not feel your data requires this level of security.
  14. Wait for completion, shut down, and safely remove your external disk.

PortableApps

  1. Download and install PortableApps.com from its official website.
  2. Start the installer and accept the terms of the agreements.
  3. Install Type. Choose New Install to install a new copy of the PortableApps.com Platform to your local PC, cloud drive, or portable device.
  4. Install Location. Select Portable - install to a portable device (a USB stick).
  5. Select which portable device you would like to install to, e.g., D:\, and click Install to start the installation. Then, check Run PortableApps.com Platform and click Finish.
  6. Select the portable apps you would like to install.

JustToThePoint Copyright © 2011 - 2025 Anawim. ALL RIGHTS RESERVED.