This publication provides guidance on how to securely configure Microsoft Windows 10 version 1709 workstations. It is also applicable to servers using Microsoft Windows Server version 1709 and Microsoft Windows Server 2016.
First published 2017; Latest version April 2019
Workstations are often targeted by an adversary using malicious web pages, emails with malicious attachments and removable media with malicious content in an attempt to extract sensitive information. Hardening workstations is an important part of reducing this risk.
This document provides guidance on hardening workstations using Enterprise and Education editions of Microsoft Windows 10, version 1709. Some Group Policy settings used in this document may not be available or compatible with Professional, Home or S editions of Microsoft Windows 10, version 1709.
While this document refers to workstations, most Group Policy settings are equally applicable to servers (with the exception of domain controllers) using Microsoft Windows Server, version 1709, or Microsoft Windows Server 2016. The names and locations of Group Policy settings used in this document are taken from Microsoft Windows 10, version 1709; some differences exist for earlier versions of Microsoft Windows.
Before implementing recommendations in this document, thorough testing should be undertaken to ensure the potential for unintended negative impacts on business processes is reduced as much as possible.
This document is intended for information technology and information security professionals within organisations looking to undertake risk assessments or vulnerability assessments as well as those wishing to develop a hardened standard operating environment for workstations.
Organisations or individuals with questions regarding this advice can contact the ACSC by emailing email@example.com