One of the most common causes of a computer becoming infected with malware is the user calling up an infected file (e.g. email attachments infected with malware). However, calling up a corrupted website that delivers malware to visitors and attempts to exploit vulnerabilities in the browser, operating system or external applications (such as Java or Flash) and smuggle in harmful code also poses a great danger. Due to the high prevalence of Windows operating systems, the risk of malware and unauthorised intrusion into the IT system is comparatively high.

This information page supplements and concretises the general best practices for improving IT security with typical security requirements specifically under Windows 10 workstations (Enterprise Edition, version 1809 to 1909), with Mozilla Firefox as web browser (instead of e.g. Microsoft Edge) and Windows Defender Antivirus as real-time scanning engine against malware (instead of e.g. Sophos Antivirus), deviating from the standard configuration for this version.

Content overview

• Update and patch management
• Deactivating unnecessary functions
• Protection from malware
• Protection of credentials and sesseions
• Network compartmentalisation and connection security
• Hard drive encryption (BitLocker)
• Securing remote desktop access (forwarding to the University of Rostock).
  Note: The guide is largely general-purpose, but may contain information that does not apply to the University of Ulm.

For configuration recommendations on the topics of data protection and privacy, please refer to the "gp-pack PaT – Privacy and Telemetry" by Mark Heitbrink. The recommendations mentioned here supplement these. Many of the recommendations in the gp-pack PaT also serve IT security. It should be borne in mind that some settings, although more protective of the user's privacy, may have a detrimental effect on IT security or convenience. Therefore, the potential impact of configuration recommendations must always be critically placed in the context of one's own requirements and prerequisites. The identified, potentially problematic settings are discussed at the respective points and deviating or supplementary recommendations are made.

The specific protective measures required on a Windows 10 computer can only be determined by knowing the actual circumstances and the goals and objectives to be achieved (protection requirements). At this point, a selection of measures is suggested that are typically suitable and appropriate for this operating system. If necessary, proposed measures must still be adapted to the respective framework conditions. When reviewing the recommendations, it may become apparent that some of them are dispensable or uneconomical under the specific framework conditions. This may be the case, for example, if the corresponding hazards against which the measures are intended to protect are already effectively minimised by other measures.

Threats should be reduced to an acceptable level as far as possible by technical IT security measures. Threats that cannot be effectively averted by technical means, but where it is left to the individual behaviour and judgement of the user to make the right decisions at the right time, must be reduced by appropriate training.

Although not all of the measures described can be implemented in one's own context or additional or more restrictive measures are required in a specific case due to an increased need for protection of the processed data, these recommendations can be used as a checklist or starting point. However, they are no substitute for a precise understanding of the technical and organisational interrelationships involved in securing and operating a PC client, as their application requires in-depth knowledge. In addition, information security is to be understood as a process and requires constant vigilance and efforts to adapt the measures to any changes in the risk situation.