A “Hardened Windows” Configuration
This configuration requires reliable AV/AM protection, a minimum of two partitions/logical drives (a “%SystemDrive%” and a Data drive), and two removable external drives. All data must be kept separate from the operating system, out of harm’s way, on a separate partition/logical drive.
Data should be duplicated (copied or imaged) to an external drive, cloud storage, or both — at least daily. Having two separate HDDs/SSDs for this separation is better than partitioning a single large drive, though this is not always possible on a laptop or micro-PC. The external drives (via drive dock, eSATA, or USB) are necessary to keep your images offline and secure. Connect an external drive only for backup, and disconnect it when backups are complete.
Two external drives are required for redundancy to achieve full “Hardened Windows” status. Both should be connected only during backups, then disconnected. A library of images going back at least three months is recommended. For maximum security, disconnect your broadband modem during imaging and reconnect afterward.
Data Management & User Folders
Windows 10/11 allows relocating the contents of most user folders to another logical drive. Right-click a folder → Properties. If a Location tab appears, the folder is movable. For my primary system, I created all necessary folders in the Users logical drive, then used each folder’s Location tab to point to the new path (Windows can auto-create folders, but I preferred to create them manually).
Moving most programs and user data off the system drive allows Windows to run comfortably in a 100GB partition. Avoid running routinely as an Administrator — use a Standard User account daily, and sign into the Administrator profile only when necessary.
Security & Stealth
Visit ShieldsUp at Gibson Research to test your machine’s online vulnerabilities. Both my desktop and NAS achieve a perfect “TruStealth” rating:
“Not a single packet — solicited or otherwise — was received from your system… your system ignored and refused to reply to repeated Pings. From the standpoint of passing probes, this machine does not exist on the Internet.”
To facilitate total stealth during imaging, disconnect your modem before imaging, then reconnect after completion. Storing at least one backup off-site is highly recommended.
My Backup Schedule
Every Saturday night, I disconnect my router from the modem. At 2:00 AM Sunday, Task Scheduler creates drive images on a dedicated 1TB internal drive. At 4:00 AM, RoboCopy copies those images to my NAS (which remains online but offline from user access). On Sunday morning, I:
- Connect a 3TB HDD to the dock on my NAS,
- Remote into the NAS and copy the images to that external drive,
- Swap it with a second 3TB drive, and repeat.
These two external drives are then stored safely away. My system maintains:
- Four weeks (28 days) of images on the desktop’s internal 1TB drive,
- Eight weeks on the NAS,
- Twelve weeks on the rotating external drives.
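The 4:00 AM copy step and the four-week local retention described above could be scripted as follows. This is an added example, not the author's own script; the drive letter, NAS share name and log path are assumptions, and the log folder must already exist.

```powershell
# Added example: copy images to the NAS, verify the copies, then prune locally.
# All paths and names below are assumptions, not values from the article.
$Source   = 'E:\Images'              # hypothetical dedicated internal image drive
$Dest     = '\\NAS\Images'           # hypothetical NAS share
$Log      = 'E:\Logs\image-copy.log' # hypothetical log file
$KeepDays = 28                       # four weeks kept on the internal drive

# /Z = restartable copy, /R and /W bound the retries, /NP keeps the log readable.
# No /MIR or /PURGE: the NAS holds a longer history than the source does.
robocopy $Source $Dest /E /Z /R:3 /W:30 /NP "/LOG+:$Log"
$rc = $LASTEXITCODE

# Robocopy exit codes are a bitmask; 8 or higher means at least one copy failed.
if ($rc -ge 8) {
    Write-Error "Robocopy failed with exit code $rc; nothing pruned."
    exit 1
}

# Compare the SHA-256 of every local image file with its copy on the NAS.
$bad = 0
Get-ChildItem -Path $Source -File -Recurse |
    ForEach-Object {
        $rel  = $_.FullName.Substring($Source.Length).TrimStart('\')
        $copy = Join-Path $Dest $rel
        if (-not (Test-Path -LiteralPath $copy)) {
            Write-Warning "Missing on NAS: $rel"; $bad++; return
        }
        $h1 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        $h2 = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
        if ($h1 -ne $h2) { Write-Warning "Hash mismatch: $rel"; $bad++ }
    }
if ($bad -gt 0) {
    Write-Error "$bad image file(s) failed verification; nothing pruned."
    exit 1
}

# Only after a verified copy: remove local images older than the retention window.
$cutoff = (Get-Date).AddDays(-$KeepDays)
Get-ChildItem -Path $Source -File -Recurse |
    Where-Object { $_.LastWriteTime -lt $cutoff } |
    Remove-Item -Force
```

A matching hash shows only that the copy on the NAS is intact; it does not show that the image will restore.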
Automation & Software
A system image should be created at least monthly — ideally weekly, early Sunday mornings — and stored externally. Imaging software can be automated via Task Scheduler. I use Terabyte’s Image for Windows (commercial), which supports scheduled imaging natively. Macrium Reflect Free also supports scheduling and background imaging.
Most tools can generate a rescue/boot USB/CD (required for OS restore, since the OS can’t be restored while running). Terabyte’s tool can integrate into the Windows Recovery Environment, enabling restore even if Windows boots but is compromised.
Optimizing System Drive Size
While not essential for hardening, a third partition for Program Files reduces system drive size and imaging time. Many programs (excluding Office and a few others) allow installation to a non-system drive.
My OS partition is only 100GB; it images in under 6 minutes and restores in under 3.
Trust & Validation
If you lack full confidence in your imaging software, your system isn’t hardened. Trust is built only through successful restoration. Mounting and viewing an image is insufficient — only restoring it proves reliability.
A “Hardened Windows” setup requires faith that your imaging tool will perform flawlessly when needed, enough that you can download and install updates without hesitation.