A “Hardened Windows” configuration
requires at minimum two partitions/logical drives (a “%SystemDrive%”, and a Data drive), and two removable external drives. All data must be kept separate from the operating system, out of harm’s way, on a separate partition/logical drive. Data should be duplicated (copied or imaged) to an external drive, cloud storage or both at least daily. Having two separate HDD’s/SSD’s for this separation is better than partitioning a single large HDD/SSD, but this is not always possible on a laptop or Micro-PC. The external drives (drive dock, eSATA or USB connection) are necessary in order to keep your drive images offline and secure. Connect an external drive only for backup purposes, and disconnect it when those are completed. Two external drives are for redundancy, a requirement to be considered fully Hardened Windows, and should be connected for backup purposes only, then disconnected. A library of images going back at least three months is recommended. For even greater security, one could take one's broadband modem offline during the imaging process, then reconnect after completion. Offline storage of drive images/data backups is the only storage considered truly protected.
For Users folders/files, Windows 10/11 has the option of relocating the contents of most of the User folders to a different logical drive or HDD/SSD. Right-click the folder and select Properties. If it has a location tab, the contents are moveable. For my primary installation I set up all the pertinent folders in my Users logical drive for each user, then went through each folder's location tab and navigated to the new location in my Users logical drive (Windows will create the new location folders for you, but I chose to create them myself). Moving most programs and Users data to separate logical drives allows Windows to live quite comfortably in a 100GB logical drive. I advise never run routinely as a member of the Administrators group; run routinely as a Standard User, and leave the Administrators group profile signed off except for those specific purposes which require being signed in as a member of that group.
I also advise a visit to ShieldsUp at Gibson Research to check your machine’s online vulnerabilities. Both my desktop and my NAS test out at “a perfect “TruStealth” rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to “counter-probe the prober”, thus revealing themselves. But your system wisely remained silent in every way. Very nice.” That’s comforting, but not a guarantee. To facilitate total stealth while creating drive images, first disconnect your modem from its cable/DSL input, then reconnect after all imaging tasks have been completed and your offline storage drives safely tucked away. Having one drive stored off-site is highly recommended.
Every Saturday night after I sign off, I disconnect my router from my modem. At 2:00AM Sunday morning, with my machine signed off and offline, Task Scheduler creates a set of drive images on an internal 1TB drive dedicated for image files. At 4:00AM, Task Scheduler runs a RoboCopy script to copy those drive images through my router to a folder on my signed-off NAS. On Sunday morning, I plug a 3TB HDD into the dock on top of my NAS, RDP to my NAS and initiate a RoboCopy script to copy those same image files to the docked external HDD. When that copy is finished, I remove that HDD from the dock, replace it with another 3TB HDD, and repeat. Those two external HDD’s are then stored safely away, and I can reconnect my router to my modem. I have one month (four sets) of drive images on the internal drive in my desktop, two months of drive images on my NAS, and three months of drive images on my external HDD’s.
An image of at least the system drive should be created no less than once per month, before the second Tuesday of the month (Patch Tuesday) to an external drive. Weekly drive images early Sunday morning are my preference. Drive imaging can be (and in my case is) setup via Task Scheduler for most imaging software. I use Terabyte’s Image for Windows (not free) which supports this natively. Macrium Reflect 7 Free Edition supports this as well, and I’m reasonably certain that other free imaging software can also be setup using Task Scheduler. Many also support creating a drive image in the background while the PC/laptop remains available for normal use. This can be handled by Task Scheduler as well. I emphasize Task Scheduler because I often forget things, but Task Scheduler does not. If you are using eSATA/USB drives, you can use a calendar appointment to popup and remind you when to plug it in.
A rescue/boot disc/USB thumb drive is also a requirement, as the Windows partition cannot be restored from within Windows; the operting system must be offline to restore an operating system drive image. I surmise that all free imaging software has the capability of creating bootable rescue media. Terabyte’s Image for Windows can also be incorporated into the Windows Recovery Environment partition, and I’m reasonably certain others can, as well. This allows restoring an OS image without resorting to a rescue/boot disc/USB thumb drive if the PC is still bootable but otherwise compromised by some issue.
Not absolutely necessary for hardening Windows, but facilitating ease of use, is a third partition/logical drive for Program Files. Many programs (but not Office and some others) offer the option of installation to a drive other than C:. Everything that can be moved off the system drive makes for a smaller system drive image, more quickly created/restored. My OS is in a 100GB partition. It can be imaged and validated in under six minutes, and restored in under three minutes.
In my view, if one doesn’t have complete trust in the imaging software of one’s choice, Windows isn’t fully hardened. The only way to fully establish that trust is to actually restore a drive image. Simply mounting an image, viewing it and saying, “That looks good” does not convey the same level of trust as committing to a complete restoration of an image. One must have that level of trust in order to download and install Windows Updates as soon as they are made available, without concern. Having a “Hardened Windows” installation requires complete trust that one’s imaging software will perform as advertised if needed.