Hardening your OS: Windows, macOS, Linux

A CISO sends me their company’s Windows hardening baseline: 220 items, committee-approved, signed off by the CTO. Item 1: disable SMBv1. Item 47: disable PowerShell v2. Item 89: set a screensaver timeout. All correct. Except the CEO still uses their local admin account for daily work and their password is “Summer2024!”. The checklist was perfect. The security was not.

The common trap

CIS Benchmarks, Microsoft Security Baselines, ANSSI guides — these are compliance documents. They catalog a set of configurations that are known to be better than defaults. They are not threat models. Applied without thinking, they create the illusion of work done while missing the controls that actually matter.

The typical failure pattern: an organization spends three months applying 180 CIS items, during which no one verifies that automatic updates are enabled, that users don’t all have local admin rights, and that unsigned Office macros are blocked. Those three things — simple, ignored — are worth ten times more than the 180 items combined against 90% of real attacks.

What actually changes the attack surface

There are five controls that, by themselves, block the vast majority of attacks we see in practice. Everything else is useful at the margins but secondary.

1. Standard user account for daily work

This is probably the highest-impact and least-applied control. Working as admin means any malware that executes in your user context inherits your privileges. A weaponized PDF opened from an admin account installs ransomware silently. Opened from a standard account, it can at most corrupt your personal files — not the system.

On Windows: create a separate standard account for daily work, keep the admin account for installations. On macOS: same logic, though management differs slightly with sudo. On Linux: this is already the default on any serious distribution — don’t break it by granting sudo rights without timeout.

2. Automatic updates, without exception

Based on available data on real-world attack vectors, over 80% of compromises exploit vulnerabilities for which a patch had existed for more than 30 days. The average adversary is not looking for zero-days — they are looking for machines that haven’t been updated since last quarter.

Windows Update in automatic mode. macOS with “Install Automatically” checked for OS and app updates. On Linux: unattended-upgrades on Debian/Ubuntu, dnf-automatic on Fedora/RHEL.

3. Disk encryption with passphrase

See the dedicated article. In summary: FileVault or BitLocker active alone is not enough — you need a PIN or passphrase, not just TPM.

4. Application firewall active

The OS-level firewall blocks unsolicited inbound connections. That is a minimum. Beyond that, application-layer firewall tools (LuLu on macOS, Windows Firewall with outbound rules) let you see and block unauthorized outbound connections — useful for detecting malware trying to reach a command-and-control server.

5. Gatekeeper / SmartScreen in strict mode

On macOS, Gatekeeper in “App Store and identified developers” mode (the default since Catalina). Don’t disable it to install a sketchy app downloaded from a forum. On Windows, SmartScreen at its maximum settings — and don’t click “Run anyway” out of habit.

By OS: additional controls that are actually worth it

Windows

UAC at maximum level: yes, it is annoying. Yes, it protects. Always notify rather than Notify only when apps try to make changes.

Windows Defender with ASR rules enabled: Attack Surface Reduction rules are massively underused. Rules worth enabling: block child processes created by Office applications, block obfuscated scripts, block executables in temp folders. Enable via GPO or Intune.

Unsigned Office macros blocked: go into the Trust Center settings of each Office app and select “Disable all macros except digitally signed macros.” Macros in Word documents received by email remain an active attack vector in 2026.

AppLocker or Windows Defender Application Control: lets you define rules on what executables, scripts, and DLLs are allowed to run. Initial deployment in audit mode (log without blocking) for 2-3 weeks to identify false positives, then switch to enforce mode. Requires Windows Enterprise or Education.

macOS

Standard account for daily work: same logic as Windows. Create a separate admin account for installations, use a standard account for work. On macOS, admin password prompts appear for system actions even from a standard account.

Gatekeeper strict mode + SIP intact: never disable SIP (System Integrity Protection) for anything. SIP protects system directories from modification even by root. Some tutorials will ask you to “temporarily” disable it — do not.

Objective-See tools: Patrick Wardle (ex-NSA) maintains a suite of free tools specific to macOS.

• LuLu: an application firewall that prompts you when a new outbound connection is attempted. Blocks malware phoning home.
• BlockBlock: monitors common persistence mechanisms (LaunchAgents, LaunchDaemons, cron) and alerts when something tries to install itself.
• KnockKnock: inventory of everything configured to run at startup. Run it after installing software to see what was added.

Lockdown Mode for high-risk profiles: this mode disables or restricts a set of features that have been exploited in targeted attacks (Pegasus and similar). Concretely: disables WebKit JIT (slows browsing), restricts link previews in iMessage, blocks wired connections to unknown devices when locked, disables certain WebRTC APIs. Real ergonomic cost — some web apps become slower, a few features disappear. Appropriate for journalists, activists, executives, or anyone who believes they have a targeted espionage threat profile.

Linux

Linux security depends heavily on the distro, the desktop environment, and who administers the machine.

sudo with short timeout: by default, sudo retains privileges for 15 minutes after authentication. Reduce to 5 minutes or disable the cache with Defaults timestamp_timeout=0 in /etc/sudoers.

AppArmor / SELinux active: do not disable them. Debian/Ubuntu distributions use AppArmor by default. RHEL/Fedora use SELinux. These mandatory access control systems are one of the reasons Linux resists local exploits better than Windows in many configurations.

Auto-updates: unattended-upgrades on Ubuntu with security package notification. Test the config with unattended-upgrades --dry-run before enabling.

Things people do that don’t actually help

Disabling Bluetooth “for security”: Bluetooth has had serious vulnerabilities (BlueBorne, BIAS, etc.). Disabling it when you don’t need it is a reasonable surface reduction measure. It is not a magic security control — a determined attacker with physical or network access won’t be stopped by the absence of Bluetooth.

VPN always on “for security”: a VPN protects your traffic on untrusted networks (public Wi-Fi, hotel). On your home or corporate network, it does nothing against the threats you’re imagining it covers. See the dedicated VPN article.

Renaming the admin account: security by obscurity. An attacker with system access reads the account list in two seconds. Renaming “Administrator” to “JohnSmith” delays no one.

Disabling PowerShell: PowerShell is a legitimate administration tool. Disabling it creates administration problems without blocking attackers — they will use cmd.exe, WScript, or something else. The right approach is constrained language mode or script signing, not disabling.

Qubes OS: who is it actually for?

Qubes OS is an operating system based on Xen (a hypervisor) that runs all applications in isolated VMs — one VM for the browser, one for email, one for sensitive documents. A compromise in one VM does not give access to the others.

It is architecturally the most solid workstation solution available. It is also the most demanding: a real learning curve, limited hardware compatibility (not all laptops), some apps refuse to run or are difficult to integrate, reduced performance. Appropriate for investigative journalists, security researchers, or people with a very high threat profile who have the time to invest in adoption.

Common mistakes

Using the admin account for daily work: still. We see this in 70% of workstation audits. It is the simplest to fix and the most frequent.

CIS benchmark applied without a threat model: disabling SMBv1 on a laptop that never does network sharing accomplishes nothing. Applying a baseline without understanding why each item is there produces false confidence.

Manual updates “when I get around to it”: in practice, never within 30 days. Automatic updates are the simplest and highest-impact control.

Ignoring Gatekeeper / SmartScreen alerts: “I know what I’m doing, I’ll ignore the warning.” One too many “Run anyway” clicks is all it takes.

• N1 Use a standard user account for daily work (not admin)
• N1 Enable automatic OS and application updates
• N1 Verify FileVault or BitLocker is active with PIN/passphrase
• N1 Enable the OS firewall (macOS firewall, Windows Defender Firewall)
• N2 Install LuLu (macOS) or configure Windows Firewall with outbound rules
• N2 Block unsigned Office macros
• N2 Enable Windows Defender ASR rules (Office child processes, obfuscated scripts)
• N2 Install BlockBlock + KnockKnock for macOS persistence monitoring
• N2 Deploy AppLocker in audit mode first, then enforce on sensitive Windows machines
• N3 Enable Lockdown Mode on iPhone and Mac for high-risk profiles
• N3 Evaluate Qubes OS for highly exposed profiles with the technical skills to use it
• N3 Audit sudo usage and AppArmor/SELinux on Linux workstations