Windows 11 Hardening for High-Risk Offensive Security Workstations

By Equipe Basilisk

Battle-tested Windows 11 hardening recipe with ASR, Credential Guard, AppLocker and WDAC deployed across Basilisk offensive analyst laptops.

A compromised pentester workstation is a regulatory nightmare: client SSH keys, captured credentials, signed payloads and NDA-bound reports all share the same disk. At Basilisk OffSec we treat every Windows 11 laptop as a hostile endpoint until proven otherwise. This note documents the baseline we have been running in production since March 2026: ASR rules in block mode, Credential Guard with reinforced VBS, AppLocker for the user-mode perimeter and WDAC for the kernel. It is not pretty to configure, but it measurably shrank the attack surface we mapped in "AMSI and ETW Bypass for Defensive Research: What Blue Teams Should Know" during our own internal exercises.

We start with hardware. We require active TPM 2.0, Secure Boot with custom keys, DMA protection enabled and firmware running Intel Boot Guard or AMD Platform Secure Boot depending on the vendor. Without that foundation, any software policy is theater. The standard laptop is a ThinkPad P14s Gen 5 or Surface Laptop 7, both with SSDs encrypted in XTS-AES 256 via BitLocker and a pre-boot PIN of at least 8 digits. The recovery key lives in an offline team vault, never in a Microsoft account. If you want to compare this with Linux, we wrote "Linux Server Hardening: Applying CIS Benchmark Without Breaking Production" using the same operational standard.

Credential Guard and VBS are the first software layer we enable through Group Policy: Device Guard, Virtualization Based Security, Secure Launch and HVCI are mandatory. In parallel, LSASS runs as PPL with RunAsPPL=1 in the registry and access auditing on. In internal testing this broke vanilla mimikatz, comgost and comsvcs.dll dumps without needing an EDR. LSA Protection blocked 100 percent of injection attempts we replayed from "Windows Persistence: 10 Documented Techniques and Their Countermeasures". The cost: about 4 percent CPU overhead on heavy Rust compile workloads, measured against our custom Sliver build pipeline.

ASR (Attack Surface Reduction) comes next and is where most teams hesitate. We enable all 16 rules in block, not audit. Yes, this breaks Office macros, WMI child processes, obfuscated script execution and untrusted USB. We keep a separate OU called 'OffSec-Tools' where some rules stay in audit for the lab box of researchers running Caldera, as described in "Adversary Emulation with Caldera and MITRE ATT&CK in a Corporate Lab". For the rest of the fleet, rule D4F940AB-401B-4EFC-AADC-AD5F3C50688A (block Office child processes) alone killed 73 percent of the initial access vectors we simulated via "Simulated Initial Access: Macros, LNK and ISO in an Isolated Windows 11 Lab".

AppLocker and WDAC sit in different layers. AppLocker controls user-mode with publisher and path allowlists, ideal for blocking the suspicious ZIP a user just dropped into Downloads. WDAC controls kernel and drivers through a signed policy using our EV certificate, with the Microsoft Recommended Block Rules imported in January 2026. We generate the base policy with New-CIPolicy in audit mode for 30 days, collect event IDs 3076 and 3077, refine and only then promote to enforce. The result: vulnerable drivers cataloged on loldrivers.io, including those used in evasion routines we covered in "EDR Evasion for Research: Direct Syscalls Explained Without the Hype", simply do not load. Only binaries signed by MS, Lenovo and our internal hashes run.

Defender goes in as the last layer with Tamper Protection, Cloud Block Level high, PUA on block, Network Protection enabled and Controlled Folder Access covering Documents, Desktop and the reports directory. We pipe the events into our Sigma plus Elastic pipeline described in "Threat Hunting with Sigma and Elastic: From Indicator to Detection Rule", focused on alerts for WDAC policy modification, service creation via sc.exe and LSASS handle access with 0x1010. Over 90 days running this stack on 47 workstations we had zero confirmed compromises and 12 high-signal alerts, two of which were real drive-by attempts during bug bounty engagements.

Practical takeaway: do not try to flip every switch at once. Run 30 days in audit, ship the logs to a SIEM, tune minimal exclusions and only then move to block. Document each exclusion with a ticket, an owner and a quarterly review date. Hardening that nobody revisits rots in six months. If you are starting from scratch today, enable in this order: BitLocker with PIN, Credential Guard, LSA PPL, ASR in block, AppLocker, WDAC audit, WDAC enforce. Each step on its own already pays for the work.
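
One way to check where a single workstation stands against the rollout order above, as an added example that is not Basilisk's own tooling: a read-only PowerShell audit run from an elevated prompt. It assumes the built-in Defender, BitLocker and AppLocker modules and the standard Lsa registry key for RunAsPPL; the helper name Test-Layer is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of each layer in the rollout order; changes nothing.
function Test-Layer([string]$Name, [scriptblock]$Check) {
    try   { $ok = [bool](& $Check) }
    catch { $ok = $false }   # a missing cmdlet, key or property counts as a failure
    [pscustomobject]@{ Layer = $Name; Pass = $ok }
}

$mp = Get-MpPreference
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
# Map ASR rule GUID -> action (0 = off, 1 = block, 2 = audit, 6 = warn).
$asr  = @{}
$ids  = @($mp.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
$acts = @($mp.AttackSurfaceReductionRules_Actions)
for ($i = 0; $i -lt $ids.Count; $i++) { $asr[$ids[$i]] = $acts[$i] }
$officeChildRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'   # rule ID quoted in the article

$results = @(
    Test-Layer 'BitLocker: XTS-AES 256 with TPM+PIN' {
        $v = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $v.ProtectionStatus -eq 'On' -and $v.EncryptionMethod -eq 'XtsAes256' -and
            [bool]($v.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'TpmPin' })
    }
    Test-Layer 'VBS running'              { $dg.VirtualizationBasedSecurityStatus -eq 2 }
    Test-Layer 'Credential Guard running' { $dg.SecurityServicesRunning -contains 1 }
    Test-Layer 'HVCI running'             { $dg.SecurityServicesRunning -contains 2 }
    Test-Layer 'LSASS RunAsPPL (1 = UEFI lock, 2 = no lock)' {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction Stop).RunAsPPL -in 1, 2
    }
    Test-Layer 'ASR: Office child-process rule in block' { $asr[$officeChildRule] -eq 1 }
    Test-Layer 'ASR: every configured rule in block' {
        $asr.Count -gt 0 -and @($asr.Values | Where-Object { $_ -ne 1 }).Count -eq 0
    }
    Test-Layer 'AppLocker: AppIDSvc running, effective policy has rules' {
        (Get-Service -Name AppIDSvc -ErrorAction Stop).Status -eq 'Running' -and
            (Get-AppLockerPolicy -Effective -ErrorAction Stop).RuleCollections
    }
    Test-Layer 'WDAC: audit or enforce' { $dg.CodeIntegrityPolicyEnforcementStatus -ge 1 }
    Test-Layer 'WDAC: enforce'          { $dg.CodeIntegrityPolicyEnforcementStatus -eq 2 }
    Test-Layer 'Defender: Tamper Protection'        { (Get-MpComputerStatus).IsTamperProtected }
    Test-Layer 'Defender: cloud block level High+'  { $mp.CloudBlockLevel -ge 2 }
    Test-Layer 'Defender: PUA in block'             { $mp.PUAProtection -eq 1 }
    Test-Layer 'Defender: Network Protection block' { $mp.EnableNetworkProtection -eq 1 }
    Test-Layer 'Defender: Controlled Folder Access' { $mp.EnableControlledFolderAccess -eq 1 }
)
$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }   # non-zero exit for fleet tooling
```

During the 30-day audit phase the ASR and "WDAC: enforce" rows are expected to fail; the value of the script is seeing exactly which layers a given machine has reached.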
