
Secure commissioning of a Windows PC according to BSI IT baseline protection

Note: This practical checklist is based on BSI IT Baseline Protection (Modernization) and common best practices. Adapt the items to your protection requirements assessment and your ISMS. Additionally, requirements of Regulation (EU) 2024/2847 (Cyber Resilience Act) and IEC 62443 are taken into account. The operator is responsible for compliance with the applicable regulations and standards.

  • 1. Secure installation

    • Enable UEFI, enable Secure Boot, update firmware/BIOS
    • Enable TPM 2.0
    • Set a custom BIOS/UEFI administration password (do not use the default password)
    • Install the latest version of Windows (preferably from a verified, current ISO/Golden Image)
    • Install device drivers from a trusted source (signed packages)
    • Perform the first system update (Windows Update, optional quality updates)
  • 2. System hardening (IT Baseline Protection building block SYS)

    • Local accounts: rename/disable the built-in administrator account; create individual admin accounts
    • Set strong passwords/passphrases and account lockout policies
    • Principle of least privilege; separate admin and user accounts
    • Minimize services and features: remove unnecessary roles/features, disable unnecessary services
    • Disable insecure protocols and ciphers (SSLv2/v3, TLS 1.0/1.1, RC4, 3DES)
    • Remote access: allow RDP only via gateway/VPN, require NLA and encryption; disable Telnet and SMBv1
    • PowerShell Remoting: allow only restricted access and signed scripts; set script execution policies
    • Enable application control (AppLocker or Windows Defender Application Control)
    • Macro and script policies: signed macros only, Protected View
    • Enforce SMB signing and encryption according to policy (SMBv3)
    • Enable the firewall; restrict incoming rules on a whitelist principle
    • Use MFA for privileged access
    • Use BitLocker with TPM + PIN or Network Unlock; store recovery keys securely
    • Consider data protection/GDPR: telemetry, log data, protection requirements, deletion concept
    • Physical security: chassis locks, port covers, tamper-proof installation
    • Enable Microsoft Defender Antivirus/EDR; keep signatures up to date; enable cloud-delivered protection
    • Activate Attack Surface Reduction (ASR) rules
    • Activate Exploit Protection (DEP, ASLR, Control Flow Guard)
    • Manage Windows Updates via WSUS/Intune or another central solution
    • Patch third-party software (browser, Java, PDF reader, runtimes)
    • Regularly check manufacturer information regarding security updates
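A read-only audit of several of the hardening items above, added here as an example; it is not part of the BSI checklist or of this page's original text. It assumes an elevated PowerShell 5.1 or later session on Windows 10/11 with the built-in SecureBoot, TrustedPlatformModule, SmbShare, NetSecurity, BitLocker, Defender and AppLocker modules, and uses the standard Windows registry paths for RDP and SCHANNEL; nothing is modified.

```powershell
# Added example, not part of the BSI checklist: read-only audit of selected
# checklist items on the local machine. Assumes an elevated PowerShell 5.1+
# session on Windows 10/11; no setting is modified.
function Test-Item {
    param([string]$Item, [scriptblock]$Check)
    try   { $r = & $Check; [pscustomobject]@{ Item = $Item; Pass = [bool]$r.Pass; Detail = $r.Detail } }
    catch { [pscustomobject]@{ Item = $Item; Pass = $false; Detail = "check failed: $($_.Exception.Message)" } }
}
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tlsBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$results = @(
  Test-Item 'Secure Boot enabled' { $s = Confirm-SecureBootUEFI; @{ Pass = $s; Detail = "SecureBoot=$s" } }
  Test-Item 'TPM present and ready' { $t = Get-Tpm
      @{ Pass = ($t.TpmPresent -and $t.TpmReady); Detail = "Present=$($t.TpmPresent) Ready=$($t.TpmReady)" } }
  Test-Item 'Built-in Administrator (RID 500) disabled' {
      $a = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }   # survives a rename
      @{ Pass = (-not $a.Enabled); Detail = "Name=$($a.Name) Enabled=$($a.Enabled)" } }
  Test-Item 'SMBv1 off, SMB signing required' { $c = Get-SmbServerConfiguration
      @{ Pass = (-not $c.EnableSMB1Protocol -and $c.RequireSecuritySignature)
         Detail = "SMB1=$($c.EnableSMB1Protocol) RequireSigning=$($c.RequireSecuritySignature)" } }
  Test-Item 'RDP requires NLA' {
      $v = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
      @{ Pass = ($v -eq 1); Detail = "UserAuthentication=$v" } }
  Test-Item 'TLS 1.0/1.1 server-side disabled' {
      # A missing key or Enabled<>0 means the protocol is not explicitly disabled.
      $open = foreach ($p in 'TLS 1.0', 'TLS 1.1') {
          $e = (Get-ItemProperty -Path (Join-Path $tlsBase "$p\Server") -Name Enabled -ErrorAction SilentlyContinue).Enabled
          if ($e -ne 0) { $p } }
      $d = if ($open) { "not disabled: $($open -join ', ')" } else { 'both disabled' }
      @{ Pass = (-not $open); Detail = $d } }
  Test-Item 'Firewall on, inbound blocked by default (all profiles)' {
      $p = Get-NetFirewallProfile
      $weak = $p | Where-Object { -not $_.Enabled -or $_.DefaultInboundAction -ne 'Block' }
      @{ Pass = (-not $weak); Detail = ($p | ForEach-Object { "$($_.Name)=$($_.Enabled)/$($_.DefaultInboundAction)" }) -join ' ' } }
  Test-Item 'BitLocker on system drive' { $b = Get-BitLockerVolume -MountPoint $env:SystemDrive
      @{ Pass = ($b.ProtectionStatus -eq 'On'); Detail = "Protection=$($b.ProtectionStatus) Protectors=$($b.KeyProtector.KeyProtectorType -join ',')" } }
  Test-Item 'Defender real-time + cloud protection, ASR rules in block mode' {
      $s = Get-MpComputerStatus; $pref = Get-MpPreference
      $blocked = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count  # 1 = Block
      @{ Pass = ($s.RealTimeProtectionEnabled -and $pref.MAPSReporting -ne 0 -and $blocked -gt 0)
         Detail = "RealTime=$($s.RealTimeProtectionEnabled) MAPS=$($pref.MAPSReporting) ASRblock=$blocked" } }
  Test-Item 'AppLocker rules present and AppIDSvc running' {
      $xml = [xml](Get-AppLockerPolicy -Effective -Xml)
      $rules = @($xml.AppLockerPolicy.RuleCollection.ChildNodes).Count
      $svc = (Get-Service AppIDSvc).Status
      @{ Pass = ($rules -gt 0 -and $svc -eq 'Running'); Detail = "rules=$rules AppIDSvc=$svc" } }
)
$results | Format-Table -AutoSize
```

A failed check reports the underlying error in the Detail column rather than aborting, so a machine without UEFI, TPM or AppLocker still produces a complete table to compare against the checklist.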
  • Further information

    • BSI IT Baseline Protection Compendium: Building Blocks for Systems (SYS), Networks (NET), Applications (APP), and Operations (OPS)
    • BSI TR-02102: Cryptographic Methods
    • BSI TR-03116: Recommendations for the Use of Transport Layer Security
    • Regulation (EU) 2024/2847 – Cyber Resilience Act (CRA), in particular Annex I and Annex II
    • Directive (EU) 2022/2555 – NIS-2 Directive
    • IEC 62443: Industrial Communication Networks – IT Security
    • Microsoft Security Baselines and CIS Benchmarks for Windows