Microsoft’s revised hardware specifications for the upcoming Windows 11 release on October 5 don’t change the fact that I’m stuck on Windows 10 for most of the machines in my network. Microsoft has expanded its testing application to include a few more processors that support Windows 11 (Intel Core X-series, Xeon W-series, and some Intel Core 7820HQ), but the end result is the same: We will have a mixed network of Windows 10 and Windows 11 machines going forward.

I’m used to tracking no more than two sets of patches: Windows 10 for the bulk of the network and a few isolated Windows 7 Extended Security Updates for older machines kept for specific purposes. I will have to get used to patching and maintaining more operating systems.

It might require years of infrastructure upgrades before we can take advantage of Windows 11’s many security features, but the idea that we are missing out is a bit presumptuous. Windows 11 protections like virtualization-based security, Hypervisor-protected code integrity, and Secure Boot enabled by default might need new hardware and specific licensing to be fully implemented. They might also need Active Directory or Azure Active Directory infrastructure that your network is not ready for.

Upgrading your way to the latest security features never was a good idea. It’s best to have a plan of attack and a plan for upgrading. Upgrades can be done over time with a risk-based process, not merely by aging out hardware as we did in the past. Consider taking these steps now to protect your network from attacks.

Review default browser and web application dependencies

If you still rely on JavaScript or cannot perform updates that remove Adobe Flash from your browsers because of video presentation applications that rely on it, evaluate why you rely on older browser technologies that put your workstations at risk.
Review internal applications and their reliance on older browser technologies, and focus your resources on removing those dependencies. If your internal web apps still rely on Internet Explorer, it’s time to review and possibly redesign them. Rather than spending money on Windows 11 hardware upgrades, consider internal web application upgrades first.

Review how you deploy Windows 10

Review Microsoft’s security baseline recommendations or Microsoft 365 Secure Score options. Test whether you can deploy workstations that block Link-Local Multicast Name Resolution (LLMNR), NetBIOS, Web Proxy Auto-Discovery (WPAD), and LM hash storage by default. Legacy applications might need these outdated name resolution standards. Test to see if you can disable these older, less secure methods. If you cannot disable them now, make it a goal to do so soon. Attackers can use these legacy lookups to harvest authentication credentials by forcing machines to send NTLMv2 password hashes. Additionally, if you don’t have SMB signing enabled, attackers can relay SMB connections.

Disable LLMNR by using Group Policy, or Intune in more modern deployments. Open gpedit.msc and go to “Computer Configuration”, then “Administrative Templates”, then “Network”, then “DNS Client”. Set “Turn Off Multicast Name Resolution” to “Enabled”.

NetBIOS can’t be disabled directly via Group Policy, but you can use a PowerShell script to deactivate it.

The WPAD protocol is a method clients use to locate the URL of a proxy configuration file through DHCP or DNS discovery. To disable WPAD, turn off the automatic proxy configuration settings option in Internet Explorer. In Group Policy, expand “User Configuration”, then “Administrative Templates”, then “Windows Components”, then “Internet Explorer”, and configure the “Disable changing Automatic Configuration settings” setting.
Alternatively, you can explicitly configure a WPAD entry yourself, so that an attacker cannot poison it.

Review Active Directory forest level

Ensure that it has been raised to Server 2008 or higher. If you are on a lower forest level, you may still have LM hash values stored in your network. Once again in Group Policy, expand “Computer Configuration”, then “Windows Settings”, then “Security Settings”, then “Local Policies”, then “Security Options”, and enable “Network security: Do not store LAN Manager hash value on next password change”.

Review your password policy length and increase the minimum to at least 12, and preferably 16 or more, characters. Urge users to use a password manager for their personal passwords, and offer a firm-wide tool for your internal processes. Too often we reuse the same passwords across many websites, and attackers can crack a password from one database and then reuse that hash value in another.

Review macro use

Adjust the macro settings in your Office deployments accordingly. Macros introduce great risk into a network, and only users who need them should have the ability enabled. CISecurity.org recommends using Group Policy to disable Office macros where the role does not need them.

Review two-factor authentication for internal processes and external applications

Especially if you are still using on-premises workstations and servers, two-factor solutions can add protection and keep your network more secure.

Bottom line: relying on and waiting for Windows 11 to better secure your network will leave your network at risk. Review what you can do now to better secure your network.
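To check where a Windows 10 host stands on the settings walked through above (LLMNR, NetBIOS, WPAD auto-detect, LM hash storage and SMB signing), here is an added audit script that is not part of the original article. It reads the registry values that the corresponding Group Policy settings write and, with -Remediate, sets the hardened values locally; the registry paths are the well-known policy-backed locations, and a domain GPO remains the right way to deploy them fleet-wide.

```powershell
<#
  Audit (and optionally remediate) legacy name-resolution and authentication
  settings on a Windows 10 host. Run from an elevated PowerShell prompt.
  Added example, not from the article: local registry checks mirroring the GPO settings.
#>
[CmdletBinding()]
param([switch]$Remediate)

# Each check: the registry location the policy writes and the hardened value.
$Checks = @(
  @{ Name='LLMNR disabled (Turn Off Multicast Name Resolution)'
     Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'; Key='EnableMulticast'; Expected=0 },
  @{ Name='LM hash not stored on next password change (NoLMHash)'
     Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Key='NoLMHash'; Expected=1 },
  @{ Name='SMB signing required (client)'
     Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Key='RequireSecuritySignature'; Expected=1 },
  @{ Name='SMB signing required (server)'
     Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Key='RequireSecuritySignature'; Expected=1 },
  @{ Name='WPAD auto-detect off (current user, IE "Automatically detect settings")'
     Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Key='AutoDetect'; Expected=0 }
)

# NetBIOS over TCP/IP has no single GPO switch; it is set per interface.
# NetbiosOptions: 0 = from DHCP, 1 = enabled, 2 = disabled.
$ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($iface in Get-ChildItem $ifaceRoot) {
    $Checks += @{ Name="NetBIOS disabled on $($iface.PSChildName)"; Path=$iface.PSPath; Key='NetbiosOptions'; Expected=2 }
}

$results = foreach ($c in $Checks) {
    # A missing key means the policy is not configured and the insecure default applies.
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue).($c.Key)
    $ok = ($null -ne $current) -and ($current -eq $c.Expected)
    if (-not $ok -and $Remediate) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Key -Value $c.Expected -Type DWord
        $ok = $true
        $current = "$($c.Expected) (set by script)"
    }
    [pscustomobject]@{
        Setting   = $c.Name
        Current   = if ($null -eq $current) { 'not set' } else { $current }
        Compliant = $ok
    }
}

$results | Format-Table -AutoSize
```

The HKCU check only covers the user running the script, so run it in the affected user's context or enforce the equivalent User Configuration policy; a reboot is needed before the NetBIOS change takes effect on existing adapters.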