Warning: This blog is old and deprecated. It may be wrong or misleading, and it does not represent the author's current positions.
How important is your computer’s security? From the IT professional to the typical consumer (like you) hardening Windows 10 is a must, so don’t miss it out. Here, learn the vital tips you’ll wish you knew sooner!
What Is Windows 10 Hardening and Why Should I Care?
In this day and age, cyber-security is an ever-present issue—and one not to be taken lightly. Accordingly, you would be wise to harden your Windows 10 computer against security vulnerabilities.
(Of those running older versions of Windows, I ask the majority to move on and "get with the times.")
You may be asking, however:
"But wait! I'm sure Microsoft is a big company and they know how to deal with them cyber-space threats, no?"
While Microsoft does go to plenty of effort to keep the latest version of Windows 10 secure, it's not perfect. For example, the built-in security application—Windows Defender—is good, albeit substantially better alternatives can be found for free.
In fact, there is ample free software available on the Internet that will help with your Windows 10 hardening efforts. Boasting (not necessarily all of the time) better security, paid solutions also exist.
The Consequences of a "Soft" System
Hardening Windows 10 against malware, intrusions, as well as any other form of that frightening unauthorised access prevents cases of:
- Your computer being slowed by unwelcome, resource-Zucking malware, or rather, in the worst case being rendered completely useless.
- A loss of precious data, with sufficient gratitude given to the likes of ransomware.
- Unauthorised access to your data (including super-sensitive information),
- Hence unauthorised access to your bank account, potentially
- Hence unauthorised access to things such as your webcam (scary stuff, right?)
- This can include entire control and full-on monitoring of your system.
- Sneaky cyber-criminals may feel like it is Illegally-Logging-Into-Victim's-Instagram-Account-Thursday.
- Identity theft.
- Data collected about you and how you act being sold on to dirty advertisers (the filthy types, you know) etc.
- Just about any other unexpected behaviour and inconvenience.
Evidently, adequate security is the essence of life; you jump out of your seat, scratching and squirming, and you leap for the monitor, exclaiming:
"Give me more wise cyber-security/Windows 10 hardening advice, please!"
1. Everybody's Necessity: An Effective Anti-Virus (Anti-Malware)
Of course, we shouldn't need to talk too much about the obvious: an effective, high-quality anti-virus/anti-malware.
And, no, I am not talking about McAfee.
No, I am not talking about Norton.
These two abominations are far from effective, yet they suck up—give or take—67389% of your computer's resources. Therefore, you can safely classify these applications as bloatware.
Free your computer: Naughty Windows 10 Bloatware: How to Protect Yourself
On the contrary, you want a cost-effective (or free) solution that builds upon Windows' built-in Defender.
What is "Anti-Malware" Software?
Throughout the cyber-space, it's not uncommon to come across the term, "anti-virus". It's purely a program that keeps your computer safe from viruses, right?
But what's a virus?
A virus is a single type of malicious software—or, rather, "malware". Moreover, malware is the umbrella term for software with a malicious intent (i.e. the bad stuff).
So, does this mean that anti-virus software only protects against that small slice of malware? Absolutely not!
For you see, software marketed as "anti-virus" software is usually an "anti-malware", really. With this in mind, I prefer to use the term, "anti-malware".
Malwarebytes Anti-Malware: Complementary (or Complete) Security
An unmissable step for hardening Windows 10's security for the typical consumer or professional: install Malwarebytes Anti-Malware, a must-have to harden your Windows 10 computer.
Why am I recommending this to you? Well, it is no secret that Malwarebytes possesses one of the highest malware-detection rates in the cyber-security industry.
What's more, it effectively picks up on PUPs (potentially unwanted programs)—programs that aren't exactly malicious, but you wouldn't want them on your computer.
At no cost, you can take advantage of its exceptional scanning abilities.
Malwarebytes does not scan automatically, though, so remember to run a scan regularly (once per week, say).
In addition, you're going to have to pay for real-time protection, including ransomware, exploit, and web protection. To clarify, real-time protection is when the software proactively stops the malware before it has a chance to harm your system.
Along with the added security benefits, I would recommend paying for this if you want utmost peace-of-mind.
On the other hand, you could be frugal, like me, in which case Malwarebytes works perfectly fine alongside our next contestant. (Keep Malwarebytes, too, for its better scanning performance.)
Avast Anti-Virus: Cryptic Butter's Top Pick for Free Real-Time Protection
Because not all of us have money to shovel out at security software, Avast does many things you'll want for free.
Trust me, I've been all around the block with real-time anti-malware protection and I've finally settled on Avast; in my opinion, it offers the best security and the least pain with no reduction of your bank account's size. Minimal resource usage, too.
That being said, remember that it is free.
Privacy issues, as well as the occasional pop-up, may be a concern to you. Albeit, there is a way to mute pop-ups and reduce the amount of data collected.
Speaking of data collection, Avast has a broad user base, thus you can be confident in Avast to pin down the latest threats.
Another caveat: when installing it, make sure to alter the advanced settings such that you don't install any of the "driver update", "software updater", or clean-up stuff. You only need the essential security components as a non-paid customer, and we'll get to the updater stuff later.
For more information about configuring Avast, see this section of the Windows 10 setup guide.
Tweak your PC to perfection: Ultimate Checklist for the Best Initial Windows 10 Setup 2018
Cybereason RansomFree: Ransomware Protection for The Peasant
Again, you may not be willing to pay for Malwarebytes, thus Cybereason RansomFree is a perfect addition to harden Windows 10.
This is, essentially, a simple, set-and-forget affair, wherein all you need to do is install the application and you're done.
Also, expect some funnily-named files and folders appearing in your filesystem—they merely act like dummies. So, when ransomware goes to encrypt those files first, the software has time to stop the ransomware before it moves on to your super-precious files (hopefully).
Silent but deadly—in the eyes of the grimy ransomware.
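The decoy-file idea described above can be sketched in PowerShell. This is an added example, not RansomFree's code and not from the original post: the folder, the file names and the `Test-Decoy` function are constructed for illustration, and unlike a real product it only raises an alert rather than stopping the offending process.

```powershell
# Added illustration of decoy ("canary") files; all paths and names are constructed.
$decoyDir = Join-Path $env:TEMP 'canary-demo'
New-Item -ItemType Directory -Path $decoyDir -Force | Out-Null

# Plant decoys that look like valuable documents and record a SHA-256 baseline.
$baseline = @{}
foreach ($name in 'budget.xlsx', 'passport-scan.jpg', 'thesis.docx') {
    $path = Join-Path $decoyDir $name
    Set-Content -Path $path -Value "decoy file - nobody should ever edit this ($name)"
    $baseline[$path] = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
}

function Test-Decoy {
    # Returns one object per decoy that is missing, renamed or modified.
    param([hashtable]$Baseline)
    foreach ($path in $Baseline.Keys) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Problem = 'missing or renamed' }
        }
        elseif ((Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -ne $Baseline[$path]) {
            [pscustomobject]@{ Path = $path; Problem = 'content changed' }
        }
    }
}

# Watch the decoy folder; a legitimate program has no reason to touch it.
$watcher = New-Object System.IO.FileSystemWatcher $decoyDir
$watcher.EnableRaisingEvents = $true
$eventNames = 'Changed', 'Renamed', 'Deleted'
foreach ($evt in $eventNames) {
    Register-ObjectEvent -InputObject $watcher -EventName $evt -SourceIdentifier "Decoy$evt"
}

# Simulated tampering, so the example produces an alert when run as-is.
Add-Content -Path (Join-Path $decoyDir 'budget.xlsx') -Value 'overwritten'

# Drain the queued events (Wait-Event returns nothing once the timeout passes).
while ($e = Wait-Event -Timeout 2) {
    Write-Warning ("{0}: {1}" -f $e.SourceIdentifier, $e.SourceEventArgs.FullPath)
    Remove-Event -EventIdentifier $e.EventIdentifier
}

# Confirm against the baseline which decoys were actually altered.
Test-Decoy -Baseline $baseline | Format-Table -AutoSize

# Clean up the demo.
foreach ($evt in $eventNames) { Unregister-Event -SourceIdentifier "Decoy$evt" }
$watcher.Dispose()
Remove-Item -LiteralPath $decoyDir -Recurse -Force
```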
2. Additional Firewall Controls (For the More Paranoid)
Although I wouldn't go as far as to say this step is necessary, it's definitely a consideration.
A firewall, for the less enlightened, is basically a barrier between your computer and the Internet; it is intended to block (or reduce the likelihood of) any unwanted intrusions and other network communications.
Personally, I use Comodo Firewall (without the anti-virus component), since it is the most feature-rich firewall for free. Despite this, I've found it to have minimal impact on my CPU and RAM usage (surprisingly).
Note: when installing, make sure to disallow Yahoo and other offers, or just follow this trick first.
Unfortunately, I cannot recommend it to everyone because it can be quite complicated and inconvenient to operate.
And not just inconvenient to operate—but inconvenient to use other applications: especially during and after installing new apps, Comodo Firewall can get a bit trigger-happy with the permission-asking pop-ups.
Other times, it will full-on block certain applications without your knowledge or consent.
Better safe than sorry, is that not true?
While I truly appreciate how it grants me finer control over my computer, it's not for those who prefer a set-and-forget solution.
TinyWall is another consideration; however, I have not tried it out myself.
3. Encrypt Your Data—Keep It Safe
Image caption: You can encrypt your external USB drives as well (or, rather, the individual partitions).
Another form of security—Windows 10 hardening—is making sure your files can't be read by spiteful people.
How do we do this? Full-drive encryption, of course, where we encrypt your entire storage drive.
There are multiple ways to go about achieving secure encryption.
Firstly, my preferred method, BitLocker is a fast and secure way to encrypt your files on Windows. Unfortunately, though, this is only relevant to a select few people who use Windows 10 Pro (not Home).
In order to verify whether you have BitLocker available, press the Windows key and type "bitlocker"; see if the Control Panel option appears.
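The same check can be made from an elevated PowerShell prompt, which also shows whether each drive is actually protected. This is an added example, not part of the original post; it assumes the BitLocker cmdlets are present and reports that plainly if they are not.

```powershell
# Added example: run from an elevated (administrator) PowerShell prompt.
$edition = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
Write-Output "Installed edition: $edition"

if (Get-Command -Name Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume | ForEach-Object {
        # Collect the protector types (TPM, password, recovery password, ...) as strings.
        $types = @($_.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        [pscustomobject]@{
            Volume              = $_.MountPoint
            Status              = $_.VolumeStatus          # e.g. FullyEncrypted / FullyDecrypted
            Protection          = $_.ProtectionStatus      # On / Off
            PercentEncrypted    = $_.EncryptionPercentage
            Protectors          = $types -join ', '
            # Without a recovery password, losing the main key means losing the data.
            HasRecoveryPassword = $types -contains 'RecoveryPassword'
        }
    } | Format-Table -AutoSize
}
else {
    Write-Warning 'BitLocker cmdlets were not found on this installation.'
}
```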
Secondly, better for most people, you can download and install VeraCrypt which also allows full-drive encryption, amongst other types.
It's cross-platform to boot—not exclusively available on Windows.
Encryption is only effective with a long password (or private key), and when your drives have not been unlocked. For example, if you've fully encrypted your USB drive, the files cannot be accessed, read, or deleted.
Also, note that keeping your data in a single encrypted file only prevents it from being read. It does not prevent it from being deleted by ransomware, for instance.
Furthermore, once you've unlocked your encrypted drive with a password (at this point it is accessible by you) your files are just as vulnerable as without encryption.
Thus, the primary purpose of encryption is to maintain confidentiality if your device gets into the wrong hands—physically.
4. Regularly Back-Up Your Precious Data
Equally, we'd want to make sure to reduce the probability of our data being forever lost for whatever reason.
This requires us to regularly back-up our data to somewhere safe, where it can't be touched by the evil forces.
Backing up to an external drive is a good idea; however, the backed-up data can be destroyed by malware while the drive is plugged into your computer.
An offline copy of your data (untouchable by your computer) is, accordingly, a safer idea. In essence, this means not having your backup drive constantly plugged in.
And for even better reliability, use an external SSD because they are less vulnerable to "unintentional" physical abuse. We don't like physical abuse.
Next, get yourself some backup software such as EaseUS Todo Backup Free to automate the otherwise laborious process.
Now:
Having this data in your hand is undoubtedly wise—smart move, I appreciate that one, Fred.
In spite of this:
Storing data "in the cloud" is an additional, secure method of keeping your data safe (for when your hand fails).
There are many options in this domain, so make sure to do your research before committing to a regular subscription! Perhaps some offer software to help you back-up your data conveniently.
Google Drive is an example of cloud storage to which you can back-up but remember—it's Google.
Google? No thanks! Complete Windows 10 Privacy Guide: How to Protect Your Data
5. Maintain Strong Passwords with a Password Manager
What do you think is one of the most important barriers between your accounts and hackers? Passwords!
Secure passwords increase security (obviously) and secure passwords come mainly with length. Having varied passwords between accounts is an invaluable practice as well.
Remembering all of these passwords, though, can be more challenging than melting butter with ice; hence why I'm dedicating a section to getting a password manager.
Password managers only require you to remember one password, since they store all other passwords securely.
Additionally, they may be able to generate a strong password upon creating an account. Henceforth, you will be able to auto-fill login details on websites without even knowing them.
By avoiding typing the password yourself, it's not going to be picked up by a keylogger.
My preference is LastPass (best for free use), which stores all your passwords—securely encrypted—on their servers. Moreover, the browser extension makes life a breeze, and you can even use two-factor authentication to log into LastPass.
Maximum security.
Dashlane is a similar app and includes a desktop app if you're that sort of person.
As a final note, password managers aren't just more secure, they're immensely more convenient.
8. Don't Use Passwords. Use Windows Hello
Better yet for hardening Windows 10 against intruders: utilise Windows Hello's biometric authentication.
After all, biometrics is one of the best types of security because hackers can't get a hold of your face!
Oh, and did I mention that you don't need a Windows Hello compatible device to reap its benefits?
That's right—with the aid of USB devices, you can log in to your Windows 10 computer securely. Not to mention, this is considerably more convenient with quality hardware.
In order to delve deeper, take a look at this extract from my Windows 10 setup guide:
Windows Hello can rightfully be considered secure due to the fact that biometrical data is only stored locally. That is to say, your face or fingerprint etc never leaves the dusty realms of your computer.
(By the way, suffering from dust? I came across this extremely successful and effective solution that I'm using.)
If you, on the other side of chance, have a device supporting Windows Hello natively, you're good. Simply navigate to the Settings, Accounts, then Sign in Options.
On the other hand, those without a supported device can go with external solutions. These include Windows Hello compatible webcams in addition to compatible fingerprint readers.
This will ensure nobody else but you can gain access to your precious computer.
Indeed, take a compatible webcam or fingerprint reader and then you'll be laughing!
7. Harden Windows 10 Against Itself (Privacy)
The seventh Windows 10 hardening tip involves securing it against its overlord: Big Microsoft. Microsoft loves to collect your data, and they love to do this a little bit too much.
So, I heavily advise that you take the necessary steps to privatise your Windows 10 installation.
Firstly, you can banish Microsoft from your system with this bit of wisdom.
Secondly, make sure you're using a web browser that isn't owned by a gargantuan advertising company (Google). Firefox is most likely the best choice for you in this regard.
Thirdly, add more privacy—in addition to security—to your web-browsing experience with these extensions.
As a matter of fact, you're probably better off just reading the entire thing.
9. Secure and Privatise Your Internet Traffic
Whilst on the topic of web-browsing, let us find ways to further our online anonymity, privacy, and security.
At a minimum, you should certainly use different DNS servers—no doubt. To explain, this is what's used to determine where to go when you try to visit a domain name (put as simply as I can).
Cloudflare's 1.1.1.1 DNS is perhaps the best option for the masses, offering reduced latency and increased privacy. (Setup is not straightforward, but setup instructions are available at the linked website.)
As a result of using 1.1.1.1, you should find that you're able to access web pages faster. On top of that, your ISP won't be snooping on what news sites you visit whilst you eat your breakfast.
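One way to audit and change the resolvers from an elevated PowerShell prompt is shown below. This is an added example, not from the original post or from Cloudflare's instructions; the function name `Set-CloudflareDns` and its `-Apply` switch are made up for illustration, while the cmdlets it calls ship with Windows 10.

```powershell
# Added example: run from an elevated (administrator) PowerShell prompt.
function Set-CloudflareDns {
    [CmdletBinding()]
    param([switch]$Apply)   # without -Apply the function only reports, it changes nothing

    # Cloudflare's public resolver addresses (IPv4 and IPv6).
    $v4 = '1.1.1.1', '1.0.0.1'
    $v6 = '2606:4700:4700::1111', '2606:4700:4700::1001'

    # Only physical adapters that are currently connected.
    $adapters = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' }

    foreach ($a in $adapters) {
        # Resolvers configured right now, IPv4 and IPv6 together.
        $current = @((Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex).ServerAddresses)
        $other   = @($current | Where-Object { $_ -notin ($v4 + $v6) })

        [pscustomobject]@{
            Adapter       = $a.Name
            Current       = $current -join ', '
            NotCloudflare = $other -join ', '   # anything listed here still answers your lookups
        }

        if ($Apply) {
            Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex -ServerAddresses ($v4 + $v6)
        }
    }

    if ($Apply) {
        # Drop cached answers from the old resolver, then prove the new one responds.
        Clear-DnsClientCache
        Resolve-DnsName -Name 'example.com' -Server '1.1.1.1' -Type A
    }
}

Set-CloudflareDns            # audit only
# Set-CloudflareDns -Apply   # switch every connected adapter to 1.1.1.1
# To undo on one adapter:
# Set-DnsClientServerAddress -InterfaceIndex <index> -ResetServerAddresses
```

Changing the resolver this way does not encrypt the lookups themselves; they still travel as ordinary DNS unless DNS over HTTPS or a VPN is used as well.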
Alternatively, you could set yourself up with a privacy-centred, fast VPN. These utilise their own DNS servers—so don't worry about that.
Trust me, if privacy means anything to you, investing in a VPN is worth it. Do you take advantage of online banking? Further your Windows 10 hardening and take advantage of a secure VPN, as you'll be crazy not to.
Again, catch me linking to that privacy guide if you can (I'm simply too fast for you)!
Currently, I recommend three VPNs depending on your circumstances and requirements. If you really wish to know which one I am using right now, NordVPN is the answer.
But wait! Make sure to consider the options before committing!
Which is best for you: Private Internet Access vs NordVPN? The Best Deal (2018)
10. Hardening Windows 10 Against Exploits
Problems in software can expose vulnerabilities in your Windows 10 system, subsequently being exploited by hackers and malware etc. Therefore, we need to define some precautions against exploits to harden Windows 10 to that greater extent.
As we've already discussed, the premium version of Malwarebytes is excellent for Windows 10 hardening. This is due to its built-in exploit protection.
Malwarebytes is the hero; meanwhile, vulnerable software is the hostage.
Let it save you; let it take you away like an angel carrying you from your shoulders!
Can't pay for that? Then, the least you can do is ensure that all the software you have is kept nicely up-to-date. (And, yes, that includes Windows 10 itself.)
Actually, allow me to clarify: you should be updating your software anyway.
Helping you with this goal, DUMo and SUMo detect if any of your drivers or other software, respectively, have newer versions available.
11. Hardening Your Inbox
You don't want your colleagues in the cubicle next to you snooping on your in-tray…
Likewise, I would expect many of us here to realise that, no, we don't want our email going public!
Assuming you're in agreement with me here, you would also appreciate a hardened inbox—one with chains around it. Anyhow, a mail client possessing ample security is important.
For this, I use Thunderbird because—while I feel it could be better—frankly, it does the job fine.
Eliminating the need to store email on your computer altogether, rely solely on a mail client! But you shouldn't stop there.
Go that extra mile: benefit from encrypted mail as featured by ProtonMail (brought to you for free by scientists at CERN). We don't want outsiders seeing our mail, indeed.
ProtonMail is brilliant, especially if you choose any of the paid plans which provide you with the option of a custom domain. For example, your custom domain email might be "[email protected]" as opposed to "[email protected]".
Or You Could Simply Do This…
Technology is taking over our lives and here I am teaching about hardening Windows 10.
Why don't we just stop using the technomancies, hence living off the grid?
Yo, I'll send you a fax real-quick—no complications there; it will be easy, no doubt.
You could run away forever—be free—perhaps live in the jungle somewhere…
Somewhere warm…
"I think he's finally lost the plot."
"Of course he has; why do you think he wrote about how Windows phones were better?"