Windows Security From The Ground Up
[Article last reviewed 2017-05-15]
This page will walk you through configuring a Windows computer from the ground up for security and stability. This configuration will make you virtually impervious to viruses you don't actively try to install yourself, and will help constrain any malicious code that does get on your computer.
Pretty much all of this is free, but any mentions of products in this guide are completely uncompensated. This site is run by my own money out of a passion to help people.
Section A: The Ground Up
The best thing to do is start from the bare hardware and install Windows 10 from scratch with UEFI, TPM, and SecureBoot turned on. If you don't want to do that, skip to Section B. Any retail computer purchased with Windows 8.1 will already have these turned on.
1.) Update BIOS
For best compatibility and security you should update your computer's BIOS. A modern BIOS (really UEFI) is a full operating system that runs below and at the same time as Windows, and it needs patches too. People who built computers in the early 2000's will tell you BIOS updates are risky, and they were, but not anymore. They deliver fixes, features, and security updates you won't hear about on the news.
Even new computers/motherboards need updates. If you're starting from scratch, do the BIOS update after installing Windows 10.
You can find the BIOS update tool on your manufacturer's driver page for your computer model. You will need to reboot for it to take effect. If you have a Surface, BIOS updates are delivered through Windows Update.
2.) Prepare Windows Bootable Media
To get ready to install Windows 10 64bit on the bare hardware, use Microsoft's Media Creation Tool to create a bootable DVD or USB stick.
Make sure everything is backed up before proceeding. The following changes will wipe your Windows installation.
3.) Configure BIOS
This is important and is something nobody talks about.
From the boot of your computer, press the setup hotkey. It may be F1, F2, F8, F10, Del, or something else to get into SETUP mode.
In the BIOS:
- Set a setup password. Make it simple, this is only to prevent malicious modification by someone in front of the computer or by a program trying to corrupt it.
- Change boot to/prioritize UEFI. Disable everything except UEFI DVD, UEFI HDD, and USB UEFI if you plan on using a USB stick to install Windows.
- Enable the TPM (if available) and SecureBoot (if available) options. This is super important.
- Disable 1394 (FireWire) and ExpressCard/PCMCIA (if you're on a laptop) as a layer to further mitigate DMA attacks. This isn't as important anymore, but if you don't use them you might as well turn it off.
- If you want, and if the computer offers it, you can enable a System and HDD password. We will be using BitLocker to protect the disk, but this is an extra layer you can add if you want. I don't.
- If you don't use webcam or microphone, you may be able to turn them off in the BIOS
Save settings and shut down.
4.) Install Windows 10
Insert your DVD/USB. Boot the computer and use the boot menu hotkey to boot to your UEFI DVD or UEFI USB. The hotkey is often F12.
Follow the prompts and install Windows. If it gives you an option of where to install Windows to, and there's already a partition, delete the partition first.
Section B: Into The Breach
5.) Update Windows 10
In Start > Settings > Update, continue updating and rebooting Windows until there's nothing left. I usually wait until this is done before I start installing stuff.
6.) Set UAC to full
Listen to me. UAC is a critical security control that has vast impacts you can't see. It is not computer bubblewrap. It exists for very important reasons. You aren't cool for turning it off.
Follow these instructions to set UAC to the highest option, "Always notify me." Anything less allows any malware to instantly elevate to administrator level permissions. UAC isn't magic, but it's a layer you want to use.
7.) Enable Drive Encryption
If you have Windows 10 Home:
Start > Settings > System > About
Look for the "Device encryption" setting at the bottom of the About pane. If it's not there, your computer does not support the limited encryption feature that Home supports. You should upgrade to Windows 10 Pro or set a HDD password in your BIOS if your computer supports it. Depending on model of drive, HDD password will provide less protection than BitLocker.
If you have Windows 10 Pro:
Right-click on Start > Control Panel > BitLocker Drive Encryption > Turn on BitLocker
If it says you don't have a TPM, here's how to use BitLocker without a TPM.
Why not use TrueCrypt/Veracrypt?
With SecureBoot, before your computer boots to Windows it verifies the OS hasn't been corrupted with a bootkit that modifies Windows that lets a virus run hidden. 3rd party encryption tools break this chain of trust that flows from UEFI to Windows bootloader to BitLocker. This chain of trust is critical for preventing an entire category of attack against Windows. This is not theoretical, this stops real-life attacks.
Section C: The Browser Is Your OS
This section is dedicated to installing and configuring Google Chrome. Chrome is the most secure browser due to its strong sandbox technology that prevents malware escape and it's very fast updating to fix problems. Firefox lacks the strong sandbox protections as it's still modernizing. Microsoft Edge is extremely impressive, but Chrome can deliver Flash and other updates faster without being mostly bound to monthly releases.
9.) Install Google Chrome x64 Machine-Wide
Installing Chrome the normal way will give you a per-user install. This means the Chrome executables and shortcuts are in your user profile and can be modified by a malicious program without elevation. If you downloaded Chrome in 2015 or before, you're also probably still on the 32bit version. In conversations with Chrome engineers, this 64-bit the version they recommend as being more resilient to attack and interference from other programs on your machine.
On this page, click "Download Chrome 64-bit MSI Package" and install.
You don't have to uninstall what you're running right now, everything will be silently ported over.
10.) Set Flash click-to-play
Adobe Flash was a technology widely required to play videos and games on the web in the early 2000's. However, it is largely phased out because it slows browsing down and is a massive security hole. Most computer attacks come through Flash. Turning it off fixes all these problems. If for some reason a website needs it, you can quickly turn it on.
How to enable click-to-play for Flash
11.) Install uBlock Origin
The majority of web attacks come through malicious advertisements purchased by criminals and displayed on mainstream websites. You don't have to be in a scummy part of the web, you can go to Forbes.com and get a malvertisement.
uBlock Origin is the fastest, most complete, and most reputable adblocking software available.
12.) Install HTTPS Everywhere
The EFF, a privacy advocacy organization, publishes a browser extension that automatically switches websites to HTTPS, which prevents people seeing what you're doing, or messing with what appears on the page. This is critical for laptop users, and even desktop users benefit.
Section D: Securing Other Software
Adobe Reader DC
Adobe Reader is actually pretty safe if you have the full suite of security settings turned on. In the case of Adobe Reader DC, there's just one setting you need to change:
Edit > Preferences > Security (Enhanced) > Protected View > Files from potentially unsafe locations
Section M: Prosumer Toolkit
These tools are not required and should only be used by prosumers with good knowledge of Windows norms.
13.) Install GlassWire Firewall
Want to get alerts when programs start communicating with the net, and find out when they change versions? This is basically impossible in a usable way, except for GlassWire. Note that it stores historical traffic history to help you manage bandwidth usage. This data stays on your computer and gets cleared after 30 days. If bandwidth history is not valuable to you, you can turn that off by going into "Incognito Mode."
I currently have a change request pending with them about excluding browser traffic history specifics for privacy reasons.
The paid version of GlassWire ($50 one-time) includes alerts if webcam and microphone are turned on.
Section P: Piracy
Don't steal software. That's how idiots get viruses. Especially don't try to steal antivirus. That makes you a double idiot. Maybe even a triple idiot.
Section X: Make It Rain
The above instructions will make you incredibly safe. However, if you want to invest in security, here are some leads.
Section Z: The NSA Is Coming For Me
Article changelog:
2017-05-08: Removed sections I never finished