Searching for the best way to secure Windows 10? Here are eight expert tips.
A guy walks into a bar full of nerds and says, "how do I secure my Windows 10 PC?" and the nerds reply, "install Linux." Funny, but not that helpful for the vast majority of people who are quite happy with their Windows 10 computer but want to make it a bit more secure. Thankfully, it's not that hard to accomplish. All you have to do is follow these eight easy steps. No nerds required.
What's the problem with Windows 10 anyway?
Love it or loathe it, Microsoft Windows has been the most common non-smartphone operating system since before many of you reading this even owned your first computer. That's just a simple fact. It's also a fact that Windows in general, and that includes Windows 10, has had more than its fair share of security scares. During 2019 I have reported on "devious and evil" malware that can bypass Windows 10 security software, a hidden backdoor being used by APT attack groups, critical zero-day threats to Windows 10 users, a Windows threat that even the U.S. Government warned about and, yes, the seemingly never-ending stream of Windows 10 update problems.
Yet, and I'm risking the wrath of Windows XP or Windows 7 aficionados who will no doubt beg to differ, Windows 10 is almost certainly the most secure version of the OS to date. In which case, why do you need a guide to secure it? Good question and the simple answer is that you can always improve on what you've got when it comes to securing a Windows computer. Be it fresh out of the box when you'll need to get the security configurations right, or after years of ownership when you may well have tweaked those settings in a less secure direction.
I asked a bunch of security experts to share their top tips for securing Windows 10, in all flavors from Windows 10 Home through to Pro and beyond. Here's the sum of that hard-earned knowledge distilled down to eight easy steps to secure Windows 10; some are aimed more at business users, others at consumers but most apply to everyone.
Think of this as a Windows 10 security tips pick and mix.
Step 1. Enable BitLocker
"It's absolutely essential that you turn on disk encryption," Richard Henderson, head of global threat intelligence at Lastline, says. While both Windows 10 Pro and Windows 10 Enterprise include BitLocker, Windows 10 Home doesn't. That said, "all versions of Windows include some version of disk encryption," Henderson says, "and there are many free options out there online as well." Enabling full disk encryption minimizes the chance that data on your computer will ever be misused. Once you have enabled BitLocker, or whatever full disk encryption solution you choose, remember to "keep the recovery key securely locked away on both USB storage and paper," says Matt Aldridge, principal solutions architect at Webroot.
Step 2. Use a "local" login account
"Use a local login account, not your Windows account, to log onto your machine," Ciaran Byrne, head of platform Operations at Edgescan, says. Although Windows 10 Home will default to your Windows account, as this makes it easier to log in across all devices with one account, Byrne says, "the problem is that if, say, your Hotmail credentials were compromised, then your machine would also be compromised."
Step 3. Enable Controlled Folder Access
Consider enabling Controlled Folder Access, Chris Doman, a security researcher for AT&T Alien Labs, says, "to limit the damage caused by ransomware. This is available in all editions of Windows 10."
Step 4. Turn on Windows Hello
"Turn on Windows Hello," Joe Morley, a future workplace consultant at SoftwareONE, says, "one of the simplest ways for small businesses to secure Windows 10 is by turning on the Windows Hello feature." This enables users to unlock devices with facial recognition and fingerprint readers, bypassing passwords which are more likely to be hacked or stolen. "Of course, pins can still be held for backup," Morley says, "but Windows Hello provides a method of logging in that is not only faster but more secure."
Step 5. Enable Windows Defender
"Enable Windows Defender," Ciaran Byrne, head of platform Operations at Edgescan, says, "this is as good as any paid-for antivirus on the market and is maintained by the people who should know Windows 10 better than anyone else." It's good to enable the built-in firewall as well, to block any unwanted intrusions. "Block, block, block and unblock piece by piece later if you encounter any problems due to firewall rules," Byrne says. Enable the Windows Defender real-time protection and set up virus and threat protection scanning. "If you have inadvertently downloaded a malicious file," Byrne says, "having the proper protection in place can help remove these before your system is compromised and a hacker takes control."
Step 6. Don't use the admin account
"Set up separate user accounts and don't use ones with Administrator privileges for your day-to-day needs," says Ken Underhill, a master instructor at Cybrary, "unless your day-to-day requires it, of course." Matt Aldridge, the principal solutions architect at Webroot, says the ideal is to have one admin account that you "only use for installing new software or updates," while keeping an unprivileged user account for everything else. "Obviously, ensure unique and secure passwords are used for both accounts," Aldridge says. If admin privileges are required when installing software, say, you won't have to swap accounts as Windows 10 will pop up a box asking for the admin password if you want to proceed. Simple and secure, just the way I like it.
Step 7. Keep Windows 10 updated automatically
"Keep Windows 10 updated automatically," Joe Morley, a future workplace consultant at SoftwareONE, says, "Windows 10 is delivered ‘as-a-service’ so it updates continually." This may be a controversial suggestion to some, given the warnings that have flowed regarding the Windows Update Assistant and Windows updates borking things including Windows Defender on occasion. Yet I agree with Morley; your computer is far more secure with Windows updates applied than without them. Businesses should "deploy upgrades in test environments initially to ensure safety," David Higgins, technical director (EMEA) at CyberArk, says, "because it allows security teams to check and verify that patches are safe to roll out to the entire business." For everyone else, though, instant access to security fixes is the trump card of automatic updating.
Step 8. Backup
Backing up your data should be part of every security strategy for if things do go wrong. "Use a trusted cloud backup service to continuously backup your data, Matt Aldridge, principal solutions architect at Webroot, says, "and keep an offline copy of your critical files locally, ideally in a fire safe." You should also ensure that System Restore is enabled, and that restore points are being successfully created. "This is advice that people typically ignore until it happens to them, but it's still sage advice," Richard Henderson, head of global threat intelligence at Lastline, says, "and it's equally applicable to home and office users." Having a "cold" (offline) backup "ensures that you're triple-protected against a ransomware attack, a hardware failure, or the theft of your device," Henderson says, "an ounce of prevention is worth a pound of cure."
