
Ask HN: How do you secure your Windows PC? - randomchars
Like the similar thread about Mac[1], how do you secure your Windows PC?

[1]: https://news.ycombinator.com/item?id=19681270
======
hs86
Leave the Defender/Firewall untouched, don't install any additional "security"
software and increase the UAC level to the highest one [0] that even prompts
for changing important Windows settings.

Obtain all 3rd party tools from the Microsoft Store or scoop [1] or chocolatey
[2] (in that order) and not by downloading `foo.msi` from the first search
result. This way you can update all your apps in a single step and don't have
to rely on built-in updaters.

[0] [https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works)

[1] [https://scoop.sh/](https://scoop.sh/) (enable its additional repositories
for GUI tools or all possible JDK flavors:
[https://github.com/lukesampson/scoop/wiki/Buckets](https://github.com/lukesampson/scoop/wiki/Buckets))

[2] [https://chocolatey.org/](https://chocolatey.org/)

~~~
tsujamin
Windows has some additional Local Group Policy rules that are pretty killer in
newer versions

    
    
      1. Attack Surface Reduction Rules - Blocks some commonly seen dodgy techniques
      2. Credential Guard - Moves LSASS to an isolated VM (breaks VMware etc. though, see 5 if this is a dealbreaker)
      3. Application Guard (Enterprise Mode) - Transparently virtualises and isolates Microsoft Edge (same caveat as above)
      4. Microsoft Defender MAPS and Block at First Sight
      5. Run LSASS as a protected process
      6. Process creation auditing with command line
      7. PowerShell script block logging
    

Most of this is baked into a Windows image I run, but maybe I'm a bit
paranoid ;)

[1] [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)

[2] [https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard](https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard)

[3] [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview)

[4] [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus)

[5] [https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure](https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure)

[6] [https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing)

[7] [https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html](https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html)
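
The seven settings in the list above, applied from an elevated PowerShell instead of the Local Group Policy editor. This is an added example, not tsujamin's image or a Microsoft script: it writes the registry values the corresponding Group Policy settings write, uses `auditpol` for the audit subcategory and `Set-MpPreference`/`Add-MpPreference` for Defender. The ASR rule GUIDs are the published Microsoft identifiers for the named rules; only a conservative subset is enabled here. Most items need a reboot, and items 2 and 3 carry the same Hyper-V caveat the list mentions.

```powershell
# Added example: tsujamin's list 1-7 as registry/auditpol/Defender settings.
# Assumes Windows 10 Pro/Enterprise and an elevated session.
#Requires -RunAsAdministrator

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

# 1. Attack Surface Reduction rules. Use 'AuditMode' instead of 'Enabled' to
#    log (Event ID 1122) without blocking while you find out what breaks.
$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript/VBScript from launching downloaded executables'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions Enabled
}

# 2. Credential Guard: VBS on, Secure Boot required, LSA isolated.
#    LsaCfgFlags 1 = enabled with UEFI lock (survives remote tampering),
#    2 = enabled without lock (can be turned off again with a reboot).
$dg = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
Set-PolicyValue $dg 'EnableVirtualizationBasedSecurity' 1
Set-PolicyValue $dg 'RequirePlatformSecurityFeatures' 1
Set-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LsaCfgFlags' 2

# 3. Application Guard for Edge (Pro/Enterprise; standalone mode).
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart

# 4. MAPS cloud protection plus Block at First Sight. Block at First Sight
#    only works when sample submission is allowed, hence SendSafeSamples.
Set-MpPreference -MAPSReporting Advanced `
                 -SubmitSamplesConsent SendSafeSamples `
                 -DisableBlockAtFirstSeen $false `
                 -CloudBlockLevel High

# 5. LSASS as a protected process (PPL): unsigned code can no longer open
#    lsass.exe for memory reads. The lighter alternative when 2 is off.
Set-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL' 1

# 6. Process creation auditing (Security log, Event ID 4688) with the
#    full command line in each event.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
Set-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
                'ProcessCreationIncludeCmdLine_Enabled' 1

# 7. PowerShell script block logging (Event ID 4104 in
#    Microsoft-Windows-PowerShell/Operational). Obfuscated scripts are
#    logged after de-obfuscation, which is the point of the FireEye post.
Set-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
                'EnableScriptBlockLogging' 1
```

Items 6 and 7 only pay off if something reads the events; forwarding the Security and PowerShell/Operational logs to a collector, or at least raising their maximum sizes with `wevtutil sl <log> /ms:<bytes>`, stops them rolling over within a day on a busy machine.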

~~~
acct1771
Curious, do you run any other OS?

~~~
tsujamin
MacOS for my primary laptop, Windows for my training/travel laptop, *nix in
various other places

------
moviuro
Install updates when asked. Delaying updates is perhaps the worst thing for
security.

Scan files you download, submit them to virustotal if unsure.

Sync data (e.g. [0] or whatever drive/dropbox/nextcloud) and keep snapshots
[1]. Only way to ensure you don't lose anything.

Lying DNS server can also help for privacy and security, as well as a sinkhole
for known-bad IPs [2,3,4] (should be deployed network-wide though) (I could
use some help to test if my scripts run on WSL, as they're mostly POSIX).

[0] [https://syncthing.net](https://syncthing.net)

[1] [https://try.popho.be/securing-home.html](https://try.popho.be/securing-home.html)

[2] [https://pi-hole.net](https://pi-hole.net)

[3] [https://try.popho.be/byeads.html](https://try.popho.be/byeads.html)

[4] [https://gitlab.com/moviuro/moviuro.bin/blob/master/lie-to-me](https://gitlab.com/moviuro/moviuro.bin/blob/master/lie-to-me)

------
nickjj
I've been using Windows boxes as my primary work / personal machine for over
20 years and I've only gotten a handful of viruses or malware and in the times
I got them, I was going to very questionable sites back in the day.

I disable Windows defender and all built in firewalls (my router has a
firewall). I also don't run any anti-virus software. This is something I've
done from the beginning.

But I do run uBlock Origin in any browser I use.

I also make sure to Win key + L (lock) my machine when I leave it unattended.

From time to time I check the startup tab in task manager to make sure nothing
looks suspicious and occasionally look at things like CPU / memory usage to
look for anything out of place.

So far it's been working out great. My current computer runs just as fast as
it did 5 years ago when I built it and I haven't had to format a machine due
to a virus in over a decade.

I find most things like Windows defender and A / V tools to be more
destructive than most malicious software. Often times these tools will crush
I/O performance and make things run slower 100% of the time in the off chance
you get a virus. I'd rather have things run super fast all of the time and
take my chances. If I get even a hint of my machine being compromised I would
format anyways.

~~~
32032141
" I've only gotten a handful of viruses or malware "

This is a variation of the bad toupee fallacy. You won't notice viruses and
malware, almost by definition.

~~~
EliRivers
If a virus or malware has no noticeable effect - does nothing that affects me
- is it still a virus or malware?

~~~
ansible
So quietly exfiltrating your personal data is OK then?

~~~
EliRivers
If it has no noticeable effect - my life is completely identical - it's hard
for me to see it as something negative. If something has absolutely zero
effect on my life whatsoever - not even a single advert on my screen - calling
it a virus or malware seems unwarranted.

I suppose if my personal data was somehow used to damage someone else, that
would warrant calling it malware.

~~~
Zuider
Your stolen personal data could be used to empty your bank account or to
commit a crime in your name which could cause permanent damage to your
reputation, even if you were exonerated.

~~~
EliRivers
That sounds like something I would notice, and is thus outside the scope of
this discussion.

------
ocdtrekkie
For the most part default Windows 10 is fairly hard to break into if updated.
Leave everything on and don't open new holes in it and it's probably fine. I
went to a demonstration on hacking into machines with Kali Linux and
Metasploit and my Surface was on the Wi-Fi. I told him to go right ahead and
let me know what he could do.

He admitted defeat quickly. ;)

For the most part, problems with computers are ones we create ourselves by
shutting off security protections or adding services that open up holes in the
security of a system. Sometimes it's necessary of course, but you need to
understand the risks you take when you do and mitigate them.

------
_zeta
\- Don't disable Secure Boot, Windows Defender and Windows Firewall

\- If you _really_ think updates are annoying shift the monthly updates by one
month BUT **always** confirm the security updates

\- If you have a PRO license give a try to VBS [0] and Controlled Folder
access [1] (spoiler: this will be a little annoying at the beginning but will
become almost perfect with a well configured whitelist)

\- Also from the next (major) patch you should use Windows Sandbox [2] to run
untrusted software (still a PRO feature)

[0] [https://www.microsoft.com/security/blog/2018/06/05/virtualization-based-security-vbs-memory-enclaves-data-protection-through-isolation/](https://www.microsoft.com/security/blog/2018/06/05/virtualization-based-security-vbs-memory-enclaves-data-protection-through-isolation/)

[1] [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)

[2] [https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849)
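
The "annoying at the beginning" phase of Controlled Folder Access is easier if you start it in audit mode and build the whitelist from the audit events before enforcing, and Windows Sandbox is most useful with a configuration file rather than the bare default VM. Both are shown below as an added example, not _zeta's setup: the extra protected folder, the allowed application path and the installer name are placeholders, and Windows 10 Pro 1903 or later with an elevated session is assumed.

```powershell
# Added example: Controlled Folder Access (audit -> enforce) and a Windows
# Sandbox .wsb file for running an untrusted installer offline.
#Requires -RunAsAdministrator

# Step 1: audit mode. Writes that would be blocked are logged as Event ID 1124
# in Microsoft-Windows-Windows Defender/Operational, nothing is blocked yet.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Protect a folder beyond the defaults (Documents, Pictures, etc. are always in).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Projects'          # placeholder

# Apps that legitimately write to protected folders, by full path.
Add-MpPreference -ControlledFolderAccessAllowedApplications `
    'C:\Program Files\ExampleBackup\backup.exe'                                 # placeholder

# Review what audit mode caught (1123 = blocked, 1124 = would have been blocked)
# and add the legitimate ones to the allowlist before moving on.
Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' -MaxEvents 500 |
    Where-Object Id -In @(1123, 1124) |
    Select-Object TimeCreated, Id, Message

# Step 2: enforce once the list is right.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Windows Sandbox: enable the feature (reboot required), then describe a
# throwaway VM: no network, no GPU sharing, host Downloads mapped read-only
# (it appears on the sandbox desktop under the folder's own name), and the
# installer started on logon. Everything is discarded when the window closes.
Enable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM -NoRestart

$downloads = Join-Path $env:USERPROFILE 'Downloads'
$wsb = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$downloads</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\Users\WDAGUtilityAccount\Desktop\Downloads\untrusted-setup.exe</Command>
  </LogonCommand>
</Configuration>
"@
Set-Content -Path (Join-Path $downloads 'untrusted.wsb') -Value $wsb -Encoding UTF8

# Launch by double-clicking the .wsb, or:
Start-Process (Join-Path $downloads 'untrusted.wsb')
```

With networking disabled the installer cannot phone home, which also means it cannot download its real payload; if you want to watch for that behaviour, set `<Networking>Default</Networking>` and capture on the host instead. Keep `ReadOnly` on the mapped folder either way, otherwise a malicious installer can modify the very files you are about to trust.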

------
benbristow
Leave Windows Defender/Firewall on as default and stay away from dodgy sites.
Simple as that really.

~~~
chrismeller
Yep, same. Sometimes I’ll spin up a VM if I’m visiting a site that I’m suspicious
of or installing something random (even if it’s open source because I didn’t
build these binaries and I haven’t audited the code), but as I used to say
when I was doing desktop support “you don’t get malware by visiting CNN”.

~~~
rhn_mk1
> “you don’t get malware by visiting CNN”

I have to barge in here and mention that doing totally reasonable things can
result in getting malware installed on your systems.

The most glaring case was the early Windows XP era, when it was enough to plug
in the Ethernet cable during installation to get malware. I had to download
the service pack and install it offline before plugging in the network.

Today, I'd point out that ad networks' code is barely scrutinized, and they
can hit unpatched vulnerabilities all right (sorry for not providing
examples).

~~~
acct1771
Be fair to yourself, they're intentionally not easy to track names of, etc.

That's why it's so important to discuss & combat conceptually, not
specifically.

------
johnisgood
What exactly is meant here by secure? Windows in its default state contains
spyware that you cannot disable or remove, or at the very least you cannot
expect laymen to do. It is essentially covered in their terms of service and
privacy statement. Then there is Intel ME, AMD PSP, etc.

Short answer is that you simply do not secure your Windows PC. You may
eliminate some of the spyware, but it does not make it secure. Can you make
anything fully secure? Perhaps only secure enough, but then you need to
specify what is meant by enough.

In any case, for Windows 10: [https://github.com/Nummer/Destroy-Windows-10-Spying](https://github.com/Nummer/Destroy-Windows-10-Spying)

Note: it may break your system as some services are deeply embedded into it,
and may require them to remain intact to function properly.

~~~
tvanantwerp
I'd be careful running any tools to clean up Windows 10. While I haven't used
this one before, I've used others that do basically the same thing. The
telemetry features are so baked in to Windows 10 that running these tools can
break Windows if you're not careful. And since every major update of Windows
10 changes so much with no regard to user preferences, even if your clean-up
works today, it might break in the future.

I try to avoid Windows 10 whenever possible.

~~~
johnisgood
> running these tools can break Windows if you're not careful

I think this definitely needs to be taken into consideration when running
these sort of tools, I agree.

> I try to avoid Windows 10 whenever possible.

Good advice. I second it.

------
AstralStorm
I keep the silly Windows in a virtual machine or a few.

Also standard hygiene applies such as opening files and attaching unknown
media in a burner VM, not mixing banking, documents and entertainment,
disabling autoplay and media icons if the previous options are inapplicable.

Staying away from dodgy sites helps too.

I generally do not have to keep the firewall or defender active as the routing
(or lack thereof) is more effective.

Also skip the automatic that pins everyone, such as remote device detection.

------
larrydag
Being facetious but I gave up on Windows on my computers just over a decade
ago due to this very reason. I was sick of constantly needing to upgrade every
2-4 years and having serious security issues. I went full Linux and I don't
consider myself a free software zealot.

------
artimaeis
I found this[1] a while back and have followed it on my Windows PC. I don't go
so far as to install GlassWire, but the other suggestions it makes are
reasonable for me.

On the anecdotal side - keeping software up to date and being highly
suspicious of all software seems to have kept me safe from issues for over a
decade.

[1] [https://decentsecurity.com/#/securing-your-computer/](https://decentsecurity.com/#/securing-your-computer/)

------
ducttape12
I mostly stick to open source or well known commercial software, run Windows
Defender, and I run uBlock Origin. I'm of the opinion the biggest risk of
malware comes from rogue ads.

I've only been hit with malware twice in the 25 years I've been using Windows.
Once was me running a sketchy exe from a torrent site (that's on me) and once
when I wasn't running an ad blocker.

------
sumtotal
I too believe that for most people Windows 10 out-of-the-box is more secure
than most Linux distros. Sure you can lock-down an Arch build but it's
difficult (even for the technically inclined), time-consuming and needs
constant monitoring and sometimes manual updating/reconfiguration.

For Windows I do all of the things shared below (plus a few other tweaks)
which are good enough for a medium security risk level. The combination of all of
them represents a significant barrier to non-state actors:

-Upgrade to Windows Pro

-Change computer name to something nondescript

-Use a local login account (no email address)

-Create a separate Admin and Standard account

-Install favourite Anti-Virus and Firewall

-Enable Exploit Protection (CFG, DEP, Mandatory ASLR, Bottom-up ASLR, High-entropy ASLR, SEHOP and Heap Integrity)

-Enable Windows Defender Application Guard and Core isolation memory integrity

-Install preferred VPN

-Install trusted password manager

-Crank UAC to the highest setting

-Use an encrypted Virtual Drive for files

-Disable AutoPlay for all devices

-Activate all privacy toggles in Windows Settings

-Reduce telemetry to the minimum allowed

-Ensure cloud clipboard is disabled (!)

-Defer feature updates but allow quality (security) updates

-Receive updates directly from Microsoft and not third-parties

-Run PowerShell script to remove any pre-installed, non-Microsoft, junkware

-Enable BitLocker with triple factor authentication (TPM + Enhanced PIN + USB)

-Activate BitLocker 256-bit encryption in XTS-AES mode

-Disable BitLocker recovery key

-Require Secure Boot and Additional Authentication at Startup

-Enable device lockout after X number of invalid login attempts

-Disable NTLM and SMB

-Disable debugging logs

-Disable Sleep Mode

-Disable Hide extensions for known file types

-Enable Show hidden files, folders and drives

-Harden web browser by disabling all unnecessary features

-Install content blockers into web browser
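
Most of that checklist is scriptable. The block below is an added example and not sumtotal's own script: it covers the items that map to a registry policy, `Set-ProcessMitigation` or the BitLocker cmdlets, and leaves out vendor choices (AV, VPN, password manager, browser) and the interactive steps (creating the local accounts, the junkware removal). Windows 10 Pro and an elevated session are assumed; the removable drive letter for the BitLocker startup key is a placeholder.

```powershell
# Added example: the scriptable items from sumtotal's list.
#Requires -RunAsAdministrator

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

# Exploit Protection, system-wide defaults. ForceRelocateImages is "Mandatory
# ASLR" and TerminateOnError is "Validate heap integrity" in the Settings UI.
# Mandatory ASLR breaks old binaries built without /DYNAMICBASE; test first.
Set-ProcessMitigation -System -Enable DEP, SEHOP, ForceRelocateImages, BottomUp, HighEntropy, CFG, TerminateOnError

# Core isolation / memory integrity (HVCI) and UAC at "Always notify".
Set-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity' 'Enabled' 1
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-PolicyValue $uac 'EnableLUA' 1
Set-PolicyValue $uac 'ConsentPromptBehaviorAdmin' 2     # 2 = prompt for consent on the secure desktop
Set-PolicyValue $uac 'PromptOnSecureDesktop' 1

# AutoPlay off for every drive type (0xFF bitmask); show extensions and hidden files.
Set-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun' 255
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-PolicyValue $adv 'HideFileExt' 0
Set-PolicyValue $adv 'Hidden' 1

# Cloud clipboard (cross-device sync) off; telemetry at the Pro minimum
# (1 = Basic; 0 = Security is only honoured on Enterprise/Education).
Set-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'AllowCrossDeviceClipboard' 0
Set-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' 'AllowTelemetry' 1

# Lock the account for 15 minutes after 10 bad passwords within 15 minutes.
net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15 | Out-Null

# SMBv1 removed; LM and NTLMv1 refused (NTLMv2 only). Disabling NTLM outright
# (MSV1_0\RestrictSendingNTLMTraffic = 2) breaks most home NAS and printer
# shares, so this stops at LmCompatibilityLevel 5.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Set-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel' 5

# BitLocker: XTS-AES-256 as the policy default, enhanced PINs allowed, then
# TPM + PIN + USB startup key on the OS drive. Even if you later remove the
# recovery-password protector, print or store the recovery key offline first;
# a firmware update that changes the TPM measurements will otherwise lock
# you out for good.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
Set-PolicyValue $fve 'EncryptionMethodWithXtsOs'  7    # 7 = XTS-AES 256
Set-PolicyValue $fve 'EncryptionMethodWithXtsFdv' 7
Set-PolicyValue $fve 'UseAdvancedStartup' 1
Set-PolicyValue $fve 'UseEnhancedPin' 1
$pin = Read-Host -AsSecureString 'BitLocker PIN'
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 `
                 -TpmAndPinAndStartupKeyProtector -Pin $pin -StartupKeyPath 'E:\'   # E: is a placeholder
```

`Set-ProcessMitigation -System` changes the defaults for every process; per-application overrides (`Set-ProcessMitigation -Name foo.exe -Disable ForceRelocateImages`) are the way to keep one old tool working without giving up the setting everywhere else.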

~~~
lcall
> I too believe that for most people Windows 10 out-of-the-box is more secure
> than most Linux distros.

At the risk of being off-topic: Even if that were true (which I doubt but it
has been better-debated elsewhere) ... 1) that list would be much-changing
over time, and 2) it seems like Debian (or Devuan) stays on top of things
reasonably well, especially if you add a firewall (I've liked the "arno-iptables-firewall" one though it doesn't seem to auto-start any more except on
Devuan).

Also, the length and changeability of that list illustrate why I use OpenBSD:
it is more secure by default (as a key goal), and then when you make changes
to the default config you can consider the security implications of each
change. They put a lot of attention into auditing and making good design
choices.

Having said all that, many people simply won't like the feel of bsd or linux,
and prefer a more commercial experience (for lack of a better term). (Edit:
more of my thoughts on that, hopefully lightweight and skimmable, at
[http://lukecall.net/e-9223372036854587380.html](http://lukecall.net/e-9223372036854587380.html)
)

But thanks for posting that list, as it could help someone.

Edit: I also posted here some things I do on any system, for safer browsing:
[https://yro.slashdot.org/comments.pl?sid=13803908&cid=58464622](https://yro.slashdot.org/comments.pl?sid=13803908&cid=58464622)
(part of: [https://yro.slashdot.org/story/19/04/19/2345227/incognito-mode-isnt-really-private-try-browser-compartmentalization](https://yro.slashdot.org/story/19/04/19/2345227/incognito-mode-isnt-really-private-try-browser-compartmentalization) ).

------
jocoda
Simple. I assume that my PC is compromised and do not do any financial
transactions on it. Still run dubious software in a VM but have a separate
cheap netbook for banking/online purchases.

------
kernelPan1c
Full-disk encryption. [https://www.howtogeek.com/234826/how-to-enable-full-disk-encryption-on-windows-10/](https://www.howtogeek.com/234826/how-to-enable-full-disk-encryption-on-windows-10/)

Nothing more than speculation but...I suspect if you aren't using an open
source OS, it's possible the NSA has a backdoor into the machine. The lack of
open source is partly why the EternalBlue exploit existed across decades of
windows releases.

------
drexlspivey
I use this to monitor network activity
[https://www.glasswire.com/](https://www.glasswire.com/)

------
Delmania
In addition to leaving Defender alone, I also recommend people install the
free version of MalwareBytes and turn on Bitlocker.

~~~
MagicPropmaker
I’d recommend the paid version of Malware Bytes

~~~
jmkni
I was really disappointed with MalwareBytes. It seemed great, so I paid for
it, and every other week it would de-activate itself without warning. I would
only notice this when explicitly checking the control panel, to find it had
been turned off, and I needed to re-enter the license key.

Maybe they've improved it? I should give it another shot!

------
arboghast
Most things already mentioned in the comments here, plus:

\- Disabling Windows Script Host

\- Enabling 'Memory integrity' feature under Core Isolation. This however uses
Hyper-V so it is enabled on my laptop but not on my workstation as Hyper-V
only supports enhanced sessions with Ubuntu.
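
Disabling Windows Script Host is a single registry value, and "Memory integrity" is worth verifying after the reboot because the toggle in Settings can be on while the feature is not actually running (no IOMMU, Secure Boot off, or an incompatible driver). The block below is an added example, not arboghast's configuration; it assumes an elevated session and that the `Win32_DeviceGuard` WMI class behaves as documented.

```powershell
# Added example: WSH kill switch, then a check of what VBS is really running.
#Requires -RunAsAdministrator

# Windows Script Host off machine-wide: .vbs/.js/.wsf files no longer run
# via wscript/cscript, which removes a common phishing-attachment path.
# (The same value under HKCU: overrides this per user.)
$wsh = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
if (-not (Test-Path $wsh)) { New-Item -Path $wsh -Force | Out-Null }
Set-ItemProperty -Path $wsh -Name 'Enabled' -Value 0 -Type DWord

function Get-VbsStatus {
    # Win32_DeviceGuard is the class behind msinfo32's "Virtualization-based
    # security" rows. Service codes: 1 = Credential Guard, 2 = HVCI (memory
    # integrity), 3 = System Guard Secure Launch, 4 = SMM firmware measurement.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $names = @{ 1 = 'CredentialGuard'; 2 = 'HVCI'; 3 = 'SystemGuard'; 4 = 'SmmMeasurement' }
    [pscustomobject]@{
        # 0 = off, 1 = enabled but not running, 2 = running
        VbsStatus          = @('Off', 'EnabledNotRunning', 'Running')[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured = @($dg.SecurityServicesConfigured | ForEach-Object { $names[[int]$_] })
        ServicesRunning    = @($dg.SecurityServicesRunning    | ForEach-Object { $names[[int]$_] })
        # Properties the platform actually offers (e.g. 3 = DMA protection,
        # 5 = UEFI MAT); a missing one explains "EnabledNotRunning".
        AvailableProps     = @($dg.AvailableSecurityProperties)
    }
}

Get-VbsStatus
```

If `ServicesConfigured` lists HVCI but `ServicesRunning` does not, look in the Microsoft-Windows-CodeIntegrity/Operational log for Event ID 3033 or 3077, which names the driver that failed the HVCI compatibility check; that driver, not the hardware, is usually why the toggle silently turned itself off.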

------
theandrewbailey
Keep Windows Defender + Firewall on.

Don't visit sketchy sites.

Firefox + uMatrix to block all JS by default, and judiciously enable domains
until things work to my satisfaction, or go elsewhere. Maybe open it in Chrome
+ uBlockOrigin if I think the hipsters who run the website don't know how to
make a website.

Pi-hole.

Don't click ads. (hardly any remain by this point)

Stay behind a router.

Don't run/install every little piece of software that you come across.

Install updates.

Look for and verify hashes of downloads.[0]

Examine CPU/RAM usage, startup processes, and services regularly.

Use a password manager. (KeePassXC)

[0]
[http://implbits.com/products/hashtab/](http://implbits.com/products/hashtab/)
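
HashTab gives you the hash in a Properties tab; the same check, plus the two others worth doing on a download before running it (Authenticode signature and an on-demand Defender scan), as an added example that is not theandrewbailey's workflow. The file name and expected hash are placeholders. The expected hash has to come from the publisher's own page, fetched over HTTPS, not from the same mirror that served the file, otherwise you are only checking that the download was not corrupted in transit.

```powershell
# Added example: verify a download's SHA-256, signature and Defender verdict.

function Test-Download {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$ExpectedSha256   # from the publisher's site, not the mirror
    )
    $result = [ordered]@{ Path = $Path }

    # 1. Hash. Get-FileHash returns upper-case hex; compare case-insensitively
    #    so a lower-case hash copied from a web page still matches.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $result.Sha256      = $actual
    $result.HashMatches = ($actual -ieq $ExpectedSha256.Trim())

    # 2. Authenticode. 'Valid' = chain ends in a trusted root and the file is
    #    unmodified since signing. 'NotSigned' is common for open-source tools
    #    and is not a failure on its own, just less assurance. Anything else
    #    ('HashMismatch', 'NotTrusted', ...) means do not run it.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureStatus = $sig.Status.ToString()
    $result.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # 3. Defender on-demand scan of just this file. Detections are recorded
    #    as threat-detection entries whose Resources reference the path.
    Start-MpScan -ScanType CustomScan -ScanPath $Path
    $hits = Get-MpThreatDetection | Where-Object { $_.Resources -match [regex]::Escape($Path) }
    $result.DefenderDetections = @($hits).Count

    $sigOk = $result.SignatureStatus -in @('Valid', 'NotSigned')
    $result.Verdict = if ($result.HashMatches -and $sigOk -and $result.DefenderDetections -eq 0) {
        'OK to run'
    } else {
        'DO NOT RUN'
    }
    [pscustomobject]$result
}

# Usage with placeholder values:
Test-Download -Path (Join-Path $env:USERPROFILE 'Downloads\tool-setup.exe') `
              -ExpectedSha256 '0000000000000000000000000000000000000000000000000000000000000000'
```

If you want the VirusTotal step from further up the thread as well, the `Sha256` field is what you look up there; searching by hash reveals nothing about you beyond the fact that you hold that file, whereas uploading the file itself shares its contents.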

------
alkonaut
This depends entirely on what you are protecting against. Being hacked
(someone stealing data for example) or data loss, such as getting a ransom
Trojan? I worry only about the latter. I don’t have secrets on my machine that
I would be upset if someone got hold of. That makes protection easier.

Use a good backup software with write only snapshots (not mirrors).

Apply updates quickly. Don’t disable any built in protections and don’t add
any third party ones.

------
noja
Have a separate admin account. Use a Pi Hole.

------
Tangokat
\- Update Windows and associated programs always

\- Leave Windows Defender alone (no hassle anymore)

\- Set UAC to lowest level (Too annoying to leave on high)

\- Use Firefox and always update

\- Use Umatrix and Ublock Origin

\- Use Bitlocker and Truecrypt/Veracrypt for especially sensitive stuff

\- Use Keepass for passwords

\- Never run a file you don't know outside of a VM

~~~
0x49d1
> \- Set UAC to lowest level (Too annoying to leave on high)

I think it's just better to leave it in default position.

> \- Use Umatrix and Ublock Origin

Firefox already has tracking blocking and I've done tests to check: Firefox is
way faster and stable without any extensions. Ublock Origin removes ad page
blocks, but actually adds more resources to the program + slows page loads.
Just try to turn it off and recheck.

------
anotherevan
I use ShutUp10 to apply a lot of privacy and security settings to at least get
a handle on things.

Available at [https://www.oo-software.com/en/shutup10](https://www.oo-software.com/en/shutup10) or via Scoop or Chocolatey.

------
lousken
1) windows defender

2) ublock origin + privacy badger

3) using brain before i click on stuff

4) keepass for logins and veracrypt for private stuff

~~~
baal80spam
I do the same, plus a (heavily) modified hosts file and simplewall
([https://github.com/henrypp/simplewall](https://github.com/henrypp/simplewall)).

------
omginternets
Which threat are we defending against, here?

------
stepbeek
Not sure about efficacy, but using a DNS sink like PiHole or pfblockerng gives
me some peace of mind.

------
jjallen37
Secure? As long as nobody knows my password is h __ __*2 I 'm good.

------
AnthonBerg
My educated guess is that Windows will never be secure, because as I see it it
is an un-designed un-principled heap of low-quality software. Therefore I keep
Windows enclosed and strictly locked down in a virtual machine. If I need to
do anything I feel is dubious I branch to a new timeline in a snapshot and
roll back when I’m done.

This also eliminates the hazard of Windows being unavailable for work due to
the slow and uncontrollable update process; Just hop back to the last working
snapshot. Update later.

—

Edit: To downvoters: Please note that this is a factual and sincere answer to
the question “how do you secure your Windows PC?”. This is literally how I do
that.

In the comment, my opinion is clearly framed as my opinion, and the rest is a
description of a technical workflow, its premise, and its implications.
Therefore this is a better candidate for discussion than for downvoting if you
disagree. In my opinion. I’m not attached to the fate of my comment, but I
prefer the society we are building here to work that way. And that is, I
believe, the premise.

~~~
wayneftw
I think this is an outdated view of things. AFAIK, Windows is commonly
regarded as more secure than Linux out of the box.

Having used Windows for over 20 years and never gotten bit by any malware, I
think the quality of Windows security has always been a bit overrated. Being
the biggest target for malware has its advantages I guess.

~~~
pnutjam
I'd love to see a source for windows being more secure? An out-of-the box
install of windows is generally years out of date, Linux installs are usually
only 6 months old.

~~~
wayneftw
I said it's commonly regarded as being more secure. The source would be the
comments on just about every thread anywhere it comes up.

Looking at all the comments here - most people are saying that they don't do
very much to secure Windows and that certainly mirrors my own experience.

~~~
AnthonBerg
I personally haven’t got the feeling that Windows is now considered more
secure than Linux. I see a consensus that Windows is more secure than it was,
but my perspective is that the design foundations are the same as before, and
that they are hard to reason about and that the interactions are complex, so I
personally will not be placing faith in Windows being as secure, as securable,
and as _known_ to be securable as an OS could be.

