Leave the Defender/Firewall untouched, don't install any additional "security" software and increase the UAC level to the highest one [0] that even prompts for changing important Windows settings.
Obtain all 3rd party tools from the Microsoft Store or scoop [1] or chocolatey [2] (in that order) and not by downloading `foo.msi` from the first search result. This way you can update all your apps in a single step and don't have to rely on built-in updaters.
Windows has some additional Local Group Policy rules that are pretty killer in newer versions:
1. Attack Surface Reduction Rules - Blocks some commonly seen dodgy techniques
2. Credential Guard - Moves LSASS to an isolated VM (breaks VMware etc. though; see 5 if this is a dealbreaker)
3. Application Guard (Enterprise Mode) - Transparently virtualises and isolates Microsoft Edge (same caveat as above)
4. Microsoft Defender MAPS and Block at First Sight
5. Run LSASS as a protected process
6. Process creation auditing with command line
7. PowerShell script block logging
Most of this is baked into a Windows image I run, but maybe I'm a bit paranoid ;)
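An added example, not from the commenter above or from Microsoft: a read-only audit that reports which of the seven items in that list are actually active on a given box, so the policy you think is applied can be checked against what Windows says. Run it in an elevated Windows PowerShell 5.1 session. The registry paths are the policy locations Windows uses for these settings; the value meanings are noted inline and are worth re-checking against Microsoft's documentation for your build.

```powershell
# Audit only: reads the state of the hardening items listed above, changes nothing.
# Run elevated. Value meanings are noted inline; verify them against current Microsoft docs.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-HardeningState {
    $mp = Get-MpPreference
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # ASR rule ids and actions are parallel arrays; action 1 = Block, 2 = Audit, 6 = Warn
    $ids     = @($mp.AttackSurfaceReductionRules_Ids)
    $actions = @($mp.AttackSurfaceReductionRules_Actions)
    $blocking = @(for ($i = 0; $i -lt $ids.Count; $i++) { if ($actions[$i] -eq 1) { $ids[$i] } })

    # auditpol /r prints CSV; "Inclusion Setting" is "Success", "Success and Failure" or "No Auditing"
    $procAudit = auditpol /get /subcategory:"Process Creation" /r | Where-Object { $_ } | ConvertFrom-Csv

    [ordered]@{
        # ConsentPromptBehaviorAdmin 2 + PromptOnSecureDesktop 1 is the top UAC slider position ("Always notify")
        'UAC always notify'           = ((Get-RegValue $uacKey 'ConsentPromptBehaviorAdmin') -eq 2 -and
                                         (Get-RegValue $uacKey 'PromptOnSecureDesktop') -eq 1)
        'ASR rules in Block mode'     = $blocking.Count
        # Win32_DeviceGuard.SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
        'Credential Guard running'    = ($dg.SecurityServicesRunning -contains 1)
        'Memory integrity running'    = ($dg.SecurityServicesRunning -contains 2)
        'Application Guard feature'   = [string](Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard).State
        # Block at first sight needs cloud protection at Advanced (2), sample submission (1 or 3) and not being disabled
        'MAPS reporting (2=Advanced)' = [int]$mp.MAPSReporting
        'Block at first sight'        = (-not $mp.DisableBlockAtFirstSeen -and [int]$mp.MAPSReporting -eq 2 -and
                                         [int]$mp.SubmitSamplesConsent -in 1, 3)
        # RunAsPPL 1 = protected with UEFI lock, 2 = protected without the lock (newer builds)
        'LSASS as protected process'  = ((Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL') -in 1, 2)
        'Process creation audited'    = ([string]$procAudit.'Inclusion Setting' -match 'Success')
        # Without this, 4688 events carry no command line, which is what makes them worth collecting
        'Command line in 4688'        = ((Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 'ProcessCreationIncludeCmdLine_Enabled') -eq 1)
        'PS script block logging'     = ((Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1)
    }
}

Get-HardeningState | Format-Table -AutoSize
```

The Credential Guard and memory integrity rows distinguish "configured" from "running": a policy can be set while the service is not actually up (typically a pending reboot or an incompatible driver), and only the running state protects anything.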
Install updates when asked. Delaying updates is perhaps the worst thing for security.
Scan files you download, submit them to virustotal if unsure.
Sync data (e.g. [0] or whatever drive/dropbox/nextcloud) and keep snapshots [1]. Only way to ensure you don't lose anything.
A lying DNS server can also help for privacy and security, as well as a sinkhole for known-bad IPs [2,3,4] (should be deployed network-wide though) (I could use some help to test if my scripts run on WSL, as they're mostly POSIX).
I've been using Windows boxes as my primary work / personal machine for over 20 years and I've only gotten a handful of viruses or malware and in the times I got them, I was going to very questionable sites back in the day.
I disable Windows Defender and all built-in firewalls (my router has a firewall). I also don't run any anti-virus software. This is something I've done from the beginning.
But I do run uBlock Origin in any browser I use.
I also make sure to Win key + L (lock) my machine when I leave it unattended.
From time to time I check the startup tab in task manager to make sure nothing looks suspicious and occasionally look at things like CPU / memory usage to look for anything out of place.
So far it's been working out great. My current computer runs just as fast as it did 5 years ago when I built it and I haven't had to format a machine due to a virus in over a decade.
I find most things like Windows Defender and A / V tools to be more destructive than most malicious software. Oftentimes these tools will crush I/O performance and make things run slower 100% of the time on the off chance you get a virus. I'd rather have things run super fast all of the time and take my chances. If I get even a hint of my machine being compromised I would format anyways.
Most viruses back in the day just slammed you with a billion popups and added suspicious files to certain areas of your file system. You could easily see if you were infected or not.
Also, in the past, I've on occasion scanned my machine using Malwarebytes and other tools and they always came up clean.
Of course that doesn't mean I'm in the clear but if an A / V tool doesn't detect it, then what point is there to run that A / V tool? Truthfully, it's really really easy to write a malicious tool and not have it be detected by any type of software. That's why you should be careful with downloading and running unknown software (which I am very careful of).
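Two commenters in this thread describe periodically eyeballing the Task Manager startup tab and the process list. As an added example (not from either commenter), here is that check done from a shell, extended to the autostart locations the Startup tab does not show (automatic services and scheduled tasks), flagging entries that are unsigned, run from an unusual directory or are just an interpreter with the real payload in the arguments. The results are leads to look at, not verdicts. Run elevated; the list of trusted install roots is an assumption to adjust for your own layout.

```powershell
# Enumerate autostart entries and flag the ones worth a second look. Run elevated.
# Assumption: legitimate autostarts live under %SystemRoot%, Program Files or Program Files (x86).

function Get-ExecutablePath {
    param([string]$CommandLine)
    # quoted path first, else the first whitespace-delimited token
    # (an unquoted path with spaces mis-parses here, which is itself a reason to look at it)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+)')     { return $Matches[1] }
}

function Get-AutostartEntries {
    # Run/RunOnce keys and Startup folders: what Task Manager's Startup tab shows
    Get-CimInstance Win32_StartupCommand | ForEach-Object {
        [pscustomobject]@{ Source = "Startup: $($_.Location)"; Name = $_.Name; Command = $_.Command }
    }
    # services that start automatically
    Get-CimInstance Win32_Service | Where-Object StartMode -eq 'Auto' | ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
    }
    # enabled scheduled tasks with an "execute program" action
    Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) {
                [pscustomobject]@{ Source = "Task: $($task.TaskPath)"; Name = $task.TaskName
                                   Command = "$($a.Execute) $($a.Arguments)".Trim() }
            }
        }
    }
}

function Test-SuspiciousAutostart {
    param([pscustomobject]$Entry)
    $exe = Get-ExecutablePath $Entry.Command
    if (-not $exe) { return }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not [IO.Path]::IsPathRooted($exe)) {
        # bare names like svchost.exe resolve through PATH
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if (-not $cmd) { return "binary not found on PATH: $exe" }
        $exe = $cmd.Source
    }
    if (-not (Test-Path -LiteralPath $exe)) { return "binary missing: $exe" }

    $reasons = @()
    # catalog-signed OS files also report Valid (SignatureType Catalog)
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }

    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    if (-not ($trusted | Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })) {
        $reasons += "runs from $(Split-Path $exe -Parent)"
    }
    # launchers whose real payload is in the arguments
    if ($Entry.Command -match '(?i)\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)(\.exe)?\b') {
        $reasons += 'interpreter/LOLBin launcher, read the arguments'
    }
    if ($reasons) { $reasons -join '; ' }
}

Get-AutostartEntries | ForEach-Object {
    $why = Test-SuspiciousAutostart $_
    if ($why) { [pscustomobject]@{ Source = $_.Source; Name = $_.Name; Why = $why; Command = $_.Command } }
} | Format-Table -AutoSize -Wrap
```

Expect some noise from legitimate software installed outside Program Files and from Windows' own rundll32/scheduled tasks; the point is that the list is short enough to read, and that a new unsigned entry in it stands out on the next run.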
If it has no noticeable effect - my life is completely identical - it's hard for me to see it as something negative. If something has absolutely zero effect on my life whatsoever - not even a single advert on my screen - calling it a virus or malware seems unwarranted.
I suppose if my personal data was somehow used to damage someone else, that would warrant calling it malware.
Your stolen personal data could be used to empty your bank account or to commit a crime in your name which could cause permanent damage to your reputation, even if you were exonerated.
I leave the firewall and Windows Defender etc on constantly, I haven't experienced any of the issues with speed/IO etc you seem to have.
How old is your machine? On a modern computer with a decent processor, a decent amount of RAM and an SSD you really shouldn't notice Windows Defender. Maybe you have more viruses than you think?
> How old is your machine? On a modern computer with a decent processor, a decent amount of RAM and an SSD you really shouldn't notice Windows Defender. Maybe you have more viruses than you think?
It's an i5 3.2GHz quad core with 16GB of RAM and an SSD. Windows Defender cripples WSL performance. It's a known issue.
Right now most things open nearly instantly and I have no complaints with performance, even when doing very demanding tasks like running a few virtual machines while running test suites and simultaneously recording 1080p video while having 15 tmux sessions running in the background, etc..
> Windows Defender cripples WSL performance. It's a known issue.
Hmph. I have a similar setup at home. I haven't noticed anything odd about WSL, but I just use it for development (editing and compiling), but not any heavy-duty processing.
My main setup is to run Docker for Windows, connect to it through WSL and volume mount code from a drive into Docker to do active development (Rails, Flask, Phoenix apps mostly).
While I never ran Windows Defender personally, a bunch of my students (I run a Docker course) who had Windows Defender enabled said volume performance was disappointing on Windows. After they disabled Defender, things were really good. If you Google around there's a lot of people who mention that. Improvements are being made, but I still don't want a tool actively scanning files while I'm trying to use my machine.
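The exchange above pits Defender's real-time scanning against WSL and Docker volume performance. As an added example (not from anyone in the thread), here is a way to measure what a real-time exclusion actually buys on a small-file workload, and then to scope an exclusion to the WSL distro storage rather than switching the engine off. Run elevated. Assumptions: Store-installed WSL distros keep their filesystem (a WSL1 rootfs directory or a WSL2 ext4.vhdx) under the package's LocalState folder, and the workload below is constructed rather than a real build.

```powershell
# Measure the cost of real-time scanning on a small-file workload, then exclude only WSL storage.
# Run elevated. Assumption: WSL distro storage is %LOCALAPPDATA%\Packages\<distro>\LocalState.

function Get-WslStoragePaths {
    Get-ChildItem "$env:LOCALAPPDATA\Packages" -Directory | ForEach-Object {
        $state = Join-Path $_.FullName 'LocalState'
        if ((Test-Path (Join-Path $state 'rootfs')) -or (Test-Path (Join-Path $state 'ext4.vhdx'))) { $state }
    }
}

function Measure-SmallFileChurn {
    param([string]$Dir, [int]$Files = 2000)
    # constructed workload: create, read back and delete many tiny files, as checkouts and package installs do
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $t = Measure-Command {
        1..$Files | ForEach-Object { Set-Content -LiteralPath (Join-Path $Dir "f$_.txt") -Value "payload $_" }
        Get-ChildItem -LiteralPath $Dir -File | ForEach-Object { Get-Content -LiteralPath $_.FullName | Out-Null }
        Get-ChildItem -LiteralPath $Dir -File | Remove-Item -Force
    }
    Remove-Item -LiteralPath $Dir -Recurse -Force -ErrorAction SilentlyContinue
    [math]::Round($t.TotalSeconds, 2)
}

function Compare-ExclusionEffect {
    $probe = Join-Path $env:TEMP 'defender-probe'
    $scanned = Measure-SmallFileChurn $probe                    # real-time protection sees every write
    Add-MpPreference -ExclusionPath $probe
    try     { $excluded = Measure-SmallFileChurn $probe }       # same work, path excluded
    finally { Remove-MpPreference -ExclusionPath $probe }       # never leave a temp directory excluded
    [pscustomobject]@{
        ScannedSeconds  = $scanned
        ExcludedSeconds = $excluded
        Speedup         = [math]::Round($scanned / [math]::Max($excluded, 0.01), 1)
    }
}

Compare-ExclusionEffect | Format-List

# If the difference matters for your workload, exclude the WSL storage only: never %TEMP%, Downloads or C:\
foreach ($p in Get-WslStoragePaths) {
    Write-Host "excluding $p"
    Add-MpPreference -ExclusionPath $p
}
(Get-MpPreference).ExclusionPath
```

An excluded path is a blind spot: anything written there is never scanned, which is why the probe exclusion is removed in a `finally` block and why the permanent exclusion is limited to the distro storage rather than to a directory a browser or installer writes into. Docker Desktop's own data directory is not covered here because its location varies between versions.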
I'm with you. The overhead of AV scanning is something you have to put up with 100% of the time for the off chance that you get infected with something, and they aren't very reliable detectors of malware anyway. It's much better to turn that crap off and use other, more effective, mitigation strategies.
For the most part default Windows 10 is fairly hard to break into if updated. Leave everything on and don't open new holes in it and it's probably fine. I went to a demonstration on hacking into machines with Kali Linux and Metasploit and my Surface was on the Wi-Fi. I told him to go right ahead and let me know what he could do.
He admitted defeat quickly. ;)
For the most part, problems with computers are ones we create ourselves by shutting off security protections or adding services that open up holes in the security of a system. Sometimes it's necessary of course, but you need to understand the risks you take when you do and mitigate them.
- Don't disable Secure Boot, Windows Defender and Windows Firewall
- If you really think updates are annoying shift the monthly updates by one month BUT always confirm the security updates
- If you have a PRO license give VBS [0] and Controlled Folder Access [1] a try (spoiler: this will be a little annoying at the beginning but will become almost perfect with a well configured whitelist)
- Also from the next (major) patch you should use Windows Sandbox [2] to run untrusted software (still a PRO feature)
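The "well configured whitelist" for Controlled Folder Access is the part that takes work. As an added example (not from the commenter above), here it is done in three moves: run CFA in audit mode for a while, turn the audited events into a candidate list with signer information, then allow only the binaries you recognise and switch to Enabled. Run elevated. Assumptions: the extra protected folder, the 7-day window, and the example allowlist path in the usage lines.

```powershell
# Build a Controlled Folder Access allowlist from audit-mode events, then enforce. Run elevated.
# Assumptions: an extra protected folder under the profile, a 7-day audit window, example paths in usage.

function Start-CfaAuditPeriod {
    # AuditMode writes event 1124 for every write CFA would have blocked, without blocking it
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    # user libraries are protected by default; add your own data roots (assumption: a source tree)
    Add-MpPreference -ControlledFolderAccessProtectedFolders (Join-Path $env:USERPROFILE 'src')
}

function Get-CfaCandidates {
    param([int]$Days = 7)
    # 1123 = blocked, 1124 = audited, both in the Defender operational log
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events | ForEach-Object {
        # field names as they appear in the event XML; confirm on one event with .ToXml() before relying on them
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Process = $data['Process Name']; Path = $data['Path']; Audited = ($_.Id -eq 1124) }
    } | Where-Object Process | Group-Object Process | ForEach-Object {
        $exe = $_.Name
        $sig = if (Test-Path -LiteralPath $exe) { Get-AuthenticodeSignature -FilePath $exe }
        [pscustomobject]@{
            Process   = $exe
            Hits      = $_.Count
            Signature = if ($sig) { [string]$sig.Status } else { 'file gone' }
            Signer    = if ($sig) { $sig.SignerCertificate.Subject } else { '' }
            Folders   = ($_.Group.Path | ForEach-Object { Split-Path $_ -Parent } | Sort-Object -Unique) -join '; '
        }
    } | Sort-Object Hits -Descending
}

function Set-CfaAllowlist {
    param([Parameter(Mandatory)][string[]]$Processes)
    foreach ($p in $Processes) {
        # an allowed interpreter would let any script bypass CFA, so refuse those outright
        if ($p -match '(?i)\\(powershell|pwsh|cmd|wscript|cscript|mshta)\.exe$') { Write-Warning "not allowing $p"; continue }
        Add-MpPreference -ControlledFolderAccessAllowedApplications $p
    }
    Set-MpPreference -EnableControlledFolderAccess Enabled
}

# Usage, spread over a week (paths are examples, not recommendations):
#   Start-CfaAuditPeriod
#   ... work normally ...
#   Get-CfaCandidates | Format-Table -AutoSize -Wrap
#   Set-CfaAllowlist -Processes 'C:\Program Files\Git\mingw64\bin\git.exe'
```

Allow full paths to specific signed binaries, never directories. The Signer column is there so an unsigned or unexpectedly signed process with many hits gets investigated instead of allowlisted because it was noisy.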
I only use Windows in a VM now, but for years I ran Windows with no AV outside of whatever Windows set up on its own. I only got two viruses in my life, and both times I was asking for it (downloading sketchy looking things off of Kazaa when that was a thing).
Sounds simple, and it actually is, and this served me well for the past 20 years or so. I think. Did take me some 'practice' though, i.e. got bitten once only then knew better than to trust random executables. (Now if I really want that I just fire up a VM.) And back then there wasn't even Defender and now I still turn it off usually, sometimes it wrecks performance. On the other hand: for all I know my machines are all infected..
Yep, same. Sometimes I’ll spin up a VM if I’m visiting a site that I’m suspect of or installing something random (even if it’s open source because I didn’t build these binaries and I haven’t audited the code), but as I used to say when I was doing desktop support “you don’t get malware by visiting CNN”.
I have to barge in here and mention that doing totally reasonable things can result in getting malware installed on your systems.
The most glaring case was the early Windows XP era, when it was enough to plug in the Ethernet cable during installation to get malware. I had to download the service pack and install it offline before plugging in the network.
Today, I'd point out that ad networks' code is barely scrutinized, and they can hit unpatched vulnerabilities all right (sorry for not providing examples).
What exactly is meant here by secure? Windows in its default state contains spyware that you cannot disable or remove, or at the very least you cannot expect laymen to do. It is essentially covered in their terms of service and privacy statement. Then there is Intel ME, AMD PSP, etc.
Short answer is that you simply do not secure your Windows PC. You may eliminate some of the spyware, but it does not make it secure. Can you make anything fully secure? Perhaps only secure enough, but then you need to specify what is meant by enough.
I'd be careful running any tools to clean up Windows 10. While I haven't used this one before, I've used others that do basically the same thing. The telemetry features are so baked in to Windows 10 that running these tools can break Windows if you're not careful. And since every major update of Windows 10 changes so much with no regard to user preferences, even if your clean-up works today, it might break in the future.
Abandoned project due to malware suspicions and other drama. Possibly a fork somewhere. But as you say why break your OS when you can switch over to something else?
I keep the silly Windows in a virtual machine or a few.
Also standard hygiene applies such as opening files and attaching unknown media in a burner VM, not mixing banking, documents and entertainment, disabling autoplay and media icons if the previous options are inapplicable.
Staying away from dodgy sites helps too.
I generally do not have to keep the firewall or defender active as the routing (or lack thereof) is more effective.
Also skip the automatic that pins everyone, such as remote device detection.
Being facetious but I gave up on Windows on my computers just over a decade ago due to this very reason. I was sick of constantly needing to upgrade every 2-4 years and having serious security issues. I went full Linux and I don't consider myself a free software zealot.
I found this[1] a while back and have followed it on my Windows PC. I don't go so far as to install GlassWire, but the other suggestions it makes are reasonable for me.
On the anecdotal side - keeping software up to date and being highly suspicious of all software seems to have kept me safe from issues for over a decade.
I mostly stick to open source or well known commercial software, run Windows Defender, and I run uBlock Origin. I'm of the opinion the biggest risk of malware comes from rogue ads.
I've only been hit with malware twice in the 25 years I've been using Windows. Once was me running a sketchy exe from a torrent site (that's on me) and once when I wasn't running an ad blocker.
I too believe that for most people Windows 10 out-of-the-box is more secure than most Linux distros. Sure you can lock-down an Arch build but it's difficult (even for the technically inclined), time-consuming and needs constant monitoring and sometimes manual updating/reconfiguration.
For Windows I do all of the things shared below (plus a few other tweaks) which are good enough for a medium security risk level. The combination of all of them represents a significant barrier to non-state actors:
> I too believe that for most people Windows 10 out-of-the-box is more secure than most Linux distros.
At the risk of being off-topic: Even if that were true (which I doubt but it has been better-debated elsewhere) ... 1) that list would be much-changing over time, and 2) it seems like Debian (or Devuan) stays on top of things reasonably well, especially if you add a firewall (I've liked the "arno-iptables-firewall" one though it doesn't seem to auto-start any more except on Devuan).
Also, the length and changeability of that list illustrate why I use OpenBSD: it is more secure by default (as a key goal), and then when you make changes to the default config you can consider the security implications of each change. They put a lot of attention into auditing and making good design choices.
Having said all that, many people simply won't like the feel of bsd or linux, and prefer a more commercial experience (for lack of a better term). (Edit: more of my thoughts on that, hopefully lightweight and skimmable, at http://lukecall.net/e-9223372036854587380.html )
But thanks for posting that list, as it could help someone.
Simple. I assume that my PC is compromised and do not do any financial transactions on it. Still run dubious software in a VM but have a separate cheap netbook for banking/online purchases.
Nothing more than speculation but...I suspect if you aren't using an open source OS, it's possible the NSA has a backdoor into the machine. The lack of open source is partly why the EternalBlue exploit existed across decades of windows releases.
I was really disappointed with Malwarebytes. It seemed great, so I paid for it, and every other week it would de-activate itself without warning. I would only notice this when explicitly checking the control panel, to find it had been turned off, and I needed to re-enter the license key.
Maybe they've improved it? I should give it another shot!
Most things already mentioned in the comments here, plus:
- Disabling Windows Script Host
- Enabling the 'Memory integrity' feature under Core Isolation. This however uses Hyper-V, so it is enabled on my laptop but not on my workstation, as Hyper-V only supports enhanced sessions with Ubuntu.
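For the two items above, an added example (not the commenter's own): disable Windows Script Host machine-wide, prove the switch took effect with a harmless constructed .vbs instead of trusting the registry write, and report the memory integrity state through the same WMI class the Core Isolation page reads. Run elevated.

```powershell
# Disable Windows Script Host and verify; report HVCI (memory integrity) state. Run elevated.

function Disable-WindowsScriptHost {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled = 0 makes wscript.exe and cscript.exe refuse every script (.vbs, .js, .wsf) on this machine
    Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
}

function Test-WindowsScriptHostDisabled {
    # constructed probe: if WSH still runs, this marker appears in the output
    $probe = Join-Path $env:TEMP 'wsh-probe.vbs'
    Set-Content -LiteralPath $probe -Value 'WScript.Echo "WSH-STILL-ENABLED"'
    try     { $out = & cscript.exe //nologo $probe 2>&1 | Out-String }
    finally { Remove-Item -LiteralPath $probe -Force }
    # a disabled host prints "Windows Script Host access is disabled on this machine" instead
    return ($out -notmatch 'WSH-STILL-ENABLED')
}

function Get-MemoryIntegrityState {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        # 2 = HVCI; Configured but not Running usually means a pending reboot or an incompatible driver
        Configured = ($dg.SecurityServicesConfigured -contains 2)
        Running    = ($dg.SecurityServicesRunning -contains 2)
        # the Core Isolation toggle in Settings writes this value
        UiToggle   = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity' -Name Enabled -ErrorAction SilentlyContinue).Enabled
    }
}

Disable-WindowsScriptHost
"WSH disabled: $(Test-WindowsScriptHostDisabled)"
Get-MemoryIntegrityState
```

Disabling WSH does not stop PowerShell, mshta or HTA files, so treat it as closing one door (double-clicked .vbs/.js attachments) rather than as a general script control.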
Firefox + uMatrix to block all JS by default, and judiciously enable domains until things work to my satisfaction, or go elsewhere. Maybe open it in Chrome + uBlockOrigin if I think the hipsters who run the website don't know how to make a website.
Pi-hole.
Don't click ads. (hardly any remain by this point)
Stay behind a router.
Don't run/install every little piece of software that you come across.
Install updates.
Look for and verify hashes of downloads.[0]
Examine CPU/RAM usage, startup processes, and services regularly.
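Two of the lists in this thread include "verify hashes of downloads" and "scan files you download". As an added example (not from either commenter), here is a single check to run on a download before executing it: integrity (SHA-256 against the hash the publisher posted), authenticity (Authenticode chain plus the signer you expect, since a valid signature from the wrong publisher proves nothing) and provenance (the mark-of-the-web stream the browser attached). The path, hash and signer in the usage lines are placeholders you replace.

```powershell
# Check a downloaded file before running it: hash, Authenticode signer, mark-of-the-web.
# Placeholders in the usage lines are to be replaced with the real values for your download.

function Test-Download {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha256,     # copied from the publisher's page over HTTPS, not from the same mirror as the file
        [string[]]$ExpectedSigner    # fragments of the certificate subject you expect, e.g. 'O=Example Corp'
    )
    $r = [ordered]@{ Path = $Path }

    # 1. integrity: hex compare, case-insensitive, whitespace stripped
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $r['Sha256']      = $actual
    $r['HashMatches'] = if ($ExpectedSha256) { $actual -ieq ($ExpectedSha256 -replace '\s', '') } else { 'not checked' }

    # 2. authenticity: a Valid chain alone is not enough, the signer must be the one you expect
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $r['SignatureStatus'] = [string]$sig.Status
    $r['Signer']          = $sig.SignerCertificate.Subject
    $r['SignerTrusted']   = if ($ExpectedSigner) {
        [bool]($sig.Status -eq 'Valid' -and ($ExpectedSigner | Where-Object { $sig.SignerCertificate.Subject -like "*$_*" }))
    } else { 'not checked' }
    $r['Timestamped'] = [bool]$sig.TimeStamperCertificate   # countersigned: stays valid after the signing cert expires

    # 3. provenance: Zone.Identifier alternate stream (ZoneId 3 = Internet) with the URLs the browser recorded
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($field in 'ZoneId', 'ReferrerUrl', 'HostUrl') {
        $r[$field] = ($zone | Where-Object { $_ -like "$field=*" }) -replace "^$field=", ''
    }

    # verdict: every check actually performed must have passed, and at least one must have run
    $performed = @($r['HashMatches'], $r['SignerTrusted']) | Where-Object { $_ -is [bool] }
    $r['Verdict'] = if ($performed.Count -gt 0 -and ($performed -notcontains $false)) { 'checks passed' } else { 'DO NOT RUN' }
    [pscustomobject]$r
}

# Usage with placeholders:
# Test-Download -Path "$env:USERPROFILE\Downloads\tool-setup.exe" `
#     -ExpectedSha256 '<sha256 from the release page>' -ExpectedSigner 'O=Example Publisher'
```

The Sha256 it prints is also what you paste into VirusTotal's search box for a second opinion: a hash lookup tells you whether the exact file has already been seen and scanned without uploading anything. A HostUrl that does not match where you thought you downloaded from is worth a pause even when the other checks pass.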
This depends entirely on what you are protecting against. Being hacked (someone stealing data for example) or data loss, such as getting a ransom Trojan? I worry only about the latter. I don’t have secrets on my machine that I would be upset if someone got hold of. That makes protection easier.
Use good backup software with write-only snapshots (not mirrors).
Apply updates quickly. Don’t disable any built in protections and don’t add any third party ones.
- Set UAC to lowest level (Too annoying to leave on high)
I think it's just better to leave it in default position.
- Use uMatrix and uBlock Origin
Firefox already has tracking blocking and I've done tests to check: Firefox is way faster and more stable without any extensions. uBlock Origin removes ad page blocks, but actually adds more resources to the program + slows page loads. Just try to turn it off and recheck.
This is exactly my list (except with different software for 4)). Have been running Windows since Win3.1, and haven't 'caught' anything bad yet; worst was adware that somehow escaped detection inside the installer for an old version of Delphi.
Despite the fear-mongering, a lot of it comes down to common sense; don't click on links in dodgy emails, use adblockers for torrent sites etc. Most people get trapped by fairly basic stuff that more experienced computer / Windows users sidestep effortlessly, IMO and IME.
My educated guess is that Windows will never be secure, because as I see it it is an un-designed un-principled heap of low-quality software. Therefore I keep Windows enclosed and strictly locked down in a virtual machine. If I need to do anything I feel is dubious I branch to a new timeline in a snapshot and roll back when I’m done.
This also eliminates the hazard of Windows being unavailable for work due to the slow and uncontrollable update process; Just hop back to the last working snapshot. Update later.
—
Edit: To downvoters: Please note that this is a factual and sincere answer to the question “how do you secure your Windows PC?”. This is literally how I do that.
In the comment, my opinion is clearly framed as my opinion, and the rest is a description of a technical workflow, its premise, and its implications. Therefore this is a better candidate for discussion than for downvoting if you disagree. In my opinion. I’m not attached to the fate of my comment, but I prefer the society we are building here to work that way. And that is, I believe, the premise.
I think this is an outdated view of things. AFAIK, Windows is commonly regarded as more secure than Linux out of the box.
Having used Windows for over 20 years and never gotten bit by any malware, I think the quality of Windows security has always been a bit overrated. Being the biggest target for malware has its advantages I guess.
I'd love to see a source for windows being more secure? An out-of-the box install of windows is generally years out of date, Linux installs are usually only 6 months old.
I personally haven’t got the feeling that Windows is now considered more secure than Linux. I see a consensus that Windows is more secure than it was, but my perspective is that the design foundations are the same as before, and that they are hard to reason about and that the interactions are complex, so I personally will not be placing faith in Windows being as secure, as securable, and as known to be securable as an OS could be.
I base the opinion on decades of extensive Windows, Linux, and macOS use as well as software development on all platforms. I have a BSc in computer science. My humble and earnest opinion is that Windows is poorly designed. The thought model behind it appears to me as inconsistent, and this also manifests in how we use it. We can do better and deserve better.
If it is your opinion that this is misinformed, where would you recommend that people with opinions on Windows similar to mine could go and could inform themselves better?
Here’s another perspective: Is it more secure, less secure, or the same, if I run Windows in an enclosed VM and roll back any action which might have side effects I don’t want? I’d think that it was hard to argue anything other than it being more secure. And that reveals my point: In a better designed system it wouldn’t matter.
Can you describe to me which elements of the thought model you find are inconsistent?
As far as where you could go to learn more, I think this book has much of the information you would be interested in, although I'm not entirely sure yet which specific elements of the operating system you're focused on. https://docs.microsoft.com/en-us/sysinternals/learn/windows-...
> if I run Windows in an enclosed VM and roll back any action which might have side effects I don’t want
I see this as a separate argument for using VMs. The stated use applies to any operating system and I agree it's more secure and a good idea. Can you do the equivalent in other operating systems with a simpler procedure? This is a genuine question, I'm ignorant to that
[0] https://docs.microsoft.com/en-us/windows/security/identity-p...
[1] https://scoop.sh/ (enable its additional repositories for GUI tools or all possible JDK flavors: https://github.com/lukesampson/scoop/wiki/Buckets)
[2] https://chocolatey.org/