Obtain all 3rd party tools from the Microsoft Store or scoop or chocolatey (in that order) and not by downloading `foo.msi` from the first search result. This way you can update all your apps in a single step and don't have to rely on built-in updaters.
https://scoop.sh/ (enable its additional repositories for GUI tools or all possible JDK flavors: https://github.com/lukesampson/scoop/wiki/Buckets)
1. Attack Surface Reduction Rules - Blocks some commonly seen dodgy techniques
2. Credential Guard - Moves LSASS to an isolated VM (breaks VMWare etc though, see 5 if this is a dealbreaker)
3. Application Guard (Enterprise Mode) - Transparently virtualises and isolates Microsoft Edge (same caveat as above)
4. Microsoft Defender MAPS and Block at First Sight
5. Run LSASS as a protected process
6. Process creation auditing with commandline
7. PowerShell script block logging
I stopped using 3rd party products a good few years ago and haven't looked back.
I've seen certain "enterprise" solutions absolutely cripple the performance of Windows PCs, and I'm not sold on that they do a better job either.
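The seven built-in protections listed above can each be checked from PowerShell, which is useful before relying on them: several of them (LSASS as a protected process, command-line auditing, script block logging) are silent when they are off. The script below is an added example, not code from the thread; it is a read-only audit that assumes Windows 10 with Microsoft Defender, an elevated PowerShell, and an English-locale `auditpol` output. The comments at the end show the corresponding enable commands.

```powershell
# Added example, not code from the thread. Read-only audit of the built-in
# protections listed above (ASR rules, Credential Guard, MAPS/block at first
# sight, LSASS PPL, process creation auditing, script block logging).
# Assumes Windows 10 with Microsoft Defender and an elevated PowerShell.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

function Test-BuiltInProtections {
    $mp = Get-MpPreference
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    # 1. ASR rules: Ids and Actions are parallel arrays; action 1 = Block, 2 = Audit, 6 = Warn
    $asrIds     = @($mp.AttackSurfaceReductionRules_Ids)
    $asrActions = @($mp.AttackSurfaceReductionRules_Actions)
    $asrBlocking = 0
    for ($i = 0; $i -lt $asrIds.Count; $i++) { if ($asrActions[$i] -eq 1) { $asrBlocking++ } }

    # 2. Credential Guard: SecurityServicesRunning contains 1 when it is running (2 would be HVCI)
    $credGuard = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

    # 4. MAPS + block at first sight: MAPSReporting 2 = Advanced; SubmitSamplesConsent
    #    1 (safe samples) or 3 (all samples) lets the cloud verdict happen; CloudBlockLevel 2 = High
    $maps = ($mp.MAPSReporting -eq 2) -and ($mp.SubmitSamplesConsent -in 1, 3)

    # 5. LSASS as a protected process: RunAsPPL 1 (or 2 on newer builds) = enabled
    $ppl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'

    # 6. Process creation auditing (event 4688) with the command line field included
    $auditOn = @((auditpol /get /subcategory:"Process Creation" 2>$null) -match 'Success').Count -gt 0
    $cmdLine = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 'ProcessCreationIncludeCmdLine_Enabled'

    # 7. PowerShell script block logging (event 4104 in Microsoft-Windows-PowerShell/Operational)
    $sbl = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'

    @(
        [pscustomobject]@{ Check = 'ASR rules in block mode';     Enabled = ($asrBlocking -gt 0);        Detail = "$asrBlocking of $($asrIds.Count) configured rules block" }
        [pscustomobject]@{ Check = 'Credential Guard running';    Enabled = $credGuard;                  Detail = "SecurityServicesRunning = $(if ($dg) { $dg.SecurityServicesRunning -join ',' } else { 'n/a' })" }
        [pscustomobject]@{ Check = 'MAPS / block at first sight'; Enabled = $maps;                       Detail = "MAPSReporting=$($mp.MAPSReporting) SubmitSamplesConsent=$($mp.SubmitSamplesConsent) CloudBlockLevel=$($mp.CloudBlockLevel)" }
        [pscustomobject]@{ Check = 'LSASS protected process';     Enabled = ($ppl -in 1, 2);             Detail = "RunAsPPL = $ppl" }
        [pscustomobject]@{ Check = 'Process creation auditing';   Enabled = $auditOn;                    Detail = "auditpol Success = $auditOn" }
        [pscustomobject]@{ Check = '  ...with command line';      Enabled = ($cmdLine -eq 1);            Detail = "ProcessCreationIncludeCmdLine_Enabled = $cmdLine" }
        [pscustomobject]@{ Check = 'Script block logging';        Enabled = ($sbl -eq 1);                Detail = "EnableScriptBlockLogging = $sbl" }
    )
}

Test-BuiltInProtections | Format-Table -AutoSize

# To turn the missing ones on (elevated):
#   Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples -CloudBlockLevel High
#   Add-MpPreference -AttackSurfaceReductionRules_Ids <rule GUID from Microsoft's ASR reference> -AttackSurfaceReductionRules_Actions Enabled
#   auditpol /set /subcategory:"Process Creation" /success:enable
#   New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -PropertyType DWord -Force
#   New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force
#   RunAsPPL: New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name RunAsPPL -Value 1 -PropertyType DWord -Force, then reboot
```

Items 6 and 7 are the ones that pay off later: with both on, a suspicious `powershell.exe -enc ...` launch shows up as a 4688 event carrying the full command line and a 4104 event carrying the decoded script, which is what you want when you are checking the startup tab and process list by hand as several comments here describe.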
Scan files you download, submit them to virustotal if unsure.
Sync data (e.g. or whatever drive/dropbox/nextcloud) and keep snapshots. Only way to ensure you don't lose anything
A lying DNS server can also help for privacy and security, as well as a sinkhole for known-bad IPs [2,3,4] (should be deployed network-wide though) (I could use some help to test if my scripts run on WSL, as they're mostly POSIX).
I disable Windows defender and all built in firewalls (my router has a firewall). I also don't run any anti-virus software. This is something I've done from the beginning.
But I do run uBlock Origin in any browser I use.
I also make sure to Win key + L (lock) my machine when I leave it unattended.
From time to time I check the startup tab in task manager to make sure nothing looks suspicious and occasionally look at things like CPU / memory usage to look for anything out of place.
So far it's been working out great. My current computer runs just as fast as it did 5 years ago when I built it and I haven't had to format a machine due to a virus in over a decade.
I find most things like Windows defender and A / V tools to be more destructive than most malicious software. Oftentimes these tools will crush I/O performance and make things run slower 100% of the time in the off chance you get a virus. I'd rather have things run super fast all of the time and take my chances. If I get even a hint of my machine being compromised I would format anyways.
This is a variation of the bad toupee fallacy. You won't notice viruses and malware, almost by definition.
Also, in the past, I've on occasion scanned my machine using malware bytes and other tools and they always came up clean.
Of course that doesn't mean I'm in the clear but if an A / V tool doesn't detect it, then what point is there to run that A / V tool? Truthfully, it's really really easy to write a malicious tool and not have it be detected by any type of software. That's why you should be careful with downloading and running unknown software (which I am very careful of).
I suppose if my personal data was somehow used to damage someone else, that would warrant calling it malware.
How old is your machine? On a modern computer with a decent processor, a decent amount of RAM and an SSD you really shouldn't notice Windows Defender. Maybe you have more viruses than you think?
It's an i5 3.2GHz quad core with 16GB of RAM and an SSD. Windows defender cripples WSL performance. It's a known issue.
Right now most things open nearly instantly and I have no complaints with performance, even when doing very demanding tasks like running a few virtual machines while running test suites and simultaneously recording 1080p video while having 15 tmux sessions running in the background, etc..
Hmph. I have a similar setup at home. I haven't noticed anything odd about WSL, but I just use it for development (editing and compiling), but not any heavy-duty processing.
While I never ran Windows defender personally, a bunch of my students (I run a Docker course) who had Windows defender enabled said volume performance was disappointing on Windows. After they disabled defender, things were really good. If you Google around there's a lot of people who mention that. Improvements are being made, but I still don't want a tool actively scanning files while I'm trying to use my machine.
He admitted defeat quickly. ;)
For the most part, problems with computers are ones we create ourselves by shutting off security protections or adding services that open up holes in the security of a system. Sometimes it's necessary of course, but you need to understand the risks you take when you do and mitigate them.
- If you really think updates are annoying, shift the monthly updates by one month BUT always confirm the security updates
- If you have a PRO license give a try to VBS and Controlled Folder access (spoiler: this will be a little annoying at the beginning but will become almost perfect with a well configured whitelist)
- Also from the next (major) patch you should use Windows Sandbox to run untrusted software (still a PRO feature)
I only use Windows in a VM now, but for years I ran Windows with no AV outside of whatever Windows set up on its own. I only got two viruses in my life, and both times I was asking for it (downloading sketchy looking things off of Kazaa when that was a thing).
Vipre has a nice offline scanner you can download. They used to update it daily, but I haven't used it in awhile since I mostly manage Linux now.
Sometimes you do: https://www.symantec.com/connect/blogs/malvertising-campaign...
Run an adblocker and up to date Windows 10.
For anyone doing tech support over the Easter long weekend: https://decentsecurity.com/#/holiday-tasks/
I have to barge in here and mention that doing totally reasonable things can result in getting malware installed on your systems.
The most glaring case was the early Windows XP era, when it was enough to plug in the Ethernet cable during installation to get malware. I had to download the service pack and install it offline before plugging in the network.
Today, I'd point out that ad networks' code is barely scrutinized, and they can hit unpatched vulnerabilities all right (sorry for not providing examples).
That's why it's so important to discuss & combat conceptually, not specifically.
Short answer is that you simply do not secure your Windows PC. You may eliminate some of the spyware, but it does not make it secure. Can you make anything fully secure? Perhaps only secure enough, but then you need to specify what is meant by enough.
In any case, for Windows 10: https://github.com/Nummer/Destroy-Windows-10-Spying
Note: it may break your system as some services are deeply embedded into it, and may require them to remain intact to function properly.
I try to avoid Windows 10 whenever possible.
I think this definitely needs to be taken into consideration when running these sort of tools, I agree.
> I try to avoid Windows 10 whenever possible.
Good advice. I second it.
Also standard hygiene applies such as opening files and attaching unknown media in a burner VM, not mixing banking, documents and entertainment, disabling autoplay and media icons if the previous options are inapplicable.
Staying away from dodgy sites helps too.
I generally do not have to keep the firewall or defender active as the routing (or lack thereof) is more effective.
Also skip the automatic that pins everyone, such as remote device detection.
On the anecdotal side - keeping software up to date and being highly suspicious of all software seems to have kept me safe from issues for over a decade.
I've only been hit with malware twice in the 25 years I've been using Windows. Once was me running a sketchy exe from a torrent site (that's on me) and once when I wasn't running an ad blocker.
For Windows I do all of the things shared below (plus a few other tweaks), which are good enough for a medium security risk level. The combination of all of them represents a significant barrier to non-state actors:
- Upgrade to Windows Pro
- Change computer name to something nondescript
- Use a local login account (no email address)
- Create a separate Admin and Standard account
- Install favourite Anti-Virus and Firewall
- Enable Exploit Protection (CFG, DEP, Mandatory ASLR, Bottom-up ASLR, High-entropy ASLR, SEHOP and Heap Integrity)
- Enable Windows Defender Application Guard and Core isolation memory integrity
- Install preferred VPN
- Install trusted password manager
- Crank UAC to the highest setting
- Use an encrypted Virtual Drive for files
- Disable AutoPlay for all devices
- Activate all privacy toggles in Windows Settings
- Reduce telemetry to the minimum allowed
- Ensure cloud clipboard is disabled (!)
- Defer feature updates but allow quality (security) updates
- Receive updates directly from Microsoft and not third-parties
- Run PowerShell script to remove any pre-installed, non-Microsoft, junkware
- Enable BitLocker with triple factor authentication (TPM + Enhanced PIN + USB)
- Activate BitLocker 256-bit encryption in XTS-AES mode
- Disable BitLocker recovery key
- Require Secure Boot and Additional Authentication at Startup
- Enable device lockout after X number of invalid login attempts
- Disable NTLM and SMB
- Disable debugging logs
- Disable Sleep Mode
- Disable Hide extensions for known file types
- Enable Show hidden files, folders and drives
- Harden web browser by disabling all unnecessary features
- Install content blockers into web browser
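Most of the items on that list are a handful of registry values or one cmdlet each, so they are easy to script and re-apply after a reinstall. The script below is an added example, not the commenter's own script; it covers a subset (Exploit Protection, UAC at the highest level, AutoPlay, file extensions and hidden files, account lockout, SMBv1) and assumes an elevated PowerShell on Windows 10 1709 or later, where `Set-ProcessMitigation` exists. The lockout threshold of 10 is a value chosen for the example. It supports `-WhatIf`, so a dry run shows every change before anything is written.

```powershell
# Added example, not the commenter's own script. Applies a subset of the list
# above. Assumes an elevated PowerShell on Windows 10 1709 or later.
function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

function Invoke-WorkstationHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$LockoutThreshold = 10)   # threshold chosen for the example

    # Exploit Protection system defaults: DEP, CFG, mandatory ASLR (ForceRelocateImages),
    # bottom-up and high-entropy ASLR, SEHOP and heap integrity (TerminateOnError).
    # Per-application settings still override these. Mandatory ASLR system-wide can
    # break old binaries not linked with /DYNAMICBASE, which is why -WhatIf is worth a look first.
    if ($PSCmdlet.ShouldProcess('Exploit Protection', 'Enable system-wide mitigations')) {
        Set-ProcessMitigation -System -Enable DEP, CFG, ForceRelocateImages, BottomUp, HighEntropy, SEHOP, TerminateOnError
    }

    # UAC "Always notify": consent prompt on the secure desktop for admins
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($PSCmdlet.ShouldProcess('UAC', 'Always notify, on the secure desktop')) {
        Set-PolicyDword $sys 'EnableLUA' 1
        Set-PolicyDword $sys 'ConsentPromptBehaviorAdmin' 2
        Set-PolicyDword $sys 'PromptOnSecureDesktop' 1
    }

    # AutoPlay off for every drive type (bit mask 0xFF)
    if ($PSCmdlet.ShouldProcess('AutoPlay', 'Disable for all drive types')) {
        Set-PolicyDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun' 255
    }

    # Explorer for the current user: show extensions ("invoice.pdf.exe" stays visible) and hidden files
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    if ($PSCmdlet.ShouldProcess('Explorer', 'Show extensions and hidden files')) {
        Set-PolicyDword $adv 'HideFileExt' 0   # "Hide extensions for known file types" off
        Set-PolicyDword $adv 'Hidden' 1        # "Show hidden files, folders and drives" on
    }

    # Lock local accounts after too many bad logons
    if ($PSCmdlet.ShouldProcess('Local accounts', "Lock out after $LockoutThreshold invalid logons")) {
        net accounts /lockoutthreshold:$LockoutThreshold | Out-Null
    }

    # SMBv1 is an optional feature; removing it is the "disable SMB" that matters most
    if ($PSCmdlet.ShouldProcess('SMBv1', 'Remove the optional feature')) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

Invoke-WorkstationHardening -WhatIf   # dry run; drop -WhatIf to apply, then reboot
```

The BitLocker items on the list are not in the script; the matching cmdlet is `Enable-BitLocker` with `-EncryptionMethod XtsAes256` and `-TpmAndPinAndStartupKeyProtector`, which takes the startup-key path and a PIN as a `SecureString`. Check what Exploit Protection actually ended up with using `Get-ProcessMitigation -System` after the reboot, since a group policy can override the values written here.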
At the risk of being off-topic: Even if that were true (which I doubt but it has been better-debated elsewhere) ... 1) that list would be much-changing over time, and 2) it seems like Debian (or Devuan) stays on top of things reasonably well, especially if you add a firewall (I've liked the "arno-iptables-firewall" one though it doesn't seem to auto-start any more except on Devuan).
Also, the length and changeability of that list illustrate why I use OpenBSD: it is more secure by default (as a key goal), and then when you make changes to the default config you can consider the security implications of each change. They put a lot of attention into auditing and making good design choices.
Having said all that, many people simply won't like the feel of bsd or linux, and prefer a more commercial experience (for lack of a better term). (Edit: more of my thoughts on that, hopefully lightweight and skimmable, at http://lukecall.net/e-9223372036854587380.html )
But thanks for posting that list, as it could help someone.
Edit: I also posted here some things I do on any system, for safer browsing: https://yro.slashdot.org/comments.pl?sid=13803908&cid=584646... (part of: https://yro.slashdot.org/story/19/04/19/2345227/incognito-mo... ).
Nothing more than speculation but...I suspect if you aren't using an open source OS, it's possible the NSA has a backdoor into the machine. The lack of open source is partly why the EternalBlue exploit existed across decades of windows releases.
Maybe they've improved it? I should give it another shot!
- Disabling Windows Script Host
- Enabling 'Memory integrity' feature under Core Isolation. This however uses Hyper-V so it is enabled on my laptop but not on my workstation as Hyper-V only supports enhanced sessions with Ubuntu.
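Both of those settings are registry toggles, but memory integrity has a twist: setting it is not the same as it running, because Windows leaves it off after the reboot if the firmware prerequisites are missing. The script below is an added example, not from the thread; it reports configured-versus-running state for memory integrity and whether Windows Script Host is disabled, with two helpers that set each one. It assumes Windows 10 and, for the `Disable-*`/`Enable-*` helpers, an elevated PowerShell.

```powershell
# Added example, not from the thread. Checks whether Windows Script Host
# (wscript/cscript, the host for .vbs/.js files) is disabled and whether memory
# integrity (HVCI) is both configured and actually running. Assumes Windows 10;
# the two Set helpers need an elevated PowerShell.
$WshKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$HvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'

function Get-ScriptHostAndHvciState {
    # WSH stays enabled unless the Enabled value exists and is 0
    $wsh = Get-ItemProperty -Path $WshKey -Name Enabled -ErrorAction SilentlyContinue
    $wshDisabled = ($null -ne $wsh) -and ($wsh.Enabled -eq 0)

    # Configured (registry) versus running (reported by the DeviceGuard CIM class)
    $cfg = Get-ItemProperty -Path $HvciKey -Name Enabled -ErrorAction SilentlyContinue
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = configured, 2 = running.
    # AvailableSecurityProperties lists what the platform offers (1 = base virtualization
    # support, 2 = Secure Boot, 3 = DMA protection, and further platform features);
    # an empty or short list is the usual reason HVCI is configured but not running.
    [pscustomobject]@{
        ScriptHostDisabled  = $wshDisabled
        HvciConfigured      = ($null -ne $cfg) -and ($cfg.Enabled -eq 1)
        HvciRunning         = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 2)
        VbsRunning          = ($null -ne $dg) -and ($dg.VirtualizationBasedSecurityStatus -eq 2)
        AvailableProperties = $(if ($dg) { $dg.AvailableSecurityProperties -join ',' } else { 'n/a' })
    }
}

function Disable-WindowsScriptHost {
    # Double-clicking a .vbs/.js file then fails with an "access disabled" dialog
    if (-not (Test-Path $WshKey)) { New-Item -Path $WshKey -Force | Out-Null }
    Set-ItemProperty -Path $WshKey -Name Enabled -Value 0 -Type DWord
}

function Enable-MemoryIntegrity {
    # Takes effect after a reboot; re-run Get-ScriptHostAndHvciState afterwards to confirm HvciRunning
    if (-not (Test-Path $HvciKey)) { New-Item -Path $HvciKey -Force | Out-Null }
    Set-ItemProperty -Path $HvciKey -Name Enabled -Value 1 -Type DWord
}

Get-ScriptHostAndHvciState | Format-List
```

Run the check again after rebooting with memory integrity configured: `HvciConfigured` true with `HvciRunning` false means the hypervisor-based services did not start, and `AvailableProperties` is the first place to look for why.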
Don't visit sketchy sites.
Firefox + uMatrix to block all JS by default, and judiciously enable domains until things work to my satisfaction, or go elsewhere. Maybe open it in Chrome + uBlockOrigin if I think the hipsters who run the website don't know how to make a website.
Don't click ads. (hardly any remain by this point)
Stay behind a router.
Don't run/install every little piece of software that you come across.
Look for and verify hashes of downloads.
Examine CPU/RAM usage, startup processes, and services regularly.
Use a password manager. (KeePassXC)
Use a good backup software with write only snapshots (not mirrors).
Apply updates quickly. Don’t disable any built in protections and don’t add any third party ones.
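"Look for and verify hashes of downloads" is the step people skip because comparing 64 hex characters by eye is error-prone. The script below is an added example, not from the thread: it compares a download's SHA-256 against either a digest pasted from the project page or a `.sha256` file in the usual `<hash>  <filename>` format, and separately checks the Authenticode signature, which a compromised mirror cannot forge the way it can regenerate a checksum file. The file names and the `Downloads` paths are placeholders.

```powershell
# Added example, not from the thread. Verifies a downloaded file's published
# digest and its Authenticode signature. Paths and names are placeholders.
function Test-DownloadHash {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$Expected,   # hex digest, or path to a .sha256 file
        [ValidateSet('SHA256', 'SHA512')] [string]$Algorithm = 'SHA256'
    )
    if (Test-Path -LiteralPath $Expected) {
        # Checksum file in sha256sum format ("<hex>  <name>"): take the line naming this
        # file if there is one, otherwise the first line.
        $leaf  = Split-Path -Leaf $Path
        $lines = @(Get-Content -LiteralPath $Expected)
        $line  = @($lines | Where-Object { $_ -match [regex]::Escape($leaf) })[0]
        if (-not $line) { $line = $lines[0] }
        $Expected = ($line.Trim() -split '\s+')[0]
    }
    $Expected = $Expected.Trim().ToLowerInvariant()
    $hexLen = if ($Algorithm -eq 'SHA256') { 64 } else { 128 }
    if ($Expected -notmatch "^[0-9a-f]{$hexLen}$") { throw "'$Expected' is not a $Algorithm hex digest" }

    # Get-FileHash streams the file, so this is fine for multi-GB ISOs
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash.ToLowerInvariant()
    [pscustomobject]@{
        Path      = $Path
        Algorithm = $Algorithm
        Match     = ($actual -eq $Expected)
        Actual    = $actual
        Expected  = $Expected
    }
}

function Test-DownloadSignature {
    param([Parameter(Mandatory)] [string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the chain verifies to a trusted root and the embedded hash matches the
    # file. 'NotSigned' is common for open-source installers: fall back to the digest
    # check rather than treating it as tampering. 'HashMismatch' means the file was changed
    # after signing and should not be run.
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status
        Signer = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null })
    }
}

# Usage with constructed names; replace with the real download and its published digest
$file = "$env:USERPROFILE\Downloads\tool-1.2.3.msi"
$hash = Test-DownloadHash -Path $file -Expected "$file.sha256"
$sign = Test-DownloadSignature -Path $file
if (-not $hash.Match) { Write-Warning "Digest mismatch for $file; do not run it" }
$hash, $sign | Format-List
```

A digest published on the same server as the download only proves the file arrived intact; it says nothing if that server itself was replaced. A valid signature from the expected publisher, or a digest taken from a second channel such as the project's release announcement, is what actually ties the file to its author.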
- Leave Windows Defender alone (no hassle anymore)
- Set UAC to lowest level (Too annoying to leave on high)
- Use Firefox and always update
- Use uMatrix and uBlock Origin
- Use Bitlocker and Truecrypt/Veracrypt for especially sensitive stuff
- Use Keepass for passwords
- Never run any file you don't know what it is outside of a VM
I think it's just better to leave it in default position.
Firefox already has tracking blocking and I've done tests to check: Firefox is way faster and stable without any extensions. Ublock Origin removes ad page blocks, but actually adds more resources to the program + slows page loads. Just try to turn it off and recheck.
Available at https://www.oo-software.com/en/shutup10 or via Scoop or Chocolatey.
2) ublock origin + privacy badger
3) Using brain before I click on stuff
4) keepass for logins and veracrypt for private stuff
Despite the fear-mongering, a lot of it comes down to common sense; don't click on links in dodgy emails, use adblockers for torrent sites etc. Most people get trapped by fairly basic stuff that more experienced computer / Windows users sidestep effortlessly, IMO and IME.
This also eliminates the hazard of Windows being unavailable for work due to the slow and uncontrollable update process; Just hop back to the last working snapshot. Update later.
Edit: To downvoters: Please note that this is a factual and sincere answer to the question “how do you secure your Windows PC?”. This is literally how I do that.
In the comment, my opinion is clearly framed as my opinion, and the rest is a description of a technical workflow, its premise, and its implications. Therefore this is a better candidate for discussion than for downvoting if you disagree. In my opinion. I’m not attached to the fate of my comment, but I prefer the society we are building here to work that way. And that is, I believe, the premise.
Having used Windows for over 20 years and never gotten bit by any malware, I think the quality of Windows security has always been a bit overrated. Being the biggest target for malware has its advantages I guess.
Looking at all the comments here - most people are saying that they don't do very much to secure Windows and that certainly mirrors my own experience.
why would anyone attempt to have a reasonable discussion with you when you lead with such a misinformed "opinion"
I base the opinion on decades of extensive Windows, Linux, and macOS use as well as software development on all platforms. I have a BSc in computer science. My humble and earnest opinion is that Windows is poorly designed. The thought model behind it appears to me as inconsistent, and this also manifests in how we use it. We can do better and deserve better.
If it is your opinion that this is misinformed, where would you recommend that people with opinions on Windows similar to mine could go and could inform themselves better?
Here’s another perspective: Is it more secure, less secure, or the same, if I run Windows in an enclosed VM and roll back any action which might have side effects I don’t want? I’d think that it was hard to argue anything other than it being more secure. And that reveals my point: In a better designed system it wouldn’t matter.
As far as where you could go to learn more, I think this book has much of the information you would be interested in, although I'm not entirely sure yet which specific elements of the operating system you're focused on. https://docs.microsoft.com/en-us/sysinternals/learn/windows-...
> if I run Windows in an enclosed VM and roll back any action which might have side effects I don’t want
I see this as a separate argument for using VMs. The stated use applies to any operating system and I agree it's more secure and a good idea. Can you do the equivalent in other operating systems with a simpler procedure? This is a genuine question, I'm ignorant of that