Ask HN: How do you secure your Windows PC?
76 points by randomchars on April 19, 2019 | hide | past | favorite | 71 comments
Like the similar thread about Mac[1], how do you secure your Windows PC?

[1]: https://news.ycombinator.com/item?id=19681270

Leave the Defender/Firewall untouched, don't install any additional "security" software and increase the UAC level to the highest one [0] that even prompts for changing important Windows settings.

Obtain all 3rd party tools from the Microsoft Store or scoop [1] or chocolatey [2] (in that order) and not by downloading `foo.msi` from the first search result. This way you can update all your apps in a single step and don't have to rely on built-in updaters.

[0] https://docs.microsoft.com/en-us/windows/security/identity-p...

[1] https://scoop.sh/ (enable its additional repositories for GUI tools or all possible JDK flavors: https://github.com/lukesampson/scoop/wiki/Buckets)

[2] https://chocolatey.org/

Windows has some additional Local Group Policy rules that are pretty killer in newer versions

  1. Attack Surface Reduction Rules - Blocks some commonly seen dodgy techniques
  2. Credential Guard - Moves LSASS to an isolated VM (breaks VMware etc. though, see 5 if this is a dealbreaker)
  3. Application Guard (Enterprise Mode) - Transparently virtualises and isolates Microsoft Edge (same caveat as above)
  4. Microsoft Defender MAPS and Block at First Site
  5. Run LSASS as a protected process
  6. Process creation auditing with commandline
  7. Powershell script block logging
Most of this is baked into a Windows image I run, but maybe I'm a bit paranoid ;)

[1] https://docs.microsoft.com/en-us/windows/security/threat-pro...

[2] https://docs.microsoft.com/en-us/windows/security/identity-p...

[3] https://docs.microsoft.com/en-us/windows/security/threat-pro...

[4] https://docs.microsoft.com/en-us/windows/security/threat-pro...

[5] https://docs.microsoft.com/en-us/windows-server/security/cre...

[6] https://docs.microsoft.com/en-us/windows-server/identity/ad-...

[7] https://www.fireeye.com/blog/threat-research/2016/02/greater...
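A read-only audit of the seven Group Policy items listed in the comment above, as an added example that is not the commenter's own code. It assumes an elevated Windows PowerShell 5.1 session on Windows 10 Pro/Enterprise and an English locale (the auditpol check matches the tool's text output); the registry values and cmdlet properties it reads are the documented ones for each setting.

```powershell
# Added example (not the commenter's code): audits the seven Group Policy
# hardening items from the comment above and prints one row per item.
# Read-only; assumes an elevated Windows PowerShell 5.1 session, Windows 10
# Pro/Enterprise and an English locale for the auditpol text match.

function Get-RegValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent, i.e. the policy is not set.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function New-CheckResult([string]$Check, [bool]$Ok, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

function Test-GroupPolicyHardening {
    $checks = @()
    $mp = Get-MpPreference

    # 1. Attack Surface Reduction: Defender stores parallel arrays of rule GUIDs
    #    and actions (0 = Off, 1 = Block, 2 = Audit, 6 = Warn).
    $ids     = @($mp.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($mp.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
    $blocking = 0
    for ($i = 0; $i -lt $ids.Count; $i++) { if ($actions[$i] -eq 1) { $blocking++ } }
    $checks += New-CheckResult 'ASR rules in Block mode' ($blocking -gt 0) `
        "$blocking of $($ids.Count) configured rules block"

    # 2. Credential Guard: Win32_DeviceGuard lists the running VBS services
    #    (1 = Credential Guard, 2 = HVCI / memory integrity).
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard
    $running = @($dg.SecurityServicesRunning)
    $checks += New-CheckResult 'Credential Guard running' ($running -contains 1) `
        "SecurityServicesRunning = $($running -join ',')"

    # 3. Application Guard ships as an optional Windows feature.
    $wdag = Get-WindowsOptionalFeature -Online `
        -FeatureName Windows-Defender-ApplicationGuard -ErrorAction SilentlyContinue
    $checks += New-CheckResult 'Application Guard enabled' `
        ($null -ne $wdag -and $wdag.State -eq 'Enabled') "State = $($wdag.State)"

    # 4. MAPS cloud protection (0 = off, 1 = basic, 2 = advanced) and Block at
    #    First Sight, which is on unless explicitly disabled.
    $checks += New-CheckResult 'MAPS reporting' ($mp.MAPSReporting -ge 1) `
        "MAPSReporting = $($mp.MAPSReporting)"
    $checks += New-CheckResult 'Block at First Sight' (-not $mp.DisableBlockAtFirstSeen) `
        "DisableBlockAtFirstSeen = $($mp.DisableBlockAtFirstSeen)"

    # 5. LSASS as a protected process (RunAsPPL = 1).
    $ppl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
    $checks += New-CheckResult 'LSASS RunAsPPL' ($ppl -eq 1) "RunAsPPL = $ppl"

    # 6. Process creation auditing (event 4688) with the command line included.
    $auditOn = [bool]((auditpol /get /subcategory:"Process Creation") -match 'Success')
    $cmd = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
        'ProcessCreationIncludeCmdLine_Enabled'
    $checks += New-CheckResult 'Process creation audit with cmdline' `
        ($auditOn -and $cmd -eq 1) "auditpol Success = $auditOn, IncludeCmdLine = $cmd"

    # 7. PowerShell script block logging (event 4104).
    $sbl = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
        'EnableScriptBlockLogging'
    $checks += New-CheckResult 'PowerShell script block logging' ($sbl -eq 1) `
        "EnableScriptBlockLogging = $sbl"

    $checks
}

Test-GroupPolicyHardening | Format-Table -AutoSize
```

A row with Ok = False tells you which item is not enforced on this machine; the script changes nothing.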

Not that I've used it yet, but there's also the "Hardening Windows 10 Workstations" guide from the ACSC (it might be a bit overkill though)

[1] https://www.cyber.gov.au/sites/default/files/2019-03/hardeni...

Curious, do you run any other OS?

MacOS for my primary laptop, Windows for my training/travel laptop, *nix in various other places

It's interesting - and good - to see that so many others also like Defender/Firewall.

I stopped using 3rd party products a good few years ago and haven't looked back.

I've seen certain "enterprise" solutions absolutely cripple the performance of Windows PCs, and I'm not sold on that they do a better job either.

Does chocolatey verify all packages now? It seemed very sketchy when anyone could package anyone else's software.

Install updates when asked. Delaying updates is perhaps the worst thing for security.

Scan files you download, submit them to virustotal if unsure.

Sync data (e.g. [0] or whatever drive/dropbox/nextcloud) and keep snapshots [1]. Only way to ensure you don't lose anything.

Lying DNS server can also help for privacy and security, as well as a sinkhole for known-bad IPs [2,3,4] (should be deployed network-wide though) (I could use some help to test if my scripts run on WSL, as they're mostly POSIX).

[0] https://syncthing.net

[1] https://try.popho.be/securing-home.html

[2] https://pi-hole.net

[3] https://try.popho.be/byeads.html

[4] https://gitlab.com/moviuro/moviuro.bin/blob/master/lie-to-me

I've been using Windows boxes as my primary work / personal machine for over 20 years and I've only gotten a handful of viruses or malware and in the times I got them, I was going to very questionable sites back in the day.

I disable Windows defender and all built in firewalls (my router has a firewall). I also don't run any anti-virus software. This is something I've done from the beginning.

But I do run uBlock Origin in any browser I use.

I also make sure to Win key + L (lock) my machine when I leave it unattended.

From time to time I check the startup tab in task manager to make sure nothing looks suspicious and occasionally look at things like CPU / memory usage to look for anything out of place.

So far it's been working out great. My current computer runs just as fast as it did 5 years ago when I built it and I haven't had to format a machine due to a virus in over a decade.

I find most things like Windows defender and A / V tools to be more destructive than most malicious software. Often times these tools will crush I/O performance and make things run slower 100% of the time in the off chance you get a virus. I'd rather have things run super fast all of the time and take my chances. If I get even a hint of my machine being compromised I would format anyways.

" I've only gotten a handful of viruses or malware "

This is a variation of the bad toupee fallacy. You won't notice viruses and malware, almost by definition.

Most viruses back in the day just slammed you with a billion popups and added suspicious files to certain areas of your file system. You could easily see if you were infected or not.

Also, in the past, I've on occasion scanned my machine using malware bytes and other tools and they always came up clean.

Of course that doesn't mean I'm in the clear but if an A / V tool doesn't detect it, then what point is there to run that A / V tool? Truthfully, it's really really easy to write a malicious tool and not have it be detected by any type of software. That's why you should be careful with downloading and running unknown software (which I am very careful of).

If a virus or malware has no noticeable effect - does nothing that affects me - is it still a virus or malware?

So quietly exfiltrating your personal data is OK then?

If it has no noticeable effect - my life is completely identical - it's hard for me to see it as something negative. If something has absolutely zero effect on my life whatsoever - not even a single advert on my screen - calling it a virus or malware seems unwarranted.

I suppose if my personal data was somehow used to damage someone else, that would warrant calling it malware.

Your stolen personal data could be used to empty your bank account or to commit a crime in your name which could cause permanent damage to your reputation, even if you were exonerated.

That sounds like something I would notice, and is thus outside the scope of this discussion.

I leave the firewall and Windows Defender etc on constantly, I haven't experienced any of the issues with speed/IO etc you seem to have.

How old is your machine? On a modern computer with a decent processor, a decent amount of RAM and an SSD you really shouldn't notice Windows Defender. Maybe you have more viruses than you think?

> How old is your machine? On a modern computer with a decent processor, a decent amount of RAM and an SSD you really shouldn't notice Windows Defender. Maybe you have more viruses than you think?

It's an i5 3.2 GHz quad core with 16GB of RAM and an SSD. Windows defender cripples WSL performance. It's a known issue.

Right now most things open nearly instantly and I have no complaints with performance, even when doing very demanding tasks like running a few virtual machines while running test suites and simultaneously recording 1080p video while having 15 tmux sessions running in the background, etc..

> Windows defender cripples WSL performance. It's a known issue.

Hmph. I have a similar setup at home. I haven't noticed anything odd about WSL, but I just use it for development (editing and compiling), but not any heavy-duty processing.

My main set up is to run Docker for Windows, connect to it through WSL and volume mount code from a drive into Docker to do active development (Rails, Flask, Phoenix apps mostly).

While I never ran Windows defender personally, a bunch of my students (I run a Docker course) who had Windows defender enabled said volume performance was disappointing on Windows. After they disabled defender, things were really good. If you Google around there's a lot of people who mention that. Improvements are being made, but I still don't want a tool actively scanning files while I'm trying to use my machine.

Interesting, I use WSL as well, when I get a chance I'll turn it off and see if WSL speeds up!

I'm with you. The overhead of AV scanning is something you have to put up with 100% of the time for the off chance that you get infected with something, and they aren't very reliable detectors of malware anyway. It's much better to turn that crap off and use other, more effective, mitigation strategies.

For the most part default Windows 10 is fairly hard to break into if updated. Leave everything on and don't open new holes in it and it's probably fine. I went to a demonstration on hacking into machines with Kali Linux and Metasploit and my Surface was on the Wi-Fi. I told him to go right ahead and let me know what he could do.

He admitted defeat quickly. ;)

For the most part, problems with computers are ones we create ourselves by shutting off security protections or adding services that open up holes in the security of a system. Sometimes it's necessary of course, but you need to understand the risks you take when you do and mitigate them.

- Don't disable Secure Boot, Windows Defender and Windows Firewall

- If you really think updates are annoying shift the monthly updates by one month BUT always confirm the security updates

- If you have a PRO license give a try to VBS [0] and Controlled Folder access [1] (spoiler: this will be a little annoying at the beginning but will become almost perfect with a well configured whitelist)

- Also from the next (major) patch you should use Windows Sandbox [2] to run untrusted software (still a PRO feature)

[0] https://www.microsoft.com/security/blog/2018/06/05/virtualiz...

[1] https://docs.microsoft.com/en-us/windows/security/threat-pro...

[2] https://techcommunity.microsoft.com/t5/Windows-Kernel-Intern...

Leave Windows Defender/Firewall on as default and stay away from dodgy sites. Simple as that really.


I only use Windows in a VM now, but for years I ran Windows with no AV outside of whatever Windows set up on its own. I only got two viruses in my life, and both times I was asking for it (downloading sketchy looking things off of Kazaa when that was a thing).

Sounds simple, and it actually is, and this served me well for the past 20 years or so. I think. Did take me some 'practice' though, i.e. got bitten once only then knew better than to trust random executables. (Now if I really want that I just fire up a VM.) And back then there wasn't even Defender and now I still turn it off usually, sometimes it wrecks performance. On the other hand: for all I know my machines are all infected...

Eset has a nice online scanner (and the best 3rd party AV IMHO): https://www.eset.com/us/home/online-scanner/

Vipre has a nice offline scanner you can download. They used to update it daily, but I haven't used it in awhile since I mostly manage Linux now. https://www.vipreantivirus.com/vipre-rescue-virus-removal-to...

Yep, same. Sometimes I’ll spin up a VM if I’m visiting a site that I’m suspect of or installing something random (even if it’s open source because I didn’t build these binaries and I haven’t audited the code), but as I used to say when I was doing desktop support “you don’t get malware by visiting CNN”.

>"you don't get malware by visiting CNN"

Sometimes you do: https://www.symantec.com/connect/blogs/malvertising-campaign...

Run an adblocker and up to date Windows 10.

For anyone doing tech support over the Easter long weekend: https://decentsecurity.com/#/holiday-tasks/

> “you don’t get malware by visiting CNN”

I have to barge in here and mention that doing totally reasonable things can result in getting malware installed on your systems.

The most glaring case was the early Windows XP era, when it was enough to plug in the Ethernet cable during installation to get malware. I had to download the service pack and install it offline before plugging in the network.

Today, I'd point out that ad networks' code is barely scrutinized, and they can hit unpatched vulnerabilities all right (sorry for not providing examples).

Be fair to yourself, they're intentionally not easy to track names of, etc.

That's why it's so important to discuss & combat conceptually, not specifically.

Windows 10 is getting a new Sandbox feature so soon you’ll be able to use that instead

What exactly is meant here by secure? Windows in its default state contains spyware that you cannot disable or remove, or at the very least you cannot expect laymen to do. It is essentially covered in their terms of service and privacy statement. Then there is Intel ME, AMD PSP, etc.

Short answer is that you simply do not secure your Windows PC. You may eliminate some of the spyware, but it does not make it secure. Can you make anything fully secure? Perhaps only secure enough, but then you need to specify what is meant by enough.

In any case, for Windows 10: https://github.com/Nummer/Destroy-Windows-10-Spying

Note: it may break your system as some services are deeply embedded into it, and may require them to remain intact to function properly.

I'd be careful running any tools to clean up Windows 10. While I haven't used this one before, I've used others that do basically the same thing. The telemetry features are so baked in to Windows 10 that running these tools can break Windows if you're not careful. And since every major update of Windows 10 changes so much with no regard to user preferences, even if your clean-up works today, it might break in the future.

I try to avoid Windows 10 whenever possible.

> running these tools can break Windows if you're not careful

I think this definitely needs to be taken into consideration when running these sort of tools, I agree.

> I try to avoid Windows 10 whenever possible.

Good advice. I second it.

Abandoned project due to malware suspicions and other drama. Possibly a fork somewhere. But as you say why break your OS when you can switch over to something else?

I keep the silly Windows in a virtual machine or a few.

Also standard hygiene applies such as opening files and attaching unknown media in a burner VM, not mixing banking, documents and entertainment, disabling autoplay and media icons if the previous options are inapplicable.

Staying away from dodgy sites helps too.

I generally do not have to keep the firewall or defender active as the routing (or lack thereof) is more effective.

Also skip the automatic that pins everyone, such as remote device detection.

Being facetious but I gave up on Windows on my computers just over a decade ago due to this very reason. I was sick of constantly needing to upgrade every 2-4 years and having serious security issues. I went full Linux and I don't consider myself a free software zealot.

I found this[1] a while back and have followed it on my Windows PC. I don't go so far as to install GlassWire, but the other suggestions it makes are reasonable for me.

On the anecdotal side - keeping software up to date and being highly suspicious of all software seems to have kept me safe from issues for over a decade.

[1] https://decentsecurity.com/#/securing-your-computer/

I mostly stick to open source or well known commercial software, run Windows Defender, and I run uBlock Origin. I'm of the opinion the biggest risk of malware comes from rogue ads.

I've only been hit with malware twice in the 25 years I've been using Windows. Once was me running a sketchy exe from a torrent site (that's on me) and once when I wasn't running an ad blocker.

I too believe that for most people Windows 10 out-of-the-box is more secure than most Linux distros. Sure you can lock-down an Arch build but it's difficult (even for the technically inclined), time-consuming and needs constant monitoring and sometimes manual updating/reconfiguration.

For Windows I do all of the things shared below (plus a few other tweaks), which are good enough for a medium security risk level. The combination of all of them represents a significant barrier to non-state actors:

- Upgrade to Windows Pro
- Change computer name to something nondescript
- Use a local login account (no email address)
- Create a separate Admin and Standard account
- Install favourite Anti-Virus and Firewall
- Enable Exploit Protection (CFG, DEP, Mandatory ASLR, Bottom-up ASLR, High-entropy ASLR, SEHOP and Heap Integrity)
- Enable Windows Defender Application Guard and Core isolation memory integrity
- Install preferred VPN
- Install trusted password manager
- Crank UAC to the highest setting
- Use an encrypted Virtual Drive for files
- Disable AutoPlay for all devices
- Activate all privacy toggles in Windows Settings
- Reduce telemetry to the minimum allowed
- Ensure cloud clipboard is disabled (!)
- Defer feature updates but allow quality (security) updates
- Receive updates directly from Microsoft and not third-parties
- Run PowerShell script to remove any pre-installed, non-Microsoft, junkware
- Enable BitLocker with triple factor authentication (TPM + Enhanced PIN + USB)
- Activate BitLocker 256-bit encryption in XTS-AES mode
- Disable BitLocker recovery key
- Require Secure Boot and Additional Authentication at Startup
- Enable device lockout after X number of invalid login attempts
- Disable NTLM and SMB
- Disable debugging logs
- Disable Sleep Mode
- Disable Hide extensions for known file types
- Enable Show hidden files, folders and drives
- Harden web browser by disabling all unnecessary features
- Install content blockers into web browser
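A read-only audit of the checkable items from the list above (UAC, Exploit Protection, memory integrity, AutoPlay, Explorer extensions, SMBv1/NTLM and the BitLocker protector setup), which also covers the "UAC at the highest level" advice in the first comment of the thread. Added example, not the commenter's code; it assumes an elevated Windows PowerShell 5.1 session on Windows 10 Pro 1709 or later (for Get-ProcessMitigation and Get-BitLockerVolume), and the Exploit Protection property names follow the groups that Get-ProcessMitigation prints.

```powershell
# Added example (not the commenter's code): read-only audit of hardening items
# from the list above plus the "UAC at the highest level" advice from the first
# comment. Assumes an elevated Windows PowerShell 5.1 session on Windows 10 Pro
# 1709 or later; Exploit Protection property names follow Get-ProcessMitigation
# output groups.

function Get-RegValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent, i.e. the setting is not configured.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function New-CheckResult([string]$Check, [bool]$Ok, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

function Test-WorkstationBaseline {
    $checks = @()

    # UAC "Always notify": prompt for every elevation, on the secure desktop.
    $pol  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $cpba = Get-RegValue $pol 'ConsentPromptBehaviorAdmin'   # 2 = always notify
    $sd   = Get-RegValue $pol 'PromptOnSecureDesktop'        # 1 = secure desktop
    $checks += New-CheckResult 'UAC at highest level' ($cpba -eq 2 -and $sd -eq 1) `
        "ConsentPromptBehaviorAdmin = $cpba, PromptOnSecureDesktop = $sd"

    # Exploit Protection system defaults. Each value is ON, OFF or NOTSET;
    # NOTSET means the OS default applies, so only ON counts as enforced here.
    $m = Get-ProcessMitigation -System
    $ep = [ordered]@{
        'CFG'               = $m.Cfg.Enable
        'DEP'               = $m.Dep.Enable
        'Mandatory ASLR'    = $m.Aslr.ForceRelocateImages
        'Bottom-up ASLR'    = $m.Aslr.BottomUp
        'High-entropy ASLR' = $m.Aslr.HighEntropy
        'SEHOP'             = $m.SEHOP.Enable
        'Heap integrity'    = $m.Heap.TerminateOnError
    }
    foreach ($name in $ep.Keys) {
        $checks += New-CheckResult "Exploit Protection: $name" ("$($ep[$name])" -eq 'ON') "$($ep[$name])"
    }

    # Core isolation memory integrity is HVCI, service id 2 in Win32_DeviceGuard.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $svc = @($dg.SecurityServicesRunning)
    $checks += New-CheckResult 'Memory integrity (HVCI) running' ($svc -contains 2) "Running = $($svc -join ',')"

    # AutoPlay off for every drive type (bitmask 0xFF).
    $ap = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
    $checks += New-CheckResult 'AutoPlay disabled for all drives' ($ap -eq 255) "NoDriveTypeAutoRun = $ap"

    # Explorer for the current user: show extensions (HideFileExt = 0) and hidden
    # files (Hidden = 1), so a double extension such as .pdf.exe stays visible.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $hfe = Get-RegValue $adv 'HideFileExt'; $hid = Get-RegValue $adv 'Hidden'
    $checks += New-CheckResult 'Extensions and hidden files shown' ($hfe -eq 0 -and $hid -eq 1) `
        "HideFileExt = $hfe, Hidden = $hid"

    # SMBv1 server off; for NTLM the closest knob is LmCompatibilityLevel 5,
    # which sends NTLMv2 only and refuses LM and NTLMv1.
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $lm   = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
    $checks += New-CheckResult 'SMBv1 disabled' (-not $smb1) "EnableSMB1Protocol = $smb1"
    $checks += New-CheckResult 'NTLMv2 only' ($lm -eq 5) "LmCompatibilityLevel = $lm"

    # BitLocker on the system drive: XTS-AES 256, TPM + PIN + startup key as the
    # protector, and no recovery password stored on the volume (which also means
    # a failed TPM or lost USB key leaves no way back in, so back up elsewhere).
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($bl.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $checks += New-CheckResult 'BitLocker XTS-AES 256 on' `
        ($bl.ProtectionStatus -eq 'On' -and "$($bl.EncryptionMethod)" -eq 'XtsAes256') `
        "Status = $($bl.ProtectionStatus), Method = $($bl.EncryptionMethod)"
    $checks += New-CheckResult 'TPM + PIN + USB protector' ($types -contains 'TpmPinStartupKey') ($types -join ',')
    $checks += New-CheckResult 'No recovery password protector' (-not ($types -contains 'RecoveryPassword')) ($types -join ',')

    $checks
}

Test-WorkstationBaseline | Format-Table -AutoSize
```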

> I too believe that for most people Windows 10 out-of-the-box is more secure than most Linux distros.

At the risk of being off-topic: Even if that were true (which I doubt but it has been better-debated elsewhere) ... 1) that list would be much-changing over time, and 2) it seems like Debian (or Devuan) stays on top of things reasonably well, especially if you add a firewall (I've liked the "arno-iptables-firewall" one though it doesn't seem to auto-start any more except on Devuan).

Also, the length and changeability of that list illustrate why I use OpenBSD: it is more secure by default (as a key goal), and then when you make changes to the default config you can consider the security implications of each change. They put a lot of attention into auditing and making good design choices.

Having said all that, many people simply won't like the feel of bsd or linux, and prefer a more commercial experience (for lack of a better term). (Edit: more of my thoughts on that, hopefully lightweight and skimmable, at http://lukecall.net/e-9223372036854587380.html )

But thanks for posting that list, as it could help someone.

Edit: I also posted here some things I do on any system, for safer browsing: https://yro.slashdot.org/comments.pl?sid=13803908&cid=584646... (part of: https://yro.slashdot.org/story/19/04/19/2345227/incognito-mo... ).

Simple. I assume that my PC is compromised and do not do any financial transactions on it. Still run dubious software in a VM but have a separate cheap netbook for banking/online purchases.

Full-disk encryption. https://www.howtogeek.com/234826/how-to-enable-full-disk-enc...

Nothing more than speculation but...I suspect if you aren't using an open source OS, it's possible the NSA has a backdoor into the machine. The lack of open source is partly why the EternalBlue exploit existed across decades of windows releases.

I use this to monitor network activity https://www.glasswire.com/

In addition to leaving Defender alone, I also recommend people install the free version of MalwareBytes and turn on Bitlocker.

I’d recommend the paid version of Malware Bytes

I was really disappointed with MalwareBytes. It seemed great, so I paid for it, and every other week it would de-activate itself without warning. I would only notice this when explicitly checking the control panel, to find it had been turned off, and I needed to re-enter the license key.

Maybe they've improved it? I should give it another shot!

I use the paid version personally, but not many people are willing to spend the $70 on it.

Most things already mentioned in the comments here, plus:

- Disabling Windows Script Host

- Enabling 'Memory integrity' feature under Core Isolation. This however uses Hyper-V so it is enabled on my laptop but not on my workstation as Hyper-V only supports enhanced sessions with Ubuntu.

Keep Windows Defender + Firewall on.

Don't visit sketchy sites.

Firefox + uMatrix to block all JS by default, and judiciously enable domains until things work to my satisfaction, or go elsewhere. Maybe open it in Chrome + uBlockOrigin if I think the hipsters who run the website don't know how to make a website.


Don't click ads. (hardly any remain by this point)

Stay behind a router.

Don't run/install every little piece of software that you come across.

Install updates.

Look for and verify hashes of downloads.[0]

Examine CPU/RAM usage, startup processes, and services regularly.

Use a password manager. (KeePassXC)

[0] http://implbits.com/products/hashtab/

This depends entirely on what you are protecting against. Being hacked (someone stealing data for example) or data loss, such as getting a ransom Trojan? I worry only about the latter. I don’t have secrets on my machine that I would be upset if someone got hold of. That makes protection easier.

Use a good backup software with write only snapshots (not mirrors).

Apply updates quickly. Don’t disable any built in protections and don’t add any third party ones.

Have a separate admin account. Use a Pi Hole.

- Update Windows and associated programs always

- Leave Windows Defender alone (no hassle anymore)

- Set UAC to lowest level (Too annoying to leave on high)

- Use Firefox and always update

- Use Umatrix and Ublock Origin

- Use Bitlocker and Truecrypt/Veracrypt for especially sensitive stuff

- Use Keepass for passwords

- Never run any file you don't know what is outside of a VM

> Set UAC to lowest level (Too annoying to leave on high)

I think it's just better to leave it in default position.

> Use Umatrix and Ublock Origin

Firefox already has tracking blocking and I've done tests to check: Firefox is way faster and stable without any extensions. Ublock Origin removes ad page blocks, but actually adds more resources to the program + slows page loads. Just try to turn it off and recheck.

I use ShutUp10 to apply a lot of privacy and security settings to at least get a handle on things.

Available at https://www.oo-software.com/en/shutup10 or via Scoop or Chocolatey.

1) windows defender

2) ublock origin + privacy badger

3) using brain before i click on stuff

4) keepass for logins and veracrypt for private stuff

I do the same, plus a (heavily) modified hosts file and simplewall (https://github.com/henrypp/simplewall).

This is exactly my list (except with different software for 4)). Have been running Windows since Win3.1, and haven't 'caught' anything bad yet; worst was adware that somehow escaped detection inside installer for an old version of Delphi.

Despite the fear-mongering, a lot of it comes down to common sense; don't click on links in dodgy emails, use adblockers for torrent sites etc. Most people get trapped by fairly basic stuff that more experienced computer / Windows users sidestep effortlessly, IMO and IME.

Which threat are we defending against, here?

Not sure about efficacy, but using a DNS sink like PiHole or pfblockerng gives me some piece of mind.

Secure? As long as nobody knows my password is h*2 I'm good.

My educated guess is that Windows will never be secure, because as I see it, it is an un-designed un-principled heap of low-quality software. Therefore I keep Windows enclosed and strictly locked down in a virtual machine. If I need to do anything I feel is dubious I branch to a new timeline in a snapshot and roll back when I’m done.

This also eliminates the hazard of Windows being unavailable for work due to the slow and uncontrollable update process: just hop back to the last working snapshot. Update later.

Edit: To downvoters: Please note that this is a factual and sincere answer to the question “how do you secure your Windows PC?”. This is literally how I do that.

In the comment, my opinion is clearly framed as my opinion, and the rest is a description of a technical workflow, its premise, and its implications. Therefore this is a better candidate for discussion than for downvoting if you disagree. In my opinion. I’m not attached to the fate of my comment, but I prefer the society we are building here to work that way. And that is, I believe, the premise.

I think this is an outdated view of things. AFAIK, Windows is commonly regarded as more secure than Linux out of the box.

Having used Windows for over 20 years and never gotten bit by any malware, I think the quality of Windows security has always been a bit overrated. Being the biggest target for malware has its advantages I guess.

I'd love to see a source for windows being more secure? An out-of-the box install of windows is generally years out of date, Linux installs are usually only 6 months old.

I said it's commonly regarded as being more secure. The source would be the comments on just about every thread anywhere it comes up.

Looking at all the comments here - most people are saying that they don't do very much to secure Windows and that certainly mirrors my own experience.

I personally haven’t got the feeling that Windows is now considered more secure than Linux. I see a consensus that Windows is more secure than it was, but my perspective is that the design foundations are the same as before, and that they are hard to reason about and that the interactions are complex, so I personally will not be placing faith in Windows being as secure, as securable, and as known to be securable as an OS could be.

> I see it, it is an un-designed un-principled heap of low-quality software

why would anyone attempt to have a reasonable discussion with you when you lead with such a misinformed "opinion"?

It is an opinion. The quotes are unnecessary.

I base the opinion on decades of extensive Windows, Linux, and macOS use as well as software development on all platforms. I have a BSc in computer science. My humble and earnest opinion is that Windows is poorly designed. The thought model behind it appears to me as inconsistent, and this also manifests in how we use it. We can do better and deserve better.

If it is your opinion that this is misinformed, where would you recommend that people with opinions on Windows similar to mine could go and could inform themselves better?

Here’s another perspective: Is it more secure, less secure, or the same, if I run Windows in an enclosed VM and roll back any action which might have side effects I don’t want? I’d think that it was hard to argue anything other than it being more secure. And that reveals my point: In a better designed system it wouldn’t matter.

Can you describe to me which elements of the thought model you find are inconsistent?

As far as where you could go to learn more, I think this book has much of the information you would be interested in, although I'm not entirely sure yet which specific elements of the operating system you're focused on. https://docs.microsoft.com/en-us/sysinternals/learn/windows-...

> if I run Windows in an enclosed VM and roll back any action which might have side effects I don’t want

I see this as a separate argument for using VMs. The stated use applies to any operating system and I agree it's more secure and a good idea. Can you do the equivalent in other operating systems with a simpler procedure? This is a genuine question, I'm ignorant to that.
