Ask HN: Current Best Practice for Securing Windows?

solardev · on Feb 24, 2024

Can you make them a standard (non admin) user account and then either keep the admin account to yourself (with remote desktop, probably) or at least call it something really clear like "this is dangerous" with a hard to type password, so they really have to think twice before using it?

It makes it harder for them to accidentally install rootkits and certain kinds of spyware and ransomware. It also makes it harder to install some software globally, but that's the point.

If you want to go a step further you can try to set it up in some kind of kiosk mode, but that's probably too restrictive for day to day use.

Of course you should explain why it's set up this way. Something like "In day to day use, your standard user account lets you run the programs you already have, create new documents, send emails, etc. All the day to day stuff is taken care of and should work the same as always have. And it protects from you bad software and people trying to hack your machine. In the rare cases you need to install some new program, you should double check to make sure it's safe and legit first, like Googling for its official source and calling me if you're not sure. Then if you're it's safe, you use this other special account I left on this post it under your desk. Use it sparingly and only when you absolutely need to!"

mikewarot · on Feb 24, 2024

Set up a backblaze backup, and check the default excludes carefully, or some important home movies and things might not be backed up.

It's saved my bacon more than once.

bruce511 · on Feb 24, 2024

Windows out the box is pretty secure. Make sure they are behind a NAT router and sll incoming connections are blocked.

AV is built in and works well.

Of course it's not Windows you should be worried about. It's about programs that they download and run, or come via email. That's best solved with education, and frankly applies to phones as well as desktop.

A healthy amount of fear when it comes to new software, or opening docs is no bad thing.

And please don't foister things like Libre Office on them. They are a poor solution to those used to Office. It sounds like you've tried that before :)

Only techies care about mundane things like license and freedoms etc. Regular people just want working software, that they are used to, which just works. These days that means Windows or Mac, or whatever they had before.

russfink · on Feb 24, 2024

Must it be windows? A senior family member has a Chromebook and it works well as their daily driver.

seusscat · on Feb 24, 2024

Unfortunately, yes. Despite (or maybe because) my best efforts to get them to use anything else, they're staunchly set on Windows.

I've already taken a massive hearing for trying to get them to use LibreOffice. Windows and MS Office is absolutely non negotiable.

ungreased0675 · on Feb 24, 2024

This is partially a joke, but maybe use a STIG hardened image?

seusscat · on Feb 24, 2024

Partly a joke, but with a grain of good advice. However, it doesn't really work. I live in a different country, and hence am not available for in-person troubleshooting when something goes wrong. I'm really looking for a set up and forget option.

Just something like, have Windows Defender set up, make these sensible changes and for the most part it'll be fine.

To be clear, I don't need to protect them from standard call center scams, egregious phishing attempts or so. They seem to be good enough at identifying those very obvious ones.

austin-cheney · on Feb 24, 2024

I was about to say the same thing. If users are elderly and not self sufficient remove their ability to run executables not in a trust list.

pestatije · on Feb 24, 2024

let windows auto update and backup user files to another drive regularly...that should be it