Basic security for Windows

Posted10 August 2016

Table of Contents

...Loading Table of Contents...

    Microsoft Windows is the world's most used consumer operating system, but also the most common target for malware. Read this guide to learn how to secure your Windows operating system.

    Required reading

    What you will get from this guide

    1. Introduction

    Microsoft Windows is the world's most used consumer operating system. If you are using Windows there is a chance you did not even choose it, but it was simply the system that was already installed when you bought your computer.

    Windows is considered a standard in many office environments, as is some other Microsoft software such as Microsoft Office. Some common and specialised software is only available for Windows.

    The popularity of Windows also makes it a target for malware. The majority of new malware targets vulnerabilities and insecure user practices on the Windows operating system.

    Windows is a closed-source operating system. This means that the source code of the system cannot be reviewed or verified by users or the security community. The security guarantees made by Microsoft can only be taken at face value as they cannot be independently audited.

    This guide provides some tips on how to secure your Windows operating system and it has been written on Windows 10. Most instructions also apply to Windows 7 or 8.1, however the exact appearance or titles may be slightly different. Where significant differences for earlier versions exist we have provided version-specific sections.

    1.0. Alternatives to Windows

    Many people may not even know that there are alternatives to Windows. There are two major alternative operating system choices. Mac is a line of computers manufactured exclusively by Apple and running their own operating system called Mac OS X. Then there is the UNIX-like family of operating systems, of which GNU/Linux is the most well-known. These are free and open source operating systems which can be distributed freely and with source code which can be independently audited or modified by anyone. There are many 'flavours' of GNU/Linux, some popular ones include Ubuntu, Debian, Fedora, and Mint. GNU/Linux can run on most computers which operate Microsoft Windows.

    Read our guides on Gnu/Linux Basic Security and Mac OS X Basic Security.

    2. Privacy-enhancing settings

    Windows communicates information from your computer back to Microsoft and other servers which can violate the privacy of the user. To limit (though not eliminate) these communications, there are some configuration options you can select. The process will be different if you are installing a new copy of Windows on a computer or if you are working on a computer with Windows already installed.

    2.1. How to select privacy-protecting options when installing Windows

    Step 1. While installing Windows you will be asked to accept Express Settings which contain the most invasive Microsoft-selected settings to send personal data to the company and its advertising partners.

    Figure 1: The Express Settings confirmation screen during Windows installation

    Instead of accepting Express Settings, click [Customise settings].

    Note: You may make your own decisions on each of the below options based on your own comfort level trading privacy and functionality. Below are our suggestions for the best privacy and security.

    Step 2. On the first Customise Settings screen, click on all options, they will turn to

    Figure 2: Windows installation Customise Settings page 1

    Step 3. Click to move to the next Customise Settings screen.

    Step 4. On the second Customise Settings screen leave Use SmartScreen online service to help protect against malicious content and downloads in sites loaded by Windows browsers and Store apps activated as it will enhance security. For the remaining options click to change them to .

    Figure 3: Windows installation Customise Settings page 2

    Step 5. Click and continue with Windows installation.

    2.1.1. How to select privacy-protecting options if Windows is already installed

    If you already have Windows installed, you can select privacy-protecting options through the following steps:

    Step 1. Select [Settings] through the main Windows menu bar, as illustrated below:

    Figure 1: Selecting Windows Settings

    Step 2. Click [Privacy] through your Settings screen.

    Figure 2: Selecting Windows Privacy Settings

    Through the following tabs, you can configure your settings to enhance your privacy.

    General tab

    Step 1. To limit the amount of data collected by third parties, click on all the buttons to turn them off.

    Figure 3: General privacy options

    Step 2. To limit personal ads on your browser, click the [Manage my Microsoft advertising and other personalization info] link under the privacy options. This will direct you to Microsoft's personalized ads webpage.

    Figure 4: Microsoft personalized ads webpage

    Step 3. Click the button under Personalized ads in this browser to turn it off.

    Step 4. Similarly, click the button under Personalized ads wherever I use my Microsoft account to turn it off.

    Figure 5: Configuring settings in Microsoft's personalized ads webpage

    Location tab

    Step 1. Click the button under Location to turn it off. This prevents third parties from collecting location data.

    Figure 6: Location settings

    Step 2. Scroll down to the Location history section of the Location settings. Click the [Clear] button to clear your device history.

    Figure 7: Clear history settings

    Step 3. Scroll further down to configure the location access that apps can have through your device. To limit the access of these apps to your location data, click on their respective buttons to turn them off.

    Figure 8: Limiting app access to location data

    Camera tab

    Step 1. Click the button under Let apps use my camera to turn it off.

    Figure 9: Camera privacy options

    Step 2. To restrict apps from accessing your camera, click on their respective buttons to turn them off.

    Microphone tab

    Step 1. Click the button under Let apps use my microphone to turn it off.

    Figure 10: Microphone privacy options

    Step 2. To restrict apps from accessing your microphone, click on their respective buttons to turn them off.

    Speech, inking, & typing tab

    Step 1. To limit Microsoft from collecting information like your contacts, typing history, calendar events, speech and handwriting patterns, do not click on [Get to know me] button and ensure that any eventual dials on this screen are turned off.

    Figure 11: Speect, inking, & typing tab

    Account info tab

    Step 1. Click the button under Let apps access my name, picture and other account info to turn it off and to limit apps from accessing your account information.

    Figure 12: Account info tab

    Contacts tab

    Step 1. To restrict apps from accessing your contacts, click on their respective buttons to turn them off.

    Figure 13: Contacts tab

    Calendar tab

    Step 1. Click the button under Let apps use my calendar to turn it off.

    Figure 14: Calendar privacy options

    Step 2. To restrict apps from accessing your calendar, click on their respective buttons to turn them off.

    Call History tab

    Step 1. Click the button under Let apps use my call history to turn it off.

    Figure 15: Call history privacy options

    Step 2. To restrict apps from accessing your call history, click on their respective buttons to turn them off.

    Email tab

    Step 1. Click the button under Let apps access and send email to turn it off.

    Figure 16: Email privacy options

    Step 2. To restrict apps from accessing and sending email, click on their respective buttons to turn them off.

    Messaging tab

    Step 1. Choose apps that can read or send messages by clicking on their respective buttons (to turn them on or off).

    Figure 17: Messaging options

    Radios tab

    Step 1. Click the button under Let apps control radios to turn it off.

    Figure 18: Radios options

    Other devices tab

    Step 1. To prevent your apps from automatically sharing and syncing information with other wireless devices, click the button to turn it off.

    Figure 19: Syncing with other devices

    Feedback & diagnostics tab

    Here you can choose how and whether you would like to send device feedback back to Microsoft Windows for diagnostics. We recommend choosing that you should Never be asked for feedback and sending Basic diagnostic information:

    Figure 20: Feedback & diagnostics options

    Background apps

    Here you can choose which apps you want to run in the background (receiving information, sending notifications, and staying up-to-date). To disable apps from running in the background, click on their respective buttons to turn them off. We recommend switching all (or as many as you can) of the apps off. You can start by switching all of them off and then attend to those which need to be switched on.

    Figure 21: Background apps options

    2.2. User Account Password

    Password-protecting your and all other user accounts and using unique user accounts for each person accessing the computer are basic security requirements.

    2.2.1. How to check if your Windows account is password protected

    Step 1. Press + L. which is the shortcut to lock your screen. If you have a password on your user account you will need to enter it here. If you do not have a password you will be able to access your desktop again without entering a password.

    Note: The Windows key is a key located on most windows computers between the Ctrl and Alt keys, it should either have a or icon on it.

    Figure 1: Windows lock screen with password-protected user account

    2.2.2. How to password-protect a Windows user account

    Step 1. Click to open the Windows Start menu then click to open the settings panel.

    Step 2. Click [Accounts] then select [Sign-in options] from the left-hand menu.

    Figure 1: Account sign-in page when there is no user password set

    Step 3. Click [ADD] to add a new password.

    Step 4. Enter your new password under New password and Reenter password. Be mindful that you do not reveal too much about your password in the Password hint field. For guidance on how to create strong passwords see our tactics guide How to create and maintain secure passwords

    Figure 2: Windows account password creation screen

    Step 5. Click [Next] to apply your new password. Revisit this process if you wish to change your password.

    2.2.3. How to add new Windows user accounts or a guest account

    To add new Windows user accounts or a guest account, follow the steps below:

    Step 1. Select [Accounts] through your Settings menu.

    Figure 1: Selecting Accounts through the Windows Settings menu

    Step 2. Select the [Family & other users] tab on the left side of the Account Settings window.

    Figure 2: Family & other users tab of the Account Settings window

    Step 3. Click the plus sign next to [Add someone else to this PC] under Other users.

    Step 4. Through the following window, click on the [I don't have this person's sign-in information] link.

    Figure 3: Adding a new user account without sign-in information

    Step 5. Click the [Add a user without a Microsoft account] link through the following window.

    Figure 4: Adding a user without a Microsoft account

    Step 6. Type the user name for the new account under the Who's going to use this PC? section.

    Figure 5: Adding account information for the new user

    Step 7. Type the password for the new account under the Make it secure section.

    Step 8. Re-type the password for the new account under the section under it.

    Step 9. Type something in the last section which will help you remember the password, if you ever forget or lose it.

    Step 10. Click [Next] to proceed.

    If you return to the Family & other users section of your Account Settings, you will see the new user account that you have just created.

    Figure 6: New user account created

    2.3. Screen Lock

    To prevent third parties from physically accessing your computer, you should be able to lock access to your machine when you are not working on it and the screen should automatically lock itself after a period of inactivity. The sections below explain how you can do so.

    2.3.1. How to set a time-out screen lock when your computer is inactive

    If you step away from your computer and forget to lock your screen, your computer should automatically lock itself after several minutes of inactivity.

    Step 1. Click the Start button and search for Change screen saver

    Step 2. Select On resume, display logon screen to activate the screen lock timeout.

    Step 3. Set the number of minutes of inactivity your computer should wait before locking the screen. We suggest a fairly short time period such as 3 minutes.

    Figure 1: Screen saver settings page with preferred settings

    Step 4. Click [OK] to apply the screen saver settings.

    3. Security

    3.1. System updates [Windows 7 - 8.1]

    Windows 10 automatically downloads and installs Windows updates for you, keeping you protected agains the latest software exploitation. This section of the guide is for Windows Visa, 7, 8, and 8.1 users.

    Step 1. Click the Start button and search for Windows Update.

    Step 2. Your operating system may not be automatically updating itself. If automatic updates are disabled you will see the below screen. Click to activate automatic updates.

    Figure 1: Windows 7 Windows Update screen with automatic updating disabled

    Step 3. Click [Change Settings] from the Windows Update side panel.

    Step 4. Change the time under Install new updates: Every day at 3:00 AM to a daytime hour such as 5:00 PM.

    Step 5. Check the check boxes next to Give me recommended updates the same way I receive important updates, Allow all users to install updates on this computer, and Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows. These settings will improve the frequency and ease of updates and also update Microsoft Office suite products which are also frequent targets for software exploitations.

    Figure 2: Windows 7 Update screen

    Step 6. Click [OK] to save your update settings.

    3.2. Windows Firewall

    Ensuring that your system's firewall is turned on at all times is essential, as it is designed to protect your operating system from unauthorised access to your computer through the Internet based on a set of predetermined security rules.

    To turn on your Windows firewall or to check that it is on, follow the steps below:

    Step 1. Type Firewall in your system's search panel to find the Windows Firewall Control Panel.

    Figure 1: Searching for Windows Firewall

    Step 2. Click on the [Turn Windows Firewall on or off] link.

    Figure 2: Windows Firewall Control Panel

    Step 3. Select the [Turn on Windows Firewall] option under Private network settings (if it's not already selected).

    Figure 3: Turning the Windows Firewall on

    Step 4. Select the [Turn on Windows Firewall] option under Public network settings (if it's not already selected).

    3.3. Removing Bloatware

    Many PC manufacturers include additional software with Windows when you purchase a new computer. These manufacturers are paid by the software vendors to include this software and the bundled software may not benefit and may even harm the interest of the consumer. One high profile case was the Superfish adware pre-installed on Lenovo computers which actively broke internet security processes in order to serve advertisements to users.

    Such software is known as bloatware: software which bloats your computer. Best practice is to install a fresh copy of Windows on a new computer using a disk provided by Microsoft, however this may often be impractical or expensive. The next best option is to uninstall the extra software that comes with your computer.

    Step 1. Click the Start button and search for Add or Remove Programs.

    Step 2. Review your installed programs. If you have a new computer this will be simpler than if you have been using it for long with many additional software installed. Look for programs you do not recognise and especially for programs not made by Microsoft. If you do not recognise a program try to research it online to understand its function and reputation. Also beware of software without a publisher name, meaning the software is not signed by a recognised software company.

    Step 3. If you identify programs you would like to remove, click on it then click Uninstall and follow the program-specific uninstallation instructions.

    4. Avoiding malware on Windows

    4.1. Windows SmartScreen

    The Microsoft Windows operating system includes SmartScreen, which is designed to protect users from malware and phishing attacks by scanning URLs accessed by the user against a blacklist of websites containing known threats.

    To configure SmartScreen, follow the steps below:

    Step 1. Type Control Panel in your system search panel on the bottom of the screen, click on it to open Control Panel.

    Step 2. Click [System and Security] and then [Security and Maintenance] to open window below. In this window click the [Change Windows SmartScreen settings] link on the left side of the window.

    Figure 1: Security and Maintenance window

    Step 2. Select the [Get administrator approval before running an unrecognised app from the Internet (recommended)] option to use SmartScreen protection against malicious URLs. Or select [Warn before running an unrecognised app] if your system does not offer previous option.

    Figure 3: Enabling Windows SmartScreen

    4.2. Windows Defender

    Windows Defender is software designed to detect and remove malware and it is built in Windows operating systems.

    To scan your computer for malware with Windows Defender, follow the steps below:

    Step 1. Through your control panel, select [System and Security].

    Step 2. Open the [Security and Maintenance] window.

    Figure 1: Security and Maintenance window

    Step 3. Click [Scan now] under the Security section to begin scanning your computer with Windows Defender for malware.

    Figure 2: Scanning a computer with Windows Defender

    This will display whether your PC is being protected.

    Figure 3: PC status following Windows Defender scan

    Step 4. For a full scan, select [Full] and click [Scan now].

    Step 5. Click [Update] to ensure that your virus and spyware definitions are automatically updated to help protect your PC.

    Figure 4: Virus and spyware definitions

    4.3. How to make file extensions visible to avoid being tricked by malware

    File extensions are a part of the names of files which tell the operating system which type of file it is and what process or application to use to open it. For instance for the file While My Guitar Gently Weeps.mp3 the .mp3 portion of the name tells the computer that it is an MP3 music file and can be opened by your default music player. By default Windows will hide these extensions, and some malware exploits this setting by attempting to makes its files appear to be a different type than it actually is. To mitigate this threat, you can change Windows settings to view file extensions, and optionally to view hidden files and operating system files where viruses also sometimes hide.

    4.4. How to view file extensions

    Step 1. Open the File Explorer .

    Step 2. Click the View menu tab and then click Options

    Figure 1: Windows 10 File Explorer View tab

    Step 3. Click the View tab.

    Figure 2: Windows 10 Folder Options View tab

    Step 4. Uncheck the box next to [Hide extensions for known file types].

    Step 5. Click [OK].

    Note: Notice now that file extensions will be visible on all files. Beware of files which are presented to you as being media or office documents but which have extensions for an unrelated file type such as .EXE, .MSI, or .BAT. A description of potentially dangerous file types can be found here.

    Figure 3: Files with extensions visible including an example potentially malicious file

    4.5. How to view hidden and operating system files

    Some malware hides itself as well as your documents as hidden files then creates shortcuts with names identical to your original documents which, when opened, redirect to the virus file and infects your computer. This is a particularly common attack on removable flash drives. To improve your ability to recognise infected file, you may change Windows settings to view hidden and operating system files.

    Step 1. Open the File Explorer .

    Step 2. Click the View menu tab and then click Options

    Figure 1: Windows 10 File Explorer View tab

    Step 3. Click the View tab.

    Figure 2: Windows 10 Folder Options View tab

    Step 4. Select the option [Show hidden files, folders, and drives] and uncheck the box next to [Hide protected operating system files (Recommended)]. You will see a warning window:

    Figure 3: View protected operating system files warning

    Step 5. Click [YES]. Windows operating system files will now be visible and should not be tampered with. However if you see unusual hidden files in your personal documents and removable drives you may be viewing malware.

    Step 6. Click [OK].

    Note: Standard operating system and temporary files known as will now be visible to you, such as or . You may ignore these safely.

    4.6. How to disable AutoPlay to protect against malware

    By default Windows enables AutoPlay a feature where plugged in removable media (like USB drives or devices) are examined and, based on their content, such as pictures, music or video files, an appropriate application to play or display the content is launched.

    Step 1. Click the Start button and search for AutoPlay.

    Figure 1: Windows AutoPlay options screen

    Step 2. Turn off Use AutoPlay for all media and devices.

    5. Windows full-disk encryption with BitLocker

    Having a password to login to your Windows computer account is good first step but not enough to protect the files stored on this account. An attacker with physical access to the computer can read user files unless they are encrypted. BitLocker is built-in full disk encryption software offered by Microsoft in Windows 7 Enterprise, Windows 8 Pro, and most versions of Windows 10 (excluding Home version). Bitlocket can encrypt entire system disk of the computer, additional hard disks or partitions, and removable storage media.

    Important: Steps below will help you encrypt your files. Without the correct password there will be no way to recover those files. Make a secure backup of your files before encrypting the files. Follow the below steps mindfully. Maintain a copy of your recovery key in a safe location (see below).

    5.1. How to encrypt the hard drive containing your operating system

    Step 1. Open This PC in the File Explorer, right-click your Local Disk (C:) and click Turn BitLocker on.

    Figure 1: Right-click menu on system drive on Windows computer with BitLocker

    Note: If you cannot find Turn BitLocker on in the menu above maybe you using a version of Windows which does not offer BitLocker. Consider upgrading your copy of Windows. Or see section 5.2. Alternatives to BitLocker below.

    Note: in this example we assume that your Windows operating system is installed on drive C:

    Important: If you see an error message This device can't use a Trusted Platform Module go to section In case of error "This device can't use a Trusted Platform Module" below.

    Step 2. You can choose how will you unlock your disk when starting the computer. You can use the password. Or you can unlock the disk with USB that you will prepare. In this guide we will use a password. Click Enter a password.

    Figure 2: BitLocker unlock method screen

    Note: If you have a TPM chip in your computer you may have more options available to choose from in this step. Each offers different protection opportunities. For example when you use a USB flash drive option you can limit access to your information to people who have 2-factors of the authentication: they have this specific USB (or it's copy) and know the password to login to your account.

    Step 3. Enter a strong password for BitLocker encryption.

    Figure 3: BitLocker Create a password to unlock this drive

    Note: If you use multiple languages on your computer and encounter password errors in following steps try using English language input method.

    Step 4. In this step you can back up an encryption recovery key, which can be used to open your files (decrypt them) without knowing your password. It is important to store a copy of your recovery key in a secure place. You may wish to use more than one of the methods available to you. Note that saving your recovery key to your Microsoft account may compromise the security of the key, however it offers advantages in case of losing backup key files. In this example we will assume that you can save the file to a separate USB drive and hide protect this drive.

    Insert a USB flash drive in your computer and click Save to a USB flash drive.

    Figure 4: BitLocker recovery key backup methods

    Step 5. Select Encrypt your entire drive and click [Next]

    Figure 5: Choose how much of your drive to encrypt

    Step 6. Select New encryption mode (in case you encrypting external drive select the other option)

    Figure 6: Select which encryption mode to use

    Step 7. Before encryption starts, you need to try that BitLocker settings will work on your computer. Leave Run BitLocker system check checked and click [Continue].

    Figure 7: Are you ready to encrypt this drive? System check

    Step 8. Restart your computer by clicking then Power then Restart.

    Step 9. After your computer restarts enter the password to unlock your disk and press Enter.

    Figure 8: Password entry screen

    Step 10. If you enter correct password your computer will start as before. Login to your account. Double-click small BitLocker icon in the system tray to check the status of your drive encryption:

    Figure 9: BitLocker drive encryption progress

    Step 11. Allow time for the encryption process to complete.

    Congratulations, you have encrypted your whole system drive!

    In case of error "This device can't use a Trusted Platform Module"

    If you encountered an error message saying This device can't use a Trusted Platform Module as shown in figure below it means that your computer does not have a Trusted Platform Module (TPM) chip that is used for encryption. However with a some configuration adjustments described below, BitLocker can still be used on computers without a TPM chip.

    Figure 10: Manager BitLocker Window with TPM Error

    Step 1. Press Start . Type gpedit.msc and press Enter. In the new window opened double-click:

    • Local Group Policy Editor
    • Computer Configuration
    • Administrative Templates
    • Windows Components
    • BitLocker Drive Encryption
    • Operating System Drives.

    Figure 11: Local Group Policy Editor screen with Operating Systems Drive folder selected

    Step 2. Then in the right-hand panel of this window, double-click Require additional authentication at startup to open new window. Note that there is also an option called Require additional authentication at startup (Windows Server 2008 and Windows Vista), ensure that you editing right option.

    Step 3. Select Enabled. Ensure that Allow BitLocker without a compatible TPM (Requires a password or a startup key on a USB flash drive) is enabled. Click [OK]

    Figure 13: BitLocker policy editor

    Step 4. Close the Local Group Policy Editor window and return to step 1 on beginning of this section "5.1. How to encrypt the hard drive containing your operating system"

    5.2. Alternatives to Bitlocker

    Since BitLocker is a closed source program its security cannot be independently verified. Additionally in some versions of Windows 10 Microsoft forces users to backup encryption recovery keys to a Microsoft online account which may compromise security of this key.

    Open source full disk encryption alternatives exist for Windows: VeraCrypt and DiskCryptor both offer full system disk encryption.

    There are programs which can encrypt specific files or folders on your computer, such as VeraCrypt, AxCrypt and GPG4Win.