Simply Windows Security Tips
The Security on most people’s home computers is relatively weak. That’s a fact. Now it’s true that hollywood has hacking all wrong. Mo one is simply able to reach across the internet, type a few commands in a terminal and have full access to your computer. As long as your computer has the latest security patches no one is remotely hacking it without first finding a serious exploit in the OS. However there are still a few ways that hackers and scammers get into computers all the time. The main two ways are malware and physical access. Now most home users don’t have some complicated threat model that they need to account for, but there are some relatively simple ways that any semi-tech savy person can implement to improve their security. In this guide I will show you some of these simple methods, with a focus on Windows. All these tricks should work on both windows 10 and 11. Any version of Windows older is End of Life and is a security risk no matter what you do. So if your still using Windows 7 or 8, just upgrade already.
The security on most people’s home computers is relatively weak. That’s a fact. Now it’s not as terrible as Hollywood would have you believe. No one is simply able to reach across the internet, type a few commands in a terminal, and have full access to your computer. As long as your computer has the latest security patches, no one is remotely hacking it without first finding a serious exploit in the OS. However, there are still a few ways that hackers and scammers get into computers all the time. The main two ways are malware and physical access. Now most home users don’t have some complicated threat model that they need to account for, but there are some relatively simple ways that any semi-tech-savvy person can implement to improve their security. In this guide I will show you some of these simple methods, with a focus on Windows. All these tricks should work on both Windows 10 and 11. Any older version of Windows is already out of support and no longer receives updates. This makes them a security risk. So if you’re still using Windows 7 or 8, just upgrade already.
Scanning files that you download
Malware is always going to be a problem for as long as computers exist. Now the best way to avoid malware is to know what you’re downloading and where it’s coming from. By making sure you’re downloading files and programs from trusted sources, you can avoid almost all malware. Always download programs from first-party sources whenever possible. Also avoid piracy if you don’t know what you’re doing. Your chance of getting malware is significantly higher if you’re pirating software. There is a simple trick, however, to reduce your chance of malware even further that most people either don’t know or don’t think about. You see, if you right-click on a file and bring up the context menu, by default on Windows, there’s an option to have Windows Defender scan the file for malware. Now anti-malware software is far from perfect, and simply scanning a file doesn’t guarantee it is free from malware, but it’s an added layer of security that generally only takes a few seconds.
Prompting for credentials with User Access Control
Many, maybe even most, people use Windows with an Administrator account. When you use an admin account, the account is in something called admin approval mode by default. This is where the prompt appears whenever a program wants admin privileges or you try to change sensitive settings. This prompt, however, only has a simple choice of yes or no buttons. The problem is that anyone can simply click yes on these buttons, potentially even a relatively cheap hotplug attack tool. It also only takes a fraction of a second for you to press yes, potentially before you’ve even checked what you’re giving access to. There is a simple solution, and most Linux distros already have it by default. Prompt for an admin password before giving anything admin privileges. In Linux it’s known as the sudo command. There’s also a way to do the same thing in Windows. First you go to the Windows Group Policy Editor. You can find this with the Windows search or open the run box win + R and type gpedit.msc and press enter. Now once you open the Group Policy Editor and accept the UAC prompt, you will need to find the correct policy to change. Don’t go changing policies unless you know what they do. The one we want is under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. Once there, you want to scroll down to near the bottom and find the one labelled;User Account Control: Behaviour of the elevation prompt for administrators in Admin Approval Mode you then want to click on this and set it to Prompt for credentials. Once you do this, whenever something requires admin privileges, the prompt will now ask you for your password before granting them.
Full Disk or Partition Encryption
Now not everyone necessarily needs to have full disk encryption. By using full disk encryption, you can prevent anyone who steals your computer or storage drives from accessing any of the data on it, assuming you didn’t leave it lying around logged in. This includes the installed OS. The main sacrifice, however, with having proper full disk encryption, is that you require an extra password or other authentication method before your computer will boot into Windows. Since everything needs to be encrypted and decrypted as it enters or leaves the drive, there will be some overhead. With any relatively modern system, though, it won’t make a noticeable difference. Since full disk encryption is more designed to stop people with physical access to your computer, you may decide that the sacrifices aren’t worth it for your desktop but may decide it’s worth it for your laptop, since it has a higher chance of being left behind or stolen. In most corporate environments, some form of disk encryption is probably considered a must-have.
There are two different good solutions for full disk encryption on Windows, BitLocker and VeraCrypt. BitLocker comes with Windows, both Windows 10 and 11. On Windows 11 Home, you simply have to sign into a Microsoft account, and it will automatically enable device encryption. But this isn’t quite the same as full BitLocker encryption with a password before the OS even boots. It also saves the recovery key to your Microsoft account. So you’re trusting Microsoft. In another blog post of mine, I mention how I prefer using a local account and why, so obviously I don’t like this option. On Windows 10 and Windows 11 Pro, you can manually configure BitLocker, including having a password or authentication before the PC boots. You can also configure it to use hardware encryption if your device supports it. This is what I use personally at the moment.
VeraCrypt is another amazing option and is completely free. VeraCrypt will work with any version of Windows 10 or 11 and is open-source, so if you have enough experience as a developer, you can check the code yourself. VeraCrypt allows encryption with a range of different encryption standards and can also create encrypted volumes in a file if you don’t want to encrypt your whole drive or partition. However, there is very little reason to use an encryption standard at the moment that isn’t AES. Anything other than AES will likely be much slower and potentially less secure.
Since explaining the exact process to set up BitLocker and VeraCrypt would take quite a while, I will instead recommend searching up another guide for it online. There are plenty of them out there that could probably do a much better job than me.
Conclusion
This has been only a few tips to greatly improve security on your Windows PC. This is definitely far from a definitive guide, but I hope you learnt something anyway.
