Windows Security From The Ground Up
[Article last reviewed 2019-05-25]
This page will walk you through configuring a Windows computer from the ground up for security and stability. This configuration will make you virtually impervious to viruses you don't actively try to install yourself, and will help constrain any malicious code that does get on your computer.
Section A: The Ground Up
The best thing to do is start from the bare hardware and install Windows 10 from scratch with UEFI, TPM, and SecureBoot turned on. If you don't want to do that, skip to Section B. Any retail computer purchased with Windows 8.1 will already have these turned on.
1.) Update BIOS
For best compatibility and security you should update your computer's BIOS. A modern BIOS (really UEFI) is a full operating system that runs below and at the same time as Windows, and needs patches too! People who built computers in the early 2000's will tell you BIOS updates are risky - and they were - but not anymore. These updates deliver fixes, features, and security updates you won't ever hear on the news.
Even new computers/motherboards need updates. If you're starting from scratch, do the BIOS update after installing Windows 10.
You can find the BIOS update tool on your manufacturer's driver page for your computer model. You will need to reboot for it to take effect. If you have a Surface, BIOS updates are delivered through Windows Update.
2.) Prepare Windows Bootable Media
Make sure everything is backed up before proceeding. The following changes will wipe your Windows installation.
3.) Configure BIOS
This part is important and is something nobody ever talks about.
From the boot of your computer, press the setup hotkey. It may be F1, F2, F8, F10, Del, or something else to get into SETUP mode. Again BACKUP YOUR COMPUTER.
In the BIOS:
Set a setup password. Make it simple, this is only to prevent malicious modification by someone in front of the computer or by a program trying to corrupt it.
Change boot to/prioritize UEFI. Disable everything except UEFI DVD, UEFI HDD, and USB UEFI if you plan on using a USB stick to install Windows.
Disable 1394 (FireWire) and ExpressCard/PCMCIA (if you're on a laptop) as a layer to further mitigate DMA attacks. This isn't as important anymore, but if you don't use them you might as well turn it off.
If you want - and if the computer offers it - you can enable a System and HDD password. We will be using BitLocker to protect the disk, but this is an extra layer you can add if you want. I don't do this.
If you don't use the webcam or microphone, you may be able to turn them off in the BIOS.
Save settings and shut down.
4.) Install Windows 10
Insert your DVD/USB. Boot the computer and use the boot menu hotkey to boot to your UEFI DVD or UEFI USB. The hotkey is often F10 or F12. Search the web if you can’t figure out how to get to the boot menu.
Follow the prompts and install Windows. If it gives you an option of where to install Windows to, and there's already a partition, delete the partition first.
Section B: Into The Breach
5.) Update Windows 10
In Start > Settings > Update, continue updating and rebooting Windows until there's nothing left. I usually wait until this is done before I start installing stuff.
6.) Set UAC to full
Listen to me. UAC is a critical security control that has vast impacts you can't see. It is not computer bubblewrap. It exists for very important reasons. You aren't cool for turning it off.
Follow these instructions to set UAC to the highest option, "Always notify me." Anything less allows any malware to instantly elevate to administrator level permissions. UAC isn't magic, but it's a layer you want to use.
7.) Enable Drive Encryption
If you have Windows 10 Home:
Start > Settings > System > About
Look for the "Device encryption" setting at the bottom of the About pane. If it's not there, your computer does not support the limited encryption feature that Home supports. You should upgrade to Windows 10 Pro or set a HDD password in your BIOS if your computer supports it. Depending on model of drive, HDD password will provide less protection than BitLocker.
If you have Windows 10 Pro:
Right-click on Start > Control Panel > BitLocker Drive Encryption > Turn on BitLocker
If it says you don't have a TPM, here's how to use BitLocker without a TPM.
Why not use TrueCrypt/Veracrypt?
With SecureBoot, before your computer boots to Windows it verifies the OS hasn't been corrupted with a bootkit that modifies Windows that lets a virus run hidden. 3rd party encryption tools break this chain of trust that flows from UEFI to Windows bootloader to BitLocker. This chain of trust is critical for preventing an entire category of attack against Windows. This is not theoretical, this stops real-life attacks.
Section C: The Browser Is Your OS
This section is dedicated to installing and configuring a 3rd-party browser. Chrome remains the premiere browser with impressive security. On the open-source side, Mozilla spent years completely revamping the security model and reliability code of Firefox, and in 2019 it’s a secure, extremely fast choice.
A new version of Microsoft Edge, based on Chrome, is in development. It’s too early to recommend that for general use.
I use both Chrome and Firefox. You should choose what you prefer. Either is a great choice.
8.1) Install Google Chrome x64
Until recently, installing Chrome the normal way would give you a per-user install. This means the Chrome executables and shortcuts are in your user profile and can be modified by a malicious program without elevation. Additionally, although Chrome should have auto-updated to the much more resilient 64-bit version of Chrome automatically, but it’s a good idea to make sure both of these things are fixed.
On this page, click "Chrome MSI for Windows 64‑bit" and install.
You don't have to uninstall what you're running right now, everything will be silently ported over.
8.2) Install Firefox x64
Again, Firefox is a great choice for a browser. You should ensure you’re using Firefox 64-bit.
9.) Content blocker: uBlock Origin
The majority of threats to users come through malicious advertisements displayed on mainstream websites. Or someone you care about could get a false pop-up saying their computer is infected, and get tricked into calling a scam tech support company.
uBlock Origin is the fastest, most complete, and most reputable “ad-blocking” software available.
Section D: Securing Other Software
Adobe Reader DC
Adobe Reader is actually pretty safe if you have the full suite of security settings turned on. In the case of Adobe Reader DC, there's just one setting you need to change:
Edit > Preferences > Security (Enhanced) > Protected View > Files from potentially unsafe locations
Section P: Piracy
Don't steal software. That's how idiots get viruses. Especially don't try to steal antivirus. That makes you a double idiot. Maybe even a triple idiot. I’m completely serious about this.
2017-05-08: Removed sections I never finished
2019-05-25: Now recommend Firefox as a browser in addition to Chrome. GlassWire is now subscription-only.