Information: Using forks or modified versions of Windows is strongly discouraged and should be avoided altogether. These altered versions of Windows lack proper update support, leaving your system vulnerable to potential attacks since essential security features, like Defender antivirus, may become outdated or disabled.
Secured-core PCs are a class of devices designed with a focus on enhanced security by integrating hardware, firmware, and software protections. Microsoft collaborates with OEM partners and silicon vendors to create these PCs, offering a robust defense against sophisticated attacks. They are particularly valuable in sectors handling sensitive data, such as healthcare, finance, and government, where data protection is paramount.
To ensure a clean and secure installation of Windows that removes any potential malware or corruption, it is recommended to reinstall Windows using the method on Reset Windows.
If you're currently using a local account on your Windows device, consider converting it into a Microsoft account. This will prevent other administrators from changing your account password without your knowledge. Go to Start > Settings > Accounts > Your info.
For additional security, it is highly recommended to enable the "Require Windows Hello sign-in for Microsoft accounts" setting on the Windows device. This ensures that the user can only sign in to their Microsoft account using Windows Hello. Go to Start > Settings > Accounts > Sign-in options.
Important: The following three sections contain settings that will make Windows Defender significantly more aggressive, leading to a noticeable increase in the occurrence of false positives.
Information: An open-source alternative called ConfigureDefender offers similar functionality to DefenderUI. While some may favor open-source tools, I recommend using DefenderUI due to its superior user interface, additional features, and its association with the developers of VoodooShield CyberLock.
Harden Windows Defender using DefenderUI by configuring the profile to be in an Aggressive mode.
Many settings configured by DefenderUI can be reversed by malware that has administrator privileges. Although malware running with administrator privileges is already a major problem, a third-party antivirus such as Kaspersky or Sophos provides an extra layer of protection: to tamper with Kaspersky or Sophos, malware would need kernel-level access, which is much harder to obtain than escalating from a standard user to an administrator.
Turn on Smart App Control. If it's not accessible, you will have to perform a Windows reinstallation as shown above.
In the Controlled Folder Access settings, include the Downloads folder as a protected folder.
There are additional use cases for CFA that can enhance application security, as shown on Controlled Folder Access.
Triage is a malware analysis platform for testing suspicious software. Users can upload files to see if they are malware. The platform runs the files in a secure environment and provides detailed reports on their behavior, including system changes and network connections. This helps users quickly identify and understand potential threats.
Microsoft Edge can use Microsoft Defender Application Guard (MDAG) and its enhanced security mode. In this mode, Just-In-Time (JIT) execution is disabled, and several mitigations such as ACG, CIG, CFG, and CET are enabled in the renderer process, providing a more secure browsing experience.
Encrypted Client Hello (ECH) is a privacy enhancement for TLS that encrypts the Server Name Indication (SNI) during the TLS handshake. This prevents intermediaries from determining which website a user is visiting. By splitting the ClientHello message into an inner encrypted part and an outer unencrypted part, ECH ensures that the actual server name remains hidden. Only the outer SNI, which is a common name like "cloudflare-ech.com," is visible, making all visits to Cloudflare-hosted sites appear identical to intermediaries. This advancement aims to close a significant privacy gap, complementing DNS over HTTPS (DoH) and other encryption protocols.
To enable Encrypted ClientHello (ECH) on Edge, update to version 105 or newer, then right-click the Edge browser icon on the desktop, select Properties, and in the Target field, enter a space followed by --enable-features=EncryptedClientHello.
When browsing websites, your privacy can be compromised at various points, such as by your ISP or the coffee shop owner providing your WiFi connection. This page automatically tests if your DNS queries and answers are encrypted, if your DNS resolver uses DNSSEC, which TLS version is used for the connection, and if your browser supports securing the Server Name Indication (SNI) with Encrypted Client Hello (ECH).
Important: Using uBlock Origin (Lite) together with other ad blockers or privacy extensions is discouraged, as it can lead to conflicts. If your browser is not transitioning to Manifest V3, you can stick with uBlock Origin; uBlock Origin Lite is the version designed to comply with the more restrictive MV3.
uBlock Origin (Lite) is a CPU- and memory-efficient browser extension that blocks ads, trackers, and malware.
Quad9 is a free DNS recursive service designed to enhance internet security and privacy. By replacing your default DNS, it blocks access to known malicious domains using real-time threat intelligence from over two dozen cybersecurity sources. This service helps protect against malware, phishing, spyware, and botnets while ensuring user privacy by not logging IP addresses and adhering to GDPR standards. Operated by the Swiss-based Quad9 Foundation, Quad9 aims to create a safer internet environment. It is easy to use, requiring no signup or personal data, and can be configured on individual devices or entire networks.
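As an added example that is not part of the original guide, the following PowerShell configures Quad9 on every connected adapter of a Windows 11 device and registers its DNS-over-HTTPS template so queries are encrypted. The addresses and template are Quad9's published values; the script is assumed to run in an elevated session and only configures IPv4.

```powershell
# Added example (not from the original guide). Run as administrator on Windows 11.
# Quad9's public resolvers and DoH template (published by Quad9, not page-specific values).
$quad9 = @(
    @{ Address = '9.9.9.9';         Template = 'https://dns.quad9.net/dns-query' },
    @{ Address = '149.112.112.112'; Template = 'https://dns.quad9.net/dns-query' }
)
$addresses = $quad9 | ForEach-Object { $_.Address }

# Windows only upgrades a resolver to DoH when it knows a template for that address.
# Register Quad9's template and refuse to fall back to plaintext UDP if HTTPS fails.
foreach ($srv in $quad9) {
    $existing = Get-DnsClientDohServerAddress -ServerAddress $srv.Address -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsClientDohServerAddress -ServerAddress $srv.Address -DohTemplate $srv.Template `
            -AllowFallbackToUdp $false -AutoUpgrade $true | Out-Null
    }
}

# Point every adapter that is currently up at Quad9 (IPv4 resolvers only).
$adapters = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }
foreach ($a in $adapters) {
    Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex -ServerAddresses $addresses
}

# Verify: every configured adapter should list exactly the Quad9 addresses, and the
# DoH table should contain both entries with fallback to UDP disabled.
Clear-DnsClientCache
foreach ($a in $adapters) {
    $cfg = (Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4).ServerAddresses
    $ok = (@($cfg) -join ',') -eq ($addresses -join ',')
    Write-Host ("{0,-30} DNS = {1}  [{2}]" -f $a.Name, ($cfg -join ', '), $(if ($ok) { 'OK' } else { 'MISMATCH' }))
}
Get-DnsClientDohServerAddress | Where-Object { $addresses -contains $_.ServerAddress } |
    Format-Table ServerAddress, DohTemplate, AllowFallbackToUdp, AutoUpgrade -AutoSize
```

The adapter's DoH setting can also be inspected in Settings > Network & internet, where the encryption state should read "Encrypted only" once the template is registered.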
Press the Windows key on your keyboard or click on the Windows icon in the taskbar.
Type "Control Panel" in the search bar and click on the "Control Panel" app that appears.
In the Control Panel, click on "User Accounts."
Click on "User Accounts" again.
In the User Accounts section, click on "Change User Account Control settings."
Information: For guidance on launching secpol.msc or gpedit.msc, please consult the provided tips.
Requirement: Windows Pro
Requirement: Windows Pro
Navigate to Computer Configuration \ Administrative Templates \ System \ Local Security Authority.
Requirement: Windows Pro
Navigate to Computer Configuration \ Administrative Templates \ System \ Device Guard.
Important: Secure Launch requires a computer with Secured-core.
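Once the Local Security Authority and Device Guard policies above have been applied and the device rebooted, the following PowerShell reads back what is actually running. This is an added verification example, not part of the original guide; it assumes an elevated session on Windows 10 or 11 and uses the documented Win32_DeviceGuard class.

```powershell
# Added example (not from the original guide): confirm that LSA protection and the
# virtualization-based security services the policies enable are really active.
# Values only reflect the new policy after a reboot. Run as administrator.

# RunAsPPL = 1 (or 2 when set with a UEFI lock) means LSASS runs as a protected process.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$runAsPpl = if ($null -ne $lsa.RunAsPPL) { [int]$lsa.RunAsPPL } else { 0 }
Write-Host ("LSA protection (RunAsPPL = {0}): {1}" -f $runAsPpl, $(if ($runAsPpl -ge 1) { 'enabled' } else { 'NOT enabled' }))

# Win32_DeviceGuard reports which VBS services are configured by policy and which are running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$vbsState = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'running' }
Write-Host ("Virtualization-based security: {0}" -f $vbsState[[int]$dg.VirtualizationBasedSecurityStatus])

# Service ids as documented by Microsoft for SecurityServicesConfigured / SecurityServicesRunning.
$services = @{
    1 = 'Credential Guard'
    2 = 'HVCI (memory integrity)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM firmware measurement'
    5 = 'Kernel-mode hardware-enforced stack protection'
}
foreach ($id in ($services.Keys | Sort-Object)) {
    $configured = $dg.SecurityServicesConfigured -contains $id
    $running    = $dg.SecurityServicesRunning    -contains $id
    # "configured but not running" usually means the reboot is still pending or the
    # hardware does not support the feature (Secure Launch needs a Secured-core PC).
    $state = if ($running) { 'running' } elseif ($configured) { 'configured, NOT running' } else { 'off' }
    Write-Host ("  {0,-48} {1}" -f $services[$id], $state)
}
```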
Requirement: Windows Pro
Navigate to Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption.
Requirement: Windows Pro
Navigate to Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives.
Open the Command Prompt as an administrator. You can do this by right-clicking on the Start menu button and selecting "Terminal (Admin)".
Type "manage-bde -status" in the Command Prompt window and hit Enter. This command will display the current status of BitLocker on your system.
Type "manage-bde -protectors -add C: -TPMAndPIN" and hit Enter. This command will add a TPM and PIN protector to the BitLocker-protected drive.
Enter your preferred PIN when prompted, and confirm it. Make sure your PIN is at least 6 digits long and avoid using easily guessable numbers, such as your birth year or phone number.
After setting the PIN, type "manage-bde -status" again to verify that the TPM and PIN protector has been added successfully.
Restart your computer to complete the process. When your computer restarts, it will prompt you to enter the PIN to unlock the BitLocker-protected drive.
Important: For this feature to function properly, you should always shut down or hibernate the device before it leaves the control of an authorized user.
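The manage-bde steps above, done with the BitLocker PowerShell module and with the checks a practitioner wants before changing a boot protector. This is an added example, not part of the original guide; it assumes the operating system drive is C:, BitLocker is already on, the group policy from the Operating System Drives section allows a TPM+PIN, and the session is elevated.

```powershell
# Added example (not from the original guide). Run as administrator.
$mount = 'C:'   # assumed OS drive
$vol = Get-BitLockerVolume -MountPoint $mount

if ($vol.ProtectionStatus -ne 'On') {
    throw "BitLocker protection is not on for $mount; enable BitLocker before adding a PIN."
}

# A present and ready TPM is required for a TPM+PIN protector.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'No ready TPM found; TPM+PIN is not available on this device.'
}

# Do not add a PIN without a recovery password on file: a forgotten PIN would otherwise lock you out.
$types = $vol.KeyProtector.KeyProtectorType
if (-not ($types -contains 'RecoveryPassword')) {
    throw "No recovery password protector on ${mount}; back one up first (manage-bde -protectors -get $mount)."
}

if ($types -contains 'TpmPin') {
    Write-Host "A TPM+PIN protector already exists on ${mount}."
} else {
    # Read the PIN without echoing it and enforce the guide's minimum of 6 digits.
    $pin     = Read-Host -AsSecureString -Prompt 'Enter the new BitLocker PIN (at least 6 digits)'
    $confirm = Read-Host -AsSecureString -Prompt 'Confirm the PIN'
    $plain1  = [System.Net.NetworkCredential]::new('', $pin).Password
    $plain2  = [System.Net.NetworkCredential]::new('', $confirm).Password
    if ($plain1 -ne $plain2)   { throw 'PINs do not match.' }
    if ($plain1.Length -lt 6)  { throw 'PIN must be at least 6 digits long.' }
    if ($plain1 -notmatch '^\d+$') { throw 'Use digits only unless enhanced PINs are allowed by policy.' }
    Add-BitLockerKeyProtector -MountPoint $mount -TpmAndPinProtector -Pin $pin | Out-Null
}

# Verify: the protector list should now include TpmPin alongside RecoveryPassword.
(Get-BitLockerVolume -MountPoint $mount).KeyProtector |
    Format-Table KeyProtectorType, KeyProtectorId -AutoSize
```

Restart afterwards; the PIN prompt appears before Windows loads, as described in the steps above.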
Requirement: Windows Pro
Important: Ensure that your BitLocker recovery key is at hand in case you exceed the number of permitted unsuccessful login attempts.
Requirement: Windows Pro
Go to the AppData folder by pressing the Windows key + R on your keyboard, then typing "%USERPROFILE%\AppData" (without quotes) in the Run box and pressing Enter.
Once you're in the AppData folder, right-click an empty area of the folder and select "Properties" from the context menu.
In the Properties window, click on the "Advanced" button located at the bottom of the General tab.
In the Advanced Attributes window, check the box next to "Encrypt contents to secure data", and then click on the "OK" button.
You'll be prompted to choose whether you want to encrypt just the folder or the folder and its contents. Select "Apply changes to this folder, subfolders and files", then click on the "OK" button.
If you have files in the folder that are currently in use by other programs, you'll be prompted to close those programs before proceeding with the encryption process. Close any programs that are using files in the folder, and then click on the "Retry" button.
Click on the "Apply" button in the Properties window to start the encryption process. Depending on the size of the folder and its contents, this process may take some time to complete.
Once the encryption process is complete, the folder and its contents will be protected with the AES-256 encryption algorithm. Only users who have the original account password will be able to access the encrypted data.
Right-click on the user folder that you want to encrypt, and then select "Properties" from the context menu that appears.
In the Properties window, click on the "Advanced" button located at the bottom of the General tab.
In the Advanced Attributes window, check the box next to "Encrypt contents to secure data", and then click on the "OK" button.
You'll be prompted to choose whether you want to encrypt just the folder or the folder and its contents. Select "Apply changes to this folder, subfolders and files", then click on the "OK" button.
If you have files in the folder that are currently in use by other programs, you'll be prompted to close those programs before proceeding with the encryption process. Close any programs that are using files in the folder, and then click on the "Retry" button.
Click on the "Apply" button in the Properties window to start the encryption process. Depending on the size of the folder and its contents, this process may take some time to complete.
Once the encryption process is complete, the folder and its contents will be protected with the AES-256 encryption algorithm. Only users who have the original account password will be able to access the encrypted data.
Information: To access additional details about the security measures implemented by Bitwarden, please refer to the Bitwarden Security FAQ, Is Bitwarden Audited, and Bitwarden Security Whitepaper.
Bitwarden ensures robust security for your passwords through several key measures. Being open source, its code is transparent and continuously reviewed by the community. It undergoes regular audits by third-party security firms and independent researchers. Bitwarden employs end-to-end encryption, meaning your passwords are encrypted on your device before being stored on Bitwarden servers, ensuring that only you can decrypt and access them. Even if Bitwarden's servers were compromised, your data remains protected due to strong encryption practices. The company’s compliance with GDPR, CCPA, HIPAA, SOC 2 Type 2, and SOC 3 further underscores its commitment to security and privacy. Additionally, users can opt for self-hosting for complete control over their data.
If you haven't signed in yet, open the OneDrive application and sign in. Follow the on-screen instructions to set up OneDrive. I recommend keeping the OneDrive folder in its default location without any changes. Do not use OneDrive's built-in method to sync user folders like "Downloads" or "Documents." Instead, follow the more effective method for syncing user folders described below.
Open File Explorer by pressing the Windows key + E.
Navigate to your OneDrive folder.
Create a new folder inside your OneDrive folder and name it "PC".
Inside the "PC" folder, create five subfolders and name them "Documents", "Downloads", "Pictures", "Music", and "Videos".
To change the location of your original user folders, right-click on each folder (such as "Documents" or "Pictures") in the left pane of File Explorer and select "Properties".
In the Properties window, click the "Location" tab and then click the "Move" button.
Navigate to the corresponding folder you just created in your OneDrive folder ("PC/Documents" for "Documents", for example) and select it.
Click "Apply" to confirm and then "OK" in the Properties window to save the changes.
Repeat these steps for each user folder you want to sync with OneDrive.
Everything in those folders will now be synced to your OneDrive, including any new files you add or changes you make.
To further protect your files, you may want to consider encrypting the whole OneDrive folder with Encrypting File System (EFS).
Requirement: Windows Pro
Right-click on the OneDrive folder in File Explorer and select "Properties".
Click the "Advanced" button and then check the box for "Encrypt contents to secure data".
Click "OK" to save the changes.
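The EFS steps above (for AppData, the user folders, and the OneDrive folder) as one PowerShell script that applies the encryption, verifies it, and backs up the EFS certificate, which the data cannot be recovered without if the user profile is ever lost. This is an added example, not part of the original guide; the folder list and the backup location are assumptions, and it should run as the user who owns the folders, not elevated.

```powershell
# Added example (not from the original guide). Run as the owning user, not as administrator.
# Assumed default locations; adjust $folders to the folders you chose to encrypt.
$folders = @(
    "$env:USERPROFILE\AppData",
    "$env:USERPROFILE\Documents",
    "$env:USERPROFILE\OneDrive"
)

foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Warning "Skipping missing folder: $folder"
        continue
    }
    # cipher /e /s:<dir> is the command-line form of "Encrypt contents to secure data" applied
    # to the folder, subfolders and files. Files open in another program are reported and
    # left as-is, matching the "close the programs, then Retry" step of the GUI procedure.
    & cipher.exe /e /s:"$folder" | Out-Null

    # Verify: every file under the folder should now carry the Encrypted attribute.
    $unencrypted = Get-ChildItem -LiteralPath $folder -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) }
    if ($unencrypted) {
        Write-Warning ("{0}: {1} file(s) still unencrypted (in use or locked), e.g. {2}" -f
            $folder, @($unencrypted).Count, @($unencrypted)[0].FullName)
    } else {
        Write-Host "${folder}: encrypted"
    }
}

# Back up the EFS certificate and private key. cipher /x writes <name>.pfx and prompts for
# a password to protect it; move the file to removable media kept away from this PC.
$backupBase = Join-Path $env:USERPROFILE 'Desktop\efs-backup'   # constructed path, writes efs-backup.pfx
& cipher.exe /x:"$backupBase"
```

Re-run the script after closing the programs that held files open; cipher only touches files that are not yet encrypted, so repeated runs are safe.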
Information: It’s advisable to secure your highly sensitive data using encryption before uploading it to OneDrive.
Cryptomator is a simple, open-source encryption tool that ensures the security of your data when stored in cloud services. It encrypts both files and filenames using AES with 256-bit key length, allowing you to maintain control over your encryption keys. Unlike many cloud providers, Cryptomator provides client-side encryption, meaning that only you have access to the decryption keys. This prevents unauthorized access, even if the cloud service itself is compromised. With its easy setup and seamless integration, Cryptomator creates a virtual encrypted drive on your device, automatically encrypting data as you move it into the vault.
Open an elevated command prompt by right-clicking the Windows Start button and selecting "Terminal (Admin)."
In the command prompt, type "reagentc /disable" and press Enter. This command disables the Windows Recovery Environment (WinRE).
Restart your computer and enter the BIOS or UEFI settings by pressing the appropriate key during startup.
Password protect your computer's BIOS or UEFI settings. Look for the security or password section of the BIOS/UEFI settings, and follow the prompts to set a password.
Disable other booting methods, such as booting from CD/DVD, USB drives, or external hard drives. This prevents unauthorized users from booting the computer with a different operating system or bootable device.
Set the boot sequence to boot only from the hard drive that contains the operating system.
Save the settings and restart your computer. Your computer will now be more secure, as unauthorized users will not be able to boot from external devices or modify the BIOS/UEFI settings without the password.