Embedded Files
Information: Using forks or modified versions of Windows is strongly discouraged and should be avoided altogether. These altered versions of Windows lack proper update support, leaving your system vulnerable to potential attacks since essential security features, like Defender antivirus, may become outdated or disabled.
Secured-Core
Secured-core PCs are a class of devices designed with a focus on enhanced security by integrating hardware, firmware, and software protections. Microsoft collaborates with OEM partners and silicon vendors to create these PCs, offering a robust defense against sophisticated attacks. They are particularly valuable in sectors handling sensitive data, such as healthcare, finance, and government, where data protection is paramount.
Reinstall Windows
To ensure a clean and secure installation of Windows that removes any potential malware or corruption, it is recommended to reinstall Windows using the method on Reset Windows.
Account Type
Local To Live Microsoft Account
If you're currently using a local account on your Windows device, consider converting it into a Microsoft account. This will prevent other administrators from changing your account password without your knowledge. Go to Start > Settings > Accounts > Your info.
Windows Hello
For additional security, it is highly recommended to enable the "Require Windows Hello sign-in for Microsoft accounts" setting on the Windows device. This ensures that the user can only sign in to their Microsoft account using Windows Hello. Go to Start > Settings > Accounts > Sign-in options.
Install Kaspersky
Information: If you're in the US and prefer not to use Windows Defender, I suggest Sophos Home, as Kaspersky is banned in the US. Sophos requires minimal configuration, and the default settings are sufficient, though not as secure as a hardened Kaspersky Standard setup.
Kaspersky
Install Kaspersky Standard on your computer. Configure the scan settings to the "Extreme" option then perform a full system scan to detect and remove any potential threats.
Default Deny With Intrusion Prevention
To significantly minimize the attack surface, I ultilize the Kaspersky Security Network (KSN) to establish a whitelist through Intrusion Prevention on Kaspersky Standard. Operating on the principle of default deny, this approach blocks all actions unless trusted by the Kaspersky Security Network, effectively decreasing the potential points of vulnerability and providing robust defense against unknown and zero-day threats. This will increase the false positives for Kaspersky, and it is not recommended unless you have a clear understanding of Intrusion Prevention and the default deny policy.
Password Protection On Kaspersky
Prevent unauthorized changes to Kaspersky settings by individuals with physical computer access unless they have the password.
Triage
Triage is a malware analysis platform for testing suspicious software. Users can upload files to see if they are malware. The platform runs the files in a secure environment and provides detailed reports on their behavior, including system changes and network connections. This helps users quickly identify and understand potential threats.
Harden Browser
Microsoft Edge
Microsoft Edge can use Microsoft Defender Application Guard (MDAG) and its enhanced security mode. In this mode, Just-In-Time (JIT) execution is disabled, and several mitigations such as ACG, CIG, CFG, and CET are enabled in the renderer process, providing a more secure browsing experience.
Encrypted ClientHello
Encrypted Client Hello (ECH) is a privacy enhancement for TLS that encrypts the Server Name Indication (SNI) during the TLS handshake. This prevents intermediaries from determining which website a user is visiting. By splitting the ClientHello message into an inner encrypted part and an outer unencrypted part, ECH ensures that the actual server name remains hidden. Only the outer SNI, which is a common name like "cloudflare-ech.com," is visible, making all visits to Cloudflare-hosted sites appear identical to intermediaries. This advancement aims to close a significant privacy gap, complementing DNS over HTTPS (DoH) and other encryption protocols.
To enable Encrypted ClientHello (ECH) on Edge, update to version 105 or newer, then right-click the Edge browser icon on the desktop, select Properties, and in the Target field, enter a space followed by --enable-features=EncryptedClientHello.
Cloudflare Browser Security Check
When browsing websites, your privacy can be compromised at various points, such as by your ISP or the coffee shop owner providing your WiFi connection. This page automatically tests if your DNS queries and answers are encrypted, if your DNS resolver uses DNSSEC, which TLS version is used for the connection, and if your browser supports securing the Server Name Indication (SNI) with Encrypted Client Hello (ECH).
Install Ublock Origin (Lite)
Important: Using Ublock Origin (Lite) in conjunction with other adblockers or privacy extensions is discouraged, as it can lead to conflicts. If your browser will not transition to Manifest V3, you can stick with uBlock Origin, unlike uBlock Origin Lite, which is designed to comply with the more restrictive MV3.
Ublock Origin (Lite) is a CPU and memory efficient browser extension that blocks ads, trackers, and malware.
Quad9 DNS
Quad9 is a free DNS recursive service designed to enhance internet security and privacy. By replacing your default DNS, it blocks access to known malicious domains using real-time threat intelligence from over two dozen cybersecurity sources. This service helps protect against malware, phishing, spyware, and botnets while ensuring user privacy by not logging IP addresses and adhering to GDPR standards. Operated by the Swiss-based Quad9 Foundation, Quad9 aims to create a safer internet environment. It is easy to use, requiring no signup or personal data, and can be configured on individual devices or entire networks.
User Account Control Settings
Press the Windows key on your keyboard or click on the Windows icon in the taskbar.
Type "Control Panel" in the search bar and click on the "Control Panel" app that appears.
In the Control Panel, click on "User Accounts."
Click on "User Accounts" again.
In the User Accounts section, click on "Change User Account Control settings."
Information: For guidance on launching secpol.msc or gpedit.msc, please consult the provided tips.
Harden User Account Control
Requirement: Windows Pro
Local Security Authority Protection
Requirement: Windows Pro
Force Lsass To Run As Protected Process
Navigate to Computer Configuration \ Administrative Templates \ System \ Local Security Authority.
Virtualization Based Security
Requirement: Windows Pro
Turn On Virtualization Based Security
Navigate to Computer Configuration \ Administrative Templates \ System \ Device Guard.
Information: Machine Identity Isolation and Credential Guard do not protect local accounts or Microsoft (Live) accounts. They are designed for machine and user accounts in an Active Directory (AD) environment, where authentication relies on Kerberos or NTLM. Local accounts authenticate via the Security Account Manager (SAM), and Microsoft accounts use OAuth-based cloud authentication, neither of which are secured by these features.
Kernel Mode Hardware-enforced Stack Protection
Turn On Kernel Mode Hardware-enforced Stack Protection
Enabling Kernel Mode Hardware-enforced Stack Protection through Windows Security is safer because it checks for compatibility before applying the setting, reducing the risk of boot loops or crashes.
Turn On Bitlocker
Requirement: Windows Pro
Force AES-256 Encryption On Bitlocker
Navigate to Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption.
Turn On Bitlocker
Turn On Pre-Boot Authentication
Requirement: Windows Pro
Navigate to Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives.
Important: For this feature to function properly, you should always shut down or hibernate the device before it leaves the control of an authorized user.
Open the Command Prompt as an administrator. You can do this by right-clicking on the Start menu button and selecting "Terminal (Admin)".
Type "manage-bde -status" in the Command Prompt window and hit Enter. This command will display the current status of BitLocker on your system.
Type "manage-bde -protectors -add C: -TPMAndPIN" and hit Enter. This command will add a TPM and PIN protector to the BitLocker-protected drive.
Enter your preferred PIN when prompted, and confirm it. Make sure your PIN is at least 6 digits long and avoid using easily guessable numbers, such as your birth year or phone number.
After setting the PIN, type "manage-bde -status" again to verify that the TPM and PIN protector has been added successfully.
Harden Pre-Boot Authentication
Restart your computer to complete the process. When your computer restarts, it will prompt you to enter the PIN to unlock the BitLocker-protected drive.
Account Lockout Threshold
Requirement: Windows Pro
Important: Ensure that your Bitlocker recovery key is at hand, should you surpass the number of permitted unsuccessful login attempts.
Encrypt Folder/Files With Encrypting File System (EFS)
Requirement: Windows Pro
Encrypt Appdata Folder
Go to the AppData folder by pressing the Windows key + R on your keyboard, then typing "%USERPROFILE%\AppData" (without quotes) in the Run box and pressing Enter.
Once you're in the AppData folder, click on the empty space. Right-click the empty space and select "Properties" from the context menu.
In the Properties window, click on the "Advanced" button located at the bottom of the General tab.
In the Advanced Attributes window, check the box next to "Encrypt contents to secure data", and then click on the "OK" button.
You'll be prompted to choose whether you want to encrypt just the folder or the folder and its contents. Select "Apply changes to this folder, subfolders and files", then click on the "OK" button.
If you have files in the folder that are currently in use by other programs, you'll be prompted to close those programs before proceeding with the encryption process. Close any programs that are using files in the folder, and then click on the "Retry" button.
Click on the "Apply" button in the Properties window to start the encryption process. Depending on the size of the folder and its contents, this process may take some time to complete.
Once the encryption process is complete, the folder and its contents will be protected with AES-256 encryption algorithm. Only users who have the original account password will be able to access the encrypted data.
Encrypt User Folders
Right-click on the user folder that you want to encrypt, and then select "Properties" from the context menu that appears.
In the Properties window, click on the "Advanced" button located at the bottom of the General tab.
In the Advanced Attributes window, check the box next to "Encrypt contents to secure data", and then click on the "OK" button.
You'll be prompted to choose whether you want to encrypt just the folder or the folder and its contents. Select "Apply changes to this folder, subfolders and files", then click on the "OK" button.
If you have files in the folder that are currently in use by other programs, you'll be prompted to close those programs before proceeding with the encryption process. Close any programs that are using files in the folder, and then click on the "Retry" button.
Click on the "Apply" button in the Properties window to start the encryption process. Depending on the size of the folder and its contents, this process may take some time to complete.
Once the encryption process is complete, the folder and its contents will be protected with AES-256 encryption algorithm. Only users who have the original account password will be able to access the encrypted data.
Use 1Password
Information: To access additional details about the security measures implemented by 1Password, please refer to the 1Password Security, Secret Key Security, and Secure Remote Password.
1Password employs a robust security model designed to ensure the safety and privacy of user data. It uses end-to-end encryption, meaning that only the user holds the keys to decrypt their data, protected with 256-bit AES encryption and PBKDF2 key strengthening. The data is further secured with a Secret Key combined with the user's account password. Additional features such as automatic clipboard clearing, code signature validation, auto-lock, and Watchtower vulnerability alerts provide layered security. 1Password also emphasizes transparency by using open standards and undergoing regular independent security audits, making it a reliable tool for safeguarding sensitive information.
Backup With Cloud Storage
Dropbox
Open your web browser and navigate to the Dropbox website.
Sign up or log in:
If you don't have a Dropbox account, click "Get Started" to create one.
If you already have an account, log in.
Consider subscribing to the Dropbox Plus plan for enhanced security features like remote wipe, folder rewind, and vault, which help safeguard your data.
Download Dropbox: After signing in, download the sync software by clicking the download here.
Run the installer: Once the download is complete, find the file (usually in your "Downloads" folder) and double-click it to start the installation.
Install Dropbox: Follow the on-screen instructions to complete the installation on your computer.
Set up Dropbox: After installation, choose the location for your Dropbox folder on your computer. The default location is in your user directory. It is recommended to keep it in the default location.
Important: Do not use Dropbox's built-in method to sync user folders like "Downloads" or "Documents." Instead, follow the more effective syncing method described below.
Sync User Folders With Dropbox
Open File Explorer by pressing the Windows key + E.
Navigate to your Dropbox folder.
Create a new folder inside your Dropbox folder and name it "PC".
Inside the "PC" folder, create five subfolders and name them "Documents", "Downloads", "Pictures", "Music", and "Videos".
To change the location of your original user folders, right-click on each folder (such as "Documents" or "Pictures") in the left pane of File Explorer and select "Properties".
In the Properties window, click the "Location" tab and then click the "Move" button.
Navigate to the corresponding folder you just created in your cloud storage ("PC/Documents" for "Documents", for example) and select it.
Click "Apply" to confirm and then "OK" in the Properties window to save the changes.
Repeat these steps for each user folder you want to sync with Dropbox.
Everything in those folders will now be synced to your cloud storage, including any new files you add or changes you make.
To further protect your files, you may want to consider encrypting the whole cloud storage folder with Encrypting File System (EFS).
Requirement: Windows Pro
Right-click on the Dropbox folder in File Explorer and select "Properties".
Click the "Advanced" button and then check the box for "Encrypt contents to secure data".
Click "OK" to save the changes.
Cloudmounter
Information: It’s advisable to secure your highly sensitive data using encryption tools like CloudMounter or Cryptomator before uploading it to Dropbox. My personal preference leans towards CloudMounter over Cryptomator, as it allows me to select the specific folders I wish to encrypt.
CloudMounter is a utility that allows Windows users to mount various cloud storage services, such as Dropbox, Google Drive, Microsoft OneDrive, Amazon S3, and WebDAV, as local drives on their computers. This integration enables users to manage, upload, and download files directly from File Explorer without needing to store the files on their hard drive, thus saving space. Additionally, CloudMounter supports FTP, SFTP, and FTPS protocols, offers file encryption for enhanced security, and provides seamless access to online files as if they were local, making it a versatile and convenient tool for managing cloud storage.
Block Common Malware
Folder Guard
Folder Guard is a powerful security tool that controls access to your files and folders. It can make them read-only, hidden, or appear empty to unauthorized users and programs. It is highly effective in protecting browser data from info stealers—malicious software that targets personal details like usernames, passwords, and credit card information. Folder Guard allows exclusive access to sensitive browser data, preventing external access attempts. It also offers ransomware protection, keeping your files safe from encryption, modification, or deletion.
Protect The Boot Chain
Open an elevated command prompt by right-clicking the Windows Start button and selecting "Terminal (Admin)."
In the command prompt, type "reagentc /disable" and press Enter. This command disables Windows Recovery.
Restart your computer and enter the BIOS or UEFI settings by pressing the appropriate key during startup.
Password protect your computer's BIOS or UEFI settings. Look for the security or password section of the BIOS/UEFI settings, and follow the prompts to set a password.
Disable other booting methods, such as booting from CD/DVD, USB drives, or external hard drives. This prevents unauthorized users from booting the computer with a different operating system or bootable device.
Set the boot sequence to boot only from the hard drive that contains the operating system.
Save the settings and restart your computer. Your computer will now be more secure, as unauthorized users will not be able to boot from external devices or modify the BIOS/UEFI settings without the password.