Securing Your PC

3thixs, How-To
Back

1. Update BIOS

For best compatibility and security you should update your computer's BIOS. A modern BIOS (really UEFI) is a full operating system that runs below and at the same time as Windows, and needs patches too! People who built computers in the early 2000's will tell you BIOS updates are risky - and they were - but not anymore. These updates deliver fixes, features, and security updates you won't ever hear on the news.

Even new computers/motherboards need updates. If you're starting from scratch, do the BIOS update after installing Windows 10.

2. Configure BIOS

This part is important and is something nobody ever talks about. From the boot of your computer, press the setup hotkey. It may be F1, F2, F8, F10, Del, or something else to get into SETUP mode. Again BACKUP YOUR COMPUTER.

In the BIOS:

Set a setup password. Make it simple, this is only to prevent malicious modification by someone in front of the computer or by a program trying to corrupt it.

Change boot to/prioritize UEFI. Disable everything except UEFI DVD, UEFI HDD, and USB UEFI if you plan on using a USB stick to install Windows.

Enable the TPM (if available) and SecureBoot (if available) options. This is super important.

Disable 1394 (FireWire) and ExpressCard/PCMCIA (if you're on a laptop) as a layer to further mitigate DMA attacks. This isn't as important anymore, but if you don't use them you might as well turn it off.

Save settings and shut down.

3. Update Windows 10

In Start > Settings > Update, continue updating and rebooting Windows until there's nothing left. I usually wait until this is done before I start installing stuff.

4. Set UAC to full

Listen to me. UAC is a critical security control that has vast impacts you can't see. It is not computer bubblewrap. It exists for very important reasons. You aren't cool for turning it off.

Follow these instructions to set UAC to the highest option, "Always notify me." Anything less allows any malware to instantly elevate to administrator level permissions. UAC isn't magic, but it's a layer you want to use.

5. Enable Drive Encryption

If you have Windows 10 Home: Start > Settings > System > About Look for the "Device encryption" setting at the bottom of the About pane. If it's not there, your computer does not support the limited encryption feature that Home supports. You should upgrade to Windows 10 Pro or set a HDD password in your BIOS if your computer supports it. Depending on model of drive, HDD password will provide less protection than BitLocker.

If you have Windows 10 Pro: Right-click on Start > Control Panel > BitLocker Drive Encryption > Turn on BitLocker

If it says you don't have a TPM, here's how to use BitLocker without a TPM.

This section is dedicated to installing and configuring a 3rd-party browser. Chrome remains the premiere browser with impressive security. I use both Chrome and Firefox. You should choose what you prefer. Either is a great choice.

6.1 Install Google Chrome x64

Until recently, installing Chrome the normal way would give you a per-user install. This means the Chrome executables and shortcuts are in your user profile and can be modified by a malicious program without elevation. Additionally, although Chrome should have auto-updated to the much more resilient 64-bit version of Chrome automatically, but it’s a good idea to make sure both of these things are fixed.

On this page, click "Chrome MSI for Windows 64‑bit" and install.

You don't have to uninstall what you're running right now, everything will be silently ported over.

6.2 Install Firefox x64

Again, Firefox is a great choice for a browser. You should ensure you’re using Firefox 64-bit.

7. Content blocker: uBlock Origin

The majority of threats to users come through malicious advertisements displayed on mainstream websites. Or someone you care about could get a false pop-up saying their computer is infected, and get tricked into calling a scam tech support company.

uBlock Origin is the fastest, most complete, and most reputable “ad-blocking” software available.

8. Firewall: Glass Wire or OpenSnitch for Mac OS

Personal Firewalls such as these monitor all data incoming and outgoing and display it for you in the GUI. You can start blocking connections if you don't recognize them and/or you can block everything and start allowing connections as you go following the zero trust model.

9. PC Cleaner: BleachBit

When your computer is getting full, BleachBit quickly frees disk space. When your information is only your business, BleachBit guards your privacy. With BleachBit you can free cache, delete cookies, clear Internet history, shred temporary files, delete logs, and discard junk you didn't know was there. It wipes clean thousands of applications including Firefox, Adobe Flash, Google Chrome, Opera, and more. Beyond simply deleting files, BleachBit includes advanced features such as shredding files to prevent recovery, wiping free disk space to hide traces of files deleted by other applications, and vacuuming Firefox to make it faster.

10. Shut Down

I know this may seem silly but this will be the best thing you can do if you aren't using your computer. It's hard to attack something that isn't online.

© 3thixs