Windows computers have a number of security features to protect your data. Unfortunately, they aren’t always turned on by default. This article details best practices – and in some cases, critical steps (!) that you should take to protect your data and business. And don’t worry, you don’t need to be an IT professional to enable these security settings.
Is Windows 10 secure? Yes, it can be! Almost all of the best practices listed below are free and quick to turn on. By not taking these steps, you are leaving your data and business vulnerable to cyberattacks and hackers. And if your business is in a highly regulated industry like financial services or healthcare, most of these steps are required or strongly recommended.
Are these steps necessary if you have a new Windows computer? Yes! Windows computers are not perfectly configured as soon as you open the box. Some of the default settings are for convenience’s sake. These best practices are quick to implement and will save you hours of headaches when you experience a breach or cyberattack (yes, sorry, that’s ‘when’ and not ‘if’).
You may have heard the phrase ‘harden a computer’ – so what does this mean? It means configuring the security settings. You are making it ‘hard’ for hackers to get in. Hardening your computers is how you can further protect your data and business.
Below are 12 best practices for securing Windows computers. If you have an IT firm, share this list with them to make sure your computer is properly configured. Never assume these settings are already enabled – it’s best to double check.
Encryption is a must-have. With it, anyone who steals your computer can’t access your data without your password. With no encryption, if you lose your computer, you have a reportable breach on your hands.
If you’re running Windows 10 Professional (or higher), simply follow these instructions to turn on “BitLocker,” the built in free encryption tool:
If you’re running Windows 10 Home or an older version of Windows, you really should update. There are other encryption programs out there, but they tend to be fairly technical and are not always reliable.
Be sure to store your encryption recovery key in a safe place. When you first set up encryption using BitLocker, you will be asked to create a Recovery Key. Save the recovery key in a safe place, like another computer, a filing cabinet, or securely in the cloud. We like to store ours in LastPass (https://www.lastpass.com/), our favorite password management tool.
Take a screenshot of BitLocker. When BitLocker is done encrypting your hard drive, take a screenshot (https://www.howtogeek.com/226280/how-to-take-screenshots-in-windows-10/) and save it for audit purposes. If your computer is ever lost or stolen, use the screenshot to prove that the computer is encrypted.
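An alternative to the screenshot that produces a dated audit record and an offline copy of the recovery key: the PowerShell below is an added example, not from the article, and assumes an elevated prompt on Windows 10 Pro (which ships the BitLocker module); the folder C:\BitLockerAudit is a placeholder.

```powershell
# Added example, not from the article: record BitLocker status for audit and
# export the recovery password so it can be stored somewhere safe. Run elevated.
$AuditDir = 'C:\BitLockerAudit'   # placeholder folder; change to suit
New-Item -ItemType Directory -Path $AuditDir -Force | Out-Null

$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

# VolumeStatus becomes FullyEncrypted once encryption finishes, and
# ProtectionStatus must be On: "encrypted but protection Off" means the
# key is stored in the clear and the data is not actually protected.
$report = [pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    Drive                = $vol.MountPoint
    VolumeStatus         = $vol.VolumeStatus
    ProtectionStatus     = $vol.ProtectionStatus
    EncryptionPercentage = $vol.EncryptionPercentage
    EncryptionMethod     = $vol.EncryptionMethod
    CheckedAt            = (Get-Date).ToString('s')
}
$report | Format-List
$report | Export-Csv -Path (Join-Path $AuditDir 'bitlocker-status.csv') -NoTypeInformation -Append

if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
    Write-Warning "$($vol.MountPoint) is not fully encrypted with protection On; the drive is not protected yet."
}

# Export the numerical recovery password(s). The file lands on the encrypted
# drive itself, which is useless in a recovery, so move it to your password
# manager or another machine and then delete this copy.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Write-Warning 'No recovery password protector found. Add one with:'
    Write-Warning "  Add-BitLockerKeyProtector -MountPoint $($vol.MountPoint) -RecoveryPasswordProtector"
} else {
    $keyFile = Join-Path $AuditDir "$env:COMPUTERNAME-bitlocker-recovery.txt"
    $recovery | ForEach-Object {
        "Computer: $env:COMPUTERNAME`r`nProtector ID: $($_.KeyProtectorId)`r`nRecovery Password: $($_.RecoveryPassword)`r`n"
    } | Set-Content -Path $keyFile
    Write-Host "Recovery password written to $keyFile; move it to safe storage, then delete this copy."
}
```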
This is something you definitely need to have in place. There is no single “best” backup approach. However, make sure you pick one that you’ll actually use. The best ones are completely automatic, and don’t require you to remember to do anything.
Make sure your computer is set up to always apply the latest security patches for your operating system.
Video instructions for turning on Windows updates: https://youtu.be/vD045mRlrwI
Follow these instructions for turning on Windows updates: https://support.microsoft.com/en-us/help/12373/windows-update-faq
Follow these instructions for turning on Microsoft Office updates: https://support.microsoft.com/en-us/help/2753538/automatic-updating-for-office-2013-and-office-2016-click-to-run-is-not
Unfortunately, auto-update only applies to your operating system (Windows), and not to the other programs you install. With our Virtual CISO offering, we provide a service that scans your computer for unpatched software. Here are the usual top offenders: anything Adobe, Zoom, and all browsers.
Delete unused programs -- you don’t have to patch what you don’t have. Once a quarter, go through your “Control Panel > Uninstall a Program” and uninstall any programs you no longer use. Video instructions: https://youtu.be/fK5RYb5wttY
Use antivirus -- free or paid, make sure you have an antivirus tool for your computer. All of them work fairly well these days, including the free Windows Defender (https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963) that comes with Windows 10.
If you’d like to see how your antivirus measures up, this site independently tests various antivirus tools: https://www.av-comparatives.org/dynamic-tests/
Get a web browsing antivirus tool, too -- hackers will try to get you to visit websites that install viruses or that try to steal your passwords. We like the service called DNS Filter that automatically blocks you from unknowingly visiting malicious websites.
Your computer should lock and require a password any time it is left unattended for more than 15 minutes.
Video instructions: https://youtu.be/w-SA3mJDqec
Follow these instructions to configure this: http://www.thewindowsclub.com/lock-computer-inactivity-windows-10
If your computer is ever lost or stolen, there is a chance that a good Samaritan will find it and try to return it. Use these instructions to put a message on your computer letting someone know how to reach you: https://lifehacker.com/add-a-custom-message-to-windows-10s-login-screen-with-y-1733970887
Video instructions: https://youtu.be/ynnq5ZDo1TE
In the event that a computer is lost or stolen, free utilities can help law enforcement to make a possible recovery. These systems aren’t foolproof, though, as they require an Internet connection. Make sure that these utilities are turned on, and test them once a quarter to make sure they’re still working.
Follow these instructions to enable Microsoft’s “Find My Device” service: https://support.microsoft.com/en-us/help/11579/microsoft-account-find-and-lock-lost-windows-device
Modern browsers (like Chrome and Firefox) allow users to install Extensions. These are utilities to add features that aren’t built into the browser. However, Extensions generally have full access to everything you do in your Internet browser. Using an insecure browser extension could lead to a data breach or an infection. It’s a good idea not to install an extension unless you’ve done some research to make sure it’s safe. Your best bet is to only stick with extensions provided by major vendors, or that have high ratings and many thousands of installations.
Computer user accounts with Administrator privileges should never be used for day-to-day computing. If an attacker gets access to an Administrator account, they have full control of everything on your computer. Set up “Standard” User Accounts for everyone who uses the computer.
Follow these instructions to set up a “Standard” user account, and start using it for your day-to-day work: https://support.microsoft.com/en-us/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10
If something bad happens on a computer, it’s critical that you know who was actually sitting in front of the computer when the bad thing happened. When you’re creating new user accounts, use real names (e.g., John Smith) instead of generic names (User1, Administrator2, etc.).
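The two account steps above (a named Standard account for daily work, and nobody using an Administrator account for it) in PowerShell, as an added example that is not from the article: it creates the account, makes sure it is not in Administrators, lists who is, and warns if the session you are running is itself elevated. The name "Jane Doe" is constructed; run from an elevated prompt, and the password is prompted for rather than written into the script.

```powershell
# Added example, not from the article: create a named Standard user and
# review which accounts hold Administrator rights. Run elevated.
$Name = 'Jane Doe'   # constructed example; use the person's real name

# Prompt for the password so it never ends up in a script file or shell history.
$Password = Read-Host -AsSecureString "Password for $Name"

if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $Name -FullName $Name -Password $Password | Out-Null
}
# "Users" membership only: a Standard account for day-to-day work.
Add-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction SilentlyContinue

# Make sure the account is not in Administrators, then list who is, so you
# can see at a glance whether any day-to-day accounts carry admin rights.
$admins = Get-LocalGroupMember -Group 'Administrators'
if ($admins.Name -contains "$env:COMPUTERNAME\$Name") {
    Remove-LocalGroupMember -Group 'Administrators' -Member $Name
    $admins = Get-LocalGroupMember -Group 'Administrators'
}
Write-Host "Accounts with Administrator rights on ${env:COMPUTERNAME}:"
$admins | Select-Object Name, PrincipalSource, ObjectClass | Format-Table -AutoSize

# Finally, check whether the session you are working in right now is elevated.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin) {
    Write-Warning "This session runs as an administrator ($($id.Name)); sign in as a Standard account for daily work."
}
```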
Make sure the firewall built into your computer is turned on. Follow these instructions: https://support.microsoft.com/en-us/help/4028544/windows-turn-windows-firewall-on-or-off
Video instructions: https://youtu.be/0a3ATET38ac
Be sure to confirm your firewall is working -- use this site to scan your computer: https://www.grc.com/x/ne.dll?bh0bkyd2. Click “Proceed,” then “All Service Ports.” If your firewall is working properly, the results should be all green.
This feature (User Account Control, or UAC) prompts you before a program can make administrator-level changes, which keeps you safe from hackers. Follow these instructions (https://articulate.com/support/article/how-to-turn-user-account-control-on-or-off-in-windows-10) and drag the slider all the way to the top.
Video instructions: https://youtu.be/uvZzYySTxvc
Make sure logging is turned on. In case you ever have a breach, you want to be able to figure out what happened. Your computer keeps logs that are critical for piecing together what happened. Follow these instructions to turn on security logging: https://docs.microsoft.com/en-us/windows/device-security/auditing/advanced-security-audit-policy-settings. We recommend enabling everything except File and Registry audit policies.
Keep logs as long as you can -- computers will log your activity for a set period of time. When the computer reaches a space limit, it will delete the old logs. Set your logs up so that they keep as much as possible for as long as you can. You’ll need them if something bad happens. Set the “maximum log size” as large as you can safely store, per these instructions: https://www.calcomsoftware.com/the-policy-expert-configuring-maximum-security-log-size/
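The firewall, UAC, the 15-minute lock, the audit policy (everything except file and registry auditing) and the log size above can all be set and verified from one elevated PowerShell session. This is an added example, not from the article; the 1 GB Security log size is an assumption, so adjust it to what the disk can hold. Changing EnableLUA takes effect after a reboot.

```powershell
# Added example, not from the article: apply and verify firewall, UAC,
# inactivity lock, audit policy and Security log size. Run elevated.

# --- Firewall: all three profiles on, inbound connections blocked by default ---
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize

# --- UAC: the slider at the top is "Always notify" ---
# EnableLUA=1 turns UAC on, ConsentPromptBehaviorAdmin=2 prompts for every
# elevation, PromptOnSecureDesktop=1 shows the prompt on the secure desktop.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $sys -Name EnableLUA -Value 1 -Type DWord
Set-ItemProperty -Path $sys -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
Set-ItemProperty -Path $sys -Name PromptOnSecureDesktop -Value 1 -Type DWord

# --- Lock the machine after 15 minutes (900 seconds) of inactivity ---
Set-ItemProperty -Path $sys -Name InactivityTimeoutSecs -Value 900 -Type DWord
Get-ItemProperty -Path $sys | Select-Object EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop, InactivityTimeoutSecs

# --- Audit policy: success and failure everywhere, minus file and registry auditing ---
auditpol /set /category:* /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"File System" /success:disable /failure:disable | Out-Null
auditpol /set /subcategory:"Registry" /success:disable /failure:disable | Out-Null
auditpol /get /category:*

# --- Security log: keep as much as the disk allows, overwrite oldest when full ---
$maxBytes = 1GB   # assumption: size this to your free disk space
wevtutil sl Security /ms:$maxBytes /rt:false
$log = Get-WinEvent -ListLog Security
"Security log: max {0:N0} MB, currently {1:N0} MB, mode {2}" -f ($log.MaximumSizeInBytes / 1MB), ($log.FileSize / 1MB), $log.LogMode
```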
Only connect to secure wifi connections. Follow these instructions (https://itstillworks.com/check-security-wireless-network-6167740.html) to check that your wifi connections are secure. If they’re not, work with someone to make them secure, or don’t use them.
As cyberattacks continue to improve and evolve, it’s super important to take steps to protect your data and business. Following our 12 best practices for securing Windows computers is a great starting point. Is Windows 10 secure? It absolutely can be, if you take the time to set up your computer properly. Your future self will thank you in the event of a cyberattack.
Setting up your Windows computers properly is just one part of good cybersecurity. Our Virtual CISO Service includes critical activities like vulnerability scanning, phishing training and tests, cloud service audits, domain/dark web/network monitoring and more. We work with 100 of the best financial services, healthcare and manufacturing companies in the US and would love to help you too!