Configuring a Windows computer from the ground up for security and stability – Part 2: Into The Breach

1.) Update Windows 10

In Start > Settings > Update, continue updating and rebooting Windows until there’s nothing left. I usually wait until this is done before I start installing stuff.

2.) Set UAC to full

Listen to me. UAC is a critical security control that has vast impacts you can’t see. It is not computer bubblewrap. It exists for very important reasons. You aren’t cool for turning it off.

Follow these instructions to set UAC to the highest option, “Always notify me.” Anything less allows any malware to instantly elevate to administrator level permissions. UAC isn’t magic, but it’s a layer you want to use.

3.) Enable Drive Encryption

If you have Windows 10 Home:

Start > Settings > System > About
Look for the “Device encryption” setting at the bottom of the About pane. If it’s not there, your computer does not support the limited encryption feature that Home supports. You should upgrade to Windows 10 Pro or set a HDD password in your BIOS if your computer supports it. Depending on model of drive, HDD password will provide less protection than BitLocker.

If you have Windows 10 Pro:

Right-click on Start > Control Panel > BitLocker Drive Encryption > Turn on BitLocker

Or why not use Veracrypt?

With SecureBoot, before your computer boots to Windows it verifies the OS hasn’t been corrupted with a bootkit that modifies Windows that lets a virus run hidden. 3rd party encryption tools break this chain of trust that flows from UEFI to Windows bootloader to BitLocker. This chain of trust is critical for preventing an entire category of attack against Windows. This is not theoretical, this stops real-life attacks.

For more info visit http://www.cans.scot

Configuring a Windows computer from the ground up for security and stability

This blog will walk you through configuring a Windows computer from the ground up for security and stability. This configuration will make you virtually impervious to viruses you don’t actively try to install yourself, and will help constrain any malicious code that does get on your computer.

Pretty much all of this is free, but any mentions of products in this guide are completely un-compensated.

Section A: The Ground Up

The best thing to do is start from the bare hardware and install Windows 10 from scratch with UEFI, TPM, and SecureBoot turned on. If you don’t want to do that, skip to Section B. Any retail computer purchased with Windows 8.1 will already have these turned on.

1.) Update BIOS

For best compatibility and security you should update your computer’s BIOS. A modern BIOS (really UEFI) is a full operating system that runs below and at the same time as Windows, and it needs patches too. People who built computers in the early 2000’s will tell you BIOS updates are risky, and they were, but not anymore. They deliver fixes, features, and security updates you won’t hear about on the news.

Even new computers/motherboards need updates. If you’re starting from scratch, do the BIOS update after installing Windows 10.

You can find the BIOS update tool on your manufacturer’s driver page for your computer model. You will need to reboot for it to take effect. If you have a Surface, BIOS updates are delivered through Windows Update.

2.) Prepare Windows Bootable Media

To get ready to install Windows 10 64bit on the bare hardware, use Microsoft’s Media Creation Tool to create a bootable DVD or USB stick.

Make sure everything is backed up before proceeding. The following changes will wipe your Windows installation.

3.) Configure BIOS

This is important and is something nobody talks about.

From the boot of your computer, press the setup hotkey. It may be F1, F2, F8, F10, Del, or something else to get into SETUP mode.

In the BIOS:

  • Set a setup password. Make it simple, this is only to prevent malicious modification by someone in front of the computer or by a program trying to corrupt it.
  • Change boot to/prioritize UEFI. Disable everything except UEFI DVD, UEFI HDD, and USB UEFI if you plan on using a USB stick to install Windows.
  • Enable the TPM (if available) and SecureBoot (if available) options. This is super important.
  • Disable 1394 (FireWire) and ExpressCard/PCMCIA (if you’re on a laptop) as a layer to further mitigate DMA attacks. This isn’t as important anymore, but if you don’t use them you might as well turn it off.
  • If you want, and if the computer offers it, you can enable a System and HDD password. We will be using BitLocker to protect the disk, but this is an extra layer you can add if you want. I don’t.
  • If you don’t use webcam or microphone, you may be able to turn them off in the BIOS

Save settings and shut down.

4.) Install Windows 10

Insert your DVD/USB. Boot the computer and use the boot menu hotkey to boot to your UEFI DVD or UEFI USB. The hotkey is often F12.

Follow the prompts and install Windows. If it gives you an option of where to install Windows to, and there’s already a partition, delete the partition first.

Look out for Part 2 next Wednesday

For more information on all our services, please visit our website @ http://www.cans.scot

How To Improve The Speed Of Your Work Computers

Nothing can slow a business down more than lagging computer systems. Whether you work in an office or are out on the road, in the digital age that we all live in, the chances are that you rely heavily on computer. Consequently, if work computers aren’t up to scratch in the speed department, it can massively impact on the business’s productivity.

We rely on fast computers as much as any business and we want to share with you the many ideas we use to keep our systems performing at their optimum.

MINIMISE THE NUMBER OF ITEMS THAT RUN ON STARTUP

If your computer is taking a long time to start up, the first port of call is to reduce the number of applications that you have selected to launch automatically when you power up your device.

The way in which you do this will vary according to your operating system. For Windows, all you need to do is click on the Windows button, select “run” and then type “msconfig.” Once you have done this, select the startup tab and select which applications you definitely need to open on startup, like antivirus software.

REMOVE UNWANTED PROGRAMS

Alongside preventing a multitude of applications and programs running on your computer on startup, you’ll also want to take a closer look at which programs you actually use.

If you have applications on your system that you no longer need, get into the habit of removing them. All they are doing is eating up your precious memory and weighing your system down.

USE MICROSOFT FIX IT

If you are a Microsoft user, it’s time to get familiar with the Microsoft Fix It tool. This free tool helps Windows 7 users (and earlier) to clean up and perform any straightforward maintenance tasks.

CHECK YOUR INTERNET BROWSER

We’re sorry Internet Explorer users, but if you are still stuck in the times of IE, now is the time to upgrade! Browsers like Google Chrome and Firefox are faster and have far fewer bugs, so you should instantly notice a positive change in your speed once you switch browsers.

Let’s make the Google Chrome download the last thing you ever do on IE.

SCAN FOR AND REMOVE MALWARE

Malware can harm your computer system in a number of different ways, but the most common is to greatly reduce speed and overall performance.

Make sure that you scan your system regularly, and as soon as you identify any suspicious malware, it is essential that you remove it as soon as possible.

There are a number of both free and paid for antivirus software packages, so make sure that you search around for the right option for your business. If you run a company with multiple employees, a paid for system that provides multiple licenses and allows for automatic scheduled scanning is the best way to go.

MAKE ADJUSTMENTS FOR HIGHER PERFORMANCE

If increased performance is your highest priority and you don’t mind losing minor visual effects, like mouse shadows, then you can adjust your system settings to get its priorities right.

By navigating to the “system properties” area of your computer you’ll be able to automatically adjust your settings for best performance. Furthermore, lowering your screen resolution can speed your system up and reduce the battery life of laptops.

ADD MORE RAM

So far we have covered software changes that you can make to improve the speed of your computer, but you can also do a few physical hardware changes as well. The most successful we have found is to increase the amount of RAM.

We have found that as machines age, you can extend their lifespan and overall performance by increasing the amount of RAM. Adding more RAM is more affordable than paying out for a completely new computer system, so this decision makes sense from a business and economics perspective.

Let us know how you get on!

For more info see our website @ http://www.cans.scot