This blog will walk you through configuring a Windows computer from the ground up for security and stability. This configuration will make you virtually impervious to viruses you don’t actively try to install yourself, and will help constrain any malicious code that does get on your computer.
Pretty much all of this is free, and any mentions of products in this guide are completely uncompensated.
Section A: The Ground Up
The best thing to do is start from the bare hardware and install Windows 10 from scratch with UEFI, TPM, and SecureBoot turned on. If you don’t want to do that, skip to Section B. Any retail computer purchased with Windows 8.1 onward will already have these turned on.
1.) Update BIOS
For best compatibility and security you should update your computer’s BIOS. A modern BIOS (really UEFI) is a full operating system that runs below and at the same time as Windows, and it needs patches too. People who built computers in the early 2000s will tell you BIOS updates are risky, and they were, but not anymore. They deliver fixes, features, and security updates you won’t hear about on the news.
Even new computers/motherboards need updates. If you’re starting from scratch, do the BIOS update after installing Windows 10.
You can find the BIOS update tool on your manufacturer’s driver page for your computer model. You will need to reboot for it to take effect. If you have a Surface, BIOS updates are delivered through Windows Update.
2.) Prepare Windows Bootable Media
Make sure everything is backed up before proceeding. The following changes will wipe your Windows installation.
3.) Configure BIOS
This is important and is something nobody talks about.
As your computer starts, press the setup hotkey to get into SETUP mode. It may be F1, F2, F8, F10, Del, or something else.
In the BIOS:
- Set a setup password. Make it simple; this is only to prevent malicious modification by someone in front of the computer or by a program trying to corrupt it.
- Change boot to/prioritize UEFI. Disable everything except UEFI DVD, UEFI HDD, and USB UEFI if you plan on using a USB stick to install Windows.
- Enable the TPM (if available) and SecureBoot (if available) options. This is super important.
- Disable 1394 (FireWire) and ExpressCard/PCMCIA (if you’re on a laptop) as a layer to further mitigate DMA attacks. This isn’t as important anymore, but if you don’t use them you might as well turn them off.
- If you want, and if the computer offers it, you can enable a System and HDD password. We will be using BitLocker to protect the disk, but this is an extra layer you can add if you want. I don’t.
- If you don’t use the webcam or microphone, you may be able to turn them off in the BIOS.
Save settings and shut down.
4.) Install Windows 10
Insert your DVD/USB. Boot the computer and use the boot menu hotkey to boot to your UEFI DVD or UEFI USB. The hotkey is often F12.
Follow the prompts and install Windows. If it gives you an option of where to install Windows to, and there’s already a partition, delete the partition first.
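Once Windows is installed, you can confirm from an elevated PowerShell prompt that the firmware settings from step 3 actually took effect. The script below is an added example, not part of the original post; the function name `Test-FirmwareBaseline` is made up for illustration, while the cmdlets it calls ship with Windows 10.

```powershell
#Requires -RunAsAdministrator
# Added example: checks that UEFI boot, Secure Boot and the TPM (step 3) are in effect.

function Test-FirmwareBaseline {
    $results = [ordered]@{}

    # Boot mode as seen by Windows: Uefi or Bios.
    $fw = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
    $results['UEFI boot'] = ($fw -eq 'Uefi')

    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws
    # on legacy-BIOS systems, so an exception is treated as "not enabled".
    try   { $results['Secure Boot'] = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $results['Secure Boot'] = $false }

    # The TPM has to be present and ready before BitLocker can use it.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $results['TPM present'] = [bool]$tpm.TpmPresent
        $results['TPM ready']   = [bool]$tpm.TpmReady
    } catch {
        $results['TPM present'] = $false
        $results['TPM ready']   = $false
    }
    return $results
}

$baseline = Test-FirmwareBaseline
foreach ($check in $baseline.GetEnumerator()) {
    $status = if ($check.Value) { 'OK  ' } else { 'FAIL' }
    Write-Host "[$status] $($check.Key)"
}

# Firmware version and date, to compare with the manufacturer's driver page (step 1).
Get-CimInstance -ClassName Win32_BIOS |
    Select-Object Manufacturer, SMBIOSBIOSVersion, ReleaseDate | Format-List

# Non-zero exit code if any check failed, so the script can be used in automation.
if ($baseline.Values -contains $false) { exit 1 }
```

Any line marked FAIL means the matching BIOS option from step 3 is off or not available on that hardware.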
Keep an eye out for Part 2
For more information on all our services, please visit our website @ http://www.cans.scot