
Security recommendations for Windows users

Chapter 1: Basic OS protections

  1. Change (or create) a password for the current user:
    1. Ctrl+Alt+Del --> Change password
  2. Create a non-admin user and sign in to the system only as that non-admin user:
    1. Open Run prompt: ctrl+R
    2. Open User Accounts: netplwiz.exe
    3. Create new user with password
  3. Ensure UAC is up and running:
    1. Open Run prompt: ctrl+R
    2. useraccountcontrolsettings
    3. Set the maximum notification level (Always notify)
    4. Click OK to save the changes
  4. Turn on Windows Update; at a minimum, security updates should be checked for and installed daily and automatically:
    1. Open Run prompt: ctrl+R
    2. Open Update Manager: wuapp
    3. Click "Change settings"
    4. Choose "Install updates automatically"
    5. Click "OK"
  5. Uninstall all unknown and unnecessary applications:
    1. Open Run prompt: ctrl+R
    2. Open Remove Programs Wizard: appwiz.cpl
    3. Review installed applications:
      • You will probably want to keep some applications; look for Microsoft Corporation in the Publisher column. For example, I have the following applications:
        • Microsoft Visual C++...
        • Microsoft Office
        • Microsoft Silverlight
    4. Uninstall Java unless you know exactly what you're doing
      • Additionally, make sure to delete the "npDeployJava1.dll" file; try searching for it on the C: drive
      • At a minimum, disable Java in the browser: open the Java Control Panel, go to the Security tab and uncheck "Enable Java content in the browser"
    5. Uninstall Adobe Flash if you're going to use Google Chrome only. Chrome has a built-in Flash player
    6. Delete everything you don't want or don't use often. If you plan to use an application "someday", it is better to install it "someday" as well and keep the current system clean
  6. Configure Firewall:
    1. To open Search, press the "win" key (or win+q on Win8)
    2. Search for "Windows Firewall" and open it
    3. Open "Change notification settings"
    4. Make sure to choose "Turn on Windows Firewall" and "Notify me when Windows Firewall blocks a new app" for all available networks
    5. Open "Advanced Settings"
    6. Review Inbound and Outbound rules:
      1. You can click "Inbound rules" and "Outbound rules" in the left panel and use "Filter by state --> Filter by enabled" to shorten the list you have to review
      2. Look at the "Name" and "Program" columns to determine what each application is
      3. Ignore the system programs named below ("Program" column); let's assume they are fine and are the minimum you want to allow:
        • System
        • %SystemRoot%\system32\dashost.exe
        • %SystemRoot%\system32\mdeserver.exe
        • %SystemRoot%\system32\proximityuxhost.exe
        • %SystemRoot%\system32\spoolsv.exe
        • %SystemRoot%\system32\svchost.exe
        • %SystemRoot%\system32\WUDFHost.exe
        • %SystemRoot%\system32\lsass.exe
      4. Try to disable everything except the list above and your known applications that need the access. For example, if you have installed some app and don't know why it's in the list (which means the application goes to the Internet), disable it! If something stops working, it is safer to enable it again later if required
  7. Enable Anti-virus and review the Security configuration:
    1. To open Search, press the "win" key (or win+q on Win8)
    2. Search for "Action Center" and open it
    3. Click "Change Action Center settings"
    4. It is best to activate everything and keep track of the messages
    5. Click "Windows SmartScreen Settings" and choose the recommended setting: "Get administrator approval before running..."
    6. Activate all functions in the Security section. You probably cannot activate "Network Access Protection agent", but this is OK: it works only in domain networks
    7. Make sure that the following are activated:
      • Network Firewall is ON
      • Windows Update is ON
      • Virus Protection is ON
      • Spyware and unwanted software protection is ON
      • Internet Security Settings is OK
      • User Account Control is ON
      • Windows SmartScreen is ON
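
The firewall review from step 6 and the UAC level from step 3 can also be checked from a PowerShell prompt on Windows 8 or later. This is an added example, not part of the original gist; the function names are hypothetical, the baseline is the "Program" list from step 6, and the checks only read settings.

```powershell
# Added example, not from the original gist. Read-only checks for Windows 8+
# (PowerShell 3+). Function names are hypothetical.

# "Program" values the guide accepts as the minimum (step 6, rule review).
$BaselinePrograms = @(
    'System'
    '%SystemRoot%\system32\dashost.exe'
    '%SystemRoot%\system32\mdeserver.exe'
    '%SystemRoot%\system32\proximityuxhost.exe'
    '%SystemRoot%\system32\spoolsv.exe'
    '%SystemRoot%\system32\svchost.exe'
    '%SystemRoot%\system32\WUDFHost.exe'
    '%SystemRoot%\system32\lsass.exe'
) | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }

function Get-UnreviewedFirewallRule {
    # Enabled Allow rules whose program is outside the baseline list.
    param([ValidateSet('Inbound', 'Outbound')][string]$Direction = 'Inbound')
    Get-NetFirewallRule -Enabled True -Direction $Direction -Action Allow | ForEach-Object {
        $rule = $_
        $program = ($rule | Get-NetFirewallApplicationFilter).Program
        $expanded = [Environment]::ExpandEnvironmentVariables([string]$program)
        if ($BaselinePrograms -notcontains $expanded) {   # -notcontains ignores case
            [pscustomobject]@{ Name = $rule.DisplayName; Program = $program; Profile = $rule.Profile }
        }
    }
}

function Get-WeakFirewallProfile {
    # Profiles where the firewall is off or "notify when blocked" is not on (step 6.4).
    Get-NetFirewallProfile |
        Where-Object { $_.Enabled -ne 'True' -or $_.NotifyOnListen -ne 'True' } |
        Select-Object Name, Enabled, NotifyOnListen
}

function Test-UacAlwaysNotify {
    # "Always notify" = EnableLUA 1, ConsentPromptBehaviorAdmin 2, PromptOnSecureDesktop 1.
    $p = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    ($p.EnableLUA -eq 1) -and ($p.ConsentPromptBehaviorAdmin -eq 2) -and ($p.PromptOnSecureDesktop -eq 1)
}

Get-WeakFirewallProfile
Get-UnreviewedFirewallRule -Direction Inbound  | Sort-Object Program
Get-UnreviewedFirewallRule -Direction Outbound | Sort-Object Program
"UAC at Always notify: $(Test-UacAlwaysNotify)"
```

Every rule it lists is a candidate for the "disable it unless you know why it is there" review in step 6; rules whose Program is "Any" are listed too, because they are not tied to a known executable.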

Conclusion

From now on, the only thing you need to do is be Extremely Careful and Watch UAC/SmartScreen Pop-Ups attentively!!!

Deny everything you're not sure about.

All security depends only on what you allow the system to do.

Chapter 2: Web protection

This chapter assumes you like Google Chrome and use it as your default browser. Let's protect your web surfing!

  1. Secure Flash Player (if you didn't delete it yet!):
    1. To open Search, press the "win" key (or win+q on Win8)
    2. Search for "Flash Player" and open it
      1. On the "Storage" tab choose either "Block all sites from storing information on this computer" or "Ask me before allowing new sites to save information on this computer"
        1. Review the information already saved by clicking "Local Storage Settings by Site", or just click "Delete All"
      2. On the "Updates" tab choose "Allow Adobe to install updates"
      3. Review the configuration on the other tabs
  2. Open Google Chrome browser:
    1. Go to the settings
    2. Click "Show advanced settings"
    3. Under the Privacy section, make sure "Enable phishing and malware protection" is enabled
    4. Under "Passwords and forms" uncheck "Offer to save your web passwords". You need to use a password manager to save your passwords. If you have money, your choice is 1Password; if you have no money, use LastPass
    5. Install and activate the following extensions:
      • Adblock Plus: works out of the box
      • KB SSL Enforcer: if something on a site looks weird and half-loaded, click Ignore on the extension icon. This happens because some sites have HTTPS running but unconfigured. Ignoring turns off HTTPS enforcement for that particular domain
      • ScriptSafe: you need to allow every domain ScriptSafe doesn't know about. Usually, if you want to play it safe, choose Temp to allow a particular domain temporarily. You can choose Allow if you trust the domain and are sure it will not harm you in the future. Choose Trust only if you TRUST the WHOLE domain. For example, choosing Trust on apps.google.com enables all scripts on the whole *.google.com domain, whereas choosing Allow permits exactly apps.google.com and not mail.google.com
      • Hola: a temporary solution until we build a proper VPN. Choose Singapore as the country to surf from
      • Remove all extensions you're not using
  3. Don't use the same password on different resources! Use a password manager to create a safe, long and different password for each login name on each login page
  4. Look at the domain/site name carefully when you're about to follow a link or allow scripts on a page. You have to see exactly the name you expect to go to. For example, you can receive a phishing link that looks like https://www.gogle.co.th/search?q=sadsad&oq=sadsad&aqs=chrome..69i57j0l5.639j0j7&sourceid=chrome&es_sm=93&ie=UTF-8 Look at www.gogle.co.th <-- notice there is only one o in the name. A link like that can be a phishing site. The most dangerous part is that the site can look exactly the same as the original and will usually try to get your password. A password manager also helps here, because it remembers the passwords related to each domain. It will not offer you a password on a phishing page because the domain is different. You need to pay attention and not enter your passwords everywhere
  5. Pay attention to the color of the https sign to the left of the site name. A green lock sign guarantees that the page is real. If the sign is red, something is wrong; don't trust such sites.
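
The domain check from item 4, written out as an added example that is not part of the original gist: an exact host match is what a password manager relies on, and a host within a couple of character edits of a known one is flagged as a lookalike. The function names and the list of known hosts are hypothetical; the URL is a shortened form of the one in item 4.

```powershell
# Added example, not from the original gist. Function names are hypothetical;
# the known-host list is constructed for illustration.

function Get-EditDistance {
    # Levenshtein distance between two strings (case-sensitive).
    param([string]$A, [string]$B)
    $d = New-Object 'int[,]' ($A.Length + 1), ($B.Length + 1)
    for ($i = 0; $i -le $A.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $B.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $A.Length; $i++) {
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -ceq $B[$j - 1]) { 0 } else { 1 }
            $del = $d[($i - 1), $j] + 1
            $ins = $d[$i, ($j - 1)] + 1
            $sub = $d[($i - 1), ($j - 1)] + $cost
            $d[$i, $j] = [Math]::Min([Math]::Min($del, $ins), $sub)
        }
    }
    $d[$A.Length, $B.Length]
}

function Test-LoginHost {
    # 'match'     : host is exactly one you have credentials for
    # 'lookalike' : host differs from a known one by 1-2 characters
    # 'unknown'   : no stored host is close
    param([string]$Url, [string[]]$KnownHosts)
    $hostName = ([Uri]$Url).Host.ToLowerInvariant()
    if ($KnownHosts -contains $hostName) { return 'match' }
    foreach ($known in $KnownHosts) {
        if ((Get-EditDistance $hostName $known.ToLowerInvariant()) -le 2) {
            return "lookalike of $known"
        }
    }
    'unknown'
}

$knownHosts = @('www.google.co.th')   # constructed: hosts you have saved logins for
Test-LoginHost 'https://www.gogle.co.th/search?q=sadsad' $knownHosts
Test-LoginHost 'https://www.google.co.th/search?q=sadsad' $knownHosts
```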