Computer defense
January 12, 2016 10:04 AM

I'm getting a new computer (Windows 10). What are the current best practices in personal computer protection, starting from the beginning?

posted by the man of twists and turns to Computers & Internet (15 answers total) 40 users marked this as a favorite
From the Google security team's recent blog post, security experts’ top advice is:
  1. Install software updates
  2. Use unique strong passwords, and a password manager
  3. Use two-factor authentication
Notably absent is installing anti-virus software. Do use the built-in security software in Windows 10, but be wary of third-party software. Much of it has a long history of causing more security problems than it solves. There are some good ones out there, but do your research if you plan to install one.

I would add to this list:
  • Make regular automated back-ups of everything (to a USB hard drive, for example).
  • Use full-disk encryption. (Enabled by default in Windows 10, but be aware that it backs up the key to your Microsoft account. This is probably fine for protecting your data against common thieves, but maybe not against the FBI/NSA/etc.)
  • Enable features that let you find your device if it’s lost or stolen.
  • If you install Flash Player or other browser plugins, make them click-to-play instead of allowing every web site to run them automatically.
Lastly, all these security measures can be broken by you if someone tricks you into giving away your credentials over the phone or email. Be aware of common scams, and don’t download and run software except from the most trusted sources.
posted by mbrubeck at 10:46 AM on January 12, 2016


Not much has changed to be honest, there is some good advice out there but a lot of it goes completely overboard for the majority of people:

Don't bother with a virus checker, Windows 10 has one already.
Keep Windows updated, if you're using Windows 10 Home then it'll force you to stay updated whether you like it or not.
Keep your apps updated, I like ninite for doing this.
Don't browse the web without an adblocker - nasty things can be delivered that way.
Don't browse the web with Internet Explorer, use Chrome or Firefox.
Enable smart screen filter in Windows.
Backup regularly. If you have friends or family, take advantage of Crashplan to back up everyone's stuff to everyone else's computers.
Don't disable UAC. Don't just blindly click "yes" when it appears.
Don't download stuff from dodgy websites.
Disable "hide extensions for known file types" in Windows. That way you can see if a picture really is a picture or something else.

I've always worked on the principle that you should never run two virus checkers at the same time as it'll severely impact performance.
posted by mr_silver at 10:47 AM on January 12, 2016
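
A read-only PowerShell check for three items from the list above (built-in Defender active and current, UAC left on, file extensions visible). This is an added example, not part of the original answer; the helper name Get-RegValue and the 7-day signature threshold are assumptions.

```powershell
# Added example: read-only audit of three checklist items. Nothing is changed.
# Run in Windows PowerShell on Windows 10.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Hypothetical helper: returns $null when the key or value is absent.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$results = @()

# "Disable hide extensions for known file types": HideFileExt = 0 shows them.
$hideExt = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt'
$results += [pscustomobject]@{
    Check  = 'File extensions shown'
    Pass   = ($hideExt -eq 0)
    Detail = "HideFileExt=$hideExt"
}

# "Don't disable UAC": EnableLUA = 1 means UAC is on;
# ConsentPromptBehaviorAdmin = 0 means admins are elevated with no prompt.
$uacKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua     = Get-RegValue $uacKey 'EnableLUA'
$consent = Get-RegValue $uacKey 'ConsentPromptBehaviorAdmin'
$results += [pscustomobject]@{
    Check  = 'UAC enabled and prompting'
    Pass   = ($lua -eq 1 -and $consent -ne 0)
    Detail = "EnableLUA=$lua ConsentPromptBehaviorAdmin=$consent"
}

# Built-in antivirus: enabled, real-time protection on, signatures recent.
$maxAgeDays = 7   # assumed threshold, adjust to taste
try {
    $mp   = Get-MpComputerStatus -ErrorAction Stop
    $pass = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and
            ($mp.AntivirusSignatureAge -le $maxAgeDays)
    $detail = "RealTime=$($mp.RealTimeProtectionEnabled) SignatureAgeDays=$($mp.AntivirusSignatureAge)"
} catch {
    # The cmdlet fails when Defender is turned off or replaced by another product.
    $pass   = $false
    $detail = 'Get-MpComputerStatus unavailable'
}
$results += [pscustomobject]@{ Check = 'Windows Defender active'; Pass = $pass; Detail = $detail }

$results | Format-Table -AutoSize
```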


Whether or not this is protection depends on your point of view, but if I may self-link a little I posted a guide on disabling some of 10's intrusive features on the Blue a while back.

The other thing I regularly recommend to people is to go through your installed applications periodically and get rid of anything you don't absolutely need installed. Makes it a lot simpler when you are trying to diagnose issues and most people don't need many applications installed these days.

Notably absent is installing anti-virus software. Do use the built-in security software in Windows 10, but be wary of third-party software. Much of it has a long history of causing more security problems than it solves.

I agree with this, I'd just use Defender and maybe Malwarebytes.

Use full-disk encryption. (Enabled by default in Windows 10, but be aware that it backs up the key to your Microsoft account. This is probably fine for protecting your data against common thieves, but maybe not against the FBI/NSA/etc.)

Note that you'll want to check if you actually have this option, as it varies. If not, you can always buy 10 Pro and use Bitlocker.
posted by selfnoise at 10:52 AM on January 12, 2016


(This is not a complete answer, but hopefully will be useful towards building a complete answer.)

In my view, the best practices in personal computer protection boil down to reducing the number of points of failure that are directly tied to that computer -- as few eggs in one basket as possible, so to speak.

- Cloud-based file backup. External hard drives are fine, but are often susceptible to the same risk factors as your computer (theft, backpack soaked by the rain, house fire) and so don't offer much "backup". If you don't have many files that you would consider sensitive to loss, Google Drive, Box, and Dropbox all have free versions that have a small amount of space. If you have a large number of files to protect, I would add Crashplan to the list of services to check out.

- Aizkolari's advice in the thread that you link remains good advice: having a non-administrator account for your day-to-day use is a great way to mitigate the risks of malware. (If you were doing physical security, you'd much prefer for an attacker to end up with a key to the front door than a building master key.)

- Two-factor authentication on as many accounts as possible. Google offers 2-factor that works quite well for its services; I believe that most large banks should also have a way to enable it. 2-factor systems tend to be designed with smartphone users in mind, but many are compatible with text messaging or even phone-call verification.

I don't have a particular recommendation for anti-virus/-malware software, but I consider the built-in Windows Defender and Firewall to be sufficient, especially considering that it's free. As with all security software, keeping it up to date is paramount to any other feature.

Beyond recommending one anti-virus+firewall combo or another, I think the advice in the linked thread is sound, especially samsara's profile. The one addition I'd make to that write-up is to secure your web browser; since most of your exposure to the Internet is probably going to be through your browser, it makes sense to reduce the exposure. To this end, I recommend:

- Ad-blocker. If only for your sanity/bandwidth, install something like Ad-Block Plus (and then whitelist trusted websites like Metafilter).

- Cookie manager. In Firefox, I like Self-Destructing Cookies. I'm not familiar with Chrome options, but maybe this.

- Script blocking/management. NoScript and Ghostery are probably the most popular options here. I use RequestPolicy in Firefox which is a bit more fussy but gives more granular control over requests IMO; though I haven't used it, uMatrix looks similar.

On preview, I now see that I'm late to the party!
posted by .holmes at 10:55 AM on January 12, 2016


I usually suggest that people set their networks to use opendns instead of their ISP's DNS servers because they try to block malware domains. It's certainly not perfect, but it's not worthless either. Helped us flag a laptop that was getting out past our firewall as infected a year or two ago (you have to register to get alerts).
posted by mattamatic at 10:57 AM on January 12, 2016


On the subject of cloud backups, a helpful comment last year keyed me into a way to encrypt my personal files before they hit the cloud (in this case I use 10's built in OneDrive) which was my main concern about files on the cloud.

I back up my important personal files that way, and then I also back up my entire data drive to a local external drive and then also periodically a sneakernet external drive I keep in my office at work (also encrypted). Which seems like overkill until you realize how silly cheap these drives are.

I tried using Crashplan a while back and for whatever reason it simply could not handle the number of camera RAWS I have.
posted by selfnoise at 11:23 AM on January 12, 2016


To underline some of what's been said above: remember that "the cloud" is just Handwavian for "someone else's server"; if it's sensitive, encrypt.
posted by Emperor SnooKloze at 11:38 AM on January 12, 2016


Also I'll just link to this current Blue thread. It seems like many people are advocating using adblockers and script blockers in your browser since it seems like this is a common malware trajectory.
posted by selfnoise at 11:42 AM on January 12, 2016


If you haven't bought a computer yet, buying one from Microsoft will avoid the crappy bundled software the vendors include. The new surface books are pretty nice...
posted by yeahwhatever at 12:23 PM on January 12, 2016


Don't use an administrator account as your daily user account.
Install OS updates.
Don't install Flash.
Don't use IE.
Use uBlock Origin browser plugin on Firefox and/or Chrome.
Backup your data.
posted by LoveHam at 1:38 PM on January 12, 2016


Wow, good stuff here. I second (or third) relying on the native virus software. Provided Winders is updated, it should be plenty. Additional software is just going to gum up the works.

I would from time to time check your program files against shouldiremoveit.com, especially if you see stuff in your programs list that you don't remember installing.

Run disk cleanup. Run ccleaner. Run malwarebytes.

Eat Snacky Smores
posted by NedKoppel at 1:46 PM on January 12, 2016


Keep Windows updated, if you're using Windows 10 Home then it'll force you to stay updated whether you like it or not

The OS will ask if you want to reschedule, but eventually it'll reboot itself to install those updates whether you like it or not (ask me how I know). I went digging to find what was installed and noticed it's possible to remove updates though I don't know how permanent those changes would be.

I've had Windows 10 for a week and I hate it so much I'm downgrading to Win 7 Pro so I can't help much with how to protect this OS, but whenever I have to set up a windows machine I use the guides over at Black Viper. Hope it helps.
posted by squeak at 3:09 PM on January 12, 2016


Setting up a new computer is the best time to set it up so you're not using an admin account for day-to-day work.

That has already been mentioned, but I just wanted to add that it is super satisfying when a program that would normally happily install junk without you ever knowing, instead has to bring up the admin password request, and you're all "Really?! How about 'NO'? How about 'NO!' with a side of 'GET BACK TO YOUR ROOM!' " :)
posted by anonymisc at 4:03 PM on January 12, 2016


As mentioned upthread, don't use IE. That prohibition extends to cases where IE is calling itself "Edge".

Don't use Outlook or Outlook Express. Literally any of the alternatives are better, up to and including connecting to your IMAP server with telnet and typing the protocol commands with your fingers. I like Thunderbird.

Completely remove OneDrive, and be pissed off that it's so hard to uninstall (to say nothing of the fact that it never should have been installed by default in the first place).

Turn off everything -- Every. Thing. -- under Settings->Privacy. (By "turn off" I mean of course "set to least permissive setting".)

Learn about "Wi-Fi Sense" and how to defend yourself from it. (Shameless self-link on this topic.) Change your WiFi password.
posted by sourcequench at 5:28 PM on January 12, 2016


Something I found out very recently: if you are still using a 3rd-party antivirus, the free version of Avast is now inserting an ad into your email signature for both desktop clients and webmail. I read some recommendations and switched to Avira. Microsoft's built in scanner didn't test as well.

The makers of Spybot Search & Destroy have made a program to stop Windows 10 from phoning home constantly. Read more about that over here.
posted by IndigoRain at 6:19 PM on January 16, 2016

