Horse Sense #130

Feeling More Secure in Windows 10

We would like to "steal" your ideas to add here! Tell us something good and we will post it!

[If you are in a larger organization, then you may or may not need or be able to make some of the following changes, as your system administrators may do this for you. At this early stage, the chances of them having done this if you are running Windows 10 are probably nil. You are either someone testing the product out as a guinea pig or you are not supposed to be running Windows 10!

The information below serves as a starting point for securing Windows 10. Security is an ongoing endeavor and it depends highly on what you do. Be safe. If you need help, call on us.]

When installing Windows 10, do not set up a Microsoft Account if you are in a business environment. Set up and sign in to your machine thereafter with a local account. Microsoft Accounts can help your personal information and desktop settings appear wherever you log in. That means you send a lot of very private information to Microsoft. Most businesses should not do this. I do not recommend doing this on a personal machine if there is anything on it you want to stay private.

DO NOT choose "Express Configuration" when you install unless you want to gut your security. Pick “Custom Configuration” in small print on the lower left of your screen and you will be asked whether you want to turn personalization and location settings on. Say no to all of them. While your apps might lose functionality, most business users will be better served and their networking and security staffs will be happier turning all of this sharing off. Besides, you can always turn it back on later if you find you need it. As a general rule, it is hard to beat the security setting of “off.” It is OK to turn stuff off. If your desktop never goes anywhere, why would you ever want to turn location settings on?

The next configuration page sets browser protection, connectivity and error reporting settings. You may want to turn SmartScreen on to protect against malicious content, but it will slow down your browsing and send info to Microsoft. Page prediction tries to preload pages for you. Its guesses may not be correct, so it keeps your network and machine busy doing lots of work that will never pay off. It also only works with Edge. Turn it off. Allowing your PC to connect to open (unsecured!) hotspots or even to networks shared by someone in your contact list is a huge security risk. Turn these off. Ideally, you want to pay attention to the network you are connecting to and actually choose to connect to it. Connecting to the wrong wireless access point is a sure way to get into trouble. And, while you might think the choice of sending error and diagnostic information to Microsoft is a good thing, for most consumer and business users it mainly just eats up resources for no net gain, so turn those off too.

In short, you do not need to turn on any of the features that the “Express Configuration” choice turns on!

If you installed with insecure defaults already, or if you want to check whether some operating system update or program install "helped you out" by lowering your security, click the notifications button on the bottom right of your screen. Click “All Settings” and the privacy icon will help you turn off the potential privacy leaks mentioned above as well as others. Sometimes the logic is odd. On the “Speech, Inking, and Typing” tab you want to tell your computer to "Stop getting to know me" to close privacy and security holes. That choice sounds like one you would never want to pick. After all, if it knows you better, it should work better and keep your secrets safe, right? Wrong. That choice should really be labeled "I don't want to tell everyone my secrets".

Go through all the tabs under privacy. If in doubt, turn the setting off to improve privacy. You would think turning a setting under privacy "on" would improve your privacy. Nope. If you turn these settings "on," you turn your privacy "off." If an app does not work correctly later, it will either complain and lead you here or allow you to make a change on the spot, so I would not worry you will break anything you might need later.

Look at Settings -> Account. You can use a personal identification number (PIN) instead of a password to log in, but that will lower your security! If you have a low-security tablet meant to consume content, logging in with a PIN is really quick and easy. [Content consumption devices where you do not care if someone could see everything you do might be just fine with the default (in-)security of Windows 10, like the tablet you use to watch back issues of your favorite TV program. OK, maybe you might want to turn off the camera that defaults on....] You can set up Windows Hello fingerprint security and make logins even easier. However, if you still allow access by password or PIN alone, then your security is actually lower. Windows Hello may be able to help provide you more secure access in your applications. Make sure you register several fingerprints from both hands so you do not end up locked out of a machine by a paper cut. If you use PIN code access, use at least a 4-digit code.

Go to Settings -> Personalization. If you do not like the color Windows 10 gives you, change the background color to be a pleasant, high contrast solid color. Black, dark blue, dark purple, and dark green are good choices. Avoid shocking colors like red, yellow or orange, pastels, or low contrast choices which will wear on the eyes. A surprising number of people have some amount of color or shade blindness. Pick what looks best to you and you will find your productivity will increase! Change the lock screen background from the default "Windows Spotlight" to be a picture. Use Windows Paint to create a JPEG file with your name, address, phone, and e-mail contact information. Import that file as your laptop or tablet lock screen background so someone can reach you if they find your machine. To enhance your chances of a safe return, instead of using a blank background with your contact info on it, use a picture of yourself so people can identify the owner easily. Now protect your system screen and save energy by setting your Screen Saver to Blank. Change the Power Management settings and make sure to require a password on wakeup. Now if you lock your machine by holding down WindowsKey and hitting L, or the machine goes to sleep on you, someone will have to have your fingerprint, password, or PIN to log in!

Hold the WindowsKey and hit X. Choose “System.” Now click on “Advanced System Settings.” To improve your security a little bit if you are NOT in a domain, change your Computer Name to something you want and join a workgroup other than the default “Workgroup.” You can use any workgroup name, but all of the machines that share information with each other should use that same name. Do this even if you later decide to use Home Groups (relatively rare in business settings). Now click on the "Advanced" tab, select the performance settings, and adjust the video effects for "best performance." It will turn off a lot of "eye candy," simplify your screen, and make work quicker and easier to do. Making sure you have a restore point is a good thing. Click on the System Protection tab and make sure you toggle at least your system disk so it is protected and set the configuration to 5GB or less. Create a restore point if one has not already been created. Click on the Remote Assistance tab and turn access off. You can turn it on again if you really need it. Few do.

Your browser(s) are your gateway to the rest of the world. You will likely use them more than almost any other program. Make them more usable and secure. Reset the cache size in your browsers to be 16MB or less. Have your browser start up quickly by selecting a blank page as the initial display page. Turn off and uninstall any accelerators, extensions, or add-ons you do not use.

[added 8/28/15]

Turn off delivery optimization or your computer will serve as a repository and source for distributing software across the Internet. Click on the Windows 10 Start Icon. Choose Settings -> Update And Security -> Windows Update. Click on Advanced Options. In the Advanced Options page, click on "Choose how your updates are delivered." It is not obvious that you can select these options with the standard Windows 10 color scheme. These options look like you cannot choose them because they are grayed out. You *can* choose them. Turn delivery optimization off.
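To re-check several of the settings above after an update or program install, here is a read-only PowerShell audit, added as an example and not part of the original article. The registry paths and value names are assumptions the article does not give, and they can differ between Windows 10 builds; "NOT SET" means no explicit value is stored at that location, so verify the setting in the Settings app.

```powershell
# Added example: read-only audit of settings the article recommends turning off.
# Registry locations below are assumptions (not from the article) and may
# differ between Windows 10 builds. Nothing is modified.
$checks = @(
    @{ Name  = 'Remote Assistance'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
       Value = 'fAllowToGetHelp'; Want = 0 },   # 0 = access off
    @{ Name  = 'Delivery Optimization (policy)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
       Value = 'DODownloadMode'; Want = 0 },    # 0 = no peer-to-peer sharing
    @{ Name  = 'Diagnostic data (policy)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
       Value = 'AllowTelemetry'; Want = 0 },    # 0 = lowest level (honored only on some editions)
    @{ Name  = 'Typing personalization'
       Path  = 'HKCU:\SOFTWARE\Microsoft\InputPersonalization'
       Value = 'RestrictImplicitTextCollection'; Want = 1 }   # 1 = collection restricted
)

function Get-SettingStatus {
    param([hashtable]$Check)
    $actual = $null
    try {
        $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction Stop
        $actual = $item.($Check.Value)
    } catch {
        # Key or value absent: no explicit setting is stored at this location.
    }
    $status = if ($null -eq $actual) { 'NOT SET' } elseif ($actual -eq $Check.Want) { 'OK' } else { 'REVIEW' }
    [pscustomobject]@{
        Setting = $Check.Name
        Actual  = $actual
        Wanted  = $Check.Want
        Status  = $status
    }
}

# Print one row per setting; rows marked REVIEW differ from the article's advice.
$checks | ForEach-Object { Get-SettingStatus $_ } | Format-Table -AutoSize
```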

©2015 Tony Stirk, Iron Horse