(EN) How to effectively secure windows 10 - using build in technologies

3년 전


At first let me state two things about IT security.

First: you will never be 100% safe. How someone act will also be in important factor. If you bring yourself in danger because you let others appeal to your fear or greed or you play with illegal content there is no rescue.
Second: Security often subtracts convenience. Locking not just the front door but each and every door, cabinet and drawer will surely raise security. But do you want to live that way? Maybe yes. But maybe you prefer to exchange some security for convenience - at least in some areas.

After this short introduction lets start. By talking about IT-security many users just think about a good anti-virus software. But this is not enough as the periodic waves of ransomware impressively show.

Others claim that expensive security suits are needed or that you need a whole bunch of different software tools to protect yourself. In reality each third party software has its own bugs and maybe open doors to your system which weren't there before. Many free AV solutions are also known to collect and sell your personal data. Therefor many security experts say that a right configured, up to date operation system (OS) is the best approach to keep safe (1).

I don't want to meddle in things of personal choice. I just want to show that you can have high security just by knowing and using Windows 10 build in technologies. You will see, there is more than a pure AV can do for you.

Standard User Account (SUA)

The first user, created by Windows 10 usually has administrative rights. Most people use this user account for daily work. This means, that each peace of software started by this user also has administrative rights by default. In theory there is another technology called "User Access Control" (UAC) which should prevent some actions from taking place without permission, but in the real world there are different ways to avoid this. Malware started by an administrative user could get deep into the system with ease. Once there - everything is possible.

In many cases high damage could be prevented by creating a Standard User Account (SUA). This user should be used for daily work like surfing the web or handle with office documents. If malware now tries to get deep into the system Windows 10 will first prompt you to enter the admin account password. If you get asked without reasonable reason you can avoid much harm just by one click.

Best practice: create an SUA and use it for daily work. If you want to exchange some security for convenience you could activate PIN code for the administrative account. This speed up getting admin rights if needed.

User Access Controll (UAC)

Using UAC, you can choose if you want additional security prompts before accessing certain areas of the system. You can set different steps in the settings. If you enable UAC you will be asked before a program changes certain settings. At high level more actions are protected and you will be asked more often. Again someone has to balance security and convenience. But if you get asked for permission without reasonable reason you can stop a harmful process at an early stage. If you are not sure, just say "no". If it was valid you can restart the process again later.

Best practice: Search for UAC in the Windows settings and set it at least to mid level. If you want to boost safety set UAC to max level. This helps preventing changes to Windows settings without your attention.


Smartscreen is part of the Edge browser coming with Windows 10. Smartscreen issue a warning if you visit bad websites like known phishing sites. This also works for downloaded files which are known to be malicious or simple new and unknown. If you are one of the first people who opens a new, unknown file you might get warned even if the file is safe. But this helps to wait a minute and think about if this is really what I want and if I really trust the source.

Best practice: If you like the Edge browser, then go for it since it uses Smartscreen technology by default. The Edge browser also get started inside an AppContainer (kind of a sandbox). This adds additional security in case of certain attacks.

Controlled folder access

Since Windows 10 Version 1709 (Fall Creators Update) this feature is part of the OS. After activation certain folders (you can change the list) are protected and could not be accessed by third party software. This way ransomware could not that easy encode all your valuable data. In Windows Defender settings you can make exceptions for certain software. This way you can still access the files using your office or backup tool. ATTENTION: This feature is only available if you choose Windows Defender as you main AV solution.

Best practice: Enable controlled folder access within the Windows Defender Security Center. Personal I deleted the desktop from the protected folder list. I did this because I don't store original files on my desktop and I want to allow third party tools to create desktop shortcuts without making an exception each time.

Software Restriction Policies (SRP)

Many users even don't know this technology exist. It is probably the most powerful weapon against unknown malware.

AV tools usually follow an blacklist approach. They simply learn how to identify malicious software and then try to stop it. The downside of this approach is that it takes sometimes days until new malware is properly recognized.

The build in SRP instead take a whitelist approach. You simply set which file or folder is save to run. All other files could not start at all. By taking this approach SRP could also block completely new or unknown malware from getting started. This technology is part of windows for a long time. E.g. it is implemented in Windows 7 as well.

Sadly it is not easy to activate and configure SRP. Users of Windows 10 Professional could use the Local Group Policy Editor (gpedit.msc). Windows Home users have to set certain registry keys. Both are no easy tasks for the average user. As a result this great security feature is often used in enterprise environments only.

Luckily, there are small tools out there which help you set and configure SRP.

Best practice: My personal favorite is the “Hard Configurator” (2). By a few clicks you can set an recommended SRP configuration ("Recommended SRP" button) which allows only installed Software to run and even block script files from being executed. The tool also provides further settings to enhance windows security by clicking on "Recommendet Restrictions". Maybe I will provide more information about the tool in a later post.

Windows Defender (WD)

If you protect Windows by SRP, the AV will only be the second line of defense. So it is up to you to choose one you like. But I encourage you to think about WD as well. Different from Windows 7, WD (coming with Windows 10) is a complete AV solution and it is free. Meanwhile its detection rate could compete with other professional AV software (3). WD is also well implemented into the OS and require just little maintenance since "Windows Update" keep it up to date.

Best practice: Go to the Windows Defender settings and enable real-time protection, cloud protection and controlled folder access. Please keep in mind that you should only use one AV with real-time protection at a time.

Protection technologies overview

Technologie Comment
SUA - Standard user account Prevents malware from getting administrative rights. Only work together with brain.exe
UAC - User access control Prevents installations or changes to windows settings without getting to your attention. Only work together with brain.exe
SmartScreen Filter Issue a warning if you enter malicious websites or run bad / unknown downloads.
Controlled folder access This is a feature of Windows Defender. It protects certain folders from being accessed by random software (like ransomware).
SRP - Software Restriction Policies Only certain files or the content of certain folders could be executed. SRP prevents malware which try to download and execute scripts or files in the background from doing his job.
Windows Defender Free AV Solution coming with Windows 10. It's only one link in a chain to a secure system

This list is not final. It just gives an idea why a secure system is not related to a single tool or setting. All the technologies which come with Windows 10 are part of a security strategy - which, as a whole, provide solid safety. If you think this is helpful please let others know by resteeming this post. Thx.

Please apologies my spelling since English is not my mother tongue.

(1) https://arstechnica.com/information-technology/2017/01/antivirus-is-bad/
(2) https://github.com/AndyFul/Hard_Configurator
(3) https://www.av-test.org/en/antivirus/home-windows/windows-10/december-2017/

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  trending

You got a 6.67% upvote from @redlambo courtesy of @privacybydesign! Make sure to use tag #redlambo to be considered for the curation post!

You got a 1.80% upvote from @adriatik courtesy of @privacybydesign!

You just rose by 2.9285% upvote from @therising courtesy of @privacybydesign. Earn 43.8% APR by delegating SP to therising. For more details visit: https://steemit.com/budget/@therising/auto-daily-payout-of-43-8-apr-for-steem-power-delegations-starting-from-500-sp-only-limited-period-offer.

You got a 5.02% upvote from @whalebuilder courtesy of @privacybydesign. Join @whalebuilder family at our Discord Channel. Don't let your precious stake(SP) go stale...Make it do more so you have to do less. Deligate it to @whalebuilder by clicking on one of the ready to delegate links: 50SP | 100SP | 250SP | 500SP | 1000SP | 5000SP | custom amount.

You got a 14.53% upvote from @bearwards courtesy of @privacybydesign!

This post has received a 5.56 % upvote, thanks to: @privacybydesign.

This post has received a 2.14% upvote from @aksdwi thanks to: @privacybydesign.

You got a 6.86% upvote from @luckyvotes courtesy of @privacybydesign!

Congratulations @privacybydesign! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of upvotes received

Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here

If you no longer want to receive notifications, reply to this comment with the word STOP

By upvoting this notification, you can help all Steemit users. Learn how here!