At first, let me state two things about IT security.
After this short introduction, let's start. When talking about IT security, many users just think of good anti-virus software. But that is not enough, as the periodic waves of ransomware impressively show.
Others claim that expensive security suites are needed, or that you need a whole bunch of different software tools to protect yourself. In reality, every piece of third-party software has its own bugs and may open doors into your system that weren't there before. Many free AV solutions are also known to collect and sell your personal data. Therefore many security experts say that a correctly configured, up-to-date operating system (OS) is the best approach to staying safe (1).
I don't want to meddle in matters of personal choice. I just want to show that you can have high security simply by knowing and using the technologies built into Windows 10. You will see: there is more than a pure AV can do for you.
Standard User Account (SUA)
The first user created by Windows 10 usually has administrative rights. Most people use this account for daily work. This means that every piece of software started by this user also runs with administrative rights by default. In theory there is another technology called "User Account Control" (UAC) which should prevent some actions from taking place without permission, but in the real world there are several ways around it. Malware started by an administrative user can get deep into the system with ease. Once there, everything is possible.
In many cases heavy damage can be prevented by creating a Standard User Account (SUA). This account should be used for daily work such as surfing the web or working with office documents. If malware now tries to get deep into the system, Windows 10 will first prompt you for the admin account password. If you are prompted without an obvious reason, you can avoid a lot of harm with a single click.
Best practice: create an SUA and use it for daily work. If you want to trade some security for convenience, you can activate a PIN for the administrative account. This speeds up getting admin rights when needed.
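The following PowerShell script is an added example, not part of the original post: it creates the standard user the text recommends, makes sure the account is in "Users" only, verifies that it is not a member of "Administrators", and shows how to check from any session whether it is running elevated. The account name "daily" is an assumption; run it from an elevated PowerShell on Windows 10.

```powershell
# Added example (not from the original post): create a Standard User Account
# and confirm that it has no administrative rights. Requires an elevated
# (administrator) PowerShell on Windows 10. The account name is an assumption.
$Name = 'daily'   # assumed name for the new standard user

# Prompt for the password instead of embedding it in the script.
$Password = Read-Host -AsSecureString -Prompt "Password for $Name"

if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $Name -Password $Password -FullName 'Daily work' `
        -Description 'Standard user for everyday tasks' -PasswordNeverExpires | Out-Null
}

# A standard user belongs to "Users" only. Never add this account to "Administrators".
$inUsers = Get-LocalGroupMember -Group 'Users' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*\$Name" }
if (-not $inUsers) { Add-LocalGroupMember -Group 'Users' -Member $Name }

# Verification: the new account must not appear in the Administrators group.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -like "*\$Name") {
    Write-Warning "$Name is an administrator - remove it with Remove-LocalGroupMember"
} else {
    Write-Host "$Name is a standard user (not in Administrators)"
}

# Reusable check: does the current session run with administrative rights?
# Run this later from the new account to confirm that it answers False.
function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}
"This session is elevated: $(Test-IsElevated)"
```

Sign in as the new account for daily work; the administrator account is then only used when Windows prompts for its credentials.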
User Account Control (UAC)
With UAC you can choose whether you want additional security prompts before certain areas of the system are changed. Several levels can be set in the settings. If UAC is enabled, you will be asked before a program changes certain settings. At the high level more actions are protected and you will be asked more often. Again, you have to balance security and convenience. But if you are asked for permission without an obvious reason, you can stop a harmful process at an early stage. If you are not sure, just say "no". If the request was legitimate, you can restart the process later.
Best practice: search for UAC in the Windows settings and set it at least to the middle level. If you want to boost safety, set UAC to the maximum level. This helps prevent changes to Windows settings without your attention.
SmartScreen Filter
Best practice: if you like the Edge browser, go for it, since it uses SmartScreen technology by default. The Edge browser is also started inside an AppContainer (a kind of sandbox). This adds extra protection against certain attacks.
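The UAC slider in the settings app writes two registry values; this added example (not part of the original post) reads them back to tell you which level is active and sets the maximum level the text recommends. The level names are my own labels for the four slider positions; run it from an elevated PowerShell, and sign out for the change to take effect.

```powershell
# Added example (not from the original post): read and set the UAC level through
# the registry values behind the settings slider. Run in an elevated PowerShell.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# The four slider positions map to these two values (EnableLUA must stay 1).
# The names are labels chosen for this example.
$Levels = @{
    'Never notify'                         = @{ ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
    'Notify (no secure desktop)'           = @{ ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 }
    'Default (notify on app changes only)' = @{ ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }
    'Always notify (max)'                  = @{ ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 }
}

function Get-UacLevel {
    $p = Get-ItemProperty -Path $UacKey
    if ($p.EnableLUA -ne 1) { return 'UAC disabled (EnableLUA=0)' }
    foreach ($name in $Levels.Keys) {
        $l = $Levels[$name]
        if ($p.ConsentPromptBehaviorAdmin -eq $l.ConsentPromptBehaviorAdmin -and
            $p.PromptOnSecureDesktop -eq $l.PromptOnSecureDesktop) { return $name }
    }
    return "Custom (ConsentPromptBehaviorAdmin=$($p.ConsentPromptBehaviorAdmin), PromptOnSecureDesktop=$($p.PromptOnSecureDesktop))"
}

function Set-UacLevel([string]$Name) {
    $l = $Levels[$Name]
    if (-not $l) { throw "Unknown level '$Name'" }
    # EnableLUA=1 keeps UAC switched on; the other two values select the prompt behaviour.
    Set-ItemProperty -Path $UacKey -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value $l.ConsentPromptBehaviorAdmin -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop -Value $l.PromptOnSecureDesktop -Type DWord
}

"Current UAC level: $(Get-UacLevel)"
Set-UacLevel 'Always notify (max)'
"Configured UAC level (active after sign-out): $(Get-UacLevel)"
```

PromptOnSecureDesktop=1 is the part worth keeping even at the middle level: the prompt is shown on the secure desktop, so other programs cannot draw over it or click it for you.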
Controlled folder access
Since Windows 10 version 1709 (Fall Creators Update) this feature is part of the OS. After activation, certain folders (you can change the list) are protected and cannot be modified by untrusted third-party software. This way ransomware cannot simply encrypt all your valuable data. In the Windows Defender settings you can make exceptions for specific software, so that you can still access the files with your office or backup tool. ATTENTION: this feature is only available if you use Windows Defender as your main AV solution.
Best practice: enable controlled folder access within the Windows Defender Security Center. Personally, I removed the desktop from the protected folder list. I did this because I don't store original files on my desktop and I want to allow third-party tools to create desktop shortcuts without making an exception each time.
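The same configuration can be scripted with the Defender cmdlets. This added example (not part of the original post) enables controlled folder access, adds an extra protected folder, allows a trusted program, prints the resulting configuration, and reads the events Defender logs when a write is blocked. The folder path and the program path are assumptions; it needs an elevated PowerShell on Windows 10 1709 or later with Windows Defender active.

```powershell
# Added example (not from the original post): enable controlled folder access,
# protect an extra folder, allow a trusted tool, and read the block events.
# Requires an elevated PowerShell and Windows Defender as the active AV.

# Enable enforcement. Use 'AuditMode' instead to only log what would be blocked
# while you collect the exceptions your backup and office tools need.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Protect a folder beyond the defaults (assumed path).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Projects'

# Allow a trusted program (assumed path) to write into protected folders.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\MyBackup\backup.exe'

# Show the resulting configuration.
function Get-CfaConfig {
    $pref  = Get-MpPreference
    $modes = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
    $mode  = [int]$pref.EnableControlledFolderAccess
    $modeName = $mode
    if ($modes.ContainsKey($mode)) { $modeName = $modes[$mode] }
    [pscustomobject]@{
        Mode             = $modeName
        ProtectedFolders = ($pref.ControlledFolderAccessProtectedFolders -join '; ')
        AllowedApps      = ($pref.ControlledFolderAccessAllowedApplications -join '; ')
    }
}
Get-CfaConfig | Format-List

# Detection: event ID 1123 = a write was blocked (Enabled), 1124 = it would have
# been blocked (AuditMode). Both name the offending process and the target file.
function Get-CfaEvents([int]$Days = 7) {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}
Get-CfaEvents | Format-Table -AutoSize
```

Running it in AuditMode for a week first and reviewing the 1124 events is the practical way to find which of your own tools need an exception before you switch to Enabled.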
Software Restriction Policies (SRP)
Many users don't even know this technology exists. It is probably the most powerful weapon against unknown malware.
AV tools usually follow a blacklist approach: they learn how to identify malicious software and then try to stop it. The downside of this approach is that it sometimes takes days until new malware is properly recognized.
The built-in SRP instead takes a whitelist approach. You simply define which files or folders are safe to run; all other files cannot start at all. With this approach SRP can also block completely new or unknown malware from being started. This technology has been part of Windows for a long time; it is implemented in Windows 7 as well, for example.
Sadly, it is not easy to activate and configure SRP. Users of Windows 10 Professional can use the Local Group Policy Editor (gpedit.msc). Windows Home users have to set certain registry keys. Neither is an easy task for the average user. As a result, this great security feature is often used in enterprise environments only.
Luckily, there are small tools out there which help you set up and configure SRP.
Best practice: my personal favorite is the "Hard Configurator" (2). With a few clicks you can apply a recommended SRP configuration ("Recommended SRP" button) which allows only installed software to run and even blocks script files from being executed. The tool also provides further settings to harden Windows by clicking "Recommended Restrictions". Maybe I will provide more information about the tool in a later post.
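To show what "allow only installed software" means underneath, here is an added example (not part of the original post and not Hard Configurator's own code) that writes a default-deny SRP directly to the registry, the route Windows 10 Home users have to take. It allows everything under Program Files and the Windows directory, denies two user-writable folders inside the Windows directory, treats common script types as executable, and logs every decision to a file. The log path, the list of file types and the exact rule set are my choices; the policy is scoped to all users except local administrators so it can always be repaired from the admin account. Run it from an elevated PowerShell.

```powershell
# Added example (not from the original post): default-deny Software Restriction
# Policy via the registry. Requires an elevated PowerShell on Windows 10.
# PolicyScope=1 exempts local administrators; standard users are enforced.
$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0x0       # SRP security level "Disallowed"
$Unrestricted = 0x40000   # SRP security level "Unrestricted"

New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value $Disallowed -Type DWord  # deny unless a rule allows
Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1           -Type DWord  # all software files except DLLs
Set-ItemProperty -Path $Safer -Name PolicyScope        -Value 1           -Type DWord  # all users except local admins
# Every allow/deny decision is appended to this file (assumed path), useful when a tool stops working.
Set-ItemProperty -Path $Safer -Name LogFileName -Value 'C:\Users\Public\srp.log' -Type String

# File types SRP treats as executable (assumed list, including script types).
$Types = 'BAT','CMD','COM','CPL','EXE','HTA','INF','JS','JSE','LNK','MSC','MSI','MSP','MST',
         'OCX','PIF','PS1','REG','SCR','SCT','SHS','VB','VBE','VBS','WSC','WSF','WSH'
Set-ItemProperty -Path $Safer -Name ExecutableTypes -Value $Types -Type MultiString

# A path rule lives under <level>\Paths\{GUID}; the GUID is freshly generated.
function Add-SrpPathRule([string]$Path, [int]$Level, [string]$Description) {
    $key = Join-Path $Safer "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData    -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $key -Name SaferFlags  -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name Description -Value $Description -Type String
}

# Allow rules: only software an administrator installed may run.
Add-SrpPathRule '%ProgramFiles%'      $Unrestricted 'Installed 64-bit software'
Add-SrpPathRule '%ProgramFiles(x86)%' $Unrestricted 'Installed 32-bit software'
Add-SrpPathRule '%SystemRoot%'        $Unrestricted 'Windows itself'

# Deny rules: a more specific path wins, so user-writable folders under
# %SystemRoot% do not inherit the allow rule above.
Add-SrpPathRule '%SystemRoot%\Temp'  $Disallowed 'Writable by standard users'
Add-SrpPathRule '%SystemRoot%\Tasks' $Disallowed 'Writable by standard users'

"SRP written. Sign out and back in as the standard user, then watch $Safer and the log file."
```

With these rules a downloaded .exe, a .js attachment or a script dropped in %TEMP% simply does not start for the standard user, while everything installed by the admin account keeps working. To undo the policy, set DefaultLevel back to 0x40000 from the administrator account.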
Windows Defender (WD)
If you protect Windows with SRP, the AV will only be the second line of defense. So it is up to you to choose one you like. But I encourage you to consider WD as well. Unlike in Windows 7, the WD that comes with Windows 10 is a complete AV solution, and it is free. Meanwhile its detection rate can compete with other professional AV software (3). WD is also well integrated into the OS and requires little maintenance, since Windows Update keeps it up to date.
Best practice: go to the Windows Defender settings and enable real-time protection, cloud protection and controlled folder access. Please keep in mind that you should only use one AV with real-time protection at a time.
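This added example (not part of the original post) sets the Defender options named above with the Defender cmdlets, reports the engine state and signature age, and checks the point at the end of the paragraph: that only one product with real-time protection is registered with Windows Security Center. The meaning of bit 0x1000 in productState comes from community documentation rather than an official API and is marked as an assumption in the code. Run it from an elevated PowerShell.

```powershell
# Added example (not from the original post): switch on the Defender settings the
# post recommends and verify that only one real-time AV is active.
# Requires an elevated PowerShell on Windows 10 with Windows Defender.

# Real-time protection, cloud-delivered protection, and safe sample submission.
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -MAPSReporting Advanced            # cloud protection (Microsoft Active Protection Service)
Set-MpPreference -SubmitSamplesConsent SendSafeSamples

# Confirm the engine state and how old the signatures are.
function Get-DefenderSummary {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection = $s.RealTimeProtectionEnabled
        CloudProtection    = (Get-MpPreference).MAPSReporting   # 2 = Advanced
        SignatureAgeDays   = $s.AntivirusSignatureAge
        LastQuickScan      = $s.QuickScanEndTime
    }
}
Get-DefenderSummary | Format-List

# Windows Security Center lists every registered AV product. Bit 0x1000 of
# productState is the commonly documented "real-time scanning on" flag
# (assumption based on community documentation, not an official API).
function Get-ActiveAntivirus {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        ForEach-Object {
            [pscustomobject]@{
                Product  = $_.displayName
                RealTime = (($_.productState -band 0x1000) -ne 0)
                State    = ('0x{0:X6}' -f $_.productState)
            }
        }
}
$active = Get-ActiveAntivirus
$active | Format-Table -AutoSize
if (@($active | Where-Object RealTime).Count -gt 1) {
    Write-Warning 'More than one AV with real-time protection is active; keep only one.'
}
```

A second real-time scanner does not add protection: the two engines hook the same file operations, slow each other down and can even quarantine each other's components, which is why the post says to run only one at a time.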
Protection technologies overview

| Technology | What it does |
|---|---|
| SUA - Standard User Account | Prevents malware from getting administrative rights. Only works together with brain.exe. |
| UAC - User Account Control | Prevents installations or changes to Windows settings without getting your attention. Only works together with brain.exe. |
| SmartScreen Filter | Issues a warning if you enter malicious websites or run bad / unknown downloads. |
| Controlled folder access | A feature of Windows Defender. It protects certain folders from being accessed by random software (like ransomware). |
| SRP - Software Restriction Policies | Only certain files or the contents of certain folders can be executed. SRP stops malware that tries to download and execute scripts or files in the background from doing its job. |
| Windows Defender | Free AV solution that comes with Windows 10. It is only one link in the chain to a secure system. |
This list is not final. It just gives an idea of why a secure system is not down to a single tool or setting. All the technologies that come with Windows 10 are part of a security strategy which, as a whole, provides solid safety. If you think this is helpful, please let others know by resteeming this post. Thx.
Please excuse my spelling, since English is not my mother tongue.