A Practical Guide to Securing Your Windows PC – The New York Times

There’s no one-size-fits-all solution to computer security, and locking down and securing your computer might feel like an impossible task, but that doesn’t have to be the case. There is such a thing as “good enough” security for most people. And securing your Windows PC doesn’t have to cost money, consume a lot of time, or require technical know-how—it just takes enough patience to navigate a series of Windows settings.
The most important tip we have isn’t about settings but about behavior. Being able to recognize phishing attempts and being skeptical of what you download will do more to safeguard your information than any other recommendation we offer here.
If you receive a message that looks suspicious—whether it’s a text message, an email, a social media message, or anything else—don’t click any links, especially if you don’t know the sender. These are often phishing attempts, messages meant to trick you into revealing personal information such as your credit card numbers or passwords.
For example, you might receive an email asking you to verify your bank login information, but if you look closely at the details, you’ll see that it isn’t actually from your bank. If you get a suspicious-looking email requesting information or login credentials, whether it seems to be from your bank or some other company, verify it by logging in to the account in question directly instead of clicking a link in the email. If the message seems to come from a friend, say, through an email or Facebook Messenger, follow up with your friend on a different platform to make sure it’s legit (or to let them know that their account may be compromised). To see examples of these tactics in action, check out Google’s Phishing Quiz. Freedom of the Press Foundation also has a great explainer, and the FTC details a lot of the most common scams.
Should a phishing attempt succeed in stealing your password, multi-factor authentication, through either an app or a security key, can still help protect you. With multi-factor authentication enabled on your accounts, two different “keys” are required to get into your account: your account’s password, and a second code generated from an app, a text message, or a physical device (such as your phone or a special USB key). Without that second factor, the password is essentially useless. It’s also useful to employ a password manager, which not only stores complex and unique passwords but can also occasionally catch phishing scams, as well.
Another common home for malware is the world of illegitimate software downloads, which can take the form of pirated software or a lookalike download site that attempts to trick you into thinking it’s legitimate.
The first results you’ll find when searching for software online often lead you to sites like Download.com, Tucows, and Softpedia. These are legitimate sites in themselves, but they often bundle extra junk you don’t want into the software downloads or make it difficult to find the correct download link.
Your best bet for avoiding this kind of adware or viruses is to search the official Microsoft Store for software first. We also like Ninite and PrivacyTools as places to download legitimate, usually free software.
For downloading games, stick to sites and platforms like Steam, GOG, Epic Games Store, the Microsoft Store, and Itch.io. If you don’t find what you need there, poke around any other website you encounter to confirm that you’re in the right place before downloading software. Keep an eye out for lots of spelling errors, annoying pop-ups, automatic downloads, or any software (or movie, music, or game) sale that appears too good to be true.
If there’s an application you’re hesitant to open after downloading, upload the file (or copy and paste the download link) into VirusTotal, which will analyze the software to see if it’s in virus databases (note that this process shares the file with the security community as a whole, so don’t use VirusTotal for any potentially personal documents).
If you’re comfortable with more advanced software, run any suspicious document files through Dangerzone. This software strips out any potential malware and then converts suspicious document files (PDF, DOC, JPG, and more) into a PDF file you can view safely.
Microsoft periodically releases security updates for Windows, and though they may seem annoying, installing them is one of the most important things you can do to keep your computer secure. These updates patch holes in the operating system, in addition to updating rules for the antivirus software (which we’ll get to shortly), to help protect your computer.
By default, your computer is set up to download and install these updates automatically, but if you’ve disabled them, you should turn them back on. If you’ve previously found them annoying, you can tweak a few of the settings to make these updates less intrusive.
Set up properly, these updates will download and run in the background, often without you realizing it. You’ll still need to reboot your computer now and again to install some of them, so be sure to do so.
When your computer’s storage drive is encrypted, no one can access its data without your password while the computer is turned off. If you lose a laptop on a flight, someone grabs it when you’re on the road, or a person breaks into your house and steals your computer, they won’t be able to access any of the data on it.
How you enable encryption on your storage drive depends on which version of Windows you have and who made your computer. Some Windows laptops have device encryption enabled by default. To check:
Windows 10
Windows 11
If device encryption isn’t an option, look for BitLocker, a free encryption application included in certain versions of Windows 10 (and 11) Pro, Education, and Enterprise. In Windows 11, the BitLocker toggle is on the above page in Settings, but in Windows 10 you need to look elsewhere:
If you’re having trouble finding device encryption, Microsoft’s Windows support articles may provide more information. BitLocker can also encrypt external drives, including SD cards and flash drives; encrypting such a drive before you format it is a more secure way to make its old files unrecoverable than formatting alone.
If BitLocker isn’t available, you’ll need to turn to third-party software. We like VeraCrypt, but keep in mind that its encryption process is more complicated than BitLocker’s. Some solid-state drive manufacturers may also provide software for securely erasing their SSDs, though we haven’t tested any of those utilities.
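The steps above depend on which Windows edition you have, so it helps to have one command that reports the encryption state of every drive regardless of edition. The following PowerShell script is an added example written for this guide, not code from Wirecutter or Microsoft. It assumes Windows 10 or 11 and an elevated (Administrator) PowerShell window; the BitLocker cmdlets only exist on Pro, Enterprise, and Education, so on Home editions it falls back to the WMI class that device encryption also populates.

```powershell
# Added example (not from the Wirecutter article): report whether each drive is
# encrypted and whether its keys are currently protecting it.
# Assumes Windows 10/11, run from an elevated PowerShell window.

function Get-DriveEncryptionReport {
    [CmdletBinding()]
    param()

    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        # Pro/Enterprise/Education: the BitLocker module is present.
        Get-BitLockerVolume | ForEach-Object {
            [pscustomobject]@{
                Drive      = $_.MountPoint
                Status     = $_.VolumeStatus       # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
                Protection = $_.ProtectionStatus   # On = keys protect the data; Off = not encrypted or protection suspended
                Percent    = $_.EncryptionPercentage
                Protectors = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
            }
        }
    }
    else {
        # Home edition (device encryption): read the same state through CIM/WMI.
        $conv = @{ 0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress'
                   3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused' }
        $prot = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }
        Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftVolumeEncryption' `
                        -ClassName Win32_EncryptableVolume |
            ForEach-Object {
                [pscustomobject]@{
                    Drive      = $_.DriveLetter
                    Status     = $conv[[int]$_.ConversionStatus]
                    Protection = $prot[[int]$_.ProtectionStatus]
                    Percent    = $null      # not exposed as a property on this class
                    Protectors = 'n/a'
                }
            }
    }
}

# Anything other than Status = FullyEncrypted and Protection = On on your
# system drive means the data is readable if the machine is lost.
Get-DriveEncryptionReport | Format-Table -AutoSize
```

One caveat the guide does not spell out: encryption only protects you if you still have a way in. On BitLocker editions, `(Get-BitLockerVolume -MountPoint 'C:').KeyProtector` lists a `RecoveryPassword` protector whose 48-digit `RecoveryPassword` is the only way back in if the sign-in path ever breaks (a firmware update, a motherboard swap, a forgotten password), so save it to your Microsoft account or print it before you rely on the drive being encrypted.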
If something goes seriously wrong with a PC, whether it’s due to a bug or a virus, it’s far easier for most people to wipe a storage drive clean and start over from scratch than it is to troubleshoot the problem.
We have a guide to backing up your computer, but the idea is pretty simple: At the very least, everyone should back up their files to a local external storage drive. Most people should also consider a cloud backup service, which provides a third, offsite copy of your files. Doing so protects against any mechanical failures of your computer and also ensures that you have multiple copies of the files you care about in case virus, malware, or ransomware infections result in data loss.
Microsoft includes a good, free antivirus program in every edition of Windows called Microsoft Defender. In independent tests at AV-TEST, an IT security institute, the free software regularly performs just as well as paid software. Microsoft Defender, combined with the other safe-computing approaches in this guide, will catch most malware.
Although Microsoft Defender’s default settings offer good protection, take a few minutes to run through the settings to familiarize yourself with the software and set up some optional tweaks.
Open Settings > Update & Security (or Privacy & Security in Windows 11) > Windows Security.
If you think your computer still has some sort of malicious software installed, but Microsoft Defender isn’t picking anything up, we recommend downloading the free version of Malwarebytes and doing a manual scan of your computer to see if it finds something new. If Malwarebytes shows a problem, the free version can also remove it.
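Both the Windows Update section and the Microsoft Defender section above come down to the same question: are the two built-in protections actually on and current? The script below is an added example written for this guide, not code from Wirecutter or Microsoft. It assumes Windows 10 or 11 (the Defender cmdlets ship in every edition) and gives the most complete results from an elevated PowerShell window; the 45-day window and the three-day definition-age threshold are assumptions, not values from the article.

```powershell
# Added example (not from the Wirecutter article): health check for Windows
# Update and Microsoft Defender. Assumes Windows 10/11; run as Administrator.

function Get-DefenderHealth {
    $s = Get-MpComputerStatus
    $p = Get-MpPreference
    [pscustomobject]@{
        AntivirusEnabled       = $s.AntivirusEnabled
        RealTimeProtection     = $s.RealTimeProtectionEnabled
        SignatureAgeDays       = $s.AntivirusSignatureAge         # 0 or 1 when updates are flowing
        LastQuickScan          = $s.QuickScanEndTime
        TamperProtection       = $s.IsTamperProtected
        PUAProtection          = $p.PUAProtection                 # 1 = block potentially unwanted apps (the bundled "junk" the guide warns about)
        ControlledFolderAccess = $p.EnableControlledFolderAccess  # 1 = ransomware protection on
    }
}

function Get-RecentUpdates {
    param([int]$Days = 45)   # assumed window; adjust to taste
    # Installed Windows updates are recorded as hotfixes. An empty list over
    # the last several weeks usually means updates are paused or failing.
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -gt (Get-Date).AddDays(-$Days) } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

function Test-PcBaseline {
    $d = Get-DefenderHealth
    $u = @(Get-RecentUpdates)
    $problems = @()
    if (-not $d.AntivirusEnabled)        { $problems += 'Defender antivirus is disabled' }
    if (-not $d.RealTimeProtection)      { $problems += 'Real-time protection is off' }
    if ($d.SignatureAgeDays -gt 3)       { $problems += "Defender definitions are $($d.SignatureAgeDays) days old" }
    if ($d.PUAProtection -ne 1)          { $problems += 'Potentially unwanted app blocking is off' }
    if ($d.ControlledFolderAccess -ne 1) { $problems += 'Controlled folder access (ransomware protection) is off' }
    if ($u.Count -eq 0)                  { $problems += 'No Windows updates installed in the last 45 days' }
    if ($problems.Count -eq 0) { 'All checks passed' } else { $problems }
}

Get-DefenderHealth
Get-RecentUpdates | Format-Table -AutoSize
Test-PcBaseline
```

The two optional tweaks the check looks for map to `Set-MpPreference -PUAProtection Enabled` and `Set-MpPreference -EnableControlledFolderAccess Enabled`. Controlled folder access stops unapproved programs from writing to Documents, Pictures, and similar folders, which is exactly what ransomware wants to do, but it also blocks legitimate software you have not allowed yet, so expect to add a few apps to its allow list in Windows Security after turning it on.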
On top of getting rid of annoying ads, an ad blocker added to your web browser can help to block malicious ads, such as the kind that toss up dozens of pop-up windows or try to “warn” you that your system is “infected.”
Most people should have a login password for their computer, especially if it’s a laptop that you carry with you. Windows doesn’t require a login password for local-only accounts that aren’t linked to your online Microsoft account, so if you skipped this step, it’s worth going back and turning it on.
Open Settings > Accounts > Sign-in options. On Windows 10, click Manage how you sign in to your device. On Windows 11, click Ways to sign in and then select the password option and type in a password.
Some Windows laptops (and desktops with specific webcams) support logging in with Windows Hello, which uses either fingerprint recognition (using a fingerprint sensor) or facial recognition (your webcam) to log you in.[1] If your computer supports this feature and it works well for you, enabling it is a good step to take, especially if you don’t like logging in with a strong password.
Before enabling Windows Hello, note that if you are in a circumstance where law enforcement or a judge may try to compel you to unlock your laptop with your fingerprint (or face), you should consider skipping the biometrics and using only a password. In 2019, a judge in Northern California ruled that law enforcement can’t force you to unlock your device with your face or fingerprint, but that same year a judge in Illinois ruled the opposite. Until this issue is resolved, it’s best to stick with a password if you have concerns about someone unlocking your computer against your will.
Additionally, if you sign in to Windows with your Microsoft account (some versions of Windows and some features require that you do), we strongly suggest setting up two-step verification on that account.
If you’d prefer not to deal with complicated passwords and authentication through your Microsoft account, you might use a local account instead. This approach removes any syncing capabilities, including password recovery through Microsoft, but ensures that less data leaves your computer.
Depending on how you use your computer, you may also prefer to scroll down and enable the dynamic lock feature, if it’s available, which will lock your device when you walk away. This feature likely isn’t necessary if you work from home, but it can be useful when you’re in public spaces or traveling.
Bloatware—the extra software that sometimes comes preinstalled on your computer—is not typically a security risk, but it is often useless, annoying, and liable to create clutter in your software library that makes it easier for something more malicious to hide.
If your computer is pretty new and you haven’t installed much software, the easiest way to clean it up is to reset it, while still keeping your files. Open up Settings > System > Reset this PC and select Keep my files, and then follow the on-screen instructions. (This process shouldn’t remove any of your personal files, but before you begin it’s a good idea to create a backup, just in case.) In many instances, this gets rid of the extra software some PC makers preinstall, but we’ve also seen some PCs reinstall some software even after a clean Windows installation.
If that doesn’t work, head into Settings > Apps > Apps & features and then scroll through the list of installed applications. Click the three-dot icon and then click Uninstall for anything you don’t want. On this page you can see who made the software. In addition, the operating system won’t let you uninstall anything critical to your computer’s functionality. If you’re not sure what an app is, you can search for it on Should I Remove It? to get more info. (We do not recommend using the Should I Remove It? software, as it’s a little bloated itself.)
Like your phone, your laptop has all sorts of permissions settings to prevent applications from accessing certain data, such as your contacts, your location, the camera, and more. Pop into this settings page occasionally to make sure no app is overreaching for permissions it doesn’t need.
Some of the app permissions are complicated, but Microsoft has a good explanation of what each one means if you find yourself unsure of what to do.
Windows tends to collect a lot of data about you, and there isn’t always much you can do about it. But you can at least opt out of a few of the more egregious aspects:
If you use a Microsoft account for other purposes, it’s also a good idea to log in to your account’s privacy dashboard and change preferences there. Microsoft collects telemetry data about how you use your computer, where you are, and more. If you want to tweak these settings and are comfortable tinkering with your computer, we’ve used O&O ShutUp10++ with good success.
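The app-permissions page and the privacy settings described above are both backed by registry values you can read (and, for the telemetry level and advertising ID, set) without a third-party tool. The script below is an added example written for this guide, not code from Wirecutter, Microsoft, or O&O. It assumes Windows 10 or 11; the registry paths, the `DiagTrack` service name, and the meaning of the `AllowTelemetry` levels are documented Microsoft locations, not values taken from the article. Changing the machine-wide telemetry policy requires an elevated PowerShell window.

```powershell
# Added example (not from the Wirecutter article): see which apps hold camera,
# microphone, and location access, read the current telemetry posture, and
# optionally lower it. Assumes Windows 10/11.

$TelemetryPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$AdIdKey         = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo'
$ConsentStore    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore'

function Get-AppCapabilityAccess {
    param([string[]]$Capability = @('webcam', 'microphone', 'location'))
    foreach ($cap in $Capability) {
        $capKey = Join-Path $ConsentStore $cap
        if (-not (Test-Path $capKey)) { continue }
        # The capability key's own "Value" is the global switch shown in
        # Settings > Privacy; each subkey is one app (Store apps by package
        # name, classic desktop apps under NonPackaged).
        $global = (Get-ItemProperty -Path $capKey -Name Value -ErrorAction SilentlyContinue).Value
        Get-ChildItem -Path $capKey -Recurse | ForEach-Object {
            $v = (Get-ItemProperty -Path $_.PSPath -Name Value -ErrorAction SilentlyContinue).Value
            if ($v) {
                [pscustomobject]@{ Capability = $cap; GlobalSetting = $global; App = $_.PSChildName; Access = $v }
            }
        }
    }
}

function Get-PrivacyPosture {
    # AllowTelemetry: 0 = Security (honoured only on Enterprise/Education),
    # 1 = Required/Basic, 3 = Full. Absent means no policy is set and the
    # choice in Settings > Privacy applies.
    $tele = (Get-ItemProperty -Path $TelemetryPolicy -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
    $adId = (Get-ItemProperty -Path $AdIdKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $svc  = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue   # "Connected User Experiences and Telemetry"
    [pscustomobject]@{
        TelemetryPolicy  = if ($null -eq $tele) { 'not set (Settings app decides)' } else { $tele }
        AdvertisingId    = if ($adId -eq 0) { 'off' } elseif ($null -eq $adId) { 'default (on)' } else { 'on' }
        DiagTrackService = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'not present' }
    }
}

function Set-MinimalTelemetry {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($TelemetryPolicy, 'Set AllowTelemetry = 1 (Required data only)')) {
        if (-not (Test-Path $TelemetryPolicy)) { New-Item -Path $TelemetryPolicy -Force | Out-Null }
        Set-ItemProperty -Path $TelemetryPolicy -Name AllowTelemetry -Value 1 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($AdIdKey, 'Turn off the advertising ID')) {
        if (-not (Test-Path $AdIdKey)) { New-Item -Path $AdIdKey -Force | Out-Null }
        Set-ItemProperty -Path $AdIdKey -Name Enabled -Value 0 -Type DWord
    }
}

Get-AppCapabilityAccess | Where-Object Access -eq 'Allow' | Format-Table -AutoSize
Get-PrivacyPosture
# Preview, then apply:
# Set-MinimalTelemetry -WhatIf
# Set-MinimalTelemetry
```

Reading the consent store is the quickest way to answer the question the permissions section asks: any app listed with `Allow` for the webcam or microphone that you do not recognize is worth revoking from Settings > Privacy. The telemetry setter deliberately stops at the Required level rather than disabling the `DiagTrack` service, because Windows Update and Defender rely on parts of that pipeline and the level-1 policy is the supported way to limit what is sent.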
This article was edited by Arthur Gies and Mark Smirniotis.
[1] Like Apple’s Face ID, Windows Hello uses an infrared scanner to map the physical features of a person’s face rather than relying on a normal camera. Facial recognition is often inaccurate for people with darker skin tones or whose looks don’t conform to traditional gender stereotypes.
Thorin Klosowski
Thorin Klosowski is the editor of privacy and security topics at Wirecutter. He has been writing about technology for over a decade, with an emphasis on learning by doing—which is to say, breaking things as often as possible to see how they work. For better or worse, he applies that same DIY approach to his reporting.
© 2022 Wirecutter, Inc., A New York Times Company