10 ways to make Windows computers safer

These days everyone knows someone whose computer was hacked; everyone has heard of others who have been hit by ransomware, and who have suffered significant losses as a result. The losses are sometimes financial, but often they are non-monetary, like losing all family photographs, music, files, and so on.

While it is not possible to entirely prevent these kinds of things, there are some easy steps that we can all take to considerably minimize the likelihood of this kind of thing. It is however equally the case that the majority of these things also make it a little harder to use our computers, and this is by design.

The primary reason why people fall victim to these attacks is complacency, or letting one’s guard down for just a moment. The simple tips below try to prevent that by making it just a little bit harder for you do yourself harm in this way. So here are some tips that I believe we can all take to improve our computers security. I write them from the perspective of a Windows user; if you are a user of a Mac, similar things apply to you but I don’t use a Mac so I don’t know what they are. And, if you are one of those few Linux users, you are likely a nerd anyway and probably can figure this stuff out for yourself.

There used to be a time when the #1 way to make Windows computers safer was to move to a Mac. That is unfortunately not true any longer. Macs are also vulnerable to many of the exploits that we see these days.

Don’t login as an Administrator user; restrict administrator privileges

One of the horrible things that Windows does on initial installation is to ask you for your name, and setup an account for you. And it makes that user an Administrator. In my experience, most home computer users regularly login using that account.

When setting up a computer, always create a user who will be an administrator, and after the computer is setup, create a regular user who is a standard user. It should look something like this when you look at the users settings.

If the account(s) that are commonly used on your computer are Administrators, do this:

Create a new user on your machine with a name like “MyComputerAdministratorDingDong” and make that user an Administrator.
Login as “MyComputerAdministratorDingDong” and change the accounts that you regularly use to be a Standard User. If this is a shared computer, this means all users become Standard Users.
Ensure that the password MyComputerAdministratorDingDong is long and different from your own password; and don’t tell everyone what it is.
Update Windows User Account Control (UAC) to be paranoid and prompt you on all changes to the computer.

What have you accomplished here?

By making all common users Standard Users, you have made it harder for exploits which typically require Administrator privilege to, well, exploit.

When someone wants to install software, make changes to your computer, and so on they will need to be the Administrator, and will need the password to the “MyComputerAdministratorDingDong” account. This does make it mildly harder to use the computer, but it is a worthwhile safeguard.

Look at all the software on your machine and uninstall things that you don’t recognize

Over time, computers accumulate cruft. And if your computer wasn’t secured as described above, you are likely to find lots of cruft. Uninstall anything that you don’t recognize, or don’t use now.

What have you accomplished here?

In addition to potentially making your computer quicker, you have also removed all potentially suspicious software from your machine. Should you need one of them later, you can certainly add it back.

Get yourself a good Anti-Virus software package

It is amazing that this is still something one has to list. Most ISP’s offer Anti-Virus free, download and install one. If your ISP doesn’t purchase one and install it.

Windows 8 and 10 come with Defender. In my experience they are not quite as good as commercial Anti-Virus software packages. While Defender is free, it is worth getting something else at this stage; maybe someday soon Defender will be better.

What have you accomplished here?

Anti-virus software is an essential part of your protection plan. Make sure you have one; and Windows Defender isn’t (today) the answer.

Change your WiFi password and make it something that is hard to guess, preferably obscene

This should be self-explanatory but passwords like “password”, “homewifi”, and “xfinity” are just too easy to guess! Make it something that is hard to pronounce, uses numbers and punctuation.

My preference is to make it something obscene, that way you won’t be yelling it out to people you meet.

That last thing is something I advocate for all passwords, make them words that you will not utter in public; does wonders for password security.

What have you accomplished here?

Getting on a network with other computers is one of the ways in which a bad actor could infect your computers. By making it harder to get on your network, you have added a layer of protection to your network.

Only allow secure computers on your homegroup, and your home WiFi network

Most households with more than one computer likely share a homegroup and share files, music, and pictures on the homegroup.

If you are not able to secure a computer (as described above) kick that computer off your homegroup, move them to a Guest WiFi network.

So, what do I do about my internet connected TV’s, phones, and other devices which I can’t secure in this way. You could do one of two things, either get another cheap WiFi access point for those, or put them on the Guest WiFi network as well.

What have you accomplished here?

Your homegroup should be a safe space. By eliminating all potentially unsafe actors from the homegroup, you have improved the level of safety there.

No matter how you read email, don’t click on links that you don’t recognize

Phishing, link highjacking, and numerous other nasty things that cause harm to your computer are caused by clicking on links. So if you receive email that includes links, buttons, and other calls to action, think before you click. Hovering over a link or a button will typically reveal what the action will be.

There is no easy way to tell someone how to recognize a fake email message; scammers are quite sophisticated these days. So just be safe and don’t click on things unless you are really sure you know what you are doing.

But, you can remember these simple tips:

Banks, Financial Institutions, and most legitimate businesses will address emails to you by name; not “Dear Customer”. If the email does not address you by name, it is likely bogus.
If you get an email saying your account has been terminated, will be terminated, has been compromised and you need to take immediate action, don’t click on the link provided. Instead find the link to login to whatever account, institution, or website and login directly. If the link is real, that’s fine, you at least know where you are going. And if it is a fake, you will realize it very quickly when you find that your account is fine!
If you get email saying “someone in your contact list has shared a document with you” it is a fake; services like Dropbox will tell you who shared the file with you.

What have you accomplished here?

Many exploits require you to take an action that triggers the installation of the bad software. By taking these steps, you have made it harder for this to happen.

Disable automatic downloads, disable automatic showing of images

Web browsers and email clients allow you to set these privacy options. And they are well worth setting.

Search for directions for your specific browser and email client and make these changes.

What have you accomplished here?

Many exploits require you to take an action that triggers the installation of the bad software. Automatic downloads and infection buried in some image file formats are one way in which bad actors get around this. By taking the steps described here, you have made it harder for this to happen.

Enable a screen-saver (with a lock and a timeout)

This is particularly important for laptops and computers in shared areas. Enable a timeout and a lock screen. When you step away from the keyboard, lock the computer (Windows Key-L). Require a password to unlock the computer.

What have you accomplished here?

An unlocked computer is an invitation for someone to meddle. A locked computer (with a good password) is significantly harder for one to damage.

Disable autoplay USB

One of the most common sources of malware, viruses, and other nasty stuff is shared USB drives. Disabling autoplay along with the steps above can significantly improve the security of your machine.

If you are given a USB drive, consider the source carefully. I prefer to just say “No” and ask people to email the document(s) to me, or to put them on a shared drive like Dropbox.

What have you accomplished here?

Recently a new breed of exploits merely require someone to plug in a rogue USB stick into your machine and the malware gets automatically installed because of autoplay. By disabling autoplay, you make this harder (not impossible).

Disable USB ports

And if you want to be truly sure, here’s what I do with my laptop when I travel. Reboot the machine to BIOS and disable the USB ports.

That way, when the friendly gentleman comes along and gives you a document on a USB stick, you can safely say it doesn’t work (then blame your IT department for it). If the person insists that he can fix it, you are still safe because no matter how much he jiggles the USB stick in the port, it won’t work.

On one occasion, a particularly persistent (read: pesky) individual said he knew what was wrong, that the port was disabled in the BIOS. And he went to reboot the computer to BIOS and sure enough “My IT Department” had set a password on that and damn them because I don’t know what it is.

What have you accomplished here?

Similar to the earlier step, you make it much harder for bad actors to infect your computer using the USB port as the attack vector.

As you can likely see, each of these steps will make it just a little bit harder to use, and enjoy your computer. But as the adage goes, “no pain, no gain”.