It's 2022, and malware today is socially engineered. Just installing antivirus software on the PC is not sufficient. Hence, you have to take additional steps to ensure the complete Windows 10 and Windows 11 hardening. Having security software is only one of the ways, but there are other levels of hardening that you probably don't know.
So, here is a complete Windows 10/11 hardening checklist to protect your PC.
Windows 10/11 Hardening: What should you do?
Are you still using Windows XP or Windows 7? In that case, it will be a good idea to upgrade to Windows 10 or the latest version Windows 11. I understand that it may appear to be a bit difficult to operate at the beginning. However, once you get used to the interface, it will be a part of your life as any other operating system. So moving forward, this guide will focus on Windows 10/11.
Operating System: Regular Updates
Microsoft has officially stopped support for Windows XP on April 8th, 2014. Also, Windows 7 met with the same fate on January 14th, 2020. Hence, you will not receive any updates from Microsoft on these two operating systems. Due to the lack of regular updates and security patches, these operating systems are at higher risk with the view of recent attacks.
Considering the security point of view, Windows 10/11 should be your choice.
Motherboard: Secure Boot
Bootkit type of malware can infect the master boot record of the system. Also, it executes automatically when the computer starts up. As it runs outside the file system, an operating system level protection isn't enough. Hence, if you are assembling a PC, go for a Motherboard that supports Secure Boot and set the boot menu to UEFI only. All modern laptops already have motherboards with Secure boot support.
Here is a list of Intel Motherboards which support SecureBoot. For other brands, check the description or their release notes.
How to confirm if I am running Secure Boot?
You can quickly check if Secure Boot is enabled or not.
- Open the "Run console," press Windows key + R
- On the Run Console type msinfo32 and hit enter
- Under System Summary search for Secure Boot State.
System Protection: Create a Restore Point
It's always a good practice to have a restore point. When system protection is on, Windows automatically keeps and updates a restore point to which you can revert if you face any issues.
You can also create a manual restore point. Doing so gives you control over the state of Windows where you want to return. I usually create a restore point manually after a fresh installation with a basic set of applications. However, you can also do so as per your choice. A restore point is not helping you directly in Windows 10/11 hardening, but it provides a flag point where you can always return.
Account Settings: Prefer Non-Admin User
By default, we get the access and privileges of administrators on the first account creation of Windows. You should create another user with standard privileges and use it for daily work. It lowers the risk of infection as a standard user account doesn't have all access to the system. For escalated privileges (if necessary), you can use the Admin account.
Encrypt Drives with BitLocker
Drive encryption protects your data from unauthorized access. Since Windows 10/11 includes BitLocker by default, you do not have to spend anything. Also, you can use it to encrypt local and removable storage devices. Learn more about BitLocker and implement the same.
Review Windows 10/11 Privacy Settings
In this section, you can tweak how Windows 10/11 collects your data or apps accesses system resources. In Privacy settings, visit all the sections and disable the options accordingly. I recommend you to disable all the data settings you do not want Microsoft to use. In case you wish to be a part of the Windows Insider Program, you need to enable Full Diagnostics & Feedback.
App permissions are very useful in case you only want to allow certain apps to use your File system. Hence, it will protect you from ransomware attacks. To ensure Windows 10/11 hardening, you should review and limit the apps that can access your Camera and Microphone. There are many more settings that you can tweak in this section.
Note: If you have an antivirus with ransomware protection, you will not have access to change File System as your antivirus actively manages it.
Cleanup: Uninstall Unnecessary Software
The less you have, is better. Avoid the risk by uninstalling software products you don't use. Intruders exploit many popular programs to gain access to your system and infect it. Some prominently exploited software programs are Adobe Flash and Java, so get rid of them unless extremely necessary.
CCleaner, Revo Uninstaller, iolo System Mechanic Pro and Uninstaller Pro are reliable solutions to uninstall unnecessary applications and clean up garbage. Also, apps like CCleaner can optimize PC Speed automatically. It is an essential step in Windows 10/11 Hardening. Hence, do not miss it.
Scan Non-Microsoft Products for vulnerability
In Windows 10/11, Microsoft automatically updates the apps that you get from Microsoft Store. Also, you need to update 3rd party software regularly. While updating the software, you also reduce the chances of existing software vulnerabilities. In case you have a lot of applications on your system and find it difficult to update them manually, check the IObit Software Updater. It helps you by automatically updating any software to the latest version.
Windows 10/11 Hardening: Never disable User Account Control
Yes, UAC prompts are annoying, but by disabling it, you lose more than just a pop-up. Disabling UAC also disables file-system & Registry virtualization and Protected Mode. When an application wants to make a system change like modifications that affect other users, modifications of system files and folders, and installation of new software, a UAC prompt shows up, asking for permission.
User Account Control makes sure that these changes are made only with approval from the administrator. Read more about UAC.
Strong Passwords: Tough to Guess
It is a grave mistake, but it isn't your fault. Hard-to-guess passwords are difficult to remember. Why not use a sophisticated tool to manage and remember all your passwords in a safe Vault? I have been using LastPass for a long time for this purpose. It generates secure passwords as well as stores them in encrypted form. You can get passwords on demand and auto-fill whenever required.
Active Protection: Use Antivirus
It is indeed necessary even after following everything stated above. No matter how many manual actions you take, there should be a program that continuously monitors every activity. It is possible only if you have an Antivirus program. Windows 10/11 includes Microsoft Defender (formerly known as Windows Defender), and it can protect you from primary threats. Also, the latest additions include ransomware protection by default. However, you should solely depend on it only if you are fully aware of your internet browsing habits.
I recommend more than just a plain antivirus like an Internet Security program that has an inbuilt firewall and spam protection. Bitdefender Total Security is a perfect choice with advanced antivirus protection, two-way Firewall protection, and Cloud-Antispam. Read out full Bitdefender Total Security review for more details.
Update Windows Device Drivers
Updating device drivers is essential. Not only it keeps your devices at optimal performance level but also prevents any exploits that may exist in older versions. Windows 10/11 automatically updates the device drivers for you. However, if you feel that you are not receiving proper driver updates, you can check a 3rd party driver updater like Driver Booster Pro.
Frequently Asked Questions(FAQ)
Do I still need an Anti-Malware?
If you have followed everything till now, you probably won't need one. Also, if you are using a primary antivirus, it is not recommended to use another real-time protection. However, if you want to have an additional layer of security, you can use an anti-malware with real-time protection off. Hence, you have to perform another scan manually. The good idea is to perform a full system scan weekly manually. If you wish, you can give a try to Zemana or Malwarebytes.
How do I protect myself from risky Websites?
If you use Bitdefender Total Security, it comes with a real-time URL checker which notifies you about malicious website. You can avoid visiting them or go ahead by adding them as an exception. In any case, you will not accidentally land on malicious websites. Apps like Advanced SystemCare Pro also implements features like Host file and browser Homepage protection. You can learn more about the functionality in this Advanced SystemCare Pro Review.
Does Windows 10/11 Hardening protect my Online Privacy?
Unfortunately, the answer is NO. The tweaks in this guide only allow you to protect the Windows 10/11 environment. However, if your concern is with online privacy, then you should use a VPN. With the increase of ISP monitoring, a VPN is a must-use service. A misconception among many people is that a VPN is only needed to access geo-restricted content. Well, it is not precisely correct.
Apart from letting you access streaming content and services, a VPN also encrypts all your connections using various Tunneling protocols. Also, many new VPN services like Surfshark provide advanced features like ads, Malware, and tracker blocker. Hence, you should use a VPN regularly and especially when you are using public Wi-Fi.
So this concludes the Windows 10/11 Hardening checklist. This article includes all the tricks that will make your Windows 10 and Windows 11 safer. However, always remember that you have to be careful with every Windows update and check for the changes in the new version. If there is any change in the privacy sections, you will have to change the particulars accordingly.
Comment below and let me know if you have any more questions.
Sourojit is Executive Editor at Dealarious. Rumor says He is Computer Science Engineer; He neither accepts it nor denies it. Tech Explorer, Philosopher and a Storyteller.