10 Windows 10 Settings You Should Change Right Away

Status
Not open for further replies.
People freaking out about UAC need to chill.

First off, if you are in a business environment, you don't use UAC to monitor app installations or changes on the OS. Real administrators use GPOs to lock down the systems.

I'm not saying it's completely useless. UAC just adds another "layer" of protection. How secure that is, on the other hand, is another story. This game is about risk mitigation; any layers you add to that just help with the mitigation.

Secondly, for home use or even just general use, UAC has been hacked and bypassed so many times it's a joke. If you really think you are protected with UAC on, then you got another thing coming.

Same applies with local Windows Firewall. Again, while it's another "layer of protection", it is not as secure as you think.

Just to give you an idea about UAC and that was just with 1 sec of googling. There are many more references for hacks and bypasses to UAC.

https://null-byte.wonderhowto.com/how-to/bypass-uac-using-dll-hijacking-0168600/

For my clients, I personally leave Windows Firewall and UAC on unless there are programs that conflict with it. Again, mitigation is the name of the game. However, this is not the point I focus strongly on. You are much better off focusing on locking down WAN/LAN traffic and using a good firewall with good local protections, AVG, Malwarebytes, DNS protection tools, etc., and training your clients on what and what not to open!

These tools will more often than not save your ass. Simply having UAC and Windows Firewall on isn't going to protect you from most of the threats out there.
 


As you said, it's all about mitigation. Yes, UAC can be bypassed. However, that requires local access, per your link, and that is not what most threats are. Most threats are junkware that installs quietly in the background then installs the required files to annoy or even take the system over (ransomware). A proper setup with UAC and the right type of user helps to, again as you said, mitigate that issue.

The issue here is that this site is designed for the majority with a side of minority catering. It should always keep that in mind when making suggestions. Yes the minority of users here are high level users. We know what we are doing. We can walk through the registry and understand what we are doing. The majority however who come looking for answers and are not experienced should never disable additional mitigation nor should they rummage around in the registry, especially since one wrong move can cause catastrophic events to happen.
 
In the hope some folks less informed than most of the above posters read this thread, I have to say drivers may not often be corrupted but driver download sites are becoming increasingly untrustworthy.
 

Lostinlodos

BIGPINKDRAGON286 Hit the target.
The only thing user account control stops is the manual installation of software or manual changes to the system. Being, you the user did something.
You clicked something. You hit enter and didn’t pay attention. Etc.
It’s annoying protection for stupid people.
Before you shout back about drive-by downloads, Windows Defender is currently best in class or top 2 on every (reputable) 2018 comparison test. And catches 98-100% of tested exploits.
Meaning it’s blocked before you would need UAC.
I don’t use Chrome, but Firefox, Edge, and Safari all block expanded system access by default, so if something is tinkering in your registry from a web site, you gave it permission to do so, or disabled the far more useful block on un-prompted system access.
There is never a reason for a browser to have unrestricted access to your system.
The only place that would be useful is in multiple file upload transfers.
If you are using a cloud drive service, all the reputable ones, and many of the less-so, have desktop apps that are specific to doing so. And if you’re doing transfers of your own, many inexpensive and free FTP programs support html transfers. Again, a limited use scenario.

For the millions of sheeple who blindly click away, UAC has some use in partially protecting them from their own ignorance and stupidity. But it’s a false sense of security. And oh so many just click OK on anything that pops up, including UAC!
Honestly... if you’re dumb enough to download a pdf to fill out your inheritance claim from Nigeria, and you’re not in or from Nigeria, you probably deserve the loaded payload in it.
Tom’s is targeted at smart people. Not click click click fools.
 


Tom's is for everyone and if you think you're smart enough to turn off UAC, it's fine. For the majority, it's safer turned on and a crypto blackmail attack doesn't care which browser you use. A standard or even an administrator account with UAC off is vulnerable and I've seen enough of them to be in a position to state that categorically.

I hope you never get caught out because I wouldn't wish it on anyone but your post has to be challenged for the benefit of all our readers.

It's also an excuse for me to preach my backup régime:- BACKUP and back the backup up to an external drive then keep that in a fireproof box, preferably the one you store the fire insurance policy.

 

Lostinlodos


And as I believe I implied I do agree there are benefits to UAC. That said as I implied there’s a major problem. And that’s a false sense of security. Having it show up when you’re changing the clock or modifying desktop display settings makes the average user ignore all the prompts; proven time and again.
In reality I think the average user needs better instructions with computers. Something we probably won’t ever get when so many companies are trying to undermine each other to boost their own product.
The fact that the general user has the current best in class AV in Defender and still goes and gets one of the various A’s or Cs generally shows that habit can’t be broken easily. They download less capable software and often disable Defender to some extent as well.
If they do that then how can you break the click ok habit?!?
I’m not taking either side. I don’t think there’s a solution. Ideally you’d have it set to the highest point all the time. But no one will put up with that.
FWIW; I primarily use a Mac now. I run two separate branches of 10 via parallels. Both of the current fast levels.
Sophos has been far more reliable for me than UAC ever was. Not prompting me for nonsense and catching things UAC misses, like driveby downloads.
PS: as you said: backup! Everything! Always!
 
I manage a small fleet of systems, all based around office work; machines are quad cores with 8 GB of RAM and an SSD. Actual hardware differs so I cannot really use system images.
- UAC: keep as-is or increase level. NEVER GO LOWER! If you're asked to unlock: ASK SYSADMIN. If you do it anyway : SYSADMIN WILL RAIN DEATH UPON YOU
- system restore: if you don't update your drivers often, DISABLE IT. It will substantially reduce SSD wear. If by any chance the system can't be restored through safe mode or a boot disk, then you're better off reinstalling anyway.
- cleanup: use disk cleaner with Administrative rights once in a while. It does trash can AND system updates installers cleanup. Cleaning Downloads once in a while is much easier to do manually.
- privacy: run O&O ShutUp10. I personally enable all the Recommended and Limited elements. Run once in a while because Microsoft regularly re-enables some sh*t through system updates.
- privacy 2: uninstall all "recommended" crapware Microsoft forces upon you. Run Powershell as administrator, and run this command:
Get-AppxPackage -AllUsers | Remove-AppxPackage
Note, this also removes the Windows Store. You may need to re-run this command every 6 months or so, as Microsoft reinstalls all its crap on each new Windows 10 edition.
- Skype users: the above also removes the "universal" Skype build, which doesn't work anyway (restoring access to microphone and camera is supposed to be done from Settings then Privacy, but at best it will need a power cycle to actually take effect). Install "Skype for Windows" from the Skype website instead.
- Windows 10 Pro only: in Windows Update advanced settings, switch away from "targeted" users. You'll run a slightly older version of Windows, but then you'll also run a much more stable version of it. No more crap like losing files, crashing the system or frying your SSD because Microsoft can't be bothered with QA when stealing your data.

Or, if you really are fed up with Microsoft's crap, install Ubuntu 18.04, then Steam, enable Beta access in Steam then enable Steamplay on all games.
 
This thread is a bit on the necro side but these are important issues so I'll keep it open for a while longer.

Two points I'm sure you already know, mitch074; Windows 10 Updates deletes System Restore Points and Spybot Anti-Beacon can reimmunize the Privacy setting which 10 Updates also revert to Microsoft's preferred defaults, to where you told SA-B them to be changed.

There's another trick up the MS corporate sleeve. When you set Remote settings to disallow any such thing, an Update comes along and reinstates their default.
 

mikewinddale

Here's my additional changes:

Enable Blue Screen of Death (rather than an instant restart without any warning):
Control Panel --> System Properties --> Advanced (tab) --> Startup and Recovery --> Settings --> Uncheck "Automatically restart"


Turn on DEP (Data Execution Prevention) for **all** programs under Control Panel --> System --> Advanced --> Performance

Under power options, disable quick boot, i.e. the quasi-sort-of-hibernation-but-not-really that saves your OS memory state (but not application memory state) whenever you restart. To me, this defeats the purpose of a restart.
Control Panel --> Power Options --> Change what the power buttons do (on the sidebar) --> Change settings that are currently unavailable (in the center of the screen) --> Uncheck "Turn on fast startup"

Disable Cortana
HKey_Local_Machine\Software\Policies\Microsoft\Windows\Windows Search (you might need to create this key if it doesn't exist), and then create the DWORD value AllowCortana and set it to 0.

Create a "God Mode" settings folder
Create a folder named GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}
https://www.techlila.com/windows-10-tips-and-tricks/
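
A read-only way to check whether the settings from the posts above are still in place after a Windows update, added here as an example and not posted by any participant in the thread. The function name `Get-SettingDrift` and the pass/fail rules are assumptions that encode the posters' stated preferences; the Cortana key is the one given in the post, and the other registry values are the standard Windows locations for UAC, crash restart and fast startup.

```powershell
# Added example: read-only audit of the settings discussed in this thread.
# "Ok" encodes the posters' preferences, not Microsoft defaults.
$checks = @(
    @{ Name  = 'UAC enabled (EnableLUA)'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'EnableLUA';                  Ok = { param($v) $v -eq 1 } },
    @{ Name  = 'UAC admin prompt not silenced'   # 0 = elevate without prompting
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'ConsentPromptBehaviorAdmin'; Ok = { param($v) $null -ne $v -and $v -ne 0 } },
    @{ Name  = 'Automatic restart on crash off'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
       Value = 'AutoReboot';                 Ok = { param($v) $v -eq 0 } },
    @{ Name  = 'Fast startup off'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
       Value = 'HiberbootEnabled';           Ok = { param($v) $v -eq 0 } },
    @{ Name  = 'Cortana policy set to 0'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       Value = 'AllowCortana';               Ok = { param($v) $v -eq 0 } }
)

function Get-SettingDrift {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        # A missing key or value is reported as "(not set)" instead of raising an error
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Value) } else { $null }
        [pscustomobject]@{
            Setting = $c.Name
            Actual  = if ($null -eq $actual) { '(not set)' } else { $actual }
            Drifted = -not (& $c.Ok $actual)
        }
    }
    # DEP policy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut ("all programs" in the UI)
    $dep = (Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    [pscustomobject]@{ Setting = 'DEP for all programs'; Actual = $dep; Drifted = ($dep -notin 1, 3) }
}

Get-SettingDrift -Checks $checks | Format-Table -AutoSize
```

The script changes nothing; rows with `Drifted` set to `True` are the ones to review after each feature update.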
 

AlistairAB

All these people freaking out about disabling UAC... hilarious... It is very overrated and I've personally repaired 100's of installations, none of which would have been protected by UAC. Perfectly reasonable for a home gaming PC to disable UAC for example.
 

richardvday

Slow week, it's Xmas, but reposting this garbage?
This article makes a lot of questionable recommendations that generally unless you really know what you are doing should NOT be followed. Most people ARE idiots. Microsoft does that for a REASON. The people who are NOT idiots can figure out how to turn it off if it becomes annoying to them and they understand the risks.
Please kill this article and put something less destructive up
 

nrdwka

So much hate. Given that people mostly accept UAC requests without reading, there is no difference.
As for my family's PC, as an extra layer, all browsers are equipped with adblock/noscript.
 

Karadjgne

Ppl are not idiots. They are sheep. Blissfully ignorant of just how computer illiterate they generally are. Then there are 3 other kinds of ppl, quite rare really in comparison to the masses of sheep. You have the sheepdogs, which is us the posters on Tom's and other sites, guiding the sheep when things like life happens. There's also the Shepherds, the mods and Pro's, who keep us posters in line and show us the path. Lastly there's the wolves.

Normally, everything is peachy, the sheep going about their ignorant lives in peace, sheepdogs half asleep, shepherds with their heads in the clouds and the wolves sitting and watching. Until someone screws up. Doesn't take much, wolves get too close, sheep run out of grass, sheepdogs get bored or macho and the sheep start bleating bloody ruckus. And we get postings like this.

Windows is fine when left alone as Microsoft stock. The sheep like it, it's easy enough for them, it's their comfort zone. It's only when changes are made that things get nuts. UAC, SR, Cortana and all that other grass is generally ignored by most sheep, just another weed they'll move past. Try and make them eat it, bring out the earphones, it's gonna get loud. And we get 2 pages of bleating sheep complaining about dandelions.
 

shmoochie

Seriously, disable UAC? Why is Avrim still allowed to author articles that are clearly not in the best interest of the average reader? Even the mods are up in arms about this one. I wish Tom's would consider what it does to their reputation when the editor-in-chief posts advice rooted in ignorance. Just buy it, anyone?
 
It may be that he saw so many posts from folks who were sick and tired by the perishing "Are you sure you want to allow this that or the other to do these actions" or whatever the message is, and pointed out how it could be overcome.

Some of my customers have pleaded with me to stop the message. I pointed out the risk and the request to kill it went ahead. I've stood in a room with fifty PCs running and sales folks on telephones grumbling about the warning, sometimes ten at the same time. I got rid of it and sanity returned.

I wouldn't advise killing the messenger in a system where users don't have strong passwords and the sense not to download just anything.
 

Karadjgne

And every sheep out there is an expert, and has AV so is protected from malware, and doesn't ever visit porn sites out of curiosity or only 5 minutes to dl a torrent because the price of the game they want is unfair.

Telling sheep that disabling UAC is a 'must' to improve their windows experience was wrong from the get-go. 'Can', with a full disclosure of possible downsides, just to avoid a single user necessary affirmation would have been OK.
 

ccrider_22

Perhaps there is; but I wonder why MS doesn't give a way to allow one program, decided by the user, to run without the prompt on start-up....how would a hacker know what I'm starting once a week?
 

beardrinksbeer

I have had UAC disabled for years, comp is still going strong, you just have to know what you are doing; if you don't, you get to comment on here that disabling UAC is bad ;)
 


Since you know what you are doing, you double post? Or you have a key logger installed and it double fired on you... And you didn't notice. LOL
 

ccrider_22


AGREED !! 100% :bounce:
 