[SOLVED] Really would love tips and advice on how to setup Windows 10 to be secure

SonJustin

Distinguished
Oct 9, 2013
37
1
18,535
I have not been living a safe cyber life. I have terrible passwords, have never bothered to limit access to my personal info when apps ask, and have never looked into the security or privacy options of Windows 10 and more. I wanna change all that. So far I reset PC; deleting everything off my m.2 drive, beginning fully fresh. I even made a new Microsoft account / outlook email. But now I wanna make sure I go about being secure and protecting my privacy, among other things. This is my plan so far:

Step 1. Buy Bitwarden and use it as a Password Manager. I've learned a decent amount about this, and if I let it generate random complex passwords for everything, I just gotta remember and keep safe copies of the master pass phrase. I will also wanna use 2FA, probably the USB key version.

Step 2. Either use free Webroot from work, or get 75% off of Bitdefender and use that instead. If you think I should do this before Step 1, let me know!

Step 3. Learn about VPNs (because I'm dumb) and acquire one. I'll have to research how they work and which ones are highly rated.

Step 4. Create up to 5 emails in total. Why? I'd like each one to have a specific purpose: One email for financial/credit stuff. Another email for correspondence ONLY with friends and family. A third email for shopping on sites that have your payment method on hand (like Amazon or eBay). A fourth email for all those junk sites that require an email just cause, like Discord, Steam, or whatever. Especially sites that wanna send ads. And the final email would be for work-stuff only.

Step 5. Go through the slow, long process of changing all the passwords of all the accounts I have for apps, sites, etc. Using Bitwarden, I should be able to have it generate the passwords. Also, I'll link each account to its appropriate new email (e.g. use Bitwarden to change my <Mod Edit> Steam password, then change Steam email to Email #3) I know I have at least 190 accounts, many will need to be changed. But maybe I'm better off deleting many of them and starting fresh?

Step 6. Determine the pros and cons of keeping or deleting my old Google and Microsoft account. For Microsoft, I have it linked to my Xbox One X, and have Game Pass Ultimate free until Feb 2022. If I delete the Microsoft account, what will happen to the Game Pass. Same with Google, will I lose my Youtube account?

That's all for now. I really wanna be smart going forward, and this feels like the right direction. I appreciate anyone who responds to the points.
Solution
And it would be dumb to make a different Microsoft account for the standard user, correct?
3 accounts...

The first one, MS, Admin.
Then, create 2x other local accounts. 1 Standard, 1 Admin.

Use the MS account only when you need to interact with MS.
The local Admin is used for managing the PC.
The local Standard is your daily driver.

That's the way I do it anyway. And have done for years.
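The three-account layout from the accepted answer, scripted as an added PowerShell example (this is not USAFRet's own procedure, and the account names are placeholders you would pick yourself). It is run once from an elevated session on the Microsoft-account administrator, creates the two local accounts, and then verifies that the daily-driver account did not end up in Administrators:

```powershell
# Added example: create the local Standard and local Admin accounts described above.
# Run once from an elevated PowerShell session (the Microsoft-account admin created at setup).
# $standardName / $adminName are placeholders chosen for this example, not names from the thread.

$standardName = 'Daily'       # local Standard account: the daily driver
$adminName    = 'LocalAdmin'  # local Administrator account: only for managing the PC

foreach ($name in @($standardName, $adminName)) {
    if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
        # Read-Host -AsSecureString keeps the password out of the command history
        $password = Read-Host -Prompt "Password for $name" -AsSecureString
        New-LocalUser -Name $name -Password $password -PasswordNeverExpires `
            -Description "Created $(Get-Date -Format yyyy-MM-dd)" | Out-Null
    }
}

# Both accounts need Users membership to log on interactively; only $adminName goes into Administrators.
foreach ($name in @($standardName, $adminName)) {
    if (-not (Get-LocalGroupMember -Group 'Users' -Member $name -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Users' -Member $name
    }
}
if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $adminName -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $adminName
}

# Verify: the Standard account must NOT be a member of Administrators.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
"Administrators group now contains: $($admins -join ', ')"
if ($admins -match "\\$standardName$") {
    Write-Warning "$standardName is an administrator; remove it with Remove-LocalGroupMember -Group Administrators -Member $standardName"
}
```

After this, sign out and log in as the Standard account for daily use; when a UAC prompt appears there, it will ask for the local Admin's credentials rather than a plain OK button.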

SonJustin
Step 0: Don't click on stupid stuff.
Step 0.1: Don't download stupid stuff.

  1. Password manager, sure
  2. Given Step 0 and 0.1, Windows Defender is just as good as a paid solution
  3. Up to you
  4. Yes.
  5. Given #1, you'll have to do this
  6. No real need.

Haha thanks for the blunt yet useful answer! Yeah, avoid the dumb <Mod Edit> for sure. So I have been hearing Windows Defender is really good lately, how long has that been a thing? I always thought Defender was just the basic protection built-in, and that it would make sense to buy a dedicated antivirus.
Do you use a VPN at all?
And as for the last post, idk I just feel weird moving to 2 new Microsoft and Google accounts and then having 2 previous ones floating around with all my info. If they WERE ever compromised at one point, would changing the passwords with Bitwarden, as well as their linked emails, be enough to fully secure them?
Thanks man
 

USAFRet

Titan
Moderator
Haha thanks for the blunt yet useful answer! Yeah, avoid the dumb <Mod Edit> for sure. So I have been hearing Windows Defender is really good lately, how long has that been a thing? I always thought Defender was just the basic protection built-in, and that it would make sense to buy a dedicated antivirus.
Do you use a VPN at all?
And as for the last post, idk I just feel weird moving to 2 new Microsoft and Google accounts and then having 2 previous ones floating around with all my info. If they WERE ever compromised at one point, would changing the passwords with Bitwarden, as well as their linked emails, be enough to fully secure them?
Thanks man
Windows Defender has been good for some years now.

VPN? Except for work, I don't.
Well...I'm about to, but only for accessing my local network from outside. Primarily to get to my security camera feeds.

SonJustin
Windows Defender has been good for some years now.

VPN? Except for work, I don't.
Well...I'm about to, but only for accessing my local network from outside. Primarily to get to my security camera feeds.
Damn, so Defender sounds better even than free Webroot which I get through my work? I figured that third-party antivirus would work harder to be safer and most secure and protective, as an incentive for you to buy it lol
 
Random list of thoughts:
  • Don't run an administrative level account as your daily driver
  • As long as you don't click on or download and run anything suspicious, you can get away with using only Windows Defender. And I would argue that Microsoft actually has a reason to make sure Windows Defender is actually a decent anti-malware program. Not to mention I have paranoia issues with third-party ones after reading https://arstechnica.com/information-technology/2017/01/antivirus-is-bad/
  • Make regular back-ups of data you want to keep that are/can be physically separated from the computer
  • Keep software up-to-date if possible.
    • This includes not skipping Windows updates. However, since Microsoft has such an impressive track record of trouble-free updates, I would advise waiting maybe two weeks before letting Windows do its thing.
  • Install as few things as possible. The fewer things you install, the fewer things you have to worry about.
  • If the app requires elevated privileges to run (i.e., it triggers UAC when you launch it) and it's not updating itself, think very hard if you really need to use it. Apps that ask for elevated privileges just to run should be heavily scrutinized.
As for your specific things:
  1. Password managers are good. If you're using 2FA, make sure you have a backup plan for that. Most 2FA places will generate random recovery codes you can use. Also, physical 2FA (like Yubikey) is not widely supported, so I would suggest getting a 2FA authentication app like Authy.
    • If the place doesn't support an authentication app, then e-mail linking is fine too
    • Avoid 2FA or recovery through text messaging if possible. An attacker can easily intercept texts if they know your phone number. Plus you know, it's PII you have to give out.
  2. See previous points
  3. VPNs are good for unsecured or untrusted networks and getting around regional restrictions, but "protecting your privacy as you browse the web" is semi-true. It might hide from the network you're connected to what you're trying to access, but any sensitive data between you and the website is already encrypted if it's using HTTPS.
  4. If you don't mind managing all that, sure.
  5. Delete accounts to things you haven't used in a while. They're a liability. Otherwise change the passwords that need changing.
  6. If you delete your accounts, you lose access to whatever that was tied to it. If you're going to make new email accounts anyway, you could also just keep the old one around just in case you had something tied to it that you didn't catch.
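A read-only posture check for three of the points in the list above (daily account not an administrator, Windows Defender running with fresh signatures, updates not being skipped), written in PowerShell as an added example; it is not code from anyone in this thread. It uses only the built-in Defender module and the Windows identity of the current session:

```powershell
# Added example: check the current machine against the list above. Nothing is modified.

function Get-SecurityPosture {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $groupSids = $identity.Groups | ForEach-Object { $_.Value }
    # S-1-5-32-544 is BUILTIN\Administrators. It stays in the token (marked deny-only) even when
    # an admin account runs non-elevated, so this tests membership, not whether UAC elevated us.
    $isAdminMember = $groupSids -contains 'S-1-5-32-544'

    $mp = Get-MpComputerStatus   # built-in Defender module
    $lastPatch = (Get-HotFix | Where-Object InstalledOn |
                  Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn

    [pscustomobject]@{
        Account                  = $identity.Name
        RunsAsAdministrator      = $isAdminMember
        DefenderAntivirusEnabled = $mp.AntivirusEnabled
        RealTimeProtection       = $mp.RealTimeProtectionEnabled
        SignatureAgeDays         = $mp.AntivirusSignatureAge
        LastWindowsUpdateInstall = $lastPatch
    }
}

$p = Get-SecurityPosture
$p | Format-List

if ($p.RunsAsAdministrator)      { Write-Warning 'This account is in Administrators; use a Standard account for daily use.' }
if (-not $p.RealTimeProtection)  { Write-Warning 'Defender real-time protection is off.' }
if ($p.SignatureAgeDays -gt 7)   { Write-Warning "Defender signatures are $($p.SignatureAgeDays) days old." }
if ($p.LastWindowsUpdateInstall -lt (Get-Date).AddDays(-45)) { Write-Warning 'No Windows update installed in the last 45 days.' }
```

The backup point in the list cannot be verified from inside the machine, which is rather the point of keeping the backup physically separate.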

USAFRet
Make regular back-ups of data you want to keep that are/can be physically separated from the computer
Yep...I forgot to mention this one.

SonJustin
Yep...I forgot to mention this one.


Dumb question but what's the best method of using backup software on Windows 10? Is there a free one included? And if not, any recommendations on which ones to download? Unless you want me to backup everything manually without software.

USAFRet
Dumb question but what's the best method of using backup software on Windows 10? Is there a free one included? And if not, any recommendations on which ones to download? Unless you want me to backup everything manually without software.
As in the above link, I use Macrium Reflect.
The free version is just fine.

Much better than what is built in with Windows.
And I have had to use it after a drive death.

960GB SSD died suddenly. No idea why.
Put in a new drive, click click in Macrium...all 605GB data recovered exactly as it was at 4AM when that drive ran its nightly incremental backup.

SonJustin
Random list of thoughts:
  • Don't run an administrative level account as your daily driver
  • As long as you don't click on or download and run anything suspicious, you can get away with using only Windows Defender. And I would argue that Microsoft actually has a reason to make sure Windows Defender is actually a decent anti-malware program. Not to mention I have paranoia issues with third-party ones after reading https://arstechnica.com/information-technology/2017/01/antivirus-is-bad/
  • Make regular back-ups of data you want to keep that are/can be physically separated from the computer
  • Keep software up-to-date if possible.
    • This includes not skipping Windows updates. However, since Microsoft has such an impressive track record of trouble-free updates, I would advise waiting maybe two weeks before letting Windows do its thing.
  • Install as few things as possible. The fewer things you install, the fewer things you have to worry about.
  • If the app requires elevated privileges to run (i.e., it triggers UAC when you launch it) and it's not updating itself, think very hard if you really need to use it. Apps that ask for elevated privileges just to run should be heavily scrutinized.
As for your specific things:
  1. Password managers are good. If you're using 2FA, make sure you have a backup plan for that. Most 2FA places will generate random recovery codes you can use. Also, physical 2FA (like Yubikey) is not widely supported, so I would suggest getting a 2FA authentication app like Authy.
    • If the place doesn't support an authentication app, then e-mail linking is fine too
    • Avoid 2FA or recovery through text messaging if possible. An attacker can easily intercept texts if they know your phone number. Plus you know, it's PII you have to give out.
  2. See previous points
  3. VPNs are good for unsecured or untrusted networks and getting around regional restrictions, but "protecting your privacy as you browse the web" is semi-true. It might hide from the network you're connected to what you're trying to access, but any sensitive data between you and the website is already encrypted if it's using HTTPS.
  4. If you don't mind managing all that, sure.
  5. Delete accounts to things you haven't used in a while. They're a liability. Otherwise change the passwords that need changing.
  6. If you delete your accounts, you lose access to whatever that was tied to it. If you're going to make new email accounts anyway, you could also just keep the old one around just in case you had something tied to it that you didn't catch.
  • The new Microsoft account I made to log into this PC (which has just been fully reset), is it by default the administrative level account? If so, I should make a secondary account? What's wrong with using the account that has more privileges? ALSO, if I am on a second account and require administrative powers, I can just swap over to allow it?
  • Another advocate for Windows Defender. That's impressive. All this time I thought there'd be some "ultimate" antivirus that people recommend like Bitdefender or Webroot.
  • As for the 2FA, I probably won't get the Yubikey, since it sounds complex and not much supports it. Plus, I can see myself groaning needing to plug it in for access on the go. And dammmmmn, no using my phone as part of the 2FA? Email is better?
  • I thought VPNs are really just there to protect my identity and whatnot online, <Mod Edit> like that.
  • I will def delete old accounts, all the ones I don't use.
  • I have Game Pass Ultimate until February on my Microsoft account, which is all tied to my Xbox One X account. If I delete the Microsoft account, the Game Pass and Xbox account goes poof?
Thanks!
 
Dumb question but what's the best method of using backup software on Windows 10? Is there a free one included? And if not, any recommendations on which ones to download? Unless you want me to backup everything manually without software.
If you can pare down your data to less than 5GB or whatever the cloud services give you for free, package it up with encryption using 7-Zip and upload it there. It's manual, it's a pain, but it's free.

Otherwise my current method is using a program called Free File Sync to copy files over to a NAS and an external drive. I haven't had a need for file history (I should probably look into it).

I have something else for cloud storage as my off-site backup.

SonJustin
As in the above link, I use Macrium Reflect.
The free version is just fine.

Much better than what is built in with Windows.
And I have had to use it after a drive death.

960GB SSD died suddenly. No idea why.
Put in a new drive, click click in Macrium...all 605GB data recovered exactly as it was at 4AM when that drive ran its nightly incremental backup.

Thanks. I'll do that. But since I just reset the PC, I can worry about it later, as I have nothing really on here.
I definitely need more SSDs. I have one 256gb Crucial SSD from 2015, and an Intel m.2 which is used running Windows 10.
You seem smart. Any suggestions on good SSDs or m.2?
 
  • The new Microsoft account I made to log into this PC (which has just been fully reset), is it by default the administrative level account? If so, I should make a secondary account? What's wrong with using the account that has more privileges? ALSO, if I am on a second account and require administrative powers, I can just swap over to allow it?
The first account made in Windows is administrator by default. You'd have to make a secondary account. If you use Windows store apps, you can still use your Microsoft account, but you just have to tell the Windows Store to only use it for Windows Store Apps and not the entire Windows account.

The primary advantage to using a Standard Account is there's still quite a few settings in Windows that can have system wide changes that don't trigger the UAC prompt, but they do require elevated privileges to modify. For example if an app asks to be allowed through the firewall, it requires elevated privileges to allow it through when the network is considered "private" (which allows the computer to share data through the network). Another is, and this'll answer the next question, it requires you to enter the login credentials of an administrator account to pass any UAC checks. So you can't simply click "OK" on a UAC prompt, you have to actively acknowledge it.

The only problem is the UAC check is simply there to grant permission that the user can perform the action. Some apps really want an administrator account running it and getting permission isn't enough. For those apps, you can right click on it and select "Run as administrator" so you run the app as the administrator account.

While this may sound like a pain in the butt, I've been using a Standard User account for the past 10 years and it's rarely an annoyance. If anything, it's made me more cognizant of apps that seem to really want to run with an administrator account, which I distrust a lot.

  • Another advocate for Windows Defender. That's impressive. All this time I thought there'd be some "ultimate" antivirus that people recommend like Bitdefender or Webroot.
The only reason why I would put more trust in Microsoft's own product is: 1. they actually know how their OS works, 2. they have incentive to have something that cleans up malware targeting their platforms, and 3. third-party anti-malware developers usually only provide an anti-malware service, which means they have more incentive to try to make money off of you.
  • As for the 2FA, I probably won't get the Yubikey, since it sounds complex and not much supports it. Plus, I can see myself groaning needing to plug it in for access on the go. And dammmmmn, no using my phone as part of the 2FA? Email is better?
You can use your phone, as there are 2FA apps. Just avoid using text messaging as 2FA if you can.

  • I thought VPNs are really just there to protect my identity and whatnot online, <Mod Edit> like that.
That's what HTTPS is for.

  • I have Game Pass Ultimate until February on my Microsoft account, which is all tied to my Xbox One X account. If I delete the Microsoft account, the Game Pass and Xbox account goes poof?
Yup.

SonJustin
The first account made in Windows is administrator by default. You'd have to make a secondary account. If you use Windows store apps, you can still use your Microsoft account, but you just have to tell the Windows Store to only use it for Windows Store Apps and not the entire Windows account.

The primary advantage to using a Standard Account is there's still quite a few settings in Windows that can have system wide changes that don't trigger the UAC prompt, but they do require elevated privileges to modify. For example if an app asks to be allowed through the firewall, it requires elevated privileges to allow it through when the network is considered "private" (which allows the computer to share data through the network). Another is, and this'll answer the next question, it requires you to enter the login credentials of an administrator account to pass any UAC checks. So you can't simply click "OK" on a UAC prompt, you have to actively acknowledge it.

The only problem is the UAC check is simply there to grant permission that the user can perform the action. Some apps really want an administrator account running it and getting permission isn't enough. For those apps, you can right click on it and select "Run as administrator" so you run the app as the administrator account.

While this may sound like a pain in the butt, I've been using a Standard User account for the past 10 years and it's rarely an annoyance. If anything, it's made me more cognizant of apps that seem to really want to run with an administrator account, which I distrust a lot.


The only reason why I would put more trust in Microsoft's own product is: 1. they actually know how their OS works, 2. they have incentive to have something that cleans up malware targeting their platforms, and 3. third-party anti-malware developers usually only provide an anti-malware service, which means they have more incentive to try to make money off of you.

You can use your phone, as there are 2FA apps. Just avoid using text messaging as 2FA if you can.


That's what HTTPS is for.


Yup.
Once again, thanks for the lengthy responses that took time to write. I am probably going to make a second account after this. If you are in a situation where you need to do something that REQUIRES being the administrator account, do you allow yourself to log into that account to do the thing? Or are you simply like "nope, no going back into that admin account"

Okay so from now on, avoid text-based verification for 2FA. I've been using text-based for years. Are call-based ones any better? But it sounds like the App solution will work instead. And if a site only supports one form of authentication, I suppose I'd just go with the App?

I will probably keep Windows Defender running and doing its thing. Saves me money in some cases and prevents me having to see the popup of the antivirus saying "look at me I did a scan!"

Thanks again.
Random question - Are there any privacy settings you recommend me turning on or off in Windows 10? During the setup I said No to pretty much everything. But maybe I'm being paranoid and can turn things on like Location?
 
Once again, thanks for the lengthy responses that took time to write. I am probably going to make a second account after this. If you are in a situation where you need to do something that REQUIRES being the administrator account, do you allow yourself to log into that account to do the thing? Or are you simply like "nope, no going back into that admin account"
When you trigger a UAC prompt on a Standard User account, it brings up a log in prompt. When you enter the right login, it goes away like a normal UAC prompt.

Okay so from now on, avoid text-based verification for 2FA. I've been using text-based for years. Are call-based ones any better? But it sounds like the App solution will work instead. And if a site only supports one form of authentication, I suppose I'd just go with the App?
I think the danger is simply if an attacker knows your phone number, they can spoof any form of phone number based 2FA. It isn't hard to get a SIM card with your phone number attached to it these days.

Not every 2FA enabled site has support for app-based authentication, but if they do, use it.

Random question - Are there any privacy settings you recommend me turning on or off in Windows 10? During the setup I said No to pretty much everything. But maybe I'm being paranoid and can turn things on like Location?
I turn off everything I don't need. Do note that it's a global setting, not just for Windows Store Apps. I had a fun time trying to figure out why my mic wasn't working on Discord until I found out I had to allow apps to use microphones.
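To see the effect of those global privacy toggles without clicking through Settings (the microphone-and-Discord situation above is exactly what this shows), here is an added PowerShell example, not from the thread, that reads the consent store Windows 10 writes the Privacy toggles to. The HKLM key holds the device-wide "Allow access on this device" switch, the HKCU key holds the per-user "Allow apps to access" switch, and the NonPackaged subkey is, as far as I know, where the "Allow desktop apps" switch for classic programs like Discord lands; treat that last path as an assumption if your build differs. Nothing is changed, only read:

```powershell
# Added example: report the Windows 10 privacy toggles for microphone, camera and location.
# Read-only. Paths are the CapabilityAccessManager ConsentStore used by Settings > Privacy.

$capabilities = 'microphone', 'webcam', 'location'
$userStore    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore'
$deviceStore  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore'

function Get-ConsentValue {
    param([string]$Store, [string]$Subkey)
    # Each consent key stores a string property "Value" of Allow or Deny; absent means the default.
    $key = Join-Path $Store $Subkey
    if (-not (Test-Path $key)) { return 'not set' }
    $v = (Get-ItemProperty -Path $key -Name Value -ErrorAction SilentlyContinue).Value
    if ($null -eq $v) { 'not set' } else { $v }
}

foreach ($cap in $capabilities) {
    [pscustomobject]@{
        Capability   = $cap
        DeviceToggle = Get-ConsentValue $deviceStore $cap                       # "Allow access ... on this device" (HKLM)
        AppsToggle   = Get-ConsentValue $userStore   $cap                       # "Allow apps to access your ..." (HKCU)
        DesktopApps  = Get-ConsentValue (Join-Path $userStore $cap) 'NonPackaged' # desktop (Win32) apps; assumed subkey
    }
} | Format-Table -AutoSize
```

A Deny on either the device or the apps toggle for microphone is the "Discord can't hear me" case; a Deny only under NonPackaged would block desktop programs while Store apps keep working. Changing the values belongs in Settings rather than in the registry, so the example deliberately stops at reporting.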
 
Oh, I should add, if the program installs into your user account folder (Chrome, Discord, and other apps made with Electron), you have to install them with your daily Windows account. If you install them with the administrator account, they get installed on that account only. Those apps only install for the user that launched the installer.

SonJustin
  • Okay, so I will go over to the Standard Account! Seems safer and no issues since I know the UAC info anyway. Have you ever had to log into the administrator account?
  • Yeah that makes sense. So as cool as 2FA seems, it appears most sites or things that offer it might only allow for an email or phone based method? If it only allows text-based for 1FA, I assume it's better than nothing? Lol
  • Yeah I'll have to remember that, so if I have the Mic global setting off even the Mic on my VOID headset won't work. I have no webcam so that's no issue. The one thing I'm uncertain on is Location setting. Having this on still makes apps and things "ask" to use your location right? If so I'd wanna keep that on, so when I look for stores it'll look for the nearest location.
  • Since you're so knowledgeable do you have any other random suggestions for me? I have an iPhone and assume at some point I'll need to secure/reset that as well!

SonJustin
All my systems have local Standard and Admin accounts. As well as the needed microsoft account.
Daily use is the standard local account.
The MS account is only used if I need to interact with the Store, or something from MS.
Can you not purchase anything on the Microsoft app store on a standard account?