Securing Your Windows PC

The majority of the people reading this are probably Windows users, so I'm going to focus this guide there, Windows 10 specifically. I often hear of people choosing to stick with Windows 7 instead of 10. While it's still supported this is fine, but be aware that the spying stuff in Windows 10 has been backported into Windows 7.

BIOS

We're going to start off with booting your machine. Ideally, whenever you're attacked, your machine will be offline. Please remember that if your machine is running and unlocked when it's compromised, neither BIOS settings nor full disk encryption will help you.

Whenever your PC first turns on, it will go through the BIOS. Since it's the first thing that happens, it's the first thing we will secure. There are many different BIOS options, and not every device has the same ones, so you're going to have to use some common sense if yours is different. Also, the majority of BIOSes can easily be flashed back to default settings, so it's important not to rely on this by itself.

The first thing we want to do is add a boot password (sometimes called a user or system password) and an admin password. A user password will prevent people from accessing your device, and an admin password will prevent changes to the BIOS settings. The main goal of this is so people can't change the boot order and boot from USB/CD drives. Unfortunately some BIOSes will allow this even without a password, but it's worth a shot.

On that note, you're going to want to change your boot order/priority to make your OS hard drive boot first, and disable booting from anything else. It's important to completely disable the rest, since an attacker could remove your hard drive to force the machine to boot from another device, then simply reconnect the hard drive after booting.

You'll want to disable options such as recovery and ones that store the BIOS on your hard drive. If your computer has it, you'll want to enable hard drive locking, which password-protects your hard drive. One other thing to note about this is that a lot of Dell laptops (and maybe more) have a special built-in password that securely erases the hard drive if it is entered, much like the cryptonuke I'll talk about later. I have this "delete everything" password written down on a piece of paper and half-hidden. If someone looks at my desk they will see the sticky note labeled "HDD0-SE", and since the password prompt says HDD0, they will assume this is the password. They will try it, and then all my data is deleted. Finding this "delete everything" password isn't easy though, and it's different for each device. I spoke with Dell to get mine.

Next, be sure that features such as Secure Boot and anything else mentioning security are turned on. The only exception to this is tools such as LoJack and Computrace. These are basically backdoors you can choose to have in case your computer is stolen. I admit they can be useful if you don't have sensitive data on your machine and don't want it to be stolen, but if you're following this guide you're probably not the kind of person who wants to give another company backdoor access to your system.

FDE

After the BIOS, your computer would normally load your operating system. But we want to encrypt that in order to keep our data safe if your device or hard drive is stolen. On Linux, full disk encryption is essentially a built-in feature, but for Windows, we'll want to use VeraCrypt.

After installing this you'll want to set up system encryption. Make sure to use a custom PIM to make your password two-dimensional. If you're feeling adventurous, try using a hidden operating system. You'll sometimes have to disable Secure Boot to use VeraCrypt, but this won't be a problem since you've locked the boot order and encrypted your hard drive. Windows does support BitLocker, but this is closed source, and there is a strong chance that Microsoft will have a copy of your recovery keys. Not to mention you need a TPM module or a USB key alongside your password. A large number of TPM modules seem to be implemented incorrectly anyway.
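Once the BIOS and disk-encryption steps above are done, it is worth confirming from inside Windows that they actually took. The following script is an added example, not part of the original post or of VeraCrypt: a read-only audit that reports firmware type, Secure Boot state, TPM presence, the BitLocker status of the system drive, and whether the VeraCrypt driver is loaded. It uses the Confirm-SecureBootUEFI, Get-Tpm and Get-BitLockerVolume cmdlets that ship with Windows 10 and must be run from an elevated PowerShell; the VeraCrypt driver service name "veracrypt" is an assumption.

```powershell
# Added example (not from the original post): audit boot and disk-encryption state.
# Run from an elevated PowerShell on Windows 10.

function Get-BootSecurityStatus {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        FirmwareType    = $env:firmware_type   # "UEFI" or "Legacy"
        SecureBoot      = $null
        TpmPresent      = $null
        TpmReady        = $null
        BitLockerSystem = $null
        VeraCryptDriver = $null
    }

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; report that instead of failing.
    try { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = 'N/A (legacy BIOS)' }

    # TPM presence and readiness, if the TrustedPlatformModule module is available.
    try {
        $tpm = Get-Tpm
        $result.TpmPresent = $tpm.TpmPresent
        $result.TpmReady   = $tpm.TpmReady
    }
    catch { $result.TpmPresent = 'N/A' }

    # BitLocker status of the system drive ("FullyEncrypted" means BitLocker is in use).
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $result.BitLockerSystem = $vol.VolumeStatus
    }
    catch { $result.BitLockerSystem = 'N/A' }

    # VeraCrypt registers its kernel driver as a service; the name 'veracrypt' is an assumption.
    # A running driver shows VeraCrypt is installed; system encryption itself is confirmed in VeraCrypt.
    $svc = Get-Service -Name 'veracrypt' -ErrorAction SilentlyContinue
    $result.VeraCryptDriver = if ($svc) { $svc.Status } else { 'not installed' }

    [pscustomobject]$result
}

# Usage: print the report and warn on the two states this guide cares about.
$status = Get-BootSecurityStatus
$status | Format-List

if ($status.SecureBoot -ne $true) {
    Write-Warning 'Secure Boot is off or unavailable (expected if VeraCrypt required disabling it).'
}
if ($status.BitLockerSystem -ne 'FullyEncrypted' -and $status.VeraCryptDriver -ne 'Running') {
    Write-Warning 'System drive is not BitLocker-encrypted and the VeraCrypt driver is not loaded.'
}
```

The script changes nothing; it only reads state, so it is safe to rerun after every BIOS or VeraCrypt change to make sure a firmware reset or a reinstall has not silently undone the settings.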

For Linux users reading this, you'll want to set up LUKS encryption. And make sure to add nukes. It looks hard, but I promise it isn't. After your device is encrypted with LUKS, use this command to add "delete everything" passwords:

cryptsetup luksAddNuke /dev/sda5

What are nukes? Just like before with the secure erase password, these are special passwords that will wipe your encryption headers when typed in. My Kali install is using all 8 keyslots. I have one really long and complicated password that will unlock my device. I have seven more passwords that will delete everything. Make sure to put the letter "A" as a nuke, and "AAAAAAAA", as this will help ensure that brute-force attempts destroy your data. For the five remaining keyslots, I use passwords that I have previously used, so that an attacker who has been following me is likely to try one of them to see if I have re-used the password.

I'm not sure what options are available for a Mac, as I don't use them.

Hardening Windows

So now we focus on the actual Windows installation itself. Here we try to make it harder to break into.

The very first thing you need to do is reinstall your OS. I get it, that probably sounds pretty cumbersome, but I do it once or twice a year and it's not nearly as bad as it seems. Besides, if you're already compromised before we begin then this won't do you any good.

So now you have a fresh installation, and you made sure to turn off all the spying stuff when you were installing it. Once you have Windows fully loaded and running, we're going to want to get rid of all the bloatware. To do this, we will use a tool called Decrap My Computer. This will go through and get rid of all the software that's been added on top of Windows. Then of course you're going to want to use some of the many programs that help stop the spying telemetry.

There is a really nice website that has a walkthrough showing you how you should have your Windows installation set up. I'm not going to lie, it's long and tedious, but if you're serious about this you should give it a shot. Maybe at some point somebody can automate it. The trick is balancing security with usability. This mainly comes down to things like disabling services, setting very strict firewall rules (whitelist mode, not blacklist), and running everything in sandboxes. It does mention a few programs you should check out, but really the ones I would recommend are MBAE, Sandboxie, and a good antivirus. Also, if your antivirus doesn't have a built-in firewall, you'll definitely want to get one.
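"Whitelist mode, not blacklist" is the one firewall point above that is worth spelling out, because the built-in Windows firewall defaults to allowing all outbound traffic. The script below is an added example, not from the original post or any tool it mentions: it switches every Windows Defender Firewall profile to default-deny in both directions, keeps the two services a machine needs to get an address and resolve names, and then allows only the programs you list. It uses the Set-NetFirewallProfile, New-NetFirewallRule and Get-NetFirewallRule cmdlets that ship with Windows 10 and must be run from an elevated PowerShell. The Firefox path in the default list is an assumed example; replace it with the programs you actually use.

```powershell
# Added example (not from the original post): outbound whitelist mode for Windows Defender Firewall.
# Run from an elevated PowerShell on Windows 10. Program paths below are assumptions.

function Add-WhitelistRule {
    # Creates an outbound allow rule once; rerunning the script does not duplicate it.
    param([string]$Name, [hashtable]$RuleArgs)
    if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Allow -Profile Any @RuleArgs | Out-Null
    }
}

function Set-OutboundWhitelistFirewall {
    param(
        # Programs allowed to reach the network; everything not listed is blocked outbound.
        [string[]]$AllowedPrograms = @(
            "$env:ProgramFiles\Mozilla Firefox\firefox.exe"   # assumed path, edit to taste
        )
    )

    # Every profile on, default-deny both ways, and log blocked packets for troubleshooting.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block `
        -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

    # Minimum the OS needs: DHCP to get an address, DNS to resolve names.
    Add-WhitelistRule -Name 'Whitelist: DHCP client' -RuleArgs @{ Service = 'Dhcp';     Protocol = 'UDP'; RemotePort = 67 }
    Add-WhitelistRule -Name 'Whitelist: DNS client'  -RuleArgs @{ Service = 'Dnscache'; Protocol = 'UDP'; RemotePort = 53 }

    # One rule per whitelisted program.
    foreach ($exe in $AllowedPrograms) {
        Add-WhitelistRule -Name "Whitelist: $(Split-Path $exe -Leaf)" -RuleArgs @{ Program = $exe }
    }
}

function Get-OutboundWhitelistReport {
    # Shows the profile defaults and the rules this script created, so you can verify the result.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
    Get-NetFirewallRule -DisplayName 'Whitelist: *' | Select-Object DisplayName, Direction, Action, Enabled
}

# Usage
Set-OutboundWhitelistFirewall
Get-OutboundWhitelistReport
```

This is exactly where the usability trade-off bites: after running it, anything not on the list, Windows Update and your antivirus updater included, will fail to connect until you add a rule for it, and the blocked-packet log named above is how you find out which program was denied. Adding programs one at a time as they are found in that log is the whitelist discipline the guide is asking for.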
