Windows security: How to protect your home and small business PCs

When it comes to digital security at home and in your small business, you’re on your own. Large businesses typically have dedicated IT staff tasked with ensuring the security of a corporate network and preventing outsiders from stealing data or planting ransomware. You have … yourself.

The worst time to start thinking about security for the PCs on your network is after you’ve experienced a catastrophic incident. The best time is right now, which is why we’ve assembled this guide.

Following the steps I lay out here should help you understand which security issues are most important and, based on that knowledge, establish a security baseline. This isn’t a set-it-and-forget-it task, unfortunately. Online attackers are determined, and the threat landscape is constantly evolving. Maintaining effective security requires continued vigilance and ongoing effort.

Does that sound overwhelming? Maintaining effective security shouldn’t take an excessive amount of time. Spend a few minutes each week reviewing Windows Security to ensure that no red or yellow indicators have appeared, and do a more comprehensive review each month after the Patch Tuesday updates.  

In this guide, I cover more than just the Windows device itself, because many of the threats come from outside. To stay secure, you need to pay close attention to network traffic, email accounts, authentication mechanisms, and unsophisticated users.

This article focuses primarily on the needs of PC owners managing Windows PCs in a home or small business environment, without full-time IT staff. For installations where you’re required to connect to a business network, you’ll need to coordinate your personal security configuration with corporate policies. In some cases, device management policies will prevent you from adjusting some settings.

I’ve also provided guidance to help you understand the differences between Windows 10 and Windows 11, as well as the different editions available for both operating systems (Home, Pro, Enterprise, Education). We know there are still lots of PCs running Windows 10 out there, many of which don’t meet the system requirements to upgrade to Windows 11.

Before you touch a single Windows setting, though, take some time for a threat assessment. In particular, be aware of your legal and regulatory responsibilities in the event of a data breach or other security-related event. Even small businesses can be subject to compliance requirements; if that applies to you, consider hiring a specialist who knows your industry and can ensure that your systems meet all applicable requirements.

A yellow exclamation point or red checkmark means you need to resolve the security issue.

Screenshot by Ed Bott/ZDNET

In Windows 10, Microsoft introduced the Windows Security app, which consolidates security settings and status information into a single location. The Windows 11 version of this app follows the same basic design but adds some features specific to newer hardware. Regardless of which operating system is in use, this app should be a regular part of your security monitoring.

From this starting point, you can inspect (and adjust) settings for antivirus and antimalware software, device security, firewall and network protection, and other crucial security options. Green checkmarks indicate there are no issues that need immediate attention. Yellow and red icons indicate security issues that need to be addressed.

When visiting an app like this, the natural temptation is to click every category and turn on every option you see. Resist that urge, especially in the App & Browser Control > Exploit Protection section. Changes you make here can have unintended consequences in everyday activities, especially with older apps. The default settings should be adequate for most systems. If you choose to make changes here, do so gradually, and don’t make any additional changes until you’re certain that the previous adjustments worked as expected.

The single most important security setting for any Windows PC is ensuring that updates are being installed on a regular, predictable schedule. That’s true of every modern computing device, of course, but the “Windows as a service” model that Microsoft introduced with Windows 10 changes the way you manage updates.

Before you begin, though, it’s important to understand the different types of Windows updates and how they work.

  • Quality updates are delivered monthly through Windows Update on the second Tuesday of each month. They address security and reliability issues and do not include new features. (These updates also include patches for microcode flaws in Intel processors.) For particularly severe security issues, Microsoft might choose to release an out-of-band update that is not tied to the normal monthly schedule. 

All quality updates are cumulative, so you no longer have to download dozens or even hundreds of updates after performing a clean install of Windows. Instead, you can install the latest cumulative update and you will be completely up to date.

  • Feature updates are the equivalent of what used to be called version upgrades. They include new features and require a multi-gigabyte download and a full setup. Windows 10, which is rapidly nearing its end-of-support deadline, no longer receives feature updates. For Windows 11, Microsoft’s current policy is to release one feature update per year, in the second half of the year. Feature updates are delivered through Windows Update and are not installed automatically unless the current version has reached the end of its support lifecycle.

By default, modern Windows devices download and install quality updates as soon as they’re available on Microsoft’s update servers. Unless an administrator blocks this action, individual users can pause all updates for up to five weeks, one week at a time.

As with all security decisions, choosing when to install updates involves a trade-off. Installing updates immediately after they’re released offers the best protection; deferring updates makes it possible to minimize unscheduled downtime associated with those updates.

On devices running Windows Pro, Enterprise, and Education editions, administrators can defer installation of quality updates by up to 30 days after their release. You can also delay feature updates on these editions by as much as 365 days. On devices running Windows Home edition, there’s no supported way to specify exactly when these updates are installed.

Deferring quality updates by 7 to 15 days is a low-risk way of avoiding the possibility of installing a flawed update that can cause stability or compatibility problems. You can adjust Windows Update for Business settings on individual PCs by using the Local Group Policy Editor (Gpedit.msc); the settings you need are available under Local Computer Policy > Administrative Templates > Windows Components > Windows Update.
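The deferral described above can be audited and set on a single Pro, Enterprise or Education PC without opening Gpedit.msc. This is an added example, not code from the article; it writes the same registry policy values that the "Select when Quality Updates are received" and "Select when Preview Builds and Feature Updates are received" policies set, and the default of 10 days sits inside the 7-to-15-day window suggested above.

```powershell
# Added example: audit and set Windows Update for Business deferral policy.
# On Home edition these values are ignored, as the article notes, so the
# setter refuses to run there. Run from an elevated PowerShell session.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-UpdateDeferralPolicy {
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $values = if (Test-Path $PolicyKey) { Get-ItemProperty -Path $PolicyKey } else { $null }
    [pscustomobject]@{
        Edition                = $os.Caption
        IsHomeEdition          = $os.Caption -match 'Home'
        QualityDeferralEnabled = [bool]$values.DeferQualityUpdates
        QualityDeferralDays    = [int]$values.DeferQualityUpdatesPeriodInDays   # 0-30
        FeatureDeferralEnabled = [bool]$values.DeferFeatureUpdates
        FeatureDeferralDays    = [int]$values.DeferFeatureUpdatesPeriodInDays   # 0-365
    }
}

function Set-UpdateDeferralPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(0, 30)]  [int]$QualityDays = 10,
        [ValidateRange(0, 365)] [int]$FeatureDays = 180
    )
    if ((Get-UpdateDeferralPolicy).IsHomeEdition) {
        throw 'Windows Home does not honor Windows Update for Business deferral policies.'
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    $action = "defer quality updates $QualityDays days, feature updates $FeatureDays days"
    if ($PSCmdlet.ShouldProcess($PolicyKey, $action)) {
        Set-ItemProperty -Path $PolicyKey -Name DeferQualityUpdates             -Value 1            -Type DWord
        Set-ItemProperty -Path $PolicyKey -Name DeferQualityUpdatesPeriodInDays -Value $QualityDays -Type DWord
        Set-ItemProperty -Path $PolicyKey -Name DeferFeatureUpdates             -Value 1            -Type DWord
        Set-ItemProperty -Path $PolicyKey -Name DeferFeatureUpdatesPeriodInDays -Value $FeatureDays -Type DWord
    }
    Get-UpdateDeferralPolicy
}

# Show the current policy, then preview the change with -WhatIf before applying it.
Get-UpdateDeferralPolicy | Format-List
Set-UpdateDeferralPolicy -QualityDays 10 -FeatureDays 180 -WhatIf
```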

In larger organizations, administrators can apply Windows Update settings using Group Policy or mobile device management (MDM) software. You can also administer updates centrally by using a management tool such as System Center Configuration Manager or Windows Server Update Services.

Finally, your software update strategy shouldn’t stop at Windows itself. Make sure that updates for Windows applications, including Microsoft Office and Adobe applications, are installed automatically.

Microsoft sparked controversy with its decision to require a Microsoft account when setting up a PC with Windows 11 Home edition for the first time. I’ve also seen some online angst over the subsequent change in policy that extends that requirement to Windows 11 Pro machines set up for personal use. There are, of course, workarounds that allow you to bypass this restriction; for full details, see “Windows 11 setup: Which user account type should you choose?”

If you already have a personal Microsoft account tied to services like Microsoft 365 Home or Family or an Xbox Live account, signing in with a Microsoft account makes it easy to access your Office apps and OneDrive storage and online gaming.

Even if you have no Microsoft services, however, there’s a solid security benefit behind that design decision. Signing in with a Microsoft account on Windows 10 or Windows 11 automatically encrypts the contents of the system drive, and the recovery key is backed up to a secure location, accessible by signing in to that Microsoft account. That minimizes the risk that a forgotten password can lead to catastrophic data loss.

If you don’t use Microsoft services, feel free to create a brand-new Microsoft account on the fly, as part of the setup process, and use that new account exclusively for signing in to Windows. You get the benefits of full system disk encryption, multi-factor authentication, and (if you choose to use it) 5 GB of OneDrive storage, at no extra cost. Just think of it as a local account whose username has @outlook.com on the end.

If you’re still determined to use a local account, you can set up Windows using a throwaway Microsoft account first, and then make the switch to a local account. Just be aware that doing so means you’ll also have to find a different encryption option, and you won’t have any recovery mechanism if you forget your sign-in credentials.

With all that out of the way, do the following as well:

  • Set up multi-factor authentication for your Microsoft account. (You’ll find full instructions here: “How to lock down your Microsoft account and keep it safe from outside attackers.”)
  • Create standard accounts for other users (and even for yourself). Your primary account, by default, has administrator privileges. If other people (employees or family members) use the same PC, give them standard accounts that are unable to change system settings or install untrusted software without your approval. You can also give yourself a standard account for everyday use, but that’s a needless precaution that will simply force you to type in a password instead of clicking OK to a User Account Control dialog box.
  • Install a password manager and make sure all your online accounts have strong, unique login credentials.
  • Set up multi-factor authentication for online accounts wherever it’s available. (See “Multi-factor authentication: How to enable 2FA to boost your security”)

For PCs at home, set up children’s access using standard accounts and consider setting up the family safety features in Windows 10 and Windows 11. You can use those options to set authorized times for young people to be online and to help keep them from straying into unsavory corners of the internet. You’ll find all the links you need in the Windows Security app.

  1. Check the status of your TPM.
  2. Ensure that Secure Boot is enabled.
  3. Turn on Windows Hello, using biometric authentication if it’s available.

If the specification version says 2.0, the system meets the requirements for Windows 11.

Screenshot by Ed Bott/ZDNET

Microsoft’s hardware compatibility rules for Windows 11 upped the security game for PCs, although not without controversy. Previously, the governing principle for every new Windows version involved maximum backward compatibility, with even 10-year-old PCs being eligible to install the new operating system.

That all changed with Windows 11. For the first time ever, the official hardware specifications were (a) dramatically increased from the previous version and (b) applied not just to new hardware from PC makers but also to upgraders.

The biggest change is the requirement for a Trusted Platform Module (TPM) version 2.0, along with the requirement to enable Secure Boot (a feature that uses cryptographic signatures to ensure that a device boots with an operating system that hasn’t been tampered with). If you’re willing to make a few registry edits, you can upgrade to Windows 11 from Windows 10 at no charge on a PC with an older TPM version and an unsupported CPU. For details, see this Microsoft support document: “Ways to install Windows 11.”

From the Device Security page in the Windows Security app, you can check both of these settings. If you see entries for Security Processor and Secure Boot, you’re good to go. If one or both of those entries are missing, you’ll need to go into the device’s firmware settings to re-enable the setting. Although there are advanced configurations in which you might need to disable Secure Boot for troubleshooting purposes, it’s best to leave this setting alone.

Finally, set up a Windows Hello PIN and enable biometric authentication if your device has a fingerprint reader or an infrared camera that supports facial recognition.
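The three checks in this section can be scripted so you see the same facts the Device Security page shows. This is an added example, not code from the article; the biometric-device check is a heuristic I added (a device in the Biometric PnP class is a prerequisite for Windows Hello biometrics, not proof that Hello is configured), and the result field follows the article's baseline of TPM 2.0 plus Secure Boot enabled.

```powershell
# Added example: report TPM spec version, Secure Boot state and biometric hardware.
# The TPM WMI namespace and Confirm-SecureBootUEFI need an elevated session.
function Get-PlatformSecurityStatus {
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # SpecVersion is a comma-separated string such as "2.0, 0, 1.38"; the first
    # field is the specification version shown under Security Processor Details.
    $specVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # $null means "not applicable": legacy BIOS firmware, or the query was refused.
    $secureBoot = $null
    if ($env:firmware_type -eq 'UEFI') {
        try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $null }
    }

    # Heuristic (my addition): fingerprint readers and IR cameras enumerate in the
    # Biometric PnP class, which is what Windows Hello biometrics needs.
    $biometric = Get-CimInstance -ClassName Win32_PnPEntity -ErrorAction SilentlyContinue |
                 Where-Object PNPClass -eq 'Biometric'

    [pscustomobject]@{
        TpmPresent           = [bool]$tpm
        TpmSpecVersion       = $specVersion
        TpmReady             = if ($tpm) { [bool](Get-Tpm).TpmReady } else { $false }
        FirmwareType         = $env:firmware_type
        SecureBootOn         = $secureBoot
        BiometricDevices     = @($biometric | ForEach-Object Name)
        MeetsArticleBaseline = ($specVersion -eq '2.0') -and ($secureBoot -eq $true)
    }
}

$status = Get-PlatformSecurityStatus
$status | Format-List
if (-not $status.MeetsArticleBaseline) {
    Write-Warning 'TPM 2.0 and Secure Boot are not both in place; review the firmware settings.'
}
if ($status.BiometricDevices.Count -eq 0) {
    Write-Warning 'No biometric device found; Windows Hello will be limited to a PIN on this PC.'
}
```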

  1. Turn on BitLocker encryption for all data drives.
  2. Back up your encryption keys.
  3. Back up data files to the cloud.
  4. Back up critical data files to local storage.

Replacing a stolen laptop is inconvenient and expensive. Dealing with lost or stolen data is a nightmare. Physical security has its own challenges, but when it comes to keeping your data secure, you have two key goals:

  • Encrypt your data files. If your computer or storage device is stolen, the thief can’t access your files that are protected with robust encryption and a strong password.
  • Back up your data files. With a good backup plan, you can restore files that are lost or damaged (even if the cause is hardware failure) and get back to work with a minimum of downtime.

Those precautions are especially important for files containing sensitive personal or financial information for customers or clients. If you work in a regulated industry or you’re subject to data breach laws, the impact is even worse.

The single most important configuration change you can make is to enable BitLocker Device Encryption on the system drive and on all secondary drives, including USB flash drives. (BitLocker is the brand name that Microsoft uses for the encryption tools available in business editions of Windows. BitLocker features are identical on Windows 10 and Windows 11.)

With BitLocker enabled, every bit of data on the device is encrypted using the XTS-AES standard. BitLocker uses the Trusted Platform Module (TPM) chip to store the encryption keys.

The steps to turn on encryption features are different depending on which edition of Windows is installed:

  • Windows 10/11 Home: This edition supports strong device encryption, but only if you’re signed in with a Microsoft account. It doesn’t include the tools for managing BitLocker-encrypted drives.
  • Windows 10/11 Pro, Enterprise, or Education: These business editions provide full access to BitLocker management tools. For full management capabilities, you’ll need to set up BitLocker using an Active Directory account on a Windows domain or an Entra ID (formerly known as Azure Active Directory) account. On an unmanaged device running a business edition of Windows, you can set up BitLocker using a local account or a Microsoft account, but you’ll need to use the BitLocker Management tools to enable encryption on available drives.

It is crucial that you back up the recovery key for a BitLocker-encrypted drive. If you ever have to reinstall Windows or run into account problems, you’ll need that 48-digit number to access the data.

If you sign in with a Microsoft account, the BitLocker recovery key is saved in OneDrive by default. You can access it by signing in at onedrive.com/recoverykey. I recommend that you print a copy of that key and file it in a safe place, just in case.

On a managed PC using a domain or Entra ID account, the recovery key is saved in a location that is available to the domain or Entra ID administrator. On a personal device, you can use the Manage BitLocker app to save or print a copy of that recovery key.
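For an unmanaged PC running a business edition, the inventory and the recovery-key backup described above can be done in one pass. This is an added example, not code from the article; the output path is a placeholder for a drive you keep away from the PC, and the BitLocker cmdlets it uses exist only on Pro, Enterprise and Education editions, so it stops with a clear error on Home.

```powershell
# Added example: audit every BitLocker volume and save the 48-digit recovery
# passwords to a file (print it and file it, as the article recommends).
# Run from an elevated PowerShell session.
function Get-BitLockerAudit {
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        throw 'BitLocker management cmdlets are not available on this edition of Windows.'
    }
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType          # OperatingSystem or Data
            ProtectionStatus = $vol.ProtectionStatus    # On = encryption is enforced
            VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted, EncryptionInProgress, ...
            EncryptionMethod = $vol.EncryptionMethod    # XtsAes128 / XtsAes256 on current Windows
            Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
            RecoveryKeyCount = @($recovery).Count
            RecoveryPassword = ($recovery.RecoveryPassword -join ' | ')
        }
    }
}

function Export-BitLockerRecoveryKeys {
    param([Parameter(Mandatory)][string]$Path)   # placeholder, e.g. 'E:\bitlocker-keys.txt'
    $lines = foreach ($v in Get-BitLockerAudit | Where-Object RecoveryKeyCount -gt 0) {
        '{0} on {1}: {2}' -f $v.MountPoint, $env:COMPUTERNAME, $v.RecoveryPassword
    }
    # This file unlocks your drives: store it like a password, not like a note.
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    @($lines).Count
}

$audit = Get-BitLockerAudit
$audit | Format-Table MountPoint, VolumeType, ProtectionStatus, EncryptionMethod, Protectors, RecoveryKeyCount -AutoSize
$audit | Where-Object ProtectionStatus -ne 'On' |
    ForEach-Object { Write-Warning "$($_.MountPoint) is not protected by BitLocker." }
$audit | Where-Object { $_.ProtectionStatus -eq 'On' -and $_.RecoveryKeyCount -eq 0 } |
    ForEach-Object {
        Write-Warning "$($_.MountPoint) has no recovery password; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector."
    }
```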

Don’t forget to encrypt portable storage devices. USB flash drives, MicroSD cards used as expansion storage, and portable hard drives are easily lost, but the data can be protected from prying eyes with the use of BitLocker To Go, which uses a password to decrypt the drive’s contents. For details, see “Protect removable storage devices with BitLocker encryption.”

Finally, make sure that crucial data files are backed up to the cloud and to local storage (on an encrypted drive, naturally). This precaution can be invaluable if you suffer a disk crash, and it’s also excellent protection against ransomware attacks.

If you’re concerned about putting sensitive files in the cloud, encrypt those files using third-party software such as Boxcryptor. OneDrive offers a Personal Vault feature that requires extra verification to access files stored there; Dropbox has a similar feature called Dropbox Vault.

  1. Configure security software.
  2. Configure anti-spam protection.
  3. Manage which apps standard user accounts are allowed to run.

Security software is one layer in a defensive strategy designed to keep threats from ever reaching a PC. It’s no longer the most important layer, but it’s still crucial to have up-to-date security software.

Every installation of Windows 10 and Windows 11 includes built-in antivirus and anti-malware software, called Microsoft Defender Antivirus, which updates itself using the same mechanism as Windows Update. Microsoft Defender Antivirus is designed to be a set-it-and-forget-it feature and doesn’t require any manual configuration. If you install a third-party security package, Windows disables the built-in protection and allows that software to detect and remove potential threats.

To check the status of Microsoft Defender Antivirus, use the Virus & Threat Protection page in the Windows Security app. (You’ll find ransomware protection options under the Controlled Folder Access heading.)
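The weekly Defender check suggested earlier maps onto a few Defender cmdlets. This is an added example, not code from the article; the three-day signature-age threshold and the protected-folder path are my placeholders, and the running-mode field shows the passive state Defender enters when a third-party package takes over.

```powershell
# Added example: a Defender checkup that mirrors the Virus & Threat Protection
# page, including the ransomware protection (Controlled Folder Access) setting.
function Get-DefenderCheckup {
    param([int]$MaxSignatureAgeDays = 3)   # placeholder threshold
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    # EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled, 2 = Audit mode
    $cfaNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
    [pscustomobject]@{
        RunningMode        = $status.AMRunningMode    # 'Normal', or 'Passive Mode' when another AV is active
        RealTimeProtection = $status.RealTimeProtectionEnabled
        TamperProtected    = $status.IsTamperProtected
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeDays   = $status.AntivirusSignatureAge
        SignaturesStale    = $status.AntivirusSignatureAge -gt $MaxSignatureAgeDays
        QuickScanAgeDays   = $status.QuickScanAge
        ControlledFolders  = $cfaNames[[int]$pref.EnableControlledFolderAccess]
        ProtectedFolders   = @($pref.ControlledFolderAccessProtectedFolders)
    }
}

$check = Get-DefenderCheckup
$check | Format-List

# Stale signatures: pull the latest definitions over the same channel Windows Update uses.
if ($check.SignaturesStale) { Update-MpSignature }

# Ransomware protection: enable it only when Defender is the active engine. Start with
# AuditMode if older apps write to your data folders, then switch to Enabled once the
# event log shows no false positives.
$WorkFolder = 'D:\ClientFiles'   # placeholder path
if ($check.RunningMode -eq 'Normal' -and $check.ControlledFolders -ne 'Enabled') {
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    if (Test-Path $WorkFolder) { Add-MpPreference -ControlledFolderAccessProtectedFolders $WorkFolder }
}
```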

Large organizations that use Windows Enterprise edition can deploy Microsoft Defender for Endpoint, a security platform that monitors Windows 11 PCs and other managed devices using behavioral sensors. Using cloud-based analytics, these tools can identify suspicious behavior and alert administrators to potential threats.

For smaller businesses, the most important challenge is to prevent malicious code from reaching the PC in the first place. Microsoft’s SmartScreen technology is another built-in feature that scans downloads and blocks the execution of those that are known to be malicious. The SmartScreen technology also blocks unrecognized programs but allows the user to override those settings if necessary.

It’s worth noting that SmartScreen in Windows works independently of browser-based technology such as Google’s Safe Browsing service and the SmartScreen Filter service in Microsoft Edge.

On unmanaged PCs, SmartScreen is another feature that requires no manual configuration. You can adjust its configuration using the App & Browser Control settings in the Windows Security app.

Another crucial vector for managing potentially malicious code is email, where seemingly innocuous file attachments and links to malicious websites can result in infection. Although email client software can offer some protection in this regard, blocking these threats at the server level is the most effective way to prevent attacks on PCs.

An effective approach for preventing users with standard accounts from running unwanted programs (including malicious code) is to configure a Windows PC so it’s prevented from running any apps except those you specifically authorize. To adjust these settings on a single PC, go to Settings > Apps > Apps & Features; under the Choose Where To Get Apps heading, select The Microsoft Store Only. This setting allows previously installed apps to run, but prevents installation of any downloaded programs from outside the Store. (Note that many traditional desktop programs, including consumer favorites like VLC Media Player and iTunes, are now available from the Microsoft Store.)

  1. Use a hardware firewall.
  2. Leave the Windows firewall turned on.
  3. Protect your Wi-Fi network.

The gateway for your cable, fiber, DSL, or other wired internet connection should include a firewall feature that prevents outsiders from connecting to PCs that are on your internal network. Check the management interface for that device (access is typically through a web-based portal that connects to a private IP address like 192.168.1.1 or 10.0.0.1). Make sure those security features are enabled, and consider changing the default administrative credentials (admin/password is common) to something more secure.

Every version of Windows shipped in the past two decades has included a stateful inspection firewall. In Windows 10 and Windows 11, this firewall is enabled by default and doesn’t need any tweaking to be effective. The Windows firewall supports three different network configurations: Domain, Private, and Public. Apps that need access to network resources can generally configure themselves as part of the initial setup.

To adjust basic Windows firewall settings, use the Firewall & Network Protection tab in the Windows Security app. For a far more comprehensive, expert-only set of configuration tools, click Advanced Settings to open the legacy Windows Defender Firewall with Advanced Security console. On managed networks, these settings can be controlled through a combination of Group Policy and server-side settings.

From a security standpoint, the biggest network-based threats to a Windows PC arise when connecting to wireless networks. Large organizations can significantly improve the security of wireless connections by adding support for the 802.1X standard, which authenticates each user individually instead of relying on the shared password that WPA2 networks use. Windows 10 and Windows 11 will prompt for a username and password when attempting to connect to this type of network and will reject unauthorized connections. On networks that use a shared password, make sure that visitors connect to a separate guest network.

For times when you must connect using an untrusted wireless network, the best alternative is to set up a virtual private network (VPN). Both Windows 10 and Windows 11 support the most popular VPN packages used on corporate networks; to configure this type of connection, go to Settings > Network & Internet > VPN. Small businesses and individuals can choose from a variety of Windows-compatible third-party VPN services.
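The firewall profiles and the untrusted-wireless advice above come together in one check: confirm all three profiles are on with inbound traffic blocked by default, see which inbound allow rules would apply on a public network, and make sure any connection that is not one of your own networks is classed Public. This is an added example, not code from the article; the $TrustedNetworks list is a placeholder you fill with your own home or office network names.

```powershell
# Added example: audit and repair the Windows firewall profiles and classify
# the active network connections. Run from an elevated PowerShell session.
$TrustedNetworks = @('HomeOffice-WiFi', 'Office-LAN')   # placeholder names

function Get-FirewallAudit {
    foreach ($p in Get-NetFirewallProfile) {
        [pscustomobject]@{
            Profile        = $p.Name                   # Domain, Private or Public
            Enabled        = [bool]$p.Enabled
            InboundDefault = $p.DefaultInboundAction   # should be Block
            NotifyOnListen = [bool]$p.NotifyOnListen
        }
    }
}

function Repair-FirewallProfiles {
    # Re-enable any profile that was switched off and restore the inbound default of Block.
    Get-FirewallAudit | Where-Object { -not $_.Enabled -or $_.InboundDefault -ne 'Block' } |
        ForEach-Object { Set-NetFirewallProfile -Profile $_.Profile -Enabled True -DefaultInboundAction Block }
}

function Get-PublicInboundAllowRules {
    # Inbound allow rules scoped to Public (or Any) are the ones reachable from untrusted Wi-Fi.
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object { $_.Profile -match 'Public|Any' } |
        Select-Object DisplayName, Profile, Group
}

function Set-UntrustedNetworksPublic {
    foreach ($conn in Get-NetConnectionProfile) {
        if ($conn.NetworkCategory -eq 'DomainAuthenticated') { continue }   # managed by the domain
        $wanted = if ($TrustedNetworks -contains $conn.Name) { 'Private' } else { 'Public' }
        if ($conn.NetworkCategory -ne $wanted) {
            Set-NetConnectionProfile -InterfaceIndex $conn.InterfaceIndex -NetworkCategory $wanted
        }
    }
    Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
}

Get-FirewallAudit | Format-Table -AutoSize
Repair-FirewallProfiles
Get-PublicInboundAllowRules | Format-Table -AutoSize
Set-UntrustedNetworksPublic | Format-Table -AutoSize
```

Review the inbound allow list with the Public profile in mind: each entry is a service that other devices on a coffee-shop network could reach.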
