Securing Windows 10 PCs: What to watch out for Watch Now

It is tempting to think that the process of securing a Windows 10 device can be reduced to a simple checklist. Install some security software, adjust a few settings, hold a training session or two, and you can move on to the next item on your to-do list.

Alas, the real world is far more complicated than that.



There is no software magic bullet, and your initial setup simply establishes a security baseline. After that initial configuration is complete, security requires continued vigilance and ongoing effort. Much of the work of securing a Windows 10 device happens away from the device itself. A well-planned security policy pays attention to network traffic, email accounts, authentication mechanisms, management servers, and other external connections.

This guide covers a broad spectrum of business use cases, with each heading discussing an issue that decision makers must consider when deploying Windows 10 PCs. And although it covers many options that are available, this is not a hands-on guide.

In a large business, your IT staff should include security specialists who can manage these steps. In a small business without dedicated IT staff, outsourcing these responsibilities to a consultant with the necessary expertise might be the best approach.

Before you touch a single Windows setting, though, take some time for a threat assessment. In particular, be aware of your legal and regulatory responsibilities in the event of a data breach or other security-related event. For businesses that are subject to compliance requirements, you'll want to hire a specialist who knows your industry and can ensure that your systems meet all applicable requirements.

The following categories apply to businesses of all sizes.

Managing security updates

The single most important security setting for any Windows 10 PC is ensuring that updates are being installed on a regular, predictable schedule. That's true of every modern computing device, of course, but the "Windows as a service" model that Microsoft introduced with Windows 10 changes the way you manage updates.

See also: Here's how Microsoft can fix its Windows 10 update issues

Before you begin, though, it's important to understand about the different types of Windows 10 updates and how they work.

Quality updates are delivered monthly through Windows Update on the second Tuesday of each month. They address security and reliability issues and do not include new features. (These updates also include patches for microcode flaws in Intel processors.) For particularly severe security issues, Microsoft might choose to release an out-of-band update that is not tied to the normal monthly schedule.



All quality updates are cumulative, so you no longer have to download dozens or even hundreds of updates after performing a clean install of Windows 10. Instead, you can install the latest cumulative update and you will be completely up to date.



Feature updates are the equivalent of what used to be called version upgrades. They include new features and require a multi-gigabyte download and a full setup. Windows 10 feature updates are released twice a year, typically in April and October, and are made available through Windows Update. They are not installed automatically unless the current Windows 10 version has reached the end of its support lifecycle.



See also: FAQ: How to manage Windows 10 updates

By default, Windows 10 devices download and install quality updates as soon as they're available on Microsoft's update servers. On devices running Windows 10 Home, there's no supported way to specify exactly when these updates are installed, although it's possible for individual users to pause all updates for up to 7 days. On PCs running business editions of Windows 10 (Pro, Enterprise, or Education), users can pause all updates for up to 35 days, and administrators can use Group Policy settings to defer installation of quality updates on PCs by up to 30 days after their release.

As with all security decisions, choosing when to install updates involves a trade-off. Installing updates immediately after they're released offers the best protection; deferring updates makes it possible to minimize unscheduled downtime associated with those updates.

Using the Windows Update for Business features built into Windows 10 Pro, Enterprise, and Education editions, you can defer installation of quality updates by up to 30 days. You can also delay feature updates by as much as two years, depending on the edition.

Also: Windows 10 Enterprise customers will now get Linux-like support

Deferring quality updates by 7 to 15 days is a low-risk way of avoiding the possibility of installing a flawed update that can cause stability or compatibility problems. You can adjust Windows Update for Business settings on individual PCs using the controls in Settings > Update & Security > Advanced Options.

In larger organizations, administrators can apply Windows Update for Business settings using Group Policy or mobile device management (MDM) software. You can also administer updates centrally by using a management tool such as System Center Configuration Manager or Windows Server Update Services.

Finally, your software update strategy shouldn't stop at Windows itself. Make sure that updates for Windows applications, including Microsoft Office and Adobe applications, are installed automatically.

Identity and user account management

Every Windows 10 PC requires at least one user account, which is in turn protected by a password and optional authentication mechanisms. How you set up that account (and any secondary accounts) goes a long way toward ensuring the security of the device.

Devices that are running a business edition of Windows 10 can be joined to a Windows domain. In that configuration, domain administrators have access to the Active Directory features and can authorize users, groups, and computers to access local and network resources. If you're a domain administrator, you can manage Windows 10 PCs using the full set of server based Active Directory tools.

For Windows 10 PCs that are not joined to a domain, as is the case in most small businesses, you have a choice of three account types:

Local accounts use credentials that are stored only on the device.



use credentials that are stored only on the device. Microsoft accounts are free for consumer use and allow syncing of data and settings across PCs and devices; they also support two-factor authentication and password recovery options.



are free for consumer use and allow syncing of data and settings across PCs and devices; they also support two-factor authentication and password recovery options. Azure Active Directory (Azure AD) accounts are associated with a custom domain and can be centrally managed. Basic Azure AD features are free and are included with Microsoft 365 and Office 365 Business and Enterprise subscriptions; additional Azure AD features are available as paid upgrades.



The first account on a Windows 10 PC is a member of the Administrators group and has the right to install software and modify the system configuration. Secondary accounts can and should be set up as Standard users to prevent untrained users from inadvertently damaging the system or installing unwanted software.

Requiring a strong password is an essential step regardless of account type. On managed networks, administrators can use Group Policy or MDM software to enforce an organization password policy.

To increase the security of the sign-in process on a specific device, you can use a Windows 10 feature called Windows Hello. Windows Hello requires a two-step verification process to enroll the device with a Microsoft account, an Active Directory account, an Azure AD account, or a third-party identity provider that supports FIDO version 2.0.

When that enrollment is complete, the user can sign in using a PIN or, with supported hardware, biometric authentication such as a fingerprint or facial recognition. The biometric data is stored on the device only and prevents a variety of common password-stealing attacks. On devices connected to business accounts, administrators can use Windows Hello for Business to specify PIN complexity requirements.

Finally, when using Microsoft or Azure AD accounts on business PCs, you should set up multi-factor authentication (MFA) to protect the account from external attacks. On Microsoft accounts, the Two-step Verification setting is available at https://account.live.com/proofs. For Office 365 Business and Enterprise accounts, an administrator must first enable the feature from the Office portal, after which users can manage MFA settings by signing in at https://account.activedirectory.windowsazure.com/proofup.aspx.

Data protection

Physical security is every bit as important as issues related to software or networks. A stolen laptop, or one left behind in a taxi or a restaurant, can lead to significant risk of data loss. For a business or a government agency, the impact can be disastrous, and the consequences are even worse in regulated industries or where data breach laws require public disclosure.

On a Windows 10 device, the single most important configuration change you can make is to enable BitLocker device encryption. (BitLocker is the brand name that Microsoft uses for the encryption tools available in business editions of Windows.)

Also: Windows 10 Expert's Guide: Everything you need to know about BitLocker

With BitLocker enabled, every bit of data on the device is encrypted using the XTS-AES standard. Using Group Policy settings or device management tools, you can increase the encryption strength from its default 128-bit setting to 256-bit.

Enabling BitLocker requires a device that includes a Trusted Platform Module (TPM) chip; every business PC manufactured in the past six years should qualify in this regard. In addition, BitLocker requires a business edition of Windows 10 (Pro, Enterprise, or Education); the Home edition supports strong device encryption, but only with a Microsoft account, and it doesn't allow management of a BitLocker device.

For full management capabilities, you'll also need to set up BitLocker using an Active Directory account on a Windows domain or an Azure Active Directory account. In either configuration, the recovery key is saved in a location that is available to the domain or AAD administrator.

On an unmanaged device running a business edition of Windows 10, you can use a local account, but you'll need to use the BitLocker Management tools to enable encryption on available drives.

And don't forget to encrypt portable storage devices. USB flash drives. MicroSD cards used as expansion storage, and portable hard drives are easily lost, but the data can be protected from prying eyes with the use of BitLocker To Go, which uses a password to decrypt the drive's contents.

Also: Windows 10 tip: Protect removable storage devices with BitLocker encryption

In large organizations that use Azure Active Directory, it's also possible to protect the contents of stored files and email messages using Azure Information Protection and the Azure Rights Management service. That combination allows administrators to classify and restrict access to documents created in Office and other applications, independent of their local encryption status.

Blocking malicious code

As the world has become more connected and online attackers have become more sophisticated, the role of traditional antivirus software has changed. Instead of being the primary tool for blocking the installation of malicious code, security software is now just another layer in a defensive strategy.

Every installation of Windows 10 includes built-in antivirus, anti-malware software called Microsoft Defender Antivirus (formerly Windows Defender), which updates itself using the same mechanism as Windows Update. Microsoft Defender Antivirus is designed to be a set-it-and-forget-it feature and doesn't require any manual configuration. If you install a third-party security package, Windows disables the built-in protection and allows that software to detect and remove potential threats.

Large organizations that use Windows Enterprise edition can deploy Microsoft Defender Advanced Threat Protection, a security platform that monitors endpoints such as Windows 10 PCs using behavioral sensors. Using cloud-based analytics, Microsoft Defender ATP can identify suspicious behavior and alert administrators to potential threats.

Also: Microsoft: Improved security features are delaying hackers from attacking Windows users

For smaller businesses, the most important challenge is to prevent malicious code from reaching the PC in the first place. Microsoft's SmartScreen technology is another built-in feature that scans downloads and blocks execution of those that are known to be malicious. The SmartScreen technology also blocks unrecognized programs but allows the user to override those settings if necessary.

It's worth noting that SmartScreen in Windows 10 works independently of browser-based technology such as Google's Safe Browsing service and the SmartScreen Filter service in Microsoft Edge.

On unmanaged PCs, SmartScreen is another feature that requires no manual configuration. You can adjust its configuration using the App & Browser Control settings in the Windows Security app in Windows 10.

Another crucial vector for managing potentially malicious code is email, where seemingly innocuous file attachments and links to malicious websites can result in infection. Although email client software can offer some protection in this regard, blocking these threats at the server level is the most effective way to prevent attacks on PCs.

An effective approach for preventing users from running unwanted programs (including malicious code) is to configure a Windows 10 PC from running any apps except those you specifically authorize. To adjust these settings on a single PC, go to Settings > Apps > Apps & Features; under the Installing Apps heading, choose Allow Apps From The Store Only. This setting allows previously installed apps to run, but prevents installation of any downloaded programs from outside the Microsoft Store.

Also: Windows 10 tip: Keep unwanted software off PCs you support

Administrators can configure this setting over a network using Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure App install Control.

The most extreme approach for locking down a Windows 10 PC is to use the Assigned Access feature to configure the device so that it can run only a single app. If you choose Microsoft Edge as the app, you can configure the device to run in full-screen mode locked to a single site or as a public browser with a limited set of features.

To configure this feature, go to Settings > Family & Other Users and click Assigned Access. (On a PC connected to a business account, this option is under Settings > Other Users.)

Must read

Networking

Every version of Windows in the past 15 years has included a stateful inspection firewall. In Windows 10, this firewall is enabled by default and doesn't need any tweaking to be effective. As with its predecessors, the Windows 10 firewall supports three different network configurations: Domain, Private, and Public. Apps that need access to network resources can generally configure themselves as part of initial setup.

To adjust basic Windows firewall settings, use the Firewall & Network Protection tab in the Windows Security app. For a far more comprehensive, expert-only set of configuration tools, click Advanced Settings to open the legacy Windows Defender Firewall with Advanced Security console. On managed networks, these settings can be controlled through a combination of Group Policy and server-side settings.

Also: Windows RDP flaw: 'Install Microsoft's patch, turn on your firewall'

From a security standpoint, the biggest network-based threats to a Windows 10 PC arise when connecting to wireless networks. Large organizations can significantly improve the security of wireless connections by adding support for the 802.1x standard, which uses access controls instead of shared passwords as in WPA2 wireless networks. Windows 10 will prompt for a username and password when attempting to connect to this type of network and will reject unauthorized connections.

On Windows domain-based networks, you can use the native DirectAccess feature to allow secure remote access.

For times when you must connect using an untrusted wireless network, the best alternative is to set up a virtual private network (VPN). Windows 10 supports most popular VPN packages used on corporate networks; to configure this type of connection, go to Settings > Network & Internet > VPN. Small businesses and individuals can choose from a variety of Windows-compatible third-party VPN services.

Also: VPN services: The ultimate guide to protecting your data on the internet

Previous and related coverage:

How to install, reinstall, upgrade and activate Windows 10

Here's everything you need to know before you repair, reinstall, or upgrade Windows 10, including details about activation and product keys.

After Windows 10 upgrade, do these seven things immediately

ou've just upgraded to the most recent version of Windows 10. Before you get back to work, use this checklist to ensure that your privacy and security settings are correct and that you've cut annoyances to a bare minimum.

How to upgrade from Windows 10 Home to Pro for free

You've got a new PC running Windows 10 Home. You want to upgrade to Windows 10 Pro. Here's how to get that upgrade for free. All you need is a Pro/Ultimate product key from an older version of Windows.

Related stories: