2.2.

USER ACCOUNT PASSWORD

Password-protecting your and all other user accounts and using unique user accounts for each
person accessing the computer are basic security requirements.

2.2.1. HOW TO CHECK IF YOUR WINDOWS ACCOUNT IS PASSWORD PROTECTED

Step 1. Press + L. which is the shortcut to lock your screen. If you have a password on your
user account you will need to enter it here. If you do not have a password you will be able to
access your desktop again without entering a password.

Note: The Windows key is a key located on most windows computers between the Ctrl and Alt
keys, it should either have a or icon on it.

Figure 1: Windows lock screen with password-protected user account

2.2.2. HOW TO PASSWORD-PROTECT A WINDOWS USER ACCOUNT

Step 1. Click to open the Windows Start menu then click to

open the settings panel.
Step 2. Click [Accounts] then select [Sign-in options] from the left-hand menu.

Figure 1: Account sign-in page when there is no user password set

Step 3. Click [ADD] to add a new password.

Step 4. Enter your new password under New password and Reenter password. Be mindful that
you do not reveal too much about your password in the Password hint field.
Figure 2: Windows account password creation screen

Step 5. Click [Next] to apply your new password. Revisit this process if you wish to change your
password.

2.2.3. HOW TO ADD NEW WINDOWS USER ACCOUNTS OR A GUEST ACCOUNT

To add new Windows user accounts or a guest account, follow the steps below:

Step 1. Select [Accounts] through your Settings menu.

Figure 1: Selecting Accounts through the Windows Settings menu

Step 2. Select the [Family & other users] tab on the left side of the Account Settings window.

Figure 2: Family & other users tab of the Account Settings window

Step 3. Click the plus sign next to [Add someone else to this PC] under Other users.

Step 4. Through the following window, click on the [I don't have this person's sign-in information]
link.
Figure 3: Adding a new user account without sign-in information

Step 5. Click the [Add a user without a Microsoft account] link through the following window.
Figure 4: Adding a user without a Microsoft account

Step 6. Type the user name for the new account under the Who's going to use this PC? section.
Figure 5: Adding account information for the new user

Step 7. Type the password for the new account under the Make it secure section.

Step 8. Re-type the password for the new account under the section under it.

Step 9. Type something in the last section which will help you remember the password, if you
ever forget or lose it.

Step 10. Click [Next] to proceed.

If you return to the Family & other users section of your Account Settings, you will see the new
user account that you have just created.

Figure 6: New user account created

2.3. SCREEN LOCK

To prevent third parties from physically accessing your computer, you should be able to lock
access to your machine when you are not working on it and the screen should automatically
lock itself after a period of inactivity. The sections below explain how you can do so.

2.3.1. HOW TO SET A TIME-OUT SCREEN LOCK WHEN YOUR COMPUTER IS INACTIVE
If you step away from your computer and forget to lock your screen, your computer should
automatically lock itself after several minutes of inactivity.

Step 1. Click the Start button and search for Change screen saver

Step 2. Select On resume, display logon screen to activate the screen lock timeout.

Step 3. Set the number of minutes of inactivity your computer should wait before locking the
screen. We suggest a fairly short time period such as 3 minutes.
Figure 1: Screen saver settings page with preferred settings

Step 4. Click [OK] to apply the screen saver settings.

3. SECURITY
3.1. SYSTEM UPDATES [WINDOWS 7 - 8.1]
Windows 10 automatically downloads and installs Windows updates for you, keeping you
protected against the latest software exploitation. This section of the guide is for Windows Visa,
7, 8, and 8.1 users.

Step 1. Click the Start button and search for Windows Update.
Step 2. Your operating system may not be automatically updating itself. If automatic updates are

disabled you will see the below screen. Click to activate

automatic updates.

Figure 1: Windows 7 Windows Update screen with automatic updating disabled

Step 3. Click [Change Settings] from the Windows Update side panel.

Step 4. Change the time under Install new updates: Every day at 3:00 AM to a daytime hour
such as 5:00 PM.

Step 5. Check the check boxes next to Give me recommended updates the same way I receive
important updates, Allow all users to install updates on this computer, and Give me updates for
Microsoft products and check for new optional Microsoft software when I update Windows.
These settings will improve the frequency and ease of updates and also update Microsoft Office
suite products which are also frequent targets for software exploitations.
Figure 2: Windows 7 Update screen

Step 6. Click [OK] to save your update settings.

3.2. WINDOWS FIREWALL

Ensuring that your system's firewall is turned on at all times is essential, as it is designed to
protect your operating system from unauthorised access to your computer through the Internet
based on a set of predetermined security rules.

To turn on your Windows firewall or to check that it is on, follow the steps below:

Step 1. Type Firewall in your system's search panel to find the Windows Firewall Control Panel.
Figure 1: Searching for Windows Firewall

Step 2. Click on the [Turn Windows Firewall on or off] link.

Figure 2: Windows Firewall Control Panel

Step 3. Select the [Turn on Windows Firewall] option under Private network settings (if it's not
already selected).
Figure 3: Turning the Windows Firewall on

Step 4. Select the [Turn on Windows Firewall] option under Public network settings (if it's not
already selected).

3.3. REMOVING BLOATWARE

Many PC manufacturers include additional software with Windows when you purchase a new
computer. These manufacturers are paid by the software vendors to include this software and
the bundled software may not benefit and may even harm the interest of the consumer. One
high profile case was the Superfish adware pre-installed on Lenovo computers which actively
broke internet security processes in order to serve advertisements to users.

Such software is known as bloatware: software which bloats your computer. Best practice is to
install a fresh copy of Windows on a new computer using a disk provided by Microsoft, however
this may often be impractical or expensive. The next best option is to uninstall the extra software
that comes with your computer.
Step 1. Click the Start button and search for Add or Remove Programs.

Step 2. Review your installed programs. If you have a new computer this will be simpler than if
you have been using it for long with many additional software installed. Look for programs you
do not recognise and especially for programs not made by Microsoft. If you do not recognise a
program try to research it online to understand its function and reputation. Also beware of
software without a publisher name, meaning the software is not signed by a recognised
software company.

Step 3. If you identify programs you would like to remove, click on it then click Uninstall and
follow the program-specific uninstallation instructions.

4. AVOIDING MALWARE ON WINDOWS

4.1. WINDOWS SMARTSCREEN
The Microsoft Windows operating system includes SmartScreen, which is designed to protect
users from malware and phishing attacks by scanning URLs accessed by the user against a
blacklist of websites containing known threats.

To configure SmartScreen, follow the steps below:

Step 1. Type Control Panel in your system search panel on the bottom of the screen, click on it
to open Control Panel.

Step 2. Click [System and Security] and then [Security and Maintenance] to open window below.
In this window click the [Change Windows SmartScreen settings] link on the left side of the
window.
Figure 1: Security and Maintenance window

Step 2. Select the [Get administrator approval before running an unrecognised app from the
Internet (recommended)] option to use SmartScreen protection against malicious URLs. Or
select [Warn before running an unrecognised app] if your system does not offer previous option.
Figure 3: Enabling Windows SmartScreen

4.2. WINDOWS DEFENDER

Windows Defender is software designed to detect and remove malware and it is built in
Windows operating systems.

To scan your computer for malware with Windows Defender, follow the steps below:

Step 1. Through your control panel, select [System and Security].

Step 2. Open the [Security and Maintenance] window.

Figure 1: Security and Maintenance window

Step 3. Click [Scan now] under the Security section to begin scanning your computer with
Windows Defender for malware.
Figure 2: Scanning a computer with Windows Defender

This will display whether your PC is being protected.

Figure 3: PC status following Windows Defender scan

Step 4. For a full scan, select [Full] and click [Scan now].

Step 5. Click [Update] to ensure that your virus and spyware definitions are automatically
updated to help protect your PC.
Figure 4: Virus and spyware definitions

4.3. HOW TO MAKE FILE EXTENSIONS VISIBLE TO AVOID BEING TRICKED BY MALWARE
File extensions are a part of the names of files which tell the operating system which type of file
it is and what process or application to use to open it. For instance for the file While My Guitar
Gently Weeps.mp3 the .mp3 portion of the name tells the computer that it is an MP3 music file
and can be opened by your default music player. By default Windows will hide these extensions,
and some malware exploits this setting by attempting to makes its files appear to be a different
type than it actually is. To mitigate this threat, you can change Windows settings to view file
extensions, and optionally to view hidden files and operating system files where viruses also
sometimes hide.

4.4. HOW TO VIEW FILE EXTENSIONS

Step 1. Open the File Explorer .

Step 2. Click the View menu tab and then click Options
Figure 1: Windows 10 File Explorer View tab

Step 3. Click the View tab.

Figure 2: Windows 10 Folder Options View tab

Step 4. Uncheck the box next to [Hide extensions for known file types].

Step 5. Click [OK].

Note: Notice now that file extensions will be visible on all files. Beware of files which are
presented to you as being media or office documents but which have extensions for an
unrelated file type such as .EXE, .MSI, or .BAT.
Figure 3: Files with extensions visible including an example potentially malicious file

4.5. HOW TO VIEW HIDDEN AND OPERATING SYSTEM FILES

Some malware hides itself as well as your documents as hidden files then creates shortcuts with
names identical to your original documents which, when opened, redirect to the virus file and
infects your computer. This is a particularly common attack on removable flash drives. To
improve your ability to recognise infected file, you may change Windows settings to view hidden
and operating system files.

Step 1. Open the File Explorer .

Step 2. Click the View menu tab and then click Options
Figure 1: Windows 10 File Explorer View tab

Step 3. Click the View tab.

Figure 2: Windows 10 Folder Options View tab

Step 4. Select the option [Show hidden files, folders, and drives] and uncheck the box next to
[Hide protected operating system files (Recommended)]. You will see a warning window:

Figure 3: View protected operating system files warning

Step 5. Click [YES]. Windows operating system files will now be visible and should not be
tampered with. However if you see unusual hidden files in your personal documents and
removable drives you may be viewing malware.

Step 6. Click [OK].

Note: Standard operating system and temporary files known as will now be visible to you, such

as or . You may ignore these safely.

4.6. HOW TO DISABLE AUTOPLAY TO PROTECT AGAINST MALWARE

By default Windows enables AutoPlay a feature where plugged in removable media (like USB
drives or devices) are examined and, based on their content, such as pictures, music or video
files, an appropriate application to play or display the content is launched.

Step 1. Click the Start button and search for AutoPlay.

Figure 1: Windows AutoPlay options screen

Step 2. Turn off Use AutoPlay for all media and devices.

5. WINDOWS FULL-DISK ENCRYPTION WITH BITLOCKER

Having a password to login to your Windows computer account is good first step but not enough
to protect the files stored on this account. An attacker with physical access to the computer can
read user files unless they are encrypted. BitLocker is built-in full disk encryption software
offered by Microsoft in Windows 7 Enterprise, Windows 8 Pro, and most versions of Windows
10 (excluding Home version). Bitlocket can encrypt entire system disk of the computer,
additional hard disks or partitions, and removable storage media.

Important: Steps below will help you encrypt your files. Without the correct password there will
be no way to recover those files. Make a secure backup of your files before encrypting the files.
Follow the below steps mindfully. Maintain a copy of your recovery key in a safe location (see
below).

5.1. HOW TO ENCRYPT THE HARD DRIVE CONTAINING YOUR OPERATING SYSTEM
Step 1. Open This PC in the File Explorer, right-click your Local Disk (C:) and click Turn
BitLocker on.

Figure 1: Right-click menu on system drive on Windows computer with BitLocker

Note: If you cannot find Turn BitLocker on in the menu above maybe you using a version of
Windows which does not offer BitLocker. Consider upgrading your copy of Windows. Or see
section 5.2. Alternatives to BitLocker below.

Note: in this example we assume that your Windows operating system is installed on drive C:

Important: If you see an error message This device can't use a Trusted Platform Module go to
section In case of error "This device can't use a Trusted Platform Module" below.

Step 2. You can choose how will you unlock your disk when starting the computer. You can use
the password. Or you can unlock the disk with USB that you will prepare. In this guide we will
use a password. Click Enter a password.

Figure 2: BitLocker unlock method screen

Note: If you have a TPM chip in your computer you may have more options available to choose
from in this step. Each offers different protection opportunities. For example when you use a
USB flash drive option you can limit access to your information to people who have 2-factors of
the authentication: they have this specific USB (or it's copy) and know the password to login to
your account.

Step 3. Enter a strong password for BitLocker encryption.

Figure 3: BitLocker Create a password to unlock this drive

Note: If you use multiple languages on your computer and encounter password errors in
following steps try using English language input method.

Step 4. In this step you can back up an encryption recovery key, which can be used to open
your files (decrypt them) without knowing your password. It is important to store a copy of your
recovery key in a secure place. You may wish to use more than one of the methods available to
you. Note that saving your recovery key to your Microsoft account may compromise the security
of the key, however it offers advantages in case of losing backup key files. In this example we
will assume that you can save the file to a separate USB drive and hide protect this drive.

Insert a USB flash drive in your computer and click Save to a USB flash drive.
Figure 4: BitLocker recovery key backup methods

Step 5. Select Encrypt your entire drive and click [Next]

Figure 5: Choose how much of your drive to encrypt

Step 6. Select New encryption mode (in case you encrypting external drive select the other
option)
Figure 6: Select which encryption mode to use

Step 7. Before encryption starts, you need to try that BitLocker settings will work on your
computer. Leave Run BitLocker system check checked and click [Continue].
Figure 7: Are you ready to encrypt this drive? System check

Step 8. Restart your computer by clicking then Power then Restart.

Step 9. After your computer restarts enter the password to unlock your disk and press Enter.
Figure 8: Password entry screen

Step 10. If you enter correct password your computer will start as before. Login to your account.

Double-click small BitLocker icon in the system tray to check the status of your drive
encryption:
Figure 9: BitLocker drive encryption progress

Step 11. Allow time for the encryption process to complete.

Congratulations, you have encrypted your whole system drive!

IN CASE OF ERROR "THIS DEVICE CAN'T USE A TRUSTED PLATFORM MODULE"

If you encountered an error message saying This device can't use a Trusted Platform Module as
shown in figure below it means that your computer does not have a Trusted Platform Module
(TPM) chip that is used for encryption. However with a some configuration adjustments
described below, BitLocker can still be used on computers without a TPM chip.
Figure 10: Manager BitLocker Window with TPM Error

Step 1. Press Start . Type gpedit.msc and press Enter. In the new window opened
double-click:

●​ Local Group Policy Editor

●​ Computer Configuration
●​ Administrative Templates
●​ Windows Components
●​ BitLocker Drive Encryption
●​ Operating System Drives.
Figure 11: Local Group Policy Editor screen with Operating Systems Drive folder selected

Step 2. Then in the right-hand panel of this window, double-click Require additional
authentication at startup to open new window. Note that there is also an option called Require
additional authentication at startup (Windows Server 2008 and Windows Vista), ensure that you
editing right option.

Step 3. Select Enabled. Ensure that Allow BitLocker without a compatible TPM (Requires a
password or a startup key on a USB flash drive) is enabled. Click [OK]
Figure 13: BitLocker policy editor

Step 4. Close the Local Group Policy Editor window and return to step 1 on beginning of this
section "5.1. How to encrypt the hard drive containing your operating system"

5.2. ALTERNATIVES TO BITLOCKER

Since BitLocker is a closed source program its security cannot be independently verified.
Additionally in some versions of Windows 10 Microsoft forces users to backup encryption
recovery keys to a Microsoft online account which may compromise security of this key.

Open source full disk encryption alternatives exist for Windows: VeraCrypt and DiskCryptor both
offer full system disk encryption.
There are programs which can encrypt specific files or folders on your computer, such as
VeraCrypt, AxCrypt and GPG4Win.

____________________________
Adopted from: https://securityinabox.org/en/guide/basic-security/windows/