Here's how I set up my device (WIP):
FILE SECURITY
01. The 1st thing I do when setting up a new system is to create a new partition on the internal disk, where I allocate anywhere from 60 GB to 120 GB (depending on the size of the internal disk) for exclusive use of the OS and programs. I don't store any user file in this partition. This has immense benefits and zero disadvantage:
i. In case of a system problem (software errors, malware, etc.), I can easily wipe (or format) the system partition and do a clean install of the OS (or restore a clean image from backup) without worrying about my files.
ii. System backups are very fast as the file size is much smaller.
02. Important files (especially documents and camera roll) are ALWAYS on the cloud. This not only keeps them safe but also accessible from all of my devices.
FILE BACKUP
03. The most important files are already backed up to the cloud. Yet I do a local backup to my external disk every once in a while, though not on any schedule.
SYSTEM SECURITY
04. Currently, I use only Windows Defender and Windows Firewall. They are adequate for my requirements. I have set Windows Firewall to BLOCK all connections by default. Windows Defender provides real time security, and is adequate for how I use my system.
05. I ALWAYS download apps from the developer website. I make sure that the web address is a secure one (https) and the domain belongs to the developer. For example, Firefox will only be downloaded from mozilla.org.
06. Every app I download is first uploaded to VirusTotal for malware analysis, regardless of where I download it from. I won't install it even if one antivirus engine flags it, with very rare exceptions. What I look for in the scan results is which antivirus engine is flagging the app. If the app itself is highly reputed, downloaded from developer website, and the scanning engine is less known, I may consider it as a false positive. For example, the Firefox installer was recently flagged by a less known antivirus scanner called Cylance. Just 1 out of about 65 scanners flagged it as malware. I considered it a false positive. But if 2 or more antivirus engines flag a file, I definitely won't install it. I won't consider them a false positive. They may both (all) be wrong, but I won't risk it.
Among the more than 60 antivirus scanners used on VirusTotal, I specifically look for the scan result of Kaspersky, BitDefender, Norton (Symantec) and Malwarebytes. I also look at Sophos and Dr.Web. If any of these engines flag an app, I won't install it, regardless of where the app was downloaded from. Remember, even if an app is downloaded from the original site, it can still get infected via 'man-in-the-middle' attacks.
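The triage rule from item 06, written out as an added example (not part of the original post). It assumes a per-engine result map shaped like `last_analysis_results` in a VirusTotal API v3 file report; the engine labels (`Symantec` for Norton, `DrWeb`), the `triage` and `sample` helpers and the sample data are assumptions made for illustration.

```python
import re

# Engines the post singles out; a detection from any of them is a hard reject.
TRUSTED = ["Kaspersky", "BitDefender", "Symantec", "Malwarebytes", "Sophos", "DrWeb"]
FLAGGED = {"malicious", "suspicious"}  # categories counted as a detection
NO_VERDICT = {"timeout", "confirmed-timeout", "failure", "type-unsupported"}


def norm(name):
    """Compare engine names loosely: 'Dr.Web' and 'DrWeb' are the same engine."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def triage(results, reputable=False, from_developer_site=False):
    """Return (decision, flagged engines, trusted engines that gave no verdict)."""
    trusted = {norm(n) for n in TRUSTED}
    flagged = sorted(e for e, r in results.items() if r["category"] in FLAGGED)
    answered = {norm(e) for e, r in results.items() if r["category"] not in NO_VERDICT}
    # A "clean" report means less if an engine you rely on never scanned the file.
    missing = sorted(n for n in TRUSTED if norm(n) not in answered)

    if any(norm(e) in trusted for e in flagged):
        decision = "reject: trusted engine detection"
    elif len(flagged) >= 2:
        decision = "reject: two or more detections"
    elif len(flagged) == 1:
        # One hit from a lesser-known engine is only excusable for a
        # well-known app fetched from its developer's own site.
        ok = reputable and from_developer_site
        decision = "possible false positive" if ok else "reject: single detection"
    else:
        decision = "no detections"
    return decision, flagged, missing


def sample(flagging, no_verdict=()):
    """Constructed report (not real scan output) for the engines named above."""
    def category(engine):
        if engine in flagging:
            return "malicious"
        return "timeout" if engine in no_verdict else "undetected"
    return {e: {"category": category(e)} for e in TRUSTED + ["Cylance", "ExampleAV"]}


if __name__ == "__main__":
    print(triage(sample({"Cylance"}), reputable=True, from_developer_site=True))
    print(triage(sample({"Cylance", "ExampleAV"}), reputable=True, from_developer_site=True))
    print(triage(sample({"DrWeb"}), reputable=True, from_developer_site=True))
    print(triage(sample(set(), no_verdict={"Kaspersky"})))
```

The third return value lists trusted engines that timed out or failed, so a report with no detections can still be read with that gap in mind.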
07. I don't usually install unknown or less known programs. But when I do, I run them in Windows Isolated Environment or an isolated environment using Sandboxie Plus. This allows the program to run in a secure isolated environment and prevents it from making any changes to the system, including registry.
SYSTEM BACKUP
07. I use the built-in System Image feature to back up my system once in a while, and there is no fixed schedule. More recently, I am making a system image using the Sysprep route. The advantage of this method is that the image strips out device-specific information so that it can be installed on any device. This is an advantage over the built-in System Image utility which creates an image that can only be restored to the system on which it was prepared.
08. I back up all the drivers currently installed on the system. This is especially useful when OEM drivers are not available, or when an update breaks a driver.
09. I create a Recovery Disk that includes system files.
DATA PRIVACY
10. More than security, it is data privacy that I think is more at threat. Just about everyone is collecting data these days, and mostly stealthily. And the internet is the primary mode of collecting data. So I block internet access to all programs, unless they need it for core functionality.
FILE SHARING
11. I create a new user on the device that has read/ write access to folders I want to share. This user isn't for logging in on the device itself, instead its sole purpose is to have user credentials that will be used on other devices on the network to connect to shared files and folders on the PC. The advantage here is that I can avoid giving away my Microsoft account credentials on 3rd party apps that I use on other devices to access shared folders on my PC.
12. I am trying to set up an SFTP server on my system so I can use SFTP instead of the less secure SMB to access shares.
WINDOWS SETTINGS CONFIGURATIONS
13. I disable Cortana because I don't use it.
14. I disable location, camera, microphone, etc. for most apps. I don't understand why Microsoft Store, Feedback, etc. need access to my camera and microphone.
CUSTOMIZATIONS