How to secure your BYOD Windows 10 Device
Alex Fields
I do not want to confuse anyone too much with this post. So let me begin with a clear disclaimer:
I am not suggesting that we abolish Active Directory and encourage open BYOD across our small and mid-sized enterprises. Active Directory and Group Policy still provides the best means of securing your Windows environment. If you are going to Bring Your Own Device, I still strongly suggest that you join it to the domain and check it in with IT, so it can be managed appropriately.
There, glad that is out of the way. Now, that being said, we have to face a stark reality: some people are going to be doing this BYOD thing.
Currently I am using a (personal) Surface Pro 4 as my primary device, which comes with a fair amount of built-in security features enabled by default–many of which I will be covering here.
BYOD without joining to the corporate domain comes with some benefits as well as its fair share of drawbacks and risks. For example, I get more control over certain behaviors on my computer, but I frequently have to re-authenticate or sign into local network resources separately.
This is in no way supported…
…By anyone but you. It is also worth mentioning: your IT department or service provider may offer very limited (if any) support for configurations and devices that are outside their band of management–and that makes total sense: how can a service provider support it without visibility/control mechanisms in place?
Make no mistake, each BYOD is essentially an island.
So although it isn’t recommended, some people want to be able to use personal devices as work machines, at least on occasion–especially when so much of what we do is accessible now in the cloud, and can (in principle) be reached from any place and any device. Therefore, I think it is of some value to offer up general guidance/tips for configuring a personal Windows 10 PC or tablet, with safety & security in mind.
Part 1: UEFI Settings
Check with your manufacturer, but there is usually a way to get into the UEFI settings, as the computer first starts to boot–before you get to the Windows splash screen. We used to call this area “BIOS” in earlier computers, but most are now UEFI-based. In many cases, you can enter the UEFI through one of the “F” (function) keys, such as F11 or F12. But, in the case of the Surface Pro 4 (which I am using), it is achieved by holding down the volume “up” button when you power on the device. Just Google it if you are unsure for your device’s make/model.
Once inside the UEFI, you will want to enable/configure the following:
Enable TPM: The Trusted Platform Module–these days, I would not recommend buying a device without TPM 2.0. The TPM is a local store for cryptographic keys which can act, in some cases, as a second factor of authentication. It will enable, among other things, the use of BitLocker (encryption for your hard drive) without configuring a separate USB hardware key / BitLocker password. This feature is on by default in the Surface line of products.
Enable SecureBoot: Also on by default in the Surface. Although there are technically loopholes in SecureBoot that have recently been uncovered, it is still a good idea to enable this. There is a chain of integrity/trust in the boot process from firmware to Windows that is better-protected with this on. It will prevent certain types of pre-boot exploits that attempt to load themselves “underneath” the OS.
Disable stuff you don’t use: Many security gurus out there are extra paranoid about hackers getting access to your camera, so they will often recommend disabling the video & microphones on your device if the option is available. Some people like the novelty of video conferencing with products like Skype, but let’s be honest: most of us normal folks are too ugly for that to make sense. I’ve been experimenting with the Windows Hello feature (more on this below), so my camera is still on. You can still get a physical cover for it, as an alternative.
Disable boot to network/USB: Most of us don’t need the computer to boot from the network or USB. I don’t, unless I am specifically trying to reload the machine. (Aside: in many cases, it is advisable to load your own fresh install of Windows, for example using Microsoft’s Media Creation Tool, instead of accepting all the garbage that comes with it “out of the box.” But then remember to turn other boot options off again when you’re done.)
Set a UEFI/boot password (optional): This is an extra layer of security that you may not care to add (I don’t), but just know that you can set an additional password here (this would be outside of your Windows password).
Part 2: Configure Windows
You know how Administrators enforce annoying things like password complexity / expiry rules and User Account Control? Well they do those things for good reason. You aren’t getting away with anything–except maybe being a dumbass–if you skip out on this stuff.
Microsoft account: I always associate my computer with a Microsoft account. Windows 10 allows you to join a workplace, add a local account, or enter a Microsoft account, such as Hotmail.com, Outlook.com, Live.com, etc. With this last option, you can do things like store BitLocker Recovery Keys in OneDrive, or use Find My Device. Some people will argue that this means less privacy and more risk, but whatever. To each their own. I don’t have another place I store my BitLocker keys.
Windows Update: Pretty freaking important. Make sure automatic updates are enabled, and use Windows Defender (its definitions will be included with your updates). When you first set up a machine, run all updates manually until they are done and it can’t find any more. Locate settings related to Updates & Defender under Start > Settings > Update & Security.
Windows Firewall: Make sure this is on, and just don’t turn it off. Sometimes Action center will notify you if it has been disabled, so pay attention to this and make sure it stays on for all profiles. Control Panel > System & Security > Windows Firewall. You can add exceptions in here if need be so the answer is never “turn the whole thing off.”
Windows Passport/Hello: Some people believe passwords are dead, or on their way out. I don’t 100% agree with that, but I still recommend configuring Windows Hello or at least a PIN. For example, with the Surface, you can allow the built-in camera (assuming it isn’t disabled) to scan your face using infrared-based recognition software. Which is pretty frickin’ cool. Some keyboards and devices also offer a fingerprint reader that can be configured with Windows Hello. What is becoming clear, statistically, is that leveraging additional authentication layers such as biometrics does stop real life breach attempts. Find Sign-In Options under Start > Settings > Accounts.
User Account Control: I’ll be the first to admit that UAC had some problems when it was first introduced back in the Vista days. I used to disable it by default everywhere for my clients and myself personally. Well, it’s grown up a bit since then (and so have I). There is only one correct setting to use here: “Always notify,” which is the highest setting. Seriously. Anything less leaves you at severe risk. When it is set to “Always…” programs cannot execute or attempt changes without your explicit approval, and if you didn’t request a change, you can always say “No” to the prompt. The easiest way to find these settings in Windows 10 is to click Start and type “UAC”–click Change User Account Control settings in the search results.
Local Admin: One further step would be to run your normal everyday account as a standard user, without local administrative privileges. Of course, if you need to add new software, you’d have credentials for a separate, local account that could do that for you. Use this in conjunction with UAC, and you can fill in the required admin credentials at only those times when needed. Control Panel > User Accounts > Change your account type.
SmartScreen: A feature that will help prevent you from unknowingly downloading/opening known malware, and also alert you to “uncommon” or suspicious looking files from the Internet.
BitLocker: Be about it. A lost or stolen device could contain private information that you don’t want others to have access to. With BitLocker, you are much better protected from this type of threat. If your device doesn’t have a TPM, trash it and get a real device with TPM and preferably Windows 10 Pro (not Home). You can set up/configure BitLocker settings in Control Panel > System & Security. Or again, just type “BitLocker” in the Start search bar and you can find the settings that way.
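To check whether a machine actually matches the Part 1 and Part 2 checklist above, here is an added PowerShell audit script (not from the original post). It reads the TPM and Secure Boot state as Windows sees them, then Windows Update, Defender, the firewall profiles, the UAC level, whether the console user is a standard user, SmartScreen and BitLocker, and prints each as PASS or WARN. It assumes Windows 10 Pro, an elevated PowerShell session, and that the “signatures no older than 3 days” threshold is a choice of mine, not a Microsoft rule.

```powershell
#Requires -RunAsAdministrator
# Added audit script, not from the original post. Reports each Part 1 / Part 2 item as PASS or WARN.
# Assumes Windows 10 Pro with the TrustedPlatformModule, NetSecurity, Defender and BitLocker modules.
$ErrorActionPreference = 'Stop'
$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $status = if ($Ok) { 'PASS' } else { 'WARN' }
    $results.Add([pscustomobject]@{ Check = $Name; Status = $status; Detail = $Detail })
}
function Invoke-Probe([scriptblock]$Probe) { try { & $Probe } catch { $null } }  # $null = cmdlet missing or unsupported

# Part 1: TPM and Secure Boot as seen from the OS (the firmware menu itself cannot be read from here)
$tpm = Invoke-Probe { Get-Tpm }
Add-Check 'TPM present and ready' ([bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)) "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
$sb = Invoke-Probe { Confirm-SecureBootUEFI }   # throws on legacy-BIOS systems, hence the probe wrapper
Add-Check 'Secure Boot enabled' ($sb -eq $true) "Confirm-SecureBootUEFI returned '$sb'"

# Part 2: Windows Update, Defender, firewall, UAC, standard user, SmartScreen, BitLocker
$au = Invoke-Probe { New-Object -ComObject Microsoft.Update.AutoUpdate }
$level = $au.Settings.NotificationLevel   # 4 = download and install automatically
Add-Check 'Automatic updates on' ($level -eq 4) "NotificationLevel=$level, last install $($au.Results.LastInstallationSuccessDate)"
$mp = Invoke-Probe { Get-MpComputerStatus }
Add-Check 'Defender real-time protection with fresh signatures' ([bool]($mp -and $mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -le 3)) "RealTime=$($mp.RealTimeProtectionEnabled) SignatureAgeDays=$($mp.AntivirusSignatureAge)"
$off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | Select-Object -ExpandProperty Name)
Add-Check 'Firewall on for all profiles' ($off.Count -eq 0) "Disabled profiles: $(if ($off) { $off -join ', ' } else { 'none' })"
# The "Always notify" slider position is EnableLUA=1, ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$always = ($uac.EnableLUA -eq 1 -and $uac.ConsentPromptBehaviorAdmin -eq 2 -and $uac.PromptOnSecureDesktop -eq 1)
Add-Check 'UAC set to Always notify' $always "EnableLUA=$($uac.EnableLUA) ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin) PromptOnSecureDesktop=$($uac.PromptOnSecureDesktop)"
# The script itself runs elevated, so compare the interactive (console) user, not the script's identity,
# against the local Administrators group
$console = (Get-CimInstance Win32_ComputerSystem).UserName
$admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
Add-Check 'Everyday account is a standard user' ([bool]($console -and $admins -notcontains $console)) "Console user: $console; Administrators: $($admins -join ', ')"
$ss = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer').SmartScreenEnabled
Add-Check 'SmartScreen not turned off' ([bool]($ss -and $ss -ne 'Off')) "SmartScreenEnabled=$ss"
$bl = Invoke-Probe { Get-BitLockerVolume -MountPoint $env:SystemDrive }
Add-Check 'BitLocker on for the system drive' ($bl.ProtectionStatus -eq 'On') "Status=$($bl.ProtectionStatus) Protectors=$(@($bl.KeyProtector.KeyProtectorType) -join ',')"

$results | Format-Table -AutoSize
```

A WARN on the TPM or Secure Boot rows means the fix is in the UEFI menu from Part 1, not in Windows; every other row points at the matching Part 2 setting.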
Part 3: Browsers & Third Party stuff
Okay, none or very few of the items above are really up for debate (with minor exceptions–e.g. the Microsoft account); the checklist I have laid out so far should be followed to a T on any Windows 10 device that you are setting up for yourself.
By contrast, some people may argue the finer points of what follows, and it is a bit of a moving target in some ways, as well. In other words, products that are considered to be “tools fit for a king” today are pauper’s fodder tomorrow. Eventually this article will fall out of date, I’m sure. But nevertheless, this stuff is important, and you shouldn’t just ignore it, either. You need to be paying attention to this stuff, and deciding how you will guard yourself against certain threats, even if you don’t go with the specific products I recommend here.
Browsers: My personal go-to is still (begrudgingly) Chrome–the 64-bit version–and that’s what I’ve recommended historically for best performance balanced with baked-in security features, although I am more skeptical every day that there is just one right answer here. The sad reality is, it seems that we need at least three or four browsers to do our jobs some days, and we probably see that more in IT. This or that site doesn’t work so well in Internet Explorer (does anything anymore?), but it seems to work okay in Chrome. But then there is some other website or app that only plays well with Firefox. *Sigh*
Although I’m coming around on Edge, it’s still a little iffy for me–it had a lot of bugs and wasn’t even complete when it first came out with Windows 10–and although it’s a lot better now, I’m just not ready to give it my full endorsement yet. Firefox isn’t much better than the others, despite what fanboys will tell you, and it’s been buggier of late in my experience. Chrome is a battery hog, and nobody trusts Google deep down anyways–I mean they actually redacted “Do no evil” from their mission statement–who does that?! Internet Explorer is damn near unusable, and don’t even get me started with Safari. It’s a sad state of affairs. Nevertheless, you need to use these things everyday (sometimes several of them each day).
Antimalware / Antivirus software: I don’t have a favorite third-party in this space anymore. The big players are all kind of similar. Also it is worth mentioning that they are not as important as they once were (doesn’t mean you should ignore it). Windows Defender is pretty good out of the box these days too. In addition to antivirus, I almost always just grab a download of Malwarebytes for doing quick scans if I suspect something is amiss. Remember, Antivirus/Anti-malware is like a last layer of defense in what should be many other layers.
Browser Plugins: Regardless of which browser you’re using, don’t just use it raw. Protect yourself. Get some kind of security software to go with it. Security suites from companies like Webroot and Avast (and there are others), in addition to providing antivirus, etc., can do neat things in your browser like provide a color-coded ranking for search results based on reputation, etc. Ad-blockers can be huge here, too. Let me just highlight three other security-related products specifically that I use with my everyday browser.
- uBlock Origin: Block ads, unwanted pop-ups/annoyances and other less than useful content in websites auto-magically with almost no configuration required or weird usability issues. Simply the best.
- Malwarebytes Anti-Exploit: This will work on multiple browsers, and there is even a pay version available that will protect Microsoft Office, PDF programs, etc. I’m telling you: at least install the free version, but the pay product is worth serious consideration. The subscription is pretty affordable, and the protection it provides is good, as it will guard against emerging threats that may not be known to antivirus, etc.
- LastPass or similar: Having a cloud-based password manager is a controversial thing. Does it come with risk? Sure, if LastPass were to be hacked, you’d have quite a bit of cleanup to do to make sure you were protected again. Then again most people make stupid/lazy choices when they don’t use a password manager: the same login for multiple sites, never really changing passwords, and/or using generally weak passwords. But you will be a step ahead of the game if you can use a sufficiently strong “Master” password here, and also enable a second factor of authentication for yourself to get into the account. My favorite feature of LastPass is its ability to “assess” your use of identities/passwords across all your sites, etc. and give you a ranking as well as a checklist to improve your standing. It will highlight weak passwords, duplicate passwords, and passwords that haven’t been changed in a while. You can even let LastPass change passwords for you (usually to a randomly generated string of characters).
Backup: Pretty important, and lots of good options here. Some people are happy with just putting all their valuable files in OneDrive or similar (like Dropbox, Google Drive, etc.), but while these apps do keep a file history and provide synchronization to other devices, they do not provide a true backup. I generally still recommend having a backup separate from these services. Mozy is a popular one, Carbonite, CrashPlan–the list goes on. Lately, I have been using Microsoft’s Azure Backup, and have been pleased with the results. However, if you primarily use OneDrive for personal file storage, you might want to diversify here and use a third-party provider (not Microsoft).
Two-factor authentication: Wherever you find it is supported in your cloud applications and online service providers, a second factor is a good thing to enable. Especially for banking, etc. This means security questions, SMS/text messages, Mobile phone authentication apps, etc. Note: all Office 365 plans support this, and it can be configured pretty easily by your administrator, if you ask them nicely.
Ninite: When you have lots of third-party applications to manage, one way to keep them up-to-date is to use Ninite. Run this to quickly get the latest version of all your favorite apps: Chrome, iTunes, Adobe Reader, Flash, Filezilla, etc.
Flash & Java: Speaking of some of these third-party apps–some are better avoided altogether. If you must, just be sure they are absolutely up-to-date, and even then you might consider disabling them/removing them when not in use. Flash and Java are required less and less these days, anyway.
Part 4: Other Disclaimers
If you have other suggestions or comments, be sure to leave them below! One more disclaimer before we leave today:
This list is by no means complete or exhaustive. Implementing the above in full or part includes no guarantee of any kind, implicitly or explicitly. Everyone and everything can be hacked, even with all of this in place. Remember too that security is a very large and complex topic that is always evolving, and I am by no means a security guru, but you have to start somewhere, right? It is the blessing and the curse of the generalist, but we have to keep moving.