The following settings can be applied to Windows systems to enhance the security of the system. Please note that some of these settings may be advanced, and you should consult your IT support before making any of these changes.
Reminder: Support for Windows XP and Microsoft Office XP ended as of April 2014. If you are still using Windows XP, please consider upgrading to Windows 7 or 8.1!
Windows Configuration Tasks
- Enable Windows Firewall
- Windows Firewall is enabled by default, but you should double-check and ensure that it is enabled. In Windows Vista and above, you can find the Firewall settings under Control Panel > System and Security > Windows Firewall.
- Disable Guest Account
- If not used, guest accounts should be disabled, as they provide means to access your computer, and you cannot set a password on them.
- Guest accounts are typically disabled by default.
- To check whether if the guest account is disabled, you can access the account management tool by going to Control Panel > User Accounts > User Accounts > Manage User Accounts > Advanced tab > Advanced.
- Under the Local Users and Groups management tool, you can open the Users folder, and right-click on the Guest account to ensure that the account is disabled.
- Enable Automatic Updates
- By default, Windows Automatic Updates is turned on. You should verify and make sure that the automatic updates option is set to on and set to option "Download updates but let me choose whether to install them" or "Install updates automatically."
- For Windows Vista and above, to check for automatic update settings, go to Control Panel > System and Security > Windows Update > Change settings
- Disable auto logon
- While auto-logon is convenient, it also allows an attacker with physical access to your computer to access any of your files without authentication.
- If you have automatic login enabled, you should consider turning it off. To do so, access the user account management tool by going to Control Panel > User Accounts > User Accounts > Manage User Accounts, and check the "Users must enter a user name and password to use this computer" checkbox, and then click OK.
- Rename Administrator and Guest accounts
- Renaming the administrator and guest accounts will reduce the likelihood for attackers to compromise these accounts.
- To change the names of these accounts, you can access the Local Users and Groups management tool under Control Panel > User Accounts > User Accounts > Manage User Accounts > Advanced tab > Advanced. Once there, go into the Users folder, right-click on the administrator and or guest account and choose rename.
- Use a password-protected screensaver
- A password-protected screensaver will minimize the risk of unauthorized access to your computer when you are away, by automatically locking the computer following a period of inactivity.
- To enable this feature in Windows Vista or above, you can go to Control Panel > Appearance and Personalization > Change Screensaver (under Personalization) > check the "On resume, display logon screen" checkbox and set the desired inactivity time.
- Lock your computer (Windows + L) when you step away from your desk
- To prevent tampering with your computer and data, you should always lock your computer when you step away from your desk.
- For Microsoft Windows, you can quickly lock your computer by pressing the "Windows logo" key in combination with the "L" key.
- Ensure passwords are applied to all accounts on the system
- Disable unnecessary services
- Services like Telnet, Alerter, and Remote Desktop are not always used. If a service is not used, you can turn it off in Windows.
- Disable Anonymous / Null sessions
- In older versions of Windows, Anonymous / Null sessions can be used to browse remote computer files, and sometimes even used by attackers to gain access to Windows password databases.
- Newer versions of Windows have disabled this feature by default, but you should make sure that this feature is not re-enabled on your computer
- Enable auditing of system and security events
- If you have a Professional or Enterprise version of Windows, Consider Enabling BitLocker
- BitLocker is Microsoft's officially supported solution for full-volume encryption. Doing so can prevent unauthorized persons from accessing your data, even if your machine is stolen.
- Older systems may require a new password to be typed during boot. Most newer PC systems (excluding Macs with Windows installed via Boot Camp) have hardware called a TPM that eliminates this requirement.
- Always make sure that your data is backed up before beginning any encryption operation.
- If you're not comfortable with encrypting your drive, get help from a friend or your tech support.
This article was updated: 04/8/2020