Securing Windows 10 Pro - Main Fam PC

Brief:

Elderly parents.

Online Banking, Online tuition of vulnerable children with learning disabilities (volunteering). Zoom meetings. Emails. Online shopping. Bills and accounts management.

This is the main family PC. Windows 10 pro.

Adult children live far away (due to work). PC has to be maintained at a distance. There is no one there to fix any problems within 48 hrs (hands on).

I am doing a fresh Windows 10 pro install.

ASKING FOR HELP:

How do I lock this PC down to harden it against ransomware, viruses & malware. I need to secure the machine so it is hard to disrupt.

Asking for the communities help. I've been out of the IT game for a while, so I am unsure what the minimum steps are, that I should take.

My sincere thanks to any, willing to contribute.

KD

Hi, basic ideas:

1. Once configured- create a 3rd party disk image and save it to a disk you keep aside so you can readily restore PC to 'as was' (other than data changes)

2. Set a schedule for creating a restore point e.g. daily (tutorial available).

3. Ensure any accounts available to users are standard, not admin.

4. Leave UAC as default

5. As it's Pro, use group policy to lock things down as appropriate. E.g. block program installs.
You may find Policy Plus (free) useful - like the group policy editor but it has search.

Some ideas:
Top 12 Group Policy Settings for Preventing Security Breaches
Important Group Policy Settings & Best Practices to Prevent Security Breaches

You can readily find more - I searched for
group policy settings to secure PC for older people

Consider these:




6. Establish a really simple means of specific data backup
I use a giveaway program - all I need do is plug in the appropriate USB external disk- and the backup runs.
Wait for that to complete- remove disk.

The program I use is Genie Timeline.
Giveaway Genie Timeline Home 10 Serial Key Free Lifetime
- don't know if this is still valid.

Should you need to restore the system from the disk image, the data backup (if used!) will help you restore the data.

(Of course a better approach is to keep personal data off C: but that may not be something you can readily do for some reason..)

outside of the advice given above which is a good approach

an ad blocker that is blocking ads, trackers and spam. Set the browsers internal settings to be secure like never remember history and block cookies which the latter is something not easy to setup if you are unsure as it has the potential to break sites.
Something like ghostery addon is a one time set and forget and will tell websites not to leave cookies.

Anything in the browsers settings that says block turn it on unless you need those functions

Ublock or adblockplus

Host file could be set to resolve to local host on domains that you don't want to allow.

firewall and AV make sure its on.

Make sure the router is secure.

Past that the rest is to advanced to upkeep and this is something you want to tackle as remote support meaning unless you want to spend hours remediating the situation all the time if the user/s are not capable, they will most likely be calling many times with issues as they won't know how to run the computer in more locked down state due to lack of understanding.

if they are click stuff to go type of users(turnkey) then you are limited in what you can achieve.

Agreed.. it's unlikely they'll go to 'bad' sites, but could be tricked by fake emails, for example.

Adding lists of blocked sites to the Hosts file, for example, is inadequate.

ublock origin (browser add-on and ad-blocker) attempts to block sites based on lists, but usually just gets in the way of valid sites.

Pentagon said:

It is very realistic that you were infected long before you realize that you are infected. In more than 90 % of the cases.
So I don't see any sense to create restore points every day!

If that's a comment on what I said, do you see me referring to infections in relation to restore points?
No, not at all.

There may be other things one needs to recover from quickly and conveniently - and possibly over the telephone in this case.

I don't think Guest account or S mode is a good idea, its not about babying the parents through their own computer that will just lead to headaches and angry parents always calling.

If they are older generation and are not as literate on the computer then there is cause for things to happen but i think at the same time you need to work gracefully in this situation, its their computer you want to guide them effectively through certain things but not lock them out of functionality to the point that it becomes a "computer issue", "Its not working" etc, because they won't understand past that if this is the case.

Try to teach them what an ad looks like or a phishing email or a potential bad link if they don't know

Safe computing starts with effective use of the computer, locking it down in a way where a normal user might not know how to effectively use that computer is a disservice and means more hands on for anyone that is trying to offer support.