The below setup is what I use for PCs that need basic minimal protection against malware, without any, or with as less as possible, user intervention.
The software mentioned are recommended out of personal experience and based on what worked for myself, my users and my use cases. No affiliate/promo bs involved.
Of course, it still comes down to the user being the last line of defense, but this is to emphasize what can be done for free and in an easy way for the user to prevent ‘things’ from happening.
The user in this case is
- not technically-savvy
- limited in activities such as basic web browsing, instant messaging, email checking, multimedia skimming (watching videos, browsing pictures) and office work
- limited in usage of applications such as a web browser, PDF viewer, Office suite, video player
Meaning that the user will most likely never need to do or have the following done on his/her own :
- admin rights
- install programs
- modify network settings
- run executables outside their normally designated areas (C:/Windows ; C:/Program files)
This makes the security – ease-of-use – features balance very easy to achieve.
Think of it as the worry-less setup for your non-tech friends / children / parents / grandparents.
1. Separate Admin user
The main users account should clearly not be an admin. This can be configured in Control Panel, by creating a separate account as an admin (which is controlled by you, the actual administrator of the PC) and a standard user account (which is used and control by the real user of the PC)
Control Panel – User Accounts and Family Safety – User Accounts – Manager accounts
The setup should look something like below
2. Browser plugins
The combo of the 2 below can assure protection against annoiances with a low chance of breaking the users experience.
3. Custom DNS
Filtering and blocking DNS requests is an easy to way to handle daily unexpected malicious activity without user intervention.
Change DNS settings in Windows
I use OpenDNS and below their IP addresses will be added in the Windows configuration.
Go to Control Panel – Network and Interned – Network connections and right-click on the connection primarly used and select Proprieties. The below should appear and you should add the OpenDNS IP addresses
Create an OpenDNS account and set filtering profile
Go to OpenDNS and create a free OpenDNS account. The default settings should be sufficient to block common threats.
But I always opt in for some additional filtering, becaue it weeds out more adware/spyware .
The setup can be verified at welcome.opendns.com
There is a vast selection of free Antiviruses out there. I always went for Bitdefender , as it includes some content filtering as well and the impact on the resources is not that great as in other products.
You will be prompted to create a free account afterwards to actually use it. The advantage here is that you can also use the parental advisor feature, which will further help with :
- website category filtering – already done in OpenDNS, but this would be an additional layer. An issue might be in how websites are categorized by the different companies.
- usage time – restrict how much access would the user have
- Facebook monitoring – didn’t really use it so far. Threats coming from Facebook might be malicious links, which may be blocked by OpenDNS right from the DNS request or by Bitdefender on the malicious content filtering from the agent
There are solutions out there that ‘learn’ the user environment and check external trust sources to handle the traffic as automatic as possible, but there isn’t a full-proof solution to do it all on its own.
One of these solutions is ZoneAlarm
To make it as easy as possible for the user, the admin (you) should spend some time going through the users daily activities to see if there are things that need to be manually allowed.
6. Automatic updates
Some applications (like Chrome) have in-built automatic update features but not all of them. To ask the user to go to the official software website, download the installation package and install it can prove to be a big pain.
Automatic and silent updates is what we want. One software to manage this is
The drawback on Heimdal is that
- it requires Microsoft Netframework 4.7 – depending on your Windows 7 version, it might take a while to install, given the prerequisites for it
- seems to be buggy or to slow from time to time
- users will be able to install programs, but only from the ‘Recommended software’ section
Should be turned on to be automatically installed.
Just be careful that in the case of Windows 7 / 8 , the upgrade package for Windows 10 might appear and this will mean a big change for the user. It’s better to have that done manually.
And yes, the above can be even more hassle free if we ditch Windows for a easy-to-use linux distro like Ubuntu. But that’s for another post. Now you can consider the above mentioned user pretty safe against common generic threats.