Additional Security Settings
Next, we want to use ‘Local Security Policy’ (secpol.msc).
This can be found in the ‘Start Menu’ under ‘Windows Administrative Tools’. (The same settings are reachable through ‘Local Group Policy Editor’ under Computer Configuration|Windows Settings|Security Settings; neither console is included in Windows 10 Home.)
- Navigate to
Account Policies|Password Policy|Maximum password age
- The author recommends setting no maximum password age (a value of 0 means passwords never expire), as he believes an arbitrary forced password change causes more trouble than it is worth. Change a password when there is reason to think it has been compromised, not on a schedule.
- Navigate to
Account Policies|Password Policy|Minimum password length
- And set a minimum password length (the author’s preferred minimum is at least 12).
- Navigate to
Account Policies|Account Lockout Policy|Account lockout threshold
- Set the
Account lockout threshold to the number of failed logon attempts you wish to allow before a temporary lockout. When you do, a popup proposes values for the two related settings, ‘Account lockout duration’ and ‘Reset account lockout counter after’ (the default for both is 30 minutes, i.e. the account is locked for 30 minutes once the threshold is reached). Keep in mind that a lockout threshold also lets anyone who can reach the logon prompt lock you out of your own account by deliberately guessing wrong, so a very low threshold is a denial-of-service risk as much as a protection.
Local Policies|Security Options
There are a number of these to modify; we’re not going to show screenshots of setting them, but will only give the recommended settings. For the settings that are simply Enabled/Disabled, the value given is the hardened one: SMB signing required on both sides, plaintext passwords to SMB servers refused, CTRL+ALT+DEL required, Admin Approval Mode on.

Setting | Recommended value
Interactive logon: Display user information when session is locked | ‘User display name only’ OR ‘Do not display user information’
Interactive logon: Do not require CTRL+ALT+DEL | Disabled (so CTRL+ALT+DEL is required; it is the secure attention sequence that only Windows itself can intercept, which is what stops a fake logon screen from capturing your password)
Interactive logon: Machine inactivity limit | A timeout in seconds after which the session locks (Microsoft’s security baseline uses 900 seconds)
Microsoft network client: Digitally sign communications (always) | Enabled
Microsoft network client: Digitally sign communications (if server agrees) | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled
Microsoft network server: Digitally sign communications (always) | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Enabled
Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM
User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled; only enable it if you require the ability to administer the system using Remote Desktop
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | If you enabled ‘UIAccess applications’ above, choose ‘Prompt for consent on the secure desktop’, otherwise choose ‘Prompt for credentials on the secure desktop’
User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials on the secure desktop

The remaining ‘User Account Control’ settings should be ‘Enabled’, except ‘Only elevate executables that are signed and validated’, which needs to stay ‘Disabled’ unless you are fortunate enough to only ever elevate executables whose signing certificate is in the machine’s Trusted Publishers store; with it enabled, anything else fails to elevate instead of prompting.
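The same account policy and Security Options values can be applied and read back from an elevated PowerShell, which is handy when you set up more than one machine. This is an added example, not from the original page: it uses secedit with an INF template (the [System Access] section is Account Policies, the [Registry Values] section is Security Options, and `4,` means REG_DWORD). The lockout threshold of 10 and the 900-second inactivity limit are assumed values, since the page leaves those numbers to you; ConsentPromptBehaviorAdmin is set to 1 (credentials on the secure desktop) to go with UIAccess prompting disabled.

```powershell
# Added example (not from the original page): apply the Local Security Policy
# values above with secedit, then read them back. Run in an elevated PowerShell.
# Assumed values: LockoutBadCount=10, InactivityTimeoutSecs=900.
#Requires -RunAsAdministrator

$inf = Join-Path $env:TEMP 'hardening.inf'
$db  = Join-Path $env:TEMP 'hardening.sdb'
Remove-Item $db -ErrorAction SilentlyContinue   # fresh database: do not merge with an old run

@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
MaximumPasswordAge = -1
LockoutBadCount = 10
LockoutDuration = 30
ResetLockoutCount = 30
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLockedUserId=4,3
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs=4,900
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization=4,1
'@ | Set-Content -Path $inf -Encoding Unicode

# Apply only the area the template covers (account policy + security options).
secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet

# Read back. Account policy: "net accounts". "Unlimited" maximum age == never expires.
net accounts | Select-String 'Minimum password length|Maximum password age|Lockout threshold'

# Security Options: compare the registry with what we expect.
$sys      = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$expected = @{
    DisableCAD                  = 0   # CTRL+ALT+DEL required
    FilterAdministratorToken    = 1   # Admin Approval Mode for built-in Administrator
    ConsentPromptBehaviorAdmin  = 1   # credentials on the secure desktop
    ConsentPromptBehaviorUser   = 1   # credentials on the secure desktop
    ValidateAdminCodeSignatures = 0   # the one UAC setting that stays disabled
}
$actual = Get-ItemProperty -Path $sys
foreach ($name in $expected.Keys) {
    $state = if ($actual.$name -eq $expected[$name]) { 'OK' } else { 'MISMATCH' }
    '{0,-28} expected {1} actual {2} {3}' -f $name, $expected[$name], $actual.$name, $state
}
# 5 = "Send NTLMv2 response only. Refuse LM & NTLM"
(Get-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Lsa').LmCompatibilityLevel
```

If you prefer the consent prompt because you enabled UIAccess prompting, change `EnableUIADesktopToggle` to `4,1` and `ConsentPromptBehaviorAdmin` to `4,2` before applying. `secedit /export /cfg` writes the current policy in the same format, which is the easiest way to diff a machine against this template later.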
If you’ve used BitLocker and used a USB drive to store the startup key required to unlock the drive on boot, this author recommends you use ‘Disk Management’ and ‘Remove Drive Letter’ for the USB drive that holds the key. This reduces the chances of it accidentally being used (or written to) for any other purpose. It does not protect the key from someone who has the stick, and you will still need the separate recovery key if the stick is lost, so keep a copy of that somewhere else.
Some ‘Windows Defender’ Security Options
- In Windows Security, if you have enabled
Core Isolation, you may be interested in
Windows Defender Application Guard under
App & browser control|Isolated browsing. Enabling this adds an option to Edge that opens an Edge window inside a Hyper-V isolated container, so a compromised page cannot reach your profile or files, without you having to set up and run a virtual machine yourself. It needs Windows 10 Pro or Enterprise with virtualization enabled in firmware. There are also extensions for Google Chrome and Firefox, with caveats (they hand untrusted URLs over to an Application Guard Edge window rather than isolating Chrome or Firefox itself). Note that Microsoft has since deprecated Application Guard for Edge, so treat it as a bonus rather than something to depend on.
- Another useful option is to enable
Virus & threat protection|Ransomware protection|Controlled folder access. Note that for third-party applications that Defender does not already recognise as trusted, you will need to add an explicit allowed app if they write to protected locations such as the ‘Documents’ folder or to the raw disk (e.g. ‘Libre Hardware Monitor’); otherwise the write is blocked, a notification appears, and the program misbehaves.
- The final option for this section is enabling
Virus & threat protection|Virus & threat protection settings|Change notification settings|Account protection notifications
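The way to find out which of your programs Controlled folder access will break, before it breaks them, is to run it in audit mode for a day and read the audit events. This added example (not code from the original page) does that with the Defender cmdlets and then enforces the setting with an allow-listed program; the install path for Libre Hardware Monitor and the extra protected folder are assumptions.

```powershell
# Added example (not from the original page): Controlled folder access,
# audit first, then enforce with an allow list. Elevated PowerShell.
# Assumed paths: $lhm (Libre Hardware Monitor) and D:\Projects.
#Requires -RunAsAdministrator

# 1. Audit mode: Defender logs what it *would* block but stops nothing.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. After some normal use, list the audited writes. In the Defender
#    operational log, 1124 = audited (would have been blocked),
#    1123 = actually blocked once enforced.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# 3. Allow the programs you trust that showed up above, then enforce.
$lhm = 'C:\Program Files\LibreHardwareMonitor\LibreHardwareMonitor.exe'   # assumed install path
if (Test-Path $lhm) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $lhm
}
Set-MpPreference -EnableControlledFolderAccess Enabled

# Optional: protect a folder beyond the defaults (Documents, Pictures, ...).
if (Test-Path 'D:\Projects') {
    Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Projects'   # assumed path
}

# 4. Verify. EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled, 2 = AuditMode.
$pref = Get-MpPreference
'Controlled folder access state: {0}' -f $pref.EnableControlledFolderAccess
'Allowed applications:'
$pref.ControlledFolderAccessAllowedApplications
'Protected folders:'
$pref.ControlledFolderAccessProtectedFolders
```

Keep the allow list short and specific: every entry is a program that ransomware could hijack to write into your Documents folder, so allow `LibreHardwareMonitor.exe`, not a whole directory or an interpreter like `python.exe`.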
General Environment Settings
- There are probably some other initial tweaks you will want to make, especially if you are used to a particular desktop setup.
- Some of your setup will be brought over automatically (if you previously used the same Microsoft Account with synchronization enabled and haven’t disabled it now), but some things have to be configured for each user and device, especially with a personal account rather than a ‘business’ setup; the author’s personal preference of having the taskbar on the right-hand side of the screen instead of along the bottom is one example.
- Some per-device configuration most people will want is setting up ‘Display Settings’ as they prefer.
- Another is that on a high-DPI display (2K/1440p or higher pixel count) you will probably find the fonts and icons extremely small, so you may want to use a scaling factor (the author finds 125% tends to have issues, due to the math, but 150% usually works well on a 2K display).
- Assuming you use OneDrive, then from ‘File Explorer’ in your ‘home’ (user profile, in Windows parlance) directory, you probably want to move folders like ‘3D Objects’, Downloads, Music, and Videos into ‘OneDrive’; you will still see them in ‘File Explorer’ under your user profile (home) directory, but their ‘Location’ (in the folder’s Properties) will have changed to a subfolder of the ‘OneDrive’ folder.
- If Documents is backed up to OneDrive (so the
%USERPROFILE%\Documents folder is empty and
%USERPROFILE%\OneDrive\Documents is your actual Documents folder), you might want to delete
%USERPROFILE%\Documents to avoid confusion; check the ‘Location’ tab first and make sure the old folder really is empty, since anything left in it is not in OneDrive.
- Configuring the Weather app on the ‘Start Menu’, or removing it from there, makes sense (and is per-device).
- In general the ‘Start Menu’ has to be configured per-device and is about personal preference; you might want to tweak a few things now that make further setup more convenient, but do the main tweaking once you’ve got all your programs and apps installed and/or as you have time.
- It is similar for the Cortana button on the taskbar (the author removes the Cortana icon since he doesn’t use Cortana).
- To do that yourself, right-click on the taskbar and make sure that ‘Show Cortana icon’ is not checked.
- Monitor adjust (colour calibration). You want to do this more than you realize! It’s amazing how much of a difference it makes.
- Go to
Control Panel|Colour Management|Advanced|Calibrate display and follow the directions
- If you have a Microsoft 365 Personal or Family subscription, the author recommends you install the Microsoft 365 desktop apps (traditional Word, Excel, Publisher, etc.) at this point.
- First uninstall the free Store version of OneNote (not only can it be confusing which version you want, but the existing install can interfere with proper operation of the Microsoft 365 version).
- The author recommends installing the Microsoft 365 desktop apps through the link in your Microsoft 365 account rather than from the Microsoft Store, as he experienced issues with the Microsoft Store install of the desktop apps.
- Now is a good time to browse through
Settings and turn features on or off, or configure them, as you wish.
- You will probably want at least a few things from the Microsoft Store (we’ll just talk about freebies, since paid content tends to be based on personal preferences and interests).
- Go to ‘My Library’
- Hide what you don’t want to install on this device.
- Whether from ‘My Library’ (because you’ve done this before), or by searching the store, the author recommends the following apps:
- Microsoft To Do (this may have been installed with MS 365; if so prefer that version; likewise with OneNote)
- Your Phone
- In
Settings|Time & Language the author recommends you download all the options for your language (if it’s not English US and you used an English US installer, or English UK using the English UK installer), and once the downloads are complete, make sure all the language settings are configured to use your language.
- Setup signatures in Outlook and Microsoft Mail (these, sadly, are not synced)
- If you use OneDrive and you have enough local storage, you probably want to enable ‘Always keep on this device’ on OneDrive; otherwise you will want to keep at least your most essential documents and so on ‘Always on this device’.
- You should enable
File History for backing up local files to external storage or a network drive. It’s not perfect and you need to regularly check the
Event Viewer to make sure that backups are succeeding, but it’s the bare minimum of what you should do. Note that it doesn’t back up files that are only stored in the cloud (OneDrive files that are not marked ‘Always keep on this device’).
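Checking Event Viewer by hand is the kind of chore that stops happening after a month, so here is an added example (not from the original page) that does the check from PowerShell: it finds the File History event logs, pulls anything at warning level or worse from the last two days, and prints a one-line verdict. Run it as the user whose files are backed up, since File History runs per user; it assumes nothing beyond File History having been turned on.

```powershell
# Added example (not from the original page): is File History healthy?
# Run as the backed-up user. No external dependencies.
$logs = Get-WinEvent -ListLog 'Microsoft-Windows-FileHistory*' -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 }
if (-not $logs) {
    Write-Warning 'No File History event logs with records found: is File History turned on?'
    return
}

$since  = (Get-Date).AddDays(-2)
$events = foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; StartTime = $since } `
                 -ErrorAction SilentlyContinue
}

# Level 1 = Critical, 2 = Error, 3 = Warning, 4 = Information.
$problems = @($events | Where-Object { $_.Level -in 1, 2, 3 })
if ($problems.Count -gt 0) {
    $problems | Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, Id, Level, Message | Format-Table -Wrap
    Write-Warning ('File History: {0} warning/error event(s) since {1}' -f $problems.Count, $since)
} elseif (@($events).Count -eq 0) {
    Write-Warning ('File History: no events at all since {0}; it may not be running' -f $since)
} else {
    'File History: no warnings or errors since {0} ({1} informational events)' -f $since, @($events).Count
}
```

Silence is not success: a File History that has quietly stopped produces no error events, which is why the script also warns when there are no events at all in the window. Put it in Task Scheduler or run it before you unplug the backup drive.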
Power User / Developer Settings
- Another tweak the author likes is pinning his home (user profile in Windows speak) folder to ‘Quick Access’ (e.g. having a ‘Quick Access’ link to C:\Users\my-user).
- The author also finds it convenient to have the
Control Panel on the Start Menu
- Also for the
Control Panel the author prefers the ‘large icons’ view, rather than the category-based one.
- A few more free Microsoft Store apps are worth having for power users and developers.
- Whether from ‘My Library’ (because you’ve done this before), or by searching the store:
- Windows Terminal
- Diagnostic Data Viewer
In
Control Panel|Programs and Features|Turn Windows features on or off we want to add the following Windows Features:
- Windows Subsystem for Linux (aka WSL)
- The rest require that your device supports Hyper-V (and a Pro, Enterprise or Education edition of Windows 10; Home does not include the Hyper-V platform). To check whether it meets the requirements, execute
systeminfo.exe in an Administrative PowerShell and look at the ‘Hyper-V Requirements’ section at the end of the output; all four items should say ‘Yes’ (if it reports that a hypervisor has already been detected, Hyper-V is already running).
- Virtual Machine Platform (needed for WSL 2)
- Hyper-V, plus Windows Hypervisor Platform (lets VirtualBox, Vagrant, Docker, etc. run on top of Hyper-V instead of their own hypervisor)
- Configure your
Hyper-V Switch in
Windows Administrative Tools|Hyper-V Manager
- The author recommends adding an external network that shares the main LAN NIC with Hyper-V and the management host. Use a wired NIC: wireless adapters are poorly supported (Hyper-V has to rewrite the VMs’ MAC addresses to bridge them), and the result is unreliable.
- If you have a second Ethernet NIC, the author recommends creating a second external network that does not share with the host (so it will no longer be visible in your host, but you will be able to use it with virtual machines). A VM-only NIC like this is also a clean way to keep test machines on a separate segment from the host.
- I also recommend moving the default Hyper-V Hard Drive location out of
- Update the WSL 2 kernel to the latest Linux kernel update package for x64 machines.
- For WSL or WSL 2 users: install a Linux distro and configure it (see Microsoft’s Guide to Installing WSL and WSL 2).
- Once your distro is installed:
sudo apt update
sudo apt upgrade
sudo apt dist-upgrade
sudo apt install restic
- In an Administrator PowerShell issue the command
- If you enable Remote Desktop on your system, the author recommends that in Windows Defender Firewall you allow RDP connections only on the private network profile, and limit them to connections coming from the local subnet. RDP exposed beyond that is a standard target for password spraying and ransomware operators.
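The feature checks, the Hyper-V switches and the RDP firewall scoping above can all be done from one elevated PowerShell session; this is an added example, not code from the original page. It assumes the wired adapters are named ‘Ethernet’ and ‘Ethernet 2’ (check `Get-NetAdapter` for yours), that you are on an edition that includes Hyper-V, and that you reboot between enabling the features and creating the switches.

```powershell
# Added example (not from the original page): Hyper-V requirement check,
# Windows features, Hyper-V switches and the Remote Desktop firewall scope.
# Assumed adapter names: 'Ethernet' (main LAN) and 'Ethernet 2' (spare).
#Requires -RunAsAdministrator

# 1. Same data systeminfo.exe prints under "Hyper-V Requirements". If a
#    hypervisor is already running, HyperVisorPresent is True and the
#    requirement properties are empty, which is fine.
$ci = Get-ComputerInfo -Property HyperVisorPresent, HyperVRequirement*
$ci | Format-List
if (-not $ci.HyperVisorPresent -and $ci.HyperVRequirementVirtualizationFirmwareEnabled -eq $false) {
    Write-Warning 'Virtualization is disabled in firmware (UEFI/BIOS); enable it before continuing.'
}

# 2. Features: WSL + Virtual Machine Platform for WSL 2; Hyper-V for VMs;
#    Windows Hypervisor Platform so VirtualBox/Docker can run on top of Hyper-V.
$features = 'Microsoft-Windows-Subsystem-Linux', 'VirtualMachinePlatform',
            'Microsoft-Hyper-V-All', 'HypervisorPlatform'
foreach ($f in $features) {
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $f).State
    if ($state -ne 'Enabled') {
        Enable-WindowsOptionalFeature -Online -FeatureName $f -All -NoRestart | Out-Null
        "$f : enabling (reboot required)"
    } else {
        "$f : already enabled"
    }
}

# 3. Hyper-V switches (run after the reboot that finishes enabling Hyper-V):
#    an external switch shared with the host on the main wired NIC, and a
#    second external switch on the spare NIC that the host does not use.
$lanNic   = 'Ethernet'      # assumed name of the wired LAN adapter
$spareNic = 'Ethernet 2'    # assumed name of the second wired adapter
if (Get-Command New-VMSwitch -ErrorAction SilentlyContinue) {
    if (-not (Get-VMSwitch -Name 'LAN (shared)' -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name 'LAN (shared)' -NetAdapterName $lanNic -AllowManagementOS $true | Out-Null
    }
    if ((Get-NetAdapter -Name $spareNic -ErrorAction SilentlyContinue) -and
        -not (Get-VMSwitch -Name 'VM only' -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name 'VM only' -NetAdapterName $spareNic -AllowManagementOS $false | Out-Null
    }
    Get-VMSwitch | Select-Object Name, SwitchType, AllowManagementOS, NetAdapterInterfaceDescription
} else {
    'Hyper-V cmdlets not available yet; reboot and run step 3 again.'
}

# 4. Remote Desktop: private profile only, and only from the local subnet.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Profile Private -RemoteAddress LocalSubnet
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Enabled -eq 'True' } |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        '{0,-45} profile {1,-8} remote {2}' -f $_.DisplayName, $_.Profile, $addr.RemoteAddress
    }
```

If `HypervisorPlatform` is enabled, VirtualBox and Docker Desktop use Hyper-V as the hypervisor; they cannot coexist with a running Hyper-V any other way. The RDP rule change only restricts the built-in ‘Remote Desktop’ rule group, so check the last block of output for any other rule you (or an installer) added on port 3389.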
Using Chocolatey to Install ‘Traditional Desktop’ Software
Install Chocolatey (a package manager for Windows)
Just follow the official Chocolatey install guide.
Install Software for Windows Available Through Chocolatey
NOTE: The original software licenses still apply, so it is important that
they are compatible with your situation. You can verify that by using
the Chocolatey Online Package Browser, or
ChocolateyGUI (a graphical interface for Chocolatey).
Most of the software is open source and ought to be no problem for internal use;
if you are planning on ‘distributing’ anything then you need to pay close
attention to the licensing terms. The author has noted any software for which
you may need to pay closer attention to the licensing terms, even for internal use,
where he is aware of a more complicated situation.
Also keep in mind that community Chocolatey packages are maintained by volunteers and
mostly download the installer from the upstream vendor: the package page shows the
install script and the checksum it verifies, and that is what you are trusting, so
glance at it for anything you run as Administrator.
Some Suggested Software
Regular User Software
||GUI for Chocolatey
||Privacy-oriented Web Browser
||Google’s Web Browser
||Vector graphics creator and editor
||A very powerful graphics / image manipulation program
||Password management tool
||System (CPU, memory, disk, temp, and so on monitoring in system tray)
||Music player and manager; has more features than Groove Music, and the only Groove feature not present in Quod Libet may be the ability to stream and control Spotify from the music player app (instead of the standalone Spotify app).
||Screen, webcam, and sketch board recorder and editor
||RSI prevention utility (require regular breaks)
||Video conferencing / chat. NB If you have more than one computer you will probably need to install it manually due to download restrictions; also pay attention to the licensing terms.
Power User / Developer Software
||Compression/decompression and archiving/unarchiving
||Write images to removable media (USB/SD cards/etc)
||Git for Windows
||The major version control and source code management system in the software world
||Git Credential Manager for Windows
||Manage Git credentials using the Windows system secrets store
||The Go language and standard library
||PowerShell / Cmd console text editor
||A better notepad (text editor) for Windows
||Command-line backup software
||Power tools for Windows
||Visual Studio Code
||Code and text editor and development environment, and more
||Compose key for Windows – intuitive entry of unusual characters
||SSL certificate creation and management
Configure 7-zip for Best Effect
Make 7-zip the default for filename extensions for which Windows doesn’t have native support.
- Launch 7-zip as Administrator
- Select 7-zip as the default program for any filename extension not claimed by another program (e.g. not .zip)
Configure SSH and Git
Enable the ‘ssh-agent’ Service
The Windows OpenSSH Authentication Agent service is installed but set to Disabled; in ‘Services’ set its startup type to Automatic and start it, otherwise ssh-add has nothing to talk to.
Make Windows OpenSSH Client the Default for Git for Windows
To set this for a single user set the environment variable
GIT_SSH_COMMAND to point to
the OpenSSH binary in the user’s environment variables.
[Environment]::SetEnvironmentVariable("GIT_SSH_COMMAND", "cat - | $((Get-Command ssh).Source.Replace('\','/'))", [System.EnvironmentVariableTarget]::User)
Also, make sure
GIT_SSH is unset for the user (GIT_SSH_COMMAND overrides core.sshCommand, and GIT_SSH in turn overrides neither but confuses things):
[Environment]::SetEnvironmentVariable("GIT_SSH", "", [System.EnvironmentVariableTarget]::User)
To set it for all users, set
GIT_SSH_COMMAND in the system environment variables.
In an admin PowerShell:
[Environment]::SetEnvironmentVariable("GIT_SSH_COMMAND", "cat - | $((Get-Command ssh).Source.Replace('\','/'))", [System.EnvironmentVariableTarget]::Machine)
Also, make sure
GIT_SSH is unset in the system environment:
In an admin PowerShell:
[Environment]::SetEnvironmentVariable("GIT_SSH", "", [System.EnvironmentVariableTarget]::Machine)
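To enable the ssh-agent service, confirm that the ssh Git will use is the Windows OpenSSH one (and not the copy bundled with Git for Windows, which cannot talk to the Windows agent service), and load a key, the following added example (not code from the original page) does the whole thing from an elevated PowerShell. It sets core.sshCommand through git config as an alternative to the GIT_SSH_COMMAND variable above; a GIT_SSH_COMMAND variable, if present, still takes precedence. The key path `~\.ssh\id_ed25519` is an assumption.

```powershell
# Added example (not from the original page): Windows ssh-agent + Git for Windows.
# Assumed key path: $env:USERPROFILE\.ssh\id_ed25519. Elevated PowerShell for step 1.
#Requires -RunAsAdministrator

# 1. The OpenSSH Authentication Agent service ships Disabled.
Set-Service -Name ssh-agent -StartupType Automatic
Start-Service -Name ssh-agent
Get-Service -Name ssh-agent | Select-Object Name, Status, StartType

# 2. Which ssh is first on PATH? Windows OpenSSH lives under System32\OpenSSH.
$ssh = (Get-Command ssh).Source
"ssh on PATH: $ssh"
if ($ssh -notlike "$env:SystemRoot\System32\OpenSSH\*") {
    Write-Warning "That is not Windows OpenSSH; the Git for Windows ssh cannot use the ssh-agent service. Fix PATH order or point Git at System32\OpenSSH\ssh.exe explicitly."
}

# 3. Tell git which ssh to run. Forward slashes: git hands the command to its own sh.
$sshForGit = $ssh.Replace('\', '/')
git config --global core.sshCommand $sshForGit
'core.sshCommand = ' + (git config --global --get core.sshCommand)

# Anything in these variables overrides core.sshCommand, so they should be empty
# or agree with it.
'GIT_SSH_COMMAND (user)   = ' + [Environment]::GetEnvironmentVariable('GIT_SSH_COMMAND', 'User')
'GIT_SSH_COMMAND (system) = ' + [Environment]::GetEnvironmentVariable('GIT_SSH_COMMAND', 'Machine')
'GIT_SSH (user)           = ' + [Environment]::GetEnvironmentVariable('GIT_SSH', 'User')

# 4. Load the key into the agent (asks for the passphrase once) and list what it holds.
$key = Join-Path $env:USERPROFILE '.ssh\id_ed25519'   # assumed key path
if (Test-Path $key) {
    ssh-add $key
} else {
    Write-Warning "No key at $key; create one with: ssh-keygen -t ed25519"
}
ssh-add -l

# 5. Prove git goes through that ssh: -v shows the binary, the agent and the key used.
$env:GIT_SSH_COMMAND = "$sshForGit -v"
# git ls-remote git@github.com:octocat/Hello-World.git   # needs network; uncomment to try
Remove-Item Env:GIT_SSH_COMMAND
```

The verification in step 5 is the one worth keeping: an `ssh -v` trace shows `Offering public key` with the agent-held key, so you know the key came from the Windows agent and not from a passphrase prompt on a file Git's own ssh found on its own.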
Configure Git for Windows for Better Linux Compatibility
- Ignore changes to file ‘mode’ bits (e.g. execute permissions), which NTFS does not track:
git config --global core.fileMode false
- Make Unix (LF) line endings the default for files; Windows 10 2004 and its tools handle text/source files of this type easily:
git config --global core.eol lf
- Disable changing the line endings depending on whether you check out on Windows or under WSL:
git config --global core.autocrlf false
- Set the default user name and email for commits:
git config --global user.name "Your Name"
git config --global user.email "Your email address"
- Make the default credential helper Git Credential Manager for Windows:
git config --global credential.helper manager
This option makes a pull succeed only when it is a fast-forward: if the remote branch has diverged from yours, git pull fails instead of silently creating a merge commit or rebasing your work. You can still
git fetch and manually merge or
rebase as necessary.
git config --global pull.ff only
Configuring WSL so Windows Filesystems Have Proper Unix Permissions
In the WSL environment you should add
/etc/wsl.conf containing something like:
[automount]
enabled = true
options = "metadata,uid=1000,gid=1000,umask=0022,fmask=0011"
[network]
generateHosts = true
generateResolvConf = true
(uid/gid 1000 is the first user created in the distro; check with id if yours differs. The key is spelled generateResolvConf, without the ‘e’.)
See Configuring WSL Launch Settings
Once you restart WSL (which involves more than just closing your current WSL
terminal; run wsl --shutdown from PowerShell, which stops every running distro, or reboot Windows),
files and directories from Windows (e.g. under /mnt) will have more
normal Unix permissions while in WSL: directories 755 and files 644 with the execute bits cleared, owned by your user rather than root. Because of the metadata option you will be able to override them with chmod for the
effective permissions in WSL. Also note that in some cases there are Windows
ACLs that also affect your effective permissions.
And finally, it’s generally not possible to delete files which are opened by
another process in Windows, and therefore in WSL (which differs from plain
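The whole edit-restart-verify loop can be driven from PowerShell, which also avoids the stray CR characters a Windows editor leaves in a file that WSL reads. This added example (not from the original page) writes /etc/wsl.conf into the default distro as root, restarts WSL with wsl --shutdown, and then shows the permissions a Windows directory, a Windows file, and a freshly chmod-ed file end up with; it assumes uid/gid 1000 and a writable C:\Users\Public.

```powershell
# Added example (not from the original page): write /etc/wsl.conf, restart WSL
# the proper way, and verify the permissions on /mnt/c.
# Assumptions: default distro, uid/gid 1000, C:\Users\Public writable.
$conf = @'
[automount]
enabled = true
options = "metadata,uid=1000,gid=1000,umask=0022,fmask=0011"

[network]
generateHosts = true
generateResolvConf = true
'@

# Write as root; tr strips any CR so the file has pure LF line endings.
$conf | wsl -u root -- sh -c "tr -d '\r' > /etc/wsl.conf"
'--- /etc/wsl.conf as written ---'
wsl -u root -- cat /etc/wsl.conf

# Closing the terminal does not restart WSL; this does (stops every distro).
wsl --shutdown

'--- permissions after restart (expect drwxr-xr-x for the dir, -rw-r--r-- for the file, owner uid 1000) ---'
wsl -- ls -ld /mnt/c/Users /mnt/c/Windows/System32/cmd.exe

'--- metadata lets chmod stick on a Windows-side file ---'
wsl -- sh -c 'f=/mnt/c/Users/Public/wslperm-demo.sh; echo "#!/bin/sh" > $f; ls -l $f; chmod 755 $f; ls -l $f; rm $f'
```

Before this change every file under /mnt is -rwxrwxrwx root:root, which makes ssh refuse keys kept on the Windows side and lets any WSL process execute anything; afterwards the same files are 644, and the second `ls -l` shows the explicit chmod 755 surviving because the metadata option stores the mode in NTFS extended attributes.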
Configure Visual Studio Code for Developing in WSL/WSL2
See the Visual Studio Code Guide to Developing in WSL
Configure Local Backups Using Restic
NB This is not for the faint of heart. If you aren’t sure of how to make this work, you would be better off to purchase a backup solution for Windows 10.
Open
Task Scheduler (which can be found in the
Start Menu under
Windows Administrative Tools), then select
Task Scheduler Library
- Create the Restic Backup Task:
- On the ‘General’ tab:
- Give the task a name.
- Set ‘When running the task, use the following account’ to SYSTEM (using
Change User or Group…). Restic needs this for
--use-fs-snapshot, which takes a Volume Shadow Copy so open files are backed up consistently.
- Check ‘Run with highest privileges’.
- On the ‘Triggers’ tab:
- Select ‘New…’.
- Set the task to start daily and repeat every 1 hour, for a duration of 1 day.
- Set the task to stop if it runs longer than 4 hours.
- Make sure it is ‘Enabled’.
- Click ‘OK’.
- On the ‘Actions’ tab:
- Select ‘New…’.
- The action should be
Start a program
- Program/script should be
- Add arguments (optional): should be similar to:
-r rest:https://backuphost:31800/repo --password-file C:\ProgramData\restic\password-file backup --quiet --exclude **Temp** --exclude-caches --iexclude **\cache** --exclude **CanonicalGroupLimited.Ubuntu20.04onWindows** --cleanup-cache --exclude **WindowsApps\**\*.exe --use-fs-snapshot C:\ProgramData C:\Users — You will obviously need to change
-r rest:https://backuphost:31800/repo to your actual repository, and you will need to create the password file and initialize the repo separately. See the Restic documentation on ‘Read The Docs’ for details. The password file is the key to every backup, so restrict its ACL to SYSTEM and Administrators; it should not be readable by ordinary users.
- Start in (optional): should be
- Adjust the
Settings if you need to do so.
- Click ‘OK’.
- Assuming you have previously initialized the repo, and created the password file, Click ‘Run’. The task should run for some time, and when done the status code should be
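The same task can be created with the ScheduledTasks cmdlets, which is repeatable across machines and leaves nothing to remember in the dialogs. This is an added example, not code from the original page: it locks down the password file’s ACL, registers the hourly task as SYSTEM with the 4-hour limit, runs it once and reports the exit code. The restic.exe path (the Chocolatey shim), the repository URL and the working directory are assumptions; the exclude list is the one given above.

```powershell
# Added example (not from the original page): the Restic backup task via
# Register-ScheduledTask. Assumed: $restic path, $repo URL, $workDir.
# Prerequisites, as on the page: password file created and `restic init` done.
#Requires -RunAsAdministrator

$restic   = 'C:\ProgramData\chocolatey\bin\restic.exe'   # assumed: Chocolatey's shim
$pwFile   = 'C:\ProgramData\restic\password-file'
$repo     = 'rest:https://backuphost:31800/repo'         # assumed; use your repository
$workDir  = 'C:\ProgramData\restic'                      # assumed "Start in" directory
$taskName = 'Restic Backup'

if (-not (Test-Path $pwFile)) {
    throw "Create $pwFile (one line: the repository password) and run 'restic init' first."
}
# The password file unlocks every backup: remove inherited ACEs, leave only
# SYSTEM (the task) and Administrators (you, when elevated) with read access.
icacls $pwFile /inheritance:r /grant:r 'SYSTEM:(R)' 'BUILTIN\Administrators:(R)' | Out-Null
icacls $pwFile

$arguments = @(
    '-r', $repo, '--password-file', $pwFile, 'backup', '--quiet',
    '--exclude', '**Temp**', '--exclude-caches', '--iexclude', '**\cache**',
    '--exclude', '**CanonicalGroupLimited.Ubuntu20.04onWindows**', '--cleanup-cache',
    '--exclude', '**WindowsApps\**\*.exe',
    '--use-fs-snapshot',        # VSS snapshot; needs admin, hence SYSTEM
    'C:\ProgramData', 'C:\Users'
) -join ' '

$action    = New-ScheduledTaskAction -Execute $restic -Argument $arguments -WorkingDirectory $workDir
# On Windows 10, -Once with a repetition interval and no duration repeats indefinitely.
$trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).Date -RepetitionInterval (New-TimeSpan -Hours 1)
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 4) `
                                          -StartWhenAvailable -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
                       -Principal $principal -Settings $settings -Force | Out-Null

# First run now. The first backup of C:\Users can take hours; later runs are incremental.
Start-ScheduledTask -TaskName $taskName
do {
    Start-Sleep -Seconds 10
    $task = Get-ScheduledTask -TaskName $taskName
} while ($task.State -eq 'Running')

# LastTaskResult is restic's exit code: 0 = success, 3 = some files could not
# be read (snapshot still created), 1 = fatal error. 0x41301 means still running.
$info = Get-ScheduledTaskInfo -TaskName $taskName
'{0}: last run {1}, result 0x{2:X}' -f $taskName, $info.LastRunTime, $info.LastTaskResult
```

Exit code 3 is worth watching for: restic still writes a snapshot, but files it could not open (typically locked ones, which `--use-fs-snapshot` is meant to avoid) are missing from it, so a run that ends in 3 every hour is a backup with a hole in it.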