Simple ways to debloat, secure, and enhance privacy on Windows 10.
In this post I will be outlining easy ways to harden and lock down a Windows install. These solutions are not comprehensive, so if you need further privacy or security I would suggest installing Linux. Furthermore, Windows 10 is soon to be outdated, and running an outdated OS comes with security risks, so be aware.
Fresh Installation
If you are performing a clean install of Windows, you can skip creating a Microsoft account by not connecting to the internet during setup. When prompted, simply skip setting up internet access and the option for skipping account creation will appear. Also make sure to turn off all telemetry requests when the options arise.
Applications
Below are applications I use to debloat, harden, and privatize Windows 10:
Revo Uninstaller
Revo Uninstaller is the best program for not only getting rid of programs, but also cleaning up all their leftover files that they “forgot” to remove. Revo also has the capacity to uninstall Windows apps, including the ever pesky Edge. Use Revo to debloat your system and remove all the garbage Windows 10 comes pre-installed with. Simply run the program and use the uninstall button on everything you don’t need. Select all and delete when Revo finds extra leftover files.
Simplewall
Simplewall is an application firewall that denies internet access on a per-app basis. You can configure it to run on startup and auto-deny internet access to apps that don’t need it, including Microsoft apps. As applications request access you can approve or deny them. Simplewall also has a feature to block Windows Update, if you want to. I do this, but be aware it leaves you vulnerable to security risks. Make sure you have peak computer hygiene if you disable updates. Also be aware that this is not a foolproof firewall, as Microsoft can still gain internet access before the OS is fully initialized.
OOSU10+
O&O Shut Up 10 is software that brings all of the privacy features Microsoft has hidden or made hard to access into a central program. Turn on and off features you like or dislike (like Cortana). Green entries are safe to disable, yellow are partially supported, and red are potentially dangerous to disable. Evaluate each option yourself and compare it to your threat model.
ClamAV
ClamAV is an open source antivirus that runs via the command line. It may take some getting used to, but it works well and is less privacy invasive than Windows Defender. Run OS-wide manual scans often and scan any EXEs and DLLs you may download. Read their documentation here.
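As an added example (not from the original post or the ClamAV project), this PowerShell script refreshes signatures, scans a folder for downloaded EXEs and DLLs, and acts on clamscan's exit code. The install path, target folder and log location are assumptions; adjust them to your system.

```powershell
# Added example: scan downloaded .exe/.dll files with ClamAV's clamscan.
# Assumptions: ClamAV lives in $ClamDir and freshclam.conf is already configured.
param(
    [string]$ClamDir = 'C:\Program Files\ClamAV',        # assumed install path
    [string]$Target  = "$env:USERPROFILE\Downloads",     # assumed scan target
    [string]$LogFile = "$env:TEMP\clamscan-downloads.log"
)

$clamscan  = Join-Path $ClamDir 'clamscan.exe'
$freshclam = Join-Path $ClamDir 'freshclam.exe'
foreach ($exe in $clamscan, $freshclam) {
    if (-not (Test-Path $exe)) { throw "Not found: $exe" }
}

# Update signatures first; a scan against stale definitions misses recent malware.
& $freshclam --quiet
if ($LASTEXITCODE -ne 0) {
    Write-Warning "freshclam exited with $LASTEXITCODE; scanning with existing signatures."
}

# --recursive descends into subfolders, --infected prints only detections,
# --include limits the scan to file names matching the regex (.exe/.dll, any case).
$output = & $clamscan --recursive --infected --no-summary `
    '--include=\.([eE][xX][eE]|[dD][lL][lL])$' "--log=$LogFile" $Target
$code = $LASTEXITCODE

# clamscan exit codes: 0 = nothing found, 1 = detection(s), 2 = error.
switch ($code) {
    0 { Write-Host "No detections in $Target." }
    1 {
        # Detection lines have the form "<path>: <signature> FOUND".
        $hits = @($output | ForEach-Object {
            if ($_ -match '^(?<Path>.+): (?<Sig>\S+) FOUND$') {
                [pscustomobject]@{ Path = $Matches.Path; Signature = $Matches.Sig }
            }
        })
        $hits | Format-Table -AutoSize
        Write-Warning "$($hits.Count) file(s) flagged; details in $LogFile."
    }
    default { Write-Error "clamscan failed with exit code $code; see $LogFile." }
}
exit $code
```

For an OS-wide scan, pass `-Target C:\` and drop the `--include` filter so every file type is checked.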
LibreWolf
LibreWolf is a hardened and privacy friendly fork of Firefox. It removed all of Mozilla’s telemetry and made tweaks to its settings to resist fingerprinting, which is a technique to identify you via your browser’s configuration.
To harden even further, set DuckDuckGo as your default browser, set cookies to auto-delete, and turn on letterboxing in about:config.
uBlock Origin, Privacy Badger, NoScript
Browser addons that fortify your browser even further. uBlock Origin blocks harmful content, Privacy Badger stops trackers and a degree of fingerprinting, and NoScript disables JavaScript completely, letting you choose which sites can run JavaScript and which cannot.
In uBlock Origin, go to its settings and enable all filters for extra protection.
In NoScript, once you visit a site, you can set its domain to trusted to allow it to run JavaScript, which is often necessary for most websites to work. The advantage here is that it blocks all of the other cross-site scripts from running. It also prevents a malware attack called cross-site scripting.
Privacy Badger works well, no configuration required.
Mullvad VPN
VPNs are services that route your traffic through their servers and encrypt it to hide what you are doing, and where, from your ISP and local network. Very useful for adding an extra layer of security to your internet traffic. If you don’t want to pay for Mullvad, Proton VPN has a free tier.
To configure for maximum security, turn on DAITA, quantum resistance, and optionally multihop if you don’t mind slower speeds. Also set your protocol to WireGuard, and use a DNS filter that fits your needs.
Conclusion
Overall we have hardened Windows by:
- Denying a Microsoft account on install
- Debloating unwanted programs with Revo
- Denying telemetry and application data harvesting with Simplewall
- Configuring privacy settings with OOSU10+
- Using an alternative antivirus with ClamAV
- Resisting browser fingerprinting with LibreWolf
- Blocking malware with uBlock Origin
- Blocking trackers with Privacy Badger
- Blocking JavaScript trackers and malware with NoScript
- Double encrypting and obfuscating internet traffic with Mullvad VPN