Author Topic: Windows 11 security: How to protect your home and small business PCs 2/2  (Read 379 times)



What's the best way to protect data files?

☑ Turn on BitLocker encryption for all data drives

☑ Back up your encryption keys

☑ Back up data files to the cloud

☑ Back up critical data files to local storage

Replacing a stolen laptop is inconvenient and expensive. Dealing with lost or stolen data is a nightmare. Physical security has its own challenges, but when it comes to keeping your data secure, you have two key goals:

   • Encrypt your data files. If your computer or storage device is stolen, the thief can't access your files that are protected with robust encryption and a strong password.

   • Back up your data files. With a good backup plan, you can restore files that are lost or damaged (even if the cause is hardware failure) and get back to work with a minimum of downtime.

Those precautions are especially important for files containing sensitive personal or financial information for customers or clients. If you work in a regulated industry or you're subject to data breach laws, the impact is even worse.

On a Windows 11 device, the single most important configuration change you can make is to enable BitLocker Device Encryption on the system drive and on all secondary drives, including USB flash drives. (BitLocker is the brand name that Microsoft uses for the encryption tools available in business editions of Windows. BitLocker features are identical on Windows 10 and Windows 11.)

With BitLocker enabled, every bit of data on the device is encrypted using the XTS-AES standard. BitLocker uses the Trusted Platform Module (TPM) chip to store the encryption keys.

The steps to turn on BitLocker Device Encryption are different depending on which edition of Windows 11 is installed:

   • Windows 11 Home: This edition supports strong device encryption, but only if you're signed in with a Microsoft account. It doesn't include the BitLocker management tools.

   • Windows 11 Pro, Enterprise, or Education: These business editions provide full access to the BitLocker management tools. For full management capabilities, you'll need to set up BitLocker using an Active Directory account on a Windows domain or an Azure Active Directory account. On an unmanaged device running a business edition of Windows 11, you can set up BitLocker using a local account or a Microsoft account, but you'll need to use the BitLocker management tools to enable encryption on each available drive.

It is crucial that you back up the recovery key for a BitLocker-encrypted drive. In the event that you ever have to reinstall Windows or experience account problems, you'll need that 48-digit number to access the data.

If you sign in with a Microsoft account, the BitLocker recovery key is saved in OneDrive by default. You can access it by signing in at onedrive.com/recoverykey. I recommend that you print a copy of that key and file it in a safe place, just in case.

On a managed PC using a domain or AAD account, the recovery key is saved in a location that is available to the domain or AAD administrator. On a personal device, you can use the Manage BitLocker app to save or print a copy of that recovery key.

Don't forget to encrypt portable storage devices. USB flash drives, MicroSD cards used as expansion storage, and portable hard drives are easily lost, but the data can be protected from prying eyes with the use of BitLocker To Go, which uses a password to decrypt the drive's contents.
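The BitLocker steps above (check each drive, enable encryption on the system drive, back up the 48-digit recovery password, and put BitLocker To Go on removable media) can be audited and applied from an elevated PowerShell session. The following script is an added example and is not part of the original post; it needs Windows 11 Pro, Enterprise or Education (Home edition lacks the BitLocker module), and the choice of backup target (Azure AD, Active Directory or a printed copy) is left as commented alternatives because it depends on how the PC is managed.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post. Audits BitLocker on every
# volume, enables it on the system drive with a TPM protector plus a
# recovery password, backs that password up, and puts BitLocker To Go on
# any removable drive that is still in the clear. Needs an elevated session
# on Windows 11 Pro/Enterprise/Education (Home lacks the BitLocker module).

# 1. Audit: protection state and key protector types for every volume.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionMethod,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# 2. System drive: TPM-sealed key, XTS-AES 256, used-space-only encryption.
$sys = $env:SystemDrive
if ((Get-BitLockerVolume -MountPoint $sys).ProtectionStatus -eq 'Off') {
    Enable-BitLocker -MountPoint $sys -TpmProtector -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -SkipHardwareTest | Out-Null
}
# A recovery password is what you fall back on after a reinstall or a TPM
# change, so add one if the drive does not have it yet.
$protectors = (Get-BitLockerVolume -MountPoint $sys).KeyProtector
if (-not ($protectors | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $sys -RecoveryPasswordProtector | Out-Null
}

# 3. Back up the recovery password; choose the line matching how the PC is
#    managed. The printed value is the 48-digit key to file somewhere safe.
$rp = (Get-BitLockerVolume -MountPoint $sys).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
# Azure AD-joined device (key is stored with the Azure AD device record):
# BackupToAAD-BitLockerKeyProtector -MountPoint $sys -KeyProtectorId $rp.KeyProtectorId
# Domain-joined device (requires the BitLocker recovery GPO/AD schema):
# Backup-BitLockerKeyProtector -MountPoint $sys -KeyProtectorId $rp.KeyProtectorId
# Unmanaged PC: display it so it can be printed; never save it on the drive it unlocks.
"{0}  ID {1}`nRecovery password: {2}" -f $env:COMPUTERNAME, $rp.KeyProtectorId, $rp.RecoveryPassword

# 4. BitLocker To Go: password-protect every removable drive that has a letter.
Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object {
    $mp = "$($_.DriveLetter):"
    if ((Get-BitLockerVolume -MountPoint $mp).ProtectionStatus -eq 'Off') {
        $pw = Read-Host -AsSecureString "BitLocker To Go password for $mp"
        Enable-BitLocker -MountPoint $mp -PasswordProtector -Password $pw `
            -EncryptionMethod XtsAes256 -UsedSpaceOnly | Out-Null
        Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
    }
}
```

Run the audit step on its own first; a drive that shows a TPM protector but no RecoveryPassword protector is the case that turns a reinstall or motherboard swap into permanent data loss, which is exactly what step 2 and step 3 guard against.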

Finally, make sure that crucial data files are backed up to the cloud and to local storage (on an encrypted drive, naturally). This precaution can be invaluable if you suffer a disk crash, and it's also excellent protection against ransomware attacks.

If you're concerned about putting sensitive files in the cloud, encrypt the files using third-party software such as Boxcryptor, or consider a zero-knowledge service that has no access to your encryption keys, such as SpiderOak CrossClave.

How do I protect my Windows 11 PC from malicious software?

☑ Configure security software

☑ Configure anti-spam protection

☑ Manage which apps standard user accounts are allowed to run

Security software is one layer in a defensive strategy designed to keep threats from ever reaching a PC. It's no longer the most important layer, but it's still crucial to have up-to-date security software.

Every installation of Windows 11 includes built-in antivirus and anti-malware software called Microsoft Defender Antivirus, which updates itself using the same mechanism as Windows Update. Microsoft Defender Antivirus is designed to be a set-it-and-forget-it feature and doesn't require any manual configuration. If you install a third-party security package, Windows disables the built-in protection and allows that software to detect and remove potential threats.

To check the status of Microsoft Defender Antivirus, use the Virus & Threat Protection page in the Windows Security app. (You'll find ransomware protection options under the Controlled Folder Access heading.)

Large organizations that use Windows Enterprise edition can deploy Microsoft Defender for Endpoint, a security platform that monitors Windows 11 PCs and other managed devices using behavioral sensors. Using cloud-based analytics, these tools can identify suspicious behavior and alert administrators to potential threats.

For smaller businesses, the most important challenge is to prevent malicious code from reaching the PC in the first place. Microsoft's SmartScreen technology is another built-in feature that scans downloads and blocks the execution of those that are known to be malicious. The SmartScreen technology also blocks unrecognized programs but allows the user to override those settings if necessary.

It's worth noting that SmartScreen in Windows 11 works independently of browser-based technology such as Google's Safe Browsing service and the SmartScreen Filter service in Microsoft Edge.

On unmanaged PCs, SmartScreen is another feature that requires no manual configuration. You can adjust its configuration using the App & Browser Control settings in the Windows Security app.

Email is another crucial vector for potentially malicious code: seemingly innocuous file attachments and links to malicious websites can result in infection. Although email client software can offer some protection in this regard, blocking these threats at the server level is the most effective way to prevent attacks on PCs.

An effective approach for preventing users with standard accounts from running unwanted programs (including malicious code) is to configure a Windows 11 PC so it's prevented from running any apps except those you specifically authorize. To adjust these settings on a single PC, go to Settings > Apps > Apps & Features; under the Choose Where To Get Apps heading, select The Microsoft Store Only. This setting allows previously installed apps to run but prevents installation of any downloaded programs from outside the Store.
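The three checks in this section (Microsoft Defender Antivirus status and Controlled Folder Access, SmartScreen for downloaded apps, and the Store-only app setting) can be read and adjusted from an elevated PowerShell session. The script below is an added example, not code from the original post. The Defender cmdlets are the ones shipped with Windows; the two registry value names are the ones Windows writes when you flip the corresponding switches in Windows Security and Settings, and the protected folder path is a constructed example.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post. Reads the state of the
# three malware defenses the text describes (Microsoft Defender Antivirus,
# Controlled Folder Access, SmartScreen plus the Store-only app setting) and
# tightens whatever is off. Elevated session on Windows 11. The registry
# value names are the ones Windows writes for those Settings switches; the
# protected folder path is a constructed example.

$explorerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'

function Get-MalwareDefenseStatus {
    $mp   = Get-MpComputerStatus
    $pref = Get-MpPreference
    $reg  = Get-ItemProperty -Path $explorerKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AntivirusEnabled       = $mp.AntivirusEnabled
        RealTimeProtection     = $mp.RealTimeProtectionEnabled
        RunningMode            = $mp.AMRunningMode                 # 'Passive Mode' when a third-party AV has taken over
        SignatureAgeDays       = $mp.AntivirusSignatureAge
        ControlledFolderAccess = $pref.EnableControlledFolderAccess # 0 = off, 1 = block, 2 = audit only
        SmartScreenApps        = $reg.SmartScreenEnabled            # 'Warn', 'Block' or 'Off'
        AppInstallSource       = $reg.AicEnabled                    # 'Anywhere', 'PreferStore' or 'StoreOnly'
    }
}

$status = Get-MalwareDefenseStatus
$status | Format-List

# Stale definitions are the quiet failure mode of "set it and forget it".
if ($status.SignatureAgeDays -gt 1) { Update-MpSignature }

# Ransomware protection: stop untrusted apps from writing to the listed
# folders. Use AuditMode first if line-of-business apps write there, then
# review Windows Security > Block history and allow-list what is legitimate.
if ($status.ControlledFolderAccess -ne 1) {
    Set-MpPreference -EnableControlledFolderAccess Enabled
}
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\ClientFiles'   # constructed path
# Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Vendor\app.exe'

# SmartScreen for downloaded apps: 'Warn' is the default and keeps the
# user override the text mentions; 'Block' removes that override.
if ($status.SmartScreenApps -eq 'Off') {
    Set-ItemProperty -Path $explorerKey -Name SmartScreenEnabled -Value 'Warn'
}

# PCs used with standard accounts: the scripted equivalent of
# Settings > Apps > Apps & Features > Choose Where To Get Apps = The Microsoft Store Only.
Set-ItemProperty -Path $explorerKey -Name AicEnabled -Value 'StoreOnly'
```

The status object is worth keeping as a scheduled check on a small fleet: a RunningMode of "Passive Mode" on a PC where nobody installed a third-party product, or a signature age climbing past a day or two, is the kind of silent failure the "set-it-and-forget-it" design otherwise hides.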

What's the best way to prevent attacks over the network?

☑ Use a hardware firewall

☑ Leave the Windows firewall turned on

☑ Protect your Wi-Fi account

The gateway for your cable, fiber, DSL or other wired internet connection should include a firewall feature that prevents outsiders from connecting to PCs that are on your internal network. Check the management interface for that device (access is typically through a web-based portal that connects to a private IP address like 192.168.1.1 or 10.0.0.1). Make sure those security features are enabled and consider changing the default administrative credentials (admin/password is common) to something more secure.

Every version of Windows shipped in the past two decades has included a stateful inspection firewall. In Windows 11, this firewall is enabled by default and doesn't need any tweaking to be effective. As with its predecessors, the Windows 11 firewall supports three different network configurations: Domain, Private, and Public. Apps that need access to network resources can generally configure themselves as part of the initial setup.

To adjust basic Windows firewall settings, use the Firewall & Network Protection tab in the Windows Security app. For a far more comprehensive, expert-only set of configuration tools, click Advanced Settings to open the legacy Windows Defender Firewall with Advanced Security console. On managed networks, these settings can be controlled through a combination of Group Policy and server-side settings.

From a security standpoint, the biggest network-based threats to a Windows PC arise when connecting to wireless networks. Large organizations can significantly improve the security of wireless connections by adding support for the 802.1x standard, which authenticates each user individually instead of relying on the shared password used on WPA2 wireless networks. Windows 10 and Windows 11 will prompt for a username and password when attempting to connect to this type of network and will reject unauthorized connections. On networks that use a shared password, make sure that visitors connect to a separate guest network.

For times when you must connect using an untrusted wireless network, the best alternative is to set up a virtual private network (VPN). Windows 11 supports the most popular VPN packages used on corporate networks; to configure this type of connection, go to Settings > Network & Internet > VPN. Small businesses and individuals can choose from a variety of Windows-compatible third-party VPN services.
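The firewall and VPN guidance above (keep all three firewall profiles on, treat networks you don't control as Public, and use a VPN on untrusted Wi-Fi) can be checked and applied with the NetSecurity and VpnClient cmdlets built into Windows. The script below is an added example, not code from the original post. The network name 'CafeGuest', the connection name 'Office VPN' and the server vpn.example.com are placeholders, and the tunnel type must match what your VPN server actually offers.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post. Checks the Windows firewall
# across the Domain, Private and Public profiles, forces a named Wi-Fi
# network into the Public profile, lists what still accepts inbound
# connections there, and defines a VPN connection for untrusted networks.
# 'CafeGuest', 'Office VPN' and vpn.example.com are placeholders; the tunnel
# type must match what your VPN server offers.

function Test-FirewallBaseline {
    # Returns the profiles that are off or that accept inbound traffic by default.
    Get-NetFirewallProfile |
        Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' } |
        Select-Object Name, Enabled, DefaultInboundAction
}

$drift = Test-FirewallBaseline
if ($drift) {
    $drift | Format-Table -AutoSize
    # Restore the default posture on every profile: on, unsolicited inbound
    # blocked, outbound allowed so applications keep working.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
}

# The network category picks the profile. A network you do not control
# belongs in Public, which turns off discovery and most inbound rules.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
Get-NetConnectionProfile -Name 'CafeGuest' -ErrorAction SilentlyContinue |
    Where-Object NetworkCategory -eq 'Private' |
    Set-NetConnectionProfile -NetworkCategory Public

# What is still reachable on the Public profile: enabled inbound allow rules.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { $_.Profile -match 'Public|Any' } |
    Select-Object DisplayName, Profile | Sort-Object DisplayName

# Settings > Network & Internet > VPN, scripted: an SSTP tunnel (TLS on 443)
# that requires encryption and authenticates the user with MS-CHAPv2.
if (-not (Get-VpnConnection -Name 'Office VPN' -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name 'Office VPN' -ServerAddress 'vpn.example.com' `
        -TunnelType Sstp -EncryptionLevel Required -AuthenticationMethod MSChapv2 -PassThru
}
```

The inbound-rule listing is the part worth reading carefully: apps that "configure themselves as part of the initial setup" often add allow rules scoped to all profiles, and those are the rules that remain open on a coffee-shop network even after the profile is set to Public.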

« Last Edit: March 25, 2022, 12:50:39 PM by javajolt »