Advice Request Boosting security for Microsoft Windows, iOS and Android devices

[ryanh]

We have a bunch of devices (20 to be exact) that are a combination of Microsoft Windows 10, iOS 16 and Android 13 devices. All the Windows machines have Bitdefender Total Security installed as do the Android phones. The iOS devices rely on the in-built protection from Apple.

As the devices are used by people of all ages (kids, adults and seniors) with varying needs e.g. school, work, keeping in contact with others e.g. email, social and skills, it's impossible to whitelist/blacklist every site the visit for example, prevent downloading files/apps or installing software . None of the users have administrative accounts on Windows but do have the ability to download and install apps on the tablets and phones. Where possible, the devices also have Patchy My PC installed to update third-party software. The risks span from malicious sites, phishing emails and malware laden apps.

• What solutions are there (free and paid) to improve the overall security of the devices combined with Bitdefender Total Security?
• Which of these support multiple licenses that can be centrally managed e.g. installations, configurations?

 

[HarborFront]

Nowadays, good practice on the user part is not enough. You need to take proactive actions. Below are some pointers to start boosting the security of your devices.

For Windows machines, you need to harden

1) the OS
2) the System
3) the browser(s)

and that will cover

A) Windows Security
B) Theft/Loss/Unauthorized Access
C) Malware Infection
D) Hacking
E) Data Theft
F) Browser Protection

For Android devices

1) Best is not to carry out any financial transaction over the net with a phone
2) If really need to, get a separate phone with a totally new number ie. not those recycled numbers. Do NOT use this phone for other things besides only for financial transaction. Do NOT install other apps except those needed financial apps.
3) Enable SIM card lock. Note that if the phone don’t use SIM card then it’ll not work. This method is good only when the phone is lost or stolen
4) Do NOT link/expose your phone number to online accounts
5) Secure the phone with a strong password/PIN/fingerprint during start up
6) Using standalone authentication app and MFA with a security key. Do NOT use 2FA sending email and SMS
7) Use a password manager with strong password and 2FA with a security key
8) Don’t reply to calls, emails, or text messages that request personal information to avoid phishing attempts.
9) Embedded SIM (eSIM). In terms of physical device protection though, eSIMs potentially offer a welcome safeguard. After all, for an unsophisticated thief with no way of altering the SIM profile, a smartphone becomes much less of a tempting steal! When it comes to preventing data theft, the arrival of the eSIM actually makes next to no impact. The security weakness isn’t in the format; it’s caused by weak credentials, inadequate checks by the carriers – or a combination of the two.
10) Use a VPN to encrypt your phone services
11) Lock down critical apps

Not using iOS devices so not sure how to secure them. I think more or less the same for android.

 

[ForgottenSeer 97327]

When Windows users have no admin rights (and are only allowed to install Store apps) your are well protected with a premium AV, but when you want to bring protection to the next level

Setup a home firewall on an old PC: Cybersecurity Delivered - Sophos Security Solutions video which gives you an idea

Spoiler: Setup when you already have a better wifi-router

Edit: my old nucPC broke down, so currently not using Sophos XG anymore, visit the Sophos community for questions

 

[ryanh]

Nowadays, good practice on the user part is not enough. You need to take proactive actions. Below are some pointers to start boosting the security of your devices.

For Windows machines, you need to harden

1) the OS
2) the System
3) the browser(s)

and that will cover

A) Windows Security
B) Theft/Loss/Unauthorized Access
C) Malware Infection
D) Hacking
E) Data Theft
F) Browser Protection

For Android devices

1) Best is not to carry out any financial transaction over the net with a phone
2) If really need to, get a separate phone with a totally new number ie. not those recycled numbers. Do NOT use this phone for other things besides only for financial transaction. Do NOT install other apps except those needed financial apps.
3) Enable SIM card lock. Note that if the phone don’t use SIM card then it’ll not work. This method is good only when the phone is lost or stolen
4) Do NOT link/expose your phone number to online accounts
5) Secure the phone with a strong password/PIN/fingerprint during start up
6) Using standalone authentication app and MFA with a security key. Do NOT use 2FA sending email and SMS
7) Use a password manager with strong password and 2FA with a security key
8) Don’t reply to calls, emails, or text messages that request personal information to avoid phishing attempts.
9) Embedded SIM (eSIM). In terms of physical device protection though, eSIMs potentially offer a welcome safeguard. After all, for an unsophisticated thief with no way of altering the SIM profile, a smartphone becomes much less of a tempting steal! When it comes to preventing data theft, the arrival of the eSIM actually makes next to no impact. The security weakness isn’t in the format; it’s caused by weak credentials, inadequate checks by the carriers – or a combination of the two.
10) Use a VPN to encrypt your phone services
11) Lock down critical apps

Not using iOS devices so not sure how to secure them. I think more or less the same for android.

Thanks for the detailed suggestions. Follow-up questions:

• What is recommended to harden the operating system and browser?
• What does system cover? Do you mean physical security?
• Why do you suggest not carrying out financial transactions with a phone?
• What alternatives do you recommend if you aren't using a phone?

 

[HarborFront]

Thanks for the detailed suggestions. Follow-up questions:

• What is recommended to harden the operating system and browser?
• What does system cover? Do you mean physical security?
• Why do you suggest not carrying out financial transactions with a phone?
• What alternatives do you recommend if you aren't using a phone?

Can read below to harden OS

Harden Windows Security | Only with official documented methods | Always up to date

Please make sure you read everything (preferably on GitHub because I had to remove so much formatting due to forum rules) so you will understand what each security measure means, why it's there and what to expect. everything is properly documented. also pay attention to the Trust section to see...

malwaretips.com

Hard_Configurator - Windows Hardening Configurator

Yes please give the user always the choice to use SRP (maybe off be default). On my win 11 MS decided to disable SAC. SAC was for me the reason to try 11 at all (so I'm quite disappointed). So if there is no SRP and MS disables SAC for you you got "nothing" otherwise. It is improbable that...

malwaretips.com

Advice Request - Possible ways to harden Windows?

Apart from disabling macros and remote access, what are other ways to harden windows?

malwaretips.com

NVT SysHardener: Harden Windows Settings

@Guilhermesene Thanks for the feedback! You can install this new version over-the-top of the installed version, reboot is not needed. Multilingual for some of our applications is on the todo list. @ItsReallyMe Thanks for the additional useful information. after Sep 15, Forza Horizon 5...

malwaretips.com

Anything not relating to OS/browser hardening can put under System e.g. the use of a VM, use of system-wide software for protection like VPN, AV/AM, Adguard for desktop etc

Using hp for financial transactions is very convenient on-the-go, but very risky as it's not as secure as using the PC/laptop

Use your PC/laptop to carry out financial transactions on the net. I also mentioned the use of a dedicated phone for financial transactions on the net only, if needed.

 

[Back3]

I've been using Windows and IOS for the last ten years. On Windows 11, I have an antivirus ( F-Secure Safe), Firewall Hardening, NextDNS and uBlock Origin for my browsers and make regular backups with Macrium Home.
On IOS, I added NextDNS profile configuration on every device. Everything runs smoothly.

 

[Kongo]

I've been using Windows and IOS for the last ten years. On Windows 11, I have an antivirus ( F-Secure Safe), Firewall Hardening, NextDNS and uBlock Origin for my browsers and make regular backups with Macrium Home.
On IOS, I added NextDNS profile configuration on every device. Everything runs smoothly.

In addition to that you can try Lockdown-Mode on iOS devices if it isn’t too restrictive for you:

About Lockdown Mode - Apple Support

Lockdown Mode helps protect devices against extremely rare and highly sophisticated cyber attacks.

support.apple.com

 

[Kongo]

Here a recent event where Lockdown-Mode actually prevented a Zero-Day Exploit:

Apple’s high security mode blocked NSO spyware, researchers say

 

[TuxTalk]

on iOS just leave as it, every app installed runs in his own environment ( sandbox ) no need to worry.
For Windows just use a recommended Antivirus with Firewall.