Serious Discussion If you had ONE afternoon to “harden” a non-tech relative’s PC, what would you install (if anything)?

[Bot]

If you had to set up a non-technical relative today (new laptop or phone, fresh install, you get one afternoon to do it), would you pay for a full security suite, or would you stick with built-in protections plus a short “house rules” list?


I’m asking because the threat mix has shifted.


A lot of real-world damage now comes from identity and credential abuse (phishing, session theft, OAuth tricks), not just classic “download an EXE, get a virus.” Verizon’s 2025 DBIR calls out stolen credentials as a dominant theme in common breach patterns, and Microsoft’s 2025 Digital Defense Report also frames identity attacks as a major driver.
ENISA’s 2025 threat landscape also highlights phishing as a leading intrusion vector and points out how often intrusions end up with infostealers, banking trojans, or ransomware.


So, what actually helps a normal person more in 2025: paying for “one box that does everything,” or keeping it simple and relying on the OS and browser?

The case for paying for a suite​

A decent suite can be “one subscription that buys less chaos,” especially for families.


Common upsides:

• Extra layers beyond basic AV: scam protection, web protection, exploit mitigation, ransomware controls, sometimes identity monitoring, parental controls, cloud backup, VPN, password manager. (Example: Norton 360 bundles VPN, parental controls, monitoring features depending on tier.
• Central dashboard: easier for you to manage or at least verify “it’s still running.”
• Some products perform well in independent testing, and suites can also be relatively light on system impact depending on the vendor and configuration.

Counterpoints people raise:

• Bundles can encourage bloat: more prompts, more browser add-ons, more “upsell” noise.
• A suite does not fix weak habits: password reuse, clicking everything, approving prompts, giving away one-time codes.
• The suite is only as good as updates and the user not disabling it.

The case for built-in protections plus a few rules​

This approach assumes: “keep the platform current, reduce attack surface, and teach 6 rules.”


Why it works for many home users:

• Windows 11 includes Microsoft Defender Antivirus and SmartScreen-style protections, updated continuously.
• macOS has built-in protections like XProtect and Gatekeeper.
• Android has Google Play Protect scanning and related protections.
• In independent lab testing, built-in tools like Microsoft Defender can score competitively, depending on the test period and scenario
• A reputable password manager plus MFA/passkeys often reduces real risk more than adding a second “virus scanner,” because stolen credentials keep showing up as a primary problem.

Counterpoints:

• Built-in is not always “idiot proof,” especially if the user ignores warnings.
• Some people benefit from stronger web filtering, safer banking modes, parental controls, or a tighter “support model” that a suite provides.

The real question​

If you only get ONE chance to set it up correctly, what is the most resilient setup against:

• Credential theft and phishing
• Malicious downloads and fake updates
• Scam calls/texts and QR scams
• “I clicked it because it looked urgent” behavior

 

[monkeylove]

Avast Premium or similar, which you can get for $3 or so (one year/device) in some online stores (just buy from sellers with the highest ratings), and then set it in game mode or similar.

 

[Parkinsond]

WHHL

 

[Zero Knowledge]

First free WD +Andy Ful's Firewall Hardening and set Configure defender to high or cheapest license you can get of the big boys who always do well on tests.

Would also install an Adblocker of what ever kind you prefer. That's about it, not much more is needed these days for normal casual users, just hope and pray !

 

[Sampei.Nihira]

For a non-technical relative, you need to leave what they use and therefore know how to manage and harden every area of the PC with an install-and-forget configuration.

The account used needs to be evaluated.
It will almost certainly be necessary to change the DNS at the system level and in the browsers used.

If they use WD, I would proceed to add the most at-risk software used by the relative to the WD-Anti-Exploit list + harden it with HC.

As usual, then proceed to harden the browser used.

P.S.

I voted:

Other

Obviously, it is not possible to enter the exact setup.

 

[TairikuOkami]

Nothing, because you basically give them a lifetime customer support for free. Never again.
The more security you use, the less convenient it gets and you will have to be on call 24/7.

I would maybe update everything and set up a safe, but non-filtering DNS, like Quad9.

 

[Andy Ful]

Hardening a non-tech relative’s computer can be a good idea if done correctly. I have hardened many such computers.
Here are some general thoughts:

1. The hardened system should produce only a small number of alerts/blocks (probably one or fewer per month).
2. The person who applies the hardening must be prepared to solve the problems within one day.
3. There should be a simple way to quickly unharden the system.
4. The hardening tools should allow the use of the event logs. Without knowing the blocked events, it is often hard to identify problems.

From the above, it follows that for many users, the hardening can be a waste of time. However, it can still be useful for many non-tech users.
The users who want to install anything possible, visit any website, play any game, share files with anyone, etc., will feel the hardening as useless and irritating.
People who prefer using the Windows built-in features and apps from the Microsoft Store can take full advantage of proper (even very restrictive) hardening.

In most cases, the initial hardening should focus on the Web browser (including file/website reputation).
In many cases, it is also possible to restrict scripting, firewall, some services, and a few Windows features.
In the case of Home Administrator (full control of machines), the application control can be considered.

 

[LinuxFan58]

Not an afternoon, just 30 minutes max: Hard Configurator with Avast profile and Avast free. Would probably also added two browser profiles one with hardened Chrome website permissions and AdGuard and one for banking/shopping with Avira browser guard and all website permissions on default. I would also add Quad9 as DOH and add two different themes to get visual feedback in what browsing mode they are using.

The benefits of providing two browsing profiles is that ordinary users are made aware of the importance of safe hex habits (and it also helps to show the male family members that Avira extensions blocks most phishing websites and AdGuard blocks annoyances on adult websites, so that it makes sense to use 2 different profiles). I also add the paywall filter in AdGuard which unlocks some popular Dutch female magazines.

I have done this often and as far as I can recall never needed to give support afterwards. I think the clue is to provide benefits using surfing mode for casual browsing to most family members helps to create awareness of safehex habits.

 

[Dave Russo]

I would recommend cyberlock with Defender Ui

 

[Divergent]

Those scenarios always crack me up because it always leads to biased "what's your favorite toy" here.

If phishing is the main issue now days none of these suggestions will keep the user/family members safe. They need to be informed and taught habits in order to survive this landscape. You can place that favorite toy in as a last line of defense but it will not stop them from losing information, credit cards, bank accounts unless you teach them.

So if I had an afternoon, I would probably find a few videos on what to watch for and how to be informed, sit and watch them with them and help explain why through out.

 

[Andy Ful]

If phishing is the main issue now days none of these suggestions will keep the user/family members safe.

Nothing in this thread contradicts the benefits of learning and developing safe habits. This can be good advice for security-oriented users, like MT members. It can also be a good solution for your relatives, if you are a good teacher and they have motivation + enough time.
However, teaching and informing can be effective after some months (or years) and not for all users. Even years of teaching do not guarantee sufficient knowledge for many people. A good example is teaching mathematics in schools.

Phishing is not the main issue nowadays.

https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=36

This is also a good example of why teaching can be only one of several factors required to increase security. For most users, it is impossible to stay up to date with new attack vectors (like ClickFix). On the contrary, almost all ClickFix attacks could be easily prevented by simple hardening (known for several years).

 

[Divergent]

Nothing in this thread contradicts the benefits of learning and developing safe habits. This can be good advice for security-oriented users, like MT members. It can also be a good solution for your relatives, if you are a good teacher and they have motivation + enough time.
However, teaching and informing can be effective after some months (or years) and not for all users. Even years of teaching do not guarantee sufficient knowledge for many people. A good example is teaching mathematics in schools.

Phishing is not the main issue nowadays.

https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=36

View attachment 294014

This is also a good example of why teaching can be only one of several factors required to increase security. For most users, it is impossible to stay up to date with new attack vectors (like ClickFix). On the contrary, almost all ClickFix attacks could be easily prevented by simple hardening (known for several years).

Yes nice, but where in your graph does it state any of these software solutions will protect a user from phishing or exposing critical information from lack of being informed. I'm just curious as to how you feel any software solutions will save a user from themselves when the issue is mostly internet related and not so much device.

 

[Miravi]

If a person isn't tech savvy, a really secure setup risks putting up barriers that they don't understand. On the other hand, if you leave them with an unobtrusive setup, they may not be well protected from every kind of danger. There's only so much you can do.

In this position, I might just leave a cheap, reliable set-and-forget antivirus like Avast, an adblocker setup, and somewhat hardened Windows settings/services.

 

[Andy Ful]

Yes nice, but where in your graph does it state any of these software solutions will protect a user from phishing or exposing critical information from lack of being informed. I'm just curious as to how you feel any software solutions will save a user from themselves when the issue is mostly internet related and not so much device.

No solution can protect users all the time and against all possible threats.
Both hardening and teaching/informing are required, although with different proportions for different users.
As I have already written in one of my posts: "In most cases, the initial hardening should focus on the Web browser (including file/website reputation)." This also includes anti-phishing and protecting critical information (Website reputation, Ad blockers, secure DNS, Password Managers, Multi-Factor Authentication, etc.).

 

[Divergent]

No solution can protect users all the time and against all possible threats.
Both hardening and teaching/informing are required, although with different proportions for different users.
As I have already written in one of my posts: "In most cases, the initial hardening should focus on the Web browser (including file/website reputation)." This also includes anti-phishing and protecting critical information (Website reputation, Ad blockers, secure DNS, Password Managers, Multi-Factor Authentication, etc.).

This is also nice but if you feel it's impossible to teach users that do not wish to learn habits, wait until you lock their devices down where they can not function as they wish. Informed and habits is the only viable solution and then it's on the user as to how they utilize this with their desires of use. You can lead the horse so to say.

Most users would complain your version is too complicated. I'm speaking real world here not MT members.

 

[Antimalware18]

When i was cleaning infected computers around my home town as a side gig, I offered clients a free setup and a paid setup, it depending on each individual person, their browsing habits and if they were willing or able to pay for a security suite. I explained to them the pro's of con's of both. I treat my family the same way now, most started off free and then slowly moved to paid (AVG free to Paid for my dad and brother) they were hooked by the ad's in the interface.

 

[Divergent]

When i was cleaning infected computers around my home town as a side gig, I offered clients a free setup and a paid setup, it depending on each individual person, their browsing habits and if they were willing or able to pay for a security suite. I explained to them the pro's of con's of both. I treat my family the same way now, most started off free and then slowly moved to paid (AVG free to Paid for my dad and brother) they were hooked by the ad's in the interface.

I did the same thing for a long time and ran into the same conclusion most of the time. Most users in these small towns are not interested in security that "limits" what they can do or needs to be monitored ECT. They just want to use their systems and if they got hit, please clean it and I will be in my way was most likely the case.

Now days there are very few that actually end up infected, but a while lot of them getting hit with phishing/scams. Even the users I placed full security suites and as blockers with password managers were getting nailed by these. Had one gentleman talked into uninstalling his security and allowing "Microsoft" into his system via a phone call.

I'm sure you have seen these cases as well. No amount of security will help theses folks, if they stay unaware and uninformed.

 

[Antimalware18]

I did the same thing for a long time and ran into the same conclusion most of the time. Most users in these small towns are not interested in security that "limits" what they can do or needs to be monitored ECT. They just want to use their systems and if they got hit, please clean it and I will be in my way was most likely the case.

Now days there are very few that actually end up infected, but a while lot of them getting hit with phishing/scams. Even the users I placed full security suites and as blockers with password managers were getting nailed by these. Had one gentleman talked into uninstalling his security and allowing "Microsoft" into his system via a phone call.

I'm sure you have seen these cases as well. No amount of security will help theses folks, if they stay unaware and uninformed.

This was the case most of the time. I had a client i setup with a free setup and then put on K9 web protection because of its very configurable block lists (is K9 still around or good) and I password protected it for them (because they had grandchildren that were click happy and at the age where Pron was a issue) I specifically told them do not give out the password, I get called back in less than a month with another infection....the reason being? they gave out the password to the grandchildren.

 

[Andy Ful]

This is also nice but if you feel it's impossible to teach users that do not wish to learn habits, wait until you lock their devices down where they can not function as they wish.

A proper hardening is not locking the devices. It depends on restricting some features while allowing daily work.
Did you read my post (points 1-4)?

Serious Discussion Post in thread 'If you had ONE afternoon to “harden” a non-tech relative’s PC, what would you install (if anything)?'

Dec 26, 2025

Hardening a non-tech relative’s computer can be a good idea if done correctly. I have hardened many such computers.
Here are some general thoughts:

1. The hardened system should produce only a small number of alerts/blocks (probably one or fewer per month).
2. The person who applies the hardening must be prepared to solve the problems within one day.
3. There should be a simple way to quickly unharden the system.
4. The hardening tools should allow the use of the event logs. Without knowing the blocked events, it is often hard to identify problems.

From the above, it follows that...

• Andy Ful

• 
• 
• 

Most users would complain your version is too complicated.

Neither hardening nor teaching/informing is simple. However, it is more effective to use both.
Most users do not use hardening, do not learn about cybersecurity, and do not develop safe habits.
You and I are not the voices of most users. Hardening (and this thread) is not for most users.

 

[Divergent]

You and I are not the voices of most users. Hardening (and this thread) is not for most users.

Maybe you should read the title again.