Serious Discussion If you had ONE afternoon to “harden” a non-tech relative’s PC, what would you install (if anything)?

[SpiderWeb]

I stand at my take that uBlock Origin is actually a browser level firewall and the most effective malware prevention you can install on a non tech savvy computer. Without the ability to click on malware, bait ads and links, the chance for the relative to install malware drops to near zero after enabling the right lists. Add Bitdefender Traffic Light for phishing links and it should be enough. No alerts, no slow downs. I think Windows Defender is equal or better to the free solutions now and future updates will only make it better. I recommend avoiding free solutions because they often require setting up an account creating an unnecessary risk vector for someone non tech savvy who would probably reuse passwords.

 

[R3j3ct]

Honestly if a non-tech relative came to me i would push linux mint on them! 99% of the time they are only browsing or checking email or youtube anyways, show them the Software Manager, set firefox up with ublock origin, turn on firewall, show them keepassXC, install clamav for them to have a piece of mind & done..Got to think it's probably a older machine so a linux Xfce distro would bring it back to life!

 

[Divine_Barakah]

The best thing that flawlessly worked on family devices was Avast with Hardened Mode enabled. I am not sure it that feature still exixts though.


Update:

In Avast Knowledge Base 24/06/2025 I can still see Hrdened Mode present in settings

Adjusting settings for Avast Antivirus Core Shields | Official Avast Support

Instructions to adjust settings for Core Shields in Avast Antivirus on Windows.

support.avast.com

 

[simmerskool]

I voted depends on the person, some people are incorrigible, and their computer has to be "locked down" like an ATM or they drive you crazy. Been there, done that.

 

[Divine_Barakah]

I voted depends on the person, some people are incorrigible, and their computer has to be "locked down" like an ATM or they drive you crazy. Been there, done that.

The problem is sometimes family members try to fix issues or install new applications on their own. The first thing they do is look something up in Google and they might end up downloading a craked one or simply a PUP.

 

[Parkinsond]

I voted depends on the person, some people are incorrigible, and their computer has to be "locked down" like an ATM or they drive you crazy. Been there, done that.

It's all about moderation and keeping balance

 

[Divine_Barakah]

It's all about moderation and keeping balance

You cannot keep balance unless you know what you're doing hahahaha

 

[Parkinsond]

You cannot keep balance unless you know what you're doing hahahaha

Cannot agree more.
There is no one-size scheme to fit all users; has to be tailored according the personal use and preferences.

 

[Andy Ful]

@Divergent,

This thread is intended for people who want to "harden" PC's of some relatives. They already know why this can be useful for them and their relatives.
You clearly presented your opinion about hardening. No one wants to change your mind. However, if you have some practical experience in hardening, please share it with us.

 

[Divergent]

@Divergent,

This thread is intended for people who want to "harden" PC's of some relatives. They already know why this can be useful for them and their relatives.
You clearly presented your opinion about hardening. No one wants to change your mind. However, if you have some practical experience in hardening, please share it with us.

Practical hardening for non tech savvy users seems like a contradiction in terms Andy. As I've already shared my opinion and I'm assuming others may or may not have run into the same issues I did when attempting to "harden" one of those users systems. It causes more problems and headaches. So I place reliable recommendations of teaching and stating habits especially since the threat theater presented was based on phishing.

I did not do this to have a pissing contest with you and it is not off topic, it very much drives home the thought that most users do not wish to have their systems "tuned" like the over kill enthusiast threads here. They just want their systems to function as they wish and for their uses. This is average non tech savvy users, not MT members.

What's wrong with recommending in that short amount of time allowed in the thread title to teach them to be informed, have them watch a couple vids to learn. We all know that if you use habits and become informed and use your security as a last line of defense the odds of infection drastically drop. Most MT members are proof of this. So why do you fight that so much, what do you gain.

 

[cartaphilus]

If you had to set up a non-technical relative today (new laptop or phone, fresh install, you get one afternoon to do it), would you pay for a full security suite, or would you stick with built-in protections plus a short “house rules” list?


I’m asking because the threat mix has shifted.


A lot of real-world damage now comes from identity and credential abuse (phishing, session theft, OAuth tricks), not just classic “download an EXE, get a virus.” Verizon’s 2025 DBIR calls out stolen credentials as a dominant theme in common breach patterns, and Microsoft’s 2025 Digital Defense Report also frames identity attacks as a major driver.
ENISA’s 2025 threat landscape also highlights phishing as a leading intrusion vector and points out how often intrusions end up with infostealers, banking trojans, or ransomware.


So, what actually helps a normal person more in 2025: paying for “one box that does everything,” or keeping it simple and relying on the OS and browser?

The case for paying for a suite​

A decent suite can be “one subscription that buys less chaos,” especially for families.


Common upsides:

• Extra layers beyond basic AV: scam protection, web protection, exploit mitigation, ransomware controls, sometimes identity monitoring, parental controls, cloud backup, VPN, password manager. (Example: Norton 360 bundles VPN, parental controls, monitoring features depending on tier.
• Central dashboard: easier for you to manage or at least verify “it’s still running.”
• Some products perform well in independent testing, and suites can also be relatively light on system impact depending on the vendor and configuration.

Counterpoints people raise:

• Bundles can encourage bloat: more prompts, more browser add-ons, more “upsell” noise.
• A suite does not fix weak habits: password reuse, clicking everything, approving prompts, giving away one-time codes.
• The suite is only as good as updates and the user not disabling it.

The case for built-in protections plus a few rules​

This approach assumes: “keep the platform current, reduce attack surface, and teach 6 rules.”


Why it works for many home users:

• Windows 11 includes Microsoft Defender Antivirus and SmartScreen-style protections, updated continuously.
• macOS has built-in protections like XProtect and Gatekeeper.
• Android has Google Play Protect scanning and related protections.
• In independent lab testing, built-in tools like Microsoft Defender can score competitively, depending on the test period and scenario
• A reputable password manager plus MFA/passkeys often reduces real risk more than adding a second “virus scanner,” because stolen credentials keep showing up as a primary problem.

Counterpoints:

• Built-in is not always “idiot proof,” especially if the user ignores warnings.
• Some people benefit from stronger web filtering, safer banking modes, parental controls, or a tighter “support model” that a suite provides.

The real question​

If you only get ONE chance to set it up correctly, what is the most resilient setup against:

• Credential theft and phishing
• Malicious downloads and fake updates
• Scam calls/texts and QR scams
• “I clicked it because it looked urgent” behavior

I refuse to feed the LLM answers to the questions.

 

[Bot]

I refuse the fees the LLM answers to the questions.

Understood — if you refuse paying subscription fees, the most practical “family-proof” setup is built-in OS protections + browser hardening + account/privilege control + backups. That combination usually beats “install random free AV and hope.”

Windows (no paid suite) – my go-to hardening checklist

• Use a Standard (non-admin) daily account. Keep an admin account separate for installs/maintenance. This single change prevents a lot of “oops I installed a cracked thing” becoming a full system compromise.
• Windows Security (Microsoft Defender):
  • Turn on Tamper Protection
  • Enable PUA/PUP blocking (Potentially Unwanted App blocking)
  • Keep Cloud-delivered protection + Automatic sample submission enabled (they help with new threats)
• SmartScreen / reputation warnings: Don’t disable them. They’re annoying by design, but they stop a lot of “fake installer” nonsense.
• Ransomware protection: Consider enabling Controlled folder access if you can tolerate the occasional “allow this app” prompt (it’s optional, but valuable for relatives who might click anything).
• Automatic updates: Leave Windows Update on, and update browsers automatically. Most drive-by compromises target outdated software.

Browser layer (where most home-user risk lives)

• uBlock Origin: It’s not a full “firewall” in the network sense, but it is a strong risk reducer because it blocks malicious ads, scam domains, and a lot of social-engineering bait before a click happens.
• Disable browser notification prompts (or set to “Block”). Scam sites abuse notifications heavily.
• Lock extensions down: only uBO (and maybe 1–2 essentials). No “PDF converters,” “coupon finders,” etc.
• Optional DNS filtering without accounts: Use a reputable resolver like Quad9 at the router/device level for basic malicious-domain blocking. This avoids “create an account” services if that’s a concern.

Credentials & phishing resistance (the part AV can’t fix)

• Password manager (KeePassXC is fine) + unique passwords.
• MFA where possible, and prefer passkeys when offered (reduces classic phishing success).
• House rule: “No passwords or one-time codes to anyone, ever — even if they claim to be bank/Microsoft/family.”

Backups (the real last line of defense)

• Set up automatic backups (external drive + File History, or cloud if they already use it).
• Make sure at least one backup is not always plugged in (protects against ransomware encrypting the backup too).

About “free AV suites” and accounts
Your concern is valid: many “free” products push accounts, upsells, extra modules, and user prompts. For a non-tech relative, that can become more risk and more confusion, not less. If you keep the system as above, you typically don’t need an additional free suite.

Next step
If you tell me Windows 10 vs 11 and what the relative mainly does (email provider, banking, downloads/games or not), I can suggest the tightest “minimal prompt, minimal maintenance” configuration.

 

[cartaphilus]

Hardening a non-tech relative’s computer can be a good idea if done correctly. I have hardened many such computers.
Here are some general thoughts:

1. The hardened system should produce only a small number of alerts/blocks (probably one or fewer per month).
2. The person who applies the hardening must be prepared to solve the problems within one day.
3. There should be a simple way to quickly unharden the system.
4. The hardening tools should allow the use of the event logs. Without knowing the blocked events, it is often hard to identify problems.

From the above, it follows that for many users, the hardening can be a waste of time. However, it can still be useful for many non-tech users.
The users who want to install anything possible, visit any website, play any game, share files with anyone, etc., will feel the hardening as useless and irritating.
People who prefer using the Windows built-in features and apps from the Microsoft Store can take full advantage of proper (even very restrictive) hardening.

In most cases, the initial hardening should focus on the Web browser (including file/website reputation).
In many cases, it is also possible to restrict scripting, firewall, some services, and a few Windows features.
In the case of Home Administrator (full control of machines), the application control can be considered.

At what point do you say Fck it and install Ubuntu with a windows skin and WINE like emulator for the stubborn apps that require windows? Back in the day Linux could do everything besides games. Now with steam *cough* steaming ahead with games on Linux vis a proton wrapper the only games that don't work are the ones requiring ring-0 access which in my own personal OPINION NO GAME SHOULD HAVE RING-0 ACCESS !


I switched my parents over to Ubuntu about 15 years ago and then gave them Chromebooks for everything else. Haven't heard about any malware infection since then.

All is piped through a 3rd party DNS filter and ublock

 

[Andy Ful]

I switched my parents over to Ubuntu about 15 years ago and then gave them Chromebooks for everything else. Haven't heard about any malware infection since then.

All is piped through a 3rd party DNS filter and ublock

If one can live with Linux or Chromebook, this can be a very secure solution.

 

[Andy Ful]

What's wrong with recommending in that shirt amount of time allowed in the thread title to teach them to be informed, have them watch a couple vids to learn. We all know that if you use habits and become informed and use your security as a last line of defense the odds of infection drastically drop. Most MT members are proof of this. So why do you fight that so much, what do you gain.

I must recall my words: "Both hardening and teaching/informing are required, although with different proportions for different users."
I am not sure how you managed to misinterpret it so much.

 

[Divergent]

If one can live with Linux or Chromebook, this can be a very secure solution.

How do either of these stop phishing I have a Chromebook and can bet if I click on the wrong thing and input my data I'm not going to be safe.

 

[Andy Ful]

How do either of these stop phishing I have a Chromebook and can bet if I click on the wrong thing and input my data I'm not going to be safe.

Yes. Phishing can still be a problem. One can harden Chrome and teach/inform relatives to increase the security level.
Teaching/informing can be easier due to a far smaller attack surface of Chromebooks. Most hardening is already done in Chromebooks on the system level.
Some problems can be expected when using old Chromebooks unsupported by Google (no system updates), due to possible exploits.

 

[Zero Knowledge]

I forgot I would also sign them up to haveibeenpwned.com for email breach notifications, I think it's a important and easy to do step.

Phishing is a tricky one, education is the key but there are some very good phishing emails that even I nearly fall for. Yubikeys are a bit much for family or novice users.

Agree with offering people a choice of free vs paid, these days AV licenses can be had for cheap you just have to make sure expensive renewals are avoided.

 

[Divine_Barakah]

I forgot I would also sign them up to haveibeenpwned.com for email breach notifications, I think it's a important and easy to do step.

Phishing is a tricky one, education is the key but there are some very good phishing emails that even I nearly fall for. Yubikeys are a bit much for family or novice users.

Agree with offering people a choice of free vs paid, these days AV licenses can be had for cheap you just have to make sure expensive renewals are avoided.

I would not care if my password or email gets pwned as long as I have 2FA enabled.

Anway, each service has its own masked email (Fastmail). I never reuse the same email alias twice. I have 2FA enabled in every service I use. And I do periodic password change.

 

[Zero Knowledge]

Family members or novice users can't handle secure 2FA or MFA, only SMS which is insecure in the first place. But it's better than nothing I guess.