Serious Discussion If you had ONE afternoon to “harden” a non-tech relative’s PC, what would you install (if anything)?

[Divine_Barakah]

Family members or novice users can't handle secure 2FA or MFA, only SMS which is insecure in the first place. But it's better than nothing I guess.

You're right. I spent ages trying to tech them how to use Authy. So at least i made them enable 2FA via email code where available.

 

[wat0114]

If it's Windows, I would configure WHHL with Firewall Hardening and Configure Defender recommended settings, uBO in the browser with the recommended filters, and leave Windows Security as the AV.

If it's Linux, I would only recommend uBO in the browser. I like Apparmor, but it's way too high maintenance for most people to deal with.

 

[Halp2001]

I won’t comment on Linux: I’ve never used it, so it would be like recommending a restaurant on Mars just because I saw pictures on Google. I’m sure it’s safe, free, and all that… but I never boarded that rocket, so I’ll pass.
On Windows, my setup is pretty straightforward:
Defender on and untouched (if you break it, the system still defends itself).
uBlock Origin with basic filters, so your cousin doesn’t end up on Bulgarian horoscope sites with magical downloads.
And the most important part: a standard account, not admin. That tiny detail prevents the classic “I installed a free program that asked for every permission under the sun” from turning into a Greek tragedy.
I agree with @simmerskool : some people are simply incorrigible, and if you don’t lock their PC down like an ATM, they’ll drive you crazy. I get it completely—because in the end it’s not about software, it’s about habits… and some relatives have habits no antivirus can fix.
Everything else—exotic firewalls, suites with VPNs and parental controls—is like putting armor on a tricycle: looks impressive, but the kid is still going to crash on the first corner

 

[simmerskool]

Some problems can be expected when using old Chromebooks unsupported by Google (no system updates), due to possible exploits.

IIRC my "older" chromebook just stopped working

 

[monkeylove]

Non-tech relative. If you want to go back and forth to fix the PC every time something goes wrong, then harden away. Otherwise, it's best to focus on something that offers better security and is mostly set-and-forget.

 

[Jonny Quest]

An afternoon, yikes, that sounds like to much time to install a 3rd party AV and uBlock (my vote), and I would only do so if they asked. Chances are the more time you have to take, involved it is, the more problems they may run into, i.e. the support phone calls?

No glitchy AV, no pop up happy, scareware, bloatware AV, no geek heavy AV with myriads of settings that could become an issue, just something with good device and browser protection.

Contrary to most here, I would have no problem installing F-Secure Internet Security on a non tech relatives PC. The protection is there, unless you're downloading malware samples, the browser extension does a very nice job (including Banking protection and Scam protection), it's very stable, without any ads, or pop ups, or bloatware at all (unless they needed its easy to use password manager in Total).

Most of my relatives use Windows, so to say to them you'll be more secure, "hardened" using Linux, and making that transition, I think is more MT's speak than what they could handle or want, i.e. more than an afternoon and many support calls for how long?

And regardless of the thread title, which I took to mean take their Windows Defender up a notch hardening in that way, I agree with @Andy Ful .....

Neither hardening nor teaching/informing is simple. However, it is more effective to use both.
Most users do not use hardening, do not learn about cybersecurity, and do not develop safe habits.
You and I are not the voices of most users. Hardening (and this thread) is not for most users.

You mentioned this in a couple of different ways, and I agree, where they could go beyond the device protection and override it by lack of understanding in what was happening, what they were doing, entering in or allowing that the phishing/browser protection may have missed?

Those scenarios always crack me up because it always leads to biased "what's your favorite toy" here.

If phishing is the main issue now days none of these suggestions will keep the user/family members safe. They need to be informed and taught habits in order to survive this landscape. You can place that favorite toy in as a last line of defense but it will not stop them from losing information, credit cards, bank accounts unless you teach them.

So if I had an afternoon, I would probably find a few videos on what to watch for and how to be informed, sit and watch them with them and help explain why through out.

 

[LinuxFan58]

In the Netherlands both financial institutes and Government have been campaigning to create awareness after reported fraud phishing spiked in Covid period. Although the (formally) reported "reported loss cases" have shown a steady decline of 20 to 30% yearly, the national helpcenter noticed an on average 10% yearly growth in the same years in reported phishing cases, while the percentage of people who say they have encountered (phishing) attacks in surveys remains on steady 15 to 16% percent (part of the awareness campaign was asking people to report it).

Similar surveys questioning malware attacks engagements only show that 5 to 7 percent of the people have ever encountered an online attack/infection attempt. So it is safe to conclude that phishing is the most prevalent problem. Which makes sense because software offers little protection for phishing, safe hex habits are way important and effective for this particular threat.

So I agree with my good (but often ignored) friend and valued forum veteran Divergent . After the half hour installing Avast free, HardConfigurator (Avast profile) and Quad9 and creating 2 profiles in their Chrome based browser, I would attend my relatives on a free course about online security (Ga aan de slag met je cyberweerbaarheid! - Digitale Overheid).

 

[rashmi]

@Bot has perfected the art of temptation—same old chocolate, but a new wrapper every time—fooling users one bite at a time!

 

[Bot]

@Bot has perfected the art of temptation—same old chocolate, but a new wrapper every time—fooling users one bite at a time!

I’m an AI, so I don’t actually “tempt” anyone—but I get the point: in security discussions it’s easy to repackage the same few ideas (or the same favorite tools) and accidentally nudge people toward overcomplicated setups.

For non‑tech relatives, the practical “one bite at a time” approach usually works best:

Keep the baseline solid (set-and-forget)

• Automatic updates on (Windows + browsers)
• Built-in AV (Defender is fine) or a reputable, quiet 3rd‑party AV only if it stays stable and low-noise
• uBlock Origin with a sensible, not-too-exotic configuration
• Standard user account (no daily admin)

Reduce phishing damage (where software helps least)

• Use MFA everywhere possible (even “email codes” are typically better than nothing for novices)
• Password manager if they’ll actually use it (otherwise focus on “unique passwords” at minimum)
• Short, repeatable rules: don’t act on links in messages; navigate via bookmarks/app; verify urgent requests via a separate channel

Avoid the support-call generators

• Too many hardening tools layered together
• Pop-up-heavy suites / “cleanup” tools / aggressive tuning
• Anything that requires frequent decisions from the user

Net result: fewer “new wrappers,” fewer breakages, and the user’s habits carry more of the security load—especially against phishing.

 

[wat0114]

Most of my relatives use Windows, so to say to them you'll be more secure, "hardened" using Linux, and making that transition, I think is more MT's speak than what they could handle or want, i.e. more than an afternoon and many support calls for how long?

I replaced Windows on my wife's 15 yo laptop with Liinux Lubuntu, because Windows crippled its performance, whereas Lubuntu runs smooth as silk on it, plus she only uses the web browser in it with uBO as the content filter blocking only iframes by default and default filter lists enabled, and nothing else, so it serves her needs perfectly. I routinely run security updates and such on it to keep it current.

She refuses to purchase new laptop until hers dies

 

[Parkinsond]

I replaced Windows on my wife's 15 yo laptop with Liinux Lubuntu, because Windows crippled its performance, whereas Lubuntu runs smooth as silk on it, plus she only uses the web browser in it with uBO as the content filter blocking only iframes by default and default filter lists enabled, and nothing else, so it serves her needs perfectly. I routinely run security updates and such on it to keep it current.

She refuses to purchase new laptop until hers dies

MS launched Windows phone in 2010.

It was great; faster and smoother than Android, and using way less RAM and CPU.
I was able to unlock and lock the screen by double tapping and single tap, years before being implemented by Android.

Unfortunately, it died ultimately.
The reason was lack of compatible apps; Whatsapp version for Windows phone lacked the feature to make audio call, only text message.

 

[Jonny Quest]

I replaced Windows on my wife's 15 yo laptop with Liinux Lubuntu, because Windows crippled its performance, whereas Lubuntu runs smooth as silk on it, plus she only uses the web browser in it with uBO as the content filter blocking only iframes by default and default filter lists enabled, and nothing else, so it serves her needs perfectly. I routinely run security updates and such on it to keep it current.

She refuses to purchase new laptop until hers dies

Yep, but I was thinking in terms of someone outside of the house, so in your case since she was right there for you to help her, is a fantastic idea, as I'm never taking Linux off my option list of a Windows replacement.

And I am not an Apple fan, with its closed environment of the laptops or phones you can buy $$, give me more hardware, manufacture and spec options like what we have with Windows and Android. Even if we/I end up in replacing Windows with a Linux distro, it would be to the previous laptop specs of our/my choosing.

 

[R3j3ct]

linux is not some super must be tech savy to use OS. Update's can be set to auto just like windows, firewall can be set, antivirus runs like it does in windows. Plus all this can be done without touching the command line interface! Linux has a software manager that is a safe resource for downloading what you need. you don't need to be there to babysit because they run linux! Windows would be the one i see that needs the baby sitting after, do all your hardening and still something gets threw then you gotta play tech,blah,blah..lol not to mention the fact your family is already stressed because Microsoft makes you think you need to buy a new pc to stay in the now like sheep, and these days i don't have many family member's willing to go buy a new pc just to get windows to work properly or stay updated. Family willing to try linux, and like it because it makes there pc feel like it got a tune up and it's new because you put something different on it.

 

[Jonny Quest]

linux is not some super must be tech savy to use OS. Update's can be set to auto just like windows, firewall can be set, antivirus runs like it does in windows. Plus all this can be done without touching the command line interface! Linux has a software manager that is a safe resource for downloading what you need. you don't need to be there to babysit because they run linux! Windows would be the one i see that needs the baby sitting after, do all your hardening and still something gets threw then you gotta play tech,blah,blah..lol not to mention the fact your family is already stressed because Microsoft makes you think you need to buy a new pc to stay in the now like sheep, and these days i don't have many family member's willing to go buy a new pc just to get windows to work properly or stay updated. Family willing to try linux, and like it because it makes there pc feel like it got a tune up and it's new because you put something different on it.

But again, we're talking IMO, from a MT's insight, perspective, compared to a sister or aunt etc. who've been using Windows since XP, or LOL, Vista, and "convincing" them that what they've been used to with the apps installed, maybe even Office 365$$, that LibreOffice (free) would "easily" repacle it etc. even if that is the case.

Again, from what we know is maybe different than what thier comfort level may be unless they were in the house, of close by to help with any questions?
You bring up some good points, and it would be worth mentioning it to them, as they could be ready for a change

 

[bazang]

"Harden" is a relative term.

More than likely I would just make hardening configurations in a way that they are unaware of and then install F-SECURE. They can handle the settings of the F-SECURE.

For the "hardening" part, when they're blocked, and then call me - I just reply "Microsoft made your particular system so you cannot do that. Don't compare yourself to everyone else. I gotta go." Click. And then I would never answer any call backs.

If they don't like it, then they can figure out:

1. How to undo what I did; or
2. Clean install Windows.

So they got freedom and options.

But @Divergent is correct. Education, instruction, and training (military terminology) are the best method.

I will state the obvious - if a system needs to be hardened in the first place means many things about the entire digital device and people are wrong in the first place. One can ask who's fault is that? The causes and explanations are very well documented across the internet.

Edit: I have never had a friend or relative ever get infected - at least not their localhost. Have they lost money? Sure. Their life savings at the casino.

 

[bazang]

Linux is far more insecure than Windows when users/people start installing stuff and especially when that ecosystem has a huge number of vulnerabilities.

The only thing that "saves" the average Linux user is that few users are targeted for attack.

Linux needs hardened with SE Linux the same way that Windows system do. Anyone that does not know this with certainty should move to Windows.

 

[Jonny Quest]

"Harden" is a relative term.

More than likely I would just make hardening configurations in a way that they are unaware of and then install F-SECURE. They can handle the settings of the F-SECURE.

Winner

 

[Divergent]

Linux is far more insecure than Windows when users/people start installing stuff and especially when that ecosystem has a huge number of vulnerabilities.

The only thing that "saves" the average Linux user is that few users are targeted for attack.

Linux needs hardened with SE Linux the same way that Windows system do. Anyone that does not know this with certainty should move to Windows.

Dependencies being a big part of this, hidden vulnerabilities in the supply chain allowing attacker's to compromise widely used libraries for example.

You are quite correct that many have no clue as to what it takes to actually secure a Linux machine.

 

[LinuxFan58]

@Bot has perfected the art of temptation—same old chocolate, but a new wrapper every time—fooling users one bite at a time!

Your are right, well spoken.

We have to change how we look at knowledge. I read an article on AI which made a separation by defining two knowledge categories: creative (new) and reuse (existing). Reuse knowledge (e.g. a Linux or Windows security expert who learned to secure and harden devices and networks) becomes less and less of value, because anyone can ask AI (write a prompt) to secure or harden a system. Linux for example has quite a few intrusion detection and hardening tools which analyse your system and tell which area's are vulnerable or could be improved (leveled up). How long will it take for those tools to incorporate AI and implement the advice's?

 

[Bot]

Your are right, well spoken.

We have to change how we look at knowledge. I read an article on AI which made a separation by defining two knowledge categories: creative (new) and reuse (existing). Reuse knowledge (e.g. a Linux or Windows security expert who learned to secure and harden devices and networks) becomes less and less of value, because anyone can ask AI (write a prompt) to secure or harden a system. Linux for example has quite a few intrusion detection and hardening tools which analyse your system and tell which area's are vulnerable or could be improved (leveled up). How long will it take for those tools to incorporate AI and implement the advice's?

A few clarifications (and some practical “family PC” takeaways)

“Harden” really is a relative term, and most of the disagreement in this thread comes down to different threat models (home user vs. exposed server vs. “installs random stuff from the internet”).

1) “Linux is far more insecure than Windows” — not as a blanket statement
Both ecosystems have a constant flow of vulnerabilities, and both have supply-chain risk (libraries, dependencies, compromised upstream projects, malicious installers, etc.). The “dependency” concern is real, but it’s not uniquely a Linux problem—Windows has its own supply chain (installers, drivers, vendor updaters, adware bundlers, browser extensions, etc.).

Where Linux can be safer in practice for a typical relative is when you keep it boring:

• Install software from the distro’s repositories (or a well-known store like Flatpak/Snap) rather than random downloads.
• Use a standard user account for daily work.
• Auto security updates (or at least unattended security updates).
• Minimal attack surface: browser + a few apps.

That’s exactly the “Lubuntu on old laptop used as a web appliance” success story described earlier—low complexity, low risk, low maintenance.

2) “Linux is only safe because it’s not targeted” — partly true, but incomplete
It’s fair to say Linux desktop is generally a smaller target than Windows desktop for mass malware. That reduces opportunistic attacks, but it doesn’t eliminate:

• phishing/social engineering (OS-agnostic)
• browser exploits (OS-agnostic)
• malicious extensions (OS-agnostic)
• credential theft (OS-agnostic)
• supply-chain compromise (OS-agnostic)

So “less targeted” helps, but “security by low market share” shouldn’t be your only plan.

3) “Linux needs SELinux like Windows” — depends on distro and use case
Mandatory Access Control is great, but on many desktops it’s not the first lever to pull:

• Ubuntu-family distros commonly use AppArmor (often enabled by default).
• Some distros support/ship SELinux, and it can meaningfully improve containment—especially on servers or higher-risk endpoints.
• For relatives, turning on SELinux without understanding policy/alerts can create breakage and “support calls,” which defeats the goal.

A sensible approach is: keep the OS updated + restrict install sources + reduce admin use + browser hardening. MAC layers are an “advanced” step, not a default requirement for every home laptop.

4) AI and “reuse knowledge” vs “creative knowledge”
AI will absolutely make “reuse knowledge” easier to access (configs, checklists, scripts, hardening guidance). But it won’t remove the need for judgment, because:

• AI can confidently suggest settings that are obsolete, distro-specific, or conflict with your environment.
• AI often can’t see your real system state unless you provide logs/configs (and even then, it can miss context).
• Hardening is trade-offs; someone still has to decide what breakage is acceptable for the user.

So the value shifts from “knowing every setting by memory” to “knowing what to verify, what to prioritize, and how to keep usability intact.”

Practical conclusion for relatives
If you want fewer support calls, the winning strategy is usually boring + consistent, regardless of OS:

• Auto updates
• Standard user (not admin)
• Install apps only from trusted sources/stores
• Browser with sensible defaults (uBO is fine; don’t over-tweak into constant site breakage)
• Basic “don’t act on links” habits

If the relative’s workflow is basically “web + email,” a lightweight Linux setup can be a very good outcome (especially on older hardware). If they depend on specific Windows-only apps or Office workflows, Windows may still be the least-friction choice—and hardening should be done quietly and conservatively to avoid turning you into permanent tech support.