25 Security Practices That Actually Protect You (Windows, Mac, and Linux)
Most people treat their computer security the way they treat their car's oil — they'll get to it eventually. The problem is that eventually often comes after something goes wrong.
This is a no-fluff checklist. Twenty-five practices that remove unnecessary exposure, strip junk software, block surveillance capitalism, and tighten the doors attackers walk through. Most take under five minutes. A few take twenty. None require a degree.
Platform callouts are noted where the step differs meaningfully by OS. Where no callout appears, it applies everywhere.
---
The Basics That Most People Skip
1. Keep your OS and applications updated — automatically
The majority of successful attacks exploit vulnerabilities that already have patches available. According to Verizon's 2024 Data Breach Investigations Report, a significant portion of breaches involve known vulnerabilities where patches existed but were never applied. Enable automatic updates and stop postponing them.
- Windows: Settings → Windows Update → toggle on all automatic options
- Mac: System Settings → General → Software Update → enable all automatic options
- Linux: `sudo apt install unattended-upgrades` (Debian/Ubuntu) or enable `dnf-automatic` (Fedora/RHEL)
2. Use a password manager
Reused passwords are one of the most exploited attack vectors in the world. A password manager generates and stores unique, complex passwords for every account so you only have to remember one. Bitwarden is free, open-source, and audited. 1Password and KeePassXC are solid alternatives.
3. Enable two-factor authentication (2FA) on every account that supports it
Microsoft's internal research found that MFA blocks over 99.9% of automated account compromise attacks. Prefer an authenticator app (Authy, Google Authenticator, or your password manager's built-in TOTP) over SMS, which is vulnerable to SIM-swapping.
4. Run as a standard user, not an administrator
Most people use their computer logged in as an administrator every day. This means any malware that executes inherits your full permissions. Create a separate standard user account for daily use and reserve the admin account for installations and system changes. This alone limits the damage from most malware significantly.
- Windows: Settings → Accounts → Family & Other Users → Add account, set as Standard User
- Mac: System Settings → Users & Groups → Add User, set as Standard
- Linux: `sudo adduser username && sudo usermod -aG sudo username` for a sudo-capable standard account
---
Encryption and System Lockdown
5. Encrypt your storage drive
If your laptop is stolen, drive encryption is the only thing keeping your files private. Without it, anyone with physical access can pull the drive and read everything.
- Windows: Search "BitLocker" → enable on your system drive (requires Windows Pro; Home users can use "Device Encryption" in Settings → Privacy & Security)
- Mac: System Settings → Privacy & Security → FileVault → Turn On
- Linux: Enable LUKS encryption during OS installation. Retroactive encryption requires a fresh install.
6. Enable and verify your firewall
Your OS firewall is a baseline control. It should always be on.
- Windows: Control Panel → Windows Defender Firewall → ensure it's active for all network profiles
- Mac: System Settings → Network → Firewall → turn on
- Linux: `sudo ufw enable` then `sudo ufw status` to verify
7. Enable Secure Boot
Secure Boot prevents malicious bootloaders from loading before the OS starts — a class of attack called a bootkit. Most modern systems support it.
- Windows/Linux: Access UEFI/BIOS settings on startup (usually F2, F12, or Delete) and enable Secure Boot under the Security tab
- Mac: Enabled by default on Apple Silicon; verify via Apple menu → Shut Down, then boot into Recovery to check Security Policy
8. Disable Remote Desktop and Remote Management when not in use
Remote Desktop Protocol (RDP) is one of the most scanned-for services on the internet. If you are not actively using remote access, disable it entirely. CISA has issued multiple advisories warning that exposed RDP is a primary ransomware entry point.
- Windows: Settings → System → Remote Desktop → Off
- Mac: System Settings → Sharing → disable Remote Login and Remote Management
- Linux: `sudo systemctl disable --now ssh` (if SSH is not needed; if it is needed, configure key-based auth and disable password login)
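When SSH has to stay on, the Linux note above calls for key-based auth with password login disabled. The audit below is an added example, not part of the original checklist; the function names `effective_value` and `audit_sshd` and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config (or saved `sshd -T` output) for key-only login.
# Assumes whitespace-separated "Keyword value" lines. sshd keeps the FIRST value
# it reads for a keyword, matches keywords case-insensitively, and treats
# everything after a Match line as conditional, so only the global part is read.

# effective_value FILE 'name|alias' DEFAULT -> global value in effect, lowercased
effective_value() {
    awk -v want="$2" -v def="$3" '
        /^[ \t]*#/ || NF == 0          { next }   # comments and blank lines
        tolower($1) == "match"         { exit }   # end of the global section
        tolower($1) ~ ("^(" want ")$") { val = tolower($2); found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# audit_sshd FILE -> prints findings; returns 0 only if password logins are off
audit_sshd() {
    rc=0
    pw=$(effective_value "$1" 'passwordauthentication' yes)
    kbd=$(effective_value "$1" 'kbdinteractiveauthentication|challengeresponseauthentication' yes)
    key=$(effective_value "$1" 'pubkeyauthentication' yes)
    [ "$pw" = no ]   || { echo "FAIL PasswordAuthentication=$pw"; rc=1; }
    [ "$kbd" = no ]  || { echo "FAIL KbdInteractiveAuthentication=$kbd"; rc=1; }
    [ "$key" = yes ] || { echo "FAIL PubkeyAuthentication=$key"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK key-only login"
    return "$rc"
}

# Constructed sample: looks hardened at a glance, but is not.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not from a real host
PubkeyAuthentication yes
PasswordAuthentication yes
passwordauthentication no
Match User backup
    KbdInteractiveAuthentication no
EOF
audit_sshd "$sample" || echo "=> password logins still possible"
rm -f "$sample"
```

On a live host, save the output of `sudo sshd -T` and audit that file instead, since it also reflects settings pulled in through `Include` directives.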
9. Disable unnecessary startup services
Services that launch at startup represent attack surface even when you are not actively using the applications they belong to. Audit and trim what runs.
- Windows: Task Manager → Startup tab → disable anything you do not recognize or need
- Mac: System Settings → General → Login Items → remove unnecessary entries
- Linux: `systemctl list-unit-files --state=enabled` to audit; `sudo systemctl disable <unit>` to remove unwanted entries
---
Privacy and Anti-Surveillance
10. Disable OS telemetry and data collection
Every major OS sends behavioral data back to the developer by default. You opted into this without reading the fine print. Turn it off.
- Windows: Settings → Privacy & Security → Diagnostics & Feedback → set to "Basic" or "Required diagnostic data only." Also disable: Activity History, Tailored Experiences, and Inking & Typing Personalization. For deeper control, use the open-source tool O&O ShutUp10++ to review and disable hundreds of additional telemetry toggles.
- Mac: System Settings → Privacy & Security → Analytics & Improvements → uncheck everything. Also: System Settings → Privacy & Security → Apple Advertising → turn off Personalized Ads.
- Linux: Most distributions collect minimal or no telemetry by default. Ubuntu includes optional error reporting — `ubuntu-report` — which can be disabled via Settings → Privacy.
11. Turn off advertising IDs
Both Windows and Android (and to a lesser extent macOS) assign your device an advertising identifier that tracks your behavior across apps. This is separate from cookies and survives browser clearing.
- Windows: Settings → Privacy & Security → General → turn off "Let apps show me personalized ads by using my advertising ID"
- Mac: System Settings → Privacy & Security → Apple Advertising → Limit Ad Tracking
12. Install uBlock Origin in your browser
uBlock Origin is a content and ad blocker with low memory usage and extremely high effectiveness. It blocks not just ads but tracking scripts, malvertising, and analytics beacons. Install it in Firefox or Chrome. The EFF's research consistently identifies it as one of the most effective browser privacy tools available.
13. Harden your browser settings
Beyond an ad blocker, a few quick changes reduce what sites can track:
- Disable third-party cookies (Firefox: Privacy settings → Enhanced Tracking Protection → Strict; Chrome: Settings → Privacy & Security → Cookies)
- Enable HTTPS-Only Mode (Firefox has this built-in; in Chrome, Settings → Privacy & Security → Always use secure connections)
- Disable location, microphone, and camera access site-by-site unless actively needed
14. Switch to encrypted DNS
Your DNS queries — every website you look up — go to your ISP by default, in plaintext. ISPs log and sell this data. Switch to a privacy-respecting encrypted DNS provider.
- Cloudflare (1.1.1.1) or Quad9 (9.9.9.9) both support DNS-over-HTTPS and have strong privacy policies
- Windows: Settings → Network & Internet → Wi-Fi/Ethernet → DNS Server Assignment → Manual → enter 1.1.1.1 and 1.0.0.1, enable DNS over HTTPS
- Mac: Network settings → DNS tab → replace with 9.9.9.9; for full DoH, use a client like DNSCrypt-Proxy
- Linux: Configure `/etc/systemd/resolved.conf` with `DNS=1.1.1.1` and `DNSOverTLS=yes`
---
Removing Bloatware and Junk
15. Audit and uninstall everything you do not use
Pre-installed software ("bloatware") on Windows machines in particular runs background processes, phones home, and uses system resources. Uninstall any application you did not deliberately install and do not actively use.
- Windows: Settings → Apps → Installed Apps → sort by publisher and remove vendor junk (trial antivirus, shopping apps, game launchers, browser toolbars)
- Mac: Applications folder → drag unused apps to Trash; for App Store apps, right-click → delete in Launchpad
- Linux: `sudo apt list --installed` (Debian/Ubuntu) to review, then `sudo apt remove <package>` for anything unnecessary
16. Disable Cortana, Spotlight suggestions, and cloud-connected search
OS-level search assistants send your keystrokes and search queries to remote servers. For most users, local search is sufficient.
- Windows: Search bar settings → turn off Search Highlights, Cloud Content Search, and Cortana permissions
- Mac: System Settings → Siri & Spotlight → disable Spotlight Suggestions and Siri Suggestions in Search
17. Remove browser extensions you did not install
Malicious browser extensions are a common persistence mechanism. They can capture every keystroke, hijack searches, and inject ads. Open your browser's extensions page and remove anything you do not recognize.
---
Network Security
18. Use a VPN on public Wi-Fi
Public Wi-Fi is inherently untrusted. An attacker on the same network can perform man-in-the-middle attacks against unencrypted traffic. A reputable VPN encrypts your connection between your device and the VPN server. Mullvad and ProtonVPN are audited, no-log providers. Avoid free VPNs — they monetize your data.
19. Secure your home router
Your router is the front door of your network. Default settings are often wide open.
- Change the default admin username and password
- Update router firmware (check the manufacturer's app or web interface)
- Use WPA3 encryption if supported (WPA2 minimum)
- Disable WPS (Wi-Fi Protected Setup) — it has known vulnerabilities
- Create a separate guest network for IoT devices (smart TVs, cameras, thermostats) to keep them off your main network
20. Disable Bluetooth and Wi-Fi when you are not using them
Both Bluetooth and Wi-Fi broadcast signals that can be used to track your physical location and, in some cases, exploit vulnerabilities in the stack. Toggle them off when you are not actively using them, especially in public.
---
Physical and Account Security
21. Enable automatic screen lock
Set your screen to lock after 2-5 minutes of inactivity. This is basic physical security — someone walking by your unlocked machine has full access.
- Windows: Settings → Personalization → Screen Saver → set a timeout and require login on resume
- Mac: System Settings → Lock Screen → set "Require password after screen saver begins"
- Linux: Configure via your desktop environment's power/lock settings
22. Enable login notifications and account alerts
Most email providers and cloud services offer login alerts. Turn them on. Knowing someone logged into your account from an unknown device is the fastest way to catch a breach early.
23. Disable AutoRun and AutoPlay
AutoRun allows external drives and media to execute code automatically when plugged in. This was a primary infection vector for malware spread via USB drives and it should always be disabled.
- Windows: Search "AutoPlay" in Settings → turn off "Use AutoPlay for all media and devices"
- Mac: AutoRun is disabled by default
- Linux: Disable automounting via your file manager settings if not needed
---
Backups and Incident Readiness
24. Follow the 3-2-1 backup rule
Ransomware encrypts your files and demands payment. The only complete defense is a backup that ransomware cannot reach. The 3-2-1 rule: three copies of your data, on two different media types, with one copy offsite (or offline).
- Local backup to an external drive (disconnected when not in use)
- Cloud backup to an encrypted service (Backblaze, iCloud with Advanced Data Protection, or rclone to an encrypted remote)
- Test your restore at least once. A backup you have never restored is an assumption, not a safety net.
- Windows: Settings → System → Backup / Windows Backup
- Mac: Time Machine for local + iCloud or Backblaze for offsite
- Linux: `rsync`, `Borg`, or `Restic` for flexible, encrypted backup solutions
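One way to carry out the "test your restore" step on Linux is to restore into a scratch directory and compare it with the source file by file. This is an added example, not part of the original checklist; the function names `manifest` and `compare_restore` and the demo files are constructed, and it assumes GNU `sha256sum` and file names without newlines or backslashes.

```shell
#!/bin/sh
# Added example: prove a restore matches the source by comparing SHA-256 manifests.

# manifest DIR -> one "hash  ./relative/path" line per regular file
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# compare_restore SRC RESTORED -> prints MISSING/CHANGED/EXTRA lines;
# returns 0 only when the restored tree is byte-identical to the source.
compare_restore() {
    src_m=$(mktemp); dst_m=$(mktemp)
    manifest "$1" > "$src_m"; manifest "$2" > "$dst_m"
    report=$(awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { want[path] = hash; next }
        { seen[path] = 1
          if (!(path in want))         print "EXTRA   " path
          else if (want[path] != hash) print "CHANGED " path }
        END { for (p in want) if (!(p in seen)) print "MISSING " p }
    ' "$src_m" "$dst_m" | sort)
    rm -f "$src_m" "$dst_m"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed demo data: a source tree and a "restore" with one silent corruption.
demo=$(mktemp -d)
mkdir -p "$demo/src/docs" "$demo/restored/docs"
printf 'tax return 2024\n'    > "$demo/src/docs/taxes.txt"
printf 'family photo bytes\n' > "$demo/src/photo.jpg"
cp "$demo/src/docs/taxes.txt" "$demo/restored/docs/"
printf 'family photo bytez\n' > "$demo/restored/photo.jpg"   # same size, different content
compare_restore "$demo/src" "$demo/restored" || echo "restore test FAILED"
rm -rf "$demo"
```

The corrupted file has the same name and size as the original, so a directory listing would not reveal it; only the content hash does.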
25. Run a malware scan periodically
Even with good habits, scanning periodically catches things that slipped through.
- Windows: Windows Defender (built-in) is effective and free. Run a full scan monthly. For a second-opinion tool, Malwarebytes Free is well-regarded.
- Mac: Malwarebytes for Mac offers a free scanner. Built-in XProtect and Gatekeeper catch most threats automatically.
- Linux: `rkhunter` or `chkrootkit` for rootkit detection; ClamAV for general scanning, especially on servers.
---
None of these require technical expertise. They require twenty minutes and the willingness to actually do them. Security is not a product you buy — it is a set of habits. Start with the ones you have not done yet.
---
Sources
1. Verizon. (2024). Data Breach Investigations Report. Verizon Business.
2. Microsoft. (2019). One simple action you can take to prevent 99.9 percent of attacks on your accounts. Microsoft Security Blog.
3. Cybersecurity and Infrastructure Security Agency (CISA). (2023). Reducing the Risk of Remote Desktop Protocol. U.S. Department of Homeland Security.
4. Electronic Frontier Foundation. (2023). Cover Your Tracks: Privacy Badger and uBlock Origin Analysis. EFF.
5. Center for Internet Security (CIS). (2024). CIS Benchmarks — Windows, macOS, Linux. CIS Security.
6. National Institute of Standards and Technology. (2020). NIST SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems. U.S. Department of Commerce.
7. National Security Agency. (2023). Network Infrastructure Security Guidance. NSA Cybersecurity Technical Report.
8. Ponemon Institute. (2023). Cost of a Data Breach Report. IBM Security.
— Dr. Scott