The New Oil

Privacy/Cybersecurity: Securing Desktop

Recommended Settings for Desktop/Laptop Devices

Linux

Just like cell phones, desktop operating systems like Windows and Mac track their users to an excessive degree. Windows is by far the worst offender; however, Mac also has its share of telemetry. In a perfect world, the best option for a desktop operating system is Linux. Linux is an open-source operating system with dozens of variants (called “distros,” short for “distributions”), each offering its own unique set of features and target audience. Most Linux distros are considerably more private compared to Windows and Mac, though some place additional emphasis on privacy or security. The most private and secure distro I’m aware of by far is Qubes; however, Qubes has an immense learning curve, especially if you’ve never used Linux before. Quite frankly, for most people, Qubes will be more headache than it’s worth: most users will have to make significant sacrifices, and the privacy and security gained in return are more than they really need. Most users will be absolutely fine with one of my other recommendations listed here and will encounter a much more pleasant user experience and smoother transition, with nearly all the same apps, programs, games, and features they’re used to being available or easy to replicate. That said, for those desiring maximum privacy and security, Qubes is hard to beat.

For most readers, my recommended distro depends on your plans. If you want something that “just works” out of the box and you have no desire to really master the command line, become a Linux expert, or advance on to further Linux-based subjects (such as self-hosting), then I strongly recommend Fedora Silverblue. Silverblue is an official variant of Fedora that offers an “atomic” base operating system, making it quite resilient (though not impervious) against malware and other unwanted changes. Users can find most common programs as a Flatpak or Snap package, which basically installs programs as self-contained, sandboxed “apps,” improving security without sacrificing stability or usability. (This is an oversimplification, but it should give you a general idea of how Flatpaks and Snaps work.)

For those who wish to someday become Linux experts or move on to things like self-hosting (or who are unwilling to install Linux manually for any number of reasons, which I will discuss shortly), I recommend starting with Pop! OS. It is based on Ubuntu, so you’ll find the most abundant and easy-to-understand support from a plethora of online resources, and it has a very user-friendly interface that most users will easily adjust to while learning more advanced skills like the terminal.

Whatever distro you choose, please note that while Linux is usually significantly better for privacy, it is not necessarily a huge improvement in security and in some cases can actually be worse. However, as with web browsers, I believe that this tradeoff is insignificant for most users, provided that you use good online habits and are reasonably cautious. For those who wish to learn more about Linux, I highly recommend The Linux Experiment. Nick produces top-tier content about various distros and all the other topics surrounding Linux that will likely answer every question you can imagine and teach you all you want to know about what Linux is capable of, has to offer, and which distro you should consider. You can also test out a number of popular distros right in your browser without installing anything using DistroSea.

Installing Linux is very easy (there are tons of guides online), and most distros will work on nearly any device. However, if you are uncomfortable and would prefer to buy pre-installed devices, the best option will be to buy a device from System76, which comes pre-installed with Pop! OS. At this time, I’m not aware of any vendors who sell devices that are pre-installed with Fedora Silverblue.

Not everybody has the luxury of switching to Linux, for any number of reasons, such as needing a specialized program that only runs on Mac/Windows or being in possession of a device that is technically not yours and that you therefore can’t make such changes to. For those who can make changes to their devices but still require at least occasional access to Mac or Windows, I recommend considering dual booting. Be sure to make a good backup of your data before attempting this, and do lots of research on both the process and the distro you intend to dual boot, as there can be a lot of considerations like security and hardware compatibility. It can be a little confusing or intimidating at first, but once you get the hang of it, it’s not terribly difficult to do or manage.

Mac vs Windows

For those who wish to maintain access to a mainstream device for any reason, you very likely have already decided which you’d prefer and why. For those who are on the fence, allow me to weigh in. Thankfully this is a very black-and-white area that can be summed up in a few easy bullet points:

  • Macs have better privacy and security than Windows (though macOS does still collect some telemetry, which can be reduced through the recommendations on this page).
  • Windows 11 is unarguably more secure than Windows 10.
  • Both Windows 11 and Windows 10 are abysmal for privacy, though Windows 11 is worse (though much of the telemetry can be reduced through the settings recommended on this page). However, Windows 10 will soon stop receiving security updates, so given the choice I recommend Windows 11.
  • I would only recommend Windows if you are an avid gamer or wish to easily dual boot Linux, as this is better supported on Windows devices than on Macs.

For those who must use Mac or Windows, even with dual booting or as a separate device, I have listed a set of recommended settings for both operating systems that I encourage you to change (if you can) to make your device a little more private and secure. You can see my criteria for this page and why I recommended these settings here.

Mac OS 13: Ventura

  • If you are setting up a new device from scratch, please note that you should be able to continue through setup without entering an Apple ID. You can get all of the programs I recommend without using the App Store, and major system updates will still be applied even without signing in. Note that your apps will not auto-update, however (the system will if you apply the appropriate setting below).
  • Wi-Fi > Details (next to your current network) > Limit IP address tracking: enable
  • Wi-Fi > Details (next to your current network) > DNS: Set a privacy-respecting DNS (ignore this if you plan to use a VPN)
  • Bluetooth: Turn off whenever not in use
  • Network > Firewall > Firewall: Enable
  • Notifications > Allow notifications when the display is sleeping: Off
  • Notifications > Allow notifications when the screen is locked: Off
  • Notifications > Allow notifications when mirroring or sharing: Off
  • General > Software Update: Enable all
  • General > AirDrop & Handoff: Disable all
  • General > Sharing: Disable all
  • General > Time Machine: Back Up Automatically
  • General > Time Machine: Select Backup Disk
  • General > Time Machine > Options: Back up frequency: Set to your desired frequency
  • Siri & Spotlight: Disable all
  • Privacy & Security > Location Services: Disable anything you don’t need
  • Privacy & Security: Examine all other apps to ensure they only have the necessary permissions
  • Privacy & Security > Analytics & Improvements: Disable all
  • Privacy & Security > Apple Advertising > Personalized Ads: Disable
  • Privacy & Security > Security > Allow apps downloaded from: App Store and identified developers
  • Privacy & Security > Allow accessories to connect: Ask for new
  • Privacy & Security > FileVault: Turn On FileVault (or use Veracrypt)
  • Privacy & Security > Lockdown Mode: On (This will disable a significant number of features, however if you are able to live without them, it will help protect other users who need this feature from being easily identified.)
  • Desktop & Dock > Default web browser: Brave/Firefox
  • Lock Screen > Require password after screen saver begins or display is turned off: Immediately
  • Touch ID & Password: Use of a fingerprint is personal preference, so long as a strong password or passphrase is also in use.
  • Internet Accounts > iCloud: I strongly discourage the use of iCloud as I believe most of its benefits can be replicated in a more privacy-respecting way using other services listed on this site. However, if you wish to use iCloud, enable Advanced Data Protection.
  • Wallet & Apple Pay: I do not recommend the use of these services.
  • Keyboard > Dictation: Off
  • Advanced users who want more granular control and feel comfortable making extreme changes may want to look into Little Snitch or LuLu. These are firewalls to help further control the traffic leaving your device and reduce data collection by Apple and others.

Windows 11

  • If you are installing Windows 11 from scratch, please note that the Home version will offer you the least amount of control regarding settings and disabling telemetry and analytics. If possible, you should try to get Pro, Education, or Enterprise editions. However, these frequently cost more than the Home version (which is usually included free when purchasing the device), sometimes several hundred dollars for a single license. As such, this guide is written for the Home version.
  • If you are installing Windows 11 from scratch, please note that you can install it without a Microsoft account. I found this method effective in my most recent install experience. You will receive a warning that you’ll miss out on features, but these features are not relevant to security and avoiding an online account will improve your privacy.
  • Finally, if you are installing Windows 11 from scratch, you should select “English (World)” as a language during the setup if possible. I’ve seen several sources claim that this will dramatically reduce (if not entirely eliminate) the number of preinstalled third-party apps and software (aka “bloatware”) such as Candy Crush and Spotify. I have not tested this myself yet, but I see no reason not to at least try it.
  • System > Notifications: Off
  • System > Storage > Storage Sense: On
  • System > Nearby sharing: Off
  • Bluetooth & devices > Bluetooth: Off whenever not in use
  • Bluetooth & devices > Phone Link: Do not link your phone
  • Bluetooth & devices > AutoPlay: Off
  • Network & internet > Wi-Fi > Random hardware addresses: On
  • Network & internet > Ethernet > Network profile type: Public network
  • Personalization > Lock screen: Leave the default picture, or pick something that does not reveal any personal information (ex, don’t put a family photo as your lock screen)
  • Personalization > Device usage: Turn everything off
  • Apps > Installed apps: Uninstall anything you don’t use
  • Apps > Advanced app settings > Choose where to get apps: installing apps from the Microsoft Store offers better security due to sandboxing, but may also affect privacy by introducing additional analytics and telemetry. Pick this setting accordingly.
  • Accounts: Give your account a nondescript username, like “user” or “admin” instead of “Bob” or “bsmith” (this can be done in Control Panel > User Accounts > User Accounts)
  • Accounts > Your info: pick a profile picture that doesn’t reveal any personal information.
  • Accounts > Sign-in options > Ways to sign in: (in order of recommendation) Security key, Fingerprint recognition, Password (ideally a passphrase), PIN, Picture Password, or Facial recognition.
  • Accounts > Sign-in options > Additional settings > If you’ve been away…: “When PC wakes up from sleep.”
  • Accounts > Sign-in options > Additional settings > Automatically save my restartable apps…: Off
  • Accounts > Sign-in options > Additional settings > Show account details…: Off
  • Accounts > Access work or school: Do not connect a work or school account. Legally, in the United States, your employer or school cannot force you to use a personal device. They must provide a device. Giving them access will give them some access to your data and some control over your device. (Note: I am not a lawyer, this is not legal advice, consult an actual lawyer if you are being pressured to use this setting.)
  • Time & language > Typing > Show text suggestions…: Off
  • Time & language > Typing > Multilingual text suggestions: Off
  • Time & language > Typing > Autocorrect misspelled words: Off
  • Time & language > Typing > Highlight misspelled words: Off
  • Time & language > Typing > Typing insights: Off
  • Privacy & security > Windows Security: Ensure you have green checks on “Virus & threat protection,” “Account protection,” “Firewall & network protection,” “App & browser control,” and “Device security.”
  • Privacy & security > General: Turn everything Off.
  • Privacy & security > Speech: Off
  • Privacy & security > Inking & typing personalization > Personal inking and typing dictionary: Off
  • Privacy & security > Diagnostics & feedback: Turn everything Off.
  • Privacy & security > Diagnostics & feedback > Delete diagnostic data: Delete
  • Privacy & security > Activity history: Turn everything off
  • Privacy & security > Activity history > Clear activity history for this account: Clear history
  • Privacy & security > Search permissions > History: Off
  • Privacy & security > Search permissions > History: Clear device search history
  • Privacy & security > Search permissions > More settings: off
  • Privacy & security > App permissions: Evaluate each of these categories, completely turn off any settings you don’t use. For categories you do use, examine which apps have permission and revoke any apps that don’t have a valid need for it.
  • Windows Update: By default, Windows 11 automatic updates are enabled. I still recommend checking this tab periodically to ensure there were no errors updating (especially after the second Tuesday of each month, as this is when Microsoft pushes most of their updates).
  • Windows Update > Advanced options > Optional updates: I recommend checking this setting while you’re checking your other system updates. These updates include things like drivers that will help keep your system running as smoothly as possible.
  • If you don’t plan to use a VPN, then I encourage you to use an Encrypted DNS Resolver. Follow these instructions to change your DNS. Select “Encrypted preferred, unencrypted allowed” if the option is available. If the option is not available, the rest of the steps should still apply.
  • Advanced users who want more granular control and feel comfortable making extreme changes may want to look into W10Privacy and Bulk Crap Uninstaller to remove additional, pre-installed bloatware and Portmaster or Simplewall for additional firewall controls to block outgoing connections and further reduce data collection by Microsoft and other third parties.
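Because the list above is long, it is easy to miss one setting or have an update silently revert it. The following read-only PowerShell audit is an added example (not from The New Oil or any tool it links) that reports which of the recommended Windows 11 settings are not in the suggested state. It assumes the registry values named in the comments are the ones behind those Settings pages on a stock Windows 11 Home build; that mapping is my assumption, so verify any flagged item in the Settings app before changing it.

```powershell
# Added example: read-only audit of selected Windows 11 privacy settings
# recommended on this page. Run from an elevated PowerShell prompt.
# Assumption: each registry value below backs the named Settings page.

function Test-RegValue {
    param([string]$Path, [string]$Name, $Expected, [string]$Label)
    # Missing values are reported as '<missing>' rather than treated as OK.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.$Name } else { '<missing>' }
    [pscustomobject]@{ Setting = $Label; Expected = $Expected
                       Actual = $actual; OK = ($actual -eq $Expected) }
}

function Get-PrivacyAudit {
    $checks = @(
        # Privacy & security > General: advertising ID (0 = off)
        Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo' `
            'Enabled' 0 'General > Advertising ID'
        # Diagnostics & feedback > Tailored experiences (0 = off)
        Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Privacy' `
            'TailoredExperiencesWithDiagnosticDataEnabled' 0 'Diagnostics > Tailored experiences'
        # Diagnostics & feedback > Diagnostic data (1 = Required only, 3 = Optional)
        Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection' `
            'AllowTelemetry' 1 'Diagnostics > Diagnostic data'
        # Privacy & security > Speech: online speech recognition (0 = off)
        Test-RegValue 'HKCU:\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy' `
            'HasAccepted' 0 'Speech > Online speech recognition'
        # Inking & typing personalization (1 = collection restricted, i.e. off)
        Test-RegValue 'HKCU:\Software\Microsoft\InputPersonalization' `
            'RestrictImplicitTextCollection' 1 'Inking & typing > text collection'
        Test-RegValue 'HKCU:\Software\Microsoft\InputPersonalization' `
            'RestrictImplicitInkCollection' 1 'Inking & typing > ink collection'
        # Search permissions > History on this device (0 = off)
        Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\SearchSettings' `
            'IsDeviceSearchHistoryEnabled' 0 'Search permissions > History'
    )
    # Windows Security: real-time protection, via the built-in Defender module.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $rtp = if ($null -ne $mp) { $mp.RealTimeProtectionEnabled } else { '<unavailable>' }
    $checks += [pscustomobject]@{ Setting = 'Windows Security > Virus & threat protection'
                                  Expected = $true; Actual = $rtp; OK = ($rtp -eq $true) }
    # Firewall must be on for every profile (Domain, Private, Public).
    foreach ($p in Get-NetFirewallProfile) {
        $checks += [pscustomobject]@{ Setting = "Firewall profile: $($p.Name)"; Expected = 'True'
                                      Actual = "$($p.Enabled)"; OK = ("$($p.Enabled)" -eq 'True') }
    }
    # Network profile type should be Public on every active connection.
    foreach ($c in Get-NetConnectionProfile) {
        $checks += [pscustomobject]@{ Setting = "Network profile: $($c.Name)"; Expected = 'Public'
                                      Actual = "$($c.NetworkCategory)"
                                      OK = ("$($c.NetworkCategory)" -eq 'Public') }
    }
    $checks
}

# Show only the settings that still need attention.
Get-PrivacyAudit | Where-Object { -not $_.OK } | Format-Table -AutoSize
```

An empty table means every audited setting matches the recommendation; re-run it after each monthly update cycle.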

Given the choice between Windows 10 and 11, you should pick Windows 11. Experts agree that Windows 11 is significantly more secure than Windows 10. However, Windows 11 also comes with some strict hardware requirements. If you are unable to use Windows 11 for any reason, I have listed my recommended settings for Windows 10 below.

Windows 10

  • If you are installing Windows 10 from scratch, please note that the Home version will offer you the least amount of control regarding settings and disabling telemetry and analytics. If possible, you should try to get Pro, Education, or Enterprise editions. However, these frequently cost more than the Home version (which is usually included free when purchasing the device), sometimes several hundred dollars for a single license. As such, this guide is written for the Home version.
  • If you are installing Windows 10 from scratch, please note that you can install it without a Microsoft account. This can be done by simply unplugging the ethernet cable and skipping the WiFi connection during install. You will receive a warning that you’ll miss out on features, but these features are not relevant to security and avoiding an online account will improve your privacy slightly.
  • Finally, if you are installing Windows 10 from scratch, you should select “English (World)” as a language during the setup. I’ve seen several sources claim that this will dramatically reduce (if not entirely eliminate) the number of preinstalled third-party apps and software (aka “bloatware”) such as Candy Crush and Spotify. I have not tested this myself yet, but I see no reason not to at least try it.
  • System > Notifications & actions > Show notifications on the lock screen: Off
  • System > Storage > Storage Sense: On
  • System > Shared experiences > Share across devices: Off
  • Devices > Typing: Everything off
  • Devices > AutoPlay: Off
  • Phone: Do not link
  • Network & Internet > Wi-Fi > Use random hardware addresses: On
  • Apps > Apps & features: Uninstall anything you don’t use
  • Accounts > Sign-in options > Require sign-in: When PC wakes up from sleep
  • Accounts > Sign-in options > Password: Use a passphrase
  • Accounts > Sign-in options > Privacy > Show account details on sign-in screen: Off
  • Privacy > General: All off
  • Privacy > Speech: Online speech recognition: Off
  • Privacy > Inking & typing personalization > Getting to know you: Off
  • Privacy > Diagnostics & feedback > Diagnostic data: Required diagnostic data
  • Privacy > Diagnostics & feedback > Improve inking & typing recognition: Off
  • Privacy > Diagnostics & feedback > Tailored experiences: Off
  • Privacy > Activity history > Send my activity history to Microsoft: Off
  • Privacy > App permissions: Review each setting and disable accordingly
  • Update & Security > Windows Security > Open Windows Security > Virus & Threat Protection: All protections on
  • Update & Security > Windows Security > Open Windows Security > Firewall & Network Protection: All firewalls on
  • Update & Security: Backup: See the backups page for more information on how to keep effective backups.
  • If you don’t plan to use a VPN, then I encourage you to use an Encrypted DNS Resolver. Follow these instructions to change your DNS. Select “Encrypted preferred, unencrypted allowed” if the option is available. If the option is not available, the rest of the steps should still apply.
  • Advanced users who want more granular control and feel comfortable making extreme changes may want to look into W10Privacy and Bulk Crap Uninstaller to remove additional, pre-installed bloatware and Portmaster or Simplewall for additional firewall controls to block outgoing connections and further reduce data collection by Microsoft and other third parties.

By enabling all of these settings, you are significantly reducing the amount of tracking and data collection these devices perform.

Best Practices

By default, both Mac and Windows will create an administrator account during initial setup. After setup, create a second non-admin account and use that as your main account. This makes it harder for programs to be installed without your knowledge and reduces the risk of malware and viruses getting installed.

Third-party antivirus software has become unnecessary in most cases. Using a good ad blocker and good online habits is generally enough to keep any generic malware off your device. Both Windows and Mac come with built-in malware protection that I encourage you to make use of. On Windows it’s called Defender. Macs come with XProtect. Linux does not ship with any stock antivirus programs, but ClamAV is the most commonly recommended.

Even with all the third-party software, tweaks, and changes we’ve made to the operating system and the browser, sometimes tracking and other unnecessary files still get through. Cleaning out unnecessary, temporary files will not only protect your privacy and security, but improve your computer’s performance. I recommend using BleachBit for this. This is a powerful program that securely deletes your unused files, removes errors from the registry, and fixes broken shortcuts, among other things. BleachBit cannot be scheduled, and thus you must run it manually. I recommend at least once per week.

Just as with phones, I encourage you to have as few apps, programs, and files as possible on your computer. Sometimes this is either impossible or just not a reasonable request but, for example, you can use your browser instead of an app to access Netflix or Hulu. I also encourage you to regularly look for and get rid of files you no longer want or need, such as photos of exes or documents you downloaded once so you could print them off. This could potentially be dangerous if your device falls into the wrong hands.

Keep in mind that forensic software can still often recover “deleted” items, so if you have anything you want gone for good, be sure to perform a disk wipe, which is offered by BleachBit. Don’t do disk wipes on solid state drives, as this will shorten their lifespans. Instead, full disk encryption is your best defense.

Although I have recommended W10Privacy for Windows, there are other similar offerings. Whatever you use, be sure to vet it carefully and make sure it is trustworthy. Many modification scripts and third-party variations of Windows can include security vulnerabilities you may not be aware of, such as AtlasOS, which claims to improve Windows performance for gamers but does so at the cost of numerous security features.