
How to update Windows to protect yourself against ransomware

While supporting the Windows operating system is not what we do here (anymore) I feel that it’s important to have a clear, step by step method to protect your business. I have compiled this from many other reputable sources but please test on a small scale before deploying to your entire company. I hold no responsibility or liability for the results.

This won't fool-proof your business against malware/ransomware but it adds another layer of protection.

Update Windows

These are some of the things you can check or fix now that will help protect you from ransomware.

  1. Update your system immediately:

Microsoft is constantly releasing patches, and an update may close the vulnerability that attackers would otherwise use to spread the malware.

To keep your Windows system up to date, go here and follow the instructions:

https://support.microsoft.com/en-us/help/311047/how-to-keep-your-windows-computer-up-to-date

  2. Update your anti-malware software

If you are using a third-party product to protect your PC, please ensure its definitions (that is, its database of known threats and protection rules) are up to date.

Do a Google search for “how to update” followed by the name of your software provider, e.g.:

how to update Norton security essentials

Enable Windows Defender

Enabling Windows Defender adds another layer of protection against malware being installed on your computer:

Windows 10:

  1. Select the Start button, then select Settings > Update & Security.
  2. Select Windows Defender, then turn Real-time protection on.

Windows 7

  1. Select Start and type “Windows Defender”, then select the app that is displayed
  2. In Windows Defender, click Settings > check “Turn on real-time protection (recommended)”

Reduce the administrative rights of your user account

This is best practice even in the best of times.

This is why: if you accidentally click on a malicious email and you’re only using a standard account (non-administrator), then the virus won't be able to install itself on your computer or have access to secure areas of Windows.

When Windows prompts you to elevate to an admin account, which has the rights to install, you can then deny the install (DO NOT enter your username and password) and cancel the request.

Pat yourself on the back and tell your boss you saved them thousands of dollars in ransom payment.

Windows 10

Create a new account:

  1. Select Start > Settings > Accounts > Family & Other People > Add someone else to this PC
  2. Give it an appropriate username
  3. Set the password the same as your current account (why? See notes below)
  4. Click Next

Change this to an administrator account:

  1. Select Start > Settings > Accounts > Family & Other People
  2. Select the new admin account you just created, click Change Account Type
  3. Select Administrator and click OK

Change your normal account to a standard account:

  1. Select Start > Settings > Accounts > Family & Other People
  2. Select the account that you usually use, click Change Account Type
  3. Select Standard User and click OK
  4. Restart your PC

Windows 7

Create a new admin account:

  1. Go to Start > Control Panel > User Accounts and Family Safety
  2. Click User Accounts
  3. Select Manage another account
  4. Select Create a new account
  5. Give it an appropriate username
  6. Set the password the same as your current account (why? See notes below)
  7. Set as Administrator type
  8. Save

Change your normal account to a standard account:

  1. Go to Start > Control Panel > User Accounts and Family Safety
  2. Click your normal user account
  3. Select Change the Account type
  4. Choose Standard
  5. Click Change Account Type button
  6. Restart and log back into your normal account.

Using this new system:

  1. When you try to install [good] software, Windows will prompt you to enter an admin account
  2. With the new admin account selected, enter your password (same as your normal account if you followed the above instructions)
  3. Your software will install

NOTE: You might be asking why we are doing this if the passwords are the same. In this case the passwords are irrelevant. Best practice, yes: all your passwords must be different. Real world: never going to happen, as it’s too hard. We want this to be simple, to stop ransomware and other malware/viruses.

Reducing your rights for normal use, and having Windows ask permission to install software at a particular moment in time, is the important part. Once malicious software or people have gained access to your computer it’s game over anyway.
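
To confirm the account split after the restart, the check below can be pasted into a PowerShell window while logged in as your normal account. It is an added example, not part of the original procedure. It assumes local (non-domain) accounts and only looks at direct members of the local Administrators group.

```powershell
# Added example: verify that the everyday account is no longer an administrator.
# Resolve the built-in Administrators group by its well-known SID so the
# check also works on non-English versions of Windows.
$sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$groupName = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

# List direct members through ADSI. This works in PowerShell 2.0 on Windows 7,
# where the newer Get-LocalGroupMember cmdlet is not available.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

Write-Output "Members of ${groupName}: $($members -join ', ')"

# -contains is case-insensitive, matching how Windows treats account names.
if ($members -contains $env:USERNAME) {
    Write-Warning "$env:USERNAME is still an administrator. Change it to a standard account."
} else {
    Write-Output "$env:USERNAME is not a direct member of $groupName (standard account)."
}
```

The member list should show the new admin account you created and should not show the account you use every day.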

Disable SMBv1 protocol

Don’t worry too much about understanding this one but rest assured if you are on Windows 7 or 10 and recently patched your computer you don’t need to do this.

BUT please test on a single machine first before doing this on others (what to test is at the end).

  1. Go to Start and type cmd
  2. When the command.exe application appears, right click and select Run As Administrator
  3. In the command prompt window, type powershell.exe
  4. You should now see a PS in front of the c:\windows\system32> file path
  5. Now copy the below command and paste into the command window:

For Windows 7

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

For Windows 10

Set-SmbServerConfiguration -EnableSMB1Protocol $false

Test

Restart your computer, then test your:

  • printers (send a test print)
  • Network drive connections (can you see files on a shared network drive)
  • Check any other connected devices are working
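
As part of the test, you can also confirm that the SMBv1 setting actually took effect after the restart. The script below is an added example, not part of the original instructions. The function name Get-Smb1ServerState is made up for this example, and the script should be run from the same administrator PowerShell window used above.

```powershell
# Added example: report whether the SMBv1 server is still enabled.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerState {
    # Windows 8/10 and later: ask the SMB server directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        if ((Get-SmbServerConfiguration).EnableSMB1Protocol) { return 'Enabled' }
        return 'Disabled'
    }

    # Windows 7: read the registry value written by the Set-ItemProperty command.
    # If the SMB1 value does not exist, Windows treats SMBv1 as enabled.
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.SMB1) {
        return 'Enabled (default, no SMB1 value set)'
    }
    if ($props.SMB1 -eq 0) { return 'Disabled' }
    return 'Enabled'
}

$state = Get-Smb1ServerState
Write-Output "SMBv1 server on $env:COMPUTERNAME : $state"
```

After the disable command and a restart the script should print Disabled. After the backout command it should print Enabled again.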

Backout

If you run into trouble and want to back out of this, you can reverse the changes by entering the below in a command prompt:

  1. Go to Start and type cmd
  2. When the command.exe application appears, right click and select Run As Administrator
  3. In the command prompt window, type powershell.exe
  4. You should now see a PS in front of the c:\windows\system32> file path
  5. Now copy the below command and paste into the command window:

For Windows 7

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force

For Windows 10

Set-SmbServerConfiguration -EnableSMB1Protocol $true

Chrome OS & Mac OS X

Go read a book, you have nothing to worry about. :)

Disclaimer

Please be advised that the information given in this post is “as is”. Even though I have taken great care in preparing this document I take no responsibility for the results of these procedures.  You should always consult your network administrator or conduct a small test prior to deploying in your business.
