Securing your computer

Authentication and partitioning

Improve Your Personal Digital Security

  • Protect access to your computer
  • The principle of least privilege
  • Multisession: separate environments
  • Virtual machines
  • Sandboxing
Your computer's security begins with two important concepts in cybersecurity: authentication and partitioning. These two approaches form the basis for effectively protecting your machine, preserving your privacy and ensuring your digital sovereignty. In this chapter, we'll explore in depth how to manage these aspects on your computer.

Protect access to your computer

Protecting physical and software access to your computer is the basis of its security. An unsecured machine can easily become an entry point for an attacker or allow sensitive data to leak out, even without an Internet connection. Whether you're using Windows, macOS or Linux, there are several basic measures you need to put in place to limit the risk of unauthorized access.

Operating system password

The session password (the one you are prompted for at startup or when waking from sleep) is the first barrier against intrusion attempts. It prevents a third party from accessing your data or manipulating your system if your machine is stolen or left unattended.
This password must be strong:
  • It must be long enough. At present (June 2025), I recommend a minimum of 20 characters;
  • It must combine upper and lower case letters, numbers and special characters;
  • It should be as random as possible, and not contain any links to elements of your direct or indirect environment, such as a name, date or place.
[Figure omitted. Source: Hive Systems]
A complex password is bound to be difficult to remember. I therefore recommend using a password manager like Bitwarden or KeePass.
Finally, change this password regularly—every 3 to 6 months—especially if your machine is used in shared or mobile environments.

Securing BIOS/UEFI access

Your computer's security doesn't begin once the operating system has been launched, but right from the start. Before Windows, Linux or macOS even runs, a program integrated into the motherboard, called BIOS or UEFI, depending on the generation of your machine, takes control of the machine to initialize the hardware and launch the boot process.
BIOS (Basic Input/Output System) is the predecessor of UEFI (Unified Extensible Firmware Interface). Today, UEFI is the standard on all modern computers.
By default, access to these settings is unprotected. An attacker with physical access to your machine (in a shared space, in case of theft, or even temporarily without your knowledge) could enter the UEFI interface and modify critical settings. They could, for example:
  • Change boot order to force launch of an external system from a USB key
  • Disable security mechanisms such as Secure Boot
  • Install malware in your computer's firmware
To protect yourself against these offline attacks, it's important to lock access to the BIOS/UEFI with a password. This password is separate from your operating system password and prevents unauthorized access to BIOS/UEFI.
The exact procedure depends on your motherboard model, but generally you need to:
  • Restart your computer
  • Immediately after power-up, quickly press the BIOS/UEFI access key specific to your machine (Del, F2, F10, Esc...)
  • In the interface that appears, find the security or administrator password options
  • Set a long, unique and random password
  • Save the changes and restart the computer
Warning: if you lose this password, you will be blocked and will have to reset the motherboard. So be sure to keep this password in a password manager or in a secure physical location.
In addition, enable the "Secure Boot" feature if it is available and not yet active. This mechanism prevents unsigned or altered code from executing at boot time. It's designed to block bootkits and rootkits, types of malware that infect the computer's boot process, before the OS even starts up.
Securing the UEFI is an often overlooked but absolutely crucial measure to protect your machine against advanced attacks. It is one of the few bulwarks against physical intrusion or pre-system manipulation.

Securing physical access to the computer

Securing a workstation is not limited to software protections: if a malicious individual gains physical access to your machine, they can bypass many barriers or compromise the system without your knowledge. This is particularly true for laptops, which are easy to transport, but also for any device left in a shared space, open to the public or even simply accessible to other people.
One of the most common (but underestimated) risks is leaving a computer unattended, even for a few minutes, in public places such as libraries, conferences, open spaces and hotel lobbies. This is not just a risk of theft: in a matter of seconds, a malicious person can connect a malicious USB stick, install spyware, modify boot parameters to force an external boot, or capture credentials by injecting a hardware keylogger.
In the same vein, I advise against using external accessories or peripherals that you do not control. Avoid inserting USB sticks, external hard drives, chargers or dongles into your computer if the origin of these objects is not known (new or owned by a trusted person). Some seemingly innocuous accessories may contain circuits capable of executing malicious commands as soon as they are plugged in. Conversely, don't lend out your own accessories or leave them unattended in accessible places: they could be exchanged for compromised versions.
To limit the risk of physical theft, you can equip a desktop PC with a physical locking system. Most professional PCs feature a Kensington security port, enabling a steel cable to be attached to a fixed piece of furniture. Variants are also available for laptops. These devices do not, of course, offer absolute protection against theft, but they are sufficient to deter opportunistic attacks.
In addition, always switch off your machine when you're away from it, especially in an unsecured environment. Unlike simple standby, a complete shutdown prevents the OS from loading, and protects against certain attacks targeting RAM. It also brings your BIOS/UEFI password back into play at the next start-up.
Finally, one of the most important measures you can take to protect yourself from theft is to activate full disk encryption. This protects your data by making it inaccessible without a password, even if the disk is extracted and plugged into another machine. On some systems, this encryption is enabled by default:
  • macOS uses FileVault
  • Windows uses BitLocker, but its activation depends on the machine and OS version
  • Linux distributions do not automatically encrypt the disk, unless this option is selected during installation. You can use LUKS to encrypt the disk
In all cases, the decryption password must be strong, distinct from the system password, and stored in a secure password manager. If you're using an external disk or USB key containing sensitive data, also consider encrypting them individually with tools like VeraCrypt.

The principle of least privilege

The principle of least privilege is a fundamental rule in cybersecurity, according to which each entity (a human user, a software program, a system process, etc.) should only have the rights strictly necessary to accomplish its tasks. In other words, never grant more authorizations than necessary, as each additional permission increases the system's attack surface.
In concrete terms, on your personal computer, this means that your main user account must not have administrator rights for everyday activities: web browsing, checking email, office work, etc. Indeed, if malicious software is executed by an account with elevated rights, it will be able to modify system files, install persistent services, or disable security protections. Conversely, if it is run in a restricted environment, its ability to cause harm will be limited.
On Windows, most users have an administrator account by default, even though this is bad practice. I recommend that you create a standard user account for everyday use, and leave the administrator account for operations that really need it. When you try to perform a task that requires elevated privileges, Windows will then ask you for the administrator's password instead of just offering a "Yes" button to click.
Under Linux, this principle of least privilege is better applied. By default, you have a user account with limited rights, and you can raise your privileges temporarily with the sudo command. It is also possible to configure sudo to authorize only certain commands depending on the user (via /etc/sudoers).
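As an added illustration of the per-user sudo configuration mentioned above (not taken from the course), here is what a restricted rule looks like. The user name "alice", the file name and the allowed commands are placeholders; such a file is always edited with `visudo -f <file>`, which checks the syntax before saving, because a syntax error can lock everyone out of sudo.

```text
# /etc/sudoers.d/10-alice  (hypothetical file name; edit only with "visudo -f")
# Constructed example: "alice" is a placeholder standard account.

# Command aliases group the binaries alice is allowed to run with elevated rights.
Cmnd_Alias UPDATES  = /usr/bin/apt update, /usr/bin/apt upgrade
Cmnd_Alias SERVICES = /usr/bin/systemctl restart NetworkManager

# alice may run only those commands, only as root, and must still type her own password.
alice ALL = (root) UPDATES, SERVICES

# Everything not listed (a shell, an editor, package removal...) is refused by sudo.
```

The point of using full paths in the aliases is that sudo matches on the exact binary: a rule for `apt` does not silently grant a root shell, which a blanket `ALL` would.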
On macOS, although the first account created often has administrative rights, the system uses a mechanism similar to sudo: you need to confirm your actions with a password for any critical operation. Nevertheless, it's perfectly possible to create a standard user account and reserve the administrator account for occasional use, which I recommend if the computer is used by several people.
This compartmentalization is not limited to human users. Many applications require elevated privileges on installation, and then continue to run with these rights when they are no longer needed. I therefore advise you, wherever possible, to prefer applications that run in user mode, to uninstall software you no longer use, and to be vigilant about elevation-of-privilege requests.

Multisession: separate environments

In addition to separating administrator accounts from standard accounts, a complementary best practice is to create several distinct user sessions on the same computer to partition usage according to its nature. This approach is based on a simple logic: by compartmentalizing your activities into separate environments, you reduce the attack surface of each environment and limit the consequences of any security incident.
All modern operating systems allow multiple user accounts to be created on a single machine. These accounts each have their own personal space: files, applications, settings and network sessions are not shared between them, unless explicitly authorized.
For example, you could structure your sessions as follows:
  • An account dedicated to your professional activity, where you install only the software you strictly need (office suites, collaboration tools, professional messaging...). This session must not be used for free web browsing or software testing;
  • An account for personal use, used for everyday web browsing, social networking, streaming, or installing consumer applications. This is typically the session most exposed to browser attacks or suspicious downloads;
  • An account reserved for sensitive activities, such as consulting bank accounts, managing your Bitcoin wallets, or any other use requiring a high level of security. This account should be used exclusively for these tasks, with software installed limited to what is strictly necessary, and with a stricter network configuration;
  • A guest or highly restricted account, intended exclusively for occasional use by family members, for example. This account must obviously have no administrator rights and limited access.
There are several advantages to adopting this approach. Firstly, applications installed in a session cannot interfere with those of others (except in the case of privilege elevation). Secondly, if a session is compromised, for example via downloaded malware, the impact is generally contained within the limits of that account. This means that your business documents or Bitcoin wallets will remain inaccessible to malware if they are kept in another, properly isolated session.
On Linux, this separation can be reinforced by mechanisms such as AppArmor or SELinux, which can be used to further restrict access rights for each session.
It's important to note that multisession does not replace the use of a non-administrator account, nor the application of the principle of least privilege. It complements it by adding a layer of logical isolation, which is easy to set up and particularly effective for hybrid family or professional use.
Finally, another approach, more radical but particularly effective, is to dedicate a separate computer to each use, for example: one laptop dedicated exclusively to professional activity, another for personal use, and a third simple, well-secured one reserved for sensitive activities.
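The statement that files are not shared between sessions "unless explicitly authorized" deserves one check on Linux: on several distributions, home directories are created world-readable (mode 755), so another local session can read everything that is not explicitly protected. The following is an added audit script, not code from the course; it assumes a Unix-like host where each session's files live under a common home root, and builds two fake home directories in a temporary folder to show the difference between an open (0o755) and a private (0o750) home.

```python
import os
import stat
import tempfile

# Assumption: a Linux/Unix host where each session's files live under a home root
# such as /home/<user>. The demo uses a temporary directory instead of /home.


def classify_home_mode(mode: int) -> list[str]:
    """Return the isolation problems implied by a home directory's st_mode bits."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable: other sessions can list and read its files")
    if mode & stat.S_IWOTH:
        findings.append("world-writable: other sessions can plant or alter files")
    if mode & stat.S_IXOTH:
        findings.append("world-traversable: other sessions can reach files whose path they know")
    return findings


def audit_homes(home_root: str = "/home") -> dict[str, list[str]]:
    """Map each home directory under home_root to its list of findings (empty = private)."""
    report = {}
    for entry in os.scandir(home_root):
        if entry.is_dir(follow_symlinks=False):
            mode = entry.stat(follow_symlinks=False).st_mode
            report[entry.name] = classify_home_mode(mode)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed example: two fake homes, one open (0o755) and one private (0o750)."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("personal", 0o755), ("work", 0o750)):
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, mode)  # chmod, because mkdir's mode argument is subject to umask
        return audit_homes(root)


if __name__ == "__main__":
    for user, findings in demo().items():
        print(f"{user}: {findings or 'private'}")
```

Where the audit reports a world-readable home, `chmod 750 /home/<user>` closes it without affecting the owner; the group bit is left so that a deliberately shared group can still be granted access.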

Virtual machines

Virtual machines (or "VMs") enable you to create completely isolated environments within your computer. A VM simulates an independent computer with its own operating system, applications and settings, but functions in reality as a program running on your main machine.
This technology is based on a hypervisor, a software program that manages the creation and execution of VMs. The best-known solution is VirtualBox, an open-source, cross-platform software package. It makes it easy to create a VM in just a few clicks, by allocating specific resources to it.
In terms of IT security, one of the great advantages of virtual machines is their ability to compartmentalize. A VM does not share its files, processes or network access with the host system, unless you explicitly configure these exchanges. So if a VM is infected by malware, or if you test sensitive software inside it, the impact remains confined to that virtual machine: your main system remains intact, provided the isolation parameters are respected (no shared directories, no USB devices passed to the VM...).
A VM can enable you to test suspicious software: if you download a program from an unreliable source or a dubious site, you can first run it in a VM to observe its behavior in complete safety. This can also be useful when browsing risky sites: you can dedicate a VM to the consultation of sensitive or unknown web content, which reduces the chances of malicious script attacks or exploitation of browser vulnerabilities. In short: using a VM allows you to easily isolate a specific use from the rest of your system.
Finally, it's important to understand that the security provided by VMs depends on their correct configuration. By default, some hypervisors authorize file exchanges between the host and the VM, or allow access to USB peripherals. These functions should be disabled to maximize isolation.
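Because the isolation depends on configuration, it is worth checking it rather than assuming it. The following is an added example, not part of the course or of VirtualBox: it parses the key="value" format that `VBoxManage showvminfo <vm> --machinereadable` prints and flags the settings the text warns about (shared clipboard, drag-and-drop, USB controller, shared folders), plus a bridged network adapter. The sample output is constructed; the key names follow VirtualBox's machine-readable format as I know it, and the `VBoxManage` flags quoted in the findings are those of recent versions (both are assumptions to check against your version's manual).

```python
# Constructed sample in the style of "VBoxManage showvminfo <vm> --machinereadable".
# Key names follow VirtualBox's machine-readable output as I know it (assumption);
# the VM name, the share and its host path are invented for this example.
SAMPLE_VMINFO = """\
name="test-lab"
ostype="Ubuntu_64"
clipboard="bidirectional"
draganddrop="disabled"
usb="on"
nic1="nat"
SharedFolderNameMachineMapping1="Downloads"
SharedFolderPathMachineMapping1="/home/user/Downloads"
"""


def parse_vminfo(text: str) -> dict[str, str]:
    """Turn key="value" lines into a dict, dropping the quotes around values."""
    settings = {}
    for line in text.splitlines():
        key, sep, raw = line.partition("=")
        if sep:
            settings[key.strip()] = raw.strip().strip('"')
    return settings


def audit_isolation(settings: dict[str, str]) -> list[str]:
    """Return each setting that weakens host/guest isolation, with its remediation.

    VBoxManage flag names are those of recent versions (assumption; check your manual).
    """
    findings = []
    if settings.get("clipboard", "disabled") != "disabled":
        findings.append(f"clipboard={settings['clipboard']}: disable with "
                        "'VBoxManage modifyvm <vm> --clipboard-mode disabled'")
    if settings.get("draganddrop", "disabled") != "disabled":
        findings.append(f"draganddrop={settings['draganddrop']}: disable with "
                        "'VBoxManage modifyvm <vm> --drag-and-drop disabled'")
    if settings.get("usb", "off") != "off":
        findings.append("usb=on: USB devices can be passed to the guest; disable with "
                        "'VBoxManage modifyvm <vm> --usb off'")
    for key, value in settings.items():
        if key.startswith("SharedFolderName"):
            # The matching host path is stored under the same key with Name -> Path.
            path = settings.get(key.replace("SharedFolderName", "SharedFolderPath", 1), "?")
            findings.append(f"shared folder '{value}' -> {path}: the guest can read host "
                            f"files; remove with 'VBoxManage sharedfolder remove <vm> --name {value}'")
        elif key.startswith("nic") and key[3:].isdigit() and value == "bridged":
            findings.append(f"{key}=bridged: the guest sits directly on your LAN; prefer NAT")
    return findings


if __name__ == "__main__":
    for finding in audit_isolation(parse_vminfo(SAMPLE_VMINFO)):
        print("-", finding)
```

Run against a real VM, the input would come from `VBoxManage showvminfo <vm> --machinereadable`; an empty result means the VM matches the isolation baseline described in this section.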

Sandboxing

Sandboxing is a computer security method that involves running an application or process in an isolated, highly restricted environment. The aim is to strictly limit the application's interaction with the rest of the system. Should a threat arise, its effects are normally contained within this perimeter.
Unlike virtual machines, which simulate a complete operating system with its own resources, sandboxing is lighter, quicker to deploy and less resource-intensive. It relies on mechanisms for limiting access rights: to memory, files, network, peripherals... A sandboxed application can, for example, read a temporary file but never access your personal directory or file system.
Here are some concrete solutions for sandboxing, depending on your OS:
Windows
  • Windows Sandbox (only available in Windows 10/11 Pro and Enterprise);
  • Sandboxie Plus (open source).
Linux
  • Firejail: a powerful, lightweight tool that isolates applications using predefined profiles. It works well with a wide range of applications, including Firefox, VLC and Telegram;
  • Flatpak: as we have already seen, this is not sandboxing software per se, but a software package manager that integrates sandboxing: each application installed via Flatpak is isolated from the host system by default, with fine-grained control of permissions (access to microphone, camera, network, etc.).
macOS
  • On macOS, sandboxing is a native feature built into the kernel, but is only activated if specified by the software developer. App Store applications are automatically sandboxed, but those installed from the web (or from the command line) are not sandboxed by default.
Finally, while sandboxing offers an effective layer of protection, it's important to understand that it's not a complete replacement for a VM or a well-partitioned system.
Now that we've covered the security of your computer through authentication and compartmentalization, in the next chapter we'll look at good maintenance practices to further enhance its security.
Quiz

Question 1 of 5: What's the main advantage of running applications in a sandbox or virtual machine?