http://www.osnews.com/story/19701/How_to_Secure_Your_Windows_Computer_and_Protect_Your_Privacy Exploring the Future of Computing en-us Copyright 2001-2009, David Adams adam+nospam@osnews.com Sun, 22 Nov 2009 15:55:46 GMT http://www.osnews.com/images/osnews.gif http://www.osnews.com http://osnews.com/thread?312301 http://osnews.com/thread?312301 Install Linux. Thu, 01 May 2008 02:10:00 GMT donotreply@osnews.com (Devils_Advocate) Comments http://osnews.com/thread?312307 http://osnews.com/thread?312307 One tip is to create a ramdisk and redirect your browser cache's to there (and the relevant web site tracking index.dat file will also be created there). Once the PC is turned off all the data in it goes with it. Thu, 01 May 2008 02:55:00 GMT donotreply@osnews.com (Jerra) Comments http://osnews.com/thread?312310 http://osnews.com/thread?312310 A really Excellent article. Thu, 01 May 2008 04:19:00 GMT donotreply@osnews.com (Nehemoth) Comments http://osnews.com/thread?312311 http://osnews.com/thread?312311 But when your are able to following that from a technical point of view and don't absolutely need some application running natively under some Windows, well, why not installing Linux or .. GOSH ..even some *BSD?
To make my point more clear, what we have here is again one of the countless proposals to overcome the inherent deficiencies of common commercial software. Which is about layering layer after layer on top of another until it is getting so complex that its internals are not understandable anymore as a whole.
Other aspects of that are the here mentioned agendas of Adobe with Flash and Microsoft with its Silverlight. Apart from the managabiltity of that stack of layers upon layers, ever thougth about the systems one needs to comfortably running that?
You can see that from an ecological, or practical point of view. Ecological insofar as that more complex software wastes more wattage, practical insofar as that this model is impractical for the coming ultramobile devices and ambient network infrastructure.
So we have a whole other side of software and operating system development, which is free and does care about such matters, which is actually REFACTORING the best pieces of proven to be successful code into something which is getting better and better all the time, and is MORE managable.

Why not use it when you care about that at all? Thu, 01 May 2008 04:23:00 GMT donotreply@osnews.com (Sophotect) Comments http://osnews.com/thread?312312 http://osnews.com/thread?312312 Good article, but it really does miss two key factors to not just protecting your privacy, but denying 99% of the viruses out there from even getting a foothold.

Don't use IE, don't use Outlook. Sure it talks about 'securing' IE, but that's more like relying on pulling out than wearing a raincoat.

For the majority of users a good deal of what the article talks about - deleted files not being 'deleted', tracking cookies, unique id's on office documents - REALLY don't matter on Grandma's computer. Sure if you are in a secure office environment working on critical stuff the competition would love to steal - that's a concern... If you are going nuts making purchases on non https websites that nobodys ever even heard of - that's a concern... If you don't want wifey seeing your porn - then it's a concern.

Apart from that, if you are doing anything that REALLY worries you that much about someone getting hold of it, you are probably doing something illicit, illegal and frankly should get what's coming to you.Edited 2008-05-01 04:35 UTC Thu, 01 May 2008 04:32:00 GMT donotreply@osnews.com (deathshadow) Comments http://osnews.com/thread?312314 http://osnews.com/thread?312314 Not too much anyone who's worked with windows shouldn't already know. For the less than capable user there are a few things that you must do when you build a pc for them.

Install an application based firewall in the background

block any network access to IE, windows messenger, outlook express and then install live messenger and block that too.

with a few more things mentioned in the article a pc that'd would have to be formatted every other week becomes set and forget. Thu, 01 May 2008 04:53:00 GMT donotreply@osnews.com (stabbyjones) Comments http://osnews.com/thread?312322 http://osnews.com/thread?312322 For this case, why not install Linux then ?

I mean, you have crippled all the internet applications on that machine, therefore, for them to browse they have to use Firefox or Opera. But there is still some sites that will install Windows trojans when you open the site in FF and blindly click OK anyway, so visiting dodgy sites in an alternative browser on Windows is still unsafe if you have not got a clue what you are clicking on.

Also, you cannot do what you suggest to people's computers because it will break compatibility with applications that need a fully working internet explorer for the installation or operation. Thu, 01 May 2008 06:00:00 GMT donotreply@osnews.com (raver31) Comments http://osnews.com/thread?312325 http://osnews.com/thread?312325 I fix three or four computers a day, at people's homes, day in - day out.
The /only/ way to avoid the plethora of malware on the Internet is to use /anything/ but IE. Firefox is the first port of call, and adBlock - adverts & flash are a major security risk now, don't think that they're not. I've seen it all first-hand over and over... Thu, 01 May 2008 06:32:00 GMT donotreply@osnews.com (Kroc) Comments http://osnews.com/thread?312329 http://osnews.com/thread?312329 Excellent article indeed. However, what about WGA and the known backdoors plus the applications and services harvesting user data?:

http://tinyurl.com/2ptclh

I hardly boot Windows XP, because I feel very uncomfortable with the idea "someone is spying at me".

I feel Microsoft has crossed the line here of what is ethical acceptable. Thu, 01 May 2008 07:39:00 GMT donotreply@osnews.com (ml2mst) Comments http://osnews.com/thread?312335 http://osnews.com/thread?312335 Somebody able to attack it will find it anyway and in addition you open up a new attact vector.
Basically somebody can jam your network and set up a new unencrypted with the same name and your windows box will just connect without notifying you that the network changed. This is a pretty recent finding .. i only know a good german article about it, but even Microsoft has a fairly good one:

http://technet.microsoft.com/de-de/library/bb726942


Basically keeping Windows secure is VERY hard. At the moment it is way simpler to just use Linux or Mac and keep them updated.

( GERMAN: http://www.heise.de/security/Drahtlos-Einbruch-trotz-WPA-dank-WLAN-... )Edited 2008-05-01 08:50 UTC Thu, 01 May 2008 08:40:00 GMT donotreply@osnews.com (kragil) Comments http://osnews.com/thread?312343 http://osnews.com/thread?312343 I have no idea why your comment was voted down, it made perfect sense to me and was not inflammatory or derogative in anyway.

I voted you back up because I fully agree with what you wrote!

I guess the astroturfers are in full flight tonight Thu, 01 May 2008 10:30:00 GMT donotreply@osnews.com (RawMustard) Comments http://osnews.com/thread?312357 http://osnews.com/thread?312357 Perhaps you need to run Windows to run some apps that you use, perhaps you prefer it, perhaps you want to play games.

Don't presume your choices are good for everybody. Thu, 01 May 2008 11:19:00 GMT donotreply@osnews.com (BluenoseJake) Comments http://osnews.com/thread?312361 http://osnews.com/thread?312361 ..and don't absolutely need some application running natively under some Windows.. Thu, 01 May 2008 11:22:00 GMT donotreply@osnews.com (Sophotect) Comments http://osnews.com/thread?312372 http://osnews.com/thread?312372 raver31 wrote:
-"I mean, you have crippled all the internet applications on that machine, therefore, for them to browse they have to use Firefox or Opera. But there is still some sites that will install Windows trojans when you open the site in FF and blindly click OK anyway"

well, that depends. if you are crazy enough to browse the web logged in as administrator then yes you are certainly vulnerable to trojans should you encounter a site that eploits a bug in your browser.

however, installing and running Firefox, Opera etc under a unpriviledged account will make sure that although exploits may allow malicious code to be executed, the amount of damage that code can do is limited to the rights of unpriviledged account.

running IE is another matter though. since Microsoft chose to integrate it into the system there are likely possibilities for for exploits to compromise the system under the guise of IE which may give the malicious code further priviledges.

raver31 wrote:
-"Also, you cannot do what you suggest to people's computers because it will break compatibility with applications that need a fully working internet explorer for the installation or operation."

apart from when using windowsupdate.com, I haven't encountered situations or software where I need internet explorer. Thu, 01 May 2008 12:51:00 GMT donotreply@osnews.com (Valhalla) Comments http://osnews.com/thread?312378 http://osnews.com/thread?312378 I always wonder if people like the parent have actually tried this in real life.

What happens when this person - your client - buys a game and can't play it? What happens when they try to download some software and can't run it? What happens when they buy some exotic hardware - like an iPod - and it doesn't work right? What happens when they want to buy something from the iTMS and they can't access it?

Linux is great, don't get me wrong, but it's not the solution for everybody. When are people going to realize that Linux is NOT a panacea, and you can't just slap it onto someone's PC when they ask for your help? Thu, 01 May 2008 13:21:00 GMT donotreply@osnews.com (Adam S) Comments http://osnews.com/thread?312379 http://osnews.com/thread?312379 Windows Update is a standalone app in Vista and Server 2008 and you don't need IE for it. Thu, 01 May 2008 13:22:00 GMT donotreply@osnews.com (Adam S) Comments http://osnews.com/thread?312389 http://osnews.com/thread?312389 I can perfectly understand your reasoning about Linux not being the cure for the average user. But as i said elsewhere, if you are not dependant on running some Windowsapplication natively, it may be. In my experience the need to use Windows is an illusion. It wasn't once, but it is now. For exactly the same reasons which are mentioned in the article. Because these measures are way over the top of what an "average user" can or is willing to manage and understand why he has to do that. Of course some peripherals do not work, or do it less than optimal. But one can perfectly circumvent that problem by choosing them accordingly. And have less stress that way.Edited 2008-05-01 13:50 UTC Thu, 01 May 2008 13:44:00 GMT donotreply@osnews.com (Sophotect) Comments http://osnews.com/thread?312394 http://osnews.com/thread?312394 Having actually moved people from Windows to Linux, I can tell you that in real life, this only works maybe 50% of the time.

People are generally not happy when they don't understand that Linux is not Windows, and that not all hardware will work out of the box, no drivers on disks will work, the software that came with their CD Labeler, or their new scanner, or their new camera, etc will not work.

Yes, sometimes Linux can be a great answer. But many times, it just doesn't work for the user to switch without the will. Thu, 01 May 2008 13:57:00 GMT donotreply@osnews.com (Adam S) Comments http://osnews.com/thread?312396 http://osnews.com/thread?312396 wrong tip,
RAM (in spite of general belief) can retain information for minutes/several days. With physical access to your machine it is possible to retrieve information from RAM.

Linux (UNIX in general) does exactly the same thing:
run
dd if=/dev/mem bs=1m count=[mem size] | strings | grep [whatever]

dump it

rather encrypt whole disk with AES-loop


When I was using windows boot/system partition was read-only (with registry fixes for some Adobe and MS programs) for users (cache/temp moved to another partition)
always used Run As (never logged as root), never used IE. Updates. firewall (OpenBSD/PF, and windows firewall)
for several years systems were clean (viruses/malware) with long uptimes

I am not saying that this is best way of protection, but worked for me. Thu, 01 May 2008 13:58:00 GMT donotreply@osnews.com (broch) Comments http://osnews.com/thread?312401 http://osnews.com/thread?312401 Having actually moved people from Windows to Linux i can understand that they are not happy in some cases, but it is less hassle for me. To the driver discs which don't work, as of now this is a myth because for most common hardware you don't need them anymore. If they have problems with the limits which are outweighed by other factors then they may harass somebody else. It is as simple as that.

*shrug*Edited 2008-05-01 14:25 UTC Thu, 01 May 2008 14:12:00 GMT donotreply@osnews.com (Sophotect) Comments http://osnews.com/thread?312405 http://osnews.com/thread?312405 Adam S wrote:
-"Windows Update is a standalone app in Vista and Server 2008 and you don't need IE for it."

I was talking about the site, http://www.windowsupdate.com/ Thu, 01 May 2008 14:20:00 GMT donotreply@osnews.com (Valhalla) Comments http://osnews.com/thread?312406 http://osnews.com/thread?312406 I understand what you're saying, I really do. But I tire of people who say things like "if they do it that way then forget them." That's precisely why Linux continues to struggle to make significant inroads, because it's "my way or the highway" too often.

This is like when I said "businesses use HTML email, get used to it," and people had the GALL to say "Well, I wouldn't do business with them."

Good for you. If, by some slim chance, you got some interest from a multi-million dollar company and chose to turn them away on some silly principal, good for you and your principals. But your loss, I'd say.

Same thing here. If you ran a small business and refused to support people who chose to stay on Windows for no good reason other than they were familiar with it and wanted it, good on you. I hope you have enough business to not need those customers. But back in the real world, we have to deal with TODAY. And most people aren't ready to make that commitment, including power users, until THEY chose to make it, because it comes with a STEEP learning curve. 90% of desktop users can't install Flash or Java into a Linux distro without assistance. They aren't much interested in the politically-motivated "switch or die" opinion of their IT-for-hire repair guy, who arrogantly tells them that they need to use Linux or not be supported. Thu, 01 May 2008 14:21:00 GMT donotreply@osnews.com (Adam S) Comments http://osnews.com/thread?312407 http://osnews.com/thread?312407 You can't use that site in Vista or Server 2008. Windows Update is a standalone app, and the site will tell you so. Thu, 01 May 2008 14:23:00 GMT donotreply@osnews.com (Adam S) Comments http://osnews.com/thread?312409 http://osnews.com/thread?312409 Adam S wrote:
-"You can't use that site in Vista or Server 2008. Windows Update is a standalone app, and the site will tell you so."

ehh ok, sure. but I'm running Windows XP. and here it works with Internet Explorer, but not with Firefox or Opera (likely due to it relying on activex), so as I said in the earlier post, for me that is the only situation I've encountered where I need to use Internet Explorer.

where exactly are you going with this Adam? Thu, 01 May 2008 14:32:00 GMT donotreply@osnews.com (Valhalla) Comments http://osnews.com/thread?312417 http://osnews.com/thread?312417 Yah ;-) For exact these reasons i'm not in the ICT-Field anymore. Because in most cases it's a waste of time and energy, a moving target, sysiphus work. So, when i do this in private, in my spare time, as a favor, i feel perfectly legitimated to act like this.
And i don't do this out of the blue. I say in advance that they can't do this and that but they don't have to do this and that anymore and show them how it could look. Or my Wife shows them, or her Mother which has some Taxstuff running under Wine, or her Brother which is an Electrician and has some of his needed Businessapplications running under Wine. All have differnet desktops, toolkits, layouts, programs and whatnot else. And guess what? Most people are happy. Because it works, and they don't need to buy expensive new machines. Really, i couldn't care less for some Multibillion$-Company showing interest :-) Thu, 01 May 2008 14:44:00 GMT donotreply@osnews.com (Sophotect) Comments http://osnews.com/thread?312418 http://osnews.com/thread?312418 Windows does not require IE anymore for WU. As time goes on, you won't need IE, which is what the grandparent said, that he needed IE for WU. All I've been saying is that that restriction has been removed in all current versions (and, presumably, future versions) of Windows. Thu, 01 May 2008 14:46:00 GMT donotreply@osnews.com (Adam S) Comments http://osnews.com/thread?312469 http://osnews.com/thread?312469 "well, why not installing Linux or .. GOSH ..even some *BSD?

Is GOSH some kind of new operating system? Thu, 01 May 2008 19:51:00 GMT donotreply@osnews.com (Isolationist) Comments http://osnews.com/thread?312523 http://osnews.com/thread?312523 i'm not saying it's perfect but it's a step towards stopping people with no idea destroying their pc.

i don't run windows myself anymore (debian) but convincing other people to make the switch when they're used to their ways is hard.

most people with a low pc skill use webmail not outlook and while it's sitting there it's useless and a possible threat.

if you force people to use opera or firefox (which is my point in blocking IE) you can can block scripts and ads and even though there are still vulnerabilities there is less chance of someone with a low skill level destroying the system after you've set it up.

if anything needs IE you can always allow connections from IE temporarily. it's blocked by a firewall and not removed from the system. so functionality isn't reduced

this doesn't change anything in the system itself and is more of a simple lockdown. i much prefer getting a call saying an application isn't working rather than the whole system is shagged. Fri, 02 May 2008 00:17:00 GMT donotreply@osnews.com (stabbyjones) Comments http://osnews.com/thread?312559 http://osnews.com/thread?312559 Exotic hardware like an ipod ? You are aware that ipods and linux work seamlessly ? Rythmbox, Amarok, gpodder etc etc

anyway, you are right, most people cannot use Linux, but my initial response was to the parent post, where someone locked down a Windows box so tight that Linux would actually work better. Fri, 02 May 2008 10:51:00 GMT donotreply@osnews.com (raver31) Comments http://osnews.com/thread?312562 http://osnews.com/thread?312562 I do realize iPods work seamlessly, but not all associated stuff does. Obviously, no iTMS. iTunes. No iPhone. Fri, 02 May 2008 11:19:00 GMT donotreply@osnews.com (Adam S) Comments http://osnews.com/thread?312722 http://osnews.com/thread?312722 That's the question I asked once on discussion forum where I hang out...

Discussion that followed: http://forums.murc.ws/showthread.php?t=58810 (no point in copy&paste, I guess)

Suffice to say I don't run any, not even the one built into Windows. And no problems because of that...

If I'll _really_ want a firewall, I'll use pfsense or m0n0wall

PS. Before anybody brings out again the only good sounding argument for software firewalls - if you need software firewall to know that your machine has been compromised by some malware, you've already lost. Sun, 04 May 2008 01:06:00 GMT donotreply@osnews.com (zima) Comments http://osnews.com/thread?312894 http://osnews.com/thread?312894 why not? Because Linux is not "safe version of Windows". Period. Mon, 05 May 2008 15:59:00 GMT donotreply@osnews.com (autumnlover) Comments http://osnews.com/thread?312896 http://osnews.com/thread?312896 1. I recommend to avoid Commodo firewall. Not for the firewall itself, but for its broken uninstaller. I do not know if they fixed it already, but I tried it about month ago and it was disastrous.

2. Have two firewalls running at once do not make any harm? I don't think so. Mon, 05 May 2008 16:03:00 GMT donotreply@osnews.com (autumnlover) Comments