posted by Howard Fosdick on Mon 6th Sep 2010 21:56 UTC
IconIn previous OS News articles, I've claimed that mature computers up to ten years old can be refurbished and made useful. My last article identified and evaluated different ways to refurbish these computers. One approach is to keep the existing Windows install and clean it up. This has the advantage of retaining the Windows license and software, the installed applications, and the existing drivers. But it takes some work. In this article we'll see what this entails.

Cleaning up an unknown Windows system requires three steps, performed in this order:

  1. Security
  2. Anonymization
  3. Performance tuning
This article discusses security and anonymization. Next month's article covers performance tuning. This article is based on my free guide How To Secure Windows and Your Privacy. The guide was published two years ago but is still relevant to cleaning up Windows.  I'll leave out the screen illustrations in the guide, as well as its more detailed techniques.

We'll cover the highlights here. The goal is to answer this question -- how can you secure a Windows computer about which you can make no assumptions?

Orientation

This article assumes you've already decided to revitalize Windows. If you're interested in whether cleaning up an existing Windows install is a good way to refurbish a computer, see the discussions in previous articles in this series.

I'll assume you are securing Windows XP, since XP was Microsoft's primary consumer offering from 2001 to 2007. The tips in this article also apply to Windows 7 and Vista, but the examples are based on XP.

I assume that the copy of Windows you want to secure is on an "unknown computer." By this I mean a computer that is previously unknown to you, so you can not make any assumptions about it. If you're refurbishing a "known" computer, for example, an old machine you haul out of your own basement or attic, you may be able to skip some of the steps.

It's important to understand that due to the ways in which rootkits and like technologies operate, you can never be theoretically certain that an unknown Windows computer you clean up is completely secure. Only wiping the disk and cleanly installing an operating system absolutely guarantees security. But from a practical standpoint, the procedures in this article ensure adequate security for normal situations.

Before you can secure Windows, if you're working with an unknown computer you might have to circumvent password protection.  While there are several different approaches to this problem, I've had excellent results with the free program Offline NT Password and Registry Editor. The program deletes the Administrator password so you can log on to the Administrator account without entering a password. You'll need a user login with Administrator rights to secure Windows.

Be sure to reset the Administrator account password after you gain access. Obviously, Windows passwords don't offer much protection if someone has physical access to the computer. But they're still vital to protect against unauthorized remote access. (To secure your data against someone who can physically access the computer, use Windows' built-in encryption or a competing free encryption program.)

You can secure and anonymize Windows without buying any software. All the programs mentioned in this article are free, except one which is specifically noted.

It's always a good idea to back up Windows prior to changing it. Use Windows' System Restore or System Protection feature to make a backup or "restore point" for Windows:  Start -> All Programs -> Accessories -> System Tools -> System Restore.

Firewall

The first step to securing Windows is verifying that it has a functioning firewall. Firewalls prevent unauthorized connection to the computer from the outside. An internet-connected Windows computer without a firewall will be quickly compromised. You don't want to spend time cleaning up Windows by running anti-malware programs until you've secured it with a functioning firewall.

Windows XP came with either of two different firewalls (depending on the release). Both secured the computer against incoming connections, but neither could block unauthorized outgoing connections. Windows 7 and Vista bundle a firewall that can also block outgoing connections, but by default this feature is disabled. Windows ME, 98, and 95 did not come with firewalls.

In addition to protection against incoming penetration attempts, you need outgoing firewall protection to secure an unknown computer.  Otherwise, if the computer is already compromised and sending out information, you will have no way to know it. The bundled XP firewall will not tell you. Nor will the Windows 7 and Vista firewalls -- unless they have been specifically configured to block unauthorized outgoing connections. Read how to enable outbound Windows 7 and Vista firewall protection here and here.

Outbound filtering can not guarantee that no information is sent from a compromised computer to the outside world, but it can stop many such attempts. See this TechNet article if you're interested in the details about where outbound firewall protection helps and what it can not stop.

If you are refurbishing XP and need a bi-directional firewall for full two-way protection you might try the free programs listed at The Free Country:
I've found ZoneAlarm easy to set up and largely self-configuring. Gizmo's Freeware offers good reviews of free software including firewalls and also presents user feedback on which they think best. 

Test the Firewall

When you are done configuring the firewall, test how well the computer resists outside penetration by running the free ShieldsUp! program. ShieldsUp! probes your computer and tells you about any security vulnerabilities it finds. (Those concerned about privacy might also find it enlightening to see the identifying system information your computer passes to any web site you visit.)

Verify that your firewall blocks unauthorized outgoing connections by downloading the free LeakTest program from the same web site. Only firewalls offering bi-directional protection will pass LeakTest.

Malware

Once you've secured your perimeter you're ready to identify and eliminate malware from your computer.  Malware includes viruses, trojans, keyloggers, dialers, rootkits, botware, spyware, worms, and adware.  I recommend installing and running a number of free anti-malware programs, one after another, using this procedure:
  1. Download the anti-malware program
  2. Install it (verifying no conflicts occur with existing anti-malware)
  3. Update it to the latest anti-malware definitions or "signature files"
  4. Full-scan the disk(s) with the program
  5. Remove infections (automatically and/or manually)
  6. If infections were found, re-run the same program to verify they are successfully removed
Install and run anti-malware programs serially -- rather than in parallel -- to avoid possible program conflicts. It can be very confusing when asked to identify which infections or potential infections to remove when confronted with a long list of them from several programs running at once. The serial approach also makes handling false positives easier. So while running anti-malware programs one after another takes more time, it's a more accurate way to ensure you've identified and removed all malware.

If a program finds some malware and automatically removes it, re-run that same program a second time to ensure that the malware was successfully removed. If you find persistent infections the anti-malware can not automatically remove, you may have to get involved in the process yourself with an analytical program like Trend Micro's HiJackThis.

Why should you run multiple anti-malware programs? No anti-malware program has a 100% detection rate. Anti-malware programs have different strengths and best identify different threats.

Often people tell me "I rely only on XYZ Anti-Malware and don't need to run any other program, because XYZ tells me my system is clean. Just use XYZ Anti-Malware and you don't need any other anti-malware program." This is fallacious reasoning. All the clean scan by XYZ Anti-Malware tells you is that it can't find any infections. This doesn't guarantee your system is free of infection. If you don't understand this then read about the complexities of malware detection at the AV Comparatives web site. Or glance at this list showing how detection rates vary and that no program approaches a 100% detection rate.

The table below lists effective free anti-malware tools I've used. The two middle columns of the table tell whether the free version of the product provides real-time and/or batch disk-scanning capabilities.  You initially deep-scan the disks to clean a computer. Then going forward, you'll also want to install real-time protection.  Free products frequently change their coverage so the two middle columns may become outdated if you're reading this article some time after it was published. 

With apologies to the vendors, I've listed the popular short names for their products instead of the longer formal product names. The links go directly to each vendor's web site. At most of them you simply click the "downloads" tab to download their free product.


Product:
Free Real-Time
Protection?
Free
Disk Scanner?

Comments:




Ad-aware
Some (processes protection only)
yes
Best known for adware prevention, detection & removal
avast!
yes
yes
Good general purpose program
Avira
yes
yes
Good general purpose program
AVG
yes
yes
Good general purpose program
a2 (or a-squared)
now known as Emsisoft Anti-Malware
no
yes
Good general purpose scanner. Real-time protection was dropped from the most recent free version.
Clamwin
Some
(email only)
yes
Slower scanner than some of the others but thorough and yields usefully different results.
HiJackThis no
yes
Best product for manual removal of infections that other products can not automatically remove. Requires your involvement and expertise.
Malwarebytes no
yes
Good general purpose scanner
RootKitRevealer no yes Specialized but keys on a very important threat -- rootkits. Requires your involvement and expertise.
Spybot Search and Destroy
yes
yes
Best known for spyware detection & removal
SpywareBlaster
yes
no
Best known for Internet Explorer and Active X defense
SpywareGuard
yes
no
Best known for spyware prevention
WinPatrol
yes
no
Best known for intrusion prevention
 

Find good summaries of free anti-malware programs at The Free Country's web pages on anti-virus,  spyware & browser protection, and intrusion prevention programs. Gizmo's Freeware has a nice list of what they consider the better free programs as well as comparisons and reviews. CNet's download site for free software also offers good product evaluations.

I've excluded Microsoft's own tools from the above chart because I don't have experience with them all. Microsoft's anti-malware programs have evolved from Windows Live OneCare (once known as Windows OneCare Live), to Windows Defender (once known as Microsoft Anti-Spyware), to their current offering, Microsoft Security Essentials (also known as MSE).  Along the way Windows Update (once known as Automatic Updates) downloaded and installed the Microsoft Malicious Software Removal Tool (also known as MSRT).

Whew! That's a long and winding road. The good news is that with its current free product, MSE, Microsoft has drawn a bead on malware with a very effective product. Kudos to Microsoft for making MSE freely available. MSE is not bundled with Windows so you have to download and install it.

Spyware and Adware

The next step in securing your unknown PC is to identify and prune unneeded processes from the:
  • Startup list
  • Systray
  • Services
  • Scheduler
Spyware and adware often lurk in these locations. Typical consumer computers are chock full of unneeded programs, at least a few of which are usually spyware. Use the free program WinPatrol to manage and clean all four of these locations.

The same thought applies to Internet Explorer. You want to review its installed add-ons -- Browser Help Objects (BHO's), toolbars, and extensions. WinPatrol makes it easy to disable and eliminate whatever you don't want.  A typical Windows user's computer is jam packed with IE add-ons, most of which the users don't even realize are present.

Cleaning up these four areas benefits performance as well as security.

Software Updates

A key vector through which malware strikes is through common software applications that many consumers neglect to keep updated. These include Windows itself, Adobe PDF and flash video, browsers like Internet Explorer and Firefox, email readers like Outlook and Outlook Express, media players like RealPlayer, and other widely-used applications. You need to update software to the latest fixes to ensure security going forward.

Start with Windows and download and install all possible Microsoft updates. What's available will depend on your Windows verison and release. If you have a computer that has not been used in awhile, you might find that Windows updates come in several waves (groupings), each of which will be applied and require a reboot before the next wave of updates. It's not unusual to spend a very long day downloading and installing Windows updates on a neglected computer.

One big issue to consider in revitalizing Windows is whether and when Microsoft ends support for the version of the product with which you're working. Windows XP is in the midst of Microsoft's de-support process. Other Windows versions are already de-supported. If this concerns you, check the discussion in my previous article on the larger issues of selecting operating systems for refurbishing. (This article assumes you've already decided to secure Windows and helps you do it.)

After Windows update, move on to updating common programs. While you're at it, verify that the "automatic updates" option is enabled for each. Or for better control, consolidate and manage all application updates through the Windows Scheduler.

If you have many programs to update you might run the free Secunia Software Inspector. It detects and reports on out-of-date programs and helps ensure that all “bug fixes” are applied.

Standard Windows Security Settings

Given an unknown computer, you can't assume that the previous user(s) followed any of the "standard" Windows security advice of which you're aware.  For example, check Share settings for files, disks, and printers; look for well-known security holes that have come up over the years like Windows Messenger or other IM tools; check for remote access through Services like Remote Assistance and Terminal services; configure Internet Explorer how you normally would in regards to active scripting and similar security issues; disable auto-run for CDs, DVDs, and USB memory sticks; turn off automatic message preview in Outlook; check for bit-torrent shared disks or folders. Whatever you normally change in Windows to secure it for yourself, you must check and set on this computer you're revitalizing.

Your list of "standard" Windows security settings may differ from what I've listed here. The point is that you need to set Windows security settings on any revitalized computer just as you would your own.

Anonymization

I call the process of removing all reference to previous users of a system anonymization. Some don't consider anonymizing an unknown computer worth their time. After all, it doesn't affect their use of it. Others consider it essential. For example, what if the previous owner illegally downloaded music, software, movies, photographs, or pornography? You want to make sure this stuff is fully eliminated from the computer before you use it or pass it on to someone else. Here I'll just hit the highlights of how to anonymize Windows.

First, securely delete the data files owned or created by previous users. If the users followed the convention of storing their files in the My Documents or Documents folder, it will be trivial to locate and delete them. The Windows Search function makes it easy to find data files of a particular type stored elsewhere, such as photographs, videos, music, Office files, etc. Be sure to delete other obsolete large files like *.zip archives and *.iso disk images.

Use programs like Eraser to securely delete files by over-writing them. Another option is the last free version of BCWipe. Remember, if you don't over-write a deleted file, it could be possibly be retrieved later by someone using the proper un-delete utility.  This is because Windows delete/ empty Trash sequence just removes a directory pointer to a disk file. It does not affect the file itself. So that file could be un-deleted with the proper tool until Windows re-uses its space at some random point in the future.

In the United States, law enforcement uses full-disk scanning software that will find files on disk that have not been securely deleted (over-written). The American courts generally consider that any files found on the computer belong to the owner. So if you pick up an unknown computer and do not find and securely delete any illegal files, as the new owner you are considered liable for those files.

You'll want to delete the old user accounts and replace them with your own set of user logins. Each new account should have an appropriate authorization level. Make sure all the passwords you create are good ones -- long strings, mixing together characters, digits, and special characters, with both upper- and lower-case alphabetics. Ensure that Windows presents a mandatory login screen upon start-up. (I get so many donated computers that let anyone into Windows merely by turning on the computer.)

While it's easy to delete old users and their files, it's more difficult to remove previous user information from application configuration files and to find and delete all their profiles. Be sure to securely delete their email if it's stored on the computer. Most difficult of all is ensuring that all reference to the users is removed from the Registry. You might be able to use Windows Registry Editor to search for their logins and names to remove their Registry references. Or you might find this process next to impossible. It all depends on their previous use of the computer, and the applications they installed and configured.

Some items you need to find and securely delete to remove all trace of previous users include temporary files, temporary internet files, histories, cookies, flash cookies, DOM storage, recently typed URLs, autocomplete form history, search autocomplete, most recently used (MRU) lists, log files, and Index.dat files. Windows even keeps a list of all the web sites anyone using the computer ever visited. This can be found in either one or two locations, depending on whether Internet Explorer auto-complete is enabled.

CCleaner deletes most of this tracking data. CCleaner is a free program but it automatically installs the Yahoo! toolbar on Internet Explorer -- as far as I can tell, without asking. If you prefer to avoid this you can download an older version of the program that eschews this behavior from FileHippo here

Couple CCleaner with PurgeIE for Internet Explorer users, or its equivalent for Firefox users, PurgeFox.  Both are free for 15 days of full use and cost $19.95 thereafter.

The free program MRU-Blaster deletes all most-recently used traces.

My favorite approach to anonymization is to delete all possible traces of previous users of the computer -- remove user accounts and their profiles, delete their files, run the Disk Clean utility, CCleaner, PurgeIE or PurgeFox, and do a Registry scan and edit. Then run Eraser or BCWipe one time as the final step in the process to fully over-write all unused portions of the disk and securely delete any "deleted" files. Finish up by running the Windows defragmentation utility on the disk to increase performance.

Summary

Securing mature Windows computers takes some time but is not especially difficult. You can do it with free software. In this article I've hit the highlights of how to do this to reuse mature computers and keep them in service. Securing Windows is vital for any computer that changes hands should the new owner keep the existing Windows install.

Because of rootkits and like technologies, you can never be theoretically certain that an unknown Windows computer you clean up is completely secure. Only wiping the disk and cleanly installing an operating system absolutely guarantees full security. But from a practical standpoint, the procedures in this article ensure adequate security for normal situations.

Anonymizing Windows is easy on a surface level, but requires real expertise if your goal is to completely thorough. Many consider anonymizing of limited concern, so I've only treated this topic superficially here. But keep in mind you really do want to securely erase the previous owner's data files, because these might contain illegally downloaded music, videos, photographs, software, or pornography.

Next month I'll describe how to performance tune unknown Windows XP systems. This will be based on my new guide that covers all Windows versions, How to Tune Up Windows.  Meanwhile, please comment and share your own techniques for securing and anonymizing mature Windows systems. 

Howard Fosdick (President, FCI) is an independent consultant who specializes in databases and operating systems. His hobby is refurbishing computers as a form of social work and environmental contribution. Reach him at contactfci at the domain name of sbcglobal (period) net.

Previous Articles in this Series:



Smart Reuse with Open Source
How refurbishing defeats planned obsolescence
Scandal: Most "Recycled" Computers Are Not Recycled
What happens to many "recycled" computers?
How to Revitalize Mature Computers
Overview of how to revitalize computers for reuse


Other Resources:



How To Secure Windows and Your Privacy Free e-book tells how to secure Windows (July 2008)
How to Tune Up Windows E-book tells how to performance tune Windows (March 2010)
e p (4)    75 Comment(s)

Technology White Papers

See More