posted by Darius on Tue 8th Feb 2005 22:14 UTC
"Windows security, Page 2/3"
The 10 Rules
- Don't let anyone near your Windows box who doesn't understand and follow these rules: If you are reading this article hoping to find out how to secure a Windows machine for your computer-illiterate friend, relative, or employees, you've come to the wrong place. In fact, I would say that it is extremely difficult (if not impossible) to lock down Windows for somebody who knows nothing about security. If you know how to do this, you need to write your own article :) I've seen a Windows box locked down almost to the point of being bullet-proof, only to be infected after 15 minutes of use by someone clueless about security. If you know a person like this who isn't willing to be taught, then set up Linux for them or buy them a Mac. Windows is an OS for power users, not the computer illiterate.
- Take the proper precautions before going online: In this case, you have a few options. Any or all of the following should be sufficient:
- Set up a hardware router/firewall: This isn't nearly as difficult as it sounds. In fact, you can walk into just about any computer or electronics store and pick one of these up for about $30. They're easy to set up and work great with pretty much any operating system. A NAT router does not do everything a software firewall does: it only blocks unsolicited inbound connections, and says nothing about what your own programs send out or what you download. But that is enough to protect you against any worm that propagates by scanning the Internet for unprotected Windows machines. Even if you don't do anything else in this guide, you are still miles ahead of other people who just connect their machines straight into a cable/DSL modem.
- Install a software firewall before going online: You should burn one of these to CD and have it ready before you reinstall Windows the next time, so the machine is never on the network unprotected.
- For XP users - install Service Pack 2 before going online: Installing the latest service pack is always recommended, even for non-XP users. However, XP Service Pack 2 is probably the only service pack secure enough to let you go online without some other kind of firewall long enough to get all the critical updates, because it turns the built-in Windows Firewall on by default. Note that you can download a program called AutoStreamer that allows you to easily slipstream a service pack into your Windows installation. (Slipstreaming a service pack is the process of integrating the service pack into your Windows installation media so that it is automatically installed as part of the Windows installation process.)
- The first thing to do when you get online is go to Windows Update and download all the Critical Updates that are listed: After that, do this about once or twice a month. Or, you can turn on Automatic Update, but I don't recommend doing so unless you're using Windows XP with Service Pack 2 installed. (It just works better in SP2). If you happen to miss a critical update by a week or more, just following the other rules in this guide should protect you against pretty much anything by default.
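The three "before going online" items above (service pack level, a firewall in front of the box, and an update policy) can be verified in one pass. The script below is an added example, not part of the original article; it assumes Windows PowerShell 3.0 or later in an elevated prompt, and it reads the registry locations Windows XP SP2 introduced for the built-in firewall and Automatic Updates (newer Windows versions still keep the firewall key; the Auto Update key may be absent).

```powershell
# Added example (not from the article): audit the "before going online" state.
# Assumptions not stated in the article: Windows PowerShell 3.0+, elevated prompt,
# XP SP2-era registry locations for the firewall and Automatic Updates.

function Get-OnlineReadiness {
    $checks = @()

    # 1. OS and service pack level. CSDVersion is the service pack string, e.g. "Service Pack 2".
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $checks += [pscustomobject]@{
        Check = 'OS / service pack'
        Value = "$($os.Caption) $($os.CSDVersion)".Trim()
        OK    = $true   # informational: compare against the latest service pack for your version
    }

    # 2. Built-in firewall, standard (non-domain) profile. EnableFirewall 1 = on, 0 = off.
    #    SP2 sets this to 1 by default, which is why the article treats SP2 as safe to go online with.
    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $fw = (Get-ItemProperty -Path $fwKey -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
    $fwText = if ($null -eq $fw) { 'key not found' } else { $fw }
    $checks += [pscustomobject]@{
        Check = 'Windows Firewall (standard profile)'
        Value = $fwText
        OK    = ($fw -eq 1)
    }

    # 3. Automatic Updates mode: 1 = off, 2 = notify before download,
    #    3 = download then notify, 4 = download and install automatically.
    $auKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $au = (Get-ItemProperty -Path $auKey -Name AUOptions -ErrorAction SilentlyContinue).AUOptions
    $auText = if ($null -eq $au) { 'key not found' } else { $au }
    $checks += [pscustomobject]@{
        Check = 'Automatic Updates (AUOptions)'
        Value = $auText
        OK    = ($au -ge 3)   # the article also accepts a manual check once or twice a month
    }

    $checks
}

Get-OnlineReadiness | Format-Table -AutoSize
```

A row with OK = False for the firewall means the box is exposed to exactly the scanning worms the hardware router rule is meant to stop; fix that before fetching updates. The Automatic Updates row is a warning rather than a failure, since the article is happy with a manual Windows Update visit on a schedule.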
- Avoid using Internet Explorer unless absolutely necessary: This is probably the most important thing to remember. There are all kinds of programs out there that are meant to patch up and secure IE, but you should seriously consider ditching IE and using something like Firefox or Opera instead.
I realize there are a handful of sites that require you to use IE, such as Windows Update. However, outside of Windows Update, it's very important to be cautious even when you have to use IE. For example, if you're at a web site called "Joe's Warez Shack" and he wants you to install some ActiveX control before downloading a crack, use some common sense! I would go as far as to say only accept ActiveX controls from companies that you know and trust.
There are a few other things to keep in mind here as well. When I say don't use IE, that includes email programs (such as Outlook and Outlook Express) that use the IE rendering engine. I would recommend Thunderbird as an alternative, but if you must use either of these two programs, be sure to download the latest security updates for both of them. Also, Outlook Express (the latest version with service pack) allows you to view all email in plain text - turn that option on. I don't know if Outlook has this option or not, but go into Options and turn off as much HTML stuff (especially scripting) as you can.
Also, a note about programs that use the IE rendering engine for HTML interfaces - these should be safe to use, except for those programs that actually allow you to browse the web, such as the IE 'shell' browsers and Winamp with its 'mini browser.' They render untrusted pages with the same engine, so they inherit IE's vulnerabilities. Note that although some of the shell browsers may have some built-in security measures, if you decide to use them, you do so at your own risk! Maybe they are secure, and maybe they aren't. But I'd rather not find out :) As for Winamp and other programs like it, feel free to use them ... just don't browse the web with them!
- Download and install a software firewall: You don't actually have to pay any money for one of these - there are free ones available such as Sygate (the one I use), ZoneAlarm, Kerio, and others as well.
Oh, and there's one other thing about software firewalls. While this next thing is optional, it's definitely recommended - when you're not using the computer, turn on your firewall's 'lock' option, which stops all incoming/outgoing traffic to/from your computer until you're ready to use it again. This can usually be done by right-clicking on the firewall's icon in the task tray. If it turns out that the firewall is blocking some programs (such as anti-virus updates) that need to access the Internet while you're away, some firewalls (such as ZoneAlarm) have an option to let certain programs access the Internet even when the firewall is locked.
About hardware routers/firewalls: As previously discussed, these are available for cheap. I would recommend getting one of these, even with a software firewall installed (although it is not absolutely necessary, so long as you're protected in other ways before going online). If you have an older/spare PC lying around, you can also use that as a firewall, although if this kind of thing interests you, you probably already knew that :)
- Download and install an anti-virus program: Again, you don't have to spend any money on one of these if you don't want to. Free anti-virus programs exist such as AVG (the one I use) and Avast; Nod32 is a paid product but notably light on resources. Once you've got one of these installed, turn on automatic updates and set it to scan for viruses in the middle of the night, so you don't have to do anything else with it. Just be sure to check it every once in a while to make sure that it is downloading updates properly.
Now, I'm about to say something very controversial. As long as you follow all the other rules in this guide, you do not have to run a virus scanner resident (in the background) if you don't want to. I know people who don't and have been virus free for years. However, if you choose not to run one resident, you must be extremely vigilant about not using IE and scanning each and every file that is introduced to your system. Please be warned that doing this is like riding a motorcycle without a helmet - I seriously don't recommend it, even for experienced users, because it's just too easy to be careless or forget. But it is an option.
A couple of other things to note about anti-virus programs - since most Linux users run a software firewall of some sort, this is really the only security-related program you'll have to run that Linux users don't! Also, if you've only been running VirusScan or Norton Anti-virus, try something else - you may be surprised to find that you can run an anti-virus program without much of a performance hit at all. Nod32 users know exactly what I'm talking about :)
- Avoid running any email attachments before scanning them: This also includes anything in compressed files, such as .zip. Also, be especially wary of the following file extensions: .bat, .chm, .cpl, .cmd, .crt, .com, .doc, .exe, .hlp, .hta, .inf, .js, .pif, .scr, .xls, .vbs (Did I miss any?) If you've got a virus scanner that can scan incoming email, this is relatively hassle-free.
- Turn on file extensions: Go to Folder Options in Windows Explorer and uncheck the option that says Hide extensions for known file types. This is so that you can see the file extension of every file, which is helpful because some virus writers try to hide file extensions like this: test.txt.exe - if you had file extensions turned off, you would simply see it as test.txt, and that may fool you into thinking it is a text file instead of an executable.
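The attachment rule and the file-extension rule above go together: one makes the extension visible, the other says which extensions to distrust. The script below is an added example, not code from the article. It sets the same Folder Options value the GUI toggles (the per-user HideFileExt registry value, an assumption about where Explorer stores the setting that is documented for XP and later) and then screens a list of constructed attachment names for the article's extension list and for the test.txt.exe double-extension trick.

```powershell
# Added example (not from the article). Assumptions: Windows PowerShell, run as the
# user whose Explorer setting should change; the sample names below are constructed.

# 1. Folder Options -> "Hide extensions for known file types" is the HideFileExt value.
#    0 = show extensions. Explorer picks the change up after explorer.exe restarts or you log off/on.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name HideFileExt -Value 0 -Type DWord

# 2. Extensions the article lists as dangerous.
$risky = @('.bat','.chm','.cpl','.cmd','.crt','.com','.doc','.exe',
           '.hlp','.hta','.inf','.js','.pif','.scr','.xls','.vbs')

function Test-RiskyAttachment {
    param([Parameter(Mandatory)][string]$Name)

    # The real extension is the last one; Explorer with HideFileExt=1 would hide it and
    # display only the part before it, so "test.txt.exe" shows up as "test.txt".
    $ext   = [System.IO.Path]::GetExtension($Name).ToLowerInvariant()
    $shown = [System.IO.Path]::GetFileNameWithoutExtension($Name)

    $reasons = @()
    if ($risky -contains $ext) {
        $reasons += "extension $ext is on the risky list"
    }
    if ([System.IO.Path]::HasExtension($shown)) {
        $reasons += "double extension: with extensions hidden Explorer would show '$shown'"
    }

    [pscustomobject]@{
        Name    = $Name
        Risky   = ($reasons.Count -gt 0)
        Reasons = ($reasons -join '; ')
    }
}

# Constructed sample attachment names, not real files.
'report.txt', 'test.txt.exe', 'invoice.pdf.scr', 'photo.jpg', 'setup.exe', 'notes.doc' |
    ForEach-Object { Test-RiskyAttachment $_ } |
    Format-Table -AutoSize
```

The double-extension check is deliberately independent of the risky list: a name like invoice.pdf.scr is flagged twice, once for .scr and once because the displayed name would end in .pdf, while a plain report.txt passes both. Feed the function the names from a mail client's attachment pane before you open anything.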
- Research any program before you install it: Before you install any program, you'll want to check to make sure that it contains no intrusive adware/spyware. Besides the once or twice a month Windows Update check and occasionally checking that your virus scanner is keeping up to date, this is really the only thing you have to actively do to keep your Windows box secure. This isn't really as hard as it seems, and generally takes less than 5 minutes, probably less time than it would take to install an app in Linux if you had to look outside of your distro's repository to find it. Here is what I normally do when I'm ready to install an app for the first time:
- Go to Google and type in appname spyware where appname is the name of the program you want to install. If the program does contain spyware, you'll usually get several links pointing this out. For example, if you search for kazaa spyware, you get about a million links for Kazaa adware/spyware removal tools, so you know this program is bad news.
A note about spyware removal tools - DON'T USE THEM! If you know that you're going to have to remove a bunch of crap after installing some app, then it's better to not install it and look for something else to use instead. Otherwise, installing it and removing the crap afterwards is like having unprotected sex with somebody you know has an STD, and then going to the doctor the next morning to get a shot for whatever they might've had. This rule also applies to programs like Adaware, Spybot, and the rest of their ilk. Although you can keep them on your machine to scan every once in a while just for peace of mind, these programs should NEVER be used as an 'insurance policy'. The reason why I bring this up is because I've seen a lot of people with the mentality of "Well, I can install anything I want because I've got XYZ spyware remover installed that will protect me." NO NO NO NO NO!!!!!!!!!!!!!!!! Please, don't believe the marketing hype of some snake-oil salesmen trying to convince you that their app is going to save you from everything. If I EVER find out you've been doing this, I will come and slap you around a bit with a large trout! Except in a case which I specify below, you absolutely should never depend on these apps to protect you. They may be good to scan with occasionally, but that is all they should be used for! Though I don't run these programs resident, I have a couple of them installed and scan my machine about once a month - the only thing they ever find is cookies.
- Go to Download.com, search for your app, and read the User Comments. Fortunately, if an app does contain something nasty, there's a pretty good chance a bunch of other lemmings have already installed it before you, so take advantage of people who learned the hard way :) Usually, if an app is adware/spyware infested, the User Comments will let you know.
Only in a couple of instances have I ever had to do any more work than that. However, if neither of the above methods yields any results, here are a few other things you can try.
- Look on the program's web site and, if it is free, look to see if it specifically mentions whether or not the app contains adware or spyware. This information can usually be found either in the feature bullet points or the privacy policy. Though some software authors may decide to lie about this, it may give you some insight. Note that if the app is open source (especially if you find it on SourceForge), the source is there for anyone to inspect, which makes bundled spyware far less likely.
- Look to see if the app costs money. If it does, there's a good chance there's no spyware. This is not a rule set in stone though, so be careful!
- Ask a computer-literate friend to see if they've ever heard of the app.
- If you've got a spare PC, a test partition, or a virtual machine (such as Virtual PC) installed, you can install the app there and then use spyware removers to scan with and see if they find anything. If the app checks out clean, it should be safe to install 'for real'.
- If all else fails (and this is a last resort), run setup for the program, and scan through the license agreement to see if there's any mention of '3rd party programs' or anything like that.
- Though I generally tend to avoid any program which contains ads, I don't claim that everything which contains adware is bad. For example, Opera has ads in the 'free' version, but they don't cause any harm to your system or drastically slow your bandwidth to a crawl.
- When I'm setting up a computer for somebody who I know probably won't bother to do this much work before installing something, I usually put the fear of death in them by telling them that if they install anything from the Internet, it's probably going to trash their machine. That way, they will usually either ask me or someone else before proceeding. This isn't the ideal situation, but it's better than having to clean up the mess after they install some spyware-infested monstrosity :)
Table of contents
- "Windows security, Page 1/3"
- "Windows security, Page 2/3"
- "Windows security, Page 3/3"