How to Secure Windows

In previous OS News articles, I’ve
claimed that mature computers up to ten years old can be
refurbished and made useful. My last article
identified and evaluated
different ways to refurbish these
One approach is to keep the existing Windows install and clean it
up. This has the advantage of retaining the Windows license and
software, the
applications, and the existing drivers. But it
takes some work. In this article we’ll see what this entails.

Cleaning up an unknown Windows system requires three steps, performed
in this order:

  1. Security
  2. Anonymization
  3. Performance tuning

This article discusses security and anonymization. Next month’s article
covers performance tuning. This article is based on
my free guide How To Secure Windows and
Your Privacy.
The guide was published two years ago but is still relevant to cleaning
up Windows. I’ll
leave out
screen illustrations in the guide, as well as its more detailed

We’ll cover the highlights here.
The goal is to answer this question — how can you secure a
Windows computer about which you can make no assumptions?


This article assumes you’ve already decided to revitalize Windows. If
you’re interested in whether cleaning up an existing Windows install is
a good way to refurbish a computer, see the discussions in previous
articles in this series.

I’ll assume you are securing
Windows XP, since XP was
Microsoft’s primary consumer offering from 2001 to 2007. The tips
in this article also apply to Windows 7 and Vista, but the
are based on XP.

I assume that the copy of Windows you want to secure is on an
“unknown computer.” By this I mean a computer that is
previously unknown to you, so you can not make any assumptions about
If you’re refurbishing a “known” computer, for example, an old
machine you haul out of your own basement or attic, you may be able
to skip some of the steps.

It’s important to understand that due to the ways in which rootkits and like
technologies operate, you can never be
theoretically certain that an unknown Windows computer you clean up is
completely secure. Only wiping the disk and cleanly installing an
operating system absolutely guarantees security. But from a
practical standpoint, the procedures in this article ensure adequate
security for normal situations.

Before you can secure Windows, if you’re working with an
unknown computer you might have to circumvent password
protection. While there are several different approaches to this
problem, I’ve had excellent results with the free program Offline NT Password and
Registry Editor.
The program deletes the Administrator password so
you can log on to the Administrator account without entering a
password. You’ll
need a user login with Administrator rights to secure Windows.

Be sure to reset the Administrator account password after you
gain access. Obviously, Windows passwords don’t offer much protection
if someone has physical access to the computer. But they’re still vital
to protect against unauthorized remote access. (To secure
your data against someone who can physically access the computer, use
Windows’ built-in encryption
or a competing free encryption

You can secure and anonymize Windows without buying any software. All
the programs mentioned in this article are free, except one which is

It’s always a
good idea to back up Windows prior to changing it. Use Windows’ System Restore or
System Protection feature to make a backup or “restore point” for
Windows: Start
-> All Programs -> Accessories -> System Tools -> System


The first step to securing Windows is verifying that it has a
functioning firewall. Firewalls
prevent unauthorized connection to the computer from the
outside. An internet-connected Windows computer without a firewall will
be quickly compromised. You don’t want to spend time cleaning up
Windows by running anti-malware programs until you’ve secured it with a
functioning firewall.

Windows XP came with either of two different firewalls
(depending on the release). Both secured the computer against incoming
connections, but neither could block unauthorized outgoing connections.
Windows 7
and Vista bundle a firewall that can also block outgoing connections,
but by default this
feature is disabled. Windows ME, 98, and 95 did not come

In addition to protection against
incoming penetration attempts, you need outgoing firewall protection
to secure an unknown computer.
Otherwise, if
the computer is already
compromised and
sending out information, you will have no way to know it.
The XP firewall will not
tell you.
Nor will the Windows 7 and Vista firewalls — unless they have been
specifically configured to block unauthorized outgoing connections.
Read how to enable outbound Windows 7 and Vista firewall
and here.

Outbound filtering can not guarantee that no information is sent from a
compromised computer to the outside world, but it can stop many such
attempts. See this TechNet article
if you’re interested in the details about where outbound firewall
protection helps and what it can not stop.
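
The outbound blocking described above can be switched on from an elevated prompt on Windows 7 and Vista. This is an added example, not part of the original article; the Firefox path in the allow rule is an assumed sample, and the rule name and backup file name are arbitrary.

```powershell
# Added example. Run from an elevated PowerShell prompt on Windows 7 or Vista.
# (The "netsh advfirewall" context does not exist on XP, whose bundled
# firewall filters inbound connections only.)

# 1. Inspect the current policy. A default install reports
#    "BlockInbound,AllowOutbound" for each profile.
netsh advfirewall show allprofiles firewallpolicy

# 2. Save the existing rule set so the change can be rolled back.
netsh advfirewall export "$env:USERPROFILE\firewall-before.wfw"

# 3. Log dropped connections, so that anything on the machine that tries
#    to send data out without permission leaves a record.
netsh advfirewall set allprofiles logging droppedconnections enable

# 4. Change the default outbound action from allow to block. The value is
#    quoted because PowerShell would otherwise split it at the comma.
netsh advfirewall set allprofiles firewallpolicy "blockinbound,blockoutbound"

# 5. Programs without a matching allow rule are now blocked, so add one
#    rule per program you trust. The path below is an assumed sample.
netsh advfirewall firewall add rule name="Allow Firefox outbound" `
    dir=out action=allow enable=yes `
    program="C:\Program Files\Mozilla Firefox\firefox.exe"

# 6. Confirm the new policy, then review recent blocked attempts.
netsh advfirewall show allprofiles firewallpolicy
Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" |
    Select-String ' DROP ' | Select-Object -Last 20

# Roll back to the saved rule set if something essential stops working:
# netsh advfirewall import "$env:USERPROFILE\firewall-before.wfw"
```
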

If you
are refurbishing XP and need a bi-directional firewall for full two-way
protection you might try the free programs
listed at The Free Country:

easy to set up and largely
self-configuring. Gizmo’s Freeware offers good reviews of free software
including firewalls
and also presents
feedback on which they think best.

Test the Firewall

When you are done configuring the firewall, test how well the computer
resists outside penetration by
running the free ShieldsUp!
ShieldsUp! probes your computer and tells you about any security
vulnerabilities it finds. (Those
concerned about privacy might also find it enlightening to see the
identifying system information your computer passes
to any web site you visit.)

Verify that your firewall blocks unauthorized outgoing connections by
downloading the free LeakTest
program from the same web site. Only firewalls offering
bi-directional protection will pass LeakTest.


Once you’ve secured your perimeter you’re ready to identify and
remove malware from your computer. Malware
includes viruses, trojans, keyloggers, dialers, rootkits,
botware, spyware, worms, and adware. I recommend installing and
running a number of free anti-malware programs, one after another, using this

  1. Download the anti-malware program
  2. Install it (verifying no conflicts occur with existing
  3. Update it to the latest anti-malware definitions or “signature
  4. Full-scan the disk(s) with the program
  5. Remove infections (automatically and/or manually)
  6. If infections were found, re-run the same program to verify they
    are successfully removed

Install and run anti-malware programs serially — rather than in
parallel — to avoid possible program conflicts. It can be very
confusing when asked to identify which infections or potential
infections to remove when confronted with a long list of them from
programs running at once. The serial approach also makes handling
false positives easier. So while running anti-malware programs
one after another takes more time, it’s a more accurate way
to ensure you’ve identified and removed all malware.

If a program finds some malware and automatically removes it, re-run
the same program a second time to ensure that the malware was successfully
removed. If you find persistent infections the anti-malware can not
automatically remove, you may have to get involved in the process
yourself with an analytical program like Trend Micro’s HiJackThis.

Why should you run multiple anti-malware programs? No anti-malware program has a 100%
detection rate. Anti-malware
programs have different
and best identify different threats.

Often people tell me “I rely only on XYZ Anti-Malware and don’t need to
run any other program, because XYZ tells me my system is clean. Just
use XYZ Anti-Malware and you don’t need any other
anti-malware program.” This is fallacious reasoning. All the clean scan
by XYZ Anti-Malware tells you is that it did not
find any infections. This doesn’t guarantee your system is free
of infection. If you don’t understand this then
read about the complexities of malware detection at the AV Comparatives
Or glance at this
showing how detection rates vary and that no program
approaches a 100% detection rate.

The table below lists effective free anti-malware tools I’ve used. The
middle columns of the table tell whether the free
version of the product provides real-time and/or batch disk-scanning
capabilities. You initially deep-scan the disks to clean a
computer. Then going forward, you’ll also want to install real-time
protection. Free products frequently change
their coverage so the two middle columns may become outdated if you’re
reading this article some time after it was published.

With apologies to the vendors, I’ve listed the popular short names for
their products instead of the longer formal product names. The links go
directly to each vendor’s web site. At most of them you simply click the
“downloads” tab to download their free product.



Disk Scanner?

Some (processes protection only)
Best known for adware
prevention, detection & removal
Good general purpose program
Good general purpose program
Good general purpose program
a2 (or

now known as Emsisoft Anti-Malware
Good general purpose scanner.
Real-time protection was dropped from the most recent free version.

(email only)
Slower scanner than some of the
others but thorough and yields usefully different results.
HiJackThis no
Best product for manual removal
of infections that other products can not automatically remove.
your involvement and expertise.
Malwarebytes no
Good general purpose scanner
RootKitRevealer no yes Specialized but keys on a very important threat — rootkits.
Requires your involvement and expertise.
Spybot Search and

Best known for spyware detection
& removal
Best known for Internet Explorer
and Active X defense
Best known for spyware prevention
Best known for intrusion

Find good summaries of free anti-malware programs at The Free
Country’s web pages on anti-virus,
browser protection,
and intrusion
programs. Gizmo’s Freeware has a nice list
of what they consider the better free programs as well as comparisons
and reviews. CNet’s download
for free software also offers good product evaluations.

I’ve excluded Microsoft’s own tools from the above chart because I
have experience with them all. Microsoft’s anti-malware programs have
evolved from Windows Live OneCare
(once known as Windows OneCare Live), to Windows Defender
(once known as Microsoft Anti-Spyware), to their current offering, Microsoft
Security Essentials (also known as MSE). Along the way
Windows Update (once known as Automatic Updates) downloaded and
installed the Microsoft
Malicious Software Removal Tool
(also known as MSRT).

Whew! That’s
a long and winding road. The good news is that with its current free
product, MSE,
Microsoft has drawn a bead on malware with a very effective
product. Kudos to Microsoft for making MSE freely available. MSE is not
bundled with Windows so you have to download and
install it.

Spyware and Adware

The next step in securing your unknown PC is to identify and prune
unneeded processes
from the:

  • Startup list
  • Systray
  • Services
  • Scheduler

Spyware and adware often lurk in
these locations. Typical consumer computers are chock full of
unneeded programs, at least a few of which are usually spyware.
Use the free program WinPatrol
to manage and
clean all four of these locations.

The same thought applies to Internet Explorer. You want to review its
add-ons — Browser Help Objects (BHO’s), toolbars, and extensions.
WinPatrol makes
it easy to disable and eliminate whatever you don’t want. A
typical Windows user’s computer is jam packed with IE add-ons, most of
which the users don’t even realize are present.

Cleaning up these four areas benefits performance as
well as security.
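
A read-only inventory of three of these locations (startup entries, services and scheduled tasks) plus Internet Explorer's Browser Helper Objects, for review before anything is disabled. This is an added example rather than part of the original article or of WinPatrol; it assumes PowerShell 2.0 or later, an elevated prompt and an English-language Windows (the schtasks column names are localized), and the output folder name is arbitrary.

```powershell
# Added example: read-only inventory of autostart locations. Nothing is changed.
$out = Join-Path $env:USERPROFILE 'autostart-review'   # assumed output folder
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Startup list: Run/RunOnce registry values and Startup folders, all users.
$startup = @(Get-WmiObject Win32_StartupCommand |
    Select-Object User, Name, Command, Location)

# Services that start automatically and whose binary lives outside the
# Windows directory. That is a reason to look closer, not proof of malware.
$winDir = [regex]::Escape($env:SystemRoot)
$services = @(Get-WmiObject Win32_Service -Filter "StartMode='Auto'" |
    Where-Object { $_.PathName -and $_.PathName -notmatch $winDir } |
    Select-Object Name, DisplayName, State, StartName, PathName)

# Scheduler: schtasks can repeat its header row and emit blank lines,
# so both are filtered out around the CSV conversion.
$tasks = @(schtasks /query /fo csv /v | Where-Object { $_ } | ConvertFrom-Csv |
    Where-Object { $_.TaskName -and $_.TaskName -ne 'TaskName' } |
    Select-Object TaskName, 'Task To Run', 'Run As User', Status)

# Internet Explorer Browser Helper Objects. Each subkey is a CLSID; the DLL
# it loads is recorded under Classes\CLSID\<clsid>\InprocServer32.
# The Wow6432Node key holds 32-bit add-ons on 64-bit Windows.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$bhos = @(foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    $classes = $key -replace '\\Microsoft\\Windows\\.*$', '\Classes\CLSID'
    Get-ChildItem $key | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = Get-Item -LiteralPath "$classes\$clsid\InprocServer32" `
                      -ErrorAction SilentlyContinue
        $dll = '(not registered)'
        if ($server) { $dll = $server.GetValue('') }
        New-Object PSObject -Property @{ Clsid = $clsid; Dll = $dll }
    }
})

# Write one CSV per location and print a count for each.
function Save-Review($name, $rows) {
    $rows | Export-Csv (Join-Path $out "$name.csv") -NoTypeInformation
    "{0,-10} {1,4} entries" -f $name, @($rows).Count
}
Save-Review 'startup'  $startup
Save-Review 'services' $services
Save-Review 'tasks'    $tasks
Save-Review 'bho'      $bhos
```
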

Software Updates

A key vector through which malware strikes is common software
applications that many consumers neglect to keep updated. These include
Windows itself, Adobe PDF and flash video, browsers like Internet
Explorer and Firefox, email readers like Outlook and Outlook Express,
media players like RealPlayer, and other
widely-used applications. You need to update software to the latest
fixes to ensure security going forward.

Start with Windows and download and install all possible Microsoft
updates. What’s available will depend on your Windows version and
release. If you have a computer that has not been used in a while, you
might find that Windows updates come in several waves (groupings), each
of which will be applied and require a reboot before the next wave of
updates. It’s not unusual to spend a very long day downloading and
installing Windows updates on a neglected computer.

One big issue to consider in revitalizing Windows is whether and when
Microsoft ends support for the version of the product with which you’re
working. Windows XP is in the midst
of Microsoft’s de-support process. Other Windows versions are already
de-supported. If this concerns you, check the discussion
in my previous article on the larger issues of selecting operating
systems for refurbishing. (This article assumes you’ve already decided
to secure
Windows and helps you do it.)

After Windows update, move on to updating common programs. While you’re at
it, verify that the “automatic updates” option is enabled for each.
Or for better control, consolidate and manage all
application updates through the Windows Scheduler.

If you have many programs to update you might run the free Secunia
. It detects and reports on
out-of-date programs and helps ensure that all “bug
fixes” are applied.

Standard Windows Security Settings

Given an unknown computer,
you can’t assume that the previous user(s) followed any of the
“standard” Windows security advice of which you’re aware. For
example, check Share settings for files, disks, and printers; look for
well-known security holes that have come up over the years like Windows
Messenger or other IM tools; check for remote access through Services
like Remote Assistance and Terminal services; configure Internet
Explorer how you normally would in regards to active scripting and
similar security issues; disable
auto-run for CDs, DVDs, and USB memory sticks; turn off automatic
preview in Outlook; check
for bit-torrent shared disks or folders. Whatever
you normally change in Windows to secure it for yourself, you must
check and set on this computer you’re revitalizing.

Your list
of “standard” Windows security settings may differ from what I’ve
listed here.
The point is that you need to set Windows security settings on any
revitalized computer just as you would your own.


I call the process of removing all reference to previous users of a
system anonymization.
Some don’t consider anonymizing an unknown computer worth their
time. After all, it doesn’t affect their use of it. Others consider it
essential. For example, what if the previous owner
illegally downloaded music, software, movies, photographs, or
pornography? You
want to make sure
this stuff is fully eliminated from the computer before you use it or
pass it on to someone else. Here I’ll just hit the
highlights of how to anonymize Windows.

First, securely delete the data files owned or created by
previous users. If the users followed the convention of storing their
files in the My Documents or Documents folder, it will be trivial to
locate and delete them. The Windows Search function makes it easy to
find data
files of a particular type stored elsewhere, such as photographs,
videos, music, Office files,
etc. Be sure to delete other obsolete large files like *.zip archives
and *.iso disk images.

Use programs
like Eraser to securely
delete files by over-writing them. Another option is the last
version of BCWipe.
Remember, if you don’t over-write a deleted file, it could possibly
be retrieved later by someone using the proper un-delete
utility. This is because the Windows
delete / empty Trash
sequence just removes a directory pointer to
a disk file. It does not affect the file itself. So that file could be
un-deleted with the proper tool until Windows re-uses its space at some
random point in the future.
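
What an over-writing tool does to a single file, sketched in PowerShell. This is an added example, not code from Eraser, BCWipe or the original article; the function name is hypothetical, and the single pass of random data is a choice made here rather than either tool's documented method.

```powershell
# Added example: overwrite a file's contents in place, then delete it.
function Remove-FileSecurely {
    param([Parameter(Mandatory = $true)][string]$Path)

    $file = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    if ($file.PSIsContainer) { throw "$Path is a folder, not a file" }
    if ($file.IsReadOnly) { $file.IsReadOnly = $false }
    $length = $file.Length

    $rng    = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buffer = New-Object byte[] 65536
    # WriteThrough asks Windows to send each write to the disk instead of
    # leaving it in the file cache.
    $stream = New-Object System.IO.FileStream($file.FullName,
        [System.IO.FileMode]::Open, [System.IO.FileAccess]::Write,
        [System.IO.FileShare]::None, $buffer.Length,
        [System.IO.FileOptions]::WriteThrough)
    try {
        $remaining = $length
        while ($remaining -gt 0) {
            $rng.GetBytes($buffer)                       # fresh random block
            $count = [int][Math]::Min([long]$buffer.Length, $remaining)
            $stream.Write($buffer, 0, $count)
            $remaining -= $count
        }
    }
    finally { $stream.Close() }

    # Only now remove the directory entry. An un-delete tool that follows
    # the old pointer finds random bytes instead of the original data.
    Remove-Item -LiteralPath $file.FullName -Force
    $length                                              # bytes overwritten
}

# Example call (the path is a constructed sample):
# Remove-FileSecurely 'C:\Documents and Settings\olduser\My Documents\taxes.xls'
```

This reaches only the file's current contents. Files that were already deleted the ordinary way need the free-space over-write that the final Eraser or BCWipe pass described later in this article performs, and copies held in restore points or temporary files are not touched.
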

In the United States, law enforcement uses full-disk scanning software
that will find files on disk that have not been securely deleted
(over-written). The American courts generally consider that any files
found on the computer belong to the owner. So if you pick up an unknown
computer and do not find and securely delete any illegal files, as the
new owner you are considered
liable for those files.

You’ll want to delete the old user accounts and replace
them with
your own set of user logins. Each new account should have an
authorization level.
Make sure all the passwords you create are good
ones — long strings, mixing together characters, digits, and special
characters, with both upper- and lower-case alphabetics. Ensure that
Windows presents a mandatory login
screen upon start-up. (I get so many donated computers that let anyone
into Windows merely by turning
on the computer.)

While it’s easy to delete old users and their files, it’s
more difficult to remove previous user information from
application configuration files and to find and delete all their
profiles. Be sure to securely delete their email if it’s stored on the
computer. Most
difficult of all is ensuring that all reference to the users is removed
from the Registry. You might be able to use Windows Registry Editor to search
for their logins and names to remove their Registry
references. Or you
might find this process next to impossible. It all depends on their
previous use of the computer, and the applications they installed and

Some items you need to find and securely delete to remove all trace of
users include temporary files, temporary internet files, histories,
cookies, flash cookies, DOM storage, recently typed URLs, autocomplete
form history,
search autocomplete, most recently used (MRU) lists, log files, and
Index.dat files. Windows even keeps
a list of all the web sites anyone using the computer
ever visited. This can be found in
either one or two
locations, depending on whether Internet Explorer auto-complete is

most of this tracking data. CCleaner is a free program but it
installs the Yahoo! toolbar on Internet Explorer — as far as I can
tell, without asking. If you prefer to avoid this you can download an
older version of the program that eschews this behavior from FileHippo here.

Couple CCleaner with PurgeIE
for Internet
Explorer users, or its equivalent for Firefox users, PurgeFox. Both are
free for 15 days of
full use and cost $19.95 thereafter.

The free program MRU-Blaster
removes all most-recently used traces.

My favorite approach to anonymization is to delete all possible
traces of
previous users of the computer — remove user accounts and
their profiles, delete their files, run the Disk Clean
utility, CCleaner, PurgeIE or PurgeFox, and do a Registry scan and
edit. Then run Eraser or BCWipe
one time as the final step in the process to fully over-write all
portions of the disk and securely delete any “deleted” files. Finish up
by running the Windows defragmentation
utility on the disk to increase performance.


Securing mature Windows computers takes some time but is not especially
difficult. You can do it with free software. In this article I’ve
hit the highlights of how to do this to reuse mature computers and keep
them in service.
Securing Windows is vital for any
computer that changes hands should
the new owner keep the existing Windows install.

Because of rootkits and like technologies, you can never be
theoretically certain that an unknown Windows computer you clean up is
completely secure. Only wiping the disk and cleanly installing an
operating system absolutely guarantees full security. But from a
practical standpoint, the procedures in this article ensure adequate
security for normal situations.

Anonymizing Windows is easy on a surface level, but requires real
expertise if your goal is to be completely thorough. Many consider
anonymizing of
limited concern, so I’ve only treated this topic superficially here.
But keep in mind you really do want to securely erase the previous
owner’s data files, because these might contain illegally downloaded
music, videos, photographs, software, or pornography.

Next month I’ll describe how to performance tune
unknown Windows XP systems. This will be based on my new guide that covers all Windows
versions, How
to Tune Up Windows. Meanwhile, please comment and
share your own techniques for securing and anonymizing mature Windows

Howard Fosdick (President, FCI) is an independent consultant who
specializes in
databases and operating systems. His hobby is refurbishing computers as
a form of social work and environmental contribution. Reach him at contactfci at the domain name of sbcglobal (period) net.

Previous Articles in this Series:
Reuse with Open Source

How refurbishing defeats planned
Scandal: Most
“Recycled” Computers Are Not Recycled

What happens to many “recycled”
to Revitalize Mature

Overview of how to revitalize
computers for reuse
Other Resources:
Secure Windows and
Your Privacy

Free e-book tells
how to secure
Windows (July 2008)
to Tune Up Windows
E-book tells how to performance
Windows (March 2010)

