As I have browsed this site and others like it, I have often seen comments like “The only way to secure a Windows box is to not connect it to the Internet!” and “How can you stand to use Windows when you have to run tons of apps such as spyware removers and spend hours trying to keep it secure?” Some people have even gone as far as to say that it is literally impossible to secure Windows. Well, I’m here to tell you that not only is it possible, it’s actually quite trivial! It requires very little effort and you can do it without running a buttload of security apps and without spending a dime.
In fact, 90% of the work involved using my method occurs when you first install Windows. After that, it takes very little effort on your part. In this guide, I’m going to show you how to go about securing Windows on the desktop – the easy way :) From now on, if somebody tries to tell you that you can’t secure Windows, you can point them to this article.
However, before we get started, here are a few things to keep in mind:
- This guide is for Windows 2000 and XP on the desktop. It is not for Win9x, and it is not for servers either. Also, it is intended for people with broadband connections, because they are the ones who are most at risk.
- I don’t claim to be any sort of expert on security. Over the years, I have learned what I needed to learn in order to stay safe. Therefore, this is a ‘minimalist’ method of security, which includes only what you really need to know. Before you say “This can’t possibly work!” or accuse me of not including this or that, just remember this … the proof is in the pudding. Before you write this off as being crap, just try it for a month or so and judge for yourself. I have been using this knowledge for years and have never had any security issues following these rules, and neither has anyone else I know who has followed them.
- That being said, though I can say with a great amount of certainty that this will work for you, nothing is guaranteed, because I don’t know of anything that is ‘fool-proof.’
- Just so you don’t think I’m totally biased, I will say that Windows is horribly insecure out of the box. If this bothers you, I would recommend checking out some Windows alternatives, including the snazzy new Mac Mini’s.
Personally, I don’t care what you use. But if you want or need to use Windows, this information is for you.
- One of these days, there may be some kind of ‘super worm’ released that can blast right through firewalls and such, but until then, even with unpatched vulnerabilities out there, you should still be safe following this guide.
- Before posting any comments, read the FAQ at the end of the article – I wrote it especially for you :)
Prerequisites
So how much about Windows (and computers in general) do you actually need to know in order to follow these rules? Not much, really. If you’re reading this, I’m assuming your Windows box is probably already infected. Therefore, it’s probably a good idea to reinstall Windows when following this guide (as some things are better off done as soon as you install Windows anyway), so I’m assuming you’re going to (and know how to) do that. Other than that, the only other two requirements I can think of are that you know how to download/install programs and burn CDs.
If you want to use this guide to set up a computer for someone else to use, the other person doesn’t need to know much at all, as I have taught grandmas how to do this. However, just be sure you follow rule #1 below!
The 10 Rules
- Don’t let anyone near your Windows box who doesn’t understand and follow these rules: If you are reading this article hoping to find out how to secure a Windows machine for your computer-illiterate friend, relative, or employees, you’ve come to the wrong place. In fact, I would say that it is extremely difficult (if not impossible) to lock down Windows for somebody who knows nothing about security. If you know how to do this, you need to write your own article :)
I’ve seen a Windows box locked down almost to the point of being bullet-proof, only to be infected after 15 minutes of use by someone clueless about security. If you know a person like this who isn’t willing to be taught, then set up Linux for them or buy them a Mac. Windows is an OS for power users, not the computer illiterate.
- Take the proper precautions before going online: In this case, you have a few options. Any or all of the following should be sufficient:
- Set up a hardware router/firewall: This isn’t nearly as difficult as it sounds. In fact, you can walk into just about any computer electronics store and pick one of these up for about $30. They’re easy to set up and work great with pretty much any operating system. This doesn’t necessarily do everything a software firewall does, but it should be enough to protect yourself against any/all worms that propagate by scanning the Internet and looking for unprotected Windows machines. Even if you don’t do anything else in this guide, you are still miles ahead of other people who just connect their machines straight into a cable/DSL modem.
- Install a software firewall before going online: You should burn one of these to CD and have it ready before you reinstall Windows the next time.
- For XP users – install Service Pack 2 before going online: This is always recommended, even for non-XP users. However, XP Service Pack 2 is probably the only service pack secure enough to let you go online without some kind of firewall long enough to get all the critical updates. Note that you can download a program called AutoStreamer that allows you to easily slipstream a service pack into your Windows installation. (Slipstreaming a service pack is the process of integrating the service pack into your Windows installation so that it is automatically installed as part of the Windows installation process.)
- The first thing to do when you get online is go to Windows Update and download all the Critical Updates that are listed: After that, do this about once or twice a month. Or, you can turn on Automatic Update, but I don’t recommend doing so unless you’re using Windows XP with Service Pack 2 installed. (It just works better in SP2). If you happen to miss a critical update by a week or more, just following the other rules in this guide should protect you against pretty much anything by default.
- Avoid using Internet Explorer unless absolutely necessary: This is probably the most important thing to remember. There are all kinds of programs out there that are meant to patch up and secure IE, but you should seriously consider ditching IE and using something like Firefox or Opera instead.
I realize there are a handful of sites that require you to use IE, such as Windows Update. However, outside of Windows Update, it’s very important to be cautious even when you have to use IE. For example, if you’re at a web site called “Joe’s Warez Shack” and he wants you to install some ActiveX control before downloading a crack, use some common sense! I would go as far as to say only accept ActiveX controls from companies that you know and trust.
There are a few other things to keep in mind here as well. When I say don’t use IE, that includes email programs (such as Outlook and Outlook Express) that use the IE rendering engine. I would recommend Thunderbird as an alternative, but if you must use either of these two programs, be sure and download the latest security updates for both of them. Also, Outlook Express (the latest version with service pack) allows you to view all email in plain text – turn that option on. I don’t know if Outlook has this option or not, but go into Options and turn off as much HTML stuff (especially scripting) as you can. Also, a note about programs that use the IE rendering engine for HTML interfaces – these should be safe to use, except for those programs that actually allow you to browse the web such as the IE ‘shell’ browsers and Winamp with its ‘mini browser.’ Note that although some of the shell browsers may have some built-in security measures, if you decide to use them, you do so at your own risk! Maybe they are secure, and maybe they aren’t. But I’d rather not find out :) As for Winamp and other programs like it, feel free to use them … just don’t browse the web with them!
- Download and install a software firewall: You don’t actually have to pay any money for one of these – there are free ones available such as Sygate (the one I use), ZoneAlarm, Kerio, and others as well.
Oh, and there’s one other thing about software firewalls. While this next thing is optional, it’s definitely recommended – when you’re not using the computer, turn on your firewall’s ‘lock’ option, which stops all incoming/outgoing traffic to/from your computer until you’re ready to use it again. This can usually be done by right-clicking on the firewall’s icon in the task tray. If it turns out that the firewall is blocking some programs (such as anti-virus updates) that need to access the Internet while you’re away, some firewalls (such as ZoneAlarm) have an option to let certain programs access the Internet, even when the firewall is locked.
About hardware routers/firewalls: As previously discussed, these are available for cheap. I would recommend getting one of these, even with a software firewall installed (although it is not absolutely necessary, so long as you’re protected in other ways before going online). If you have an older/spare PC lying around, you can also use that as a firewall, although if this kind of thing interests you, you probably already knew that :)
- Download and install an anti-virus program: Again, you don’t have to spend any money on one of these if you don’t want to. Free anti-virus programs exist such as AVG (the one I use), Avast, Nod32, and others. Once you’ve got one of these installed, turn on automatic updates and set it to scan for viruses in the middle of the night, so you don’t have to do anything else with it. Just be sure and check it every once in awhile to make sure that it is downloading updates properly.
Now, I’m about to say something very controversial. As long as you follow all the other rules in this guide, you do not have to run a virus scanner resident (in the background) if you don’t want to. I know people who don’t and have been virus free for years. However, if you choose not to run one resident, you must be extremely vigilant about not using IE and scanning each and every file that is introduced to your system. Please be warned that doing this is like riding a motorcycle without a helmet – I seriously don’t recommend it, even for experienced users, because it’s just too easy to be careless or forget. But it is an option.
A couple of other things to note about anti-virus programs – since most Linux users run a software firewall of some sort, this is really the only security-related program you’ll have to run that Linux users don’t! Also, if you’ve only been running VirusScan or Norton Anti-virus, try something else – you may be surprised to find that you can run an anti-virus program without much of a performance hit at all. Nod32 users know exactly what I’m talking about :)
- Avoid running any email attachments before scanning them: This also includes anything in compressed files, such as .zip. Also, be especially wary about the following file extensions:
.bat, .chm, .cpl, .cmd, .crt, .com, .doc, .exe, .hlp, .hla, .inf, .js, .pif, .scr, .xls, .vbs (Did I miss any?) If you’ve got a virus scanner that can scan incoming email, this is relatively hassle-free.
- Turn on file extensions: Go to Folder Options in Windows Explorer and uncheck the option that says Hide extensions for known file types. This is so that you can see the file extension of all programs, which is helpful because some virus writers try to hide file extensions like this: test.txt.exe – if you had file extensions turned off, you would simply see it as test.txt, which may fool you into thinking it is a text file instead of an executable.
- Research any program before you install it: Before you install any program, you’ll want to check to make sure that it contains no intrusive adware/spyware. Besides the once or twice a month Windows Update check and occasionally checking that your virus scanner is keeping up to date, this is really the only thing you have to actively do to keep your Windows box secure. This isn’t really as hard as it seems, and generally takes less than 5 minutes, probably less time than it would take to install an app in Linux if you had to look outside of your distro’s repository to find it. Here is what I normally do when I’m ready to install an app for the first time:
- Go to Google and type in appname spyware where appname is the name of the program you want to install. If the program does contain spyware, you’ll usually get several links pointing this out. For example, if you search for kazaa spyware, you get about a million links for Kazaa adware/spyware removal tools, so you know this program is bad news. A note about spyware removal tools – DON’T USE THEM! If you know that you’re going to have to remove a bunch of crap after installing some app, then it’s better to not install it and look for something else to use instead. Otherwise, installing it and removing the crap afterwards is like having unprotected sex with somebody you know has an STD, and then going to the doctor the next morning to get a shot for whatever they might’ve had. This rule also applies for programs like Adaware, Spybot, and the rest of their ilk. Although you can keep them on your machine to scan every once in awhile just for peace of mind, these programs should NEVER be used as an ‘insurance policy’. The reason why I bring this up is because I’ve seen a lot of people with the mentality of “Well, I can install anything I want because I’ve got XYZ spyware remover installed that will protect me.” NO NO NO NO NO!!!!!!!!!!!!!!!! Please, don’t believe the marketing hype of some snake-oil salesmen trying to convince you that their app is going to save you from everything. If I EVER find out you’ve been doing this, I will come and slap you around a bit with a large trout! Except in a case which I specify below, you absolutely should never depend on these apps to protect you. They may be good to scan with occasionally, but that is all they should be used for!
Though I don’t run these programs resident, I have a couple of them installed and scan my machine about once a month – the only thing they ever find is cookies.
- Go to Download.com, search for your app, and read the User Comments. Fortunately, if an app does contain something nasty, there’s a pretty good chance a bunch of other lemmings have already installed it before you, so take advantage of people who learned the hard way :) Usually, if an app is adware/spyware infested, the User Comments will let you know.
Only in a couple of instances have I ever had to do any more work than that. However, if neither of the above methods yields any results, here are a few other things you can try.
- Look on the program’s web site and if it is free, look to see if it specifically mentions whether or not the app contains adware or spyware. This information can usually be found either in the feature bullet points or the privacy policy. Though some software authors may decide to lie about this, it may give you some insight. Note that if the app is open source (especially if you find it on Source Forge), you can be pretty sure it is safe to use.
- Look to see if the app costs money. If it does, there’s a good chance there’s no spyware. This is not a rule set in stone though, so be careful!
- Ask a computer-literate friend to see if they’ve ever heard of the app.
- If you’ve got a spare PC, a test partition, or an emulator (such as Virtual PC) installed, you can install the app there and then use spyware removers to scan with and see if they find anything. If the app checks out clean, it should be safe to install ‘for real’.
- If all else fails (and this is a last resort), run setup for the program, and scan through the license agreement to see if there’s any mention of ‘3rd party programs’ or anything like that.
Assuming you follow this rule and also don’t use IE, you should never have any spyware on your system. A couple of last things to note on this topic:
- Though I generally tend to avoid any program which contains ads, I don’t claim that everything which contains adware is bad. For example, Opera has ads in the ‘free’ version, but they don’t cause any harm to your system or drastically slow your bandwidth to a crawl.
- When I’m setting up a computer for somebody who I know probably won’t bother to do this much work before installing something, I usually put the fear of death in them by telling them that if they install anything from the Internet, it’s probably going to trash their machine. That way, they will usually either ask me or someone else before proceeding. This isn’t the ideal situation, but it’s better than having to clean up the mess after they install some spyware-infested monstrosity :)
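The attachment and file-extension rules above, as an added example that is not part of the original article: a Python sketch that flags the guide's risky extensions, the test.txt.exe style double extension, and risky names inside .zip attachments. The decoy-extension list, the size and nesting limits, and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extension list copied from the attachment rule in this guide.
RISKY_EXTENSIONS = {
    ".bat", ".chm", ".cpl", ".cmd", ".crt", ".com", ".doc", ".exe",
    ".hlp", ".hla", ".inf", ".js", ".pif", ".scr", ".xls", ".vbs",
}
# Assumption: harmless-looking extensions commonly placed before the real one.
DECOY_EXTENSIONS = {".txt", ".jpg", ".gif", ".pdf", ".mp3", ".htm", ".html"}
MAX_ZIP_DEPTH = 3                      # assumption: stop descending after this many levels
MAX_NESTED_BYTES = 10 * 1024 * 1024    # assumption: do not unpack nested zips larger than this


def _base_name(filename):
    # Drop any folder part; Windows ignores trailing dots and spaces in file names.
    return PurePosixPath(filename.replace("\\", "/")).name.rstrip(" .")


def displayed_name(filename):
    """Simplified model of 'Hide extensions for known file types': the last
    extension is dropped when it is one of the (registered) risky types."""
    path = PurePosixPath(_base_name(filename))
    return path.stem if path.suffix.lower() in RISKY_EXTENSIONS else path.name


def check_name(filename):
    """Return the findings for a single file name."""
    suffixes = [s.lower() for s in PurePosixPath(_base_name(filename)).suffixes]
    findings = []
    if suffixes and suffixes[-1] in RISKY_EXTENSIONS:
        findings.append("risky-extension")
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTENSIONS:
            findings.append("double-extension")
    return findings


def scan_attachment(filename, data, depth=0):
    """Return {path: findings} for an attachment and, for a .zip, its members."""
    report = {}
    findings = check_name(filename)
    if findings:
        report[filename] = findings
    if not _base_name(filename).lower().endswith(".zip"):
        return report
    if depth >= MAX_ZIP_DEPTH:
        report[filename] = findings + ["zip-nesting-too-deep"]
        return report
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report[filename] = findings + ["unreadable-zip"]
        return report
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            member = f"{filename}!{info.filename}"
            encrypted = bool(info.flag_bits & 0x1)  # content cannot be scanned
            nested = _base_name(info.filename).lower().endswith(".zip")
            if nested and not encrypted and info.file_size <= MAX_NESTED_BYTES:
                inner = scan_attachment(info.filename, archive.read(info), depth + 1)
                for inner_path, inner_findings in inner.items():
                    report[f"{filename}!{inner_path}"] = inner_findings
                continue
            member_findings = check_name(info.filename)
            if encrypted:
                member_findings.append("encrypted-not-scanned")
            elif nested:
                member_findings.append("nested-zip-too-large")
            if member_findings:
                report[member] = member_findings
    return report


def build_sample_zip():
    """Constructed sample: a zip with a text file, a spreadsheet, and a nested
    zip that holds a file disguised as a picture."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("photo.jpg.scr", b"constructed placeholder, not a real screensaver")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"hello")
        z.writestr("pics.zip", inner.getvalue())
        z.writestr("docs/price list.xls", b"constructed placeholder")
    return outer.getvalue()


if __name__ == "__main__":
    print("test.txt.exe is displayed as:", displayed_name("test.txt.exe"))
    for path, found in scan_attachment("holiday.zip", build_sample_zip()).items():
        print(path, "->", ", ".join(found))
```

A file that is flagged here still needs a virus scan before it is opened; the name check only shows what Explorer would otherwise hide.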
FAQ
Alright, so that’s it. Now you’ve got a secure box, have spent no money (except for maybe a hardware router/firewall, which goes well with any OS), and you’ll usually spend 15-30 minutes a month (for app research and Windows Updates) securing your box. That’s quite a far cry from the ‘hours and hours’ being proclaimed by the anti-Windows Evangelists, isn’t it? And you’re not even running a spyware remover resident!
Now, there are a few questions which will inevitably come up, so I’m going to address them here:
Q. Instead of using Windows, why not switch to something inherently more secure?
A. This is a good idea, and I would recommend that everyone explore the alternatives. I suppose anyone who knows about the alternatives and still chooses to run Windows does so for their own reasons. The reason why I do so is because I believe that Windows has the very best applications for what I use computers for. As a friend of mine so eloquently put it, “I don’t like Windows – I like what I can run on Windows.” Even hardcore anti-MS zealots have admitted that Windows is best for me to use, once they see the list of apps I’m using. Of course, there’s always the political/religious aspect of computing, but some of us are getting too damn old to be idealists.
Q. What about cookies / file encryption / file erasing?
A. Personally, I view these as privacy issues rather than security-related. The only time this would be of concern is if somebody has access to your box, either because you didn’t follow proper security precautions outlined here or because somebody with bad intentions has physical access to your machine. Obviously, if you are around people you don’t trust, you need to either log off or lock your computer when away from it – this is true of any OS.
Q. What about not running as Administrator?
A. I have found that some programs don’t respond well to this, and it is generally a pain in the arse to pull off. Plus, I have never found it necessary, as I have always run as Administrator with no problems thus far.
Q. What about turning off some services and/or network protocols?
A. With a firewall installed, I haven’t found it necessary to do any of this. Remember, this is a bare bones guide to security, and only things that are absolutely essential are included here.
As an extension to the previous question …
Q. What happens if an app turns off the firewall?
A. Generally, a virus scanner would alert you of such an app on your machine. However, failing this, I have tried it before using ZoneAlarm – when another running program shuts down the firewall (as opposed to a user doing it from the UI), before it dies, it does something to your Internet connection so that when you try to visit a webpage, it’ll redirect you to another web page that informs you of what has happened. I’m not sure if all firewalls do this, but I bet most of them do.
Q. How do you know that you have never been hacked/infected?
A. Well, how does anyone know? :) Truth is, I have been hit before, but only as a result of either purposely doing it as a test or not following my own rules (eg – not running anti-virus resident and not scanning files), and I have also seen other people’s infected machines. So I know what the symptoms are when a machine is infected. Plus, I’ve used a variety of virus scanners and anti-adware tools in the past, so you would think at least one of them would’ve found something by now!
I would like to conclude this by saying that if you have any comments, suggestions, or anything to add for a future revision of this article, please don’t hesitate to contact me. Also, I’ve been thinking about writing a similar article on Windows stability, which isn’t much more involved than this. Would anyone be interested in reading? Needless to say, I can easily go two years or more with 40+ apps installed on a single Windows install.
And what about speed, you ask? My friend Shane has already covered this quite nicely:
http://www.monroeworld.com/pchelp/tweakxp.php
The only thing I would add to what he wrote is to install this app, and turn on Windows classic folders.
Hmmm, no security issues and an OS that runs fast and smoother than a baby’s butt. See, you don’t have to ditch Windows in order to get these kinds of perks :)
About the author
I’ve been using Windows (in one flavor or another) for about 11 years now. I’ve also played with several other operating systems (some more than others), including Slackware, Gentoo, Debian, Suse, Redhat/Fedora, Knoppix, Mandrake, Linspire, Xandros, Libranet, LFS, FreeBSD, MacOS 8/9/OSX, etc. But my OS of choice is and has always been Windows. I’m not a Windows fanboy, I just believe in using the right tool for the job.
If you would like to see your thoughts or experiences with technology published, please consider writing an article for OSNews.
You’re right, nobody said there weren’t games for the Macintosh platform; the lights behind (or ahead from a Windows’ user) is kind of true. But that depends. If you want to get your work done or play computer games.
I do both. That’s why my 2nd box is ´made of Windows´; but when you need to get your work done efficiently and with a very professional look, I’d choose my OS X and its ´non-existent´ applications.
“if you require a piece of hardware between your OS and the internet, your OS probably isn’t ready for the internet. ”
So far I have not found an OS that I would not use a router to connect to the internet with. I guess that means that there aren’t any OS’s that are internet ready? Call me paranoid, but I do not connect without one.
I actually enjoyed the article. I don’t use Windows anymore, but I also know that my OS does not work best for everyone. As the author stated, he needed to use tools that had no good equivalent on the other OS’s.
Bill
So, all in all, Macintosh platform does NOT lack software of any kind! you can do everything you do with your Windows box!
Just for starters, I sometimes work from home by logging into a company intranet that only works on the Windows version of Internet Explorer, as it makes extensive use of ActiveX controls. Whether this is a good thing or a bad thing is not the point. The point is if I buy a Mac and ditch my Windows machine, I can’t work from home anymore unless I get Virtual PC, but that kind of defeats the point, doesn’t it?
(mattb)
not trying to troll here, if im just missing something let me know. my guess is that longhorn will be a lot more “unixy” than xp.
You’re missing something. I’ve been running the way I described in the article for years now, and following the guidelines, the number of times I’ve been hacked/infected has been 0. Though I would agree with anyone who says that in GENERAL running as a regular user is better than running as root/admin whenever possible, but in the case of Windows, it’s a matter of convenience vs safety, and convenience wins out here.
(To everyone else …)
Many of you have talked about how much better the security is on other platforms – you are REALLY stating the obvious. But sometimes, a person doesn’t get to dictate the platform he/she uses, especially if our jobs depend on it. We have to learn to deal with that platform and work around its limitations, which is what we do. Linux users especially do the same thing, just in different areas.
I’m sure many of you would get annoyed if somebody posted an article explaining how to set up fonts properly in distro x, and then somebody like me came along and said “Hey, but Windows does this out of the box!!” Yeah, so what? That means you’re going to drop your distro of choice and switch to Windows just because of that? Come on, people … THINK before you post!! You don’t think Windows users who read this site don’t KNOW that security is better on other platforms? Who exactly are you trying to impress with your profound wisdom?
when it comes down to it, security and convenience will always be a tradeoff. as it stands, i find the windows security policy system pretty useless, they dont offer anywhere near enough modularity. for example, say i want to give install permissions to a user, but dont want to give them +w to /windows. right now, its not possible, but it will be if they keep going the way they are going. you are right by saying as of now, its more trouble than its worth to run as a limited user in windows. however, it wont always be that way
for example, say i want to give install permissions to a user, but dont want to give them +w to /windows. right now, its not possible, but it will be if they keep going the way they are going. you are right by saying as of now, its more trouble than its worth to run as a limited user in windows. however, it wont always be that way
Right, that was my whole point. I didn’t mean to say that it would ALWAYS be that way, but just for the moment anyway
“The new gen gaming console like the playstation 3 and xbox 2 will handily trounce the highest end PC in player experience. ”
Boy, you said it. And that’s not even mentioning the patches you’ll undoubtedly need to get the game to work on your PC, and of course that’s only if you meet the hardware requirements in an age when a brand new $650 computer can’t even play a $20 game without dropping frames, generally freaking out and on occasion, just for fun, getting kicked out of the app by Windows “We’re sorry but Windows needs to kick you out of your game even though you haven’t saved it in an hour”… By the time you’ve spent upwards of $800 on your computer or more, you can finally play Unreal Tournament. The real question for FPS people is why don’t they get off their @$$es and go do paintball if they’re so anxious to shoot people, especially considering the money they would save? Do people really feel good about spending a grand or so just to play videogames?
They talk about first person shooters all they like, but play a game like KOTOR on XBox and then try and play it on PC with the mouse and keyboard. Way too tedious.
The real question for FPS people is why don’t they get off their @$$es and go do paintball if they’re so anxious to shoot people, especially considering the money they would save? Do people really feel good about spending a grand or so just to play videogames?
Because I just spent six years in the army and I don’t feel like paintballing anymore, on top of all the actual CQB training we did. I have a PC and I want to install the games that I want, period. Be it FPS’, RTS’, and RPG games that we love. We don’t have to come up with the alternative of buying a console, just because my mac doesn’t have all the games I want to play. And what concern is it of yours if I feel good spending a grand just to play videogames?
By the time you’ve spent upwards of $800 on your computer or more, you can finally play Unreal Tournament.
How’s this for embellishment? By the time you throw out your old mac and buy a new one, you can finally play Unreal Tournament.
You’re missing something. I’ve been running the way I described in the article for years now, and following the guidelines, the number of times I’ve been hacked/infected has been 0. Though I would agree with anyone who says that in GENERAL running as a regular user is better than running as root/admin whenever possible, but in the case of Windows, it’s a matter of convenience vs safety, and convenience wins out here.
You will probably never know when a sophisticated hacker has made merry with your PC. There isn’t a tool on earth that could detect all the hooks and advanced techniques of hiding processes. The point is merely in my opinion, that a personal experience can’t be reflected on something exact. The result of adding one and one is and will most likely always be two, and it’s a bit hard to swallow when someone likes 3 better and mentions that as an option in a serious theme article. You could argue about the colours or the game atmosphere of some game without stepping on the toes of reality all day long. Without claiming to know everything i feel the need to say in my very own humble opinion that security is an exact process with a lot of user parameters involved. The stuff as in Q3 doesn’t belong in any serious security article, other than emphasizing an obstacle and preferably followed by an acceptable solution.
“And what concern is it of yours if I feel good spending a grand just to play videogames? ”
None at all. The post wasn’t directed at you specifically, but since you asked, you don’t think that’s a little bit ridiculous spending that much when you could have just done Halo 2 for a couple of hundred??
>You mean in breathtaking 3D graphics and mediocre gameplay? At least on a PC, you have the whole ‘indie’ scene going on, games that are written and played by people who don’t judge the value of a game based on its polygon count. More than likely, the games that will be made for the PS3 and Xbox2 will be the same games we’ve been playing since the mid-80’s … only with prettier graphics. IMHO, I’ve played $10 shareware games that are more fun to play than just about anything released on the current generation of consoles.
i disagree (big surprise), it all depends on the genre. i would eat my hat before playing an fps or rts on console. at the same time, platformer and adventure games tend to be FAR superior on console. however, you are totally right about the whole “indie” scene on the pc, gathering of developers being a shining example of low cost, low budget games being better than the average flashy high budget shooter of the month. the only reason windows is currently on my main box is more of a world of warcraft bucket than anything else, if you are into rts, fps, simulation, or mmorpgs, you really don’t have a choice other than pc. if you are more a sports, platformer, adventure, racing, or fighting game kinda guy, a console is the way to go.
You will probably never know when a sophisticated hacker has made merry with your PC. There isn’t a tool on earth that could detect all the hooks and advanced techniques of hiding processes.
You’re right, which means if you run into this kind of hacker who wants in your PC bad enough, he’s going to get in, period. There’s no such thing as a computer online that’s not hackable. What I’m talking about here in this article is security for your average, every day desktop user, who doesn’t very often have some badass hacker specifically gunning for his machine. In almost all situations, it’s either some worm making the rounds or somebody trying to find a way to use your box as a spam relay – they’re not going to waste time trying to get into a reasonably secure system when there are 100,000 others out there that are wide open.
Doing all that advanced security stuff certainly goes a long way toward making your box more secure, just as hiring a security guard to sit outside by your front door while you’re at work will make your house more secure. But when we leave our homes, we lock our front doors and accept that there is a very small chance that when we get home, all of our furniture will be gone. But the chance of that happening is so small, we normally don’t do much more than that, unless you’ve got like $100,000 hidden away in your closet or something.
Linux isn’t necessarily secure out of the box. I’ve had an unprotected Linux box get hacked within 24 hours of going online.
when i take Slackware online, i disable services in inetd.conf. and add “–nolisten tcp” to X server args. with no listening daemons, it’s much harder to own my box.
some extra tips for Windows:
- Qwik Fix (if you use IE)
- patch Mozilla, AIM, and other apps
- disable unused services in services.msc
- don’t implicitly trust other boxes on your home LAN
- 20,000 entry hosts file to block suspect sites
all of the above takes maybe an hour or two, plus a few minutes a month to patch programs. it beats reinstalling Windows, or worse yet, losing your CC number to a script kiddie.
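The inetd.conf and X server steps from the comment above, as an added example that is not part of the original comment: a small POSIX shell audit that lists which inetd entries are still active, produces a copy with all of them commented out, and checks an X server argument string for `-nolisten tcp` (the X server's option for turning off its TCP listener). The sample file and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit inetd.conf for active services and check X server args.
# All function names and the sample file below are constructed for illustration.

# Constructed sample inetd.conf (not taken from any real machine).
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  proftpd
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
time    dgram   udp     wait    root    internal
  auth  stream  tcp     wait    root    /usr/sbin/in.identd in.identd

#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
}

# enabled_services FILE
# Print "service/protocol" for every active entry. An inetd entry has at
# least six fields: service, socket type, protocol, wait flag, user, program.
# Comment lines and blank or short lines are skipped.
enabled_services() {
    awk '
        /^[ \t]*#/ { next }
        NF < 6     { next }
        { print $1 "/" $3 }
    ' "$1"
}

# disable_all FILE
# Write a copy of FILE to stdout with every active entry commented out.
# Existing comments and blank lines pass through unchanged. After installing
# the result, inetd has to reread its configuration (it does so on SIGHUP).
disable_all() {
    awk '
        /^[ \t]*#/ || NF < 6 { print; next }
        { print "#" $0 }
    ' "$1"
}

# x_nolisten_tcp "ARGS"
# Succeed only if the X server argument string contains "-nolisten tcp".
x_nolisten_tcp() {
    case " $1 " in
        *" -nolisten tcp "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on the constructed sample; run the script as: sh audit.sh demo
demo() {
    conf=$(mktemp) || return 1
    sample_inetd_conf > "$conf"
    echo "active before:"
    enabled_services "$conf"
    disable_all "$conf" > "$conf.off"
    echo "active after: $(enabled_services "$conf.off" | wc -l)"
    rm -f "$conf" "$conf.off"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

On a real system, point `enabled_services` at `/etc/inetd.conf` and review the list before commenting anything out.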
The post wasn’t directed at you specifically, but since you asked, you don’t think that’s a little bit ridiculous spending that much when you could have just done Halo 2 for a couple of hundred??
Not ridiculous at all when you already have the system. I, as well as what I would assume is much of the user base that even strolls through OSNews.com, don’t only use windows to game. Quite the contrary for me, actually. I am a gamer, but do not game nearly as much as I used to. And when I do, Windows suffices. I also use Windows for work and encoding my DVD collection to avi, surf, IM, myHTPC box, etc. As for gaming, all I have to do is buy the game and install it. So, for me and many others, windows and the PC suits our gaming needs just fine. I don’t think $50 is too exorbitant a price to play Halo 2 on the PC.
Running without admin privileges and trying to get things done on a daily basis in windows is a friggin headache for someone who wants to be productive.
I don’t have Admin privileges on my Windows box at work, and yet I am productive…I mean, really, what amount of time a day do you normally spend installing software? Furthermore, I’m not sure how that would qualify as “productive” time…”productive” time is when you use applications, not when you install them, IMHO.
You mean in breathtaking 3D graphics and mediocre gameplay?
Hey, I don’t mind that you prefer Windows at all, but if you’re going to attack my industry in one broad stroke, I’m going to have to step in and correct you.
There are lots of very good 3D games with amazing graphics for the PS2/Xbox/Gamecube consoles. Of course, there’s a lot of crap too, but that’s volume for you. It’s not fair to generalize the way you do
At least on a PC, you have the whole ‘indie’ scene going on, games that are written and played by people who don’t judge the value of a game based on its polygon count.
Really? I’d be curious to hear about some of those ‘indie’ games. Unless you’re talking about puzzle games, such as Bejeweled… The only example I can think of of a successful non-puzzle indie game is Counter-Strike, and that was a Half-Life derivative, which itself was a Quake derivative (though it had better gameplay than both its predecessors).
More than likely, the games that will be made for the PS3 and Xbox2 will be the same games we’ve been playing since the mid-80’s … only with prettier graphics.
That’s because these games are fun. You’re basically saying that because we’re not inventing whole new genres, there’s no creativity in games, which is complete BS. After all, there hasn’t been any new genre created in movies or literature for decades, and still you get some pretty good films once in a while.
It’s like saying that music sucks because most musicians still use a 4/4 beat, or that modern computing sucks because we’re stuck in the WIMP paradigm. In fact, there’s a reason why such formulas exist: that’s because they work. Same thing goes for video games – you can’t just say a first-person shooter or a real-time strategy game is just “more of the same” and not innovative because of its genre – it’s how the genre is explored (the implementation, if you will) that counts.
IMHO, I’ve played $10 shareware games that are more fun to play than just about anything released on the current generation of consoles.
I find this hard to believe. Please give us some examples. I also doubt that you’ve played many console games over the past couple of years. Again, there’s been a lot of crap, but there’s also been some very innovative (and fun) games produced.
Virtually impossible for normal windows desktop use. I am not a windows desktop wizard and don’t claim to be, but I wonder how many of these folks professing users not to run as root or with admin privileges really actually use windows.
I’ve been doing it since 1996. What problems are you having?
A bevy of FPS shooters and RTS games are one of the main gaming reasons I stick with windows.
Sure, but as soon as you step out of those genres the PC game scene sucks compared to consoles (which is not surprising, since a lot more development money goes into console games than into PC games as a whole).
The reason why FPS and RTS are more fun to play on PCs is, as you point out, the fact that you can use the mouse and keyboard combo. These types of games are more difficult to play with a console controller (despite the constant improvement in controllers). Case in point: Quake3 on the Dreamcast was very playable with the Dreamcast mouse and Keyboard. On the other hand, Halo and Halo 2 are proof positive that you can play FPS on consoles. However, you must realize that FPS and RTS games are but two genres among many.
Another point for consoles is ease of use. I want to play a new game? I just buy or rent it, drop it in the console, and it just works. No need for installation, updating drivers, troubleshooting all kinds of little problems, tweaking resolution+effects to get a decent frame rate, etc., etc.
PC gaming is mainly for geeks, while console gaming is much more mainstream (Minesweeper and Solitaire being the exception, of course).
lol, no one’s saying there aren’t any games for the mac, there are, just not as many and the selection is light years behind that of the windows crowd.
Similarly, the selection for Windows PC is light years behind that of game consoles.
well, it seems like microsoft disagrees with you. we’ve seen them moving towards a multiuser system since nt. sp2 (whose purpose was a massive security overhaul) broke the old windows single user behavior that was used by older apps.
SP2 did nothing of the sort. It didn’t make fundamental changes at the level you’re talking about.
newer nt operating systems use something real similar to SELinux, which is along the lines of security policies rather than root.
NT has been doing this since it was released in 1993.
not trying to troll here, if i’m just missing something let me know. my guess is that longhorn will be a lot more “unixy” than xp.
First you need to explain what you mean by “unixy”.
when it comes down to it, security and convenience will always be a tradeoff. as it stands, i find the windows security policy system pretty useless, they don’t offer anywhere near enough modularity. for example, say i want to give install permissions to a user, but don’t want to give them +w to /windows.
This is a developer issue not a Windows one. App installations shouldn’t be writing to the Windows directory at all and *should* allow for installation into the user’s own directory.
From my experience, you get a dialog box asking for the root password. And after about the 20th time I got asked for the password, I just started typing it in without even thinking about it. God forbid a trojan or something were to ask for the password, because I would most certainly type it in as a force of habit.
The problem isn’t the things you do deliberately, it’s the things that happen without you knowing – program bugs that let exploits in. If you’re running as a regular user, the damage is somewhat contained. More importantly, most pieces of malware are written with the assumption that the user will be running as admin and simply fail if they’re not (as they try to do things they don’t have permissions for).
Not running as admin is basically a containment procedure – it means when you shoot yourself in the foot you don’t blow the whole bottom part of your leg off with it. It costs nearly nothing in terms of inconvenience but introduces substantial barriers to today’s malware (this will change in time as more malware is written to not need admin privileges, but hasn’t yet).
Basically, the formula for modern gaming is this:
Take last year’s game, add a couple of new weapons/levels and maybe increase the polygon count using the same engine, and then sell it for $50 as a whole new game.
I’m sorry, but the majority of modern games are not even worth the packages they come in, either on the PC or consoles. I actually own an Xbox, but rarely touch it because the games are so damn lame. Like Halo 2 which everyone brings up – was supposed to be this badass FPS, so I rented it and played it for maybe 10 minutes, basically the same crap we’ve seen over and over and over again. Hell, look at EA Sports and their ilk – how do they get away with charging full price year after year for what should be $10 expansion packs to last year’s games?
Sorry, but I come from the ‘golden age’ of video gaming, where you didn’t have to sit through 3 hours of CG snorefest (hell, if I wanted to watch a movie, I would’ve rented one) and/or pore through a 300-page manual just to get into a game, so maybe I expect too much. And I’m not just biased towards video games, as most movies and music sucks too. Of course, you find a few gems every now and then, but is it really worth having to dig through the piles of shit in order to find them?
But hey, I guess if you like playing the same games year after year, you really don’t have much to complain about.
Actually, I run as a power user at work because I don’t have admin privileges. For every day use, this works out most of the time, but sometimes I lament about the things I can’t do. So if I want to make a quick change at the system level, do I then need to shut down all my apps and log in as Administrator?
“It costs nearly nothing in terms of inconvenience”
Not to geeks maybe, but I work with people who are distressed if the icons on the desktop are out of order. So far keeping systems patched and keeping the firewall on has kept us from any problems, but if I have a need to switch these people to Firefox or user accounts, I’m going to have to present my case trial lawyer style. What do you say in a situation like that?
“Sorry, but I come from the ‘golden age’ of video gaming”
I’m curious which games you’re talking about and when the golden age was. Examples?
>SP2 did nothing of the sort. It didn’t make fundamental changes at the level you’re talking about.
really? from what i’ve read, it made a bit of a buzz around microsoft. for the first time, microsoft broke old application compatibility in the name of security. most of what was broken was stuff that violates NT’s security paradigm. if you really want, i’ll google some links for you later, but it shouldn’t be too hard to find.
>>newer nt operating systems use something real similar to SELinux, which is along the lines of security policies rather than root.
>NT has been doing this since it was released in 1993.
correct, that is what i was saying. with every version it becomes more powerful.
>First you need to explain what you mean by “unixy”.
unixy as in multiple users with different levels of access. i remember reading that sfu was going to be integrated as well, but that’s not what i was referring to :)
>This is a developer issue not a Windows one. App installations shouldn’t be writing to the Windows directory at all and *should* allow for installation into the user’s own directory.
actually, it’s a little of both. the problem is that everything is very tightly coupled in windows. things shouldn’t need to write to windows, but in some cases they do. the registry needs to be cleaned up a lot, with clear definitions of what is system stuff, and what isn’t. program files should only be used for globally installed apps, otherwise they should go to the users folder. that kind of stuff. as i said throughout my post, microsoft is moving in this direction, and has for a long time. windows users shouldn’t just ignore this stuff because they are used to a single user os. at the same time, ms is not done yet, and often the half implementation of this stuff will give extremely inconsistent results (whether or not something installs if you don’t have privileges mostly depends on who made the installer right now).
Basically, the formula for modern gaming is this:
Take last year’s game, add a couple of new weapons/levels and maybe increase the polygon count using the same engine, and then sell it for $50 as a whole new game.
Actually, it’d be sold as a sequel, and people would know what they’d be getting. If they buy the sequel, it’s because they liked the original and want to play more of it. That’s market forces for you. There are also incentives to re-using the same engine, especially if you developed it in-house. Games cost a lot of money, and a great deal of that money is used on artistic production (modeling, animation, texture, effects, sound). If a developer can save some money by reusing last year’s engine, they’ll do so (also, it is costly for game programmers to learn a new engine for every game). The fact is that you can produce very different games using the same engine, like you can make two very different programs using the same toolkit.
That said, it’s true that publishers will often try to duplicate the success of groundbreaking games, and this will stifle creativity and innovation. However, it’s unfair to over-generalize like you do.
I actually own an Xbox, but rarely touch it because the games are so damn lame.
Ah, that’s your problem, you should own a PS2 instead! :) Seriously, the more innovative games (which are often from Japan) are often found on PS2 and Gamecube.
Like Halo 2 which everyone brings up – was supposed to be this badass FPS, so I rented it and played it for maybe 10 minutes, basically the same crap we’ve seen over and over and over again. Hell, look at EA Sports and their ilk – how do they get away with charging full price year after year for what should be $10 expansion packs to last year’s games?
Sports games tend to be repetitious, because they are based on a real-life game that doesn’t change. Meanwhile, it’s also difficult to break new ground in FPS games because there have been so many of them. I didn’t really care much for Halo 2, but I have fond memories of the first one.
Sorry, but I come from the ‘golden age’ of video gaming
You don’t have to be sorry, the first video game I played was Space Invaders, and it had only come out three months earlier. Needless to say, I was hooked after the very first game (which probably explains why I work in the games industry nowadays). It’s a good thing we can still play these games using emulators, but the fact is that the industry has much evolved since then. Not only that, but there were sucky games back in the days as well (E.T., anyone?)
where you didn’t have to sit through 3 hours of CG snorefest (hell, if I wanted to watch a movie, I would’ve rented one)
Well, just press Start and you’ll skip cut scenes on most console games. That said, some people like their games to have a story. You can’t please everyone, but fortunately you can skip movies on most games.
and/or pore through a 300-page manual just to get into a game,
By definition, console games are easy to play and reading the manual is almost always unnecessary. Most of them have 16 or 32 pages, max (often with a couple of pages devoted to ads).
And I’m not just biased towards video games, as most movies and music sucks too. Of course, you find a few gems every now and then, but is it really worth having to dig through the piles of shit in order to find them?
Yes, because there’s no other way apart from forbidding people to make bad art/movies/books/TV/music/games. You want quality, you’ll have to look for it. However, it’s not that hard: there’s word-of-mouth, web sites aplenty, magazines…
But hey, I guess if you like playing the same games year after year, you really don’t have much to complain about.
Ironically, I don’t play that many games during a year. The last thing I want to do when I come home is to get back on the PS2 and start playing. However, I try a lot of games for a few minutes, and people often show me stuff, just so I keep abreast of what others are doing. I’ll usually play through 2 or 3 games a year, tops. Considering this, I try to select the best games I can. Don’t get me wrong, we agree that there’s a lot of crap, but there are quite a few good games out there as well…
I’m curious which games you’re talking about and when the golden age was. Examples?
Well, now that we are officially off-topic (hey, the article author’s the one who started it!)…
Best videogame ever (for me): Tempest. I’m actually trying to find a vintage Tempest machine, but the few I’ve seen were horribly expensive.
Other great games from that era: Stargate, Robotron:2084, Joust, Ladybug, Gyruss…man, I could go on all day!
“Seriously, the more innovative games (which are often from Japan) are often found on PS2 and Gamecube. ”
Unless you’re a Star Wars fan in which case you’re left out in the cold.
Temporarily, I was the most popular kid in the neighborhood when I got my Atari 2600. Then I got an Intellivision II. Then somebody else got a Colecovision and my popularity waned…
After that, it was Dino Eggs and Fahrenheit 451 on the Commodore 64.
I imagine we’re showing ours right about now.
you can count on it… but I ought to admit that I fit perfectly in the same “period” (to put a friendly name).
:)
Don’t forget The TI99/4A and its fabulous Parsec. (that did it…)
Actually, it’d be sold as a sequel, and people would know what they’d be getting.
Right, so you’re telling me that all those games using the Quake 3 engine were sequels?
That said, it’s true that publishers will often try to duplicate the success of groundbreaking games, and this will stifle creativity and innovation. However, it’s unfair to over-generalize like you do.
Um, no it isn’t … just LOOK at the games on the shelf today. A whole lot of crap, very little quality.
Ah, that’s your problem, you should own a PS2 instead! :)
Actually, I had a PS2 and sold it. I plan to do the same thing with the Xbox, but haven’t gotten around to it yet. On the other hand, I may put a mod chip in there so I can play some real games on the 46′ Toshiba.
I’m curious which games you’re talking about and when the golden age was. Examples?
My first console was an Atari 2600, if that tells you anything. Favorite game of all time – Robotron 2084 – the closest thing I have found to digital crack so far
When my dad came to visit for the holidays, I put in Atari Anthology and introduced him to Yars Revenge. It was close to his bedtime, but he kept forgoing sleep for just ‘one more game’, and that is gaming at its best. VERY few games today have that sort of addictive nature to them.
It’s been a while since we last met online. I only post here from time to time now. How’s it going?
I don’t dispute the dominance the consoles have over the gaming market, after all, it pretty much is the gaming market. I am simply firing back at those mac heads who are quick to dismiss windows as an unacceptable gaming platform, among other things, and then further say “that’s what the consoles are for.” I pretty much only play FPS’s and RTS games, which makes my choice of windows as a gaming platform pretty clear. But no doubt, the consoles have always been, and will always be the gaming mainstream as you pointed out.
I don’t have Admin privileges on my Windows box at work, and yet I am productive…I mean, really, what amount of time a day do you normally spend installing software? Furthermore, I’m not sure how that would qualify as “productive” time…”productive” time is when you use applications, not when you install them, IMHO.
You’re right, “productive” time varies from person to person. I am talking my home productivity. For me, that means using apps, installing/uninstalling them, backing up my DVDs, bootskinning, uxtheming, having fun with it, etc. I remembered having difficulty doing some of those things without admin privileges. So, I said screw it and gave myself admin rights and that was that. It’s been so long since I have been logged in with other than administrative rights, that I can hardly remember (last time I tried I was using 2000 Pro I believe). The point was, to this day, I have been running with admin rights and all has been well with me security-wise.
Good to see you again, a nun he moos.
Right, so you’re telling me that all those games using the Quake 3 engine were sequels?
Allow me to quote you on this: “Take last year’s game, add a couple of new weapons/levels and maybe increase the polygon count using the same engine”. What you’re describing here is a sequel, not just a new game with the same engine. Case in point: Half-Life vs. Quake. They did not simply add new weapons/levels – they had completely new weapons (with different behaviors) and completely new levels – in fact, a new setting. The art direction was totally new, there were lots of new gameplay mechanics and the story…well, there WAS a story, contrary to Quake. To me, Half-Life is not a pumped-up copy of Quake, but rather a complete game in and of itself, that just happens to use the Quake engine.
Um, no it isn’t … just LOOK at the games on the shelf today. A whole lot of crap, very little quality.
Well, to be fair, you have to play those games to judge them, not just look at the box. It depends on what you like, I guess. But, by definition, quality games will be more scarce than crap games.
VERY few games today have that sort of addictive nature to them.
True – but there’s a reason for that. We’ve moved from put-another-quarter-in business model to a buy-the-new-game one. Games are now designed to generally have between 6 to 15 hours of play time.
Actually, I run as a power user at work because I don’t have admin privileges. For every day use, this works out most of the time, but sometimes I lament about the things I can’t do. So if I want to make a quick change at the system level, do I then need to shut down all my apps and log in as Administrator?
Right click -> Run As.
The only tricks with Run As are that you need to Shift+Right click on control panel icons to get the “Run As” option and that starting a copy of Explorer as Admin is rather unintuitive.
To get an Administrator level instance of Explorer, you need to “Run As” *Internet Explorer* and then chuck a drive letter into the URL bar. Hopefully Microsoft will fix this someday.
So far keeping systems patched and keeping the firewall on has kept us from any problems, but if I have a need to switch these people to Firefox or user accounts, I’m going to have to present my case trial lawyer style. What do you say in a situation like that?
Firstly, there’s basically nothing a typical user should *need* admin privileges for in a managed environment. Most applications that have trouble running as a regular user can be fixed with a bit of permissions fiddling in the relevant registry keys and filesystem. For the tiny minority that can’t, a “runas /savecred” shortcut should make end user interaction pretty much transparent.
The problem with giving users elevated privileges is not that they have Administrator access to their machines, per se, it’s when they run as an Admin *all the time*. We don’t have a huge problem with giving (most) users a *local* (obviously not Domain) Administrator account to log in with when required, but if we find people running as an admin level account *all the time* they’re in for a serious dressing down.
We simply presented it as a benefit – users wouldn’t be able to install their own software (ie: P2P, etc applications), users wouldn’t be able to (easily) hose entire machines, most malware and viruses don’t work when the user isn’t an admin, etc.
I’ve considered a move to Firefox for external web browsing (enforced at the proxy level by user-agent checking), but the lack of easy centralised management for Firefox and that annoying copy-paste bug have thus far stopped me.
really? from what i’ve read, it made a bit of a buzz around microsoft. for the first time, microsoft broke old application compatibility in the name of security. most of what was broken was stuff that violates NT’s security paradigm. if you really want, i’ll google some links for you later, but it shouldn’t be too hard to find.
Most of the breakage from SP2 came from things dropping “bug compatibility” with some earlier versions of Windows, recompiling most of the system with an improved compiler (limiting buffer overflow exposure) and the firewall defaulting to “on”. I imagine there was also some tweaking of files and registry permissions.
Personally I wouldn’t consider any of that “fundamental changes”, but YMMV.
correct, that is what i was saying. with every version it becomes more powerful.
Well, not really more powerful, perhaps just more finely configured.
unixy as in multiple users with different levels of access. i remember reading that sfu was going to be integrated as well, but that’s not what i was referring to :)
Well, NT has supported multiple users with different levels of access since it was released, so in that case I’d have to say “no”.
actually, it’s a little of both. the problem is that everything is very tightly coupled in windows. things shouldn’t need to write to windows, but in some cases they do.
Yes, poorly written applications – that was my point.
the registry needs to be cleaned up a lot, with clear definitions of what is system stuff, and what isn’t.
These things are already well defined. The problem is with developers who are still writing like their applications are only going to run on Windows 95.
program files should only be used for globally installed apps, otherwise they should go to the users folder. that kind of stuff. as i said throughout my post, microsoft is moving in this direction, and has for a long time. windows users shouldn’t just ignore this stuff because they are used to a single user os. at the same time, ms is not done yet, and often the half implementation of this stuff will give extremely inconsistent results (whether or not something installs if you don’t have privileges mostly depends on who made the installer right now).
Again, these are all developer issues. The basic facilities for this have been around since NT was released (with somewhat more advanced features like prompting for an admin user account introduced in Windows 2000) and were supported (albeit not enforced, for obvious reasons) even in the non-multiuser Windows 9x line.
I’d be interested to know what software you’ve got that doesn’t work with “Run As”, because I haven’t seen any for many years (and I’ve been doing the regular user/Run As thing in NT since 1996).
I call shenanigans.
I call shenanigans.
Any particular reason?
Is Darius Lithuanian? Name is Lithuanian for sure
Is Darius Lithuanian? Name is Lithuanian for sure
Dunno … I stole the name from a friend of mine
Darius is Persian
“Install a software firewall before going online: You should burn one of these to CD and have it ready before you reinstall Windows the next time.”
Why? I have a real hardware firewall (not a router); I don’t need a bloat monster like ZoneAlarm hogging my system resources. It’s annoying and it makes a bloody mess in the Windows registry.
“Install a software firewall before going online: You should burn one of these to CD and have it ready before you reinstall Windows the next time.”
Those were either/or options, meaning install a software firewall if you don’t have a hardware one. Anyway, I like to have a software firewall in addition to hardware (I use Sygate myself), because I can more easily tell which apps are trying to send outbound packets.