TECH Windows Security 101 (Or, "It's like Linux, but with way more compatible software!")

OddOne

< Yes, I do look like that.
Talk about a headline that gets the fanboys' attention! :lol: :eek:


Now that Windows 7 has been out long enough to have a service pack, perhaps it's time to dig out the tips and tricks on making a secure Windows installation. Yes, I did just use "secure" and "Windows" in the same sentence, and next to each other as well!

Is it even possible to have a reasonably secure Windows machine? And how does one define "reasonably secure?" Well, for the first question the answer is "yes." As for the second, we'll define "reasonably secure" as "the machine will be strongly resistant to all present and known forms of malware that targets the Windows platform, to the extent that in most cases the user has to literally permit the malware to install before anything adverse can happen."

With that definition in mind, what do we do first?


Before we get into that, a quick note: I'll be discussing Windows 7 specifically here. These same rules apply to other versions of Windows as well but the locations and names for things will probably differ.


For starters, on Windows 7 there are out-of-the-box protections we can implement.

Tip 1: You're the administrator of your machine, but you don't need to be admin all the time. Use at least two user accounts to isolate system administration from daily use.

When you install Windows, the installation process will ask for a username and password to act as the initial administrator account. Choose a username that you feel is appropriate for an admin account but not an everyday-user account, and select a strong password for that account. (More on password strength in a bit.) Once you successfully install Windows, open Control Panel, then open User Accounts and Family Safety, then click Add or remove user accounts. Create a new user account for yourself for normal, everyday use. From then on, log onto the computer with that everyday account.

Tip 2: Take advantage of UAC (User Account Control) but make it easier to live with by setting it to the second-highest setting.

People that come from older versions of Windows hate UAC because it interferes with getting things done. However, the UNIX world (and by extension the various Linux distributions as well) has always lived with being prompted for a "root" password before being allowed to make any significant system changes. UAC basically emulates the functionality of Linux tools like sudo by requiring that an administrator manually and specifically approve doing anything potentially harmful, but the way it ships in Windows 7 is more annoying than helpful.

Setting UAC to the second-highest setting still allows it to work as intended but stops UAC from dimming (and locking out) the whole desktop. When you do something on your non-admin account that requires administrator approval, UAC will ask you for the admin password, just as Linux will if you have to have elevated privileges to make a change.


The first two here will automagically make your system a little tougher to bust into and will make it harder for you to do something dumb that compromises security. But, let's lock things down even more, shall we?

Tip 3: Install good anti-malware applications.

The whole purpose of anti-malware apps is to stop malware from getting a toehold even if you do something dumb. There are plenty of players in this market segment and many of them are terrible, but there are some shining stars:

  • Microsoft's own MSE - Microsoft Security Essentials - is shockingly good ("shockingly" in that "hey, Microsoft wrote a security app that works well?"), and free for Windows 7 users. It's a very popular choice to use in conjunction with another product, but stacking anti-malware apps is risky so beware.
  • Avast is one of the better antivirus apps out there in the freeware space if you want to run separate antivirus/firewall/anti-rootkit products instead of going with a unified solution.
  • Kaspersky Labs' offerings and ESET's NOD32 are excellent choices for pay/subscription protection and they offer unified "do it all" packages for one-stop securing.
  • Zemana Anti-KeyLogger is a great add-on that stacks well with other anti-malware applications. It detects and blocks keyloggers, screen capture apps, and other forms of data thieves. It's a pay-to-use product with a free trial.

Avoid anything from McAfee, which has always been a joke in the IT security world for its high false-positive rates and low detection rates. (Interestingly, Intel bought McAfee out recently.)

Tip 4: Install a good application firewall.

Windows comes with a built-in firewall but it's pretty basic-slash-primitive. Grab a good application firewall, or use an anti-malware suite that includes one. That way, if you pick up an infected application that somehow escapes the antivirus software's notice the firewall can block it from "phoning home" and possibly making things worse.


So, by now you're using a non-administrator account on a machine that has anti-malware defenses installed. You're already most of the way there!


The next thing to deal with is the attack targets, the programs malware writers attack in order to push their program code onto your machine. Taking care of these, in and of themselves, will remove greater than 90% of the malware risks associated with Windows! (The rest you're covering with the tips above.)

Tip 5: Don't use Microsoft's Internet software.

This may sound strange, but the biggest culprits for malware infections on Windows are Microsoft's Internet products: Internet Explorer, Outlook, Outlook Express, and Windows Mail. Malware writers target security holes in these applications in particular because Microsoft stupidly wrote them to be inherently trusting when it comes to what data they receive.

Better replacements for Internet Explorer include Firefox (currently the most popular), Apple Safari and the derivative Google Chrome, and Opera. Note that popularity also makes you a target - malware writers have already started targeting Firefox so make sure you keep up with updates.

For email handling, Mozilla's Thunderbird (which is derived from Qualcomm's legendary mail product, Eudora Pro) is arguably the most powerful mail client available. Disable HTML mail by default for a little extra security.

Microsoft isn't the only software company that gets hit with security concerns. Just ask Adobe about the Acrobat vulnerabilities. Let's take care of that as well, shall we?

Tip 6: Update all of your software. Do it often.

Many software products nowadays are frequently updated, and some include automatic updating as part of the product's standard feature set. Although automatic updates can occasionally be a hassle if something is included that you may not like, in the vast majority of cases your best bet is to either let updates happen automatically or at the very least check for them weekly.

Operating system and anti-malware updates should almost always be allowed to happen automatically.

If you don't trust automatic updates (which begs the question, "if you don't trust automatic updates why are you using that software to begin with?"), set your software to notify you when updates are available and then you can inspect the changes and decide on implementation.


Your machine is now hardened. You've isolated everyday use from administrative access, protective software is monitoring the system and dealing with threats, and you're not using popular targets for malware. Everything's being updated to keep up with the latest threats. But one thing remains...

The weakest link in IT security still has to be addressed...

You.


Tip 7: Beefing Up The Meatware 1: Pay attention to where you're surfing!

If you visit websites that often employ malware for advertising, you're asking for trouble. Porn sites in particular are popular places to pick up the virtual diseases that make up for the real ones you would have gotten from the real thing.

Many modern browsers automatically detect potentially unsafe sites and warn accordingly. Heed those warnings.

Tip 7: Beefing Up The Meatware 2: Email attachments are never your friend.

Never, ever, ever trust an email attachment that you didn't expect to receive, even if it supposedly comes from someone you know. If you're the type that loves to open attached files, get out of that habit. Have your friends warn you in advance if they plan to send an attachment, and delete anything you get that comes in unexpectedly.

Tip 8: Beefing Up The Meatware 3: Watch what you download!

If you download a lot of files, be sure to only download from trustworthy sources, preferably those that auto-scan their files. Scan the downloads again yourself before opening them.

Again, most modern browsers have automatic download scanning available. Use it!

Tip 9: Beefing Up The Meatware 4: Never trust emails that ask you to log into a website!

The most common scam currently is "phishing," which involves tricking a user into revealing login credentials (that'd be your username and password) for something else, such as an online bank or popular video game. The operators of the real sites will never, ever ask you for your passwords via email. Never, ever visit a website through a mail link without verifying where that link goes, and be careful as what a link says and where it actually goes can differ!

If an email advises you to log into an account you have somewhere, manually go to that website yourself (read: use your own bookmark or type in the address manually - do not click a "login here" link in an email) and do what you need to do.

Tip 10: Beefing Up The Meatware 5: Use strong, unique passwords!

One of the biggest problems with security is the fact that we humans aren't built for it. We cannot reliably remember numbers longer than seven digits, and due to our penchant for pattern recognition we are easily confused by complex things that lack clearly discernible patterns. Worse still, we're creatures of habit and tend to reuse or repeat things a lot.

All of this makes for weaker security, especially when it comes to passwords. What makes a password strong also makes it hard to remember and more difficult to type.

Also, reusing passwords is never a good idea, as once a password is compromised in one location it's compromised everywhere it's used. Ideally a password should be usage-specific, meaning that you should have a unique strong password for everything that uses passwords. Your password for TB2K, for example, should never be used anywhere but TB2K. Your online bank account password should never be used anywhere but that bank's website. If you play online games, each game should have its own unique password. However, I bet at least half of you reading this are reusing passwords. That's another habit you'll want to break.

Here's what makes an ideal strong password:

  • At least 8 characters long, but the longer the better.
  • Contains at least one lowercase alphabetic character.
  • Contains at least one UPPERCASE alphabetic character.
  • Contains at least one numeric character.
  • Contains at least one non-alphanumeric character.
  • Does not match any words in any known language, whether as a correctly-typed word or as an obfuscated one (e.g., "l33t5p3@k").
  • Does not repeat characters.
  • Mixes character orders up - no more than two consecutive characters of any given type (numeric, alphabetic, symbolic) in a row.
  • Does not correlate to any personal information (e.g., don't use a child's birth date).

Based on those rules "H3ll0!" is a mediocre password, but "k3e9I(#U0!" would be very strong. Unfortunately these rules conflict with how the human brain works so we immediately react with thoughts like "how will I ever remember a password like that?!" The best way is old-school: a small notebook. Write each website's address and a custom-crafted site-specific strong password in it, and protect that notebook like you would a pile of money, a credit card, or checkbook. Need a password generator that makes cryptographically-secure passwords? Steve Gibson of GRC.com has you covered here - just snip out a chunk of something from the middle box if the website in question accepts symbols, or from the bottom box if the site stupidly refuses to allow non-alphanumeric password characters, write it in your notebook, use it as the password for that site, rinse and repeat.

If you'd like to see how strong your existing passwords are, Microsoft has a password checking page on their website that uses Javascript to test your password without sending it to a server. That can be poked and prodded here. There's also a (IMO better) more comprehensive password checker here and the program code to make it work can be downloaded from that website.


Hardened system security. Hardened malware defenses. Hardened meatware. Secure it all and you're golden! If you follow these tips, you'll probably never get a malware infection no matter what platform you use.
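The password rules listed under Tip 10, turned into a checker that reports which rules a candidate violates. This is an added example, not code from the post or from any of the checkers it links to; the word list and the leet-speak substitution table are constructed stand-ins for a real dictionary, and the personal-information rule is left out because it needs data about the user.

```python
import string

# Constructed stand-in for "any words in any known language"; a real check
# would load a full dictionary. Added example, not code from the post.
WORDLIST = {"hello", "password", "dragon", "welcome", "letmein", "monkey"}
# Reverse of common obfuscations so an "l33t5p3@k" spelling maps back to letters.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

def _char_class(c: str) -> str:
    return "numeric" if c.isdigit() else "alphabetic" if c.isalpha() else "symbolic"

def _max_run(pw: str) -> int:
    """Longest run of consecutive characters sharing one class."""
    longest = run = 0
    prev = None
    for c in pw:
        cls = _char_class(c)
        run = run + 1 if cls == prev else 1
        prev, longest = cls, max(longest, run)
    return longest

def _looks_like_word(pw: str) -> bool:
    """True if the password, typed plainly or de-obfuscated, is a word in WORDLIST."""
    stripped = "".join(c for c in pw if c.isalnum())
    for cand in (stripped.lower(), stripped.translate(LEET).lower()):
        if "".join(c for c in cand if c.isalpha()) in WORDLIST:
            return True
    return False

def check_password(pw: str) -> list:
    """Return the rules from the post that `pw` violates (empty list = passes).
    The personal-information rule needs data about the user, so it is not coded."""
    failures = []
    if len(pw) < 8:
        failures.append("shorter than 8 characters")
    if not any(c.islower() for c in pw):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("no non-alphanumeric character")
    if _looks_like_word(pw):
        failures.append("matches a dictionary word (plain or obfuscated)")
    if len(set(pw)) != len(pw):
        failures.append("repeats a character")
    if _max_run(pw) > 2:
        failures.append("more than two consecutive characters of one type")
    return failures
```

Run against the post's own examples, "H3ll0!" fails on length, the repeated "l", and de-leeting to "hello", while "k3e9I(#U0!" passes every coded rule.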
 

night driver

ESFP adrift in INTJ sea
THANKS.

My laptop now has SEVEN on it (for a number of reasons which add up to a comedy of BestBuy errors...)...

grrr JUST when I got to like Vista.....
 

milkydoo

Inactive
Talk about a headline that gets the fanboys' attention! :lol: :eek:

Indeed! heheh Over the last year, I've increased my Linux usage to about 99%. I only use Windows now for games and disc burning. The various Linux burning apps all seem to have something wrong with them. I like K3b, but it can't verify worth a sh*t. The others just don't sit well with me, or have limited features.

I'm hoping my finances will improve this year and I'll get a new box and a new notebook, and I'll have Win7 on those as well as Linux when I do.

I've been an off and on Linux user since 1999, more off than on, for probably obvious reasons, but I've been using Ubuntu for 4 years, and I've recently dumped it due to PITA problems and have installed 7 new distros to replace it! :D I wanted to try out different ones and different desktops before picking one as my Main.

I'm posting this from Zenwalk with XFCE.
 

SteveReloaded

Veteran Member
Thanks OddOne

Those are good pointers. I have an XP machine I need to upgrade soon. Try to run most of my WWW activity from my Mint Linux box, but there are some things just not ready for prime time there.
 

rafter

Since 1999
My son installed Microsoft Security Essentials and Advanced Care Systems on my laptop at Thanksgiving. I had never heard of them and was running AVG. I was having major problems and it was running extremely slow and it was a night and day difference (like a new puter) when he was done.

Brought new life to a 5 year old laptop that I thought was done for.
 

OddOne

< Yes, I do look like that.
Like I said, many of those pointers will work for, well, any OS on the planet. In Linux distros #1 is automatic - you are prompted to select a root password during install and forced to create only minimal-privilege accounts for everything else, which is the smart way to do it. (MS still hasn't come around to the idea that a least-privilege model should be the standard.) Tip 6 also applies to any OS on Earth, including *NIXes - even Apple has been forced to admit that OSX and some OSX applications have vulnerabilities that they're patching out via hotfixes.

And the meatware tips, well, let's just say that it's often easier to circumvent security by attacking the user of the machine instead of the machine itself. After all, people would often willingly surrender a password for chocolate.
 

OddOne

< Yes, I do look like that.
Wow, server lagged and doubleposted...

EDIT: It's only lagging for post submissions and edits - pageviews are working speedily.
 

OddOne

< Yes, I do look like that.
A quick note about reusing passwords:

A new game is out called Rift. Rift is dealing with a massive amount of hacking attempts and some player accounts were breached. One of the attacks used to breach these accounts (and promptly steal the virtual goods out of the game characters) is to run a list of username/password combinations stolen from another game, World of Warcraft. If your user/pass was lifted five years ago, and you reused it for Rift, you probably ended up with a naked and penniless character. Folks using unique passwords were far less often hit, even if they did reuse usernames.

Password reuse is very common, and very insecure.
 

denfoote

Inactive
7 has a service pack??
Looks like I'll have to reboot into the Gatesian nightmare and check it out.
DW is the one who, for some reason, is locked into the Window frame.
 