Windows Security Guide

Update: though much of this guide is still relevant, some parts are outdated. This guide is in need of an overall revamp, which might happen soon. If you have any suggestions, feel free to comment. May 2007

06.12.04

The following are recommendations for securing and using your Microsoft Windows operating system, compiled from years of use and observation. In a nutshell:

  1. Use common sense.
  2. Use and update antivirus software.
  3. Run Windows Update service frequently.
  4. Use a browser other than Internet Explorer.
  5. Use a software firewall.
  6. Scan for Adware/Spyware.
  7. Run as a “limited” user.
  8. Know what’s on your system.
  9. Probe your ports.
  10. Alternatives.
  11. Make backups.

1. Use common sense.

Rule number one of internet security: What you don’t know CAN hurt you. Due to the massive popularity of Microsoft Windows, and its inherent insecurity, it pays to be in control of your PC, not the other way around.

The internet is full of malicious people and programs, who want nothing more than to scam you or break into your computer. Ever received an e-mail from eBay, PayPal, or a bank asking you to “confirm your account” by entering passwords, credit card numbers, or social security numbers? It’s a scam, and if you comply, you’re almost guaranteed to become a victim of identity theft. Be smart. Question everything.

Ever received a virus as an e-mail attachment? Sure, we all have. Sometimes I receive several in one day. NEVER open an e-mail attachment unless you KNOW what it is, and why it was sent. Your friends are not immune. Don’t open an attachment just because it came from a friend. Many viruses masquerade as patches sent from Microsoft. News flash: Microsoft does NOT send patches via e-mail. Delete it immediately if you receive one.

Use Outlook or Outlook Express? Be especially careful. Many people humorously dub “Outlook” as “Lookout” because the majority of e-mail viruses target the soft underbelly of Outlook. If you use Outlook or OE, be sure to disable the “preview pane” under the “View” menu. This way, an infected attachment will not automatically execute when you click that e-mail message.

2. Use and update antivirus software.

This is critical. Running a Windows operating system on the internet without antivirus software is comparable to swimming through shark-infested waters with an open wound. Just as importantly, make sure you UPDATE the antivirus software. New viruses come out everyday, and antivirus software is only as effective as its latest virus definitions. Most new antivirus software comes with either an “automatic” or “scheduled” update feature. Know what you have and verify that it’s working!

Inevitably, the “What antivirus software should I use?” question arises. The answer is that it doesn’t really matter. Most people use and recommend big names like Norton or McAfee, but these are not the only options. You don’t even have to pay for antivirus software. My favorite free programs are AVG [http://www.grisoft.com], Avast [http://www.avast.com], and Antivir [http://www.free-av.com/]. No matter what program you use, never install more than one antivirus program.

[KU specific: KU has a site-license with Sophos antivirus, which means that students, faculty, and staff can download and install their software for free. See http://www.ku.edu/acs/virus for more information.]

3. Run Windows Update service frequently.

This is equally as critical as running antivirus software. New vulnerabilities are discovered frequently in Windows operating systems, and it’s important to patch those vulnerabilities as quickly as possible by visiting the Windows Update web site. One way to do this is to launch Internet Explorer, click the “Tools” menu, and click “Windows Update.” Make sure to install all of the “Critical” updates, but scan through the “Recommended” updates as well.

If you use Windows XP, you can set your system to automatically download and install updates at a time you specify. Right-click on “My Computer” and then click “Properties.” In the new window, click the “Automatic Updates” tab. Click the radio button for the option to download and install the updates everyday at a specific time. Choose your time, and click OK. Hint: Make sure your computer is usually on at the time you specify.

If you use Microsoft Office, you should also check for security updates. [http://office.microsoft.com/home/default.aspx]

4. Use a browser other than Internet Explorer.

Most people equate “Internet Explorer” with the Internet, and this is a crying shame, because IE is a terrible web browser with a horrendous security record. Do you like pop-ups? No? Then don’t use IE. Some forms of spyware can automatically install when you visit malicious sites with IE. IE is also easily “hijacked” by malicious programs.

There is also a moral implication involved here. In a nutshell, there is a group called the World Wide Web Consortium [http://www.w3c.org] that sets standards for how web browsers should behave and render HTML (the “code” behind web sites). Microsoft has completely ignored w3c, deciding instead to set their own standards. This has lead to a schism in web design, in that some designers code exclusively for IE, and others code for standards-compliant browsers.

My favorite alternative browser is called Firefox [http://www.getfirefox.com]. It’s free, it supports tabbed-browsing, it blocks pop-ups, and it is standards-compliant. I strongly suggest that you try it. The only reason to use IE is for Windows Update, since Microsoft does not support browsers not based on the IE-core (big surprise).

5. Use a software firewall.

A software firewall serves two purposes: It prevents unauthorized access INTO your operating system, and prevents information from LEAVING your operating system without your permission.

Without getting into too much detail, most attacks from outside come through “ports.” If your computer is behind a hardware firewall (such as at a major university or business), most ports should automatically be blocked. A software firewall provides an added layer of protection against port attacks.

Some Windows software loves to “dial home” to Microsoft or another company and report information about your computer and surfing habits. Sometimes this is justified, but sometimes it’s downright unnecessary and should be considered a violation of privacy. A correctly-configured software firewall will allow you to determine what information is sent from your computer into the unknown. Remember, your computer is not a television. Information travels both ways.

My personal favorite software firewall is called ZoneAlarm [http://www.zonelabs.com]. You can download a free version, or you can try a demo for a paid version. If you think you may be behind a hardware firewall, or are part of a larger network of computers (such as at a major university), contact your system administrator about the necessity of a software firewall. The sys admin may also have recommendations for the configuration of a software firewall.

[For advanced users: If you are feeling savvy, disable unnecessary Windows services. For a terrific guide on what services are running, their descriptions, and whether or not to disable them, visit Black Viper's site [http://majorgeeks.com/page.php?id=12]. Read it, decide what to disable, and lock down your system.]

6. Scan for Adware/Spyware.

If you use Windows, you need to know about Adware and Spyware. Adware is usually pretty harmless, but sometimes annoying. It usually comes bundled as third-party applications with freely downloadable programs, such as KaZaa. The purpose of Adware is to display advertisements, often in the form of annoying pop-up windows. When you installed that free screensaver program, did you actually read the license agreement? No? Congratulations! You’re now infested with Adware.

Spyware is much more serious. This includes programs that read “cookies” (text files with information about your surfing habits), key loggers (programs that record every key you press – Logged into a bank account recently?), and other malicious programs that I generically refer to as “internet flotsam.” Again, did you actually READ the license agreement when you installed that fancy cursors program? Collectively, too much adware and spyware can slow even a fast computer down to a crawl.

To exterminate Adware/Spyware, download Ad-aware [http://www.lavasoft.de] and/or Spybot [http://www.safer-networking.org]. Update them, and run them at least once a week. You’ll be surprised at what they catch. Be careful about what you delete with these programs. Some ‘free’ programs (mainly file-sharing programs) will not function properly after their adware is removed. Still, I recommend that you delete everything they catch and then uninstall the offending programs. Be smart about what you install in the first place, and you won’t have too many problems of this nature.

7. Run as a “limited” user.

The default user in Windows XP is called the “administrator.” Newly-created user accounts have administrative privileges by default. This means that you can install software, delete the Windows folder, format your hard drive, and do just about anything else that you want. If you get infected by a virus, it can also do whatever it wants without asking your permission. This is a major reason why almost all viruses target Windows.

An often-neglected, but excellent security measure is to do your daily tasks as a limited user rather than an administrator. Limited users are prohibited against installing new software, they cannot access protected system files, and generally are protected against doing something stupid or allowing someone/something else to do it for them. This means that a malicious program will do drastically less damage under a “limited” user account.

To do this, simply go to the Control Panel (Start — Settings) and select “User Accounts”. Click on “Create a new Account”, give it a name, select “Limited User”, and assign a password. You may need to copy your documents into the “Shared Documents” folder or into the “My Documents” folder of your new profile (generally found in “C:\Documents and settings\your_username\My Documents” Then log off and log on to your new limited account and give it a whirl.

If you need to install new software or make major changes to your system, simply log out and log back into your original account. Note: Some older software may not work well under a limited account. Your best bet is to set up a limited account and try it.

Hint: If your computer has already passed through the hands of a capable systems administrator, this should not be a concern for you.

8. Know what’s on your system.

If you have followed my advice so far, you are already more secure than 95 percent of Windows users. However, there are still more things that you can do.

By default, Windows hides file extensions for known file types. While this may seem convenient, it can present a security concern. Malicious programs frequently take advantage of these hidden extensions by fooling the user into thinking it’s a different type of file. For example, you open a text file on your desktop called “patch.txt.” The next thing you know, a window opens that reads, “yuo just been pwned by l33t hax0r!” Then your hard drive is erased. Whoops! What you did not know was that the “patch.txt” file was actually an executable called “patch.txt.exe,” but Windows hid the last part from you because it was a “known file type.”

To disable this “feature,” open any folder, such as My Documents. Click the “Tools” menu, click “Folder Options,” and then click the “View” tab. Look down the list until you see a checkmark labeled “Hide Extensions for Known File Types”. Remove the check from that box. Windows will now display ALL file extensions, placing you in the driver’s seat.

9. Probe your ports.

Now it is time to test your fully patched system. Even if you think you are fully protected, new vulnerabilities are found almost daily. It pays to have constant vigilance.

Remember the “port attacks” mentioned under item five? Let’s see how secure your operating system is. Open a web browser and surf to http://www.grc.com. This is a site maintained by a security guru named Steve Gibson. Click on “Shields Up!” Scroll down to “Hot Spots,” and click on “Shields Up!” again. Click on “Proceed” and then select “All Service Ports.” Wait a few minutes while you watch the ensuing test. Green results are best, blue is ok, and red means trouble, unless you know what you are doing (such as running a web server). Ideally, you should have all green results.

You can test your antivirus software by downloading the EICAR test virus [http://www.trendmicro.com/en/security/test/overview.htm]. Note: This is not a virus, but merely a test file that your antivirus software should recognize as a virus. Try to download the file to your hard drive. If your antivirus software does not catch it, check the settings to make sure it is actively scanning files. If your software still does not catch it, try different antivirus software ASAP!

10. Alternatives.

I have already mentioned an alternative to Internet Explorer, but there are also alternatives to other widely-used Windows programs. For example, I strongly recommend using a different mail client over Outlook due to security reasons mentioned under item one. Thunderbird [http://mozilla.org/products/thunderbird] and Eudora [http://www.eudora.com] are excellent (and free) alternatives.

Would you like a free alternative to Microsoft Office? Try OpenOffice [http://www.openoffice.org].
How about a free instant messaging client with no advertisements that is compatible with AIM (Oscar and TOC protocols), ICQ, MSN Messenger, Yahoo, IRC, Jabber, Gadu-Gadu, and the Zephyr networks? Try Pidgin [http://pidgin.im/pidgin/home/].

If you have made it through this entire guide, and feel utterly disgusted and overwhelmed about Windows security, you should at least know that there are also alternatives to the entire Microsoft Windows operating system. Mac OS X [http://www.apple.com/macosx] and Linux [http://www.ubuntu.com] are two alternatives. Neither are without flaws, but both have a more strongly implemented security policy than Windows.

11. Make backups.

No matter what operating system you use, it is critical to back up your data. There is no excuse not to have backups. Your hard drive could die. Your computer could be cracked by an unscrupulous person. You could get a destructive virus. There could be a flash flood. Do I make myself clear?

There are several methods of creating backups. Is your computer capable of “burning” CDs? If so, purchase some CD-R or CD-RW discs and back up your critical data. Remember to keep those discs in a safe place. You could also consider purchasing an extra hard drive (internal or external) for data storage. Most newer computers are now capable of “burning” DVDs. If you are lucky enough to have one, this is an excellent method of backing up data, as DVDs have considerably more storage space than CDs.

Are you on a network? If so, you might be able to store critical data on a server. Speak to your network administrator for more details.

[KU specific: You may be able to back up data to a network file server. Open "My Network Places" and view your workgroup computers. Look for a computer with your department name. For instance, if you're located in Murphy Hall, connect to the MUSIC_DANCE server. Enter your username and password. If successful, you can then save files to the server. Contact your local administrator if you need assistance.]

If you made it through this guide, you are well on your way to a more secure system. Remember that no computer is invulnerable, and it is important to always be aware of new security vulnerabilities. After all, the safest computer is one that is disconnected from the internet (or at the bottom of a landfill).

—- Brian Bondari —-
© 2004

3 thoughts on “Windows Security Guide

  1. very interesting and helpful, thanks

    re: alternatives: Mac OS X

    But you would need to buy a Mac to run Mac OS X, wouldn’t you? I don’t see anything on their site about running it on a PC

  2. That’s correct, though rumor has it that it IS possible to run OS X on certain, newer computers (processors with at least SSE2 instruction sets).

    Of course, the legality of such a prospect is dubious at best, and the desired result can be accomplished with much less hassle by simply buying a Mac. I love my Macbook.

    I have no instructions on how to install OS X on a PC, but a little birdie told me that the OSX86 project might.

Comments are closed.