Securing Windows
Let’s just accept it: patches are a fact of life. Operating systems and applications are always going to need fixes and updates for things ranging from the merely annoying to the truly system-breaking. In the case of Windows and Microsoft applications, that’s going to be at least once a month (the scheduled releases land on the second Tuesday), plus the odd out-of-band fix when something serious turns up. We can always hope that things will be different with Vista, but I’m not holding my breath.
Your first task is going to be to fully patch Windows and any other Microsoft applications that you might have on your machine. Do it from behind a NAT router or with the Windows Firewall turned on (SP2 turns it on by default): an unpatched XP box plugged straight into the Internet can be hit by a network worm before Windows Update has finished downloading. If you are running Windows XP with Service Pack 2, use the “Microsoft Update” service (http://update.microsoft.com). It is one-stop patching for all installed Microsoft products, including driver updates, and once you have opted in, Automatic Updates pulls from it as well, so later Office patches arrive the same way Windows patches do. If you don’t have SP2 or are running an earlier version of Windows, you’re pretty much stuck with doing it the old-fashioned way: Windows Update (http://windowsupdate.microsoft.com) plus Office Update (http://office.microsoft.com), or downloading and installing patches by hand from Microsoft’s download center (www.microsoft.com/downloads/). Either way, keep going back and rebooting until the site reports nothing left to install; many patches only show up once their prerequisites are in. Even at this late date, and with SP2 installed, the last time I tried to update a fresh install of Windows XP, there were more than 50 critical patches and updates, and that’s not even looking at the patches to the patches.
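The “keep going back until nothing is left” loop can be done from a script instead of the web page. The following is an added example, not code from the original post: it drives the Windows Update Agent COM API (the same machinery the Windows Update and Microsoft Update pages use) to opt the machine into Microsoft Update, list what is missing and, if you flip the switch, install it. It assumes Windows PowerShell is installed on the XP SP2 box (it is a separate download, not part of XP), that you are logged on as an administrator, and that the machine can reach update.microsoft.com. The script name and the ClientApplicationID string are placeholders.

```powershell
# Added example (not from the original post): check, and optionally apply,
# missing patches through the Windows Update Agent COM API.
# Assumptions: Windows PowerShell installed on XP SP2, run as administrator,
# update.microsoft.com reachable. Set $install to $true to download+install.
$install = $false

# Opt the agent into Microsoft Update (Windows + Office + other Microsoft
# products). The GUID is Microsoft's published Microsoft Update service ID;
# 7 = register with Automatic Updates + allow pending + allow online
# registration. Once registered, Automatic Updates uses it as well.
$msUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'
$serviceManager = New-Object -ComObject 'Microsoft.Update.ServiceManager'
$serviceManager.ClientApplicationID = 'post-install patch check'   # placeholder
$null = $serviceManager.AddService2($msUpdateServiceId, 7, '')

# Ask for every software update that applies to this machine and is not
# yet installed (hidden ones are the user's own decision, so skip them).
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
$missing  = $result.Updates

if ($missing.Count -eq 0) {
    Write-Host 'Nothing missing. Re-run after the next reboot to be sure.'
    return
}

Write-Host ("{0} update(s) missing:" -f $missing.Count)
foreach ($u in $missing) {
    # MsrcSeverity is only set on security bulletins (Critical, Important, ...).
    $severity = $u.MsrcSeverity
    if (-not $severity) { $severity = 'non-security' }
    $kbs = [string]::Join(',', @($u.KBArticleIDs | ForEach-Object { "KB$_" }))
    Write-Host ("  [{0,-12}] {1,-12} {2}" -f $severity, $kbs, $u.Title)
}

if (-not $install) { return }

# Download and install. Updates that need to ask questions on screen are
# skipped here; pick those up from the web site.
$batch = New-Object -ComObject 'Microsoft.Update.UpdateColl'
foreach ($u in $missing) {
    if ($u.InstallationBehavior.CanRequestUserInput) { continue }
    if (-not $u.EulaAccepted) { $u.AcceptEula() }
    $null = $batch.Add($u)
}
$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $batch
$null = $downloader.Download()

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $batch
$outcome = $installer.Install()
# ResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed.
Write-Host ("Install result {0}; reboot required: {1}" -f $outcome.ResultCode, $outcome.RebootRequired)
# Reboot if asked, then run this again: the "patches to the patches" only
# become visible once their prerequisites are installed.
```

Run it once with `$install = $false` to see the list, then with `$true`, reboot, and repeat until the first branch prints. The search string is the Windows Update Agent’s own query syntax, so `IsInstalled=0` is what the web page asks for too; the difference is that you can see the full list, severities and KB numbers in one place instead of clicking through.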
Here’s a radical idea. No one will ever go for it, but I’ll throw it out for what it’s worth. Why can’t computer manufacturers make patching a requirement before letting a new system use the Internet? It’s not hard to block off access to any other Internet resource except an update server when a system boots up for the first time. Once the system is fully patched, the user can do whatever they want with it, but at least it will be secure “out of the box”.
Anyway, once your system is patched, you need to limit the privileges of anyone using it. For Windows XP, there are basically two types of users: administrators and limited users (the User Accounts applet calls the second kind “Limited”). An account in the Administrators group can do almost anything to the system, including installing drivers and services and writing to every file and registry key, while a limited user is confined to its own profile and can’t change anything system-wide. In Windows XP there will always be at least two administrator accounts: the built-in Administrator account itself, which stays around even after it disappears from the Welcome screen, and every account created during the initial setup process, since setup puts all of them in the Administrators group.
My advice is to create only one account (yours) during the initial setup and hold off on creating any other accounts until after the system is fully set up and patched. Then keep that one setup account as the administrator and make all other accounts limited users, including a second account for you that only has limited user privileges. You can always switch to the administrator account for system maintenance, patching, installing applications and the like; with Fast User Switching on you don’t even have to log out, and for a single program you can right-click it and pick “Run as...” to run just that program under the administrator account. Most things you’re going to be doing after the initial setup won’t require administrator privileges anyway.
On the bright side, Vista will take care of a lot of this for you with User Account Control. All accounts, including administrator accounts, will run with standard-user privileges until the user initiates some action that requires more. At that time Vista prompts: an administrator confirms the action, a standard user has to furnish an administrator’s credentials, and either one can cancel.
The whole idea behind this is that most malware has to run with the privileges of the currently logged-on user. If that user can’t do much of anything, the malware might take up knitting, but won’t be able to do much more than that.
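The two-account arrangement described above, and the reason for it, as an added example rather than anything from the original post. The script assumes Windows PowerShell is installed on the XP machine and is first run from the administrator account created during setup; the account name `alice-daily` and the `BOX\admin` in the final comment are placeholders. It checks which kind of account you are in, creates the limited day-to-day account, and then probes the three places malware most often writes to persist, so you can see for yourself what a limited user is and isn’t allowed to touch.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell
# on XP, run first from the setup (administrator) account, then again
# after logging on as the limited account to compare the results.

# 1. Which kind of account is this? Vista's UAC decides this per action;
#    on XP you have to know which account you're logged on as.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host ("Running as {0}; administrator: {1}" -f $identity.Name, $isAdmin)

# 2. Create the day-to-day limited account (placeholder name). 'net user'
#    prompts for the password when given '*'. New local accounts land in
#    the Users group only, which is exactly what "Limited" means, so no
#    'net localgroup' call is needed.
if ($isAdmin -and -not (net user alice-daily 2>$null)) {
    net user alice-daily * /add
}

# 3. Probe the places malware uses to survive a reboot. Each probe returns
#    $true when the write succeeds, and removes what it wrote.
function Test-PrivilegedWrite {
    param([string]$Path)
    $probe = Join-Path $Path ('privprobe-' + [Guid]::NewGuid().ToString('N') + '.tmp')
    $null = New-Item -Path $probe -ItemType File -ErrorAction SilentlyContinue
    $ok = Test-Path $probe
    if ($ok) { Remove-Item $probe }
    return $ok
}
function Test-PrivilegedRegistryWrite {
    param([string]$Key)
    $name = 'privprobe-' + [Guid]::NewGuid().ToString('N')
    $null = New-ItemProperty -Path $Key -Name $name -Value 'x' -ErrorAction SilentlyContinue
    $ok = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue) -ne $null
    if ($ok) { Remove-ItemProperty -Path $Key -Name $name }
    return $ok
}

$checks = @(
    @{ What = 'System32 (drop a DLL or EXE)'
       Result = Test-PrivilegedWrite "$env:SystemRoot\System32" },
    @{ What = 'HKLM Run key (autostart for every user)'
       Result = Test-PrivilegedRegistryWrite 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ What = 'HKCU Run key (autostart for this user only)'
       Result = Test-PrivilegedRegistryWrite 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' }
)
foreach ($c in $checks) {
    $verdict = if ($c.Result) { 'WRITABLE' } else { 'denied' }
    Write-Host ("  {0,-45} {1}" -f $c.What, $verdict)
}
# From the administrator account all three report WRITABLE. Logged on as
# alice-daily, only the HKCU key is writable: malware that gets in there
# can re-launch itself for that one user, but cannot touch the system.

# 4. Admin work from the limited account without logging out: 'runas' is
#    the command-line form of XP's "Run as...". Placeholders: BOX = this
#    computer's name, admin = the setup account.
# runas /user:BOX\admin "control appwiz.cpl"
```

The HKCU result is the honest caveat to the knitting joke: a limited account stops malware from owning the machine, not from owning that user’s profile, which is why the data-folder backups later in this post still matter.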
Now that you’ve set up and patched your system, it’s time to uninstall any unwanted/unneeded applications. Most new computers come with a slew of trialware or bundled applications. Some are useful, most are not, and every one of them is more code on the machine that has to be kept patched. So go through the Add/Remove Programs applet in the Control Panel and get rid of anything that you don’t need. Not only will this recover some hard disk space, but it will cut down on potential adware and on the number of programs an attacker has to pick from. Don’t forget to reboot your system afterward.
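Add/Remove Programs is just a view of the registry’s Uninstall key, so the same review can be done as a list you can read in one screen and act on in bulk. This is an added example, not from the original post; it assumes Windows PowerShell is installed on the XP machine and is run from the administrator account. The program name passed to `Uninstall-Program` at the end is a placeholder.

```powershell
# Added example (not from the original post): inventory what Add/Remove
# Programs shows, from the registry key it reads, then uninstall by name.
# Assumes Windows PowerShell on XP, run as administrator.
$uninstallKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall'

$entries = Get-ChildItem $uninstallKey |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object {
        # Skip hotfix/update entries and anything flagged as a system
        # component; those are not the bundled apps we're after.
        $_.DisplayName -and
        -not $_.SystemComponent -and
        $_.DisplayName -notmatch '^(Security Update|Update|Hotfix) for '
    } |
    Sort-Object Publisher, DisplayName

Write-Host ("{0,-28} {1,-45} {2}" -f 'Publisher', 'Program', 'Installed')
foreach ($e in $entries) {
    Write-Host ("{0,-28} {1,-45} {2}" -f $e.Publisher, $e.DisplayName, $e.InstallDate)
}

function Uninstall-Program {
    param([string]$DisplayName)
    $e = @($entries | Where-Object { $_.DisplayName -eq $DisplayName })[0]
    if (-not $e) { Write-Host "Not installed: $DisplayName"; return }
    if ($e.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
        # Windows Installer product: the key name is the product code, so
        # msiexec can remove it unattended.
        $cmd = 'msiexec /x ' + $e.PSChildName + ' /qn /norestart'
    } else {
        # Legacy installer: run the command it registered (may show a UI).
        $cmd = $e.UninstallString
    }
    Write-Host "Running: $cmd"
    [Diagnostics.Process]::Start('cmd.exe', '/c ' + $cmd).WaitForExit()
}

# Placeholder name; pick one from the list printed above.
Uninstall-Program 'Trial Thing'
```

Keep the printed list: it is a record of what was on the machine on day one, which is handy when something you didn’t install shows up in the same list later.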
Next is installing applications. The FIRST applications you install on your system should be a security suite of some kind. I’m partial to Symantec’s products, but that’s just personal preference. Whether you go with Norton, Zone Alarm, McAfee or some other suite, make sure that you have a firewall, an antivirus program, and an antispyware program. The Windows Firewall that SP2 turns on only filters incoming connections; it keeps the worms out but says nothing when a program already on your machine phones home, and that outbound check is what the suites’ firewalls add.
I haven’t tried Microsoft’s OneCare suite, but considering their track record with other products, I’m leery of it from a practical standpoint. I’m also leery of it on principle. Think about it: Microsoft is going to charge you to protect you from problems with its other products. It just sounds fishy.
After installing your security suite, update its definitions and run a complete system scan before installing anything else. This gives you a known-clean baseline, so anything the scanner flags later got there after this point. I don’t know whether Symantec has solved this problem or not, but the beta version of their 2007 Antivirus program identified the Opera web browser as malware, promptly removed it from my system and prevented its reinstallation.
Now you can install the rest of your applications.
Your last step is going to be running a complete backup of your system. There are a few ways to do this and each has its own little problems. I use a disk imaging utility (Norton Ghost) because it backs up EVERYTHING to external media. If my system ever goes south, I can always reimage the drive and be right back where I started following my initial setup. The downside of this is that Ghost isn’t free and that any data added since the last time I ghosted the drive is gone. The Windows backup utility (NTBackup) is a freebie (Start -> All Programs -> Accessories -> System Tools -> Backup); on XP Home it isn’t installed by default, but the installer is on the XP CD under VALUEADD\MSFT\NTBACKUP. Its downsides are that its .bkf files tend to be pretty big, it won’t write to any external media other than a hard disk or tape drive (so CDs and DVDs mean a second copy step), and applications don’t always come back in working order if you restore them from the backup rather than from an image. But if you don’t mind purchasing the disk imaging utility, you CAN have the best of both worlds by following a couple of simple steps:
- After you install a new application and verify that your system is running normally, clean up, defrag and Ghost your system. You should maintain at least the two most recent images (that’s a belt and suspenders kind of thing).
- Religiously run the Windows Backup utility on your data folders and copy the backup file off to external media of some sort (CD, DVD, external drive, etc.), then disconnect it. A backup that stays plugged in is exposed to the same malware or disk failure that takes out the system.
If your system goes south, reimage the drive and restore the most recent backup of your data folders and you should be off and running. Try that once while everything still works (at the very least, restore a data backup into a scratch folder and open a few files), so the first time you find out a backup is bad isn’t the day you need it.
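The data-folder half of that routine, scripted so it can run from Scheduled Tasks, as an added example that is not part of the original post. It assumes Windows PowerShell is installed on the XP machine, that the external drive mounts as `E:` (placeholder), that the folder list is adjusted to your own, and that it runs under the administrator account (NTBackup needs Administrators or Backup Operators membership). The disk-image step is still done by hand with Ghost as described above; this only covers the `.bkf` side, with the two-most-recent rule applied to the backup files.

```powershell
# Added example (not from the original post): full backup of the data
# folders with NTBackup, verified, checksummed, with only the two newest
# sets kept. Assumes Windows PowerShell on XP, run as administrator;
# E:\Backups and the folder list are placeholders to adjust.
$external    = 'E:\Backups'
$keepSets    = 2                          # belt and suspenders
$stamp       = Get-Date -Format 'yyyyMMdd-HHmm'
$bkf         = Join-Path $external ("data-{0}.bkf" -f $stamp)
$userProfile = $env:USERPROFILE
$folders     = @("$userProfile\My Documents", "$userProfile\Favorites", "$userProfile\Desktop")

# Refuse to start if the external drive is not there; NTBackup would
# otherwise fail late, after walking every folder.
if (-not (Test-Path $external)) { throw "External media not mounted at $external" }

# NTBackup takes its source list from a .bks selection file: one folder
# per line, saved as Unicode (UTF-16), which Out-File -Encoding Unicode does.
$bks = Join-Path $env:TEMP 'data.bks'
$folders | ForEach-Object { $_.TrimEnd('\') + '\' } | Out-File -FilePath $bks -Encoding Unicode

# /m normal = full backup, /v:yes = verify after writing, /l:f = full log
# (readable later from NTBackup's Tools > Report menu). NTBackup is a GUI
# program, so wait on the process explicitly instead of relying on the shell.
$args = 'backup "@{0}" /j "Data folders" /f "{1}" /m normal /v:yes /l:f' -f $bks, $bkf
$proc = [Diagnostics.Process]::Start('ntbackup.exe', $args)
$proc.WaitForExit()
if (-not (Test-Path $bkf)) { throw "NTBackup did not produce $bkf; check its report" }

# Record a SHA-1 of the file next to it, so on restore day you can tell a
# damaged copy (bad DVD, flaky USB cable) from a good one before trusting it.
$sha1   = [Security.Cryptography.SHA1]::Create()
$stream = [IO.File]::OpenRead($bkf)
$digest = [BitConverter]::ToString($sha1.ComputeHash($stream)).Replace('-', '')
$stream.Close()
Set-Content -Path ($bkf + '.sha1') -Value $digest
Write-Host ("Wrote {0} ({1:N0} MB) sha1 {2}" -f $bkf, ((Get-Item $bkf).Length / 1MB), $digest)

# Keep the two most recent sets, drop the rest (and their checksum files).
$sets = @(Get-ChildItem $external -Filter 'data-*.bkf' | Sort-Object LastWriteTime -Descending)
if ($sets.Count -gt $keepSets) {
    $sets[$keepSets..($sets.Count - 1)] | ForEach-Object {
        Remove-Item $_.FullName
        Remove-Item ($_.FullName + '.sha1') -ErrorAction SilentlyContinue
    }
}
```

Schedule it with XP’s `schtasks` (or the Scheduled Tasks folder) under the administrator account, and on the day you need it, recompute the SHA-1 of the copy you are about to restore and compare it with the `.sha1` file before opening it in NTBackup’s Restore and Manage Media tab.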