A long time ago I wrote a security guide for Windows XP to help the average home user clean up their PC and keep it clean. I’ve recently updated it for modern software and operating systems. I hope this is helpful for those of you who need it. I haven’t had the time to fully proofread it, so bear with me if there are some typos. You can download the PDF version of this guide here: Securing Windows
This little article is designed to help you protect yourself and your Windows-based computer from the dark side of the internet (i.e. hackers, hijackers, viruses, spyware, phishing, etc.). I’ll be covering software you should be using, tweaks you can make to that software, and safe browsing practices. I am by no means an expert on the subject. However, I’ve had to deal with most of these issues in depth at various points in the past few years. I maintain several computer systems, both for myself and for the business I work for. So even though I’m not a trained professional, I have the benefit of more experience with it than I’d really like to have. This article is currently being updated as of 09/14/2010 to reflect some recent changes in the software I use.
Today’s world is full of people who would rather hijack your life and siphon off everything you own and have ever worked for instead of getting a job and earning their keep. You also have plenty of people who just want to try their hand at destroying a few unsuspecting people’s peace of mind for kicks. Let’s also not forget about the increasing dangers of identity theft, all the unsolicited junk mail piling up in your inbox, all the porn popping up on screen when your children are browsing some innocuous website, etc. The list goes on and on.
We’re going to try to cut back on some of that by cleaning up your computer, installing some software to help avoid such problems in the future, tweaking a few things you may already have, and trying to educate you on safe browsing practices. It can be a lot of work to set up and a lot of effort to learn what you are doing. It’s even more difficult to discipline yourself to actually do these things. Believe me, I should know. Even now, after dealing with these issues for several years, I still slip up from time to time out of pure laziness. But in a world that is becoming increasingly networked, where you shop online, and bank online, you can’t afford not to put the effort into protecting yourself.
So let’s get started and hopefully after all is said and done you’ll be in a safer and more secure internet environment than you were to start with.
First of all, we want to start by cleaning up your PC as much as we can before taking steps to ensure it doesn’t become further contaminated. So let’s take this step by step.
1) Make sure Automatic Updates are turned on. To do this in Windows XP, click the Start button and select the Control Panel. Double-click the Automatic Updates icon. In Vista/Win7 you can click Start and type Automatic Updates in the search box to find it. Make sure Automatic is selected from the list and set a convenient time of day to install updates. Apply your settings. This should, and I say should because Windows doesn’t always manage Automatic Updates well, allow your computer to download and install the latest critical security updates from Microsoft automatically in the background as you surf the Web.
Just to be certain, we are going to manually run Windows Update to make sure your system is currently up to date.
To do this in Windows XP, open Internet Explorer. Click on the Safety menu and select Windows Update. The website will scan your computer and notify you if you need to update the installation software to use the site. Just follow the onscreen instructions. When you finally get to a screen with two buttons labeled Express and Custom, select the Custom button. After a few moments of scanning you should be at a screen where you can select which updates to apply to your computer. High Priority updates should all be selected automatically. If they aren’t, make sure to select them yourself. You also have several categories on the left for optional software downloads as well as hardware driver updates. You can choose any optional software you may want at this time as well, but I’d stick to just the High Priority items at this point. Generally I recommend you avoid the hardware updates. I use them as a warning that something may be out of date on my system but never install hardware updates from Windows Update. It tends to cause no end of problems. Find such updates at the hardware manufacturer’s website instead if needed. Once you’ve made your selections click on the Review and install updates link. Click the Install Updates button. Now just sit back and let Windows Update do its thing, answering any prompts it may throw at you as it completes. Reboot your computer if prompted to do so.
In Vista/Win7 you can click the Start Button and type Windows Update to find your updates. You can’t do this via a website in Vista/Win7. Updates come through a built-in interface. Once in this dialog you should click the link on the left to have it check for new updates to make sure it’s found everything currently available. Again, all critical updates should be automatically selected. You can use the available links to see any optional updates for your system. Hardware updates work better in Vista/Win7 but for the most part you are better off going to the manufacturer’s site to find them.
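If you would rather check the two things above from a script than click through the dialogs, here is an added example (my own code, not part of the original guide) that reads the Automatic Updates setting and lists the updates still missing through the Windows Update Agent COM objects that ship with XP SP2, Vista and Win7. It deliberately searches only for software updates so driver updates are left out, matching the advice above. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the original guide: audit the Automatic Updates
# setting and list updates that are still missing, using the Windows Update
# Agent COM API that ships with XP SP2/Vista/Win7. Run from an elevated prompt.

# Values of the AutomaticUpdatesNotificationLevel enumeration:
# 0 = not configured, 1 = disabled, 2 = notify before download,
# 3 = notify before install, 4 = scheduled install ("Automatic" in Control Panel)
$levelNames = @{
    0 = 'Not configured'; 1 = 'Disabled'; 2 = 'Notify before download'
    3 = 'Notify before install'; 4 = 'Scheduled install (Automatic)'
}

function Get-AutoUpdateStatus {
    $au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    $level = [int]$au.Settings.NotificationLevel
    New-Object PSObject -Property @{
        Level       = $levelNames[$level]
        Automatic   = ($level -eq 4)
        LastSearch  = $au.Results.LastSearchSuccessDate
        LastInstall = $au.Results.LastInstallationSuccessDate
    }
}

function Get-PendingUpdates {
    # Type='Software' excludes driver updates on purpose: get drivers from the
    # hardware maker's site, not from Windows Update.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    $pending  = @()
    foreach ($u in $result.Updates) {
        $severity = $u.MsrcSeverity          # Critical/Important/Moderate/Low on security bulletins
        if (-not $severity) { $severity = 'n/a' }
        $kbs = @()
        foreach ($k in $u.KBArticleIDs) { $kbs += "KB$k" }
        $pending += New-Object PSObject -Property @{
            HighPriority = [bool]$u.AutoSelectOnWebSites   # what the site pre-ticks as High Priority
            Severity     = $severity
            KB           = ($kbs -join ',')
            Title        = $u.Title
        }
    }
    return $pending
}

$status = Get-AutoUpdateStatus
"Automatic Updates: {0} (last successful check {1}, last install {2})" -f $status.Level, $status.LastSearch, $status.LastInstall
if (-not $status.Automatic) {
    Write-Warning 'Automatic Updates is not set to install automatically; fix it in Control Panel as described above.'
}

$pending = @(Get-PendingUpdates)
$high    = @($pending | Where-Object { $_.HighPriority })
"{0} update(s) missing, {1} of them high priority" -f $pending.Count, $high.Count
$pending | Sort-Object HighPriority -Descending | Format-Table HighPriority, Severity, KB, Title -AutoSize
```

A machine that reports Scheduled install but whose last successful check is weeks old is the case the "I say should" remark above is about: the setting is right but the service isn’t doing its job, and the missing-update list tells you how far behind it really is.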
2) Now let’s make sure Windows Firewall is enabled (only if you aren’t running a different firewall application). A decade ago running a firewall on a personal PC was considered overkill and a waste of time. Now, it’s essential. Windows XP/Vista/Win7 all have a built-in firewall that blocks inbound connections, i.e. those originating on the internet and connecting to your PC. They aren’t as good when it comes to outbound protection, though the Vista/Win7 firewall is a huge improvement over the one in XP. This isn’t the best setup but it’s good enough for most people. Ideally you want control over outbound traffic as well, but we’ll get to that a bit later.
To enable Windows XP’s built-in firewall, open Control Panel once again and double-click Windows Firewall. Make sure ON is selected and click OK. Note: If you currently run another software firewall or a security suite that includes a firewall, you should leave Windows Firewall disabled. You should NOT run more than one firewall at once. If you aren’t sure whether you have another firewall enabled, return to Control Panel and double-click the Security Center icon. If this icon does not appear, go back to step 1 and ensure you have installed Service Pack 2 for Windows XP. Click the dropdown arrow next to the Firewall setting and it should tell you what firewall you are currently running.
In Vista/Win7 click the Start button and type Windows Firewall in the search box. You’ll see a link on the left to turn the firewall on or off.
3) Next we are going to download and install Spyware Blaster. You can download it from the creator’s page here: http://javacoolsoftware.com/
Run the installer and follow the onscreen instructions. When you get to the main screen, choose Enable All Protection. This program works by adjusting certain browser settings to block malicious content before it is ever executed. From now on pretty much all you need to do here is click the Updates button and then the Check for Updates button. It’ll download any updates available.
You should update this program weekly.
4) Now we are going to install CCleaner. Download it from here: http://www.filehippo.com/download_ccleaner/ and run the installer. On the Install Options page you can unselect options 3, 4, and 6 as they serve virtually no purpose. The others are up to personal preference.
Now let’s run CCleaner. On the main screen, make sure the Cleaner tab is selected. Under the Cleaner Settings, you’ll have Windows and Applications tabs. You can customize the areas you want to clean here. The defaults are fine for most people. Click the Analyze button. This may take a minute but CCleaner will now find all the left over junk on your system you might not even know you have. The first time you’ll likely have a surprisingly large amount of crap, most of which has been building up in your system’s Temp folder. Once CCleaner is done analyzing, click the Run Cleaner button to delete all that it has found. Now click on the Registry tab on the left. Uncheck Unused File Extensions and leave everything else checked. Click the Scan for Issues button. This will find a lot of leftover junk in your registry that needs to be cleaned out and optimized. When the scan is done click Fix Selected Issues. You’ll be prompted to create a backup of your registry. Do so. You can use this backup to restore settings if anything should happen to go wrong. Click Fix All Selected Issues on the next screen and confirm the action. Now repeat the scan and fix process until you get a clean scan with no issues reported. This usually takes two or three scans. Now click the Tools tab on the left. There isn’t much to cover here. There is an uninstaller that lets you uninstall programs just like the Add/Remove dialog in Control Panel. There is also a Startup panel that lets you see what programs run when your system boots up and also lets you delete those entries, preventing the programs from running. It’s best to leave these alone if you don’t have a specific reason to adjust them.
You should run this program weekly and use the Cleaner and Registry functions.
5) At this point the junk built up on your system should be pretty well cleaned up, but we are going to run a couple more programs to ensure that all the really nasty stuff, like malware and spyware, gets cleaned out. There is a program called SuperAntiSpyware that does a very good job at this. Find it here: http://www.superantispyware.com/ I suggest you download the free version. The paid version is quite good as well if you need it. It provides real time protection against spyware infections by putting up active shields that block the bad programs before they can execute.
Run the setup program and accept all the default options. When the program opens, click Check for Updates to make sure you have the latest definitions. Now click the Scan for Harmful Software button. Choose the drives you want to scan. Select the Complete Scan option and click Next. This operation will probably take a good bit of time to complete. If anything is found, follow the onscreen instructions to remove it. Basically you’ll just make sure that whatever is found is selected for removal and then hit the Next button to proceed.
After your initial scan I’d recommend running this program at least once a month. Check for Updates and run a Quick Scan. There is also a portable version of this program now that can be downloaded when needed and run without having to install it. You may wish to use this option and have just Malwarebytes, another program that we’ll go over next, installed full time.
6) Next we’ll install and run Malwarebytes, another free spyware/malware remover. Get it at http://www.malwarebytes.org
Download the program and install it. Once this is done it will prompt you to check for program and definition updates. Do so. Afterwards you should be at the main screen. Click on the Update tab and Check For Updates. After this click the Scanner tab and do a Full system scan. This works very much like SuperAntiSpyware did. Just follow the onscreen instructions to remove anything it finds.
I recommend you run this program at least once a month as well. Update it and run a Quick Scan. You can do this weekly if you like since MBAM runs a Quick Scan in less than 20 minutes most of the time. MBAM also has a paid version that provides active shields against infection if you think you need it.
7) PC Decrapifier
This is a program of special interest. You can find it at http://www.pcdecrapifier.com . This program is specifically designed for new prebuilt computers but you can use it on existing machines as well. PC Decrapifier was designed for use mainly on Dell and HP systems but works just as well on any computer that has the software it scans for. PC Decrapifier is a simple utility that scans your computer for the “junk” software that most manufacturers install on a new system as part of the advertising package that allows you to buy such computers so cheaply. AOL, McAfee, and Norton are just a few examples. Once the scan is complete the program will give you the option to uninstall the software you don’t want using a series of built-in uninstallers proven to be more effective than many of the uninstallers that come with the software you are removing. This is a fast way to clean up the junk on a new rig. It’s also a good way to get rid of annoying software like the Norton and McAfee Security Suites that have to be uninstalled in a specific order to avoid problems during removal. After using this program I’d recommend you reboot your computer and run CCleaner to get rid of any left over temp files and registry entries.
Now that we’ve (hopefully) gotten your system cleaned up, we’ll move on to securing it from future intrusions by malicious software. There are several core components to any good security system. We’ll take them one step at a time. Keep in mind that some of these programs may be available in packages along with some of the other programs. This depends on the type of software and whether the companies in question offer a Security Suite.
1) Anti-virus software is the first component we are going to discuss. The first thing you want to do is make certain whether you are or aren’t currently running anti-virus software. Most prebuilt computer companies include at least a trial of some popular products. Norton/Symantec, McAfee, and Trend Micro may be familiar names to you.
Once you ascertain whether or not you have AV software currently installed, you need to make sure it is up to date. If your subscriptions are expired then your AV isn’t protecting you as well as it should be. If you have AV software currently installed and up to date, and you are happy with its performance then skip on to the next step in this guide. If not, we’ll discuss a few alternatives below.
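Step 2 above sends you to Security Center to find out which firewall you are running, and this step asks the same question about anti-virus. The following added example (my own code, not part of the guide) answers both from one script: it lists the firewall and anti-virus products registered with Security Center on XP SP2 (root\SecurityCenter) and Vista/Win7 (root\SecurityCenter2), warns if more than one of either kind is active, and then asks the built-in firewall for its own state, since that one usually is not in the Security Center list. The decoding of the Vista/Win7 productState value is an assumption based on the commonly documented layout, so verify it against what Security Center itself shows you.

```powershell
# Added example, not part of the original guide: list the firewall and anti-virus
# products registered with Windows Security Center and show the state of the
# built-in firewall, so you can confirm exactly one of each is active before
# installing or removing anything. XP SP2 registers products in root\SecurityCenter,
# Vista/Win7 in root\SecurityCenter2.

function Get-SecurityProducts {
    $products = @()
    foreach ($class in 'FirewallProduct', 'AntiVirusProduct') {
        $items = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class -ErrorAction SilentlyContinue
        if (-not $items) {
            $items = Get-WmiObject -Namespace 'root\SecurityCenter' -Class $class -ErrorAction SilentlyContinue
        }
        foreach ($p in @($items)) {
            if (-not $p) { continue }
            if ($p.PSObject.Properties['productState']) {
                # Vista/Win7 pack the state into productState. Assumption (commonly
                # documented layout, verify on your own machine): the middle byte is
                # 0x10 when real-time protection is on and 0x00 when it is off.
                $on = (([int]$p.productState -band 0xFF00) -eq 0x1000)
            } elseif ($p.PSObject.Properties['onAccessScanningEnabled']) {
                $on = [bool]$p.onAccessScanningEnabled     # XP AntiVirusProduct
            } else {
                $on = [bool]$p.enabled                     # XP FirewallProduct
            }
            $products += New-Object PSObject -Property @{
                Kind = $class; Name = $p.displayName; Enabled = $on
            }
        }
    }
    return $products
}

$all = @(Get-SecurityProducts)
$all | Format-Table Kind, Name, Enabled -AutoSize

foreach ($kind in 'FirewallProduct', 'AntiVirusProduct') {
    $active = @($all | Where-Object { $_.Kind -eq $kind -and $_.Enabled })
    $names  = ($active | ForEach-Object { $_.Name }) -join ', '
    if ($active.Count -gt 1) {
        Write-Warning "$($active.Count) active $kind entries ($names): run only one and uninstall the rest."
    } elseif ($active.Count -eq 0) {
        Write-Warning "No active third-party $kind is registered with Security Center."
    }
}

# The built-in Windows Firewall is usually not listed above, so ask it directly.
# (On XP the equivalent command is: netsh firewall show state)
netsh advfirewall show allprofiles state
```

An expired trial suite typically still shows up here with Enabled set to False; that is the "installed but not protecting you" situation described above, and it should be uninstalled before the replacement goes on.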
Let’s assume you don’t have a good AV installed. You’ll need to obtain one. You have three major options in this case. First, you can purchase good AV software. Second, you can use one of the free ones available for download on the Web. Third, you can check with your internet provider to see if they offer a free security package. Many do nowadays.
First of all let’s consider this little question. Paid versus free, which is better? The answer is, paid software is better, provided that you purchase the correct software. Let’s face it. These companies can’t make any profit and stay in business if they make free software just as good as the paid versions. That being said, the free software is just fine for most people when combined with good security practices.
Let’s take a look at a few popular AV options.
NOD32 (paid)
NOD32 is one of the best paid AV products you can buy. It has extremely good detection rates, frequent updates, is low on memory usage, can be configured for very tight security, and offers protection from viruses, malware, spyware, and even rootkits. There is a standalone anti-virus and a security suite available which includes a firewall. If I were to recommend paid AV software this would be the one. For more information on it please see the official website at http://www.eset.com and http://www.wilderssecurity.com , the official support forum. The only drawback I can think of to NOD32 is that their customer support is a bit lackluster. They have very smart people designing their products, but not the most sociable and helpful customer service.
Kaspersky (paid)
This is the next paid software I’d recommend. It is very popular and has most of the benefits that NOD32 boasts as well. It is also currently available in a security suite. Several companies offer Kaspersky as a relabeled part of their own security software. Kaspersky’s main drawback is higher memory usage than NOD32. Learn more about Kaspersky at http://www.kaspersky.com
MSE – Microsoft Security Essentials (free)
MSE is an effort from Microsoft to provide a free anti-spyware and anti-virus solution. Originally it wasn’t the greatest piece of code but it has since improved to the point where it comes in as one of the three highest recommended free A/V programs. MSE has very good integration with Windows of course. It downloads updates at least once a day and has very good detection of “in the wild” threats, which means new variations of malicious software that have not been added to a definition file yet. It is also very good at removing some of the more difficult malware items. The main drawbacks of MSE are that its scan time is extremely slow compared to others and it doesn’t update definitions as frequently. Still, it’s very good for the average home user since it has a basic interface and is designed as a set-and-forget solution for those not so tech savvy individuals. Find more info here: http://www.microsoft.com/security_essentials/
Avast (paid and free versions)
Avast is another very good AV with both free and paid versions. The free version is one of the best free AVs you’ll find. I’ve used it on a few systems with no problems. Avast has some of the best functionality you’ll find in the free A/Vs. It provides more shields than any of the others and is easy on your system resources. Scan times are also very good and it offers a boot time scan that can be used to remove harmful software that is difficult to get rid of from within Windows. Find out more about this software at http://www.avast.com.
Avira (paid and free versions)
Avira is another highly recommended piece of software. I felt the need to mention it even though I don’t personally use it. I can’t offer much insight on it as a result. I know it lacks some of the shields that Avast has, has had some update issues in the past, and has a slow scan time. It is touted as having some of the best detection and removal rates though. More info at: http://www.free-av.com/en/trialpay_download/1/avira_antivir_personal__free_antivirus.html
Each of these solutions should have installation instructions available at their websites. Just keep in mind that it is important to uninstall any previous AV or security suite software prior to installing a new solution. It is generally not a good idea to run more than one active piece of AV software.
2) Firewalls
A firewall is a piece of software (or hardware) that filters incoming/outgoing traffic from the internet or local network.
Windows XP/Vista/Win7 all have a built-in software firewall that is adequate for most people but by no means the best option. The built-in firewall functions by blocking most incoming connections, while allowing all outgoing connections, i.e. the ones you initiate yourself as well as the ones software on your computer may initiate for you, such as queries for updates.
Ideally you want to have control over the outbound connections as well as the inbound connections to avoid malicious software that may have already infected your system from wreaking more havoc than it already has. Without a firewall that allows you to control outgoing traffic, software on your computer could connect to a source on the internet to download additional malicious code or it could gather personal data stored on your computer and transmit it to a recipient on the internet. All these things can be avoided by having a firewall that alerts you when something on your computer tries to connect to something outside of your computer and gives you the option to allow the connection or to deny the connection.
A good software firewall will also have a learning mode that allows you to set rules (usually on the fly) to remember the decisions you make concerning a particular program. By remembering these decisions the firewall can automatically allow or deny these connections the next time the program asks for permission without having to bother you again. After a week or so of “teaching” your firewall what to allow and what to deny you’ll seldom ever see the pop-up warnings about programs trying to connect. You will still encounter them when installing new programs of course. The firewall will have to learn these rules just like it learns rules for the software already on your system. Oftentimes when you install an updated version of software you will have to re-confirm the decisions you’ve already made concerning that particular program, because components of the software have effectively changed to newer and different components.
It all seems like a hassle at first but once you get used to it and teach the firewall the rules you need it to know, it really isn’t too bad at all. The hardest part is figuring out exactly what is trying to connect. Not all programs label their components in a way that makes it easy to understand exactly what is trying to get through your firewall. Google is your friend when you run into this situation. You may need to research some obscure entries when you are getting started. Some basic rules to keep in mind are: 1) Never accept an incoming connection that you haven’t solicited unless you know exactly what it is, and 2) Outgoing connections that occur as soon as you do something on the PC are probably a result of what you just did, but outbound connections that appear with no action on your part are likely initiated by software on your computer, and you’ll have to decide whether that software has a legitimate need to access the internet or not.
It’s also worth noting that many software firewalls now have built-in HIPS (Host Intrusion Prevention System) protection, which makes them even better at protecting your PC and even harder to understand. HIPS basically monitors the software on your computer and alerts you when a piece of software is trying to change something about your PC or other software. Many malicious programs attempt to modify parts of the OS or other software (like your security software) to allow easier access to your personal data and allow the malicious code to wreak havoc on your system. HIPS does a pretty good job of preventing this so long as you can figure out what you should be allowing and what you should be blocking.
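The Vista/Win7 firewall can actually give you a basic form of the outbound control described above, without the learning-mode pop-ups: block outbound by default, allow the few programs that need the net, and log what gets dropped so you can apply rule 2 above to real evidence instead of guesswork. The following added example (my own code, not from the guide) does that with netsh advfirewall. Enable-OutboundControl is only defined, not run, so nothing changes on your machine until you call it; the program paths, rule names and the sample log lines are constructed for illustration.

```powershell
# Added example, not part of the original guide: default-deny outbound with the
# Vista/Win7 built-in firewall, explicit allow rules for the programs that need
# the internet, logging of dropped packets, and a summary of what was dropped.
# Program paths, rule names and the sample log below are constructed.

function Enable-OutboundControl {
    # Default-deny in both directions on every profile. The predefined "Core
    # Networking" outbound rules (DHCP, DNS and so on) stay enabled, so name
    # resolution keeps working.
    netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

    # Allow only programs with a legitimate need for the internet (constructed paths).
    netsh advfirewall firewall add rule name="Allow Firefox out" dir=out action=allow enable=yes `
        program="C:\Program Files\Mozilla Firefox\firefox.exe"
    netsh advfirewall firewall add rule name="Allow Windows Update out" dir=out action=allow enable=yes `
        program="$env:SystemRoot\System32\svchost.exe" service=wuauserv

    # Log every dropped connection so you can see what was blocked before
    # deciding whether it deserves a rule.
    netsh advfirewall set allprofiles logging droppedconnections enable
    netsh advfirewall set allprofiles logging filename "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
}

function Get-DroppedOutbound {
    param([string[]]$Lines)
    # pfirewall.log uses W3C fields: date time action protocol src-ip dst-ip src-port
    # dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path,
    # where path is SEND for outbound and RECEIVE for inbound.
    $dropped = @()
    foreach ($line in $Lines) {
        if (-not $line -or $line.StartsWith('#')) { continue }   # skip header lines
        $f = $line -split ' +'
        if ($f.Count -ge 17 -and $f[2] -eq 'DROP' -and $f[16] -eq 'SEND') {
            $dropped += New-Object PSObject -Property @{
                Time = "$($f[0]) $($f[1])"; Proto = $f[3]; Dest = "$($f[5]):$($f[7])"
            }
        }
    }
    # One row per destination/protocol, busiest first: a destination that keeps
    # being retried with no action on your part is the one to research.
    $dropped | Group-Object Dest, Proto | Sort-Object Count -Descending | Select-Object Count, Name
}

# Constructed sample log (documentation addresses, not a real capture).
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2010-09-14 20:01:05 DROP TCP 192.168.1.10 203.0.113.7 49211 8080 0 - 0 0 0 - - - SEND
2010-09-14 20:01:06 DROP TCP 192.168.1.10 203.0.113.7 49212 8080 0 - 0 0 0 - - - SEND
2010-09-14 20:01:09 DROP UDP 198.51.100.20 192.168.1.10 53 49213 0 - - - - - - - RECEIVE
2010-09-14 20:02:30 ALLOW TCP 192.168.1.10 198.51.100.5 49214 443 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

Get-DroppedOutbound -Lines $sampleLog

# Against the real log (after Enable-OutboundControl has been run from an elevated prompt):
# Get-DroppedOutbound -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

Only the two DROP/SEND lines to 203.0.113.7 port 8080 survive the filter in the sample; the inbound DNS reply and the allowed HTTPS connection are ignored. The log records addresses and ports but not which program sent the packet, so this gives you the destination to research, not the culprit by name; that is still the job of the learning-mode firewalls recommended below. Run with logging first and default-deny second, since switching to blockoutbound before the allow rules exist will break any program that is not covered.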
Now let’s get down to some recommended firewalls.
As far as hardware goes there are two general types of firewalls. The first is a simple firewall that can be found on almost any router. If you have a wired or wireless router on your network then you probably have a firewall. These are the best kind of firewalls to have for the average home user. The hardware firewall is much stricter on incoming connections than the software firewall built into Windows. It also doesn’t allow for user error. You won’t get any warning about what to allow in because it has very carefully defined rules already in place to allow for full functionality and good security. To modify these rules you’ll have to learn to forward ports to the computer you wish the connection to go to. BitTorrent clients are a good example of software you’ll need to forward ports to use correctly. For more information on making custom rules for a hardware firewall visit http://www.portforward.com where you can find instructions for various router models and various popular programs.
A router also has a marked advantage when it comes to system resources. It simply doesn’t use any. The firewall is in the router and filters data before it ever reaches your computer. It in no way affects the computer itself, only the data trying to reach the computer or the internet. You can access the settings on your router via your existing internet browser.
A router firewall does have one weak link though. Like the firewall built into Windows, a router has no outbound protection. In order to have control over your outbound connections you’ll need to use a software firewall in addition to the router.
Routers aren’t the only form of hardware firewall. There are much more advanced pieces of equipment out there. These are true hardware firewalls that can control both incoming and outgoing connections. Oftentimes they offer subscriptions to anti-virus, anti-spyware, and anti-spam modules that install on the box instead of your computer and thus filter out all these harmful things before they ever reach your computer. These are by far the very best line of protection you can get. They are also expensive and require subscriptions. You’ll need to install some software as well in order to have full control over the device from within the operating system, since you’ll need to interact with it far more often than with a router because it will be controlling outbound connections for you. Overall these things are overkill for most people and should be confined to the business environments they are truly designed for.
If you really want a true hardware firewall you’ll have to do your own research. I’ve never felt the need to get one myself and the companies I’ve worked for have never needed them either, so I have very little experience with them. I can only recommend you see which ones are popular sellers on Newegg or Google for some more professional opinions before buying.
Let’s move on now to a couple of software firewalls. Since I’ve already covered what a software firewall does, I’ll move right ahead to recommendations on specific pieces of software. All of these by their very nature can have some issues playing nice with the software on your system. Keep that in mind if you run into any specific problems and browse the web for some answers from people who may have had similar problems with the same software.
First I’ll mention what is probably the most popular standalone firewall on the market, ZoneAlarm. You can find this at http://www.zonealarm.com . There are a few different versions. To get the free version use the Download and Buy link and choose the Free Downloads link on the menu. Personally, I don’t like ZoneAlarm. I used it for a few years back in the day, and found it to be a bit too heavy on resources and it gave me hell with P2P applications like BitTorrent and eDonkey. I can’t really attest to the quality of newer versions since I haven’t used it in well over 4 years now. I have had to remove it from a couple of laptops lately because it was killing the wireless connection.
Next in line is Comodo Internet Security. Find it at http://www.personalfirewall.comodo.com . This is my current weapon of choice. I’ve been using it for about 4 years now. It’s one of the most advanced software firewalls out there and is free to use. This firewall has HIPS protection and even an A/V module, though I don’t recommend using that part. The latest builds also feature a Sandbox that helps contain malicious software before it even has access to your system. The Sandbox feature is still in its early stages and should improve over time. It can be a bit overwhelming at first but there are several help forums such as http://www.wilderssecurity.com that can help with any issues you may have.
Online Armor has also been recommended as a very good free firewall and is easier to use than Comodo. It has paid and free versions. More information at: http://www.online-armor.com/
Also keep in mind that if you have a security suite you may have a built in firewall. Whether it’s any good or not is up to the particular brand of protection you subscribe to. Regardless, make sure of whether you already have a software firewall installed or not. You do not want to run two firewalls at once. They will cause conflicts. You can run a software firewall with a router without issue though.
3) Spam
Ah Spam! The electronic equivalent of the paper junk your mail carrier stuffs your receptacle full of every day, with the exception of Sundays and every day that could remotely be considered a holiday. The good thing about spam is that there are no Sundays and holidays! Wait, that’s not such a good thing at all, is it? What can you do to avoid this rubbish? Well let’s find out.
The first thing you need to do is choose your mail provider carefully. Most ISPs (your Internet Service Provider) provide you with an email account and most now have their own spam blocking software that will help filter out a lot of junk mail before it ever gets to your computer. For those of you using a webmail provider be aware that many of these will sell your email address as soon as you open the account and you’ll be bombarded with spam from day one. Of course most of them provide spam filters as well to block all that nasty junk mail because they would never want you to be flooded with spam despite the fact that they are one of the main causes of it. Out of all the popular webmail providers I prefer Google Gmail. I see almost zero spam with them. They don’t sell your address evidently or if they do their spam filters are so good it takes care of the problem.
If you use webmail you are pretty well done with spam at this point. If you use any sort of email that allows POP3 or IMAP access for an email client like Outlook or Thunderbird there are some more steps you can take.
First, if you use Outlook, you have some good built in spam filters that are updated via Windows Update monthly. Outlook Express on the other hand has no such filter. In this case I recommend you install a better email program. Microsoft has released an updated program called Windows Live Mail to replace Outlook Express with much better functionality. You could also try Thunderbird which is covered below. Some security suites provide anti-spam along with your anti-virus and anti-spyware solutions. If you have a spam blocking suite you don’t need to install anything else. If you do not have such a suite you’ll have to find a good third party standalone spam blocker. I can’t really recommend any. All the ones I tried in the past had issues and I’ve long since ditched Outlook Express.
Next, I’d like to recommend Mozilla Thunderbird. This email client can be found at http://www.mozillamessaging.com/en-US/thunderbird/ and provides a good free email client with a built in junk mail filter that learns what you want it to keep and what you want it to trash. You’ll have to turn on the filter after installing Thunderbird and spend a couple of weeks sending spam in your inbox to the junk list and sorting through the junk folder to remove good emails from the junk list and send them back to the inbox. Once it learns what you want and what you don’t it’s usually set it and forget it, though you may want to just skim the junk folder each week to make sure nothing has gotten by.
4) Parental Controls
I’m not one for parental controls myself, but I figured I’d drop a hint or two for those who are. Microsoft has released parental controls as part of the Windows Live Essentials package, which are free to use. Get it here: http://explore.live.com/windows-live-essentials?os=other These controls should help guard your children from all the perversity on the net these days.
5) Open DNS
I’d like to mention this fine service since it is free and provides one more layer of protection. Open DNS is basically a web filtering service used by a huge number of institutions around the world. All you have to do is visit: http://www.opendns.com/ and sign up for the free service. It’ll tell you how to set up each computer on your network, or a router to cover the whole network. Basically you’ll be using their DNS servers instead of the ones your ISP provides with your internet access. You can access your account from the Open DNS website and configure multiple types of websites you would like to block. You can also allow and block specific websites. It’s a very good first line of defense. If you can’t get to the bad websites to start with they can’t hurt you.
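The filter only works for a computer that actually sends its lookups to the service’s resolvers; a machine still pointed at the ISP’s DNS sidesteps it completely. The following added example (my own code, not from the guide or the service) sets the resolvers on every active adapter through WMI and then verifies that none still uses anything else. The two server addresses are placeholders, since the guide does not list them: substitute the ones the service shows you after you sign up.

```powershell
# Added example, not part of the original guide: point every active network
# adapter at the filtering service's resolvers and check that none still uses
# the ISP's DNS (a machine resolving names elsewhere bypasses the filter).
# The two addresses are placeholders: substitute the ones the service gives you.

$FilterDns = @('<FILTERING_DNS_1>', '<FILTERING_DNS_2>')   # placeholders, not real addresses

function Set-FilteringDns {
    param([string[]]$Servers)
    # Only adapters that currently have an IP configuration are changed.
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        $rc = $a.SetDNSServerSearchOrder($Servers)      # ReturnValue 0 means success
        if ($rc.ReturnValue -ne 0) {
            Write-Warning ("{0}: SetDNSServerSearchOrder returned {1}" -f $a.Description, $rc.ReturnValue)
        }
    }
    ipconfig /flushdns | Out-Null                       # drop answers cached from the old resolvers
}

function Test-FilteringDns {
    param([string[]]$Expected)
    # Returns $true only if every active adapter uses exactly the expected resolvers, in order.
    $ok = $true
    foreach ($a in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
        $current = @($a.DNSServerSearchOrder)
        if (($current -join ',') -ne ($Expected -join ',')) {
            $ok = $false
            Write-Warning ("{0} resolves through: {1}" -f $a.Description, ($current -join ', '))
        }
    }
    return $ok
}

Set-FilteringDns -Servers $FilterDns
if (Test-FilteringDns -Expected $FilterDns) {
    'All active adapters use the filtering resolvers.'
    nslookup example.com      # the "Server:" line shows which resolver actually answered
}
```

Run it from an elevated prompt. If your router hands out DNS settings over DHCP, set the resolvers on the router instead, as the service’s instructions describe, so every device on the network is covered; Test-FilteringDns is still useful afterwards to catch a machine that has been given a static resolver by hand.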
6) Backup Software
Another good idea is to make regular backups of your whole computer. External hard drives work well for this and they are cheap now. There are also several free pieces of software available to handle the backups, and better native support for system backups is built into later versions of Windows. Vista and Win7 both have built-in backup utilities. Win7 is far more robust with its features. This may be all you need for your backups. Windows XP has no such functionality so third-party software is definitely needed. There are a couple of free programs that are good for any of these platforms. Links are below.
Paragon (my weapon of choice): http://www.paragon-software.com/free/
Macrium Reflect: http://www.macrium.com/reflectfree.asp
Mozilla Firefox: http://www.mozilla.com/en-US/firefox/personal.html
Google Chrome: http://www.google.com/chrome
That should be all you need for a secure system. There are ways to make it even more secure by sandboxing, shadowing, and virtualizing your computer for use on the internet. I haven’t gotten into those areas yet and don’t intend to at this time. Those practices seem overkill to me at this point, but the day may soon come when such steps also become necessary. Google those terms if you would like more information on extreme security for your PC.
Thanks for reading!