WINDOWS SECURITY REQUIREMENTS
I cannot stress how important it is that you read this article and implement the
Your computer is under constant attack from people who want to steal your personal data,
use your computer to send out spam, or use your computer to attack others. They do this
by placing a variety of bad programs on your computer, collectively called malware.
Some of these programs are called viruses, Trojan horses, worms, keyboard loggers, etc.
Most of them are designed to run without your knowledge, although some are designed to
destroy the data on your hard drive.
If you elect to not follow these recommendations, here is what may happen:
1. Your personal information could be at risk.
2. Your computer will eventually run very slowly.
3. All of your data and programs may be erased.
4. Your computer may be used to send out spam.
5. Your computer may be used to attack others.
Back in 2003, the common belief was that you did not have to worry about anything if
you never opened an email attachment or did nothing more than connect to your bank
site. Although it is still very important that you do not open any unexpected attachments,
there are many other ways that you can get infected with malware. Some of these are:
1. Just connecting to internet with an unprotected computer will result in malware
infesting your computer in a matter of minutes. This is done by malware that is
constantly scanning the internet, looking for a computer to connect to.
2. Just reading an email message – no attachment necessary – especially if the email
uses HTML, as it is easy to embed malware within the HTML code. If an email
message is nice and colorful and contains smilies or other icons, you need to turn off
the HTML email feature in your email program.
3. Just connecting to a corrupted internet site can result in malware being downloaded
to your computer. Sometimes the malware is hidden in an image on the website.
Your browser automatically opens and displays the image, but the image also
contains a small program that will then download more malware.
4. Downloading some shareware and freeware programs. You have to be especially
careful of programs that claim to be anti-spyware programs.
Back when the internet and Windows were designed, no one thought that the internet
would be used for such bad purposes. Consequently, new ways to infect your computer
are constantly being discovered.
Unfortunately, if you use Windows and connect your computer to internet – even for
short periods of time – you need to become somewhat of a security expert and keep
updated on the most recent issues. If you are not willing to do this – and you still want to
use a computer – you may want to consider getting an Apple computer or using Linux on
your present computer when you connect to internet.
HOW TO PROTECT YOUR COMPUTER
There are numerous “security suites” that try to address most of the security issues.
However, this “one-stop” approach is (to date) definitely NOT recommended for the
1. No single anti-spyware program catches everything.
2. Some of these programs do not update nearly often enough. (In fact, one popular
antivirus program will not even let you retrieve updates manually).
3. Some of these programs use detection engines that are not current and are themselves
subject to attack.
4. Almost all of these programs suffer from extreme “bloatware” and slow down your
5. None of the suites give you the “best of the best” protection for all forms of malware.
Instead, I recommend a “layered” approach that will allow you to use the current “best”
programs and then easily change programs as needs dictate. The best part of this is that
the overall cost will likely be lower as well. So, let’s get started.
The first thing that you need is a firewall. A good firewall will protect your computer
from unauthorized access from the internet and will also prevent unauthorized programs
from accessing the internet and sending personal information to the bad guys. If you connect
to the internet via broadband using Ethernet, you need a hardware firewall. All of the
popular routers / wireless routers include a firewall. The firewall will look at all
incoming data from the internet and will only let through information that you requested.
However, it only works on incoming data; it assumes that all outgoing data is OK and
lets it through. This is where a software firewall comes into play. EVERYONE needs a
good software firewall, even if you have a hardware firewall. Users who connect via dial-
up or cell phone will only be able to use a software firewall. The good news is that a
software firewall will monitor both incoming and outgoing data and protect your
computer from unauthorized access in both directions. (IMPORTANT NOTE – the software
firewall included with XP SP2 only protects you from incoming data; it does not monitor
outgoing data. Do not use the XP SP2 firewall.) The bad news is that some malware is
able to turn off some of the more popular software firewalls. It is for this reason that I do
NOT recommend ZoneAlarm, as there is malware that can detect it and turn it off. I use
Sygate and have been happy with it. Other possibilities include Kerio and TinyFirewall.
Note that you can have both hardware and software firewalls, but you should only have
ONE software firewall. Trying to run more than one software firewall can cause
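The difference between the two firewall roles is easiest to see in a small model. The following is an added example, not code from this article: a toy stateful filter that behaves like the router firewall described above (everything outbound passes; only replies to connections the PC opened come back in), beside a software firewall that adds a per-program outbound allow list. The packets, program names and hosts are all constructed; 203.0.113.x is a documentation-only address range.

```python
"""Toy model of the two firewall roles described above: a router (hardware)
firewall that is stateful on inbound traffic only, and a software firewall
that also applies per-program outbound rules. Added example, not the
article's code; all traffic below is constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    direction: str     # "out": PC -> internet, "in": internet -> PC
    program: str       # local program owning the socket (only the PC knows this)
    local_port: int
    remote_host: str
    remote_port: int


class RouterFirewall:
    """Lets out everything; lets in only replies to connections the PC opened."""

    def __init__(self) -> None:
        self._sessions = set()

    def allow(self, pkt: Packet) -> bool:
        key = (pkt.local_port, pkt.remote_host, pkt.remote_port)
        if pkt.direction == "out":
            self._sessions.add(key)      # outgoing traffic is assumed legitimate
            return True
        return key in self._sessions     # unsolicited inbound is dropped


class SoftwareFirewall:
    """Same inbound logic, plus an outbound allow list of programs."""

    def __init__(self, allowed_programs) -> None:
        self._allowed = frozenset(allowed_programs)
        self._state = RouterFirewall()

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out" and pkt.program not in self._allowed:
            return False                 # an unknown program may not "phone home"
        return self._state.allow(pkt)


# Constructed traffic: a normal banking session, an unsolicited inbound probe,
# and an unknown program trying to send data out.
TRAFFIC: List[Packet] = [
    Packet("out", "firefox.exe", 49152, "bank.example", 443),
    Packet("in", "firefox.exe", 49152, "bank.example", 443),    # solicited reply
    Packet("in", "", 135, "203.0.113.9", 54321),                # unsolicited probe
    Packet("out", "unknown_app.exe", 49153, "203.0.113.9", 80),  # outbound leak
]


def run(firewall, traffic: List[Packet]) -> List[bool]:
    """Return one allow/deny decision per packet, in order."""
    return [firewall.allow(p) for p in traffic]


def compare() -> Dict[str, List[bool]]:
    """Run the same traffic through both firewall models."""
    return {
        "router": run(RouterFirewall(), TRAFFIC),
        "software": run(SoftwareFirewall({"firefox.exe"}), TRAFFIC),
    }


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(f"{name:8s}", ["allow" if d else "DROP" for d in decisions])
```

Both models drop the unsolicited probe, but only the software firewall stops the unknown program's outbound packet; the router model, like the XP SP2 firewall the text warns about, never sees a reason to block it.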
Let’s cut to the chase. There are only two antivirus programs that I recommend. The
best is a pay product called NOD32 from Eset. It is lightweight, fast and efficient and
gets updated several times a day. Most importantly, it is one of the few antivirus programs
that are not susceptible to the magic byte / JPEG method of fooling virus detection. For a
free antivirus program, I recommend AVG Free edition.
However, whatever you choose, there are some other important considerations. Most
antivirus product editions work best with XP. If you investigate, you will find that the
good antivirus products made for XP catch 100% of the viruses, but their performance
falls off (sometimes drastically) for prior versions of Windows. The second thing that
you need to know is that many antivirus products only update once per week – even if
you try a manual update. The third thing you need to know is that virus detection engines
have changed (and must change) over time as new malware is developed. Just keeping the virus
definitions updated on your two-year-old program is not sufficient. Get the latest edition
every year, or check your edition and make sure it is current.
Also, note that you can run only one antivirus program at a time.
No single antispyware program catches all spyware. Fortunately, you can run more than
one antispyware program at a time, and there are several that I recommend.
There are several good products out there and also some bad ones. Some of them have
come under legal attack because the End User License Agreement that you
agreed to when you installed that software explicitly allowed spyware to be installed.
Some programs also have a “gentleman’s agreement” to specifically not detect certain
keylogging programs…which of course the bad guys have learned to emulate.
When it comes to good antispyware programs, this is really a moving target. It really pays to
investigate recommendations from a certified testing source, as I suspect that some of the
reviews and recommendations in PC magazines are either driven by advertising dollars or
by incompetence in their testing procedures.
Here is what I use, which may change tomorrow:
1. Tenebril Spycatcher (free edition does not automatically update. Also, a little geeky,
but if you thoroughly explore what it is telling you, it is great).
2. Microsoft free antispyware program (only works on XP). I still use this even though
MS has had to back off a bit on detection due to lawsuit threats regarding spyware
that you agreed to have installed when you installed that shareware/freeware.
3. Spybot Search and Destroy. Again, not quite the program that it used to be.
4. WinPatrol or Prevx (details discussed later).
There is a new class of malware called rootkits, so called because it is able to install itself deep
in the kernel of your OS and NOT be detected by conventional antivirus or antispyware
programs. Without getting technical, suffice it to say that NO ONE has developed a
really good rootkit detection program. To make matters worse, if you are able to detect
it, you may not be able to remove it!
There are presently two products that attempt to detect rootkits. Rootkit Revealer is
available for free from SysInternals. It is a pretty geeky program and will likely result in
false positives. Another program is BlackLight from F-Secure. However, the only
foolproof way to detect rootkits requires two copies of Windows and a rather detailed
process far beyond what you or I would like to undertake. MS is trying to come up with
a workable solution, but it is presently hung up on the licensing issue of requiring two
copies of the OS.
Sony developed a rootkit in early 2005 that was meant to prevent making more than three
copies of their music CDs. This rootkit caused two major problems. First, if you
uninstalled the rootkit, Windows was rendered useless! Second, if you left the rootkit on
your computer, additional vulnerabilities were enabled.
So, what is your defense? As of this writing, the best thing that you can do is to make
absolutely certain that your computer does not have any malware (including rootkits) and
then make an image of each partition on your hard drive (HD). The only way to ensure
that your computer is 100% clean is to reinstall Windows (and all your programs and data
and of course your anti-malware programs) and THEN make your image. (Also, be
aware that System Restore is NOT the same thing and will NOT protect you from most of
these attacks.) You will use this image periodically (I do it monthly) to easily restore your
computer to a known-good state. This procedure will also protect you from HD failure,
user error, or any malware that is able to sneak through your defenses and damage your
computer. You will need a second HD to store the image on. I recommend an external
HD as this can be easily disconnected from the internet. There are several good disk imaging
programs, but the one I recommend is Dantz Retrospect. A perfectly good lite version
comes with many new external hard drives. If you are purchasing an external HD, get
one that is USB2 (FireWire if your computer supports it) and spins at 7200 rpm. It is also
preferable to get one that has a low seek time and also has 16MB cache, but this is not
KEEP WINDOWS AND OTHER SOFTWARE UPDATED
Microsoft issues patches and updates on the second Tuesday of the month. However,
there are several problems with this:
1. There are vulnerabilities that MS has not addressed.
2. Since the patches only come out once a month, there is potentially significant time
during which you are vulnerable.
3. The Auto Update feature could result in at least a 5-day delay in your getting the
patches, even if you have a broadband connection and always leave your computer
on. Obviously, if you are an RV’er, you need to manually download and install the
Many public WIFI hotspots (and campgrounds) do not use any security on the radio link
from your computer to the router. This means that everything you send and receive from
your computer is freely available for anyone to intercept and read as long as they have a
computer with a wireless card and a simple program like Ethereal. Some WIFI hotspots
are encrypted with WEP. However, WEP is easily broken, and the pass key is shared with
everyone on the network. WPA is a much stronger form of encryption, but it is seldom
used because early versions of WIFI cards do not support it and it is a bit of an
administrative hassle to manage the pass keys unless a RADIUS server is used.
However, note that if SSL (Secure Sockets Layer, developed by Netscape) is used by a
website or by your email provider, your data is protected. You can tell when a website is
using SSL as your browser will display an icon, such as a lock, and the address bar
will start with https: instead of http:, indicating an SSL connection.
Note that if WPA is not used at your hotspot, your email ID and password will be sent “in
the clear” for potentially anyone to snag. Most ISPs (including Yahoo and Hotmail)
support secure email to ensure encrypted login and encrypted delivery of your email.
You will have to make a configuration change in your email client to take advantage of
However, another alternative is to use a pay service such as Anonymizer, PublicVPN or
HotspotVPN, which allows you to connect to their servers via an SSL
connection. Any of these services ensures that ALL of your data is encrypted and not
available for ANYONE to decipher. If you choose a service like this, make sure that
your connection to their service is via 128-bit SSL to ensure encrypted communications.
Note that there are some other services that provide another type of encryption using
IPSEC (IP Security) that establish a VPN (Virtual Private Network) tunnel between your
computer and their server. This is also a good service that will encrypt all your
communications. However, the problem with VPN services is that some wireless
network routers are set up to block VPN ports whereas the ports necessary for SSL
communications are virtually always open. The result is that often your VPN service will
not work with WIFI.
You are possibly concerned about the security of using your cell phone for internet
access. The cellular industry has adopted the Wireless Transport Layer Security model
that greatly reduces security concerns. As long as your cellular connection is digital, you
are virtually as secure as you are on a wired internet connection.
You also need to run a program such as WinPatrol or Prevx to protect you from hosts-file
hijacking. This is a method whereby you are directed to a “fake” website, even though
you manually typed in the proper web address.
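The hijack works because Windows consults the local hosts file before asking DNS, so a single added line can send a correctly typed address to an attacker's server. The following is an added example, not code from this article or from WinPatrol/Prevx: it parses a hosts file and flags every name that is mapped to anything other than the loopback or unspecified address. The SAMPLE_HOSTS text is constructed (198.51.100.x is a documentation-only range); the default path is the standard Windows location.

```python
"""Audit a hosts file for the kind of hijack described above: a site name
mapped to a foreign address so that typing the right URL lands on a fake
site. Added example, not the article's code; SAMPLE_HOSTS is constructed."""
import ipaddress
import os
from typing import List, Tuple

# Standard Windows location. On a normal home PC the file holds only localhost lines.
DEFAULT_HOSTS_PATH = os.path.join(
    os.environ.get("SystemRoot", r"C:\Windows"),
    "System32", "drivers", "etc", "hosts")

SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example          # ad-blocker style entry, harmless
198.51.100.23   www.mybank.example           # bank name sent to a foreign address
198.51.100.23   login.mybank.example secure.mybank.example
this is not a valid hosts line
"""

Entry = Tuple[int, object, str]   # (line number, ip address object, host name)


def parse_hosts(text: str) -> List[Entry]:
    """Split hosts-file text into (line, address, name) entries, one per name."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not body:
            continue
        fields = body.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an address; skip
        for name in fields[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def suspicious_entries(entries: List[Entry]) -> List[Tuple[int, str, str]]:
    """Keep entries that do not point at loopback (127.0.0.1, ::1) or at the
    unspecified address 0.0.0.0, which ad-blocking lists use to black-hole a
    name. Anything else redirects a real site name and deserves a look."""
    return [(lineno, str(addr), name)
            for lineno, addr, name in entries
            if not (addr.is_loopback or addr.is_unspecified)]


def audit_text(text: str) -> List[Tuple[int, str, str]]:
    return suspicious_entries(parse_hosts(text))


def audit_file(path: str = DEFAULT_HOSTS_PATH) -> List[Tuple[int, str, str]]:
    """Audit the live hosts file (read-only; nothing is modified)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_text(fh.read())


if __name__ == "__main__":
    for lineno, addr, name in audit_text(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}")
```

The check is deliberately read-only: a flagged line tells you which name to investigate, and removal is then a deliberate decision rather than an automatic fix.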
The folks at www.iamnotageek.com run an excellent service that examines the running
processes on your PC. Download the Hijack This! program and run it. DO NOT let it fix
anything, as this can be very dangerous. Instead, open the Hijack This! log file, copy it
into the form on the HJT Help page and press the Parse button. Although the analysis is
not necessarily 100% accurate, you will have a good idea as to whether or not you have a
problem. This will not necessarily catch rootkits. There is also a wealth of information
and links to identify and remove spyware.
Go to Steve Gibson’s site at www.grc.com and download and run his excellent security
programs such as Shoot The Messenger, DCOMbobulator and UnPlug n' Pray to disable
There are additional services that you could disable that I will not mention here for fear
of interfering with other programs on your computer.
Use Firefox instead of Internet Explorer. Secure each of these as follows:
Keep Internet Explorer safe: Many people find IE 6's Medium security level too
obliging to ActiveX controls and other small programs, or scripts, that the browser runs
security scans, but they also may run malicious code and give attackers access to your
system. To make IE safer, click Tools, Internet Options, Security, Custom Level, select
High from the drop-down menu at the bottom of the Security Settings dialog box, and
click Reset, Yes, OK.
Unfortunately, setting IE to the High security setting can lead to the browser's unleashing
a fusillade of warnings and permission pop-ups every time you visit a site. The solution is
to add the sites that you access often to IE's Trusted Sites list: Choose Tools, Internet
Options, Security, click the Trusted Sites icon, and then click the Sites button. Enter the
Web address, click Add, and repeat as necessary (see the Trusted Sites screen above). Be
sure to uncheck Require server verification (https:) for all sites in this zone. When you're
finished, click OK twice.
the Mozilla Foundation's free Firefox browser is to download and install the NoScript
add-in that was created by Giorgio Maone. NoScript places a warning bar at the bottom
allowing scripts on the site (permanently or temporarily), blocking scripts, and other
operations. The program can also stifle Flash animations and other Firefox plug-ins, but
keep in mind that going Flash-less means you'll be missing out on some of the Web's
richest content (along with all of those great dancing ads). Although NoScript is
freeware, the author does accept donations at www.noscript.net.
Due to all of the vulnerabilities in Outlook / Outlook Express, switch to another email
program such as Thunderbird or Eudora. Whatever email client you use, be sure that you
close the Preview window, if your program has one.
Use the Microsoft Malicious Software Removal Tool to scan and remove the latest
threats. This is a good double-check.
When connecting to any website involving any financial transactions, ensure that SSL is
used. The browser will display a lock or other symbol to indicate that you are on a secure
website. Your address bar will show https: instead of http:. Note that sometimes the bad
guys lure you to a cloned site that will look like your bank’s site, and they will also try to
spoof the SSL certificate…you will get a popup window asking if you want to accept a
certificate that has not been verified or signed, and if you accept it you will get the lock
icon and https in the address bar anyway.
You can test your firewall for free at www.grc.com. You need to do this to ensure that it
is configured properly and protecting your computer.
Be very suspicious of any emails or warnings you get that ask you to click a link or
respond giving any of your personal information. No legitimate firm is going to ask you
for this information over the internet. If for some reason you think it is legitimate, CALL the
firm and VERIFY.
It is very easy to fall for an email advising that a new version of software is available by
clicking a link that will take you to a cloned pirate page where you are really installing
malware. Go to the software website by typing in the address yourself – if there really is
a new software version available, you will be advised of it then.
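The two lures just described, the cloned bank site and the fake "new version" email, can both be checked mechanically before anything is clicked. The following is an added example, not code from this article: one function confirms that an address uses https, one confirms that the host really belongs to the domain you expect (catching lookalikes such as a bank name used as a subdomain of, or as a user name in front of, an attacker's domain), and a third scans an HTML email for links whose visible text names one site while the href points at another. All domains and the SAMPLE_EMAIL are constructed; only the Python standard library is used.

```python
"""Defender-side checks for the lures described above: is this really an
SSL address on the domain I expect, and do the links in this email go where
they claim to? Added example, not the article's code; all domains and the
sample email below are constructed."""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit


def uses_ssl(url: str) -> bool:
    """True only when the address bar would start with https:."""
    return urlsplit(url).scheme.lower() == "https"


def host_belongs_to(url: str, expected_domain: str) -> bool:
    """True when the URL's host is expected_domain or a subdomain of it.
    urlsplit().hostname strips any user@ prefix and :port, so a lure such as
    https://www.mybank.example@evil.example/ is judged by its real host."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    host = host.lower().rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def safe_to_proceed(url: str, expected_domain: str) -> bool:
    """Both conditions the text asks for: SSL, and the right site."""
    return uses_ssl(url) and host_belongs_to(url, expected_domain)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _strip_www(host: str) -> str:
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def mismatched_links(html: str) -> List[Tuple[str, str]]:
    """Return (visible text, real href) for links whose text looks like a web
    address but whose href leads to a different host."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not text or " " in text or "." not in text:
            continue                              # plain wording, not an address
        shown = urlsplit(text if "://" in text else "//" + text).hostname
        real = urlsplit(href).hostname
        if shown and real and _strip_www(shown) != _strip_www(real):
            flagged.append((text, href))
    return flagged


# Constructed sample of a "new version available" email body.
SAMPLE_EMAIL = """
<p>A new version of your software is available. Download it now:</p>
<a href="http://198.51.100.7/update.exe">www.goodsoftware.example/download</a><br>
<a href="https://www.goodsoftware.example/download">www.goodsoftware.example/download</a><br>
<a href="https://www.mybank.example.account-check.example/">mybank.example</a><br>
<a href="https://www.mybank.example/">Log in to your account</a>
"""

if __name__ == "__main__":
    for text, href in mismatched_links(SAMPLE_EMAIL):
        print(f"shows {text!r} but goes to {href}")
```

The last sample link is not flagged because its text is ordinary wording rather than an address; that is exactly the case where the text's advice applies: ignore the link and type the address yourself.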
There are products available that essentially put you behind a commercial firewall that
reroutes all of your traffic through their server. Every data packet is inspected by them
before it is sent to your computer. This service costs roughly $60 for the equipment and
$15/month for the service. This will not solve all of your security issues as you will still
be vulnerable via other sources, such as installing shareware on your computer.
You may also want to consider surfing the internet anonymously. An excellent free
program is available at http://www.snapfiles.com/get/multiproxy.html which will help
you with this.
I am also evaluating a program called ProcessGuard. It is available as both a free and pay
version, but the pay version is recommended for best protection. It appears to work very
well, but it requires a bit of learning and patience. For example, you have to tell it which
programs are allowed to run, or else that program will not run! Also, turning on the
Global Hook feature will stop some programs from running. However, if you don’t mind
the extra effort required, this looks like an outstanding program.