mechBgon's guide to building your first PC from parts   : )


How to secure your Windows PC


Use a layered defense. Layered defense means that you don't rely on just one type of defense (such as antivirus software). Instead, you use multiple overlapping layers of defense. Today, there is great value in proactive security measures that don't rely on signature updates to maintain good protection, so my list starts with a very powerful one: the non-Administrator user account. Try it.

Is security that big of a deal? It's just a home computer, dude.

I think security of home computers is a big deal, dude. ; ) You don't want the bad guys to:

  • drain your PayPal account, and/or use it to drain your bank account!
  • steal your game CD keys or a copy of your Windows installation key
  • steal your World Of Warcraft account to auction off your stuff
  • steal your credit-card information using a keystroke logger
  • steal your eBay credentials to sell non-existent stuff under your name
  • infect your computer with embarrassing nasty pop-ups that you can't get rid of
  • use your computer to send covert Spam, or to commit non-stop click fraud
  • re-route your Internet searches through THEIR servers for financial gain

Suggested defense strategy for home computers

  1. Don't use an Administrator user account when you don't need to

    Log on with a non-Administrator user account whenever possible. This step is extremely effective. It arbitrarily stops or cripples most "inside" attacks from viruses and spyware that attack Windows itself, and other software you use. If you have "problem" software which doesn't want to cooperate with your non-Administrator account, see these tips. Windows Vista has much better support for non-Administrators than Windows XP, so if you can use Vista, it'll make this step far easier.

    Don't let other people use the Administrator account on your computer. Make a separate non-Administrator account for visitors to use, so they're not logging onto one of your own user accounts.


  2. Use firewalls

    Use a router and the Windows Firewall (or another software firewall) to keep other computers from directly "touching" your computer. Firewall protection arbitrarily stops attacks from "outside," both worms (which spread directly between computers without human involvement) and human or automated hacking attacks.

    Note: don't try to use more than one software firewall at the same time, since they may clash. Also, see my router page for important tips on preventing your router or modem from being subverted.


  3. Keep Windows up-to-date

    Enable Automatic Updates (you can reach this setting by right-clicking My Computer and choosing Properties).

    Also, upgrade the Automatic Updates software to Microsoft Update, which will update a wider range of Microsoft software (including any Microsoft Office-related software). To get Microsoft Update:

    • For Windows XP or Windows 2000 users, go to the Microsoft Update website.

    • For Windows Vista users, click Start, type Windows Update in the Search box, and press Enter, then click Change Settings, and put a checkmark in the box for Microsoft Update, as shown below.


  4. Eliminate unnecessary "attack surface"

    Did your computer come with a bunch of junk you never use? Or has it got a lot of accumulated stuff you don't use anymore? Uninstall it. The bad guys cannot exploit something that isn't there. Media players, Instant Messaging and VOIP programs, email programs, web browsers, Sun Java and other popular stuff are often exploited by the bad guys.


  5. Keep your other software up-to-date (use Secunia's new Personal Software Inspector beta at least once a month). This step is VERY important.


  6. Use your computer's Data Execution Prevention feature

    Fully enable your computer's Data Execution Prevention. You can reach this setting by right-clicking My Computer and choosing Properties. If a program is terminated by the Data Execution Prevention, you'll see an alert that says so.

    If normal programs consistently cause Data Execution Prevention errors, use your Administrator account to make exceptions when necessary. In the picture above, you see that I added some "problem" programs to the exception list.


  7. Use antivirus software

    But do NOT assume antivirus software is infallible, because it isn't. Average detection rates on real-world malicious software may be far, far lower than you'd think.


  8. Disable or restrict "AutoPlay"

    Your computer can be attacked by a memory card, a flash drive, a burned CD or DVD, an external hard drive or an MP3 player, just like computer viruses spread themselves by infecting floppy diskettes in the old days. See how to prevent AutoPlay attacks by disabling or restricting AutoPlay.


  9. Do NOT install any software or add-ons you got from the Internet, unless it comes from an absolutely trustworthy author. Because when you download & install software, you cast aside your own defenses and put yourself at the mercy of the software's author. Don't do this lightly, because the bad guys will be happy to bypass all your security measures with a Trojan Horse attack, targeting YOU as the weak point in the defenses.


  10. Absolutely do not mess around with warez (illegal software), key generators, cracks, or any executable files you got from a P2P / file-sharing network; these are extreme risks. Also avoid websites that feature warez, serials, cracks or pornography, because those categories of websites are most likely to have malicious exploits built into them.


  11. BACK UP YOUR DATA. Your computer won't last forever, and some types of malware actively delete your stuff. Be wise and establish some kind of backup system, such as an external hard drive, and use it.


  12. Advanced users: use a Software Restriction Policy. Windows XP Professional Edition, Windows Vista Ultimate and Windows Vista Business allow you to use this extra safeguard.
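A read-only check of four of the steps above (1, 2, 6 and 8), as an added example that is not part of the original guide. It assumes Windows PowerShell 3.0 or later; the function name Test-LayeredDefense is hypothetical.

```powershell
# Added example: read-only audit of steps 1, 2, 6 and 8 from the list above.
# Assumes Windows PowerShell 3.0+; Test-LayeredDefense is a hypothetical name.
function Test-LayeredDefense {
    # Step 1: does this session's token carry Administrator rights?
    # (Under Vista's UAC an unelevated Administrator account also reports False.)
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Step 2: Windows Firewall state for the active profile
    # (legacy COM interface, present since Windows XP SP2).
    $firewall  = New-Object -ComObject HNetCfg.FwMgr
    $fwEnabled = [bool]$firewall.LocalPolicy.CurrentProfile.FirewallEnabled

    # Step 6: DEP policy. 0 = always off, 1 = always on,
    # 2 = essential Windows programs only, 3 = all programs except listed exceptions.
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $dep = [int]$os.DataExecutionPrevention_SupportPolicy

    # Step 8: machine-wide AutoRun policy. 0xFF turns AutoRun off for every
    # drive type; a missing value means the Windows default is in effect.
    $key     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $policy  = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $autoRun = $policy.NoDriveTypeAutoRun
    $autoRunText = if ($null -eq $autoRun) { 'not set' } else { '0x{0:X2}' -f $autoRun }

    # One result object per layer, so the output can be filtered or logged.
    [pscustomobject]@{ Layer = 'Non-Administrator session'; OK = -not $isAdmin
                       Detail = "Administrator rights: $isAdmin" }
    [pscustomobject]@{ Layer = 'Windows Firewall'; OK = $fwEnabled
                       Detail = "Enabled for active profile: $fwEnabled" }
    [pscustomobject]@{ Layer = 'Data Execution Prevention'; OK = ($dep -eq 1 -or $dep -eq 3)
                       Detail = "Support policy: $dep" }
    [pscustomobject]@{ Layer = 'AutoRun disabled (all drives)'; OK = ($autoRun -eq 0xFF)
                       Detail = "NoDriveTypeAutoRun: $autoRunText" }
}

Test-LayeredDefense | Format-Table -AutoSize
```

The AutoRun row only reports OK when AutoRun is off for every drive type; a partially restricted setting shows its raw value in the Detail column.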


What about alternate Web browsers?

Use an alternate browser instead of Internet Explorer if you prefer, but don't make it your answer to security. Real security begins with using a non-Administrator account to run the web browser, no matter what web browser it is. There's an awful lot of alternate-browser zealots who still haven't figured this out. Be more secure than them, with whatever browser you prefer. : ) Also be aware that Internet Explorer 7 enjoys special security enhancements on Windows Vista, called "Protected Mode" and "Windows Integrity Control," making it an especially desirable browser on Vista systems.

Note: even if you don't routinely use Internet Explorer, install Internet Explorer 7 and keep it updated. This is important for security.

Why don't you list any antispyware programs?

If you use the layered defense I've shown above, including risk avoidance, it's not very likely that you'd need antispyware programs. If you want to install some anyway, here are three reputable free ones:

Avoid the numerous bogus antispyware variants. Do not be fooled by their hysterical, fictional scare tactics that claim your computer is infected, and don't buy anything from them, no matter how slick their website or their animated "scanner" looks.

I heard the Windows Firewall isn't very good

For the purpose of keeping other computers (even those sharing your router) from attacking your own computer, it's fine. Windows won't let your non-Administrator account (or something exploiting your non-Administrator account) mess with the Windows Firewall settings either, making it especially tamper-resistant.

Some people want a "two-way" firewall that'll ask them before letting a program use the Internet connection, but these historically have been easy to fool, so I wouldn't place too much confidence in that capability. I use the Windows Firewall and simply maintain tight control of what's on the computer in the first place.

Anything else?

Since this is a guide to building a new computer, I strongly suggest getting a 64-bit CPU and a 64-bit version of Windows Vista. Windows Vista is substantially more secure than Windows XP by design, and the 64-bit versions of Vista are the most secure of all. See the previous page for information on Vista.

