mechBgon's guide to building your first PC from parts   : )



How (and why) to secure your Windows PC


Use a layered defense.

Layered defense means that you don't rely on just one type of defense (such as antivirus software). Instead, you use multiple overlapping layers of defense. Some of the most powerful layers of defense are already built into Windows (or even built into your hardware!). You don't need to download them, buy them, or even install them... you just need to start using them.

The suggested layers, in order (each one is explained in detail further down the page):

  1. Use non-Administrator user accounts

  2. Use a firewall and a router

  3. Enable Automatic Updates and upgrade to the Microsoft Update engine

  4. Uninstall software you don't use

  5. Use Secunia's checkup to fix vulnerable software

  6. Enable full Data Execution Prevention

  7. Use antivirus software

  8. Disable or restrict AutoPlay

  9. Avoid trojan-horse programs

  10. Avoid phishing scams

  11. Avoid scareware scams

  12. Back up your important data

  13. Vista and Windows XP users: update Internet Explorer to version 8

  14. Vista and 7 users: keep UAC enabled

  15. Vista and 7 users: enable a protective feature called "SEHOP"

  16. Advanced users: try Software Restriction Policy


Why should I secure my system? It's just a home computer, dude. If it gets infected, I'll just delete the infection and everything will be fine again.

If your computer gets compromised, it can do significant harm that you won't be able to undo by deleting the infection. Remember the old saying an ounce of prevention is worth a pound of cure? You don't want the bad guys to be able to:

  • delete your music, videos and documents
  • steal your World Of Warcraft or Steam account
  • steal your game CD keys, or a copy of your Windows installation key
  • drain your PayPal account, and/or use it to drain your bank account
  • steal your credit-card information using a keystroke logger
  • steal your eBay credentials to sell non-existent stuff under your name

Suggested defense strategy for home computers

  1. Don't use an Administrator user account when you don't need to

    Use a non-Administrator user account whenever possible. This stops or cripples most "inside" attacks from viruses and spyware that attack Windows itself and the other software you use. Windows Vista and Windows 7 are specifically designed to make it practical to be a non-Administrator, so if you use Vista or 7, this step is far easier. Srsly, if you've been considering an upgrade from Windows XP to Vista or 7, this is another reason to do it.

    If you have some "problem" software that doesn't work with your non-Administrator account on Windows XP or Windows 2000, see these tips.

    If you allow other people to use your computer, then make a separate non-Administrator account just for visitors to use, so they're not logging onto one of your own user accounts with access to your own stuff. Don't let them use the Administrator account.

    If a non-Admin user account won't work for me, what other options should I look at?

    You could use a program like Sandboxie to run high-risk programs (particularly web browsers, email, Instant Messaging, and media players) in a "sandbox" where all the changes get discarded at the end of the session. Another option is to use DropMyRights to run specific programs at a non-Administrator level.
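    The following is an added example, not code from mechBgon's guide: it creates a standard (non-Administrator) account for daily use and a separate account for visitors, makes sure neither is in the Administrators group, and checks whether the session you are running it from is itself an Administrator. The account names are assumptions; run it from an Administrator prompt on XP, Vista or 7 (whoami ships with Vista and 7; on XP it needs the Support Tools).

```powershell
# Added example (not from the guide). Run from an elevated prompt.
$daily   = 'Alice'     # assumed name for your own day-to-day account
$visitor = 'Visitor'   # assumed name for the account guests log on with

# Create both accounts; '*' makes net user prompt for the password instead of
# leaving it in your command history. New local accounts land in the Users
# group, i.e. they are standard users.
net user $daily   '*' /add /passwordchg:yes
net user $visitor '*' /add /passwordchg:no

# Belt and braces: make sure neither account is in Administrators, then list
# who still is, so you can see exactly which accounts hold admin rights.
net localgroup Administrators $daily   /delete 2>$null
net localgroup Administrators $visitor /delete 2>$null
net localgroup Administrators

# Audit the session you are in right now: S-1-5-32-544 is the built-in
# Administrators group. On Vista/7 an admin's unelevated token still lists it
# (marked "used for deny only"), so a match means "switch to $daily".
$isAdmin = [bool]((whoami /groups) -match 'S-1-5-32-544')
if ($isAdmin) { "This session belongs to an Administrator; use '$daily' for everyday work." }
else          { "Good: this session is not a member of Administrators." }
```

    Once the accounts exist, log off and log on as the daily account; the Administrator account is only for installing software and changing system settings.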


  2. Use firewalls

    Firewalls prevent other computers from making unauthorized network contact with your computer. These unwanted probes could come from worm-infected computers that are trying to infect your computer, or from human or automated hacking attacks that attempt to access your computer.

    When possible, use a router as a perimeter firewall to shield your network and your computers from outside intrusion. Then use the Windows Firewall (or another software firewall) as your computer's own firewall, to protect your computer from other computers that might be on the local network, or that might attempt an ad hoc connection using wireless networking.

    If you use a dial-up connection to the Internet, then you can't use a router, but you can still use a software firewall. Your software firewall can also protect your computer when you're on someone else's network (such as public wireless, or at a LAN party or hotel); in those situations, use the "No exceptions" or "Block all incoming connections" checkbox as shown below for Windows XP, or the "Public" setting on Windows Vista and Windows 7:

    Note: a hardware firewall and a software firewall work great together, but don't try to use more than one software firewall at the same time, since they may clash. Also, see my router page for important tips on preventing your router or modem from being subverted.
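    As an added example (not from the guide), this script shows what the firewall settings described above look like from the command line: it turns the Windows Firewall on for every profile and applies the "block all incoming connections" policy to the Public profile on Vista and 7, or the "Don't allow exceptions" mode on XP. Run it from an Administrator prompt; the version check is the only assumption it makes about your system.

```powershell
# Added example (not from the guide). Run from an elevated prompt.
$osVersion = [Environment]::OSVersion.Version

if ($osVersion.Major -ge 6) {
    # Windows Vista / 7: the advanced firewall keeps one profile per network type.
    # Look at the current state of all three before changing anything.
    netsh advfirewall show allprofiles state

    # Firewall on for Domain, Private and Public.
    netsh advfirewall set allprofiles state on

    # Public (hotel, LAN party, coffee shop): drop every inbound connection and
    # ignore the exception list; outbound traffic stays allowed. This is what the
    # "Block all incoming connections" checkbox sets.
    netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound

    # Home/work: inbound is still blocked by default, but exceptions you have
    # approved (file sharing, a game server) keep working.
    netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound
} else {
    # Windows XP SP2/SP3: a single profile. exceptions=disable is the
    # "Don't allow exceptions" checkbox for use on untrusted networks.
    netsh firewall show state
    netsh firewall set opmode mode=enable exceptions=disable
}
```

    When you are back on your own network, re-run the Public-profile line with blockinbound,allowoutbound (or uncheck the box) so approved exceptions work again.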


  3. Keep Windows up-to-date, and get the Microsoft Update engine upgrade

    Enable Automatic Updates (you can reach this setting by right-clicking My Computer and choosing Properties, and then clicking System Protection on Vista or Windows 7 systems).

    Also, upgrade your Automatic Updates software to the full Microsoft Update engine. To get Microsoft Update, go to the Microsoft Update website once to get the upgrade, then return to the Microsoft Update site to see what Service Packs and other updates are available for your Microsoft software.

    Microsoft Update will update more of your Microsoft software (Office, for example) than the stock Windows Update does.

  4. Eliminate unnecessary "attack surface" by uninstalling software you don't need

    The bad guys can't exploit something that isn't there, so uninstall software you don't use, by going to Start > Control Panel > Add/Remove Programs (or just "Programs" on Vista and Windows 7 systems). Media players such as QuickTime and RealPlayer, instant-messaging and VOIP programs, email programs, web browsers, Sun Java and other widely-used software are often exploited by the bad guys. With unused software removed, your system will have more disk space and may run faster, too.


  5. Keep your other software up-to-date

    Use Secunia's free Personal Software Inspector at least once a month. Secunia's statistics show that 98% of the systems checked with PSI are missing some security updates, so this is definitely worth your time.

    Statistically, less than 2% of Secunia's users are already fully up-to-date on the first try. How about you?


  6. Fully enable your computer's Data Execution Prevention feature

    You can reach this setting by right-clicking My Computer on the desktop or the Start menu, choosing Properties (and then clicking System Protection if you have Windows Vista or 7), and then doing what's shown in this picture. If a program is terminated by Data Execution Prevention, you'll see an alert that says so.

    If legitimate programs consistently cause Data Execution Prevention errors, use your Administrator account to make exceptions when necessary. In the picture above, you see that I added some "problem" programs to the exception list using the Add... button.


  7. Use antivirus software

    Do install a current-generation antivirus program and keep it up-to-date. Run a full system scan every week or so. If you want a good free one, try Microsoft's own Microsoft Security Essentials.

    Don't assume that your antivirus software makes you invincible! Use the other steps in this guide to protect your computer from attacks that your antivirus software doesn't recognize.


  8. Disable or restrict AutoPlay

    Your computer might be attacked automatically if someone connects an infected portable device to it. For example:

    • USB thumb drives / flash drives
    • memory cards
    • CD or DVD discs
    • external hard drives
    • digital picture frames
    • MP3 players
    • other USB and Firewire devices that can store data

    To eliminate this method of attack, disable or restrict AutoPlay. If you use Windows XP or Vista, then also apply this new security update that gives them the same AutoPlay behavior as Windows 7.


  9. Don't be fooled into running a Trojan Horse program on your computer

    When you download and install software, you are lowering your own defenses and putting yourself at the mercy of the software's author. Don't do this lightly, because the bad guys will be happy to bypass all your security measures with a Trojan Horse attack, targeting you as the weak point in the computer's defenses. Do not expect your antivirus software to detect all Trojan Horse programs; that is not realistic thinking.

    One common Trojan Horse attack is a web page that claims you need to download something before you can watch a video or view a picture (see the example picture below). They might claim you need a codec, a Flash Player update, an ActiveX update, etc. Are you going to take that bait?

    This is a trap!

    Absolutely do not mess around with warez (illegal software), key generators, cracks, or any executable files you got from a P2P / file-sharing network; these are extreme risks. Also avoid websites that feature warez, serials, cracks or pornography, because those categories of websites are most likely to have malicious exploits built into them.


  10. Phishing: recognize fake emails and websites that try to steal your information

    User education is the best defense against phishing. One common phishing technique is to send you an email claiming to be from a website like PayPal or EBay, Facebook, MySpace, or perhaps the IRS, Steam, or World Of Warcraft. The email contains a link to a faked version of the real website, where they hope you'll enter your log-in credentials or other private information, before you discover it's not the real website.

    • Be skeptical: Don't take any email at face value, no matter how official it looks. You should fully expect the scammers to send you authentic-looking emails posing as the Better Business Bureau, World Of Warcraft, Steam, MySpace, Facebook, the FBI, the IRS, PayPal, EBay, your bank, your credit-card company, your Internet provider, your retirement fund, etc.

    • Don't click links in emails: If you get an email containing a clickable link, don't click the link. Open a new Web browser and manually type in the real address of any site you need to visit.

    • Don't be flustered by an urgent "call to action": Phishing emails often contain some sort of urgent language, to get an immediate reaction. For example, they might claim that your account has been suspended. Again, be skeptical, and don't take them at face value. If there's any doubt, then open a separate web browser, go to the real website by manually typing the address, and verify any claims for yourself.

    • Display email as plain text: If you use an email program like Outlook Express, Outlook, Thunderbird or Windows Mail to view email, set it to display email as plain text (see the program's Help file if necessary). Email won't look as pretty, but it unmasks faked links and content.


  11. Scareware: recognize fraudulent "security" websites and fake "security scanner" rip-offs

    Sooner or later, it's likely that you'll encounter a scam website that makes hysterical claims that your computer is infected, and that you need to run their "scanner" to fix it. These scams are often accompanied by a slick-looking animated "scanner" that reports fictional "infections." Invariably, the victim is asked to pay money to register the bogus "scanner," so it can remove the fictional "infections."

    The bad guys create new versions of these scams every day, and they're cleverly made. Your first response should be to press CTRL ALT DEL, start Task Manager, go to the Processes tab, click on your web browser's process, and click END TASK to terminate the browser. The picture below shows why: it's a web page designed to look like your own My Computer window. Closing your browser ensures you're not being fooled by these types of tactics.

    Above: one example of a fake "security scanner" website that is designed to fool, alarm, and defraud people. There are endless variants of these. This particular scam website is cleverly designed to look like your "My Computer" window, but it's all just an animated picture. I recorded a live demonstration of that site on YouTube, too. Check it out : )

    These frauds may also make a special effort to look like a genuine Microsoft Security Center (check out this blog post at Microsoft for some pictures of a faked Security Center), or they borrow color schemes, wording, icons and logos from well-recognized brands like Symantec and Microsoft. Expect these tactics. Don't be alarmed. Close the website using Task Manager... do you remember how, without looking up the page for the instructions? Try it right now.


  12. Back up your data!

    If your computer died RIGHT NOW, or malware deleted important files, do you have a backup copy of your important stuff?

    Well, do you?

    Be wise. Establish a backup system, such as an external hard drive, and use it.

    What's a suggested backup software?

    1. The simplest option is to copy your important files to a backup drive manually, using Windows Explorer.

      • For Windows Vista or Windows 7, go to C:\Users\ and copy the folder that belongs to your user account.
      • For Windows XP or Windows 2000, go to C:\Documents and Settings and copy the folder that belongs to your user account.

      These "profile" folders contain the Documents, Pictures, Videos, Favorites, Downloads and Desktop folders for each individual user account. If you have additional files in other locations, don't forget to back them up too.

    2. The free Microsoft SyncToy is another option for Windows XP and Vista. First install the .NET 2.0 Framework, then install SyncToy. You tell SyncToy what folders you want to back up, and it can create and maintain a copy of them on another drive.

    3. Many versions of Windows have a built-in Backup utility (Windows XP Home Edition does not have it, however). Go to Start > All Programs > Accessories > System Tools > Backup.

    4. Acronis TrueImage Home is a good commercial backup program, if you're looking for something deluxe.
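    As an added example of option 1 above (not code from the guide), this script copies your profile folder to an external drive with robocopy, which is built into Vista and 7 (XP users can get it with the Windows Resource Kit Tools). The drive letter E: and the Backup folder are assumptions; change them to match your backup drive.

```powershell
# Added example (not from the guide). Run as the user whose profile you are backing up.
$source = $env:USERPROFILE              # C:\Users\<you> or C:\Documents and Settings\<you>
$dest   = "E:\Backup\$env:USERNAME"     # assumed: E: is the external backup drive
$log    = "E:\Backup\backup-$env:USERNAME.log"

if (-not (Test-Path 'E:\')) { throw 'Backup drive E: is not connected.' }

# Dry run first: /L lists what would be copied or deleted without touching
# anything. Read the summary at the end before running the real copy.
robocopy $source $dest /MIR /XJ /L /NP | Select-Object -Last 12

# /MIR      mirror the tree. Files you delete at home get deleted in the backup
#           too, so a mirror is not version history; keep an older copy as well.
# /XJ       skip junction points. Vista/7 profiles contain junctions such as
#           "Application Data" that would otherwise be copied forever.
# /R:1 /W:1 retry once, wait one second, so locked files are skipped, not stalled.
# /XF       skip the registry hives, which are always locked while you are logged on.
robocopy $source $dest /MIR /XJ /R:1 /W:1 /XF 'ntuser.dat*' 'UsrClass.dat*' "/LOG+:$log" /TEE /NP

# robocopy exit codes: 0-7 mean success (the bits just say what was copied or
# removed); 8 and above mean at least one file failed. Check it every time.
if ($LASTEXITCODE -ge 8) { "Some files were NOT copied; see $log" }
else                     { "Backup finished OK; log written to $log" }
```

    Keep the log: when a file is missing from the backup months later, the log tells you whether it was ever copied, and a backup you have never restored from is a backup you have never tested, so try restoring a file from E:\Backup once in a while.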


  13. Windows Vista and Windows XP users: upgrade to Internet Explorer 8

    You might use a different web browser if you prefer, but you should still update your system by installing Internet Explorer 8 in place of Internet Explorer 7 or 6. You can download it from this page.


  14. Windows Vista and Windows 7 users: don't disable UAC (User Account Control)

    Some of the best security enhancements in Windows Vista depend on the User Account Control (UAC) system. If you disable UAC, you lose more than just the Continue / Cancel prompts that some people find bothersome; you're also losing file-system & Registry virtualization and Protected Mode.

    Tip: if you have issues creating or modifying files and folders, causing repeated UAC prompts, ask at a Forum for help adjusting the file-system permissions to actually fix the underlying issue.


  15. Windows Vista and Windows 7: enable a protective feature called SEHOP

    After installing Service Pack 1 on Windows Vista, or on any version of Windows 7, you can enable a new security option called Structured Exception Handling Overwrite Protection. See Microsoft's instructions on how to enable and disable SEHOP. If this causes problems with your software, you can disable SEHOP again.
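    The script below is an added example, not code from the guide, that checks and optionally applies three of the settings from items 6, 8 and 15 above: full Data Execution Prevention, AutoRun disabled for every drive type, and SEHOP. It assumes Windows Vista SP1 or Windows 7 and an Administrator prompt; XP keeps its DEP policy in boot.ini (/noexecute=OptOut) and has no SEHOP, so only the AutoRun part applies there. Without the -Apply switch it only reports; reboot after applying.

```powershell
# Added example (not from the guide). Save as Check-Hardening.ps1 and run from an
# elevated prompt; add -Apply to change settings instead of just reporting them.
param([switch]$Apply)

# Helpers: read a DWORD ($null if the key or value is absent) and write one.
function Get-RegDword($path, $name) {
    try { (Get-ItemProperty -Path $path -Name $name -ErrorAction Stop).$name }
    catch { $null }
}
function Set-RegDword($path, $name, $value) {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $name -Value $value -Type DWord
}

# 1. DEP (item 6). SupportPolicy 3 = OptOut: all programs except the exception
#    list, which is the "fully enabled" choice in the guide. 2 = OptIn (Windows
#    programs only, the default), 1 = AlwaysOn, 0 = AlwaysOff.
$os = Get-WmiObject Win32_OperatingSystem
"DEP supported by this CPU: $($os.DataExecutionPrevention_Available)"
"DEP policy: $($os.DataExecutionPrevention_SupportPolicy) (want 3 = OptOut)"
if ($Apply -and $os.DataExecutionPrevention_SupportPolicy -ne 3) {
    bcdedit /set '{current}' nx OptOut
}

# 2. AutoRun (item 8). NoDriveTypeAutoRun is a bitmask of drive types to ignore;
#    0xFF (255) covers all of them: removable, fixed, network, CD/DVD and RAM disk.
$arPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ar = Get-RegDword $arPath 'NoDriveTypeAutoRun'
"NoDriveTypeAutoRun: $ar (want 255 = all drive types)"
if ($Apply -and $ar -ne 255) { Set-RegDword $arPath 'NoDriveTypeAutoRun' 255 }

# 3. SEHOP (item 15). DisableExceptionChainValidation 0 = protection on for every
#    process; the client editions of Vista SP1 and 7 ship with it off (absent or 1).
$sehopPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
$sehop = Get-RegDword $sehopPath 'DisableExceptionChainValidation'
"DisableExceptionChainValidation: $sehop (want 0 = SEHOP on)"
if ($Apply -and $sehop -ne 0) { Set-RegDword $sehopPath 'DisableExceptionChainValidation' 0 }
```

    Run it once without -Apply to see where you stand, once with -Apply, reboot, and run it a third time to confirm all three lines now report the wanted value. If a program breaks after enabling SEHOP, setting DisableExceptionChainValidation back to 1 undoes that step without touching the other two.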


  16. Advanced users: use Software Restriction Policy

    Software Restriction Policy works great when combined with a non-Administrator account. You can use Software Restriction Policy if you have any of these Windows versions:

    • Windows Vista Business, Ultimate, or Enterprise
    • Windows XP Professional, or Media Center Edition
    • Windows 7 Professional, Ultimate, or Enterprise

    Software Restriction Policy is only suggested for advanced users because it does introduce some complications, and can require troubleshooting to overcome them.


Browser security: what about alternate Web browsers? whoa, he's writin' an essay! :o

Use an alternate browser instead of Internet Explorer if you prefer, but don't make it your answer to security. All web browsers, and their add-ons and plug-ins, will always have exploitable security vulnerabilities. The first step in browser security is not to trade one set of browser vulnerabilities for another set, but rather to put ALL of them into a cage, by depriving the browser of Administrator-level privileges at a minimum.

The second step to browser security is still not to trade one set of browser vulnerabilities for another set... it's to make sure your browser add-ons / plug-ins are up-to-date. A perfectly-secure browser can still be used to exploit a vulnerable version of Flash Player, QuickTime Player, etc. Browser extensions are the big "attack surface" today, not the browser itself. This was brilliantly demonstrated by Flash-driven "clipboard hijacking" attacks in 2008 that worked on Linux, Mac and Windows, regardless of the web browser.

On Windows Vista and Windows 7, Internet Explorer enjoys security tweaks you won't get with any other web browser, and they cover both the browser and the add-ons, so Internet Explorer is an especially desirable browser on Vista and Windows 7 systems. In my opinion as an experienced malware hunter, this sets a new standard for browser security on Windows systems. Your move.

Internet Explorer runs in Protected Mode by default on Windows Vista. For more information on Protected Mode, try this moderately-technical TechNet article.

Windows Vista and Windows 7 run Internet Explorer at the lowest Integrity level available, as an additional proactive damage-containment countermeasure. If you're interested in Windows Integrity Control, see this 2-page article at SecurityFocus.

Advanced countermeasures: preventing malicious scripts, Java applets, and ActiveX controls from running

Security-oriented users of the Firefox web browser like the NoScript extension to limit script execution to just "approved" websites. That's definitely a meaningful reduction in "attack surface," and Internet Explorer has actually had that capability since IE 5.01, released about ten years ago. If you'd like to try it out, here's a narrated YouTube video showing how to implement that restriction by using Internet Explorer's security Zones. It's not without its hassles, but that's true of any type of "whitelisting."

In addition to selectively disabling Javascript / active scripting as shown in the video, you can also use the Zones to selectively disable ActiveX and Java applets (Java is different than Javascript). If you have Internet Explorer 7 or 8, ActiveX is already disabled for all ActiveX controls except the ones you've "opted in" yourself; look up "ActiveX opt-in" for more information on how that works.

Remember that legitimate mainstream websites are routinely hacked, so don't assume that these techniques protect you from all scripted attacks. But whether you prefer Internet Explorer or some other browser, restricting Javascript, Java applets and ActiveX controls to just a whitelist of trusted sites is certainly a security enhancement, if you can live with the maintenance of it.

Why don't you list any antispyware programs? Every other security guide seems to list three or four!

If you use the layered defense I've shown above, starting with a non-Administrator user account, then it's extremely unlikely that you'd need antispyware programs. If you want to install some anyway, here are some reputable free ones. Do note that the techniques used to "immunize" web browsers can cause them to be slower.

Eliminating tracking cookies

Anti-spyware software and some antivirus software will detect "tracking cookies." They're not dangerous, but you can almost completely eliminate tracking cookies by disabling third-party cookies in your Web browser. In Internet Explorer, click Tools > Internet Options, set the slider to Medium-high, and then click the Advanced button on the Privacy tab. Firefox and other browsers can also block third-party cookies. I haven't found any drawback to this.

I heard the Windows Firewall isn't very good

For the purpose of keeping other computers (even those sharing your router) from attacking your own computer, it's fine. Windows won't let your non-Administrator account (or something exploiting your non-Administrator account) mess with the Windows Firewall settings either, making it especially tamper-resistant.

Some people want a "two-way" firewall that'll ask them before letting a program use the Internet connection, but these historically have been easy to fool, so I wouldn't place too much confidence in that capability. I use the Windows Firewall and simply maintain tight control of what's on the computer in the first place.

OK, I admit it... I browse risky websites. Any tips?

In addition to the other steps listed above, create a separate non-Administrator user account just for high-risk usage. Edit the file-system security on your storage drives so this account doesn't have access to them. If something does get control of the account, it won't be able to get at your important files to delete them, encrypt them to hold for ransom, or steal copies of them. When I hunt malware in the wild, I do so from a separate non-Administrator account named "Malware Research." Again, if you have Windows Vista or Windows 7, this is a great use for Internet Explorer in Protected Mode (which is the default setting).
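As an added example (not code from the guide), here is how the file-system restriction described above can be set from the command line on Vista or 7 with icacls: a separate standard account gets an explicit Deny entry on your data folders, so a compromise of that account cannot read, encrypt or delete them. The account name follows the guide's "Malware Research"; the folder paths are assumptions. XP has cacls instead, with different syntax.

```powershell
# Added example (not from the guide). Run from an elevated prompt.
$riskAccount = 'Malware Research'                  # name used in the guide; pick your own
$dataFolders = @('D:\Documents', 'D:\Photos')      # assumed locations of your own files

# Create the high-risk account as a standard user if it does not exist yet
# ('*' prompts for the password). Do NOT add it to Administrators.
if (-not (net user $riskAccount 2>$null)) {
    net user $riskAccount '*' /add
}

foreach ($folder in $dataFolders) {
    if (-not (Test-Path $folder)) { "Skipping $folder (not found)"; continue }

    # Explicit Deny for the account, inherited by subfolders (CI) and files (OI).
    # A Deny entry wins over any Allow the account inherits through the Users
    # group, which is why simply not granting access is not enough. Apply this
    # to data folders only, never to C:\, or the account cannot log on.
    icacls $folder /deny "${riskAccount}:(OI)(CI)F"

    # Print the resulting ACL so you can confirm the Deny line is present.
    icacls $folder
}

# To verify: log on as the high-risk account and run  dir D:\Documents
# The expected result is "Access is denied".
```

Remember that the restriction only protects what is behind it: files you copy to that account's own Desktop or Downloads folder are fair game for anything running there, so treat that profile as disposable.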

Anything else?

Since this is a guide to building a new computer, I strongly suggest getting a 64-bit CPU and a 64-bit version of Windows Vista or Windows 7. Vista and 7 are substantially more secure than Windows XP by design, and the 64-bit versions are the most secure of all. See the previous page for information on Vista or 7.

