The 6 Best Ways to Secure Windows

Introduction
Step 1. Install Windows updates automatically
Step 2. Make your primary account a limited user account
Step 3. Use Firefox with the NoScript extension
Step 4. Read up on social engineering and how to avoid being the victim of it
Step 5. Do not pirate software, music, or movies
Step 6. Avoid all “antivirus” or “security suite” software

Introduction

Out of the top three consumer-oriented software platforms (Windows, Mac OS X, various Linux distributions), Windows is my least favorite operating system, but I’m no Windows hater. A lot of times I hear Mac and Linux users saying they switched because they were tired of viruses and malware in Windows.

While it’s true that Mac OS X and most Linux distros make it easy to keep your operating system secure with their default settings, you can make Windows just as secure, and that’s what this six-step guide is for.

If you follow these instructions carefully, you should pretty much never get malware (spyware, adware, viruses, trojans, rogue viruses, worms) in Windows.

The screenshots use Windows 7, but the same principles apply to Windows Vista and Windows XP as well. The steps may just be slightly different (especially for Windows XP). If you’re still using Windows 98, pay for an upgrade to Windows 7; or if you’re too cheap for that, just switch to Linux. There’s almost nothing Windows 98 can do that Linux can’t, and Windows 98 no longer receives security updates (it also has no limited user accounts).

You can click on the screenshot thumbnails if you want to see larger versions.

Step 1. Install Windows updates automatically

In early 2009, there was a lot of paranoia about the Conficker worm, which was supposedly going to do scary things and which had already infected 10 million computers. Which users had to worry about Conficker? The Windows users who did not install Windows updates. A full month before that iteration of Conficker became active, Microsoft had already released a patch for the flaw Conficker exploited.

Windows Updates can be just annoying prompts to install a new version of “Windows Genuine Advantage.” More often than not, though, they are actual security updates that patch flaws and security holes in the Windows operating system. It is a good idea to set these updates to install regularly.


Go to the Start Menu > Control Panel > System and Security


Then under Windows Update, select Turn automatic updating on or off


Make sure updates are set to install automatically. Then click OK.

Step 2. Make your primary account a limited user account

Have you ever had your Windows installation infected so thoroughly (registry, dlls, startup programs, other system files) that it was apparent it would take less time to reinstall Windows than it would to try to clean out all the malware that destroyed Windows? Are you kicking yourself because the infection came through one or two clicks of the mouse?

Well, that’s because Windows, by default, makes the primary user a full system administrator. In newer versions (Windows Vista and Windows 7), there is something called User Account Control. It’s that annoying “Are you sure? Are you sure?” prompt you get that you end up conditioning yourself to always click “Yes” to.

By using primarily a limited user account, you can feel free to click on what you want and not worry about infecting system files. When you want to finally install software, you can do so by temporarily authenticating as the administrator account.

First, we’re going to create a new administrator account.


Under System and Security in the Control Panel, select User Accounts and Family Safety and then Add or remove user accounts


This is that annoying User Account Control prompt I was talking about before. Click Yes.


Click Create a new account and then make sure the new account is going to be an Administrator account and click Create Account.

With the soon-to-be-regular account called Susan, I’m going to be naming the new administrator account SuperSusan so I know it’s a special account I shouldn’t be using on a regular basis.

And, by the way, even Microsoft recommends you use a standard (or limited) user account. You can click on Why is a standard account recommended? for more details about that.


Now click on the newly-created administrator account name and then select Create password


Make sure your password for this new account is significantly complicated. It should contain no dictionary words or personally identifiable information (birthdays, social security numbers). It should have numbers, lowercase letters, uppercase letters, and punctuation in it, though.

So you don’t forget your password, go ahead and write it down on a sticky note somewhere near your computer. The greatest threat to your security is an online threat, not another family member. Besides, anyone with physical access to your computer and a little know-how can easily reset your password, anyway.

When you’re done, click Create password


Log out of your normal user account and log in as the new administrator account. It is not enough to switch users in this case. Make sure you properly log off.


Go to Start Menu > Control Panel > User Accounts and Family Safety > User Accounts


Click on Manage another account


Click Yes and then select your normal user account


Click Change the account type, select Standard user (also known as a “limited user”), and then click Change Account Type.


Log out of the administrator account and log back into your normal (now standard or limited) user account. You should never have to log in as the administrator directly again.

Step 3. Use Firefox with the NoScript extension

I see a lot of confused Windows users wondering which web browser is “the safest.” Is it Opera? Is it Chrome? Is it Firefox? Internet Explorer? Safari?

The truth is that if you use any modern web browser with its default settings, they’re all about the same in terms of safety. They all have pop-up blockers that block 95% of pop-ups. They all have warnings about potential spoofing websites. They all get regular security updates when flaws are discovered, and every browser has flaws. There is no perpetually invincible web browser.

If you use Firefox in combination with the NoScript extension, that’s about as secure as you’re going to get, though, since NoScript by default blocks JavaScript, Flash, and just about everything else interactive on websites unless you explicitly whitelist specific sites.

Think of your computer as an exclusive nightclub. Do you think it’s easier to secure your party by having a bouncer outside the club who screens all incoming guests, or by allowing anyone inside the club and then having bouncers inside trying to drag people out? Well, NoScript is your bouncer outsider. It’ll block everything, and then it’s up to you to let trusted websites in on a case-by-case basis.


To install NoScript, in Firefox, go to Tools > Add-ons and then click on Get Add-ons and then Browse All Add-ons


You’ll be taken to the Mozilla add-ons website. Search for noscript.


Once you’ve found it, click on Add to Firefox and then Install Now (after a three-second delay, the button will appear as clickable).


You’ll be prompted to restart Firefox to activate the NoScript extension. Go ahead and restart Firefox.


Now you’re web browser is as secure as possible. Of course, this may seem annoying at first.

Convenience and security are always at odds. It may be convenient to have thousands of dollars of cash on you at all times, because it’s always easily accessible, but if you get mugged or pickpocketed then all of your money is gone. It’s slightly less convenient to keep most of your money in a bank, but it’s a lot safer in the bank (and also insured up to a certain amount, in case the bank gets robbed).

For the first two weeks you use NoScript, it may seem pointless. It may seem as if you’re just whitelisting every single site you visit. Don’t give up. After a while, you’ll realize you’ve whitelisted just about every site you do visit regularly, and then you can spend a lot less time whitelisting (or keeping blacklisted) potentially shady websites you stumble upon on a less regular basis.

Step 4. Read up on social engineering and how to avoid being the victim of it

Have you ever heard the term trojan virus, gotten scared, and thought “I hope I never get one of those”?

Well, the good news is that you don’t ever have to get a trojan. Trojans don’t just happen. You choose to install them yourself. Trojans are becoming increasingly the most popular kind of malware, and they can thrive on any operating sytem (Windows, Mac, Linux), because they exploit a security flaw the operating systems cannot patch—the user.

That’s you. You are potentially the biggest security hole for your computing experience.

Trojans and phishing scams rely on something called social engineering, which is just a fancy term for tricking someone into lowering security guards.

It can be someone calling up and pretending to be your IT support department in order to get your password. It can be someone pretending to be your bank to get your private personal information. It can be a pop-up window pretending to be an antivirus scanner that’s found malware on your computer (and if you pay the scammers $50, they’ll remove the non-existent malware for you… or actually install real malware now that you’ve been tricked into installing it).

You wouldn’t hand your car keys over to fake valet. Don’t hand over the keys to your computer to a fake… anything (fake pirated commercial program, fake warning about malware, fake credit card company request for information verification).


Do yourself a favor. The absolute most important step to take in securing your computer is making yourself an educated user. Google the term social engineering and read the first ten results of that search thoroughly.

Step 5. Do not pirate software, music, or movies

I’m not saying if you pirate software, music, and movies that you will definitely contract malware, but by not pirating all that stuff, you lower your chances significantly of installing a trojan or some other kind of malware.

If you’re hard up for cash, the best way to look for trustworthy free stuff is to look for open source stuff.

The website Open Source Windows has lots of great free (and malware-free) software. No pop-ups. No trial periods. No scams. No activation keys. No exhorbitant costs.

You can also find some more-obscure open source projects at Source Forge.


Here’s an example of installing an open source instant messaging client.


Note that for the script that automatically starts downloading the file (without manually clicking the download link), you’ll have to whitelist the site from the NoScript icon. You’ll also have to do this the first time you watch a video at YouTube or Hulu or the first time you try to book airline tickets on a site like Expedia or Priceline.


Once you’ve saved the file to your downloads folder, in order to install it—now that you’re a standard (or limited) user—you’ll have to right-click the file and select Run as administrator


You’ll then be prompted for the super-user or administrator’s password you set earlier. Enter that and you can continue.

In addition to open source software, there are also writings, pictures, and music released under freer-than-traditional-copyright licenses. You can find more information about this at Creative Commons.

There’s also free (and legal) music at Jamendo. Really, though, if you need commercial music, Amazon’s MP3 store has reasonable prices, and even several hundred free sample tracks.

Step 6. Avoid all “antivirus” or “security suite” software

Although this doesn’t directly make your Windows installation more secure, it is a good idea for several reasons:

  • If you already have solid security in place, pretend security (Norton, McAfee, AVG, Avast, MalwareBytes, Kapersky, etc.) just takes up extra hard drive space and sometimes extra system resources. This means you have less storage space for your actual files (music, movies, documents, pictures). It can also mean your computer doesn’t run as fast as it would otherwise.
  • So-called antivirus and antispyware programs encourage complacency. Rather than being proactive about security by locking down the system and educating the user on how to avoid social engineering–based attacks, these placebos make people think they’re “protected” while wasting space, resources, and possibly money.
  • If you constantly rely on these security suites to protect you, you’re more likely to fall for rogue viruses pretending to be antivirus scans.
  • There are two ways antimalware tries to protect you—by keeping a list of known offenders and comparing files to that known list, and by trying to guess what might be an offending file or application. The list of known offenders can never keep up with actual new offenders. And guesses lead to a lot of false positives, making users unnecessarily paranoid (about tracking cookies, for example).

Of course there are always folks who will say “But I want to just run it just in case….” In this case, there is no just in case. If you follow all five of the previous steps carefully, antivirus will do nothing to protect you. And if you refuse to follow all five of the previous steps carefully, antivirus will also do nothing to protect you.

It would be like a soldier suiting up with heavy armor and kevlar and then adding a razor-thin layer of tissue to the top as “just in case” protection against bullets. If you have armor and kevlar, that’s the best protection you have against bullets. The tissue won’t be offering additional protection. And if you don’t have the armor and kevlar, again the tissue won’t offer additional protection.

The armor and kevlar in this analogy are the first five steps in this tutorial. The tissue is “antivirus” software, security suites, and all that other garbage that offers you no protection.

Hopefully you’ve found this tutorial helpful. As you can see, security woes are no reason to switch away from Windows. If you have a genuine interest in exploring Mac OS X or Linux, though, I think you’ll find them both rewarding computing experiences in their own respective ways.

19 thoughts on “The 6 Best Ways to Secure Windows”

  1. Yes! Someone else who says no to antivirus. Being relatively computer-savy I never felt a big need for antivirus. Recently when an antivirus program was being even more of a nuisance than usual, I realized education is far, far better than so-called security software.

  2. “Step 1. Install Windows updates automatically”
    Agreed on this. For other people’s computers, I usually set it up to install automatically. On mine, I just download automatically and choose when to install. I do that because Windows has the hideous habit of just going ahead and rebooting the computer for you without asking when you have it set to automatically install them. What terrible behavior.

    “Step 2. Make your primary account a limited user account”
    Tried this on XP and it was miserable. That OS is just not at all designed to handle that, and I went back to a full administrator account, despite knowing full well how bad that is. This is actually doable on Vista (and Windows 7) though, and that’s how I have my Vista install set up. For all its faults, at least that is a big step in the right direction. Of course, the UAC prompts are annoying and poorly implemented compared to using sudo in OS X or Ubuntu, plus they’ve predictably gone and broken it in Windows 7. Oh well.

    “Step 3. Use Firefox with the NoScript extension”
    I do this, but I would only subject someone I was setting a computer up for if I wanted them to run screaming back to IE. I’ve had great success converting non-geek computer people to Firefox, but I have no doubt that NoScript would be a dealbreaker. Which is a shame, because it is a great extension, and it does make things a lot safer. But FlashBlock is about where I draw the line as far as difficulty of use in extensions I set up for people’s Firefox installs.

    “Step 4. Read up on social engineering and how to avoid being the victim of it”
    Yes to this, a million times yes.

    “Step 5. Do not pirate software, music, or movies”
    Ditto my comment for step 4.

    “Step 6. Avoid all ‘antivirus’ or ‘security suite’ software”
    Eh, I’d still rather see A/V running. I’ve seen things slip through on computers running these precautions. And if you can’t run all of them (because of the problem with running XP as a limited user, for example, or reluctance to deal with NoScript) it does offer some protection. Yes, it can only do so much to protect you against new stuff, but the old stuff still circulates around, and I’ve seen things get onto pretty well-maintained and secure machines. There’s free A/V out there that’s pretty well-behaved and doesn’t give a big performance hit (I use Avira Antivir personally) so I think it’s worth it.

  3. The thing with UAC is that, if you install some program on a non-admin account, you have to type the admin password. And that will force the program to put some its data to the apps data folder within the admin account folder, thus it will require admin rights ever after. Take this as an example(I know, it’s silly, but it’s a example): I install Visual studio 2008, then install dark gdk. Of course, all the thing I did on a non-admin and was forced to typed the password. Then, I run VS, just to realise that the new content wasn’t there. I have to log into the admin account to use it. But then, part of dark gdk was in non-admin account, and another was in admin account, thus the whole thing break down. And VS is something you can only install once in a lifetime(of a OS), so to actually work with it, I have to re-install the whole system, and go back to use the admin account. Bravo, M$.

  4. I once bought anti virus software after getting a virus from a duke nukem map… Needless to say the 60 dollar software did nothing to fix my virus and did nothing to prevent the next one I got from a windows vulnerability. Virus scanners are well packaged scams.

  5. If you’re going to promote not using anti-virus, you ought to tell the user to disable all Windows’ “auto-run” capabilities – anti-virus is very useful for preventing you picking up a virus/trojan from shared media on a CD-ROM or USB key (the latter is especially important at the moment!). Or only share documents/files with people who are equally computer savvy and have sufficient protections.

    I advise using antivirus to protect you from MS Word macro viruses, and other such thing which you are likely to come across during a standard working day under Windows. Sure, you could use OpenOffice for that particular threat, but what if you need the macros for work…?

    AVG has prevented my wife’s laptop from contracting a virus from a shared USB key before from a school laptop.

    Personally, I avoid using Windows as much as possible, I only use it for testing website designs under IE6/7/8 and for playing rented Blu-Rays/HD-DVDs or legitimately purchased games.

  6. I totally agree with having no anti-virus. It just slows down your computer. After all, prevention is better than cure.

    What I don’t agree with is step 5. A pirate myself, I can’t deny doing that. However, you’ll stay safe as long as you DL from reputable sources like private torrent trackers.

  7. I would propose that step #6 is a subset of step # 4. Anti-virus has become an attractive revenue stream for many, so therefore the culture of “fear” is necessary in order to continue its growth.

    By understanding that even “reputable” commercial software firms are motivated to make consumers think that there is a threat, it is reasonable to be suspicious of the real need for their AV applications.

  8. Well I agree with everything except I don’t think UAC is annoying at least not annoying as having to put your password in every time you need root permission. Honestly whats the difference at least in terms of annoying.

  9. this article is stupid saying you don’t need antivirus/firewall software the steps above will make your pc safer it defiantly doesn’t make it completely secure. user’s using a standard account no problem just find an exploit to escalate privileges there plenty to choose from. users using noscript then place malware on a popular website that users need to use javascript to use correctly or use other means like email/msn for example.
    also UAC = annoying pop up (microsoft like popups)an annoying sound a greyed out screen root = just entering a password in the console no popup or annoying sounds so uac is more annoying than root

  10. saying that people don’t need antivirus is really not a good advice for the masses and for people looking for a way to secure Windows as this article suggests. It is true that you can be pretty safe if you follow good practices and surfing habits. However, it could be VERY hard to convince ALL users to leave an antivirus behind and just surf the web following common sense.
    From a business perspective, I would NEVER tell my customers not to run any antivirus software on their pc’s and just browse ‘safe’ websites. That would NEVER work. They would be back to my shop in no time full of rogues, trojans and spyware in general.
    And as for AV making your PC’s slower…Perhaps if you run Norton… There are dozens of good free AV altnernatives that doesn’t really slow down your pc at all. Unless you have a system from 1998.
    I agree with all your other points, but #6 is plainly WRONG.

  11. However, it could be VERY hard to convince ALL users to leave an antivirus behind and just surf the web following common sense.

    I didn’t say common sense alone will protect you. You also have to have a limited user account, install system updates regularly, and use Firefox with NoScript. If you do all that there is no way so-called “antivirus” will offer you any additional protection.

  12. The suggestion against using an AV is fine for single-user system with a smart and diligent user/owner; and it should be stated as such in this particular posting.

    Aside from this point, I generally agree with the suggestions laid down here.

    I have an AV running on my Ubuntu desktop because there is no way I can trust our employees and our students to obey these suggested rules all the time whenever they are alone with their desktops or laptops at home. Thus, their thumb drives always have to pass by me for AV scanning. Fool proof? No. But to me, a bit wiser than not having an AV at all.

  13. In Italy we say for people like you “bad master or teacher”. Psycho are you and not he cats!
    Maybe it is true or not what you say I like your advise about reading social engineering theory, I will do!
    Thanks
    Paolo

  14. I have been doing these steps for years and luckily my computers have never been infected. I do two additional steps as precautions: I point my DNS settings to OpenDNS (after creating a free account)and I also modify my host file (Windows and Ubuntu)with regular updates from http://winhelp2002.mvps.org/hosts.htm I think these two extra safeguards are really important because I feel if a computer can’t reach (if redirected) an infected or infested destination there is less chance of malware installations. This will also help as it blocks a lot of advertising which is now a source of malware.

  15. Will the steps you outlined above protect one from harmful email attachments? I’m thinking specifically about friends or family (otherwise trustworthy folks) who may have inadvertently sent something nasty to me.

    Being the prudent sort (or so I thought before reading the above), I save and scan attachments with AVG.

    Am I putting tissue on top of my kevlar?

    Thanks for the great advice above.

  16. I agree with you on the most part, but I don’t agree with “don’t pirate”. I’d say, don’t pirate games and software, and don’t pirate movies that are in .wmv format. Only music, text (just plain-text, no dynamic documents like .docx or .pdf), video, etc can be pirated without worrying about malware (of course, you still have to look out for “hawt_pr0n.wmv.exe”).

    I also don’t agree with saying “don’t use AV software period”. In today’s day and age, most computers are powerful enough to run even the most bloated AV out there (except Norton of course) relatively well. But you are right, relying on such a “miracle” solution creates bad habits. So I’d recommend installing something like Malwarebytes but NOT using scheduled scans (or with other software, real-time scans). Simply use it on-demand, so if you are downloading a pirated game that you absolutely need to have and can’t find anywhere else, but the download looks suspicious (happens to me a WHOLE lot because I love VNs), download it, and check it with AV software before running it, but STILL be suspicious of it. If it looks REALLY suspicious, install Windows without networking in VirtualBox, and run it from there.

    Another thing I’d like to add is the inherent security issues with Windows. While it’s true that you can make Windows near GNU/Linux in terms of security, you can never get completely there because of built-in security flaws in the actual NT kernel itself. 0day attacks and unpatched vulnerabilities are rampant in Windows, and well-made 0day-packed professional malware can easily be run as a limited account, even in a sandbox, and yet use a buffer overflow to get into kernel space, install a rootkit, and hide in the closed-source malware heaven that is the core of Windows. Absolutely nothing you can do can protect you from this (whereas with the Linux kernel, you can compile something like grsecurity which will give a massive increase in the natural security of the kernel). Even using Firefox with NoScript won’t give you perfect online security, because well-designed browser exploit-kits CAN bypass NoScript, although it’s pretty rare. If you wan’t 100% security while browsing, install Hardened Gentoo in VirtualBox, install Wine (with the toughest RBAC restrictions), compile DeSmuME (the Nintendo DS emulator) from source and run it in Wine, run the homebrew app DSOrganize in DeSmuME, and use DSO’s ultra-simple 1.5 MB of RAM capable web browser. ;)
    >mfw I actually did that for security for a time

Leave a Reply

Your email address will not be published. Required fields are marked *