Securing a Windows computer

I’m a Linux guy, but sometimes I’m hired to “do something” to a Windows workstation or server to make it minimally secure. Take some time with Windows to lock it down, remove the malware, and replace the insecure default applications with safer alternatives.

First, let me blow some steam: Why is it necessary to do these things? Any decent operating system comes out of the box secure and with a well stocked repository of useful and safe applications. Why then waste your time patching up a kludge like Windows?

I should also define the scope of our discussion. I here present one-off things you can do to a single computer running Windows to improve its security. I do not here consider the broader picture, but you should: router and network setup and monitoring, external firewalling, user training and monitoring, and organizational best practices are outside the scope of this article but should not be ignored.

With that out of the way, let’s get to work.

Your first step should be to confirm that the client really wants what he is asking for. Some end users self-diagnose every Windows problem as a virus infection. More than once I have been asked to “make it secure” when in fact the unstated expectation was to address recurring BSODs or improve performance. Help such clients to understand that securing a Windows box means expending additional system resources (virus scanner, malware scanner, et al.) and that this can be expected to reduce performance rather than improve it.

Next, consider whether the box might profit from formatting the disk and performing a clean install before continuing. This ensures that you are starting from a secure and stable base. Additionally, Windows becomes unstable over time, so I recommend an annual format and clean install as a preventive measure in any case. Other good candidates for formatting are older versions of Windows that will soon reach end of support, and installations of questionable origin.

Before I leave for the client’s site or touch his computer, there are a number of preparatory things I do. Some are mandatory for security reasons; other things are optional but make the job go smoother.

You really have to do at least this:

  • Everything described in the section “Just before leaving for the work site” in the virus scanning notes.
  • Download a good firewall.

It’s not obligatory, but I also like to download all the other software I plan to install (see below) before leaving my office. This lets me spend my time on site installing and configuring, not waiting for downloads. I also like to create the Registry patch described below. Then I burn all the software I’ve downloaded plus the Registry patch to a CD, which I give to the client when I finish my work.

If the client does not have a working UPS on site, bring one with you. Some of the things we’ll be doing will not recover gracefully from a power failure.

If you or the client have a storage device large enough, then use Clonezilla or another imaging tool to clone the drive before doing anything. This disk image is not for permanent archive; it’s just to save your butt if something goes horribly wrong. We’ll make an archive image when we finish.

Install an antivirus, malware scanner, and firewall. If you suspect a preexisting infection, first boot into a live system and do a first scan from there.

TODO: Provide a separate article recommending antiviruses.

For workstations, enable and run Windows Update (Control Panel – Windows Update – Change Configuration). Enable important updates and set the desired frequency (daily at noon might be a good choice for an office computer). Enable recommended updates and Microsoft Updates. Press Accept. Review the dialog window for any optional updates that need your approval and take action as appropriate.

Educate the user that even with automatic updating enabled, some updates will not be installed without explicit approval. Demonstrate how to do this (Control Panel – Windows Update) and encourage the user to periodically check.

TODO: For servers, investigate Windows Server Update Services (WSUS) to manage and distribute updates to local Windows workstations. It sounds like a good idea, but presumably requires the server to have an Internet connection, which strikes me as very dangerous. My preference is to use an external hardware firewall that completely isolates the server from the Internet.

On a workstation, make the primary user account a standard user account. Educate the user that when he attempts to perform an administrative task, the credential prompt is presented. The user must enter an administrator user name and password, and then click Yes to perform the task. Strongly discourage the user from logging in and performing routine tasks as an administrator. In an enterprise setting, the end users usually shouldn’t have the administrator password at all, only IT staff.

On Windows Vista or later, make sure User Account Control is enabled and on the highest setting for both standard users and administrators. Then do the same for any other user who will use the workstation such that every user gets his own account.

Enable the limited privilege guest account built in to Windows. Give it a simple password, or perhaps none at all. Educate the user that allowing unauthorized people to use the workstation is not a good idea, but when it is necessary then the guest account rather than the user account should be used.

A server shouldn’t be touched except to perform administrative tasks, so creating nonadministrative accounts can be skipped. A server should be in a locked room or cabinet.

With the client’s consent, disable autorun.

Remove unneeded Windows components. In Windows XP, open Control Panel – Add or Remove Programs – Add or Remove Windows Components. In Vista and 7, open Control Panel – Programs and Characteristics – Activate or Deactivate Windows Characteristics.

Disable “Hide extensions for known file types” in the Windows file explorer. In XP, this is found in Tools – Folder Options – View – Advanced Configuration. In Vista and Windows 7, see Organize – Folder and Search Options – View – Advanced Configuration. Otherwise you’ll have gullible end users double clicking on malware named “sexy_lingerie.jpg.exe”.
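To confirm that the UAC, autorun and file-extension steps above actually took effect, here is a read-only PowerShell audit. It is an added example, not part of the original notes. The function name `Test-HardeningSetting` is hypothetical, the registry values are the standard Windows ones as I know them, and the expected values encode this article's recommendations.

```powershell
# Added example: read-only audit of settings this checklist changes.
# Run as the user being checked, since HideFileExt is a per-user (HKCU) value.
# The UAC values exist only on Vista and later; on XP they report "(not set)".
$policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
$checks = @(
    @{ Name = 'Autorun disabled on all drive types'
       Path = "$policies\Explorer"
       Value = 'NoDriveTypeAutoRun'; Expected = 255 },   # 0xFF = every drive type
    @{ Name = 'UAC enabled'
       Path = "$policies\System"
       Value = 'EnableLUA'; Expected = 1 },
    @{ Name = 'UAC always notifies administrators'
       Path = "$policies\System"
       Value = 'ConsentPromptBehaviorAdmin'; Expected = 2 },
    @{ Name = 'UAC prompts on the secure desktop'
       Path = "$policies\System"
       Value = 'PromptOnSecureDesktop'; Expected = 1 },
    @{ Name = 'File extensions shown in Explorer'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Value = 'HideFileExt'; Expected = 0 }
)

function Test-HardeningSetting {
    param([hashtable]$Check)
    $valueName = $Check.Value
    $actual = $null
    # A missing key or value is a finding, not an error, so suppress the exception.
    $item = Get-ItemProperty -Path $Check.Path -Name $valueName -ErrorAction SilentlyContinue
    if ($item) { $actual = $item.$valueName }
    $shown = '(not set)'
    if ($null -ne $actual) { $shown = $actual }
    New-Object PSObject -Property @{
        Setting  = $Check.Name
        Actual   = $shown
        Expected = $Check.Expected
        Pass     = ($null -ne $actual -and $actual -eq $Check.Expected)
    }
}

$results = $checks | ForEach-Object { Test-HardeningSetting $_ }
$results | Format-Table Setting, Actual, Expected, Pass -AutoSize
# A non-zero count means at least one step needs to be revisited.
"Settings needing attention: " + @($results | Where-Object { -not $_.Pass }).Count
```

A value reported as "(not set)" means Windows is using its default for that setting, which for autorun and hidden extensions is the insecure one.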

Install and configure appropriate applications. What I install depends on the circumstances and is done in consultation with the client, but in general I recommend:

  • More secure alternatives to popular attack vectors (for example, this one)
  • Open source alternatives to closed source applications (open source tends to have a better security record)
  • Multiplatform alternatives to Windows-only applications (to minimize platform lock-in)

For workstations
For workstations I often recommend:

  • File compression utility: 7-Zip, to replace WinZip, WinRAR, et al. Open source. Once installed, run 7-Zip (in Vista and later, do this as Administrator). Open Tools – Options – System and associate all file extensions with 7-Zip.
  • Image viewer: IrfanView, to replace the shoddily written abandonware bundled with scanners and digital cameras. Proprietary; no charge for noncommercial use.
  • IM client: Pidgin, to replace Windows Live Messenger, Yahoo Messenger, et al. Open source and multiplatform. If you’re feeling helpful you might help the end user configure his accounts.
  • Media player: SMPlayer, to replace Windows Media Player. Open source and multiplatform.
  • Music player: Quod Libet, to replace WinAmp et al. Open source and multiplatform.
  • Office suite: LibreOffice, to replace Microsoft Office. Open source and multiplatform.
  • PDF viewer: Sumatra, to replace Acrobat Reader. Open source.
  • Web browser: Opera (highest security; my choice) or Firefox (open source), to replace Internet Explorer. Both multiplatform.

Make the newly installed programs the default for their type and associate them with their respective file extensions. In Windows XP, this is found in Control Panel – Add or Remove Programs – Configure Access and Default Programs, and choose the Personalized configuration. In Vista and later, this is found in Control Panel – Default Programs. Go through the sections in turn. In the section “Change configuration of autorun”, ensure that the action for software and games is set to anything except install or run.

Once the new applications have been installed, consider what to do about the old applications. Insecure code left on the machine is a security risk even if the end user does not open the application, so ideally it should be removed. However, users need time to learn a new application and quite reasonably want the old one to be available as a fallback in the meantime. For this reason I usually limit myself to educating the client about the security implications of applications and encourage him to later remove anything no longer used.

Remove all unused or otherwise unneeded applications. On Windows 8, this includes Windows Store apps.

For servers
Servers are a special case. The best thing to do is obtain the client’s authorization to remove all applications and services not absolutely needed. A server should have no desktop applications whatsoever, and have only those services needed.

Once you’ve finished installing, removing, and tightening applications, then install Secunia PSI to automatically update applications.

On Windows 8, have Windows Store apps automatically update themselves. My experience is that automatic updating isn’t very reliable and you’ll have to periodically check and manually update them in any case.

Review relevant logs for issues to resolve.

Lock down Internet Explorer.

In the Windows file explorer, right-click on the main hard disk (e.g. C:) and select Properties. In the General tab, press “Free up space” and select any appropriate options. In the Tools tab, run “Check for errors” and “Defragment”. Repeat these steps for all other local hard disks.

Run BleachBit or another system cleaner.

If the client doesn’t already have a preferred backup system, I recommend SpiderOak. Online backup is often the best method, but there are also old-school local backup options.

Make another disk image. Unlike the first, this one should be given to the client and saved indefinitely as a “restore system” image.

Inform the client that the box is now reasonably secure but to keep it so will require periodic attention. Some clients will prefer to enter into a service agreement with you and have you perform these checks.

Now that your client has a disk image of a secure system and recent backups of all user files, he is protected. When disaster strikes, simply restore the disk image and the latest clean backup, and be fully recovered in less than an hour.

These notes refer to Windows XP, Vista, Seven, and Eight, and were last updated 26 January 2014.

Secunia product advisories: Click on the first letter of the name of the vendor, then find the product of interest
Why Windows is a Security Nightmare

Clean install
Blowing away bloatware is written from the perspective of removing bloatware from a newly purchased name brand computer, but is a good guide to performing a clean install of Windows generally.

Application software for Windows
KDE on Windows Project
Many official Gnome projects have Windows ports; see the relevant project site. My experience with their Windows ports has been spotty, however.

Update management, security patches, and software licensing issues
Windows Update Explained (Microsoft publication, docx format)
Windows Genuine Disadvantage (Security Focus column)
Microsoft responds on patches to Windows users
Microsoft Security Update Guide (Microsoft publication, PDF format)

User Account Best Practices
User Account Control in Windows 7 Best Practices (Microsoft TechNet)

About Warren Post

So far: Customer support guy, jungle guide, IT consultant, beach bum, entrepreneur, teacher, diplomat, over-enthusiastic cyclist. Tomorrow: who knows?

5 Responses to Securing a Windows computer

  1. anonymous says:

    The Mad Ape writes: You said "First, let me blow some steam: Why is it necessary to do these things? Any decent operating system comes out of the box secure and with a well stocked repository of useful and safe applications. Why then waste your time patching up a kludge like Windows?" I run a blog and I can tell you that these huge software corporations release products knowing that they have bugs/security flaws in them. Whether it be a rush to market or for profit it happens. Recently I had a Microsoft insider post on my blog about the inner workings of their product development. While I can't confirm the validity of the author it sure seems like he/she has been on the inside. You can read it for yourself at:

  2. wpost says:

    Thanks for the link and the reminder of why I prefer and recommend open source products. Your source echoes similar things I've heard from other insiders.

  3. Pingback: Spyware scanners for Windows | A maze of twisty little passages

  4. Pingback: Performance tuning on Windows | A maze of twisty little passages

  5. Pingback: Windows monthly security check | A maze of twisty little passages
