I’m a Linux guy, but sometimes I’m hired to “do something” to a Windows workstation or server to make it minimally secure. These notes describe how I spend that time: locking the box down, removing the malware, and replacing the insecure default applications with safer alternatives.
First, let me let off some steam: why is it necessary to do these things at all? Any decent operating system comes out of the box secure and with a well-stocked repository of useful and safe applications. Why then waste your time patching up a kludge like Windows?
I should also define the scope of our discussion. I here present one-off things you can do to a single computer running Windows to improve its security. I do not here consider the broader picture, but you should: router and network setup and monitoring, external firewalling, user training and monitoring, and organizational best practices are outside the scope of this article but should not be ignored.
With that out of the way, let’s get to work.
Your first step should be to confirm that the client really wants what he is asking for. Some end users self-diagnose every Windows problem as a virus infection. More than once I have been asked to “make it secure” when in fact the unstated expectation was to address recurring BSODs or improve performance. Help such clients to understand that securing a Windows box means expending additional system resources (virus scanner, malware scanner, et al.) and that this can be expected to reduce performance rather than improve it.
Next, consider whether the box might profit from formatting the disk and performing a clean install before continuing. This ensures that you are starting from a secure and stable base. Additionally, Windows becomes unstable over time, so I recommend an annual format and clean install as a preventive measure in any case. Other good candidates for formatting are older versions of Windows that will soon reach end of support, and installations of questionable origin.
Before I leave for the client’s site or touch his computer, there are a number of preparatory things I do. Some are mandatory for security reasons; other things are optional but make the job go smoother.
You really have to do at least this:
- Everything described in the section “Just before leaving for the work site” in the virus scanning notes.
- Download a good firewall.
It’s not obligatory, but I also like to download all the other software I plan to install (see below) before leaving my office. This lets me spend my time on site installing and configuring, not waiting for downloads. I also like to create the Registry patch described below. Then I burn all the software I’ve downloaded plus the Registry patch to a CD, which I give to the client when I finish my work.
If the client does not have a working UPS on site, bring one with you. Some of the things we’ll be doing will not recover gracefully from a power failure.
MAKE A DISK IMAGE
If you or the client have a storage device large enough, then use Clonezilla or another imaging tool to clone the drive before doing anything. This disk image is not for permanent archive; it’s just to save your butt if something goes horribly wrong. We’ll make an archive image when we finish.
TODO: Provide a separate article recommending antiviruses.
For workstations, enable and run Windows Update (Control Panel – Windows Update – Change settings). Enable important updates and set the desired frequency (daily at noon might be a good choice for an office computer). Enable recommended updates and Microsoft Update. Press OK. Review the dialog window for any optional updates that need your approval and take action as appropriate.
Educate the user that even with automatic updating enabled, some updates will not be installed without explicit approval. Demonstrate how to do this (Control Panel – Windows Update) and encourage the user to periodically check.
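The checks above can be scripted so that nothing waiting for approval is overlooked. The following is an added example, not part of the original notes: it reads the Automatic Updates configuration through the Windows Update Agent COM API, confirms that Microsoft Update (not just Windows Update) is registered, and lists pending updates split into the ones Windows would install by itself and the ones that need someone to approve them. It is read-only, so it runs as a standard user; the update search needs Internet access.

```powershell
# Added example (not from the original notes): audit Automatic Updates through
# the Windows Update Agent COM API. Works on XP SP3 and later with PowerShell 2.0+.

$au       = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
$settings = $au.Settings

$levels = @{ 0 = 'Not configured'; 1 = 'Disabled'; 2 = 'Notify before download'
             3 = 'Download, notify before install'; 4 = 'Install on a schedule' }
$days   = 'Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'

Write-Host ('Automatic Updates   : {0}' -f $levels[[int]$settings.NotificationLevel])
Write-Host ('Schedule            : {0} at {1:D2}:00' -f $days[$settings.ScheduledInstallationDay],
                                                      $settings.ScheduledInstallationTime)
# IncludeRecommendedUpdates exists from Vista on; XP reports it as empty.
Write-Host ('Recommended updates : {0}' -f $settings.IncludeRecommendedUpdates)

if ([int]$settings.NotificationLevel -ne 4) {
    Write-Warning 'Automatic Updates is not set to install on a schedule.'
}

# Is the box opted in to Microsoft Update (Office etc.), not only Windows Update?
$sm   = New-Object -ComObject 'Microsoft.Update.ServiceManager'
$muId = '7971f918-a847-4430-9279-4a52d1efe18d'   # documented Microsoft Update service ID
if (-not ($sm.Services | Where-Object { $_.ServiceID -eq $muId })) {
    Write-Warning 'Microsoft Update is not registered; only Windows itself will be patched.'
}

# Updates that are neither installed nor hidden. AutoSelectOnWebSites is true for
# the ones Windows Update would tick by default (important); the rest are the
# optional ones that the user has to approve by hand.
$searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

Write-Host ("`n{0} update(s) pending:" -f $result.Updates.Count)
foreach ($u in $result.Updates) {
    $kind = if ($u.AutoSelectOnWebSites) { 'important' } else { 'optional' }
    Write-Host ('  [{0,-9}] {1}' -f $kind, $u.Title)
}
```

Run it again after the user has had the box for a few weeks: a growing list of “optional” entries is the sign that the periodic manual check is not happening.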
TODO: For servers, investigate Windows Server Update Services (WSUS) to manage and distribute updates to local Windows workstations. It sounds like a good idea, but presumably requires the server to have an Internet connection, which strikes me as very dangerous. My preference is to use an external hardware firewall that completely isolates the server from the Internet.
CONFIGURE USER ACCOUNTS
On a workstation, make the primary user account a standard user account, and do the same for every other person who will use the workstation, so that each user has his own standard account. Educate the user that when he attempts to perform an administrative task, a credential prompt is presented: he must enter an administrator user name and password and then click Yes to perform the task. Strongly discourage the user from logging in and performing routine tasks as an administrator. In an enterprise setting, the end users usually shouldn’t have the administrator password at all, only IT staff.
On Windows Vista or later, make sure User Account Control is enabled and set to the highest level for both standard users and administrators.
Enable the limited-privilege Guest account built into Windows. Give it a simple password, or perhaps none at all. Educate the user that allowing unauthorized people to use the workstation is not a good idea, but when it is necessary then the Guest account rather than the user’s own account should be used.
A server shouldn’t be touched except to perform administrative tasks, so creating nonadministrative accounts can be skipped. A server should be in a locked room or cabinet.
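The workstation account checks above reduce to a short audit script. This is an added example and not part of the original notes: it lists who is in the local Administrators group, flags the primary user if he is still one of them, checks that Guest is enabled, and compares the UAC registry values against the highest slider position. With `$Apply` set to `$true` it corrects what it finds. `alice` is a placeholder for the primary user’s account name; the WinNT ADSI provider and net.exe are used rather than Get-LocalUser so that it works on XP through 8.

```powershell
# Added example (not from the original notes): audit the account setup and,
# with $Apply = $true, correct it. Run from an elevated PowerShell.

$Apply       = $false
$PrimaryUser = 'alice'            # placeholder: the workstation's main user
$computer    = $env:COMPUTERNAME
$problems    = @()

# 1. Members of the local Administrators group: should be IT staff only.
$group   = [ADSI]"WinNT://$computer/Administrators,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
Write-Host "Local administrators: $($members -join ', ')"

if ($members -contains $PrimaryUser) {
    $problems += "$PrimaryUser is an administrator"
    if ($Apply) { & net.exe localgroup Administrators $PrimaryUser /delete }
}

# 2. Guest account: the notes want it enabled for occasional visitors.
$guest = [ADSI]"WinNT://$computer/Guest,user"
if ($guest.psbase.InvokeGet('AccountDisabled')) {
    $problems += 'Guest account is disabled'
    if ($Apply) { & net.exe user Guest /active:yes }
}

# 3. UAC (Vista and later only). The highest slider position corresponds to
#    EnableLUA=1, ConsentPromptBehaviorAdmin=2 (always notify on the secure
#    desktop) and PromptOnSecureDesktop=1; ConsentPromptBehaviorUser=1 gives
#    standard users the credential prompt described above.
if ([Environment]::OSVersion.Version.Major -ge 6) {
    $uacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $expected = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2
                   PromptOnSecureDesktop = 1; ConsentPromptBehaviorUser = 1 }
    $uac = Get-ItemProperty -Path $uacKey
    foreach ($name in $expected.Keys) {
        if ($uac.$name -ne $expected[$name]) {
            $problems += "UAC $name is '$($uac.$name)', expected $($expected[$name])"
            if ($Apply) {
                Set-ItemProperty -Path $uacKey -Name $name -Value $expected[$name] -Type DWord
            }
        }
    }
}

if ($problems.Count -eq 0) { Write-Host 'Account configuration matches the checklist.' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Demoting the primary user with `net localgroup Administrators … /delete` takes effect at his next logon, so do it before the user is handed the box rather than while he is logged in.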
TWEAK THE BOX
With the client’s consent, disable autorun.
Remove unneeded Windows components. In Windows XP, open Control Panel – Add or Remove Programs – Add/Remove Windows Components. In Vista and 7, open Control Panel – Programs and Features – Turn Windows features on or off.
Disable “Hide extensions for known file types” in Windows Explorer. In XP, this is found in Tools – Folder Options – View – Advanced settings. In Vista and Windows 7, see Organize – Folder and search options – View – Advanced settings. Otherwise you’ll have gullible end users double-clicking on malware named “sexy_lingerie.jpg.exe”.
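Both of the tweaks in this section live in the Registry, which is what makes the Registry patch mentioned earlier practical. The following is an added example, not the patch from the original notes: it writes a .reg file that disables AutoRun and AutoPlay and turns off extension hiding, imports it, and reads the values back. The file name `lockdown.reg` on the Desktop is an assumption. The HKEY_CURRENT_USER part only affects the user importing it, so import the file once per account on the box.

```powershell
# Added example (not from the original notes): a Registry patch that disables
# AutoRun/AutoPlay and shows file extensions. Run from an elevated PowerShell.

$regText = @'
Windows Registry Editor Version 5.00

; Disable AutoRun for every drive type (bit mask 0xFF covers all of them) and
; ignore autorun.inf entirely. HonorAutorunSetting makes XP/2003 respect
; NoDriveTypeAutoRun after update KB967715.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"NoAutorun"=dword:00000001
"HonorAutorunSetting"=dword:00000001

; Vista and later: untick "Use AutoPlay for all media and devices" for this user.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers]
"DisableAutoplay"=dword:00000001

; Turn off "Hide extensions for known file types" so photo.jpg.exe shows as such.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000000
'@

$patch = Join-Path $env:USERPROFILE 'Desktop\lockdown.reg'   # assumed location
# reg.exe reads .reg files as ANSI or UTF-16; ASCII is safe for this content.
Set-Content -Path $patch -Value $regText -Encoding ASCII

& reg.exe import $patch
if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }

# Verify what actually landed. Explorer picks up HideFileExt after a logoff.
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' |
    Select-Object NoDriveTypeAutoRun, NoAutorun, HonorAutorunSetting
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' |
    Select-Object HideFileExt
```

The .reg file is the piece worth burning to the CD for the client: double-clicking it reapplies the settings after a reinstall without anyone having to remember the menu paths.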
INSTALL AND REMOVE APPLICATIONS
Install and configure appropriate applications. What I install depends on the circumstances and is done in consultation with the client, but in general I recommend:
- More secure alternatives to popular attack vectors (for example, this one)
- Open source alternatives to closed source applications (open source tends to have a better security record)
- Multiplatform alternatives to Windows-only applications (to minimize platform lock-in)
For workstations I often recommend:
- File compression utility: 7-Zip, to replace WinZip, WinRAR, et al. Open source. Once installed, run 7-Zip (in Vista and later, do this as Administrator). Open Tools – Options – System and associate all file extensions with 7-Zip.
- Image viewer: IrfanView, to replace the shoddily written abandonware bundled with scanners and digital cameras. Proprietary; no charge for noncommercial use.
- IM client: Pidgin, to replace Windows Live Messenger, Yahoo Messenger, et al. Open source and multiplatform. If you’re feeling helpful you might help the end user configure his accounts.
- Media player: SMPlayer, to replace Windows Media Player. Open source and multiplatform.
- Music player: Quod Libet, to replace WinAmp et al. Open source and multiplatform.
- Office suite: LibreOffice, to replace Microsoft Office. Open source and multiplatform.
- PDF viewer: Sumatra, to replace Acrobat Reader. Open source.
- Web browser: Opera (highest security; my choice) or Firefox (open source), to replace Internet Explorer. Both multiplatform.
Make the newly installed programs the default for their type and associate them with their respective file extensions. In Windows XP, this is found in Control Panel – Add or Remove Programs – Set Program Access and Defaults; choose the Custom configuration. In Vista and later, this is found in Control Panel – Default Programs. Go through the sections in turn. In the section “Change AutoPlay settings”, ensure that the action for software and games is set to anything except install or run.
Once the new applications have been installed, consider what to do about the old ones. Insecure code left on the machine is a security risk even if the end user never opens the application, so ideally it should be removed. However, users need time to learn a new application and quite reasonably want the old one available as a fallback in the meantime. For this reason I usually limit myself to educating the client about the security implications of leftover applications and encourage him to remove anything no longer used later.
Remove all unused or otherwise unneeded applications. On Windows 8, this includes Windows Store apps.
Servers are a special case. The best thing to do is obtain the client’s authorization to remove all applications and services not absolutely needed. A server should have no desktop applications whatsoever, and have only those services needed.
Once you’ve finished installing, removing, and tightening applications, then install Secunia PSI to automatically update applications.
On Windows 8, have Windows Store apps automatically update themselves. My experience is that automatic updating isn’t very reliable and you’ll have to periodically check and manually update them in any case.
CHECK LOGS AND TWEAK SOME MORE
Review relevant logs for issues to resolve.
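“Relevant logs” on a Windows box means, in practice, the System, Application and Security event logs. The script below is an added example and not part of the original notes: it summarises the last two weeks of errors and warnings by source, groups failed logons by account, logon type and source address, and lists two events the client should always be able to explain: the Security log being cleared and a new service being installed. Get-EventLog ships with PowerShell 2.0, so it works on XP through 8; the Security log needs an elevated prompt, and the Security event IDs used (4625, 1102) are the Vista-and-later ones. The 14-day window is an assumption.

```powershell
# Added example (not from the original notes): the event log review done before
# handing the box back. Run from an elevated PowerShell.

$since = (Get-Date).AddDays(-14)     # assumed window; widen for a rarely used box

# 1. Errors and warnings in System and Application, grouped by source: failing
#    services, disk errors and crashing applications show up here first.
foreach ($log in 'System', 'Application') {
    Write-Host "`n== $log : errors and warnings since $since =="
    Get-EventLog -LogName $log -EntryType Error, Warning -After $since |
        Group-Object Source | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name | Format-Table -AutoSize
}

# Read the Security log once; it can be large.
$security = @(Get-EventLog -LogName Security -After $since -ErrorAction SilentlyContinue)

# 2. Failed logons (4625). ReplacementStrings holds the event's data fields:
#    index 5 is the target account, 10 the logon type, 19 the source address.
Write-Host "`n== Security : failed logons since $since =="
$security | Where-Object { $_.EventID -eq 4625 } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Account   = $_.ReplacementStrings[5]
            LogonType = $_.ReplacementStrings[10]
            Source    = $_.ReplacementStrings[19]
        }
    } |
    Group-Object Account, LogonType, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. Security log cleared (1102): field 1 is the account that cleared it.
Write-Host "`n== Security log cleared =="
$security | Where-Object { $_.EventID -eq 1102 } |
    Select-Object TimeGenerated, @{ n = 'By'; e = { $_.ReplacementStrings[1] } } |
    Format-Table -AutoSize

# 4. New services (7045 in the System log): field 0 is the name, field 1 the image path.
Write-Host "`n== Services installed =="
Get-EventLog -LogName System -After $since |
    Where-Object { $_.EventID -eq 7045 } |
    Select-Object TimeGenerated,
        @{ n = 'Service'; e = { $_.ReplacementStrings[0] } },
        @{ n = 'Image';   e = { $_.ReplacementStrings[1] } } |
    Format-Table -AutoSize
```

A handful of 4625 entries for the user’s own account are normal typos; many for accounts that do not exist on the box, or from an address other than the workstation itself, are something to raise with the client before calling the job done.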
In Windows Explorer, right-click on the main hard disk (e.g. C:) and select Properties. In the General tab, press “Disk Cleanup” and select any appropriate options. In the Tools tab, run error checking (“Check now”) and defragmentation (“Defragment now”). Repeat these steps for all other local hard disks.
Run BleachBit or another system cleaner.
MAKE A FINAL DISK IMAGE AND FINISH
Make another disk image. Unlike the first, this one should be given to the client and saved indefinitely as a “restore system” image.
Inform the client that the box is now reasonably secure but to keep it so will require periodic attention. Some clients will prefer to enter into a service agreement with you and have you perform these checks.
EPILOGUE: RECOVERING FROM FUTURE DISASTERS
Now that your client has a disk image of a secure system and recent backups of all user files, he is protected. When disaster strikes, simply restore the disk image and the latest clean backup, and be fully recovered in less than an hour.
These notes refer to Windows XP, Vista, Seven, and Eight, and were last updated 26 January 2014.
FURTHER READING
Blowing away bloatware is written from the perspective of removing bloatware from a newly purchased name-brand computer, but is a good guide to performing a clean install of Windows generally.
Application software for Windows:
- KDE on Windows Project
- Many official Gnome projects have Windows ports; see the relevant project site. My experience with their Windows ports has been spotty, however.
Update management, security patches, and software licensing issues:
- Windows Update Explained (Microsoft publication, docx format)
- Windows Genuine Disadvantage (Security Focus column)
- Microsoft responds on patches to Windows users
- Microsoft Security Update Guide (Microsoft publication, PDF format)
User account best practices:
- User Account Control in Windows 7 Best Practices (Microsoft TechNet)