Security for a Home Computer running MS-Windows

This page holds the main things everyone running MS-Windows at home or in a small business should do to be secure. The single most effective security tool is a hardware NAT router. The 2nd most effective security tool is your brain.

My list is in order of importance for broadband Internet connections. Some folks might disagree with my order. The data in here is not meant for business computers running on a large corporate network and really isn’t sufficient for a mobile computer. If you are a road warrior, extreme care is needed which is beyond what I can cover here.

Hardware Firewall / Router

Cost = $25 US
If you are connected to the Internet by high-speed, you need another level of protection, a hardware firewall. This costs about $25 US for something called a router. They are often called a DSL Router or a Cable Modem Router and you can find them at almost any home electronics store – Best Buy, Circuit City, Micro Center, Fry’s, Radio Shack, Office Depot, etc. You can also order them online at Amazon.com. For home networking, a router and a hardware firewall are the same device. In a business, they are usually different devices.

Read the provided instructions, enable NAT – Network Address Translation – and don’t open any incoming ports. Update the firmware of this device whenever a security problem is publicized or if you experience a specific problem. This device is the single greatest protection for an Internet connected computer! D-Link, Linksys, and Netgear are the manufacturers of choice, but really any no-name version ought to be fine too. I’m using a Buffalo brand today with DD-WRT firmware. Unless you specifically need wireless networking, do not buy a wireless router. They add an additional layer of complexity that isn’t worth the extra effort if you don’t need it. For a good description of this, see Steve Gibson’s writeup. Steve has a number of good items on his site and concentrates on security issues. See my WiFi Router Security Article for more details on how to configure your wifi router securely.

Software Firewall

Cost = Free
Info on how malware can’t be stopped.
Install a software firewall and update the software at least every 6 months. If you are using MS-Vista or Windows7, the built-in software firewall is fine and can be automatically updated. If you are using WinXP SP2 or later, the built-in software firewall is not enough protection. We want both inbound AND outbound protection from a firewall.

There are other software firewalls available which will work fine. A number of folks who I respect have recommended Tiny Firewall. This software may not be free any longer. Avoid BlackICE; it has been hacked a number of times. Avoid Norton Internet Security; it tries to be too much and has lost sight of the fact that it needs to be a good firewall first. Avoid ZoneAlarm due to bloat.

Run Current Anti-Virus Software

Cost = Free
For a long time, you had to purchase Anti-virus software to have reasonable protection. Not any more. Microsoft has released MSE, Microsoft Security Essentials. It is not included with your operating system, so you need to download and install it, but it works well. Independent anti-virus comparisons have found MSE to be near the top in finding and protecting against viruses.

Previously, I’ve used AVG Free Anti-virus and AntiVir Personal. These are both free, but AVG Free interfered with WiFi connectivity on a Vista laptop, so I removed it.

McAfee, Norton, TrendNet, and other purchased anti-virus software is not needed for a home user who doesn’t perform high risk internet activities.

An article from 2006 on PCWorld AV Rankings.

TO BE CLEAR, NO ANTIVIRUS SOFTWARE WILL PROTECT YOUR COMPUTER 100%. I’d estimate that even the best AV software is only 90% effective. You should know the risks. Now you do.

Apply Patches from Microsoft

Cost = Free
As updates are available from Microsoft, apply the “critical updates” from update.microsoft.com site. If you aren’t really computer savvy or just don’t want to be bothered, it would be best to allow automatic updates so you won’t forget. Perhaps this item should be number 1 on this list? I allow automatic updates for 1 of my MS-Windows systems, but manually patch as needed for the other. Also, if you are running an OS older than WinXP-SP3, you should update ASAP.

Don’t ever open and/or run an email attachment claiming to be a patch from Microsoft even if it appears to come from a legitimate source. Only get patches from auto-update or directly from the Microsoft Update web site. Microsoft will never email a patch to you.

Don’t use Internet Explorer

Cost = Free
Check out my more detailed suggestions for Web Browser Security Settings.
Use Mozilla or Firefox 3.x instead. Some people may suggest Opera or Google’s Chrome browsers. I cannot recommend them at this point. Firefox is free and provides many enhanced capabilities to prevent pop-up ads, running of insecure scripts, and block images from nasty web sites. It simply isn’t safe to use IE for general Internet browsing. FireFox will also check if an update is available and prompt you to update. This is good. Any ActiveX or OCX controls on the general Internet should be disabled in your browser too. A few sites might only work with IE such as your on-line bank or broker, but this happens less and less. Mine have been working with Firefox for over 10 years now. As long as you go only there, using IE is OK, but don’t go anywhere else and always type in the link to those sites yourself, every time.

Update 8/24/06: TURN OFF JAVASCRIPT

New techniques leveraging standard JavaScript capabilities have been proven to allow bad things to get into your computer or trick you into allowing something bad to run. Firefox has a plug-in, NoScript, which allows site-by-site control of JavaScript. I browse with JavaScript disabled by default and only enable it on sites that I trust like my bank or broker. For example, I do not trust Google.com. If a site doesn’t work at all without JavaScript, it probably isn’t secure anyway.

Famous security writer Brian Krebs says you should use NoScript too.

Block Flash

Using NoScript also blocks Adobe Flash. Flash has a number of security issues that have been used to gain access to our computers. With NoScript running, you can choose which flash elements that you’d like to see. For example, flash on youtube and hulu are probably ok, but Flash on freePorn4You.com probably is not safe.

Don’t use the built-into-the-browser program to save usernames or passwords for important web site logins like your bank or broker. This information can easily be pulled from a corrupted computer over the Internet and used to steal your life savings. Contact your broker about using 2 phase authentication. RSA SecurID is the industry standard for this technology. See below concerning the use of Password Manager software.

Avoid ActiveX / OCX Controls

Avoid ActiveX enabled browsers like IE. Lacking that, lock down your IE Internet Zone settings to prevent all scripting, controls, and cookies, then specifically add the domains on the Internet to your Trusted Zone that you really trust, like your bank, broker, Microsoft, Intel, and driver manufacturers. Internet Explorer will always be used for some things under the covers on MS-Windows computers, so be certain to properly change the internet security settings. Media Center and Quicken use IE to perform online tasks. I’m certain other programs do as well, regardless of what your default web browser is set to be.

In Firefox ActiveX isn’t possible without specific user action to install a plug-in. Do not install that plugin. It is also a good idea to install an extension which blocks all scripting in these browsers by default, then as you find web sites don’t work, allow the specific site scripting.

Firefox Extensions that I use

  1. NoScript — stops JavaScript, but allows you to enable it on a site by site basis
  2. Adblock
  3. SwitchProxy Tool
  4. TreeStyleTabs
  5. Sage – RSS Reader
  6. ReadItLater

Keep Browser Plugins Current

We all know to keep our systems patched, but that isn’t always easy. Mozilla has come up with an easy way for everyone to check their browser for out-of-date plugins. This applies to Firefox web browsers, but it also works for IE, Safari, Opera and perhaps other browsers.
So, open a new browser tab and go check your plugins http://www.mozilla.com/plugincheck/ now.

Don’t use Adobe Products

Cost = Free
For most home users, the only Adobe program you will have loaded is the Adobe Acrobat Reader to let you open PDF files. Adobe has been very bad at providing security updates for all their programs, including Acrobat Reader. Over 50% of all corporate computer network attacks are by using PDF files and that attack vector is expected to increase. What should you do? Use an alternate PDF reading program like Foxit or PDF-XChange. Be certain to use the Free versions. For a home user, you don’t need the extras that the commercial versions provide. Also, go into the settings for whichever PDF viewer software you have selected and disable external program launching AND JavaScript. These settings will make opening most PDF files completely risk free.

Some folks will say they need to use Adobe PhotoShop or Elements for work or hobby. Just because you use it, doesn’t mean there aren’t risks. You have to accept that risk when you choose to use any program, including those from Adobe.

Don’t use Microsoft Outlook or Outlook Express

Cost = Free
Outlook and Outlook Express are constantly attacked to gain access to your computer via email. Rather, use Thunderbird, Claws, Zimbra, or almost any other email client or webmail service instead. This software is free and provides many enhanced features like

  • spam filters
  • image filtering
  • JavaScript control and
  • Phishing/Scam blocking.

Be certain to configure it as securely as possible with SMTP/TLS and SSL-based IMAPS protocols to encrypt email traffic between you and your server. If you are on a laptop and cannot configure TLS or SSL connections, then you should use a VPN.

Thunderbird has Bayesian spam filtering built in. You just need to turn it on and train it.

For email, I don’t allow anything except 7-bit clean ASCII text. Since I’m in the USA and never receive non-English email, this is fine. I also do not allow javascript or images to be displayed inside email. This prevents tracking bugs in images which can be used to confirm an email address and when the email was opened. Last, I don’t ever return Receipt Requested notices.
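The checks just described (7-bit ASCII only, no JavaScript or images, no return receipts) can be run over a message before it is displayed. The script below is an added example, not code from this page; the sample messages are constructed, and the finding labels are my own names for the conditions.

```python
import re
from email import message_from_string
from email.policy import default

# Remote image reference (an <img> whose src is an http(s) or scheme-relative URL).
REMOTE_IMG = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']?(?:https?:)?//', re.IGNORECASE)
SCRIPT_TAG = re.compile(r'<script\b', re.IGNORECASE)


def audit_message(raw):
    """Return the things this page's mail settings would refuse to render:
    non-7-bit content, a return-receipt request, an HTML body, remote images
    (tracking bugs), scripts, and non-text attachments."""
    findings = []
    if any(ord(ch) > 127 for ch in raw):            # not 7-bit clean ASCII
        findings.append("non-7-bit content")
    msg = message_from_string(raw, policy=default)
    if msg["Disposition-Notification-To"]:          # the "Receipt Requested" header
        findings.append("return receipt requested")
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            body = part.get_content()
            findings.append("html body")
            if REMOTE_IMG.search(body):
                findings.append("remote image (web bug)")
            if SCRIPT_TAG.search(body):
                findings.append("script in html")
        elif part.get_content_maintype() not in ("text", "multipart"):
            findings.append("attachment: " + ctype)
    return findings


# Constructed sample: HTML newsletter with a 1x1 tracking image and a receipt request.
SAMPLE_TRACKED = """\
From: Newsletter <news@example.com>
To: you@example.net
Subject: This week's deals
Disposition-Notification-To: news@example.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

See this week's deals on our site.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>See this week's deals on our site.</p>
<img src="http://tracker.example.com/open.gif?id=123" width="1" height="1">
</body></html>
--b1--
"""

# Constructed sample: plain 7-bit text, nothing to object to.
SAMPLE_PLAIN = "From: friend@example.org\nTo: you@example.net\nSubject: lunch\n\nNoon on Tuesday?\n"

if __name__ == "__main__":
    print("tracked:", audit_message(SAMPLE_TRACKED))
    print("plain:  ", audit_message(SAMPLE_PLAIN))
```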

Block Spyware/Ad Networks

Cost = Free
After you switch to Firefox and install the AdBlock extension, you’ll block many internet ads. When you visit a website regularly, please allow ads from that site to be viewed in your browser. This helps those sites make money through advertising. Don’t those websites deserve your support?
For further protection that is under YOUR CONTROL, insert your own HOSTS file listing bad areas of the Internet, so your computer never even goes to those hosts.

By adding large lists of known ad-network and spyware sites to your hosts file and mapping their domain names to 127.0.0.1, an IP address that always points back to your own machine, you block those sites from being reached at all. This has two benefits: your browsing speeds up, because you no longer wait to download ads from ad-network sites, and your browsing is more secure, because you cannot reach known malicious sites.

There are ready-made HOSTS files you can download which contain a large list of known ad servers, banner sites, sites that set tracking cookies or contain web bugs, and sites that infect you with hijackers. Listed below are web sites that produce these types of hosts files:

These sites each explain a little more about how this works.

An administrative user can copy a new hosts file into the SYSTEMROOT/windows/system32/drivers/etc directory and be a little more secure. When most UNIX users talk about this file, they call it the /etc/hosts file or etc-hosts file because that is where it is placed on every *NIX machine. It is the same format and serves the exact same purpose as on Windows.

If you choose to download these files, please backup your original by renaming it to hosts.orig and saving the downloaded HOSTS file in its place. Using a HOSTS file such as these is highly recommended to protect your computer.
There’s no place like 127.0.0.1.
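Rather than overwriting the file wholesale, the merge below keeps the existing entries, backs up the pristine copy as hosts.orig, and appends only sinkhole entries from the downloaded list. This is an added example, not code from the page or from any of the HOSTS-file sites; the sample hosts file and block list are constructed.

```python
from pathlib import Path
import tempfile

# Names that must never be sinkholed, whatever a downloaded list says.
PROTECTED_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
SINKHOLE = "127.0.0.1"          # there's no place like 127.0.0.1
BLOCK_MARK = "# --- ad/spyware block list, sinkholed to 127.0.0.1 ---"


def parse_hosts(text):
    """Yield (ip, [names]) for each real entry; comments and blanks are skipped.
    The format is identical on Windows and *NIX."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            yield ip, names


def merge_blocklist(original, blocklist):
    """Return (new_hosts_text, names_added). Existing entries are kept verbatim;
    only sinkhole entries from the block list are appended, without duplicates."""
    seen = {n.lower() for _, names in parse_hosts(original) for n in names}
    added = []
    for ip, names in parse_hosts(blocklist):
        if ip not in (SINKHOLE, "0.0.0.0"):   # refuse lists that redirect elsewhere
            continue
        for name in names:
            key = name.lower()
            if key in PROTECTED_NAMES or key in seen:
                continue
            seen.add(key)
            added.append(key)
    lines = original.rstrip("\n").splitlines()
    if added:
        lines += ["", BLOCK_MARK] + [f"{SINKHOLE} {n}" for n in added]
    return "\n".join(lines) + "\n", added


def install_blocklist(hosts_path, blocklist_text):
    """Back up the pristine file as hosts.orig (once), then write the merged file.
    Real locations: %SystemRoot%\System32\drivers\etc\hosts on Windows, /etc/hosts
    on *NIX; both need an administrator/root shell to write."""
    path = Path(hosts_path)
    original = path.read_text()
    backup = path.with_name("hosts.orig")
    if not backup.exists():
        backup.write_text(original)
    merged, added = merge_blocklist(original, blocklist_text)
    path.write_text(merged)
    return added


# Constructed sample data standing in for a real hosts file and a downloaded list.
SAMPLE_HOSTS = "127.0.0.1 localhost\n::1 localhost\n192.168.1.10 nas.home # my NAS\n"
SAMPLE_BLOCKLIST = """\
# constructed block list
127.0.0.1 ads.example.com banners.example.com
127.0.0.1 localhost            # must not be duplicated or changed
0.0.0.0   tracker.example.net
10.0.0.1  evil.example.org     # not a sinkhole entry: ignored
127.0.0.1 ADS.example.com      # duplicate differing only in case
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        hosts = Path(tmp, "hosts")
        hosts.write_text(SAMPLE_HOSTS)
        print("added:", install_blocklist(hosts, SAMPLE_BLOCKLIST))
        print(hosts.read_text())
        print("backup intact:", Path(tmp, "hosts.orig").read_text() == SAMPLE_HOSTS)
```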

Spam Filtering

Cost = Free
If you aren’t using Thunderbird, install SpamBayes to protect you from the nastiest spam on the Internet. This program can be configured to work with any POP3 or IMAP based email services on the Internet. Highly recommended!

Don’t post your real email address to public lists – here is a quick reference on munging your email address in a way that is easy for a human to figure out, but tough for a computer to solve.

Related to spam is avoiding instant messaging viruses. AOL, Yahoo, MSN, and Skype all provide IM. The problem is that these networks constantly have security issues and allow anyone on their Messaging server to transfer files thru a back door to your system. The IM client already has an approved open Internet connection, so your firewall(s) are ineffective. Microsoft Security Team statement on IM viruses.

Good Passwords Plus a Password Manager

Cost = Free
A Windows system without a good password is like leaving your car unlocked parked in a bad neighborhood. For your main Windows login account and password,

  1. Don’t use any words that you might find in a dictionary.
  2. Don’t use any numbers like your house number, SSN, Birthday, Anniversary, etc.
  3. DO mix numbers and punctuation with letters
  4. DO use upper and lowercase letters
  5. DO think of a sentence with 8-20 words (or syllables) and use the characters for each word or syllable as a character in your password
  6. DO change your password every 2-3 months; I change mine on Tuesday mornings so I don’t forget it over a weekend from not having enough practice entering it.
  7. DO use a different user account and password for every web site login that is important.

In 2009 I finally realized that using a Password Manager was a great idea. An article on KeePassX.

Get a good password from here or here, but please use generated, random passwords with 25+ characters. Once you start using a password manager, you’ll never need to remember more than just a few passwords again.
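The rules above, in code: derive a password from a sentence (rule 5), check a candidate against rules 1-4, and generate the random 25+ character passwords a manager should hold. The same generator covers the 20+ character non-dictionary WPA keys recommended further down. This is an added example, not code from the page or from any password manager; the small dictionary stands in for a real word list.

```python
import re
import secrets
import string

# Constructed stand-in for a real dictionary; a practitioner would load a full word list.
DICTIONARY = {"password", "summer", "tuesday", "welcome", "dragon", "letmein"}
PUNCT = "!@#$%^&*()-_=+[]{};:,.?/"
PUNCT_RE = re.compile("[%s]" % re.escape(PUNCT))


def sentence_to_password(sentence):
    """Rule 5: the first character of each word, keeping any digits and punctuation."""
    return "".join(word[0] for word in sentence.split())


def check_password(pw, dictionary=DICTIONARY, min_len=8):
    """Return a list of rule violations (empty list means the password passes)."""
    problems = []
    low = pw.lower()
    if len(pw) < min_len:
        problems.append("too short")
    if any(word in low for word in dictionary if len(word) >= 4):   # rule 1
        problems.append("contains dictionary word")
    if not (re.search(r"[0-9]", pw) and PUNCT_RE.search(pw)):        # rule 3
        problems.append("needs digits and punctuation")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):    # rule 4
        problems.append("needs mixed case")
    if re.search(r"(19|20)\d\d", pw):                                # rule 2: birthdays etc.
        problems.append("looks like a year")
    return problems


def generate_password(length=25):
    """Random password from a CSPRNG that also satisfies check_password()."""
    alphabet = string.ascii_letters + string.digits + PUNCT
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    derived = sentence_to_password("My dog ate 2 socks & a sock on Tuesday!")
    print(derived, check_password(derived))
    print("Summer2019", check_password("Summer2019"))
    print("manager password:", generate_password())
    print("WPA key:", generate_password(20))
```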

I use a different account and password for every company I do business with. None are the same. In fact, I create a different email alias for each too. This allows me to determine when a company sells my information, since spam begins to come to that email address. For example, a large computer chain with the initials MC has allowed my account with them to get spammed – I don’t shop there anymore, and no, I don’t need any Viagra either.

Turn off Services that you don’t need

Cost = Free
By default, Windows is very easy to network with other computers in your house. If you don’t have any other computers or don’t share files between them over a network, then you have no need for those services to be running. It just makes it easy for a cracker to get into your system. Think of every service you run as a door. Some doors are open, some are closed, and others are closed and locked. The best door, if you have to have one, is a door that can’t be seen unless you know it is there. To learn more about which services are needed on your system, check out BlackViper’s site.

You may prefer to let a program enable and disable your services based on questions that humans can answer. Vista Services Optimizer, VSO does this.
In short,

  1. Don’t run IIS – ever
  2. Don’t enable File Sharing outside your home network
  3. Don’t enable Printer Sharing outside your home network
  4. Don’t run MS-SQL Server – ever (home users)

Monitor all programs for Updates

Cost = Free
Now you are more secure than 99% (a guess) of the computers out there, but this isn’t all you need to do. Crackers are always searching for ways to get into your machine. You need to stay up to date with all your defenses. Plan to update all this software every 6 months. In some cases, running compromised software is worse than not running anything.

Newer versions of Firefox will check your extensions and add-ons for updates. If you are using any that have known attacks, Firefox will disable them. Smart.

There are software tools like FileHippo.com that help you keep track and update on your MS-Windows computer. I honestly don’t use MS-Windows enough anymore to worry about that and have never used those services. There are other, similar update tracking services too. If you run a Linux-based computer with APT, staying current for OS and applications is really, really easy.

Test your security

Cost = Free
Gibson Research Corporation, GRC, offers a free service to test your network security with a simple port scan. Be sure to use it! It is listed under Test your Shields. Be sure to have all ports closed, filtered, or stealth. The best choice for testing now is All Service Ports at the bottom of the page. I have a few open (which I carefully secure), my ISP blocks a few, my hardware firewall blocks everything else, and my software firewall blocks everything incoming and outgoing that I didn’t approve. Thanks Steve for this great service!!!
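The three verdicts the GRC test reports (open, closed, stealth) come from how a TCP connection attempt is answered. The script below is an added example, not GRC's code; it reproduces that classification so you can check your own machine from inside your network, and the list of ports to watch is my own choice based on the services this page says to leave off.

```python
import socket


def classify_port(host, port, timeout=2.0):
    """Label one TCP port the way the GRC report does:
    'open'    a service answered the connection,
    'closed'  the host replied but refused (visible, just not listening),
    'stealth' nothing came back before the timeout (silently dropped)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "stealth"
        except OSError:          # e.g. network unreachable: not a verdict on the port
            return "unreachable"


def check_ports(host, ports, timeout=2.0):
    """Return {port: label} for every port in ports."""
    return {p: classify_port(host, p, timeout) for p in ports}


def open_listener():
    """Throw-away listener on an ephemeral localhost port, used by the demo."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def demo_open_then_closed():
    """One port seen both ways: open while the listener runs, closed after it stops."""
    srv, port = open_listener()
    try:
        while_open = classify_port("127.0.0.1", port)
    finally:
        srv.close()
    return while_open, classify_port("127.0.0.1", port)


# Services the page says a home machine should not expose (standard port numbers).
HOME_PORTS_TO_WATCH = {135: "RPC", 139: "NetBIOS session", 445: "SMB file sharing",
                       80: "web server (IIS)", 1433: "MS-SQL Server"}

if __name__ == "__main__":
    print("demo listener, then closed:", demo_open_then_closed())
    for port, label in check_ports("127.0.0.1", HOME_PORTS_TO_WATCH).items():
        print(f"{port:5d} {HOME_PORTS_TO_WATCH[port]:18s} {label}")
```

Anything reported open here that you did not deliberately set up is a service to turn off; from outside, the hardware firewall should make the same ports read as stealth.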

Your computer isn’t just your problem

Cost = Free
There is a misconception that since you don’t keep any important data on your PC that you don’t need to worry about security or being cracked. If someone else uses your computer to perform a crime, the FBI will show up at your door first. Think of all this security as the same as not giving your car keys to your 14 year old son with a 12 pack of beer and saying go have fun!

Don’t trust your ISP to protect you. Even folks paying AOL premium prices aren’t protected regardless of what they might think. A socket is a socket and if they are open and you are on the Internet, then your PC is probably being attacked. You just don’t have any way of seeing those attacks – today. For some programs, you don’t want your ISP filtering any ports, so this is a trade off between security and communications – which is what the Internet is all about.

A quote from The Boston Globe

In a technique called a “distributed denial of service attack,” vandals exploit security flaws to plant programs, called “Trojan horses,” on thousands of Internet-connected computers. They then order the Trojan horse programs to spew useless data at a targeted machine.

It’s the equivalent of having 100,000 people dial the same phone number, over and over, at the same time. Such attacks can knock a computer offline simply by swamping it with more data than it can handle.

Experts Only

Cost = Free

  • Disable all direct access to the Internet from all MS-Windows machines; have a UNIX proxy server between all MS-Windows PCs/Servers and your gateway. That includes DNS queries.
  • Netfilter/IPTables on Linux
  • Setup a Squid proxy server on Linux
  • SpamAssassin
  • Use ssh port forwarding over wireless connections for common uses (IMAP, POP3, HTTP/S)
    ssh -L8080:your.proxy.srv.domain.com:80 www.domain.com
  • Run adfilter.pl as part of your Linux proxy
  • Any UNIX variant can be used instead of Linux, but you’ll need to secure any UNIX box before placing it on the Internet. As with any computer on the Internet, an insecure Linux server can be just as bad as an insecure Windows box, maybe worse.
  • If you have a wireless network (802.11a/b/g), then for God’s sake, use WPA2 and MAC address filtering. This really isn’t enough to secure it, but it is better than nothing. WEP encryption is like closing your car door, but not locking it. It only keeps honest people honest, but can usually be broken in less than 20 minutes due to poor design of the encryption algorithm. Advanced users should disable the SSID broadcast and use some form of tunneling like ssh port forwarding for web traffic thru a proxy server for enhanced security.
  • For your WPA keys, be certain to use 20+ character, non-dictionary, keys. The latest WiFi routers include WPA2/AES encryption.

Unless you run a RADIUS server then the wireless security setting choices are, in decreasing order of preference:

  1. WPA2 + AES
  2. WPA + AES (only if all devices support it).
  3. WPA + TKIP
  4. Disabled (no security)

Turn it Off

Cost = Free
Turn it Off. If your PC isn’t on, then it can’t be cracked, but that often defeats the reason for having it. It certainly isn’t as convenient. Mine are on 24/7/365.

Another option is to unplug the network cable from your DSL or cable modem. I’ve done this once after a cracker broke into one of my systems in 1998. After I determined what had actually happened by comparing every file on the system with a backup image made a few days earlier, I was able to stop the attack attempts, disable the method of access at the router and software firewall, and turn off the unpatched service. I didn’t even reboot the system before connecting it back to the router again.

Backup Your Data

Cost = Free – $1000+/month (it depends)
If you are running Microsoft Windows, you will get a virus or malware or spyware at some point. It will happen. To combat this, we all need to be backing up our systems. For an inactive home user, monthly backup is probably enough. As your computer activity increases, then your backup frequency should also increase.

When you are deciding what needs to be backed up, you’ll find 3 different types of data.

  1. Operating System
  2. Personal Settings
  3. Data

There are many methods for backing up data. I’ve listed a few for backing up Personal Settings and Data. Carbonite, Mozy, Ubuntu-One, or some other online backup service is probably the easiest for most users. The problem with these is that unless you are only backing up term papers (no audio or video content), you will probably need the paid version. If you have photos, please, please back them up too.

I’ve written on backups and disaster recovery plans many times.

Final Thoughts

Security is a trade off between convenience and ease of use. Best security practices use a layered approach. This means should one portion of your security layers fail, then the next layer will hopefully catch it. Once these suggestions are implemented, you’ll find that you really aren’t missing any of the good things that the Internet has to offer and you are blocking most of the nastiness out there. I’ve tried to suggest tools and methods that automatically maintain themselves too. This further reduces the amount of effort required by you to be mostly-secure.

Problem between the keyboard and the chair is the main security issue according to this article.

What others have to say and where to learn more.

There are many Urban legends. Please don’t forward emails to anyone when asked by a stranger. Almost all of these are bogus. Microsoft isn’t going to give anyone a $1 million and little Mikey got his new kidney already, but not by folks forwarding emails.

  • Monitoring your kids online: use DansGuardian

Other Security-related pages here:

Last Update: 6/2010