Securing Windows Vista
Securing Windows Vista, or any operating system including Linux and Mac OS X, is vital. Most of our lives revolve around our laptops or desktops, not to mention the data stored on them. This is a thorough security primer for securing Vista, covering both the freeware route and the commercial route. Security is also the last part of the OS that you would want to neglect. The guide is in three parts: applications and the security centre, the internet, and basic steps that do not fit in the other categories. I would also recommend a 64-bit version of Vista as it has hardware based DEP along with Kernel PatchGuard, among other features.
ANTIVIRUS SOFTWARE/SECURITY CENTRE
You need a main app that provides real-time (on-access) protection. I've listed some I would buy myself. Some would argue that you don't need any protection, but any protection is better than nothing, even reactive apps like the software below.
Commercial: If you want to go the commercial route, which I recommend because a standard suite has close to everything you need, check out the "Internet Security" suites from these vendors; these are the ones I would choose:
Norton 360 - Lightweight, very quiet, quick scan times via Norton Insight.
Kaspersky - More technical, a bit heavier in RAM usage than Norton, a solid alternative and the one I will be choosing when my current subscription to Norton 360 expires. Yes, I've gotten bored with choosing Symantec. Some have reported problems, but the engine has been re-written.
G-Data - The heaviest of the lot but has the strongest detection rates. I would wait until it has become more established.
Whatever you choose, look at various reviews, especially the independent tests at AV-Comparatives and AV-Test, not just assorted reviews online. Remember, the protection is useless if you do not update it; then it's just a pretty frontend for an outdated detection engine. Update every time you connect to the internet and frequently after that.
With this in place, I would then download an on-demand spyware scanner such as Malwarebytes or SuperAntiSpyware. These are purely for a backup scan if your computer has been infected and your main app is not disinfecting properly. They have no real-time protection, but that isn't the point: they will pick up what your main app misses. If you frequently visit dubious websites, scan weekly with these two scanners. Again, they are purely scanners, nothing more, and if you have bought a suite you don't need the paid extra features they offer.
For a freeware suite, things get slightly more difficult. You need a number of apps and you also need to remember to keep them updated. I would recommend a number of apps to stay clean:
ANTIVIRUS: Avira AntiVir Free has the best detection rates. As with AVG and Avast, it has no firewall. It would be my first free choice. 32/64-bit compatible.
FIREWALL: If you have a laptop and frequently move around with it, a good firewall choice is Agnitum Outpost Free. However, it's x86 only. If you have x64, get Comodo Firewall. It's a good firewall, but its alerts are annoying until it "learns" what your everyday apps are.
ANTISPYWARE: For this, I would recommend Windows Defender for real-time protection and SuperAntiSpyware as a weekly backup scanner. 32/64-bit.
Following this, you should see the security centre all in green like so after a reboot or three:
As you can see, everything is the way it should be.
THE INTERNET
I could begin by quoting statistics for various browsers, but I use Internet Explorer 8 at default settings. The key here is simple: watch what you click. To start checking the level of security, check your add-ons by starting IE8 and going to Tools, Manage Add-ons. You will see something like this, assuming you use IE8; if not, skip to the next section:
Select "All Add-ons". If any look strange, Google their names and then scan with any of the apps listed above. Also look at disabling add-ons that have a long load time. Next, select the Shockwave Flash Object if you have it installed. Right-click it and select Properties:
Select "Remove all sites" to clear the list of sites the add-on is approved to run on. The next time you are on a site, you can choose whether or not to allow the add-on to run for that site. Also make sure Protected Mode is on for the Internet zone:
As for the rest, triple check whatever you are downloading and what sites you are accessing. If you bought a suite, it will probably have a toolbar with added features. Also, run the 32-bit IE8, as the extra features and most toolbars don't work with 64-bit IE8 yet.
BASIC STEPS
Here are some hints that apply to both sections as well as elsewhere:
· Don't disable UAC; if you have, re-enable it. You lose IE8's Protected Mode, and the services that Vista runs lose the integrity restrictions of service hardening. In effect, you reduce your system's security to XP's, so from a security standpoint, why did you purchase Vista?
· If you have Vista Ultimate or Enterprise use Bitlocker along with a TPM (trusted platform module) chip to secure Vista. This is another tutorial topic but using it is relatively simple.
· Don't download freeware software you don't need. If you do, get an open-source alternative if you can. Microsoft's Windows Live is safe, as far as I can tell. I've only installed 6 extra apps onto this laptop and the 6th is Windows Live. If you do need an app, read as many reviews as you can. Always download from the manufacturer's site and scan the app before you install it. You can upload it to VirusTotal if you really are not sure and have a decent internet connection.
· Don't randomly open email attachments or links. Triple check each email.
· Back up the registry using the export function built into the Registry Editor. Press Win+R to open the Run dialog and type regedit, or type it into the Start menu and press Enter. Accept the UAC prompt. You'll see this:
Make sure Computer is highlighted, then select File, Export.
Choose the options above, i.e. export range is All, then enter a file name, click Save and store the file in a safe location. The size will vary; mine was 371MB. You can also use ERUNT to back up the registry, just select the right option, it's self-explanatory. If you need to restore it, boot into Safe Mode and double-click the .reg file to merge it, or use ERUNT's recovery option. Use the first method only if you didn't change any other settings, otherwise you will mess up the registry; use ERUNT if anything has changed.
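The same full export from a script, as an added example that is not part of the original post: it writes each registry hive to a timestamped folder with reg.exe, the command-line counterpart of File, Export with Computer selected. The backup location is an assumed placeholder, and the script must be run from an elevated (Run as administrator) PowerShell window so the UAC prompt is accepted up front.

```powershell
# Added example (not from the original post): export every registry hive with reg.exe
# into a timestamped folder, mirroring regedit's File > Export with "Computer" selected.
# Assumption: $backupRoot is a placeholder path (an external drive is a good choice).

$backupRoot = 'D:\RegBackup'          # assumed location, change to suit
$stamp      = Get-Date -Format 'yyyy-MM-dd_HHmm'
$dest       = Join-Path $backupRoot $stamp

# Refuse to run without elevation: a non-admin export silently skips protected keys.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell window.'
}

New-Item -ItemType Directory -Path $dest | Out-Null

# HKCU and HKCR are views into HKU and HKLM, so the set below overlaps, but it
# matches what regedit writes for a full export and keeps one .reg file per hive,
# so a single hive can be merged back on its own. Protected keys such as
# HKLM\SAM and HKLM\SECURITY are not readable even when elevated and are skipped.
$hives = 'HKLM', 'HKCU', 'HKCR', 'HKU', 'HKCC'
foreach ($hive in $hives) {
    $file = Join-Path $dest ($hive + '.reg')
    & reg.exe export $hive $file | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg.exe export $hive exited with code $LASTEXITCODE; check the file before relying on it"
    }
}

# Show what was written; a full export on Vista is typically a few hundred MB.
Get-ChildItem $dest | Format-Table Name, @{Label = 'MB'; Expression = { [math]::Round($_.Length / 1MB, 1) }}
```

Restoring is the same as in the post: boot into Safe Mode and merge the hive's .reg file, and only if nothing else has changed since the export.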
· Associate .reg files with Windows Notepad so that a stray double-click on a malicious .reg file you may find on the internet opens it for viewing instead of merging it into your registry. To do this, open Default Programs from the Start menu. You'll see this:
Choose Associate a file type or protocol with a program:
Change the .reg file association to Notepad by selecting the Change program box and locating notepad.exe in C:\Windows. Do the same for .vbs and other script files. If you do need to merge a .reg file, right-click it and select "Open with":
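The same association change done from PowerShell, as an added example that is not part of the original post: it repoints the double-click ("open") action of .reg, .vbs and .js files at Notepad and prints the command before and after. It assumes Vista's default ProgIDs for those extensions (regfile, VBSFile, JSFile) and an elevated prompt, because the change is made machine-wide under HKEY_CLASSES_ROOT.

```powershell
# Added example (not from the original post): make .reg, .vbs and .js open in Notepad.
# Assumptions: default Vista ProgIDs for these extensions; run from an elevated prompt.
# Caveat: a per-user choice made earlier in Default Programs overrides this
# machine-wide setting, so verify with a right-click > Open with afterwards.

$notepad = Join-Path $env:SystemRoot 'notepad.exe'

function Get-OpenCommand([string]$progId) {
    # Returns the current "open" verb command for a ProgID, or $null if none is set.
    $key = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    if (Test-Path $key) { (Get-ItemProperty -Path $key).'(default)' } else { $null }
}

function Set-OpenCommandToNotepad([string]$extension) {
    # Resolve the extension to its ProgID (e.g. .reg -> regfile) instead of hard-coding it.
    $extKey = "Registry::HKEY_CLASSES_ROOT\$extension"
    if (-not (Test-Path $extKey)) { Write-Warning "$extension is not registered"; return }
    $progId = (Get-ItemProperty -Path $extKey).'(default)'
    if (-not $progId) { Write-Warning "$extension has no ProgID"; return }

    $before = Get-OpenCommand $progId
    $key = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # "%1" is the file that was double-clicked; the quotes handle paths with spaces.
    Set-ItemProperty -Path $key -Name '(default)' -Value ('"{0}" "{1}"' -f $notepad, '%1')

    '{0,-5} {1,-8} was: {2}' -f $extension, $progId, $before
    '{0,-5} {1,-8} now: {2}' -f $extension, $progId, (Get-OpenCommand $progId)
}

foreach ($ext in '.reg', '.vbs', '.js') { Set-OpenCommandToNotepad $ext }
```

Regedit and Windows Script Host remain available through right-click, Open with, which is what the post recommends for the rare case where a .reg file really should be merged.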
· Back up your files using Vista's built-in backup. If you have Home Basic, it would be a better idea to purchase a backup tool or upgrade via Anytime Upgrade, as Vista's version is limited to manual backups. Home Premium and up have automatic options:
If the computer is new, you'll see an option to set up backup, follow the wizard. It will take 10min or less and you will be thankful you did it. Remember to leave the backup drive attached or plug it in before the backup time. I would recommend a cheap 1TB external drive to back everything up. Set the schedule according to your needs.
You can also switch to the backup built into some security software. I use 360's backup, but it doesn't work with encrypted files, unlike Vista's, so keep this in mind with some apps.
· Update your antivirus software. Again, keep everything updated.
· x64 users have kernel patch guard protection, which Microsoft adjusted to keep antivirus vendors happy.
· If you get infected, download the free Avira rescue disc and do a scan before Windows boots. It just might enable you to run Safe Mode and another scanner. It's available here as a 55MB .iso, and even though it can update itself, it's better to download a fresh copy when you need it, as the developers keep it updated.
· Run a full system scan weekly. Some antivirus products reduce the time this takes in different ways. Norton has an Insight feature that identifies the files on your PC and works out, via the Norton community and other reports, what is safe and what isn't. Because of this, around 50% of my PC needed to be scanned rather than 100%. A full system scan typically takes 35min on my 320GB 7200RPM drive that is 33% full.
· Run a full system scan weekly with Malwarebytes or SuperAntiSpyware. You never know what might be lurking on your PC, especially if you are online a few hours each day.
· Get Secunia PSI and make sure that as many vulnerabilities as possible are patched. Some, in my install, like the Shockwave app in Adobe Photoshop, were flagged as vulnerable despite the main Shockwave in IE8 being updated. If that happens to you, add it to your ignore list in the app. Some programs are also insecure but there is no update for them, yet. Try out the software and see for yourself. As for me, my score is 98%.
· Enable hardware DEP. Note that this is only for x64 users. If you have a 32-bit version of Vista you can use software DEP, which isn't as good. Right-click Computer in the Start menu and select Properties. Then click the Advanced system settings link on the left and this will appear:
Select the settings option and the Data Execution Prevention tab:
Select the turn-on option, click Apply and OK, then reboot. If a program has problems, you can add it as an exception here. Basically, DEP stops code from executing in regions of memory that are only supposed to hold data.
· Finally, download Sophos Anti-Rootkit right now and scan your PC for rootkits. You don't need to update it, so install it, disconnect from the internet, reboot and scan. The help file has details on what to do with the results. Remember to download the newest version if you want to rescan later on. If it detects anything, reboot and scan again.
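A read-only check of the settings this guide tells you to keep on (UAC, the DEP policy, and what the Security Centre knows about your antivirus, firewall and anti-spyware), as an added example that is not part of the original post. It assumes the root\SecurityCenter2 WMI namespace that Vista introduced, and the commonly used but undocumented reading of its productState value, where bits 12-15 equal to 1 mean "enabled" and a low byte of 0x00 means "signatures up to date".

```powershell
# Added example (not from the original post): report UAC, DEP policy and Security
# Center status without changing anything. Assumptions: root\SecurityCenter2 exists
# (Vista onward); the productState bit layout below is the usual community reading
# and is not documented by Microsoft, so treat enabled/up-to-date as a hint.

function Test-UacEnabled {
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    return ($sys.EnableLUA -eq 1)      # 0 is exactly the Control Panel's "UAC turned off"
}

function Get-DepPolicy {
    $os = Get-WmiObject Win32_OperatingSystem
    # SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn (Windows programs and services only),
    # 3 OptOut (all programs except the exceptions you add in the DEP tab).
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $name  = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
    return "DEP policy: $name; hardware DEP available: $($os.DataExecutionPrevention_Available)"
}

function Get-SecurityCenterStatus {
    # Microsoft's own firewall and Defender are not always listed here; third-party products are.
    foreach ($class in 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct') {
        $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class
        if (-not $products) { "$class : nothing registered with Security Center"; continue }
        foreach ($p in $products) {
            $state   = [int]$p.productState
            $enabled = (($state -band 0xF000) -eq 0x1000)   # assumed layout, see header comment
            $current = (($state -band 0x00FF) -eq 0x0000)
            '{0} : {1} enabled={2} up-to-date={3} (productState=0x{4:X6})' -f `
                $class, $p.displayName, $enabled, $current, $state
        }
    }
}

"UAC enabled: $(Test-UacEnabled)"
Get-DepPolicy
Get-SecurityCenterStatus
```

The DEP tab's "all programs and services except those I select" corresponds to the OptOut policy in the output; if the script reports OptIn, the change described above has not taken effect yet (a reboot is required).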
With these steps, you are virtually safe from the rubbishware that could infect your PC. Just remember what you click, what you download and from where, and keep all your apps updated!