How to Secure Windows

In previous OS News articles, I’ve
claimed that mature computers up to ten years old can be
refurbished and made useful. My last article
identified and evaluated
different ways to refurbish these
computers.
One approach is to keep the existing Windows install and clean it
up. This has the advantage of retaining the Windows license and
software, the
installed
applications, and the existing drivers. But it
takes some work. In this article we’ll see what this entails.Cleaning up an unknown Windows system requires three steps, performed
in
this order:

  1. Security
  2. Anonymization
  3. Performance tuning

This article discusses security and anonymization. Next month’s article
covers performance tuning. This article is based on
myfreeguideHow To Secure Windows and
Your Privacy
.
The guide was published two years ago but is still relevant to cleaning
up Windows. I’ll
leave out
the
screen illustrations in the guide, as well as its more detailed
techniques.

We’ll cover the highlights here.
The goal is to answer this question — how can you secure a
Windows computer about which you can make no assumptions?

Orientation

This article assumes you’ve already decided to revitalize Windows. If
you’re interested in whether cleaning up an existing Windows install is
a good way to refurbish a computer, see the discussions inprevious
articles
in this series.

I’ll assume you are securing
Windows XP, since XP was
Microsoft’s primary consumer offering from 2001 to 2007. The tips
in this article also apply to Windows 7 and Vista, but the
examples
arebased on XP.

I assume that the copy of Windows you want to secure is on an
“unknowncomputer.” By this I mean a computer that is
previously unknown to you, so you can not make any assumptions about
it.
If you’re refurbishing a “known” computer, for example, an old
machine you haul out of your own basement or attic, you may be able
to skip some of the steps.

It’s important to understand that due to the ways in which rootkits and like
technologies operate, you can never be
theoretically certain that an unknown Windows computer you clean up is
completely secure. Only wiping the disk and cleanly installing an
operating system absolutely guarantees security. But from a
practical standpoint, the procedures in this article ensure adequate
security for normal situations.

Before you can secure Windows, if you’re working with an
unknown computer you might have to circumvent password
protection. While there are several different approaches to this
problem, I’ve had excellent results with the free programOffline NT Password and
Registry Editor
.
The program deletes the Administrator password
so
you can log on to the Administrator account without entering a
password. You’ll
need a user login with Administrator rights to secure Windows.

Be sure to reset the Administrator account password after you
gain access. Obviously, Windows passwords don’t offer much protection
if someone has physical access to the computer. But they’re still vital
to protect against unauthorized remote access. (To secure
your data against someone who can physically access the computer, use
Windows’ built-in encryption
or a competing free encryption
program.)

You can secure and anonymize Windows without buying any software. All
the programs mentioned in this article are free, except one which is
specifically
noted.

It’s
always a
good idea toback up Windows prior to changing it. Use Windows’ System Restoreor
System Protection feature to make a backup or “restore point” for
Windows: Start
-> All Programs -> Accessories -> System Tools -> System
Restore
.

Firewall

The first step to securing Windows is verifying that it has a
functioning firewall.
Firewalls
prevent unauthorized connection to the computer from the
outside. An internet-connected Windows computer without a firewall will
be quickly compromised. You don’t want to spend time cleaning up
Windows by running anti-malware programs until you’ve secured it with a
functioning firewall.

Windows XP came with either of two different firewalls
(depending on the release). Both secured the computer against incoming
connections, but neither could block unauthorized outgoing connections.
Windows 7
and Vista bundle a firewall that can also block outgoing
connections,
but by default this
feature is disabled. Windows ME, 98, and 95 did not come
with
firewalls.

In addition to protection against
incoming penetration attempts, you need outgoing firewall protection
tosecure an unknown
computer.
Otherwise, if
the computer is already
compromised and
sending out information, you will have no way to know it.
The
bundled
XP firewall will not
tell you.
Nor will the Windows 7 and Vista firewalls — unless they have been
specifically configured to block unauthorized outgoing connections.
Read how to enable outbound Windows 7 and Vista firewall
protectionhere
and here.

Outbound filtering can not guarantee that no information is sent from
a
compromised computer to the outside world, but it can stop many such
attempts. See this TechNet article
if you’re interested in the details about where outbound firewall
protection helps and what it can not stop.

If you
are refurbishing XP and need a bi-directional firewall for full two-way
protection you might try the free programs
listed at The Free Country:

I’ve
foundZoneAlarm
easy to set up and largely
self-configuring. Gizmo’s Freeware offers good reviews of free software
including firewalls
and also presents
user
feedback on which they think best.

Test the Firewall

When you are done configuring the firewall, test how well the computer
resists outside penetration by
running the free ShieldsUp!
program
.
ShieldsUp! probes your computer and tells you about any security
vulnerabilities it finds. (Those
concerned about privacy might also find it enlightening to see the
identifying system information your computer passes
to any web site you visit.)

Verify that your firewall blocks unauthorized outgoing connections by
downloading the free LeakTest
program from the same web site. Only firewalls offering
bi-directional protection will pass LeakTest.

Malware

Once you’ve secured your perimeter you’re ready to identify and
eliminate
malware from your computer. Malware
includes viruses, trojans, keyloggers, dialers, rootkits,
botware, spyware, worms, and adware. I recommend installing and
running
a number of free anti-malware programs, one after another, using this
procedure:

  1. Download the anti-malware program
  2. Install it (verifying no conflicts occur with existing
    anti-malware)
  3. Update it to the latest anti-malware definitions or “signature
    files”
  4. Full-scan the disk(s) with the program
  5. Remove infections (automatically and/or manually)
  6. If infections were found, re-run the same program to verify they
    are successfully removed

Install and run anti-malware programs serially — rather than in
parallel — to avoid possible program conflicts. It can be very
confusing when asked to identify which infections or potential
infections to remove when confronted with a long list of them from
several
programs running at once. The serial approach also makes handling
false positives easier. So while running anti-malware programs
one after another takes more time, it’s a more accurate way
to ensure you’ve identified and removed all malware.

If a program finds some malware and automatically removes it, re-run
that
same program a second time to ensure that the malware was successfully
removed. If you find persistent infections the anti-malware can not
automatically remove, you may have to get involved in the process
yourself with an analytical program like Trend Micro’s HiJackThis.

Why should you run multiple anti-malware programs? No anti-malware program has a 100%
detection rate
. Anti-malware
programshave different
strengths
and best identify differentthreats.

Often people tell me “I rely only on XYZ Anti-Malware and don’t need to
run any other program, because XYZ tells me my system is clean. Just
use XYZ Anti-Malware and you don’t need any other
anti-malware program.” This is fallacious reasoning. All the clean scan
by XYZ Anti-Malware tells you is that it
can’t
find any infections. This doesn’t guarantee your system is free
of infection. If you don’t understand this then
read about the complexities of malware detection at the AV Comparatives
web
site.
Orglance at this
list
showing how detection rates vary and that no program
approaches a 100% detection rate.

The table below lists effective free anti-malware tools I’ve used. The
two
middle columns of the table tell whether the free
version of the product provides real-time and/or batch disk-scanning
capabilities. You initially deep-scan the disks to clean a
computer. Then going forward, you’ll also want to install real-time
protection. Free products frequently change
their coverage so the two middle columns may become outdated if you’re
reading this article some time after it was published.

With apologies to the vendors, I’ve listed the popular short names for
their products instead of the longer formal product names. The links go
directly to each vendor’s web site. At most of them you simply click
the
“downloads” tab to download their free product.

Product:
Free
Real-Time

Protection?
Free


Disk Scanner?

Comments:
Ad-aware
Some (processes protection only)
yes
Best known for adware
prevention, detection & removal
avast!
yes
yes
Good general purpose program
Avira
yes
yes
Good general purpose program
AVG
yes
yes
Good general purpose program
a2 (or
a-squared)


now known as Emsisoft Anti-Malware
no
yes
Good general purpose scanner.
Real-time protection was dropped from the most recent free version.
Clamwin
Some

(email only)
yes
Slower scanner than some of the
others but thorough and yields usefully different results.
HiJackThis no
yes
Best product for manual removal
of infections that other products can not automatically remove.
Requires
your involvement and expertise.
Malwarebytes no
yes
Good general purpose scanner
RootKitRevealer no yes Specialized but keys on a very important threat — rootkits.
Requires your involvement and expertise.
Spybot Search and
Destroy

yes
yes
Best known for spyware detection
& removal
SpywareBlaster
yes
no
Best known for Internet Explorer
and Active X defense
SpywareGuard
yes
no
Best known for spyware prevention
WinPatrol
yes
no
Best known for intrusion
prevention

Find good summaries of free anti-malware programs at The Free
Country’s web pages on anti-virus,
spyware
&
browser protection,
and intrusion
prevention
programs. Gizmo’s Freeware has a nice list
of what they consider the better free programs as well as comparisons
and reviews. CNet’s download
site
for free software also offers good product evaluations.

I’ve excluded Microsoft’s own tools from the above chart because I
don’t
have experience with them all. Microsoft’s anti-malware programs have
evolved from Windows Live
OneCare
(once known as Windows OneCare Live), to Windows Defender
(once known as Microsoft Anti-Spyware), to their current offering, Microsoft
Security
Essentials
(also known as MSE). Along the way
Windows Update (once known as Automatic Updates) downloaded and
installed the Microsoft
Malicious
Software Removal Tool
(also known as MSRT).

Whew! That’s
a long and winding road. The good news is that with its current free
product, MSE,
Microsoft has drawn a bead on malware with a very effective
product. Kudos to Microsoft for making MSE freely available. MSE is not
bundled with Windows so you have to download and
install it.

Spyware and Adware

The next step in securing your unknown PC is to identify and prune
unneeded processes
from the:

  • Startup list
  • Systray
  • Services
  • Scheduler

Spyware and adware often lurk in
these locations.Typical consumer computers are chock full of
unneeded programs, at least a few of whichare usually spyware.
Use the free program WinPatrol
to manage and
clean all four of these locations.

The same thought applies to Internet Explorer. You want to review its
installed
add-ons — Browser Help Objects (BHO’s), toolbars, and extensions.
WinPatrol makes
it easy to disable and eliminate whatever you don’t want. A
typical Windows user’s computer is jam packed with IE add-ons, most of
which the users don’t even realize are present.

Cleaning up these four areasbenefits performance as
well as security.

Software Updates

A key vector through which malware strikes is through common software
applications that many consumers neglect to keep updated. These include
Windows itself, Adobe PDF and flash video, browsers like Internet
Explorer and Firefox, email readers like Outlook and Outlook Express,
media players like RealPlayer, and other
widely-used applications. You need to update software to the latest
fixes to ensure security going forward.

Start with Windows and download and install all possible Microsoft
updates. What’s available will depend on your Windows verison and
release. If you have a computer that has not been used in awhile, you
might find that Windows updates come in several waves (groupings), each
of which will be applied and require a reboot before the next wave of
updates. It’s not unusual to spend a very long day downloading and
installing Windows updates on a neglected computer.

One big issue to consider in revitalizing Windows is whether and when
Microsoft ends support for the version of the product with which you’re
working. Windows XP is in the midst
of Microsoft’s de-support process. Other Windows versions are already
de-supported. If this concerns you,check the discussion
in my previous article on the larger issues of selecting operating
systems for refurbishing. (This article assumes you’ve already decided
to secure
Windows and helps you do it.)

After
Windows update, move on to updating common programs. While you’re at
it, verify that the “automatic updates” option is enabled for each.
Or for better control, consolidate and manageall
application updates through the Windows Scheduler.

If you have many programs to update you might run the free Secunia
Software
Inspector
. It detects and reports on
out-of-date programs and helps ensure that all ^aEURoebug
fixes^aEUR are applied.

Standard Windows Security Settings

Given an unknown computer,
you can’t assume that the previous user(s) followed any of the
“standard” Windows security advice of whichyou’re aware.
For
example, check Share settings for files, disks, and printers; look for
well-known security holes that have come up over the years like Windows
Messenger or other IM tools; check for remote access through Services
like Remote Assistance and Terminal services; configure Internet
Explorer how you normally would in regards to active scripting and
similar security issues; disable
auto-run for CDs, DVDs, and USB memory sticks; turn off automatic
message
preview in Outlook; check
for bit-torrent shared disks or folders. Whatever
you normally change in Windows to secure it for yourself, you must
check and set on this computer you’re revitalizing.

Your list
of “standard” Windows security settings may differ from what I’ve
listed here.
The point is that you need to set Windows security settings on any
revitalized computer just as you would your own.

Anonymization

I call the process of removing all reference to previous users of a
system anonymization.
Some don’t consider anonymizing an unknown computer worth their
time. After all, it doesn’t affect their use of it. Others consider it
essential. For example, what if the previous owner
illegally downloaded music, software,movies, photographs, or
pornography? You
want to make sure
this stuff is fully eliminated from the computer before you use it or
pass it on to someone else. Here I’ll just hit the
highlights of how to anonymize Windows.

First, securely delete the data files owned or created by
previous users. If the users followed the convention of storing their
files in the My Documents or Documents folder, it will be trivial
to
locate and delete them. The Windows Search function makes it easy to
find data
files of a particular type stored elsewhere, such as photographs,
videos, music, Office files,
etc. Be sure to delete other obsolete large files like *.zip archives
and *.iso disk images.

Use programs
like Eraser to securely
delete
files by over-writing them. Another option is the last
free
version of BCWipe.
Remember, if you don’t over-write a deleted file, it could be possibly
be retrieved later by someone using the proper un-delete
utility. This is because Windows
delete/ empty Trash
sequence just removes a directory pointer to
a disk file. It does not affect the file itself. So that file could be
un-deleted with the proper tool until Windows re-uses its space at some
random point in the future.

In the United States, law enforcement uses full-disk scanning software
that will find files on disk that have not been securely deleted
(over-written). The American courts generally consider that any files
found on the computer belong to the owner. So if you pick up an unknown
computer and do not find and securely delete any illegal files, as the
new owner you are considered
liable for those files.

You’ll want to delete the old user accounts and replace
them with
your own set of user logins. Each new account should have an
appropriate
authorization level.
Make sure all the passwords you create are good
ones — long strings, mixing together characters, digits, and special
characters, with both upper- and lower-case alphabetics. Ensure that
Windows presents a mandatory login
screen upon start-up. (I get so many donated computers that let anyone
into Windows merely by turning
on the computer.)

While it’s easy to delete old users and their files, it’s
more difficult to remove previous user information from
application configuration files and to find and delete all their
profiles. Be sure to securely delete their email if it’s stored on the
computer. Most
difficult of all is ensuring that all reference to the users is removed
from
the
Registry. You might be able to use Windows Registry Editor to search
for
their logins and names to remove their Registry
references. Or you
might find this process next to impossible. It all depends on their
previous use of the computer, and the applications they installed and
configured.

Some items you need to find and securely delete to remove all trace of
previous
users include temporary files, temporary internet files, histories,
cookies, flash cookies, DOM storage, recently typed URLs, autocomplete
form history,
search autocomplete, most recently used (MRU) lists, log files, and
Index.dat files. Windows even keeps
a list of all the web sites anyone using the computer
ever visited. This can be found in
either one or two
locations, depending on whether Internet Explorer auto-complete is
enabled.

CCleanerdeletes
most of this tracking data. CCleaner is a free program but it
automatically
installs the Yahoo! toolbar on Internet Explorer — as far as I can
tell, without asking. If you prefer to avoid this you can download an
older version of the program that eschews this behavior from FileHippo here.

Couple CCleaner with PurgeIE
for Internet
Explorer users, or its equivalent for Firefox users, PurgeFox. Both are
free for 15 days of
full use and cost $19.95 thereafter.

The free program MRU-Blaster
deletes
all most-recently used traces.

My favorite approach to anonymization isto delete all possible
traces of
previous users of the computer — remove user accounts and
their profiles, delete their files,run the Disk Clean
utility, CCleaner,PurgeIE or PurgeFox, and do a Registry scan and
edit.Then run Eraser or BCWipe
one time as the final step in the process to fully over-write all
unused
portions of the disk and securely delete any “deleted” files. Finish up
by running the Windows defragmentation
utility on the disk to increase performance.

Summary

Securing mature Windows computers takes some time but is not especially
difficult. You can do it withfree software. In this article I’ve
hit the highlights of how to do this to reuse mature computers and keep
them in service.
Securing Windows is vital for any
computer that changes hands should
the new owner keep the existing Windows install.

Because of rootkits and like technologies, you can never be
theoretically certain that an unknown Windows computer you clean up is
completely secure. Only wiping the disk and cleanly installing an
operating system absolutely guarantees full security. But from a
practical standpoint, the procedures in this article ensure adequate
security for normal situations.

Anonymizing Windows is easy on a surface level, but requires real
expertise if your goal is to completely thorough. Many consider
anonymizing of
limited concern, so I’ve only treated this topic superficially here.
But keep in mind you really do want to securely erase the previous
owner’s data files, because these might contain illegally downloaded
music, videos, photographs, software, or pornography.

Next month I’ll describe how to performance tune
unknown Windows XP systems. This will be based on my new guide that covers all Windows
versions, How
to Tune Up Windows
. Meanwhile, please comment and
share
your own techniques for securing and anonymizing mature Windows
systems.

Howard Fosdick (President, FCI) is an independent consultant who
specializes in
databases and operating systems. His hobby is refurbishing computers as
a form of social work and environmental contribution. Reach him at contactfci at the domain name of sbcglobal (period) net.




Previous Articles in this Series:
Smart
Reuse with Open Source

How refurbishing defeats planned
obsolescence
Scandal: Most
“Recycled” Computers Are Not Recycled

What happens to many “recycled”
computers?
How
to Revitalize Mature
Computers

Overview of how to revitalize
computers for reuse
Other Resources:
How
To
Secure Windows and
Your Privacy

Free e-book tells
how to secure
Windows (July 2008)
How
to Tune Up Windows
E-book tells how to performance
tune
Windows (March 2010)

75 Comments

  1. 2010-09-06 10:08 pm
  2. 2010-09-06 10:22 pm
    • 2010-09-06 10:36 pm
    • 2010-09-07 12:04 am
      • 2010-09-07 4:48 am
    • 2010-09-07 2:06 am
      • 2010-09-07 4:49 am
        • 2010-09-07 6:28 am
          • 2010-09-07 6:40 am
          • 2010-09-07 7:43 am
          • 2010-09-07 9:30 am
          • 2010-09-07 10:55 am
          • 2010-09-07 11:40 am
          • 2010-09-07 2:11 pm
          • 2010-09-07 7:17 pm
    • 2010-09-07 6:56 am
      • 2010-09-07 8:03 am
        • 2010-09-07 9:50 am
          • 2010-09-07 9:59 am
          • 2010-09-07 10:54 am
          • 2010-09-07 3:00 pm
          • 2010-09-07 9:36 pm
      • 2010-09-07 9:31 am
        • 2010-09-07 10:37 am
          • 2010-09-07 12:42 pm
          • 2010-09-07 1:18 pm
          • 2010-09-07 1:37 pm
          • 2010-09-07 2:00 pm
          • 2010-09-07 1:51 pm
  3. 2010-09-06 11:04 pm
    • 2010-09-07 12:17 pm
  4. 2010-09-06 11:45 pm
    • 2010-09-07 2:00 am
    • 2010-09-07 2:10 am
      • 2010-09-07 3:31 am
        • 2010-09-07 3:15 pm
  5. 2010-09-07 12:05 am
    • 2010-09-07 12:20 am
      • 2010-09-07 3:55 pm
    • 2010-09-07 1:28 am
      • 2010-09-07 3:55 pm
        • 2010-09-07 4:48 pm
    • 2010-09-07 1:46 am
      • 2010-09-07 4:49 am
        • 2010-09-07 7:22 am
          • 2010-09-07 4:03 pm
          • 2010-09-07 5:57 pm
          • 2010-09-07 11:37 pm
    • 2010-09-07 8:01 am
      • 2010-09-07 4:00 pm
  6. 2010-09-07 12:32 am
  7. 2010-09-07 12:50 am
  8. 2010-09-07 4:44 am
    • 2010-09-07 5:36 am
      • 2010-09-07 8:10 am
        • 2010-09-07 10:24 am
        • 2010-09-07 2:31 pm
          • 2010-09-07 7:16 pm
          • 2010-09-07 7:20 pm
          • 2010-09-07 7:42 pm
          • 2010-09-07 8:22 pm
          • 2010-09-07 8:52 pm
        • 2010-09-07 4:12 pm
  9. 2010-09-07 4:59 am
  10. 2010-09-07 7:40 am
    • 2010-09-07 11:35 am
  11. 2010-09-07 9:30 am
    • 2010-09-07 9:44 am
    • 2010-09-07 11:46 pm
      • 2010-09-08 6:54 am
  12. 2010-09-07 12:16 pm
  13. 2010-09-07 9:25 pm
    • 2010-09-09 9:15 am
      • 2010-09-09 5:53 pm
        • 2010-09-10 3:40 pm