mechBgon's guide for first-time PC builders... Best practices for ongoing security

How to secure your Windows PC

Use a layered defense.

Don't rely on just one type of defense (such as antivirus software). Use multiple overlapping layers of defense. Some of the most powerful layers of defense are already built into Windows, or even built into your hardware. Make full use of them. Your digital assets generally don't come back once they're stolen, so don't wait for the bad guys to make the first move.

It's 2013. Should I get Windows 7 or Windows 8 for my new build?

From a security standpoint, Windows 8 is the clear choice, and be sure to get 64-bit. I don't blame you if you don't like the schizophrenic Windows 8 dual user interface, but there are many Start Menu replacements you can get for free or under $5 that will give you a Windows 7-style user experience while you keep the security benefits of Windows 8. I personally use StartIsBack.

OK, I'll get 64-bit Windows 8 for better security. If I'm building a new computer, is there anything else I should look for?

Get a motherboard that supports Secure Boot Secure Boot prevents a particularly nasty type of malware called a "bootkit." Before you install Windows, enable the Secure Boot option in the BIOS and ensure the motherboard's boot menu is set to UEFI only, no "legacy" option.
- How do I know if a motherboard supports Secure Boot? To begin with, it must have a UEFI BIOS, but that doesn't guarantee Secure Boot capability by itself. Using Gigabyte as an example, you can look up the motherboard you're interested in, then view the release notes for the motherboard's BIOS on their download page to see if there's a BIOS version that supports Secure Boot, in which case you may need to update the BIOS.
  
  If you don't see Secure Boot in the BIOS release-notes history, maybe the BIOS has always supported it, in which case you could confirm that by downloading the motherboard manual and looking for Secure Boot in the BIOS chapter. Alternately, you could email the motherboard maker to ask them. Secure Boot is a valuable feature, so I think it's worth the effort. I will occasionally update the list below with any manufacturers' published lists of Secure Boot-capable desktop motherboards as I discover them.
  - Gigabyte tells me the GA-Z77 family have Secure Boot BIOSes available or planned.
  - Intel's Secure Boot desktop motherboards
- How do I confirm Secure Boot is working? Run Windows PowerShell by right-clicking it and choosing "Run as Administrator," then run the command Confirm-SecureBootUEFI. If the result is TRUE then you're good. If you get any other result, then ensure Secure Boot is enabled in the BIOS and that you installed Windows with your BIOS set to UEFI Only (not Legacy) in the BIOS's boot options.
- I heard Secure Boot is evil because Microsoft is trying to lock out Linux users That's FUD. Secure Boot is the work of the UEFI consortium, whose members include several major Linux vendors. If Secure Boot is interfering with your plans, you can switch it off in the BIOS any time you want to. Microsoft isn't trying to lock out anyone but malware authors.
Get a CPU that supports Supervisor Mode Execution Prevention As of early 2013, this means an Intel processor with an Ivy Bridge core. SMEP is a new type of Data Execution Prevention that stops some types of privilege-escalation attacks at the CPU hardware, if the OS supports SMEP. Windows 8 does. Windows 7 does not.
Get Windows 8 Professional if you want to use Software Restriction Policy or Bitlocker The vanilla Windows 8 (non-Pro) doesn't have those options. Depending on how far you want to take your security, you might regret saving a few dollars by not buying Win8 Pro.
Consider a biometric fingerprint reader Near the end of this page, I added a section about biometrics, an affordable hardware add-on that helps you take your password security practices up a notch.

Shortcuts to the suggested layers (or just scroll down the page)

Use non-Administrator user accounts
Use a firewall and a router
Enable Automatic Updates and upgrade to the Microsoft Update engine
Uninstall software you don't use
Use Secunia's checkup to fix vulnerable software
NEW! Use the free Microsoft EMET security enhancement kit
Win7 and Vista users: update Internet Explorer to the latest version
Win7, Win8 and Vista users: keep UAC enabled
Use antivirus software
Disable or restrict AutoPlay
Recognize trojan-horse programs
Recognize phishing scams
Recognize scareware scams
Back up your important data
Advanced users: try Software Restriction Policy or Parental Controls
Additional easy tips

Suggested defense strategy for home computers

Don't use an Admin-level user account when you don't need Admin-level powers
Ideally, you do this step when you install Windows. The first user account is an Admin account by necessity. Create a second one, a Standard User account, to use for normal daily use. This limits the damage that a malware attack can accomplish. If you've been using a Computer Administrator account as your normal daily account, then create a new Administrator-level account, and then switch your own account(s) to Standard User. Don't use the Admin-level account for anything but Admin work.
Use firewalls
Firewalls prevent other computers from making unauthorized network contact with your computer. These unwanted probes could come from worm-infected computers that are trying to infect your computer, or from human or automated hacking attacks that attempt to access your computer.

When possible, use a router as a perimeter firewall to shield your whole network from outside intrusion. Then use the Windows Firewall (or another software firewall) as your computer's own firewall, to protect your computer from other computers that might be on the local network, or that might attempt an ad hoc connection using wireless networking.

If you use a dial-up connection to the Internet, then you can't use a router, but you can still use a software firewall. Your software firewall can also protect your computer when you're on someone else's network (such as public wireless, or at a LAN party or hotel); in those situations, use the "No exceptions" or "Block all incoming connections" checkbox as shown below for Windows XP, or the "Public" setting on Windows Vista and Windows 7:

Note: a hardware firewall and a software firewall work great together, but don't try to use more than one software firewall at the same time, since they may clash.

Routers need security, too! In brief, you should secure your router by:
1. Changing the default password to something else that isn't extremely easy to crack
2. Updating the router's firmware with the latest version from the manufacturer's website
3. If you're using wireless, then configure the router to use WPA2 encryption, not weak WEP or WPA encryption
4. If you're not using wireless, then disable it
5. Turn off your router's Universal Plug 'n Play (UPnP) feature unless you need it. If you do need UPnP, verify that it's not vulnerable by using Rapid7's handy one-click "Scan My Router" test.
Upgrade to the Microsoft Update engine, instead of just Windows Update
Enable Automatic Updates (click Start > All Programs > Windows Update).

Also, upgrade your Automatic Updates software to the full Microsoft Update engine, by going to the Microsoft Update website to get the upgrade. This keeps all your Microsoft software updated, not just Windows itself.

Microsoft Update will update more stuff than Windows Update does
Eliminate unnecessary "attack surface" by uninstalling software you don't need
The bad guys can't exploit something that isn't there, so uninstall software you don't use, by going to Start > Control Panel > Programs. Sun Java is heavily exploited, so remove all instances of Java unless you absolutely have to have it for something. Media players such as QuickTime and RealPlayer, instant-messaging and VOIP programs, email programs, web browsers, and other widely-used software are often exploited by the bad guys as well. If you don't need it, uninstall it.

Java. Not even once.
Keep your other software up-to-date
Use Secunia's free Personal Software Inspector at least once a month. By default, the PSI software starts up with Windows, but you can disable that behavior if you just want to use it for periodic checkups... open PSI and click Configuration > Settings, where you can disable automatic startup.

Statistically, less than 2% of Secunia's users are already fully up-to-date on the first try. How about you?
Install Microsoft's mitigation toolkit, called EMET
Microsoft created a free easy-to-use utility that has two functions: it lets you easily enable all the protective features on your version of Windows, and it lets you apply enhanced protective techniques to any programs you choose. Whether you've got Windows XP, Windows Vista or Windows 7, EMET provides extra protection.

Run EMET, click the "Configure System" button, and I recommend using the settings shown in the picture below. If you have old software that has issues with DEP, then you can change system DEP to "Application Opt-Out" and make exceptions on a case-by-case basis.

I heard there's a secret setting! TELL ME MORE. Yes, you can set the system ASLR to "Always On" if you edit a Registry key, but if your video-card drivers can't handle forced ASLR, then the system may BSOD during boot. Before you try it, update your video drivers to the latest version, create a System Restore point, and make sure you know how to use System Restore in a non-booting scenario. The Registry key to change is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET and change EnableUnsafeSettings to 1. If you're building a new system with a current or recent video card, you should be OK. If it boots without a problem, then keep using ASLR at "Always On."

Now click the "Configure Apps" button at the bottom of the window, and use EMET to provide extra protection to these types of programs, which you can find by browsing your Program Files and Program Files (x86) directories:
- All your Web browsers: Internet Explorer, FireFox, Opera, Chrome, Safari, etc. Protect IE even if you usually browse with something else yourself. On 64-bit systems, note that there's an Internet Explorer in both Program Files and Program Files (x86), so add them both.
- All your media players: VLC, Windows Media Player, RealPlayer, QuickTime, DiVX Player, etc
- All your Instant Messaging programs
- All your PDF readers: Adobe Reader, Foxit Reader, etc
- All your productivity software: find the executable files for your office software, such as Works, Word, Excel, PowerPoint, Publisher, or the OpenOffice equivalents, and add them.
- Sun Java, now Oracle Java due to a change of ownership (and if you don't really need Java, just uninstall it)
- P2P programs
- VoIP programs: Skype, etc
- Email programs: Outlook Express, Thunderbird, etc
- Any other programs you'd like to add. It won't hurt to add extras; for example, you can add all the executables in Adobe Reader's folder, not just AcroRd32.exe.
If you have old software that consistently causes Data Execution Prevention errors, you can change system-wide DEP to "Application Opt-Out" and use your Administrator account to make exceptions when necessary. In the picture above, you see that I added some "problem" programs to the exception list using the Add... button.
Upgrade to the latest version of Internet Explorer
Regardless of what your main web browser is, you should still install the latest version of Internet Explorer for security reasons. You can download it from this page.
Windows Vista, Windows 7 and Windows 8 users: don't disable UAC (User Account Control). Set it to "Always Notify."
Some of the best security enhancements in Windows Vista and Windows 7 depend on the User Account Control (UAC) system. If you disable UAC, you lose more than just the Continue / Cancel prompts that some people find bothersome; you're also losing file-system & Registry virtualization and Protected Mode. Set it to the "Always Notify" setting, as shown above. This change will stop certain attacks that would succeed if you were using the default setting.
Use antivirus software
Do install a current-generation antivirus program and keep it up-to-date. Run a full system scan every week or so. If you want a good free one, try Microsoft's own Microsoft Security Essentials (this is built into Windows 8 as "Windows Defender"). Update: Dude! Microsoft Security Essentials is now free for small businesses to use up to ten copies, not just home users!

Don't assume that your antivirus software makes you invincible! Nothing could be further from the truth! Use the other steps in this guide to protect your computer from attacks that your antivirus software doesn't recognize.
Disable or restrict AutoPlay
Your computer might be attacked automatically if someone connects an infected portable device to it. For example:
- USB thumb drives / flash drives
- memory cards
- CD or DVD discs
- external hard drives
- digital picture frames
- MP3 players
- other USB and Firewire devices that can store data
- ...or even a network share on another computer!
To eliminate this method of attack, simply disable AutoPlay.
Don't be fooled into running a Trojan Horse program on your computer
When you download and install software, you are lowering your own defenses and putting yourself at the mercy of the software's author. Don't do this lightly, because the bad guys will be happy to bypass all your security measures with a Trojan Horse attack, targeting you as the weak point in the computer's defenses. Do not expect your antivirus software to detect all Trojan Horse programs; that is not realistic thinking.

One common Trojan Horse attack is a web page that claims you need to download something before you can watch a video or view a picture (see the example picture below). They might claim you need a codec, a Flash Player update, an ActiveX update, etc. The bad guys keep using this simple tactic because people keep falling for it.

This is a trap!
Absolutely do not mess around with warez (illegal software), key generators, cracks, or any executable files you got from a P2P / file-sharing network; these are extreme risks. Also avoid websites that feature warez, serials, cracks or pornography, because those categories of websites are most likely to have malicious exploits built into them.
Phish: recognize fake emails and websites that try to steal your information
User education is the best defense against phishing. One common phishing technique is to send you an email claiming to be from a website like PayPal or EBay, Facebook, MySpace, or perhaps the IRS, Steam, or World Of Warcraft. The email contains a link to a faked version of the real website, where they hope you'll enter your log-in credentials or other private information, before you discover it's not the real website.
- Be skeptical Don't take any email at face value, no matter how official it looks. You should fully expect the scammers to send you authentic-looking emails posing as the Better Business Bureau, World Of Warcraft, Steam, MySpace, Facebook, the FBI, the IRS, PayPal, EBay, your bank, your credit-card company, your Internet provider, your retirement fund, etc.
- Don't click links in emails If you get an email containing a clickable link, don't click the link. Open a new Web browser and manually type in the real address of any site you need to visit.
- Don't be flustered by an urgent "call to action" Phishing emails often contain some sort of urgent language, to get an immediate reaction. For example, they might claim that your account has been suspended. Again, be skeptical, and don't take them at face value. If there's any doubt, then open a separate web browser, go to the real website by manually typing the address, and verify any claims for yourself.
- Display email as plain text If you use an email program like Outlook Express, Outlook, Thunderbird or Windows Mail to view email, set it to display email as plain text (see the program's Help file if necessary). Email won't look as pretty, but it unmasks faked links and content.
Scareware: recognize fraudulent "security" websites and fake "security scanner" rip-offs
Sooner or later, you'll encounter a scam website that makes hysterical claims that your computer is infected, and that you need to run their "scanner" to fix it. These scams are often accompanied by a slick-looking animated "scanner" that reports fictional "infections." Invariably, the victim is asked to pay money to register the bogus "scanner," so it can remove the fictional "infections."

The bad guys create new versions of these scams every day, and they're cleverly made. Don't freak out. Press CTRL ALT DEL, start Task Manager, go to the Processes tab, click on your web browser's process, and click END TASK to terminate the browser. The picture below shows why: it's a web page designed to look like your own My Computer window. Closing your browser ensures you're not being fooled by these types of tactics.

Above: one example of a fake "security scanner" website that is designed to fool, alarm, and defraud people. There are endless variants of these. This particular scam website is cleverly designed to look like your "My Computer" window, but it's all just an animated picture. I recorded a live demonstration of that site on YouTube, too. Check it out : )

These frauds may also make a special effort to look like a genuine Microsoft Security Center (check out this blog post at Microsoft for some pictures of a faked Security Center), or they borrow color schemes, wording, icons and logos from well-recognized brands like Symantec and Microsoft. Expect these tactics. Don't be alarmed, just close the web browser using Task Manager... do you remember how, without looking up the page for the instructions?
Back up your data!
If your computer died RIGHT NOW, or malware deleted important files, do you have a backup copy of your important stuff?

Well, do you?

Be wise. Establish a backup system, such as an external hard drive, and use it.

What's a suggested backup software? The simplest option is to copy your important files to a backup drive manually, using Windows Explorer. Go to C:\Users\ and copy the folder that belongs to your user account. These "profile" folders contain the Documents, Pictures, Videos, Favorites, Downloads and Desktop folders for each individual user account. If you have additional files in other locations, don't forget to back them up too.

Many versions of Windows have a built-in Backup utility you can enable. On Windows 8, you can connect an external drive and configure it for File History, which you'll find in Control Panel > System and Security > File History.

Advanced users: use Software Restriction Policy or Parental Controls

Software Restriction Policy works great when combined with a non-Administrator account. For versions of Windows that don't feature Software Restriction Policy, try the Parental Controls feature to accomplish a similar effect.

Additional tips

Windows 8 users: enable Enhanced Protected Mode EPM is enabled by default for the "Metro-style" version of Internet Explorer, but not the "Desktop-style" version. So start up the desktop version of IE, click the gear icon at the upper right, go to Internet Options > Advanced tab, and enable Enhanced Protected Mode, then restart the computer. If IE is not your primary browser, do this anyway. If you encounter a website that isn't EPM-compatible (usually because it relies on a plug-in that isn't EPM-compatible), then IE will offer you the option to disable EPM for that site, in which case IE would use standard Protected Mode for that website.

Windows 8 users: use the built-in PDF reader Windows 8 comes with a very secure PDF reader that updates itself using Windows Update so you don't have to. Give it a try before you install any other PDF reader. If it's not going to get the job done, then use the latest version of Adobe Reader and use the security tweaks shown below.

Windows 7 or Vista users: use Adobe Reader 11 for PDF files Adobe Reader got a major security overhaul with version 10, and even more tweaks with version 11, so uninstall any previous versions using Start > Control Panel > Uninstall a program and then install Reader 11. Also, disable its JavaScript setting, which you'll find in its menu under Edit > Preferences > JavaScript, as shown below, and see if it still works OK for your needs. This is a per-user setting, so do it for each user account on your system:

Keep this box unchecked unless it causes problems for you

Configure the Security (Enhanced) section like this, to put additional limitations on PDF content. You can override Protected View with one click if you need to:
Uninstall Java unless you really can't live without it To be blunt, Java is dangerous. Go to Start > Control Panel > Uninstall a program and uninstall it, unless you have an insurmountable need for it. And if that's the case, one practical way to minimize Java-related risk is to install a second browser, enable Java in it, and use it only for sites that require Java. Disable Java entirely in your daily-driver browser.
Don't use simple passwords at websites, and don't use the same password at multiple websites The danger isn't what you might think. If an attacker compromises a site's back-end server and swipes your password in encrypted form, he has all the time in the world to crack the encryption, and then he can log on as you on his first attempt, not by brute-forcing or guessing. Your password needs enough length and complexity to resist these offline cracking attacks for weeks at a time.

If one of your passwords does get cracked, and it's the same one you use elsewhere, then you could soon have a full-scale identity-theft crisis going on. Use strong passwords; it's entirely realistic to be using 16-character passwords for important sites like your bank or email. Avoid using dictionary words, even in "mangl3d" form, if you can avoid it. Consider using a password-manager program like LastPass or KeePass.

What about biometrics, like a fingerprint reader? There are benefits and drawbacks to biometrics. I think the proper perspective is that they simplify the use of different passwords for every site, and complex passwords that would be too difficult to use reliably if you had to type them. They also simplify the use of strong passwords for Windows log-on and elevation prompts, and no one can determine your password by "shoulder-surfing" while you type it.

If you'd like to try biometrics, pick up an Eikon fingerprint reader from Ebay, and download the free version of TrueSuite Premium from Authentec's site here. Save this download and the license key, because Authentec may stop providing it at some point. Avoid the old design of fingerprint readers, you want one like the ones shown below (or the TrueMe, which is basically the Solo). If your computer is a laptop with a built-in Authentec/UPEK swipe sensor, then you're all set; just try the free Authentec software I linked to above. tech specs on some of the Eikon family

avoid this type
I use Eikons at work and at home, and can remark on some drawbacks. Obviously I can't use them with chemical-resistant gloves on, and sometimes I injure my usual finger and have to re-register its temporarily-damaged fingerprint or fall back on a different finger. Also, if I change a password at a website, I have to change the stored password individually on each of my fingerprint readers.

Browser security: what about alternate Web browsers?

Use an alternate browser instead of Internet Explorer if you prefer, but don't make it your answer to security. All web browsers, and their add-ons and plug-ins, will always have exploitable security vulnerabilities. My top recommendation is to use Secunia PSI to make sure your browser add-ons / plug-ins are up-to-date, because a perfectly-secure browser can still be used to exploit a vulnerable version of Java, Flash Player, QuickTime Player, etc. Browser extensions are the big "attack surface" today, not the browser itself. This was brilliantly demonstrated by Flash-driven "clipboard hijacking" attacks in 2008 that worked on Linux, Mac and Windows, regardless of the web browser. And uninstall Java completely unless you really need it for something, because it's a real exploit magnet.

So you're not going to ream Internet Explorer? What kind of security guide IS this? I'd be happy to denounce the insecurity of Internet Explorer 6. By all means, avoid using IE6. Internet Explorer 10, with Enhanced Protected Mode, AppContainer, high-entropy ASLR and the rest of its security hardening and mitigations, is excellent.

Well I still don't want to use IE, because reasons. What's an alternative? Google Chrome, because it uses sandboxing and Low-integrity mode. But I recommend getting the "corporate" version that installs properly into the Program Files directory instead of into your user profile. You'll immediately discover why this matters if you try Software Restriction Policy, because your user profile becomes a no-execute zone. And that's the way it should be. The corporate-oriented version of Chrome is here: Chrome MSI.

Why don't you don't list any antispyware programs? Every other security guide seems to list three or four!

If you use the layered defense I've shown above, starting with a non-Administrator user account, then it's extremely unlikely that you'd need antispyware programs. If you want to install some anyway, here are some reputable free ones. Do note that the techniques used to "immunize" web browsers can cause them to be slower.

SUPERantispyware (the paid version adds real-time protection)
Spybot Search & Destroy
Malwarebytes

Eliminating tracking cookies Anti-spyware software and some antivirus software will detect "tracking cookies." They're not dangerous, but you can substantially reduce tracking cookies by disabling third-party cookies in your Web browser. In Internet Explorer, click Tools > Internet Options, set the slider to Medium-high, and then click the Advanced button on the Privacy tab. FireFox and other browsers can also block third-party cookies.

Get a Tracking Protection List Internet Explorer lets you add one or more Tracking Protection Lists. In IE9 or IE10, click the gear symbol at the upper-right, choose Internet Options, and click the Manage Add-Ons button on the Programs tab. Click on Tracking Protection and you'll see what to do from there.

I heard the Windows Firewall isn't very good For the purpose of keeping other computers (even those sharing your router) from attacking your own computer, it's fine. Windows won't let your non-Administrator account (or something exploiting your non-Administrator account) mess with the Windows Firewall settings either, making it especially tamper-resistant.

Some people want a "two-way" firewall that'll ask them before letting a program use the Internet connection, but these historically have been easy to fool, so I wouldn't place too much confidence in that capability. I use the Windows Firewall and simply maintain tight control of what's on the computer in the first place.

OK, I admit it... I browse risky websites. Any tips? In addition to the other steps listed above, create a separate non-Administrator user account just for high-risk usage. Edit the file-system security on your storage drives so this account doesn't have access to them. If something does get control of the account, it won't be able to get at your important files to delete them, encrypt them to hold for ransom, or steal copies of them. When I hunt malware in the wild, I do so from a separate non-Administrator account named "Malware Research."

Anything else? Since this is a guide to building a new computer, I strongly suggest getting 64-bit Windows 8 Pro, which is capable of Software Restriction Policy, Bitlocker, and Bitlocker To Go for your portable drives, and has support for Secure Boot, SMEP, and a host of other new security tweaks in the kernel and elsewhere. As I mentioned before, if the weird user interface on Windows 8 is a problem, then you can get a Start Menu replacement like StartIsBack or Stardock's Start8 for $5 or less. Your sanity is worth it ;)

Next: Resources