MVP-HELP for Windows

Windows Security Checklist: To Do and Do Not

Posted on March 1, 2009 at 4:41 PM

Windows Security Checklist: To Do and Do Not (revised)

by Larry Stevenson, aka Prince_Serendip, MVP - Consumer Security
First Published: December 5, 2004
Revised and Updated: Sunday, March 1, 2009

No single application or technique can protect you 100%, but you can still get pretty close. Windows users who follow these guidelines can bring their chances of being infected by malware almost to zero. We have already covered firewalls and antivirus applications. Now we begin the next installment of the Windows Security Checklist: To Do and Do Not.

It is not as complicated as it may first appear, although there is a lot of information to absorb. The experts at Spywarehammer.com can help you if you have questions about any of these techniques and applications. The applications featured here are compatible with all Windows platforms, unless otherwise noted.

Be very cautious if you feel you must use any P2P (peer-to-peer) network service for sharing/swapping files across the Internet. In fact, we would prefer you do NOT use P2P programs such as BitTorrent, BearShare, BitComet, etc., at all, as these can be conduits for malware. These programs may not have malware in them, but when you share files with other computers, you also share their dirt. Mud pies, anyone?

Do not expose any drive folder other than the one chosen for access by these services. Secure your sensitive files on any computer you use to connect to the Internet. Do not place private files in folders that are configured as shared. Keep your virus scanner and firewall on at all times. Better yet, use a File/Folder Access Protection application to lock access to all other areas of your hard drive. Applications you could use are:
WinPatrol: http://www.winpatrol.com/
FileChecker: http://www.javacoolsoftware.com/filechecker.html
WinGuard Pro: http://www.winguardpro.com/

Secure your Instant Messages (IMs). A good idea is to use an IM encryption utility to secure your MSN, Yahoo, or AIM messages. Some encryption utilities must be installed at both ends of the conversation. ZoneLabs Extreme Security: http://www.zonealarm.com/security/en-us/zonealarm-extreme-security.htm and
Trillian Pro/Basic: http://www.ceruleanstudios.com/downloads/ provide encryption security for Instant Messaging. Trillian Basic is free.

Disable file transfers in IM programs: this feature can share more than you intend unless you take steps to control it. MSN, AIM, .NET Messenger, and others let you disable file transfers from the Preferences or Options menus. If someone wants to send you an image or file, be certain it's a trusted source; otherwise use e-mail to verify that their request is valid.

Do remember that even though only one computer is actually making the Internet connection, any other computer sharing that connection, or sharing files on a network, needs the same protection.

Do require a login user name and password for every computer connected to your Local Area Network (LAN). For any hard drives that are configured as shared: Windows XP and Vista users - do not configure share permissions to allow "anonymous logon" or any access by groups or users outside your LAN.
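One way to check the share-permission advice above on your own computer, added here as an example (it is not from the original article): the script lists non-administrative SMB shares whose permissions grant access to Everyone, ANONYMOUS LOGON, or the Guest account. It assumes Windows 8 / Server 2012 or later, where the SmbShare PowerShell module (Get-SmbShare, Get-SmbShareAccess) is available.

```powershell
# Added example (not part of the original article). Lists SMB shares on this
# computer whose share permissions allow "Everyone", "ANONYMOUS LOGON" or the
# Guest account. Assumes Windows 8 / Server 2012 or later (SmbShare module).
$broadPrincipals = @('Everyone', 'NT AUTHORITY\ANONYMOUS LOGON', 'ANONYMOUS LOGON', 'Guest')

function Get-BroadShareAccess {
    # Skip the administrative shares (C$, ADMIN$, IPC$), which Windows marks as Special.
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            # Compare both the full account name and the part after the backslash,
            # so "BUILTIN\Guest" and "Guest" are treated the same.
            $short   = $ace.AccountName -replace '^.*\\', ''
            $isBroad = ($broadPrincipals -contains $ace.AccountName) -or ($broadPrincipals -contains $short)
            # Only Allow entries widen access; a Deny entry for Everyone is not a finding.
            if ($isBroad -and $ace.AccessControlType -eq 'Allow') {
                [pscustomobject]@{
                    Share   = $share.Name
                    Path    = $share.Path
                    Account = $ace.AccountName
                    Right   = $ace.AccessRight
                }
            }
        }
    }
}

$findings = @(Get-BroadShareAccess)
if ($findings.Count -gt 0) {
    "Shares granting broad access (review these permissions):"
    $findings | Format-Table -AutoSize
} else {
    "No share grants access to Everyone, ANONYMOUS LOGON or Guest."
}
```

Share permissions are only half the picture: the NTFS permissions on the shared folder also apply, so a folder that is locked down on disk stays protected even if the share entry is broad.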


Do not let a downloaded application or any other downloaded executable launch on its own unless you're certain it comes from a trusted source. Be cautious of downloading files that end in .exe, .bat, .vbs, or .com. Scan them with your antivirus or anti-malware applications BEFORE unzipping and opening them. Most anti-malware applications allow individual file scans by right-clicking them. Do not expect their real-time monitors to catch them all.

Do not accept and run an ActiveX control or Java class unless it is signed and comes from a trusted site. It is best to force your browser to prompt you for permission. If you are using Internet Explorer, these settings are located under Control Panel > Internet Options > Security > Internet - Custom Level. Mozilla, Firefox, and Opera users are prompted by default.

If you are using Internet Explorer, disable "Allow software to run or install even if the signature is invalid" so your browser is forced to prompt you whenever additional components are needed to display certain content. This setting is located under Control Panel > Internet Options > Advanced - Security.
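The two Internet Explorer settings above can be checked without clicking through the dialogs. The following PowerShell script is an added example, not from the original article: it reads the Internet zone (zone 3) ActiveX actions and the "invalid signature" switch from the current user's registry and reports whether each matches the checklist's "prompt, don't run silently" advice. The registry locations, action IDs and the "recommended" column are this example's own assumptions about where IE stores these options and how the checklist should be read, not values given in the article.

```powershell
# Added example (not part of the original article). Audits the Internet zone
# (zone 3) ActiveX settings and the "invalid signature" switch against the
# checklist's advice. Registry paths/IDs are assumptions of this example.
# IE stores each action as a DWORD: 0 = Enable, 1 = Prompt, 3 = Disable.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$labels  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
# "Want" is this example's reading of the checklist (prompt for signed
# controls, never run unsigned or unsafe ones), not an IE default.
$checks  = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';              Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';            Want = 3 },
    @{ Id = '1200'; Name = 'Run ActiveX controls and plug-ins';             Want = 1 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX not marked safe'; Want = 3 }
)

foreach ($c in $checks) {
    # A missing value means the user never changed it and IE's built-in default applies.
    $value = (Get-ItemProperty -Path $zoneKey -Name $c.Id -ErrorAction SilentlyContinue).($c.Id)
    if ($null -eq $value) {
        $current = 'unset'
        $status  = 'CHECK (IE default in effect)'
    } else {
        $current = if ($labels.ContainsKey([int]$value)) { $labels[[int]$value] } else { "value $value" }
        $status  = if ([int]$value -eq $c.Want) { 'OK' } else { 'REVIEW' }
    }
    '{0,-48} current={1,-9} recommended={2,-8} {3}' -f $c.Name, $current, $labels[$c.Want], $status
}

# Advanced > Security > "Allow software to run or install even if the signature
# is invalid" is stored as RunInvalidSignatures (1 = allowed, 0 = blocked).
$dlKey = 'HKCU:\Software\Microsoft\Internet Explorer\Download'
$ris   = (Get-ItemProperty -Path $dlKey -Name RunInvalidSignatures -ErrorAction SilentlyContinue).RunInvalidSignatures
if ($ris -eq 1) { 'RunInvalidSignatures=1: software with an invalid signature may run (REVIEW)' }
else            { 'RunInvalidSignatures off or unset: invalid signatures are blocked (OK)' }
```

Run it in a normal (non-elevated) PowerShell window, since the settings live under the current user's hive; anything reported as REVIEW can be changed through the dialogs the checklist names.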


Do not enable JavaScript for e-mail or e-mail attachments. While JavaScript may be fine for Internet browsing, it can be dangerous when enabled for e-mail. For more detailed instructions on how to disable JavaScript in Outlook and Outlook Express please go to: http://www.emailprivacy.info/disable_javascript

Disable HTML and USE PLAIN TEXT for e-mail. Use an e-mail content filter for web bugs and embedded content originating from a server other than the one belonging to the sender of the e-mail. Some current e-mail worms execute as soon as you view HTML-formatted content. Disable preview panes when accessing your mail. Check here for instructions to turn them off in Outlook and Outlook Express: http://apcsnh.com/vacm/previewpaneoff.html

Always view e-mail attachments separately and only after they have been scanned for malware. Downloading them won't hurt your computer even if they are infected; it's only when you open them that they deliver their dirt. Even after proper scanning there's still a chance they can infect your computer, if their dirt evades your anti-malware scanners.

Do not submit forms asking for private data over an insecure (non-https) connection. Watch the address bar at the top of your browser when filling out forms online. If it begins with "http:" rather than "https:", do NOT fill out and submit the form if it's asking for private or personal information.

Never use e-mail to send private financial information such as credit card or bank account numbers, or your SSN/SIN (US/Canada). Even if you use encryption and the e-mail is for legitimate business, you cannot be certain that the recipient will protect this information once it is delivered and unencrypted.

Never respond to e-mail asking for private information. Telephone your financial institutions and ASK them about it. Any e-mail requesting your credit card or bank account numbers, or SSN/SIN, either by e-mail or by a web site link, is likely to be an identity theft scam. Never click on any links in such e-mail messages. Many banks will NEVER e-mail you about personal banking matters. If in doubt, check it out!

Be sure your browser is SSL-capable (Secure Sockets Layer) and that the encryption strength, or cipher strength, is not less than 128-bit. Most secure websites for banking and credit card companies will not accept browsers with less.

As always, keep your operating system (OS) and browser up-to-date, in addition to any service or application that has access to the Internet. Apply updates and patches from Microsoft as they are released. To learn more about what is being updated on a timely basis please go to Calendar of Updates at: http://www.calendarofupdates.com/updates/calendar.html

Best regards and always take care of your security.


This document is provided "AS-IS" without warranty, and confers no rights.