Saturday, June 19, 2010

Ways to Secure and Optimize Microsoft Windows Computers

Windows has a long history of security problems, performance issues and exploitable weaknesses, due to its design and implementation. Many of these issues can be mitigated, controlled or eliminated by performing these actions:

1. Build new systems with all updates and security fixes built-in. This is called a monolithic "bare metal" clean install, whereby all updates and service packs are slipstreamed into the initial installation media so that when setup has completed, the system is totally up-to-date and does NOT need to visit the Windows/Microsoft Update website to download any additional patches. Also, the default services (background processes running) are reconfigured to turn OFF any and all that are unnecessary or that provide attack vectors to hackers. Service trimming also results in systems that run faster and more reliably, and that have less capability to be infected or compromised. These systems are inherently more secure and reliable than vendor-purchased or store-bought (retail) PCs, as they have been updated, reconfigured and secured PRIOR to ever being connected to any network, especially the Internet.

1A. This same process can be applied to EXISTING PCs by preserving all data, reformatting the hard drives and reinstalling Windows and required applications. The backed-up data is restored and the system operates more securely, more reliably and significantly faster than before.
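One way to do the slipstreaming step from an elevated PowerShell prompt, using the DISM servicing tool that ships with Windows 7 and later (an added example, not the author's own script; the WIM, mount and update-folder paths and the image index are assumptions):

```powershell
# Added example: offline servicing of install.wim with dism.exe so the
# first boot already carries the patches. Run elevated; paths are assumptions.
$Wim     = 'D:\Win7SP1\sources\install.wim'   # writable copy of the install media
$Mount   = 'C:\Mount'                         # empty scratch directory
$Updates = 'C:\Updates'                       # folder of downloaded .msu / .cab packages
$Index   = 1                                  # edition inside the WIM (see /Get-WimInfo)

New-Item -ItemType Directory -Force -Path $Mount | Out-Null

# Inspect which editions the WIM contains before committing to an index
dism.exe /Get-WimInfo "/WimFile:$Wim"

# Mount the chosen image read-write
dism.exe /Mount-Wim "/WimFile:$Wim" /Index:$Index "/MountDir:$Mount"

# Inject every update in the folder; DISM accepts both .msu and .cab offline
Get-ChildItem -Path $Updates -Include *.msu, *.cab -Recurse | ForEach-Object {
    dism.exe "/Image:$Mount" /Add-Package "/PackagePath:$($_.FullName)"
}

# Confirm the packages are now recorded in the offline image
dism.exe "/Image:$Mount" /Get-Packages

# Commit the changes back into install.wim and release the mount
dism.exe /Unmount-Wim "/MountDir:$Mount" /Commit
```

The resulting install.wim is copied back into the media tree (or a bootable ISO/USB built from it), and the same media serves the reinstall-after-backup route described in 1A.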

2. On existing systems, it is imperative that they have all updates, security patches and hotfixes installed as soon as possible. Providing the system is not already infected or compromised, these updates will further harden the system and protect it from intrusion. Windows Update and Microsoft Update are the two main sources on the Web to analyze systems and download required patches, though there are other sources from both Microsoft as well as trusted third parties.

2A. Existing systems should be examined to determine whether any running services should be terminated or deactivated. Each service has one of three startup types - automatic, manual, and disabled. Sometimes it's advisable to alter the state of a service from automatic to manual, so instead of starting up at every boot, it runs only when needed by the system. Disabling a service will prevent it from ever running, and is an excellent method to secure and protect a Windows system.
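A report-first way to audit the Automatic services on a box, as an added example rather than the author's tooling (the allow-list is a constructed illustration, not a baseline to copy; `-Apply` switches candidates to Manual only once you have reviewed the report):

```powershell
# Added example: list Automatic services that are not on an allow-list and,
# with -Apply, move them to Manual. The allow-list is a constructed sample.
param([switch]$Apply)   # without -Apply the script only reports

$Allowed = @(
    'Dhcp', 'Dnscache', 'EventLog', 'PlugPlay', 'RpcSs', 'Winmgmt',
    'wuauserv', 'MpsSvc', 'AudioSrv', 'Spooler'
)

# Win32_Service exposes StartMode (Auto/Manual/Disabled), the account the
# service runs as, and the binary path; Get-Service shows none of these
$auto = Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto'"

$report = $auto | Select-Object Name, DisplayName, State, StartName, PathName,
    @{ Name = 'Listed'; Expression = { $Allowed -contains $_.Name } }

# Anything auto-started but not on the list is a candidate for review:
# check the path (unsigned binary in a user-writable folder?) and the account
$candidates = $report | Where-Object { -not $_.Listed } | Sort-Object Name
$candidates | Format-Table Name, State, StartName, PathName -AutoSize

if ($Apply) {
    foreach ($c in $candidates) {
        # Manual keeps the service available on demand; reserve Disabled for
        # services you have confirmed nothing on the machine depends on
        Set-Service -Name $c.Name -StartupType Manual
        Write-Host "Set $($c.Name) to Manual"
    }
}
```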

3. Performance can be significantly enhanced with regular filesystem maintenance, like deletion of temporary files and internet caches, defragmentation of hard drives to better organize and collect files, registry examination, optimization and repair, prefetch folder cleanup and reorganization, temporary folder and swapfile placement, virtual memory settings, and more. These changes can result in systems that boot faster, shut down faster, and operate more smoothly and with fewer errors (BSODs, lockups, spontaneous restarts, and the like).

4. Security software MUST be employed as additional layers of protection for Windows PCs. Even fully patched and up-to-date systems are still prone to user errors and drive-by malware installations.

4A. Foremost is anti-virus running in real-time, scanning all user and filesystem activity for infections or dangerous programs. This is especially important on systems that have access to the web, and doubly important for all PCs running Internet Explorer as the default browser.

4B. Next is some kind of anti-spyware that can do real-time checks of the system to prevent the installation of rogue software that can subvert all other protective measures (like fake anti-virus or security apps that look just like the real things). If bad software gets on a system, it's Game Over, so we MUST prevent this at all times. User training will only go so far, and the system must be able to defend itself at all times, even at the expense of performance.

4C. Some kind of software firewall will control both unsolicited inbound connection attempts as well as suspicious outbound connections. This can also be controlled by using an expanded, read-only hosts file or a freeware program like Peerblock which will prevent the system from connecting to IP addresses known to be dangerous or problematic.
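A quick check of the hosts-file part of 4C, added here as an example and not taken from the post: it confirms the read-only attribute is set and lists any entry that maps a name to something other than a blackhole address, since a hosts file that silently redirects update or security-vendor domains is a classic sign of tampering (the blackhole address list is an assumption).

```powershell
# Added example: audit the hosts file. Read-only is only a speed bump for
# anything running as administrator; the real guard is not running as one.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Blackhole = @('0.0.0.0', '127.0.0.1', '::1')   # assumed "blocked" targets

$file = Get-Item $HostsPath
if (-not $file.IsReadOnly) {
    Write-Warning "$HostsPath is writable; set the read-only attribute"
    # Set-ItemProperty -Path $HostsPath -Name IsReadOnly -Value $true  # to enforce
}

# Parse "address name [name ...]" lines, dropping comments and blanks
$entries = Get-Content $HostsPath |
    ForEach-Object { ($_ -split '#')[0].Trim() } |
    Where-Object { $_ } |
    ForEach-Object {
        $parts = $_ -split '\s+'
        if ($parts.Count -ge 2) {
            foreach ($name in $parts[1..($parts.Count - 1)]) {
                New-Object PSObject -Property @{ Address = $parts[0]; Host = $name }
            }
        }
    }

$blocked = @($entries | Where-Object { $Blackhole -contains $_.Address })
"{0} entries, {1} blocked names" -f @($entries).Count, $blocked.Count

# Names mapped to a real address deserve a look; localhost is the usual
# legitimate exception, anything else should be explained
$entries | Where-Object { $Blackhole -notcontains $_.Address } |
    Format-Table Host, Address -AutoSize
```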

5. Regular (non real-time) scans for these items will provide another layer of security, so that if somehow, some way real-time protections are ineffective or faulty, the daily or weekly scans will expose anything that might have gotten into the system. There are many very capable applications like Spybot and Malwarebytes AntiMalware that can clean up (as well as protect) a Windows box, and other tools like Viper and Norman can cleanse systems already infected by booting from a clean boot disk (CD or DVD) and scanning the entire hard drive.

6. A real-time network segment monitoring system, not connected to the internet, can be a great tool that observes all local network activity, examines firewall entries, and sounds alerts via email or IM in the event of a suspicious data transfer or LAN action. This monitor runs inside the firewall on the LAN, analyzing and logging all activity. Even if something is found later, having evaded all the above defenses (like sabotage or employee hacking), a log will be maintained that can be used to trace and identify the nature of any unauthorized activities or actions.

7. There is the notion that Linux PCs are less prone to security problems than Windows systems, and this is largely correct. The idea, however, that Linux systems are immune or impervious to viruses, malware, phishing or penetration is a myth, as ALL systems are inherently insecure and imperfect. By using Linux at the workstation, we avoid client-side, user issues like ActiveX and Internet Explorer security holes, HTML integration into the operating system (Outlook Express and Outlook are affected by HTML exploits), and the general attraction of Windows as an exploitable target due to its dominant installed base (as well as other evil motivations).

7A. Linux operates on a more secure level by making users sign in at boot time and run as a user, NOT administrator, and by requesting a password for any action that would change the system or affect its security or stability. Windows Vista and Windows Seven have added User Account Control (UAC), but this is easily circumvented by malware, and can be (and often is) deactivated entirely by users who tire of the constant request to verify whether what they are doing is indeed what they really want to be doing.

7B. Linux at the server can save considerable amounts of money, and while it may be more challenging to set up and administer, the initial licensing cost savings can be a significant offset. The reduction in exposure, from avoiding the inherent weaknesses of the Windows platform entirely, likely outweighs even the purchase savings. For example, prior to Vista and Seven, Windows users operated as full administrators by default, having complete and total control over everything on their systems, a capability shared by all programs (good and bad) installed on those systems.

This is only one approach to securing and optimizing Windows systems. Because of their pervasiveness in the world of technology, and due to the ever changing nature of the threats and their sources, we must reevaluate and retest our methods and processes continually to have any chance of remaining safe and secure in our computing. Be vigilant, stay aware, presume problems and have a multi-layered remediation plan available with properly trained people and capable, updated tools ready to be used anytime they are needed.

This is my method, my approach, and my perspective. Your mileage may vary (YMMV).

Thanks for reading. See you again next time.