Tuesday, September 28, 2010

Windows XP Security - Protecting a Clean PC

Part two in a series on Windows XP Security. This article focuses on keeping a clean PC clean, that is, free of malware. We're going to start with the assumption that we have a newly loaded Windows XP machine, preferably from the manufacturer's recovery CD, not yet connected to the internet. It may even be the result of a cleanup on an infected machine, using the techniques described in the first article in the series.

The steps below can be done in virtually any order; however, do not place the clean machine directly on the internet without having installed a hardware router first. Don't wait to do it later: you're not as fast as the bad guys, because they're automated. Some may also question the necessity of installing this many tools. Each covers primarily one area, and together they implement what is known as "defense in depth".

As with the first article's selections, the tools chosen may not represent the absolute best of breed, but focus on availability (aka "free") and likely acceptance by the "average" Windows PC user. Based on personal experience with these recommendations, I believe they are within the grasp of all moderately experienced computer owners.

  1. Install a hardware router between your home network and the cable modem. Even if you only have one machine. Even if that machine is wired. Even if you don't think you can do hardware. The firewall built into the router greatly reduces both the threat to your PC and the network load on it. One I've recommended and installed for friends and family, and which is absolutely foolproof, is the Cisco - Linksys E1000.
  2. Install all updates from http://windowsupdate.microsoft.com . Configure automatic updates to occur on a scheduled basis, using the link on the site. Note the firewall warning in step 4 below.
  3. Set a system restore point following the instructions at http://www.microsoft.com/windowsxp/using/helpandsupport/getstarted/ballew_03may19.mspx . This can be done multiple times when known good configurations are achieved and in theory reverted to in the event of system corruption.  This is a good point to make the first one.  Learn how to restore from one too, before you need to.
  4. Install a firewall that blocks outbound connections. This is noisy at first, because the first time you start each application the firewall will ask whether you want to allow the connection. If you can be certain that the requested action is the direct result of an application you started, create a rule for it and you won't be asked again. One caveat is that you may have to run system updates manually, as the firewall can block this process. Well worth it. My recommendation here is Comodo: http://www.comodo.com/home/download/download.php?prod=firewall
  5. Install Microsoft Security Essentials. This contains anti-virus and anti-spyware from the mother ship, for free: http://www.microsoft.com/security_essentials/ Note that the vast majority of anti-virus applications on the internet are frauds; they themselves are malware. Choose from a major vendor or a trusted freeware evaluation. These recommendations focus on free software tools. Particularly in the anti-virus space, there are excellent paid alternatives such as (in alphabetical order) Kaspersky, McAfee, Nod32, Symantec and Trend Micro. Your ISP may provide one as well.
  6. Install a monitor that watches for applications being added to any of the multiple startup areas on your PC. You will be asked for permission before the application (or malware) can embed itself there. Don't just say "No" to malware attempting to install an auto-start entry, however; you'll still need to deal with the malware running somewhere on your machine. One warning: some programs that have auto-updaters will attempt to install their "Check for updates" program each time they're loaded. It can be a nuisance, but the trade-off is improved performance and free memory. You choose. My recommendation here is Startup Monitor: http://www.mlin.net/StartupMonitor.shtml
  7. Switch from Internet Explorer to Firefox. I'm not going to wade into the fervor that surrounds this one; however, there are several add-ons to Firefox that I feel make the difference for the average user. Install Firefox from Mozilla, then the following add-ons: AdBlock Plus and, optionally, NoScript. NoScript may disable valid functionality on sites, which you can re-enable on a per-site basis (the discussion can get complicated quickly on this one). Like the firewall, this activity lessens over time, but it helps reduce some browser-based exploits on untrusted sites. http://www.mozilla.com/en-US/products/download.html
  8. Install McAfee SiteAdvisor to provide a first-level threat rating of sites returned in Google searches: http://www.siteadvisor.com/ This ties directly to a safe computing recommendation (for the next article): never type a URL directly; search for it, then click the correct result.
  9. Install Microsoft DropMyRights and configure it so that Firefox, Internet Explorer and Outlook Express, for example, can be run from non-administrator icons: http://msdn2.microsoft.com/en-us/library/ms972827.aspx The following article de-mystifies the implementation: http://cybercoyote.org/security/drop.shtml An alternative, which is even better, is to run everything as a non-admin, as described below.
  10. Run as a non-administrator. This really should be first (second behind the hardware router/firewall), but it is last because of the amount of software to be installed in the steps above. In daily computer usage, new programs are almost never installed, so administrator rights are not needed and in practice are almost always a bad thing. Open the Control Panel, start the User Accounts applet and create a new account. Give it administrator-level rights. Log in as the new administrator account, open the User Accounts applet again and drop your original account to a standard User. Ensure that the Guest account is disabled. Ensure that all accounts have non-trivial, different passwords. Log in to the original account. You're done; start surfing. If you ever find the need to run something as an administrator, don't log in to the administrator account; instead, right-click the program, select Run As... and choose the administrator account you created.
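Step 10 scripted with Windows XP's built-in net and runas commands, as an added example that is not part of the original post. The account names alice (everyday account) and pcadmin (new admin account) are placeholders, and the script adds the check the User Accounts applet does not give you: confirming that the everyday account has really left the Administrators group.

```batch
@echo off
rem Added example, not from the original post. Placeholders: "alice" is the
rem everyday account, "pcadmin" the new admin-only account. Run once from a
rem command prompt under an account that is still an administrator. The
rem group change takes effect at the next logon of "alice", so the later
rem commands in this run still succeed even after she is removed.
setlocal
set EVERYDAY=alice
set ADMIN=pcadmin

rem 1. Create the dedicated admin account. The "*" makes net user prompt
rem    for the password instead of leaving it in the command history.
net user %ADMIN% * /add /comment:"Admin account for installs only" || goto fail
net localgroup Administrators %ADMIN% /add || goto fail

rem 2. Drop the everyday account to a standard user: out of Administrators,
rem    into Users (the second command is harmless if already a member).
net localgroup Administrators %EVERYDAY% /delete
net localgroup Users %EVERYDAY% /add

rem 3. Disable the Guest account.
net user Guest /active:no || goto fail

rem 4. Check: net localgroup lists members one per line, so an exact,
rem    case-insensitive line match means the account is still an admin.
net localgroup Administrators | findstr /i /x "%EVERYDAY%" >nul
if %errorlevel%==0 (
    echo FAILED: %EVERYDAY% is still a member of Administrators
    goto fail
)
echo OK: %EVERYDAY% is a standard user and %ADMIN% is the admin account.
echo To install software later without logging in as %ADMIN%, use:
echo     runas /user:%COMPUTERNAME%\%ADMIN% "C:\path\to\setup.exe"
endlocal
exit /b 0

:fail
echo A step failed; review the output above before continuing.
endlocal
exit /b 1
```

The runas line printed at the end is the command-line equivalent of the right-click Run As... choice described in step 10.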
One step not listed above, because it isn't really a preventative step, is backing up your data. Select a program and process that is workable for you, then execute it on a regular basis. How often depends on how frequently your data changes and how much you can afford to lose. I would personally recommend backing up to an external hard drive. Others favor burning to DVDs with an offsite storage rotation. Just do something.

While we're at it, if you're using an always-on desktop PC, consider investing in an Uninterruptible Power Supply (UPS). Not only does it provide battery backup in the case of power failures, it can also condition the line voltage to extend the life and reliability of your equipment.


Additional information on protecting your Windows PC can be found at http://www.microsoft.com/security/pypc.aspx and many more places on the web.  Remember "Google is your friend."

Disclaimer - no warranty is expressed or implied by this article.  Proceed at your own risk.  Understand all directions and consequences before using any tools or making any system modifications.  I have no affiliation with any product, service, or retail establishment listed above as they are given for illustration purposes only.
