
A Guide to Security and Privacy for Windows XP Home Edition


General Security Tips for Windows

Having secured your copy of Windows, you must now try to keep it secure in the future.

Configure Windows Update to download and install updates automatically, and/or regularly log on as the Admin-level user and run Windows Update from the Start menu. Windows lacks the central software repository that Linux distributions use for updating, so most non-Microsoft programs will not receive security updates through Windows Update. The free Secunia PSI program can help keep track of security updates for both Windows and the other programs you have installed. Pay attention to its notifications and install updates promptly, especially Windows updates and updates for any program that has any contact with the internet. Don't forget the less obvious cases, such as Adobe Acrobat/Reader and Flash Player (both of which have had serious vulnerabilities uncovered in recent months).

After installing a program or game, consider checking Windows Update to see if there is a security update related to what you just installed. This is particularly important if the program or game has internet access, or if its installer added a runtime or framework such as DirectX, .NET or a Microsoft Visual C++ redistributable, since these are patched through Windows Update independently of the program that installed them.

Bear in mind that much of the advice above involves gathering information and downloads from the internet. You may find yourself having to do this from a suspect or compromised system before reinstalling a clean one; treat anything obtained that way with suspicion, since a compromised system can tamper with what you download. Ideally, install a fresh system, hardened as much as possible, to download and learn what you need, and only then install the final secure system.

After Windows Update installs a major update (notably a service pack), re-check your firewall, network settings and services. Such updates sometimes enable or re-enable things that were previously disabled, or add new features.

Although virus-checkers normally run an 'on-access' (real-time) scanner that checks files as they are downloaded or opened, it is still a good idea to run a full on-demand scan regularly. For extra assurance, boot Windows in Safe Mode and run the scan from there: Safe Mode loads only a minimal set of drivers and services, so malware that conceals itself by hooking the running system is less likely to be active and therefore more likely to be detected. Safe Mode is not a guarantee, though; anything that has compromised the boot process or a device firmware can still be running.

Some programs have their own built-in updaters. Make sure they are enabled, or check them regularly. Mozilla Firefox and Thunderbird expose theirs under Help > About, though they should run automatically. Note that some updaters will not work properly unless the program in question is running under an administrator account. This is why it is worth checking them occasionally, or using Secunia PSI.

If you're running an Nvidia graphics card and installed their recent driver software, then you may also have installed their 'Nvidia Update' software, which will have established a service, punched a hole in your firewall (if you're using the Windows firewall) and even created a new user account. I'm loath to suggest anything that reduces an automated ability to update outdated software, but this seems to be going a little too far, in my opinion. Consider uninstalling the 'Nvidia Update' program, then check that the firewall exception and the user account really are gone, as uninstallers do not always remove what they created (on XP, 'net user' lists the local accounts and 'netsh firewall show allowedprogram' lists the Windows Firewall exceptions). If you do this, be sure to check Nvidia's site regularly for driver updates.

Configuring Zone Alarm

If you decide to use Zone Alarm, rather than Windows Firewall or another third-party firewall, then for a balance of ease-of-use and security I suggest taking the following approach.

Between version 9 and version 10, Zone Alarm moved to a more 'user friendly' interface. The downside is that a number of useful customisable options were removed.

Fortunately, previous versions of Zone Alarm can be downloaded from the Check Point website. I recommend the last version 9 release which, at the time of writing, is labelled 9.2.102.000 but actually downloads version 9.2.106.000, arriving as a file named 92.106.000_en.exe.

Select a custom installation (note that the installer adds a browser toolbar by default, which people often prefer to avoid). When asked during installation, add networks to the 'Internet Zone' rather than the 'Trusted Zone'. Set SmartDefense Advisor to Manual, but allow Zone Alarm to scan and configure programs automatically. Later, visit Program Control > Programs and prune the permissions to be stricter. In general, programs should be made to ask for permission if they wish to act as servers in either the Trusted or the Internet Zone. Disable auto-updating to stop Zone Alarm nagging you to upgrade to version 10. Running older software is generally not recommended, but the Check Point release history shows no security fixes between version 9 and 10, and I can't find any mention of a 9.2.106.000 (or 9.2.102.000) vulnerability on the CVE website, nor on the internet in general. So it's probably safe to use, bearing in mind that the absence of a published CVE is not proof of the absence of bugs, and that an unsupported version will receive no fix if one is found later, so it is worth re-checking this from time to time.

Hyperlinks, Google and Social Networks

Google scans the sites in its index for viruses and malware. Sites found to carry malware are flagged in the search results, or even removed from the listings. Links shared through social networking sites such as Facebook or Twitter do not necessarily get this protection. Twitter's limit on characters per message also encourages the use of shortened links, which hide the real destination of a hyperlink (a privacy-busting practice I've mentioned elsewhere). The privacy issues surrounding Facebook are better known.

Any hyperlink, or any downloaded file, can be checked in advance with VirusTotal, which runs it past many anti-virus engines at once. As with anything, this is unlikely to be 100% effective: a clean result only means that none of the engines recognised it at the time of the scan.
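The VirusTotal check can be scripted so that it runs on a downloaded file or a link before you open it. The following is an added example, not code from this guide, written against VirusTotal's public v3 REST API as VirusTotal documents it (file reports are looked up by SHA-256, URL reports by an unpadded URL-safe base64 identifier, authenticated with an x-apikey header). The API key is assumed to be your own, and SAMPLE_REPORT is a constructed response used to show how a verdict is derived without going online.

```python
"""Check a download or a link against VirusTotal before trusting it.

Added example; not code from this guide. Uses the VirusTotal v3 API:
GET /files/<sha256> and GET /urls/<id>, authenticated with an 'x-apikey'
header. Nothing is sent anywhere unless lookup() is called with a real key.
"""
import base64
import hashlib
import json
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"


def file_sha256(path):
    """Hex SHA-256 of a local file, hashed in chunks so large downloads are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def vt_url_id(url):
    """VirusTotal identifies a URL by its URL-safe base64 form with '=' padding removed."""
    return base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii").rstrip("=")


def build_request(kind, identifier, api_key):
    """Return (url, headers) for a report lookup. kind is 'files' or 'urls'."""
    if kind not in ("files", "urls"):
        raise ValueError("kind must be 'files' or 'urls'")
    return f"{VT_API}/{kind}/{identifier}", {"x-apikey": api_key}


def summarise(report):
    """Reduce a v3 report to a verdict. 'malicious' and 'suspicious' both count as
    flagged; a zero count only means no engine recognised it at scan time."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    engines = sum(stats.values())
    return {"flagged": flagged, "engines": engines,
            "verdict": "flagged" if flagged else "no detections"}


def lookup(kind, identifier, api_key, timeout=20):
    """Fetch and summarise a report. This is the only network call; needs a real key."""
    url, headers = build_request(kind, identifier, api_key)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return summarise(json.load(resp))


# Constructed sample in the shape of a v3 response (the numbers are made up).
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_stats": {
    "harmless": 60, "malicious": 2, "suspicious": 1, "undetected": 7, "timeout": 0}}}}


if __name__ == "__main__":
    print(vt_url_id("http://example.com/"))   # aHR0cDovL2V4YW1wbGUuY29tLw
    print(summarise(SAMPLE_REPORT))           # {'flagged': 3, 'engines': 70, 'verdict': 'flagged'}
    # Real checks, with your own key:
    #   lookup("files", file_sha256("setup.exe"), "YOUR_KEY")
    #   lookup("urls", vt_url_id("http://example.com/"), "YOUR_KEY")
```

Hashing the file locally and looking the hash up means the download itself never leaves your machine; only if the hash is unknown to VirusTotal would you need to upload the file, which is a separate decision if it might contain anything private. A 'no detections' verdict is deliberately not labelled 'clean'.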

More Advanced Security Issues

Writeable Firmwares

Unfortunately, hard drives are not the only components that can permanently store information (and therefore viruses and exploits). A computer is made up of numerous devices, some of which have their own permanent, writeable memory, used to store the firmware that makes the device work. Graphics cards, hard drives, motherboards (specifically the BIOS) and CD/DVD drives are all examples of devices that very often have writeable firmware. The space available for these programs is usually quite small, which makes it harder for someone to sneak in an exploit and still leave the device working, but not impossible, and firmwares seem to be getting bigger all the time.

The infuriating thing about this is that for some devices it is extremely difficult, or even impossible, to find clean copies of the manufacturer's firmware and the software tools required to write it. If manufacturers are going to put writeable firmware in their hardware, then they should either provide an easy way to restore a known-good copy, or fit the hardware with a physical switch (a write-protect jumper) that enables and disables the computer's ability to write to the firmware.

Motherboard and graphics card manufacturers are usually fairly good about providing firmware images and flashing tools, while trustworthy sources of firmware for drives are almost impossible to track down, in my experience. Routers also have programmable memory, but usually include, or make available, the tools for updating their software. Whatever the device, only flash an image obtained from the manufacturer, and verify it against whatever checksum or signature the manufacturer publishes for it.

Firmware seems to be a neglected aspect of anti-virus activity: as far as I know, no anti-virus software checks device firmware for suspicious data or activity.

Intrusion Detection

Linux has long had the free Tripwire program, and there are Windows equivalents. Tripwire-like programs scan every file on your computer (preferably from outside the operating system, for example booted from a CD) and store a 'fingerprint' (a cryptographic hash) of each file, preferably on external media that the operating system cannot reach, such as a memory stick that is removed after scanning; if the stored hashes sit on the scanned system, an intruder can simply rewrite them. By repeating the scan and comparing the hashes, the ID software can detect and report files that have changed, appeared or disappeared. If a change is suspicious (i.e. it did not result from user actions or known software updates), then the operating system is suspect. A properly operated ID system of this sort ought to be extremely effective, but it can be difficult to use, because it is hard to identify which changes are legitimate and inconvenient to take the operating system offline for as long as the scan takes. If an ID system does not scan from outside the operating system, an infected operating system could fool it into reporting no changes where there were some.
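Below is a small baseline-and-compare checker of the kind just described, added here as an example; it is not Tripwire and not code from this guide. It stores SHA-256 hashes in a JSON baseline, keeps paths relative to the scanned root so a scan from a rescue disc lines up with one from the running system, and lets you pass the files a known update touched as 'expected' so that only unexplained changes count. demo() runs the whole cycle on a constructed directory tree (the Windows-looking paths and contents are made up), with the baseline written to a separate location standing in for the removable memory stick.

```python
"""Tripwire-style file integrity check: hash everything once, hash again later, diff.
Added example; not Tripwire and not code from this guide. The baseline JSON must live
off the scanned system (e.g. a memory stick unplugged afterwards) or an intruder can rewrite it."""
import hashlib
import json
import os
import shutil
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB pieces so large files are not read into RAM


def hash_file(path):
    """Hex SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Hash every regular file below root. Paths are stored relative to root with '/'
    separators so a baseline taken from a rescue CD (drive mounted elsewhere) still lines
    up with one taken from the running system. Unreadable files are listed, not dropped."""
    files, unreadable = {}, []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                files[rel] = hash_file(full)
            except OSError:
                unreadable.append(rel)
    return {"files": files, "unreadable": unreadable}


def compare(old, new, expected=()):
    """Diff two baselines. Paths in `expected` (files a known update rewrote) are
    reported separately so that only unexplained changes make the result suspicious."""
    old_f, new_f, expected = old["files"], new["files"], set(expected)
    added = [p for p in sorted(new_f) if p not in old_f]
    removed = [p for p in sorted(old_f) if p not in new_f]
    modified = [p for p in sorted(old_f) if p in new_f and old_f[p] != new_f[p]]
    report = {
        "added": [p for p in added if p not in expected],
        "removed": [p for p in removed if p not in expected],
        "modified": [p for p in modified if p not in expected],
        "expected": [p for p in added + removed + modified if p in expected],
        # readable last time, not now: worth a look as well
        "unreadable": sorted(set(new["unreadable"]) - set(old["unreadable"])),
    }
    report["suspicious"] = any(report[k] for k in ("added", "removed", "modified", "unreadable"))
    return report


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def _write(root, rel, data):
    """Helper for the demo: create a file (and its directories) under root."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Run the whole cycle on a constructed tree standing in for a Windows volume."""
    root, store = tempfile.mkdtemp(), tempfile.mkdtemp()  # store plays the memory stick
    try:
        _write(root, "WINDOWS/system32/kernel32.dll", b"original kernel bytes")
        _write(root, "WINDOWS/system32/drivers/etc/hosts", b"127.0.0.1 localhost\n")
        save_baseline(build_baseline(root), os.path.join(store, "baseline.json"))
        # Later: an intruder patches a DLL and drops a driver; a known update rewrites hosts.
        _write(root, "WINDOWS/system32/kernel32.dll", b"patched kernel bytes")
        _write(root, "WINDOWS/system32/drivers/evil.sys", b"\x00")
        _write(root, "WINDOWS/system32/drivers/etc/hosts", b"127.0.0.1 localhost\n::1 localhost\n")
        baseline = load_baseline(os.path.join(store, "baseline.json"))
        return compare(baseline, build_baseline(root),
                       expected=["WINDOWS/system32/drivers/etc/hosts"])
    finally:
        for d in (root, store):
            shutil.rmtree(d)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In real use, run build_baseline from a rescue environment against the mounted Windows volume and save the result to the removable stick; on the next scan, load that baseline and pass the files a known update touched as expected. The report then lists only the changes nobody can account for, which is the list that decides whether the system is still trusted.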

Virtual Machines

Virtualisation solutions are essentially emulators: the software 'container' presents a complete PC's worth of hardware to whatever runs inside it. This allows a complete operating system to be installed inside the container, and if you like operating systems, then what could be better than having an operating system inside your operating system? The advantage is that the virtualised operating system can be 'snapshotted' and rolled backwards and forwards in time. An infection picked up from a dodgy website should (in theory at least) be contained within the virtual machine and not spread to the host operating system, and the infection can then be wiped out by simply rolling the virtual machine back to a snapshot taken before it happened. The containment is only as good as the boundary, though: shared folders, a shared clipboard and the guest's network access are all routes from the guest to the host or to the rest of your network, so keep them to the minimum the task needs.

[Image: Windows XP running in a virtual machine]

The virtual machine can then be used for all web browsing and other 'risky' activities, providing an extra layer of security.

VirtualBox is one such free solution and is quite easy to use. It is also a good way to test out different operating systems without disturbing an existing one, or to run outdated (and therefore insecure) operating systems such as Windows 98. If you do run an old guest like that, keep it isolated from the network as far as possible, since it is just as exploitable inside the virtual machine as it was outside.

Using More Than One Anti-Malware Program

Opinion on this seems to be divided. Running more than one anti-malware application that scans every file as it is accessed will slow your machine down, and may cause other problems (two on-access scanners can interfere with each other, for instance by each scanning the files the other has just quarantined). It does give extra coverage, though: one anti-virus app might catch something the other misses. I had personal experience of this a few years ago: an anti-malware application once discovered a trojan and its worm payload that my virus-checker couldn't see.

An alternative to running more than one anti-malware program at the same time is to rotate through different solutions: occasionally uninstall the current app, install a different one and run a full scan. Another is to install several anti-malware solutions and then manually disable all but one of the on-access (real-time) scanning services, so that only one program scans files as they are accessed and the others are used for on-demand scans.