Checklist for Microsoft Windows computer security:

To have a secure (MS Windows) computer you need at least the following:

  • Windows XP or Vista
  • A Firewall (software or hardware, preferably both)
  • Virus protection software
  • Spyware/Malware detection software

All four of these security components need constant attention in the form of keeping them up to date, or they need to be configured to automatically update themselves. If you don't update automatically then you should check them manually on at least a weekly basis. If you do set them to automatically update then you should still check them on a monthly or quarterly basis to ensure that the updates are occurring. An additional update check needs to be performed for your application software as well.

Thus there are five areas which need to be monitored, and they are:

  • OS Updates
  • Application updates
  • Firewall updates
  • Virus protection updates
  • Spyware detection updates


OS Updates
First of all your operating system (OS) should be Windows XP, either Home or Professional. Windows Vista should also be acceptable, but I'm still running XP myself so I can't say with certainty that it's ok. None the less I've heard of no glaring security lapses in Vista (Note that the User Access Control feature that annoys so many people is a good thing). Until I start using Vista I won't comment further on its security. The remainder of this web page was written before Vista had been released. For now I'm assuming that wherever you see "XP" below you can substitute "Vista".

The security tools in XP alone make it the best version of Windows. XP has a powerful security feature known as "Automatic Updates". If you have automatic updates turned on then your computer should automatically download the latest OS patches to keep the OS up to date.

To check if the "Windows Update" feature of XP is turned on:

  • Right click on "My Computer" and click on Properties
    • (or open the System control panel under Start -> Settings -> Control Panel.)
  • Click on the "Automatic Updates" tab
  • Click on the "Automatic" radio button to turn auto updating on

If you want to manually install updates go to:
      http://windowsupdate.microsoft.com/     (you need to use Internet Explorer)
On this page you can also view the history of all the patches you've installed on your computer.


Application Updates
Applications need to be kept up to date as well. Different software companies have different ways of updating software. Usually you can find update instructions in the help menu of the application. Frequently Help -> About will show the URL of the company. Now days most programs also have a "Check for Updates" option in the Help menu, if so that's usually your best tool.


Firewalls and Firewall Updates
Software Firewalls, usually called "Personal Firewalls", are a modern necessity. However, if you have Windows Update set to Automatic, then you probably have Microsoft's built in firewall already running. To check to see if your built in firewall is running, do the following:

  • Click on Start
  • Click on Settings
  • Click on Control Panel
  • Click on Network Connections
  • Click on Local Area Connection
    • (This should bring up the Local Area Connection Status dialog.)
  • Click on the Properties button to get to the Local Area Connection Properties dialog
    • (there are several ways to get to this dialog, frequently there are paths from the networking system tray icons - your paths may differ).
  • On the Local Area Connection Properties dialog click on the Advanced tab.
  • Click on the Settings button, and make sure that your firewall is turned on.

The updates for Microsoft's built in firewall come with the OS updates.

There are also non-Microsoft software firewalls. A free version (after navigating a host of web buttons trying to direct you to the for-pay version) is ZoneAlarm from zonelabs.com . If you use ZoneAlarm it automatically shuts off Microsoft's own built in firewall, but that's ok as long as you keep Zone Alarm up to date. Zone alarm also has an automatic update feature found on the Preferences tab of the Overview window in the ZoneAlarm main dialog. You get to ZoneAlarm's main dialog by double clicking on the ZoneAlarm system tray icon. The big virus protection companies such as McAfee and Symantec also sell personal firewalls.

I used to use ZoneAlarm, but I'm now convinced that MS's built in firewall is just as good as any of the third party products with the only exception that MS does not block outgoing connections. Personally I now just use MS's built in firewall.

There are also hardware firewalls which are usually built into routers such as a wireless hub. I believe that hardware firewalls do not sufficiently replace the functionality of software firewalls so I think you should always have a software firewall such as ZoneAlarm, or MS's built in firewall. Hardware and software firewalls should peacefully coexist though so I recommend using both.


Virus Protection Software and Virus Updates
Every virus protection package that I know of has at least weekly updates. Most packages also have an automatic update feature. As long as that's on you should be ok. However, it's a good idea to check to make sure you're up to date. The first time I set up a virus protection package to update automatically it failed to make the connection, but it never told me. I was months out of date before I realized the updates were not going through. The package I use now (McAfee) has version numbers on each update so it's pretty easy to see that you have the latest version.


Spyware Detection Software and Spyware Updates
Finally there is spyware detection software. Spyware is typically installed along with other software. Most notorious "carriers" are file-sharing software packages such as Kazaa. Since I don't use this sort of software, and since I only run software obtained from trusted sources I've never had any spyware on my computer. None the less, accidents can happen, so it's worth scanning for spyware.

Microsoft also has a free spyware product called Windows Defender. It's a good spyware scanner, and it's also an excellent system analysis tool. You can get defender here:

http://www.microsoft.com/athome/security/spyware/software/default.mspx

One additional note on spyware is that some spyware detection programs are in fact spyware themselves! If you don't go with a name like Microsoft or Norton or McAfee then research the software fully and download it from a trusted site.

One site I trust is download.com. They are operated by cnet.com which is another site I trust. cnet and download.com have been around for a long time. Their reviews are worth reading when doing research on software.



Others issues and more information links

If you don't use a password:
If you have your OS set so that you don't have to type in a password then you should tell the OS to only allow the no-password accounts access to the console (ie no remote login). To do this do the following:

  • Click on Start
  • Click on Run
  • Type in "secpol.msc", and press [Enter]
    • This will open the "Local Security Settings" window.
  • In the left-side window pane double click on: "Local Policies"
  • Then, still in the left-side window pane, double click on: "Security Options"
  • In the right side window pane double click on:
                Accounts: Limit local account use of blank passwords to console login only
  • Ensure that the "Enabled" radio button is selected.

Erasing information from Hard Disks
This page is mostly dedicated to just computer security, but identity theft is also a very important issue. One issue related to both computer security and identity theft is information on your computer's hard disk. When you get rid of an old PC the hard disk in that computer will still contain a great deal of information about you. To be safe you need to make sure everything on the hard disk is completely erased. That doesn't mean simply deleting files because deleted files can be recovered. You need to write over the disk with 0's, and to be safe you need to do it a few times.

There is specialized software to do this, but I don't know a lot about it. A trusted friend has recommended:     http://dban.sourceforge.net/     You might also try doing a Google on something like "safely erase hard disk" (this is for more information about the topic - I do NOT recommend that you download software for erasing your HD without doing a lot of research on that software).

More sophisticated users can probably get away with using the SysInternals program "sdelete". You can get it here:
      http://www.microsoft.com/technet/sysinternals/Security/SDelete.mspx

Security Related Links:




Home
Bill Mellman,