HOWTO: Harden a Home Microsoft Windows Computer

1. Get a Hardware Firewall

I connect to the Internet via a cable modem.

I share my internet connection with my roommates via a cable modem router by Linksys. A cable modem router has the added benefit of being a primitive hardware firewall.

If you take this approach, make sure everyone on your home network follows these instructions so they don't infect your computer remotely.

2. Reinstall your computer

I do this every six months. This is a good way to ensure you regularly get rid of all adware/malware/spyware.

If you are running Microsoft Windows, you should run Windows XP or Windows 2000. Other versions of Windows are not fully supported. See:
http://www.microsoft.com/windows/lifecycle/default.mspx

2.1. Download the latest service pack and write it to CDROM

  1. Browse to http://www.microsoft.com/windows/lifecycle/servicepacks.mspx
  2. Search for the service pack for your operating system.
  3. Select the English Network Install or the English Version for IT Professionals and Developers
  4. Download the file (it should be over 100 MB)
  5. Write the file to CDROM (you will need it later)

2.2. Back up your computer

2.2.1. Address book

Need to write this section

2.2.2. Email

Need to write this section

2.2.3. My Documents

For each user on the system, write a copy of My Documents to CDROM

2.3. Install Windows

Need to write this section

Select the "reformat" option

2.4. Install the service pack you downloaded earlier from the CDROM

2.5. Enable your operating system's firewall

3. Enable the automatic updates

This is the easiest and best way to prevent crackers from installing their programs on your computer.

Microsoft provides security updates for free with an easy-to-use interface, so why not take advantage of this?

The steps to enable this process are:
  1. Control Panel->Automatic Updates
  2. Check "Keep my computer up to date"
  3. Check "Download the updates automatically and notify me when they are ready to be installed"

Periodically a bubble will pop open in the bottom right of the screen saying updates are available. Double-click on it and follow the instructions.

Note that installed adware/malware/spyware can interfere with this automatic update process.

4. Disable ActiveX

Note to self: I need to re-write this section
  1. Start Internet Explorer
  2. Open window item Tools->Internet Options
  3. Click the Security tab
  4. Disable ActiveX on the Internet Zone
    1. Click "Internet"
    2. Click "Custom Level"
    3. Disable everything containing ActiveX
    4. Click OK
  5. Disable ActiveX on the "Local Intranet" Zone
    1. Click on "Local Intranet"
    2. Click "Custom Level"
    3. Disable everything containing ActiveX
    4. Click OK
  6. Allow Windows Update
    1. Click "Trusted sites"
    2. Click "Sites..."
    3. Add the following sites:
    4. Click OK
  7. Click OK
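
A way to check the result of the steps above, as an added example that is not part of the original HOWTO: Internet Explorer stores these zone settings under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones (1 = Local Intranet, 3 = Internet), and this Python script reads a registry export of that key and lists every ActiveX action that is not disabled. The function name audit_zones and the sample export are constructed for illustration.

```python
import re

# Internet Explorer URL-action IDs that govern ActiveX inside a security zone.
ACTIVEX_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1405": "Script ActiveX controls marked safe for scripting",
}
ZONES = {"1": "Local Intranet", "3": "Internet"}  # the two zones hardened above
STATES = {0: "enabled", 1: "prompt", 3: "disabled"}
SECTION = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d)\]$", re.IGNORECASE)
VALUE = re.compile(r'^"(\d{4})"=dword:([0-9a-fA-F]{8})$')

def audit_zones(reg_text):
    """Return (zone, action, state) for each ActiveX action that is not disabled."""
    seen, zone = {z: {} for z in ZONES}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            m = SECTION.match(line)
            zone = m.group(1) if m and m.group(1) in ZONES else None
        elif zone and (m := VALUE.match(line)) and m.group(1) in ACTIVEX_ACTIONS:
            seen[zone][m.group(1)] = int(m.group(2), 16)
    findings = []
    for z in sorted(ZONES):
        for action in sorted(ACTIVEX_ACTIONS):
            value = seen[z].get(action)  # None: absent, so the zone default applies
            state = "not set" if value is None else STATES.get(value, hex(value))
            if state != "disabled":
                findings.append((ZONES[z], ACTIVEX_ACTIONS[action], state))
    return findings

# Constructed excerpt of a .reg export (regedit writes UTF-16; decode it first).
SAMPLE = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
"1405"=dword:00000003
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000003
"1201"=dword:00000003
"""
if __name__ == "__main__":
    print("\n".join(": ".join(f) for f in audit_zones(SAMPLE)))
```

An empty result means every ActiveX action in both zones is explicitly disabled; anything listed as "not set" falls back to the zone's default and should be set by hand.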

5. Use Firefox instead of Internet Explorer to browse the Internet

Internet Explorer has known exploits that Microsoft has not fixed.

As Firefox has a smaller user base and many more eyes looking at the code base, there are fewer exploits available for it.

Visit mozilla.org for more information and download updates regularly.

6. Install a Software Firewall

Windows XP Service Pack 2 comes with a good software firewall.

Here is the most popular and free for personal use firewall:

7. Install anti-spyware programs

Here are the most popular and free for personal use anti-spyware applications:

8. Install an anti-virus application

Unfortunately, due to the complexity and necessary regular updates of virus definition files, this is not free. You will need one from the following list:

9. Modify your computer usage

9.1. Only download and run applications from Internet sources that you trust 100%

Only download applications from vendor sites such as microsoft.com.

Downloading and running applications from p2p services such as Kazaa is just plain stupid. Pictures are OK, files ending in .exe are not.

FYI, Kazaa is riddled with spyware, so don't install it in the first place.

9.2. Don't run email attachments, even if you know the person

A simple rule of thumb is don't double click or detach email attachments.

Pictures (which are OK to view in an email message) will be displayed in most email clients.

Never detach or double click on an email attachment ending in .exe, .com or .bat. These are special suffixes to files that mean the file is a program. If run, the author of the program can do whatever they want with your computer.

Note that if you get an email from someone you know, you still can't trust the email as it could have been automatically sent via malware installed on their PC.
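
The rule above can also be checked mechanically. The following Python script is an added example, not part of the original HOWTO: it walks the MIME parts of a message and flags attachments whose real (last) extension is .exe, .com or .bat, including names dressed up as pictures. The function name risky_attachments and the sample message are constructed for illustration.

```python
from email import message_from_string

# The suffixes this section names as programs (the page's list, not exhaustive).
PROGRAM_SUFFIXES = (".exe", ".com", ".bat")

def risky_attachments(raw_message):
    """Return the filenames of MIME parts whose final extension marks a program."""
    flagged = []
    for part in message_from_string(raw_message).walk():
        name = part.get_filename()
        if not name:
            continue
        # Only the last suffix decides how Windows opens the file, case does not
        # matter, and trailing dots or spaces are dropped when it is saved.
        if name.rstrip(". ").lower().endswith(PROGRAM_SUFFIXES):
            flagged.append(name)
    return flagged

# Constructed message: one harmless picture and two disguised programs.
SAMPLE = """\
From: friend@example.com
Subject: holiday pictures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

See attached.
--BOUND
Content-Type: image/jpeg
Content-Disposition: attachment; filename="beach.jpg"

(placeholder body)
--BOUND
Content-Type: image/jpeg
Content-Disposition: attachment; filename="sunset.jpg.EXE"

(placeholder body)
--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="readme.bat."

(placeholder body)
--BOUND--
"""

if __name__ == "__main__":
    print(risky_attachments(SAMPLE))
```

The declared Content-Type is ignored on purpose: the sender chooses it, so "sunset.jpg.EXE" labelled image/jpeg is still flagged.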

9.3. Never view video files ending in .wmv (Windows Media Video)

There is a way to embed programs in .wmv files.

If you are downloading files from the Internet and have the choice of file format, select the non-.wmv files.

This goes double for p2p networks.

10. Definitions

Adware - A program that is placed on your computer without the owner's permission or knowledge that will pop up ads periodically

Cracker - A person who writes adware/malware/spyware or breaks into networks. The motivation to do this is profit, respect from peers or relief from boredom

Hacker - A person who likes to solve problems. A white hat hacker helps society by contributing to it. A black hat hacker will solve problems for antisocial purposes (see cracker).

Firewall - a network filter that connects two networks together with different zones of trust.

Malware - A program that is placed on your computer without the owner's permission or knowledge that does bad things. Examples include viruses, worms, adware or spyware.

Network Firewall - a physical box that connects your computer to your network connection that functions as a firewall

Spam Zombie - Computers running software (malware) written and controlled remotely by crackers to send unsolicited email. If you don't harden your computer, it's likely a cracker will turn your computer into this.

Spyware - A program that is placed on your computer without the owner's permission or knowledge that will track the computer user's web browsing habits and/or keystrokes.

Virus - Mostly obsoleted. Programs (malware) written to attach themselves to files. The viruses are passed by transferring the file to a second host via email, a network share, a floppy disk, ... Once a host is infected with a virus, the author of the virus can do whatever they want to the system.

Worms - Programs written by crackers that exploit vulnerabilities in the operating system or application of the host they attack over a network. Once the host has been compromised, a worm will copy itself to the new host and will attempt to infect additional hosts. A worm may further modify the host by turning it into a spam zombie or by installing other malware.