
Wizcrafts Computer Services

Specializing in Computer Networking, Security and Troubleshooting

Securing Your Windows Computers from Internet Threats

No matter what flavor of Windows you may be running there are people in the world who have nothing better to do than to unleash all manner of hostile programs designed to take over control of your computer, damage your files or operating system, invade your privacy with spyware and popup ads - and/or steal personal data, recruit your computer as a zombie to be used in Distributed Denial of Service (DDoS) attacks, and most recently, to plant software on it which turns it into a spam relay. So, what is a body to do to prevent these hostile programs from getting in to do their nefarious deeds?

Here is a checklist of things to do to secure your computer against Internet threats:

  1. First and foremost, install and learn to configure a hardware firewall (ex: a broadband router with a built-in configurable firewall), and/or a software firewall (built into Windows XP and newer) to block all unnecessary incoming connection attempts.
  2. If you have Windows XP and don't want to mess around with an add-on firewall, you should enable the Windows Firewall that is included with your operating system (Control Panel > Security Center > "Manage security settings for" > Windows Firewall > General tab > On). It is especially important to block all incoming requests to TCP and UDP port 135, and TCP ports 137, 139, 445, 1026 and 1027, among others that are commonly used to take over vulnerable computers. Note that the Windows XP Firewall blocks all incoming connection attempts, including filesharing and instant messaging programs, so you may need to create exemptions for certain applications on your computer to allow incoming TCP communications ("Manage security settings for" > Windows Firewall > Exceptions tab).
  3. If your computer has any version of Windows from Windows 95 OSR2 onward it is equipped with a start-menu item called "Windows Update." Use it regularly! It only takes a minute or so to check for security patches, service packs and driver updates using Windows Update, time well spent that could plug holes in the system that a hacker is about to exploit. The MsBlaster Worm is a case in point: Microsoft released a patch on Windows Update, a month before the Worm was released, to plug a code loophole that allowed hostile programs to be uploaded to victims' computers. The Worm crashed hundreds of thousands of Windows XP machines around the world, as they attempted to spread it to others. Of course, the machines whose owners had applied the patch did not participate in the Blaster mayhem, nor did the computers with firewalls that blocked incoming TCP connections.
  4. Subscribe to Microsoft Technet Security Newsletters and bulletins, which alert you when a new patch has been posted. Or, do the next step:
  5. If your operating system is Windows XP SP-3, or newer, and has a legitimate Windows license, it is capable of obtaining Automatic Updates from Microsoft while it is online (Windows Updates are normally pushed out on the 2nd Tuesday of every month, and sometimes, also on the 4th Tuesday, or even completely out-of-cycle). If you are not comfortable with fetching Windows Updates manually, learn to activate the Automatic Updates feature (Control Panel > Automatic Updates, or Security Center > Automatic Updates) and accept the license terms to apply the patches.
  6. Purchase and install a major anti-virus program which offers automatic live updates. Let it download new anti-virus definitions in the background, but remember to manually check for program updates that cannot be applied via the auto-update feature. Then set your task scheduler to run full virus scans every week. Also, check the options to ensure that it is always running in the background to auto-protect you against opening infected files from downloads, CDs, or floppy disks. Most current anti-virus products also scan incoming and outgoing email for Viruses, Worms, or Trojan Horse programs.
  7. DO NOT OPEN EMAIL ATTACHMENTS, unless they have been scanned, with current virus definitions, and found to be clean, AND are expected. Always be ultra suspicious of unsolicited attached files, even if they appear to have come from someone with whom you have had prior email contact. Many Worms are programmed to search your Windows Address Book for names that are then inserted into the To and From fields of the emails they send out.
  8. If you are not expecting to receive any email attachments, and are using Outlook Express as your email client, and it has been upgraded to version 6 or later, it has a checkable option to disallow downloading any email attachments. Furthermore, Outlook Express should have its security setting set to the Restricted Sites Zone.
  9. I personally use a separate program to screen all incoming mail, as it sits on the mail server. This program has options to check the source of the email against various spam blacklists, has a feature to add any piece of mail to either the Friends list or Blacklist, or ditto for the entire sending Domain. It offers user configurable filters to detect spam or viruses by subject, body, From or To field, or the entire headers, and can hide them from being displayed. This program marks spam for blacklisting, deleting and even bouncing and can automatically delete previously identified spam messages off the server, so you never see or download them. This shameless plug is for Mailwasher Pro, from Firetrust Limited in New Zealand. I am an affiliate for this product and I absolutely swear by it. If you purchase Mailwasher through my link and have questions about configuring it, feel free to contact me and I will try to help you out. I have an extensive writeup about Mailwasher Pro, here.
  10. Beware of "Social Engineering" in emails which try to fool you into either activating an attached file, or clicking on a link to their website, where hostile code may compromise your computer, if you haven't applied ALL of the patches for it. Some old and new users ("newbies") are so far behind with patches and updates that they can be tricked into allowing viruses, Trojans, or Worms in by simply previewing a specially crafted email or hostile coded website. Some of these exploits were patched by Microsoft over two years ago and are still being used against people who don't think it could ever happen to them.
  11. Beware of freeware programs, like certain well known filesharing programs, that may come bundled with (spyware) programs from other companies, which may spy on where you surf the web, note what ads you view or click on, and which may cause popup and popunder windows to appear out of nowhere, while you are online, or create new (red or yellow) text links to their own advertisers while you view a website like this one, which is actually stealing possible revenue from the website you were visiting, if they run affiliate ads (like I do).
  12. There are some excellent spyware immunization, detection and removal programs on the Internet. Some are free, others require you to buy a license (usually to activate automated features). I personally use and recommend Malwarebytes' Anti-Malware (a.k.a. MBAM), Spybot Search and Destroy and Microsoft Security Essentials. I post notices about security vulnerabilities and preventative measures on my blog. I recommend running MBAM once a week, after using the Update button to check for and install new definitions, then Spybot Search and Destroy, again after running its updater. You'll be amazed at some of the crap that may have been snuck onto your 'puter, while you were happily browsing the Internet (or sleeping with your always-on cable or DSL modem). Think about some of those little popunders that you might have clicked on OK, just to get rid of them. BIG MISTAKE BUBBA. Install, update and run an anti-spyware program as soon as possible!
  13. If you use a fileswapping program to download program files, don't be surprised if some of them contain Trojan Horse programs, or viruses. Many current Worms are spread through the shared folders of people who use Limewire and BitTorrent filesharing clients. If you download anything from anybody, anywhere, anyhow, scan it for viruses before double-clicking on it!
  14. You can ward off almost all of these Internet threats by running your daily browsing account as a Limited User (Windows 2000, NT, XP, and newer), or as a "Standard User" in Windows Vista and 7 (with UAC on), instead of as a computer administrator. Viruses, worms, trojans, backdoors, browser hijackers and rootkits cannot fully install without Administrator account privileges (you could still be tricked into revealing your Admin credentials). By reducing your system privileges you limit the damage that can be done by any threat that infiltrates your defenses. See my article about user privileges, here.

I could go on forever, but I believe that if you implement these suggestions, including turning on Automatic Windows Updates, keeping your anti-virus and anti-spyware detection programs updated automatically and running weekly or nightly scans, plus blocking all unsolicited incoming TCP and UDP traffic with a firewall, then you will enjoy a more secure computing environment.

You may feel paranoid taking all of these security precautions, but it's not paranoia when they really are out to get you!

Windows 9x security holes

Windows 95 and 98 were consumer level operating systems granting full administrator level rights to anybody who can gain access to the computer - either directly or remotely. Windows 9x computers also have a default networking setup that is very insecure. If you have, or are given a computer that is running on Windows 95 or 98, there is simply no way to secure it against modern threats, aside from never connecting it to the Internet! Most security vendors, as well as Microsoft, no longer offer programs or updates for these out-dated, out-of-support versions of Windows.

Windows 2000 and XP security issues

For those of you who are using Windows 2000 computers, please note that Microsoft no longer supports that OS at all. There are no more Windows Updates or patches being released for that OS. As with the previously mentioned Windows 9x series, most security companies no longer offer programs that install on Windows 2000 PCs. Still, malware is being written to exploit Windows 2000, especially since those computers can no longer be patched, or effectively defended. You are best to retire these old computers and purchase new ones running Windows 7 (or its successors).

Last, we have our dear Windows XP computer users. XP was released in the fall of 2001. Since then it has had 3 service packs and hundreds of patches and updates issued. In keeping with its software life-cycle policies, Microsoft has already dropped all support for any version of Windows XP prior to Service Pack 3. Support for XP SP-3 computers ends on April 8, 2014. After that date there will be no more patches or updates for it. Security vendors will also be quick to drop their support for XP. After that, you will have to move up to a newer OS in order to have safe and secured computers.

Security software resources:

Learn how a firewall can protect your computers against external and internal phone-home attacks.
