How to secure Vista

What the manual doesn't tell you.

While Windows Vista may be Microsoft's most secure operating system ever, it's far from completely secure. In its fresh-from-the-box configuration, Vista still leaves a chance for your personal data to leak out to the Web through Windows Firewall, or for some nefarious bot to tweak your browser settings without your knowing.

But by making a few judicious changes using the security tools within Windows Vista - and in some cases by adding a few pieces of free software - you can lock down your operating system like a pro.

Use Windows Security Centre as a Starting Point

For a quick overview of your security settings, the Windows Security Centre is where you'll find the status of your system firewall, auto update, malware protection, and other security settings. Click Start, Control Panel, Security Centre, or you can simply click the shield icon in the task tray. If you see any red or yellow, you are not fully protected. For example, if you have not yet installed an antivirus product on your machine, or if your current antivirus product is out-of-date, the Malware section of the Security Centre should be yellow.
Windows does not offer a built-in antivirus utility, so you'll want to install your own. For free anti-virus, I recommend AVG Anti-Virus 8.

Use Windows Defender as a Diagnostic Tool

The Malware section also covers anti-spyware protection, and for that Windows Vista includes Windows Defender. The anti-spyware protection in your antivirus program usually trumps the protection Microsoft provides, but there are several good reasons to keep Windows Defender enabled. One is that every anti-spyware program uses a different definition of what is and what is not spyware, so redundant protection can actually offer some benefit.

Another reason to keep Windows Defender enabled: diagnostics. Click Tools, and choose Software Explorer from the resulting pane. You can display lists of applications from several categories such as Currently Running Programs, Network Connected Programs, and Winsock Service Providers, but Startup Programs is perhaps the most useful. Click on any name in the left window, and full details will appear in the right pane. By highlighting, you can remove, disable, or enable any of the programs listed.

Disable the Start Up menu

Windows Vista keeps track of all the documents and programs you launch and lists them in the Start menu. This can be convenient for some users, but it can also compromise your privacy if you share a computer within an office or household. Fortunately Windows Vista provides an easy way to tweak this setting. To protect your privacy, follow these steps:

Right click on the taskbar and select Properties. Click on the Start Menu tab. Uncheck Store and display a list of recently opened files. Uncheck Store and display a list of recently opened programs. Click OK.

Get Two-Way Firewall Protection

No desktop should be without a personal firewall, but even if the Security Centre says you're protected, you may not be. The Windows Firewall within Vista blocks all incoming traffic that might be malicious or suspicious - and that's good. But outbound protection is not enabled by default. That's a dangerous situation if some new malicious software finds its way onto your PC. Microsoft did include the tools for Windows Vista to have a true two-way firewall, but finding the setting is a little complicated. (Hint: Don't go looking in the Windows Firewall settings dialog box.)

To get two-way protection in Windows Vista, click on the Start button; in the search space, type wf.msc and press Enter. Click on the Windows Firewall with Advanced Security icon. This management interface displays the inbound and outbound rules. Click on Windows Firewall Properties. You should now see a dialog box with several tabs. For each profile - Domain, Private, and Public - change the outbound connections setting to Block, and then click OK.
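The same change can be made and checked from an elevated PowerShell prompt. This is an added example, not part of the original article; it assumes PowerShell 2.0 or later and English netsh output, and the rule name and program path are illustrative. Once outbound traffic is blocked by default, every program that needs the network must be given its own allow rule.

```powershell
# Added example. Run elevated; the text parsing assumes English netsh output.

# Report the default inbound/outbound action for each firewall profile.
function Get-FirewallDefault {
    $name = $null
    foreach ($line in (netsh advfirewall show allprofiles firewallpolicy)) {
        if ($line -match '^(Domain|Private|Public) Profile Settings') {
            $name = $Matches[1]
        } elseif ($name -and $line -match '^Firewall Policy\s+(\w+),(\w+)') {
            New-Object PSObject -Property @{
                Profile = $name; Inbound = $Matches[1]; Outbound = $Matches[2]
            }
            $name = $null
        }
    }
}

$before = Get-FirewallDefault
$before | Format-Table Profile, Inbound, Outbound -AutoSize

# Change only the profiles that still allow outbound traffic by default,
# keeping whatever inbound action each profile already has.
$before | Where-Object { $_.Outbound -eq 'AllowOutbound' } | ForEach-Object {
    $target = $_.Profile.ToLower() + 'profile'   # domainprofile, privateprofile, publicprofile
    netsh advfirewall set $target firewallpolicy "$($_.Inbound.ToLower()),blockoutbound"
}

# Example allow rule (name and path are illustrative): let Internet Explorer out.
netsh advfirewall firewall add rule name="Allow IE outbound" dir=out action=allow `
    program="$env:ProgramFiles\Internet Explorer\iexplore.exe" enable=yes

# Confirm that all three profiles now report BlockOutbound.
Get-FirewallDefault | Format-Table Profile, Inbound, Outbound -AutoSize
```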

Even if you do this tweak, I recommend adding a more robust third-party firewall. I suggest either Comodo Firewall Pro or ZoneAlarm, both of which are free and fare very well in independent firewall testing.

Lock Out Unwanted Guests

If you share your computer with others (and even if you don't), Windows Vista includes a neat way to keep unwanted guests from guessing your system administrator password. When you set up users and declare one user as administrator (with full privileges), Windows Vista allows outsiders unlimited guesses at the password you chose. Here's how to limit the guesses.

Click Start, type Local Security Policy. Click Account Lockout Policy. Choose Account Lockout Threshold. At the prompt, enter the number of invalid log-ins you'll accept (say, 3). Click OK and close.

Now Audit Your Attackers

With the Account Lockout policy in place, you can now enable auditing to see any account attacks. To turn on auditing for failed log-on events, do the following:

Click the Start button, type secpol.msc, and click the secpol icon. Click on Local Policies and then Audit Policy. Right-click on Audit account logon events policy and select Properties. Check the Failure box and click OK. Right-click on Audit logon events policy and select Properties. Check the Failure box and click OK. Close the Local Security Policy window.

You can then use the Event Viewer (by running eventvwr.msc) to view the logs under Windows Logs and Security.
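The lockout and auditing steps above, followed by a summary of what the Security log then records, as an added example that is not part of the original article. It assumes an elevated PowerShell 2.0 or later session and English category names; the 24-hour look-back window is an arbitrary choice.

```powershell
# Added example. Run elevated; auditpol category names assume English Windows.

# Lock an account after 3 bad passwords (the article's suggested threshold).
net accounts /lockoutthreshold:3

# Failure auditing for the two policies named in the steps above.
auditpol /set /category:"Account Logon" /failure:enable
auditpol /set /category:"Logon/Logoff" /failure:enable

# Event 4625 is a failed logon. Extract who was targeted and from where.
function Get-FailedLogon {
    param([int]$Hours = 24)   # look-back window; 24 is an arbitrary default
    $ms = $Hours * 3600000
    $xpath = "*[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) <= $ms]]]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $e = $_
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            New-Object PSObject -Property @{
                Time      = $e.TimeCreated
                Account   = $data['TargetUserName']
                Source    = $data['IpAddress']
                LogonType = $data['LogonType']
            }
        }
}

# Repeated failures against one account from one source are the pattern to look for.
Get-FailedLogon -Hours 24 |
    Group-Object Account, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The net accounts command also works on the Home editions of Vista, which do not include the Local Security Policy console.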

Secure Your Internet Explorer Settings

The Windows Security Centre will also report whether your Internet Explorer 7 (or IE 8) security settings are at their recommended levels. If the screen shows this section as red, you can adjust the settings within the browser itself.

Within Internet Explorer, click Tools in the menu bar. From the drop-down menu, click Internet Options. Choose the Security tab. Within the Security tab, click Custom Level.

Here you'll see a window with all the security options for the browser. If any are below the recommended level (if, say, some kind of malware reconfigured your browser settings), these options will be highlighted in red. To change an individual setting, click the appropriate radio button. To reset them all, use the button near the bottom of the tab. You can also change the overall security setting for Internet Explorer from the default Medium-High setting to the recommended High or Medium, if you wish. Click OK to save and close.

Use OpenDNS

Domain Name System (DNS) servers act as a phone book. When you type "pcworld.com" in the address bar, for instance, Internet Explorer sends that common-name request to your Internet service provider's DNS servers to be converted into a series of numbers, or an IP address. Lately, DNS servers have come under attack, with criminals seeking to redirect common DNS preferences to servers that their interests control. One way to stop such abuse is to use OpenDNS.

Go to Start, Control Panel, Network and Internet, and then click Network and Sharing Centre. Under the tasks listed on the left, click Manage Network Connections. In the Manage Network Connections window, do the following.

Right-click on the icon representing your network card. Click Properties. Click Internet Protocol Version 4. Click the Properties button. Select the Use the following DNS server addresses radio button. Type in a primary address of 208.67.222.222. Type in a secondary address of 208.67.220.220. Click OK.

Live With User Account Control

One area where some people might want to see the Windows Security Centre turn red is User Account Control (UAC), perhaps the most controversial security feature within Windows Vista. Designed to keep rogue remote software from automatically installing (among other things), UAC has a tendency to thwart legitimate software installations by interrupting the process several times with useless messages. In Windows 7 you'll be able to set UAC to the level you want. Until then, you do have some options.

One is to disable UAC. I would caution against that, since UAC is meant to warn you of potential danger. Instead, install TweakUAC, a free utility that offers the ability to turn UAC on or off as well as an intermediate "quiet" mode that keeps UAC on but suppresses administration elevation prompts. With TweakUAC in quiet mode, UAC will appear to be off to those running as administrator accounts, while people with standard user accounts will still be prompted.

