How to secure Windows: Pre- and post-installation

Windows has garnered something of a reputation with both the media and the IT security industry for being a lot less than perfect. To be fair, it is a reputation well-earned. Windows and related products are designed first and foremost for ease of use.

Everything else, and that includes security, comes further down the feature list. Of course, that is not to say that there aren't numerous things that can be done to improve Windows security.

How to secure Windows: Preinstallation
Securing Windows really needs to start even before installing the OS. Sounds daft, but stick with me. Barack Obama came under fire during the U.S. presidential election campaign for using the phrase "lipstick on a pig" but that is exactly what installing Windows without giving prior consideration to security issues is like in terms of securing your computer.

Settings can be tweaked all day long after the event, but if you've put Windows on a pig it will just turn into a Windows-powered pig.

Avoid the 'oink factor' by always ensuring the following:

The Internet connection must be robustly secured, via router firewall for example, before installation.

Only install Windows onto a clean machine; never upgrade, as this can leave potential permission weaknesses with regards to Windows Registry keys and files.

Always make sure the machine is set to boot from the hard drive only, and create separate system and data partitions upon it.

Vista Firewall Advanced Security MCC Be sure to protect Vista immediately by only allowing specific applications to make it through the firewall barrier. This can be done by creating exceptions via 'Control Panel --Windows -- Firewall -- Change Settings' to arrive at the appropriate exceptions tab. The 'Change scope' button can be used to define and limit the range of the exception by IP address or network. Fire up the Windows Firewall with Advanced Security MMC interface by running wf.msc, and it's even possible to define port ranges by number and protocol.

How to secure Windows: Post-installation
OK, once installed, regardless which version of Windows is in use, there are some security best practice defaults that bear repeating:

• Apply all hotfixes, patches and updates as a No. 1 priority.
• Never, never leave a password entry blank and always, always make it a strong one. Administrator accounts are a magnet for malicious hackers, so protect them with the strongest possible passwords.
• Talking of which, use the Security Policy tool in Windows XP and later versions of Windows to rename the real administrator account to something less obvious, while creating a decoy administrator account that has no group memberships and no real power.
• If a service is not explicitly allowed, then access to it should be blocked or the service itself disabled. Certainly disable file and print sharing for Microsoft networks (NetBIOS and SMB services) barring a good reason not to do so.
• Configure built-in antivirus and malware software, or alternatively, install and configure your own preferred choice in security software. With either choice, be sure to keep the software updated!

About the author:
Davey Winder has worked as a freelance technology journalist for nearly 20 years. He is based in South Yorkshire.

Rate this Tip To rate tips, you must be a member of SearchSecurity.co.UK. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Tech tips Code complexity analysis: How to keep it simple How to use Windows XP Mode in Windows 7 Understand role-based access control in Microsoft Exchange 2010 Avoid common Web application firewall configuration errors SQL injection detection tools and prevention strategies Cross-site scripting explained: How to prevent attacks How to automate and apply Microsoft Windows 7 AppLocker rules How to use Microsoft Windows 7 AppLocker for whitelisting applications Should you disable IE ESC, or manage it in Windows servers? Scanning with N-Stalker offers basic Web application security assessment Endpoint and NAC Protection Considering two-factor authentication? Do cost, risk analysis Look into SIEM services to cut costs, comply with PCI DSS, HIPAA Voice data security risks on the rise, say experts The value of booting from a VHD in Windows 7 Thin-client technologies surge thanks to easier security, says Deloitte A closer look at Internet Explorer 8 security features USB drive security best practices and processes First step in forensics: Create a bootable Windows environment CD Protecting enterprise networks from new mobile application downloads Four things to remember about server virtualization security concerns RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Centre for the Protection of National Infrastructure  (SearchSecurityUK.com) Computer Misuse Act 1990  (SearchSecurityUK.com) Regulation of Investigatory Powers Act  (SearchSecurityUK.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.