How to secure Windows: Pre- and post-installation

Windows has garnered something of a reputation with both the media and the IT security industry for being a lot less than perfect. To be fair, it is a reputation well-earned. Windows and related products are designed first and foremost for ease of use.

Everything else, and that includes security, comes further down the feature list. Of course, that is not to say that there aren't numerous things that can be done to improve Windows security.

How to secure Windows: Preinstallation
Securing Windows really needs to start even before installing the OS. Sounds daft, but stick with me. Barack Obama came under fire during the U.S. presidential election campaign for using the phrase "lipstick on a pig" but that is exactly what installing Windows without giving prior consideration to security issues is like in terms of securing your computer.

Settings can be tweaked all day long after the event, but if you've put Windows on a pig it will just turn into a Windows-powered pig.

Avoid the 'oink factor' by always ensuring the following:

The Internet connection must be robustly secured, via router firewall for example, before installation.

Only install Windows onto a clean machine; never upgrade, as this can leave potential permission weaknesses with regards to Windows Registry keys and files.

Always make sure the machine is set to boot from the hard drive only, and create separate system and data partitions upon it.

Vista Firewall Advanced Security MCC Be sure to protect Vista immediately by only allowing specific applications to make it through the firewall barrier. This can be done by creating exceptions via 'Control Panel --Windows -- Firewall -- Change Settings' to arrive at the appropriate exceptions tab. The 'Change scope' button can be used to define and limit the range of the exception by IP address or network. Fire up the Windows Firewall with Advanced Security MMC interface by running wf.msc, and it's even possible to define port ranges by number and protocol.

How to secure Windows: Post-installation
OK, once installed, regardless which version of Windows is in use, there are some security best practice defaults that bear repeating:

• Apply all hotfixes, patches and updates as a No. 1 priority.
• Never, never leave a password entry blank and always, always make it a strong one. Administrator accounts are a magnet for malicious hackers, so protect them with the strongest possible passwords.
• Talking of which, use the Security Policy tool in Windows XP and later versions of Windows to rename the real administrator account to something less obvious, while creating a decoy administrator account that has no group memberships and no real power.
• If a service is not explicitly allowed, then access to it should be blocked or the service itself disabled. Certainly disable file and print sharing for Microsoft networks (NetBIOS and SMB services) barring a good reason not to do so.
• Configure built-in antivirus and malware software, or alternatively, install and configure your own preferred choice in security software. With either choice, be sure to keep the software updated!

About the author:
Davey Winder has worked as a freelance technology journalist for nearly 20 years. He is based in South Yorkshire.

Rate this Tip To rate tips, you must be a member of SearchSecurity.co.UK. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Tech tips Securing Windows services to prevent hacker attacks Windows security: Remote Desktop, hosts file and keyboard lock down How to detect and remove rootkits with Windows encryption How to prevent SQL Server and Internet Explorer hack attacks Windows password security: System tools and policy Integrating biometric authentication with Active Directory Microsoft Baseline Security Analyzer: Do updates offer improved Windows security? Windows registry forensics guide: Investigating hacker activities Understanding multifactor authentication features in IAM suites More built-in Windows commands for system analysis Endpoint Protection Marshal and 8e6 combine to control Web and mail communications Securing Windows services to prevent hacker attacks UTMs creep into the enterprise market, despite some resistance Major security revamp seals NHS trust against data leakage Q&A: Paul Dorey on DLP, deperimeterisation Microsoft Baseline Security Analyzer: Do updates offer improved Windows security? Malicious spam soars to new level Sophos adds browser and virtualisation blocking features William Hill bets on PGP for encryption Brits lose their fear of encryption – slowly RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Centre for the Protection of National Infrastructure  (SearchSecurityUK.com) Computer Misuse Act 1990  (SearchSecurityUK.com) Regulation of Investigatory Powers Act  (SearchSecurityUK.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.