Windows security recommendations

by Jim Prall, May, 2010
back to my main page

This page is directed at users who manage their own computer or laptop running Microsoft Windows. Many different software risks threaten the reliable and secure use of Windows: viruses, trojans, network worms, spyware, browser "hijacks", and deceptive "phishing" websites. Anyone who uses Windows with administrator rights needs to pay attention to managing and mitigating these risks.

Software intrusions involve some computer code installing itself in your system without your consent or knowledge. These may arrive any number of ways (roughly in order they arose historically):

1) as a hidden 'autorun' on removable media such as floppy, CD, DVD or memory stick;
2) as a macro within a Word or Excel file
3) as email attachments sent from another infected system;
4) as a hidden add-on hidden within a seemingly benign free package offered for download on the internet ('spyware');
5) as a file offered on peer-to-peer (P2P) file sharing network, labelled as something attactive ("Britney Spears Nude!", "Full Windows 7 CRACKED" or "Adobe Ultimate Keygen") but in fact containing the intrusion code;
6) as a network attack from another computer, exploiting an unpatched defect in the networking code of your system (a "worm");
7) as code hidden in websites that is executed by your web browser to modify your system;

Route 1 was prevalent in early days when people shared files by floppy disk; antivirus software now checks for this, and far fewer floppy disks are being exchanged; unfortunately it has come back with the advent of USB memory sticks.
Route 2 became less prevalent since Microsoft removed the option to write macros that could execute silently on opening with no option for the user to agree or disagree.
The risk from route 3, email attachments, is being mitigated by email service providers either scanning or just removing attachments types that are a potential threat: .EXE, .SCR, .BAT and even .ZIP (potentially hiding a .EXE inside). This has inconvenienced users sometimes. If you are collaborating via email in developing code, you can email source code but not Windows executables - they will have to recompile from the source at their end.
Both #4 and #5 create the need for "real time" anti-virus scanning, where each request to create a new file triggers an AV scan of the content of the new file. This imposes some performance penalty on normal use - but nothing compared to the loss of use when an infection gets through. User judgment is also called for: think twice before downloading and steer clear of P2P file sharing - the latter is not permitted over UofT and ECE network facilities.
Threat #6 calls for two precautions: (a) only connect to the internet with a firewall - most home routers and wireless APs include one; and (b) keep your system patched at all times with the free Windows Update / Microsoft Update service. Set the updates to install automatically. If you leave it on manual, the risk is that you'll keep postponing them, and then the latest network intrusion will be able to get into your PC - patching after that is too late. Threat #7 is very prevalent currently. It relies on the fact that you don't have to take any action to download executable code embedded in a website in the form of ActiveX, javascript, and the like. These "drive-by downloads" take effect just from viewing a page, including content added in from a separate site such as by ad syndication. It may not be an obviously risky site such as "hackers haven" or "pirate cove" - sites with legitimate content may have been attacked and had the exploit code hidden within their normally benign pages.
This is happening more often lately, and it is creating a lot of extra support calls as Windows PCs keep getting infected, even when they have antivirus and anti-spyware software working. Antivirus software generally does not come into play when a web-based code exploit is running - the AV does not scan javascripts or ActiveX.
There are browser plug-ins available to restrict the activity of such active content, such as NoScript for Firefox; you may find you need to allow javascript on pages where it is legitimately needed; the difficulty is deciding when it is safe, which these tools cannot tell you.

What you can do

The usual advice applies, of course: have good antivirus and anti-spyware programs installed, keep them current with live updates, and monitor their status (are the updates still working? Is there anything showing up in the logs or 'threat history'?) Also keep your browsers up to the latest version, as all browsers have security flaws discovered from time to time, and the update is the only way to secure them. But perhaps the one thing you can control, which so many users overlook, is this:

DO NOT BROWSE THE WEB AS ADMINISTRATOR

Let me state that another way:

To use a web browser in an account with administrator rights is a recipe for infection

Or another way:

If the account you use to browse the web has administrator rights, your PC has spyware. Now. Already.

Q. What is the right way to operate in Windows?
A. Have a standard/limited user account as your main account, and only browse the web in that account. Keep all your documents there. Use Administrator only to install or update software and system components. Reading email, browsing and downloading documents should only be done within the standard user account. The key difference is that when Administrator happens on a page with hidden intrusive code in active content such as javascript or ActiveX, the code has full access to modify C:\Windows, update the registry, etc. By contrast, a standard user account viewing the same page will leave the exploit code unable to make the changes it tries to apply.

Another reason to keep Windows secure

Do you take your laptop back and forth between the office and home or other locations? Do you use a USB memory key or portable HD to move data between Windows computers? If so, any virus that infects your USB key or your laptop elsewhere could potentially spread through our network when you connect here, impacting your colleagues and costing time and effort to remove. The ECE firewall can block network intrusions from outside, but it is powerless to stop people carrying infected media or laptops inside its perimeter.

Steps to keeping Windows intrusions out

1) Enable automatic updates in Microsoft Update or Windows Update; run a Windows Update manually and check that there are no critical updates needed or waiting to be applied. Reboot if needed.
2) You must have Symantec Enpoint Protection v.11 or Symantec Antivirus v.10.1.x installed and keep the definitions up to date. Free for UofT faculty, staff and students for office and home use, from antivirus.utoronto.ca by entering your UTORid and password. Please take advantage of our site license, and install SAV on every Windows PC you use (including virtual machines!). Leave it set to use LiveUpdate to keep definitions up to date. Also check regularly that the date of your definitions is still current -- many viruses as well as the Conficker/Downadup worm try to disable LiveUpdate, WindowsUpdate, and access to antivirus sites.
If you haven't done full scan lately, make time for one this week. Have your laptop plugged in so you don't run out of battery during the scan.
3) You should have Windows Defender installed and updated. It is built in with Vista and Windows 7, or a free download from Microsoft for XP if you don't already have it. Run a full scan with this as well.
4) You should have SpyBot Search & Destroy v.1.6.2 installed. This is a free download from www.safer-networking.org Here again, a full scan every month or less is a good practice.
5) Have the following plug-ins installed for every browser that you use for which versions are available:
- Site Advisor (free version)
- Web of Trust
- Netcraft Anti-Phishing Toolbar
6) You should use a hardware router with built-in firewall for your home connection. Most personal routers, wired or wireless, already include this. This is far safer than connecting a single computer directly to the internet via either DSL or cable.
7) All user logins (accounts) on your computer must have strong passwords. One network worm targeting Windows was able to spread over a network or the internet by remote access to other Windows PCs with weak or blank passwords. Even PCs with the latest patches are not safe if accounts have weak or blank passwords! No account should have the password unassigned, or set to "123", "password", the account name, or similar guessable password. Network worms often make repeated attempts at remote logins using common passwords. Don't let them get in because of this.
Create a password not in any dictionary: you could combine more than one word, mix in numbers and punctuation: dog4sale$5 is memorable but hard for a virus to guess. Even if you tape the password to your monitor at home, that's still more secure against network attacks!)
8) Do not browse the web or do daily work, email and USB transfers using any login that has Administrator rights. This is a broad invitation to harmful content on various websites to intrude silently into your PC while you are online. Set up a "standard" or "limited" user account for your daily work, especially web access, and use accounts with administrator ONLY for installing software, patches, updates, and system administration. The 'fast user switching' feature allows you to leave your standard account logged in while you temporarily switch to an Admin account to do an update or install software. This is quite easy once you get set up for 'fast user switching'. (In Vista it is even easier as any installer or major change of settings will prompt for the administrator password for just that one function. Yes, I know Apple made fun of this in their TV ad with the guard wearing dark glasses: "You are coming to a sad realization - cancel or allow?" However this is actually sound practice, given the alternatives.)
9) Consider changing the Folder options to "show hidden files" (under the 'view' tab). This will add large numbers of "dimmed" or pale icons all over your computer; these are 'hidden' files used by Windows for settings, etc. Watch for the appearance of a dimmed file named "Autorun.inf" at the top level on any removeable drive (USB key, portable hard disk) or on any shared network volume. If you find one here in ECE, disconnect the device or network share, and contact ECEHELP right away. If you find one at home or elsewhere, examine the Autorun.inf file based on this page on the F-Secure website: When is AUTORUN.INF really an AUTORUN.INF? Basically a legitimate autorun.inf will have a few lines of normal text commands starting with [autorun] then lines such as ICON=somename.ico and OPEN=somename.exe. In contrast, the Downadup worm payload is filled with many lines of binary gibberish (all commented out by have semicolon in the first column!) then an OPEN= command to a random filename in the recycle bin or similar strange place. (Note than commercial software DVD and CD installer discs may often have Autorun.inf files for the legitimate purpose of starting up the installation on insertion without the user needing to look for it. That can't be this virus since the installer media is not modifiable.) Some USB keys also may have a legitimate Autorun.inf file designed to tell Windows what driver to use or other options to apply when mounting the drive. Again, look for a normal, legible file with [autorun] and open= for a legible file name, not something cryptic in the recycle bin.
9) If you don't have any third-party firewall software such as McAfee, Norton Internet Security, etc, you should consider installing the free version of ZoneAlarm. (Don't install more than one firewall or antivirus system.) ZoneAlarm is somewhat "busy", with more alerts than most people might like to get, and will likely require added configuration to permit connecting to our VPN, remote licenses, etc., but on a laptop used on multiple connections it can add a further layer of security. It will ask you before allowing any new type of outgoing connection - something not covered by either a home router or by the very simple firewall built into Windows. NOTE: If you rely on the ECE VPN, Remote Desktop, or remote license access, be prepared to work on configuring ZoneAlarm to allow these. We may advise you to disable ZoneAlarm if any of these stops working when ZoneAlarm is installed.

If Already Infected

If you suspect an infection, unplug the network cable immediately. If you need internet access to work on the infection, use any other computer available if at all possible. Check your USB keys for a hidden "Autorun.inf" file. One tool offered to remove this worm is the F-Secure removal tool at: F-Downadup The current update of the Windows Malicious Software Removal Tool, delivered via Windows Update, also claims to be able to remove it. Bear in mind that this worm is polymorphic and uses the internet for self-updating with unknown additional malicious code, potentially always varying depending on the decisions of the worm's remote operators. This also helps them evade defenses like Antivirus, firewall rules, etc. It is best not to reconnect to the internet until you're sure the worm is removed. Watch out for cache, System Restore, and files that hide in memory and keep replacing any bad files as they are removed.