How to setup a brand new Windows computer
- Make sure your computer isn't on the internet
- Introduction
- What is a "unprivileged user"?
- Create an unprivileged user
- Log in using the new unpriviledged user
- What you need to know about software
- Recommended software
- Patches and Windows Update
- Harden Microsoft Internet Explorer
- Harden Firefox
- Clean up startup programs in the registry
- Learn how to be a "smart surfer"
- Specific software settings
- Antivirus software
- Changelog
- Conventions used
1. Make sure your computer isn't on the internet
For all you Dilbert fans out there, the assumption here is that you're not reading this on your new computer. Use something else!
2. Introduction
Windows has alot of default settings that make things "easy", but they make your computer more vulnerable. As you read thru this document you'll learn how to change a few of these default settings to help make your new computer more secure.
You can't 100% protect any computer that's connected to the internet I don't care how hard you try... the goal is simply to minimize it. With safe practices and a decently hardened computer I think it's realistic to expect approximately 3 years of life before you have to have it rebuilt (not replaced, just "redone" by someone).
3. What is a "unprivileged user"?
Currently your computer has one account: Administrator which happens to be a member of the Administrator group (Windows security is managed by users and groups).
Depending on how the manufacturer setup your computer it might give you an opportunity to create additional users. It's important to understand that these users will also be a member of the Administrator group.
This is a security risk, because if "something" tries to do something bad to your computer, they do so under the privileges of the currently logged in user . Another words, if I'm a virus... I'm going to hope you are using an administrative account.
The solution is to make sure you have a user that is not a member of the administrators group and always log into the computer using this account. This will drastically make your computer safer against attack, though you will have to deal with the hastle of having to temporarily log in as Adminstrator to do things like:
- Install software
- Change the clock time
- Write to files outside of: My Documents
- Change system settings
- Configure hardware or networking
4. Create an unprivileged user
-
Open the Control Panel from the start menu
-
Select Administrative Tools from the Control Panel
-
Select Computer Management from Administrative Tools
-
Expand Local Users and Groups
-
If you have created any users already you will see them here
Above is what most fresh installations of Windows XP will look like.
-
Right click on Users and select New User...
-
Fill out the form, mine looks like this:
When finished click Create.
-
Right click on the user you just created and select
Properties
Then select the Member Of tab
-
Take note that the user is only a member of the
Users group
5. Log in using the new unpriviledged user
6. What you need to know about software
Software on your computer is installed in different ways. Some is installed by the manufacturer (Dell, HP, Gateway), some is installed by the operating system or it's subsystems. Windows update is a good example of this, as it's sort of part of the operating system, and it installs stuff for you (patches and things). The rest is usually installed by you. Here's where it gets important. Software is usually installed by double clicking on a setup file such as "setup.exe". Usually this is followed by a series of prompts which some people referr to as a "wizard". Either way the result is that your system has new files and settings which represent the software you just installed.
What's confusing is when software gets installed... but how it got there is a mystery. For example, let's say you have "Gator" installed on your computer and it's driving you nuts. You likely don't remember installing it, nor anyone else. It could have been installed several different ways but I do happen to know that installing "Comet Cursor" I think it was, would also install "Gator" without really telling you. This is extremely significant because it illustrates that when you install something, it might do things that you don't expect. It's very important to think before you install something, because clicking on that "setup.exe" file ultimately lets the person who wrote the software have complete control over your system for the duration that it's being installed.
Below you'll find a list of software packages that are considered at least by me to be professional and trustworthy.
7. Recommended software
| Current | Recommended | Reason |
|---|---|---|
| Internet Explorer | Mozilla Firefox | Internet Explorer is the single most dangerous piece of software you can use. It has a terrible history for security problems, some of which to this day have yet to be addressed by Microsoft. Additionally it's extremely outdated and is lacking features that most other browsers have. Mozilla Firefox is an excellent software package used by millions of people. It has an excellent feature set, is very secure. REFERENCE, REFERENCE, REFERENCE |
| Outlook | Mozilla Thunderbird | Thunderbird is not as integrated with the Windows Operating system and thus is not as vulnerable to windows operating system vulnerabilities. Thunderbird is designed to be solid from a security perspective with things like defaultly not downloading images, spam and phishing detection. It also supports pretty much everything you'd ever need when it comes to email, though it does not [yet] support calendering like Outlook does with Microsoft Exchange Server. |
| Microsoft Office | OpenOffice |
Microsoft Office is a huge target. OpenOffice is an
alternative product that has an impressive set of
features and has (so far) a very good security history.
Additionally it has a few unique features that are really
nice:
|
| Instant messenger clients: AOL, Yahoo, MSN | Trillian/Gaim | You can replace all of your instant messenger software with one , and it works very well. REFERENCE |
| Windows Media Player | Winamp and VLC | Windows media player is also a target for malware. Using wimamp and VLC keeps you under the radar a bit. |
| Microsoft Hotmail | Yahoo Mail or Google Gmail | Hotmail doesn't exactly have a strong record when it comes to security |
| N/A | 7zip | There's nothing really insecure about the default Windows XP zip utility, it just doesn't work very well. 7zip is tiny, free - and is excellent. |
| Mcafee/Norton | ClamWin | There's nothing wrong with either Norton or Macfee, though they do tend to be kinda, busy? and often times people don't pay for the software after the trial expires and they wind up without any protection. ClamWin is a port of ClamAV and is free for use. |
| RealPlayer | Real Alternative | There's nothing wrong with RealPlayer really from a security perspective, but it's so annoying how it tries to take over. |
Since NOT using Internet Explorer is probably the best thing you can do to keep your computer safe, let's go thru how to install Firefox:
- Remember you need to log in as Administrator to do this.
-
Use Internet Explorer (it's all you have right now) to download
the installation file from
http://www.mozilla.com/firefox/
and click on the "Download Firefox" link.
-
When prompted, remember to Always
"Save" the file. Never choose "Run".
The file will defautly be placed on your desktop, so you know where to find it after it's finished downloading.
-
Double click on the Firefox Setup executable file placed
on your desktop to begin the installation.
Follow the prompts, taking the defaults is just fine.
- When the installation is finished, it will place an icon on your desktop that you can use to start the application. If you like to use the Quicklaunch icons, it will be there also
-
Ok, remembering our good practice here... if there's no other
software to install:
Remember to log out, and log back in as your unpriviledged user!
8. Patches and Windows Update
All you need to do is enable Windows Update to manage that for you. But because this is a brand new computer, you need to manually patch it.
It's important to understand that this should be the first time your computer has ever been plugged into the internet and the goal is to get it patched as quickly as possible.
- You need to be logged into your computer as the Administrator to install patches manually.
-
Select Windows Update from the startup menu
-
Internet Explorer will open, look for something like this
You want to click on the Express button to get high priority updates.
-
You will be presented with a list of patches that need to be
applied
Click on Install Updates to install them.
-
You will see the patches download and install...
-
When it's finished it will most likely prompt you to restart
your computer. Sometimes this isn't neccessary.
-
When your computer has finished rebooting, repeat this process
over and over until you see this when looking for new updates:
-
Click on Windows Update from the start menu like you did before,
and look toward the right this time
-
If it says Turn on Automatic Updates then click on it
and select a time that your computer is likely to be turned on.
- You're all finished, click OK and log in as your unpriviledged user :)
9. Harden Microsoft Internet Explorer
- Install the Google toolbar as it will block popups. This will limit the number of Phishing dialog boxes that will popup, which if clicked on could install malware of some kind.
10. Harden Firefox
11. Clean up startup programs in the registry
12. Learn how to be a "smart surfer"
- Downloading
- Clicking
- Phishing
13. Specific software settings
14. Antivirus software
This document was originally created on 06/16/2007
- This howto currently only applies to Windows XP
- You do hate popups... don't you?
Disclaimer:
This page is not endorsed by gentoo.org or any other cool
cats. Any information provided in this document is to be used
at your own risk.
