These spyware and other malware prevention tips are designed for a home PC running Windows XP Professional. Certain tips may also apply to a small home network running Windows XP Professional, but some of the recommendations may not work for other versions of Windows. As always, it is recommended to back up your data before making any changes to your computer.
Out of the box, Windows installs with certain dangerous defaults which, when left alone, will prove to be the biggest bottleneck when you set out to secure your system against malware and hackers.
Use a Non-Admin Account
If there is one silver bullet for preventing the installation of malware, it is using a non-admin account, also known as a LUA (Least privileged User Account) or limited user account, when performing normal day-to-day tasks such as writing documents, browsing the Internet, reading e-mail and instant messaging, and using an account with administrator privileges only for the specific tasks that require them. This will drastically limit your exposure to malware.
If the exploit happens to be written so that it requires admin privileges (as many do), just running as User stops it dead. But if you are running as admin, an exploit can:
- install kernel-mode rootkits and/or keyloggers (which can be close to impossible to detect)
- install and start services
- install ActiveX controls, including IE and shell add-ins (common with spyware and adware)
- access data belonging to other users
- cause code to run whenever anybody else logs on (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)
- replace OS and other program files with trojan horses
- access LSA Secrets, including other sensitive account information, possibly including account info for domain accounts
- disable/uninstall anti-virus
- cover its tracks in the event log
- render your machine unbootable
- if your account is an administrator on other computers on the network, the malware gains admin control over those computers as well
- and lots more
So why doesn't everybody run as a limited user?
The downside to running as a non-admin user is that not everything works like it should. Check out this MSKB article: "Certain Programs Do Not Work Correctly If You Log On Using a Limited User Account".
Why does least-privilege computing break applications?
Because programmers write everyday applications that require admin rights. Why do they do this? Because using admin rights made it easier to write certain programs. It also didn't use to be a big deal. This type of development, however, encouraged all user accounts to be set up with admin privileges by default, opening the door for some of the malicious code we're fighting today.
See: 'Least Privilege' Can Be the Best
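To see which accounts on the PC currently hold administrator rights, the following added example (not part of the original tips) parses the output of the built-in "net localgroup Administrators" command and reports any day-to-day account that is a member. It assumes the English-language output layout; the sample output and the account names are constructed.

```python
import subprocess
import sys

# Constructed sample of `net localgroup Administrators` output (English locale).
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Owner
kids
The command completed successfully.

"""

def parse_admin_members(output):
    """Return member names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if not in_list:
            in_list = line.startswith("-----")
            continue
        if not line or line.lower().startswith("the command completed"):
            break
        members.append(line)
    return members

def daily_accounts_with_admin(output, daily_accounts):
    """Return the day-to-day accounts that are members of Administrators."""
    # Compare case-insensitively and ignore a COMPUTER\ or DOMAIN\ prefix.
    admins = {m.split("\\")[-1].lower() for m in parse_admin_members(output)}
    return sorted(a for a in daily_accounts if a.lower() in admins)

if __name__ == "__main__":
    if sys.platform == "win32":
        text = subprocess.run(["net", "localgroup", "Administrators"],
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_OUTPUT  # offline demonstration on the constructed sample
    # Hypothetical account names: replace with the accounts used for daily work.
    for name in daily_accounts_with_admin(text, ["Owner", "kids", "guest1"]):
        print(f"{name}: member of Administrators; switch it to a limited account")
```

Any account it reports should be changed to a limited account, with a separate administrator account kept for installs and configuration.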
Use Effective Passwords
A weak password will not offer protection against a determined hacker. So when you choose a password, don't pick one that is obvious, like your name, your spouse's name or your pet's name.
- Select a password that is at least 8 characters long. Windows accepts passwords up to 127 characters in length!
- Use a mixture of uppercase and lowercase letters, numbers, and other characters such as *, ?, or $.
- If you have multiple systems, do not use the same password on all of them.
- Never, ever write your passwords down or send them in unencrypted e-mail messages.
More tips on selecting strong and easy-to-remember passwords: Ten Windows Password Myths
Use a BIOS/Boot-Level Password
Once set, the boot-level BIOS password is required every time your system is started. It protects your system by completely disabling it until a password is entered. Normally you can set a boot-level password by selecting the option in your BIOS setup. While you are at it, also consider setting up a password for accessing the BIOS setup itself to prevent an unauthorized user from changing the BIOS settings.