[olug] OT: "Securing" a WinXP Home Edition Machine
Phil Brutsche
phil at brutsche.us
Sat Feb 5 01:40:27 UTC 2005
Jake Churchill wrote:
> Black Ice for a firewall
IMO you should remove such thoughts from your head immediately.
You're taking the wrong standpoint in securing the machine.
By the time the malicious software has executed on the machine, it's
already too late, the firewall software is no longer functioning. Ditto
for AV software and anti-spyware software.
You need to keep the malicious software from running in the first place,
which is *really* hard, considering the tendency of some people to
download and install random "freeware".
The *best* way to protect a Windows machine is:
* The built-in XP firewall is *more* than good enough, if you disagree
  get a Linksys tonka toy or the equivalent. Most host-based firewalls
  are worthless and are trivially bypassed, especially when the user
  has admin rights (see bullet 3).
* Up-to-date AV software. Trend Micro is a good choice, and even works
  correctly when the user doesn't have admin rights ;) (once again
  bullet 3)
* Do not, under any circumstances, run with Admin privileges!
Do you do everything as root on your *NIX boxes? No, you don't. You
"su" or "sudo" to get root when you need it.
So why don't you do the same on a Windows box? XP users can use FUS
(fast user switching) to switch over to an admin account when you need to
install something.
It's not easy, considering the high number of clueless Windows
developers out there. But I can speak from experience that it is *highly*
effective at keeping a machine clean. 40+ Windows machines are under my
care, and over 3 years I have had *zero* spyware infestations.
--
Phil Brutsche
phil at brutsche.us