Proactive Security - Part 2 (Windows 7 or Vista)

Although this is a stout defense system, I no longer trust it enough to use it for online banking and other business except for a few select credit card transactions. [See Part 3.]

1. Nothing is more important for online security than a firewall. Your computer may be attacked within seconds without it. I use the Windows 7 firewall in cascade with a router that includes a state-inspection hardware firewall.
Update: I now use the two-way firewall in VIPRE Premium (below) as my software firewall.
I use a Linksys BEFSR41 (wired) or WRT54GL (wireless) for my hardware firewall. Both of these include state-inspection firewalls. It's also critically important to set your router up securely.
2. I run Windows 7 as a "Standard User", which makes Windows 7 much more secure. [instructions] [Microsoft's version] [data]
It is essential to set User Account Control (UAC) to "Always notify" to make running as a Standard User effective. [Start > Control Panel > Action Center > "Change User Account Control settings."] Most malware attacks are blocked under a Standard User account with this UAC setting. Do this for both your Standard User and Administrator accounts.
Installing programs: When you install programs, elevate your own account to "Administrator" rather than using "Switch User". Saves a lot of grief.
Process:
1) Click your account icon, located just above your account name at the right side of the start menu, and it will take you directly to the User Accounts control.
2) Click "Change your account type", supply an Administrator password and change your working account to "Administrator".
3) Install and start the new program(s). (I find it good practice to right-click the install file, and select "Run as administrator" to make sure there are no residual access restrictions.)
4) Don't forget to change your primary account back to "Standard User".
3. Since no defense is "bullet-proof", I keep my data backed up. I also create up-to-date drive images, using the Windows 7 "Backup and Restore" facility for that.
4. I run Sunbelt Software's new VIPRE Antivirus Premium, which combines antivirus and antimalware with intrusion protection plus a 2-way firewall. This is the only major security software I use with Windows 7.
I recommend that you use the standard version of VIPRE, or not activate Process Protection in the premium version, unless you're prepared to handle significant interaction with that intrusion prevention service.
Make sure that you uninstall any other antivirus/antimalware programs before you install VIPRE. Also, let VIPRE disable Windows Defender (which Microsoft may replace with another program some day).
VIPRE uses a unique virtual "sandbox" to run unknown files. If they exhibit malicious behavior, it's contained within the sandbox, which is deleted. Nothing is allowed to change the underlying computer system. [review]
VIPRE was designed from the ground up to minimize drain on system resources. And their support people are all located in Tampa Bay, Florida. ;-)
5. Keeping up to date on security threats and remaining vigilant is nearly as important as having a stout firewall. I strive to do that at all times. ;-)
6. I do virtually all my browsing with Mozilla Firefox, and I have the WOT (Web of Trust) Firefox add-on installed. WOT looks for bogus links in webpages, and also in Gmail, Windows Live Hotmail and Yahoo! Mail. Don't surf without it. [advisory tale]
Now there's something for you Internet Explorer users too. It's called "SmartScreen Filter", and the protection it delivers is very similar to that from WOT. That is, if you wait for the upcoming release of IE8. Or you could install RC1, the first "release candidate" for IE8, which should be refined enough for you to take a (small) chance on.
7. I maintain tight security settings for Firefox, Thunderbird and other internet-facing programs. [detailed instructions]
8. I use Gmail, which blocks executables and scans attachments for viruses.
9. I keep Windows and all key programs -- not just internet-facing ones -- patched and up to date. It used to be that keeping Windows patched was the only thing that was critical. Now, cyber criminals are targeting programs that connect online — browsers, email clients, security software, instant messaging programs, media players — and also programs that open attachments — Word, Excel and PowerPoint, Adobe Reader, photo viewers, etc. I use Secunia's (free) "Personal Software Inspector" (PSI) to monitor all my software for updates. [how to use] [Secunia Forum] [alternatives]
10. I run F-Secure's Online Scanner once a week to check for rootkits and other malware that might have snuck in. It requires small custom add-ons for Firefox or Internet Explorer. Be sure to read the FAQ before installing the Online Scanner.
11. I've switched the DNS server I use to ClearCloud DNS: Your DNS server is a critical part of your Internet security. ClearCloud DNS relies on a database of known malware sites to block access from your computer.
Sunbelt processes 100,000 to 1 million [malware] samples each day. We analyze the activity of every sample and watch to see if a file tries to "phone home" and download malicious files, send sensitive data about you or your computer to its home base, or engage in other malicious activity. These addresses of bad websites are saved into a database that is used by ClearCloud.
OpenDNS is another DNS service that pro-actively improves security by blocking access to phishing and other malicious sites. Real people there examine suspected phishing sites to determine if they are legitimate or scams.
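
A read-only check of the settings from steps 2 and 11, as an added example that is not part of the original page: it confirms that UAC is at "Always notify", that the logged-on account is not a member of the Administrators group, and that every network adapter uses only the expected DNS servers. The resolver addresses are placeholders and the function names are made up for this example.

```powershell
# Added example, not from the original page. Written for Windows PowerShell 2.0 (Windows 7).
# ASSUMPTION: placeholder resolver addresses from documentation ranges; replace them
# with the addresses published by the filtering DNS service you use.
$ExpectedDns = @('192.0.2.53', '198.51.100.53')

function Test-UacAlwaysNotify {
    # "Always notify" = UAC enabled, a prompt for every elevation, shown on the secure desktop.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    $enabled = $p.EnableLUA -eq 1
    $always  = $p.ConsentPromptBehaviorAdmin -eq 2
    $secure  = $p.PromptOnSecureDesktop -eq 1
    return ($enabled -and $always -and $secure)
}

function Test-AccountIsStandardUser {
    # An unelevated administrator still carries the Administrators SID (S-1-5-32-544)
    # as a deny-only group, so IsInRole() would wrongly report a standard user.
    # whoami lists deny-only groups too, and the SID is the same in every locale.
    $groups = @(whoami /groups /fo csv /nh)
    $hits = @($groups | Where-Object { $_ -like '*"S-1-5-32-544"*' })
    return ($hits.Count -eq 0)
}

function Get-UnexpectedDnsServers {
    param([string[]]$Allowed)
    # Check every IP-enabled adapter: a second adapter (Wi-Fi, VPN) can keep using
    # the resolver handed out by DHCP after the first one was changed by hand.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
        ForEach-Object {
            $adapter = $_.Description
            foreach ($server in @($_.DNSServerSearchOrder)) {
                if ($server -and ($Allowed -notcontains $server)) {
                    New-Object PSObject -Property @{ Adapter = $adapter; Server = $server }
                }
            }
        }
}

$report = New-Object PSObject -Property @{
    UacAlwaysNotify = (Test-UacAlwaysNotify)
    StandardUser    = (Test-AccountIsStandardUser)
    UnexpectedDns   = @(Get-UnexpectedDnsServers -Allowed $ExpectedDns)
}
$report | Format-List
```

If the router hands out its own address as the DNS server, add that address to `$ExpectedDns` and configure the filtering resolver on the router itself.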