Proactive Security - Part 2 (for Windows XP)
Although this is a stout defense system, I no longer trust it enough to use it for online banking and other business except for a few select credit card transactions. [See Part 3.]
- 1. Nothing is more important for online security than a good firewall. Your computer may be attacked in seconds without it. I use a router that includes a stateful-inspection hardware firewall in cascade with Online Armor, which is a multi-function software firewall.
- I suggest a Linksys BEFSR41 (wired router) or WRT54GL (the wireless router I use) for your hardware firewall. Both of these include stateful-inspection (SPI) firewalls.
- Online Armor handles three of the most important parts of my setup -- firewall, intrusion prevention and reduced rights for internet-facing programs. Online Armor is nominally a firewall, but it's nice to have all three functions in one program.
- Element 1: A robust firewall. My opinion of Online Armor as a firewall is partly based on the results from highly-recommended tests run by Matousec, and on Scot Finnie's extensive firewall evaluation project. Your mileage may vary. ;-)
- Element 2: Online Armor is a powerful intrusion prevention system. This is an important part of a pro-active defense. [alternative HIPS programs]
- Element 3: Online Armor allows me to run internet-facing programs with reduced rights (see item 2 below).
- I wrote up some tips on using Online Armor: learning to use Online Armor is challenging, and you might prefer another good firewall. ;-)
- 2. I run internet-facing programs with reduced rights. This is an essential part of online security for Windows XP. You are much more secure running as a "Normal" user (reduced rights). But it's just too frustrating to do that, because so many Windows programs won't run right unless you're running under an Administrator account. The compromise is to run as an Administrator, but reduce the access rights of your internet-facing programs. I use Online Armor to reduce program rights, but there are good alternative methods.
- 3. No defense is "bullet-proof". I keep my data backed up, and I make up-to-date drive images (I use TrueImage) as insurance. No defense system is complete without precautions like these.
- 4. I run Sunbelt Software's new VIPRE, which combines antivirus and antimalware scanning protection. This is my only supplemental security program for this security setup. VIPRE was designed from the ground up to minimize the drain on system resources. And their support people are all located in Tampa Bay, Florida. ;-)
- "You can't put two four-cylinder engines together and try to make a V8, you actually have to design something from scratch." — Alex Eckelberry, Sunbelt CEO
- Make sure that you uninstall any other antivirus/antimalware programs before you install VIPRE. Also, let VIPRE disable Windows Defender (which Microsoft may replace with another program some day).
- VIPRE uses a unique virtual "sandbox" to run unknown files. If they exhibit malicious behavior, it's contained within the sandbox, which is then deleted. Nothing is allowed to change the underlying computer system. [review]
- 5. Keeping up to date on security threats and remaining vigilant is nearly as important as having a stout firewall. I strive to do that at all times. ;-)
- 6. I do virtually all my browsing with Mozilla Firefox, and I have the WOT (Web of Trust) Firefox add-on installed. WOT looks for bogus links in webpages, and also in Gmail, Windows Live Hotmail and Yahoo! Mail. Don't surf without it. [advisory tale]
- Now there's something for you Internet Explorer users. It's called "SmartScreen Filter", and the protection it delivers is very similar to that from WOT. That is, if you wait for the upcoming release of IE8. Or you could install RC1, the first "release candidate" for IE8, which should be refined enough for you to take a (small) chance on.
- 7. I maintain tight security settings for Firefox, Thunderbird and other internet-facing programs. [detailed instructions]
- 8. I use Gmail, which blocks executables and scans attachments for viruses.
- 9. I keep Windows and all key programs -- not just internet-facing ones -- patched and up to date. It used to be that keeping Windows patched was the only thing that was critical. Now, cyber criminals are targeting programs that connect online — browsers, email clients, security software, instant messaging programs, media players — and also programs that open attachments — Word, Excel and PowerPoint, Adobe Reader, photo viewers, etc. I use Secunia's (free) "Personal Software Inspector" (PSI) to monitor all my software for updates. [how to use] [Secunia Forum] [alternatives]
- 10. I run F-Secure's Online Scanner once a week to check for rootkits and other malware that might have snuck in. It requires small custom add-ons for Firefox or Internet Explorer. Be sure to read the FAQ before installing the Online Scanner.
- 11. I've switched to OpenDNS: Your DNS server is a critical part of your Internet security. The DNS server that your ISP provides is usually just an afterthought. It is seldom up to date, and often not secure. The OpenDNS.com service is run as a business, not a burden, and the operators are passionate about what they do. OpenDNS also speeds up website lookups, and pro-actively improves security by blocking phishing and other malicious sites. Real people there examine suspected phishing sites to determine if they are legitimate or scams. [instructions] [more] [video]
Important Tips:
How to work with this security setup
There are some tricky aspects of making this security setup work for you. Online Armor, and other powerful security software, locks things down to the point that you sometimes can't do some ordinary tasks with your computer. I've provided some tips to remove some of the obscurity that makes it difficult for many users to work with this setup and those programs.
Tips for working with this security setup >>>
Bulletproof your browser:
And other internet-facing programs
Note: This "bullet-proof" plan is for a Windows XP machine.
Vista and Windows 7 already run programs with limited rights if you
Three ways to run programs with reduced rights, plus some more things that you can do to make your browser more secure.
- Microsoft's "DropMyRights"
- This is a simple, but powerful program from Microsoft that I've used extensively in the past. Use it to run just about any internet-facing program with reduced rights. It's an excellent free choice.
- Online Armor
- I currently use Online Armor to run internet-facing programs with reduced rights. It also has a firewall and intrusion prevention. Rights control is a bonus. Online Armor is an excellent program, but it is difficult for someone with average experience to use. I do have some key tips that will unlock the major secrets, though.
- DefenseWall HIPS
- DefenseWall HIPS is another program that runs programs with reduced rights.
- InformationWeek | 5 Ways To Button Up Internet Explorer
- "We sniffed out five tools for Internet Explorer that can help lock down the browser and make online time at least somewhat safer."
- InformationWeek | 5 Tools To Bulletproof Firefox
- "Here are five essential tools for securing Firefox by disabling JavaScript and Flash, sniffing out suspicious sites, foiling phishing, preventing peeks at private data, and preparing powerful passwords."
- 10 privacy and security extensions for Firefox
- This is a more or less complete index of the Firefox extensions that will enhance your browsing security. McAfee SiteAdvisor, NoScript, Google Safe Browsing (or Google Toolbar), and Dr Web Antivirus are the most valuable.
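Item 2 above and the DropMyRights entry in this section rest on the same Windows XP mechanism: the SAFER API (the engine behind Software Restriction Policies) can compute a "Basic User" restricted token from an Administrator's token, and a process started with that token runs with the rights of an ordinary user even though you are logged on as Administrator. Microsoft's DropMyRights is built on exactly that API. The program below is an added example written for this page; it is not DropMyRights, not Online Armor's code and not from the original post. The level names ("basic", "constrained", "untrusted") and the program name "droprights" are my own choices. It builds as a console program with MinGW or Visual C++; the token and launch code is Windows-only, so on any other platform only the level-name parsing compiles and nothing is launched.

```c
/*
 * Added example (not from the original page or from Microsoft): a minimal
 * DropMyRights-style launcher for Windows XP.  It asks SAFER for a
 * "Basic User" (or stricter) restricted token derived from the caller's
 * Administrator token, then starts an internet-facing program with it.
 *
 * Build:  gcc -o droprights droprights.c -ladvapi32      (MinGW)
 * Usage:  droprights basic "C:\Program Files\Mozilla Firefox\firefox.exe"
 */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <winsafer.h>
#ifdef _MSC_VER
#pragma comment(lib, "advapi32.lib")
#endif
#else
/* SAFER level identifiers exactly as winsafer.h defines them, mirrored so
 * the parser below can be compiled and tested on a non-Windows host. */
#define SAFER_LEVELID_NORMALUSER   0x20000
#define SAFER_LEVELID_CONSTRAINED  0x10000
#define SAFER_LEVELID_UNTRUSTED    0x01000
#endif

/* Map a level name from the command line to a SAFER level ID.
 * Returns 0 for NULL or an unknown name. */
unsigned long safer_level_from_name(const char *name)
{
    if (name == NULL) return 0;
    if (strcmp(name, "basic") == 0)       return SAFER_LEVELID_NORMALUSER;  /* DropMyRights' default */
    if (strcmp(name, "constrained") == 0) return SAFER_LEVELID_CONSTRAINED;
    if (strcmp(name, "untrusted") == 0)   return SAFER_LEVELID_UNTRUSTED;
    return 0;
}

#ifdef _WIN32
/* Start 'cmdline' under a restricted token of the given SAFER level.
 * Returns 0 on success, otherwise the Win32 error code from GetLastError(). */
DWORD launch_with_reduced_rights(DWORD level_id, char *cmdline)
{
    SAFER_LEVEL_HANDLE hLevel = NULL;
    HANDLE hToken = NULL;
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    DWORD err = 0;

    /* 1. Describe the target level (Basic User, Constrained or Untrusted). */
    if (!SaferCreateLevel(SAFER_SCOPEID_USER, level_id, SAFER_LEVEL_OPEN, &hLevel, NULL))
        return GetLastError();

    /* 2. Derive a restricted token from this process's own token.  At the
     *    Basic User level the Administrators group becomes deny-only and
     *    the administrative privileges are removed. */
    if (!SaferComputeTokenFromLevel(hLevel, NULL, &hToken, 0, NULL)) {
        err = GetLastError();
        SaferCloseLevel(hLevel);
        return err;
    }
    SaferCloseLevel(hLevel);

    /* 3. Create the process with the restricted token.  A restricted copy of
     *    the caller's own token needs no special privilege for this call. */
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));
    if (!CreateProcessAsUserA(hToken, NULL, cmdline, NULL, NULL, FALSE,
                              CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) {
        err = GetLastError();
    } else {
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
    }
    CloseHandle(hToken);
    return err;
}
#endif

int main(int argc, char **argv)
{
    unsigned long level;
    if (argc != 3 || (level = safer_level_from_name(argv[1])) == 0) {
        fprintf(stderr, "usage: %s basic|constrained|untrusted \"<program> [args]\"\n", argv[0]);
        return 2;
    }
#ifdef _WIN32
    {
        DWORD err = launch_with_reduced_rights((DWORD)level, argv[2]);
        if (err != 0) {
            fprintf(stderr, "launch failed, Win32 error %lu\n", (unsigned long)err);
            return 1;
        }
        return 0;
    }
#else
    fprintf(stderr, "SAFER restricted tokens exist only on Windows; nothing launched.\n");
    return 1;
#endif
}
```

A quick way to confirm the effect: in a browser started this way from an Administrator account, trying to save a download into C:\Program Files or C:\WINDOWS fails with "access denied", while saving into My Documents still works. "basic" is the level DropMyRights uses by default and is the one to start with; "constrained" and "untrusted" lock the program down further and break many programs, which is the trade-off the post describes between security and things that "won't run right".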