Securing your home computer

A user recently asked me what I would recommend to keep his home computer as secure as the ones at our office. Here's the list of considerations I gave him.

-------------------------------------------------------------------------------------------------------------------

I was recently asked by one of my users, "Why do the computers at the office seem to fend off the malicious threats that always seem to invade my home computer?"

I have a pretty strict personal policy against giving help and advice to people concerning their home computers, but after a brief conversation with this person, I decided to give him a list of things to do at home that would go a long way to securing his personal computer. In some cases, he asked me to recommend brands or products, but instead of giving him any particular product recommendations, I recommended a particular store instead and told him to ask the sales associate. (I didn't want to get THAT involved.)

Anyway, here's the list of considerations I gave him. I have, however, expanded on them a bit for this blog piece. And depending on the operating system and types of products a person uses, some of these might offer redundant protection -- or another level of protection, depending on how you look at it. While this might seem elementary to a lot of us old-timers, it's certainly worth a review from time to time.

1. Updated software: Configuring the auto-update to run on a regular basis is the best way to make sure it gets done. Mine are scheduled to run at 3 AM. I know it might pose an inconvenience to find that your computer has rebooted in the middle of the night (especially if you failed to save a document!), but it's one way to make sure that Microsoft's regular security updates actually do get installed. It's too easy to put it off. Updates to the operating system, MS Office, Internet Explorer, and so on are released for a reason. The quicker they get installed, the better. It's the biggest reason I keep my computer running all night.

2. Anti-virus software: You would think that this is a no-brainer, but I've often run across people who either don't have it or don't keep it updated. Doing both is an absolute must. We could argue all day about which product is the best, but there'll be no argument when I suggest that anything is better than nothing. I've never been a huge fan of off-the-shelf Norton products, but I've had great luck with the corporate edition. Stopping short of recommending a particular product, I did advise him to avoid the suites. And installing it isn't enough. Make sure it's also configured to automatically download the vital software and virus-definition updates. I also do this on a daily basis.

3. Anti-spyware software: Again, there will be arguments and discussions about which is the best, but it's another must-have.

4. Software firewall: Having something like Zone Alarm installed will prevent all sorts of malware from finding its way onto your computer, not to mention preventing those annoying pop-ups.

5. Hardware firewall: For home use, a firewall router is adequate. The person who initially asked me about this had a router, but not a firewall router. No wonder he was getting inundated with pop-ups and such. And while it might be a bit of a stretch (or maybe not), keeping it updated is something that I would recommend. I recently threw out an old Linksys firewall router when I could no longer update its firmware, and I replaced it with a newer Cisco model (Cisco actually bought Linksys). I have the BEFSX41 model, and it's performing quite nicely.

6. Passwords: I recently wrote a blog piece on passwords. Their proper use provides yet another level of protection for a home computer.

7. Phishing e-mails: The reason they keep coming is because they're so successful in duping people out of their personal information. Learn to recognize them, and never respond to them. Always assume that any e-mail that requests personal information is a phishing e-mail.

8. Free Internet downloads: I know this isn't always possible, and I suppose I'm not talking about ALL free Internet downloads, but use good judgment on what you should and shouldn't download. For example, I have an Internet Poker site that I prefer, one that offered a free download, and it's perfectly safe and legitimate. But others I wouldn't touch with a ten foot pole. And those free registry cleaners, free spyware scanning tools, and so on, often do more harm than good. In fact, I would venture to guess that the majority of such things are malware themselves!

9. Backup, backup, and backup: My home computer is probably not unlike most people's, with the usual documents, pictures, music, e-mail, and so on. However, where mine is probably different than most people's is the presence of a two-tiered back-up system. Do you realize how many home users don't back up their data at all? I have an extra internal hard drive for storage of a daily backup. This is also an automatic process, just like the Microsoft updates, in which a simple batch file incrementally copies (via xcopy) targeted directories (folders) from Point A to Point B. Point B is, of course, the extra internal hard drive. I also have an external hard drive with a USB interface that I plug in on a regular basis and globally copy my saved data from Point B to Point C.

10. System documentation: In case you ever do need to restore or reinstall, it's vital to have quick, easy, and accurate access to the software CDs and serial numbers, the hardware CDs and documentation, and so on. I recommend a 3-ring binder with pocket inserts for operating system and software CDs, including the hardware CDs and documentation. Personally, I even go as far as keeping my original boxes, cutting them up so I can put them into a sleeve with the rest of the documentation. I also keep all my configuration information in there.

In the worst-case scenario, if, at the very least, you have numbers 9 and 10, you can restore your system -- complete with your current data. But with proper implementation of numbers 1 through 8, it'll probably never come to that.
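The two-tier backup from item 9, sketched as a Windows batch file. This is an added example, not the author's own script; the folder names, drive letters and log location are assumptions to adjust for your machine.

```batch
@echo off
rem Added example: two-tier xcopy backup, Point A to Point B to Point C.
rem Every path and drive letter below is an assumption; edit to match your machine.
setlocal

set "SRC_ROOT=%USERPROFILE%"
set "POINT_B=D:\Backup"
set "USB_DRIVE=E:"
set "POINT_C=%USB_DRIVE%\Backup"
rem The log lives outside the backed-up folders so xcopy never copies an open file.
set "LOG=%USERPROFILE%\backup.log"
set "FAILED=0"

if not exist "%POINT_B%\" mkdir "%POINT_B%"
>>"%LOG%" echo ==== Backup started %DATE% %TIME% ====

rem Tier 1: incremental copy of the targeted folders from Point A to Point B.
rem /D copies only files newer than the destination copy, /E includes subfolders,
rem /C continues past errors, /H includes hidden and system files,
rem /I treats the destination as a folder, /Y overwrites without prompting.
for %%F in (Documents Pictures Music) do (
    xcopy "%SRC_ROOT%\%%F" "%POINT_B%\%%F" /D /E /C /H /I /Y >>"%LOG%" 2>&1
    rem xcopy exit codes: 0 copied, 1 nothing to copy, 4 or 5 failure.
    if errorlevel 2 (
        >>"%LOG%" echo ERROR: xcopy failed for %%F
        set "FAILED=1"
    )
)

rem Tier 2: only when the external USB drive is plugged in, copy Point B to Point C.
if exist "%USB_DRIVE%\" (
    xcopy "%POINT_B%" "%POINT_C%" /D /E /C /H /I /Y >>"%LOG%" 2>&1
    if errorlevel 2 (
        >>"%LOG%" echo ERROR: copy to Point C failed
        set "FAILED=1"
    )
) else (
    >>"%LOG%" echo External drive not present, skipped Point C
)

>>"%LOG%" echo ==== Backup finished %DATE% %TIME% failed=%FAILED% ====
exit /b %FAILED%
```

Because /D only adds and refreshes files, anything deleted from Point A stays in the backup until you remove it by hand. A non-zero exit code lets a scheduled task report a failed run.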

48 comments
reisen55

I recommend this highly. Two drives: Drive C - operating system Drive D - Storage, everything else. On drive D I keep not only documents, spreadsheets, etc, but also copies of installable applications, notes, drivers, etc and also GHOST image of the operating system drive upstairs!!!! Restoration is easy. Redundant copy of Drive D also maintained, one on a networked station downstairs and USB drives. ***** As I support corporate computers, I fear home computers and do not enjoy working on them, tooooooo many things can be so bad and weird there, and home users do not understand what a rebuild entails, or hours of diagnostics performed. Then put little Tommy back on it again ......

Jacky Howe

I totally agree with you, but can I add a bit to it, as to me Joe this is to me one of the most overlooked areas in Home Security. Once it is set up you have greater control of Cookies and it only takes a couple of clicks. I had a Client ring me the other night saying that she couldn't access her Bank. When I had shown her the advantages of taking the time to allow or disallow Cookies on Trusted or Untrusted sites she Blocked the bloody Bank because she didn't Trust it.

Take control of Cookies in Internet Explorer

1. Open Internet Explorer
2. Select Tools
3. Select Internet Options
4. Select Privacy
5. Under Cookies put a tick in the box Override automatic cookie handling
6. Then it is Prompt, Prompt and tick Always allow session cookies

What are session cookies? Session cookies are small pieces of information stored in the memory of your computer to uniquely identify your current session. This cookie does not contain any personal information about you, nor is it stored on your computer's hard-drive. It is removed from the memory of your computer when you press the 'Logoff' button or shut down the browser window.

To allow Cookies in Internet Explorer if the site is unnecessarily Blocked.

1. Open Internet Explorer
2. Select Tools
3. Select Internet Options
4. Select Privacy
5. Select Sites
6. Under Managed websites scroll down to the Site and double left mouse click on it
7. It should now be visible in Address of website
8. Select Allow
9. Select OK and OK again

andre.j.hawkins

If you ever access your computer from a different location using remote desktop, make sure you don't secure it with just a user name and password. LogMeIn just released a Partnership with PhoneFactor. PhoneFactor is a strong authentication solution that utilizes your phone as a second factor. The coolest part is it's also fraud detection in realtime. For example your employee may have guessed your user name and password and when he tries to login he can't because it will ring your phone and you will have to grant him access. You can download PhoneFactor for LogMeIn or any other application at the PhoneFactor website. I've had really good luck so far and it's super fast for 2nd authentication. Say good bye to all those tokens. andre

ed

I see several comments here suggesting that Bittorrent is a safer alternative to P2P. Is that so? If so, why?

richard

Agree with the sentiment behind point 8 (avoid free downloads) - but condemning "the majority" might be going too far. Some (the majority?) of decent apps and utilities I use are open/free ware. On point 9 - don't backup everything! Set up Microsoft Sync Toy http://software.techrepublic.com.com/abstract.aspx?&kw=sync+toy&docid=278607 (or - one I prefer - Toucan http://software.techrepublic.com.com/abstract.aspx?docid=371604) to mirror folders - these copy items changed or added since the previous backup. Both are FREE :-)

wanttocancel

I tell home users not to download any P2P software like Limewire, Kazaa or Bearshare. Many of those applications are riddled with viruses and/or malware or, if they're not, the downloads are.

gil_gosseyn

If you want to make Internet Explorer safer, use Firefox. And add the No Script, AdBlock Plus, and FlashBlock extensions.

Joe_R

Thanks for including the control of cookies to the list. It's a great addition.

Joe_R

Thanks for posting

seanferd

They aren't uploads from random users. The good stuff, you have to pay for. edit: So it is fully legal as well.

Joe_R

There is a lot of good free stuff out there. The key, I suppose, is learning to identify it.

gbhall

I found SyncToy less than adequate for that task, and personally use SyncBackSE at http://www.2brightsparks.com/. They used to (maybe still do) offer a freeware version, but the paid-for version is cheap but extremely capable, perhaps too much so for your average user, but ideal for the more expert. One point about partitioned drives. Yes, they make restoration of the C: drive simpler and faster without any data on it, but the other thing people sometimes think it does is protect their data from loss. Not so, as a complete drive failure takes down all the partitions. I would say from my experience that only about 50% of the time can you recover a second partition by mounting in another PC. No - as well as two partitions it is very important to have two drives.

Joe_R

Thanks for posting

OnTheRopes

I do the same thing. I've tried P2P software myself and have always had problems. That may be because I don't know what I'm doing but I think, if I'm having problems my less knowledgeable customers will have problems too.

jeremial-21966916363912016372987921703527

I have always been one that reformats and reinstalls every 3 or 4 months, even though I use all of the suggestions in your article. I just find it helps "revitalize" the asset, if you will. A couple of things I have implemented, that make things smoother for me:

1. I downloaded and installed Microsoft's Virtual PC 2007, and configured it to match my real machine. If there is a need to download and install something that I am wary of, I put it on the virtual machine for several days to a week first, before "promoting" to the host machine. This has saved me on more than one occasion, as I can always revert to a snapshot easily.

2. I took all of the apps and drivers that I need to install to get my machine back to where I like it when I reformat (printer, wireless NIC, Office, Games, etc. etc. etc.) I then downloaded the 30 day trial of Macrovision's Admin Studio product. By running a setup capture, you can condense most any setup into a single .msi file, with the activation keys, etc. built right in. This way, I find myself not having to keep all of these numbers written down, as long as I keep solid backups of the .msi files.

steveb

Second Copy is a good software backup program for home use. Doesn't cost much, easy to set up (I back up to an external drive), and just does its job automatically without bugging you all the time. I would recommend it. A good article, but the best way to stay clean is common sense. That e-mail promising you 1 million dollars if you just give them $250 and some personal info? A scam. That CNNalert or e-card that is unsolicited? A virus. (they usually want you to download and install an addon, that's the virus). Anti virus is a no brainer, scan anything you download by right-clicking the file after the download is complete and scan it before you execute or open it. Having said all this, I am still amazed at how uncommon people with common sense are. Cheers!!

SubgeniusD

Since the major security risk factor for average users is opening a web browser why has there been no mention of Linux and any browser but IE? That's it. 90% of risk factors gone.

Alzie

For as long as I can remember my main drive has had at least 2 partitions. One for the OS and one as storage. Downloaded drivers, A/V software etc get placed on D drive. As well as pictures and any saved media. Not 100% secure but saves tons of headaches should you ever have to reformat. I also recommend a couple of safe download sites for free utilities and such.

louis.slabbert

I'll admit it. I'm an addict. (at installing and testing freebies) But luckily I have found a way for my freebie downloading addiction to co-exist with the safety and security of my laptops.

1) If you have an iMac, MacBook or any Apple or Linux machine around and have windows installed as a VM (test the freebies on there..), If it creates problems, you can just revert to a previous snapshot of the Virtual machine.

2) You can run filemon and regmon from sysinternals to really see what the program does (registry and file wise)

3) By Far the nicest tool I use is Anubis: http://anubis.iseclab.org/features.php which shows me exactly what the executable tries to do including network connections etc (have found a few trojans, which the AV companies did not even know about at the time, so had to submit it to them and a few days later my company's AV eventually picked it up as a Trojan)

4) Lastly if you can't care about VM's, and don't like AV software taking up all the processing power, you can install DeepFreeze and do whatever you like, and after a restart your machine will be back to its original state (read up on data retention if you actually wish to store anything on the laptop) (I've installed this on a laptop I gave to an ex-girlfriend, and didn't want to do any support afterwards...)

5) If all else fails, keep an Acronis or Ghost Image of your machine (the way you like it), and keep your data on an external USB drive (obviously still have a backup of this drive somewhere..possibly using the FolderSync or the like).

I have gone through most of these techniques during my interesting time in IT and all have helped me have fun while keeping my computer *relatively safe... If you are NOT addicted to Freebies and installing new software, my biggest and MOST effective advice would simply be: DO NOT RUN AS ADMIN (Yes capitals are shouting, sorry), http://nonadmin.editme.com/ for some info, or simply google run as limited user

My two cents. Be safe, have fun!

The 'G-Man.'

Don't just think about the system, you need security from the power grid. A good circuit breaker or UPS is essential unless you want to risk a completely dead system. A system where possibly all the documentation in the world will not help restore.

seanferd

Set up and use limited user accounts for normal activity. Good list.

OnTheRopes

Nice article. Thank you. For me numbers 9 and 10 are extremely important. I'm creating a backup as I type this. Your article reminded me that it's time. For something further, I put a piece of clear cellophane tape over any important numbers on my computer and on the documentation that came with any software. It seems like those numbers rub off too easily.

kumar.jeff

Agree about PhoneFactor. The revolutionary thing to me is that it seems like one of the first 2-factor solutions that can be implemented completely by a consumer. Example: I want to get something from my home pc while I'm at work. Set up LogMeIn but that seems kind of risky. If you implement PhoneFactor on top of it, you've created a 2-factor for yourself, even if you aren't particularly technology savvy.

Racewalker

P-2-P is unsafe under all circumstances for the normal home user. It only needs one mistake with it and you will be infected and that includes Bittorrent. A very high percent of the logs that are seen by those who are working to clean up computers on the forums have P-2-P installed. It has gone so far that many of the forums will not help a user who insists on keeping P-2-P apps on their computer because we have seen that a large percentage come back with a reinfected computer within a very short time. The three biggest problems when it comes to keeping the apps up to date are JAVA, Adobe and QuickTime. They are all difficult to keep updated for the normal user and they are all serious security risks if they are not kept up to date. The home computer that connects to a business net can be a major risk with today's well hidden infectors. The average user often has no idea that they are seriously infected with Backdoor Trojans, Password stealers and key loggers. I therefore believe that it is imperative that those involved in IT at companies also think about how to protect the computers used at home by the employees.

wanttocancel

I would try Bittorrent if I was you. Much safer than P2P programs but there is a learning curve. Google around for tutorials.

Joe_R

I actually thought it would have come sooner.

seanferd

If you want to be secure through Unix, I'd suggest a BSD over Linux.

Joe_R

Thanks for posting.

Joe_R

Thanks for posting.

Aakash Shah

Louis: Windows can be virtualized in Windows too, and not just in Mac OS or Linux :) I don't usually recommend virtualization for most users, because the concept of a computer in a computer really confuses most standard users. For the slightly tech savvy users who ask for help and want to virtualize, I suggest Sun VirtualBox (MS Virtual server is relatively slow and VMware Server installs IIS which IMO can pose a security risk because it increases your attack vector). DeepFreeze costs money, so I recommend Windows SteadyState (www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx) which offers similar functionality as DeepFreeze and is free.

Joe_R

Thanks for posting.

Joe_R

A good UPS is a must. Many thanks.

Joe_R

Thanks for posting the suggestion.

Joe_R

Great idea, Ropes. Thanks for posting.

brian.samuela

I have to agree with you Kumar, I don't really understand all this authentication stuff, but I do know that if I log in my LogMeIn account I will get a call checking it's me. I also know that it was easy to install and I feel more secure now. Less stress, more safety, I think that's the point :-)

seanferd

Through their website. Official hosted files, etc.

coderancher

But, I still think Bittorrent is a safer option among the file sharing programs. There are many open source Bittorrent clients that are free of adware/malware. Companies like Novell and Red Hat also use the Bittorrent network as one of the download channels for their Linux distributions. You don't see them using any of the other P2P networks. Of course, even if your file sharing client is free of malware, you still have to beware of what and from where you are downloading. Stay away from pirated/cracked commercial software.

The 'G-Man.'

has learning curve of around 5 minutes in my experience. It is getting the information from the final downloaded file that can cause the headache and learning curve (in some cases).

seanferd

BSD runs almost any Linux app or desktop, and is more secure in general. I mention it in the context of security, anyway. Still, I'm wondering what desktop functionality would be missing. As far as Linux goes, OpenSuSE is ok (it has a good lineage) even with KDE, but I'm not a big fan of Ubuntu, though I do rather like Debian. I suppose it would be just fine if I spent the time to bend it to my preferences. Again, I do like Linux, but in the context of security, BSD has some strengths over Linux, and the default settings tend toward the secure as well, more so than many Linux distros. Heck, I wish Minix was at a more advanced stage. That would be sweet.

SubgeniusD

For servers (perhaps) but this is about the average user isn't it? Even PC-BSD doesn't have the desktop functionality of Ubuntu/OpenSuSe etc.

slam5

Or just take your 8 mega pixel point and shoot and take a picture of the bottom.. nothing extra to buy.

knightwalker65

Another thing I did was to place my laptop on a scanner and make a High resolution copy of the entire bottom of the thing where all the factory stickers and numbers are.

santeewelding

I also like your idea about the binder. I do something like that. It has saved my young ass.
