Windows optimize

Secure your computer after a Windows install or reinstall

Alan Norton details five ways to better secure your Microsoft Windows computer immediately following a clean install until all the important security updates can be installed.

If you read my article 10 things you should do before, during, and after reinstalling Windows you will be aware that I mentioned five ways to get the important updates and the latest Windows service pack and five ways to install the same. While writing the article it became apparent to me that there was a security risk immediately following a reinstall of Windows.

Microsoft recommends that you connect to the Internet to get the important security updates and service pack. But the catch-22 is that your computer is more vulnerable until the security updates are installed. That left me wondering if there was a better way to secure my PC when it was at its most vulnerable -- immediately following a clean install.

The best and easiest solution would be to simply download the security updates before a reinstall. This cumulative self-executable security update file simply does not exist on the Microsoft download site. I've seen Microsoft security update files available for download at various Web sites, but this is one of the few times that a third-party solution won't work. You simply can't trust replacing your core system files to anyone but Microsoft.

So I set out to find a proactive way to secure my computer immediately following an install or reinstall. I detail five ways (Table A) to better secure your computer until all the important security updates can be installed. They range from simple to complex and from less secure to more secure. This document refers specifically to Vista, but the concepts apply to all versions of Windows.

This blog post is also available in PDF format in a TechRepublic download.

Five ways

Table A - The Five Vista Install/Reinstall Security Options

Columns: Option; Microsoft Approved; Update Type; Advantages; Disadvantages

Option One (Stand-alone)
  Microsoft Approved: Y
  Update Type: Manual SP1
  Advantages: Only choice for stand-alone computers not connected to a network. No security issues other than with the applications you run.
  Disadvantages: Does not install the latest drivers and updates.

Option Two (Windows Firewall and Defender, default)
  Microsoft Approved: Y
  Update Type: Windows Update
  Advantages: Automatic. Latest drivers and updates downloaded.
  Disadvantages: Exposes computer to attacks without security updates and SP1 in place.

Option Three (Windows Firewall and Defender, default)
  Microsoft Approved: Y
  Update Type: Windows Update, then Manual SP1
  Advantages: Limits time connected to Internet before installing SP1.
  Disadvantages: Requires exposing computer to attacks without security updates in place.

Option Four (Windows Firewall and Defender, default)
  Microsoft Approved: N
  Update Type: Manual SP1, then Windows Update
  Advantages: Installs SP1 without having to connect to the Internet.
  Disadvantages: Does not install the latest drivers and updates up front. A poor option if you have Vista-incompatible hardware.

Option Five (Firewall Application Blocking)
  Microsoft Approved: Y
  Update Type: Windows Update
  Advantages: More secure. Latest drivers and updates downloaded. Possible way to better secure Windows until SP1 and all security updates can be installed.
  Disadvantages: More difficult to implement.

Options three, four, and five offer a more secure way to retrieve SP1 and the important update files. Option five is potentially the most secure and is the most difficult to implement.

Option one

Stand-alone computer users must follow this option. Since the computer will not be connected to a network, there are no online threats to worry about. You will still need to consider the risks involved when running any applications. The service pack, if any, will have to be installed manually.

Option two

This is the standard default option for Windows. Most of you have always used this option to update your PC following an install or reinstall.

If you select this option, you will have to rely solely on Vista's built-in Windows Firewall and Windows Defender. The security updates you will be downloading fix known security vulnerabilities with Internet Explorer, MS Mail, and Windows Media Player. Until the security updates are installed, you should consider not browsing the Web, reading your e-mails, listening to MP3s, or starting any other applications that connect to the Internet.

Option three

The comments in option two also apply to option three. This option requires you to connect to the Internet to get the latest security updates. Then do a manual install of the latest service pack. By installing SP1 manually you reduce the amount of time you have to be connected to the Internet.

Option four

The comments in option two also apply to option four. Option four is similar to option three but installs the security updates contained in SP1 before having to connect to the Internet. By installing SP1 manually, you also reduce the amount of time you have to be connected to the Internet.

I have tried Option four, and it seemed to work well for me without any major problems, even though it is not Microsoft approved. I was able to experience firsthand some of the problems that can be experienced by manually installing SP1 prior to a Windows Update scan. Be aware that if you choose this option it is possible that any problems may require you to reformat the target partition and reload Windows from scratch again. You can also try manually installing SP1 in safe mode if you experience any problems.

Option five

This option involves configuring a firewall to block all network traffic except traffic to the Windows Update server. Actually implementing this requires advanced knowledge of the Microsoft Management Console (MMC) and the Windows Firewall with Advanced Security MMC snap-in, or of a third-party firewall that supports application blocking. To be honest, I tried to set up a new inbound rule in Windows Firewall with Advanced Security and gave up after a few hours of fruitless effort.

A good third-party firewall is an alternative option that may provide better security while Windows Update is busy retrieving and installing important updates. In the hands of the right person, a third-party firewall like Comodo Internet Security (CIS) is more secure than Windows Firewall and Defender. And third-party firewalls can solve the transparency problem that Vista's firewall has.

If you are looking for a firewall for simple everyday protection or for easily creating inbound and outbound network rules, Comodo Internet Security fits the bill and then some. And the full-blown version with anti-virus protection and Defense+ is totally free.

If you do use a third-party firewall like CIS, you will have to understand how to properly configure the firewall and what application alert prompts to allow and which to deny. This is not the level of knowledge you can expect from the average user. Even tech pros can find using such a firewall challenging. You can dial back the settings in Comodo Internet Security but at the cost of reduced security.

How highly is Comodo Internet Security rated? The CNET editors rate it five stars. You can download the 32- and 64-bit versions from the Comodo Web site.

Installing CIS and not running any apps that connect to the Internet should safely secure your computer until all the important security updates are in place. If you want to lock down your network traffic further, it can be done using network rules, but you need to understand some firewall basics first.

Basic firewall theory

There are two ways that personal software-based firewalls fundamentally work. They can start with a solid wall in place, and specific network or application rules can be added that poke holes in the wall. Or they can start as a bare foundation, and specific network or application rules can be put in place to build the wall.

The first technique is used by most of today's firewalls -- and you can see why. If you are using the second type of firewall and you don't build your firewall rules properly, you can let in uninvited visitors.

By using the first type of firewall you can create network rules to allow inbound/outbound network traffic. By default, a firewall of this type with no network rules will block all inbound and outbound traffic.

Using the second type of firewall you can create network rules to block inbound/outbound network traffic. By default, a firewall of this type with no network rules will allow all inbound and outbound traffic.
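The option five lockdown that the article attempted in Windows Firewall with Advanced Security, built on the first (default-deny) strategy just described, as an added example that is not from the article or from Comodo: a PowerShell script wrapping the netsh advfirewall command that ships with Vista and later. It assumes the host gets its address by DHCP and that Windows Update runs inside svchost.exe as the wuauserv, BITS and CryptSvc services (with dnscache and dhcp hosted there too); run it from an elevated prompt, and run it again with -Mode Restore once the updates are installed.

```powershell
# Added example (not from the article or from Comodo). Implements the option five
# lockdown with the built-in Windows Firewall with Advanced Security through
# netsh advfirewall, which exists on Vista and later. Run from an elevated prompt.
# Assumptions: the host gets its address by DHCP, and Windows Update runs inside
# svchost.exe as the wuauserv, BITS and CryptSvc services (service short names).
param(
    [ValidateSet('Lockdown', 'Restore')]
    [string]$Mode = 'Lockdown',
    # Where the pre-lockdown policy is saved so that Restore can put it back exactly.
    [string]$Backup = "$env:SystemRoot\Temp\wfas-before-lockdown.wfw"
)

$svchost = "$env:SystemRoot\System32\svchost.exe"

# Outbound allow rules, matched by the service running inside svchost.exe: the same
# "application blocking" idea as the CIS rules, expressed per service instead.
$rules = @(
    @{ Name = 'PostInstall-DNS';      Service = 'dnscache'; Protocol = 'UDP'; RemotePort = '53'     }
    @{ Name = 'PostInstall-DHCP';     Service = 'dhcp';     Protocol = 'UDP'; RemotePort = '67'     }
    @{ Name = 'PostInstall-WUA';      Service = 'wuauserv'; Protocol = 'TCP'; RemotePort = '80,443' }
    @{ Name = 'PostInstall-BITS';     Service = 'BITS';     Protocol = 'TCP'; RemotePort = '80,443' }
    @{ Name = 'PostInstall-CryptSvc'; Service = 'CryptSvc'; Protocol = 'TCP'; RemotePort = '80,443' }
)

function Invoke-Netsh([string[]]$NetshArgs) {
    & netsh.exe advfirewall @NetshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh advfirewall $($NetshArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

if ($Mode -eq 'Lockdown') {
    Invoke-Netsh @('export', $Backup)
    Invoke-Netsh @('set', 'allprofiles', 'state', 'on')
    # The "solid wall" strategy: deny everything in both directions, then poke holes.
    Invoke-Netsh @('set', 'allprofiles', 'firewallpolicy', 'blockinbound,blockoutbound')
    foreach ($r in $rules) {
        Invoke-Netsh @('firewall', 'add', 'rule', "name=$($r.Name)", 'dir=out', 'action=allow',
                       "program=$svchost", "service=$($r.Service)",
                       "protocol=$($r.Protocol)", "remoteport=$($r.RemotePort)")
    }
    Write-Host "Locked down: only DNS, DHCP and the Windows Update services may leave this host."
}
else {
    if (-not (Test-Path $Backup)) { throw "No saved policy at $Backup; nothing to restore." }
    foreach ($r in $rules) {
        & netsh.exe advfirewall firewall delete rule "name=$($r.Name)" | Out-Null
    }
    # Importing replaces the whole policy, including the default in/out behaviour.
    Invoke-Netsh @('import', $Backup)
    Write-Host "Firewall policy restored from $Backup."
}
```

Like the CIS method, this restricts by process and service rather than by the Windows Update server's address, because Microsoft's update hosts do not have fixed IP addresses; anything else in svchost.exe (time sync, for example) stays blocked until Restore is run.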

Comodo Internet Security implements the first type of firewall strategy. It can block or allow network traffic by:

  • Application layer
  • IP address
  • Port
  • Host Name
  • MAC Address

If you are new to firewalls and network rules, you will almost certainly be confused by "in" and "out" network connections and by source and destination computers. It is confusing. First, don't think in or out. Think inbound connections and outbound connections instead.

A good analogy is a telephone call. For an inbound connection (a call that you receive), the source is the phone making the call and the destination is your phone. For an outbound connection (a call that you make), the source is your phone and the destination is whomever you are calling.

In this analogy, the phone number is the IP address and the device receiving the call is the port. For example, you could have both a phone and a fax machine using the same phone number. OK, you probably don't have more than one device, but you get the point. Remember this analogy when setting up your network rules.

Using Comodo Internet Security with Defense+, I developed a method to block applications and sent the script to Comodo for a sanity check. Comodo was kind enough to have their Senior Research Scientist look at my script. He sent me a method that is much better than my solution. It will block all Internet traffic to all applications except Windows Update, and you won't even have to worry about any pop-up alerts. Here are the relatively simple steps that he sent me.

Make sure that your modem or the Internet cable is not connected to the Internet.

  1. Install CIS and restart the computer.
  2. Open the Comodo Internet Security status window.
  3. Click the Firewall icon at the top of the window.
  4. Click the Advanced button in the left pane.
  5. Click on the Network Security Policy link (Figure A).

Figure A

The CIS Network Security Policy Application Rules Window looks like this before you add any network rules.

  6. Click on the Windows Updater Applications entry and drag and drop it to the top so that it is the FIRST entry in the policy.
  7. Click the Add button.
  8. Click the Select drop-down button, then click Running Processes followed by System under Windows Operating System, and then click the Select button.
  9. Click the Use a Predefined Policy radio button, click the drop-down arrow, and choose Trusted Application. If there is already a rule entry for the system, it can be modified. Click the Apply button.
  10. Click the Add button again.
  11. Click the Select drop-down button and then click File Groups->All Applications.
  12. Click the Use a Predefined Policy radio button, click the drop-down arrow, and select Blocked Application if not already selected. Click the Apply button.
  13. Click the Apply button in the Network Security Window.

Be sure that the blocked All Applications rule created in steps 10-12 is the LAST entry. Double-check that the order of the rules in the Network Security Rules Window matches the order in Figure B.

Figure B

This is the CIS Network Security Policy Application Rules Window after we moved the Windows Updater Applications entry, added the trusted System rule, and added the blocked All Applications network rule.

Important! After all security updates and the latest service pack are downloaded and installed, the blocked All Applications rule created in steps 10-12 must be deleted to allow the normal operation of the firewall. Highlight the network rule and use the Remove button to delete it. You can optionally also delete the trusted System rule created in steps 7-9.

You will need to disable Windows Firewall if you are installing a third-party firewall. Please read Installing and Configuring Comodo Internet Security with Defense+ for instructions on how to do this and for more information about how to install CIS.

Partition imaging

As it was so kindly pointed out to me more than once in the forum for the 10 things you should do before, during, and after reinstalling Windows article, an image of the Windows operating system can be made when you have it installed and configured the way you like. There is a legitimate and compelling reason to image your system after an install or reinstall. A system image can be created and used in the future to reinstall Windows with both the latest service pack and all security updates up to the image creation date already in place. And there is a way to do it with freeware -- at least for owners of Maxtor or Seagate hard drives.

MaxBlast 5 is a freeware application that is essentially Acronis True Image Home lite. The Seagate version is called DiscWizard and is also free to Seagate hard drive owners. You must have a Maxtor or Seagate hard drive installed in your system in order to run MaxBlast 5 or DiscWizard.

For more information about how to create a system image using MaxBlast 5, please read Partition Imaging with MaxBlast 5.

Editor's Note: According to Stephen Lawton, Senior Director, Strategic Marketing, Acronis Inc., Acronis True Image supports hardware RAID in all of its products, and software RAID support is OS-dependent. It really depends on how the manufacturer implements software RAID in order to know if it's supported. The best way to determine if your software RAID is supported in Acronis True Image is to boot the system from an Acronis Rescue Disk. See the accompanying discussion thread for more details.

There are two partition images that you should consider creating after a Windows install or reinstall. The first image is an image created after Windows is loaded and you have made all the changes to personalize Windows the way you like it.

The second image should be created after you have downloaded and installed all the important updates and the service pack, if any. You should also consider running an anti-virus scan set to its high or thorough setting prior to imaging. You want to create an image that is Trojan and virus free.

The final word

I thought long and hard about whether I should submit this article for publication. I realize that the security issues discussed here aren't near the top of most people's list of concerns and for good reason. It is difficult if not impossible to assess the security risk after an install or reinstall. The Vista installer warns you about additional possible security risks if you do not connect to the Internet to get the latest updates. This is a relatively insignificant issue compared to any possible security risks immediately following a clean install or reinstall of Windows.

There are still a lot of unanswered questions. I doubt if anyone including Microsoft can tell you whether Windows Firewall and Defender is sufficient to protect your computer until all the important security updates are in place. I can tell you that your computer is more vulnerable until the service pack and all the important updates are downloaded and installed.

Neither can I tell you, patient reader, which security option you should choose. Whether to use Windows Firewall and Defender or to install a third-party firewall like Comodo Internet Security and lock down the network traffic with network security rules, I leave entirely up to you, depending on the option you feel most comfortable with.

Author's note

I want to give a special thanks to Comodo's PR contact and their Senior Research Scientist for their invaluable help with the CIS specific network rules.


About

Alan Norton began using PCs in 1981, when they were called microcomputers. He has worked at companies like Hughes Aircraft and CSC, where he developed client/server-based applications. Alan is currently semi-retired and starting a new career as a wri...

13 comments
wwarshaw

You say that a third-party solution won't work. I disagree. I've used this many times without a problem: http://www.heise-online.co.uk/security/Do-it-yourself-Service-Pack--/features/80682 It offers updates for both Windows and Office products. Installing this, then using Windows Firewall and Defender to connect to the Windows Update site should be pretty safe, and there will be much less downloads to install. One final note - you should definitely have an anti-virus program installed before you try to connect to the internet. Once you do connect, get the virus definitions updated before doing the Windows Updates.

phil

Interesting article, but it doesn't really reach a satisfactory conclusion. Two things you might have mentioned: 1. Installing the updates from behind a NAT router, whilst avoiding accessing anything other than the Windows update server, really does give quite a lot of protection. Such NAT routers are commonly supplied with ADSL connections and so may be the most practical solution for people who have one (although the NAT feature may need to be manually enabled). 2. Running a complete virus scan after all the updates are installed gives you at least some confidence that you can start accessing web pages and email. Make sure the scanner has a high detection rate (Avira Antivir Personal is free and allegedly scores well on this, at the expense of some false positives).

Alan Norton

I have been informed that Acronis True Image (all versions) supports hardware RAID and that software RAID is OS dependent. I stated incorrectly in the article that hardware and software RAID is not supported. You can determine if software RAID is supported by creating and booting from a rescue disk. When testing with a MaxBlast 5 rescue disc I received an 'E000101F4 Maxtor MaxBlast has detected unsupported hard disc drives. MaxBlast does not support Windows Dynamic Discs, EZ-Drives, etc.' error which I presume is because MaxBlast 5 couldn't see the Intel Matrix ICH7R RAID 0 and RAID 1 volumes. I received a similar error when testing with Acronis True Image Home.

Mark W. Kaelin

Microsoft says you should let Windows Update run over the Internet on a fresh OS install, but that should make you at least take pause at the security implications. What steps do you take to secure a fresh install? Do you keep an updated OS image on hand? If yes, how did you update that?

Alan Norton

That's a really interesting solution. There are no Vista scripts unless I just missed them. How can you be assured that the scripts are downloading updates from a Microsoft site? (Yes, I see that they claim that the updates are coming from Microsoft servers.) Thank you for providing the link.

Alan Norton

Hello Phil, Good point about a NAT router. Anyone using a hardware firewall would also be more secure. The whole point of the exercise (a Windows reinstall) was to remove all possible traces of a Trojan Horse that I found on my system. I explain this in detail in the companion article on my Web site. So I don't want to have to rely on anti-virus software to remove or quarantine a bug after it has found a way onto my system. Funny thing about that Trojan - it led to two articles here at Tech Republic! As a writer I always like to wrap up the article with a neat bow but that wasn't possible with this article. As I mention in the article there are a lot of unanswered questions and try as I might I couldn't really answer them. The best I could do is present the possible vulnerability issue and offer some ways to reduce the risks. Thank you for your well thought out feedback.

Alan Norton

I want to thank Stephen Lawton and Jeffrey Warne, Acronis Inc., for the following very helpful information: "Our boot media is actually utilizing BusyBox 0.60.5 with a kernel version of 2.6.24.4-acronis. Because all of our products use the same core boot media with a different application built into it we do develop our boot media separately from the individual product. In our most recent boot media the kernel version is 2.6.27.4-acronis. Also because of the constant development of our boot media we are continuously adding new drivers and additional hardware support. If for whatever reason the hardware for a system is not detected and/or not detected properly by our boot media it is suggested that our support department be contacted so that the most recent boot media can be provided or the issue investigated. Acronis True Image Home 2009 does not support dynamic disks. As such we do not support any form of software RAID under Windows utilizing this product. Support for dynamic disk is limited to our Acronis True Image Echo Enterprise Server, Acronis True Image Echo Server for Windows, and Acronis True Image Echo Workstation products. Acronis True Image Server for Linux supports software RAIDs (md-devices). In live Linux you can back up mounted software arrays and restore them on a partition or on a previously created md-device. While restoring using bootable rescue media, Acronis True Image Server for Linux tries to detect and activate available software RAIDs. If RAID is detected, you will be able to restore your image on it. But if no RAIDs are found (or you restore on a bare metal box), Acronis True Image Server for Linux will not be able to create and activate RAID using image data. In such a case you should create RAID manually (i.e. by booting from your distribution CD first) and then restore your data from the image archive using Acronis True Image Server for Linux bootable rescue media. 
(http://www.acronis.com/enterprise/support/kb/articles/497/) Under Windows Acronis True Image supports all RAID arrays Windows has drivers for. The standalone version of Acronis True Image uses embedded Linux drivers for RAID arrays. There is a probability that Linux drivers for a specific RAID array have not been included yet. In this case you should try to use a special plug-in for the BartPE instead of the standalone version. This plug-in allows you to use Windows drivers for the RAID array when running Acronis True Image from BartPE bootable CD. You may also contact Acronis Support Team and report that the standalone version doesn't recognize your RAID array. Our Development Team will add drivers as soon as possible. (http://www.acronis.com/enterprise/support/kb/articles/501/)"

pgit

...in a word. Very easy to do as in the article; restrict all traffic to allow only ms updates. Better still it's on separate hardware, the windows machine never hears any attempts to initiate inbound connections.

---TK---

I don't make the images, at my work, we have a security team that butchers XP... However at home, I install the OS, install AV, then create an image (offline). Run the updates, then make a second image... from then on it's easy sailing... till I build a new system. That has been my standard for a couple years...

wwarshaw

If you go to their download site: http://www.heise.de/ct/projekte/offlineupdate/download_uk.shtml The latest version (5.0) definitely has Vista scripts. As far as whether the updates are definitely coming from Microsoft, there's probably no way to be 100% certain, but I would assume that when you eventually go to the Windows Update site, it would pick up any missing updates. The whole purpose of this is to try & have your computer as updated as possible before going online, & I haven't had any problems.

pgit

Trojan. Sheesh. I'm seeing "fully protected" up to date machines get trojans, worms, you name it. Score one for "social engineering." That spate of "antivirus 2009" crap caught a lot of my users. Thankfully it wasn't damaging at its heart. Funny thing about imaging: if you have validated Windows before imaging, you can put it back on the same hardware no problem. But should any of the hardware change, you're going to get a word from Microsoft. Even if it's a full version, non-OEM system to start with. Folks I know seem to come up with the same word to describe MS whenever a "validation" issue comes up...

Alan Norton

Interesting - and the Express version is free. Thanks for the info.

Alan Norton

But that is the point I was trying to make in the article. How can you trust any third party vendor to acquire your core system files? You really can't. It would be the perfect solution if I could be sure that the files were coming from Microsoft servers. Then again, Microsoft could just buy the scripts and provide them on their Web site - problem solved. The FAQ is in German and my German isn't good enough to understand it. Thanks for the links.