Lock It Down!

It is possible to lock down Windows 7 and Vista in the same way as Windows 2000 and XP, but it's tricky to do, about as tricky as XP Home. Fortunately, Windows 7 and Vista are inherently quite secure out of the box. While they share many of XP's vulnerabilities, they have mitigations in place (Data Execution Prevention and Address Space Layout Randomization among them) which make it extremely difficult to reliably exploit those vulnerabilities. I won't go into the details of these technologies here, and thankfully, it's not necessary that you understand them to benefit from them.

Just in case these mitigations fail, there's another strong bulwark in Windows 7 and Vista to limit the damage a remote attack can do. Unfortunately, this barrier also happens to be an unpopular feature, User Account Control (UAC). In fact, UAC's opponents complained about it so vehemently that in Vista's successor, Windows 7, Microsoft changed the default to a sort of whitelisting concept: signed Windows components elevate silently, and only other programs prompt. Since then, Microsoft has been getting complaints from the other side of the fence, as independent tests found that UAC at this default setting missed 7 out of 8 malware samples (0 at the maximum setting). Some people may find it odd that an opponent of Host Intrusion Prevention Systems (HIPS) as outspoken as myself would actually support a feature like UAC. But truth is stranger than fiction sometimes, one example being the commonalities of UAC's opponents. Most of them have never used Linux or Mac OS X, both of which have had similar checkpoints (sudo and the administrator password prompt) since before Vista first started development under the codename "Longhorn." Also, many of UAC's opponents have never used anything as "in your face" as a HIPS firewall, an introduction to which might actually help them to appreciate the relative quietness of UAC. And finally (and most ironically), some of UAC's loudest opponents have had little to no experience with Vista at all; they're merely going by hearsay.

Just for the record, UAC is nowhere near as noisy as a HIPS firewall. It's an ironic shame that products such as ZoneAlarm Pro and Comodo should be among the very most popular personal firewall products, in spite of being among the very most useless to a non-technical user. To spare oneself a great deal of "alert fatigue" and undue alarm while using such a product, one must be either a security expert, or a full-time enthusiast with nothing better to do than read every single popup and research ambiguous processes before making each decision. It's not uncommon for a HIPS firewall to alert the user to "suspicious" activity as many as ten times during the installation of a new program, and ten more times after the fact. And at any time, any one of these alerts could be calling the user's attention to a real attack. This could (and does) happen when they're right in the middle of installing a new program, routinely clicking "Allow" in a flurry of alerts just to make the firewall "shut up and get on with it." People have said to me, "ZoneAlarm has to be configured in the beginning, but it quiets down afterward. The only time you'll see it after that is when you install a new program or change something." My response is, "Same is the case with UAC, but it quiets down after just one alert."

UAC is not a HIPS engine. It is not designed to alert you when Internet Explorer tries to access the Internet, or when Java tries to access the trusted zone, or when Skype tries to act as a server, or when tinySpell tries to monitor keystrokes. UAC is designed to alert you when a process requires administrative privileges, and it only alerts you one time, right when you first start the program. Unless you're constantly installing/uninstalling software, or tinkering with system settings, you won't deal with UAC all that often. In fact, your average day probably wouldn't even see a UAC prompt unless Java, Adobe Reader, or Flash had to be updated, or you visited a compromised Web page. To make sure you understand the implication there: if you're surfing the Internet when UAC suddenly dims the screen and throws up an alert, red flag! It means a program launched by something you encountered online is asking for the right to make changes to your system, changes which only a local administrator should be making. If you didn't start an installer or an update yourself, deny it.

Virtually everyone who uses the Web on a daily basis has already visited more than one Web site harboring headlining malware like Mebroot (a boot-sector rootkit), Conficker, or Gumblar. But I've yet to see a Windows 7 or Vista machine infected with any of these. Don't assume this means it won't happen, though. Security researchers have demonstrated that it is still possible, albeit difficult, to break through the defenses of 64-bit Windows 7 itself. If you have UAC enabled and set to max, then you'll have an extra layer of protection against remote attacks and AutoRun malware on flash drives, and that one layer could at any moment become the sole factor that determines whether or not your system becomes a statistic. Hopefully, not another word will be necessary to convince you that UAC should not be disabled on your system. In a nutshell, my recommendations are as follows:

1. If you currently have UAC disabled, TURN IT BACK ON!!! If you have Windows 7, make sure it is set to "always notify."

2. Switch to OpenDNS. Besides making your browsing sessions safer, it may speed them up a little as well.

3. Install McAfee SiteAdvisor and/or Web of Trust (WOT) for guidance on an information superhighway that is littered with fraudulent Web sites, created by shameless reprobates who desire nothing other than to rob you for money, valuable information, and/or remote access to your computer and its resources.

Before submitting any personal information on an unfamiliar site - even your name or e-mail address - take notice of how SiteAdvisor and WOT rate the site. Even if a site is not blocked for malicious downloads, it could still put your identity at risk. And it takes a lot longer, and costs a lot more money, to repair your identity than your computer.

4. Install real-time antimalware. A lot of security products these days now have technologies designed specifically to protect against the exploitation of browser vulnerabilities, as well as cloud-based file analysis techniques to detect new threats within minutes or even seconds of initial outbreak, rather than hours to days. Unfortunately, the free versions tend to lack one or both of these features, and the ones they do have don't seem to be quite as effective as those in some of the big name products. But if you're on a budget, you may find some helpful recommendations in TechSupportAlert's wiki and forum for Best Free Antivirus Software.

If your computer is too old to handle antivirus/antispyware at all, or if it takes a long time for the screen to dim and the UAC alert to pop up, then I think it may be time for you to make a decision: 1) Remove Windows 7 or Vista, and reinstall the operating system that came with the machine. 2) Upgrade your machine. Anything with a dual-core processor and 2 GB of RAM is Premium capable, meaning it can run Windows 7 or Vista with Aero Glass. And these days, you could get a laptop with such features for as low as $279.99 at TigerDirect.
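If you'd rather check recommendations 1, 2 and 4 than take them on faith, the PowerShell script below audits them on the local machine. It is an example I've added here, not something shipped with Windows. It reads the three registry values that define the UAC level (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System), lists the DNS servers on each active adapter and compares them against the OpenDNS resolvers (208.67.222.222 and 208.67.220.220), and asks the Security Center (root\SecurityCenter2, present on Vista and later) which antivirus products are registered. The productState decoding is an undocumented convention and is marked as such in the code; the -Fix switch and the function names are my own choices, and -Fix has to be run from an elevated prompt.

```powershell
# Added example, not code from the original post. Assumes Windows Vista/7 with PowerShell 2.0 or later.
# Run without arguments to audit; run with -Fix from an elevated prompt to apply "always notify" and OpenDNS.
param([switch]$Fix)

$uacKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$openDns = @('208.67.222.222', '208.67.220.220')   # OpenDNS resolver addresses

function Get-UacLevel {
    $p = Get-ItemProperty -Path $uacKey
    if ($p.EnableLUA -ne 1) { return 'Disabled (EnableLUA = 0)' }
    # ConsentPromptBehaviorAdmin: 2 = prompt for every elevation ("always notify"),
    # 5 = prompt only for non-Windows binaries (Windows 7 default), 0 = elevate silently.
    $secure = ($p.PromptOnSecureDesktop -eq 1)   # 1 = dim the screen (secure desktop)
    switch ($p.ConsentPromptBehaviorAdmin) {
        2       { if ($secure) { 'Always notify' } else { 'Always notify, but without the secure desktop' } }
        5       { if ($secure) { 'Windows 7 default: Windows binaries auto-elevate' } else { 'Default without the secure desktop' } }
        0       { 'Elevate without prompting (UAC effectively off)' }
        default { "Unrecognised value $($p.ConsentPromptBehaviorAdmin)" }
    }
}

function Set-UacAlwaysNotify {
    # These three values together are what the "Always notify" slider position writes.
    Set-ItemProperty -Path $uacKey -Name EnableLUA                 -Value 1 -Type DWord
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    Write-Output 'UAC set to Always notify; a change to EnableLUA takes effect after a reboot.'
}

function Get-DnsStatus {
    # One object per IP-enabled adapter, flagging whether every configured resolver is an OpenDNS address.
    $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        $servers = @()
        if ($a.DNSServerSearchOrder) { $servers = @($a.DNSServerSearchOrder) }
        $foreign = @($servers | Where-Object { $openDns -notcontains $_ })
        New-Object PSObject -Property @{
            Adapter    = $a.Description
            DnsServers = ($servers -join ', ')
            OpenDNS    = (($servers.Count -gt 0) -and ($foreign.Count -eq 0))
        }
    }
}

function Set-OpenDns {
    # Points every IP-enabled adapter at the OpenDNS resolvers; DHCP-assigned resolvers are overridden.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        $result = $_.SetDNSServerSearchOrder($openDns)
        Write-Output ("{0}: SetDNSServerSearchOrder returned {1} (0 = success)" -f $_.Description, $result.ReturnValue)
    }
}

function Get-AntiVirusStatus {
    # Action Center registers AV products in root\SecurityCenter2 on Vista and later.
    # productState is undocumented; the common interpretation (assumption): bit 0x1000 set = real-time
    # protection on, bit 0x10 set = definitions out of date.
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue |
        ForEach-Object {
            $state = [int]$_.productState
            New-Object PSObject -Property @{
                Product  = $_.displayName
                RealTime = (($state -band 0x1000) -ne 0)
                UpToDate = (($state -band 0x10) -eq 0)
            }
        }
}

Write-Output ("1. UAC level: {0}" -f (Get-UacLevel))
Write-Output '2. DNS resolvers:'
Get-DnsStatus | Format-Table Adapter, DnsServers, OpenDNS -AutoSize
Write-Output '4. Registered antivirus products (none listed = no real-time antimalware):'
Get-AntiVirusStatus | Format-Table Product, RealTime, UpToDate -AutoSize

if ($Fix) {
    Set-UacAlwaysNotify
    Set-OpenDns
}
```

Recommendation 3 (SiteAdvisor and WOT) is a browser add-on and has no registry switch worth scripting, so it is left out. Note that the script only reads the machine-wide policy key; if a domain Group Policy sets the same values, what you see here is what the policy enforces, and changing it locally will be undone at the next policy refresh.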

Any questions? Click here to send me an e-mail.