Malware prevention: From reduced privileges to secure PC builds

Previous tips in this series have advised you to avoid malware by not logging in to Windows with accounts that have administrative privileges. This precaution cannot be overstated. However, there are many other equally critical steps you must take to protect Windows from malware. I'll explain all of these steps here.

TABLE OF CONTENTS
   Initial steps to lock down Windows
   Run Windows with reduced privileges
   Don't run code from untrustworthy sources
   Protect new computers during builds
   Additional resources

  Initial steps to lock down Windows

The following are some basic steps you should always take to lock down Windows.

  • Run both a hardware firewall for your entire network and software firewalls on each host such as the Windows Firewall included with Windows XP Service Pack 2.
  • Keep Windows and all of your other software up to date on patches and service packs by using tools like Automatic Updates if you only have a few systems, or Windows Server Update Services if you manage numerous computers.
  • Use modern antivirus software with the most current signature libraries. For more information about antivirus vendors, see the Microsoft Antivirus Partners page.
  • Use up-to-date spyware protection tools such as Microsoft's Windows AntiSpyware.
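The four steps above are easy to state and easy to let slip on an individual host. The following script is an added example, not part of the original tip, that reports whether each control is actually in place on a current Windows machine: all firewall profiles on with inbound blocked, no missing updates according to Windows Update, and Defender (which today covers both the antivirus and anti-spyware roles) running with fresh signatures. It assumes Windows 10/11 or Server 2016 or later with the NetSecurity and Defender PowerShell modules; on the XP SP2 systems the tip was written for, the equivalents were `netsh firewall show state` and the vendor's antivirus console.

```powershell
# Added example (not from the original tip): check the four baseline controls.
# Assumes Windows 10/11 or Server 2016+ with the NetSecurity and Defender modules.
#Requires -RunAsAdministrator

function Get-BaselineStatus {
    $report = [ordered]@{}

    # 1. Host firewall: every profile should be on with inbound blocked by default.
    $profiles = Get-NetFirewallProfile
    $report.FirewallAllProfilesOn = -not ($profiles | Where-Object { $_.Enabled -ne 'True' })
    $report.FirewallBlocksInbound = -not ($profiles | Where-Object { $_.DefaultInboundAction -ne 'Block' })

    # 2. Patches: count the updates Windows Update reports as still missing.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $missing  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
    $report.MissingUpdates = $missing.Count

    # 3 and 4. Antivirus and anti-spyware: flag real-time protection being off and
    # signatures older than three days (the threshold is an assumption; pick your own).
    $mp = Get-MpComputerStatus
    $report.RealTimeProtection           = $mp.RealTimeProtectionEnabled
    $report.AntivirusSignatureAgeDays    = $mp.AntivirusSignatureAge
    $report.AntispywareSignatureAgeDays  = $mp.AntispywareSignatureAge
    $report.SignaturesCurrent = ($mp.AntivirusSignatureAge -le 3) -and ($mp.AntispywareSignatureAge -le 3)

    [pscustomobject]$report
}

$status = Get-BaselineStatus
$status | Format-List

# Exit non-zero so a logon script or scheduled task can surface the failure.
$ok = $status.FirewallAllProfilesOn -and $status.FirewallBlocksInbound -and
      ($status.MissingUpdates -eq 0) -and $status.RealTimeProtection -and $status.SignaturesCurrent
if (-not $ok) { Write-Warning 'Baseline controls are not all in place.'; exit 1 }
```

Run it from an elevated prompt; the update search goes to whichever source the host is configured for (Microsoft Update or a WSUS server), so on a WSUS-managed machine a zero count means "nothing approved is missing", not "fully patched against everything Microsoft has released".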

  Run Windows with reduced privileges

As you well know, some applications fail when executed by someone without administrative privileges. Dealing with this inconvenience can be simple at times. For instance, it is common for computer games to store data files in "%system root%\program files" under the game's subfolder rather than in the user's profile. By granting the unprivileged account "Full Control" for the program's subdirectory, you should be able to run the game regardless of privilege level.

Here are other resources to make it easier to run applications with reduced privileges:

  • Windows 2000 and later versions have a tool called RunAs that allows you to run specific programs using an administrator account after logging in with an unprivileged account.
  • MakeMeAdmin is a great workaround to use when you log in with an unprivileged account. It allows you to execute specific programs with administrator privileges. You may want to take a look at more articles on Aaron Margosis' blog, as he discusses this topic at length.
  • DropMyRights takes the opposite approach: when you log in with an administrator account, use this tool to drop your privileges when executing the riskiest applications, such as browsers and e-mail clients. If you're managing a large network, you may want to look at the Group Policy-enabled version of DropMyRights.

Keep in mind that some Web sites will fail when you browse to them as an unprivileged user. For example, SSL-enabled sites or sites that use certain ActiveX controls will not work. PrivBar is a handy tool to keep track of which copies of Internet Explorer are running with administrator privileges and which are not.
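The three practical pieces of this section, knowing whether the current session is privileged (what PrivBar shows for Internet Explorer), giving an unprivileged account write access to a program's own data folder, and launching one program under an administrator account RunAs-style, can all be done from PowerShell. The script below is an added example written for this page, not code from the tip or from any of the tools it names. The account CONTOSO\player, the administrator account CONTOSO\admin, the folder "C:\Program Files\ExampleGame\saves" and the program C:\Tools\admin-only.exe are illustrative names. It grants Modify rather than the Full Control the tip mentions: Modify lets the game create and change its save files but withholds the right to change the folder's permissions, which a game never needs.

```powershell
# Added example (not from the original tip). Illustrative names: CONTOSO\player,
# CONTOSO\admin, C:\Program Files\ExampleGame\saves, C:\Tools\admin-only.exe.

# PrivBar-style check: is this PowerShell session running with administrator rights?
function Test-IsAdminSession {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Run once as an administrator: give the standard user write access to the
# program's own data folder so it runs without admin rights. Modify (not Full
# Control) is enough for save files and does not let the user re-ACL the folder.
function Grant-ProgramDataAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Account,
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Modify'
    )
    $acl  = Get-Acl -Path $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Account, $Rights,
        'ContainerInherit,ObjectInherit',   # apply to subfolders and files too
        'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Return the resulting entry for the account so the change can be verified.
    (Get-Acl -Path $Path).Access | Where-Object { $_.IdentityReference -eq $Account }
}

# From the standard-user session: run one specific program as the administrator
# account. Start-Process -Credential is the PowerShell equivalent of
# "runas /user:CONTOSO\admin <program>"; the password is prompted for, never stored.
function Start-AsAdmin {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [string] $Account = 'CONTOSO\admin'
    )
    $cred = Get-Credential -UserName $Account -Message "Password for $Account"
    Start-Process -FilePath $FilePath -Credential $cred
}

"Running as administrator: $(Test-IsAdminSession)"
if (Test-IsAdminSession) {
    Grant-ProgramDataAccess -Path 'C:\Program Files\ExampleGame\saves' -Account 'CONTOSO\player'
} else {
    Start-AsAdmin -FilePath 'C:\Tools\admin-only.exe'
}
```

One caveat for Windows Vista and later: with User Account Control on, a process started under an administrator account via RunAs or -Credential still gets that account's filtered (non-elevated) token, so Test-IsAdminSession inside it returns False; `Start-Process -Verb RunAs` goes through the UAC prompt instead and yields a fully elevated process. On the Windows XP systems the tip describes, RunAs gives the full administrator token directly.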

  Don't run code from untrustworthy sources

The next piece of advice may seem obvious to those of us in the security community: Don't run code from sources you cannot trust. You can significantly reduce your risk in this area by avoiding suspect Web sites that offer inappropriate content or pirated software and by being extremely careful when using peer-to-peer file-sharing services. You should also understand what phishing attacks are and how to avoid them. Next, whether at home or at work you should use strong passwords, or even better, use smart cards and other types of strong authentication.

  Protect new computers during builds

When setting up a new computer, remember that there are many automated worms active on the Internet and even on many corporate networks. Therefore, you should take some simple steps to protect that system until you've implemented the countermeasures noted previously:

  • If using network-based installation techniques, such as Remote Installation Services, create a network dedicated to building new systems that does not allow direct communication with potentially dangerous networks.
  • If using some other type of automated build process, such as disk imaging with SysPrep, configure the image with a software firewall.
  • If building manually from installation media, either build the system off the network and enable the firewall before connecting to the network, or build the system while it's protected by a hardware firewall.

Fortunately, the Windows Firewall is enabled by default in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. Most computer vendors shipping systems pre-installed with Windows XP and Windows Server 2003 include the latest service pack.
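The ordering the three bullets insist on, firewall up before the wire is live, is easy to encode in a first-boot script for an imaged system. The script below is an added example, not code from the tip or from any Microsoft deployment tool: it keeps the adapter down, turns on all firewall profiles with inbound blocked (and, for the duration of the build, even rule-permitted inbound connections), verifies that state, and only then enables the adapter; a second function restores normal inbound-rule handling once patching and configuration are done. It assumes Windows 10/11 or Server 2016 or later with the NetSecurity module and an adapter named 'Ethernet' (illustrative). For an XP SP2 image the equivalent firewall step was `netsh firewall set opmode enable`.

```powershell
# Added example (not from the original tip): bring the host firewall up before the
# network adapter on a freshly imaged system. Assumes Windows 10/11 or Server 2016+
# (NetSecurity module); the adapter name 'Ethernet' is illustrative.
#Requires -RunAsAdministrator

function Protect-NewBuild {
    param([string] $AdapterName = 'Ethernet')

    # Make sure nothing is reachable on the wire yet.
    Disable-NetAdapter -Name $AdapterName -Confirm:$false -ErrorAction SilentlyContinue

    # All three profiles on, inbound blocked by default: a scanning worm gets no
    # answer even if a not-yet-patched service is listening.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

    # Until the build is complete, also ignore inbound allow rules the image may carry
    # (file and printer sharing, remote desktop, and so on).
    Set-NetFirewallProfile -Profile Domain,Private,Public -AllowInboundRules False

    # Verify, and refuse to go online if any profile is not protected.
    $unprotected = Get-NetFirewallProfile | Where-Object {
        $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block'
    }
    if ($unprotected) {
        throw "Firewall not fully enabled for profile(s): $($unprotected.Name -join ', ')"
    }

    # Only now attach to the network; wait (up to 60 s) for the link to come up.
    Enable-NetAdapter -Name $AdapterName -Confirm:$false
    $deadline = (Get-Date).AddSeconds(60)
    while ((Get-NetAdapter -Name $AdapterName).Status -ne 'Up' -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 2
    }
    (Get-NetAdapter -Name $AdapterName).Status
}

# Call after patching and configuration: return inbound-rule handling to the
# profile default so the services the machine is meant to offer become reachable.
function Complete-NewBuild {
    Set-NetFirewallProfile -Profile Domain,Private,Public -AllowInboundRules NotConfigured
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, AllowInboundRules
}

Protect-NewBuild -AdapterName 'Ethernet'
# ... run Windows Update / WSUS client, join the domain, install agents ...
Complete-NewBuild
```

Placing Protect-NewBuild in the image's first-boot sequence (for example from SetupComplete.cmd) is the disk-imaging case from the second bullet; for a manual build from media the same script can be run from removable media before the cable is plugged in, which is the third bullet's "enable the firewall before connecting" step.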

  Additional resources

Here are a few additional resources created for IT professionals to help lock down Windows:

About the author: Kurt Dillard is a program manager with Microsoft Solutions for Security. He has collaborated on many solutions published by this team, including Windows Server 2003 Security Guide and Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP. He has also co-authored two books on computer software and operating systems.

This was first published in July 2005