
Malware prevention: From reduced privileges to secure PC builds

There are many equally critical steps you must take to protect Windows from viruses, spyware and other threats. Malware guru Kurt Dillard offers tools and best practices to help you reduce user privileges, secure new builds, avoid untrustworthy code and more.

Previous tips in this series have advised you to avoid malware by not logging in to Windows with accounts that have administrative privileges. This precaution cannot be overstated. However, there are many other equally critical steps you must take to protect Windows from malware. I'll explain all of these steps here.

   Initial steps to lock down Windows
   Run Windows with reduced privileges
   Don't run code from untrustworthy sources
   Protect new computers during builds
   Additional resources

  Initial steps to lock down Windows

The following are some basic steps you should always take to lock down Windows.

  • Run both a hardware firewall for your entire network and a software firewall on each host, such as the Windows Firewall included with Windows XP Service Pack 2. The host firewall matters even behind the perimeter device, because worms spread between machines on the same LAN.
  • Keep Windows and all of your other software up to date on patches and service packs, using Automatic Updates if you only have a few systems or Windows Server Update Services if you manage numerous computers.
  • Use modern antivirus software with the most current signature libraries; for information about antivirus vendors, see the Microsoft Antivirus Partners page.
  • Use up-to-date spyware protection tools such as Microsoft's Windows AntiSpyware (later renamed Windows Defender).
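The following script is an added example, not code from the original article: it audits the host-side controls in the list above as they exist on current Windows (Windows Firewall, the patch history the servicing stack records, and Microsoft Defender's engine and signature state). The perimeter hardware firewall cannot be checked from the host, so it is out of scope. The thresholds (30 days for patches, 7 days for signatures) are assumptions chosen for the example; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article). Assumptions: Windows 8/Server 2012
# or later with the NetSecurity and Defender modules; thresholds are illustrative.

function Get-BaselinePosture {
    [CmdletBinding()]
    param(
        [int]$MaxPatchAgeDays     = 30,   # assumed policy value
        [int]$MaxSignatureAgeDays = 7     # assumed policy value
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Host firewall: every profile on, and unsolicited inbound traffic dropped.
    foreach ($fwProfile in Get-NetFirewallProfile) {
        if ($fwProfile.Enabled -ne 'True') {
            $findings.Add("Firewall profile '$($fwProfile.Name)' is disabled")
        }
        elseif ($fwProfile.DefaultInboundAction -ne 'Block') {
            $findings.Add("Firewall profile '$($fwProfile.Name)' allows inbound by default")
        }
    }

    # 2. Patching: age of the newest recorded hotfix. Get-HotFix sees only what the
    #    servicing stack recorded, so an empty result is itself a finding.
    $lastPatch = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $lastPatch) {
        $findings.Add('No installed hotfix recorded')
    }
    elseif (((Get-Date) - $lastPatch.InstalledOn).TotalDays -gt $MaxPatchAgeDays) {
        $findings.Add("Newest hotfix $($lastPatch.HotFixID) is older than $MaxPatchAgeDays days")
    }

    # 3 and 4. Antivirus and antispyware: engine running and signatures current.
    #    Get-MpComputerStatus fails where a third-party product has replaced Defender.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp) {
        $findings.Add('Defender status unavailable; verify the installed antivirus product by hand')
    }
    else {
        if (-not $mp.RealTimeProtectionEnabled) {
            $findings.Add('Real-time protection is off')
        }
        if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
            $findings.Add("Antivirus signatures are $($mp.AntivirusSignatureAge) days old")
        }
        if ($mp.AntispywareSignatureAge -gt $MaxSignatureAgeDays) {
            $findings.Add("Antispyware signatures are $($mp.AntispywareSignatureAge) days old")
        }
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

$posture = Get-BaselinePosture
if ($posture.Compliant) { 'Baseline controls are in place.' }
else { $posture.Findings | ForEach-Object { "FINDING: $_" } }
```

The function returns an object rather than printing, so the same check can be run across a fleet (for example through Invoke-Command) and the findings collected centrally.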

  Run Windows with reduced privileges

As you well know, some applications fail when run by a user without administrative privileges, usually because they try to write somewhere only administrators can. Dealing with this inconvenience is often simple. For instance, it is common for computer games to store their data files under the game's own subfolder in %ProgramFiles% rather than in the user's profile. Granting the unprivileged account write access to that one subfolder lets the game run regardless of privilege level. Prefer Modify over Full Control where the program allows it, since Full Control also lets the user rewrite the folder's permissions, and never widen the grant to all of Program Files, which would let a compromised user account tamper with every installed program.

Here are other resources to make it easier to run applications with reduced privileges:

  • Windows 2000 and later versions include RunAs, which lets you run specific programs under an administrator account after logging in with an unprivileged account.
  • MakeMeAdmin is a great workaround to use when you log in with an unprivileged account: it lets you execute specific programs with administrator privileges. Take a look at Aaron Margosis' blog, where he discusses this topic at length.
  • DropMyRights takes the opposite approach: when you log in with an administrator account, use it to drop your privileges when launching the riskiest applications, such as browsers and e-mail clients. If you manage a large network, look at the Group Policy-enabled version of DropMyRights.

Keep in mind that some Web sites will fail when you browse to them as an unprivileged user. For example, sites that need to install an ActiveX control, and some SSL-enabled sites, will not work. PrivBar is a handy toolbar for keeping track of which Internet Explorer windows are running with administrator privileges and which are not.
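The three operations this section describes, as an added example written for current Windows rather than code from the original article or from the tools it names: the "am I an administrator right now?" check PrivBar performs per window, the scoped folder grant for a program that keeps its data under Program Files, and the RunAs pattern of starting a single program under a separate administrator account. The account names, folder and program path in the usage lines are placeholders.

```powershell
# Added example (not from the original article). Account, folder and program
# names are assumptions for illustration.

# What PrivBar shows per Internet Explorer window, applied to the current session:
# is this process running with administrator rights?
function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Let one unprivileged account write to one program folder under %ProgramFiles%,
# so a program that keeps its data files there works without administrator rights.
# Modify is granted rather than Full Control: it covers create, write and delete
# but not changing the folder's permissions. The grant is scoped to $Folder and
# its children only, never to all of Program Files.
function Grant-ProgramFolderAccess {
    param(
        [Parameter(Mandatory)][string]$Account,   # e.g. 'MACHINE\alice' (assumed)
        [Parameter(Mandatory)][string]$Folder     # e.g. "$env:ProgramFiles\SomeGame" (assumed)
    )
    if (-not (Test-IsAdministrator)) {
        throw 'Changing permissions under Program Files needs an administrator session (use RunAs).'
    }
    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
        throw "Folder not found: $Folder"
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Account,
        'Modify',
        'ContainerInherit, ObjectInherit',   # apply to subfolders and files
        'None',
        'Allow'
    )
    $acl = Get-Acl -LiteralPath $Folder
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Folder -AclObject $acl
}

# The RunAs pattern: stay logged in as a standard user and start only the one
# program that needs administrator rights under a separate account. Equivalent to
#   runas /user:MACHINE\Administrator "C:\Windows\regedit.exe"
function Start-AsAdministrator {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [string]$AdminAccount = "$env:COMPUTERNAME\Administrator"   # assumed account name
    )
    $cred = Get-Credential -UserName $AdminAccount -Message "Credentials to run $FilePath"
    Start-Process -FilePath $FilePath -Credential $cred
}

# Usage (values are assumptions for the example):
#   Test-IsAdministrator
#   Grant-ProgramFolderAccess -Account "$env:COMPUTERNAME\alice" -Folder "$env:ProgramFiles\SomeGame"
#   Start-AsAdministrator -FilePath "$env:SystemRoot\regedit.exe"
```

Grant-ProgramFolderAccess deliberately refuses to run from a non-administrator session instead of silently failing on Set-Acl, which is the same discipline the article recommends: do the privileged step under RunAs, then go back to the unprivileged account.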

  Don't run code from untrustworthy sources

The next piece of advice may seem obvious to those of us in the security community: don't run code from sources you cannot trust. You can significantly reduce your risk by avoiding suspect Web sites that offer inappropriate content or pirated software, and by being extremely careful with peer-to-peer file-sharing services. You should also understand what phishing attacks are and how to avoid them. Finally, whether at home or at work, use strong passwords or, better still, smart cards and other forms of strong authentication.
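"Trust" can be made checkable before a downloaded program is run. The function below is an added example, not code from the original article: it verifies the file's Authenticode signature, optionally restricts the signer to an expected publisher, compares the file's SHA-256 against a hash obtained out of band (for instance from the vendor's download page), and reports whether the file carries the Internet-zone mark. The publisher pattern and the expected hash in the usage lines are placeholders.

```powershell
# Added example (not from the original article). The publisher pattern, file path
# and expected hash are assumptions for illustration.

function Test-TrustedExecutable {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha256,                    # published by the vendor (assumed available)
        [string[]]$TrustedPublisherPatterns = @()   # e.g. 'CN=Contoso*' (assumed); empty = any valid signer
    )
    $reasons = @()

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Trusted = $false; FromInternet = $false; Reasons = @("file not found: $Path") }
    }

    # 1. Authenticode: the signature must chain to a trusted root and the file must be unmodified.
    #    A status other than Valid (NotSigned, HashMismatch, UnknownError, ...) is a reason to stop.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $reasons += "Authenticode status is $($sig.Status)"
    }
    elseif ($TrustedPublisherPatterns.Count -gt 0) {
        # A valid signature only proves *someone* with a code-signing cert signed it;
        # pin the signer when you know who the publisher should be.
        $subject = $sig.SignerCertificate.Subject
        $match = $TrustedPublisherPatterns | Where-Object { $subject -like $_ }
        if (-not $match) { $reasons += "signer '$subject' is not an expected publisher" }
    }

    # 2. Out-of-band hash: catches a swapped download even when the replacement is validly
    #    signed by some other publisher. -ne is case-insensitive, so hex case does not matter.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {
            $reasons += "SHA-256 mismatch: got $actual"
        }
    }

    # 3. Mark-of-the-Web: files saved from the Internet zone carry a Zone.Identifier stream
    #    with ZoneId=3. Reported, not treated as a failure, so the caller knows the origin.
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $fromInternet = [bool]($zone -match 'ZoneId=3')

    [pscustomobject]@{
        Trusted      = ($reasons.Count -eq 0)
        FromInternet = $fromInternet
        Reasons      = $reasons
    }
}

# Usage (path, hash and publisher are assumptions for the example):
#   $installer = "$env:USERPROFILE\Downloads\setup.exe"
#   $check = Test-TrustedExecutable -Path $installer -ExpectedSha256 '<hash from vendor page>' -TrustedPublisherPatterns 'CN=Contoso*'
#   if ($check.Trusted) { Start-Process -FilePath $installer } else { $check.Reasons }
```

The signature and the hash answer different questions: the signature says the file is intact and was signed by a holder of a trusted certificate, the hash says it is the exact file the vendor published. Neither by itself rules out a download from a look-alike site, which is why the check pins the publisher as well.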

  Protect new computers during builds

When setting up a new computer, remember that many automated worms are active on the Internet and even on many corporate networks. Therefore, take some simple steps to protect the system until you've implemented the countermeasures noted previously:

  • If using network-based installation techniques, such as Remote Installation Services, create a network dedicated to building new systems that does not allow direct communication with potentially dangerous networks.
  • If using some other type of automated build process, such as disk imaging with Sysprep, configure the image with a software firewall enabled.
  • If building manually from installation media, either build the system off the network and enable the firewall before connecting it, or build it while it's protected by a hardware firewall.

Fortunately, the Windows Firewall is enabled by default in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, and most computer vendors shipping systems pre-installed with Windows XP and Windows Server 2003 include the latest service pack. Verify this rather than assume it: a build from pre-SP2 XP media starts with the firewall off.
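The "firewall on before the cable goes in" sequence from the third bullet, as an added example written for a current Windows rather than code from the original article: every physical adapter is taken down, the firewall is enabled on all profiles with inbound traffic blocked by default, the result is verified, and only then are the adapters brought back up. On Windows XP SP2 the equivalent firewall step was the netsh command `netsh firewall set opmode enable`; nothing else here is XP-era syntax. Run it elevated at the console, not over a remote session, since it disables the adapters.

```powershell
# Added example (not from the original article). Assumes Windows 8/Server 2012 or
# later with the NetAdapter and NetSecurity modules. Adapter names are discovered,
# not assumed.

function Protect-NewBuild {
    [CmdletBinding()]
    param()

    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = (New-Object Security.Principal.WindowsPrincipal($identity)).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Run from an elevated session.' }

    # 1. Keep every physical adapter down until the host firewall is confirmed.
    $adapters = Get-NetAdapter -Physical | Where-Object Status -ne 'Disabled'
    $adapters | Disable-NetAdapter -Confirm:$false

    # 2. Turn the firewall on for all profiles and drop unsolicited inbound traffic.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

    # 3. Verify rather than trust the call: if any profile is still off, the adapters stay down.
    $notReady = Get-NetFirewallProfile |
        Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' }
    if ($notReady) {
        throw "Firewall not confirmed for: $($notReady.Name -join ', '). Adapters left disabled."
    }

    # 4. Only now connect, and go straight to patching.
    $adapters | Enable-NetAdapter
    [pscustomobject]@{
        AdaptersEnabled = @($adapters.Name)
        NextStep        = 'Run Windows Update (or point the machine at your WSUS server) before anything else.'
    }
}

Protect-NewBuild
```

The verification step in the middle is the point of the example: an image or a policy can leave a profile disabled, and a script that enables the adapters without checking would expose an unpatched machine for exactly the window the article warns about.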

  Additional resources

Here are a few additional resources created for IT professionals to help lock down Windows:

  • Prevention Guide: Detecting and removing rootkits in Windows
  • Tip: Recognize your wares: Spyware vs. adware
  • Learning Guide: Malware

About the author: Kurt Dillard is a program manager with Microsoft Solutions for Security. He has collaborated on many solutions published by this team, including Windows Server 2003 Security Guide and Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP. He has also co-authored two books on computer software and operating systems.
