How can I make a Windows PC bullet-proof for home users?

Solution 1

Probably the best advice I've ever heard on the topic is: Stop running as an administrator.

Solution 2

I get very grumpy when I see these questions, because too many people just want to change the computer, and not the user (when it's the user that causes the issues, invariably).

Consider: Almost every network has a NAT device in place between the LAN and the Internet. This stops random crap from just wandering in, so the overwhelming majority of machines are going to be just fine.

Only when the user is in place is it an issue. My solution: fix the user.

My list to keep your Mom's PC bulletproof:

  1. Educate her on computer security, and computer usage:

    • Don't teach her how to accomplish certain tasks ('click here, etc'). Teach her WHAT and WHY. Think about when you open a new program for the first time. Most computer literate people will have a good idea about how to use it straight up. This is because you understand WHAT you want to achieve, and WHY you want to achieve it. The HOW follows very quickly after, because you are familiar with the HOW from other programs. Ever swapped email clients? You'll know what I mean.
    • The golden rule: If you don't know, don't do it.
    • Secondary to the golden rule: Read what the error message is telling you, and think about what you have done to cause it - don't just throw up your arms and swear.
    • Educate her that just because something is free, she doesn't have to sign up for it, or try and install it.
  2. Install Google Chrome - Fast, lean browsing machine.

  3. Install your choice of free anti-virus. Something with a low amount of harassment is good.

  4. Ensure automatic updates are turned on, and that your mother knows how to deal with them. Accept them, install them, reboot the computer.

My parents ran a Windows XP machine for 4 years with no software firewall - running just Firefox and AVG. They were checking their email, doing online banking, playing some Guild Wars online, and they had no viruses. I've had plenty of challenges from random people who tried to find viruses on my computers, but they always just end up wasting their time.

Solution 3

I don't like just providing links as answers but have a look at this comprehensive lock down guide.

Windows XP Professional Configuration Checklist Details

  • Verify that all disk partitions are formatted with NTFS
  • Protect file shares
  • Use Internet Connection Sharing for shared Internet connections
  • Enable Internet Connection Firewall
  • Make sure Windows Update runs regularly
  • Use software restriction policies
  • Use account passwords
  • Disable unnecessary services
  • Disable or delete unnecessary accounts
  • Make sure the Guest account is disabled
  • Set stronger password policies
  • Set account lockout policy
  • Install anti-virus software and updates
  • Keep up-to-date on the latest security updates
  • Do not run with administrator privileges by default
  • Don't use WEP for wireless networks
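
A read-only audit of several items from the checklist above, as an added example that is not part of the original answer or the linked guide. It assumes Windows 10 or 11 with Windows PowerShell 5.1 (the checklist itself targets Windows XP); the helper name `New-Result` and the result labels are made up for illustration.

```powershell
# Added example: read-only audit; nothing on the machine is changed.
# Assumption: Windows 10/11 with Windows PowerShell 5.1 built-in modules.
function New-Result($Check, $Pass, $Detail) {   # hypothetical helper name
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}
$results = @()

# "Verify that all disk partitions are formatted with NTFS"
$nonNtfs = @(Get-Volume | Where-Object {
    $_.DriveLetter -and $_.DriveType -eq 'Fixed' -and $_.FileSystem -ne 'NTFS' })
$results += New-Result 'Fixed volumes use NTFS' ($nonNtfs.Count -eq 0) ($nonNtfs.DriveLetter -join ',')

# "Protect file shares": list shares other than the built-in administrative ones
$shares = @(Get-SmbShare | Where-Object { -not $_.Special })
$results += New-Result 'No user-created shares' ($shares.Count -eq 0) ($shares.Name -join ',')

# "Enable Internet Connection Firewall" (Windows Firewall profiles today)
$fwOff = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
$results += New-Result 'Firewall on for all profiles' ($fwOff.Count -eq 0) ($fwOff.Name -join ',')

# "Make sure Windows Update runs regularly": the service must not be disabled
$wu = Get-Service -Name wuauserv
$results += New-Result 'Windows Update service not disabled' ($wu.StartType -ne 'Disabled') $wu.StartType

# "Make sure the Guest account is disabled": match by RID 501, not by name
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
$results += New-Result 'Guest account disabled' (-not $guest.Enabled) $guest.Name

# "Do not run with administrator privileges by default": direct membership of
# BUILTIN\Administrators (S-1-5-32-544); nested domain groups are not expanded
$me = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
try {
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop)
    $isAdmin = $admins.SID.Value -contains $me
    $detail = $env:USERNAME
} catch {
    $isAdmin = $null
    $detail = 'could not read Administrators group'
}
$results += New-Result 'Current user is not a local admin' ($isAdmin -eq $false) $detail

$results | Format-Table -AutoSize
```

Run it from the everyday account rather than an elevated prompt, so the last row reflects the account the person actually uses.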

Solution 4

Besides teaching her to avoid installing silly things, I don't really see a way.

Of course, have the system updated and with an anti-virus (eventually a firewall).

But in general, if you want to avoid "family-tech-support", there is no real way. Because if you start adding things to block content, block what she can do, you won't be called for the "tech-support", but for the "why can't I do that?".

Solution 5

Buy her a Mac. Seriously, all of my family have moved over to Apple Macs and it's so much easier to fix (if anything ever goes wrong, which doesn't happen often).

Alternatively, if she/you can't afford that, install Ubuntu.

You can mark this answer as "not useful" but when it comes down to it Windows isn't meant for mums or anyone who's incompetent with computers.

Author by

Andrew Garrison

Updated on September 17, 2022

Comments

  • Andrew Garrison
    Andrew Garrison over 1 year

    I realize that virus-proof on a Windows PC is far fetched, but in the interest of keeping time spent as the "family-tech-support" to a minimum, I am looking for ideas to lock a computer down to the point that it is very hard to collect ad-ware/spyware, malware, or viruses.

    Assume the user is my mom, who rarely, if ever, needs administrator access and mostly uses the computer for MS Office and web browsing.

    • Admin
      Admin almost 15 years
      Encase it in lead ;)
    • Admin
      Admin almost 15 years
      I was thinking Kevlar!
    • Admin
      Admin almost 15 years
      Unplug the Internet connection.
    • Admin
      Admin almost 15 years
      not really, discussion over there doesn't expand into software, mostly about configuring windows for safety
    • Admin
      Admin almost 15 years
      Woah, did my question just get merged?
    • Admin
      Admin over 14 years
      Unplug the power cable.
    • Admin
      Admin almost 14 years
      Power it with Kryptonite!
    • Admin
      Admin over 13 years
      Throw it out the window!
    • Admin
      Admin over 13 years
      Switch to Ubuntu
    • Admin
      Admin over 13 years
      A mother's computer is likely not going to get anything on it.. Just their standard websites. Many of them hardly surf the web. Or do so very conservatively.
    • Admin
      Admin almost 11 years
      Like Aki said, get her off the vulnerable OS. Ubuntu will let her use Open Office, Firefox, and a myriad of media players.
  • Kirill Strizhak
    Kirill Strizhak almost 15 years
    Yes, probably your answer is better :] If a user wants to install something, then he will do it... The most effective way is to educate a user. Unfortunately, that is also the most time and effort consuming way. I just sometimes run out of patience :(
  • Kenneth Cochran
    Kenneth Cochran almost 15 years
    nsa.gov/ia/guidance/security_configuration_guides/… Has a host of guides on locking down different operating systems.
  • Admin
    Admin almost 15 years
    This is the easiest and fastest way. RANU.
  • Admin
    Admin almost 15 years
    Where did all my grandkids pictures go?
  • Axxmasterr
    Axxmasterr almost 15 years
    This method is perfect for some people. I have encountered people who seem to forget everything you teach them. So it is brand new every single time. These folks could spin your wheels for hours if you let them. Virtualization and Imaging are a good way to cap your level of effort supporting someone like this.
  • Kirill Strizhak
    Kirill Strizhak almost 15 years
    @Will: Yessss, grandkids pictures... :] Well, I can tell about VMWare: you can set up a shared folder with the hosting OS where you can drop off all of the user files. You can do it after it is screwed up to backup all user data, or before to let user save his data there. Plus, you can do snapshots often. So there will always be some state saved with all files intact.
  • Ivo Flipse
    Ivo Flipse almost 15 years
    Nice checklist!
  • Joel Coehoorn
    Joel Coehoorn almost 15 years
    Need to add "run as standard user" or "do not run with administrator privileges by default"
  • mukesh
    mukesh almost 15 years
    That list has problems for home users... ICS behind most home routers leads to double NATing. SRP is pretty administration heavy (I believe it's better in win7). Also, not having an account password helps the account not be remotely accessible.
  • Andrew Garrison
    Andrew Garrison almost 15 years
    @Doubt - your comment should be an answer.
  • user1686
    user1686 almost 15 years
    Easiest? On Windows XP? You must be joking. (I once tried that.)
  • Kirill Strizhak
    Kirill Strizhak almost 15 years
    @grawity: umm, try harder? :] Ok, sorry. Bad joke, just couldn't resist ;) Yes it is not as easy as it sounds, and requires some tweaking. But, imho, it has the greatest impact that only maybe hiding behind NAT and firewall may come close to.
  • NoCarrier
    NoCarrier almost 15 years
    out of curiosity.. how is x64 any more secure than 32bit?
  • RBerteig
    RBerteig almost 15 years
    @NoCarrier, two reasons leap to mind. First, the 64-bit kernel requires that all device drivers be signed so it is much harder to inject hostile code into the kernel itself. Second, at the moment, there are fewer x64 machines out there, so there are fewer attacks against them in the wild. As more systems go 64-bit, the dynamics will change...
  • Treb
    Treb almost 15 years
    Yup, easy. Even my mom and dad can do it.
  • Kevin M
    Kevin M almost 15 years
    Friends don't let friends use GeekSquad. Oh wait. What you're doing is making her not a friend.
  • Steven A. Lowe
    Steven A. Lowe almost 15 years
    @[Kevin]: GeekSquad is a lot cheaper than I am
  • fromano
    fromano almost 15 years
    -1 - Not an answer to this question.
  • fromano
    fromano almost 15 years
    You'll probably get more calls running with NoScript than you would every 3-6 months when something bad happens. "Why doesn't [every internet site] work?"
  • Andrew Garrison
    Andrew Garrison almost 15 years
    I agree that educating the user is ultimately the best thing to do, unfortunately it is not feasible in all situations.
  • EvilChookie
    EvilChookie almost 15 years
    I'd disagree - the only time it's not feasible to educate someone is when they don't want to learn.
  • Manu
    Manu almost 15 years
    I disagree. I've tried it, but a lot of Windows programs are poorly coded, and assume you've got the default Windows with the default everything. I also tried moving the "my documents" folders to another drive, and some programs just wrote on C: ...
  • mukesh
    mukesh almost 15 years
    Another factor is Kernel Patch Protection, which makes it harder for malware to bind to random points in the kernel.
  • DilbertDave
    DilbertDave almost 15 years
    Huh! How did this end up here - I was answering another (related) question ;-)
  • fretje
    fretje almost 15 years
    @DilbertDave: I've flagged it for "moderator attention" for being a dupe, and apparently a mod has merged the two questions.
  • DilbertDave
    DilbertDave almost 15 years
    That will explain it then - Hope my response still makes sense ;-)
  • mmyers
    mmyers almost 15 years
    I do this, but I really miss "sudo".
  • Paul Nathan
    Paul Nathan almost 15 years
    knowledge > automation
  • macbirdie
    macbirdie over 14 years
    I always replace the crappy software with better software, that respects my choices of account privileges and well-known-folder locations. Vista's UAC caused many software authors to improve their applications.
  • macbirdie
    macbirdie over 14 years
    mmyers - use sudowin ;)
  • Garik
    Garik over 14 years
    Changing OS is not going minimize the family tech support required, quite the opposite.
  • Peter Mortensen
    Peter Mortensen over 14 years
    What is GP? General Protection?
  • Matt Rogish
    Matt Rogish over 14 years
    +1 I did this as well a few years ago. Not only did it drop my tech support calls to ZERO (seriously!) my mom absolutely loves her iMac w/iTunes, FireFox, and Mail.
  • Gnoupi
    Gnoupi over 14 years
    Said already several times, but I guess always nice to repeat.
  • CTarczon
    CTarczon over 14 years
    yes, Firefox is the same everywhere. Non-techie people don't care that much how the button they have to click to start it looks. They don't really see the difference. And the simple fact that there are no viruses and nothing can go wrong except hardware failure makes it so much easier to work with.
  • Petra
    Petra over 14 years
    It used to be a real problem to run without admin rights; however, since the annoying UAC prompt in Vista, a lot of the big companies have reengineered their software to not need admin rights so often. If you haven't tried it for a couple of years it might be time to try again.
  • Jay R.
    Jay R. over 14 years
    As a counterpart to educating the user, maybe if the user refuses education, you should just take the computer away. We don't just let any random yahoo jump in a car and drive it, do we? ...oh wait.
  • EvilChookie
    EvilChookie over 14 years
    @Jay: Typically most people who drive need to be licensed to drive. Bad drivers are typically the result of bad instruction. In my opinion, bad drivers = bad instruction (or lack thereof). Problems with computers = bad instruction (or lack thereof).
  • Zoredache
    Zoredache almost 14 years
    +1 for Deepfreeze. Works really well if you set up a second thawed partition and redirect the desktop/documents/data folders to the thawed partition.
  • barlop
    barlop over 13 years
    "Read what the error message is telling you". Techies may be advised to not take the meaning of the error message description too seriously, but google the error message. End users sometimes do take it too seriously. Or they say "Computer says I can't do this".
  • Django Reinhardt
    Django Reinhardt about 13 years
    I have to say, I agree with this to a degree. You shouldn't have to learn about security and advanced settings to use a computer. No other household tech requires such knowledge, and really it's about time computers caught up. That said, your list of things to learn sound very reasonable, IMO.
  • Caspar
    Caspar over 12 years
    On the topic of lockdown - TrustNoExe implements a whitelist of executables
  • Dennis
    Dennis over 12 years
    I would agree if someone said that this doesn't answer the actual question, but I think it deserves to be in the list of solutions. I have switched 4 families (plus my fam of 7) to Ubuntu. I switched them not because they are computer geeks but because they are totally non-technical and I got tired of endless support calls. Once I find a distro upgrade that is worth it I bring them up to date, otherwise I just let them run day after day, month after month. They typically 1) Browse, 2) Music+Videos, 3) Office type work.
  • Darth Egregious
    Darth Egregious about 11 years
    Can't agree with the Chrome recommendation. Chrome is neither fast nor clean anymore. Try an unencumbered browser like Firefox.
  • Alex S
    Alex S about 8 years
    Would love it if a similar guideline was posted for Win 7, 8.1 and 10