My secure windows

Let's split this up in several parts (there is some sense of priority in the following list, I hope I will be able to convey why):
  1. Here is ProcessGuard, a category of its own: able to generically prevent some of even the most modern intrusions.
  2. Here is the Firewall section, which aims to provide you with some fine-grained control over what goes in and out (and where).
  3. You'll want an Antivirus Scanner.
  4. Then there's a host of diverse small tools which can make your Windows much more secure. They go from anti-adware tools to registry monitors and more.
  5. Possibly you'll want an Antitrojan Scanner also.
  6. Finally, before we delve into the details, a few words of general importance demand your attention:

    Of course, the single most important aspect of securing Windows is to secure your own computing habits. "Safe hex" can almost(*) make all the tools presented here superfluous. Unfortunately, safe computing practices are very much a matter of common sense and consideration. Spelling some of it out in detail requires covering so many aspects of your computer setup and of your habits that I am going to do it at a later time, on another page. Just do not click on everything without thinking about it; in particular, don't execute programs from sources you don't trust (but think about how many things could be a program and how many things can amount to executing it), use a browser other than InternetExplorer (how about MozillaFirefox or Opera) and a mailer other than Outlook(Express) (how about MozillaThunderbird, TheBat! or Becky).
    (* There are people who say that safe hex involves ditching MS Windows. Well, while there is something to it, that is beyond our scope here, so I suggest a compromise by saying that safe hex "almost" makes all the other stuff superfluous. But do consider the contention and, if you have the time, try to browse the net for more information, or even for alternatives. I migrated to Linux quite some time ago and I'm really happy I don't have to worry every time another Windows worm makes it to the headlines. (Which is not to say that one needn't be careful on other platforms as well, but you get the idea...))

    As for which Windows versions I can recommend, I'd say both Windows98SE and Windows 2000. While Windows98 is somewhat outdated, it is an operating system that is not designed to be used over a network. In other words, while an attacker could exploit all sorts of flaws, he can never gain "remote administration" - with on-board means, that is (which means that he can still try to get some remote administration software (backdoor) onto your Win98 box, but he will not be able to do it with the software delivered with Windows98 alone).
    Windows 2000, on the other hand, sits right in the golden middle between NT and XP: By design, all the NT lineage (i.e. from NT 3.5 up to 2003) offers many ways to be accessed via some network. The ambition of every attacker will be to exploit some feature exposed to the net in order to gain administrative privileges. Without, of course, sitting at the keyboard. (That's the critical security threshold for the Win95 lineage. In fact, even attackers sitting right at the keyboard of the WinNT machine will have to overcome considerable obstacles in order to elevate their privileges.)
    Now, Windows 2000 (W2k) has plugged many of the gaping holes that were present in the older NT (3.5, 3.51 and 4.0) versions, but it does not have the spooky, not-to-be-so-easily-trusted "features" of XP and newer.
    That's my personal view and other people will probably tell you differently. Maybe it is possible to make sure that one need not worry about those hidden aspects of XP, only I can't be bothered to spend the effort necessary to make sure of it.



    ProcessGuard

    I'm currently reworking this section - because of the imminent release of ProcessGuard's version 3.000 - and I have decided to put it onto a separate page. For now, the old version (2.000) has its review still here, and the new one - which is being reviewed based on a private beta build - is discussed here.



    Firewall

    Since there is a page with general information about firewalls at this site already, I will focus on a particular product, Look'n'Stop, that I recommend as personal firewall.

    (A separate firewall (and NAT) router is a great thing to have, too, and not much more expensive than some piece of software anymore. I will try to find some more information about it to refer you to...)



    Antivirus Scanner

    If you ask me, a good antivirus scanner is a must-have as well: A firewall and/or an anti-trojan scanner can prevent malicious programs from sending valuable and confidential information out to somewhere, or from having your computer "0wned" and remotely controlled, and ProcessGuard (see above) can prevent your running Windows system from being hijacked. But they will all help you very little when a virus is coming your way which simply wants to infect all other possible files it finds and then "bomb", i.e. have your computer just crash and possibly delete everything on a certain date. (There are also File Alteration Monitors, but they should be regarded as an addition to, not a replacement for, a virus scanner.) Additionally, good antivirus scanners also cover other malware to some extent, so, depending on how you assess your threat level and the sensitivity of your computer, it might spare you a dedicated Anti-Trojan Scanner.
    If you then ask whether there are special things to keep in mind, here's my two cents: You should have a resident virus scanner that scans every file (maybe only files of a certain type) as soon as it is accessed (i.e. downloaded, opened, executed etc.).
    You should not have two such resident scanners active at the same time, since they tend to compete over "Who scans it first?" (that's what is called a race condition), a situation where problems almost inevitably occur, the least of which are "Couldn't scan file xy, because no access was possible" warnings.
    On the other hand, it does not hurt to have an additional set of scanners in the drawer that you can use to scan your system "on-demand", i.e. when you're in doubt about a possible infection. (Regular scans of your download directory or a quick right-click-context-menu scan of a single file or directory are further options you probably want to have.) In real life, you also like to get a second opinion from time to time. As there are a couple of scanners available for free - and a couple more if you are using them only for private purposes - there's nothing that speaks against keeping some of them available. Only - again - don't scan with two scanners at the same time (and while you're on-demand-scanning, temporarily disable the resident on-access scanner).

    Here's a list of good AV scanners (in no particular order):
    First, the two most recognized commercial ones:

    Then, the more or less free ones:

    Finally, there are a couple of scanners that are available for free in a Linux version. You could think about setting up a Linux box to do some routine scans of your Windows network - if you have one. I hope to be able to do a page about this as well.



    More tools, for more specific tasks



    Anti-Trojan Scanner

    As noted above, in my humble opinion, whether or not you need a trojan scanner depends on how sensitive the information on your computer is, how easily you can refrain from working with it for a couple of days (say, when you need to re-install everything), and how your "threat level" should be assessed (which means: how likely and how attractive are you as a target for a hacker?). If you're a bank, SCO or Microsoft (just to name two arbitrary examples) then you can assume there are a lot of people after you. But if you're a flatrate surfer and file-sharer with any of the larger ISPs or simply an AOL'er, that does mean that you're on the default "look-for-easy-targets-here" list of most hackers.
    As with Antivirus scanners, there are a few - although not as many - Antitrojan scanners available for free (maybe only for private use, maybe only a "lite" version with a restricted set of features). Generally, if you want strong anti-trojan protection, you are going to have to pay for it.
    So, until I can work more on it, here's a list (again, in no particular order - or let's say no simple order, but I won't explain it until later) of very good Anti-Trojan scanners, the last two of which have a free "lite" version.
