Windows PC Security


These simple tips are your first line of defense. If they seem too complicated or are much effort, just do as much as you understand or as much as you feel comfortable doing. These are recommendations, not gospel.


Do you have anti-virus software? Is it configured to run all the time so it checks every file you access? Do you update it regularly (like every week or at a minimum every month)? If you have any doubts at all, I suggest you launch your antivirus program, get the latest update, then scan your entire hard drive. It may take an hour, but it will be worth it. All the popular antivirus programs can be configured to automatically check for and download new virus signature files. Find out how to make your antivirus update itself so you don't have to worry about it.

If you don't have an antivirus program, or you can't figure out how to make it work, you can get immediate free online virus testing here:

Most good antivirus programs cost between 30 and 40 dollars. You'll find the price can jump up to 50 or 60 dollars if other features like spam protection, firewall, or encryption is included. Most of the programs force you to cough up the same amount of money every year if you want to keep getting updates. It's the price of security. If you don't have anti-virus, go buy it now. Seriously. Get up, leave the house, and go to the nearest computer store. The three companies you'll probably find in your store (McAfee, Symantec, and Trend Micro) all have excellent antivirus programs.

If you don't have the money right now, several companies offer antivirus totally free for personal use:

If you only have a single file you suspect might be infected, you can test it here:

If you have a virus that your antivirus program can detect but can't remove, you may need to try a few advanced removal methods.

Have you kept your computer updated every month with all the security patches? Go here:
If you haven't done this before, be prepared to download about 40 megabytes of patches. Even more if you go to and get the latest patches for any Microsoft Office programs you might use. Windows can be configured to automatically download and install updates. If you don't want to remember to check for updates every month (and if you run Windows 2000 or XP), you can automate the process. Check your "Control Panel" for the "Automatic Updates" applet. The Windows Update site should have offered it to you, but if you didn't get it there, you can get it here:

Just because you install all the patches doesn't mean you've closed the other obvious security holes. Luckily, Microsoft has provided the Microsoft Baseline Security Analyzer to point out the things you really should take care of.  Of course, it's all Microsoft's opinion! For example, I set my IE "Restricted Sites" zone up to be more restrictive (and more secure) than Microsoft's settings. The Security Analyzer suggested that I go back to Microsoft's recommended settings.

You may have "spyware" installed on your computer. The only reason spyware isn't classed as a virus is that it doesn't replicate. But it does mess your computer up, track everywhere you go on the web, deliver advertisements you don't want to see, hijack your browser's home page, and maybe even steal your passwords. PC Magazine has a nice article comparing several different anti-spyware programs. I use three separate anti-spyware programs (listed below). Spybot and Ad-aware are the best at finding and removing problems, and Microsoft is the best at real-time protection. Be sure the first thing you do with all these programs is allow them to check for updates! After you've done all your cleaning, reboot your computer and clean it again! Keep doing this until no further improvements are noted. After everything else gives you a clean bill of health, you can run the PestPatrol online scan to see if anything else remains. PestPatrol won't remove the "pests" it finds in the free online version, but you can follow their detailed directions to remove any remaining spyware.

If you have a spyware program that you can detect but can't remove, you may need to try a few advanced removal methods.


    Running the HostsInstall script is an easy way to install a "hosts" file and configure your computer to use it properly.  A hosts file is a way to prevent your computer from connecting to known "bad" web sites. Sites that track your movement. Sites that annoy you with popup ads. Sites that try to install viruses or trojans. It won't protect you against everything, but it's an easy way to protect against the obvious!
    The HostsInstall script is configured to download, merge, and sort nine different popular "hosts" files. For flexibility, you can easily modify the list of web sites whose hosts files you want to use. For fast operation, the script runs everything through a database for the sort and merge operations. To keep you running, the script confirms the state of your "DNS Service" (which must be disabled). For convenience, you'll get more than the usual "white list" and "black list" configuration options. For easy searching, the script produces a "hosts" file that is sorted by domain name (not text-sorted machine names like most other lists). Finally, (and most importantly) this is an open-source script you're free to modify.
    Recommended: If you have a "hosts" or "PAC" file, you'll probably end up with error messages in your browser unless you have a specialized web server program. I recommend "Homer" from "". Of course, I offer an automated Homer download and installation script that will... urrr... download and install Homer automatically.
    If you'd prefer to manually install a hosts file yourself, I recommend you look at these sites: mvps, wikipedia, hostsfile, and hosts-file.


    Let's suppose there are sites you don't want your kids to see. It's kind of like the word "corn", except it starts with a "p". You understand? Well, using a Proxy Auto Configuration (PAC) file,  you can block 80 to 90 percent of all these sites for free and without installing any special software. 
    As an adult, why should you care? Graphic content aside, those sites are like a mine field. Far too many of them try to install bad things on your computer. You may have already discovered how easy it is to end up at one of those sites accidentally while searching or by following a link from an email! For your own sake, you should block Internet Explorer from those types of sites.
    Let's be honest. Nothing is perfect. Some things are going to slip through the filter. Others are going to be blocked when they shouldn't be. But the advantage of having a PAC file on your computer is that you can open it with Notepad and make changes. Add things. Take things away. Customize it.
    Recommended: If you have a "hosts" or "PAC" file, you'll probably end up with error messages in your browser unless you have a specialized web server program. I recommend "Homer" from "". Of course, I offer an automated Homer download and installation script that will... urrr... download and install Homer automatically.

I have no idea what program you use to read email, but it's probably your largest security hole! Anything made by Microsoft is a bad bet. There, I said it. Now you know how I feel about Microsoft! Microsoft Outlook, Outlook Express, and Internet Explorer are very popular. Because they are popular, they're also the biggest target for the bad guys out there! If you absolutely insist on using a Microsoft product to view your email, go into the Tools menu and configure it to run in the "Restricted" security zone for email. You should also change the "Restricted" zone settings to be even more secure than Microsoft's defaulty (I think I'll leave that typo!) settings. In fact, any email program (Microsoft or not) should be configured to disable all features. That means no scripting, no cookies, no Java, no ActiveX, no installable fonts, and no remote images. If you're foolish enough to use web-based email, you won't be able to run in the restricted zone, because you'll need all those features to make your email web page work. But those same features can make viruses work too! You end up depending entirely on your email provider and your antivirus for security. Neither of which will help if someone sends you a new virus.

GFI has a great email security testing tool here:
This test will send you several emails, all of which try to see if your email server and email client will accept the types of emails commonly used to send bad things. In some cases, your email server may block these tests. In other cases, your email client will block the tests. If the emails get through, see if you can activate what they send you. If you can, it means someone could use a similar email message to attack you! You will either have to extra careful not to fall for similar things in the future (along with everyone else who uses your computer), or you'll have to upgrade or change your mail server (which usually means losing your existing email address) or you can upgrade your email client program (the simplest solution). In my case, out of 17 GFI tests, my mail server (Yahoo / Pacbell) blocked 8. The remaining 9 were all ignored, rendered unusable, or properly identified as executable content by my email client Thunderbird.

I recommend making yourself a smaller target by using a non-Microsoft email program. My personal preference is Mozilla or Thunderbird. However, I also use a "dumb" text-only email program to preview messages before I download them into my main mail client. Those small underpowered email programs still have their uses! Here's a few free email clients (in no particular order) you may want to consider. The ones marked for USB drives tend to be small and leave no trace behind other than in their installation directory:
Thunderbird Open source email.
Portable Thunderbird Thunderbird optimized for USB drives
Great for USB drives. Text only (html can be opened separately)
Great for USB drives. Html is converted to plain text.
Scribe Great for USB drives. Html capable with no scripting. File extensions are always visible. Executable attachments must be saved.
Phoenix Mail
Open source email.
Html email without the security risk
Multiple accounts, filtering, authentication.
Open source email -- I wrote it.

Remember -- Never open executable attachments. Even from people you know. To me, executable means anything other than a picture. Microsoft provides a list of the more common "executable" files. But even that list isn't comprehensive, because Windows Media files can also contain scripts. Unfortunately, anything that is a Microsoft file type or that is based on a Microsoft specification should be considered executable. But it's not all Microsoft! I know Adobe Acrobat PDF files can contain malicious code, and I've heard the same can be done with Shockwave animations and RealPlayer movies.

The common advice about only opening attachments or clicking on links from people you know is dead wrong. Most modern worms and viruses can email themselves using a phony name collected from an address book. In other words, the mail will appear to be from someone you know. You need to apply common sense when it comes to attachments. Only open attachments or click links if you were expecting them. Even then, only open them if they are the type, size, and name you were expecting. Only open attachments or click links if the text, subject line, and author are all consistent. In other words, if a co-worker sends you an email in ALL CAPITAL LETTERS and they don't normally do that sort of thing, delete the message. If the person who sent the email uncharacteristically fell to a sixth-grade spelling level, delete the message. If the email only has one or two lines and you know the person is normally long-winded, delete the message. If you just got an new email, but this new email looks like a copy of an old email, delete the message. If in doubt, delete the message and ask the person to re-send it. Don't "reply" to the message, type a new message! Why not reply? Because if the message really isn't from them, you may actually send them the virus by replying. And and ask for an explanation! Why ask? Because if a person is infected, they might have an "auto-responder" that just re-sends the virus to everyone that emails them. By getting the person to write some explanatory text, you are establishing that you are conversing with a person, not a virus!

I know 90 percent of Windows users use Internet Explorer at the default security settings. That's why they probably have viruses, trojans, and spyware on their system. I have two browsers, and I recommend you do the same. I only use Internet Explorer to go to Microsoft's web site, my bank, and a few other trusted sites. For virtually all of my remaining browsing, I use a non-Microsoft browser:
Off By One
I configure my primary browser (FireFox) to disable virtually everything! No cookies, no JavaScript, no Java, no popups, and no remote images. It's easier to switch browsers than it is to change your security settings. You make Internet Explorer "versatile", and you make your other browser "secure".  And you only use your "versatile" browser on web sites that actually need the versatility -- and only if you absolutely trust the company that controls that web site. No, you don't use your favorite search web site with Internet Explorer. You should only conduct web searches with a secure browser.

Remember -- If you ever hit a web site that says you need a special viewer or player to see something, just say NO. The special player they are trying to get you to  install is almost guaranteed to have an advertising, spying, or zombie program hidden inside. Always download your viewers and players from trusted sites:
Real Player
Media Player
ffdshow (Allows Media Player to play DivX, XVid, MP4, and more)
OGG Vorbis/Theora (Allows Media Player to play ogg files)
XVid (You can use this instead of DivX)
Real Alternative (You can use this instead of Real Player)
QuickTime Alternative (You can use this instead of Quicktime)
VLC Media Player (You can use this instead of Microsoft Media Player)
MPUI (You can use this instead of Microsoft Media Player)

Some of the above links (Like QuickTime and DivX) are real-life online IQ tests! Look for the "Free Version" or "Free Player" or "Free Codec". The free item you want is often intentionally hidden! Don't be fooled into downloading an "Ad Supported" version or a "Free Download" or "Free Trial" of something you have to pay for later. Even though these are widely popular codecs and plugins, some of them (Real Player and QuickTime, for example) install additional hidden scheduling software and re-register file types without your permission. 

    So many people aren't sure what cookies are that I'd like to explain a bit. Cookies are a way for web sites to remember what you've just done. A web site will ask your browser for permission to "set a cookie". If your browser allows it, it will store whatever information the web site wants to store and send that same information back automatically every time it visits that web site for as long as the web site and your browser agree is appropriate.
    Cookies are great if you are shopping and are gradually adding things to your online shopping cart. In that instance, cookies are probably used to identify you so the web site can keep track of what you're picking. Cookies are also used to identify you at web sites so you don't have to log in every time. Nothing wrong with that, right?
    Unfortunately, advertising, hit counter, and web statistics companies use cookies in another way: They track you as you move around the web. They know what web sites you visit, which pages you look at, and how long you look. Add to that the fact that browsers have bugs and sometimes can be tricked into giving a cookie for one web site to another (evil) web site. So maybe somebody could get your New York Times cookie and figure out your New York Times password. If you're lazy and use that same password in other places, they may have the keys to your kingdom!
    What to do about it... Well, my advice above in the "BROWSER" section is my best advice. Disable cookies everywhere except where they are really needed. But even where they are needed, cookies should only be enabled for the web site you are viewing. If you have Mozilla or FireFox, you have an obvious option to enable cookies "for the originating web site only". As it should be! However, IE users have to dig a bit.  On IE, go to the "Tools" menu, then "Internet Options", then to the "Privacy" tab.  Hit the "Advanced" button. Place a check in the "Override automatic cookie handling" box. Set "First-Party Cookies" to "Accept" or "Prompt". I recommend "Accept". Set the "Third-Party Cookies" to "Prompt" or "Block". I recommend "Block". Only use "Prompt" if you plan on using each prompt as a reason to make an entry in your HOSTS file (mentioned above in the "HOSTS FILE" section).

Microsoft Office continues to be a security problem. The fact that you can embed macros in documents is one of those really cool features that would be great if everybody was an angel. Unfortunately, we have a few devils among us! I've removed Microsoft Office from my system. Instead of Microsoft Office, I recommend the following free Office programs:
Open Office can read and create Microsoft Office documents (Word, Excel, PowerPoint, etc.), so you can continue to share documents with people using Microsoft Office. However, Open Office can do things Microsoft can't -- like save directly to the Pocket Word, Palm Document, ShockWave Flash, and Adobe Acrobat formats! The AbiWord and Atlantis programs are strictly for word processing, but handle several Office document formats. Using non-Microsoft document-handling programs also means you are immune from Microsoft macro viruses. If you don't want to use Open Office, AbiWord, or Atlantis, at least use WordPad or the free Office Viewer programs (Excel, Word, and PowerPoint) to read documents! Change your file associations so that mainline Microsoft Office products aren't the default viewers for Microsoft Office files. Office should only be used to edit documents, not to read them!

Unfortunately, Windows computers are wide open to attack on a network. It isn't just people on "broadband"! Even dial-up internet users can be attacked without doing anything other than connecting to the internet. If you're on the net, you need a firewall. I like to think I have a fairly normal setup, and I get attacked or probed an average of once a minute all day long. I think the most recent statistic is that a new Windows machine on the internet will only last twenty minutes before it is compromised.

Broadband users should get a "router" with "network address translation" (NAT). The NAT feature is the firewall. Well, real network guys will argue that definition, but the fact is that NAT will probably block 99 percent of passive attacks. The NAT feature will exist in virtually every router that is sold as a cable/dsl/broadband router, so you don't really need to worry about looking for that particular feature. I've seen prices as low as 20 dollars on closeouts, but expect to pay 50 dollars for a name brand router. Higher prices usually get you more firewall protection, with features like "stateful packet inspection" (SPI). If your budget allows, pay the extra for SPI.

All users (broadband and dial-up) should also have a software firewall. A NAT router, while it's a good start, isn't enough. A NAT router won't protect you from bad-guy web sites that return bad data or probe you as soon as you look at them. A software firewall can block those things that get past your NAT box. If you have XP, you either have to install a "real" firewall or upgrade to XP SP2. While the SP2 firewall isn't as good as a real firewall, I'm going to recommend you use the SP2 firewall rather than try to to install something else. Why? The hassle factor! The SP2 firewall is "good enough". For most people, it won't be worth the effort to try to disable it and install and manage a separate firewall. Plus, if you have questions, Microsoft will probably give you free support and you're likely to have several friends who are also familiar with the SP2 firewall. A "real" software firewall (not the Microsoft XP SP2 firewall) will help you control your outgoing connections. It makes sure any rogue application you inadvertently run won't be able to use your connection to start doing dastardly things. It also allows you to stop certain legitimate applications from "phoning home". The Microsoft SP2 firewall only controls incoming connections. Not outgoing connections. SP2 might stop you from getting attacked, but it won't help limit the damage if you make a mistake and get yourself infected through your email! Here's a few fairly popular free software firewalls:

If you have some money, search for the firewall products offered by the following manufacturers:

The following sites offer free online firewall testing. Try them all out whether you have a firewall or not. It will open your eyes! (Look for the "ShieldsUp!" link.) (Caution: Several of the "Exploit" tests can lock up your router or drop your connection! A reset or reconnect should restore things. Wow!)

Does the saying "Never invite a vampire into your home" ring any bells? No? Well, it's said that if you do, you lose all power over the vampire. Viruses and vampires have that much in common. No matter how good your firewall and antivirus is, if you're foolish enough to invite a virus past your firewall and into your home (by downloading it or by email), you're in big trouble. Major companies spend major money on firewalls and virus protection and they STILL get hit with virus and worm attacks. Why? Because they employ large numbers of stupid people and supply them with computers. No amount of technology can protect a network from a stupid person. When you get on the 'net, your brain has to be ON. You have to understand what you are doing, where you are, and remember that you are surrounded by evil. Even after you follow all the above advice, you have to approach every single internet-related task with a large and healthy dose of paranoia. Trust nothing. Verify everything. Backup often. Stay away from vampires.

Lost? Look at the site map.

Bad links? Questions? Send me mail.

Ask Jeeves