Protect against worms and viruses – This step is the most obvious, but it is still one of the most critical. Few things can cause a well-functioning Windows system to become non-functional more quickly than a virus or worm infection. Protect yourself from viruses by installing antivirus software such as Norton Symantec or Trend Micro on all of the Windows systems that you manage. If you have more than 100 systems on your network, make things easier for yourself by deploying a corporate antivirus solution. Also, be sure to develop a plan to keep your antivirus software current by installing updates and renewing your virus definition subscriptions on a regular basis.


Protect against spyware – Spyware has quickly caught up to, and may even surpass, viruses as the leading problem plaguing users and IT departments alike. Spyware installed on a system can cause it to slow down to the point of being unusable, and can open up the system to personal data theft. Most people know how important it is to keep systems protected from viruses, but it’s become just as important to protect your system from this new class of assailant as well. For home users, Ad-Aware from Lavasoft is a good start; it’s free and easy to install. In this department, though, a single scanner doesn’t always do the trick. Another free product, Spybot Search and Destroy, is a great complement to Ad-Aware as it can sometimes find spyware missed by Ad-Aware, and vice versa.

Microsoft has also purchased an anti-spyware product and made it available to Windows users (Windows Defender) free of charge. Another outstanding product is Sunbelt Software’s Counterspy, which was recently selected by PC World as the #1 active spyware scanner on the market. Both the Microsoft anti-spyware product and Counterspy include active spyware defense. That means that they act very much like most antivirus products, providing proactive detection and prevention of spyware infestations. Conversely, Ad-Aware and Spybot are both passive scanners that only clean a machine after it is already infected. For the best protection, I recommend the use of one active scanner – either the Microsoft tool or Counterspy – as well as at least one passive scanner – Ad-Aware or Spybot.


Enforce strong passwords – Passwords are the cornerstone of security in many applications. As it stands right now, passwords continue to be the primary means by which users authenticate to systems, including Windows systems. Because of their widespread use, and the ease with which passwords are cracked, make sure that all Windows users choose strong passwords with a mixture of symbols, letters, and numbers, and that the passwords are changed regularly.
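One way to check that a machine actually enforces these two requirements is to audit the policy file written by `secedit /export /cfg policy.inf`. The following is an added example, not part of the original article; the sample export is constructed, and the length and age thresholds are assumptions chosen for illustration.

```python
# Added example: audit the [System Access] section of a `secedit /export`
# file for password complexity and regular password changes.
MIN_LENGTH = 8       # assumed minimum acceptable password length
MAX_AGE_DAYS = 90    # assumed longest acceptable password lifetime

# Constructed sample of the relevant parts of an exported policy file.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 0
[Version]
signature="$CHICAGO$"
"""

def parse_system_access(text):
    """Return the integer settings found in the [System Access] section."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "System Access" and "=" in line:
            key, _, value = line.partition("=")
            try:
                settings[key.strip()] = int(value.strip())
            except ValueError:
                pass  # skip non-numeric entries such as account names
    return settings

def audit_password_policy(settings):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    if settings.get("PasswordComplexity", 0) != 1:
        findings.append("complexity requirement is disabled")
    if settings.get("MinimumPasswordLength", 0) < MIN_LENGTH:
        findings.append(f"minimum length is below {MIN_LENGTH}")
    max_age = settings.get("MaximumPasswordAge", -1)
    # A non-positive value is treated here as "passwords never expire".
    if max_age <= 0 or max_age > MAX_AGE_DAYS:
        findings.append(f"passwords never expire or last over {MAX_AGE_DAYS} days")
    if settings.get("PasswordHistorySize", 0) == 0:
        findings.append("no password history, so old passwords can be reused")
    return findings

if __name__ == "__main__":
    for finding in audit_password_policy(parse_system_access(SAMPLE_EXPORT)):
        print("FAIL:", finding)
```

Real exports are normally UTF-16, so read the file with `encoding="utf-16"` before passing its text to `parse_system_access`.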


Don’t allow (or, at least, limit) unauthorized software – In a business environment, the IT department, with the support of management and a specific policy in place, can mandate that users are not allowed to install software without the express approval of IT. For most companies, it’s easy to point out an instance in which unauthorized software has created a significant problem. For example, some users may want to install and use AOL Instant Messenger. However, with AOL Instant Messenger, too many users ignore warnings and click on unsolicited links in messages.

These links can lead to less-than-desirable sites that install malicious software on the computer. Further, by not allowing unauthorized software, IT also forces departments to funnel purchases through a single channel. This gives IT the possibility of making bulk purchases, or of realizing that a particular software product is in great demand and ramping up for its support instead of having it thrust upon them unexpectedly. For non-corporate users who don’t have a central IT group, always be aware of what you’re installing; read any agreements for software that you do install and make sure you have both virus and spyware protection in place to help avoid potential problems with unknown installers.


Enable automatic updates – Each month, Microsoft releases a series of updates that fix vulnerabilities discovered in Windows and other Microsoft applications. For updates that are rated critical—meaning that the vulnerability can seriously expose the system to outside threat—patches should be applied as soon as possible after release. The easiest way to handle this is to use Automatic Updates in Windows. However, some administrators are wary of Microsoft pushing patches to their machines without intervention. In these cases, consider using WSUS (Windows Server Update Services) to act as an intermediary that allows an administrator to review and approve patches before they are automatically deployed to end-user workstations.


Use a software firewall – Windows XP SP2 includes an improved "Windows Firewall" that can greatly enhance the security of the system when enabled. Unless there’s a compelling reason to turn it off, always leave the XP firewall enabled on the interface that connects to the Internet. The best reason not to use it is if the workstations on your network already use another desktop firewall such as ZoneAlarm, which can watch all of the traffic flowing from your computer to make sure it’s valid. More advanced firewalls can even go so far as to inspect the entire contents of the traffic to make sure that it does not contain something malicious. If, for example, your computer has been compromised by a virus, these more advanced software firewalls can help prevent the virus from spreading by blocking your computer’s outgoing communications.

Make use of Internet Explorer security features – Among the major improvements in Windows XP SP2 are the new default security settings in Internet Explorer. The fact is that these improvements were sorely needed and much more needs to be done to make the program more secure for the widespread use it enjoys. In fact, as a result of Firefox’s popularity, Microsoft is slated to release Internet Explorer 7 sometime this year. Until then, consider upgrading to what has been provided in XP SP2, including the new popup blocker, better protection from malicious ActiveX controls and the prevention of unsolicited downloads. Used together, these three features provide a much safer browser experience. Better yet, you can use some of the new Group Policies to centrally manage these features.

Take advantage of Group Policy options – If you’re running Windows servers and Active Directory, one of the best ways to manage the security settings of your Windows desktops is to use Group Policies. Further, Windows XP SP2 and Windows Server 2003 SP1 provide administrators with dozens of new Group Policy options to centrally manage the new security features in Windows XP SP2. For example, SP2 includes close to 30 Group Policy options for just managing the new firewall. Whether you have XP SP2 deployed or not, you can use Group Policies to provide your user desktops with a secure and consistent desktop computing environment.

Change the BIOS device boot order – No matter what you do to lock down Windows itself, if an unscrupulous person gains physical access to a system, he can get to the contents of the data on the disks. Of course, a determined, knowledgeable person will also eventually gain access to Windows, so you need to put up enough roadblocks to deter this kind of activity. One quick fix is to change the device boot order in each system’s BIOS so that it boots to the hard drive first and then assign a password to the BIOS so that further changes cannot be made without entering some kind of credentials.

This will prevent an intruder from being able to sit down at one of your systems and boot from a floppy, CD, DVD, or USB device. In every case, make the first boot device the hard drive, which will eventually boot Windows and ultimately require the perpetrator to enter valid credentials to gain access to the system. If you allow boot from other media, people can boot with specialized CDs, for example, that provide them with free rein over all of the data on the system.


Lock the console or log out when the system is not in use – Beyond changing the boot order and setting up a BIOS password, there is something else you can do to improve physical security. One way to make sure that only authorized users gain access to a PC is for users to lock the console (hit Ctrl-Alt-Del and then click "Lock Computer") or log out of the system whenever they need to step away from the desk. Of course, some users will (understandably) forget to do this once in a while, so institute a policy that automatically locks the system after a certain period of inactivity (you can easily do this with a screen saver). Yes, it might be somewhat inconvenient at the beginning, but it’s better than stolen data or a compromised system.
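A screen saver only locks the machine if it is enabled, password-protected on resume, and set to a short timeout. The following added example, which is not part of the original article, checks those three values in `reg query` output for the per-user key and the Group Policy key, with policy values taking precedence; the sample output is constructed and the 900-second ceiling is an assumption.

```python
# Added example: decide from `reg query` output whether the screen saver
# will actually lock an idle workstation.
import re

MAX_IDLE_SECONDS = 900  # assumed ceiling for the inactivity timeout

# Constructed output for the per-user key and the Group Policy key.
USER_KEY = r"""
HKEY_CURRENT_USER\Control Panel\Desktop
    ScreenSaveActive    REG_SZ    1
    ScreenSaveTimeOut    REG_SZ    3600
"""
POLICY_KEY = r"""
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop
    ScreenSaverIsSecure    REG_SZ    1
    ScreenSaveTimeOut    REG_SZ    600
"""

# Value lines are indented: name, type, data. Key-path lines are not indented.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_\w+\s*(.*)$")

def parse_reg_query(output):
    """Map value names to their data for one `reg query` listing."""
    values = {}
    for line in output.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match.group(1)] = match.group(2).strip()
    return values

def lock_findings(user_output, policy_output=""):
    """Return findings for the effective settings; empty list means it locks."""
    effective = parse_reg_query(user_output)
    effective.update(parse_reg_query(policy_output))  # policy overrides user
    findings = []
    if effective.get("ScreenSaveActive") != "1":
        findings.append("screen saver is not enabled")
    if effective.get("ScreenSaverIsSecure") != "1":
        findings.append("screen saver does not ask for a password on resume")
    timeout = effective.get("ScreenSaveTimeOut", "")
    if not timeout.isdigit() or int(timeout) > MAX_IDLE_SECONDS:
        findings.append(f"idle timeout is missing or over {MAX_IDLE_SECONDS} seconds")
    return findings

if __name__ == "__main__":
    print("user settings only:", lock_findings(USER_KEY))
    print("with policy applied:", lock_findings(USER_KEY, POLICY_KEY))
```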