Programs and Utilities to Improve Security


NAT Router: The first thing everyone should do with a cable or DSL service is to install a router. The router keeps things from the internet from probing your computer. Check your router connection with:
ShieldsUp
Shields up is a service offered by Gibson Research Corporation that tests your connection. You want the ports of your router to be stealthed. From the GRC home page, select ShieldsUP! from under the Services menu.
test at grc.com

(free)


Software Firewall: Make sure that you have a software firewall installed and operational. XP and Vista both have firewalls. To ensure that they are on, check the security settings in the Control Panel. Windows Firewall is also accessed from the Control Panel.

DNS Settings: The Domain Name Server is the utility that allows your computer to find a web site when you type in something like www.dow.com. It converts what you type to a number like 194.145.145.12. There are free services that improve the safety of DNS by keeping you away from sites that are known bad actors and that respond to DNS threats faster than your ISP. 

DNS can be configured at an individual computer or from your router.  Changing settings on your router means that all computers on your local network will be using the selected DNS server.

I strongly recommend using OpenDNS. This requires that you change the DNS settings on your router from the default to the settings for OpenDNS. The instructions are pretty good on the site.
OpenDNS
OpenDNS replaces your default DNS server and provides additional protection against sites that are known to be bad. Since it intercepts the outgoing traffic, it protects you irrespective of what program is trying to reach out to the internet.
follow instructions at opendns.com

(free)

Google Public DNS
Google Public DNS is a free, global Domain Name System (DNS) resolution service that you can use as an alternative to your current DNS provider.
follow instructions at google.com

(free)

DNS testing
Testing DNS requires that you install a program on your computer to probe DNS speed.  I like DNS Benchmark from GRC (for Windows only).  It is small, fast and thorough.  Namebench is available for Windows, Mac and Linux.  I haven't tested it, but it comes from Google.

GRC DNS benchmark

Namebench

(free)


Internet Software:
One of the best things to do to improve security is to move away from Microsoft products. Because they are built in to so many computers and users don't change, they are the target of malicious hackers more than other programs. Additionally, the use of ActiveX programming by Microsoft is generally considered by many to be a security risk. The options that I prefer are:
Firefox
Firefox is an open source web browser. Firefox added tabbed browsing at version 3. It allows many add-ins that give additional functionality. It is available for PC, Mac OSX and Linux. The user experience is virtually indistinguishable on the different platforms. Statistics for December 2008 report that Firefox is used by over 40% of internet users. This level of popularity means that most everything on the net will be Firefox compatible. There are occasional sites that require ActiveX components that will not run in Firefox. Unfortunately, this means that Internet Explorer must be maintained on PCs.
get it from mozilla.com

(free)

Thunderbird
Thunderbird is the open source email and newsgroup complement to Firefox.
get it from mozilla.com

(free)

Chrome
Google Chrome is Google's browser.  Nice look and does a great job with images and video.  Does not yet have the add-in ability of Firefox.
google.com/chrome

(free)

Locking Down Internet Explorer
Internet Explorer is such an integral part of Windows that it can't fully be avoided or deleted.  It is used in updating Windows, as well as other software.  It is also used by Microsoft mail programs.  I recommend rendering it almost useless by locking it down using these directions.
IE_lockdown

Most problems exploit weaknesses in the browser or browser user. There are several things that you can and should do to improve the security of browsing. The steps described here are intended to prevent you from getting infected with malicious software.

Google Safe Browsing:  

Safe Browsing
Service to let you check websites for known malware.
Safe browsing.

(free)

Browser Settings:  

Check Browser Settings
Site uses JavaScript to check and report settings.
supportdetails.com

(free)

Browser Settings /Add-ins: Add-ins to Firefox allow you to customize the browser experience.  These are readily available from the Tools>Addins menu.  Several settings should be changed as well to increase safety in any browser.   The options that I prefer are:

Cookies
Cookies are little bits of information exchanged between the server and you, most commonly to save information about you as you navigate around a site.  It is how Amazon knows it's you when you first call up the site.  It is also how you can be tracked as you move about the net.
turn off third party cookies at a minimum


Default file location
Saving executables to the desktop can be dangerous since it is easy to trick the computer into running them.
change the default location for saving files to a folder or, as I prefer, make the browser always ask where to put files

NoScript
Scripts are programs that come in a web page.  They do many powerful things, but can also mess with your computer.  NoScript is an example of security being a trade-off with convenience; it can get in the way and it requires some set-up.  The idea is that you can set sites that you know and use often to let scripts run, but for all other sites, you block scripting.  One key is to turn off notification or it is painful.
noscript.net or from within Firefox

(free)

PDF Download
PDF Download pops a window any time a PDF is clicked on, not so much for security as convenience.  By allowing you to choose whether the browser should open the PDF or whether it should simply be downloaded, stability is improved.  No more waiting while a gigabyte PDF downloads by mistake.  Also available for Internet Explorer.
pdfdownload.org or from within Firefox

(free)

Foxit
Adobe Acrobat Reader has become increasingly bloated and prone to severe attacks.  Foxit is a PDF reader that replaces Acrobat Reader both as an add-in and as the stand-alone application.
foxitsoftware.com

(free)


Anti-Virus: Never buy anti-virus software!!!  Microsoft now provides anti-virus software.  I recommend using Microsoft Security Essentials.  Anti-virus scans incoming e-mails for bad stuff and periodically scans the entire computer for malicious software. Most ISPs - that's your cable or phone company - will offer free security software. Do not purchase security software from a store. It will likely be a waste of money and the chances are that you will get a product that has traits that are somewhat onerous. Norton, for example, used to be very good. It is now bloated, slow to update and reduces performance unacceptably. I have been very pleased with AVG Anti-virus, which has a free version for home use.  I don't see a reason to pay based on the information I have found and my experience.

Microsoft Security Essentials
Microsoft Security Essentials provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
security essentials

(free)

Malicious Software Removal Tool
Every monthly security update from Microsoft includes a little utility that can be used to scan for infections.  Go to the run box and type MRT(return) to start a scan of your system.
MRT.exe

(free)

AVG Free
AVG Free is a full-featured anti-virus program. Be advised, they try hard to steer you toward paying for an improved version. The links to get you to the free version pale in comparison to those pointing you toward paying.  You won't need to give a credit card number to get the free version.
free.avg.com

(free)


Anti-Spyware: Anti-spyware is where you begin seeing that improving security comes at some loss of convenience. Anti-spyware attempts to stop programs from making changes to your system. It shows that it is working by periodically popping up messages when something attempts to make a change in the system. This happens when it is malware that attempts to install when you aren't expecting it and when you attempt to install a new program. If you are doing something that you think would be making a change, you accept the change. Denying system changes when you're just browsing stops malware before it can happen.

Spybot
Spybot S&D is a powerful tool for protecting and diagnosing issues with Windows. Once loaded, it prevents spyware from installing. It also allows you to determine what is being loaded at startup too.
get spybot

(free)


Software Scanning: Secunia PSI is a free utility that checks to see if you have the most recent versions of software and identifies pieces of software on your system that have known vulnerabilities.

Secunia PSI
Secunia PSI keeps a database of current versions of software and it scans your computer and checks the programs installed against it. It then flags software that is out-of-date and with known vulnerabilities.
secunia.com

(free)


Reducing Rights: In order for a malicious program to install, it has to make changes to the system. Changing the system requires administrator rights. In Windows, you could run at reduced rights and some folks do. I find that it is too painful to run when you aren't an administrator. Several solutions to run or limit rights are available. The ones that I've investigated are below.

DropMyRights: There is an intermediate solution to dropping rights that requires almost no system overhead. Microsoft published a utility that reduces the rights for just one program. Running browsers at reduced rights, especially Internet Explorer.

DropMyRights
DropMyRights is a utility from Microsoft that you invoke with the program that you want to run as an argument. In practice, you create a shortcut that looks like: "C:\Program Files\DropMyRights\DropMyRights.exe" "C:\Program Files\Internet Explorer\iexplore.exe". You can then change the icon of the shortcut such that it looks just like the original Internet Explorer. When you use the shortcut, it reduces the rights only for Internet Explorer.

get dropmyrights

(free)


Sandboxing: The concept of sandboxing is that you can operate a program in a portion of the system but without full system access. I actually have only played with Sandboxing, but it looks like a nice solution.

SandBoxIE
SandboxIE is a sandboxing program that places a browser or e-mail client in a virtual cage.  It can run, but it can't reach out of the cage to mess with the rest of the computer.  Not sure if this works in Vista.  Free trial is fully functional.
sandboxIE.com

(free trial)


Windows SteadyState: This utility locks your system and returns it to the safe condition. We've all used this when traveling. Most hotel kiosks that allow you to print boarding passes use this. At the end of every day, the computer is returned to its safe state.  I have played with this, but have found it too intrusive.

Steady State
This is a free utility from Microsoft used most commonly for multi-user machines.
steadystate

(free)


Virtual Machines: The real heavyweight solution to protecting your system when surfing the web is a virtual machine. A virtual machine is a pretend computer that runs within a physical computer. Running the virtual computer makes it so that only the virtual computer is infected when you venture some place bad.

VMWare
VMWare Player allows the loading of virtual machines that have web browsers.  It is particularly useful for running Linux.  You can surf in Linux to ensure that you won't be infected by Windows malware.  Many of these are available as Virtual Appliances already.
get player

(free)

Analysis Tools: If you want to see what is actually loaded in your system, I have found HijackThis very useful. It is a geek tool and probably not useful for most users.

HijackThis
HijackThis allows you to look and see if there are events occurring as the computer boots and to turn them off.  It is a real geek tool.
get from Trend Micro

(free)


Network Analysis: Seeing the computers on your network is handy sometimes.

Nmap Zenmap
Zenmap allows you to probe aspects of your local network.  I find it most useful for determining what computers and devices are on a local network.  The port spec for scanning a typical network (where the router is 192.168.1.1) is:
192.168.1.0/24
get Zenmap

(free)

Quick Recovery:  If malware does strike, the best recourse is to wipe the disk and reinstall.  This is made considerably easier with utilities that create an image from which you can restore the hard drive.  Norton Ghost did this well until they tried to make it run in the background all the time at version 9.  Currently I like and have tested DriveSnapshot.

Drive Snap Shot
Drive Snapshot is a utility that makes an image of your disk from within Windows. Full functioning trial is free but continued use requires payment.
drivesnapshot.de

(free trial)

Remote Assistance:  If you want to help or be helped by someone remotely, check out CrossLoop.  It works like Timbuktu or NetMeeting, but is free.  To use it for free, you don't have to have an account.  Once loaded, click skip on the opening screen.  It is great.

CrossLoop
CrossLoop allows remote access of a desktop.  Very useful for helping others with stuff remotely.
crossloop.com

(free)

Resources:  Web sites and organizations

Shadow Servers
The Shadowserver Foundation is an all-volunteer watchdog group that gathers, tracks, and reports on malware, botnet activity, and electronic fraud. Its mission is to improve the security of the Internet by raising awareness of the presence of compromised servers, malicious attackers, and the spread of malware.
shadowserver.org

(free)

GRC
GRC.com is the home of many security articles and pieces of software.  Links to show notes from Security Now are also there.
grc.com

(free)

disposeamail
Disposable email for those times when you're uncertain about the site.
disposeamail.com

(free)

tweakhound
Site / blog on all things Windows, including free resources for keeping a Windows computer humming.
tweakhound.com

By Mark Jones on 19 January 2009.  Last updated 27 December 2010.