Recommendations for securing a Windows laptop

Trojan

I'm looking for recommendations for securing a Windows laptop. I want to give these to a non-techie user (they're a typical Windows and Office user).

It will be used for SOHO use (Word, Excel, Skype, email, etc) with no mission critical data but things like timesheets and personal accounts. It is rarely brought outside the home if ever.

The machine is running Windows Vista, is brand new, doesn't have anti-virus installed but is fully patched up to date.

It should require reinstalling less than once every 24 months. (I believe in wipe & reinstalling every 12 months or less).

My recommendations include:

• keep up to date with all windows patches
• buy NOD32 or Avira AV
• use Firefox with AdBlockPlus (for security reasons), not IE*
• don't download untrusted software (anyone got guidelines?)
• enable windows password
• turn on bios password
• setup regular backup to external HDD
• optional: turn on onboard hdd encryption (advice?)

Ok, that's the basics. What do you guys disagree with and what further steps would you suggest to keep this machine secure, given normal usage patterns?

probe

Trojan wrote: »

I'm looking for recommendations for securing a Windows laptop. I want to give these to a non-techie user (they're a typical Windows and Office user).

It will be used for SOHO use (Word, Excel, Skype, email, etc) with no mission critical data but things like timesheets and personal accounts. It is rarely brought outside the home if ever.

The machine is running Windows Vista, is brand new, doesn't have anti-virus installed but is fully patched up to date.

It should require reinstalling less than once every 24 months. (I believe in wipe & reinstalling every 12 months or less).

My recommendations include:

• keep up to date with all windows patches
• buy NOD32 or Avira AV
• use Firefox with AdBlockPlus (for security reasons), not IE*
• don't download untrusted software (anyone got guidelines?)
• enable windows password
• turn on bios password
• setup regular backup to external HDD
• optional: turn on onboard hdd encryption (advice?)

Ok, that's the basics. What do you guys disagree with and what further steps would you suggest to keep this machine secure, given normal usage patterns?

1) Keep it inside a router/firewall box running NAT. Windows firewall can be manipulated easily by software. Switch off UPnP in the router. Skype fiddles with Windows firewall for one!

2) Switch off file sharing and printer sharing in Windows if possible.

3) Install Secunia to keep non-Windows software up to date.

4) I'd set Firefox to delete cookies on exit and to block third party cookies and install https://addons.mozilla.org/en-US/firefox/addon/6623 - setting it to wipe flash cookies every 2 minutes! [Privacy rather than security - but there is some area of gray overlap].

5) Don't use Outlook as an email client - too many malicious emails are crafted to take advantage of its vulnerabilities. Suggest http://www.mozillamessaging.com/en-US/thunderbird instead. FREE.

As for downloading untrusted software - all software is potentially dangerous! How many big security vulnerabilities have there been in Acrobat reader, and MS Office!? (PS Switch off Javascript and enable "enhanced security" in Acrobat reader if it is installed). OpenOffice is safer than MS Office and is FREE! http://www.openoffice.org

Martyr

Trojan wrote:

It will be used for SOHO use (Word, Excel, Skype, email, etc) with no mission critical data but things like timesheets and personal accounts. It is rarely brought outside the home if ever.

Take away administrator privileges?

Then should some malware get executed, It'll have a little impact on health of operating system.

don't download untrusted software (anyone got guidelines?)

You could look into a host based intrusion detection package.
It uses signatures to identify trusted applications..etc

Cisco Security Agent is quite good, but its not free ....unfortunately.

ntlbell

bios password's are pretty pointless imo.

if someone gets physical access to the laptop they're not going to make any difference.

Unless this person is planning on keeping very very very sensitive information on the hdd i don't see any point in doing full HD encryption

I think what you planned to do + the recomendations so far or more than enough especially secuina lovely little app.

Screaming Monkey

ntlbell wrote: »

bios password's are pretty pointless imo.

hmm...I always put Bios/HDD password on friends and familys laptops, usually a simple unique password, its a "fu*k you" to general laptop thieves, more people should do it.

ntlbell

Screaming Monkey wrote: »

hmm...I always put Bios/HDD password on friends and familys laptops, usually a simple unique password, its a "fu*k you" to general laptop thieves, more people should do it.

I don't understand.

They have no problems dealing with bios/hdd passwords.

believe me.

The fu*ck you will generally be on family and friends when they can't remember their own

in my experience general laptop thieves are lot more clever than the general laptop user...

Gavin

If you are just running office on it, you could reasonably install Ubuntu and use crossover office. It works fairly seamlessly, no problems with viruses/general crap.

BIOS passwords are slightly awkward on laptops if it's difficult to access the CMOS battery

edit - Also. A HDD password is difficult to remove.

Capt'n Midnight

if just for browsing / email / office then ubuntu instead of windows

BIOS password security varies depending on the brand,
but it offers more security than windows passwords , and if you use the same for HDD it means on most laptops user just needs to enter one password on power on , encryption means you need backups since it sorta interferes with data recovery


remove unneeded services and apps and network options

consider replacing acrobat reader with foxit reader etc.