Setting up Windows

The following guide is intended to help install Windows on system in a secure manner.  The steps here are intended to limit the exposure of the system to malware during installation.  However, it does not guarantee that malware will not infect the system.  There are many known vectors used by malware, some of which are known to bypass the following steps.

Install Windows

Preform the initial power up and installation while disconnected from the network.  This will provide a clean base for the rest of the installation

Firewalled access to the Internet

Perform the initial connection to the Internet from a trusted firewalled network.  If necessary, filter access through a system with a built in firewall such as  Linux.  Connecting from behind a home router should be reasonably safe, unless you get configured in the DMZ.

Configure a secure DNS Server such as OpenDNS.  For a home server using OpenDNS create an account and select appropriate filtering.

Install Antivirus software

Install antivirus software such as AVG Free.  This software should be configured to scan incoming data.  Enable automatic updates, and configure the updates to run if an automatic update was missed.  Ensure a periodic full scan is run.

*Warning*: Current malware technologies are frequently able to get past antivirus software.  Installing this software does not fully secure the system.

Apply all Windows patches

Update Windows.  Apply all security updates, and review all other updates to determine if they should be installed.   Enable automatic updates.  Consider that  Microsoft releases monthly updates on Tuesdays when scheduling automatic updates.

Disable Autoruns

Windows will often run software automatically (autoruns), and this feature is used to spread malware.  Simply plugging in an infected flash drive will install the infection on the the target machine.  If autoruns are disabled, then this action is prevented.  The infection will still be installed if the user runs it.

The Microsoft support article http://support.microsoft.com/kb/967715 outlines the required patches and steps to disable autoruns.  Please read the warnings in the article.

Install optional software

I usually install the following software:

  • The Firefox web browser has a history of being more secure than Internet Explorer.  Security updates are released much faster than those from Microsoft.
  • OpenOffice.org provides all the office tools that the typical user will need.  This includes word processing, presentations, and spreadsheets.  Files may be imported from or exported to Microsoft Office, and several other suites.

Ensure Optional software is Updated

Most systems have a variety of optional software installed.   It should be updated before being used. This includes software such as:

  • Adobe Acrobat
  • Flash plug-in

The Secunia PSI software will help identify programs which need to be updated.  In most cases the software provides links to the required updates.  It will also provide warnings about known unresolved security problems.