While Windows Vista may be Microsoft Corp.’s most secure operating system ever, it’s far from completely secure.
In its fresh-from-the-box configuration, Vista still leaves a chance for your personal data to leak out to the Web through Windows Firewall or for some nefarious bot to tweak your browser settings without your knowledge.
But by making a few judicious changes using the security tools within Windows Vista — and in some cases by adding a few pieces of free software — you can lock down your operating system like a pro.
1. Use Windows Security Center as a starting point
For a quick overview of your security settings, the Windows Security Center is where you’ll find the status of your system firewall, auto update, malware protection and other security settings. Click Start, Control Panel, Security Center, or you can simply click the shield icon in the task tray. If you see any red or yellow, you are not fully protected.
For example, if you have not yet installed an antivirus product on your machine, or if your current antivirus product is out of date, the malware section of the Security Center should be yellow. Windows does not offer a built-in antivirus utility, so you’ll want to install your own. For free antivirus, I recommend AVG Anti-Virus 8.
2. Use Windows Defender as a diagnostic tool
The malware section of Windows Vista also protects against spyware using Windows Defender. The antispyware protection in your antivirus program usually trumps the protection Microsoft provides, but there are several good reasons to keep Windows Defender enabled. One is that every antispyware program uses a different definition of what is and is not spyware, so redundant protection can actually offer some benefit.
Another reason to keep Windows Defender enabled: diagnostics. Click Tools, and choose Software Explorer from the resulting pane. You can display lists of applications from several categories such as Currently Running Programs, Network Connected Programs and Winsock Service Providers, but Start-up Programs is perhaps the most useful. Click on any name in the left window, and full details will appear in the right pane. By highlighting, you can remove, disable or enable any of the programs listed.
3. Disable the Start menu's recent-items lists
Windows Vista keeps track of all the documents and programs you launch and lists them in the Start menu. This can be convenient for some users, but it can also compromise your privacy if you share a computer within an office or household. Fortunately, Windows Vista provides an easy way to tweak this setting. To protect your privacy, follow these steps:
- Right-click on the task bar and select “Properties.”
- Click on the Start Menu tab.
- Uncheck “Store and display a list of recently opened files.”
- Uncheck “Store and display a list of recently opened programs.”
- Click “OK.”
4. Get two-way firewall protection
No desktop should be without a personal firewall, but even if the Security Center says you’re protected, you may not be. The Windows Firewall within Vista blocks all incoming traffic that might be malicious or suspicious — and that’s good. But outbound protection is not enabled by default. That’s a dangerous situation if some new malicious software finds its way onto your PC.
Microsoft did include the tools for Windows Vista to have a true two-way firewall, but finding the setting is a little complicated. (Hint: Don’t go looking in the Windows Firewall settings dialog box.)
To get two-way firewall protection in Windows Vista, do the following:
- Click on the Start button; in the search space, type “wf.msc” and press Enter.
- Click on the Windows Firewall with Advanced Security icon. This management interface displays the inbound and outbound rules.
- Click on Windows Firewall Properties. You should now see a dialog box with several tabs.
- For each profile — Domain, Private and Public — change the setting to Block, and then click OK.
Even if you do this tweak, I recommend adding a more robust third-party firewall. I suggest either Comodo Firewall Pro or ZoneAlarm, both of which are free and fare very well in independent firewall testing.
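The wf.msc steps above can also be scripted with netsh from an elevated Command Prompt. The batch file below is an added example, not part of the original article; the backup path, the rule name and the 32-bit Internet Explorer path are assumptions made for illustration.

```bat
@echo off
rem Added example: scripted equivalent of the wf.msc steps (run elevated).
rem BACKUP path and the rule name are assumptions chosen for this example.
setlocal
set "BACKUP=%USERPROFILE%\firewall-before.wfw"

rem 1. Save the current policy so the change can be rolled back.
netsh advfirewall export "%BACKUP%" || goto :fail

rem 2. Keep inbound blocking and make Block the outbound default
rem    for the Domain, Private and Public profiles.
for %%P in (domainprofile privateprofile publicprofile) do (
    netsh advfirewall set %%P firewallpolicy blockinbound,blockoutbound || goto :fail
)

rem 3. With the outbound default set to Block, a program can connect only
rem    if an outbound allow rule matches it. Example rule for the browser:
netsh advfirewall firewall add rule name="Allow IE outbound (example)" dir=out action=allow program="%ProgramFiles%\Internet Explorer\iexplore.exe" enable=yes || goto :fail

rem 4. Confirm: every profile should report BlockInbound,BlockOutbound.
netsh advfirewall show allprofiles firewallpolicy

echo Done. To undo, run: netsh advfirewall import "%BACKUP%"
exit /b 0

:fail
echo A netsh command failed. If the export succeeded, restore with:
echo   netsh advfirewall import "%BACKUP%"
exit /b 1
```

Expect applications without an outbound allow rule to stop connecting after step 2; add one rule per program you trust rather than switching the default back to Allow.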
5. Lock out unwanted guests
If you share your computer with others — and even if you don’t — Windows Vista includes a neat way to keep unwanted guests from guessing your systems administrator password. When you set up users and declare one user as administrator with full privileges, Windows Vista allows outsiders unlimited guesses at the password you chose. Here’s how to limit the guesses.
- Click Start, then type “Local Security Policy.”
- Click Account Lockout Policy.
- Choose Account Lockout Threshold.
- At the prompt, enter the number of invalid log-ins you’ll accept (say, three).
- Click OK and close.
6. Now audit your attackers
With the Account Lockout policy in place, you can now enable auditing to see any account attacks. To turn on auditing for failed log-on events, do the following:
- Click the Start button, type “secpol.msc,” and click the secpol icon.
- Click on Local Policies and then Audit Policy.
- Right-click on “Audit account log-on events policy,” and select Properties.
- Check the Failure box, and click OK.
- Right-click on “Audit log-on events policy” and select Properties.
- Check the Failure box and click OK.
- Close the Local Security Policy window.
You can then use the Event Viewer (by running eventvwr.msc) to view the logs under Windows Logs and Security.
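The lockout threshold from section 5 and the failure auditing from section 6 can be set and checked from an elevated Command Prompt as well. This batch file is an added example, not part of the original article; it assumes an English-language installation, because auditpol category names are localized.

```bat
@echo off
rem Added example: command-line equivalent of the Local Security Policy
rem steps in sections 5 and 6 (run elevated, English category names assumed).
setlocal

rem Section 5: lock an account after three invalid log-ons
rem (three is the article's example value).
net accounts /lockoutthreshold:3 || goto :fail

rem Section 6: record failures for "Audit account log-on events"
rem and "Audit log-on events".
auditpol /set /category:"Account Logon" /failure:enable || goto :fail
auditpol /set /category:"Logon/Logoff" /failure:enable || goto :fail

rem Show the effective settings so the change can be confirmed.
net accounts
auditpol /get /category:"Account Logon","Logon/Logoff"

rem Review the Security log: the 20 newest events, newest first, for
rem   4625 = an account failed to log on
rem   4776 = credential validation attempt (failures are audited above)
wevtutil qe Security /q:"*[System[(EventID=4625 or EventID=4776)]]" /c:20 /rd:true /f:text
exit /b 0

:fail
echo A command failed; check that this prompt is running as administrator.
exit /b 1
```

A burst of 4625 events for one account name within a few minutes is the pattern the lockout threshold is meant to stop, and the same query can be rerun at any time to look for it.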
7. Secure your Internet Explorer settings
The Windows Security Center will also report whether your Internet Explorer 7 (or IE 8) security settings are at their recommended levels. If the screen shows this section as red, you can adjust the settings within the browser itself.
- Within Internet Explorer, click Tools in the menu bar.
- From the drop-down menu, click Internet Options.
- Choose the Security tab.
- Within the Security tab, click Custom Level.
Here you’ll see a window with all the security options for the browser. If any are below the recommended level (if, say, some malware reconfigured your browser settings), these options will be highlighted in red.
To change an individual setting, click the appropriate radio button. To reset them all, use the button near the bottom of the tab. You can also change the overall security setting for Internet Explorer from the default Medium-High setting to the recommended High or Medium, if you wish. Click OK to save and close.
8. Use OpenDNS
Domain Name System (DNS) servers act as a phone book. When you type “pcworld.com” in the address bar, for instance, your browser sends that common-name request to your Internet service provider’s DNS servers to be converted into a series of numbers, or an IP address.
Lately, DNS servers have come under attack, with criminals seeking to redirect common DNS preferences to servers that they control. One way to stop such abuse is to use OpenDNS.
Go to Start, Control Panel, Network and Internet, and then click Network and Sharing Center. Under the tasks listed on the left, click Manage Network Connections. In the Manage Network Connections window, do the following:
- Right-click on the icon representing your network card.
- Click Properties.
- Click Internet Protocol Version 4.
- Click the Properties button.
- Select the Use the following DNS server addresses radio button.
- Type in a primary address of 208.67.222.222.
- Type in a secondary address of 208.67.220.220.
- Click OK.
9. Live with User Account Control
One area where some people might want to see the Windows Security Center turn red is User Account Control (UAC), perhaps the most controversial security feature within Windows Vista. Designed to keep rogue remote software from automatically installing (among other things), UAC has a tendency to thwart legitimate software installations by interrupting the process several times with useless messages.
In Windows 7, you’ll be able to set UAC to the level you want. Until then, you do have some options. One is to disable UAC. I would caution against that, since UAC is meant to warn you of potential danger.
Instead, install TweakUAC, a free utility that enables you to turn UAC on or off as well as provides an intermediate “quiet” mode that keeps UAC on but suppresses administration-elevation prompts. With TweakUAC in quiet mode, UAC will appear to be off to those running as administrator accounts, while people with standard user accounts will still be prompted.
10. Check your work
Now that you’ve tweaked Windows Vista, you can keep tabs on your system’s security with the System Health Report. This diagnostic tool takes input from the Performance and Reliability Monitor and turns it into an information-packed report that can spotlight potential security problems.
- Open Control Panel.
- Click System.
- In the Tasks list, click Performance (near the bottom).
- In the resulting Tasks list, click Advanced tools (near the top).
- Click the last item on the resulting list — “Generate a system health report.”
The report will list any missing drivers that might be causing error codes, tell you whether your antivirus protection is installed and declare whether UAC is turned on. You may want to run this report once a month just to make sure everything’s still good.