In previous OS News articles, I’ve claimed that mature computers up to ten years old can be refurbished and made useful. My last article identified and evaluated different ways to refurbish these computers.

One approach is to keep the existing Windows install and clean it up. This has the advantage of retaining the Windows license and software, the installed applications, and the existing drivers. But it takes some work. In this article we’ll see what this entails.

Cleaning up an unknown Windows system requires three steps, performed in this order:
- Security
- Anonymization
- Performance tuning

This article discusses security and anonymization. Next month’s article covers performance tuning. This article is based on my free guide How To Secure Windows and Your Privacy. The guide was published two years ago but is still relevant to cleaning up Windows. I’ll leave out the screen illustrations in the guide, as well as its more detailed techniques. We’ll cover the highlights here.

The goal is to answer this question — how can you secure a Windows computer about which you can make no assumptions?
Orientation

This article assumes you’ve already decided to revitalize Windows. If you’re interested in whether cleaning up an existing Windows install is a good way to refurbish a computer, see the discussions in previous articles in this series.

I’ll assume you are securing Windows XP, since XP was Microsoft’s primary consumer offering from 2001 to 2007. The tips in this article also apply to Windows 7 and Vista, but the examples are based on XP.

I assume that the copy of Windows you want to secure is on an “unknown computer.” By this I mean a computer that is previously unknown to you, so you can not make any assumptions about it. If you’re refurbishing a “known” computer, for example, an old machine you haul out of your own basement or attic, you may be able to skip some of the steps.

It’s important to understand that due to the ways in which rootkits and like technologies operate, you can never be theoretically certain that an unknown Windows computer you clean up is completely secure. Only wiping the disk and cleanly installing an operating system absolutely guarantees security. But from a practical standpoint, the procedures in this article ensure adequate security for normal situations.

Before you can secure Windows, if you’re working with an unknown computer you might have to circumvent password protection. While there are several different approaches to this problem, I’ve had excellent results with the free program Offline NT Password and Registry Editor. The program deletes the Administrator password so you can log on to the Administrator account without entering a password. You’ll need a user login with Administrator rights to secure Windows.

Be sure to reset the Administrator account password after you gain access. Obviously, Windows passwords don’t offer much protection if someone has physical access to the computer. But they’re still vital to protect against unauthorized remote access. (To secure your data against someone who can physically access the computer, use Windows’ built-in encryption or a competing free encryption program.)

You can secure and anonymize Windows without buying any software. All the programs mentioned in this article are free, except one which is specifically noted.

It’s always a good idea to back up Windows prior to changing it. Use Windows’ System Restore or System Protection feature to make a backup or “restore point” for Windows: Start -> All Programs -> Accessories -> System Tools -> System Restore.
Firewall

The first step to securing Windows is verifying that it has a functioning firewall. Firewalls prevent unauthorized connections to the computer from the outside. An internet-connected Windows computer without a firewall will be quickly compromised. You don’t want to spend time cleaning up Windows by running anti-malware programs until you’ve secured it with a functioning firewall.

Windows XP came with either of two different firewalls (depending on the release). Both secured the computer against incoming connections, but neither could block unauthorized outgoing connections. Windows 7 and Vista bundle a firewall that can also block outgoing connections, but by default this feature is disabled. Windows ME, 98, and 95 did not come with firewalls.

In addition to protection against incoming penetration attempts, you need outgoing firewall protection to secure an unknown computer. Otherwise, if the computer is already compromised and sending out information, you will have no way to know it. The bundled XP firewall will not tell you. Nor will the Windows 7 and Vista firewalls — unless they have been specifically configured to block unauthorized outgoing connections. Read how to enable outbound Windows 7 and Vista firewall protection here and here.

Outbound filtering can not guarantee that no information is sent from a compromised computer to the outside world, but it can stop many such attempts. See this TechNet article if you’re interested in the details about where outbound firewall protection helps and what it can not stop.
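To make the Windows 7 and Vista outbound setting concrete, here is an added example (not from the article or its guide) using the netsh advfirewall command that Vista and 7 include; XP’s firewall has no outbound policy, so it does not apply there. The program path in the allow rule is a placeholder you would replace with the programs this machine actually needs. Blocking outbound by default means every program that needs the network must have an explicit allow rule, so expect to add a few before the browser and updaters work again.

```powershell
# Added example, not code from the original article or guide: inspect and
# tighten the default outbound policy of the Windows Vista / 7 firewall with
# netsh advfirewall. Run from an elevated ("Run as administrator") PowerShell
# prompt. The program path in step 5 is a placeholder.

# 1. Current inbound/outbound defaults for the Domain, Private and Public
#    profiles. Before any change, "Outbound connections" typically shows
#    "Allow", which is the situation the article warns about.
netsh advfirewall show allprofiles

# 2. Make sure the firewall itself is on for every profile.
netsh advfirewall set allprofiles state on

# 3. Block inbound and outbound traffic unless an explicit rule allows it.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 4. Log dropped connections so outbound attempts by an already compromised
#    machine leave a record in the firewall log
#    (default: %systemroot%\system32\LogFiles\Firewall\pfirewall.log).
netsh advfirewall set allprofiles logging droppedconnections enable

# 5. Add an explicit outbound allow rule for each program that legitimately
#    needs the network (placeholder path; adjust for this machine).
netsh advfirewall firewall add rule name="Allow Firefox outbound" dir=out action=allow program="C:\Program Files\Mozilla Firefox\firefox.exe" enable=yes

# 6. Confirm the change took effect: "Outbound connections" should now
#    read "Block" for all three profiles.
netsh advfirewall show allprofiles
```

After step 3, review the dropped-connection log for a day or two: repeated outbound attempts from a program you did not install are exactly the symptom of a compromised machine that the article says an inbound-only firewall would never show you.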
If you are refurbishing XP and need a bi-directional firewall for full two-way protection, you might try the free programs listed at The Free Country. I’ve found ZoneAlarm easy to set up and largely self-configuring. Gizmo’s Freeware offers good reviews of free software including firewalls, and also presents user feedback on which they think best.
Test the Firewall

When you are done configuring the firewall, test how well the computer resists outside penetration by running the free ShieldsUp! program. ShieldsUp! probes your computer and tells you about any security vulnerabilities it finds. (Those concerned about privacy might also find it enlightening to see the identifying system information your computer passes to any web site you visit.)

Verify that your firewall blocks unauthorized outgoing connections by downloading the free LeakTest program from the same web site. Only firewalls offering bi-directional protection will pass LeakTest.
Malware

Once you’ve secured your perimeter you’re ready to identify and eliminate malware from your computer. Malware includes viruses, trojans, keyloggers, dialers, rootkits, botware, spyware, worms, and adware. I recommend installing and running a number of free anti-malware programs, one after another, using this procedure:
- Download the anti-malware program
- Install it (verifying no conflicts occur with existing anti-malware)
- Update it to the latest anti-malware definitions or “signature files”
- Full-scan the disk(s) with the program
- Remove infections (automatically and/or manually)
- If infections were found, re-run the same program to verify they are successfully removed

Install and run anti-malware programs serially — rather than in parallel — to avoid possible program conflicts. It can be very confusing to be asked which infections or potential infections to remove when confronted with a long list of them from several programs running at once. The serial approach also makes handling false positives easier. So while running anti-malware programs one after another takes more time, it’s a more accurate way to ensure you’ve identified and removed all malware.

If a program finds some malware and automatically removes it, re-run that same program a second time to ensure that the malware was successfully removed. If you find persistent infections the anti-malware can not automatically remove, you may have to get involved in the process yourself with an analytical program like Trend Micro’s HiJackThis.

Why should you run multiple anti-malware programs? No anti-malware program has a 100% detection rate. Anti-malware programs have different strengths and best identify different threats. Often people tell me “I rely only on XYZ Anti-Malware and don’t need to run any other program, because XYZ tells me my system is clean. Just use XYZ Anti-Malware and you don’t need any other anti-malware program.” This is fallacious reasoning. All the clean scan by XYZ Anti-Malware tells you is that it can’t find any infections. This doesn’t guarantee your system is free of infection. If you don’t understand this then read about the complexities of malware detection at the AV Comparatives web site. Or glance at this list showing how detection rates vary and that no program approaches a 100% detection rate.

The table below lists effective free anti-malware tools I’ve used. The two middle columns of the table tell whether the free version of the product provides real-time and/or batch disk-scanning capabilities. You initially deep-scan the disks to clean a computer. Then going forward, you’ll also want to install real-time protection. Free products frequently change their coverage so the two middle columns may become outdated if you’re reading this article some time after it was published.

With apologies to the vendors, I’ve listed the popular short names for their products instead of the longer formal product names. The links go directly to each vendor’s web site. At most of them you simply click the “downloads” tab to download their free product.
Product | Free Real-Time Protection? | Free Disk Scanner? | Comments
Ad-aware | Some (processes protection only) | yes | Best known for adware prevention, detection & removal
avast! | yes | yes | Good general purpose program
Avira | yes | yes | Good general purpose program
AVG | yes | yes | Good general purpose program
a2 (or a-squared), now known as Emsisoft Anti-Malware | no | yes | Good general purpose scanner. Real-time protection was dropped from the most recent free version.
Clamwin | Some (email only) | yes | Slower scanner than some of the others but thorough and yields usefully different results.
HiJackThis | no | yes | Best product for manual removal of infections that other products can not automatically remove. Requires your involvement and expertise.
Malwarebytes | no | yes | Good general purpose scanner
RootKitRevealer | no | yes | Specialized but keys on a very important threat — rootkits. Requires your involvement and expertise.
Spybot Search and Destroy | yes | yes | Best known for spyware detection & removal
SpywareBlaster | yes | no | Best known for Internet Explorer and ActiveX defense
SpywareGuard | yes | no | Best known for spyware prevention
WinPatrol | yes | no | Best known for intrusion prevention
Find good summaries of free anti-malware programs at The Free Country’s web pages on anti-virus, spyware & browser protection, and intrusion prevention programs. Gizmo’s Freeware has a nice list of what they consider the better free programs as well as comparisons and reviews. CNet’s download site for free software also offers good product evaluations.

I’ve excluded Microsoft’s own tools from the above chart because I don’t have experience with them all. Microsoft’s anti-malware programs have evolved from Windows Live OneCare (once known as Windows OneCare Live), to Windows Defender (once known as Microsoft Anti-Spyware), to their current offering, Microsoft Security Essentials (also known as MSE). Along the way Windows Update (once known as Automatic Updates) downloaded and installed the Microsoft Malicious Software Removal Tool (also known as MSRT). Whew! That’s a long and winding road. The good news is that with its current free product, MSE, Microsoft has drawn a bead on malware with a very effective product. Kudos to Microsoft for making MSE freely available. MSE is not bundled with Windows so you have to download and install it.
Spyware and Adware

The next step in securing your unknown PC is to identify and prune unneeded processes from the:
- Startup list
- Systray
- Services
- Scheduler

Spyware and adware often lurk in these locations. Typical consumer computers are chock full of unneeded programs, at least a few of which are usually spyware. Use the free program WinPatrol to manage and clean all four of these locations.

The same thought applies to Internet Explorer. You want to review its installed add-ons — Browser Helper Objects (BHOs), toolbars, and extensions. WinPatrol makes it easy to disable and eliminate whatever you don’t want. A typical Windows user’s computer is jam packed with IE add-ons, most of which the users don’t even realize are present.

Cleaning up these four areas benefits performance as well as security.
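Before handing those four locations to WinPatrol, it helps to see what is actually in them. The following read-only script is an added example (not from the article or from WinPatrol) that lists the Run registry keys and Startup folders, the running services, and the scheduled tasks. It deliberately uses schtasks.exe rather than newer cmdlets so it works on the PowerShell 2.0 that installs on XP, Vista and 7; the systray is simply the visible face of these same startup entries and running processes.

```powershell
# Added example, not code from the original article: enumerate the places
# where unwanted programs commonly start, so each entry can be reviewed
# before deciding what to disable. Read-only; it changes nothing.
# Works in PowerShell 2.0 (XP/Vista/7); only built-in tools are used.

function Get-AutorunEntries {
    # Registry Run/RunOnce keys for the machine and the current user.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                # Skip the PS* metadata properties Get-ItemProperty adds.
                if ($p.Name -notlike 'PS*') {
                    New-Object PSObject -Property @{
                        Location = $key; Name = $p.Name; Command = $p.Value
                    }
                }
            }
        }
    }
    # Startup folders: per-user and all-users.
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($f in $folders) {
        if ($f -and (Test-Path $f)) {
            Get-ChildItem -Path $f -Force | ForEach-Object {
                New-Object PSObject -Property @{
                    Location = $f; Name = $_.Name; Command = $_.FullName
                }
            }
        }
    }
}

function Get-RunningServices {
    # Services currently running; compare against what this machine needs.
    Get-Service | Where-Object { $_.Status -eq 'Running' } |
        Select-Object Name, DisplayName
}

function Get-ScheduledTaskSummary {
    # schtasks.exe exists on XP and later; CSV output is easy to parse.
    # On Vista/7 the verbose listing repeats its header row per task folder,
    # so drop those repeated header rows and entries with nothing to run.
    schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' -and
                       $_.'Task To Run' -and $_.'Task To Run' -ne 'N/A' } |
        Select-Object TaskName, 'Task To Run', Status
}

"== Registry Run keys and Startup folders =="
Get-AutorunEntries | Format-Table Location, Name, Command -AutoSize -Wrap
"== Running services =="
Get-RunningServices | Format-Table -AutoSize
"== Scheduled tasks =="
Get-ScheduledTaskSummary | Format-Table -AutoSize -Wrap
```

Run it once before and once after cleaning up, and keep the first listing: an entry that reappears after you removed it is the kind of persistence the article’s anti-malware pass is meant to catch.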
Software Updates

A key vector through which malware strikes is common software applications that many consumers neglect to keep updated. These include Windows itself, Adobe PDF and Flash video, browsers like Internet Explorer and Firefox, email readers like Outlook and Outlook Express, media players like RealPlayer, and other widely-used applications. You need to update software to the latest fixes to ensure security going forward.

Start with Windows and download and install all possible Microsoft updates. What’s available will depend on your Windows version and release. If you have a computer that has not been used in a while, you might find that Windows updates come in several waves (groupings), each of which will be applied and require a reboot before the next wave of updates. It’s not unusual to spend a very long day downloading and installing Windows updates on a neglected computer.

One big issue to consider in revitalizing Windows is whether and when Microsoft ends support for the version of the product with which you’re working. Windows XP is in the midst of Microsoft’s de-support process. Other Windows versions are already de-supported. If this concerns you, check the discussion in my previous article on the larger issues of selecting operating systems for refurbishing. (This article assumes you’ve already decided to secure Windows and helps you do it.)

After Windows Update, move on to updating common programs. While you’re at it, verify that the “automatic updates” option is enabled for each. Or for better control, consolidate and manage all application updates through the Windows Scheduler.

If you have many programs to update you might run the free Secunia Software Inspector. It detects and reports on out-of-date programs and helps ensure that all “bug fixes” are applied.
Standard Windows Security Settings

Given an unknown computer, you can’t assume that the previous user(s) followed any of the “standard” Windows security advice of which you’re aware. For example, check Share settings for files, disks, and printers; look for well-known security holes that have come up over the years like Windows Messenger or other IM tools; check for remote access through Services like Remote Assistance and Terminal Services; configure Internet Explorer how you normally would in regards to active scripting and similar security issues; disable auto-run for CDs, DVDs, and USB memory sticks; turn off automatic message preview in Outlook; check for bit-torrent shared disks or folders. Whatever you normally change in Windows to secure it for yourself, you must check and set on this computer you’re revitalizing.

Your list of “standard” Windows security settings may differ from what I’ve listed here. The point is that you need to set Windows security settings on any revitalized computer just as you would your own.
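As an added example of turning that checklist into something repeatable (not from the article), this read-only script reports a few of the settings just mentioned against the values you would expect on a hardened machine: AutoRun disabled for every drive type (NoDriveTypeAutoRun = 0xFF), Remote Desktop connections denied (fDenyTSConnections = 1), Remote Assistance off (fAllowToGetHelp = 0), and any non-administrative file or printer shares. The registry values are documented Windows settings; the selection is illustrative, and you would extend the list with your own standard items.

```powershell
# Added example, not code from the original article: report a handful of
# "standard" settings so they can be checked on a machine you know nothing
# about. Read-only. The registry value names are documented Windows settings;
# the list is illustrative, not complete. Works in PowerShell 2.0.

function Get-RegValue($path, $name) {
    # Returns $null when the key or the value does not exist.
    if (Test-Path $path) {
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($item) { return $item.$name }
    }
    return $null
}

function Test-StandardSettings {
    $checks = @(
        @{ Item = 'AutoRun disabled for all drive types'
           Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
           Name = 'NoDriveTypeAutoRun'; Expected = 255 },
        @{ Item = 'Remote Desktop (Terminal Services) connections denied'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
           Name = 'fDenyTSConnections'; Expected = 1 },
        @{ Item = 'Remote Assistance requests disabled'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
           Name = 'fAllowToGetHelp'; Expected = 0 }
    )
    foreach ($c in $checks) {
        $actual = Get-RegValue $c.Path $c.Name
        # A missing value ($null) means the Windows default applies, which
        # for all three items is the less secure setting, so it reports as
        # not OK rather than being silently skipped.
        New-Object PSObject -Property @{
            Setting  = $c.Item
            Expected = $c.Expected
            Actual   = $actual
            OK       = ($actual -ne $null -and $actual -eq $c.Expected)
        }
    }
}

function Get-NonAdminShares {
    # Shares other than the administrative defaults (C$, ADMIN$, IPC$, ...).
    # Win32_Share covers shared folders and shared printers alike.
    Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Name -notmatch '\$$' } |
        Select-Object Name, Path, Description
}

"== Standard security settings =="
Test-StandardSettings | Format-Table Setting, Expected, Actual, OK -AutoSize
"== Shared folders and printers (non-administrative) =="
Get-NonAdminShares | Format-Table -AutoSize
```

Any row with OK = False, and any share you did not create yourself, goes on the list of things to change through the normal Windows dialogs before the machine is put back into service.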
Anonymization

I call the process of removing all reference to previous users of a system anonymization. Some don’t consider anonymizing an unknown computer worth their time. After all, it doesn’t affect their use of it. Others consider it essential. For example, what if the previous owner illegally downloaded music, software, movies, photographs, or pornography? You want to make sure this stuff is fully eliminated from the computer before you use it or pass it on to someone else. Here I’ll just hit the highlights of how to anonymize Windows.

First, securely delete the data files owned or created by previous users. If the users followed the convention of storing their files in the My Documents or Documents folder, it will be trivial to locate and delete them. The Windows Search function makes it easy to find data files of a particular type stored elsewhere, such as photographs, videos, music, Office files, etc. Be sure to delete other obsolete large files like *.zip archives and *.iso disk images.

Use programs like Eraser to securely delete files by over-writing them. Another option is the last free version of BCWipe. Remember, if you don’t over-write a deleted file, it could possibly be retrieved later by someone using the proper un-delete utility. This is because the Windows delete / empty Trash sequence just removes a directory pointer to a disk file. It does not affect the file’s contents on disk. So that file could be un-deleted with the proper tool until Windows re-uses its space at some random point in the future.
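To show what “securely delete by over-writing” means at the file level, here is an added example (not code from the article, Eraser or BCWipe). It assumes an ordinary file on a local NTFS or FAT volume, where writing through an open handle rewrites the clusters the file already occupies; it does not reach other copies of the data (backups, shadow copies, the page file), which is why the article still recommends a final whole-disk wipe of unused space.

```powershell
# Added example, not code from the original article: overwrite a file's
# contents with random bytes before deleting it, which is the essence of what
# Eraser and BCWipe do per file. Assumption: an ordinary (not compressed,
# encrypted or sparse) file on a local NTFS/FAT volume, so that writing
# through the open file rewrites the clusters it already occupies.

function Remove-FileSecurely {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [int] $Passes = 3
    )
    $file = Get-Item -LiteralPath $Path
    if ($file.IsReadOnly) { $file.IsReadOnly = $false }   # allow the overwrite
    $length = $file.Length

    $rng    = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buffer = New-Object byte[] 65536

    for ($pass = 1; $pass -le $Passes; $pass++) {
        # FileMode::Open (not Create/Truncate) keeps the existing allocation,
        # so the writes land on the same disk clusters as the original data.
        $stream = [IO.File]::Open($Path, [IO.FileMode]::Open,
                                  [IO.FileAccess]::Write, [IO.FileShare]::None)
        try {
            $remaining = $length
            while ($remaining -gt 0) {
                $rng.GetBytes($buffer)
                $n = [int][Math]::Min([long]$buffer.Length, $remaining)
                $stream.Write($buffer, 0, $n)
                $remaining -= $n
            }
            $stream.Flush()
        } finally {
            $stream.Close()
        }
    }

    # Rename to a meaningless name before deleting so the original file name
    # is not left behind in the directory entry, then delete it. Deleting
    # only removes the directory pointer, as the article explains; the
    # overwrite above is what makes the contents unrecoverable.
    $newName = [Guid]::NewGuid().ToString('N')
    Rename-Item -LiteralPath $Path -NewName $newName
    Remove-Item -LiteralPath (Join-Path $file.DirectoryName $newName) -Force
}

# Demonstration on a constructed sample file in the temp folder.
$sample = Join-Path $env:TEMP 'secure-delete-demo.txt'
Set-Content -Path $sample -Value ('previous owner data ' * 2000)
Remove-FileSecurely -Path $sample -Passes 2
"Removed: " + (-not (Test-Path $sample))
```

Because this works one file at a time, use it (or the tools the article names) for the identified data files, and still run the full free-space wipe at the end: files deleted the ordinary way by the previous owner are already in unused space and can only be covered by overwriting that space as a whole.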
In the United States, law enforcement uses full-disk scanning software that will find files on disk that have not been securely deleted (over-written). The American courts generally consider that any files found on the computer belong to the owner. So if you pick up an unknown computer and do not find and securely delete any illegal files, as the new owner you are considered liable for those files.

You’ll want to delete the old user accounts and replace them with your own set of user logins. Each new account should have an appropriate authorization level. Make sure all the passwords you create are good ones — long strings, mixing together characters, digits, and special characters, with both upper- and lower-case alphabetics. Ensure that Windows presents a mandatory login screen upon start-up. (I get so many donated computers that let anyone into Windows merely by turning on the computer.)

While it’s easy to delete old users and their files, it’s more difficult to remove previous user information from application configuration files and to find and delete all their profiles. Be sure to securely delete their email if it’s stored on the computer. Most difficult of all is ensuring that all reference to the users is removed from the Registry. You might be able to use Windows Registry Editor to search for their logins and names to remove their Registry references. Or you might find this process next to impossible. It all depends on their previous use of the computer, and the applications they installed and configured.

Some items you need to find and securely delete to remove all trace of previous users include temporary files, temporary internet files, histories, cookies, flash cookies, DOM storage, recently typed URLs, autocomplete form history, search autocomplete, most recently used (MRU) lists, log files, and Index.dat files. Windows even keeps a list of all the web sites anyone using the computer ever visited. This can be found in either one or two locations, depending on whether Internet Explorer auto-complete is enabled.

CCleaner deletes most of this tracking data. CCleaner is a free program but it automatically installs the Yahoo! toolbar on Internet Explorer — as far as I can tell, without asking. If you prefer to avoid this you can download an older version of the program that eschews this behavior from FileHippo here. Couple CCleaner with PurgeIE for Internet Explorer users, or its equivalent for Firefox users, PurgeFox. Both are free for 15 days of full use and cost $19.95 thereafter. The free program MRU-Blaster deletes all most-recently used traces.

My favorite approach to anonymization is to delete all possible traces of previous users of the computer — remove user accounts and their profiles, delete their files, run the Disk Cleanup utility, CCleaner, PurgeIE or PurgeFox, and do a Registry scan and edit. Then run Eraser or BCWipe one time as the final step in the process to fully over-write all unused portions of the disk and securely delete any “deleted” files. Finish up by running the Windows defragmentation utility on the disk to increase performance.
Summary

Securing mature Windows computers takes some time but is not especially difficult. You can do it with free software. In this article I’ve hit the highlights of how to do this to reuse mature computers and keep them in service. Securing Windows is vital for any computer that changes hands should the new owner keep the existing Windows install.

Because of rootkits and like technologies, you can never be theoretically certain that an unknown Windows computer you clean up is completely secure. Only wiping the disk and cleanly installing an operating system absolutely guarantees full security. But from a practical standpoint, the procedures in this article ensure adequate security for normal situations.

Anonymizing Windows is easy on a surface level, but requires real expertise if your goal is to be completely thorough. Many consider anonymizing of limited concern, so I’ve only treated this topic superficially here. But keep in mind you really do want to securely erase the previous owner’s data files, because these might contain illegally downloaded music, videos, photographs, software, or pornography.

Next month I’ll describe how to performance tune unknown Windows XP systems. This will be based on my new guide that covers all Windows versions, How to Tune Up Windows. Meanwhile, please comment and share your own techniques for securing and anonymizing mature Windows systems.

Howard Fosdick (President, FCI) is an independent consultant who specializes in databases and operating systems. His hobby is refurbishing computers as a form of social work and environmental contribution. Reach him at contactfci at the domain name of sbcglobal (period) net.
Previous Articles in this Series:
Smart Reuse with Open Source | How refurbishing defeats planned obsolescence
Scandal: Most “Recycled” Computers Are Not Recycled | What happens to many “recycled” computers?
How to Revitalize Mature Computers | Overview of how to revitalize computers for reuse

Other Resources:
How To Secure Windows and Your Privacy | Free e-book tells how to secure Windows (July 2008)
How to Tune Up Windows | E-book tells how to performance tune Windows (March 2010)
Install it in a virtual machine within Linux and restrict its access to the Internet. Problem solved.
While I keep mine more or less behind two firewalls, I still appreciate that you are willing to address methods to secure Windows instead of “throwing it away” in favor of Linux or Mac OS X or some BSD.
I’ve always said if properly configured (and this does not assume that I agree or disagree with what you’ve addressed in your article) Windows is solid and relatively safe. It’s a good operating system. Every operating system is good tho’ to me, so take that with a grain of salt.
Anyways, my point is that I appreciate that you aren’t just slamming Windows, but working WITH it in this article.
And if this doesn’t make sense, forgive me, I am on my second martini.
While I keep mine more or less behind two firewalls, I still appreciate that you are willing to address methods to secure Windows instead of “throwing it away” in favor of Linux or Mac OS X or some BSD.
This is exactly what I thought when I saw the article: this is exactly the kind of things I’d love to see more here, and I love the fact that it’s not about bashing something but instead trying to make the best out of whatever you have!
While Linux or BSD or [insert-your-favorite-here] might be a better or more secure choice than Windows the fact remains that they won’t suit everyone and there’s always bound to be someone who wants Windows. Thus it’s better to show how to make Windows more secure and not just resort to forcing your own preferences on others.
Good work, and keep it up!
I would like to point out:
that firewall are needed, but over 80% of the attacks nowadays come from the browser/user/email, not over the network where the packet-filtering firewall lives.
True. That comes down to caution and common sense and perhaps some plugins that warn about sites, etc.
I would argue that Microsoft Security Essentials is more than sufficient for almost all end users – it does what it needs to do, it doesn’t use weird kernel mode hooks, it scores well on the tests and when coupled with an alert and aware end user the experience can be secure and reliable with minimum fuss and bother.
I second that, it is great to see an article that isn’t senselessly bashing Windows or some other operating system for that matter – the problem is that the bashers tend to be able to make wordy essays but none of it is based on reality – I’m gradually working my way through a book on Windows 7 kernel changes and other low level system features, if the Windows critics read at least half the book I have I think their view of Windows would change dramatically.
I am with you there! I’ve been saying that for over a year (as others have). Some serious work has gone on, and is continuing.
Well, let’s see if they got rid of the most obvious flaws : is a web browser still part of several GUI rendering operations (including that of critical control panel applications) ? Do applications still have absolute access to user files without asking ?
Browser engine/backend rendering some UI components, that is becoming more commonplace in most modern applications. That’s not the same as hitting sites that host malware or what-not from a web browser application.
File protection can be tightened easily. The somewhat lax default settings are still a result of older dependencies that Microsoft has been slow to eliminate – the old “backwards compatibility” issues.
It’s the old story of trying to move the platform forward without isolating a whole heap of customers – I only hope and dream that maybe Microsoft will put its foot down and make the changes even in the face of much protest from the unwashed masses. It bugs me something silly that an organisation who has a million dollar private jet consider upgrading a software title from an incompatible version to the latest one as ‘not part of requirements for the core operations of the company’.
The big mistake was the compromise they made in Windows 2000; they should have forced upon the market an operating system with no compromises from day one and accepted that the transition would be slow rather than compromising for the sake of keeping a few whiners happy.
With that being said we can’t go back in time and change history so Microsoft is doing their best to meet that balance – having given Windows 7 a go it is definitely the step in the right direction that will hopefully translate into a small evolutionary step forward with Windows 8 and future releases.
Edited 2010-09-07 07:45 UTC
They did, to a degree: UAC. Notice how everyone whined about it?
It’s a good measure to tell people (and developers, directly or by proxy) that there’s something wrong with their apps, so there’s pressure on devs to minimize the problems that lead to UAC notices (and they did), while not breaking ancient, unmaintained legacy apps (they just get a tad annoying, hopefully pushing users to plan to migrate off of them eventually).
Windows 8 or 9 might do away with UAC, _finally_ breaking those ancient apps (or transparently pushing them in a sandbox – that already starts in Win7 with the namespace virtualization), while giving everyone a chance to fix things in the meantime.
That’s what I like with Windows or Solaris: Their maintainers care about compatibility, while planning how to move forward with hacks like these to push people in the right direction. (Sadly on Solaris it’s less so since they started with OpenSolaris)
On Linux, you simply get changes thrown at you, forcing you to cope _immediately_ with them (or lack new features because to update, you’d have to update libfoo, which requires udev no older than x.y, which requires you to switch the device detection mechanism, which … and so on) – that model is good for 0.0.x versions, where experimentation happens, but I really despise it for “mature” systems (such as those I’d like to work with daily)
But the poor communication explaining UAC to the average user didn’t help either; if the average user knew that the UAC could be avoided if the software vendor actually updated their software then you might see the end user putting the hard word on software by pestering them.
True, but even with Apple they’re pretty fair with their transition; the only things I’ve seen broken on movement between different versions of Mac OS X are vendors using private frameworks that should never have been used in the first place.
Agreed; and worse comes when there is no smooth transition from one to the other; you can put in the older way of doing things but then a whole heap of interoperability problems rear their ugly head.
Edited 2010-09-07 10:56 UTC
Solution: Install a LTS (Long Term Support) Linux distribution with a back-ports repository.
Here are two candidates:
http://distrowatch.com/?newsid=06030
http://distrowatch.com/?newsid=05334
You will not then have to contend with any of the problems you claim, yet the installations will be supported (with security updates but not necessarily feature updates) for a long time into the future (at no cost other than a bit of Internet bandwidth).
PS: On Linux, you do not have to install updates immediately, or indeed at all if you do not want to.
http://ubuntuforums.org/showthread.php?t=541173
Edited 2010-09-07 11:44 UTC
Exactly.
That it has become common isn’t an excuse for introducing this security flaw. Especially when we know that Microsoft started it all, in the Windows 98 days, as an attempt to keep IE bundled in their OS.
Having a web engine handling critical things is fundamentally a mistake, in my opinion. That’s because as time passes, web standards get more and more bloat… complete, and just about nothing is ever removed. Consequently, web browsers become in turn more and more complex, which in developer’s terms mean more lines of code. When you have security in mind, more lines of code means a less trusted program, because more exploitable flaws can be around here due to human error.
As IE keeps getting overtaxed with features, like any modern web browser, chances are higher that one day, we’ll see the control panel asking us about administrator password in an unusual place. And the average Joe will give it. And disaster will occur.
Or am I wrong ?
So Microsoft has some plans for ditching the old user/admin paradigm and finally introducing some tightly sandboxed security model that doesn’t let user files exposed to the first unprivileged malware which comes around ? If it’s true, that’s truly great ! I envisioned that as one of the killer features of my hobby OS, and am glad that 90% of the desktop/laptop computer market will get this major improvement in security too. Many thanks to Microsoft for planning to fix that hole !
Edited 2010-09-07 19:21 UTC
Tuishimi:
http://blog.linuxtoday.com/blog/2010/04/junk-cyber-crim.html
Werecatf:
In and of itself this is perfectly correct.
However, IMO, it is downright dishonest not to point out to people that virtually all the malware that exists targets only Windows, and that therefore any malware at all that one is ever likely to encounter will only be a threat to one’s machine if one is running Windows.
Other OSes are way more secure, there is virtually no chance of one encountering any malware that can target other OSes, and using other OSes is just as easy (or as hard, for that matter) as Windows, and anything that an ordinary user might want to do with their machine can be done, and done well, by good programs available for no cost under other OSes.
Bill Shooter of Bul:
Oh yes, this is very very true. It takes ages to try to repair a compromised Windows system, it is a boatload of work and time, and quite often it is not successful.
This should be emphasised over and over. Only if one’s time is worth nothing should you consider trying to re-instate a broken/compromised Windows installation. In comparison, booting a decent Linux distribution LiveCD and installing a full Linux desktop with a complete suite of applications takes only thirty minutes or so.
Edited 2010-09-07 07:12 UTC
Assuming 100% hardware support, which is not always the case.
Indeed. Happily, it is exceedingly easy to test first before installing … just boot a Linux LiveCD and check out that all the hardware works. It should for most systems.
If we are talking about refurbishing older computers, as is the subject of this thread, then if an older Windows machine has been compromised, and it is necessary to re-install the OS, then for most cases this will only be possible if one has available ALL of the original CDs for the machine itself (e.g. motherboard drivers CD), for the OS, for all of the peripherals (e.g. printers), and for all of the applications. Without all of those, re-installation is not possible.
Given the state of many home computers, in many cases, it is far more likely that installing Linux would be achievable, but re-installing Windows not.
Downloading drivers is not hard. The only times you have to look out for a difficult machine is Windows XP machines using SATA hard drives. Usually the motherboard is emulating IDE and XP will install from any disc, but in the case of Dells like this, the SATA drivers were slipstreamed into their custom XP disc.
Regardless, most OEM machines come with a hard drive recovery accessible via a special key before boot, and if the original MBR is gone, you can use GParted to set the boot flag on the hidden partition which forces the OEM recovery to run.
edit: In five years of full time repair work I have had to install Linux on a machine only once (a pirate copy of Windows with no way to repair the install). Any machine that came with Windows can run Windows. Statements like “Given the state of many home computers, in many cases, it is far more likely that installing Linux would be achievable, but re-installing Windows not.” are idiotic. Changing a system known to work on the machine to a foreign system that may yield compatibility (if not at least usability) problems is no good way to be reducing workload. The idea is to remove problems, not remove them and replace them with totally unrelated, new problems that keep you coming back to the job week after week (“I bought a webcam, it doesn’t work.” “I tried downloading Skype—Windows version—and it didn’t work.” “I can’t find my files…”).
Edited 2010-09-07 10:18 UTC
Not so. Simply not so.
Every time I have been asked to re-instate a borked Windows machine, being a home machine belonging to an ordinary Windows user, said user has been unable to supply all of the installation CDs. Every single time.
In some cases, it has been possible to wipe the machine and get it working again with full drivers (via online downloads … this takes ages and ages, and is fraught with error). In many cases, however, without the installation CDs, this has not been possible.
Testing the exact same set of machines with a Linux LiveCD has shown me that Linux works 100% on more machines than those on which Windows can be 100% restored.
So if you don’t mind … that makes my claim real-world-factual rather than idiotic.
In my experience (using Linux since 1995) a Windows machine that boots to Safe Mode is infinitely more useful than even the latest Ubuntu distro.
Linux is for servers. Forever.
How so? I use Ubuntu as my main OS and have very few problems with it. I may just be lucky (most of my hardware happens to be reasonably well supported in Linux) but I actually find it less problematic than Windows, and certainly more usable than Windows booted in safe mode.
I can’t agree. There is software in many cases that either is worse or just unavailable in Linux (for example). To be fair a lot of software is also better on Linux, that’s why I use Linux as my primary operating system.
However, one has to appreciate that Windows has its uses. My co-workers predominantly use Windows, and I need to interoperate with them. This means I need to have Windows installed in a virtual machine to do things involving Word, PowerPoint and Excel (OpenOffice tends to eat my work-mates’ spreadsheet files, so I kindly no longer inflict this on them). Although highly subjective, I also find PowerPoint much easier and faster to use than the OOffice equivalent. Additionally, I release some cross-platform software for Windows now and again, so I have to test it.
Another point: a member of my family has the need to use some specialized tax software, which is unavailable for Linux. Linux for them would unquestionably cost them more time than it would save, so it is untrue to say that you should only repair/continue to use a Windows installation if you don’t value your time.
One is always entitled to an opinion, but it helps if you can back it up with solid examples rather than just stating an unsupported opinion.
What you are talking about for Office software is actually format lock-in. Stated fairly, you actually mean that Windows is far less interoperable with other platforms than other platforms are interoperable with Windows … Windows Office software chokes far worse over OpenDocument (ODF) files than OpenOffice in handling MS Office files. OpenOffice handles MS Office files far, far better than MS Office handles OpenOffice files.
Solution: if you need a group of workers collaborating and exchanging Office data, simply install OpenOffice on all machines. If you need a central collaboration repository, use Alfresco and not Sharepoint. Headache-free. Significantly cheaper, too.
http://en.wikipedia.org/wiki/Alfresco_%28software%29
As far as financial/accounting applications go, there are plenty of personal financial applications available for Linux. Moneydance is perhaps the best of them:
http://en.wikipedia.org/wiki/Moneydance
http://www.moneydance.com/features
http://moneydance.com/faq
Here is a more objective look (in that it has actual facts) at the various solutions for desktop financial/accounting applications:
http://en.wikipedia.org/wiki/Comparison_of_accounting_software
Anyway, once you have a TXF file exported from your personal finance application, you can use any browser in conjunction with TurboTax Online.
http://www.tax-preparation.com/
My bold.
Enjoy.
Edited 2010-09-07 10:43 UTC
OpenOffice deals with OpenOffice files better than MS Office. MS Office deals with MS Office files better than OpenOffice. That’s a reason to use Windows if you have many MS Office files around. Telling everyone to switch to OpenOffice doesn’t work in all cases (consider legacy documents). Again, unconvincing argument, sorry.
It’s not even related to what I said. I said it would most certainly cost them more money than it would save to switch to another format. Your argumentation isn’t even on the same topic, it even demonstrates you didn’t read what I wrote.
Let me recap so you can maybe take another stab at this: format lock-in is a reason to use Windows.
You have every right to dislike this concept, but unless you can refute it you’ll have to admit that there are reasons to use Windows.
It is indeed very often touted as a reason to use Windows. People without imagination or current knowledge of the capabilities of Linux desktop applications quite often believe that using Linux is not a viable alternative for them.
My point is that this is changing. Legacy MS Office documents and application installations cannot seamlessly interoperate with current versions and formats of MS Office. The current .docx format is not a standard (requirement for interoperability) of any kind (it is NOT ISO 29500), and it is next to useless for interoperability.
http://en.wikipedia.org/wiki/ISO_29500
A single-platform, single-vendor format-lock-in application is the very worst choice imaginable for any kind of Office interoperability/collaboration … even insofar as interoperability with legacy and touted future versions of the same product.
Save yourself and your company an absolute fortune, both now and for future (incompatible) upgrades, get off the Office treadmill, and install OpenOffice everywhere.
It is, after all, fully supported by some very heavy hitters in the IT industry, and many large organisations have already saved millions by using it in preference to MS Office …
http://ulyssesonline.com/2009/09/14/ibm-replaces-microsoft-office/
http://www.lostintechnology.com/how-to/replace-your-office-suite-wi…
http://technocrat.net/d/2006/8/31/7344/
http://www.ilovefreesoftware.com/16/windows/business/office/ibm-lot…
http://www.zdnet.co.uk/news/desktop-apps/2005/06/23/indian-openoffi…
http://www.zdnet.co.uk/news/application-development/2005/01/19/fren…
http://computerworld.co.nz/news.nsf/news/FE73A77E2BB96F21CC25742500…
http://www.israelnationalnews.com/News/News.aspx/55243
http://tech.blorge.com/Structure:%20/2008/10/25/openoffice-v30-…
http://www.guardian.co.uk/technology/blog/2010/aug/26/local-governm…
(These are just a very few recent examples).
OpenOffice has over 20% installed base measured in some markets. That is no small beans.
Format lock-in is an excuse for some frightened IT staff (who know nothing but MS software) to continue to recommend MS office to their organisations, but organisations in the know are already starting to move to OpenOffice in large numbers. Very large numbers. Savings of millions can be made, ongoing year after year savings, and that is a very powerful motivator indeed.
For reasons of sovereignty over their digital data, some governments around the world have begun to mandate OpenDocument format, and this is also a trend that is starting to gain significant momentum. (Proprietary formats mean that governments do not really have control over digital data stored in such formats, and governments can become beholden to a sole-source supplier. For most governments, a sole-source foreign supplier at that. They don’t like that at all).
Au contraire, I showed that there exist perfectly viable options on Linux for every single use case that you explicitly mentioned, including Office files interoperability and collaboration, and tax lodgement software.
Edited 2010-09-07 13:31 UTC
You just did it again. I’m saying that SOME people use Windows because it hosts the programs that are able to best read their data, which cannot be transformed in a satisfactory way to another format.
The world is a big place, sometimes people can use Linux to great effect, sometimes not. Vice-versa for Windows. There is a place for both, and people make their own choice to use Windows if they want, possibly for very good reasons.
My personal choice of OS is Linux, but I place no judgement on such individuals who use Windows, as it would be incredibly arrogant of me to do so.
Of course. My point is that on many occasions Windows is chosen not for good reasons but through ignorance of any alternative. This is particularly the case in the “refurbished PC” scenario with ordinary users use cases.
I make no judgement of people also. Not everyone is in a position to make the best choice for themselves. Because information about real, viable and perfectly cost-effective alternatives to Windows (particularly in the arena of refurbished PCs) is very difficult for most people to become aware of, it is beholden of us who know about potential alternatives to point them out.
Hence my point that Linux is a perfectly viable, usable, secure, cost-effective solution (particularly in the arena of refurbished PCs) in far, far more cases than most people realise.
It is just that people in general don’t know much about Linux.
The right thing to do then is tell them, so that they realise they do have a choice other than Windows.
Edited 2010-09-07 14:04 UTC
OpenOffice has between 10% and 20% installed base. “Legacy documents” and indeed “Office files” include OpenDocument files.
You are correct in saying that: (a) OpenOffice deals with OpenOffice files better than MS Office, and (b) MS Office deals with MS Office files better than OpenOffice, but you omit mention of the fact that (c) OpenOffice deals with MS Office files much better than MS Office deals with OpenOffice files.
Given that OpenOffice has between 10% and 20% installed base (depending on the market), point (c) is very much a serious flaw in MS Office that is only a minor problem in OpenOffice.
Do indeed consider legacy documents vs current versions of MS Office and OpenOffice, and also consider legacy versions of MS Office vs current formats of MS Office and OpenOffice … OpenOffice supports interoperability better.
Edited 2010-09-07 13:53 UTC
From Combofix.org
Download combofix and Smitfraudfix, both are great tools and offer a lot, great way to start working on heavily infected Windows computers. I also recommend Super antispyware.
I wouldn’t advise a normal person to hit a machine with Combofix. The tool’s great but it can very easily mess a machine up.
Adding entries to the hosts file also does wonders.
http://www.mvps.org/winhelp2002/hosts.txt
That’s cool, thanks for that!
Spybot s&d (in the article) will add almost 15,000 entries to your hosts file.
That is if you let it.
If you do that, you will have issues with DHCP and performance due to every site needing to be looked up in a huge file.
Don’t add the entries to the HOSTS file. DNS changes instantly, and this will not protect you against the fast-flux attacks that are so popular these days. Also, for this protection to be effective, you’d need to update daily and have 200,000+ domains.
What if you have to blacklist entire IP ranges? HOSTS fails here. DNS does not.
Configuring a DNS sinkhole service on a local DNS server, however, is a much more scalable and efficient option that will work once for your network, and will be updated at least daily!
Here’s a PDF on how to do it, step by step:
http://www.whitehats.ca/downloads/sinkhole/DNS_Sinkhole_installatio…
Or use OpenDNS. You can configure it to block malware sites, spyware sites, adware sites, even gambling or pr0n if you wish.
I can recommend it!
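The HOSTS-file versus DNS-sinkhole difference argued over in the posts above, as an added example that is not from the thread: it parses a constructed hosts.txt-style list, shows that a HOSTS file only matches the exact names it lists while a resolver sinkhole zone also covers every name under it, and emits the matching dnsmasq lines (dnsmasq’s `address=/zone/ip` option is real; the sample list, domain names and helper functions are constructed for illustration).

```python
"""
Added example (not from the thread): HOSTS blocklist vs DNS sinkhole semantics.
A HOSTS file matches only the exact name it lists; a sinkhole zone on a local
resolver (dnsmasq 'address=/zone/ip', a real option) answers for the zone and
everything below it. The sample list below is constructed, not the MVPS list.
"""
import ipaddress

SINK_IP = "0.0.0.0"

# Constructed sample in hosts.txt style: "<ip> <name> [# comment]".
SAMPLE_HOSTS = """\
# constructed sample blocklist
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # inline comment
0.0.0.0 www.bad-example.com.
192.0.2.10 intranet.example    # a real mapping, not a block entry
"""


def normalize(name):
    """DNS names are case-insensitive; drop whitespace and a trailing root dot."""
    return name.strip().lower().rstrip(".")


def parse_hosts_blocklist(text):
    """Return the names a HOSTS file pins to a sinkhole address (0.0.0.0 or loopback).

    Lines pointing at any other address are ordinary host mappings and are ignored;
    'localhost' is skipped so the standard loopback line is not read as a block.
    """
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                                # malformed address, skip the line
        if not (ip.is_unspecified or ip.is_loopback):
            continue
        blocked.update(normalize(n) for n in names if normalize(n) != "localhost")
    return blocked


def hosts_blocks(blocked, qname):
    """HOSTS semantics: exact match only, so any new subdomain slips through."""
    return normalize(qname) in blocked


def sinkhole_blocks(zones, qname):
    """Sinkhole semantics: the zone and every name beneath it get the sink answer."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in zones for i in range(len(labels)))


def hosts_to_sinkhole_zones(blocked):
    """Derive sinkhole zones from a HOSTS list (constructed rule): fold a leading
    'www.' into its parent so the whole domain is covered; keep other names as-is."""
    zones = set()
    for name in blocked:
        if name.startswith("www.") and name.count(".") >= 2:
            zones.add(name[4:])
        else:
            zones.add(name)
    return zones


def dnsmasq_config(zones, sink=SINK_IP):
    """Emit dnsmasq lines; one 'address=' entry covers an entire zone."""
    return [f"address=/{z}/{sink}" for z in sorted(zones)]


if __name__ == "__main__":
    blocked = parse_hosts_blocklist(SAMPLE_HOSTS)
    zones = hosts_to_sinkhole_zones(blocked)
    for q in ("ads.example.net", "cdn.ads.example.net", "bad-example.com"):
        print(f"{q:22} hosts={hosts_blocks(blocked, q)!s:5} "
              f"sinkhole={sinkhole_blocks(zones, q)}")
    print("\n".join(dnsmasq_config(zones)))
```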
This is only legal if you are the original licensee.
You cannot pass on a Windows license. Any new purpose/computer owner/user needs a new license, legally.
Ernie Ball uses Linux on all their workstations and servers because MS sued them for 5 figures, and refused to let them simply pay for the new license (they didn’t even know that it wasn’t permitted by the license terms).
Yeah.
I left Windows behind 3.5 years ago.
Don’t miss it.
Nonsense.
I know, isn’t proprietary software silly?
Huh?? What are you smoking? Of course you can transfer the license, and in fact OEM licenses are transferable, as they go with the machine they came with, not a specific person. Volume licenses are different of course, but both Retail and OEM are transferable.
Yeah, sure. Tell it to the judge… Or just read the EULA.
According to the EULA, you can. The Judges have already proven that in courts.
What happened with Ernie Ball was multiple instances of the same software installed, not transferring it. Different scenario than what you had claimed.
http://news.cnet.com/2008-1082_3-5065859.html
Old news, and one company that did the right thing when they got pooched by Micro$haft.
Wait, what are you saying? That it is possible to run a successful and internationally respected business without MS products? Heresy! We all know that you can’t do business without MS Office, Exchange and Windows. Right? Right??
Clearly this is some kind of OSS zealot conspiracy to end capitalism.
Do I detect a note of sarcasm here?
http://www.dailyfreshnews.info/1672/google-replace-windows-with-lin…
http://www.technewsworld.com/rsstory/68441.html?wlc=1283843958
http://www.neoseeker.com/news/5436-ibm-will-not-use-windows-vista-b…
I guess my sarcasm detector wasn’t broken (and I knew the original poster was being sarcastic).
My post here is only to make the sarcasm clear to people who may not have picked up on it, and who may have thought the original comment was serious.
Dude, I _am_ serious.
I unrar enough files that the proprietary rar is a basic necessity for me, and I have flash on one machine.
Other than that, I’m 100% free software, to my knowledge.
I just can’t abide restrictive licensing terms. I own this computer, I don’t want to rent software.
http://www.7-zip.org will extract rar.
Reliably? And those with passwords?
I’ve not had good luck with free extractors in the past, but only with the .rar format.
I’m not saying you’re wrong, not at all, just making sure. I use an all-archive-formats extractor front-end called atool (aunpack is all I’ve had great luck with, apack seems less reliable) but I’m sure I could hack it into working with 7zip as an unrar program.
Not MS’s fault if the IT staff doesn’t know the difference between an OEM license and a normal license…
…and if you change out the mobo it’s considered a new computer.
If you change out enough components, I think MS considers it another machine.
Wasn’t it an issue with at least Vista that a main HD change constituted a ‘new computer’ by their licensing terms and WGA would kick in and shout at you?
…or did I dream that last bit.
I do know the first is true, absolutely.
While I thought some of the past articles in the series were interesting, useful in some cases even, I can’t say the same about this one. Really, it’s a losing battle trying to “secure” (if you can actually call it that) a compromised Windows machine. It cannot be trusted, as is stated in the article–period. And you have to go through hell, hours of it, just to even get that “feel-good” sense of accomplishment. It’s just not worth the time and effort. Especially for the types people this series seems to be targeting, people who are new to and unfamiliar with the inner workings of computers.
IMO, the first step should almost always be to wipe and start over anyway–especially for those less experienced users. If that means bending over to get the serial number off your machine, going to its manufacturer’s web site and getting their phone number, and then calling it to ask for a set of OS install discs to be sent in the mail (most likely for a heftier-than-should-be charge), then that’s what should be done first. Otherwise, try to look for the original disc set (if you have them) or look into Linux for older hardware (as was described in previous articles in this series).
I just see no reason anyone who needs to know (ie. doesn’t already know) all this stuff mentioned in the article should have to go through this long, tedious and (potentially to them) confusing process. Installing an OS tends to be a much simpler process, as long as it’s an “easier” Linux/BSD distro or the OEM version of Windows from the computer’s manufacturer. The “official” Microsoft versions of Windows will likely leave a less experienced user, and hell, even experienced users in some cases, with headaches (not to mention cost a hell of a lot more, if you don’t already have a copy). All thanks to the fact that most of the time OEMs put hardware in their machines that aren’t supported by a bare Windows installation without first installing third-party drivers.
Edited 2010-09-07 00:38 UTC
Thanks for the article. But I cannot understand the reasoning behind most of the comments here.
I still don’t believe Linux supporters live with historical anecdotes of Windows, but not the current reality. Linux is a secure OS, as long as you take care (many servers are hacked each year). And the same is true for Windows. Do not look at home users to judge Windows security, since their (hypothetical) Linux root password would be ‘abc123’ anyways (or whatever simple thing passes the installation requirements).
I’m sorry, but one must be insane to reuse an existing Windows installation … a malware-infested OS is *already compromised* and may lead to further compromising of the future user’s data. The Windows license key can be obtained via an appropriate application and reused in a clean installation. That is a far better thing to do IMHO.
Besides – if it really is an old machine, then why would you ever use Windows on top of it? It will only degrade in time, slow down and make your work crippled. There are so many valuable OSs these days, so you should – at least – reconsider available options.
However – I suppose that the OS-related critics are not especially in place here because it’s about refurbishing an old PC with Windows, so I will just shut up
I have done what the article talks about countless times. Sometimes successful, sometimes not successful. It’s a lot of work. A lot. It really stinks to spend 12+ hours trying to do this and fail because the viruses are more exotic than you think. The antivirus that does remove it won’t work on the OS. The updates to the OS service pack won’t work because it conflicts with an existing app / crashes with the motherboard. Like I said, I’ve done this many many times. I’m sick of wasting all of that time.
New procedure:
1) Try installing Ubuntu/Fedora depending on which one installs. Use that.
2) If not, then reinstall Windows if possible.
3) If that fails, remove usable parts for other computers (hard drive, memory, video card, ethernet card, network card, etc.) and send to recycling center.
12 Hours?
I fix consumer’s PCs for a job. The average job is 2 hours—in, cleaned up, secured, done. I have it down to a fine art.
Windows computers are all that’s being sold in shops for the price range and that’s not going to change. Especially now that all machines are coming with Windows 7, the problems are greatly minimised.
What some are simply not willing to accept is that Windows does the job well enough for the majority and can be secure with the simplest of software—user caution given.
All a Windows machine needs is:
a) Decrapify the craplets
b) MSSE
c) Firefox + AdBlock, Foxit Reader
That’s it. The user’s router will have a firewall and the Windows firewall will suffice. Since after Blaster32, I have never seen a machine infected through the firewall. 80%+ of infections are coming through Flash+PDF. Wake up people times have changed.
You see, both of us have some valuable points. It’s true that the terrible Windows XP malware-infested computers are gone to some extent, but there are new problems which you probably already know of if you read IT security news:
1. DLL loading problem / vulnerability
2. Windows ‘link’ vulnerability
3. flash vulnerabilities
and so forth. Most of them have critical status which means that the end user is almost completely helpless. No matter what security mechanism/software he’s using on his Windows machine – he will probably get infected anyway – sooner or later, but it will be there eventually.
So yes, the times have changed, but I’m afraid it’s a change for bad, not for good. MS Windows – as the biggest target – gets $@#$%# all the time and now it’s easier than ever before to get infected and robbed of your data.
Nope, 12 hours. I’ve spent 12 hours trying to decrapify/repair some PCs. (Note these were PCs that were really in the wild at internet cafes in third world countries, but I’ve spent an equal amount of time on donated computers as well. Sometimes the most difficult malware is the corporate installed malware.)
It’s that first step “Decrapify” that takes the longest. You really are naive if you’ve never met a virus you couldn’t remove with anti-virus of any kind (much less free anti-virus tools, they seem to be worth what you pay for them).
I’ve met every worst nightmare of a rootkit you can imagine. Granted, I did say that average job is 2 hours. If ComboFix can’t scrape the rootkit out then I just format and re-install which still takes the same amount of time as a decrapify.
If I understand well, he needs 12 hours because he tries not to wipe Windows out of the disk. A noble task, actually. Didn’t know it was even possible.
The last rootkit I had to remove manually took about 5 hours (lots of NTFSDOS and rebooting), so yes, it’s far from practical compared to wiping and installing Linux. I however personally feel that replacing Windows with Linux just changes the problem, rather than solving it. Fixing someone’s car by replacing it with a tank does solve the problem, sure, but now they have to learn how to drive a tank.
Permit me to fix that car analogy for you
(Otherwise, I agree with you, though once the learning problem has been overcome, people generally feel more at ease in their new tank *AND* don’t have the parking issue anymore. Then, as others pointed out in this thread, comes the hellish update issue…)
Edited 2010-09-07 20:26 UTC
I consider it like requiring those with a Drunk driving charge to check their Blood alcohol levels before being allowed to drive again.
Their needs are 1) web browsing and 2) document creation/editing. Linux does that very well and pretty easily while preventing them from harming themselves or others.
Edited 2010-09-07 20:53 UTC
While my job no longer entails anything to do with end users, I agree with you 100%.
On my own windows machines at home I just add MSE and ensure the firewall is turned on. I also use foxit reader – not for security but because Adobe sucks. Hard.
Actually Adobe is the shining example of previously functional software that is now so bloated that anything is better. And their security sucks.
Morglum
The only way to have a secure machine is to uninstall Windows.
Seems a bit weird considering it’s the best tool available now. Surely it would have been an idea to review it before writing the article?
The article says
Is it not the “MSE” you are referring to?
“You’ll want to delete the old user accounts and replace them with your own set of user logins. Each new account should have an appropriate authorization level.”
Is as close as you get to telling people to use limited user accounts for day-to-day usage. I don’t even bother installing anti-malware apps on most PCs as most browser entry vector malware doesn’t elevate it’s privileges sufficiently to do any damage on a limited user account.
Except for on Windows 7 where the default UAC level means that any non-elevated exploit can instantly elevate without prompt.
Agreed. It was a surprise to me that he didn’t go into that in much more detail. Part of my deinfestation process of infected PCs is setting up a limited user account and then educating the user on its use (and non-use of the Administrator account). Everyone I’ve done that for has remained malware-free since.
He also mentions setting an Administrator password, but leaving it blank can be an option on a 1-user PC, as this automatically disables network access to that account.
In my opinion, education is a mandatory step when improving the security of computers. The sole thing we can do is reducing the amount of data which the user has to learn.
There will still be some people who look for all-technological solutions to the security issue, of course, and this is fine because it can make the teacher’s life easier. But do not expect this to ever block basic phishing attacks if you didn’t teach the user to check security certificates when they are on a “dangerous” website (e.g. banking).
Edited 2010-09-08 07:09 UTC
Just a note, none of Piriform’s applications force install Yahoo without a prompt. At the very last stage of the installer they give you a prompt asking if you want to enable this or that, check for updates automatically and “Install Yahoo Toolbar.”
They even have a “lite” version of ccleaner that doesn’t prompt period. The standalone version that can run on a thumb drive also does not integrate in any toolbar addons.
I had to support a PC for my family. No matter what I did, they always managed to get viruses on it. Finally, I went crazy and locked the thing down and it hasn’t had a virus in about 5 years. Here is what I did:
– Create separate partitions for the application/system files and the users’ home directories
– Set all permissions on the application/system partition to read-only
– Set all permissions on the users partition to deny execution
– Set up two anti-virus programs that automatically perform thorough weekly scans late in the morning once per week as well as real-time scanning
This broke many poorly written apps, but it was well worth the effort. I realize that this is not an option for everyone, but for those with this option, I highly recommend it. (Please note that this arrangement worked with Windows XP and is not guaranteed to work well with Vista or Windows 7).
I still want to try this on Linux, I think it would work.
Have a home-directory and possible /tmp without execute permissions (mount with noexec).
I didn’t have a reason to do that yet, Linux has been pretty resilient. But it would be good to lock things down.
I also use luks encryption for my root and /home partitions.
My non-executable home partition was more an idea where non-technical users would not be able to run a script they just downloaded from the internet.