How to secure Windows: System security pre- and post-installation

Information security journalist Davey Winder offers advice on how to secure Windows systems in the enterprise with some pre-installation and post-installation security best practices, such as applying Windows patches and updates.

This tip will be the first of a series of articles on how to secure Windows. Make sure to check back each week for new Windows "how-to" advice.

Windows has garnered something of a reputation with both the media and the IT security industry for being a lot less than perfect. To be fair, it is a reputation well-earned. Windows and related products are designed first and foremost for ease of use.

Everything else, and that includes security, comes further down the feature list. Of course, that is not to say that there aren't numerous things that can be done to improve Windows system security.

How to secure Windows: Preinstallation
Securing Windows really needs to start even before installing the OS. Sounds daft, but stick with me. Barack Obama came under fire during the U.S. presidential election campaign for using the phrase "lipstick on a pig," but that is exactly what installing Windows without giving prior consideration to security issues is like in terms of securing your computer.

Settings can be tweaked all day long after the event, but if you've put Windows on a pig it will just turn into a Windows-powered pig.

Avoid the 'oink factor' by always ensuring the following:

  • The Internet connection must be robustly secured, via a router firewall for example, before installation.
  • Only install Windows onto a clean machine; never upgrade, as this can leave potential permission weaknesses with regard to Windows Registry keys and files.
  • Always make sure the machine is set to boot from the hard drive only, and create separate system and data partitions upon it.

How to secure Windows: Post-installation
OK, once installed, regardless of which version of Windows is in use, there are some security best practice defaults that bear repeating:

  • Apply all hotfixes, patches and updates as a No. 1 priority.
  • Never, never leave a password entry blank and always, always make it a strong one. Administrator accounts are a magnet for malicious hackers, so protect them with the strongest possible passwords.
  • Talking of which, use the Security Policy tool in Windows XP and later versions of Windows to rename the real administrator account to something less obvious, while creating a decoy administrator account that has no group memberships and no real power.
  • If a service is not explicitly allowed, then access to it should be blocked or the service itself disabled. Certainly disable file and print sharing for Microsoft networks (NetBIOS and SMB services) barring a good reason not to do so.
  • Configure built-in antivirus and malware software, or alternatively, install and configure your own preferred choice in security software. With either choice, be sure to keep the software updated!
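
An added example, not part of the original article: a read-only PowerShell check that reports where a machine departs from several of the post-installation items above (renamed administrator, decoy account, blank passwords, file and print sharing, recent hotfixes). It assumes Windows 10 or Server 2016 and later with an elevated prompt; the function name `Test-PostInstallBaseline` and the 35-day patch threshold are illustrative choices, not values from the article.

```powershell
# Added example: read-only audit of the post-installation checklist.
# Assumes Windows 10 / Server 2016 or later and an elevated prompt.
function Test-PostInstallBaseline {
    param([int]$MaxPatchAgeDays = 35)   # illustrative threshold, an assumption
    $findings = @()
    $users = Get-LocalUser

    # The built-in administrator keeps a SID ending in -500 even when renamed.
    $builtin = $users | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($builtin.Name -eq 'Administrator') {
        $findings += 'Built-in administrator still has its default name.'
    }

    # Decoy: an account named Administrator that is not the -500 account
    # and is a member of no local group.
    $decoy = $users | Where-Object {
        $_.Name -eq 'Administrator' -and $_.SID.Value -notlike 'S-1-5-21-*-500'
    }
    if (-not $decoy) {
        $findings += 'No decoy account named Administrator exists.'
    } else {
        foreach ($group in Get-LocalGroup) {
            $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
            if ($members.SID.Value -contains $decoy.SID.Value) {
                $findings += "Decoy account is a member of '$($group.Name)'."
            }
        }
    }

    # PasswordRequired = False means the account may have a blank password.
    foreach ($u in ($users | Where-Object { $_.Enabled -and -not $_.PasswordRequired })) {
        $findings += "Account '$($u.Name)' is enabled and may have a blank password."
    }

    # ms_server is the "File and Printer Sharing for Microsoft Networks" binding.
    foreach ($b in (Get-NetAdapterBinding -ComponentID ms_server | Where-Object Enabled)) {
        $findings += "File and Printer Sharing is bound to adapter '$($b.Name)'."
    }

    # Get-HotFix lists only some update types, so treat this as a prompt to check.
    $latest = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $latest -or $latest.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
        $findings += "No hotfix recorded in the last $MaxPatchAgeDays days."
    }
    $findings
}

Test-PostInstallBaseline
```

An empty result means none of these checks fired; it does not cover the antivirus, boot-order or partitioning items.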

About the author:
Davey Winder has worked as a freelance technology journalist for nearly 20 years. He is based in South Yorkshire.
