Windows without viruses and spyware? Yes, it's possible

Windows without viruses and spyware? Yes, it's possible

Summary: How do you protect Dad, Grandma, or Little Ricky from viruses and malware? The convention wisdom is to install multiple layers of antivirus and antispyware software and then come back once a month to clean up the mess. That's wrong. Here's my eight-step program for creating a practically bulletproof Windows XP machine.

SHARE:
TOPICS: Malware
74

Walt Mossberg of the Wall Street Journal takes tech questions from readers each week and publishes his answers in Mossberg's Mailbox. In this week's column, he tackles a question I get asked all the time. How do you set up a new computer for a relative who is an enthusiastic Internet user but is naive or technically unsophisticated?

I set my parents up with a new Dell PC, and included antispyware software that I run periodically to clean up the computer. I recently discovered they had more than 200 instances of spyware on the machine. This may be because my 81-year-old father surfs porn sites ALL the time (this isn't a joke). Is there any way to keep his computer bulletproof and safe?

OK, first of all, Dad's probably more typical than you might think. Grandma probably doesn't visit a lot of porn sites, but teenage boys and old men probably do (and so do a lot of guys in between those ages). Walt correctly notes that visiting these "bad" websites is a surefire way to run into the most aggressive pushers of viruses, Trojan horses, and spyware.

Walt's answer is the same one you'll get if you ask most reasonably experienced Windows users: "[Y]our best option is to switch to a type of antispyware program that blocks the installation and operation of spyware and adware programs as it is happening, rather than waiting until they are installed to clear them out."

Sorry, but I completely disagree with this advice. If this is the best you can do, then plan to come back once a month and clean up the mess. On the contrary, I think it's possible to set up a Windows computer for Dad, Grandma, or Little Ricky and make it practically bulletproof. And it shouldn't take more than about 15-20 minutes.

For the sake of these instructions, I assume you're working with a completely clean, trustworthy installation of Windows XP with Service Pack 2, installed fresh from a clean CD or from the recovery CD that came with the computer. I also assume that Dad's broadband connection is protected with an inexpensive hardware router. If you have even the slightest suspicion that there's any malware installed on the computer, then stop right now. Back up any data, reformat, and reinstall Windows. Then follow these step-by-step instructions:

  1. Open Control Panel, go to User Accounts, and create two brand-new user accounts, both in the Administrators group. Let's call them Dutiful Son and Bad Dad. For the Dutiful Son account, assign a strong, randomly generated, impossible-to-guess password. Write it down in a safe place and don't share it with anyone else. For the Bad Dad account, use no password. (Having no password on this account actually makes the computer better able to resist external attacks.) Delete any other user accounts.
  2. Log on as Dutiful Son, visit Windows Update, and get all Critical Updates. Restart the PC, recheck Windows Update, and install any additional updates. Repeat until you see no more available updates.
  3. Configure Automatic Updates to automatically download and install updates.
  4. Log on using the Bad Dad account. Start Internet Explorer and install all mainstream, trustworthy ActiveX controls that Dad is likely to encounter in daily browsing (Flash, Acrobat, Windows Media Player, iTunes, QuickTime, and so on). Then disable the ability to download or install any additional ActiveX controls. (Step-by-step instructions are here, along with a .reg file that you can download to apply the changes automatically.)
  5. Install a good antivirus and antispyware program, download all available updates, and configure it to automatically retrieve updated definitions. This is a final line of defense only. The other changes you make here should render this protection superfluous for attacks that rely on social engineering.
  6. Open Control Panel, double-click System, click the Remote tab, and configure the Bad Dad account to allow Remote Assistance invitations to be sent. If Dad runs into trouble later, this setting will give you a fighting chance at fixing the problem without having to make a house call.
  7. Log off. Log back on to the password-protected Dutiful Son account and change the account type for the Bad Dad account to Limited.
  8. Log off and log back on to the Bad Dad account.

You're done. Now, when Dad goes off looking for naked pictures of girls who are young enough to be his great-granddaughter, he won't be a virus victim waiting to happen. If he uses Internet Explorer, any ActiveX prompt will be completely blocked and he'll be unable to approve its installation no matter how convincing the pitch is. If a website or a virus-infected email offers to download an executable program, he'll be unable to install it. In short, you'll have protected him (and his PC) from himself.

Now go through and install any software that Dad needs. If you think he'll be safer using Firefox, go ahead and install it, making sure to add any necessary plug-ins. If Dad has a favorite piece of software that won't install in a Limited account and instead requires Administrator privileges, find an alternative. Whatever you do, don't give him the password to the Administrator account.

Topic: Malware

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

74 comments
Log in or register to join the discussion
  • Good avice until....

    "If Dad has a favorite piece of software that won't install in a Limited account and instead requires Administrator privileges, find an alternative."

    Much, much easier said than done.
    pkstephens
    • Do you want to be safe?

      Look, if a user cannot be trusted to resist visiting bad websites and installing spyware, than they can't be trusted doing anything that requires administrator privileges. Period. If more users ran with Limited user accounts, there would be a lot fewer security problems and there would be a lot more pressure on software developers to fix the programs so they work without requiring admin rights.
      Ed Bott
      • The limited accounts under xp are half baked

        under an XP limited accout I can make files but not erase them. Resently I've been switching OS's and have been getting used to a file system that assigns ownership specific to each file & folder on the pc and its behavior regarding other groups. The same can be said of other sytem resources/devices. If you own a file you should be able to manipulate it or destroy it to your hearts content.
        Hrothgar - PCLinuxOS User
        • Not normal behavior

          I can't tell you what's going on with your system, but I can tell you with certainty that a Limited user has Full Control over all files he/she creates in his/her profile.

          The only way this would be a problem is if you're running under a Limited account and trying to save files to an external drive that was created by another user.
          Ed Bott
          • Icons on my 5 year olds desk top...

            She made a game of filling the screen with them. I used my account to trash them. I changed nothing when I activated it I did it so she wouldn't accidentally install games from nickjr or cartoon network or even neopets.
            Hrothgar - PCLinuxOS User
          • Sorry, I don't follow that

            If she put the files there, she can delete them. So can you, if you log on using her account credentials. So what are you saying here?

            Does she have a limited account? Did she have an Administrator acount when the icons were created? Did you reset her account type at some point?
            Ed Bott
          • Clarification

            Her account was limited
            I tried deleting them initially in her login.
            I tried by highlighting the icon/s to be deleted and hitting the delete key I was told I couldn't due to a lack of permission.

            If this case is not the norm thats fine. It may have been some other issue that cause the refusal of the system to delete the icons in question. I'm not a tech but thats how I interpreted the responses.

            I enjoyed loading and (on purpose) destroying win95a up to 6 times a day to learn windows and I'm enjoying the challenge of learning linux.

            The some in the linux crowd can be at times be obnoxious enough to turn away the otherwise curious. However, MS will no longer be supported in my household.

            ps I am excitedly waiting on your next linux test. PCLinuxOS would be a good one to try.
            Hrothgar - PCLinuxOS User
    • My experience with restricted rights accounts

      [i]If Dad has a favorite piece of software that won't install in a Limited account and instead requires Administrator privileges, find an alternative.[/i]

      Since this is all about getting the best results with least effort, may I suggest that giving Bad Dad write access to the Program Files\BadlyWrittenApplication directory will work for 90% of BadlyWrittenApplications and it only takes a few seconds. If that doesn't fix it, you might need to give "Bad Dad" write access to BadlyWrittenApplication's registry entries which would only take a couple minutes. In my experience, trying these 2 things will fix 99% of BadlyWrittenApplications within a couple minutes and is far easier than finding an alternative program (and [b]certainly[/b] faster than installing Linux, Wine, Crossover, etc.!!).
      NonZealot
    • My "Solution"

      I use this on the kids PC...

      Deep Freeze.

      Excellent product, bullet proof, relatively cheap.

      I created two partitions. One is the systems partition and is fully protected. The other is their partition where they can save their games or whatever they want and isn't protected.

      Get a virus...who cares...just reboot.
      rkuhn040172
  • yes it can be possible you use something else

    :)
    Quebec-french
  • So Ed, you don't think....

    ... that there is any mileage in Firefox or Thunderbird as opposed to IE and OE?
    bportlock
    • Of course I do

      That's why I mentioned Firefox in the wrap-up. But in the setup I outline here, all of the risk vectors for IE and OE have been eliminated. The user with a limited account with ActiveX disabled cannot install a virus, Trojan horse, spyware program, or rootkit. But if you want suspenders with that belt, go ahead and replace the browser and email program.
      Ed Bott
  • Or...

    I know everyone gets tired of hearing this, but I still believe that these types of users are a perfect fit for Linux.
    30otsix
    • Why?

      In this case, Dad has a computer that runs Windows just fine. He probably has some software that will run on a Limited user account as well, plus some hardware that may or may not work with Linux. His only problem is he doesn't understand security.

      So why should I wipe his hard disk, install an operating system he knows nothing about, and make some of his investments in software and hardware null and void? Especially if I can do this eight-step program in less than 20 minutes and eliminate virtually all his security issues?
      Ed Bott
      • I agree, to late now.

        But I was referring to:

        "I set my parents up with a new Dell PC, and included antispyware software that I run periodically to clean up the computer."

        It was at the above point in time that Linux would have been a good consideration.
        30otsix
      • Sunk money

        [i]make some of his investments in software and hardware null and void?[/i]

        Your conclusion may be correct, Ed, but this argument is totally bogus. It's like saying that I shouldn't buy a car because of my vast inventory of buggy whips.

        Sunk money is sunk money be it software, hardware, or undevelopable land. Your proposed solution, for instance, would wipe out the value of any investment in various antispyware tools.

        The value of something is [i]at most[/i] what it would cost to get the same results, and it really doesn't matter if your father paid a wad for Trumpet TCP/IP.
        Yagotta B. Kidding
        • Dad just wants to browse the web

          The computer is already set up. Everything works. He knows how to use it. Why throw all that away when it's so easy to fix?
          Ed Bott
          • Apples and Green Apples

            "For the sake of these instructions, I assume you're working with a completely clean, trustworthy installation of Windows XP with Service Pack 2, installed fresh from a clean CD or from the recovery CD that came with the computer."

            This is a very huge assumption and not an easy one to guarantee. To be absolutely sure you would have to be an expert or just do the clean install at which point its apples to apples.
            30otsix
          • Linux = Hammer

            I find it amusing that every single post on this blog attracts the Hammer crowd ("When all you have is a hammer, everything looks like a nail", who insist that the cure for every problem is Linux.

            Fine. But lots of people know Windows, are comfortable with it, and don't want to learn a new OS. Nor do they need one.

            But go ahead and keep pounding away with that hammer.
            Ed Bott
          • Well Ed...

            [url=http://www.desktopbsd.net/]This would be[/url] an even BETTER solution, more like the wrench to secure the loose nuts! LOL ]:)
            Linux User 147560