Data Security on Windows Machines?

mcskoufis asks: "I am running my own company from home, offering various Internet related services to customers. I have rented a server which runs Linux and there are no current security or performance problems. However, because I cannot afford to have a business site with several geeks investigating into network security, I have some sensitive data on my Windows box at home which need to be safe from malicious marketers/kiddies having fun/etc. More and more marketing companies are working on very dirty tricks to gather email addresses and also turn windows (mainly) machines into mass mailing servers without the owners knowledge. With the latest worm attacks and also the sophistication of them, I feel even more and more vulnerable each day. Bearing in mind the fact that it is impossible to switch to Linux at home for a number of reasons and also that because of the business I need to be online 24/7/365 what the Slashdot community suggest as the best way to have a secure environment for my data while using Windows? Anti-virus software has proven to be not enough and firewalls create problems while performing daily business tasks on the server from home."

A few ideas

[DetrimentalFiend]

Now I don't really know how much this would help, so please correct me if I'm wrong, but maybe it'd be helpful to work in a normal user account. Most people that I know in the windows world just log in as administrator for daily work, but that seems kind of like working as root in Linux. Now, I understand that user security isn't as strong in Windows, but I wonder if you could lock it down enough that programs wouldn't install without your knowledge.

Besides that, good virus software (we've got McAffe at work and are happy with it), using the firewall capabilities of XP (if you have it), and not using Outlook (if you can) would be good ideas. If you're really paranoid, and know how to configure it well, a Cisco pix box may add a little more security too.

About your issues with firewalls disrupting daily activities on your server, you should look into VPNs. PPTP is very simple to set up, but has problems with man in the middle attacks. IPSec can be a pain to get working with windows, but it is possible. SSL tunnels probably would be the best way to go, and they're not too hard to set up.

Get a "Work" workstation

[duffbeer703]

Buy a cheap computer that is strictly for business. Don't let your wife or kids on it and don't install games or surf for pron on it.

I'd also suggest buying a smart card reader and storing all of your private keys on the card.

I've done this for years.

[HotNeedleOfInquiry]

Set up a Windows server. No users, just file service. Don't let anyone use it, don't install more than a bare Windows installation. Set its network protocol to Netbeu or IPX *only*. Very important *no* TCP/IP. Don't let anyone muck with it.

Set your user machines to both TCP/IP and Netbeu or IPX, depending on which the server is set for.

Set your firewall to only allow mail, http, https and whatever else might be essential.

No guarantees, but like I said, it's worked for me for years.

Pull the cord.

[molo]

If you really want it to be secure, de-network it. No ethernet, no modem, no wifi. Use another machine for network connectivity and put the data you want to take over (that is known to be clean) on a floppy or cd-r.

Then get some good locks and a security system. Nothing trumps physical security.

-molo

What I use..

[zcat_NZ]

Internet (ADSL) firewalled by a FreeBSD server. Linux could do the same job. I also have spamassassin+amavis+clamav scanning my mail, and I keep all my files on a samba share, which is backed up to another server via a cron job.

The only two windows machines on my network are actually my kids games machines (Windows, because there's very little good educational software for Linux yet!)

I've replaced Outlook and Internet Explorer with FireFox and ThunderBird. I've also got open-office installed. Original files, drivers, and games CD's are all on the Samba server. Anything they type up or scan in gets saved on the Samba server. If anything weird happens to the Windows boxes, I simply nuke-and-pave.

I haven't had any problems with Viruses or anything yet, but the kids don't tend to download stuff or share their email addresses too widely.

Not foolproof, but low-maintanence and works

[DaveJay]

Here's what I do to keep my wife's Windows laptop (with sensitive film production information on it) from being hijacked:

1. Up-to-date anti-virus and zonealarm firewall on the laptop;

2. Mozilla and Thunderbird for web browsing and email;

3. A Mitel SME (formerely e-smith) Linux box between the laptop and the internet -- the firewall is very unobtrusive, but effective -- and the distro itself is low-maintenance;

4. No wireless;

5. Important but not commonly updated information backed up on CD-R and removed from the machine (you can't get information off the machine if it isn't there).

Freeware windows security 101

[cgenman]

"firewalls create problems while performing daily business tasks on the server from home"

Not a well-configured software one. It's not as safe as a hardware firewall, but it is a heck of a lot safer than running around with your pants down, not knowing when your machine is connecting and what it is sending. It makes it difficult to connect *to* the machine, but your home winbox shouldn't be a remote server anyway.

Grab ZoneAlarm NOW, and put up with a few extra dialog boxes until it is trained.

Furthermore, good Antivirus software will detect many trojans. Get AVG if you have alredy abandoned your AV of choice.

This must sound like free windows security 101 by now, but get AdAware and / or Spybot, and schedule a regular download / check for once every week.

For encrypting sensitive or old data, you can either use windows built-in encryption (which uses your user password, enable this now if your machine is fast enough) and / or pick up a (non-free) copy of Dekart Private Disk, AKA The Bat! Private Disk, a simple encrypted virtual disk creator. Anything you really don't want people to see should go here... Just remember to shut it down when you're done.

Furthermore, don't use I.E. and don't use Outlook. What many people refer to as "computer" viruses or "windows" exploits are really just I.E. exploits or Outlook viruses. Firebird, I mean, Thun... Firefox is a powerful little internet surfer, which while not as flexible as my beloved Opera (ducks), does render pages faster, is more beginner friendly, and is free. Thunderbird is a good mail replacement, though pegasus mail, Opera's built in e-mail client, and the non-free The Bat! are all good choices. If you want the most security possible, try Secure Bat. At 140 dollars per copy, it isn't cheap, but it does encrypt all of your personal files and utilizes hardware token authentication to ensure that you really are who you say you are.

Finally, don't forget to regularly back up your disks to something not normally connected to the computer. For simplicity's sake, I'd attach an external USB drive and run Polder Backup once a week, removing the drive when done. For a more automated approach, get a PC controllable X10 unit, and have it turn on and off the external USB drive, so that backups can be completely automatic.