Ask Slashdot: Securing a Windows Laptop, For the Windows Newbie?

madsdyd writes "I am a long-time user of Linux (since 1997) and have not been using Windows since 1998. All PCs at home (mine, wife's, kids') run Linux. I work professionally as a software developer with Linux, but the Windows installs at my workplace are quite limited, so my current/working knowledge of Windows is almost nil. At home we have all been happy with this arrangement, and the kids have been using their Nintendos, PS2/3's and mobile phones up until now. However, my oldest kid (12) now wants to play World of Warcraft and League of Legends with his friends. I have spent more hours than I like to admit getting this to work with Wine, with limited success — seems to always fail at the last moment. I considered an Apple machine, but they seem to be quite expensive. So, I am going to bite the bullet, and install Windows 7 on a spare Lenovo T400 laptop, which I estimate will be able to run both Windows 7 and the games in question." Read on for more about the questions this raises, for someone who wants to ensure that a game-focused machine stays secure. madsdyd continues: "Getting Windows 7 from a shop is surprisingly expensive, but I have found a place where they sell used software (legally) and can live with that one-time cost. However, I understand that I need to protect the Windows installation against viruses and malware and whatnot. The problem is, I have no clue how. One shop wants to sell me a subscription-based solution from Norton, but this cost will take a huge dip into my kid's monthly allowance — he is required to cover the costs of playing himself, so given that playing WoW is not exactly free, this is a non-trivial expense for him. On the other hand, he has plenty of time, so I guess he could use that time to learn something, and protect his system at the same time.

How do other Slashdotters provide Windows installations for their kids? What kind of protection is needed? Are there any open source/free protection systems that can be used? Should the security issues be ignored, and instead dump the Windows install to an external disk, and restore every two weeks? Is there a 'Windows for Linux users' guide somewhere? What should we do, given that we need to keep the cost low and preferably the steps simple enough for a 12-year-old kid to perform?"

Simple

Install Microsoft Security Essentials and forget about it.

Re:Simple

[fluffy99]

Actually I've found MSE to be the least intrusive and most resource sparing of all the windows anti-virus. AVG works well but they nag living hell out of you to upgrade and so do most of the others. Of course I haven't tried any of the paid versions. MSE is free and easy and I figure they built windows so should know how to protect it....I'm sure there are API's that none of the other anti-malware authors know of that Microsoft engineers use.

I agree. it's definitely been the lightest foot print so far for a basic antivirus. Symantec and McAfee are hogs. I ran AVG for a while until it started getting to be resource hungry and missed a common trojan on my wifes computer.

Contrary to what a 1998 level of experience with Window might infer, Windows has gotten a lot more secure. The best protection is good habits and using known safe software. To help avoid infections I would recommend using Chrome or Firefox, as there are still zero-days out there for IE. Avoid crap from Adobe if at all possible. Teach the kids not to install or run random programs from the internet (yea, I guess your safer there on Linux). Install Windows 7 with the UAC enabled and either run the kids with a non-admin account or teach them that the UAC prompt is important, same as you'd do under Linux.

I think you've done yourself and the kids a mild disservice by avoiding windows with such a passion. When they get into the real world, it won't be just WOW that they need to run. It'll be business apps like MS Office, LabView, or something else that's truly Windows-only and having Windows experience (even if they prefer Linux) will be invaluable.

My best windows admin tips come from *nix

[damn_registrars]

I know you asked about securing, but there is more than just security that is often overlooked in windows, that can be learned from the *nix world.

First, don't give anyone admin privileges with their default account. You are just asking for trouble if you do.

Second, the swap file should have its own partition. In *nix this is pretty much dogma, and it well should be in windows as well. Everyone knows that windows loves to fragment the hell out of its own file system, and the windows swap (paging) file is no exception. If you put it on its own partition you will make defragmentation a lot easier later when you have to do it.

MSE is good enough - but teach him to reinstall

[stillnotelf]

Microsoft Security Essentials is the only thing I have running on most of the Windows computers I administer (note: they're XP, not 7). I've never had any problems. Install that and don't worry too much about it. Install noscript on Firefox and tell him not to use IE; that will avoid most of the remaining problems. Let all software autoupdate as much as it wants.

You do want to do two other things. 1) Keep that install disc, and make sure the kid knows how to install Windows himself, plus install his games himself. I think WOW and probably LOL are both cloud-based saves so wiping the HDD is no issue. Reinstalling Windows is generally 1/4 the time and hassle of actually fixing a malware problem.

2) Let him know that he is only likely to get viruses doing things he shouldn't. Drive-by downloads on legit sites are rare. Drive-by-downloads on warez, gold sellers (for WOW), and porn are a lot more common. If he is going to do that stuff (you can't stop him) at least make sure he knows that those are dangerous sites. If his computer is acting funny after visiting one, and a reboot doesn't fix it, then wipe the install.

Re:value of your time

[echnaton192]

Ok. But the basic security steps should be:

1. Use windows 7 64 bit, it is more secure
2. install Windows and create a user you will use for the "root" work. Call ist root, if you like, or boss orbwhatever. Do NOT set a password yet! Search for updates using windows updates. Do not hesitate to install all optional updates. MSIE will end on the machine anyway, so it's best to have the least insecure installed. The optional drivers are propably crap, but they're better then the generic drivers that came with Windows. Install updates. Reboot, install updates. Reboot, install updates. This is the most annoying part, but eventually, Windows update, when asked to search for more updates, will report it has none in store for you. Phew.
3. If it didn't install already, install MSE.
4. in order to work correctly in games, you will now need to install the latest drivers for the video card and for the soundcard. Do not rely on the optional windows drivers for these two components, replace the ones you got in step 3. These are the important drivers that get glitchy in games. First place to look is NOT the producer of the laptop, but the producer of the chips that are used in the laptop for sound and graphics. Google for it. Only if step 4 breaks it, try the producer of the laptop for drivers. Only if the producer of the laptop has no drivers and the drivers from the producers of the chips break the installation, repeat step 1-3 and omit step 4.
5. install the desired games and software
6. Install chrome or Firefox. Chrome might be a bit more secure. Install a PDF reader.
7. Install PSI from secunia in order to keep the update-hell in check. Run it once to check if everything is up to date.
8. Now set up the account of your son as a normal user, give him a password. Now give the root account a password, as you will soon expose the laptop to your son the real world, not just a few sites.
9. Backup and setup a backup-routine.

Give your son the computer and the password for root. Explain to him that it is his responsibility to doublecheck if a program is OK to run with Admin-privileges. From time to time, make him login as root/admin and check if any bad written programs ask for updates and check if PSI complaints about old programs and keep them up to date.

Most importantly: the best antimalware is a brain. Inform him, that he must double-check (with google, for example) that a source of downloadsoftware is reliable if he downloads software from the internet. If something sounds too good to be true, it propably is.