Ask Slashdot: Securing a Windows Laptop, For the Windows Newbie?
madsdyd writes "I am a long-time user of Linux (since 1997) and have not been using Windows since 1998. All PCs at home (mine, wife's, kids') run Linux. I work professionally as a software developer with Linux, but the Windows installs at my workplace are quite limited, so my current/working knowledge of Windows is almost nil. At home we have all been happy with this arrangement, and the kids have been using their Nintendos, PS2/3's and mobile phones up until now. However, my oldest kid (12) now wants to play World of Warcraft and League of Legends with his friends. I have spent more hours than I like to admit getting this to work with Wine, with limited success — seems to always fail at the last moment. I considered an Apple machine, but they seem to be quite expensive.
So, I am going to bite the bullet, and install Windows 7 on a spare Lenovo T400 laptop, which I estimate will be able to run both Windows 7 and the games in question." Read on for more about the questions this raises, for someone who wants to ensure that a game-focused machine stays secure.
madsdyd continues: "Getting Windows 7 from a shop is surprisingly expensive, but I have found a place where they sell used software (legally) and can live with that one-time cost. However, I understand that I need to protect the Windows installation against viruses and malware and whatnot. The problem is, I have no clue how. One shop wants to sell me a subscription-based solution from Norton, but this cost will take a huge dip into my kid's monthly allowance — he is required to cover the costs of playing himself, so given that playing WoW is not exactly free, this is a non-trivial expense for him. On the other hand, he has plenty of time, so I guess he could use that time to learn something, and protect his system at the same time.
How do other Slashdotters provide Windows installations for their kids? What kind of protection is needed? Are there any open source/free protection systems that can be used? Should the security issues be ignored, and instead dump the Windows install to an external disk, and restore every two weeks? Is there a 'Windows for Linux users' guide somewhere? What should we do, given that we need to keep the cost low and preferably the steps simple enough for a 12-year-old kid to perform?"
How did you learn? By making mistakes. Let him run his Windows 7. With admin rights. If he gets viruses, trojans, adware, malware, so be it. If he needs to reinstall every 3 months as you probably did when you had Win 95, so be it. That's how he'll learn.
If your machines have the power for it, you may be able to get away with running Windows in a VM. Install everything, get it set up properly, then snapshot it and restore to that point at the end of every gaming session. It's one fairly sure way of keeping Windows safe.
1) Install a free antivirus program like Microsoft Security Essentials or AVG. Most free antivirus programs are close enough to paid software as long as you pick the better ones.
2) Run the computer's network through a filtering program or DNS server like OpenDNS with the filtering option enabled.
3) Limit user account for kid. Install the software he needs for him. This would be a major improvement in security with limited hassles as it's usually the user that is the cause of many security issues.
Bonus) Occasionally keep a backup image of the hard drive. If the computer does get infected, it's easy and faster to recover from.
...one word: Proxy.
Run your kid's network connection through it (enforce it via the home router if necessary), and whitelist what he is allowed to visit. Here is an example of how to set up SQUID to do that.
That by itself will knock out virtually all threats from the network.
As for the machine itself, install CCleaner and AVG (which IMHO is among the least intrusive of the A/V solutions), maybe tweak RDP so you can sniff around in there from time to time remotely w/o his knowledge, and that should cover practically everything you really need to protect and control your kid's computer.
Quo usque tandem abutere, Nimbus, patientia nostra?
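A minimal Squid allowlist of the kind the comment above describes, as an added example that is not from the original thread. The LAN range, port, file path and listed domains are assumptions.

```conf
# /etc/squid/squid.conf -- allowlist-only proxy (added example).
# Assumed values: listening port, LAN range, allowlist file path.

http_port 3128

# Clients allowed to use the proxy at all (assumed home LAN range).
acl localnet src 192.168.1.0/24

# Domains the child's machine may reach, one per line in a separate file.
# A leading dot matches the domain itself and all of its subdomains.
# Constructed sample contents of /etc/squid/allowed_sites.txt:
#   .example-game.test
#   .example-school.test
acl allowed_sites dstdomain "/etc/squid/allowed_sites.txt"

# Only permit HTTPS tunnels (CONNECT) to port 443.
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports

# Rules are evaluated top to bottom and the first match wins:
# LAN clients may reach listed domains, everything else is refused.
http_access allow localnet allowed_sites
http_access deny all
```

With a default-deny list like this, the domains used by Windows Update and the antivirus product also have to be listed, or the machine stops receiving patches and signature updates.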
By the time anything comes down to local limited user vs rewt, you've already lost the security battle. So what if kernel32.dll is safe, when all of your programs have every right to destroy all of your files anyways?
That is bad advice. Security is all about layers. If the first level of security is breached then you don't just throw your hands in the air and concede defeat. That is like putting a fence around your property and then not locking your doors. The point is to make it as hard as possible for malware to work.
And so what if they can delete your user files. Most malware these days is made to keep your system running so that they can be remote controlled.
No, no, no.
Yes, Windows updates should be set to run nightly and install automatically, firewalls are great, and so is a secure router, but...
Never run two AVs at the same time, no matter how light they are. They will interfere with each other, causing false positives left and right, not to mention your computer will slow down immensely. I like MSE and use it myself, but most AV reports will tell you that it's certainly not the best and usually lags behind on zero-day virus updates. Avast is usually rated the best free AV, however I don't use it for many reasons (you have to re-register it every few months, 6 or 12 don't remember and it's very UI heavy and more resource heavy than MSE). Malwarebytes is also great and free and should be installed alongside your AV. However it's not an active AV, its only purpose is to find what the AVs miss and is not something that has to run 24/7.
Don't install Firefox, install Chrome (or if you want, something like SRWare Iron, which is a Chrome build that removes stuff Google adds to Chrome that might be considered intrusive). Use Adblock Plus (Beta) and ScriptNo (the closest Chrome version of NoScript) if you want. I've never used NoScript myself, but a lot of people swear by it. However, if you really want safety, have your kids only use Windows for games and browse the web on Linux (as previously posted), or have them run the browser in a virtual machine, which is a much better option than running the games in a VM.
Second, the swap file should have its own partition. In *nix this is pretty much dogma, and it well should be in windows as well. Everyone knows that windows loves to fragment the hell out of its own file system, and the windows swap (paging) file is no exception. If you put it on its own partition you will make defragmentation a lot easier later when you have to do it.
Stupid advice, based on an old Unix/Linux myth.
Consider this: What is the paging file actually for? Yes, for swapping out "dirty memory" when the memory pages are needed for something else. The paging file is *not* used like a large video file. It is being accessed *randomly* (non-sequential) *most* of the time.
What is the primary concern with fragmentation? Answer: Excessive head movements.
And you advise users to place the paging file on another partition, all but *guaranteeing* excessive head movement on *each* access to the paging file? The original recommendation to place the swap file in its own partition was that Linux (and most Unixes) fails pretty horribly under low-disk space conditions. I.e. the recommendation was for space management - not for controlling fragmentation.
Fragmentation of the paging/swap file is a non-issue. The OS rarely needs to read more than a few blocks sequentially. Actually, one could argue that the best place for the paging file in a memory-constrained system (where swapping happens a lot) is at ½ disc width - or centered in the partition. If that happens to be interleaved with other files which are also accessed in a random-access pattern - so be it. It is still more optimal.
The *only* files that really benefit from *not* being fragmented are large files that are accessed in sequential fashion or which account for a very large share of all disc accesses (such as a large video file or a database file in a single-instance database server).
If you are concerned that the paging file may grow and shrink and thus cause fragmentation of *other* files, then simply reserve a minimum size for the paging file. If you keep it on the same disc as the OS, then you should definitely keep it in the same partition as the rest of the OS. Now, if you could move it to another physical disc - that would offer a performance improvement - as long as you reserve that disc for paging.
But suggesting to move the paging file into a location where you are guaranteed to *increase* head movements - that is nonsensical. Unfortunately that is a very hard myth to bust.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*