Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Securing a Windows Laptop, For the Windows Newbie?

Posted by timothy on from the not-under-my-roof dept.

madsdyd writes "I am a long-time user of Linux (since 1997) and have not been using Windows since 1998. All PCs at home (mine, wife's, kids') run Linux. I work professionally as a software developer with Linux, but the Windows installs at my workplace are quite limited, so my current/working knowledge of Windows is almost nil. At home we have all been happy with this arrangement, and the kids have been using their Nintendos, PS2/3's and mobile phones up until now. However, my oldest kid (12) now wants to play World of Warcraft and League of Legends with his friends. I have spent more hours than I like to admit getting this to work with Wine, with limited success — seems to always fail at the last moment. I considered an Apple machine, but they seem to be quite expensive. So, I am going to bite the bullet, and install Windows 7 on a spare Lenovo T400 laptop, which I estimate will be able to run both Windows 7 and the games in question." Read on for more about the questions this raises, for someone who wants to ensure that a game-focused machine stays secure. madsdyd continues: "Getting Windows 7 from a shop is surprisingly expensive, but I have found a place where they sell used software (legally) and can live with that one-time cost. However, I understand that I need to protect the Windows installation against viruses and malware and whatnot. The problem is, I have no clue how. One shop wants to sell me a subscription-based solution from Norton, but this cost will take a huge dip into my kid's monthly allowance — he is required to cover the costs of playing himself, so given that playing WoW is not exactly free, this is a non-trivial expense for him. On the other hand, he has plenty of time, so I guess he could use that time to learn something, and protect his system at the same time.

How do other Slashdotters provide Windows installations for their kids? What kind of protection is needed? Are there any open source/free protection systems that can be used? Should the security issues be ignored, and instead dump the Windows install to an external disk, and restore every two weeks? Is there a 'Windows for Linux users' guide somewhere? What should we do, given that we need to keep the cost low and preferably the steps simple enough for a 12-year-old kid to perform?"

27 of 503 comments (clear)

  1. Simple by Anonymous Coward · · Score: 5, Informative

    Install Microsoft Security Essentials and forget about it.

    1. Re:Simple by djl4570 · · Score: 5, Insightful

      I second Microsoft Security Essentials. Add Firefox with Noscript. Malware Bytes is highly recommended.

    2. Re:Simple by DeathFromSomewhere · · Score: 5, Funny

      Recommendation for a Microsoft product.

      Not a snarky post about how he should install some obscure linux distro instead.

      (Score:5, Informative)

      WHO ARE YOU PEOPLE AND WHAT HAVE YOU DONE WITH MY SLASHDOT!?!

      --
      -1 overrated isn't the same thing as "I disagree".
    3. Re:Simple by Gaygirlie · · Score: 4, Informative

      Install Microsoft Security Essentials and forget about it.

      It hogs the CPU and makes the disk thrash like a Dickensian schoolmaster. So even if it misses any malware or viruses they won't have time to do anything nasty.

      I don't get anything like you describe and I've been using MSE on all of my laptops and desktop for atleast a year now: it's actually very lightweight compared to all the other AV - solutions, it's very non-intrusive, and I haven't had a single issue with it yet.

    4. Re:Simple by Gaygirlie · · Score: 4, Insightful

      I use MSE, Firefox with Adblock Plus+Flashblock and disable Java in the browser as it's got more holes in it than Swiss cheese. These simple steps have kept me secure so far perfectly well. On the other hand OP's situation is a little as the kid may or may not end up falling for social engineering: how does one protect against that? I'd say actually teaching the kid what social engineering is and how to recognize it is better than relying on a software-solution for that, even though teaching that is a longer project.

    5. Re:Simple by fluffy99 · · Score: 5, Informative

      Actually I've found MSE to be the least intrusive and most resource sparing of all the windows anti-virus. AVG works well but they nag living hell out of you to upgrade and so do most of the others. Of course I haven't tried any of the paid versions. MSE is free and easy and I figure they built windows so should know how to protect it....I'm sure there are API's that none of the other anti-malware authors know of that Microsoft engineers use.

      I agree. it's definitely been the lightest foot print so far for a basic antivirus. Symantec and McAfee are hogs. I ran AVG for a while until it started getting to be resource hungry and missed a common trojan on my wifes computer.

      Contrary to what a 1998 level of experience with Window might infer, Windows has gotten a lot more secure. The best protection is good habits and using known safe software. To help avoid infections I would recommend using Chrome or Firefox, as there are still zero-days out there for IE. Avoid crap from Adobe if at all possible. Teach the kids not to install or run random programs from the internet (yea, I guess your safer there on Linux). Install Windows 7 with the UAC enabled and either run the kids with a non-admin account or teach them that the UAC prompt is important, same as you'd do under Linux.

      I think you've done yourself and the kids a mild disservice by avoiding windows with such a passion. When they get into the real world, it won't be just WOW that they need to run. It'll be business apps like MS Office, LabView, or something else that's truly Windows-only and having Windows experience (even if they prefer Linux) will be invaluable.

    6. Re:Simple by atlasdropperofworlds · · Score: 4, Informative

      Also, do not give the kids administrative user accounts. What people don't know is that Windows 7 is actually a very secure desktop OS. The easiest path into the windows machine is by far via the user. The ASLR implementation is quite good, so even any exploits (such as browser-based ones) fire only occasionally. Apparently windows 8 has improved ASLR, so you can expect the next Win7 service pack to get the same treatment. I have some whitehat contacts, and they all say the same thing: If you want a secure desktop OS, Win7 64bit is the one to get - it's apparently a very tough nut to crack. Couple it with MSE to help cut down on operator-installed worms and you're golden. OSX, on the other hand, is certainly not the best options for security. It remains the least secure desktop OS (though it is still decently secure).

  2. value of your time by Moblaster · · Score: 5, Insightful

    Run it through your regular NAT router setup and tell your kid not to download nasty stuff!

    And consider the educational value of having him get viruses. And the joy of reinstalling the OS.

    Maybe he will appreciate dad's wisdom to date ;)

    1. Re:value of your time by echnaton192 · · Score: 5, Informative

      Ok. But the basic security steps should be:

      1. Use windows 7 64 bit, it is more secure
      2. install Windows and create a user you will use for the "root" work. Call ist root, if you like, or boss orbwhatever. Do NOT set a password yet! Search for updates using windows updates. Do not hesitate to install all optional updates. MSIE will end on the machine anyway, so it's best to have the least insecure installed. The optional drivers are propably crap, but they're better then the generic drivers that came with Windows. Install updates. Reboot, install updates. Reboot, install updates. This is the most annoying part, but eventually, Windows update, when asked to search for more updates, will report it has none in store for you. Phew.
      3. If it didn't install already, install MSE.
      4. in order to work correctly in games, you will now need to install the latest drivers for the video card and for the soundcard. Do not rely on the optional windows drivers for these two components, replace the ones you got in step 3. These are the important drivers that get glitchy in games. First place to look is NOT the producer of the laptop, but the producer of the chips that are used in the laptop for sound and graphics. Google for it. Only if step 4 breaks it, try the producer of the laptop for drivers. Only if the producer of the laptop has no drivers and the drivers from the producers of the chips break the installation, repeat step 1-3 and omit step 4.
      5. install the desired games and software
      6. Install chrome or Firefox. Chrome might be a bit more secure. Install a PDF reader.
      7. Install PSI from secunia in order to keep the update-hell in check. Run it once to check if everything is up to date.
      8. Now set up the account of your son as a normal user, give him a password. Now give the root account a password, as you will soon expose the laptop to your son the real world, not just a few sites.
      9. Backup and setup a backup-routine.

      Give your son the computer and the password for root. Explain to him that it is his responsibility to doublecheck if a program is OK to run with Admin-privileges. From time to time, make him login as root/admin and check if any bad written programs ask for updates and check if PSI complaints about old programs and keep them up to date.

      Most importantly: the best antimalware is a brain. Inform him, that he must double-check (with google, for example) that a source of downloadsoftware is reliable if he downloads software from the internet. If something sounds too good to be true, it propably is.

  3. My best windows admin tips come from *nix by damn_registrars · · Score: 5, Informative

    I know you asked about securing, but there is more than just security that is often overlooked in windows, that can be learned from the *nix world.

    First, don't give anyone admin privileges with their default account. You are just asking for trouble if you do.

    Second, the swap file should have its own partition. In *nix this is pretty much dogma, and it well should be in windows as well. Everyone knows that windows loves to fragment the hell out of its own file system, and the windows swap (paging) file is no exception. If you put it on its own partition you will make defragmentation a lot easier later when you have to do it.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:My best windows admin tips come from *nix by Gadget_Guy · · Score: 4, Interesting

      By the time anything comes down to local limited user vs rewt, you've already lost the security battle. So what if kernel32.dll is safe, when all of your programs have every right to destroy all of your files anyways?

      That is bad advice. Security is all about layers. If the first level of security is breached then you don't just throw your hands in the air and concede defeat. That is like putting a fence around your property and then not locking your doors. The point is to make it as hard as possible for malware to work.

      And so what if they can delete your user files. Most malware these days are made to keep your system running so that they can be remote controlled.

    2. Re:My best windows admin tips come from *nix by benjymouse · · Score: 4, Interesting

      Second, the swap file should have its own partition. In *nix this is pretty much dogma, and it well should be in windows as well. Everyone knows that windows loves to fragment the hell out of its own file system, and the windows swap (paging) file is no exception. If you put it on its own partition you will make defragmentation a lot easier later when you have to do it.

      Stupid advice, based on an old Unix/Linux myth.

      Consider this: What is the paging file actually for? Yes, for swapping out "dirty memory" when the memory pages are needed for something else. The paging file is *not* used like a large video file. It is being accessed *randomly* (non-sequential) *most* of the time.

      What if the primary concern with fragmentation? Answer: Excessive head movements.

      And you advice users to place the paging file on another partition, all but *guaranteeing* excessive head movement on *each* access to the paging file? The original recommendation to place the swap file in its own partition was that Linux (and most Unix'es) fails pretty horribly under low-disk space conditions. I.e. the recommendation was for space management - not for controlling fragmentation.

      Fragmentation of the paging/swap file is a non issue. The OS rarely need to read more than a few blocks sequentially. Actually, one could argue that the best place for the paging file in a memory-constrained system (where swapping happens a lot) is at ½ disc width - or centered in the partition. If that happens to be interleaved with other files which are also access in a random-access pattern - so be it. It is still more optimal.

      The *only* files that really benefit from *not* being fragmented are large files that are access in sequential fashion or which account for a very large share of all disc accesses (such a large video file or a database file in a single-instance database server).

      If you are concerned that the paging file may grow and shrink and thus cause fragmentation of *other* files, then simply reserve a minimum size for the paging file. If you keep it on the same disc as the OS, then you should definitively keep it in the same partition as the rest of the OS. Now, if you could move it to another physical disc - that would offer a performance improvement - as long as you reserve that disc for paging.

      But suggesting to move the paging file into a location where you are guaranteed to *increase* head movements - that is nonsensical. Unfortunately that is a very hard myth to bust.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  4. Let him deal with it by e065c8515d206cb0e190 · · Score: 4, Interesting

    How did you learn? By making mistakes. Let him run his Windows 7. With admin rights. If he gets viruses, trojans, adware, malware, so be it. If he needs to reinstall every 3 months as you probably did when you had Win 95, so be it. That's how he'll learn.

  5. Good luck by __aaltlg1547 · · Score: 4, Insightful

    Your kid might not be satisfied with the way WoW works on an old T400 laptop. Check the graphics specs vs. the game recommendations. And for security, I'd just use Microsoft Security Essentials. It's free, probably works as well as any of the subscription-based anti-virus products and how much do you really care if your kid's game platform gets a virus?

  6. Wine - Get Crossover, But Also Get Windows by vinn · · Score: 5, Insightful

    Two comments -

    1. If you're going to use Wine, go purchase Codeweaver's Crossover version. It's much better than the standard Wine. Plus, you can get a warm fuzzy feeling you're paying to support open source. PlayOnLinux is an option too.

    2. However, do expose your children to Windows. It's what they're going to learn in school and possibly what they'll need in the workplace. (Oh, I'm sure some people would like to point out why I'm wrong, people have been predicting the demise of Windows for decades. It's still the de facto standard.)

    Finally, just go download something like MIcrosoft Security Essentials or Avast for your antivirus. They're free and work.

    --
    ----- obSig
  7. MSE is good enough - but teach him to reinstall by stillnotelf · · Score: 5, Informative
    Microsoft Security Essentials is the only thing I have running on most of the Windows computers I administer (note: they're XP, not 7). I've never had any problems. Install that and don't worry too much about it. Install noscript on Firefox and tell him not to use IE; that will avoid most of the remaining problems. Let all software autoupdate as much as it wants.

    You do want to do two other things. 1) Keep that install disc, and make sure the kid knows how to install Windows himself, plus install his games himself. I think WOW and probably LOL are both cloud-based saves so wiping the HDD is no issue. Reinstalling Windows is generally 1/4 the time and hassle of actually fixing a malware problem.

    2) Let him know that he is only likely to get viruses doing things he shouldn't. Drive-by downloads on legit sites are rare. Drive-by-downloads on warez, gold sellers (for WOW), and porn are a lot more common. If he is going to do that stuff (you can't stop him) at least make sure he knows that those are dangerous sites. If his computer is acting funny after visiting one, and a reboot doesn't fix it, then wipe the install.

  8. Relevant story from two weeks ago by neile · · Score: 4, Informative

    What free antivirus do you install on windows

    Install Windows Security Essentials and you'll be fine. Seriously, it's not like by putting Windows 7 on a computer your house is immediately going to be invaded by zombies dragging every virus or malware known to man. Install WSE (or one of the other recommendations from the above thread), run with standard (not admin) rights, and that's pretty much all you need to do.

    Neil

  9. Re:Well, do it, but... by magic+maverick+ · · Score: 4, Insightful

    "Any snooping should be in the open and agreed upon beforehand."
    Exactly. Any it doesn't matter if the child looks at porn. That's what teenagers do. Even better, find some sites with some non-extreme porn (no violence, and even no insults at the women) so that the child doesn't think that fucked up things are normal. It's not normal to insult and hit a women (unless she wants you to). Hell, maybe even just some naked pictures, no need to show sex at all.

    --
    HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!
  10. Unable to meet all requirements.... by Raxxon · · Score: 4, Insightful

    You want to keep the laptop secure. You want a 12 year old to use it. You want it to run Windows.

    There is no solution. There will always be security risks and in some cases a negative time-frame to deal with them. Doesn't matter how good your AV is or what utilities you put on there, if it's connected to the Internet and there's a user at the keyboard then it is inherently insecure.

    Now, how "secure" do you need it to be? If you're ok with putting that laptop on a separate subnet from everything else and teach the kiddo to do a proper update check every couple of days you should be able to mitigate most of the 'risk'.... but that seems a bit much to ask.

  11. I don't believe you. by Zombie+Ryushu · · Score: 4, Informative

    WoW runs perfectly under Wine, even under a dirty prefix, and has for like 5 years, maybe longer. League of Legends you must clean Prefix, and install dx9, dotnet2.0, and vcrun2008. Then LoL will work. I know from experience that this shit works.

  12. Re:Well, do it, but... by Austerity+Empowers · · Score: 4, Insightful

    He said his son is going to play WoW. That means visiting WoW sites, and possibly WoW guilds. This means he'll be exposed to keyloggers, malware and other crap. While I agree it's better to avoid the whore than to wear the condom, but if you know you're going to visit the whore anyway better suit up. Also, and I know many parents particularly on slashdot don't agree with me and that's fine, but my children get privacy once they reach majority and move out and establish financial independence. Until then their lives are my business.

    If your son is going to play wow, make sure he has two factor authentication enabled. Especially important is to make sure he sets his email password differently than his game password (or better yet, you sign up for his account with one of your disposable email accounts, and let him create the battlenet account).

  13. You want a windows appliance eh? by RandomFactor · · Score: 4, Insightful

    Translating - you aren't a windows guy, and you aren't going to become one for this, but you don't want to waste time reinstalling every couple of weeks or listen to your kid crying his account got hacked.

    With that premise

      - Set Windows updates to nightly download and install automatically.
      - MSE (AV from MS) is fine, oddly enough. Its even light enough you can run a second one such as Avast! if you wish.
      - NAT router in front assumed
      - Leave the Windows Firewall on, don't enable file sharing
      - Install Firefox, make it the default browser, load two addons - NOSCRIPT and AdBlock Plus. Remove the IE icon from the desktop.
      - Council the kid that this is NOT his general internet browsing/use machine. It is dedicated for the games. Continue to browse etc. on the systems you know how to maintain.

    With the above, you have no cost, minimal maintenance and the machine is very likely to stay secure for years.

    --
    --- Mercutio was right.
  14. Re:Well, do it, but... by maxwell+demon · · Score: 5, Interesting

    Any it doesn't matter if the child looks at porn.

    Maybe. But then do it from a Linux computer. There are obviously plenty of them available in that household. There's no need to allow it from the Windows computer which is the one most likely infected by malware from those porn sites.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  15. Re:Well, do it, but... by ifiwereasculptor · · Score: 5, Funny

    find some sites with some non-extreme porn (no violence, and even no insults at the women)

    Good luck, that's a small niche. You'll probably have to film it yourself. By the wa, if it comes to that, I don't know if trying to disguise or hide your face on camera is worth the hassle, but if you find it isn't, then there's no reason not to do a live show for the kid. Might be alittle awkward, but the opportunity for an improptu Q&A session offsets that.

  16. Re:Well, do it, but... by Anonymous Coward · · Score: 4, Interesting

    Actually, porn sites tend to be among the safest as far as malware is concerned. You're more likely to catch an infection from your local church website. [http://daltondailycitizen.com/national/x1968178697/Unprotected-sects-Church-websites-more-likely-to-have-viruses]

  17. Re:IT'S A TRAP !! by madsdyd · · Score: 4, Informative

    Submitter here:

    Step 1: There is no windows to uninstall. There are literally no Windows installations in this house, (and actually never have been, as we built the house in 2004, but that is another story). The kid in question - my 12 year old son - does run Linux (Kubuntu 12.04) and uses e.g. Scratch from MIT for programming, libreoffice for school work, minecraft for, well, minecraft and so on, and so on. Oh, and he runs his own minecraft server.

    But, no, I can't get WoW and LOL to work with/under Linux (neither can he). Starting point is some semi-old laptop (not the T400, which have just become available recently), running Kubuntu 12.04. Been through various permutations of Wine, Crossover and some "just install this, guaranteed to work, autoinstall Wow" permutation of crossover (I think, have forgotten the details). For all, it looks as "the right thing" happens, but eventually it turns out something or other does not work, e.g. the system is left for 24 hours to download the last 1% and it just does not happen. I think the last approach we tried, we ended up installing a US version (?) and beeing in Europe, this apparently (eventually) failed to start. Or something. I have lost count of the hours we have used. I simply can not make it work, and I do not know any persons that can. I could possibly hire someone to do it, but I have no idea if it ends there. What if all his friends plays "FunkyNewGame" next year, that only runs under Windws? What then? Make no mistake: I consider Windows in this context simply a console, much like the PS3 - but a console that needs a lot more handhelding than the PS3 (And, I understand that WoW does not run on the Xbox).

    Now, beside that I personally have other things to use my time on, all this fidling is also a very frustrating experience for my kid. I do not expect you to understand this, especially not, if you have no kids, but he gets his hopes up high, and sort of thinks his dad is "the shit" for finally making this work, and then, after 4-5 hours of reading, installing, downloading, and whatnot, it just does not work. And, another day/week/month has gone by with him still not beeing able to play WoW/LOL with his friends. So, as I stated, I am going to bite the bullet and get Windows. For this particular purpose. (Oh, and possibly to reprogram the properitary house control system of this house, which was the only legal option to install, according to Danish Law, when the house was built - but again, that is another story).

    You may argue that my linux skills are inadequeate because of this - you may be perfectly right. The sad truth is then, that my Windows skills are even worse.

  18. Windows for Linux users, advice by JackDW · · Score: 4, Informative

    I maintain a machine much like the one to be used by your son. You are right to give up on trying to get these games working in Wine. Even if you succeed, the next patch might break it. It creates an unreasonable amount of recurring effort, which you can avoid entirely for the cost of an OEM Windows licence, which is really, really cheap in comparison. Sure, this is not what Stallman would say, but then he does not support PCs for a family.

    Here are some suggestions:

    1. Windows 7 on a new laptop.

    2. Install Microsoft Security Essentials. It's free (beer). Don't bother with Norton.

    3. Create a regular user account for your son. Ensure the account is not able to modify system files without asking for the admin password. This prevents most of the nasty things malware tries to do. WIndows security is actually really good these days.

    4. Order a Blizzard authenticator to go with WoW. This excludes more nasty things that malware might do... just in case!

    5. Back up the machine after you install the games but before you hand it over to your son. Use backup software that will generate a disk image like Macrium Reflect Free Edition. Restore this disk image from a live CD (Reflect can create one for you) if your son has any problems. You have to use a full disk image for Windows because restoring an install is not just a matter of copying the files and rerunning update-grub.

    6. When working with Windows, use the same patience you have to use when working with an unfamiliar Linux distribution. Don't expect everything to be straightforward or logical, and be pleasantly surprised when it is. The only extra thing you need to beware of, but Linux users do not, is that there are scam sites which offer to "help" you with common problems, e.g. device driver issues, and serve up malware instead of help. Good practice is to research Windows problems on a Linux machine.

    --
    You're an immobile computer, remember?