Installing Vista Securely
September 15, 2008 10:15 AM
Those stories about Windows PCs getting infected within minutes of connecting to the internet... does that still apply in Vista SP1? Soon I'll be setting up a new PC put together from parts and doing a fresh install of Vista Ultimate with SP1 (retail). Should I do anything special to maximize security?
Best answer: Install Ubuntu.
Only kidding. ;-) What I would do is hop over to FileHippo.com and take a look around their site. They have a lot of the top-notch security programs available for download there, including firewalls, adware and virus scanners, rootkit detectors, etc. It was extremely useful for me... before I switched to Linux that is.
posted by aheckler at 10:23 AM on September 15, 2008 [1 favorite]
Best answer: No, the exploit you are talking about is an RPC exploit circa 2003 that is only for XP. I wouldn't worry about Vista. Most likely you are behind a router anyway.
posted by damn dirty ape at 10:36 AM on September 15, 2008
Best answer: If you're feeling particularly paranoid, do what I do when (re)installing Windows.
1. Put latest versions of important security software on CDROM (I recommend Avast! and SpyBot Search & Destroy)
2. Disconnect PC from the webbernets.
3. Install OS.
4. Install security software from CDROM
5. Reconnect PC to the webbernets.
This is probably overkill, but it does minimize your exposure.
posted by DWRoelands at 10:39 AM on September 15, 2008
Best answer: Second alexei: The most significant thing you can do to protect yourself on the Internet is to use a router. The kind of security risks the studies you're thinking about revealed only really apply to computers connected directly to the 'net, i.e. plugged straight into the cable/DSL modem.
The second thing is to avoid sketchy sites. Unless you're trying to download pirated music/software/pr0n or following spam links, the net is actually not that dangerous. Most normal sites aren't malicious.
I don't recommend any traditional anti-viral software. It's overpriced, not terribly effective, and a massive drain on your computing power. AdAware, MalwareBytes, and similar tools work pretty well. Be sure you get Microsoft's Malware Remover. It's actually pretty decent (which figures, as it was acquired by Microsoft from a third-party developer).
posted by valkyryn at 10:41 AM on September 15, 2008
Response by poster: DWRoelands, is it possible to install Vista without being connected to the internet?
alexei, valkyryn, & damn dirty ape, thank you for the note about the router. I hadn't considered the security provided by the router.
aheckler, I probably will install Ubuntu eventually! I may come to you for help. ;) But I want to get Windows up and running first.
And to the person who said that after installing Vista, my computer already is infected: you speak truth and I'm sorry your comment got deleted.
posted by kidbritish at 11:05 AM on September 15, 2008
Best answer: Yes, you can install Vista without a net connection. In fact, you kind of have to, because until Vista is installed, your network hardware won't work. Connectivity becomes important after install, but isn't required to actually get yourself to the desktop.
posted by valkyryn at 11:09 AM on September 15, 2008
Best answer: Note that a "router" isn't the same as an ethernet hub. A router is a proxy that sits between you and the internet. Your computer is given a local IP, often in the 10.*.*.* or 196.168.*.* blocks, and your access to the net happens through Network Address Translation (NAT).
If that is done, then anyone out there who is trolling through banks of IPs looking for vulnerable computers only sees the router, and cannot find anything that's behind it. You can call out but no one can call in.
Sometimes routers are called "hardware firewalls". Prices vary from under a hundred dollars to many thousands. For home use the cheap ones are fine.
posted by Class Goat at 11:13 AM on September 15, 2008 [1 favorite]
Best answer: You can install Vista without a net connection, but then you have to validate the install. If you don't do that, eventually Vista will deactivate itself.
Validation is usually done across the net, but it's possible to do it by voice call.
posted by Class Goat at 11:17 AM on September 15, 2008
Best answer: As others have said: Yes, you can completely install Vista before connecting to the net. You'll have to validate your install (within 60 days, I believe) at some point, but you'll already have your security software of choice in place by then.
I've been using Vista Home Premium (64 bit) for a month and I'm completely enamored of it.
posted by DWRoelands at 1:08 PM on September 15, 2008
...or 196.168.*.* blocks...
Ooops, 192.168.*.*, that should have been. Sorry about that.
Those two blocks (and there's one other but I can never remember it) are specifically reserved by ARIN for local use.
posted by Class Goat at 2:11 PM on September 15, 2008
Best answer: I believe that starting with Windows XP Service Pack 2, and continued with Vista, the Windows firewall has been turned on by default, almost eliminating these types of attacks.
posted by jacobsee at 2:21 PM on September 15, 2008
Best answer: I second installing Ubuntu.
But you should be okay so long as you don't visit anything fishy. Stay behind a router.
posted by expletivization at 2:45 PM on September 15, 2008
Best answer: First off, you will not get infected with Vista if you keep UAC on. UAC will tell you whenever a program wants administrative and system access to your PC.
Make sure you're up to date also. I have run 3+ months without a virus scanner installed on Vista.
I say it's more secure as long as you use it the way it's meant to be, namely leaving UAC on.
posted by majortom1981 at 2:59 PM on September 15, 2008
Best answer: jacobsee is correct. The 'exploit within seconds' applies to pre-SP2 windows XP machines connected to the internet without a firewall. XP SP2+3, and Vista (vanilla and SP1) has the firewall turned on by default at install, protecting from this particular attack. That said - there has been some demonstration on XP that during initial bootup, the software firewall isn't active for a couple of seconds, leading to a very narrow window of vulnerability. I believe they fixed that in vista.
The best protection though, as described, is a NAT-routing hardware firewall. Often combined with wireless access points, they give your machine an IP in the 192.168.x.x, 10.x.x.x or 172.16.x.x to 172.32.x.x range, while the router has the external 'real' IP from your adsl or cable modem. If you're on adsl, some routers also have ADSL modems built in.
They're pretty cheap, and stop random external people seeing your pc regardless.
The biggest risk is if you start browsing the internet generally before you visit windows update. There's a fair few nasty drive-by-downloads you can get from adbars on otherwise innocent sites, amongst other ways, that will infect a non-patched machine.
So, rules of thumb for home security:
1) don't turn off the built-in software firewall, it really does help
2) use a hardware firewall/router (strictly speaking different services, but you always see them together in one box)
3) If you do use wireless on your router, make sure it's WPA or WPA2. Don't leave it on WEP or worse, unencrypted.
4) make your first visit post-install windows update, and run it repeatedly until there are no more default patches
5) make your 2nd site firefox or opera, install that, then delete the IE shortcut from your desktop so you're not tempted to use it.
6) make your 3rd visit a decent AV site, install and update the AV software. Downloading it to a thumb-drive or CD prior to install is not a bad idea as suggested.
posted by ArkhanJG at 3:35 PM on September 15, 2008
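An added example, not code from the thread, for the point Class Goat and ArkhanJG make about NAT-assigned addresses: it classifies the IPv4 addresses a machine has been given using the RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12, which runs from 172.16.x.x to 172.31.x.x, and 192.168.0.0/16) and reports whether any address is public, i.e. the PC rather than the router is what the internet sees. The sample addresses are constructed.

```python
import ipaddress

# RFC 1918 private blocks: the ranges a NAT router hands out on its LAN side.
# The third block is 172.16.0.0/12, i.e. 172.16.0.0 through 172.31.255.255.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# APIPA / link-local: what Windows assigns itself when no DHCP server (router) answered.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def classify(addr: str) -> str:
    """Say what kind of IPv4 address this is: private (behind NAT), loopback,
    link-local, other IANA-reserved, or public (directly reachable)."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "ipv6"  # out of scope for this check
    if ip in LOOPBACK:
        return "loopback"
    if ip in LINK_LOCAL:
        return "link-local"
    if any(ip in net for net in RFC1918):
        return "private"
    if not ip.is_global:  # documentation ranges, CGNAT, 0/8, 240/4, ...
        return "reserved"
    return "public"


def exposure(addresses):
    """Given every IPv4 address bound on a machine, report whether any of them
    is public, i.e. the box is plugged straight into the modem with no NAT."""
    classes = {a: classify(a) for a in addresses}
    public = [a for a, kind in classes.items() if kind == "public"]
    return {"exposed": bool(public), "public": public, "classes": classes}


if __name__ == "__main__":
    # Constructed samples: a home PC behind a router, then one on a bare modem.
    for sample in (["127.0.0.1", "192.168.1.5"], ["127.0.0.1", "8.8.4.4"]):
        print(sample, "->", exposure(sample))
```

On a real machine you would feed exposure() the addresses shown by ipconfig; a public address there means the PC, not the router, is what address scanners reach.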
Best answer: majortom1981 - UAC has been beaten several different ways. It makes life harder for attackers, but it's certainly not unbeatable. More and more trojans are getting past it. It's worth using (if you can put up with the prompts and read them), but it's not a panacea.
posted by ArkhanJG at 3:40 PM on September 15, 2008
Best answer: Oh, one last thing. continued maintenance post install is also important. Windows update (and microsoft update if you have MS office), browser updates and antivirus updates will all close holes that are discovered over time. Most people do not keep their security patches from these three sources up to date, and thus end up vulnerable even when they think they're secure. Don't be one of them.
OK, one very very last thing. Back up your important files to DVD or thumb-drive or external hard-drive (or all three). There will likely come a day when your hard-drive goes bang, or you get a trojan piggybacked on something else. It happens to everyone, even security guys, and the best bet is to wipe and reinstall. Without backups, you will cry because you lost your family photos and emails. Don't be that guy, make regular backups and check they're of good quality.
posted by ArkhanJG at 3:47 PM on September 15, 2008
Best answer: He should be logging in with a limited user account, not an admin account. UAC is just a band-aid.
posted by damn dirty ape at 3:56 PM on September 15, 2008
Best answer: has the firewall turned on by default at install, protecting from this particular attack.
Windows firewall allows all traffic from the local subnet. So let's say you install a fresh copy of XP SP2 on a LAN with another guy using a computer with Blaster. You get infected.
Again: Vista does NOT HAVE THE RPC vulnerability. It's fine to activate it on the internet.
Also, IE7 runs sandboxed; it's probably safer than Opera and Firefox on Vista.
posted by damn dirty ape at 3:57 PM on September 15, 2008
Best answer: Windows firewall allows all traffic from the local subnet. So let's say you install a fresh copy of XP SP2 on a LAN with another guy using a computer with Blaster. You get infected.
Not all traffic, but some RPC traffic, yes. That particular hole has long been patched on XP too, not just Vista. A hardware firewall between you and the internet is never a bad idea, and a software firewall is better than nothing.
IE7 runs sandboxed; it's probably safer than Opera and Firefox on Vista.
Let's say that opinions differ on that front, and leave it at that rather than get too off-topic.
posted by ArkhanJG at 4:04 PM on September 15, 2008
Best answer: That particular hole has long been patched on XP too, not just vista.
Not on a fresh xp install from disc.
The question is whether it's safe to install Vista on a computer connected to the internet. The answer is yes because the RPC bug doesn't exist in Vista.
Most infections don't even happen via exploits anymore. People just click on emails with bigtitties.exe or torrent cracked software that just delivers a trojan payload. Why bother writing exploits for people who run as local admin and have no computer security skills?
It's not 2002 anymore. Install AVG, run as limited user, and be happy.
posted by damn dirty ape at 4:07 PM on September 15, 2008 [1 favorite]
Best answer: Not on a fresh xp install from disc.
It has been patched on XP SP3 fresh installs. Yes, I can install Windows XP SP0 and get that owned out of the box by Blaster too, but what does that prove? Old software is exploitable, but it's been fixed in newer versions? Why are we even having this argument? Because I think a firewall is generally a good idea, even if a specific old RPC bug from 2003 isn't a threat against Vista? Because I also advised to do updates and get decent AV software before using the general internet? Because I advised that a non-majority browser is subject to a lot fewer attacks than IE? (and the sandbox on it is worth jack diddly)
I don't advise people to only use a limited user account because there's too much software out that doesn't work with limited accounts, games being worst amongst them. It's fine if you know what you're doing, but for a general user I find it causes more problems than it solves.
AVG only catches some 75% of viruses and trojans, and limited user accounts are not a panacea either. Security is layers and not absolute.
"Install AVG, run as limited user, and be happy" is overly simplistic and not the whole answer. It's not 1999 either, when AV was all you needed.
posted by ArkhanJG at 4:28 PM on September 15, 2008
This thread is closed to new comments.
posted by alexei at 10:20 AM on September 15, 2008 [1 favorite]