Can Windows based computers ever be secured? [closed]
In light on this excellent article series by Ars regarding the black security work by HBGary - HBGary claims to have coded several rootkits and had access to 0-day exploits that could compromise a range of windows releases and firwall/antivirus software - how can Windows based computers be secured?
Solution 1:
You need to accept the fact that no general-purpose monolithic operating system like Windows, Linux, Mac OS X, or anything else similar can be truly secured. Which is more secure is subjective and I won't go further into that. But, that being said, I think the following helps:
Use Windows 7 64-bit. It's more secure in a lot of ways than Windows XP.
Apply Windows Updates as soon as possible.
Do not run normally under an Administrator account.
Uninstall needed features and software.
Don't use Internet Explorer unless you need to.
Outgoing network traffic of extremely critical systems needs to be monitored using a separate system running a separate operating system, and if suspect traffic patterns are detected, assume the system is compromised.
One good way to detect rootkits is to shutdown the system, and run a virus/rootkit scan against the drive without the operating system running. If you can do this on a regular basis it's a good thing.
If what you do on the machine can survive the performance hit of virtualization, then virtualize your Windows installation (preferably using a VMM under a different OS) and utilize snapshot features to rollback if things go wrong.
Infected systems, or systems otherwise suspicious of being compromised need to be reimaged, rather than repaired. Keeping regular backup images of your system will aid this.
But really, the best way to secure a computer is frequent, regular backing up of the data that lives on it on a separate storage device that is stored away from the computer when not being used. That way, if/when your system is compromised, you haven't lost anything but the time it takes you to reimage or reinstall.