I'm about to perform a clean Windows 7 install. From a security/privacy perspective, in which order would you do the following: 1. install updates from Windows Update; 2. install 3rd party security, eg. AV, firewall; 3. install hardware drivers; 4. encrypt system partition? Generally, I would download everything first (that would be all the above, except updates from Windows Update) for installation before connecting to the internet - particularly the 3rd party security software. However, I've been through Windows Update many times, checking every update to see if neccessary; this time I'm tempted to do those updates first and then image the drive so I don't have to do it ever again. Anyway... decisions, decisions. There's no 'right' answer but I'd be interested in people's thoughts nonetheless.
I do so: 0. install an hardware firewall 1. install 3rd party security, eg. AV, firewall 2. install hardware drivers 3. make an almost clean disk image ( good if in the future I won't change security programs ). 4. install updates from Windows Update
Install Windows 7. Install missing device drivers. Install the 2 KBs that will speed up your Windows Update search and install (restart after each). Install Windows Updates (search, download, install restart, rince and repeat). Install latest GPU drivers (muh games). Install Antivirus (Internet Security Suite), Antimalware and other security software if needed. Install all the other programs I need. No system image. Clean install > Image restore in my case.
0. Install a hardware Firewall before installing Windows; 1. Install Windows; 2. Make clean disk image; 3. Install security software; 4. Change UAC to Max, create a password for the Admin account, and create a non-Admin account; 5. Update; 6. Make another disk image; 7. Install drivers and whatnot.
No idea why people would install a hardware firewall before installing Windows itself. Hardware firewall isn't part of a standard Windows 7 installation. It's related to your network, not the system itself.
Thanks everyone for your thoughts. Ideally, I'd like to run Windows Update first, and ensuring that the firewall on my router/hub is set up correctly will enable me to do that securely. I'm thinking, then, that this might be a wise order: 1. install updates from Windows Update (relying on my router to provide firewall services whilst no software firewall is in place), then image; 2. install 3rd party security, eg. AV, firewall; 3. install hardware drivers; 4. encrypt system partition. Reading the posts above, it seems 2-1 in favour installing AV, firewall, etc before hardware drivers. Blacknight suggested making a system image after security and hardware drivers are installed, but it strikes me that when the image is restored at a later date, both will likely be out of date. Also, nobody's mentioned when they might consider encrypting the system partition... more thoughts welcome.
The thing with device drivers, Windows Updates and third-party programs is that sometimes, there's dependencies in between that you need to satisfy in order for them to all install correctly. Like someone could say, I'll install my Windows Updates and then my device drivers. However, let's assume that this computer uses RSIT and Windows Updates tries to install .NET Framework 4.5, it might not work. This is because the default RSIT drivers aren't compatible with .NET Framework 4.5, requiring you to install newer ones before installing the framework, otherwise it'll fail. It's a well known issue. So in order to avoid that, you install your device drivers first, then proceed with the Windows Updates and finally the security software. Some programs requires the presence of certain Windows Updates in order to install/work correctly. So while other installation orders might seem "good" security-wise, they might prove to not be that efficient when comes to time to follow them.
Good point, Aura. Of course it's not the same for everybody. I've been fortunate and not suffered such conflicts so far. I've done more reading, and found that one useful technique might be to set the Windows built-in firewall to some fairly extreme settings for the duration of the Windows Update process. This in combination with similarly restrictive router settings should ensure that the computer can safely be connected to the internet to perform Windows updates before the installation of a 3rd party software firewall.
I don't know why you would want to do that during the Windows Update process too. Do you fear that the servers would be hijacked meanwhile and malware pushed through or something? Highly unlikely to happen.
When it comes to setting up older platforms such as Windows 7, I personally tend to prefer setting up everything prior to connecting to the Internet. Since there are 150+ updates for Windows 7, including many critical security updates for low level code. It kind of reminds me of the old days with Windows XP where you would do a clean install and be compromised before you are even done installing all of the updates. I believe that there are several different options for installing Windows updates offline. Personally, I use AutoPatcher and have done so for nearly 10 years now, and I choose to install all of the updates within the Security drop down. It is light years faster compared to Windows Updates with all of the issues going on there lately for Windows 7. Plus, all of your low level critical security patches are done prior to connecting to the net. So AutoPatcher is one that I can certainly vouch for since I've used it for so many years now and it has gained a lot of credibility. Another would be WSUS Offline Update, and I'm sure there are even a few more alternatives. Essentially, you be downloading all of your updates on another system or your current Windows (prior to formatting, clean install), copy updates along with updating platform (AutoPatcher, etc.) to a USB drive or alternate partition, and you can bring your system update to date prior to connecting to the Internet. Even with a Windows 7 SP1 disc, there are many, major low level vulnerabilities after a fresh installation.
No, but isn't the computer exposed by means of open ports etc? I thought that raising firewall protection to its maximum would be wise while Windows Update did it's thing. I may be wrong, so please tell me - I'm here to learn!
Totally agree, this would be my preferred route too... ... and, until now, I had no idea there were alternatives to Windows Update that would allow offline updates. This eliminates one of the conundrums that prompted me to start this thread. Thank you.
Basically, all you're worried about are open ports during the installation of Windows Updates. So what's you're worried of are what we call targetted attacks. I can assure you that your home computer is of no interest for a hacker, as he would rather pentest a system that have actual valuable information on it and dedicate itself to hack into it instead.
In my experience generally initial drivers are the best, especially for graphic card. Often to update graphic card drivers - ATI once, more recently NVIDIA - didn't give an improvement. In my own pc, at home, I don't need encryption.
True. But why don't do the things anyway at the high level of security ? I have not the absolute assurance that my pc could not be target of " attention " or of an attack, so, since I have an hardware firewall, and anyway I'll use it, why don't install it before Windows ? Using pc, there are two way to be paranoid : one it is caused by anxiety, lack of knowledge, fears... the second, safe and rational, simply says: since I can have an higher level of security, why don't provide it always and anyway ?
Sorry to tell you that this level of security is what we call a lack of realism. If you really think that your home computer will interest a hacker skilled enough to pentest it and break into it, then in my opinion, somewhere you're lacking something, because this isn't true. I agree that you should always use the higher level of security available to you, but while staying realistic and also not overdoing it (when I see someone overdoing it, I class that person as paranoid in my book).
That is the best approach in general. In addition to inbound threats there are outbound threats. Newer OS's, package installers which include drivers, and applications are far more likely to have infosec/privacy issues and inappropriate default settings on that front. Even before user data becomes accessible (which should be one of the last steps performed) there may be system information that one doesn't want phoned home. If you install as much as you can while there is no possibility of an Internet connection, and tighten up configuration settings before allowing one, you improve the odds of avoiding both the inbound and outbound threats. Especially if you have a software firewall conservatively configured before hitting the net. Some might even want to have a sniffer up and running when they first hit the net and/or during updates too. No, you can't. We live in an age where targeted attacks of various intensity are automated, and someone might become the target of such an attack simply by living near a facility of interest. There are plenty of other ways someone might find their way onto a targeting list. By renewing their IP Address and being assigned one that was previously used by someone of interest, by having the same/similar name, by visiting a watering hole of interest, by mistake or bug, etc, etc. Furthermore, every Internet user and consumer is targeted by the advertising and related industries. Which is, itself, something that many would want to protect themselves against. It can also lead to penetration targeting. Example: targeted advertising systems detect a pattern of interest (wealth, employment of interest, whatever)... smart hackers leverage the advertising system itself and/or related marketing lists to target those they are after. You need to know quite a bit about a/every poster to assess whether they might be a genuine target of interest. Even if they are not, all you can really do is assume that the probability of them getting caught up in a targeted attack is low.
You may or may not be aware of the Blaster worm that surfaced way back in 2003, affecting Windows XP machines through an unpatched DCOM RPC (port 135). I was infected by this immediately after a fresh installation of XP because I was plugged into the Internet and not behind any hardware firewall such as even a simple home router. I would agree this type of infection is not likely to happen on Win 7 and most people should already have some sort of hardware firewall in place.
