
Securing Microsoft Windows

I decided to write on how to secure a Windows install with a few freely available programs: Eraser, TrueCrypt and (most importantly) Core Force.

Intended Audience
I have not used Windows Vista for numerous reasons that are beyond the scope of this article. This article is geared towards users of Windows NT5 (2000/XP).

Abstract
The purpose of this article is to briefly point out how to secure Windows on systems where it must be used.

Secure Deletion
Some files may contain sensitive information (e.g. account numbers, financial records, etc.). Ordinarily deleting them may remove them from the filesystem, but not from the drive itself. Securely deleting the data involves overwriting the area on the disk with random data repeatedly so that the original data is lost.

On Unix-like systems, this can be accomplished using tools such as shred(1). For Windows, you can use Eraser (official site).

Encrypting Data
Personally, I opt not to save passwords in web browsers and other applications unnecessarily. I prefer to keep my passwords stored in a text file on an encrypted volume of a USB flash drive. (With a GPG encrypted backup stored in another secure location in the event of loss or failure of the flash device.)

There are two reasons for this: (1) the more places the password is kept, the greater the odds of compromise; (2) I distrust the security of the encryption schemes used by browsers and worry about potential exploits of the browser (via plugins, etc.).

There are many proprietary tools to accomplish this on Windows and projects for Linux (e.g. LUKS) and BSD (e.g. GELI, CGD, etc.). However, for the sake of some compatibility (at least between my Linux and Windows hosts) as well as the features available, I chose to use TrueCrypt.

Really Locking It Down
The above measures are great methods for a user to be proactive and help maintain security, but are not adequate on their own in a normal Windows environment. There are numerous applications for Windows that aim to lock the system down; however, the one I was most impressed by (due to features, price and developer) was Core Force.

Core Force includes a firewall based on OpenBSD's PF and allows the user to use pre-defined or custom policies to lock down the system. The user can be prompted to allow or deny attempts from programs to read, write or execute. Programs can be listed as trusted or untrusted. Overall, it's simply great at helping lock down a system.

The main drawback, in my opinion, is that it's not open source like the previously mentioned projects. However, it still is free as in beer and is licensed under an Apache license.

Conclusion
With the above tools and a well-defined security policy, a paranoid (or security-focused) user can feel a lot safer while using a Windows system.

Caveats

  • In some instances with some Windows Updates enabled, Eraser can cause the system to hang on right-clicks in Explorer due to bad context-menu hooks.
