My configuration at home is a example. I built the configuration because I have young children and I dont want their activity on the internet to introduce viruses on my computers.

First I have a router that has a hardware firewall enabled with latest encryption and a mac filter enabled. This means it you dont have a key and the correct mac address I have given you, you dont get in!

Second, I have a computer running the patch guard technology on x64 windows(dual core cpu). It is a unpatched, no user software system with firewall enabled and no internet access(web browsers are locked down). I permit only one software to be run, vmware player. I am the only authorized user of the system, and I am the only person in the house that can turn on a virtual operating system.

Third, I run all software applications in a virtual operating system built by vmware workstation on a different machine that is only used for this purpose. The other people in my house on only permitted access to these machines.

Fourth, The virtual machines physically reside on a network disk running a slimmed down Linux OS. Only I possess the passwords to write directly to the disk. My children have separate virtual machines that run their apps and browsers that are different from mine.

Fifth, Software is presented on Thin client computers running another specialized version of Linux. The connections are password configured and only I possess the passwords to configure the links.

Sixth, the real computers and network disk drive is locked physically in a storage space in my home, so the removable disk drives cannot be access with a key.

Seventh, The web browsers are patrolled by Net Nanny, which only permits browser access to approved web sites.

Eighth, The virtual machines have the firewalls enabled in the operating system.

And finally, if you figure out how to manuver around all of this I have a virus detection program that check the legitimacy of your software.

I have never had malware successfully gain control of my network. The only viruses I have had was inside of my kids virtual machine. I simply destroyed the virtual machine and recreated it (a 5 minute operation). Doing it this way gives my kids a disincentive to download viruses because when I get rid of their viruses, I also get rid of any unapproved software installed by them in their virtual machine….

My point is that education works (and most of my clients are seniors) once you provide a firm foundation by tweaking Windows (but I get lonely because they don’t call me all the time….)

1) Using a standard account if possible (much easier in Vista than in XP). Even if you can’t run in a standard account, any untrained/untrusted/naive users should have standard accounts.

2) Disabling download and installation of new ActiveX controls – allowing use of existing controls. I’ve put together instructions and scripts for this purpose. Extremely useful for those untrusted users who can’t be given a standard account.

A few more things about my situation. I don’t open any file that I do not already absolutely know and trust, even when they come from friends. I regularly back up data to an external hard drive. I have an “always on” cable connection, but there is no file sharing or remote access and services such as Alerter and Messenger are disabled. The computer in question is not on a network. I use user accounts, including passwords, even though no one else uses my computer. I am very careful about where I go on the Internet.

Am I a candidate for computing a bit more dangerously? Does your Inside and Out book on Windows XP security (which I have) cover all this? If it does, I’ll check it out. It has been awhile since I last read it.

Right now I am using Windows Live Care, but it sometimes causes problems or (more often) annoyances (all security software does — this one is actually less intrusive than others I have tried). I really don’t want to use it if I don’t need it. It seems to me like buying hurricane insurance for a house in Utah.

Thanks again.

the stats i’ve seen (both vendor supplied and from independant researchers) say otherwise… check out this example http://momusings.blogsome.com/2006/07/18/june-2006-malware-review/

I think a careful user who has multiple layers of security can probably – almost certainly – remain safe without AV software. In my case, I have an email server that blocks all potentially executable attachments, and I use browser settings that make it virtually impossible for a piece of malware to be installed without my consent. So I regularly run without AV software.

For the average home user with a less diligent email admin, good AV server provides an additional layer of protection but doesn’t replace common sense.

in the malware domain new equals unknown – it should come as no surprise that known-malware scanners would have difficulty with UNknown malware… it doesn’t mean there’s anything wrong with those scanners or even that type of technology, they do what they were meant to do… if you want something that works on unknown malware you should be looking at an entirely different type of technology and using it in concert with your known-malware scanner…

although the original article makes it sound like the sky is falling (and schneier does nothing to dispell that myth), it isn’t… most incidents don’t involve new/unknown malware and new/unknown malware doesn’t stay new/unknown for long…