PC Setup - Practical advice on security, organisation and backing systems up - Eliminate Spam
This section is included entirely as a courtesy and reflects our experience in running secure PC systems within a business environment starting with CPM, then MS-DOS, Windows 3.1 (awful), Win3.11 (good), W98 (terrible), Wme (awful), NT4 (dreadful BSOD specialist), XP (first OS that really worked well other than 3.11), Win8, 8.1, and now Win10. It has no commercial value to us and is provided in the hope it will give you some pointers and ideas about how best to set up and run your PC systems. We don't say it is the only way, or even the best way. What we do say though is that it works efficiently for us and eliminates, almost entirely, the absolute tedium (and cost) of fiddling around with Windows and the PC. 2017 - Win 7 was added to the list via a cheap OEM version. Win 7 is probably the best OS that MS ever managed to make.
PC Types and Operating Systems
OS - Our main PC now runs Linux Fedora with the XFCE front end. The laptop (old) now runs a lite version of Linux Mint.
Why not Vista or Windows 7,8,9,10? From long experience of Microsoft products, running the latest software is always a nightmare with some new bug or incompatibility just waiting to strike. This creates a huge amount of work trying to get on top of the situation and detracts from productivity.
New - 2020
Keeping up with everything as it changes is still tedious, time consuming and problematic. At the time of writing, Chinese CV19 is in full swing and the Internet is now the backbone of business and private communication life. This brings added security and privacy risks especially as more and more things go online and millions of inexperienced new users download all sorts of 'free' apps (applications) on PCs, smartphones, tablets et al. This trend seems set to continue for the foreseeable future. Of course nothing is actually 'free' and as people are finding out, THEY are the product with personal data shared with anyone prepared to pay for it. As a business with intellectual property concerns, this is a big deal for us.
We have stuck with (amazingly) Linux Fedora XFCE flavour, finding this unbelievably reliable and useable. It just works and, unlike Windows, even the update process is seamless and never gets in the way of productivity. There is another massive bonus - Windows often locks files, preventing access or saying you don't have the necessary rights to alter or delete them which is endlessly infuriating and wastes time. No problem as reverting to Linux, you can happily delete ANY Windows file you like (be careful though)!
The biggest changes over the past couple of years are with data handling and transfers. As more and more stuff goes WiFi, connection speeds and reliability are bound to drop and so we have made a big effort to physically wire everything up via a Cat7a or better cabled network. This is fed from a distribution patch panel via a Netgear intelligent switch (GS108T) that will soon be upgraded to a 10GbE version, plugged into an ASUS router port. Connection to the Internet is via a Sky modem (WiFi disabled) feeding an ASUS RT-AC86U Router (WiFi & DHCP enabled) and uses a fast VPN (Virtual Private Network) connected at all times with operating software loaded on the router itself. The AC86U is fast enough to allow greater than 100Mb/s realtime encrypted / decrypted traffic which allows ALL our connected devices to be protected via the VPN thus protecting our IP address and avoiding the silly ISP and geolocation blockers. This works fine, is fast and most importantly, is reliable.
One of the key changes over the past year has been to move away from DHCP (dynamic) addressing and assign fixed IP addresses to key components such as the smart switch, printers, NAS etc. Any additional temporary stuff connected to the network (eg Raspberry Pi), gets an address automatically assigned from the remaining available pool. This arrangement allows for rapid changes to the ISP by simply swopping the modem, with everything else remaining the same including VPN protection.
Virtualbox works very well and allows us to use all our existing designs and software (XP and Win7) seamlessly and safely.
2017
Keeping anything like this up to date is a nightmare as it seems virtually everything changes, all the time. Windows has now become a 'service' which means you lose the right to own anything that actually works and trade it all off for a never ending series of upgrades, each one of which may, or may not, stop some or all of your products working. On top of that, the latest reports show that Win 10 is spying on virtually everything a user does including a keystroke logger. NO!! Download SpybotW10Immuniser to block all spying. Fedora continues to work seamlessly (fantastic).
2015
Much of the information below relates to running Windows XP, the first Operating System (OS) that really worked, but is now largely superseded. Given the demise of XP, the choice was to stick with Microsoft (easiest) or migrate to Linux. Our shiny new PC came preloaded with Win 8.1 and after a small amount of work to get it ready for business, it crashed. Many hours later and after a great deal of frustration it was sort of working but hard to use or find anything. Support was poor and it was obvious we were in for a lot of head banging (not unusual with MS products).
We took a monumental decision to abandon Microsoft and move to Linux. After much research, we chose Fedora with the XFCE desktop because it was clean, efficient and simple. Installation was relatively straightforward (very impressive actually) and completed after an hour or so. The worst thing about Linux is the program names and learning what they all mean. A simple thing like 'Update' for example is actually called Yum Extender (now DNF)!! A simple word editor is either Nano or Leaf - totally non-intuitive. Of course the biggest difference is having to go back to a command line editor (like in the early days of MS). Downloading an A4 cheat sheet saved hours of time. Once installed and working, the next thing was to install Oracle VirtualBox.
Oracle VirtualBox
This free and amazing program allows you to run any OS in a standalone container. You can totally isolate it from the web if you wish to stop viral contamination. So, after a few false starts, we ended up with containers for XP, Linux Kali, Win 8.1 and Win 10. You basically install your OS as normal but to a container rather than the PC. Given that most of our business software runs on XP, an isolated container is ideal to continue doing this without any fear of crashes or viruses. You can of course save a container and use it as an instant backup - perfect. So you fire up the PC, click VirtualBox and then select which OS you want to use today (or indeed ALL of them at once). Quick, simple and it works exactly like having the OS installed on your PC.
Fedora In Use
Time has shown that Fedora is rock stable (never crashed) and suits our business perfectly. Shared drives are another bonus and are accessible from all OS and the host Linux. This means that files that Windows won't allow you to change (er why?) can be simply deleted under Linux. Control (and sanity) is restored! The update process is very different to MS too. You can see exactly what is happening at all times and it is far, far better than the Win 10 experience of frozen PC, black screen, weird non-linear % update screens and multiple reboots. Yes sir, way better! You also get four 'Workspaces' which is a brilliant idea. Each one can have a different program running in it. So you could have for example Linux on screen 1, Win 10 screen 2, a network traffic monitor screen 3 and say your emails on screen 4. All accessible with a single click. On top of that, all the services that matter are accessible and displayed at all times. This really increases productivity and removes the Windows frustrations of hunting down services buried deep under multiple layers of clicks. Backup programs are built in and work seamlessly. The downside of Linux is the pain of learning it and the non-intuitive program names (simple text editor called Mousepad for example, or K3b for burning CDs).
Windows 10
Is possibly the most dangerous OS ever released by MS (no wonder it was a 'free' upgrade). It has multiple trackers and collects information for advertising purposes including geographic location. Some but not all of this can be disabled but who really knows? Spybot do a very good Innoculator.
PC Organisation
This refers to machines running MS software, though it is appropriate for Linux too.
2020 - For Linux we have a 32GB SSD for the OS, a pair of 250+250 SSDs configured in raid 0 for the Home directory, a 4TB raid 10 main Files disk and a 4TB single belt and braces backup disk. A spare 32GB SSD with a physical copy of the OS is a great insurance policy.
For Windows we found it best to split the main hard drive into smaller sections. A 10GB C: drive containing the OS ONLY, a much larger D: drive for programs and data, and a 767MB R: drive made out of computer RAM (2GB total). In addition we have a 500GB NAS (Network Attached Storage) drive N:. Sometime in the future, we will move C: onto a pair of SSD (Solid State Drive), 32GB or smaller will be fine, but with the fastest I/O speeds available, and configured in a RAID array. Also in the future will be an offsite copy of the entire system in case of fire or theft.
Why Split Drives?
Purely because of backup issues. If you use Windows, it WILL crash - it is inevitable, built in. Worse, it always crashes at the most inopportune time. So a clean XP install to drive C:, patched to SP3 is the first step. This takes 4-5GB of space and will inflate to around 7GB in a fully working system. Therefore a 10GB drive size is plenty big enough and allows space for drive defragmentations. After installing Windows and patching, the first thing to do is make a backup. After that, you can always get back to this point within 10-15 minutes even if the whole OS crashes. Win 10 is a different animal and probably needs 32GB or more to even function.
After installing the OS and making a backup, install all your software to drive D: We always use the D:\Program Files\xxxxx tree to do this.
We also use a RAM disk. It took around 4 years to find the right software (free) - Gavotte Ramdisk with GUI. This works with no wrinkles at all provided you exclude this drive from System Restore (requires simple registry tweak), otherwise your SR stops working.
Why a RAMdisk? Specific to MS software
Mainly security and to avoid file 'bloat'. Anything stored in RAM gets lost when the PC is switched off. So if all your temporary files including web history, cookies etc are stored here, they get destroyed whenever the PC is switched off. You don't need any sort of software file cleaner, you can't store infected files and you know all cookies go too. Additionally, RAM is very fast and your PC will work faster. The only downside is you must save to hard drive, anything in RAM you wish to keep.
Another excellent dodge is to put all your web browser config files in RAM. We use Firefox here and have a BATch file that runs every time the PC is switched on. This copies all Firefox settings and menus into RAM. This is great as we always have the SAME favourites etc.
Backup Solutions
2020: Clonezilla may be old, clunky and potentially complex, but it continues to work, all the time and on any system. An OS backup every three months or so works fine for us and we persevere with a small OS drive (now a 32GB SSD for speed). A full backup or restore takes around a standard tea break (still do that!), and works every time. Programs files and emails now go on a 4TB raid 10 setup of four hard drives all backed up daily (via Rsync) to a separate hard drive and occasionally to a NAS drive (raid1). Local files, virtualised images and downloads go to a separate Home drive comprising a pair of SSDs configured in raid 0. This drive is blazing fast, especially for the virtualised containers (XP, Win7, Win10 etc) and does not need to be backed up as all the information is stored securely elsewhere. A spare 32GB SSD containing the basic OS is a great and inexpensive insurance policy.
2017 Solutions. Having moved to Linux, backup is far less of an issue. Linux has a robust built in backup system that maintains an up to date image of the essentials. Every so often we connect up a NAS drive and run Xcopy to sync up our latest data files. Any Windows programs we might need run in containers on virtualised software and can be restored to a previous good copy in under ten minutes. So far so good.
Having lost all our company data as a result of a system crash some years ago, reliable backup became a big issue for us. We tried all sorts of products but to cut a very long and expensive story short, we settled on Acronis True Image Home (V9.0). This was simply wonderful, easy to use and worked really well, for a while. Then out of the blue, it started going flaky. Images were reported as being OK but restored to around 30% and then stopped, crashed. NO GOOD for a backup solution! We upgraded but V12.0 had issues with SCSI driver compatibility. Lots of research highlighted NOVA as a good brand. After purchasing this, a word of advice - it's awful! Horrible interface and tricky to use. Fortunately we had a backup, backup plan and this was a product called EaseUS ToDo. Having just bought Workstation V6.0, ($23) this works fine and is easy to use.
On top of that, we also run a BATch file whenever the PC is turned off. This uses Xcopy to make a copy of any newly modified or downloaded files and duplicate them to the network drive. Provided you maintain the same file structure on the backup drive to your main PC, then this works fine and you always save a copy of whatever you did while the PC was switched on. Take a look. If you want to try it, save it as text and rename as .bat.
Every month, we make a backup ie Jan11.tib which is a complete backup of C: - basically the OS including all startup and registry values. Before backing up, we always empty the wastebin and do a C: defrag to keep things tidy. Once every three months or so we might do a full D: backup but since we always have the source program files, this is no big deal if one gets an error as a reinstall is quick. C: backups take around 10 mins on our machines and are around 2GB in size. Restoring the whole C: drive is painless and takes 10-15mins - just long enough to make and enjoy a coffee. All backup images are copied to the NAS drive as well. So worst case is a PC stolen or totally scrap. Buy a new PC with no OS set to boot from CD. Insert Acronis recovery CD and provided you get access to the NAS drive, restore latest C: backup image. In 10-15 Mins, your PC is working again and just needs D: sorting.
If your PC suddenly becomes listless, acts funny or refuses to play ball - immediate full restore. Works a treat and you always get back to EXACTLY the same position as when you stored the image. You can also restore individual files, so an image of the data on D: can be useful too.
Data
Data on drive D: is obviously critical and this is backed up to an attached network drive. We have a small BATch program that checks out the archive bit on every file on drive D: and stores any file that is new or that has changed. Xcopy is part of Windows and ideal for this. We run the backup BATch file after finishing any new work and at the end of the day. Thus drive N: (Network) a LaCie NAS drive, has a complete copy of D: and all C: backup images for each computer we have.
Every time Firefox (our web browser) has a new link added (or advert blocked), we need to copy the relevant files from R: (the RAM drive), to d:\Myfiles\Firefox\, otherwise the changes are lost when the PC is switched off.
Security (XP)
System security is handled by a multi level approach. The main line of defense used to be a software package ZoneAlarm (ZA) Security Suite which replaces the Windows firewall by something much better and allows you to do really useful things like completely disabling Dr Watson (annoying and useless Windows crash program). Unfortunately, ZA went unstable on XP (2012) and started crashing explorer.exe, prevented our PCs turning off and consumed huge processor resources. Microsoft Security essentials is now used instead.
Connection to the internet is a security nightmare and is compounded by government intentions of monitoring all internet searches and emails. Whilst having nothing to hide, this is way too intrusive for us so we use a system called Open VPN. This is effectively an encrypted tunnel from each PC to the Open VPN provider server. There are many of these servers and they are located in the UK, USA and Far East. Not only does our ISP (Internet Service Provider) have no means of seeing what we are downloading (other than quantity), our IP (Internet Protocol) address is also hidden from websites. This means that sites like Google cannot track your search history as they see your Open VPN IP address, rather than your true IP address. It also means you can avoid geographical redirection, or video content denial based on IP - a great research tool. This works for VOIP and email too as traffic goes over the same connection. Having said all that, government agencies now routinely tap virtually ALL your data. For an in depth analysis, see privacy guide.
Wherever possible, try to connect to websites by using a secured web connection (eg https://) to minimise the risk of your web connection being compromised (man in the middle attack). Be aware though that your web browser may not be set to the highest security setting by default. This is certainly true of Firefox. Currently the highest level of security is provided by 256 bit AES encryption. Test your browser by visiting here.
We want to make sure that our version of Firefox only uses AES 256 bit, AES 128 bit or 3DES 168 bit ciphers. Open up a window and type "about:config". Then in the "Filter" bar at the top search for the following: (Double clicking on each line will change the value)
- tls and set the lines to true.
- ssl2 and set every line entry to false. (You may not need this)
- ssl3 and set every line to false except lines containing the strings "aes_256" and "aes_128".
- security.ssl3.rsa_des_ede3_sha and set it to true. This is the weakest cipher and may be needed for some older SSL sites.
Now your browser will only accept the TLSv1 protocol in AES256 bit cipher encryption no matter what previous weaker ciphers a web server prefers. This configuration also makes your browser FIPS 120-2 compliant (year 2030 specs). Currently, IE8 running on XPsp3 will only connect at RC4 128 bit security (though needs more investigation). Chrome out of the box is also set for RC4 128 bit.
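An added example, not part of the original page: a small JavaScript audit that reads user_pref(...) lines from a Firefox prefs file and reports every boolean setting that disagrees with the four steps above. The sample prefs text is constructed for illustration and the function names are this example's own; check them against the names about:config actually shows in your version.

```javascript
// Pref named on the page as the one 3DES cipher to leave enabled
const TRIPLE_DES_PREF = 'security.ssl3.rsa_des_ede3_sha';

// Parse user_pref("name", true|false); lines.
// Commented-out lines and non-boolean prefs are ignored.
function parseBooleanPrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;/gm;
  let m;
  while ((m = re.exec(text)) !== null) {
    prefs.set(m[1], m[2] === 'true');
  }
  return prefs;
}

// Value a pref should have under the page's steps, or null if out of scope.
function expectedValue(name) {
  if (name.includes('ssl3')) {
    // Everything matching "ssl3" is off except the AES lines and the 3DES pref
    return name === TRIPLE_DES_PREF ||
           name.includes('aes_256') ||
           name.includes('aes_128');
  }
  if (name.includes('ssl2')) return false; // every ssl2 line off
  if (name.includes('tls')) return true;   // every tls line on
  return null;
}

// Return one finding per pref whose value differs from the rule.
function auditPrefs(text) {
  const findings = [];
  for (const [name, value] of parseBooleanPrefs(text)) {
    const want = expectedValue(name);
    if (want !== null && want !== value) {
      findings.push({ name: name, value: value, want: want });
    }
  }
  return findings;
}

// Constructed sample input (not taken from a real profile)
const SAMPLE_PREFS = [
  'user_pref("security.enable_tls", true);',
  'user_pref("security.enable_ssl2", false);',
  'user_pref("security.enable_ssl3", true);',
  'user_pref("security.ssl3.rsa_rc4_128_md5", true);',
  'user_pref("security.ssl3.rsa_aes_256_sha", true);',
  'user_pref("security.ssl3.rsa_aes_128_sha", false);',
  'user_pref("security.ssl3.rsa_des_ede3_sha", true);',
  '// user_pref("security.ssl3.rsa_rc4_128_sha", true);',
  'user_pref("browser.startup.page", 3);'
].join('\n');

for (const f of auditPrefs(SAMPLE_PREFS)) {
  console.log(f.name + ' is ' + f.value + ', should be ' + f.want);
}
```

On the sample it flags the SSL3 protocol switch and the RC4 cipher as still enabled, and one AES cipher as switched off by mistake.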
One extra measure can really help with securing your Internet connections and this is a file buried deep within Windows - See Web Access below.
When funds allow, we will also install a standalone UTM (Unified Threat Management) unit to further strengthen defences. Plus we need to think about equipment theft and fire - maybe store critical files offsite in a secure store, BUT, be very wary of uploading your data files to some offsite cloud computer network. You have NO control over the data once it leaves your network, especially if unencrypted and there is no guarantee you can ever delete any of it ever again!
Wireless connections are handled by a Netgear router with full security setup. WEP-PSPK and MAC address filtering ensures only our own PCs can connect and we always turn down the signal to the weakest possible whilst maintaining full bandwidth.
Email. Simply NEVER EVER run a file by clicking a link from a downloaded email, even from people you trust. Read the link address, make a note of it and if safe (check on Google first), enter it directly into your web client (Firefox or Explorer etc.). Attachments to emails are even more dangerous and need to be treated as if they had the plague (which they might)! If your ISP offers an email filter program (such as Postini) then this might be worth considering. It pre filters email for viruses and spam and prevents most attacks from being downloaded to your PC.
Spam - Such an important issue it has its own page: here
Web Access
**Latest**
2020 - Firefox has been replaced by GNU IceCat which remains stable far better than Firefox as it uses an ESR base (eg doesn't get updated as often). We still use uBlock origin and have a list of the worst advertising websites blocked on the router. Web access is currently provided by Sky and downloads (fibre to cabinet) at around 50Mb/s. Our previous supplier (VirginMedia) downloaded at around 108 Mb/s. We will sign up for FTTP (Fibre To The Premises) when it becomes available locally. All Internet connectivity goes via a VPN provided by VPNac who advertise no tracking, no speed decrease and good reliability which so far (past three years or so), has proved true. Shame they don't do an Iceland connection though!
2017 - uBlock has been replaced by uBlock Origin which continues to work well at blocking everything unwanted. It is particularly good at killing Google search engine adverts so it must be good!
2015 - Firefox is back in front and worth using again! However, we have replaced ADBlock with uBlock which is much better and has no paid advertising at all.
Firefox is falling apart. This is a shame but... true. We stuck with Firefox because of ADBlock Plus but have now moved on. Google Chrome is OK but the tracking and updating features are really unwanted, even sinister. So we tried SRWare Iron. It has all of the benefits of Chrome with none of the downside and supports ADBlock too. It's very fast, reliable, light-weight yet fully functional and certainly worth a try. The differences between SRWare Iron and Google Chrome can be found here.
We have a fast broadband connection (30GB), though with Open VPN, probably less than half that which is fine. Our web browser is (used to be) Firefox with some essential add-ons: ADBlocker Plus + Element Hiding Helper + free subscription to the US block list + Firebug. This allows you to selectively block all bits of a website that you don't want to see. There are however, many other bits of a webpage that you don't see, bits that log your IP address, track your preferences, forcefeed adverts and generally slow down your access times; virtually every website has a Google tracking link. Whilst ADBlock allows you to hide bits of websites you don't want to see, they still take time to load and here is where another trick can be used.
Windows has a special file where you can add websites you want to block (eg never see). The file in particular is called HOSTS (no extension) and can be found (XP) at: windows/system32/drivers/etc/HOSTS. Open it with Notepad or Wordpad, add an entry and save. If you want to unblock a website, either remove the entry or prefix it with #. Save the existing HOSTS file (if it exists) as HOSTS.old and then add your new one. You are welcome to use our copy if you wish. Download here (right click then Save as) and paste all of it to the location shown (true for windows XP). However, HOSTS is a bit crude and broad brush plus it can get quite big and slow down your PC. There is an even better solution, PACS (Proxy Auto Configuration).
You don't need to know any of the technicalities but this free bit of kit allows you to block any website, or any bit of any website from even loading to your PC. Brilliant. You can edit the file using Notepad to add or remove entries. Firebug allows you to see every file downloaded as part of a webpage and you can then block the bits you don't want, all the trackers and adverts and whatever else. The basic information about PACS is here and you can copy our own PACS file if you wish from here.
Simply copy the file to some location such as C:/windows/system32/drivers/etc/ and then tell your PC how to use the PACS file. You do that by going to Control panel/Internet options/Connections/LAN Settings/. Then tick the use Automatic Configuration Script and paste the location of the PACS file, such as: file://c:/windows/system32/drivers/etc/no-ads.pac
This technique works with Google Chrome and MS Explorer too though you may need to look around for where to paste the proxy file address. For Firefox, navigate to Tools/Options/Advanced/Network/Connection/Settings and add the PACS location as described above.
Basically, a list of website addresses saved in simple text format that will be prevented from opening on your PC. So if you never want access to www.facebook for example, add it to the list and it will not load.
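An added example, not the page's own PACS file: a minimal proxy auto-configuration script showing how such a file blocks both whole sites (as HOSTS does) and individual parts of a site (which HOSTS cannot). The blocked names and paths are constructed placeholders, and the blackhole address is an assumption (a local port where nothing is listening, so the request fails at once).

```javascript
// Browsers call FindProxyForURL(url, host) for every request and use the
// returned string: "DIRECT" loads normally, "PROXY host:port" goes via a proxy.
var BLACKHOLE = "PROXY 127.0.0.1:9"; // assumption: nothing listens on this port
var PASS = "DIRECT";

// Whole domains to block, including every subdomain (constructed names)
var BLOCKED_DOMAINS = ["ads.example", "tracker.example"];

// Path fragments to block on otherwise allowed sites (constructed)
var BLOCKED_PATHS = ["/adserver/", "/pixel.gif"];

// Lower-case the host and drop a trailing dot ("ads.example." is the same name)
function normaliseHost(host) {
  host = String(host).toLowerCase();
  if (host.charAt(host.length - 1) === ".") {
    host = host.substring(0, host.length - 1);
  }
  return host;
}

// True for the domain itself and its subdomains, but not for look-alikes
// such as "notads.example", which a plain substring test would also catch.
function hostInDomain(host, domain) {
  if (host === domain) return true;
  var suffix = "." + domain;
  var at = host.length - suffix.length;
  return at > 0 && host.indexOf(suffix, at) === at;
}

// Path part of the URL, without query string or fragment
function pathOf(url) {
  var m = /^[a-z][a-z0-9+.\-]*:\/\/[^\/?#]*([^?#]*)/i.exec(url);
  return m ? m[1].toLowerCase() : "";
}

function FindProxyForURL(url, host) {
  var h = normaliseHost(host);
  var i;
  for (i = 0; i < BLOCKED_DOMAINS.length; i++) {
    if (hostInDomain(h, BLOCKED_DOMAINS[i])) return BLACKHOLE;
  }
  // Browsers may strip the path from https:// URLs before calling this
  // function, so path rules are only reliable for plain http:// requests.
  var p = pathOf(url);
  for (i = 0; i < BLOCKED_PATHS.length; i++) {
    if (p.indexOf(BLOCKED_PATHS[i]) !== -1) return BLACKHOLE;
  }
  return PASS;
}
```

A PAC file decides which proxy every request uses, so before installing one obtained from elsewhere, read it and confirm that the only strings it can return are DIRECT and a dead-end address.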
If you do a lot of searches on the internet, over time Google and the others (Hi NSA and GCHQ) build up a picture of you and your interests. If you like Google but want to avoid ALL tracking, try startpage.com. It is a https site too so is fully encrypted between your browser and their server.
Web Hosting
2020 - For the past lots of years we have used KDA web hosting based in Sheffield. Their service is supremely reliable, well priced and support as good as it gets. Why would we go anywhere else? They put all other suppliers we used in the past in the shade.
Essential Software
Some software is essential even before installing your 'working' software.
2020 Update - Clonezilla for system backup or duplicating disks. Clunky and old but persevere with it - it works!
2017 Update - Printkey Pro has been superseded by a native Linux screen grabber. This gets anything displayed, Linux, Windows, anything. CutePDF remains absolutely essential. Firefox + uBlock origin does all our web stuff. ZoneAlarm got too big and resource intensive, so that has gone. OpenVPN (VPN.ac now) is in our view essential to maintain a semblance of privacy, though for some strange reason it won't do SFTP uploads. We don't now use any anti virus software and our email system (Thunderbird) running on Fedora seems bombproof.
- Printkey pro - Has been around for ever. It always did work well and still does. Allows you to capture a screen print of ANYTHING on the screen including those Windows error messages just before everything goes t*** up! Really flexible, with the ability to output or save in various formats - essential. What it does not do though is to convert a screen capture into editable text. So far we have not found ANY software to do this reliably. Works on all Windows OS up to Win10.
- Cute PDF Professional - Installs as a printer driver and allows you to save anything you can print as a PDF file (even Printkey screen captures). Cute is fantastic for organising information. We have a directory D:\Myfiles\pdf\xxxx tree. Any website you visit or page you see can be printed and saved in this way. This means you should never lose or forget anything at all. Plus, pages from different applications can be saved as a single document. For example a web order where you print out the order page, then add the help page and finally (when it arrives), append the email confirmation page. Some websites only show you certain pages once and you can never get back to them. Cute allows you to save them all. Files can be encrypted and password protected. Then, on top of all that, a neat typewriter function allows you to add text anywhere on the document before saving it. Just excellent. Works on all Windows OS up to Win10.
- Virtual Private Network (VPN). Secure internet connection with 128 / 256 bit encryption. Prevents ISP 'eavesdropping' and IP address monitoring. Use with the TOR network to further increase security and access the rest of the internet. Make sure the VPN provider keeps no records though and does not slow down your traffic. VPNac are very good.
Other Useful Software
- CorelDraw - Powerful graphics suite with good PDF creation tools. Big and complex suite but works well for us. Reliable and bug free too (patched X3 version).
- FileZilla - free FTP client. Simple, effective and free!
- Registry Mechanic (on XP) - Cleans up broken registry entries and is a solid performer.
- PerfectDisk - V7 is what we use (on XP) and this keeps hard drives defragmented and optimally organised.
- Tough to recommend other software. We have in the past listed stuff here but, over time, all of it has been found to cause issues or conflicts.
As you might imagine, this document represents a lot of research and work. It has the potential to save you a great deal of time, money and enhance your security when online. Please make a donation to show your appreciation if you can. A link to this page might be of value to others struggling with similar issues.
We hope you found the site interesting, well presented and above all, informative. Thanks for visiting and please feel free to link to us or recommend us to others.