10 ways to secure your PC from physical access

Security tips to keep your data safe

10 ways to lock down your PC

We're our own worst enemies. It doesn't matter how much antivirus software we install, how many updates we comply with, or how many regular malware scans we do, it's the way we use our PCs that leaves us most vulnerable to attack.

Much of this is due to habits we develop over time, or which are pushed upon us by the services we use. For example, we live in an age when people think it's funny to type embarrassing status updates on your behalf when they find your Facebook account logged in, but Facebook seems to actively encourage maintaining a permanent connection.

It's time to learn the simple PC security tips that will keep you safe from virtually every problem likely to be caused by physical access to your computer.

1. Set different accounts

user accounts

It may be convenient to switch on the family PC and go straight to the Windows desktop without logging in, but it's also rather insecure. There are good reasons for using individual accounts for each user, not least of which is that it reduces the risk of system-wide infection from dodgy software installations.

The problem is that single-user machines generally utilise a single account that has administrator privileges. However, standard user accounts cannot install software that can compromise the operating system's security, so using these for family members is a sensible choice.

In the Control Panel, click 'Add or Delete User Accounts', then select 'Create New Account'. Enter a name, select 'Standard User' as its level and click 'Create Account'. The new account is added to the list of existing ones.

Click its icon and then on 'Create a Password'. Get the user to enter a password and confirm it, then press 'OK'. Now create a strong password for the administrator account to prevent the other user logging into it, instead of their own account.

2. Don't save passwords

Password saving in your web browser is convenient and means that you can't fail to remember login credentials, even after a few years. However, this convenience is also a major security risk if your computer, logged in to your account, stands a chance of being accessed by others without your knowledge.

We've witnessed a distant intruder opening the 'Saved Passwords' dialog in Firefox in an attempt to sniff around our valuable accounts. It's most unsettling.

In IE8, click 'Tools | Internet Options'. On the Content tab, click 'Settings' in the AutoComplete section. A window pops up. Unticking 'User names and passwords on forms' prevents these being stored, but if you leave it selected and instead deselect 'Ask me before saving passwords', you can keep the convenience of the browser remembering website usernames but not the associated passwords.

Clicking 'Delete AutoComplete history…" will ensure that any of your previously stored passwords are removed. In Firefox, click 'Tools | Options' and on the Security tab, deselect 'Remember passwords for sites'. However, you can protect all your auto-completed credentials using a master password by selecting the appropriate tickbox.

3. Lock your screensaver

Well-run IT departments enforce the rule that you must enter your password to unlock the screensaver, and that screensavers come on after just a few minutes of non-use. This may seem like overkill but a PC left logged into an account overnight is a gold mine to an industrial spy posing as a cleaner, or someone bent on sabotage.

Password protecting a screensaver at home is seen as a pain and is rarely implemented, but there's no reason you can't be careful.

In Windows 7, click anywhere on the desktop and select 'Personalise'. Down at the bottom right of the resultant window is the screensaver icon. Double-click this and select 'On resume, display logon screen'. It's not necessary to select a screensaver for this functionality to snap in at the time indicated (with a default of one minute of inactivity) – the logon screen simply appears.

4. Double-check security


Online security is a slippery slope – just when you think your network has found firm footing, along comes another potential threat to drag it down again. Because of this, it's a good idea to have a program such as the free version of MalwareByte's Anti-Malware handy to run an occasional extra check on top of your current regime.

After download, accept the defaults to install, update and launch the program. When the user interface appears, select a full scan, select the C: drive in the pop-up window that appears and click 'OK'. The scan now proceeds.

Don't worry that it may have found something nasty because it's likely that the threat is simply an unencrypted cookie used by more than one website, the likes of which can be used to track your progress around the web.

At the end of the scan – which can take upwards of an hour on a computer packed with files – if your security is tight, you should receive the happy news that all is well.

5. Install NoScript


Firefox users have a vast galaxy of free plug-ins to choose from, but one in particular is becoming part of the essential online security toolkit. NoScript blocks the execution of all scripts within a web page (including those served by third parties) until you explicitly say otherwise.

To install NoScript, click 'Options | Add-ons', select the Get Add-ons tab and enter the word noscript into the search box. NoScript should be the first in the resulting list of add-ons. Click 'Add to Firefox', confirm the installation in the resulting pop-up and click 'Restart Firefox'.

Basic operation is simple. When a script is blocked, the options bar appears at the bottom of the browser. Click the 'Options' button and you can selectively allow individual domains. So, surfing to Google Search will produce the options bar. Click 'Options' and either temporarily or permanently allow google.co.uk to run scripts.

You can also use the 'Options' button to remove this rather intrusive bar, in which case the NoScript icon in the bottom right can be clicked to perform the same allow or deny actions.

IE8 users also have a form of script protection in the form of the built-in XSS Filter. This is an automatic facility that consults a blacklist to decide which sites can run scripts. It's not perfect, but it's better than nothing.

6. Install all OS updates

It should be obvious that Microsoft – or your Linux distribution maintainer – isn't out to spy on you with regular, free updates to its operating systems, yet many people claim otherwise. Some people won't have any truck with an automatic operating system update, not even one that fixes a gaping hole in OS security.

As well as a disregard for the fundamental need to install and maintain even a free, basic antivirus product, this attitude (and the weakened PCs it leaves in its wake) helps evermore sophisticated malware to propagate more easily.

If you know someone like this, and they can't be persuaded to change their ways, on no account let their hardware onto your network, and treat email sent by them as being suspect. Never follow any links they send you. Castigate them until they sort themselves out.

7. Use different browsers

We all have our favourite browser, but it makes sense to spread the risk of becoming infected with an unknown exploit by downloading and using several different applications at different times. This makes sense on an aesthetic level too – some sites simply look nicer when rendered by one browser and not others. It's also a chance to check out the facilities you may be missing in other browsers.

Chrome, for example, is hungry on resources but very fast indeed, and it's by no means the only alternative to IE8 and Firefox – there are lots of other browsers available that may be better suited to your needs.

8. Don't install from unknown sites

Why would YouTube suddenly want you to install a special codec to see the hilarious video your friend apparently sent you? The short answer is it shouldn't, it doesn't, and your friend probably doesn't even know they sent you the email.

This kind of scam is becoming more easy to spot. Sites that demand you install a special codec to see a video, those that insist you need to install a 'new' version of Adobe Reader, or need to add an extension to your browser to access content are all usually trying to get you to authorise the installation of malware.

By being aware of this sneaky tactic designed to get around the Windows UAC and checking before any changes are made to the system, you can keep yourself safe, and by insisting that others use your computer only from a standard user account, you'll keep the machine safe from them too.

9. Clear your browser's cache

Browser cache

It's a little-known fact that some forms of malware don't infect your machine directly. Instead, they lurk in your browser's cache or temporary internet files folder, waiting for you to revisit a site before triggering. This is quite clever.

Having previously visited the site and apparently found yourself safe, you're more likely to dismiss what you see as being a mistake by your security software. If you instead delete your cache and try again, you can tell whether the site is infected, then you can delete the cache again and avoid the site in future. You can delete potentially risky files in IE 8 by clicking on 'Tools | Delete browsing history…'.

In the resultant pop-up window, select the tickbox next to 'Temporary Internet Files' and click 'Delete'. In Firefox, click 'Tools | Clear Recent History…'. Select 'Cache' from the list of things to delete and select a timeframe. The safest setting for this is 'Everything'. Click 'Clear Now' and the cache will be emptied.

10. Password-protect the BIOS

If you put a password on your BIOS, you add an extra level of protection to your computer that exists outside of its operating system. Though there are lists of default BIOS administrator passwords out on the web that will override this setting, there are so many different makes and sub-types that any password will slow down a determined hacker and will bamboozle a thief looking to sell your stolen laptop.

In cases of theft for resale, a BIOS password will render your secrets safe while thwarting the thief's attempts to demonstrate the working nature of the computer. In the same way that you'd never buy a TV without a remote control (indicating that it's stolen), buying a laptop or other computer from someone who doesn't have the BIOS password (or promises that it'll be along shortly) is an obvious enough no‑no that even the uneducated will avoid such a deal.

To set the BIOS password, press [F2] when your computer boots up to enter the BIOS settings. BIOS settings screens differ, but there will be a security tab. Enter a supervisor password that can be used to override the normal boot-up user password, which you should also enter.

The supervisor password is there so that even if someone guesses and changes the user password, you can still get in to change it back.


First published in PC Plus Issue 300

Liked this? Then check out How to secure your wireless network

Sign up for TechRadar's free Weird Week in Tech newsletter
Get the oddest tech stories of the week, plus the most popular news and reviews delivered straight to your inbox. Sign up at http://www.techradar.com/register

Follow TechRadar on Twitter * Find us on Facebook

Article continues below