Revisiting the WS Security Baseline: Part 1

Frequently attacked software has adherents

Lounge member Robko is not ready to give up WinMX, the peer-to-peer file-sharing program; but he wants a more reliable version of it.

His advisors in the Other Applications forum recommend not only a particular download but also a best practice — get your software from its publisher.

The following links are this week’s most interesting Lounge threads, including several new questions for which you might have answers:

Office Applications
General Productivity	Upgrading from Office 2003 to 2010
Word Processing	Need help with small Word 2002 macro
Spreadsheets	Adding Outlook alerts and email functionality to Excel spreadsheet
Databases	Recommend training for Access 2007 functions and database design?
Presentation Apps	How to automatically load template at start?
Microsoft Outlook	Sent Items confusion
Non-Outlook E-mail	Windows Live Mail error
Windows
General Windows	Using Office 2003 but getting updates for 2007
Windows 8	Apps store MIA in Win 8.1
Windows 7	Blue Screen of Death message
Windows XP	Prefetch folder: No layout.ini file being created
Internet/Connectivity
Internet Explorer	Favorites bookmark problem
Third-Party Browsers	Disappearing pinned tabs in Firefox
Networking	Need help setting up new Westell 7500 modem/router
Software Development
Web Design & Development	How to control font in Front Page HTML Page View?
Other Technologies
Security & Scams	Getting rid of SlamDunk adware
Maintenance	Recommend cloning software?
Hardware	Recommend HP mouse?
Other Applications	New WinMX version available?

starred posts: particularly useful

If you’re not already a Lounge member, use the quick registration form to sign up for free. The ability to post comments and take advantage of other Lounge features is available only to registered members.

If you’re already registered, you can jump right into today’s discussions in the Lounge.

Your mailbox, fridge, garbage bin are occupied

Animator Marty Cooper’s alter ego, Hombre McSteez, is responsible for legions of creatures who dance in refrigerators, eat the mail, vomit up cats, and perform other antics for your entertainment on YouTube and other Internet venues. Combining old and new techniques, the animator uses a Sharpie, whiteout on transparencies, and his iPhone to release his witty little monsters into the world. Click below or go to the original YouTube video.

Revisiting the WS Security Baseline: Part 1

Regular readers know that Windows Secrets discusses the importance of PC and Internet security almost every week.

But it seems many Windows users never get the message. Here are tips for safe computing in the year 2014. Pass them along.

Rebooting the Windows Secrets Security Baseline

In the Feb. 17, 2011, In the Wild column, “Windows Secrets PC Security Baseline,” we listed the minimal steps every PC user should take to protect digital information. Back then, it was a bit easier because smartphones were not quite as ubiquitous and the first iPad had been released only the year before.

In that column we listed the four key elements for online security: a hardware firewall, antivirus software, an updated browser, and up-to-date applications. To that list, add password management. All those parts are still important. But with the evolution of online threats, the baseline of PC security has risen a notch or two. In this updated Windows Secrets Security Baseline, I’ll review what’s important today. And in a follow-up story, I’ll discuss some advanced security options.

These days, we have a lot of threats and risks to consider. Now that most of us are connected to the Internet 24/7, we face fewer worms and viruses spreading from system to system, but many more zero-day attacks that come through our connections to the Web. And to make matters more worrisome, cyber attackers are now targeting the sources of our Web experience — banks, online shopping, social networks, and many more back-end services.

Given the many ways our digital world might be compromised, I’m actually going to take a step back from the original WS Security Baseline and start with the most basic protection we have at hand: backing up our systems.

Rolling Windows back to the ‘last known good’

Using backups as a security tool isn’t new. About 10 years ago, a Microsoft Security program manager (now working at Amazon) wrote an article on the ways to recover from a system breach. He argued that you couldn’t recover a hacked system with cleaning tools alone; you needed good recovery media or a trusted backup. A decade later, that advice is still perfectly valid. To be assured you have a clean system, you need to recover or rebuild it.

So again: Item one on any security baseline is to ensure you have a full, working backup — and that you can recover data from that backup.

I’m a fan of Acronis True Image (site) and Runtime’s DriveImage XML (site); both are solid backup options, and both provide the ability to back up everything on your computer to an external USB hard drive.

Reviewing the rest of the security basics

As noted, those other basic security requirements are no less important than they were three or more years ago. Here’s a summary:

• Use unique passwords and keep them safe: Given all the websites and cloud services we now use, keeping passwords is only more difficult — especially because the first rule of password security is to use a unique password for each site or account. Keeping track of numerous passwords is tough; it would seem the two choices are either to write them down (a dubious solution) or use password-management software.

  For sensitive sites such as online banking, try changing passwords at least once every 180 days — or as often as you can without driving yourself crazy. Also, select security-reset questions that can’t be guessed from information you post online.

• Run firewalls: Ensure that Windows’ built-in firewall is up and running. Also check that your router’s hardware-based firewall is active. Contrary to what some believe, the two firewalls should not conflict with each other. And what one misses, the other will probably catch.

  A properly configured hardware firewall will protect your entire home network — not just PCs, but also other potentially vulnerable devices such as set-top boxes, tablets, and network-attached printers and hard drives.

  When Comcast recently updated my home router, I was reminded that most routers use basically the same default sign-in credentials: i.e., “admin” and “password” — or some close approximation. Moreover, the firewall’s security was set to “low.” Because router settings can be a bit obtuse for the average PC user, I will cover that topic in an upcoming article. For now, just make sure that you have a hardware firewall enabled. Oh — and change your router’s default sign-in credentials if you haven’t done so already!

• Run anti-malware software: For many years I was content with a basic, full-time antivirus application and an on-demand malware scanner. Those two apps were Microsoft security Essentials and the free version of Malwarebytes Anti-Malware. But with the threats from casual websurfing getting only worse, I’ve switched to the paid, full-time version of Malwarebytes (site) — both on my home system and on others’ systems.

  There are, obviously, many other excellent anti-malware products. Sites such as AV-Comparatives and AV-TEST publish regular reports of the most popular AV products. You don’t need to buy one of the big security suites unless you want defense-in-depth and are technology-challenged.

• Keep browsers up to date: Eons ago, our only browser was Netscape Navigator. And the Net was, for the most part, a friendly place. Now it’s common to have three or more browsers installed — and you should. Chrome, Internet Explorer, and Firefox are the usual choices, but you might also want Opera (site) as yet another alternative — one that might not be as big a target for cyber attacks.

  Along with having several browsers installed, I recommend using more than one search engine. Several, such as the awkwardly named DuckDuckGo (site), promise not to use search-tracking to send you targeted ads.

  (For tips on keeping browsers clean, see this week’s Best Practices story [ERROR :: LINK TO COME], “Housekeeping tips for your Web browsers.”)

• Keep Windows and apps up to date: Windows and its associated applications might be getting less buggy, but hackers are also getting more sophisticated. So keeping your machine up to date is still a key element of online security.

  Along with system updates, take some time to remove applications you no longer need. That’s especially true for software that has a history of vulnerabilities. For example, if you don’t need Java, uninstall it; if you don’t need Silverlight, uninstall it (and ignore Microsoft’s seemingly endless offerings of Silverlight).

  Also be on the lookout for updates — Java and Adobe Flash Player, for example — that try to install toolbars and other “free offerings.” Use Secunia’s Personal Software Inspector (PSI; site) to help scan for outdated and/or unpatched software. (Note: Some overzealous security products flag PSI as malware. You can ignore the warnings.)

  Set up a limited-rights account: This might be the most overlooked security tool available to Windows users — most of whom are probably running continuously in administrator mode. That’s an opportunity for cyber attackers to take complete control of your system. Windows 7, 8, and 8.1 make it relatively easy to work in a “standard user” account and let you provide administrator credentials only when needed.

  A blog post (relatively old but still valid) showcases ways to set up both administrator and standard-user accounts. Yes, Windows’ User Account Control (UAC) can be annoying, but I don’t recommend disabling it. Stick with the default settings in Windows 7, 8, and 8.1.

  And though we might not like Win8’s Modern interface, keep in mind that Microsoft added SmartScreen technology (more info) to the operating system itself. (It’s been in IE since Version 8.) Malware downloads that Win7 might let through stand a better chance of being caught by Win8.

Baseline plus: A second machine for websurfing

You might suspect I’m in league with computer manufacturers, but I have good reasons for stating that the best form of Internet safely these days is to do casual Web browsing on a second machine — one dedicated to just that activity. Alternatively, dedicate a second system just for sensitive activities such as online banking. Some PC users set up dual-boot systems for the same purpose, but I’m not a fan of that technique. I’ve seen too many patching oddities that seem to be rooted in conflicts between the two installed operating systems.

The ideal system for casual browsing is one of the small, mobile devices such as an Android tablet, iPad, Kindle, or — if you must stick with Windows — a Windows RT device. Any of those platforms is more difficult (or less likely) to be successfully infected.

Super-geek and noted security blogger Brian Krebs recommends using a Linux boot disk when doing online banking. Great idea, but it will defeat communications between bank sites and any accounting software you might be using.

If you want additional security for online banking, I recommend installing two specialized applications on a Windows PC:

Trusteer Rapport (site): This software works with websites to block malicious keylogger programs that steal credentials. I reviewed the software in the March 7, 2013, On Security article, “Using Trusteer to enhance online-banking security.” It’s running on several of my office machines with no issues. You might check whether your bank supports and recommends Trusteer — or some other keylogger-blocking software.

CryptoPrevent (site): CryptoLocker is still a significant threat, and this software blocks viruses that include the CryptoLocker payload — even protecting the temporary folders that CryptoLocker loves to infect.

Monitoring your system for rogue software

In my office, I use two monitoring tools — Spiceworks and EventSentry — to alert me when new software is installed on my office machines. They cover any apps I’ve not authorized, including those unwanted toolbars. Note, however, that those tools are not recommended for consumer machines. I’m still looking for monitoring tools that are useful for personal systems.

For now, we’ll have to stick with the old-fashioned eyeball technique. Once a month, launch Windows’ Programs and Features applet and look for software you don’t recall installing. Sort the installed software by date. You should be safe uninstalling any applications you don’t recognize.

More tools for prevention and cleaning

A tool often overlooked is Microsoft’s Baseline Security Analyzer. MBSA 2.3 (site) is geared more toward IT admins than consumers, but it can still be useful on personal machines. I’ll cover it in detail in an upcoming article.

A more practical tool for all Windows users is Microsoft’s Enhanced Mitigation Experience Toolkit (more info). Microsoft has recommended EMET in particular for preventing Internet Explorer zero-day attacks.

Recently, fellow Security MVP Harry Waldron helped a friend clean up his system. He then posted his recommendations. The tools he mentions are designed to run from a flash drive, ensuring that they get under the installed operating system. The tools are updated regularly, so I suggest downloading them when they’re needed (assuming you have access to a second system in order to do so). To prepare for an emergency, I recommend keeping a blank external USB hard drive and empty flash drive of suitable size — so you’ll be able to move data quickly from one machine to another.

Advance computing security in Part II

In the next article, I’ll discuss advanced topics such as Web-gateway filtering and encryption. The apparent loss of TrueCrypt has left many PC users scrambling for a solution. But as noted in the June 19 Top Story, “Data-encryption alternatives to TrueCrypt,” there are a few suitable alternatives. For an adjunct to file encryption, I’ll also discuss techniques for encrypting email and remote connections back to the home network.

The Windows Secrets Security Baseline recap

If you want to give those with short attention spans the basics of PC security, send them this list.

• Step 1. Have a backup solution.
• Step 2. Use unique passwords for each site or account.
• Step 3. Have a hardware-based firewall in addition to the Windows firewall.
• Step 4. Run — and keep updated — good anti-malware software, both real-time and on-demand scanning.
• Step 5. Have alternative browsers and keep them all updated. Consider using alternative search engines.
• Step 6. Applications: Either patch ’em or remove ’em.
• Step 7. Don’t run in administrator mode; set up a standard-user account.
• Step 8. Consider using a tablet-style device for recreational websurfing.

If that seems like a lot of work, consider the time and expense of getting hacked. At a minimum, you might end up with an unwanted toolbar. On the other hand, you might have your bank accounts cleaned out and your identity stolen. Keep in mind that cyber thieves are constantly finding new ways to beat the system. Stay tuned for Part II of our series on security.

Fixing a 'program blocked by Group Policy' error

Incorrect Software Restriction settings in Windows’ Group Policy can keep you from running your own software. But there’s an easy fix.

Plus: Curing a browser History malfunction in Firefox, Secunia’s Personal Software Inspector flagged as malware, and Microsoft’s free “Mouse without Borders.”

Remove bogus program blocks from Group Policy

Reader Neil McPherson has a really annoying problem. He can’t install software on his own PC!

• “On a number of occasions, my attempts to install new programs in Windows 7 Professional have been blocked with this error message: This program is blocked by Group Policy. For more information, see your system administrator.

  “How can I unblock my PC for all programs?”

The most common reason for this error message is a change in your PC’s Software Restriction Policies (SRP). It’s a Windows feature often used in businesses to lock down PCs; it helps ensure that only licensed and known-safe software runs.

Microsoft formally describes SRP as a “Group Policy–based feature that identifies software programs running on computers … and controls the ability of those programs to run. You use software restriction policies to create a highly restricted configuration for computers, in which you allow only specifically identified applications to run.”

SRP’s extensive blocking capabilities include software type, version, publisher, and user level (e.g., administrator vs. standard user). It can also block programs by location on your hard drive, by associated security certificates, and even by Internet zone (for downloads).

If you’re locked out of your own PC and you didn’t knowingly make any SRP changes, then one or more of your PC’s SRP settings might have been changed by accident, by malware, or by third-party software.

For example, some malware actively tinkers with the SRP settings to prevent anti-malware tools from installing or running properly. And some third-party security tools — such as Symantec’s Endpoint Protection — might interact with SRP, leading to unexpected results.

You can review your PC’s Software Restriction Policies via the Group Policy Editor, a tool included in business-class versions of Windows: Vista’s Business, Ultimate, and Enterprise editions; Windows 7’s Professional, Ultimate, and Enterprise editions; and Windows 8’s Professional and Enterprise editions.

As is usual with Windows tools, there are several ways to access the Group Policy Editor and the SRP settings. Here’s one:

• In an admin account, open Local Group Policy Editor.

  Vista and Win7: Click Start and then type gpedit.msc into the search box. Press Enter.

  Win8: Type gpedit.msc on the Start screen, then click the gpedit icon when it appears.

• In Local Group Policy Editor’s left pane, click Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Software Restriction Policies (see Figure 1).
  

  Figure 1. Windows' Software Restriction Policies lets you limit what a program can do — or even prevent it from running at all!

The right-hand pane of Software Restriction Policies will display the software restriction policies that are in effect — or you’ll see a notice stating No Software Restriction Policies Defined. It’s not unusual for personally managed PCs to have no SRP settings defined.

If any software restrictions are set, you can remove them all via the Delete Software Restriction Policies option. That should remove whatever bad setting is causing your software blockage.

It’s easy to do. Click the Action menu in the Group Policy Editor’s toolbar and select Delete Software Restriction Policies — if it’s there (see Figure 2). Follow the prompts and reboot. (Note: Always make a system backup before altering SRP — or any other important system settings.)

Figure 2. An option in the Action menu deletes all policy settings, returning Software Restriction Policies to its default state.

If you want to be a bit more selective, you can also step through the SRP settings one by one to look for whatever might be causing the unwanted block.

Note that there are over three dozen individual, “default,” SRP items and settings — too many to cover here. But you can learn more about any particular setting by right-clicking it and selecting Help from its Properties menu. Or click Help in the Policy Editor’s menu bar. Additional resources are listed below.

Whichever method you choose — an all-at-once reset or tweaking individual items — you should be able to remove whatever is preventing your software from installing or running properly.

Additional Microsoft SRP resources:

• “Software Restriction Policies” (TechNet page)
• “Administer Software Restriction Policies” (MS TechNet page)
• “Troubleshoot Software Restriction Policies” (TechNet page)
• “Software Restriction Policies technical overview” (TechNet page) Includes a useful “Best Practices” section
• “Software Restriction Policies technical reference” (TechNet page)
• “This program is blocked by group policy” (Microsoft Forums thread): an example of an SRP problem caused by third-party software — in this case, Symantec Endpoint Protection
• “Programs blocked by Group Policy” (Microsoft Community thread): an example of an SRP problem caused by malware

Restoring a lost History function in Firefox

Ronald Kaplan’s Firefox History function died.

• “The version of Firefox on my Win7 laptop is no longer saving my Web-browsing history.

  “When I click History/Show All History in Firefox 29.0.1, the date for the most recent entry is from a month ago.

  “Can you explain why Firefox has stopped saving my browsing history — and how I can make Firefox resume saving it?”

The most common reason for browser trouble is an incompatible third-party toolbar, extension, or add-in.

The usual cure is simple: reset your browser. This removes all toolbars, extensions, and add-ins, and it restores the browser’s default settings.

Once your browser is working properly again, put back the toolbars, extensions, and add-ins one at a time, testing the browser after each is installed. Keep an eye out for the one causing trouble.

It’s easy to reset Firefox:

• Click the menu icon (three horizontal bars) and then the help icon. Next, click Troubleshooting Information. (If you’re having difficulty getting there, enter about:support in the address bar.)
• Click the Reset Firefox button in the upper-right corner of the Troubleshooting Information page.
• Click Reset Firefox in the confirmation dialog.
• Firefox will close and be reset.

If you need additional help with resetting, please see the Mozilla support page, “Reset Firefox to its default state.”

If a reset doesn’t help, try the repair methods described in the support page, “Firefox is not saving history even with remember history preference turned on.”

If that still doesn’t help, you can force Firefox to rebuild its entire history subsystem by following the instructions on the support page, “Fix ‘The bookmarks and history system will not be functional’ error message.”

And, if even that doesn’t work, I suggest you completely uninstall Firefox, run a good Registry cleaner, reboot Windows, and then download and install a fresh copy of Firefox.

But odds on, a simple reset will do the trick for you.

(By the way, all major browsers offer similar reset options. See, for example, Microsoft Support page 923737, “How to reset Internet Explorer settings” or Chrome support page 3296214, “Reset browser settings.”)

Is Secunia Personal Software Inspector malware?

James Ryder has heard conflicting opinions about Secunia Personal Software Inspector (PSI).

• “I have seen Secunia advertised as a great help for keeping programs up to date; I’ve also seen articles saying that it’s a form of malware/spyware and dangerous. What is your opinion?

I run Secunia PSI (free; site) on my own personal-use PC. I’ve seen nothing to suggest it’s anything other than a completely legitimate and useful security patch management tool.

PSI periodically scans your system’s software to identify programs in need of security updates (that is, programs for which new security updates have been released). If it finds software that lacks current security updates, PSI can download and install the latest versions for you — or you can handle the updates manually.

Keep in mind that PSI checks only for security updates; it doesn’t check for general, nonsecurity fixes and enhancements.

Because PSI can scan your PC and make changes if you allow it, some other security tools might identify PSI as either malware or potential malware. I consider this a false positive.

There’s also another reason why some copies of PSI might be flagged as malware. Hackers sometimes take legitimate software and modify it for some nefarious end, such as adding a Trojan/malware payload. The hackers then release the altered software via third-party sites, where unwary users will download and install the infected software, thinking it’s the real thing.

Your best bet for avoiding altered downloads is to get your software directly from a software publisher’s site. If the publisher is reputable, the odds of a third-party infection are extremely low.

PSI is free and I recommend it. Download it from the official site.

Microsoft’s free “Mouse without borders” tool

In the June 12 LangaList Plus item, “Keyboard/Video/Mouse switch doesn’t play nicely,” I suggested using Remote Desktop as a KVM alternative.

Steve Walker has an alternate suggestion that can work great for physically adjacent PCs.

• “There’s a nice Microsoft Garage solution to this issue. It’s called Mouse without Borders [free; site], and I’ve used it for many years. It appears to work with all versions of Windows.

  “I currently use it to work across three machines running Win7, Win8, and Win8.1. The software lets you copy text, drag-and-drop files, and so forth across screens, from one computer to the next.”

Thanks, Steve!

Mouse without Borders lets you control up to four adjacent computers from a single mouse and keyboard. In effect, it treats the separate screens as if they were one, large, segmented screen. When you move your mouse to the edge (or border) of a PC’s screen, the mouse doesn’t stop. Instead, it seamlessly jumps to the screen of the next PC in line. This means you can use one mouse and keyboard to control multiple PCs — plus copy or move text and files between them.

The main limitation of Mouse without Borders is that the PCs have to be physically adjacent, with all screens visible at the same time. With Remote Desktop (and similar remote-control software applications), the PCs can be anywhere — adjacent, in the next room, or halfway around the world.

Also, as you state, Mouse without Borders is a Microsoft Garage project. It’s software produced by Microsoft employees on their own time. That means Garage projects are not vetted like full-blown, official, Microsoft software.

Some Garage projects do become real products. For example, OfficeTalk (a business-oriented messaging/microblogging tool) started in the Garage but ended up incorporated into SharePoint services and the Windows Phone. (See Microsoft OfficeTalk info.)

Other Garage projects, such as Mouse without Borders, are released as standalone programs, but they do not include Microsoft support. Often the software is supported by volunteers on non-Microsoft messaging boards, such as the Mouse without Borders support forum.

That said, a “Garage” designation — or the lack of Microsoft support — doesn’t mean the software isn’t good. Mouse without Borders does what it says it will, and it’s free. But, again, it’s not a standard, official, Microsoft software offering.

For more information on Mouse without Borders, see its download page. For more information on Microsoft Garage, see the MS article, “The Garage: Microsoft’s 24-hour idea factory.”

Housekeeping tips for common Web browsers

Browser developers might squabble over whose product is the most popular or most secure, but these days any browser we use is our most-used application.

Staying secure on the Net requires not only keeping browsers up to date but also regular housecleaning of caches, plugins, and some troublesome apps.

Our online presence demands ever-increasing vigilance against intruders on our systems. No doubt you’ve had the experience of installing a desired program but then failing to see the prechecked box that installs an additional program. Before you know it, you’ve got more crapware taking up system resources — or worse.

Acquiring potentially unwanted programs

Those tag-along apps, commonly referred to as potentially unwanted programs (PUPs), are nearly ubiquitous with free software downloads. And they come not just from small software companies trying to generate revenue with PUP offers, they’re included as well with major products such as Adobe Flash Player and Oracle’s Java.

In many cases, PUP offers are small, easily overlooked checkboxes. Worse, some PUP downloads are revealed only when you select a custom installation option. And though these tag-along apps might not be malware, they can be difficult to remove.

The PUPs of concern for this discussion are those that make changes to our browsers. They might change your homepage setting, add unwanted toolbars, change your default search engine, or worse. For example, McAfee Security Scan Plus, typically bundled with Flash Player (see Figure 1), does no real harm but does take up some system resources. On the other hand, Oracle’s Java installer could include the more intrusive Ask Toolbar (Figure 2).

Figure 1. The Flash Player installer includes the often unwanted McAfee Security app.

Figure 2. When updating Java, you have to watch for the pre-checked box for the Ask Toolbar, which will also change your default search engine.

Given the amount of time most of us spend on the Internet, keeping our browsers clean should be a regular part of our system maintenance. Most of that task requires only a fairly simple, three-step process. Here’s how to do it in the big three browsers running on Windows 7 and 8.x.

Managing browser add-on apps and tools

Depending on the browser you’re using, add-ons come with various names such as plugins, extensions, add-ins, and (of course) add-ons. According to Mozilla, Firefox plugins help the browser display content, such as playing media. Extensions add new functionality to the browser.

Whatever they’re called, all good add-ons are designed to be easily added and removed (though in most cases, completely removing an add-on requires restarting the browser). You might be surprised by the number and variety of add-ons you’ve accumulated over time.

Google Chrome: Click the Chrome menu (three-bar icon, upper-right corner of the browser window) and select Tools/Extensions. On the Extensions page, you’ll see all installed add-ons, with checkboxes indicating whether they’re enabled (Figure 3). There is also a trash can to the right of each add-on: when clicked, it will delete that extension.

Figure 3. Chrome's extensions manager has a simple interface for enabling, disabling, and deleting installed add-ons.

If you want to get more add-ons, click the Get more extensions link at the bottom of the Extensions page. The link takes you to the Chrome webstore.

Mozilla Firefox: As previously mentioned, Firefox divvies its add-ons into extensions and plugins. So if you’re looking for a particular add-on and don’t find it in the Extensions list, look in Plugins. To manage Firefox add-ons, click the three-bar icon and select Add-ons.

Extensions can be enabled, disabled, or removed. Some extensions are also customizable; you might see an Options button along with the standard buttons (see Figure 4).

Figure 4. Firefox's extensions manager is easy to use and includes options for how extensions are updated.

Items in the plugin list are managed a bit differently. Options include Ask to Activate, Always Activate, or Never Activate. For the most part, these add-ons are installed by third-party applications — such as Adobe Acrobat and Microsoft Office — on your system.

Internet Explorer 9 and later (Win7 and 8.x): Click the Gear icon (upper-right corner of IE) and select Manage add-ons. In the popup window, click Toolbars and Extensions in the left column (Figure 5). Click the add-on you wish to manage and then press the Enable/Disable button on the lower-right corner of the window. You can also simply right-click the add-on and make your change. Click Close when you’re done. You’ll find more IE add-ons at Internet Explorer Gallery (site). Note: To remove some third-party add-ons, you must use Windows’ software-uninstall tool; removing other add-ons requires resetting IE — but you can do so without losing your stored passwords and related data.

Figure 5. IE's add-ons manager lets you enable or disable browser extensions, but not delete them.

Some PUPs require more thorough extermination

The most annoying PUPs are those that so insinuate themselves into your system that they seem impossible to remove. One of the more notorious, for example, is the Ask.com toolbar that often rides along with Java installs.

Yes, we know now that Java has a history of malware vulnerabilities, and it’s best not to have it on our systems. But there are still too many useful third-party Web apps that require Java to run properly. So we must be vigilant about keeping Java updated. Unfortunately, that small checkbox that also offers to install the Ask.com toolbar is easy to miss.

Removing a PUP-like Ask.com from your default browser (and possibly any other browsers on your system) is a multistep process. Start by closing all browsers. Then open Windows’ application uninstaller — Control Panel/Programs and Features.

In the Uninstall or change a program list, find and remove all references to Ask.com; right-click each one, and then select Uninstall. When that’s complete, reboot your system and open your default browser. Using the step for managing your add-ons noted above, remove all instances of Ask.com from the Extensions tab. Repeat this process with all other installed browsers.

When removing PUPs such as Ask.com from Chrome, it’s especially important to start with Windows’ uninstaller. If you don’t, you’ll not be able to fully remove the extension in Chrome.

Making everything old new again: Even after completing this deep cleaning, PUPs such as Ask.com might remain tenaciously set as the default search engine. Restore your preferred search engine using the following steps.

Chrome: Select Settings from the three-bar icon and then scroll down to the Search section. Use the drop-down button to quickly set the default search engine (see Figure 6). Or use the Manage search engines button to add, remove, or change settings for search engines (Figure 7).

Figure 6. Setting Google as default search engine in Chrome

Figure 7. The Search engines page lets you manage search sites used by Chrome.

Firefox: Select the small down arrow in the search box at the top of the browser window. Click the Manage Search Engines option and make any needed changes. If an unwanted search engine is proving particularly troublesome, you might try the SearchReset (site) add-on. It returns Firefox to its default search engine and homepage — and then uninstalls itself.

Internet Explorer: Select the gear icon and then Manage add-ons. Click the Search Providers section and remove or disable unwanted search engines (see Figure 8). Then set the default search engine in the Listing order column. While you’re there, click the box near the bottom of the windows to enable “Prevent programs from suggesting changes to my default search provider.”

Figure 8. IE's comprehensive search-engine manager

If all else fails, you might have to completely reset your browser. Check out your browser’s documentation for instructions.

Cleaning out your browser’s storeroom

By default, all major browsers keep snapshots of webpages you’ve visited on your hard drive. When you revisit a site, loading cached pages into the browser is always faster than downloading them. Each browser sets aside a certain amount of cache storage space and works on a first-in/first-out basis — as the cache becomes full, older pages make room for the newer ones.

Occasionally, the cache prevents new or updated content from loading properly — or causes other problems with live content. For that reason, it’s good to clean out the cache from time to time. You might also want to adjust the cache size, depending on how much free hard-drive space you have. Here’s how to clear and/or resize the cache in Chrome, Internet Explorer, and Firefox.

Chrome: Click Chrome’s three-bar options icon and select Tools/Clear browsing data (or use the address-bar shortcut: chrome://settings/clearBrowserData). See that the box next to “Cached images and files” is checked. Finally, click the Clear browsing data button.

You can, of course, delete other categories of browsing data at the same time. If you want to be even more selective about what browsing data gets deleted, use the Obliterate the following items from: button (see Figure 9).

Figure 9. Chrome makes it easy to selectively clear browser data — but difficult to change cache size.

Unlike most other browsers, changing the cache size in Chrome requires some minor hacking. You open its properties in Windows and, in the Shortcut/Target field, add {space}–disk-cache-size={size in bytes} after …\chrome.exe. If you think changing Chrome’s cache is worth the effort, a Google search will give you more on how to do so.

Firefox: Firefox offers two ways to clear its cache. Method one: Select History/Clear Recent History from the title-bar menu (or click Ctrl + Shift + Delete). Click the Details drop-down menu caret. Again, make sure that only the Cache box is checked. In the Time range to clear box, select Everything (Figure 10). Click the Clear Now button to finish.

Figure 10. Like Chrome, Firefox makes it easy to selectively delete collected browser information.

Method two: Click Tools/Options (or click Options from Firefox’s three-bar menu icon). Select the Advanced section and click the Network tab. In the Cached Web Content section, click the Clear Now button. You’ll also find the setting for cache size in this section. By default, Firefox set the cache to 350MB on most systems.

Firefox also has an application cache: “Offline Web Content and User Data.” This is information that websites store on your PC and that you might want to access when offline. You’ll want to check and clear this setting, too.

Internet Explorer 9 or later: Click the gear icon, select Safety (or use shortcut, Ctrl + Shift + Delete), and then click Delete browsing History. If you want to clear just the cache, check only the box next to Temporary Internet files and website files (see Figure 11). Uncheck all other boxes, especially the top one — Preserve Favorites website data. Click the Delete button at the bottom of the Delete Browsing History window.

Figure 11. IE's tool for removing Web-browsing information is comparatively basic.

IE’s cache size defaults to 250MB. To adjust the allotted space, click the gear icon, select Internet options, and, under the General tab, click the Setting button in the Browsing History section. Look for the Disk space to use setting under the Temporary Internet Files tab (Figure 12).

Figure 12. IE's tool for setting cache size

When to do your housecleaning: As stated above, cleaning up your browsers should be a regular part of your Windows maintenance routine. Run through them every month or so. But check your browsers carefully whenever you install free software that might contain PUPs.

Review: Microsoft's Surface Pro 3 tablet

Microsoft’s third-generation tablet is rolling out with more configurations, a larger screen, and other worthy enhancements.

The old adage about “third time’s the charm” with Microsoft products would seem to apply to its just-released Surface Pro 3.

Succumbing to the ‘new model’ syndrome

Let me get something off my chest right away — I’m feeling a little ripped off. Barely six months ago, I plunked down a bunch of money for the Surface Pro 2. And I was really happy with it … until Microsoft announced the Surface Pro 3. Surely Microsoft knew last November that it had an even better product so close to market! But then that’s the rub with many products — especially digital devices.

Still — a bigger screen, a bit more memory, and additional storage proved too tempting. I gave the Surface Pro 2 to my son and plunked down a bunch more money for the Surface Pro 3 (more on that shortly).

With that said, I’ll suspend my personal angst and move on to evaluating what Microsoft has delivered with the Surface Pro 3.

Yes, just as Microsoft touts, many users really can use the Surface Pro 3 (info page; see Figure 1) as both a tablet and their one-and-only laptop. Add on a docking station, and many users can even dispense with their desktop computers. (For a personal take on living with a combo tablet/laptop, check out fellow contributor Lincoln Spector’s April 3 story, “30 days of working and living on a Win8 laplet.”)

Figure 1. The new Surface Pro is thinner and lighter than its predecessor — but it also has a bigger screen, making it easier to get real work done.

As with the Surface Pro 2 — and unlike iPads and most other tablets — the Surface Pro 3 offers the power and features needed to perform serious computing work. To begin with, it has a full, standard version of Windows 8.1 — not the far more limited Win8.1 RT. The tablet’s maximum 8GB of system memory and a 512GB SSD puts it on a par with many laptops and common desktops.

Ports are, of course, another matter. As with its predecessor, the Surface Pro 3 has just one USB 3.0 port. If you need more USB connections for a mouse, full-size keyboard, and/or external hard drive, you’ll want a docking station or USB hub.

Evolutionary: Small — but useful — changes

Most of the Surface Pro 3’s enhancements are relatively small changes, but taken together, they add up to a computing experience that’s significantly different from that of the Surface Pro 2.

Display: If you set the Surface Pro 2 and Surface Pro 3 side by side, the most immediately noticeable difference is the newer model’s larger display. Going by the numbers, the increase from 10.6 inches to 12 inches is 13 percent. But (for me at least) the extra space makes a huge difference when creating and editing documents. The Surface Pro 2’s smaller screen is fine when working with one application. But it’s a challenge cutting and pasting data from the Web or between multiple documents. Surface Pro 3’s display is just large enough to make working with two or more open applications practical.

Microsoft also bumped up the Surface Pro’s screen resolution from 1920 by 1080 pixels to 2,160 by 1,440 pixels. That’s good for viewing photos and media, but it made the text on some websites a little difficult to read. If you want to connect an external monitor, you can do so via a Mini DisplayPort connector; depending on the cable you use, it supports both VGA and HDMI monitors.

Size and weight: Thinner and lighter is seemingly a required feature in new mobile devices. What’s not to like about a tablet that gives you a bigger screen with no additional weight? With Version 3, Microsoft’s tablet shaved off over two-tenths of a pound, down to only 1.76 pounds. It’s also thinner, measuring just .36 inches thick compared to .53 inches for the Surface Pro 2.

An interesting side note on the thin size: It might make the device even more difficult to service than Version 2. Do-it-yourself repair site iFixit regularly publishes online guides for servicing digital devices. Its popular Teardown series shows how to open devices to reveal what’s inside, and the iFixit techs are very good at what they do. But as noted in their Surface Pro 3 Teardown report, they broke the screen when opening the case. They noted that Microsoft’s device, like most other tablets, is held together with lots of very sticky tape. (You might want to purchase a good case for your tablet, if you haven’t done so already.)

Choice of processors and storage: With the Surface Pro 3, Microsoft now offers its tablet with an Intel Core i3, i5, or i7 processor. (Version 2 came equipped only with the Core i5 processor.)

Not surprisingly, the amount of system RAM and drive size are tied to the processor. For example, units with the Core i3 processor have 8GB of RAM and just 64GB of storage. On the other hand, the Core i7–equipped models have 8GB of RAM and either 256GB or 512GB of storage. That undoubtedly helped Microsoft lower the price of the base model to U.S. $800.

If you need more storage, you can add another 128GB by inserting a microSD card.

Keyboard and touchpad: The optional Type Cover 3 ($130) bears a strong family resemblance to the cover/keyboards sold for the Surface Pro 2. Both covers have the same felt-like texture, the same strong magnetic attachment, and the same keyboard layout. But Microsoft did make a few improvements. The touchpad, for example, is larger and has a smooth surface, making it much more comfortable and usable. (That said, I still prefer to turn the touchpad off, because frequently I inadvertently move the cursor to an unintended location. You disable the touchpad by calling up PC Settings from the Start screen, selecting “PC and devices,” and then selecting “Mouse and touchpad.”)

The Type Cover 3 also offers noticeably better tactile feedback and key travel than its predecessor. That’s resulted in fewer typos — always a good thing for a writer. Microsoft has also added an extra magnetic fold along the top of the keyboard so users can give it a sight up-angle. That makes typing a bit more comfortable, though the whole unit tends to slide more on, say, a lapdesk.

Friction kickstand: The Surface Pro 2’s kickstand has just two positions. But for Version 3, Microsoft designed a new friction kickstand that you can adjust to any position, up to 150 degrees. This might not seem like a big deal, but it really does help reduce screen glare; it also lets you get the most comfortable angle when attempting to work at 30,000 feet.

N-trig stylus: Microsoft has replaced the Surface Pro 2’s single-button Wacom stylus with a 3-button model made by N-trig. The new stylus/pen also offers pressure sensitivity — important for tasks such as illustrating, where pen pressure sets line thickness.

The pen has a good feel and weight; it was also noticeably more responsive on the display, having less latency than I experienced with the Version 2 pen.

Microsoft has made some interesting assumptions about how the pen will be used. For example, clicking the top button on the pen immediately opens a black page in Microsoft’s OneNote, where you can start scribbling notes. The tablet’s handwriting recognition is surprisingly good, even if you have handwriting as poor as mine (see Figure 2). I can easily take meeting notes — without the distraction of a keyboard — and then quickly convert my notes to text later in the day when I have the keyboard connected.

Figure 2. To turn hand-written notes into typed text, you simply lasso the notes with the pen and select Ink to text from the Draw menu.

Clicking and holding the upper button on the pen’s side lets you select objects in OneNote. The bottom side button turns the pen into an eraser. Unfortunately, that’s the extent of button functionality for OneNote at this time. However, N-trig offers drivers (site) that customize the buttons for other applications such as some Adobe Creative Suite apps.

Videos at 1080p: Microsoft must have gotten an earful from customers who were unimpressed with the Surface Pro 2’s 720p videocam resolution. Both the front and back cameras have been upgraded to 1080p. Both cameras also take 5 megapixel still images (relatively standard for tablets).

Future-proofing wireless connectivity: As with most very new mobile devices, the Surface Pro 3 supports 802.11ac wireless. (The Surface Pro 2 uses 802.11n.) There are not many wireless networks using the new 802.11ac standard yet, but it’s nice to know that you’ll be getting better connectivity when you — or your local Starbucks or airport lounge — upgrade routers.

Bottom line: Choosing price and power

As with the Surface Pro 2, the Surface Pro 3 is way too expensive for simple computing activities such as surfing the Internet, doing a little e-mail, or watching Netflix in bed. But for serious work outside the office, the Surface Pro 3 is up to the task.

As noted above, the Surface Pro 3 comes in a variety of configurations, starting at $800 and going up to $1950 for the Core i7 model with 8GB of RAM and 512GB of storage. That gives you a wide range of price/power options. (Again, the keyboard/cover is an additional $130.) If you work in a Microsoft-centric world of Windows 8 computing, the Surface Pro 3 will run all standard Windows apps, and it should hold up to all but the most resource-demanding types of work.

As with all tablets and most laptops, you can’t upgrade the Surface Pro after you buy it. The best policy is to buy a bit more power than you think you actually need. Note: At the time of this writing, the Microsoft site listed the base and top-end models of the Surface Pro 3 as “pre-order.”

Another final consideration: As the iFixit site demonstrated, repairs after the warranty period are virtually out of the question — most of the device’s parts are solidly glued together.

10 tips to optimize the Surface Pro 3

In the Nov. 14, 2013, Best Hardware review of the Surface Pro 2, I included 10 tips for getting the most out of your Win8 tablet. Here they are again, with a few changes for the Surface Pro 3.

• Free up space by moving the recovery partition: Surface devices come with Windows recovery information that allows consumers to quickly restore the computer to factory condition. This information is stored in a separate partition. Moving this data to a USB will free up valuable storage space. Just remember to keep that USB in a safe place, because if you run into a problem you’ll need it to reset your Surface. Detailed instructions for creating a recovery drive are available on an MS Support page.
• Pack a USB 3.0 hub in your briefcase: Most of the time you won’t need it. (The Surface Pro 3 supports Bluetooth, but your Bluetooth-based mouse might have an adapter that takes up the computer’s one USB port.) However, there will be times when you’ll want to attach an external drive, a memory stick, or some other USB-based device.
• Format a MicroSDXC card for libraries: The Surface comes with a MicroSDXC slot that you can use for up to 128GB of storage. But to use this storage with Windows libraries, you need to format the card as NTFS and use the Disk Management tool to mount the drive. (Disk Management is a bit hard to find. Go to Control Panel/Administrative Tools/Computer Management and look under Storage.) Once you’ve formatted the card, create a new folder on the Surface and then right-click the card in Disk Management; select Change Drive Letter and Paths and map the card to the new folder.
• Use a Bluetooth mouse: OK, this one’s sort of obvious. But that USB port is just begging to be used for a mouse. I like Microsoft’s Arc Touch mouse. You turn off the mouse by flattening it, which also makes it easy to slip into your briefcase or pocket. Oh, and turn off the touchpad if you’re opting for a mouse. Again, I found I often inadvertently touched the pad, causing all kinds of unpredictable behavior.
• Use cloud storage: Microsoft is not offering free OneDrive storage as it did with the Surface Pro 2. But it still makes a lot of sense to use cloud storage to minimize the demand on local storage. And if you sync the cloud storage to local storage on your desktop (or to an attached external drive), you’ve also got safe, off-site backup for your important files.
• Charge your phone from the power supply: Many users may not immediately notice the USB port on the Surface’s power supply. It doesn’t connect to the computer, but it does allow you to power USB-connected devices such as your smartphone. And the power provided by this port is generally stronger than what you get with a USB hub.
• Hook up to a monitor with DisplayPort: Duplicate or expand the Surface Pro’s 12-inch display to a larger desktop monitor. Expect to pay $25–$40 for an adapter cable.
• Practice with the stylus/pen: As noted above, handwriting recognition is really quite good — even with my scratchy penmanship. Why would I want to use this feature when I find it so much easier — and faster — to type? The pen is great for taking notes in meetings, where a keyboard might be obtrusive or inconvenient. You might also consider purchasing an extra pen to keep in your briefcase. Although the pen can be magnetically attached to the power port when you’re traveling, it’s all too easy to knock off and lose.
• Get a USB 3.0 Ethernet adapter: If you must often work in locations with unreliable or unsecure Wi-Fi, Ethernet might be your best option. And though the Surface Pro 3’s 802.11ac connectivity should provide excellent performance when available, Ethernet will be faster than the fallback 802.11n.
• Configure your ribbons: All Office applications let you hide the ribbon entirely for more workspace. You control this by clicking on the icon between the Help and Minimize icons in the upper-right corner.