System Updates
Make sure you have the latest Windows and other Microsoft updates installed. Security researchers uncover new vulnerabilities in Windows components almost weekly, so make sure automatic updates are on, or visit Windows Update regularly. Also make sure you have the latest Service Pack installed - XP SP3, Vista SP2, Win7 SP1 and Windows 8.1. Viruses and worms can take advantage of vulnerabilities in Windows components to infect your system if you aren't up to date. Even if you use a pirated version of Windows, you can still turn on automatic updates.
XP, Vista and Windows 7 / 8 all come with Windows Update, but you can opt-in to use Microsoft Update which is essentially Windows Update with additional updates for other MS software (Office, Visual Studio, etc). I recommend you enable this by going to Windows Update and following the links to Microsoft Update.
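As an added example (not part of the original guide), the script below uses the Windows Update Agent COM objects to do from a PowerShell prompt what the two paragraphs above describe: report whether automatic updates are switched on, opt the machine in to Microsoft Update, and list the updates that are still missing. The service ID passed to AddService2 is the one Microsoft publishes for Microsoft Update; the ClientApplicationID string is an arbitrary label. Run it from an elevated prompt.

```powershell
# Added example, not from the original guide. Uses the documented Windows Update Agent
# COM objects to (1) report whether automatic updates are on, (2) opt in to Microsoft
# Update and (3) list software updates that are not yet installed.

function Get-AutoUpdateStatus {
    $au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    # NotificationLevel: 0 = not configured, 1 = disabled, 2 = notify before download,
    # 3 = notify before install, 4 = scheduled (fully automatic) install
    $level = $au.Settings.NotificationLevel
    [PSCustomObject]@{
        NotificationLevel = $level
        Automatic         = ($level -eq 4)
        LastSearch        = $au.Results.LastSearchSuccessDate
        LastInstall       = $au.Results.LastInstallationSuccessDate
    }
}

function Enable-MicrosoftUpdate {
    # 7971f918-a847-4430-9279-4a52d1efe18d is the service ID Microsoft documents for
    # Microsoft Update. Flags 7 = AllowPendingRegistration | AllowOnlineRegistration |
    # RegisterServiceWithAU, so Automatic Updates starts using it as well.
    $sm = New-Object -ComObject 'Microsoft.Update.ServiceManager'
    $sm.ClientApplicationID = 'hardening-guide-example'   # arbitrary label, an assumption
    $registration = $sm.AddService2('7971f918-a847-4430-9279-4a52d1efe18d', 7, '')
    $registration.IsPendingRegistration   # $false once the opt-in has completed
}

function Get-MissingUpdates {
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    # Software updates that are neither installed nor hidden by the user
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [PSCustomObject]@{
            Title    = $u.Title
            Severity = $u.MsrcSeverity          # Critical / Important / Moderate / Low / empty
            KB       = ($u.KBArticleIDs -join ',')
        }
    }
}

Get-AutoUpdateStatus
Enable-MicrosoftUpdate | Out-Null
Get-MissingUpdates | Sort-Object Severity | Format-Table -AutoSize
```

If Get-AutoUpdateStatus reports Automatic = False, turn automatic updates on in the Windows Update control panel before relying on the rest; the missing-update search is the same query the Windows Update client runs, so it can take a minute on a machine that has never checked in.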
Anti-Virus
I'm not a big fan of anti-virus software since it tends to lag behind the viruses in detection and can cause performance and compatibility problems, but it helps a little bit. I generally recommend ESET products if you really need some form of anti-virus. Make sure you let it auto-update; an out-of-date anti-virus is useless. Modern viruses are becoming extremely difficult to detect and remove, so it's important to follow the steps in this guide to try to avoid becoming infected in the first place.
Keep in mind that 3rd party anti-virus software can slow your PC down and introduce disastrous security holes.
Firewall
Windows firewall is all you need. Most of you will be behind a NAT router which prevents incoming connections to your PC anyway without port forwarding, but as IPv6 uptake in the near future takes off, NAT will slowly die and your PC will have a public IP address. Windows firewall simply stops programs from accepting connections from the Internet unless you allow them, so if there are vulnerabilities in any networked programs, worms and viruses can't exploit them.
Some of you may think you need a more advanced 3rd party firewall that blocks programs from initiating connections, but if you need this then you've already failed. If a program you don't trust is already executing code on your PC then you lost the battle to begin with. Also, 3rd party firewalls themselves can expose your system to risk: there is a long history of firewall software that contains exploitable vulnerabilities, as well as bad coding that can cripple your PC's performance or cause random crashes, network issues or similar errors.
DEP (Data Execution Prevention)
DEP (or NX as it's sometimes called) prevents computer code from executing from areas of memory that are marked as containing only data. This has been around on modern CPUs for a while but by default Windows will only apply DEP to Windows programs and services. Since web browsers, plugins, IM clients, etc are all common vectors for viruses and malware, it is a very good idea to have DEP apply to all programs as it mitigates a large number of attacks. That WMF exploit that infected people just by visiting a website? Blocked by DEP. That Warcraft 3 custom map exploit? Blocked by DEP. Those are just two examples I've personally tested. It's a great preventive measure that everyone should have enabled.
To enable DEP (procedure might be slightly different for Vista / Windows 7), right click My Computer, Properties, Advanced, Performance, Settings, Data Execution Prevention, and tick "Turn on DEP for all programs and services". Contrary to some reports, enabling DEP will not slow down your PC.
There may be old programs that rely on executing code from data memory that have not been updated for DEP compatibility. If you encounter a DEP violation, you will see a popup saying "To help protect your computer, Windows has closed this program". From that dialog you can add an exception, but only do this if you are sure the program is at fault (eg, by repeatedly being able to cause the DEP error yourself). If you are browsing the web and suddenly get a DEP violation, chances are something just tried to exploit your browser or a plugin so you would definitely not want to add an exception!
3rd party addons to programs can also cause DEP violations, eg if after enabling DEP you find your browser immediately exits with a DEP error, try disabling any plugins / addons or make sure they are all up to date. Windows Explorer also loads addons (shell extensions), so if you find Explorer is exiting with DEP violations and you feel comfortable with advanced tools, you can use AutoRuns to list your shell extensions and disable any problematic ones.
Despite the two paragraphs of compatibility warnings, 99.9% of you will have zero issues after enabling DEP, so don't be afraid.
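To check the outcome of the DEP steps above without clicking through the dialogs, here is an added example (my script, not from the original guide). It reports the system-wide DEP policy from the Win32_OperatingSystem class, prints the bcdedit command that switches Windows to "opt-out" mode (DEP for all programs, which is what the tick box sets) when it is not already set, and lists every per-program exception that has been added through the "Windows has closed this program" dialog, since those are stored as a DisableNXShowUI compatibility layer in the registry. The policy names in the hashtable are the documented values of DataExecutionPrevention_SupportPolicy.

```powershell
# Added example, not from the original guide: audit the DEP configuration described above.

function Get-DepPolicy {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    # DataExecutionPrevention_SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'
                2 = 'OptIn (Windows programs and services only)'; 3 = 'OptOut (all programs)' }
    [PSCustomObject]@{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        Policy               = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
        AppliesTo32Bit       = $os.DataExecutionPrevention_32BitApplications
    }
}

function Get-DepExceptions {
    # The DEP dialog records a per-program exception as the "DisableNXShowUI" layer under
    # AppCompatFlags\Layers, keyed by the full path of the executable.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
            'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty $key
        foreach ($entry in ($props.PSObject.Properties | Where-Object { $_.Name -like '*.exe' })) {
            if ($entry.Value -match 'DisableNXShowUI') {
                [PSCustomObject]@{
                    Program = $entry.Name
                    Layers  = $entry.Value
                    Scope   = $key.Split(':')[0]     # HKLM = all users, HKCU = current user
                }
            }
        }
    }
}

$policy = Get-DepPolicy
$policy
if ($policy.Policy -notlike 'OptOut*') {
    Write-Host 'DEP is not applied to all programs. From an elevated prompt run:'
    Write-Host '    bcdedit /set {current} nx OptOut      (Vista and later)'
    Write-Host 'or add /noexecute=optout to the boot entry in boot.ini on XP, then reboot.'
}
Get-DepExceptions | Format-Table -AutoSize
```

An exception you do not remember adding yourself is worth investigating: review the path it points at, and remove the entry (or uninstall the program) rather than leaving an executable permanently exempt from DEP.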
Enhanced Mitigation Experience Toolkit
Despite the long and scary-looking name, EMET is a great piece of software. It's a free toolkit from Microsoft that allows you to apply advanced security techniques to any piece of software on your system. You can download it at http://technet.microsoft.com/en-us/security/jj653751. After you install it, run it and set the following System Options: DEP: Application Opt-Out, SEHOP: Application Opt-Out and ASLR: Application Opt-In. This will allow applications that support it to make use of advanced methods to hinder malware.
The part where EMET shines is that it also allows you to force otherwise unsupported applications into using these advanced technologies. In the Configure Apps page, you can add an application and choose which protections to apply (leave them all on by default for most apps). I strongly recommend you add all your web browsers and other commonly targeted software such as VoIP / IM clients, PDF readers, etc. This will greatly reduce the risk of "zero day" (unpatched) exploits affecting you. Note, if you use Firefox, also add "Plugin-Container.exe" to the list as this program houses Adobe Flash and other external plugins. You do not need to have EMET running for the protections to apply; they are loaded automatically once they are set.
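Whether an application "supports" DEP and ASLR (and so benefits from the Application Opt-In / Opt-Out system settings above without EMET forcing it) is recorded in two flag bits of its PE header. The following added example, which is mine and not EMET's or the guide's code, reads those bits straight from the executable so you can see which of your commonly targeted programs already opt in and which are candidates for the Configure Apps list. The offsets follow the PE/COFF specification (DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+) and the flag values are the documented IMAGE_DLLCHARACTERISTICS constants; the process names in $targets are an assumption about what you have running.

```powershell
# Added example, not from the original guide: report the DEP/ASLR opt-in bits in an executable's
# PE header so you know which programs need EMET to force the protections on.

function Get-PeMitigationFlags {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not a PE file (missing MZ header)"
    }
    # e_lfanew at 0x3C gives the offset of the "PE\0\0" signature
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset -le 0 -or $peOffset + 96 -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {
        throw "$Path has an invalid PE signature"
    }
    $optionalHeader = $peOffset + 4 + 20      # skip the signature and the 20-byte COFF header
    $magic = [BitConverter]::ToUInt16($bytes, $optionalHeader)   # 0x10b = PE32, 0x20b = PE32+
    $dllCharacteristics = [BitConverter]::ToUInt16($bytes, $optionalHeader + 70)

    [PSCustomObject]@{
        Path          = $Path
        Is64Bit       = ($magic -eq 0x20B)
        DEP_NXCompat  = [bool]($dllCharacteristics -band 0x0100)   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
        ASLR_DynBase  = [bool]($dllCharacteristics -band 0x0040)   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
        HighEntropyVA = [bool]($dllCharacteristics -band 0x0020)   # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
        NoSEH         = [bool]($dllCharacteristics -band 0x0400)   # IMAGE_DLLCHARACTERISTICS_NO_SEH
    }
}

# Usage: inspect the executables behind the running processes the guide calls out
# (browsers, the Firefox plugin container, a PDF reader, a VoIP client). Process names
# are an assumption; add your own. Anything showing False under ASLR_DynBase only gets
# ASLR if you force it through EMET, because the system setting is "Application Opt-In".
$targets = 'chrome', 'firefox', 'plugin-container', 'iexplore', 'opera', 'AcroRd32', 'Skype'
Get-Process -Name $targets -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |
    Select-Object -ExpandProperty Path -Unique |
    ForEach-Object { Get-PeMitigationFlags -Path $_ } |
    Format-Table -AutoSize
```

The DEP_NXCompat column matters less once the system policy is Opt-Out, since every program then gets DEP unless it is explicitly exempted; the ASLR_DynBase column is the one that decides whether the Application Opt-In setting covers a program or EMET has to step in.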
Software Updates
Every piece of software on your PC that interacts with the Internet or files could be a possible vector for virus / worm exploitation. It's very important you keep all your programs up to date as exploits are discovered for common products surprisingly often. I recommend using the Secunia Personal scanner which will scan your entire PC for any programs that might allow your system to be compromised. You'll be surprised what it finds. The latest version can even auto-install updates for you if you're lazy.
Adobe software in particular seems to have a very poor history - Adobe Flash, Adobe Reader, Adobe Air have all had exploits that could allow your system to be compromised by visiting a webpage. Worse still, many of these products don't auto update so you have to rely on 3rd party assistance (Secunia PSI) or do it manually.
Browsers and Plugins
Since web exploits are the number one vector for malware, it's important to use a secure web browser. I strongly recommend Google Chrome as it has powerful sandboxing and isolation technologies to help prevent web-based malware from infecting your system. Firefox is OK, but it isn't as good as it used to be, and Internet Explorer should really be a last resort. Chrome also has an excellent background automatic update system, which is very important: an out-of-date browser is likely vulnerable to exploits.
Browsers are often extended with plugins, which while providing features like PDF viewing and streaming, also expose you to additional risk as a security vulnerability in a plugin can allow malware to exploit it and infect your PC. Many plugins do not auto update which makes managing your plugins quite important. Don't need to read PDF files in your browser? Disable Adobe PDF plugin so PDF files can't auto-load. Finished watching some stream that required a browser addon? Disable that addon. Installed a plugin from some strange Asian game that you're done playing? Now go and disable it. If you use Firefox or Chrome, you can do a very basic plugin check here: http://www.mozilla.com/en-US/plugincheck/.
To disable plugins in IE (you should do this even if IE isn't your main browser), go to Options -> Manage Addons.
To disable plugins in Firefox, go to Addons -> Plugins.
To disable plugins in Chrome, go to chrome:plugins in the address bar.
To disable plugins in Opera, go to opera:plugins in the address bar.
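Before working through the four browser dialogs above it helps to know what is actually installed. As an added example (mine, not the guide's), the script below inventories the two plugin registrations that live in the registry: NPAPI plugins, which Flash, Java and similar register under SOFTWARE\MozillaPlugins for Firefox, Chrome and Opera to pick up, and Internet Explorer Browser Helper Objects, which are registered by CLSID under Explorer\Browser Helper Objects. Both the native and the WOW6432Node registry views are checked, and each entry reports whether the DLL it points at still exists, which flags leftovers from a half-removed plugin.

```powershell
# Added example, not from the original guide: list browser plugins registered on this PC so
# you can decide which ones to disable or uninstall.

function Get-RegisteredNpapiPlugins {
    $roots = 'HKLM:\SOFTWARE\MozillaPlugins',
             'HKLM:\SOFTWARE\Wow6432Node\MozillaPlugins',
             'HKCU:\SOFTWARE\MozillaPlugins'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath          # values: Path, ProductName, Version, ...
            [PSCustomObject]@{
                Kind    = 'NPAPI'
                Name    = $_.PSChildName              # e.g. the plugin's registered id string
                Product = $p.ProductName
                Version = $p.Version
                Path    = $p.Path
                Present = [bool]($p.Path -and (Test-Path $p.Path))
            }
        }
    }
}

function Get-IeBrowserHelperObjects {
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $clsid = $_.PSChildName
            # Resolve the COM server DLL for this CLSID; it may be registered in either view
            $dll = $null
            foreach ($c in "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32",
                           "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid\InprocServer32") {
                if (Test-Path $c) { $dll = (Get-ItemProperty $c).'(default)'; break }
            }
            $expanded = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            [PSCustomObject]@{
                Kind    = 'IE BHO'
                Name    = $clsid
                Product = $null
                Version = $null
                Path    = $dll
                Present = [bool]($expanded -and (Test-Path $expanded))
            }
        }
    }
}

@(Get-RegisteredNpapiPlugins) + @(Get-IeBrowserHelperObjects) | Format-Table -AutoSize
```

Anything listed that you do not recognise, or whose Present column is False, is a good candidate for the disable steps above; the Version column is what you compare against the vendor's current release when deciding whether a plugin you do keep is out of date.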
Java
Java is often installed for some other purpose such as running a program, but it also installs a browser plugin. These days, very few sites use the Java plugin so it's a good idea to disable it for extra security. As of 2013, Java has suffered from multiple major security issues that can result in drive-by malware installation, so if you do not use it (if you don't know, you most likely don't use it), I strongly suggest uninstalling Java or at the very least, removing the Java plugin from all of your browsers. JavaScript is entirely unrelated to the Java plugin and will continue to work fine.
Flash Player
Flash player installs multiple versions - one for IE, one for Chrome / Firefox / Opera. Make sure both of them are up to date by visiting this page (once in Chrome, once in Firefox and once in IE) and comparing your version to the latest released version. If out of date, download and install the latest one. Flash should automatically update, but it only checks on startup of your PC, which, if you leave your PC running 24/7, may not be often enough.
Consider completely removing Flash if you can live without it. Most sites provide HTML5 compatible video players and Flash is mostly only used for advertising or small online games, yet exposes you to a lot of risk due to its poor security record.
Password Re-use
One of the biggest threats to your online security is reusing passwords. When you use the same password in multiple places, any time one of those places is compromised, every other site where you use the same password is also compromised. What often happens is people re-use the same password at a forum or online store or similar, which is compromised by hackers, often exploiting old / insecure software running on the server. From there, they can download the entire user database, which often includes your email address. If you used the same password for your email account, then you're completely screwed - the hackers can log into your email, find every account you've signed up for, issue password resets, etc and completely compromise your online identity.
By cross-referencing usernames and emails, it's possible to exploit even further - if for example you're an admin on a forum and re-used the same password somewhere else which was stolen, hackers could compromise your admin account and then exploit your forum too, as admin accounts often provide elevated access that allows dumping the entire user database etc.
Unfortunately, solving this issue is not so easy. You definitely won't be able to remember all your passwords, so the use of a password manager like KeePass or LastPass is strongly recommended. Any time you sign up for a site, create a unique password and store it in your password manager. This greatly mitigates the risk if one of the sites is compromised, which happens a lot more often than you may think - sometimes even without the site owner knowing.
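Once your passwords are in a manager, the remaining job is finding the ones you reused before you had one. The following added example (my code, not from the guide or from any password manager) audits a CSV export for passwords shared between sites and proposes a fresh, cryptographically random replacement for each affected entry. The four sample rows are constructed for this example, and the Title / Username / Password column names are an assumption about the export format; adjust them to whatever your manager writes.

```powershell
# Added example, not from the original guide: find reused passwords in a password-manager
# export and generate unique replacements.

function New-RandomPassword {
    param([int]$Length = 20)
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&*+-=?@^_'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf   = New-Object byte[] 1
    $chars = New-Object System.Collections.Generic.List[char]
    # Rejection sampling: discard bytes at or above the largest multiple of the alphabet size,
    # so every character is equally likely (plain modulo would favour the first characters).
    $limit = 256 - (256 % $alphabet.Length)
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    -join $chars
}

function Find-ReusedPasswords {
    param([Parameter(Mandatory)][object[]]$Entries)
    # Group entries on the password value; any group larger than one is a reuse
    $Entries | Group-Object -Property Password | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [PSCustomObject]@{
            SharedBy = $_.Count
            Sites    = ($_.Group | ForEach-Object { $_.Title }) -join ', '
        }
    }
}

# Constructed sample export, embedded so the example runs offline (these are not real accounts)
$sampleCsv = @'
Title,Username,Password
example-forum,alice,Winter2013!
example-shop,alice@example.invalid,Winter2013!
example-mail,alice@example.invalid,Winter2013!
example-bank,alice,7q$Lm2#vR9pX
'@
$entries = $sampleCsv | ConvertFrom-Csv

# For a real export: $entries = Import-Csv 'C:\path\to\export.csv'
Find-ReusedPasswords -Entries $entries | Format-Table -AutoSize

# Propose a fresh password for every entry that shares its password with another site
$entries | Group-Object -Property Password | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { $_.Group } |
    ForEach-Object { [PSCustomObject]@{ Site = $_.Title; NewPassword = (New-RandomPassword -Length 20) } } |
    Format-Table -AutoSize
```

With the sample data the audit reports one password shared by three sites (the forum, the shop and the mail account), which is exactly the forum-to-email chain the paragraphs above describe. Delete the export file once you are done with it; it holds every password in plain text.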