Browser for Windows 7?

[Neto]

With respect, the way you run security won’t actually prevent security problems. For example, opening something in “Print Preview” has been a source of security holes in the past relating to image rendering.

Browsers that can function on the modern Internet won’t be supported or tested on Windows 7 because there isn’t really any reason to do so and because doing so is difficult. Your only option will be to run an out of date browser.

I’m not sure why you wouldn’t just move to Windows 10 or 11
for Internet usage.

Thank you for your advice, and I readily admit that a move to OS 10 (or probably 11, since the end of support date for 10 is only about a year away as well) will be necessary in the future. However, I still respectfully maintain that taken together with other configurations I have in place here, my experience of the past 15 years indicates that my approach is secure.

I hope it's not disrespectful for me to point out that a sample size of 1, or even 10, doesn't prove anything about whether your approach is secure.

True. But the time period should attribute something to the conclusion. It hasn't been a simple test of a few weeks, or even a few years. And as I said above, I have not allowed ANY of the Microsoft Security Updates to be installed over that entire time period, which covers the major part of the Windows 7 popularity and massive use in business - the time period during which it was the primary target for hackers.

However, as far as Windows 7 in particular, looking at my records, I see that I was still using XP during the early part of the 15 year period I mentioned previously. But I was using the same approach with XP, having attended the Microsoft workshop in 2008. Also, my first Win 7 configuration was 32-bit, and I later upgraded (on the same computer) to 64-bit.

I sold the first Windows 7 system in August of 2010 (prior systems were all XP). The motherboard in this computer (Intel DG41TX) is from the 2nd Win 7 model, of which the last one was sold in Feb of 2012. This motherboard was the shop system during that model run, but I initially used one that I had replaced on warranty after the networking was burned out in a lightening strike. So I probably started using Win 7 here in my office sometime in 2011. So call it 12 years doing this approach in Win 7, the prior few years in XP.

Of all of the hundreds of word processors and computers I have built for sale, there have been two cases of a ransom attack. In both cases someone in the business concerned used an unprotected device being operated on the device's Administrator log in account, a device that I didn't even know they had (as my wife says, I'm not the "Amish Police") to log in remotely to the locked-down word processor. Also in both cases, the only files that were compromised were those in the Public Documents folder, and only in the system onto which they had logged in remotely. That's plenty bad in itself, but my point is that even though the hackers were ON the locked-down system, they could not any farther than that one file folder.

IF/When I get hacked, I'll be sure to let you all know, and eat the proper quantity of crow.

[Josh]

Did you really attend a Microsoft workshop that said not to install security updates? I’m unclear on what exactly your “security procedure” is.

The biggest risk in this day and age is out of date browsers.

[Neto]

Did you really attend a Microsoft workshop that said not to install security updates? I’m unclear on what exactly your “security procedure” is.

The biggest risk in this day and age is out of date browsers.

I cannot say that the speaker (a Microsoft representative whose job was testing on-line security) said NOT to accept the security updates - I don't think he did. He just said that you do not need anti-virus software, IF you never go on-line while logged in as an Administrator, that if you were also careful to never enter the Admin password when it was requested, UNLESS you had personally initiated the process that was requesting it, or were certain that it was a legitimate process.

It's the same kind of common sense that people say about not giving personal information to every Tom, Dick, and Harry that calls you, and tells you that they are from such-and-so agency or business, some outfit that has never before called you about anything at all. (I thought I could find the date of that workshop by checking my mileage records, but apparently I didn't start keeping track, or charging mileage, until January of 2010.)

Anyway, he explained his job, and said that he tested security by purposely going to web sites that were known to be dangerous, just to see if the configurations he was using were effective.

I cannot explain here what all I do to create a secure system - it's my business, and not only do I not want to disclose my company secrets, the procedures are very extensive, now taking around 8 hours or more to implement in a one-off situation.

[For the systems I manufacture, I build an image, then apply it to each new system I build. The time to do it that way, once the image is built, runs less than a half an hour, and most of that time is spent in changing the system name, the the system passwords, the Windows license key & registering it (always by telephone), then checking everything out (like network connectivity). I use a check list to be sure I don't miss something. Then there are things like, if an SSD is being used as the primary drive, turning off defragmentation, and if there is a secondary drive, changing the location of the Public documents and pictures folders (this requires going in in Safe Mode) and then also changing the location for the non-Admin user's Documents, Pictures, Desktop, Contacts, etc. - moving all of those to the 2nd drive.

With Windows 7, I had to build a new image for every new model run, except one, where the chipset was the same between two motherboards. Now, with Windows 10, I don't have to do that, and can use that image on systems whose motherboards were manufactured long before Windows 10 even came out in beta form. In those cases the main adjustment is the need to install graphics drivers for the particular CPU generation installed on the board. (If that is not done, the screen view is stretched out of shape, the icons are huge, and the screen is not clear.)]

In general, I use a mix of custom settings on some system folders, Registry hacks to both create and enable new features and to cripple others, Group Policy configurations to block some operations, and to allow others, etc. Some of these settings are double security, with more than one level of prevention in place. Then I also do a lot of what I call 'clean up', removing things that only appear to be security weaknesses (people talk), or are just clutter that won't work anyway in the non-internet setting. But things like the acceptance of real email (more than just FAX to email), and especially subscription programs are really making it difficult to hold to the required level of security (in the sense of complying with the Amish and conservative Mennonite guidelines I've agreed to uphold). QuickBooks is one of the very worst, because a subscription has to be able to sync the license with the Intuit servers within every 14 day period, or the whole thing stops working. (So in those applications, the user account has to sort of have internet access, but it has to be limited to the programs, and not allowed for the user.) Other subscription programs (like ZedAxis, which integrates with QB) will function for the full annual subscription period with no internet service required at all. Open Source programs can often be modified in their inner workings, to weed out the undesirable functions.

But honestly, I don't think that I can continue doing this much longer. I forget things now that I already know, and sometimes loose a lot of unbillable hours because I have to rediscover something I already knew, just didn't remember at the time I needed it. It's also becoming more complex, with video or internet access being built into other applications that didn't have that before, and Microsoft taking away more and more of the users personal control of the operating system. (Like today, searching for a certain executable I needed to block, and a total system search coming up as "not found". Then, after knowing where it was located, going to the containing folder and having Windows tell me that it is empty, when in reality -
after I busted my way into it - I see that it has oodles of files and folders in it.) It's also mind-numbing work, and I cannot keep at it all day like I used to. Getting old, I guess.

Sorry for getting so long-winded.