posted by Alcibiades on Wed 4th Jan 2006 18:04 UTC

"Securing Windows 2/2"

Rule 3: Only use secure software.

This falls into three parts.

First, don't use the chronically insecure Microsoft Explorer and Outlook; get (free) Mozilla Firefox (Web) and Mozilla Thunderbird (Email). Also get the Firefox Spoofstick plugin and Adblock to guard against phishing. One or two UK banks require Explorer, and firewalls off. Avoid them. Use Mailwasher to screen and delete unwanted mail on the server.

Second, get the following:

ZoneAlarm is a free software firewall. You do need this as well as the router hardware firewall. Replace the weak XP built in firewall with it. Use it to disconnect from the net when inactive, and to control outbound traffic from applications.

AVG is a free anti-virus package (Kaspersky and McAfee are also very good, paid packages). Update at every connection.

AdAware & Spybot Search and Destroy are free anti-spyware packages. Get both, and update at least weekly. Microsoft's own anti-spyware package is free and highly rated. Webroot's Spysweeper is a paid, well regarded package, as is Pestpatrol. One anti-spyware package is definitely not enough. Find all these by using Google, or on Tucows. Also, install SpywareBlaster for real-time protection, but still sweep with the others weekly.

If using Anti-Executable, I wouldn't rely solely on these scans to clean up the system first, but would do a clean Windows reinstall as explained later.

WinPatrol is also highly rated, and protects against some system parameter changes.

Third, keep Windows up to date using the Windows Update control. You'll have to sign on with an account with admin privileges. Check out the SANS Institute Internet Storm Center's 'Windows XP, Surviving the First Day' for instructions on doing this safely - find it using Google. This helps because security updates for Windows come out often, as more holes are discovered and exploited. The quicker you get them in, the shorter the time you are at risk.

One should also disable insecure Windows services, as Greene's book (below) explains. And never install anything when prompted to do so by a web site or email.

Rule 4: Keep as much personal information as possible off the machine, on paper.

Never have your browser remember passwords or logon information. Never keep NIS numbers, passport numbers, driver's license numbers, bank account numbers or branch addresses on disk. Never use Quicken or MS Money to connect to your bank to download data. Never dispose of a PC with a hard drive in it: take out the drive first, and destroy hard drives before disposal.

If you have children, have a dedicated machine for gaming, music downloads, chat etc, keep no personal data whatever on it, and if you allow it to share the Broadband connection, firewall it off totally from the other machines. Consider using Anti-Executable or even DeepFreeze (also Faronics) on it. All this will be fairly technical, and will probably require professional help. It will be worth it.

Microsoft has just published the 'Shared Computer Toolkit' for making a machine safe for multiple users in a walkup environment. Professional help will probably be needed to install and use this, and it may be overkill for home users.

Reading.

Thomas Greene's book 'Internet Security for the Home and Small Office', is essential reading if you ever use Windows on the net, dialup or broadband, to bank or shop. Get it (from Amazon). Clear, detailed (lots of screen shots) how-to on hardening Windows. It explains how to disable insecure Windows services, which is a must, but which is too big a topic for these pages. Steve Gibson's site, see previous page, is worth a visit. Secunia and SecurityFocus are very good but technical. Wilders.org has lots of good links and clear explanations.

How to know if your machine is infected, and what to do.

You'll know because of slowdowns, crashes or unpredictable behaviour, especially of Explorer or Outlook, or because scans with anti-virus or anti-spyware software tell you of infections. You may find lots of popups appearing, or find yourself on sites which you have not clicked on. Your internet connection may be very active when you are not doing anything. Your ISP or other people may tell you your machine is sending spam. Pressing Ctrl-Alt-Delete to find out what is going on may not let you examine the running processes.

Take this very seriously and do not bank or shop online until fixed.

What to do? It used to be a very simple matter: get and run anti-virus software and keep it up to date. No more. In the last year, it has become increasingly hard to be sure of having cleaned a badly infected Windows OS that one has booted from. The only method reasonably certain to succeed nowadays is: back up your work files to removable storage, then format and partition the affected hard drives, reinstall Windows, harden it, and then copy back the work files and reinstall software. I would personally do this by buying a new hard drive (Seagate Barracuda) with an OEM copy of XP, and starting from scratch. I would do the data backup by booting from Knoppix or a similar Linux live CD.

Advice. Find a professional and say this is what you want done. If he tells you it is not necessary, and that simply running AdAware etc is enough, well, it may be. But there again, it may not be. The question is, how much do you want to bet?

I would demand (and pay for) a clean install...

Appendix: where does this problem come from?

If you are just trying to keep systems secure, this may seem a bit academic. But people do ask, so here is a very short account. First, to avoid being forced by anti-trust actions to give equal treatment to all browsers, Microsoft, during the 'browser wars', made Explorer part of the operating system, and also linked Outlook to Explorer. This means it really cannot be removed. But it also means any vulnerability of Explorer or Outlook is a vulnerability of Windows. Second, it's the social culture of Windows use - in particular, the universal practice of signing on with Administrator privileges. This means any infection is automatically a system-wide infection. Third, it's to do with myriad vulnerabilities in the way Windows handles services. As an example, the recent WMF flaw enables graphics, regardless of browser, to carry malicious code. This is because of flaws in the way thumbnails are generated and graphics are rendered in Windows. RPC (Remote Procedure Calls) is another example.

Bottom line: it is not going to go away any time soon.

Caveat

I've taken care over this, but it's a very brief guide to a very complicated and rapidly changing subject. I can't be responsible for any inaccuracies or any consequences of following these recommendations. Do not follow them blindly. Verify first, and then use them only as the basis for formulating your own security policy, and arriving at your own list of dos and don'ts.

--Alcibiades
