This guide contains the practical security measures to secure your Windows desktop at home. This guide is not necessarily intended for business or enterprise use, but it might come in handy for some.
This guide contains the practical security measures to secure your Windows desktop at home. This guide is not necessarily intended for business or enterprise use, but it might come in handy for some.
The author doesn’t give XP Home users an option to secure the PC without third party apps(The users and groups control works on XP Pro)
It would be nice to have an article one can recommend to people who ask – save the trouble of writing it oneself. But this really isn’t it. It is a bit better than nothing. But basically all it says is use MS anti spyware and Hijack this, and don’t sign on as root. Don’t know about Hijack this, the rest is fine as far as it goes, but it is really a bit more complicated than this. It omits to advise the use of a router on Broadband – surely this is a key ingredient? Then there is the mess of issues around Explorer/Outlook – surely people need to be made aware of this?
I usually tell people to get “Computer Security for the Home and Small Office” by Thomas Greene. Its quite thorough and it has lots of screen shots and very specific explanations of what to do and why. If asked to give a checklist I usually say:
Firefox and i-scribe or Thunderbird
(Firefox with adblock, spoofstick, noscript)
Router not just modem if on Broadband
User accounts, with a dedicated one for banking
Enable privacy between accounts
adaware, spysweeper, spybot
AVG
WinPatrol
ZoneAlarm with query when app wishes to communicate
And if disposing of computer, shred the hard drive.
I also tell them how to make up memorable reasonably secure passwords, and to buy a dedicated machine for kids gaming. A dealer around here who spends most of his support time cleaning off infections said, you have to understand what normal use is nowadays. Its downloading bootleg ring tones and mp3s by kids. This is where the infections are coming from in his experience.
I usually also tell them a lot of this stuff can be avoided with Linux or Mac, but not to try Linux unless they have someone to support them, and not to try Mac unless willing to buy all their applications again, pay over the odds for the hardware, and then not if they have odd Windows apps they really need. But, that this is one they can do by themselves.
What do you all think? Its a fine line between telling them to do more than they will ever do, and so having them do nothing, and telling them not enough, so they have an illusory feeling of security.
That’s a tough one because once you tell too much, it becomes a hassle and a task.
No one likes hassles and tasks.
It all depends on the user, really. Those well-informed and with safe browsing habits don’t need so much redundant security, but obviously those downloading mp3s and the like without any knowledge would do well with your suggestions.
You would be absolutely wrong.
“That’s a tough one because once you tell too much, it becomes a hassle and a task.”
No , its an easy one , secure your system or face the possibilty of getting sued , you are entirely responsible for the damage your machine ( or the machine you own ) is doing on the internet by you or anyone who use it to any victim due to your lack of judgement and of securing your system. Lawyer specialist in technologies are catching up to that one.
Its going to become real ugly.
“It all depends on the user, really.”
No , it depend entirely on the OS.
“Those well-informed”
Cant do anything against an attack that there system is not patched to handle.
“and with safe browsing habits”
Browsing is not the only way to get a windows system infected or under control , it has so many means that even Microsoft finnaly caved in and started to fix some of its own flaw.
“don’t need so much redundant security”
Actually reading the list its not enough for the basic thing attacking a Windows XP system today and to be able to secure it.
Minimum would be :
http://www.techsupportalert.com/best_46_free_utilities.htm
Its always scary ( its not funny anymore when you know the arm that can be done ) to see people say that windows can be made secure without anything when most expert in the field say it cant be done at all with even the most advanced security tools set on maximum.
I have seen a system that is working on a 56k not connected at all exept when sending email that whas only used for e-mail get tottaly infected.
I have seen some of the tools used to hack and the option availaible to gather information automatically in seconds.
I have seen the reply of an ISP when someone as taken control of the legal online identifier and what they do to protect thet user : They dont at all and send you the bills.
I have seen the trouble people have when Identity theft happen and how well it goes with creditor after.
Personnaly I prefer to be safe then sorry and stop what is already common malware then hope they will miss me if they happen to be looking on my subnet for possible people like you.
You don’t need anti-virus and anti-spyware running if you have good browsing habbits.
All that is required is a decent firewall and setting up user accounts properly.
“Absolutely wrong”? Years upon years of never suffering an attack on any of my systems have told me quite differently.
“No , it depend entirely on the OS.”
Hardly. Some may be more inherently secure than others, but that doesn’t make them fool-proof.
“Cant do anything against an attack that there system is not patched to handle. ”
Sure you can. Be safe in your habits, including not opening any attachments from unknown sources… and, those from known sources, should be verified before opening.
“Actually reading the list its not enough for the basic thing attacking a Windows XP system today and to be able to secure it.”
I use a cable modem going through a properly secured router (read: minimum of default settings changed), Windows’ firewall turned on, Norton anti-virus enabled and running, and Ad-aware. No more, no less. Knowledge and good habits have kept me and my computers safe.
Quite frankly, my point boils down to this: I am not “absolutely” wrong.
yes, if you MUST use Windows, Thomas Greene’s book is good.
good job pointing that out.
Edited 2005-11-13 21:04
I’d stay away from buggy, insecure software like Mozilla components and Zone Alarm Pro. If you want security (or usability, or performance, or stability), Opera and Kerio PF are much better choices.
The easiest thing to do is simply keep your machine up to date, use Opera and Kerio, log in with a limited user account, and don’t mindlessly download and run everything you see. That advice really applies across platforms.
Here’s the solution to all your windows security problems:
http://www.trans-video.net/images/modem07.jpg
In princype any article regarding security tends to be in complete.But this article is really too short in my opinion.
1)First point to start with are the file permissions
A good tool to check those is AccessEnum from Sysinternals:http://www.sysinternals.com/SecurityUtilities.html
“This simple yet powerful security tool shows you who has what access to directories, files and Registry keys on your systems. Use it to find holes in your permissions.”
You select any directory or registry hive and press scan.
In just a matter of seconds you get the overall file permissons picture.If you want to stay on the safe side but yet intend to secure the system more change at least all the “by everyone” accessible files and uncheck all their permissions.The last step is adding each time you remove the “everyone” group the local “users” instead with just the same permissions as each member of the “everyone” group had.
2)right click on My computer and go to properties
disable remote access
3)go to control panel —> network connections
right click your network connection and go to properties and disable all unnecessary protocols such as: a)windows networks
b) file sharing
The only protocol needed to connect to the internet and lan is: TCP/IP
4)Disable unecessary services such as messenger,remote registry,upload manager,webclient,
5)download kafu from C’t (www.heise.de)
Give any regular user-account you desire to protect temporarily admin rights.Open the cmd-prompt and run kafu
The result is every registry setting that’s known to enable spyware to nest their loads is now access denied.runonce,startup,etc…
Take away admin rights.
———–PS
If you have the professional edition you could enter mmc at the command prompt and load the high secure workstation policy.In addition to that it’s wise to go to administrative settings —-> local security policy
and disable the support help desk from being ebable to launch a batch job,set deny access to this computer to at least everyone (better would be adding all groups avaible).
Edit the dcomserver settings by uncheck everything that’s “remote”.
Delete the everyone group from the permission to bypass traverse checking,
I could go on and on….
At last install a firewall and a virusscanner,and spyware scanner.
A good firewall would be visnetic (deerfield) or Tiny firewall.
Tiny firewall (for at least the amd64 version) has binairy (md5 checksum integrity) protection,monitors everything inbound/outbound,has a IDS,is a great tool but not very comfortable ( a lot of options!)
And this is only 5% of the overall XP security process.
keep on writing the rest of 95% o give a link to existing resource. thanx!
Edited 2005-11-13 09:29
Dont open funky emails with attachments no matter how enticing the title sounds.
Dont look at pr0n without Firefox.
Get the updates from MS.
Use nLite.
Turn off useless services.
Turn off autorun.
Dont just accept files from your friends without scanning it first no matter how close your friends are.
Keep LAvasoft Adaware, MS Antispywre, and Spybot handy.
Scan your machine once a month at some free online anti-virus removal tool.
I follow this and thankfully I have never had problems with getting spyware on my comp.
I did start working on a plain English guide for people to handle Computer security in a way that isn’t hassle. People find it a hassle when they have to do things parrot-fashion that they don’t understand. Here’s what I did so far:
http://www.camendesign.com/blog/articles/fixtutorial
Looks good. Much better than the guide linked in this article. Hope you’ll finish it sometimes.
Yes, finish it. This exactly right tone, detailed, accessible and so on. Its just what people need.
Excellent guide!
Some suggestions:
Guide on Installing & securing Firefox
-Things like NoSCript, Adblock, cookie permissions
-disable referers
-disabling IDN support
Installing & configuring Zonealarm
-per application settings
Installing & configuring Spybot
-things like startup list +registry cleaning
-the hosts file
P.S. I understand that we all have time limitations, I am simply suggesting things that you might want to add.
Indeed, I hope to include all of that, time permitting
…recommends the MS malware remover for virus removal.
It’s a well known fact among those who know what they’re doing that there are better choices, even for free, than that.
looks like the author doesn’t belong to that group…
Especially considering that Microsoft’s purchase of Claria net. means that MS-AS now ignores Claria spyware including Gator.
Well, not to defend Microsoft but….
Claria is not malicious…. unwanted, probably, but it is not malicious.
MS Antisypware does still pick it up, it just has a default option to ignore it rather than to delete it.
A well known fact huh?
Everytime I clean off a system they always have some other spyware removal software on there. I fire it up and it doesn’t find anything. I pop in my CD with MS Antispyware in there and it finds all kinds of garbage.
Oh yeah, it’s a well known fact.
Also, MS Antispyware is not only free, but it has spyware defense rather than just spyware detection, including script blocking, constant spyware monitoring (similar to a virus shield), etc…. All for free.
Why don’t you jump off your high horse and admit that somethig that has a Microsoft name on it is actually decent. (Its ok, really, Microsoft didn’t actually write the software, they bought a company called Giant and made new bitmaps for it… so it won’t be against your religion)
Also, it is a good idea to have more than one spyware program as they all detect different things.
First off, to clear up a misconception… broadband users who use a router, (hardware firewall), or even a software firewall are NOT protected by default. Spyware will use the same open ports as your web browser/email/IM programs. So to truly stop the spyware, you will have to disable these ports too.
Now, here is the best way, using only free (for personal use) software..
1: Install Firefox
2: If it will not be your own PC, then remove ALL links to IE
3: Install Kerio from http://kerio.com
4: Reboot
5: Install AVG antivirus from http://www.grisoft.com
6: Reboot
7 Install Thunderbird
8: If it is not your own PC, then remove ALL links to Outlook/Outlook Express.
9: Install GAIM
10: Remove ALL links to Windows/Microsoft Messenger
11: Install AD-Aware from http://www.lavasoft.com/
12: Install Spybot from http://www.pcworld.com/downloads/file_description/0,fid,22262,00.as…
13: Reboot
14: Finally, actually READ the stuff before you blindly click on OK
1. Unnecessary. IE can be used with restricted settings. There are also other free browsers such as Opera.
2. Kerio Personal Firewall is being discontinued.
5. The free one is at http://free.grisoft.com but there are alternatives at least as good.
7. & 8. Unnecessary. OE is secure nowadays. Mail can be read with restricted settings.
9. & 10. Unnecessary. I never had any problems with MSNM . GAIM is also a lousy replacement.
15. Install Spywareblaster from http://www.javacoolsoftware.com
1. Install Firefox because they don’t leave the browser to stagnate for five years, and don’t patch once-a-month leaving you open to attack until then.
Whilst patching with firefox has been rocky thus far, once 1.5 is out of the door hello to automatic day 1 patching of flaws.
Internet Explorer will never ever be secure as long as it is 1. This is from using IE since v3. Even with the best security in place – IE is still a liability.
They used to patch as soon as it was available. But everyone (Mostly SysAdmins) complained that they had to spend too much time testing patches all the time. So they started a monthly patch cycle. If something is severe enough, they will release a patch early.
9. – I believe you made the common mistake of confusing “MSN Messenger” – an IM client with “Windows Messenger”, a service which displays windows with messages from the network – like “your print job is ready”, and can probably be abused to chat on a LAN.
10. – I’m not sure GAIM is lousy. This claim stands against my empirical observations, that my colleagues started using it instead of the original AIM client, Trillian and also as an IRC client. I use it too and am rather happy with it, though I don’t claim it’s perfect.
12: Install Spybot from http://www.pcworld.com/downloads/file_description/0,fid,22262,00.as…..
Here’s one step i would disagree with, Spybot is an archaic spyware defender nowadays, and is geared to those who still use IE (don’t believe me? It puts a whole bunch of “known spyware hosts” into your hosts file so IE doesn’t go there). If you’re using Firefox, I wouldn’t bother with it.
And theres really nothing wrong with the XP Firewall. Especially if you’re behind a router. People get too paranoid (LOOK AT ALL THESE INCOMING HITS!!!), but most of your advice is sound.
“Here’s one step i would disagree with, Spybot is an archaic spyware defender nowadays, and is geared to those who still use IE (don’t believe me? It puts a whole bunch of “known spyware hosts” into your hosts file so IE doesn’t go there). If you’re using Firefox, I wouldn’t bother with it.”
Why is your hosts file example evidence that spybot is IE centric? Maybe you think Firefox doesn’t use the hosts file? Perhaps the hosts file on my linux box is just there for a joke since I don’t have IE
I won’t disagree with your assessment of spybot (I just don’t pay attention to windows antispyware stuff anymore, for obvious reasons), but putting something in the hosts file is hardly an IE only fix..
I didn’t mean that the hosts file was IE centric, I meant that the only reason it puts all those useless entries into your hosts file is because they are for websites that exploit IE holes. Why have a huge hosts file if you can just have a good browser? Same with Opera, you can block ads, but no need for blocking hosts as its a silly waste of time.
i read the article but it was a bit lacking in substance,
there are many ways to secure XP properly and i think the article doesnt go into enough depth at all,
heres some more info for those that are interested
http://www.windows-noob.com (protect yourself from spyware etc)
adios
anyweb
that’s easy. And free.
Install Linux.
The latest Linux distro: $0
Linux NVidia drivers: $0
Replacements for all your productivity software: $0
Dumping the whole lot in the bin and getting something that works without spending a week searching the Internet for answers or editing config files: Priceless
You know, free means nothing when it takes time, stress and learning things average people really don’t care about to use a computer.
Mark this down, but completly ignorant posts like the parent drive people away from linux. This article is about how to secure Windows, if you can’t accept that windows is 95% of the market, then please keep your comments to yourself because nobody wants to hear them.
Mark this down, but completly ignorant posts like the parent drive people away from linux.
I agree with this, even as a Linux user.
getting something that works without spending a week searching the Internet for answers or editing config files: Priceless.
However, I can’t agree with this. A month ago, I installed both Windows and Debian on one notebook. I had much more stress with installing Windows then Debian. Simply because I have much more experience with the latter.
Windows having 95% of the market share implies nothing about their quality. It only says most people use it. Most people also use cheap cars, cheap pens and wear cheap watches.
[rant]
And about taking time and learning things – people _HAD_ to do that, when they started using Windows. I’ve seen the following somewhere on the web:
“Nipple is the only intuitive thing. Everything else is learned.”
E.g. secretaries (or personal assistants, to be p.c.). Ten years ago, they were able to type in Wordperfect. “Number analysts” could work in Lotus 123. Why do we today hear, that text-only interfaces are hard? Are today’s secretaries and “number analysts” dumber than those ten years ago? [/rant]
I agree with this, even as a Linux user.
I agree with it, even as a cross platform user (OS X, Windows and Linux myself)
Likewise a hostile user on any platform will turn off potential users.
Windows having 95% of the market share implies nothing about their quality. It only says most people use it. Most people also use cheap cars, cheap pens and wear cheap watches.
Agreed.
“Nipple is the only intuitive thing. Everything else is learned.”
One of my favorits too
E.g. secretaries (or personal assistants, to be p.c.). Ten years ago, they were able to type in Wordperfect. “Number analysts” could work in Lotus 123. Why do we today hear, that text-only interfaces are hard?
Prob because there are ways available today that are considered to be ‘easier’, or more ‘productive’
Are today’s secretaries and “number analysts” dumber than those ten years ago?
Absolutely not. Today’s secretaries just know of a better way to do their work.
100 years ago people rode horses to work. Are these people ‘dumber’ because they found a more effecient way to get somewhere ?
People used to dig pits in the earth and bake foods in earthen ovens. I refuse to do that everyday and yet technically I’m sure I could learn how. I use an electri range for my cooking. Does this make me dumber than my ancestors ?
Absolutely not. Today’s secretaries just know of a better way to do their work.
Sure, but that was not my point. My point is all the screaming going – “OMG! that’s hard! we can’t use it!”. That is quite different from “I prefer the easier way, but if needed I could do it the hard way, how people 10 years ago did it.”
Though I use the bus and metro (undeground, tube) daily, I would be able to ride a horse if needed. As well as cook water or prepare meat on open fire. I don’t prefer it, but could do it, if needed.
Also, you are comparing 10 years to generational changes (cars) or even longer (earth oven to electrical stove).
Most importantly, MS Word is works very similar than Wordstar, same for Excel vs. Lotus 123. They just look flashier and you can use the mouse (which you also could use in DOS sometimes). I’m not sure about Lotus, but Wordstar definitely had in-built help. So it wasn’t like you had to have a printed manual and could consult only this hardcopy.
It is one thing to prefer a more efficient way, other to claim that it is impossible to do in the harder way, especially if only 10 years ago the harder way was the norm.
Sure, but that was not my point. My point is all the screaming going – “OMG! that’s hard! we can’t use it!”. That is quite different from “I prefer the easier way, but if needed I could do it the hard way, how people 10 years ago did it.”
If forced with no other options I’m sure most people would break down and learn the *hard way*.
Also, you are comparing 10 years to generational changes (cars) or even longer (earth oven to electrical stove).
In computer years the change from commandline, or classic ‘dos based’ (lack of a better term) software to the GUI was a generational change. It literlly redefined the way we interface with the computer.
Most importantly, MS Word is works very similar than Wordstar, same for Excel vs. Lotus 123. They just look flashier and you can use the mouse (which you also could use in DOS sometimes). I’m not sure about Lotus, but Wordstar definitely had in-built help. So it wasn’t like you had to have a printed manual and could consult only this hardcopy.
Could you highlight text and then click “Edit”, “Copy” ? Not that I remember. I used MS word 5.5 for a long time and honestly I’d say “I can’t go back” to the first person that said I’d have to use it again.
It is one thing to prefer a more efficient way, other to claim that it is impossible to do in the harder way, especially if only 10 years ago the harder way was the norm.
I do think its impossible. I know in my job with the expectations and business processes we use today that the softwre I was using 10 years ago would not *cut it* today and no amount of me ‘re-learning’ the old system would change that.
In computer years the change from commandline, or classic ‘dos based’ (lack of a better term) software to the GUI was a generational change. It literlly redefined the way we interface with the computer.
Yes. A generation for software. Not a generation for people. So where are the people, who could do it the hard way? Where is the knowledge? Where did it go?
I do think its impossible. I know in my job with the expectations and business processes we use today that the softwre I was using 10 years ago would not *cut it* today and no amount of me ‘re-learning’ the old system would change that.
OK, maybe the knowledge disappeared this way. The expectations changed, so the knowledge is unusable.
“Windows having 95% of the market share implies nothing about their quality”
For certain – but what it does show is that it is “good enough”. Linux zealots in particular tout everything that to an average user, means nothing.
GPL means nothing to average Joe when Windows is Good Enough, and comes with the machine.
Security means nothing to average Joe when he can purchase security in a box labelled Norton.
Free (0 cost) software means nothing to average Joe who knows that “the more you pay the better it is.”
(This, as we know isn’t the case, but the customer is always right)
Linux zealots need to be less blind to Joe Reality and start making a product that just works instead of being religiously the best.
So it all comes down to “there’s something better, but Joe Sixpack is not interested because he has got something that is ‘good enough’.”.
Joe Sixpack’s ignorance and non-interest however does not make the better things disappear. Hence I see no wrong in recommending them, though I agree that the form should have been better. As well as selection of those, to whom you reccomend. “Pearls to swines” comes to mind.
I personally don’t care what other people run and gave up long ago on “converting” people to Linux.
I actually agree with the parent post.
As to your suppositions, Windows has been designed without security in mind, with the only express goal of getting people using Microsoft products. Even those that have no idea what they’re doing with a computer. The mentality today is “why should I have to learn how to use a computer”. Monkey A just wants to click, click, click, point, hit enter, click, click, click. And this is the real problem. And this is why we have so many viruses on the Windows platform. No other platform has so many virus issues as Microsoft Windows. And don’t give me that “cos they don’t have 95% of the market” bullshit. Cos that’s all that reason is – bullshit. People need to learn how to use a computer competently. Period.
Dave
quote from Kroc…
“Mark this down, but completly ignorant posts like the parent drive people away from linux. This article is about how to secure Windows, if you can’t accept that windows is 95% of the market, then please keep your comments to yourself because nobody wants to hear them.”
I do. And you don’t speak for me.
The man has a right to his opinion just as you do. The difference is that you are the only one being negative.
BTW… He’s right, install Linux. Problem solved.
As much as I’m a UNIX guy, UNIX’s not allways ansfer. There is software, the UNIX can’t run.
Thanks for all the feedback. I realized what I missed and will make the necessary changes immediately.
CPUGuy, I’ll agree with most of what you wrote, with this glaring exception:
> You don’t need anti-virus and anti-spyware running if
> you have good browsing habbits.
>
> All that is required is a decent firewall and setting
> up user accounts properly.
A firewall is not a cure-all. Browsers have exploits, some of which are known and some of which are waiting to be discovered. The same is true of instant messaging clients, e-mail clients, and other network applications.
Many worms have spread through firewalled systems where there was no one browsing anything.
Most people use their PCs for more than just browsing. If you download software, you may be downloading a trojan horse. You can tell all of us about how careful you are to check out the reputation of the download site, the web site of the software’s authore, MD5 signatures, etc., but that doesn’t guarantee safety.
Many worms have spread through firewalled systems where there was no one browsing anything.
Care to elaborate? Without further facts, sounds like a FUD.
Many worms have spread through firewalled systems where there was no one browsing anything.
Care to elaborate? Without further facts, sounds like a FUD.
You’ve really never heard of worms which spread through e-mail? How about VBS/Bubbleboy@MM, which used an exploit in Outlook and Outlook Express to execute VBScript via the HTML display engine — even when the message was simply previewed? What are you going to block with the firewall? All access to your e-mail server?
Edited 2005-11-13 16:46
Many worms have spread through firewalled systems where there was no one browsing anything.
Yep and the first one ever was invented on a unix system. Whats the point ?
You’ve really never heard of worms which spread through e-mail?
That requires someone to be using the computer, and viewing something.
Blaster would be a nice exploit that was able to do damage without the computer being used, but merely turn ‘on’
How about VBS/Bubbleboy@MM, which used an exploit in Outlook and Outlook Express to execute VBScript via the HTML display engine — even when the message was simply previewed?
I remember it. Considering the changes that have been made to OE and outlook since that time I’d say it would be rare to see a repeat on that large of a scale but anything is possible I guess.
What are you going to block with the firewall? All access to your e-mail server?
I’m going to do nothing with my firewall. I’ll let the scripts on my email server detect and remove something like that.
Yep and the first one ever was invented on a unix system. Whats the point ?
That my claim that worms spreading through firewalled systems was not “FUD” and that antivirus sofware is needed even when you have a firewall.
That requires someone to be using the computer, and viewing something.
So what? It’s still a worm that could go right through firewalls. I’ll agree that a computer is secure if it isn’t on, but that’s hardly a viable security solution.
I remember it. Considering the changes that have been made to OE and outlook since that time I’d say it would be rare to see a repeat on that large of a scale but anything is possible I guess.
Think outside the box: Any network app may have an exploitable hole — not just Outlook/Outlook Express. It could be an instant messaging client, a USENET binary downloader client, a web server, or anything.
I’m going to do nothing with my firewall. I’ll let the scripts on my email server detect and remove something like that.
And what happens when the next exploit isn’t through e-mail? Or what if your e-mail server has a remotely exploitable buffer overflow and the server itself becomes the conduit for a worm? Without antivirus software, you’d be at risk.
Think outside the box: Any network app may have an exploitable hole — not just Outlook/Outlook Express. It could be an instant messaging client, a USENET binary downloader client, a web server, or anything. .
Yes. Any network app can have an exploitable hole. The point about which I and the other poster are arguing are the involved TCP/IP semantics.
1) the application has to be running. unless it is a server daemon, it implies that
1a) somebody is using the computer
1b) it mostly does not have an internet-accessible port, on which it listents. E.g. Bittorent clients are an exception to this, but that is connected to 1a)
2) Most home firewalls permit all outbound connections and allow no inbound connections. Company firewalls ar e often stricter on outbound connections, but allow inbound connnections to specific ports.
Company firewalls, they should be administered by professionals, who know what inbound stuff they allow, why, and how to secure it.
So we have firewalls, which leave something or all outbound, nothing inbound. Hence, all connections must be initiated from the inside, by a user. From there comes the comment that someone is required to use the computer. So an idle computer, with user logged off, behind a firewall is not accessible from the Internet and therefore a worm cannot reach it.
One notable exception is the already mentioned Bittorent client, but I have not yet heard about an remote exploit in any of the implementations.
That’s all I wanted to say. I’m not claiming anti-virus or anti-bad-sw-* software in general is useless.
If you can tell me about a worm, which can infect a computer, which has not any open socket reachable from the internet, I’d be delighted to hear. This is what I meant by my first “please elaborate” question.
That my claim that worms spreading through firewalled systems was not “FUD” and that antivirus sofware is needed even when you have a firewall.
In that case I agree. Although the scanning can be done at different places, such as an email server or other proxy gateway that controls access to the internet. I’m online right now with no virus scanner running, sure one is installed *just in case* but my computer isn’t wasting cycles with it running.
So what? It’s still a worm that could go right through firewalls. I’ll agree that a computer is secure if it isn’t on, but that’s hardly a viable security solution.
In my book a firewall (software based like norton and all the consumer ones on the market) are strictly for people who have no clue about is running on their system.
Think outside the box: Any network app may have an exploitable hole — not just Outlook/Outlook Express. It could be an instant messaging client, a USENET binary downloader client, a web server, or anything.
I already think outside the box and honestly it dosen’t worry me as I’ve got a fine track record at securing my operating systems to date.
And what happens when the next exploit isn’t through e-mail? Or what if your e-mail server has a remotely exploitable buffer overflow and the server itself becomes the conduit for a worm? Without antivirus software, you’d be at risk.
Usually an exploit on that scale is going to put you at risk anyway. Blaster for instance, it exploited a buffer flaw in RPC on windows. No virus scanner helped with that one.
In my book a firewall (software based like norton and all the consumer ones on the market) are strictly for people who have no clue about is running on their system.
I’d have to disagree — and I’ve got a lot of professional computer and network security expertise.
The advantage that a software firewall has is catching and stopping egress traffic that no hardware firewall can recognize. Something like ZoneAlarm cat tell what application is trying to access the network. You install something that tries to surreptitiously “call home” and ZoneAlarm pops up a box in which you can choose to let the application access the Internet, the trusted zone, and/or act as a server. The hardware firewall doesn’t know if it’s your browser trying to contact a site on port 80 or if it’s spyware, a keylogger, or some other piece of malware.
I already think outside the box and honestly it dosen’t worry me as I’ve got a fine track record at securing my operating systems to date.
I prefer not to take chances. When you write security plans for sensitive government data and it has to be approved by three-letter-agencies, you’ll find that “so-far-so-good” doesn’t go very far at all.
OK. I know about e-mail worms. However “no one browsing anthing” implied “no one is using the computer”. A little misunderstanding.
OK. I know about e-mail worms. However “no one browsing anthing” implied “no one is using the computer”. A little misunderstanding.
But it’s not like browsing. The preview pane would open and the worm would go to work. It didn’t rely on you clicking a link, approving a software install, etc.
Besides, there are other worms which spread without anyone using the computer. How about Code Red? It was spread through millions of unmanned computers running IIS.
Now if you’re going to say “no one at the computer, no servers running, computer unplugged”, then you don’t need a firewall to protect against worms.
But it’s not like browsing. The preview pane would open and the worm would go to work. It didn’t rely on you clicking a link, approving a software install, etc.
The preview pane however did not appear by itself on the screen. Someone had to stare Outlook and select the specific email. Hence, someone was _using_ the computer at that moment. That’s all I was saying.
Besides, there are other worms which spread without anyone using the computer. How about Code Red? It was spread through millions of unmanned computers running IIS.
IIS is a server application, I was under the impression we are discussing users / personal computers in this thread. IIS should not be on one’s personal computer. If it is a developer, it should not be accessible from the Internet and preferably listen on 127.0.0.1 only. I of course accept the existence of “Code Red” .
Here are the major issues I found in a quick read:
1. The Backup Operators account can be trivially escalated to admin, and there’s no reason a normal user should be a member
2. Terminal Services is required for Fast User Switching, so disabling it in a multi-user environment is a real PITA
3. Disabling Secondary Logon will break RunAs, which makes running at least user privelege almost impossible
In general you don’t need to disable most services, you can set them to manual start. If an attacker has the privelege to start the service then they will also have the privelege to enable it, but a required dependency may fail if the service is disabled. The service dependency list is not 100% accurate in practice, as some applications will manually start required services. This can be tested by restarting the system after you make your changes and identifying any manul services that have been started. Also, telling someone to shut off services without explaining the impact is a recipe for disaster.
If you want a good introduction to running a least user privilege system, I would suggest starting here: http://blogs.msdn.com/aaron_margosis/
I’ve changed the default file actions for file types I don’t normally use but that can be used to disguise a malicious program.
Screen savers, DOS shortcuts, VBS, etc. They were changed from the default action of install/execute to configure/edit.
From Explorer Tools->Folder Options->File Types
The article seems quite lacking to me.
* a cheap flame-bait in the first paragraph. Just drop it, if you are going to update the article. The security issues in question is requires a certain version and configuration of PHP and awstats. The underlying OS is not important. The worm author decided to prepare a Linux/x86 binary only, therefore the worm travelled through Linux/x86 systems only. The bug exists on non-x86 systems and non-Linux systems as well. There are Linux/anyproc systems, which do not have the software in question installed and are hence unaffected.
* wtf is this? That will allow you to backup and restore data, and additionally it doesn’t make you vulnerable to all those nasty hackers out in the wilderness.. I am aware why people should not have Administrator priviledges on their normal account, but this definitely is not the way to explain this. This sentence sounds like something told by a drunk factory worker complaining about politics over his Friday evening beer. No facts, just some emotions about a remote all-encompasing and unavoidable evil.
* to be a responsible computer user is not use P2P programs for illegal file sharing – that’s just total bullshit. I don’t even know, where to start. Though it’s not legal, you of course can use P2P services and download things without getting malware (malware as a superset of adware, viruses, spyware, etc.).
There are two points to it. If you are downloading a program, check it with your anti-virus and similar after download, prior to running. In general, think! If you want music, you want a set of .mp3 files, one .zip file or .rar file. You do not want an .exe file. If you are downloading a whole album, it sure is going to be bigger than a few kilobytes. A movie is one/two .avi, .mpg file(s). A DVD rip is one .iso.[*] Or a huge set of .rar and .rXX files (applies to both movie and DVDs). If you want a nude celebrity, it’s a set of .jpeg files or an archive. Probably in the size of a few megabytes, but can be bigger. If you got a few kilobytes big .exe file, something is wrong.
Saying that using P2P is dangerous to your _computer_ is just plain wrong. It can only get dangerous to you, your free time and money (think law, court, jail).
[*] – edit – movie will mostly be around 700 MB, or two times 700 MB. A DVD would be around 4GB.
Edited 2005-11-13 16:21
Damn, I have to reply to myself
* Note to never disable Automatic Updates. In fact, you should download all the updates. Now.. No, there is a reason why the Windows admins in my company test every update and only upload the required ones to that update-server-gizmo, from where all the desktops download it.
OTOH, it probably is true enough and right for home users to install all updates.
It’s a damned good, compact set of instructions for securing Windows XP Pro.
This forum has way too many comments from people who make useless suggestions like ‘run Linux.’ Then there are others who say ‘I do X and I really want to believe that doing X is is not a security risk, so I’m going to post here in authoritative sounding prose that doing X is safe.’ There are also the nitpicking comments which go something like ‘you recommended package X and I personally prefer package Y.’ These are often couched as the writer speaking on behalf of “everyone,” as in ‘everyone knows that package X sucks and that package Y is better.’
In addition to those comments, there are the comments from posters who seem to have have a deep-seated psychological need to be respected by strangers on the Interent. They want to make us believe that they know more than the article’s author. Usually, they are just arguing minutiae or adding any of countless additional security steps that one may take.
The article is intended as a quick read on how to secure Windows XP Pro. It’s not trying to replace an O’Reilly book on computer security. It’s not claiming to be the only viable means or the be-all-end-all on the subject. Summary: Good article. Good suggestions. If followed by all, malware of all types would be drastically reduced.
Good article – yes.
quick read – yes.
damned good, compact set of instructions – no.
I listed my comments elsewhere. It misses explanations in some points, makes blanket statements in other.
I don’t think that discussing details is bad. Details make the difference in computer security.
Most importantly, the author stated he will incorporate given suggestion. Shouldn’t we help him?
I appreciate your help. I will certainly take into consideration your suggestions.
And hey, gimme the benefit of the doubt, I’m only 15…
By the way, I love Linux. Using Slackware 10.1 to write this reply.
//Replacements for all your productivity software: $0//
Almost … but not quite.
What’s the linux full-featured replacement for Quicken? Nope, not Moneydance or GNUCash. Not even close, since they won’t download transactions from 99% of online banking sites.
Getting Quicken’s online features to work through WINE is basically impossible.
What is all that fuss about Quicken? Is that something US-centric? Is it something about yearly tax reports?
Over here, in Czech Republic (and I’m sure it applies to Slovakia as well), your employer does your tax report. You only do it yourself when
a) you are employing yourself
b) have more than one source of income in that year.
Even in case b), if you only switched employers, the new one would be willing to file the report, if you submit the figures from the previous one.
In case a), you need the whole general-ledger stuff (and there is SW for that which runs on Linux), and that machinery would prepare your tax report as well.
So generally speaking, people don’t need something like Quicken over here. One less problem on a “minority platform” .
“What is all that fuss about Quicken? Is that something US-centric? Is it something about yearly tax reports?
(author assumes yes)
So generally speaking, people don’t need something like Quicken over here.”
That might be true, if your initial assumption was correct. You askeda question, then made up an answer and formed your opinion from there.
Here you go: http://quicken.intuit.com/ (or better yet, http://www.justf–kinggoogleit.com/search.pl?query=quicken )
It’s a finance app, not a tax filing app. Deos stuff like “Track Your Income and Expenses, Pay Your Bills, Reconcile Your Accounts” etc. Good for seeing what sort of income you are geting, seeing what your monthly bills are and how much is left (extremely simple example).
Anyway, in addition to the ones already mentioned, kmymoney is a possible alternative. Like the others though I doubt it can be used to pay bills online like Quicken can.
/not a quicken user, just someone who knows that things generally get a reputation for a reason
I did not question the quality of Quicken, I questioned the use of it, why people think it is so important that they need a replacement for it on Linux.
Thank you for your answer.
“Is that something US-centric?”
Nearly true. In the UK it was withdrawn on 31 Jan 2005, with support ending 31 Jan 2006. See http://www.quicken.co.uk/ for the details.
Which is better, an available and working program such as Moneydance or GNUcash or a better-featured but unavailable and unsupported program like Quicken?
It isn’t silly in the right circumstances, and it can be part of the solution.
I support a couple of people who are basically writers. They are fine with what comes with Linux, and they share files a lot, get a lot of attachments. And some malicious spam. They don’t need quicken or anything else windows only. They don’t install software, just use what’s there. Every now and again when I am in town, I stop by and update to the next version. If there’s new hardware, like a new screen, I drop by when convenient and make sure it works.
From people like this, I get very few calls, and its mostly to do with help using Office, and I would get those if they were on Windows or Mac also. The great thing is, I am pretty much certain they are not going to get infected. Hardware firewall, no root signon, no open ports, software firewall too.
But I would not suggest to the average person using their machine in a less appliance-like way that they do it, and no way would I suggest trying to install even Mandrake by yourself as a naive user. Most people, the only thing you can do is try to help them harden Windows.
I just remembered that I bought my old father a bondi blue iMac in 1997 with modem, and hooked it up to broadband 1999.
He has now been online for eight years, six years 24/7 and haven’t had one single problem. He’s using MacOS 9, MS Internet Explorer and some Eudora version. He surfs, downloads images and print stuff.
I’m not trolling, it is just a reflection of something working so incredible well I almost forgot about it. My guess is that there are NO similar stories about Windows 95 or 98? 🙂
quote from Dylan…
“*nix users will scoff at this article, but don’t listen to them. They’re still pondering over the recent Lupper worm for Linux servers. I was going to title this article, “Practice Safe Hex”, but that was apparently already taken.”
This statement alone proves this guy has no idea what he is talking about.
get the facts here…
http://www.google.com/search?as_q=Lupper+worm&num=100&hl=en&btnG=Go…
FYI DYLAN, Lupper is a PHP/CGI vuln not Linux! Do your homework.
As far as everyone else. I would not listen to this guy as he clearly has a closed mind and somewhat arrogant attitude. Not someone I would take advice from.
Here’s the truth about Win security…
I can tell you with 100% certainty that his advice will not protect you. Discontinuing you use of Windows is your best defense. Or, at least unplugging it from the net.
Try living with a few skilled black hats for a while. Believe me, Windows, no matter what third party add ons you install to protect yourself is still a piece of SWISS CHEESE.
And you’ll never know anything happened.
Edited 2005-11-13 20:54
If you really want to learn about security go here…
radsoft.net
rixstep.com
insecure.org
lots of facts and truth about Windows and security that will change your mind about articles like this.
The difference between UNIX/Linux and windows is not features it IS security.
A UNIX box has all the tools on-board to secure it and start serving.
Windows has to add on a bunch of third party tools that have their own exploits on top of Windows.
A UNIX server’s third party add ons are mostly for monitoring attacks not preventing them. That’s already been taken care of by the OS itself.
A Windows server’s third party add ons are for catching exploits after they happen and trying to plug existing holes.
There’s no such thing as Windows security. There’s only security.
Why is this so hard to understand?
Given the Sony Copy-protection debacle, I have to wonder
when the next hidden corporate-sponsered virus will
infect everybody’s system without anyone knowing it &
worse no one supplying instructions on how to recover
from them! I’ll just stick to my Amiga, where these
types of problems are extremely miniscule.
The author’s first suggestion, to get rid of XP Home and install XP Pro, is what made the article useless to me. I’m not about to do that on my home machines! That is worse than someone telling me to just install Linux!
I’ve already paid for one copy of XP home on my desktop system and my laptop came with it pre-installed. I’m not going to buy yet another copy of Windows.
As for the people who posted links and ideas in the comments, thank you. That is some useful information. Especially Aaron Margosis’ weblog.
I’d stay away from buggy, insecure software like Mozilla components and Zone Alarm Pro.
Care to back up those out-there remarks with anything of substance? I’ll be happy to counter your Internet trolling them with opinions from real experts.
Secure Computing Magazine Global Awards
Editor-in-Chief” Award, February 2005.
SC Magazine calls Firefox “one of the most secure on the market.”
MAXIMUM PC
“Softy Awards 2004” – 1st Place
“The crĂ©me of this year’s software crĂ©me”
On ZoneAlarm:
Secure Computing Magazine
US Excellence Awards – Best SOHO Security 2005
Best Enterprise Security Solution 2004
Datamation
Product of the Year 2004
I won’t even bother with showing the other dozens of awards those products have won.
If you want security (or usability, or performance, or stability), Opera and Kerio PF are much better choices.
I tried using Operal for over six months and got tired of having to start Mozilla or IE to get many pages to render properly. I also felt that the UI was inferior to the Firefox UI. It’s better than IE, but it’s a far cry from Mozilla or Firefox.
As to Kerio Personal Firewall, it’s a dead product:
“Kerio Personal Firewall is being discontinued on December 31, 2005. While Kerio will continue to support this product for all customers through 2006, we will not be actively developing any new features or functionality going forward.”
It’s also consistently ranked behind ZoneAlarm. Keep in mind that ZoneAlarm is now owned by CheckPoint, one of the most respected enterprise-level firewall vendors in existence. They don’t buy “buggy, insecure” products.