NateHoy's Essential Security Guide for Windows 2000/XP.

The following are my opinions on the most important things you can do to make your computer secure.  I have listed them in order of importance, but keep in mind that ONE through FIVE are absolutely essential.  Don't go online without them.

1.  BE SMART

The internet is full of people who want to scam you, break into your computer, and use your computer for evil stuff.  Follow this simple rule:  If something sounds too good to be true, it probably isn't true.

Quite a bit of freeware comes with Adware (that shows advertising) or even Spyware (that follows your activity patterns or can even send your usernames and passwords).  Research software before you download it.

Your friends may not be secure, and many viruses and worms are sent from the computers of people you know and think you can trust.  The virus infects them and hijacks their computer to send the virus to YOU.  Don't click on attachments in emails, even if it's from someone you trust, unless you KNOW what the file is.  Since many viruses are written specifically to attack Microsoft Outlook and Microsoft Outlook Express, you may want to consider using a different email client.  Mozilla (the web browser) has a very nice one built in.  Eudora is a fantastic email client.  There are dozens of other free ones.  Think about it and consider trying one out.

Speaking of software selections, Internet Explorer has its own security issues and plenty of them.  Give some thought to running one of the alternative browsers, like Firefox (found at www.mozilla.org).  If you must run IE, be sure you have the latest version and keep it patched.  Actually, that goes for any browser, since none of them are hackproof.  Patch early, patch often, and play it safe.

No matter what you do, you cannot make your computer 100% secure.  But you CAN stay on your toes and try to keep yourself as secure as you possibly can.

2.  Run and UPDATE AntiVirus software.

Always run Antivirus.  If you aren't, go get it.  NOW.  With all the excellent free clients out there, you have NO EXCUSE for not running some form of AV.

My personal favorite is Grisoft's AVG.  You can find them at http://www.grisoft.com - they even have a free version.

Norton WAS my first choice for a commercial solution, though they are adding DRM to their software lately so I'm leaning toward McAfee.  Either will do the trick if you want a commercial package, though.  It really depends on your feelings about DRM.  You don't need a commercial package, but some people prefer them.  That's cool if that's what you prefer - JUST RUN SOMETHING.

Don't like any of the above?  That's OK.  There are plenty more.  Here's a list for you to research (in no particular order):

Norton, McAfee, Panda, Grisoft AVG, NOD 32, Protector Plus, Command, Kaspersky, GlobalHauri, Etrust EZ, Avast32, Vexira, PC-Cillin, Sophos, F-Secure, AntiVir Personal Edition, Norman

Some of the companies above make commercial software, some freeware, and some may even be out of business by now.  Of the list above, I have personally used only AVG, Norton, and McAfee, though several others are well-known products.  I've heard good things about Avast, Sophos, and NOD, but I've never used any of them.  Do your own research and find an independent review if you want to try one out.

Once you pick one, it is critical that you KEEP IT UP TO DATE.  Antivirus software that is more than 2 weeks out of date is almost useless.  Viruses come out every day.  You should update your antivirus client at LEAST once a week.  Better yet, configure it to update itself daily and check on it every couple of weeks to make sure the virus signatures are up-to-date.  Make this a habit.

If you are not running AV by now, stop reading this site and go get something.  If you have one and you haven't updated it in a while, stop reading and start updating.  Don't worry, I'll wait.  :)

OK.  So you have a current AntiVirus client up and running, and life is good now, right?  Well, you're better off, but there are still a few teensy little items to consider...

3.  Visit Windows Update / Office Update regularly.

New vulnerabilities are found regularly in Windows XP.  Don't take it personally as an attack on the quality of Windows XP - that's not the point.  ALL operating systems have vulnerabilities, including XP (in fact, if you are running Linux or a Mac, you should also be updating regularly).  The point is that you need to patch these vulnerabilities.

Windows Update is your friend, and a good friend to have.  Get to know it.  Don't make it feel lonely - visit it at least once a week.  You can do this easily by starting Internet Explorer and selecting "Tools" / "Windows Update".  Update all of the "Critical Updates" when they come out, and look carefully at the "Recommended updates" for security patches.  I generally recommend keeping everything security-related updated as soon as it comes out.

If you are seriously behind on your updates or stuck on dialup, Microsoft is now offering a CD that they will ship to you for free that contains SP2.  You'll still have a lot to download, but it can get you closer to being current.  You can order the CD at: http://www.microsoft.com/athome/security/protect/cd/confirm.mspx.  Note that this CD may not be available forever.  If this link doesn't work just look around their site (starting here, assuming it works) on the "how to keep your computer up to date" and see if you can find a link to mail you a CD.  Microsoft does not heavily advertise the availability of freely-mailed CDs, but they have been really good about providing them for a couple of years now.

An alternative for those of you on dialup may be as close as your local library (at least, if you have a laptop or a friend with a laptop and a CD burner).  SP2 and many of the other updates can be downloaded as installable patches and burned to CD.  See here and here.

Unless you need it, don't bother with the .NET framework - it's a huge download that won't do you any good unless you have software that requires it.  The latest Windows Media Player is nice if you use Media Player a lot, but if you use a different media player, you can easily do without this download.

If you use any version of Microsoft Office, be aware that it has lots of security patches that you want to stay on top of, too.  http://office.microsoft.com/home/default.aspx - subscribing to one of Microsoft's bulletins or an excellent resource called "Woody's Office Watch" will help you stay on top of these security patches and what they mean to you ( http://www.woodyswatch.com ).

It's also a good idea to check for updates to the software you use regularly, your antivirus software, and even the firmware for your hardware router if you use one.

So, viruses are pretty much a non-issue, and the latest XP hack is beneath you.  Life is good?  Well, you're starting to get there, but there are other threats you need to be aware of...

4.  Run a Software Firewall.

Get a good software firewall, configure it as tightly as you can, and use it.  One of the major attack vectors is port attacks.  There are crackers out there just trying to drill a way into your machine right now.  Additionally, you have lots of software packages that just LOVE to dial home and report stuff without you knowing about it.

A personal firewall protects you against unsolicited attacks, and more importantly reports (and controls) what programs can talk from your machine out TO the Internet.  If you download that oh-so-cool calculator program, and your firewall starts telling you that it's trying to report something every 5 seconds, that should be telling you that this software is not a friend of yours.  Well, maybe it is, but it's the kind of friend your mother warned you about.  Lose it.

My personal favorite for beginners is ZoneAlarm, which can be found at http://www.zonelabs.com.  The free version is quite capable and very easy to configure.  Each program that tries to communicate outbound for the first time gets stopped by ZA and you get a little popup asking you if the communication is OK.  You can say "yes" or "no" to that program, and you can tell ZA that your answer is just for this one time, or this program should always (or never) be able to talk.

There are more sophisticated programs that can allow access to specific ports, and are much more customizable.  Agnitum Outpost is a free firewall that is quite sophisticated, and Norton Internet Security is very feature rich (though I've had a lot of trouble with it in the past).

ZoneAlarm gets the job done, it's effective, it's easy to use, and the basic version is completely free.  Install it now and you can always uninstall it and change to something else later.  Or eventually pay for the full version if you like the extra bells and whistles.  'Nuff said.

OK, so now viruses are covered, you have XP up to the latest patches, and Guido and the boys are watching the back door for you.  What?  There's more?  You betcha, boss.  Read on...

5.  Disable unneeded Windows services.

Did you know that your copy of Windows was shipped with features you don't need, all sitting there running and taking up resources?  More importantly, some of them are actually major annoyances and a few are even security risks.  Yes, your firewall will probably catch them, but why leave them?  Do you leave the keys in the car with the engine running and set the alarm?  Of course not.  Well, OK, not INTENTIONALLY.

So you have all these little programs all running along, doing their thing.  Most of them are useful, some of them are somewhat useful, and some are downright stupid.  Which are which?  Fortunately, a very nice guy by the name of Black Viper made up an excellent site with a list of all of the major services running in Windows and a brief tutorial on each one, with recommendations on whether you want it active or not.  This site is a MUST READ.  Scan it, make your own decisions on services, and get your Windows locked down. 

http://www.blackviper.com/WinXP/servicecfg.htm
MIRROR SITE: If the main site is down, use this link.

NOTE:  Unfortunately, Black Viper's site has been down for a while.  However, his service information is available on the "Internet Wayback Machine" - a web site that caches periodic copies of other people's sites for review later.  You can find the most recent Black Viper Windows XP Service Pack 2 data HERE.  VERY special thanks to web.archive.org for saving this most valuable data!

If you visit it and appreciate his work, then pay the man a few bucks.  Maybe he'll bring his site back up.  :)

 If BlackViper's site is too complicated, never fear.  There are a few services that are the most critical to shut down.  Download and run the following tools from Gibson Research (they are all free) and they will get the worst ones for you:

Shoot the Messenger:  The #1 thing you want to do in Services.  Messenger is not the MSN Messenger, it is a tool for network administrators to send little popup messages to your desktop, and spammers have learned that this is a great way to convince you that your machine has been corrupted or hacked so they can sell you junk to stop the very messages they are sending.  Run this little free app instead, it does a better job and will save you money.  :)

Unplug-and-Pray:  This tool disables "Universal Plug and Play".  Some newer peripherals, particularly wireless ones, may need this, but the tool allows you to re-enable UPnP as easily as you disabled it, so don't worry.

DComBobulator: Disables the DCOM service, which you are very unlikely to need.  Again, you can turn DCOM back on if turning it off causes problems.
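If you would rather see and change these three settings yourself than run the Gibson tools, here is an added example (my own script for this page, not one of the Gibson tools) that reports their current state and, with -Apply, disables them.  It assumes Windows PowerShell is installed (an optional download on XP SP2), an Administrator account, the XP service names Messenger, upnphost and SSDPSRV for the Messenger and UPnP services, and that DCOM is switched off through the EnableDCOM registry value.

```powershell
# Added example: report (and with -Apply, disable) the Messenger service, the two
# UPnP services and DCOM. Assumptions: XP SP2 service names Messenger, upnphost
# (Universal Plug and Play Device Host) and SSDPSRV (SSDP Discovery Service);
# DCOM is turned off by setting HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM to "N".
param([switch]$Apply)   # without -Apply the script only reports, changes nothing

$services = @('Messenger', 'upnphost', 'SSDPSRV')
$oleKey   = 'HKLM:\SOFTWARE\Microsoft\Ole'

foreach ($name in $services) {
    # Get-Service on XP-era PowerShell does not expose the startup type,
    # so read state and start mode through WMI instead
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($svc -eq $null) { Write-Host "${name}: not installed"; continue }
    Write-Host ("{0,-10} state={1,-8} startup={2}" -f $name, $svc.State, $svc.StartMode)
    if ($Apply -and $svc.StartMode -ne 'Disabled') {
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $name -StartupType Disabled
        Write-Host "  -> $name stopped and set to Disabled (Set-Service -StartupType Manual to undo)"
    }
}

# DCOM: "Y" means enabled, "N" means disabled; the change takes effect after a reboot
$dcom = (Get-ItemProperty -Path $oleKey -Name EnableDCOM -ErrorAction SilentlyContinue).EnableDCOM
Write-Host "EnableDCOM = $dcom   (Y = DCOM on, N = DCOM off)"
if ($Apply -and $dcom -ne 'N') {
    Set-ItemProperty -Path $oleKey -Name EnableDCOM -Value 'N'
    Write-Host "  -> EnableDCOM set to N; reboot to apply, set it back to Y to undo"
}
```

Save it as a .ps1 file, run it once without -Apply to see where you stand, then again with -Apply if you are happy with the changes.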

 

Now you have a system that's not running a bunch of extra junk, you are somewhat immune to viruses, you are patched to the hilt, and nothing on your computer can communicate on the Internet without your say-so.  What could possibly still hurt you?  Well, if you've made it this far, you are already more secure than 90% of Internet users.  Give yourself a light pat on the back.  However, there are a few things you can do to further improve the picture...

6.  Run as a "limited" user.

By default, the account you use in Windows XP is a computer "Administrator".  This user profile is capable of formatting drives, installing software, deleting the WINDOWS directory, and just about anything else nasty you can possibly imagine.  If someone should hijack your profile by using a virus or trojan, they can pretty much do anything they want to your machine.

An excellent security measure (and a seldom-used one) is to do your daily tasks as a limited user rather than an administrator.  Limited users cannot install new software, they cannot access protected system files, and generally are protected against shooting themselves in the foot or allowing someone else to do it for them. 

To do this, simply go to the Control Panel and select "User Accounts".  Click on "Create a new Account", give it a name, select "Limited User", and assign a password.  You may need to copy your documents into the "Shared Documents" folder or into the "My Documents" folder of your new profile (generally found in "C:\Documents and settings\<username>\My Documents").  Then log off and log on to your new limited account and try things out.

When you need to install new software or make major changes to your system, simply log out and log back in as your original account.

Note:  Some older software may not work well under a limited account.  Your best bet is to set up a limited account and try it.
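The same thing from the command line, as an added example that is not part of the original guide: it tells you whether the account you are logged on as is an Administrator, and if so creates a limited account that is a member of the Users group only.  It assumes Windows PowerShell is installed and that the account name "daily" is a placeholder you will change.

```powershell
# Added example: check the current logon and create a limited (Users-only) account.
# Assumption: "daily" is a placeholder account name; run from an Administrator account.
param([string]$Name = 'daily')

function Test-IsAdmin {
    # True when the current logon token is in the local Administrators group
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $user = New-Object Security.Principal.WindowsPrincipal($id)
    return $user.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

Write-Host "Logged on as $env:USERNAME, administrator: $(Test-IsAdmin)"

if (Test-IsAdmin) {
    # "*" makes net user prompt for the password instead of leaving it in your history
    net user $Name * /add
    # XP puts new accounts into Users by default; make sure that is the ONLY group
    net localgroup Users $Name /add | Out-Null
    net localgroup Administrators $Name /delete 2>$null | Out-Null
    Write-Host "Members of Administrators now (your new account should NOT be listed):"
    net localgroup Administrators
} else {
    Write-Host "This session is already limited; log on as your original account to add users."
}
```

Run it again after logging on as the new account: "administrator: False" confirms you really are working as a limited user.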

7.  Run frequent Spyware/Adware Scans.

So, you downloaded a really great software package. It's free, it's functional, and you only had to click past several licensing agreements to get going.

Did you READ those agreements?

The next day, you are in Word, minding your own business, when suddenly - out of NOWHERE - a screen just rudely pops up telling you that you've won the lottery, or that your computer is insecure, or that you need to take pills to get a bigger... well... never mind.  You get the drift.

Congratulations.  You have been infested with "Adware".

Most adware is actually harmless.  It runs when the ad-supported software you downloaded runs, and pops random ads based on preferences you may have given the software vendor when they gave you the software.  The ads are usually contained within the software window of the application you are running, so they don't pop up all over the place.  Since you got the software for free, you really should expect these, and I don't advocate disabling them - the people who wrote the shareware need to get paid to encourage them to write more software, after all.

However, some of it can get downright nasty, and some of it slips into the region of "Spyware": applications that actually watch what you are doing and report it (possibly including keyboard captures of you typing your passwords into your online banking site) back to the Mother Ship.

Download SpyBot (http://www.safer-networking.org/) and Ad-Aware (http://www.lavasoft.de/) and update and run both of them at least every few weeks.  Read up on what you are cleaning out of your system, and understand that some of your ad-supported freeware might not work or may reinstall its adware the next time you run it.


8.  Get a NAT Router (broadband users only - DSL or Cable).

In step 4, you added a software firewall.  That's good.  However, there is a relatively inexpensive way you can improve on that security - adding a NAT router.

A NAT (Network Address Translation) router sits between your internet connection and your computer.  Any requests made from the outside world, unless you have specifically requested them, are automatically rejected.  The router is a good outer perimeter of defense against intruders.  Note that it does not prevent your computer from talking out to the Internet, so you still need the software firewall.  However, it provides a much more effective defense against port attacks.

Your best bet for a NAT router is a unit that includes a function called SPI, or Stateful Packet Inspection.  This adds an extra layer of protection.

Personally, at the moment, I am using a Linksys WRT54GL with aftermarket firmware, but any router affords some level of security. Be sure you secure any wireless capabilities it has, or you may find your neighbor using your account for something he'd rather not admit to, or a hacker using your account to break the law.

The setup for a good NAT router is pretty simple, though most of them require that you use Ethernet (and not USB) to connect your modem:

BEFORE:   [COMPUTER] ----<ethernet cable>---- [MODEM] ----<cable or phone line>---- [ISP]

AFTER:    [COMPUTER] ----<ethernet cable>---- [ROUTER] ----<ethernet cable>---- [MODEM] ----<cable/phone line>---- [ISP]

Another major advantage of a router is that it allows you to hook up multiple computers to a single broadband connection.  Your ISP only has to give you one internet address, and the router splits the connection for you.

WARNING:  Some routers come with wireless capability.  If you buy a wireless router, read the instructions carefully and set your network up as securely as possible.  Otherwise, the additional security afforded by the router will be completely eliminated when someone driving by with a laptop gains access to your machine.  If you don't need the wireless, turn it off.  If you do need it, follow the directions for securing it carefully.

Also, when you install the router, the first thing you should do is change the administrator's password.  Most routers are shipped with an easy-to-guess default password, and you don't want anyone hijacking your router.

If you have an old machine lying around and want a real learning experience, you can turn it into a router/firewall.  Personally, I prefer the small, inexpensive router solution myself, but a machine running a Linux-based router is very configurable and if you have the hardware already, you might be able to save the $30-50 that a router would cost.  Since this is more of a beginner's article, I'm not going to explore that option, but Smoothwall is a highly-recommended solution.  Google can help you.

9. Know your files.

By default, Windows XP (and most versions of Windows) has this really annoying habit of hiding file extensions.  Think you are opening a file called "budget.xls"?  Are you SURE?  That file could be called "budget.xls.vbs" and Windows would HIDE the ".vbs", fooling you into thinking that you are opening a spreadsheet when in fact you are running a Visual Basic Script (a type of program).  This is a common exploit for viruses and trojans.

Fortunately, Windows can be easily persuaded to tell you what is really going on.  All you need to do is ask.  Start up Windows Explorer, and from the Tools menu, select Folder Options.  Click on the "View" tab.  About halfway down the list, you will see a little checkmark labeled "Hide Extensions for Known File Types".  Turn this checkmark OFF.
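Here is an added example (my own script for this page, not from any tool mentioned above) that flips that same checkbox from the command line and then looks through your documents for "budget.xls.vbs"-style names, the ones that would have fooled you while extensions were hidden.  It assumes Windows PowerShell is installed and that the checkbox is stored as the HideFileExt value under the current user's Explorer\Advanced registry key.

```powershell
# Added example: show real file extensions in Explorer, then list files whose
# names imitate a document but actually end in a program or script extension.
# Assumption: HideFileExt under HKCU\...\Explorer\Advanced is the "Hide extensions
# for known file types" checkbox (0 = show extensions, 1 = hide them).
param([string]$ScanPath = "$env:USERPROFILE\My Documents")

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# 1. Turn the checkbox off. Explorer picks the change up in new windows / after logoff.
Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0 -Type DWord
$now = (Get-ItemProperty -Path $advanced -Name HideFileExt).HideFileExt
Write-Host "HideFileExt is now $now (0 = extensions shown)"
# Caveat: a few types carry a NeverShowExt value in HKEY_CLASSES_ROOT (.lnk, .pif,
# .url) and keep hiding their extension no matter what this checkbox says.

# 2. Document-looking middle extension followed by a program-type final extension.
$docExt  = 'doc|xls|ppt|pdf|txt|jpg|gif|mp3|zip|htm|html'
$exeExt  = 'exe|com|scr|pif|bat|cmd|vbs|vbe|js|jse|wsf|hta'
$pattern = "\.($docExt)\.($exeExt)$"

$suspects = Get-ChildItem -Path $ScanPath -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Name -match $pattern }

if ($suspects) {
    Write-Host "Files that look like documents when extensions are hidden:"
    $suspects | ForEach-Object { Write-Host ("  {0}  ({1} bytes)" -f $_.FullName, $_.Length) }
} else {
    Write-Host "No double-extension files found under $ScanPath"
}
```

A hit is not automatically a virus, but a "spreadsheet" that is really a .vbs or .scr deserves a scan with your antivirus before you ever double-click it.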

Wow... you're still with me.  If you've followed every recommendation and done everything right, you are now as secure as you are likely to get.  Congratulations.  But you have to be sure you really did everything... 

10. Test, Test, and Test again.

Cool.  Now you are 100% secure and never have to worry again, right?  WRONG.  If you have followed all of the recommendations above, pat yourself on the back.  You are now "somewhat" secure, for now.  There is no such thing as a secure computer on the Internet, but you are now a harder nut to crack than your neighbor (unless he works for some covert government organization).  However, new threats pop up every day, so you have to keep your AntiVirus up to date, and test your security from time to time.

Now, go test your new shields and make sure you did it right.  A false sense of security is a terribly dangerous thing.

As you proceed through the first round of tests, read everything carefully.  Steve is a security guru and his advice is well worth following.  He tends to the dramatic at times, but better safe than sorry where security is concerned.

Visit Steve Gibson's excellent tools at http://www.grc.com and select "ShieldsUP!".  Go down to "Hot Spots" and select "Shields Up!" again, then click "Proceed" and select "All Service Ports".  Give it a few minutes and look at the results.  GREEN is excellent, BLUE is OK, and any other color is a sure sign of trouble.  Note that a good router should show GREEN except possibly at the Ident port (# 113).

Next, download and run Steve's excellent "Leak Test", which will test your firewall's ability to identify and stop unknown software from talking outbound.  http://www.grc.com/lt/leaktest.htm 

Finally, try to download the EICAR Test Virus from http://www.trendmicro.com/en/security/test/overview.htm - this is NOT a virus, but a test file that has a pattern that all known antivirus clients recognize as one.  It's a good way to verify that your Antivirus client is at least scanning files for you.  If you can save this file to your hard drive without your antivirus client going berserk, you need to check the settings on your AV software.  Now.

-----------------------------------------------------------------------------

Suggestions/Compliments/Complaints?  Contact me at feedback*nmhoy.net (replace the "*" with the usual @ sign)

DONATIONS AND SUPPORT:
If you find these pages useful and want to donate, it would be very much appreciated.  Money is always welcome, as is any working router, networking, or other computer gear so I can play with it and expand my knowledge.  

Let me know at the above email address and I'll give you a PayPal account link, or a mailing address to send any gear to.  Or just email me an Amazon gift certificate in the amount you choose, or choose an item from my Amazon Wish List.  There is absolutely no obligation for you to do so, but any donations are gratefully accepted. Thank you.

(C) 2004-2006 Nathan Hoy - all rights reserved.