Basic Computer Security – and I mean Basic

Securing your computer takes a little time but can and will save you a lot of pain and financial suffering when done properly.

The following are the most basic steps in keeping your computer safe:

  1. Switch to Windows XP Professional. As you will read in the tips below, the Professional version of Windows is phenomenally safer and “better” than the Home Edition. When you buy a new machine, don’t get Vista (Until February of 2008). Many local companies can and will install XP Professional for you. If you have a newer machine (bought since 2004) then you should simply upgrade to the Professional edition.
  2. Provide Physical Security for the machine. It may seem basic, but we didn’t want you to overlook the obvious. The simple fact is that most security breaches in corporate environments occur from the inside. Keep your computer or laptop in an office or room that locks, install a lock on the tower or laptop case and keep it locked, and store the key safely away from the computer at a secure location. (i.e. a locked cabinet in the server room) Never leave your laptop in your car, not even to run in and get a Red Bull at your local stop-and-rob.
  3. Use NTFS on all your partitions. The FAT file systems that were shipped with Windows 95/98/ME offered no security for your data and left your system wide open to attacks. The NTFS file system is faster than FAT and allows you to set permissions down to the file level.

    If you’re unsure of how your system is configured, open My Computer, right-click on the drive letter you want to check, and select “Properties” from the menu. If your Windows XP system is configured with the FAT file system, you can convert the partitions quickly and easily using the convert.exe utility.

    When you choose to convert to NTFS, you cannot go back to the FAT file system unless you reinstall XP and many XP disks do not give you the opportunity to install FAT. In addition, using NTFS on Windows XP Professional allows you to encrypt files and folders using the Encrypting File System (EFS).

    If you are dual booting Windows XP and Windows 9x/ME, keep in mind that these operating systems cannot read NTFS partitions, and you won’t be able to access the files when you are in Windows 9x/ME.

  4. Disable Simple File Sharing – XP Professional only. Both Windows XP Home Edition and XP Professional computers that are not part of a domain, use a network access model called “Simple File Sharing” where all attempts to log on to the computer from across the network are forced to use the Guest account (this prevents them from using a local Administrator account that wasn’t configured with a password). This means that if you’re connected to the internet and don’t use a secure firewall, your files contained within those shares are available to just about anybody.

    To disable Simple File Sharing on XP Professional:

    • Click Start | My Computer |Tools | Folder Options.
    • Select the View tab.
    • Go to Advanced Settings, Uncheck the Use Simple File Sharing box (you will have to scroll to the bottom of the list).
    • Click Apply.

    Unfortunately, XP Home Edition doesn’t allow you to disable Simple File Sharing (and is unable to join a domain) so the best you can hope for is to make sure you set your shared folders to be read only, hide the file shares by using a $ sign after the folder name, or if your using the NTFS file system, use the Make Private option in the folder properties.

  5. Use passwords on all user accounts. Both Windows XP Professional and Home Edition allow user accounts to utilize blank passwords to log into their local workstations, although in XP Professional, accounts with blank passwords can no longer be used to log on to the computer remotely over the network, and you cannot schedule tasks without a password.

    Obviously, blank passwords are a bad idea if you care about security. Make sure you assign passwords to all accounts on your machine, even the one for your kids and especially the Administrator account and any accounts with Administrator privileges. By the way, in XP Home all user accounts have administrative privileges and no password by default. Make sure you close this hole as soon as possible

  6. Use the Administrator Group with care. It’s very common for home users and small business administrators to simply give all local accounts/users full Administrator privileges in order eliminate the inconvenience of logging into another account. However this practice gives a hacker the opportunity to try to crack a greater number of administrator level accounts and increases their chance of success. It also increases the odds that malicious code can be executed via an e-mail or other way can do more damage to your computer and files.

    In a workgroup consider placing local users with a greater need for control in the local Power Users group (only available in Windows XP Professional), instead of the Administrators group. Defiantly avoid the temptation of using the local administrator account as your default login account.

    If you are not sure how to configure this, contact your local IT professional. At Ward Conciliation we are able to do this for you.

  7. Disable the Guest Account. This account has automatically been turned off but not disabled if you have Service Pack 2, so check to be sure.

    The guest account has always been a huge hole ripe for hackers. It should be disabled as soon as you set up your computer. Unfortunately, this setting recommendation only applies to Windows XP Professional computers that belong to a domain, or to computers that do not use the Simple File Sharing model.

    Windows XP Home Edition will not allow you to disable the Guest account. When you disable the Guest account in Windows XP Home Edition via the Control Panel, it only removes the listing of the Guest account from the Fast User Switching Welcome screen, and the Log-On Local right. The network credentials will remain intact and guest users will still be able to connect to the shared resources of the affected machine across a network.

    Microsoft Knowledge Base Article: 300489 describes this behavior and states that it is by design. The best workaround for XP Home Users is to assign a strong password to the Guest account.

  8. Use a firewall if you have a full time internet connection. Having instant, high speed access to the internet is a real convenience (just the thought of dial-up internet causes my left eye to twitch) but it also puts your computer system at higher risk.

    Although XP comes with a built in firewall (called ICF – Internet Connection Firewall), it only filters incoming traffic without attempting to manage or restrict outbound connections at all (If you have not upgraded to Service Pack 2 it is most likely not even activated).

    This is in no way safe for the vast majority of users, I highly recommend using a third party personal firewall such as Zone Alarm Professional or Outpost Firewall (for more advanced users).

    For business users already behind a quality hardware firewall, the very least you should consider is using Group Policy to enable ICF and disable specific ports when users are not connected to the corporate network.

  9. Use a router instead of ICS – Internet Connection Sharing. The Internet Connection Sharing feature within XP allows a user to connect one PC to the internet and then share that connection with the rest of the computers within his home or small office network. While it was generally a good idea when it was conceived, if you have a high speed connection a “real” router is a faster, easier to configure, and more secure.

    I have not used any for if ICS for over 7 years since a router is so much more stable and easier to set up, for small home or office, I strongly recommended the Linksys Cable/DSL Routers, which are usually under $100.00. Call Ward Conciliation at 417-353-1794 for an exact quote on a router specific to your needs.

  10. Install a complete Security Software Suite on all computers. Viruses and other forms of internet nasties have been around for years, but today’s malware utilizes the internet and e-mail systems to spread globally in a matter of hours. Installing ant-virus software (such as the award winning ESET NOD32) is a basic step in protecting your data, but it’s near useless if the definitions aren’t updated so make sure it updates hourly. Don’t forget an anti-malware program (like AVG’s Anti-malware –formerly EWIDO) that watches for different types of attacks to your computer
  11. Keep up to date with Windows Critical Updates and other patches. Windows XP is a complex operating system and is not immune to bugs and security holes. It’s common for hackers to use the latest known security hole(s) to break into a system and work backward from there until they find an open door that gives them full access. In fact, I figure 99% of system breaches are executed using known security vulnerabilities that were never patched.

    Use the Windows Update feature or “automatic update” to keep your system up to date. To enable automatic update in Windows XP:

    • Click Start, then click Control Panel.,
    • Next, click on Performance and Maintenance.,
    • Then click System.
    • On the Automatic Updates tab, click the setting of your choice. Microsoft has “patch Tuesday” where they release critical and non-critical updates. I would set your computer to download these updates “Every Wednesday” at whatever time you will have your computer running.
  12. Password protect the screensaver. Once again this is a basic security step that is often circumvented by users (or in my case teenagers wanting to go where they shouldn’t). Make sure all of your computers have this feature enabled to prevent an “internal threat” from taking advantage of an unlocked console.

    For best results, choose the blank screensaver or logon screensaver. I suggest you avoid the OpenGL and graphic intensive program that eat CPU cycles and memory thus slowing down your entire computer. Make sure the wait setting is appropriate for your usage.

    If you can get in the habit of manually locking your computer when you walk away from it, you can probably get away with an idle time of 15 minutes or more. You can keep users from changing this setting via Group Policy or the local security policy.

  13. Secure your wireless network. The wireless standards allow you to roam freely without cables and make anywhere your virtual office. This also gives hackers another open door to your data if you fail to lock it. A survey in the U.K found that of 5,000 wireless networks that were discovered by simply driving around the city with a wireless enabled laptop, 92% were wide open. As “drive by” hacking and warchalking are becoming common practice, any hacker with a laptop and a Pringles can, could potentially compromise your network.

    We could go into a whole new checklist on securing your wireless network but I have written several articles and papers (to be listed on this web site) and countless other articles have been written giving you exact instructions on how to do this. If you are unsure you can always call a technology professional out, at Ward Conciliation we provide just such a service.

  14. Secure your Backup tapes. It’s amazing how many people and organizations implement decent security, and then don’t encrypt and/or lock up their backup tapes containing the same data. It’s also a good idea to keep your computer software disk (such as Windows, Microsoft Office et al) locked up and stored away from your computers as well.