This guide will show you how to secure Windows XP. While it covers the basics it also goes beyond them without going into “paranoid” mode… This guide is for home users in a stand-alone or workgroup environment. It is intended as a step-by-step guide and we highly suggest you read through the entire article before taking any action. We welcome suggestions and feedback.
For most home users, this article is overkill, especially when it comes to encrypting files. IMHO, file encryption is a privacy issue, not security. If you follow good security procedures, nobody will be able to hack your machine to get at your files.
Also, I’ve never enabled IPX/SPX – firewall prevents users from the outside from viewing my shared files. Also, as far as spyware removers, as long as you don’t use IE and do about 2 minutes of research before installing something, you’ll never need one of these. I scan my computer periodically with both AdAware and Spybot (neither one of them running resident), and the only thing they ever find is cookies.
Point of this post being that securing an XP box does not have to be this complicated.
Don’t use TCP/IP, don’t leave files unencrypted, run a fireannoyance (firewall that watches outgoing traffic), turn off all the services you just blocked with your firewall….
Seriously…not only is this paranoid…it’s ridiculous.
Turn on Windows firewall, accept no incoming.
Turn off rpc services and sharing services.
Run adaware on a timed job, or remember to run it yourself.
Install firefox/mozilla/opera and delete IE shortcuts.
Do not use outlook.
Final and most important step:
STOP RUNNING AS THE ADMINISTRATOR!
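An added example, not part of the comment above: a PowerShell audit of the four checkable points in that list (firewall on and refusing all inbound, the sharing/RPC-exposed services stopped and disabled, and whether the current session is an administrator). It assumes the XP-era service names Server (lanmanserver), Remote Registry and Messenger stand in for “rpc services and sharing services”; the core RPC service (RpcSs) is deliberately left alone because Windows does not boot without it. The Windows Firewall COM API (HNetCfg.FwMgr) shipped with XP SP2.

```powershell
# Added example (not from the original comment). Run in a normal shell to audit;
# run Disable-ExposedService from an elevated shell to apply the service part.

# Assumption: these are the services meant by "rpc services and sharing services".
$ExposedServices = 'lanmanserver', 'RemoteRegistry', 'Messenger'

function Test-FirewallBlocksInbound {
    # HNetCfg.FwMgr is the Windows Firewall API introduced with XP SP2.
    $fwProfile = (New-Object -ComObject HNetCfg.FwMgr).LocalPolicy.CurrentProfile
    New-Object PSObject -Property @{
        FirewallEnabled = [bool]$fwProfile.FirewallEnabled
        NoExceptions    = [bool]$fwProfile.ExceptionsNotAllowed   # the "Don't allow exceptions" box
    }
}

function Get-ExposedService {
    foreach ($name in $ExposedServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -eq $null) { continue }                 # e.g. Messenger does not exist after XP
        $wmi = Get-WmiObject Win32_Service -Filter "Name='$name'"
        New-Object PSObject -Property @{ Service = $name; Status = $svc.Status; StartMode = $wmi.StartMode }
    }
}

function Disable-ExposedService {
    # Stops and disables every service in $ExposedServices (needs an admin shell).
    foreach ($s in Get-ExposedService) {
        Set-Service  -Name $s.Service -StartupType Disabled
        Stop-Service -Name $s.Service -Force -ErrorAction SilentlyContinue
    }
}

function Test-RunningAsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Report: each warning is one item from the list above that is not yet done.
$fw = Test-FirewallBlocksInbound
if (-not $fw.FirewallEnabled)  { Write-Warning 'Windows Firewall is OFF' }
elseif (-not $fw.NoExceptions) { Write-Warning 'Firewall is on but still allows exceptions (inbound)' }

Get-ExposedService |
    Where-Object { $_.Status -eq 'Running' -or $_.StartMode -ne 'Disabled' } |
    ForEach-Object { Write-Warning ("{0} is {1}, start mode {2}" -f $_.Service, $_.Status, $_.StartMode) }

if (Test-RunningAsAdmin) { Write-Warning 'This session is an administrator; use a limited account for daily work' }
```

The service check reads the start mode through WMI because Get-Service on old PowerShell versions does not expose it; on a machine where the services are already disabled and the firewall refuses exceptions the script prints nothing but the admin warning (if any).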
an average windows xp user has no (that is as in none, nada, zero) knowledge how to secure any computer.
they do *not* understand and mix up “virus”, “firewall”, “spamfilter”, “hacker” and the word “terrorist”.
they are a good target for marketing companies like symantec and microsoft who only give a feeling of security.
or try to work on a windows pc under a non-administrative account and find out even if you use “runas” to install programs or handle systemwide changes that it won’t work all the time.
windows ™ is an open and simple architecture. windows nt4 also failed c2 security certificate tests for use in a network, those problems have never been solved.
Good article. I expected to hear about the auto start folders as well. In order to boot with Windows, a lot of bad things can nest in the auto start folders. I would recommend the c’t tool Kafu. Make one account that will be your regular online account (restricted user) temporary admin and run the tool. After that de-admin that account; this way it’s much harder for malware to auto start with Windows, if not impossible.

HKEY_CURRENT_USER\Software\Microsoft\
(1) Windows\CurrentVersion\Run
(2) Windows\CurrentVersion\RunOnce
(3) Windows NT\CurrentVersion\Windows

all these reg keys and the folders C:\Documents and Settings\
(1) <username>\Startmenu\Programs\Autostart
(2) AllUsers\Startmenu\Programs\Autostart

should have write permission for admins only.
The tool Kafu from the c’t website will just lock these holes.
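An added example, not the Kafu tool and not part of the comment above: a PowerShell script that lists what is currently registered in the autostart locations the comment names and reports every access-control entry that lets a principal outside a small admin allowlist write there. It only reports; the allowlist (Administrators and SYSTEM) is an assumption of the example. Note that in a limited user’s own HKCU hive the user account itself normally holds full control of its Run keys, so the report will flag that account too, which is exactly the hole the comment says Kafu closes.

```powershell
# Added example (not the page's or Kafu's code). Report only, no changes made.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows',   # only its Load and Run values autostart
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # <username>\Start Menu\Programs\Startup
    [Environment]::GetFolderPath('CommonStartup')   # All Users\Start Menu\Programs\Startup
)
# Assumption for this example: only these principals may hold write access.
$AdminPrincipals = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
# Rights that let a principal add, change or re-permission an autostart entry.
$RegWrite = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'
$FsWrite  = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, ChangePermissions, TakeOwnership'

function Get-AutostartEntry {
    # Everything currently registered to start with the session, from keys and folders.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($v in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($v.Name -like 'PS*') { continue }     # provider metadata (PSPath etc.), not a value
            if ($key -like '*\Windows NT\*' -and ('Load', 'Run') -notcontains $v.Name) { continue }
            New-Object PSObject -Property @{ Location = $key; Name = $v.Name; Command = $v.Value }
        }
    }
    foreach ($dir in $StartupFolders) {
        Get-ChildItem -Path $dir -ErrorAction SilentlyContinue | ForEach-Object {
            New-Object PSObject -Property @{ Location = $dir; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Get-WeakAutostartAcl {
    # Every Allow ACE granting write rights to a principal outside $AdminPrincipals.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($ace in (Get-Acl -Path $key).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $AdminPrincipals -notcontains $ace.IdentityReference.Value -and
                (($ace.RegistryRights -band $RegWrite) -ne 0)) {
                New-Object PSObject -Property @{ Location = $key; Principal = $ace.IdentityReference.Value; Rights = $ace.RegistryRights }
            }
        }
    }
    foreach ($dir in $StartupFolders) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($ace in (Get-Acl -Path $dir).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $AdminPrincipals -notcontains $ace.IdentityReference.Value -and
                (($ace.FileSystemRights -band $FsWrite) -ne 0)) {
                New-Object PSObject -Property @{ Location = $dir; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}

Get-AutostartEntry   | Format-Table Location, Name, Command -AutoSize
Get-WeakAutostartAcl | Format-Table Location, Principal, Rights -AutoSize
```

The write-rights masks deliberately leave out the composite ReadKey/WriteKey and Read/Modify values: a composite such as WriteKey contains read bits, so testing against it would flag read-only entries as writable.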
and make sure that your computer and monitor do not emit any electromagnetic signals, so someone could watch what you are doing …
Disable all possibilities to boot another OS, disable compatibility with earlier windows versions, enable newest encryption features, set a strong 14-character password, surf as non-admin -> Unbreakable.
It’s not necessary to disable network access because of the 14-character passwords.
I haven’t read the whole report, though it looks like what I ended up with — or close to it — after spending about a week researching security holes in XP and disabling services.
Very impressed that he does *NOT* list a firewall in the first tools list. Firewalls, while necessary, are often used instead of security…allowing security issues to persist.
This is probably a keeper!
When reading titles like this (securing windows…), I’ll just feel I have to puke. I’ll tell you a personal experience as one of the justifications.
It happened twice in the last year (the second time was just last week) that I found warez stuff (movies, porn, music and games) hosted on one of the Windows machines where I spend my daily work hours. The stuff got on the machine during a weekend (the machine runs 24/7, it’s someone’s personal developer PC), and it was noticed because of the dramatically increased net usage (~5mb/s) and suddenly filled HDDs.
This machine was now WinXP+SP2. The machine was installed by myself a few months ago. Every unnecessary service (and I _mean_ it) was disabled, firewall and antivirus software installed. Windows+antivir(norton corporate ed.)+sw-firewall(zonealarm) updated regularly and full system virus scan performed 2 times a week and nothing ever found (as I can tell).
The LAN also had a proxy allowing communication only on specific ports, although they don’t have a hw firewall, despite my repeated recommendations.
Thing is, I never ever before saw something like this actually happening. I heard of it, but no real experience.
I can’t write here pages long about me or the circumstances, you’ll have to believe (sorry) that I know what I’m doing when configuring Windows and Linux servers and services. And that for years.
All I can say, I never ever thought any Win version was secure in any conceivable way. And this experience won’t change my way of thinking.
Don’t get me (fully) wrong. I’m a fully committed Linux guy, but I don’t consider myself a zealot, meaning I don’t spread unjustified propaganda and I don’t recommend Linux if I think a Windows solution would be better for the job.
did anyone read the article?
“An example is port 80, the html port.”
the HTML port?
“If a port scanner can see port 80 on your system, and can inbound access your system via that port, they can mount your hard drives just as if they were connected to their system. They can read EVERYTHING on your hard drive – every file, all your data, and when they are finished, they can reformat your hard drives, or otherwise completely destroy your system.”
give me a break. WARNING YOUR COMPUTER IS BROADCASTING YOUR IP ADDRESS OVER THE INTERNET!
*THIS* is what I consider a reasonable way to secure a Windows XP system. While a few very small nits are missing from what I’ve done, anyone who follows this guide should have a much more secure system.
I’m keeping it as a check list and passing it along to others so they can see what is necessary.
Many (though not all) of these tips, btw, also apply to other versions of Windows NT and later. Windows 95-ME versions could benefit…though not nearly as much (ex: managing services and turning them off isn’t possible or necessary).
You missed the point. It’s not for someone who knows all the details; it’s for the majority of people who think “I’m using a firewall! … I’m using the latest patches! … I’m secure!”. Those people will see this tip as interesting.
While you are right and it is technically incorrect, you’re really reaching for a reason to be critical.
Anon quote “Yeah you can endlessly continue to argue that Linux will get more problems when its used by 90% of the world, but face it: Linux isn’t being used by 90% of world! Until you people stop complaining about Linux never being ready for the desktop, Linux will always be more secure than Windows simply because its less popular.”
Even if Linux was used by 90% of the world it would still be more secure than Windows. It is written into its very architecture.
Just a little hint about convincing your Linux to talk to your mp3 player. Don’t, I repeat, don’t try to convince it by talking to it, this won’t help.
Instead install the necessary software (if any is needed and you can not simply use your file browser after you plugged in the mp3 player) and press the appropriate keys in the software.
Hope this helps.
“set a strong 14-character password”
What knowledgeable advice. I know for a fact that I can erase/change your XP password faster than you could type it in — ever. I will bet any amount of money on this. Windows password is not even a joke, because you don’t feel like laughing about it but instead break out in tears, that’s just how sad it is.
You may be well off with a strong password for encryption software, but for the Windows password, I do mean as I said, it’s not meant to be sarcastic. I am not talking about reading data off your discs via Knoppix, I mean erasing/changing your system password faster than you could even enter it yourself.
That wasn’t my point. My point was it’d be much easier learning how to secure a Windows box than it would be switching to Linux. Perhaps securing Linux wouldn’t be as difficult (and even that is doubtful), but by the time you get your hardware working and find all the apps you need, you would’ve spent 10x the amount of time that you otherwise would have.
While I do like the article (check post by address nrockv01.md.comcast.net), I don’t think this is true.
Yes, Windows can be secured…somewhat. Linux, especially with the selinux extensions, is incredibly secure out of the box. Perfect? No, though much of what this guide goes over are security mistakes by Microsoft — mistakes made intentionally by Microsoft to support marketing and not customer needs. (Example: The list of enabled services shown in the article. Leaving some ports open without the user’s ability to turn them off — requiring the use of a firewall to block them instead.)
Linux *ISN’T* hard to use or to manage. It has many programs that replace or are not even found under Windows. Many important Windows programs can be used under Linux with Wine, Crossover, or VMware.
It is quite trivial to keep a Windows PC secure, but part of that involves the user.
No, it’s not trivial.
You can’t just leave a Windows machine to a person who knows nothing about security and expect it to remain secure, no matter how much you lock it down. It would be like handing a gun to a 4yo child with the safety switch turned on. They will more than likely eventually end up turning the safety switch off and inadvertently firing the gun.
This is why. If you can’t protect your systems from the users you’re not securing your systems.
You may be well off with a strong password for encryption software, but for the Windows password, I do mean as I said, it’s not meant to be sarcastic. I am not talking about reading data off your discs via Knoppix, I mean erasing/changing your system password faster than you could even enter it yourself.
Prove it. Keywords or URLs if you’ve got them.
I was running Linux for the last 6 months and it was great as a desktop BUT, after much deliberation and research I ended up re-installing WindowsXP. Why? It was because I want to create music on my PC and even though there are some programs that go part of the way in Linux, there still is nothing like Cubase/Reason. Until I can get an equivalent of CubaseSX 3 with a broad range of Virtual Instruments like Atmosphere and Halion, then I am not productive.
Sad but true. I miss my gnome desktop and no, I can’t be f’d with dual booting but I will be keeping my ear to the ground and pushing for Linux support in this field but until it happens then it’s Windows for me.
I can’t disagree more. This article covers the basics — ONLY. Security is difficult and important. Encryption, for one, is a necessary step — if you do it at the file, account, or system resource level.
This article is really overkill. First there are many errors/false claims (which cannot be excused by “this is meant for home users”). Second – the entire article gives the feeling that it’s paid for by Linux promoters. Third – some steps are duplicated, unnecessary or just too destructive for a Windows system. I can imagine a home user blindly following this article and finding that he/she can’t do anything with their PC afterwards.
I won’t say that Windows doesn’t need securing – of course it does. But, like everywhere else, suggesting to do something gives a better effect if it’s suggested positively – which this article certainly doesn’t. In other words, instead of scaring the user with billions of dangers it would be better to teach the user step by step and tell him what good it can bring.
I’ve seen a lot of scared users, who rarely touch their PCs at home, and even if they touch them, they are frightened by surfing on the web, not to mention downloading anything or using any other network goods. Windows or not – this doesn’t matter, such people usually don’t even know about alternatives. They are just scared – and articles like this don’t help either.
This article is really overkill.
No, it’s not. Security is difficult. Windows is shipped in an easy to use — and easy to abuse — default configuration. That’s why this is an important — if technically imperfect — document.
First there are many errors/false claims (which cannot be excused by “this is meant for home user”).
List them. (I see some, though none serious enough to damn the article over.)
Second – entire article makes feeling that it’s paid by linux promoters.
Where? It doesn’t talk about Linux or even unix at all.
The article does list Microsoft’s own security tools as important things to get. Seems to be an odd thing to mention for a stealth pro-Linux advocacy effort!
This is as pro-Windows as you can get. It’s for Windows users, power users, and jr. admins (or admins who haven’t given the topic any thought yet).
Third – some steps are duplicated, unnecessary or just too destructive for a Windows system.
List them.
These are reasonable steps. I’ve even forwarded it to friends who have asked for security tips but don’t have time to look up all the details.
I can imagine home user, blindly following this article and finding that he/she can’t do anything with their pc after.
“Security is a process, not a product.”
“Security is a process, not a product.”
“Security is a process, not a product.”
Programs are tools. Nothing more. A hammer can’t be blamed if I drop it on my toe. If I don’t know how to use a hammer, I should ask someone else to help me. Easy to use does not mean safe.
Agreed. Thanks for the pointer to Kafu. Much appreciated.
As always the Linux pro biased mods here don’t like it when someone points out the truth.
I checked the posts that have been moderated down. Quite a few of them were from pro-Linux advocates.
Seems like the moderators are doing a fairly good job.
” I found warez stuff (movies, porn, music and games) on one of the Windows machines where I spend my daily work hours.”
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I’d be suspecting the user of downloading that stuff…
ralph
Instead install the necessary software (if any is needed and you can not simply use your file browser after you plugged in the mp3 player) and press the appropriate keys in the software.
Yeah see, that’s the point. In Windows, the software normally comes on a CD with the player. In Linux, I have to go hunting for it and hopefully, I don’t have to recompile anything.
Anonymous (IP: —.nrockv01.md.comcast.net)
Yes, Windows can be secured…somewhat.
What do you mean, somewhat? Either an OS can be made secure or it can’t. If I can go several years running Windows without getting hacked and no traces of viruses, spyware, worms, etc, is that not secure enough?
Linux *ISN’T* hard to use or to manage.
Depends mainly on the user’s prior knowledge, distro, software needs, and hardware configurations. But there are always headaches somewhere along the way … always.
> It is quite trivial to keep a Windows PC secure, but part of that involves the user.
No, it’s not trivial.
Sure it is. I could write a guide and if you read it, you could secure a Windows box in about 20-30 minutes (assuming it wasn’t already infected).
This is why. If you can’t protect your systems from the users you’re not securing your systems.
Right, but I like to approach it from a different angle. If you give a user a list of 6-7 things to do/don’t do and they follow your instructions, then Windows becomes as secure as any Linux box, at least to the point where it would never get hit. It’s kind of like trying to prove whether one system is more stable than the other – sure, one might be technically more stable, but if neither of them ever crashes, what difference does it make?
Listen and learn. Don’t take this as an offense.
What do you mean, somewhat? Either an OS can be made secure or it can’t. If I can go several years running Windows without getting hacked and no traces of viruses, spyware, worms, etc, is that not secure enough?
Your personal experience does not mean that something is or is not secure.
On the high end, the military has disposal methods for old equipment that includes grinding the parts into flakes and then melting them.
On the low end, how do you know — for a fact — that you have not been broken into? 80% of the spam being sent is sent by rogue personal computers.
Depends mainly on the user’s prior knowledge, distro, software needs, and hardware configurations. But there are always headaches somewhere along the way … always.
Microcenter and WalMart sell Linux computers. Do you think that they sell them only to Linux advocates?
Sure it is. I could write a guide and if you read it, you could secure a Windows box in about 20-30 minutes (assuming it wasn’t already infected).
Write the guide. Compare it to the one above. What’s the difference?
Right, but I like to approach it from a different angle. If you give a user a list of 6-7 things to do/don’t do and they follow your instructions, then Windows becomes as secure as any Linux box, at least to the point where it would never get hit. It’s kind of like trying to prove whether one system is more stable than the other – sure, one might be technically more stable, but if neither of them ever crashes, what difference does it make?
I don’t think you realize the differences between the systems. Both can be secured fairly well. Windows takes a whole lot more effort to get it to the same level. Linux can be secured beyond what Windows can (ex: selinux — a project hosted by the US National Security Agency — the NSA — and is now becoming a default security policy on many Linux systems.)
I agree with Darius. For most home users, this is overkill. However, for those who are interested or concerned, this article is fine.
Windows XP SP2 comes with a security center which tells you about antivirus being installed, tells you whether you have your firewall active, tells you whether you have automatic updates enabled.
While this is not foolproof, because of e.g.:
* Doesn’t tell whether the virus scanner is actually *active*.
* Doesn’t recognize every virus scanner.
* Doesn’t tell whether automatic virus scan updates are enabled.
* No spyware/malware scanner.
* Even when you automatically update you are not safe against IE malware per se because Microsoft doesn’t issue timely updates for IE and perhaps other ‘vital’ Windows parts.
It’s at least a start and an improvement over SP1.
The firewall already created lots of problems for casual users because it’s too hard for them. This tells us something about how much casual users actually know about basic TCP/IP…
On the low end, how do you know — for a fact — that you have not been broken into? 80% of the spam being sent is sent by rogue personal computers.
In that case, how does anyone know? Generally on machines that are infected with spyware, I can tell because the firewall usually goes nuts and the system slows down to a crawl. That’s never happened on my machines, plus if I had something, you would think that multiple scans with different antivirus products and adware scanners (which I never run resident) would’ve turned up something.
Write the guide. Compare it to the one above. What’s the difference?
Mine is much less complicated and yields the same results. Of course, I am lazy, so who knows if I’ll ever write it.
I don’t think you realize the differences between the systems. Both can be secured fairly well. Windows takes a whole lot more effort to get it to the same level.
It takes effort, but not a whole lot. What I mean is, Windows doesn’t technically need to be as secure as Linux, only secure enough to be protected from everyday threats.
Linux can be secured beyond what Windows can (ex: selinux — a project hosted by the US National Security Agency — the NSA — and is now becoming a default security policy on many Linux systems.)
Look, I’m talking about Windows on the desktop for Joe Sixpack, not protecting the NSA. Joe Sixpack doesn’t need the same level of security that the NSA does.
“Microcenter and WalMart sell Linux computers. Do you think that they sell them only to Linux advocates? ”
No. In fact they sell most to Windows lovers with a warez XP cd and corporate key.
Windows XP SP2 comes with a security center which tells you about antivirus being installed, tells you wether you have your firewall active, tells you wether you have automatic updates enabled. …
Anti-virus, firewall, and automatic updates do not make a computer secure. They only assist after the system has been secured. Sound strange? Read on.
… The firewall already created lots of problems for casual users because its too hard for them. This tells us something about how much casual users actually know about basic TCP/IP…
A firewall isn’t a good method of securing a system. Having it cause problems only shows that if all the steps necessary aren’t taken, someone can break the system the first time they find it to be a ‘problem’.
This is one of the reasons why I suggest securing a system without relying on firewalls, system patches, or other additive tools like anti-virus programs. Since they do, indeed, fail — don’t rely on them alone.
Does this still sound strange? Are you a professional in a field of software development or management? If it does, and you are, you really should be reading up on this or hire someone who can.
No. In fact they sell most to Windows lovers with a warez XP cd and corporate key.
Speculation, anecdotes, or proof? If you have proof, let’s hear it.
In that case, how does anyone know? Generally on machines that are infected with spyware, I can tell because the firewall usually goes nuts and the system slows down to a crawl. That’s never happened on my machines, plus if I had something, you would think that multiple scans with different antivirus products and adware scanners (which I never run resident) would’ve turned up something.
Ah, you’re starting to ask the right questions, Darius!
Here’s some more questions to ponder…
* As systems, and networks, run faster and faster, how will you be able to guess that any malware is installed at all?
* Have you ever encountered a false positive or false negative on a virus program?
* If a virus gets installed, how can you trust your virus scanner?
* How do the companies that make virus scanners find out about the viruses in the first place?
There are answers to each of these; it’s not entirely hopeless.
Mine is much less complicated and yields the same results Of course, I am lazy, so who knows if I’ll ever write it. …
… It takes effort, but not a whole lot. What I mean is, Windows doesn’t technically need to be as secure as Linux, only secure enough to be protected from everyday threats.
The things you’re skipping do matter. That’s why they were in the report. If you choose to skip them, you have lost certainty; you are going on faith and hope. Fine for a temple, though not for a technical task.
Look, I’m talking about Windows on the desktop for Joe Sixpack, not protecting the NSA. Joe Sixpack doesn’t need the same level of security that the NSA does.
Selinux isn’t there to protect the NSA. It’s there to protect users including Mr. Sixpack. The NSA thinks it’s important enough to let everyone else use the fruits of their research. That’s normal people!
Selinux is automatically ON — no fuss or configuration — on a distribution that includes it and has the proper policy settings. So far, you can get Fedora Core Linux with the targeted policy — the default for Fedora Core 3 — and you have to do nothing to set it up.
Go read about selinux at the NSA if you’re curious. Windows needs something like this…hell, Linux needed something like this for years.
In the meantime, having the systems locked down as described in this document is a good idea. Yes, it will take a few hours, though that’s time you don’t spend on attempting to recover from damage that could have been avoided in the first place — a net win in the long run.
Microsoft should learn from non-Microsoft operating systems. A default OS X installation is fairly secure compared to a default Windows installation. The main problem isn’t the OS, it’s the defaults. If you don’t want to be bothered with all the work involved…complain to Microsoft. I already have!
(end of comments from me…we’ll pick this up later in another story if we both are there)
This is one of the reasons why I suggest securing a system without relying on firewalls, system patches, or other additive tools like anti-virus programs. Since they do, indeed, fail — don’t rely on them alone.
The problem I see here is that you are taking the extremely paranoid ‘bulletproof’ approach to security, and that isn’t really practical in most cases. Let me use a real-life example of what I’m talking about:
Say you wanted to go to an ATM machine, but you are afraid of being robbed. You could hire two bodyguards to go with you, arm yourself with a machine gun, and learn kung fu so that just in case the bad guy takes out both your bodyguards and the machine gun doesn’t work, you at least stand a fighting chance. You could also stake out the ATM machine you want to go to for a few days just to make sure there are no suspicious people lurking around. You could either do that, or use the common sense approach – don’t go to a remote ATM machine in the middle of the night, don’t count your money at the machine, look over your shoulder to make sure nobody is watching you enter your PIN, etc. Sure, you’re more protected using the bulletproof approach, but the chance of anything bad happening using plain old common sense is almost nil.
Anyway, to say that you should not rely on a firewall to protect your system is insane – that’s what firewalls are for. That’s like saying that even though you lock your door every day when you leave your house for work, you should lock up your DVD player, computers, and anything else you have valuable in a storage closet just as a safeguard. That’s not practical, and neither is locking down your machine to be protected without a firewall. For example, one of the steps they list is to enable IPX/SPX on your home network which is great, unless you happen to be using a program on your home LAN that speaks TCP/IP. In my case, I use such a program to enable the XM radio connected to my PC (XMPCR) to be controlled across a network. If you really wanted to add an extra layer of protection, you could always invest in a $30-$40 firewall router, which should do the job for you at home.
* How do the companies that make virus scanners find out about the viruses in the first place?
One of the rules in my guide is to not run email attachments with certain extensions. Since I would imagine 9 out of 10 people who get infected by a rapidly spreading virus get it via an email attachment, you would be safe from them. If a virus were to be introduced to your system via some other means, it is likely that the virus defs already know about it.
Speaking of email, I read a couple of times in these comments ‘Don’t use Outlook’ but actually, newer versions of Outlook (or older versions that are patched) are about as secure as anything else. Newer versions don’t run scripts by default and even block harmful attachments.
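An added example, not from the comment above and not Outlook’s attachment logic: a PowerShell function that applies a “don’t run attachments with these extensions” rule the way a practitioner would actually want it applied, i.e. to the name as Windows will store it (trailing dots and spaces dropped), with double extensions such as invoice.pdf.exe and padded names such as “photo.jpg      .scr” reported, and a trailing {CLSID} suffix (which Explorer hides) treated as blocked. The extension list is an assumption modelled on typical mail-gateway blocklists; the sample names at the end are constructed.

```powershell
# Added example (not the page's code). Classifies attachment file names.

# Assumed blocklist for the example (not Outlook's list).
$BlockedExtensions = '.exe', '.scr', '.pif', '.com', '.bat', '.cmd', '.vbs', '.vbe',
                     '.js', '.jse', '.wsf', '.wsh', '.hta', '.cpl', '.lnk', '.reg', '.msi'

function Get-LastExtension([string]$Name) {
    # Manual split instead of [IO.Path]::GetExtension, which throws on odd characters in .NET Framework.
    $i = $Name.LastIndexOf('.')
    if ($i -lt 0) { return '' }
    return $Name.Substring($i).ToLowerInvariant()
}

function Test-BlockedAttachment {
    param([Parameter(Mandatory = $true)][string]$FileName)
    # Windows drops trailing dots and spaces when writing the file, so "setup.exe ." is really setup.exe.
    $clean = $FileName.TrimEnd('.', ' ')
    # Explorer hides a trailing {CLSID} "extension" and opens the file as that class.
    if ($clean -match '\.\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        return 'blocked: hidden CLSID extension'
    }
    $ext = Get-LastExtension $clean
    if ($BlockedExtensions -notcontains $ext) { return 'allowed' }
    # Look for a lure extension in front of the real one ("invoice.pdf.exe", "photo.jpg     .scr").
    $stem  = $clean.Substring(0, $clean.Length - $ext.Length).TrimEnd(' ')
    $inner = Get-LastExtension $stem
    if ($inner) { return "blocked: double extension $inner$ext" }
    return "blocked: $ext"
}

# Constructed sample names for the example; the CLSID is the nil GUID, not a real class.
$constructedNames = 'report.pdf',
                    'invoice.pdf.exe',
                    'photo.jpg                      .scr',
                    'setup.exe .',
                    'notes.txt.{00000000-0000-0000-0000-000000000000}',
                    'holiday.jpg'
foreach ($n in $constructedNames) {
    '{0,-52} {1}' -f $n, (Test-BlockedAttachment $n)
}
```

For the constructed names above the function returns allowed for report.pdf and holiday.jpg, a double-extension block for the .pdf.exe and the padded .jpg .scr names, a plain .exe block for “setup.exe .”, and the CLSID block for the last one; the padded name is the case a naive “last four characters” check gets wrong.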
Anonymous (IP: —.nrockv01.md.comcast.net): “It’s not a debate. Please go back and read so you can benefit from my guru level wisdom!”
I’m going to use your words right back at you: “Listen and learn. Don’t take this as an offense.”
Don’t get arrogant; that’s the path which takes you through mistakes you won’t realize you’ve made for possibly a long time (if ever).
Only wannabe gurus call themselves gurus (except for possibly a few limited cases involving striking down an arrogant person or something else like that). If you are a true guru people will recognize you for what you are or not, it does not matter to a true guru.
Anonymous (IP: —.nrockv01.md.comcast.net): Your personal experience does not mean that something is or is not secure.
Agreed.
Anonymous (IP: —.nrockv01.md.comcast.net): On the high end, the military has disposal methods for old equipment that includes grinding the parts into flakes and then melting them.
What the military does or does not do has nothing to do with the following…
Anonymous (IP: —.nrockv01.md.comcast.net): On the low end, how do you know — for a fact — that you have not been broken into? 80% of the spam being sent is sent by rogue personal computers.
You do not know. Period. You cannot check every individual thing that can possibly happen, you are subject to someone else at some point. Always. You can narrow it down to a ridiculously small window, which is virtually impossible to penetrate, but it is always some size above 0. The more knowledge (and resources) you possess, the more you can do. But it never actually ends.
I have never seen or heard of anything, be it implemented or theoretical (and you can do more in theory than in practice), that has been able to reduce it to 0. I suppose it’s possible, I’ve missed this “miracle” event since computer security is not my speciality. But somehow I doubt it.
However… I will add that both you and Darius had some good points. Next I’ll mention the article briefly…
Well… I skimmed through the article and it was truly interesting. It seemed to be pretty good overall. Though I personally feel some things are lacking, on both ends. It was both “too strict” and “too loose” in my opinion.
As Darius said, this is in fact not very practical for a home user.
For one thing, the LAN situation (using IPX instead of TCP/IP) is sheer stupidity. Why? Simple. Some programs people are going to want to use at home only run with TCP/IP! I don’t know them all, but for instance some games only work over TCP/IP.
As if that wasn’t enough, some “network adapters” I’ve seen, apparently only work with TCP/IP (as bizarre as it may sound).
The other big thing is actually the guide itself to put it bluntly. What do I mean? Well… The average home user (that I know) isn’t even going to be able to find this page or follow the instructions very easily. To make matters worse, a number of “experts” I know would call this ridiculously paranoid and as a result, it would be ignored. (Or even better some “experts” I know would practically advise not using email at all or wouldn’t even know how to follow the steps themselves. Heh.)
The way I see it is that someone will have to do this for a lot of home users and resolve their problems for them. And if they’re going to do that, they might as well do some other stuff which I personally think is better anyway. (For instance, restricting the programs which can be run. Maybe set the computer up so separate programs don’t have access to the same data. And so on… While we’re at it and doing it for them we might as well hit the problem hard.)
Honestly, for the average home user who doesn’t have someone to deal with issues for them, I have to agree with Darius. From my own experience in dealing with home computers, the reason many of them get compromised (and I do mean many), as well as a number of machines at different companies, is that some dolt made a critical error at some point, which should be really easy to avoid. For example, not running a firewall, not updating software, blindly running attachments, and so on… Basically the stuff that Darius said.
The article does not recommend turning off TCP/IP (you’d not be able to connect to internet and download windows updates if it were so).
It recommends turning off TCP/IP and using IPX for “FILE AND PRINTER SHARING ONLY”. (Bindings people, bindings).
It’s not much different than editing /etc/samba/smb.conf to listen on the addresses you select.
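As an added illustration of the bindings analogy above (not from the article or the poster), here is a Samba smb.conf fragment that keeps file sharing bound to the home-LAN side only; the interface name, addresses, share path and group are assumed for illustration:

```ini
# Added example, not from the article: Samba file sharing bound to the LAN only.
# Interface name, addresses, share path and group below are assumed.
[global]
    workgroup = HOME
    # Weak default: with no "interfaces" / "bind interfaces only" lines, smbd
    # listens on every address the host has, including the internet-facing one.
    #
    # Restricted: serve SMB on the home-LAN interface only, the equivalent of
    # unbinding File and Printer Sharing from the internet adapter on Windows.
    interfaces = lo eth1 192.168.1.0/24
    bind interfaces only = yes
    # Belt and braces: refuse SMB sessions from anything outside the LAN.
    hosts allow = 127.0.0.1 192.168.1.0/24
    hosts deny = ALL

[shared]
    path = /srv/shared
    read only = no
    valid users = @lanusers
```

Run `testparm` to validate the file before restarting smbd, and confirm with `netstat` (or `smbstatus`) that ports 139/445 are no longer bound on the internet-facing address.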
or try to work on a Windows PC under a non-administrative account and find out that even if you use “runas” to install programs or handle system-wide changes, it won’t work all the time.
For example?
Windows ™ is an open and simple architecture.
Ironic, then, that most of the complaints seem to be about it being closed and complex.
Windows NT4 also failed C2 security certification tests for use in a network; those problems have never been solved.
It’s impossible to “fail” C2 for use in a network because C2 doesn’t have any network-related requirements.
When reading titles like this (securing windows…), I’ll just feel I have to puke. I’ll tell you a personal experience as one of the justifications.
*If* the machine and network was really as secured as you think, then I’d suggest:
a) questioning anyone who could conceivably have access to the machine.
b) checking the rest of your network for compromised machines.
9/10 times this sort of thing is some employee – either deliberately or inadvertently – opening the machine up to exploitation. Of the remaining 1/10 times, at least 50% of *those* are going to be a cracker gaining access to the machine from some other compromised machine within your network.
Blaming it on “typical Windows” is not only a cop out, it’s professional negligence.
“Until you people stop complaining about Linux never being ready for the desktop, Linux will always be more secure than Windows simply because it’s less popular.”
Less [publicly] exploited != more secure.
Even if Linux was used by 90% of the world it would still be more secure than Windows. It is written into its very architecture.
How so?
This is one of the reasons why I suggest securing a system without relying on firewalls, system patches, or other additive tools like anti-virus programs. Since they do, indeed, fail — don’t rely on them alone.
Sounds fascinating. Do tell how you propose to secure systems – while keeping them useful – without firewalls, patches or programs to detect abnormal system behaviour.
Sukru: The article does not recommend turning off TCP/IP (you’d not be able to connect to the internet and download Windows updates if it were so).
It recommends turning off TCP/IP and using IPX for “FILE AND PRINTER SHARING ONLY”. (Bindings people, bindings).
You are right he was only talking about file sharing (which I didn’t notice, since I only skimmed through the article). (Something you seem to be unaware of though is that you can turn off TCP/IP for your home network without cutting yourself off from the internet. There’s a number of ways to do this. One is called dialup… Another is called having a second network adapter for the internet. And so on…)
However, as I already stated… Some network adapters I’ve seen can only use TCP/IP (for some bizarre reason. Very few are like this, but it is still a problem).
Also… The author makes it sound like (early in that section) it’s bad to have anything on your home network use TCP/IP and this is why I didn’t notice he was only talking about file sharing. Probably this is what caught Darius as well.
He says for example: To prevent this from happening you can tell your computer to stop speaking TCP/IP for your home network and speak IPX/SPX instead.
The home network is used for more than file sharing. (In a number of cases) And there’s a few other things he says which also implies that we will be removing TCP/IP from the home network entirely. But the actual steps (appear to be) for simply file sharing.
No, though much of what this guide goes over are security mistakes by Microsoft — mistakes made intentionally by Microsoft to support marketing and not customer needs. (Example: The list of enabled services shown in the article. Leaving some ports open without the user’s ability to turn them off — requiring the use of a firewall to block them instead.)
Oh, goody, I love conspiracy theories. Tell me more about yours.
Linux *ISN’T* hard to use or to manage.
Yes, it is – and I speak as someone whose job is a unix sysadmin.
Linux is a PITA to use as an “it just works” tool – a consumer desktop. FreeBSD somewhat less so, but both are significantly more work than either Windows or OS X.
[It is quite trivial to keep a Windows PC secure, but part of that involves the user.]
No, it’s not trivial.
1. Don’t run as an admin.
2. Keep the system patched.
3. Enable the firewall.
That protects the typical user from 99% of typical external attacks (that is, script kiddies with network scanning tools). It’s trivial.
Internal attacks – that is the user deliberately or inadvertently running malicious code – are much harder (if not impossible) to defend against. But that holds true for every mainstream OS.
It’s trivial to keep a Windows machine secure without going over the top in terms of inconvenience and breaking functionality.
This is why. If you can’t protect your systems from the users you’re not securing your systems.
Protecting systems isn’t particularly difficult. Protecting data, OTOH, from users is nigh on impossible – because if they have the potential to do something bad to it, then malicious code run by them also has that potential.
The article does not recommend turning off TCP/IP (you’d not be able to connect to the internet and download Windows updates if it were so).
It recommends turning off TCP/IP and using IPX for “FILE AND PRINTER SHARING ONLY”. (Bindings people, bindings).
And it’s still a waste of time. It’s not going to buy any meaningful increase in security, at the cost of an increase in complexity (thus, increased probability of failure).
I’ve just browsed the article but I think this article is not for the home user. If any of my non-computer-geeky friends were to follow the guide they would become clueless around “port scans” and completely lost around “port 80, the html port” (it is the http port guys, if you have to have names for it…).
Usually, whenever someone screwed up their Windows (although they claim that they haven’t done anything…sure you didn’t…you didn’t point your unpatched IE to those pron sites, no you didn’t…) they call me to “fix” their computer.
I’m a nice kinda guy (I think) so I’ll swing by and install Windows for them since they still haven’t figured out that it isn’t so hard to install Win (2k/XP) and then windows update.
When the install is done I install some kind of firewall. Usually it ends up with ZoneAlarm or Norton Personal Firewall. Once I gave Agnitum Outpost a try (30 day trial version – a free one exists as well, haven’t tried it though). Anti-virus as well…
After a system install I give them the usual rant on safety…switch to Firefox, if the firewall pops up with a new application wanting net access – READ – don’t just accept…the usual…
But what do you know…a few weeks later when I drop by and check the “trusted applications” or whatever it’s called in firewall XYZ, it’s crammed with dialers and other malware.
Again they claim that they haven’t done anything…sigh…
The point of this rant you wonder. The point is that firewalls are good only if the users have some kind of clue of what is going on. I never liked application based firewalls because non-geeky ends up accepting the annoying application, because once they accidentally blocked an application and suddenly their browser didn’t work.
I like port based firewalls more, but even these can’t protect the “dumb” user if some spyware running on port 80 infects the system. A combination of both would be the best solution, however being geeky I hate having to have both. I like every free byte of RAM I’ve got and I keep tweaking my box to give me even more. You say now that I’m being silly since I probably have plenty of RAM. Sure, but I am geeky as well as some of the readers of OSNews are.
To conclude:
Firewalls can help make your system more secure if you know what to do. If you don’t it won’t.
Completely useless and pointless article.
Any half competent Windows admin will already know all that’s mentioned in the article and an average home user will not even know what a “port” is so will never be able to follow the article.
In addition, the competency of the authors became suspect as soon as they mentioned IPX/SPX and Zonealarm.
Anybody who ever fixed, maintained, administered one SOHO network will know that in this day and age you need TCP/IP on your local network otherwise you lose most of everyday useful functionality.
Anybody who recommends Zonealarm obviously doesn’t care about system performance and stability. Zonealarm is the worst piece of shit software, and the first thing I do when I start troubleshooting a system is get rid of Zonealarm.
Same goes for Symantec Firewall.
Those two are equivalent to a virus.
The other shits I purge are anything from McAfee and Roxio.
Nothing good ever came from those two, other than a plentiful supply of troubleshooting work (i.e. source of income for me).
I don’t use software firewalls. And in my opinion, if you need a software firewall that keeps an eye on apps communicating with the Internet, then you already have a fucked up system because you picked crappy apps that “phone home”.
A hardware router with an SPI firewall built in is more than sufficient for 99.9999999% of home users and small LANs.
Although I do like one kind of software firewall, a Linux or BSD based computer, but those are nothing like that shit Zonealarm. And it’s not really fair to call them “software firewall” because you’re using a whole computer just to function as a firewall.
Running as a non-admin user on Windows is a big hassle as not all programs support that and many have bugs that cause problems with that kind of set up.
It’s hard to get it working but worth the effort.
Not every technician has time or gets paid enough to do it though.
But in the end 99.9999% of security threats are brought into the system by the user, so no matter how much you lock down the system (and annoy users by making their life difficult) all it takes is for the user to visit one porn site in between Microsoft’s monthly patches and it goes all downhill from that point on.
And I’m glad it’s the way it is. Keeps not only us computer techs working but also the whole industry around the spyware and adware, never mind all the antivirus companies that employ a lot of people. It’s one big circle of life, a whole ecosystem.
But it’s nice to have a Slackware behind Smoothwall at home.
I know, some of us don’t play fair.
But what do you know…a few weeks later when I drop by and check the “trusted applications” or whatever it’s called in firewall XYZ, it’s crammed with dialers and other malware.
Again they claim that they haven’t done anything…sigh…
Assuming they’re not using Internet Exploiter (a critical step in the security process), where does all this malware come from?
try http://www.openbsd.org … it rocks… no more problems
Anti-virus, firewall, and automatic updates do not make a computer secure. They only assist after the system has been secured.
Duh? When you install such, you assume the system is secure. Otherwise you do a clean install and then install this software. Of course these systems assist in making a system more secure and in theory nothing is secure. In the situation of SP2 they contribute, which is an effort I applaud.
Indirectly you have a point though: when one installs Windows XP non-SP2 they are vulnerable because of several vulnerabilities in the Windows XP non-SP2 system. Hence a system directly on the Internet being used e.g. to surf with MSIE or being directly accessible via e.g. RPC is potentially exploited. This is a problem for casual users more than corporate networks, given a corporate network runs a firewall, uses NAT, is able to slipstream, can have updates off-site, etc. They have more knowledge and time and security is more important than with the masses. This is a problem.
A firewall isn’t a good method of securing a system.
Strange how all these corporate networks run firewalls, ehh..? A properly configured firewall secures a network. I’m not in a position to argue whether the Windows XP / SP2 firewall is either by default or able to secure a network properly.
Having it cause problems only shows that if all the steps necessary aren’t taken, someone can break the system the first time they find it to be a ‘problem’.
Ignorance of users is of course impossible in any situation…
This is one of the reasons why I suggest securing a system without relying on firewalls, system patches, or other additive tools like anti-virus programs. Since they do, indeed, fail — don’t rely on them alone.
???
How does this make sense?
One of the rules in my guide is to not run email attachments with certain extensions.
Darius, that’s all fine. I’m quite sure *some* people are able to secure their computer, never mind whether that is Windows or Linux or whatever. But we need to educate users to adopt policies such as the one you described here. Education is an (!) important ingredient to inform people about dangers and disadvantages which they’re otherwise ignorant or apathetic to. Alternatively, abolish the opening of executables or attachments. Why should an e-mail client have access to the OS other than reading mail from a mailbox, $server:25, $server:110, $server:143?
Selinux is automatically ON — no fuss or configuration — on a distribution that includes it and has the proper policy settings. So far, you can get Fedora Core Linux with the targeted policy — the default for Fedora Core 3 — and you have to do nothing to set it up.
Sure, sure. I’ll be looking forward to the experiences of less technically inclined users with that. Problem is when it’s too strict (same as with the Windows firewall). You and I may be able to overcome that, but the casual home-end desktop user? Not by a chance. That’s why a pro-active design which ‘thinks’ for the user without mandatory user intervention is a pre.
“windows ™ is an open and simple architecture.”
Ironic, then, that most of the complaints seem to be about it being closed and complex.
The author obviously did not refer to that. Stop trolling.
Assuming they’re not using Internet Exploiter (a critical step in the security process), where does all this malware come from?
You know..I’d really like to know that as well.
I must admit I really haven’t bothered to see whether all was malware. Some of it might be legit programs they use for whatever purpose suits them. I agree on the use of IE, however even Firefox isn’t invulnerable to spyware or malware. I’ve heard of sites (most likely porn/warez sites) providing Firefox extensions which turn out to be some kind of spyware. When non-geeky visits these sites (denyingly of course) and a pop-up tells him to install this piece of software, non-geeky most likely will.
As I said in the beginning, I’d like to know how this spy/mal-ware gets installed because it is a riddle to me how people can screw up their systems that much this way. Fortunately for me my non-geeky friends don’t use Outlook Depressed so at least they don’t get it from that.
I agree on the use of IE, however even Firefox isn’t invulnerable to spyware or malware. I’ve heard of sites (most likely porn/warez sites) providing Firefox extensions which turn out be some kind of spyware.
Would be interesting if you know of any specific sites. I have often wondered if spyware on Windows (as well as Linux) might be possible using Mozilla/Firefox extensions as a backdoor.
I’ve never run across any of these alleged sites myself. Notice that I wrote that I heard of such sites. It is a claim. A bold claim indeed, however it does not have to be some shady warez site. It could just as well be a trusted site where the author has joined the “dark” side, as in this discussion on mozillazine: http://forums.mozillazine.org/viewtopic.php?t=149844
And if non-geeky ventured on to this apparently trusted site and non-geeky installed this “trusted” extension non-geeky would be infected with some spy/mal-ware.
We the geeky ones know that “mozilla.org” is a trusted site, however if I tell non-geeky that mozilla.org is trusted you can be sure that in two weeks non-geeky has forgotten all about it. Guess who has to fix non-geeky’s computer :/
Indirectly you have a point though: when one installs Windows XP non-SP2 they are vulnerable because of several vulnerabilities in the Windows XP non-SP2 system. Hence a system directly on the Internet being used e.g. to surf with MSIE or being directly accessible via e.g. RPC is potentially exploited.
Windows XP has always had a firewall. There is no “requirement” that a pre-SP2 system be exposing RPC on the ‘net.
The author obviously did not refer to that. Stop trolling.
Obviously. What’s not obvious is what he _was_ referring to.
> I am not talking about reading data off your discs via Knoppix, I mean erasing/changing your system password faster than you could even enter it yourself.
> Prove it. Keywords or URLs if you’ve got them.
I’m not the original poster, but I have often used the Offline NT password utility that is found on the Austrumi Linux CD or The Ultimate Boot CD (UBC). It’s dirt simple. Maybe not as fast as the original poster, but the same result. The only real issue is when you use the native encryption provided with NT/2k/XP systems. Those encrypted files probably won’t be recovered.
And didn’t I read that the LMHASH forces uppercase letters, and isn’t someone running a telnet server where you can dump the contents of the SAM and it will return plain text passwords?
Of course folks something very similar can be done with *nix and the chroot command, so bother, if physical security isn’t in place then there is no security.