Nov 19 2009
Defending your home computer, part 4: Closing the holes in your Windows
Okay, I admit it. Microsoft’s reputation for security sucks. Whether it is caused by rushing their products to market, poor programming practices or because Microsoft’s dominant position in the market makes it the primary target of malware authors, Windows has been full of holes.
Of course, it has come a long way from Windows 98, which had no security to speak of. Since that time, Microsoft has made a continuing effort to improve, with mixed success. Some “improvements”, such as Vista’s implementation of User Account Control (UAC), were so frustrating to users that they turned it off rather than deal with it. With Windows 7, they seem to have made some significant strides. In fact, the first patch Tuesday after the release of Windows 7 contained no critical security updates – a first for a new Microsoft OS.
Nevertheless, even if Windows 7 proves to be much more secure than previous Windows versions, there are still holes that need to be closed. Some holes, such as bugs in the code, must be closed by installing patches and updates. Others have to be closed through proper configuration and good account management.
Enable Windows updates
One of the simplest steps you can take to help protect your system is to turn on Automatic Updates. Although Microsoft generally releases major security updates once a month (“patch Tuesday”), updates can occur at almost any time. If these updates are intended to close a security hole, chances are that you want to have them installed as soon as possible. You can configure Windows Update to download the patches and notify you, download the patches and install at a specified time of day, or download and install the patches immediately.
To turn on Automatic Updates in Windows XP, simply right-click on My Computer and select the Automatic Updates tab. In Vista and Windows 7, go to the Control Panel and click on Windows Updates.
Turn off autorun
One common method of infection is to embed a virus in a program or file that is configured to autorun when a CD or USB drive is inserted into the computer. Autorun is one of those features that is intended as a convenience. In my opinion, the convenience is not worth the risk. With Autorun turned off, the system will ask you each time a CD or USB drive is inserted what action you want it to take. I generally just open the folder and select the file I want to open directly.
Instructions for turning this feature off can be found here.
Practice good account management
In Vista and Windows 7, Microsoft closes a couple of holes that existed before by disabling the built-in administrator and guest accounts automatically. In XP, the guest account was disabled but not the administrator account. These built-in accounts often allow an intruder access into a system because everyone knows the name of the account, and many people use blank or easy-to-guess passwords.
Here are some good account management practices you should implement:
- Be sure to rename the administrator account to prevent an attacker from trying to use it to invade your system.
- Provide each user of your system with a unique user ID.
- Ensure that no blank passwords are used and that all passwords are strong. (These policies can be enforced by the OS. If you would like to know how, please leave a comment and I will provide directions.)
- No accounts other than the primary administrator of the system should be members of the Administrators group. This will prevent unwanted software and malware from being installed under their accounts. They should be members of the Users group only, or of the Power Users group at most.
- Periodically review the user accounts on your system and be sure you recognize each account. The appearance of new accounts may indicate that someone has accessed your system without your knowledge. (Some applications may create service accounts that you don’t recognize, but you can Google these.)
- Turn on auditing for logon/logoff activity and periodically review the audit logs for suspicious activity. (Again, if you would like to know how to do this, leave a comment and I will provide instructions.)
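One way to run the account review described in the list above, as an added example that is not part of the original post. It assumes Windows PowerShell 5.1 or later (for the Get-LocalUser cmdlets), an elevated prompt, an English-language Windows installation, and Vista-or-later event IDs; the 7-day window is an arbitrary choice.

```powershell
# Added example: read-only review of local accounts and logon auditing.
# Assumes Windows PowerShell 5.1+ and an elevated (administrator) prompt.

# 1. List every local account. The built-in Administrator (RID 500) and
#    Guest (RID 501) are identified by SID, so a rename does not hide them.
$users = Get-LocalUser | ForEach-Object {
    $rid = $_.SID.Value.Split('-')[-1]
    [pscustomobject]@{
        Name             = $_.Name
        Enabled          = $_.Enabled
        BuiltIn          = switch ($rid) { '500' { 'Administrator' } '501' { 'Guest' } default { '' } }
        PasswordRequired = $_.PasswordRequired
        LastLogon        = $_.LastLogon
    }
}
$users | Format-Table -AutoSize | Out-Host

# 2. Flag the conditions the list above warns about.
foreach ($u in $users | Where-Object Enabled) {
    if (-not $u.PasswordRequired) {
        Write-Warning "$($u.Name): no password required, so a blank password is allowed"
    }
    if ($u.BuiltIn -eq 'Guest') {
        Write-Warning "$($u.Name): built-in guest account is enabled"
    }
    # 'Administrator' is the default name on English-language installations.
    if ($u.BuiltIn -eq 'Administrator' -and $u.Name -eq 'Administrator') {
        Write-Warning 'Built-in administrator is enabled under its default name'
    }
}

# 3. Members of the Administrators group (well-known SID S-1-5-32-544).
#    Compare this list with the accounts you expect to see.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Format-Table Name, ObjectClass, PrincipalSource -AutoSize | Out-Host

# 4. Current password policy and logon/logoff audit settings.
net accounts
auditpol /get /category:"Logon/Logoff"

# 5. Failed logons (event ID 4625) from the last 7 days, per target account.
#    Properties[5] is the TargetUserName field of the event.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Group-Object { $_.Properties[5].Value } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize | Out-Host
```

If step 4 shows "No Auditing", logon auditing can be enabled from the same elevated prompt with auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable.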
Turn off file sharing
Windows includes file and print sharing services by default. However, on a home network, these services often are not needed. Leaving them turned on can provide an open door to an intruder. Unless you are sharing files between your home systems across the network on a regular basis, you should turn these services off. You can find instructions for disabling simple file sharing and file and print services here and here.
Turn off remote access
Windows includes the ability to access the system remotely, either to provide user assistance or to use the remote system as if you were sitting at the console. Microsoft calls these services Remote Assistance and Remote Desktop. If you do not use these services, you should disable them. You can do this by right-clicking on My Computer, selecting Properties and then selecting the Remote tab (XP) or the Remote Settings link (Vista/Win7). Make sure the “Allow Remote Assistance” and “Allow users to connect remotely” options are both unchecked.
Use your screen saver
You should use the screen saver feature of Windows to lock your workstation after a period of inactivity. This prevents another user or an attacker from gaining access to the system logged in as you (probably with administrative privileges). It may take a few extra seconds to get back in, but it is time well spent to help safeguard your system.
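The settings from the autorun, file sharing, remote access and screen saver sections can be verified in one pass. The script below is an added example, not part of the original post; it only reads the current state, and the registry paths and value names are the standard Windows ones rather than anything given in the post. It assumes PowerShell 3.0 or later.

```powershell
# Added example: read-only check of the settings discussed in this post.
# Registry paths and value names are standard Windows ones, not from the post.

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$policy  = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$control = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$desktop = 'HKCU:\Control Panel\Desktop'

# AutoRun: 0xFF (255) disables it for every drive type; HKLM overrides HKCU.
$autorun = Get-RegValue "HKLM:\$policy" 'NoDriveTypeAutoRun'
if ($null -eq $autorun) { $autorun = Get-RegValue "HKCU:\$policy" 'NoDriveTypeAutoRun' }

# Remote Desktop is off when fDenyTSConnections = 1;
# Remote Assistance is off when fAllowToGetHelp = 0.
$rdpDenied = Get-RegValue "$control\Terminal Server" 'fDenyTSConnections'
$assist    = Get-RegValue "$control\Remote Assistance" 'fAllowToGetHelp'

# File sharing: list shares other than the hidden administrative ones.
# Win32_Share.Type 0 = disk share, 1 = print queue.
$shares = @(Get-CimInstance Win32_Share -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -in 0, 1 })

# Screen saver (per-user): one is selected, active, locks on resume, has a timeout.
$saver   = Get-RegValue $desktop 'SCRNSAVE.EXE'
$active  = Get-RegValue $desktop 'ScreenSaveActive'
$secure  = Get-RegValue $desktop 'ScreenSaverIsSecure'
$timeout = Get-RegValue $desktop 'ScreenSaveTimeOut'   # seconds, stored as text
$locks   = $saver -and $active -eq '1' -and $secure -eq '1' -and [int]$timeout -gt 0

$report = @(
    [pscustomobject]@{ Setting = 'AutoRun disabled (all drives)'; Value = $autorun; Ok = ($autorun -eq 255) }
    [pscustomobject]@{ Setting = 'Remote Desktop disabled'; Value = $rdpDenied; Ok = ($rdpDenied -eq 1) }
    [pscustomobject]@{ Setting = 'Remote Assistance disabled'; Value = $assist; Ok = ($assist -eq 0) }
    [pscustomobject]@{ Setting = 'No file or printer shares'; Value = ($shares.Name -join ', '); Ok = ($shares.Count -eq 0) }
    [pscustomobject]@{ Setting = 'Screen saver locks the session'; Value = "timeout=$timeout"; Ok = [bool]$locks }
)
$report | Format-Table -AutoSize | Out-Host
$report | Where-Object { -not $_.Ok } | ForEach-Object { Write-Warning "Review: $($_.Setting)" }
```

A value that is missing from the registry is reported as not OK, so a warning means "check this setting in the dialogs described above", not necessarily that it is misconfigured.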
Taking the time to implement these steps will not prevent every attack, but remember, the goal is to make your system/network an unattractive target to a hacker. These steps will help deter all but a very determined attacker.