Securing your Windows computer.
Unfortunately, Windows computers still come with default settings that favor
usability and ignore security. The fact that Microsoft changed the default
setting on the Firewall that comes with Windows XP SP2 from "disabled" to
"automatic" doesn't really change a whole lot. There are still quite a few things
that are not configured correctly, and I'll try to go over some of them here.
1. Install operating system on an NTFS partition.
It is preferable to install the OS on an NTFS partition. This way, access to
files is restricted. If the OS is installed on a FAT or FAT32 partition, it is
still possible to convert it to NTFS later, but you won't get the default
restrictions on files and folders.
2. Changes to local security policy.
The first thing you should consider doing is importing one of the Local
Security Policy templates that come with your computer. These templates are
located in the %systemroot%\security\templates folder. On a new Windows XP
installation that would be C:\windows\security\templates.
To open the Local Policy Editor, click Start -> Run, then type gpedit.msc.
There are several templates in there, but we'll focus on the ones for
workstations. The templates are compatws, securews and hisecws. There's also a
"Setup security" template, which contains the default settings that the OS uses
out of the box.
For a more secure installation of Windows, you should choose either the securews
or the hisecws template. I recommend going with the securews template, as it has
all the necessary settings in it to make your computer more secure than the
default configuration. The difference between the securews and hisecws templates
is that the latter enables auditing of many more events, prevents caching of
logons (only applicable to domains), clears out the name of the last person
logged in and also clears out the pagefile. Using the hisecws template may also
break file and print sharing, especially if you are also running older versions
of Windows.
Here are a few of the changes that are made by using these templates:
- Password minimum length is set to 8.
- Passwords must meet complexity demands.
- Password must be changed every 42 days.
- Old passwords cannot be reused.
- 5 incorrect passwords lock out the account for 30 minutes (indefinitely
for "hisecws").
- Access to the Event logs is restricted, and the size of the Security log is
increased.
- Auditing is enabled for most types of events.
- Anonymous users can't see names of shares or list user names.
This may not sound like much, but there are more things that are changed which
are of less significance. The above settings are things you would otherwise have
to set manually, either in the Local Security Policy or in the registry, and
importing this template certainly makes that easier.
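As an added check (my own script, not part of the original article): after importing a template, export the effective policy with "secedit /export /cfg policy.inf" and run the export through this audit, which compares the settings against the list above. SAMPLE_POLICY is a constructed stand-in for that export, and the mapping of list items to template keys is my assumption.

```python
# Added example, not from the original article: after importing a template,
# export the effective policy with "secedit /export /cfg policy.inf" and
# compare it against the checklist above. That export is a UTF-16 INI-style
# file (open it with encoding="utf-16"); SAMPLE_POLICY is a constructed
# stand-in for it, left at weak values on purpose so the audit reports them.
import configparser

SAMPLE_POLICY = """
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
MaximumPasswordAge = 42
PasswordHistorySize = 24
LockoutBadCount = 5
LockoutDuration = 30
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,0
"""
RESTRICT_ANON = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous"

# (key, predicate on the integer value, what the list above asks for).
# LockoutDuration -1 means locked until an administrator unlocks it (hisecws).
CHECKS = [
    ("MinimumPasswordLength", lambda v: v >= 8, "minimum length 8"),
    ("PasswordComplexity", lambda v: v == 1, "complexity required"),
    ("MaximumPasswordAge", lambda v: 1 <= v <= 42, "changed every 42 days"),
    ("PasswordHistorySize", lambda v: v >= 1, "old passwords not reusable"),
    ("LockoutBadCount", lambda v: 1 <= v <= 5, "lock out after 5 bad tries"),
    ("LockoutDuration", lambda v: v == -1 or v >= 30, "30 min or indefinite"),
]

def audit(text):
    """Return (setting, current value, expected) for every failed check."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str              # keep the case of registry paths
    cp.read_string(text)
    failures = []
    for key, ok, expected in CHECKS:
        raw = cp.get("System Access", key, fallback=None)
        value = int(raw) if raw is not None else None
        if value is None or not ok(value):
            failures.append((key, value, expected))
    # Registry values are stored as "<type>,<data>" (4 = REG_DWORD); a
    # nonzero RestrictAnonymous blocks anonymous share and user enumeration.
    anon = cp.get("Registry Values", RESTRICT_ANON, fallback="")
    if anon.split(",")[-1] in ("", "0"):
        failures.append(("RestrictAnonymous", anon or None, "nonzero"))
    return failures
```

To check a real export, call audit(open("policy.inf", encoding="utf-16").read()); an empty list means every item on the checklist is in place.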
3. Disable unnecessary services.
The easiest way to disable services on your computer is through the services
control panel. Perhaps the quickest way of getting there is to right-click on
"My Computer" and select Manage from the menu, or click on Start, select
"Run" then type in gpedit.msc. Either way, you'll get access to the
services. Another option is to control this through Group Policies, but that
only applies to computers in a Domain. The following recommendations are for
stand-alone computers or computers in a small home or SOHO network. Now, here
are some of the services you should consider disabling:
- Server. This service allows other computers to access shared
files, folders and printers. If you don't intend to share any files or
printers with any other computer on your network, then you should disable
this service. Disabling this service will also shut down the Computer
Browser service.
- Computer Browser. This service just keeps track of computers on
the network and makes sure that the master browser on the network gets this
list. If you don't do any sharing of resources on your network (printers or
files), then this service can safely be disabled. If you have disabled the
Server service, this service will not start.
- Remote Registry. Allows remote access to your registry! This is a
no-no! Unless you have restricted access to this in the registry and have a
definite need to view/modify the registry on your computer from another
computer, you should turn this service off. Set its startup type to
"Disabled".
- Messenger Service. Not to be confused with either Windows
Messenger or MSN Messenger (which are Instant Messenger applications), this
service is responsible for popping up messages on the screen when certain
events take place, such as messages from the Alerter service. If you don't
have a firewall, this service must be disabled, as it is abused by spammers
to send spam directly to your desktop.
- Alerter. This service is used to notify certain users of
administrative alerts. Works with the Messenger service that we disabled
previously.
- Clipbook. Allows remote access to your clipbook. Turn it off
unless you have a specific need for it.
- Infrared Monitor. If your computer has an infrared device, this
service will be installed and running. If you are not using this infrared
device for anything, disable this service.
- IPSec Services / IPSec Policy Agent. The name depends on your OS.
Unless you are using the built-in IPSec services for VPN access or for
encrypting local network traffic, disable this service.
- Telnet. Disable this service unless you have a very specific
reason for needing telnet access to your computer.
- Routing and Remote Access. Disable this unless you have a
specific need.
- SSDP Discovery Service. This is the UPnP discovery service. If
you disable this, your computer will stop looking and listening for UPnP
devices that you may have on your network. If you don't have such devices or
you simply don't want to use the UPnP features, disable this service.
- Windows Firewall/Internet Connection sharing. If you don't have
Windows XP SP2, then it'll simply be Internet Connection Sharing. If your
computer is behind a firewall or a NAT router, or you have a third-party
firewall installed on your computer, then you can safely disable this
service.
- Wireless Zero Configuration. Unless you have a wireless network
card in your computer, you can disable this service.
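An added audit script (mine, not from the original article) for the list above: it reads the output of "sc qc <service>" for each service, reports which ones are still enabled, and lists enabled services that depend on one of them and will therefore stop starting once it is disabled (the Server / Computer Browser case described above). The display-name-to-service-name mapping is my own; SAMPLE is constructed sc qc output so the script runs offline.

```python
# Added example, not from the original article: audit the services listed
# above from "sc qc <service>" output (a standard Windows command). SAMPLE
# imitates that output so this runs offline; on a real machine use
# subprocess.run(["sc", "qc", name], capture_output=True, text=True).stdout.
# Display name used above -> service name that sc.exe expects (my mapping).
SERVICES = {
    "Server": "LanmanServer", "Computer Browser": "Browser",
    "Remote Registry": "RemoteRegistry", "Messenger": "Messenger",
    "Alerter": "Alerter", "ClipBook": "ClipSrv", "Infrared Monitor": "Irmon",
    "IPSEC Services": "PolicyAgent", "Telnet": "TlntSvr",
    "Routing and Remote Access": "RemoteAccess",
    "SSDP Discovery Service": "SSDPSRV", "Windows Firewall/ICS": "SharedAccess",
    "Wireless Zero Configuration": "WZCSVC",
}

SAMPLE = {  # constructed sc qc excerpts: Server and Browser on, Messenger off
    "LanmanServer": "        START_TYPE         : 2   AUTO_START\n"
                    "        DEPENDENCIES       : \n",
    "Browser": "        START_TYPE         : 2   AUTO_START\n"
               "        DEPENDENCIES       : LanmanWorkstation\n"
               "                           : LanmanServer\n",
    "Messenger": "        START_TYPE         : 4   DISABLED\n"
                 "        DEPENDENCIES       : \n",
}

def parse_qc(text):
    """Return (start type, dependencies); START_TYPE 2=auto 3=manual 4=disabled."""
    start, deps, in_deps = None, [], False
    for line in text.splitlines():
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "START_TYPE":
            start = int(value.split()[0])
        # DEPENDENCIES continues on following lines that have an empty key
        in_deps = key == "DEPENDENCIES" or (in_deps and not key)
        if in_deps and value:
            deps.append(value)
    return start, deps

def audit(outputs):
    """outputs: {service name: sc qc text} -> (listed services still enabled,
    enabled services depending on one of them, which stop starting with it)."""
    parsed = {n: parse_qc(t) for n, t in outputs.items()}
    targets = set(SERVICES.values())
    still_on = sorted(n for n, (s, _) in parsed.items() if n in targets and s != 4)
    knock_on = sorted(n for n, (s, d) in parsed.items() if s != 4 and targets & set(d))
    return still_on, knock_on

def fix_commands(still_on):
    """sc really does require the space after 'start='."""
    return [f"sc config {n} start= disabled" for n in still_on]
```

Run the printed sc config lines from an administrator command prompt, then "sc stop <name>" (or a reboot) to stop the service that is already running.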
4. Disable DCOM.
This is another service that is unnecessary for most users. It can safely be
disabled without any adverse effect for most users. Follow the instructions in
this MS KB Article to disable this service. If something doesn't work afterwards,
simply reverse the procedure. I strongly recommend using the dcomcnfg.exe tool.
5. Use anti-virus software. Always.
This is an absolute necessity today; get your hands on some good anti-virus
software. Not everything has to cost money either, there are a number of free
solutions available for home users.
6. Consider alternative web browsers.
Even if Internet Explorer looks pretty and comes with your Windows computer,
you really should consider using a different browser. Historically, there have
been so many problems with Internet Explorer that many people in security have
given up hope that it'll be fixed. So, it's time to go looking for an
alternative web browser. The three leading candidates at this moment are:
- Mozilla Firefox. A very good and
popular browser. May be incompatible with some sites that are specifically
designed to only work in IE. I love the RSS (Live Bookmarks) feature. On the
downside, it seems to have some problems with pages with heavy flash
content.
- Netscape. The good old Netscape
browser is still around, and still has a large fan base.
- Opera. A Norwegian product. This is
technically ad-ware, unless you pay for it. The free version will display
some ads in a reserved area at the top of the browser. Some might find that
annoying; personally, I never noticed it.
7. Be careful with that e-mail.
Just as many are taking issue with Internet Explorer, many have the
same concerns regarding Microsoft Outlook and Outlook Express. To put it very
simply, Outlook and Outlook Express may execute code that arrives via e-mail
(either contained in the message or just linked to). This may allow the
installation of software on your computer. Now, that's not good. There are two
ways to avoid this problem:
- Use an alternative e-mail client. There are so many e-mail programs out
there that will allow you to send and receive e-mail without the fear of
what Outlook or Outlook Express may or may not do to your computer.
- Learn to use Outlook or Outlook Express in such a way that it is less
likely to cause any problems to your computer.
First things first, here's a quick list of alternative mail clients.
- Mozilla Thunderbird.
From the makers of Firefox comes an e-mail client that is getting about as
much good press as the browser.
- Netscape. Good old Netscape comes
with an e-mail client.
- Opera. This browser also comes with a
built-in e-mail client.
- Eudora. This e-mail client has been
around since the beginning of time. A well-liked, well-supported e-mail
client with a number of features that'll keep your inbox spam-free.
Despite much of the hoopla over Outlook and Outlook Express, these
e-mail clients still have a lot to offer, but unfortunately, the default
settings leave a lot to be desired. Here are a few steps you can take to
re-claim your mailbox using Outlook and Outlook Express.
- Disable all preview features. This includes the AutoPreview and the Reading
Pane features. At the very least, these features should be disabled on your
inbox.
- Learn how to use the rules to sort your mail. Create rules to automatically
move mail to different folders. For instance, newsletters can be moved to
individual newsletter folders within another Newsletter folder. This way, you
can enable the Reading Pane and/or the AutoPreview feature for these folders.
- Consider using Plain Text to view all messages. In Outlook, go to the
Options dialog box, and click on E-Mail Options on the Preferences tab. There's
a checkbox for enabling reading all messages in plain text. This can improve
blocking viruses and malicious scripts.
- Set the spam-filter on "High". Even if there's an increased chance of false
positives, it's definitely worth it to get all the junk moved out of your Inbox
and into the Junk E-Mail folder.
- Consider blocking e-mail from certain countries and e-mail using certain
types of encoding. Even though the U.S. is the biggest source of spam, blocking
messages from some countries may improve your chances of blocking spam and
messages with malicious scripts. The same goes for e-mail using different
language encodings, for instance Asian or Cyrillic character sets. Unless you
have friends or family that are likely to send you e-mails using these character
sets, it's fairly likely that any e-mails with those types of encoding will be
spam. The same can be said about e-mail from countries such as Brazil, Hungary,
China, Korea and the Netherlands. Obviously, don't block countries in which you
have friends or family, as that would prevent them from e-mailing you.
- Compose e-mails using plain text format. HTML is pretty, but it may also
include things that people don't want. And, if they are converting it to plain
text on the receiving end anyways, why go through the trouble?
8. Consider getting a NAT router.
Last, but not least, getting a NAT router will certainly improve your
security regardless of your operating system. Simply put, the NAT router
prevents any traffic from the outside from reaching your computer. The exception
is any traffic that is considered to be a response to an action you have taken.
For instance, when you request a web page, the router will allow any traffic in
that is a direct response to this request, while still preventing any
unsolicited traffic from coming in from the outside.
A NAT router is not a perfect solution, and most of these cheaper routers
(also called Broadband routers) do not prevent any traffic getting out. Since
there is more and more spyware and other malware making outbound
connections, these routers don't offer much protection against these types of
"attacks". However, it is still a worth-while investment to make. Combining the
router with some common sense (some of which I hope you have learned from this
article), you should be fairly safe on the Internet, even with Windows and
Internet Explorer.
There are more powerful devices available as well. These are called Firewall
Appliances or hardware firewalls. These will block inbound and outgoing
connections as well as offer extended logging and other features, which means
these devices offer better protection for your computer and network than the
cheaper NAT routers. But, these are often more expensive than what a home user
is willing to spend. Yet, if you are interested, here are a couple of links.
- Watchguard SOHO 6.
Comes in a couple of variations, with and without wireless access point. The
price tag on the non-wireless model is around $275(US).
- Sonicwall TZ 150.
A good firewall from Sonicwall, a leading provider of firewalls for many years.
This model will set you back about $330(US).
- Zywall 10. Same class of device as the two above. Price tag is about
$280(US).
These are not all the products available, but just a short list of
products that are getting good ratings from the user community. For a
more comprehensive list of available and certified firewalls, take a
look at the ICSA Labs web pages.
© 1999 - 2005 Lars M. Hansen