Hi Jim,

On Sat, 17.01.2004 at 19:20, Jim Race wrote:

> Since the ping-pong game is far past 21 points...

:-)

> How safe would you consider:
>
> A WinXP box with all current patches

There is no such thing as a WinXP box with all current patches :-) Since installing all patches that Microsoft makes available still doesn't mean every critical bug is fixed, you should find out as much as possible about the unfixed bugs. For example, there is still a URL spoofing bug in the Internet Explorer 6 which hasn't been fixed for more than 2 months. I am pretty sure there are lots more. The dilemma is that MS doesn't seem to think full-disclosure is the way to go... Knowing about the unfixed bugs is as important as installing all the patches that are available. Consider using alternative software in the meantime, thus replace IE6 with Mozilla and so on.

> A properly configured HW firewall

This is pretty good. I don't like hardware firewalls since those are less flexible than, say, a barebone Unix/Linux firewall, but this is probably the most effective end user protection in front of Windows XP boxes. Be careful though. Inside a hardware router some kind of software is running (most often based on Linux :-)) and it can contain bugs too. From time to time there are firmware updates available from your firewall vendor. Inform yourself about this by checking the vendor's website.

> ICF enabled, web services ONLY enabled and all ICMP requests disabled

You have to find out if there are any known vulnerabilities in the services you use and, if yes, how to fix them. It's a pity pivX took their list offline. Instead they are promoting personal firewalls now in association with MS...

> Apache (latest) installed with no add'l modules (static pages only)

Be sure to keep it patched. Static pages are good (no possibility of injecting parameters). Check whether the cgi-bin directory is accessible from the outside! (shouldn't be by default)

> NOT running Outlook or OE

Very good ;-) This is probably the most important measure :-)

> Mozilla with Java and JS disabled in email

If you want to protect your privacy, then disable HTML displaying in your mail client and forbid the loading of external content from within a displayed mail.

> An "admin" who knows not to run attachments

:-)

> No add'l (hated) SW firewalls

A personal firewall is not bad. It's an addition. But it's not the cure. If you are sure the intended users of the machine know what to do with all the interactions that are required to run a personal firewall, then install one. It will be hard to configure your hardware router so that it stops specific processes from connecting _to_ the Internet (in contrast to _from_). A personal firewall can be of much use here, provided the users know how to use it.

> No AV stuff running, except when scanning known executables

Some AV software should be running at all times. There are usable products available for free, personal use only of course. Have a look at antivir.de. Be sure to get rid of adware too. Use Adaware or Spybot regularly.

> I am of course, asking for a "friend".

Probably the most important thing when running Windows XP: none of the users should work as administrator or any other account with those rights. Windows XP Home creates only users with administrative rights by default. Be sure to tweak this behaviour. Users should always work with minimal rights, just as much as they need to perform their tasks. It's not that you don't trust the users, but any malware initiated inside their user session will run with their rights!

And last but certainly not least: make regular backups.

Additional measures: Have some sort of bootable live CD available. There are a lot of Linux based live CDs available on the Internet which contain f-prot and lots of recovery and diagnostic tools. It's very handy to have one of those lying around.

cheers,
Tobias

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html