Give the Gift of Security
http://blogs.washingtonpost.com/securityfix/2005/12/give_the_gift_o.html
This holiday season, many readers will no doubt be giving or receiving
Windows desktop and laptop computers -- machines that, despite Microsoft's
best efforts, will still take a significant amount of tweaking to ensure
they are sufficiently secure against hackers, viruses and worms.
If you are giving a PC as a gift this year, consider pulling it out of the
box and handling the tweaking process yourself on behalf of the recipient.
That way, you can be sure that your loved ones won't put off these important
precautions until it's too late.
There are several steps users should take before doing anything else with a
new Windows PC:
* Set up and use a non-administrator account: When you (or your children)
browse the Web using one of these, spyware and other unwanted programs have
a much harder time getting their hooks into your system because the account
does not have privileges to install programs.
The importance of using a non-admin account for everyday functions like Web
browsing cannot be overstated from a security perspective. Also, you should
take this step before you do anything else, because it's a lot more work
once you've installed a bunch of software and saved tons of files.
When you first fire up an XP computer, it will prompt you to create accounts
for each person who will use the computer. The problem is that each account
will automatically be given administrator status and will not be protected
by a password.
Go ahead and create an account with whatever name you want. Then, when
you're at the Windows desktop, click on "Start," "Settings," then "Control
Panel" (or just "Start" then "Control Panel") and then "User Accounts."
Next, change the newly created account to a limited-user account. Click on
the account name and select "Change the account type" from the options page
that comes up, then select "Limited" from the next page and click on the tab
that says "Change Account Type." That will return you to the account options
page. From there, click on the "Create a Password" option.
You will be prompted to enter a password twice, and you'll have the option
of entering a hint in case you forget your password. That page has tips on
creating strong passwords, and Security Fix also has its own advice in a
password primer. You should do this for every account you manually create at
the startup screen.
When you're done, click the "back" button on the left side to return to the
main User Accounts page. You should see three accounts there now:
Administrator, Guest, and whatever name you assigned to the account you
created.
On Windows XP Home, the Guest account will be disabled, but this doesn't
quite lock it down. We want to assign a password to it. To do this, click on
"Start," select "Run," then in the window that pops up type "cmd" to make a
command prompt window pop up. At the prompt, type "net user guest
(password)" replacing (password) with the password you want to assign to it
(and again, don't include the quotes or parentheses).
If you do want to install a program while running the PC under a limited
user account, right-click on the installation file and select "Run As," then
select the account with administrator rights ("Administrator" by default,
but if you're really paranoid like me you might consider renaming that to
something less obvious), and enter the password for that account.
(Helpful hint: When installing new programs this way, if you change the
default installation location (usually C:\Program Files) to your "Shared
Documents" folder, you should have few problems using any program you
install from any account you wish.)
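The account steps above can also be carried out from the same command prompt used for the Guest password. The batch file below is an added example, not part of the original article; the file name and the account name passed to it are assumptions, and it has to be run from an account with administrator rights.

```batch
@echo off
rem Added example, not from the original article.
rem Usage (administrator command prompt): limit-account.bat AccountName
rem AccountName is the account created at first start-up; the script
rem name limit-account.bat is hypothetical.

if "%~1"=="" (
    echo Usage: %~nx0 AccountName
    exit /b 1
)
set "ACCT=%~1"

rem Stop if the account does not exist, so a typo cannot go unnoticed.
net user "%ACCT%" >nul 2>&1
if errorlevel 1 (
    echo Account "%ACCT%" was not found.
    exit /b 1
)

rem A limited account is a member of Users and not of Administrators.
rem Adding to Users fails harmlessly if the account is already a member.
net localgroup Users "%ACCT%" /add >nul 2>&1
net localgroup Administrators "%ACCT%" /delete
if errorlevel 1 echo Could not remove "%ACCT%" from Administrators; it may not have been a member.

rem "*" makes net user prompt for the password instead of taking it on
rem the command line, so it is not shown on screen.
echo Set a password for %ACCT%:
net user "%ACCT%" *
echo Set a password for Guest:
net user guest *

rem List who still has administrator rights so the result can be checked.
net localgroup Administrators
```

The final listing should no longer show the everyday account among the members.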
* Use a Firewall: All recently purchased new PCs should already have
Microsoft's Service Pack 2 installed, which means the built-in Windows
firewall will be activated automatically. This firewall, however, mainly
blocks just inbound traffic, and does little to stop programs -- good or bad
-- from "phoning home" or otherwise sending data out of your machine.
Consider downloading and installing a third-party firewall product. A number
of these do a great job of helping you determine which programs should have
access to your Internet connection, and there are still quite a few free
firewall options, including Kerio
(http://www.kerio.com/us/kpf_download.html), Outpost Firewall Free, 8Signs,
Tiny Personal Firewall, Jetico and Zone Alarm Free.
Wireless routers also can add a solid layer of protection, as most include a
built-in firewall that should stop all unwanted incoming traffic from even
seeing your PC on the Net. If you intend to use a laptop around the house
with your Wi-Fi connection, be sure to follow the vendor's instructions for
setting up encryption and securing the router with a strong password (do not
make the password the same as your user name!).
Microsoft has a pretty good tutorial for wireless-router encryption setup,
including instructions broken down by each of the major wireless hardware
makers.
* Download and install all available Windows security patches: Again, most
Windows XP machines sold today should have Service Pack 2 installed. This
means that when you start it up for the first time, the machine should ask
whether you want to enable automatic updates from Microsoft.
The default setting is for Windows to download updates when they become
available, then prompt you to install them (and reboot) at your leisure.
Whether you choose to accept the default setting or let Microsoft fully
automate the process for you is a personal decision, but if you're setting
this PC up for a relative who is not too security-savvy, it might be best to
select "automatic."
Due to the lag time between the date the PC rolls off the production line
and the time it is sold in the store, most new Windows PCs will lack at
least a handful of essential security updates, and could be missing dozens
of critical patches.
I strongly recommend that users visit the Microsoft Update Web site and
download and install all available "critical" security patches, rather than
waiting for Windows Update to get around to the process. This can take up to
several hours, which is plenty of time for attackers to find and seize
control of a vulnerable computer.
* Use and update antivirus software: If the PC comes with a free 60- to
90-day trial of antivirus software -- as most do these days -- make sure the
software is equipped with the latest virus definition updates.
You might also consider simply removing the software and installing a free
antivirus program. I say this because I have seen far too many users
continually ignore the renewal prompts when their trial subscription
expires, leaving their machine increasingly vulnerable.
Also consider downloading and using anti-spyware software. Microsoft's
Anti-Spyware beta is still free, and should work just fine for the majority
of users. Other good (and free) options include AdAware Personal and Spyware
Blaster.
Finally, if you need help setting up your antivirus, anti-spyware or
firewall programs, check out our video guides to securing your PC.
Failure to follow these basic security precautions could allow your PC to
fall victim to viruses, worms or spyware -- or worse yet, to be ensnared by
"bot" programs that allow attackers to control your machine remotely.
According to antivirus vendor Symantec Corp., the number of bot networks
increased more than sixfold in the New Year compared with December 2004, a
spike it said could be attributed to new, unprotected PCs appearing online
in the New Year.