Network News

X My Profile
View More Activity

Give the Gift of Security

This holiday season, many readers will no doubt be giving or receiving Windows desktop and laptop computers -- machines that, despite Microsoft's best efforts, will still take a significant amount of tweaking to ensure they are sufficiently secure against hackers, viruses and worms.

If you are giving a PC as a gift this year, consider pulling it out of the box and handling the tweaking process yourself on behalf of the recipient. That way, you can be sure that your loved ones won't put off these important precautions until it's too late.

There are several steps users should take before doing anything else with a new Windows PC:

* Set up and use a non-administrator account:
When you (or your children) browse the Web using one of these, spyware and other unwanted programs have a much harder time getting their hooks into your system because the account does not have privileges to install programs.

The importance of using a non-admin account for everyday functions like Web browsing cannot be overstated from a security perspective. Also, you should take this step before you do anything else, because it's a lot more work once you've installed a bunch of software and saved tons of files.

When you first fire up an XP computer, it will prompt you to create accounts for each person who will use the computer. The problem is that each account will automatically be given administrator status and will not be protected by a password.

Go ahead and create an account with whatever name you want. Then, when you're at the Windows desktop, click on "Start," "Settings," then "Control Panel" (or just "Start" then "Control Panel") and then "User Accounts."

Next, change the newly created account to a limited-user account. Click on the account name and select "Change the account type" from the options page that comes up, then select "Limited" from the next page and click on the tab that says "Change Account Type." That will return you to the account options page. From there, click on the "Create a Password" option.

You will be prompted to enter a password twice, and you'll have the option of entering a hint in case you forget your password. That page has tips on creating strong passwords, and Security Fix also has its own advice in a password primer. You should do this for every account you manually create at the startup screen.

When you're done, click the "back" button on the left side to return to the main User Accounts page. You should see three accounts there now: Administrator, Guest, and whatever name you assigned to the account you created.

On Windows XP Home, the Guest account will be disabled, but this doesn't quite lock it down. We want to assign a password to it. To do this, click on "Start," select "Run," then in the window that pops up type "cmd" to make a command prompt window pop up. At the prompt, type "net user guest (password)" replacing (password) with the password you want to assign to it (and again, don't include the quotes or braces).

If you do want to install a program while running the PC under a limited user account, right-click on the installation file and select "Run As," then select the account with administrator rights ("Administrator" by default, but if you're really paranoid like me you might consider renaming that to something less obvious), and enter the password for that account.

(Helpful hint: When installing new programs this way, if you change the default installation location (usually C:\Program Files) to your "Shared Documents" folder, you should have few problems using any program you install from any account you wish.)

* Use a Firewall: All recently purchased new PCs should already have Microsoft's Service Pack 2 installed, which means the built-in Windows firewall will be activated automatically. This firewall, however, mainly blocks just inbound traffic, and does little to stop programs -- good or bad -- from "phoning home" or otherwise sending data out of your machine.

Consider downloading and installing a third-party firewall product. A number of these do a great job of helping you determine which programs should have access to your Internet connection, and there are still quite a few free firewall options, including Kerio (http://www.kerio.com/us/kpf_download.html), Outpost Firewall Free, 8Signs, Tiny Personal Firewall, Jetico and Zone Alarm Free.

Wireless routers also can add a solid layer of protection, as most include a built-in firewall that should stop all unwanted incoming traffic from even seeing your PC on the Net. If you intend to use a laptop around the house with your Wi-Fi connection, be sure to follow the vendor's instructions for setting up encryption and securing the router with a strong password (do not make the password the same as your user name!).

Microsoft has a pretty good tutorial for wireless-router encryption setup, including instructions broken down by each of the major wireless hardware makers.

* Download and install all available Windows security patches:
Again, most Windows XP machines sold today should have Service Pack 2 installed. This means that when you start it up for the first time, the machine should ask whether you want to enable automatic updates from Microsoft.

The default setting is for Windows to download updates when they become available, then prompt you to install them (and reboot) at your leisure. Whether you choose to accept the default setting or let Microsoft fully automate the process for you is a personal decision, but if you're setting this PC up for a relative who is not too security-savvy, it might be best to select "automatic."

Due to the lag time between the date the PC rolls off the production line and the time it is sold in the store, most new Windows PCs will lack at least a handful of essential security updates, and could be missing dozens of critical patches.

I strongly recommend that users visit the Microsoft Update Web site and download and install all available "critical" security patches, rather than waiting for Windows Update to get around to the process. This can take up to several hours, which is plenty of time for attackers to find and seize control of a vulnerable computer.

* Use and update antivirus software: If the PC comes with a free 60- to 90-day trial of antivirus software -- as most do these days -- make sure the software is equipped with the latest virus definition updates.

You might also consider simply removing the software and installing a free antivirus program. I say this because I have seen far too many users continually ignore the renewal prompts when their trial subscription expires, leaving their machine increasingly vulnerable.

Also consider downloading and using anti-spyware software. Microsoft's Anti-Spyware beta is still free, and should work just fine for the majority of users. Other good (and free) options include AdAware Personal and Spyware Blaster.

Finally, if you need help setting up your antivirus, anti-spyware or firewall programs, check out our video guides to securing your PC.

Failure to follow these basic security precautions could allow your PC to fall victim to viruses, worms or spyware -- or worse yet, to be ensnared by "bot" programs that allow attackers to control your machine remotely.

According to antivirus vendor Symantec Corp., the number of bot networks increased more than sixfold in the New Year compared with December 2004, a spike it said could be attributed to new, unprotected PCs appearing online in the New Year.

By Brian Krebs  |  December 22, 2005; 2:40 PM ET
Categories:  Safety Tips  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Instant Message Worms Get Mean
Next: Exploit Released for Unpatched Windows Flaw

Comments

Brian a basic question. If you suggested that they buy a Mac do you "think" any of the above would have been necessary?
Sheeeeeeesh.

Posted by: D. Titus | December 23, 2005 6:25 PM | Report abuse

Hi,

You mentioned: "At the prompt, type "net user (password)" replacing (password) with the password you want to assign to it."

CORRECTION: Once you have entered into the command prompt, you will need to type in:

net user guest [newpassword]

replace [newpassword] with some password that makes sense to you and keep the brackets off of any password.

This is the correct way to assign the guest account a password.

AG, Michigan

Posted by: arinews | December 24, 2005 10:35 AM | Report abuse

AG,

Doh! Looks like I omitted a word there. Good catch, thank you. I've fixed in copy above.

Posted by: Bk | December 24, 2005 12:06 PM | Report abuse

Brian, a minor error on your reference to an anti-spyware product. The correct software name for the product from lavasoft.de is "AdAware".

Posted by: ScottR | December 25, 2005 5:43 PM | Report abuse

It's a good solid list; but IMCO some other steps ought to be taken first.

1) Close all open network ports -- especially if this computer is going to stand alone, with no network connection except to the Internet.
http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html
Doing this puts paid to any network-borne worms which propagate on listening ports.

2) "Harden" Internet Explorer by raising its zone-security settings.
- Internet zone = High (and then, go in and manually select 'Disable' for all settings which have that option);
- Restricted Sites zone = High (and then, go in and manually select 'Disable' for all settings which have that option *except* active scripting: set that to 'Enable');
- Trusted Sites zone = Medium (and optionally, since this is a brand-new computer, have no sites in this zone's list except Windows Update);
- Local Intranet zone = High (then go in and manually select 'Disable' for all settings which have that option, especially if this computer is going to stand alone, with no network connection except to the Internet; this zone can always be reset to its default if you find you need to).
(The My Computer zone under XP SP2 you shouldn't have to touch. It's usually not shown, and it's set by default to the equivalent of High anyway.)
http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx
http://support.microsoft.com/kb/174360
https://netfiles.uiuc.edu/ehowes/www/btw/ie/ie-opts.htm
http://www.nwnetworks.com/iesc.html
http://www.pcmag.com/article2/0,1759,1625127,00.asp
http://www.pcworld.com/howto/article/0,aid,122500,00.asp [#5]

3) Block the opening of e-mail file attachments directly from the attachments folder.
http://www.horizondatasys.com/product_page.html?page_id=4
http://www.horizondatasys.com/downloads/exevaccine304_freeware.exe
http://www.beyondlogic.org/solutions/trust-no-exe/trust-no-exe.htm

4) Disable a few key settings for Windows Media Player.
http://www.theorica.net/safexp.htm

*Then* do all the other stuff on that list.

Posted by: Mark Odell | December 25, 2005 8:38 PM | Report abuse

Save yourself and friends from aggravation and buy a Mac. All the setup instructions above are gobbledigoop for a new computer user.

Posted by: Benton | December 26, 2005 12:44 AM | Report abuse

Please go ahead and buy a Mac and don't take these basic precautions. Once it's in place, I own all your information. Don't believe the Mac hype - it is only that. In the ways addressed by this article, Macs are vulnerable.

Posted by: DZ | December 28, 2005 12:28 PM | Report abuse

Please go ahead and buy a Mac and don't take these basic precautions. Once it's in place, I own all your information. Don't believe the Mac hype - it is only that. In the ways addressed by this article, Macs are vulnerable.

Posted by: DZ | December 28, 2005 12:30 PM | Report abuse

"Don't believe the Mac hype - it is only that."

You don't know what you're talking about. You're simply clueless and/or employed by Microsoft (which probably comes to much the same thing.)

Anyone with any sense nowadays runs Mac OS X - or Linux or Free BSD if he's knowledgeable enough.

Running an abortion like Windows and then running round after it trying to plug the holes afterwards is simply an unintelligent strategy.

Even Microsoft knows Windows is broken, as it admitted to the Wall Street Journal:

http://www.ein.com.au/index2.php?option=com_content&do_pdf=1&id=62

Run some form of Unix - i.e. Mac OS X, Linux, or one of the BSDs. These are BETTER BY DESIGN.

http://aplawrence.com/Words2005/2005_06_15.html

Posted by: Mike | December 30, 2005 5:42 AM | Report abuse

Fine, but have you tried to get either a software firewall or anti-virus product that is fully compatible with Windows XP (NTFS file protection; limited user accouns; fast user switching; stand-by). Most are not and if you want to be protected you need to use a product that will support the protection stratergy such as F-Secure Internet Security/Anti-Virus. If you don't you are going to create a lot of work and frustration.

Posted by: Steve H | January 11, 2006 12:51 PM | Report abuse

I cannot get networking between on a brand new laptop&desk top computer running Windows XP Home SP2.

when i ("Configuring system") and then give the following error message: "You don`t have a permession to use this network contact the administrator of the server to use this network resource "
The problem is my account is an administrator account. I've tried creating a new account also of the type administrator, but get the same error message. I've also tried starting in safe mode as well as logging in under the administrator account actually called "Administrator" (the one created by Windows XP upon installation).

Nothing works. I always get the above error message. I don't understand why I can't when I do have an administrator account.
if knew any solution for this problem mail me @ mechguysrini@yahoo.com

Posted by: srini | July 30, 2006 3:16 AM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company