
INTRODUCTION: My Windows Fixes
If you've used Microsoft Windows (any version) you know it has problems. If you haven't encountered any problems yet, rest assured you WILL - especially if you do nothing to prevent them. On this page I'm going to share with you some of my personal favourite "fixes" for Windows, because I swear I've had just about every problem in the book show up with my various machines. The fixes here, though, aren't geared toward the geek elite - I doubt I could tell them anything they don't already know anyway. No, the stuff here is geared toward the many people I know who use Windows machines but don't really understand (nor WANT to understand) the inner workings and finer points. So, the stuff here will be limited to things YOU can do that don't require a lot of technical know-how.
SECTION 1: WINDOWS SECURITY
If you're connected to the Internet (and I can safely assume that if you're reading this you are), the worst thing you can do is put a computer on the Internet and not protect it. A "clean" new system with no protections and no patches can be found and infected by a network worm within minutes of being connected - before you've even finished downloading the updates that would have fixed the hole. Yikes! So what can you, a mere mortal, do? Plenty! If you aren't running an Anti-Virus program AND a Firewall you may as well leave your car unlocked with your credit cards lying on the seat. What follows are some simple tips on how to keep the bad guys out of your computer. You should also have a good spyware sweeper on your system. I know this page is LOOOONG, but if you really don't know much about protecting your computer or WHY you need to protect it, I'd urge you to read the whole thing.
Just Say No!
It should go without saying these days, but some people STILL just don't get it. If you receive an e-mail from an address you don't recognize, just delete the @#$ thing without opening or reading it - ESPECIALLY if it has a file attached. But here's where most people screw up: they get a weird e-mail from a friend's or relative's address and open it. STOP DOING THAT!! If the subject line looks like nonsense, delete it without opening it, even if you recognize the address. If you get an e-mail from an address you recognize with a file attached - and you weren't expecting any files - delete it without opening it. Odds are the message is malicious. Either a virus or spyware has compromised your friend's computer and is sending mail from it (to everyone in their address book), or (more likely) a spammer is "spoofing" the sender's address, i.e. putting someone else's address in the "From:" line so the message looks like it came from them. Plain e-mail does nothing to verify the "From:" line; it can say whatever the sender types. The majority of these messages aren't malicious, just annoying spam. But some of them carry viruses or spyware, or trigger some Windows exploit that gives the bad guys access to your system. Be safe and just stop opening any message that looks suspicious.
Break the Chain (or Feel the Pain)
We've all received them, usually from people we know - friends, relatives, co-workers. Those messages that say you should "forward" them to pretty much everyone you know. Some of them are innocent - some sappy, inspirational poem by "Anonymous" or a funny list of jokes about some topic. Others contain some dire WARNING about a new virus threat, or claim that some law is about to be changed and the government is going to impose a new e-mail tax or something. Billions of e-mails a day move through the Internet. When you send "junk mail" like funny lists or inspirational poems to everyone you know, and urge THEM to forward it to everyone THEY know, you're creating unnecessary traffic that slows EVERYTHING ELSE down. You're also spreading everyone's address around: each forward carries the previous recipients in its "To:" and "CC:" lines, and spammers harvest exactly those lists. PLEASE STOP SENDING THESE MESSAGES TO PEOPLE!
Ha! Ha! You Fell For It!
I've been on the Internet for a while now, and I'm amazed at how persistent some hoaxes are. It seems that if you put something out on the Internet it stays in circulation FOREVER, and as new users continue to log on they fall for these hoaxes and the cycle continues. Before you go forwarding that "warning" message about a new virus threat, that e-mail about how Microsoft will pay you for forwarding a message (trust me, you pay Microsoft, not the other way around), or a call to action to fight an e-mail tax being proposed in Congress (by a non-existent Senator, no less) - do your homework and determine if it's a hoax before you run around like Chicken Little crying "The sky is falling!" Go here:
Rules to Mail By
One feature built into stand-alone e-mail clients (like Outlook) is the ability to create "rules" for how the program should process incoming messages. With these you can create your own custom spam filters and blockers. For example, you can route messages to a Spam folder instead of your Inbox, or better yet tell your e-mail program not to even download the message from your mail server in the first place, and then to delete it off the server so you never have to see it (though, depending on the criteria for the rule you create, there's always the possibility it will screen out and delete a legitimate message as well). There are some good tutorials online that tell you how to create mail rules for whatever program you are using - go to Google and search for "mail rules" and the name of your mail program, you're bound to turn up something. The more restrictive your mail rules are, the more effective they will be at blocking spam from your inbox. A couple of my favourite mail rules are below (look at the instructions for your mail program to see how, exactly, you create these kinds of rules for your specific program). Note that the ORDER matters - the program tries them top to bottom, and "stop processing" means the first rule that fits decides where the message goes:
1. If the message is FROM someone on my "trusted" list (addresses added to the list from my Address Book), route it to my Inbox and stop processing any other rules for the message.
2. If the message was sent TO one of my e-mail addresses (in other words, my address appears in the "To:" line or the "CC:" line), route it to my Inbox and stop processing any other rules for this message.
3. If my address is NOT in the "To:" or "CC:" lines, route the message to my "Spam" folder. This is a "catch-all" rule - if condition #1 isn't met it moves to condition #2, and if that isn't met it applies THIS rule and routes the message into the Spam folder (or, as I quickly discovered, I got sick of having to review my Spam folder to see if anything legitimate had fallen into it - I eventually changed the rule to just route those messages directly into the TRASH folder).
Just those three mail rules will keep tons of junk mail from getting into your Inbox. Two things to watch for, though. First, rule #1 trusts the "From:" line, and as noted above that line is trivially forged - a message that fakes a friend's address sails past all three rules, which is exactly why you still don't open unexpected attachments. Second, anything sent to you as a blind copy (Bcc) or through a mailing list doesn't have your address in "To:" or "CC:" and will land in Spam (or the trash, if you route it there), so add a rule ahead of #3 that files mail addressed TO your mailing lists into a folder of their own. I also created additional rules that filter for specific words often found in spam and told my mail program to not only NOT download them, but to delete them off the mail server automatically. The word-filter rules aren't as effective as you might think because spammers are wise to them - they purposely mis-spell words just so such filters won't work.
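To make the ordering concrete, here is a small rule engine in Python that applies the three rules above to a few constructed sample messages. It is an added example, not something from the original page or from Outlook; the addresses in MY_ADDRESSES and TRUSTED_SENDERS are made-up placeholders, and the sample messages are constructed, not real mail. The last sample shows the spoofing weakness (a forged "From:" on the trusted list is routed straight to the Inbox, attachment and all), and the mailing-list sample shows legitimate mail that the catch-all rule misfiles.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed values for this example (not from the original page): the addresses
# the rules treat as "mine" and the address-book entries on the trusted list.
MY_ADDRESSES = {"me@example.com", "me-alias@example.com"}
TRUSTED_SENDERS = {"mom@example.net", "boss@example.org"}


def classify(raw_message):
    """Apply the three rules in order. The first rule that matches decides the
    folder, which is what "stop processing any other rules" means in Outlook."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # Only the visible recipient headers count; a Bcc never appears here.
    visible = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(visible) if addr}

    if sender in TRUSTED_SENDERS:                          # rule 1: trusted list
        return "Inbox", "sender is on the trusted list"
    if recipients & MY_ADDRESSES:                          # rule 2: addressed to me
        return "Inbox", "one of my addresses is in To: or CC:"
    return "Spam", "none of my addresses in To: or CC:"    # rule 3: catch-all


# Constructed sample messages, not real mail.
SAMPLES = {
    "from_mom": (
        "From: Mom <mom@example.net>\r\nTo: me@example.com\r\n"
        "Subject: dinner on Sunday?\r\n\r\nCall me.\r\n"),
    "unknown_sender_but_to_me": (
        "From: orders@shop.example\r\nTo: Me <me-alias@example.com>\r\n"
        "Subject: your receipt\r\n\r\nThanks for your order.\r\n"),
    "bcc_spam": (
        "From: deals@example.biz\r\nTo: undisclosed-recipients:;\r\n"
        "Subject: CHEAP M0RTGAGE !!!\r\n\r\nClick here.\r\n"),
    "mailing_list": (
        "From: alice@example.org\r\nTo: gardening-list@example.org\r\n"
        "Subject: [gardening] tomatoes\r\n\r\nMine are late this year.\r\n"),
    "spoofed_mom": (
        "From: Mom <mom@example.net>\r\nTo: me@example.com\r\n"
        "Subject: Re: Re: Fwd: see attached\r\n\r\nOpen the attachment!\r\n"),
}


def route_all(samples=SAMPLES):
    """Return {name: folder} so the routing decisions can be inspected or tested."""
    return {name: classify(raw)[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        folder, why = classify(raw)
        print(f"{name:26} -> {folder:5} ({why})")
```

Running it shows "spoofed_mom" landing in the Inbox for the same reason "from_mom" does: the rule can only see what the header says, not who really sent it. The "mailing_list" sample goes to Spam because the list address, not yours, is in "To:".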
Great Guide to Creating Rules in Outlook (all versions)
Don't Use Outlook
Yeah, I know I just told you how to configure Outlook, but ideally you should consider not using it in the first place. A lot of the malicious attacks involving e-mail have been thanks to "security holes" in Microsoft Outlook (and in Outlook Express, the free mail program bundled with Windows) - in particular their habit of rendering HTML mail and running script or attachments that should never have been run. Makes me wonder if it shouldn't be called "Look Out" instead. A really good way to avoid having your e-mail program compromised is to not use the one that is the biggest target. If you absolutely NEED a separate e-mail client, consider Mozilla Thunderbird or Eudora. Another good option is a Web Mail service that runs through your web browser (Hotmail (now MSN mail), Yahoo Mail, etc.) or, if your Internet Service Provider (ISP) offers Web Mail (as most do), take advantage of it - you're already PAYING FOR IT. The free services are usually sufficient for the average user, and they provide automatic, free virus scanning and spam blocking - better that stuff gets blocked and filtered out on their servers before it ever GETS to your system, right? Whatever client you pick, keep it patched: the holes get fixed, but only if you install the updates.
ALTERNATIVE WEB BROWSERS (they're all free)
A lot of the problems people get on their computers come in right through their web browser, because they are using Internet Explorer or some older, outdated browser. Browsers are FREE so there's no reason not to get a newer, better one. Here are some options that have more features than Internet Explorer plus added security features. Whichever you pick, keep it updated - an unpatched Firefox is no safer than an unpatched Internet Explorer, and most browser attacks go after holes that were fixed months earlier.
Mozilla Firefox - One of the best and most popular browsers available. Has many nice built-in features, including privacy protections and a pop-up blocker. It's a 5 Megabyte download. There are also a number of browsers based on Firefox (or on its Gecko rendering engine), including:
- Flock - Described as a "social web browser" it integrates many of the community sites like MySpace, Facebook, YouTube, Flickr, etc. You can expand Firefox with add-ons to accomplish the same thing, this version just has all that stuff already installed for you.
- SeaMonkey - is described as an "all in one application suite" and is the replacement for what used to be Mozilla's suite and is similar to what was Netscape Communicator. It integrates a browser, e-mail client, IRC chat, Newsgroup reader, and HTML editor.
- Camino - a browser built on Mozilla's Gecko engine (the same engine Firefox uses) and designed for Mac OS X users. There is no Windows version.
- IceWeasel - A Debian distribution of Firefox (also for other *Nix operating systems) that is supposed to be unencumbered by any patent or trademark issues. There is no Windows version.
- IceCat - a GNUzilla project for GNU and other *Nix operating systems to provide a completely free version of Firefox that is unencumbered by any patent or trademark issues. There is no Windows version.
Netscape - UPDATE: AOL officially ended support and further development of the Netscape browser and Communicator suite on February 1, 2008. This means it will no longer be updated against future online threats and you should STOP USING IT. Netscape recommends switching to Firefox (on which Netscape's browser was based). If you were using Netscape Communicator (browser, mail, composer, etc.) consider using SeaMonkey instead.
Opera - this browser has always bragged about its ability to render web pages really, really fast. It also has so many user-customizable features it will make your head spin. Older versions were ad-supported - unless you paid for it you had to put up with an ever-present banner ad - but since version 8.5 (2005) it has been free with no ads. Downside is that not many people design web pages for Opera, but it can "pretend" to be either Mozilla or Internet Explorer (by changing the browser identification it sends to web sites), which often gets stubborn sites to work with it. It's only a 3.7 Megabyte download too.
Safari - Apple's browser that is bundled with OSX is now also available for Windows users. It renders pages VERY fast and is "standards compliant." Also has a nice "font smoothing" feature that makes web pages look a bit nicer - especially on a LCD screen. It is a 39 MB download, however, so if you're still on dial-up it will be a bit of a wait.
If you are running your computer without a current anti-virus program on it you're just asking for trouble. You might think, especially if you use a Web Mail service, that you're pretty safe. Untrue! Viruses don't just sneak onto your computer through e-mails. They can come attached to the end of programs you've downloaded, disks (floppies, CDs, or DVDs) others have shared with you, or even just by viewing an infected web page in your browser. You absolutely MUST have a current, effective anti-virus program on your computer.
A lot of people use Industry Standards for this like Norton or McAfee, mostly because that was what was installed on it when you bought it. But commercial anti-virus programs are SUBSCRIPTION services - you have to PAY to keep them up-to-date. And if your anti-virus program isn't up-to-date you may as well not even have one.
But what if you don't have a lot of money? How do you protect your computer against viruses then? Luckily, for home users, there are still some FREE options available, here are my picks:
Avast! Home Edition - All they ask is that you give them your e-mail address and you'll get a license key to run the program for FREE (if you're a home user who only uses your computer for personal, non-commercial purposes - in other words, it's NOT free if you run a home business with your computer). It has some really nice features - like the ability to run a scan at boot-up (before Windows loads) to ferret out "root-kit" and "boot sector" infections. It also acts as a "proxy server" for your web applications (like your browser), so all traffic into your web browser is scanned in real-time - a wonderful way to catch viruses from infected web pages before they do any damage. If you are using Outlook, this also will scan incoming e-mails for infection. I highly recommend this program.
Anti-Vir Personal Edition Classic 7 (from Avira) - Another great FREE anti-virus program. It doesn't intercept e-mails like Avast! does, but as soon as an infected file is written to your local drive it is scanned and caught. I currently have a "commercial" anti-virus program running on my computer, which is going to switch from "free virus updates" to a "subscription update service" in the near future - at which point I plan to dump it and go with Anti-Vir (since I use my computer for business purposes). Note that there are different versions available depending on what operating system you use; make sure to download the correct one.
COMODO AntiVirus - This is a new-comer to the free antivirus business, but the company making it has been in the network security business for many years. It integrates nicely with their other free software to form a "security suite" that doesn't cost you a thing. It can be rather annoying at first, however, as it "learns" from you what software you WANT to allow access to the Internet. But as long as you check the "remember my answer" box it will eventually stop bothering you so much.
If, for whatever reason, you can't install any of those programs or don't want to (though I can't fathom why you wouldn't), you can always opt for a FREE ONLINE scan. Pretty much every major anti-virus software publisher offers some sort of online scanning service - but it's not as effective as having anti-virus software INSTALLED ON your computer (an online scan finds what's already there; it won't stop the next infection), and an online scan can be excruciatingly slow (especially over a dial-up connection). Here are the "major players'" free scans:
Symantec Security Check (Norton)
Also, many of the larger ISP companies now provide some kind of free anti-virus software for their customers. For example, AOL and Comcast - before you go out and BUY anything, you might want to see if your ISP will provide anti-virus software for you gratis.
Anti-virus isn't enough protection. You also need to be running a firewall. A firewall is like a guard posted at the gates of your computer, deciding who gets in or out. Those gates are called "ports." No, these aren't the physical ports on your computer that you plug things into (like a mouse, keyboard, joystick, scanner, etc). These are NETWORK ports, defined by software - and your computer has 65,535 of them for TCP and another 65,535 for UDP! That's a LOT of doors for one security guard, but if you have the right firewall it shouldn't be a problem.
Even some IT Directors (well, the bad ones) at companies with firewalls still believe ports higher than 1024 can be left open to external traffic (FROM the Internet), and that every port for traffic originating internally (from a workstation out TO the Internet) should be left open. THIS IS INSANELY STUPID THINKING from a network security standpoint. Here's why:
The only thing special about port 1024 is that on Unix systems the ports below it are reserved for privileged services; it's a convention, not a security boundary. Plenty of legitimate services listen above it (SQL Server on 1433, Remote Desktop on 3389, VNC on 5900), and there is nothing stopping a worm from using any port it likes. Think about it: if you were a cat burglar and knew that the ground floor of the house you were going to break into was secure, but all the upstairs windows were wide open, which way would YOU choose to get into that house?
When the SQL Slammer worm hit in January 2003 it walked right in through UDP port 1434. Many IT departments responded by setting their firewalls to block 1434 - and nothing else. Continuing the previous analogy, it's as if they heard there was a cat burglar operating in their neighborhood who entered through an upper-story window on the front of the house, so they closed THAT window while leaving all the other windows upstairs wide open.
A lot of people these days have "home networks" set up, especially if they have a broadband connection. Like a lot of the corporate world, people figure there's no reason to have "high security" between the computers on their Local Area Network (LAN) - they're all YOUR computers, you TRUST them, right? Well, you shouldn't. In the 2003 Slammer outbreak, once the worm got inside a LAN it propagated from workstation to workstation - jumping from desk to desk - throughout the building, because the ports were left open on the LAN under the misguided belief that communications between internal systems were inherently "safe." Here's why they aren't: Slammer "talked" to the Microsoft SQL Server Desktop Engine (MSDE), which listens on UDP port 1434 and had been installed (by other software, often without anyone noticing) on a great many Windows workstations. Most people had no idea what MSDE was, much less that it was running on their computer. While the attack was aimed at database servers, analysis afterward showed that many of the infected systems were not servers but desktop workstations running MSDE for no good reason. The whole worm fit in a single UDP packet, so it didn't even need a connection to spread; it jumped from system to system so fast that entire portions of the Internet were crippled within minutes. Lesson learned: you shouldn't have the computers on your LAN set up to unquestioningly TRUST one another, because any one of them could, at any time, become compromised. Not only should you close ALL the upstairs windows in the house, you should secure the interior doors as well, so if a bad guy gets into one room he'll have a hard time getting into any others.
Trojan Invasion!
or "Beware of Geeks Bearing Gifts"
"Hackers" generally don't, as you see in the movies, sit there trying to "crack codes" by frantically typing in commands to gain access to some supposedly "secure" system. That's Hollywood. The reality is a lot more dull - they use "bots." A bot is a program that, once it's on your machine, quietly connects to a control server (very often an IRC chat server) and waits for orders; it usually arrives as a "Trojan," a file that pretends to be something you want. Bots spread by scanning ranges of Internet addresses for machines that answer on particular ports, then firing a known exploit at whatever responds - an open, unpatched port is an invitation to come on in. Once inside, a bot might turn the system into a "zombie" (give the hacker who released it total control of the compromised system), or it may just set up a private IRC chat room on that machine without the owner's knowledge. Some hackers control virtual armies of bots ("botnets") on machines they've compromised around the Internet, and the bots can be rather sophisticated too - doing more than just "phone home" to their master. They might set up a secret chat room, inform other bots of the open port on the machine that was exploited, let a hacker remote-control your computer, sit there logging every keystroke you make and then - at some point - send all that data back to their master or upload it to a hidden server or IRC channel somewhere, or consume all your bandwidth sending out garbage data in a Denial of Service attack designed to bring some portion of the Internet to its knees. There's an easy way to check whether your computer is infected with an IRC bot/zombie/Trojan:
(before starting these tests, exit/quit any IRC Chat programs you use or the tests will give you a false positive result)
TEST #1
1. Open a Command Prompt (go to START-->PROGRAMS--->ACCESSORIES-->COMMAND PROMPT). A black window with text will open on your screen.
2. In that window type: netstat -an | find ":6667" and hit [ENTER]
3. You shouldn't get anything but another command prompt in the window. But if you see a message that looks something like this:
TCP 192.168.1.101:1026 70.13.215.89:6667 ESTABLISHED
then you'd be wise to disconnect your computer from the Internet immediately and start hunting for a Trojan on your machine. Even though the Trojan probably used a random port to get INTO the machine, to "phone home" it still has to reach an IRC server, and most of those run on 6667 (though they can be configured to use some other port, so a clean result here doesn't prove you're clean). On Windows XP and later, netstat -ano adds a PID column showing which process owns each connection; you can match that number up in Task Manager (View-->Select Columns-->PID) to see the program's name.
TEST #2
1. If you closed the Command Prompt from Test #1, open a new one.
2. In that window type: netstat -an | find ":113 " (notice the [space] after the 3) and then hit [ENTER]
3. Again, you shouldn't get anything but another command prompt in response. However, if you see something like:
TCP 0.0.0.0:113 0.0.0.0:0 LISTENING
disconnect your computer from the Internet post haste and start hunting for a Trojan. This test works because IRC servers usually query an "identity" (Ident) service on the connecting machine, on port 113, to ask who is connecting. So most IRC programs (including malicious ones) try to keep the IRC servers happy by providing a local Ident server. If you're not running any IRC programs and it says you've got an Ident server listening on your machine, you've got problems. Remember that these two tests are quick checks, not a full scan: a bot that uses a different port, or no IRC at all, will pass both, so a clean result is no substitute for an anti-virus scan.
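The same two checks as a script, run over a constructed netstat -an listing rather than a live capture. This is an added example, not part of the original page, and it goes a little beyond the two tests above: it flags any ESTABLISHED connection to the usual IRC server ports (6660-6669 and 7000), an Ident listener on 113, and a listener on UDP 1434 (the MSDE port from the firewall section). The port list is an assumption about conventional use, not a list of known malware, and the sample output is made up.

```python
import re

# Constructed sample of Windows "netstat -an" output, not a real capture.
# It includes the two signs the tests above look for (an ESTABLISHED connection
# to port 6667 and an Ident listener on 113) plus the MSDE port from the
# firewall section, so the checker has something to find.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    192.168.1.101:1026     70.13.215.89:6667      ESTABLISHED
  TCP    192.168.1.101:1031     192.0.2.10:443         ESTABLISHED
  TCP    192.168.1.101:1033     198.51.100.7:7000      ESTABLISHED
  UDP    0.0.0.0:1434           *:*
"""

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

IRC_PORTS = set(range(6660, 6670)) | {7000}   # assumed: conventional IRC server ports
IDENT_PORT = 113
MSDE_PORT = 1434


def split_endpoint(endpoint):
    """'192.168.1.101:1026' -> ('192.168.1.101', 1026); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn the netstat table into a list of dicts, skipping headers and blanks."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        entries.append({"proto": proto, "local_port": lport,
                        "foreign_host": fhost, "foreign_port": fport,
                        "state": state or ""})
    return entries


def find_suspicious(entries):
    """Return (reason, entry) pairs. These are heuristics: a bot can use any
    port, and a real IRC client produces the same pattern (the false positive
    the page warns about), so each hit needs a look at the owning process."""
    hits = []
    for e in entries:
        if e["state"] == "ESTABLISHED" and e["foreign_port"] in IRC_PORTS:
            hits.append(("outbound connection to an IRC port", e))
        elif e["state"] == "LISTENING" and e["local_port"] == IDENT_PORT:
            hits.append(("Ident server listening (IRC client present)", e))
        elif e["proto"] == "UDP" and e["local_port"] == MSDE_PORT:
            hits.append(("MSDE/SQL Server listening on UDP 1434", e))
    return hits


def suspicious_ports(text=SAMPLE_NETSTAT):
    """The set of ports the checker complained about (foreign port for
    connections, local port for listeners)."""
    return {(e["foreign_port"] or e["local_port"])
            for _, e in find_suspicious(parse_netstat(text))}


if __name__ == "__main__":
    for reason, e in find_suspicious(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{reason}: {e['proto']} local port {e['local_port']} -> "
              f"{e['foreign_host']}:{e['foreign_port']} {e['state']}")
```

On a real machine you would feed it the output of netstat -an (or netstat -ano, and then look up the PID of anything it flags). The HTTPS connection on 443 is left alone, which is the point: the script looks for the specific patterns, not for "any connection."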
Here's a web site with a great list of known Trojans and the ports they use. However, there's nothing stopping someone from tweaking them to use some different port, which brings me to the next section. . .
Best Security Practices for Your LAN
So, here's the general plan you should implement on your network:
1. Close EVERY port, from 1 to 65535, for all INTERNAL IP addresses and every EXTERNAL IP address, and block them for both internal and external traffic. The starting configuration is that no traffic goes in or out in either direction ("default deny"). As noted above, you KNOW you can't trust computers out in the wilds of the Internet, but you also can't trust any local computers either.
2. Only open a port for a specific reason. For example, port 80 (HTTP, the Web port) can be opened for traffic FROM all computers on your LAN to the Internet (internal to external) so they can view web pages. Do the same for port 443 (HTTPS, the secure Web port). Ideally you should route all web traffic through a Proxy Server, in which case ONLY the Proxy has ports 80 and 443 open to the outside world - individual computers on your LAN then only need to reach the proxy's own listening port on the LAN, and nothing else. Do the same for any other ports you need open either between computers on the LAN (so they can talk to each other) or between your LAN and the outside world. Remember that every opening has a direction, too: "the LAN can connect out to port 80" is not the same thing as "the Internet can connect in to port 80." Here's a quick reference list of common port numbers and what they do.
3. Don't confuse "client" and "server" access. Client = individual desktop workstation serving ONE user, Server = a computer serving (or capable of serving) MULTIPLE users. For example, if you don't have a Proxy Server on your network, each computer (client) on your LAN would need to connect out on port 80 to surf the Web. In a corporate environment they'd probably have their own e-mail servers, FTP servers, DNS servers, etc. on their LAN. I'm going to assume most home networks aren't that "hardcore." But if, by chance, you are setting up a network that complex, the same applies. In a properly designed network desktop computers (clients) talk to servers, and servers talk to the outside world. No traffic originating out on the Internet should ever communicate directly with a desktop workstation.
4. Close any VPN Tunnels! If you allow a VPN (Virtual Private Network) connection from a remote client machine, then basically you've left the front door wide open to infections, because the network treats anything coming through the tunnel as if it originated on the LAN (instead of remotely - like, say, from the Internet). If you're not going to treat other machines on your LAN as inherently trustworthy, you shouldn't treat machines on a VPN connection as trustworthy either: a VPN gives whoever is on the other end of the tunnel (and whatever has infected their machine) the same access your LAN computers have. The whole point of this exercise is to SECURE ports, so if someone remotely needs access to something specific on your LAN (for example, say you are running an FTP server) the smart thing to do is open JUST port 21 (the FTP control port; the data connection uses port 20 in active mode or a range of high ports in passive mode, which the firewall has to allow as well) to external traffic, and JUST to the FTP server. Some programs (like NetMeeting) negotiate random ports, so you don't know ahead of time which ports you'll need to open. If you happen to use an application like that to communicate with a remote system, then AND ONLY THEN, should you open a VPN tunnel - and JUST during the time you're communicating with them. Close it as soon as you're done. In a corporate environment VPN tunnels should be booked for time just like meeting rooms, and VPN clients should land in a zone of their own with their own rules, not on the LAN proper. In a "home network" environment it's doubtful you'd EVER need a VPN tunnel, but if you did, the same rule applies - open it for the time period you're using it and close it when you're done.
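Here is the policy in steps 1 through 4 written out as a tiny first-match, default-deny rule evaluator in Python, next to the "open everything above 1024 and trust the LAN" policy it replaces. This is an added example, not from the original page or any real firewall product. The addresses, the proxy port (3128) and the VPN address pool are assumed placeholders, the sample packets are constructed, and a real firewall would also track connection state so that replies to allowed connections get back in, which this model leaves out. The traffic includes a Slammer-style UDP 1434 packet arriving from the Internet and one moving between two LAN hosts.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Assumed addressing for the example (not from the original page).
LAN = ip_network("192.168.1.0/24")
VPN_POOL = ip_network("10.8.0.0/24")       # addresses handed to remote VPN clients
PROXY = "192.168.1.2"                      # the only host allowed to talk to the web
FTP_SERVER = "192.168.1.3"
PROXY_PORT = 3128                          # assumed proxy listening port

Packet = namedtuple("Packet", "proto src dst dport")
Rule = namedtuple("Rule", "src dst proto ports action")   # None means "any"


def zone_of(ip):
    ip = ip_address(ip)
    if ip in LAN:
        return "lan"
    if ip in VPN_POOL:
        return "vpn"
    return "wan"


def side_matches(pattern, ip):
    """A rule side is either a zone name ('lan', 'wan', 'vpn') or one host address."""
    return pattern is None or pattern == zone_of(ip) or pattern == ip


def evaluate(policy, pkt):
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for r in policy:
        if (side_matches(r.src, pkt.src) and side_matches(r.dst, pkt.dst)
                and (r.proto is None or r.proto == pkt.proto)
                and (r.ports is None or r.ports[0] <= pkt.dport <= r.ports[1])):
            return r.action
    return "deny"


# The thinking the firewall section argues against: everything outbound open,
# inbound open above 1024, the LAN trusts itself, and VPN users count as LAN.
BAD_POLICY = [
    Rule("lan", "wan", None, None, "allow"),
    Rule("wan", "lan", None, (1025, 65535), "allow"),
    Rule("lan", "lan", None, None, "allow"),
    Rule("vpn", "lan", None, None, "allow"),
]

# Steps 1-4 above: closed by default, and each opening has a reason.
GOOD_POLICY = [
    Rule("lan", PROXY, "tcp", (PROXY_PORT, PROXY_PORT), "allow"),  # clients reach the proxy only
    Rule(PROXY, "wan", "tcp", (80, 80), "allow"),                  # only the proxy reaches the web
    Rule(PROXY, "wan", "tcp", (443, 443), "allow"),
    Rule("vpn", FTP_SERVER, "tcp", (21, 21), "allow"),             # remote user: FTP control port only
]

# Constructed sample traffic. The Slammer-style packets are UDP to port 1434.
TRAFFIC = {
    "worm_from_internet": Packet("udp", "203.0.113.9", "192.168.1.50", 1434),
    "worm_lateral":       Packet("udp", "192.168.1.50", "192.168.1.51", 1434),
    "client_direct_web":  Packet("tcp", "192.168.1.50", "198.51.100.20", 443),
    "client_to_proxy":    Packet("tcp", "192.168.1.50", PROXY, PROXY_PORT),
    "proxy_to_web":       Packet("tcp", PROXY, "198.51.100.20", 443),
    "vpn_to_ftp":         Packet("tcp", "10.8.0.7", FTP_SERVER, 21),
    "vpn_to_fileshare":   Packet("tcp", "10.8.0.7", "192.168.1.50", 445),
}


def compare(policies=None, traffic=TRAFFIC):
    """{name: {'bad': verdict, 'good': verdict}} for every sample packet."""
    policies = policies or {"bad": BAD_POLICY, "good": GOOD_POLICY}
    return {name: {label: evaluate(p, pkt) for label, p in policies.items()}
            for name, pkt in traffic.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:20} bad={verdicts['bad']:5} good={verdicts['good']}")
```

The two worm packets and the VPN user poking at a file share pass the "bad" policy and are dropped by the "good" one; the client going straight to the web is also dropped, because under the proxy design that traffic has no business leaving the LAN directly. Whether you implement this on a Linux box with iptables or in a router's web page, the shape is the same: default deny, then a short list of openings you can explain.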
Hardware Firewalls (for Serious Security)
Technically the only REAL firewalls are dedicated hardware - a box - with some ethernet ports that don't run any services other than those of a firewall. There are companies that make such devices, but you can also build one yourself for not much money.
1. The Sacrificial Lamb - If you've got an old, but still functional computer (or don't mind picking one up for $100 or less on eBay) you can use it for a firewall. Stick some NICs (Network Interface Cards) in it - however many you can or how ever many you need - and install some NON WINDOWS operating system on it like FreeBSD or Linux, and set it up in between the desktop computer you USE and the Internet connection, following the general security guidelines above.
2. But that sounds like a lot of work. If you've got a broadband connection you may have already set up a home network with a "broadband router." Even if you presently only have ONE computer on your network, you should consider buying a router and adding it between you and the Internet. Most of them have built-in firewalls and are capable of port forwarding and filtering to a protected network, and because they do Network Address Translation (NAT) - your computers get private addresses behind the router's one public address - unsolicited connections from the Internet have nowhere to go unless you deliberately forward a port. You can get them relatively cheap too.
Ideally a good firewall should just sit there on your network and do its job and never bother you. Even more ideally, you want MULTIPLE LAYERS of security in place. If you make the bad guys WORK FOR IT to get into your computer you'll be a lot less attractive as a target.
Got Wireless?
"Wireless" is a general term for any networking that is done, obviously, without wires. Specifically I'm going to talk about wireless broadband routers. Wireless is sometimes called "Wi-Fi" or a "WLAN."
Wireless routers and access points have become very popular items these days. I have one at my house just for the convenience of not having to be restricted to the vicinity of my router when using my laptop. But I also don't want the neighbors mooching off my broadband connection or, worse yet, some hacker driving by discovering an unprotected "hot spot" he can exploit from curbside. Here are some suggestions about securing your wireless router:
1. Turn off the Wireless part of the router If you don't use any wireless devices (for example, you bought a wireless one just so you have the option in the future to go wireless or you HAD a wireless device but no longer do or don't use it). If it's not enabled, it can't be exploited.
2. B, G, or BG? No, not the Bee Gees from the Disco Era. Some wireless routers let you turn off support for one of the 802.11 standards ("B only" or "G only"). Don't count on this as a security setting: it controls which radio modes and speeds the router will use, not WHO can connect. Wireless G (802.11g) devices were designed to work on Wireless B (802.11b) networks, so "B only" just drops everyone to B speeds, and someone with a G card can still join. Use it for compatibility; use encryption (item 4) for access control.
3. Restrict access to your wireless network by MAC address (Media Access Control address - the unique hardware address built into each network card). I have mine set up with a list of "authorized MAC addresses" and it will only accept wireless connections from those listed devices (i.e., ones you own or trust). It's easy to find your MAC:
- Open a command prompt: START-->PROGRAMS-->ACCESSORIES-->COMMAND PROMPT
or
START-->RUN -->type command
- Depending on the version of Windows you're using, type either:
- ipconfig /all <-- on Windows 2000/XP; notice the space after the "g"
or
- winipcfg <-- on Windows 95/98/ME
- Find where it says "Physical Address" in the list. That's the number you put into your router's authorized MAC list.
Understand that this is a speed bump, not a lock: MAC addresses are sent in the clear with every wireless frame, so anyone sniffing your network can read an authorized one and set their own card to use it. It keeps the casual moocher out; it won't stop someone who knows what they're doing. That's what item 4 is for.
4. Don't use WEP security (Wired Equivalent Privacy); switch to WPA (Wi-Fi Protected Access), or better yet WPA2 if your router and cards support it. I like the "Pre-Shared Key" option (called WPA-PSK) for a home network. The reason to switch is that WEP (in any flavour) is notoriously easy to crack - the Federal Bureau of Investigation actually did a public demonstration in 2005 where they cracked WEP in about three minutes. The weakness isn't the key length: WEP prepends a 24-bit "initialization vector" (just under 17 million possible values) to the key for every packet, so on a busy network the same values get reused within hours, and statistical attacks on the RC4 cipher underneath recover the key from a few tens of thousands of captured packets. No guessing is even required. WPA was created BECAUSE of the failings of WEP, and I have no idea why anyone in their right mind would continue to use WEP (or devices which are limited to it). Speaking of which, you may need an update from Microsoft in order to use WPA with Windows XP (all versions). If your router offers it, you should also switch the encryption from TKIP (which still uses RC4 underneath, with per-packet keys, and exists mainly so old WEP hardware could be upgraded) to AES (CCMP, the WPA2 cipher). Pick a long pass-phrase too: WPA-PSK can be attacked offline by guessing the pass-phrase from a captured connection handshake, so a short word or anything in a dictionary defeats the whole point.
5. Change the Wireless Router Name from the default setting to something unique (something outsiders won't easily guess). The router name is also called the SSID (stands for Service Set IDentifier, not that it matters).
6. Consider disabling the "SSID Broadcast" on the router if it lets you. What the broadcast does is basically tell the world what unique name you gave your wireless network "hot spot." When wireless devices scan for available networks they receive this broadcast, which informs them: yes, there is a network here and this is its name if you want to try to connect. If you're the only one connecting to your "hot spot" there's no strong reason to broadcast its name. Configure your wireless devices for that network name and turn off the SSID Broadcast. This isn't recommended, however, in a business environment UNLESS all wireless access points have had SSID Broadcast disabled, because Windows XP will not connect to an access point with broadcasts disabled if there is another one within range that is broadcasting (even if you don't have the passkey for it). Dumb dumb dumb, but what do you expect from Microsoft? Lastly, it won't make your access point "stealth," just a little harder to find. Even with broadcasting disabled the router still REPLIES to certain requests, and your own devices send the name in the clear whenever they join (or go looking for the network), so anyone with a wireless sniffer sees it the moment you connect. A laptop configured for a hidden network also has to ask for that name everywhere it goes, which is its own small privacy leak. It will keep the casual Wi-Fi piggybacker from finding your WLAN; treat it as tidiness, not security.
7. Disable DHCP. That's Dynamic Host Configuration Protocol, and what it does is automatically hand out a temporary IP address from a pool to each device as it connects. Automation is nice for setting up a network without knowing much about it, but it also means any stranger who gets onto the wireless side is handed a working address without lifting a finger. You should assign a STATIC IP ADDRESS to each of your wireless devices, and if possible restrict wireless access to JUST those IP addresses. Like the MAC list, this only slows an attacker down - anyone who can sniff your traffic can see what address range you use and pick a free one - so it's a nuisance for the casual freeloader, not a substitute for WPA. Here's a page that tells you how to configure a manual IP in Windows XP
8. Take advantage of the WIRED ethernet ports on the back of your wireless router whenever you are sending private data over the Internet (for example, if you're going to pay for something online with a credit card and have to enter your card number, or if you're going to log into your bank account). With WPA turned on and an https:// web site the risk over the air is small, but the wired port takes the radio out of the picture entirely. Short of that, never send ANYTHING over a wireless connection you wouldn't want a stranger to know. That goes for your cell phone too - use a landline for any data you don't want someone to be able to "pluck" right out of the air.
PC Phone Home?!
Everything with firewalls I've mentioned so far is concerned with protecting your system from intrusion - either from other computers on your LAN (should they become compromised) or from bad guys out on the Internet. If you follow the policy listed above and install a hardware firewall between your computer and the Internet, and have up-to-date anti-virus software with real-time protection, and you don't open suspicious e-mails or download files without virus scanning them, well you don't really NEED a software firewall as well. However, the hardware firewalls don't address another threat to your security (and privacy): software that "Phones Home" without telling you. Most people are familiar with the idea of malicious programs (viruses, trojans, spyware) taking control of your network connection to send themselves, stolen data, or whatever to wherever. But a lot of the software you installed on purpose, the software you use every day, software you PAID for, is doing the same darn thing - communicating with the software publisher. A lot of times this is innocent, it's just a program checking to see if there are updates or a newer version available for download - if you have Automatic Updates on Windows turned on even your Operating System is doing this in the background. Some software publishers, though, like to use the communication to gather marketing and demographics data, or even report back what other programs you have installed on your system. Unless you intercept and decode the data being sent, you really don't know WHAT it's telling people. Personally, I HATE this practice. Even programs I have set to automatically check for updates have to first okay their network access with me, which is the only reason I have a "Personal Firewall" (a.k.a. "Software Firewall") installed on my computers.
Software Firewalls
So, yeah, the ONLY reason you should have one of these installed on your machine is if you like to keep tabs on what programs installed on your computer are trying to communicate with the outside world. Now, if anti-virus programs were 100% efficient at catching EVERY virus, if Spyware Sweepers found every spy, and if Firewalls were "un-hackable" there'd be no reason to have a Software Firewall at all. The odds of someone hacking into your home network's hardware firewall are remote - hackers are going to expend their efforts on targets that will yield the most reward (corporate and government servers). Your home computer *might* yield some information of use to Identity Thieves, but that's about it - and people who have connected unprotected computers to the Internet are much easier targets, so honestly I wouldn't worry too much about someone hacking your home network firewall. On the other hand, viruses and spyware DO slip into your system even when you've installed programs to catch them. THAT is why I want a software firewall - to tell me what programs (spyware and viruses are just malicious types of programs) are trying to access the Internet from my computer. If I see a warning about some program I don't recognize suddenly trying to use my network I write down what it is and go into "research mode" to find out just what kind of Internet nasty has slipped inside and taken up residence on my system. Even if my firewall was tricked into letting the malicious program access the network, odds are it would try to use a non-standard port my hardware firewall was blocking (in which case I'd see it listed when I looked at my hardware firewall's log file).
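A software firewall pops up its warning at the moment a program tries to talk; if you just want a snapshot of which programs on your PC are talking to the outside world right now (the "write down what it is" step above), the following added example does that with the tools Windows already has. It is not from this page or from any of the firewalls listed below. It assumes PowerShell 2.0 or later and the standard netstat.exe that ships with XP/2000/Vista, and pairs each open connection with the program that owns it.

```powershell
# Added example (not from the original page): list which programs currently
# have connections to addresses outside this machine, by pairing the output of
# "netstat -ano" with the process table. Assumes PowerShell 2.0+ (run as an
# Administrator so the owning program's path can be read for every process).

function Get-TalkingPrograms {
    # -a all connections, -n numeric addresses (no DNS lookups), -o show owning process id
    $lines = netstat -ano | Select-String 'TCP|UDP'
    $results = @()
    foreach ($line in $lines) {
        $parts = $line.ToString().Trim() -split '\s+'
        # TCP rows: Proto Local Foreign State PID ; UDP rows have no State column,
        # so the PID is always the last field
        $proto  = $parts[0]
        $remote = $parts[2]
        $procId = [int]$parts[-1]
        $state  = if ($proto -eq 'TCP') { $parts[3] } else { '' }

        # Listening sockets are waiting for others; we only want programs reaching OUT
        if ($state -eq 'LISTENING') { continue }
        # Skip loopback and unbound entries, which never leave the machine
        if ($remote -match '^(127\.|0\.0\.0\.0|\[::|\*:)') { continue }

        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $program = '(unknown)'
        if ($proc) {
            # MainModule can throw for protected system processes; fall back to the bare name
            try { $program = $proc.MainModule.FileName } catch { $program = $proc.Name }
        }
        $results += New-Object PSObject -Property @{
            Program = $program; Protocol = $proto; Remote = $remote; State = $state; ProcessId = $procId
        }
    }
    $results | Sort-Object Program, Remote -Unique
}

Get-TalkingPrograms | Format-Table -AutoSize Program, Protocol, Remote, State, ProcessId

# To keep a record for later "research mode", save the same list to a file:
# Get-TalkingPrograms | Export-Csv -NoTypeInformation "$env:USERPROFILE\Desktop\talking-programs.csv"
```

Anything listed under a program path you don't recognize is exactly the kind of thing the author says to write down and look up; the Remote column tells you where it was talking to, which is usually the quickest lead.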
Recommended Software Firewalls
COMODO Firewall - this is a new addition to the free firewall market, but it's actually pretty good. If you've been using something like McAfee or ZoneAlarm then this is really quite similar. Like McAfee, this firewall will integrate nicely into the COMODO Security Suite, which is a good replacement for the Windows Security Center that comes with Windows XP and Vista.
Sygate Personal Firewall v5.6 - one of the best out there, unfortunately no longer being updated because Symantec bought out Sygate and announced in November 2005 that the "Personal Firewall" product line was being scrapped. The nicest feature of it is detection of "Internet Hijacking" (when one application launches another with intent of accessing the network). On the downside it can be hard for novices to configure and the warnings it displays are sometimes cryptic or confusing to average users.
Kerio Personal Firewall 2.1.5 - This is the last fully functional and free version of the popular Kerio Firewall. A lot of people swear by this thing, though like the Sygate one, it is no longer being updated because Kerio sold it to another company called Sunbelt (see next entry).
Sunbelt Kerio Personal Firewall 4 - Still free for personal use, albeit as a "crippled" version. You download the program and run it as a fully functional "trial version" for 30 days, after which (if you don't pay for a license) it goes into "free" mode where some features are no longer functional. Still considered a quite good firewall, though, even in its hobbled form, though some people have experienced instability issues while running it (see GRIPES site).
Zone Alarm 6 - A lot of people still love this firewall. I used it for years myself and recommended it to friends and family. However, the latest versions aren't as good as the earlier ones in my opinion (especially since Zone Labs was purchased by Checkpoint Security). The user interface is still simple and (for the most part) intuitive enough for even novice users, but there are growing lists of "compatibility" problems with it, reports that it is secretly "phoning home," and pop-up windows designed to look like warnings and software update notices which are actually spam trying to coerce users into upgrading to the "full" version. Because of these issues I'm almost reluctant to recommend it anymore, but the main point is (annoyances aside) it still blocks ports and alerts you to program level access to your network. Before you use it, though, you might want to look at the GRIPES site.
BUILT-IN FIREWALL OPTIONS
If for whatever reasons you don't want to use a third-party firewall, there ARE some built-in options on some versions of Windows.
Internet Connection Firewall (Windows XP Service Pack 1) - If you haven't updated Windows XP, and especially if you're using Internet Connection Sharing to allow other computers on your LAN access to the internet (through your WinXP-SP1 machine), you can set some firewall restrictions with ICF.
Windows Firewall (Windows XP Service Pack 2) - This is a key part of the security upgrades in Service Pack 2. Some people say that it's every bit as good as the third party offerings, other people decry it as worthless. You can decide that for yourself: if you choose to use it, go to the Shields Up web site and test it.
DIY Windows 2000 Firewalling (Windows XP Pro & Windows 2000) - If you're a real Do It Yourselfer (or exceptionally frugal) and are running Windows 2000 or Windows XP Professional Edition, you can "firewall" your computer without ANY third party software by manually configuring IP Security Policies. Here's a step-by-step guide with screenshots.
Well, spyware is, that's for sure. The last major threat to your system regularly comes into your system via file downloads, software installations, or just viewing a web site. Most of them don't really present a huge security threat - they're deployed by marketing companies to gather usage pattern and demographics data, and more often than not it's boring stuff like grabbing the "History" listing of web pages you visited out of your browser or noting what operating system you're running or reporting your IP address (which usually gives your general geographic location). Most of the spyware out there isn't snooping through your hard drive or monitoring you when you type in your name, phone number, or address. If it is, it is usually no longer considered JUST spyware, but "malware" (software with malicious or illegal intent). The majority of spyware is just annoying. Annoying in that it's spying on you in some way, sure. But more importantly it's doing things on your system without your authorization (or often your knowledge) and when it's running it is consuming YOUR system resources - which can make your computer run slower, and it's consuming YOUR internet bandwidth when it sends its data wherever it sends it. At the very least you should be upset that they're stealing electricity and internet service from you - even if the "burden" is minimal, you shouldn't have to put up with it at all. Good news! You don't have to.
RECOMMENDED SPYWARE SWEEPERS
Spybot Search & Destroy - This is the one I use. Does very good scans and often can tell you detailed information about WHO made the spyware and what it allegedly does.
AdAware SE Personal - A very popular choice for many people. I used to use it myself, until I found Spybot S&D and ran it AFTER my system was supposedly already cleaned by AdAware and Spybot S&D found additional spyware. On the other hand I've heard people say AdAware can catch some stuff Spybot doesn't.
(Note: AdAware and Spybot S&D don't coexist well on the same system because they can mistake each other's "spyware definition files" for actual spyware. I'd recommend you install only one of them on your system - if evaluating, install - try - uninstall - install the other one - try, and determine which one you want to keep.)
COMODO BOClean - If you've downloaded the other free security software from COMODO then you'll probably want BOClean too. This is still "beta" software at the time of this writing, so your mileage may vary with it.
OTHER ANTI-SPYWARE OPTIONS
Microsoft Windows Defender - this is an effort from Microsoft to create an anti-spyware program. It's actually a FREE program, but you can only download it if your Windows XP, 2003, or Vista installation is "validated" by Windows Genuine Advantage. If you haven't validated your install, some error prevents your Windows from validating, or if you've got a pirated Windows installed (which you obviously shouldn't, but some people do without even knowing it), then you won't be able to install this.
ONLINE SPYWARE SCANS
Like the online Virus Scanners these aren't as good as having a scanner installed on your computer, but if you can't install one of the above (or don't want to) these are better than doing nothing:
Trend Micro Anti-Spyware for the Web
PC Pitstop Spyware Quick Scan (requires Internet Explorer)
PC Pitstop eTrust PestPatrol Spyware Deep Scan (uses ActiveX)
SECTION 2: WINDOWS SETTINGS
Services? We Don't Need No Stinkin' Services!
Another layer of defense you can enable on your system comes from DISABLING services you don't use. Microsoft has a bad habit of shipping their software with tons of network services - many of them essentially acting as SERVERS - enabled by default when you install your Operating System. Despite the fact that it is well known this presents a serious security risk to end users, as well as helps propagate viruses and Denial of Service attacks that can temporarily bring down entire portions of the Internet, for whatever reasons Microsoft refuses to ship their software with these services DISABLED by default. Frankly, I'm surprised there hasn't been a class action lawsuit against them over this negligent behavior, but I'm supposing from a legal standpoint the responsibility falls to individuals to secure their computers - unfortunately only the more savvy users even know these services exist on their systems, much less what they do or that they are running.
Another thing to know about services, besides the fact that some of them pose a security threat, is that they consume system resources to run. If you ever CTRL+ALT+DEL and look at the "Services" tab in the Task Manager, you'll see tons of stuff running in there, each thing gobbling up a little bit of memory. Now, if you have a more contemporary system with a fast processor and a decent amount of memory, turning off the services probably won't yield any noticeable performance gains. On the other hand, if you're running an old system with a low clock-speed and limited memory installed, turning off unnecessary services will likely produce a very noticeable gain in performance and cut boot up and shutdown times.
How to Get At Services to Turn them On and Off:
In Windows XP and 2000 you go to START-->CONTROL PANEL-->Administrative Services and then open the "Services" control panel. You'll see a nasty long list of all the services on your computer. To change how a service runs, Right+Click on the service name and select "Properties." A dialogue box comes up with four tabs on it:
1. General - This pane tells you the real name of the service, the name displayed in the list (if different), a short description of the service (which is usually too confusing for average users to understand), the file path to where the service program is stored, and then some stuff you'll actually need:
A. Startup Type: this is a drop-down menu with options on what the service does when you start your computer. The options are "Automatic," "Manual," or "Disabled."
B. Service Status: Buttons to "Start," "Stop," "Pause," or "Resume" a service.
2. Log On - This pane defines how the service is logged into - either using the Local System Account or as some other account, and whether the service should be automatically enabled or disabled under specific "Hardware Profiles." Confused yet? Most users will probably never have ANY reason to deal with these configurations - my advice is to ignore them.
3. Recovery - This pane tells the service what to do if it fails to start when it's supposed to; there are drop-down selectors for "First Failure," "Second Failure," and "Subsequent Failures." If you properly disable a service it won't matter what these settings are, so again I'd advise you to ignore them.
4. Dependencies - This pane will tell you if the service you are looking at uses some other service or if some other service uses the one at which you're looking. Basically it warns you that some other service may depend on this one to work - in which case you'll want to check and make sure that the other service is one you don't need either.
The list of services is, as I said, VERY long and this page is already long enough so I'm putting all the Services in a separate page:
Windows XP/2000 Services Guide
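For anyone who would rather not click through that long list one Properties dialog at a time, here is an added example (not from this page, nor from the Services Guide it links to) that reads the same General, Log On and Dependencies information from the command line and then disables a service only if nothing else depends on it. It assumes PowerShell 2.0 or later run from an Administrator prompt on XP, 2000 or Vista; the service name "ExampleSvc" is a placeholder, so substitute the real name of a service the Services Guide says you don't need.

```powershell
# Added example (not from the original page): inspect one service the way the
# Properties dialog does, then stop it and set it to Disabled unless other
# services still depend on it. Assumes PowerShell 2.0+ from an Administrator
# prompt. "ExampleSvc" is a placeholder, not a real service name.

function Show-ServiceInfo {
    param([string]$Name)
    # Win32_Service carries the fields the General and Log On tabs show
    $w = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if (-not $w) { Write-Warning "No service named '$Name'"; return $null }
    # The ServiceController object knows which other services depend on this one
    $s = Get-Service -Name $Name
    New-Object PSObject -Property @{
        Name         = $w.Name          # real (internal) name
        DisplayName  = $w.DisplayName   # name shown in the Services list
        Path         = $w.PathName      # where the service program is stored
        StartupType  = $w.StartMode     # Auto / Manual / Disabled (also Boot / System for drivers)
        Status       = $w.State         # Running / Stopped / ...
        LogOnAs      = $w.StartName     # account the service logs on with, e.g. LocalSystem
        DependedOnBy = ($s.DependentServices | ForEach-Object { $_.Name }) -join ', '
    }
}

function Disable-UnneededService {
    param([string]$Name, [switch]$Force)
    $info = Show-ServiceInfo $Name
    if (-not $info) { return }
    $info | Format-List

    # The Dependencies tab warning, automated: refuse if something still needs this service
    if ($info.DependedOnBy -and -not $Force) {
        Write-Warning "Other services depend on $Name ($($info.DependedOnBy)); check those first, or re-run with -Force to stop them too."
        return
    }

    # Stop it now (Stop-Service -Force also stops the dependents, which is why -Force was required above)
    if ($info.Status -eq 'Running') { Stop-Service -Name $Name -Force }
    # ...and make sure it stays off after the next reboot
    Set-Service -Name $Name -StartupType Disabled
    Write-Host "$Name is now stopped and set to Disabled."
}

# Placeholder name: replace with a service from the Services Guide that you don't need
Disable-UnneededService -Name 'ExampleSvc'
```

Running only `Show-ServiceInfo 'ExampleSvc'` is a safe way to look before you leap: it changes nothing, and the DependedOnBy line is the same warning the Dependencies tab gives you.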
Tweaking Made Easy (well, Easier)
Tweaking can be a daunting, even scary, thing for someone who has no idea what they are doing. The warnings about changing items in your system Registry possibly making your computer unusable are not just scare tactics to keep you out of there. But you CAN still tweak some of your system settings without too much trouble and with little danger of damaging your system.
Advanced Windows Care - This is a nice little freeware utility that will "optimize" your system for you. If you're not comfortable tweaking settings manually, or you just don't want to do all that work, this will do it for you. You install it (on WinXP or Win2K) and hit the "Analyze" button. Then, if you like, view the "Details" and it will show you what it thinks needs to be changed. Click "Go" and it will do all the tweaks for you. Serious tweakers would probably hate this, but for someone who isn't very tech savvy, this is an easy way to shut off a lot of the aforementioned Windows Services with just the click of a button.
NOTE: you should really have more than 128 MB of memory on your computer to use this. It warns you on installation, and you CAN run it if you have less memory, but the tweaks it does may actually make a computer with less memory run more poorly than it did before the tweaks.
Dead Knight's Optimizer XP - Despite the "XP" in the name, this Optimizer is for all versions of Windows. It basically offers you selectivity of what tweaks you'd like to use on your system. It often takes some playing around to find settings that give you a performance boost.
Xteq X-Setup 6.6 - The last freeware of my favourite tweaking utility. Works with Windows 95, 98 (SE), NT 4, 2000, ME, and XP. Allows access to more than 1,600 HIDDEN system functions. I use it all the time to tweak my startup programs (instead of using msconfig), and I've used it on systems I set up to get rid of the IE icon on the desktop or remove items from the START menu.
Disabling Performance Counters
Never heard of them? Don't know what they are? Basically what they are is "system monitors" that record data about the performance of things like the processor, memory, threads, events, etc., for the purposes of detecting problems or "tuning" applications or hardware for maximum performance. If you're a software or hardware developer, one of those people who "overclocks" your machine, or otherwise tweaks your system right to the edge of stability you'll probably need this data. The average user, though, has no use for it whatsoever.
These were disabled by default in Windows NT and are now ENABLED by default in Windows 2000 and XP. Why? No idea. It's a process that sucks up resources and actually HURTS performance so I say "turn it off." Thankfully this is one thing Microsoft realizes people might not want running, so you can download a handy utility from them that allows you to easily turn these off. Go to Microsoft and DOWNLOAD THE UTILITY. Then go through each item on the list and make sure the "Enable Performance Counter" checkbox is cleared. Restart your system and Voila! No more Performance Counters. Though apparently third party software can also install DLLs to this list, so occasionally you might want to fire it up and see if anything new has been added and enabled.
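The "fire it up occasionally and see if anything new has been added" check can be done without opening the utility at all. Here is an added example (not from this page, and not Microsoft's utility) that lists every performance counter DLL registered on the machine and whether it is still enabled. It assumes PowerShell 2.0 or later and the standard registry layout on 2000/XP/Vista, where each counter provider is a "Performance" subkey under HKLM\SYSTEM\CurrentControlSet\Services, its DLL is named in the Library value, and clearing the checkbox in Microsoft's utility is recorded as a "Disable Performance Counters" DWORD of 1 in that subkey.

```powershell
# Added example (not from the original page): list the performance counter
# providers registered in the registry and whether each one is still enabled,
# so newly installed software that added one shows up. Assumes PowerShell 2.0+
# and the standard HKLM\SYSTEM\CurrentControlSet\Services\<service>\Performance
# layout, where "Disable Performance Counters" = 1 means the checkbox is cleared.

$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-PerfCounterProviders {
    Get-ChildItem $ServicesRoot -ErrorAction SilentlyContinue | ForEach-Object {
        # Only services with a Performance subkey register a counter DLL
        $perf = $_.OpenSubKey('Performance')
        if ($perf) {
            $disabled = $perf.GetValue('Disable Performance Counters')
            New-Object PSObject -Property @{
                Service = $_.PSChildName
                Library = $perf.GetValue('Library')   # the DLL that collects the data
                Enabled = -not ($disabled -eq 1)
            }
            $perf.Close()
        }
    }
}

function Disable-PerfCounterProvider {
    # Same registry change the utility's cleared checkbox makes; needs an Administrator prompt
    param([string]$Service)
    $key = Join-Path $ServicesRoot "$Service\Performance"
    if (-not (Test-Path $key)) { Write-Warning "$Service has no performance counters registered"; return }
    Set-ItemProperty -Path $key -Name 'Disable Performance Counters' -Value 1 -Type DWord
}

# Show what is still enabled; this is the list to review after installing new software
Get-PerfCounterProviders | Where-Object { $_.Enabled } | Sort-Object Service | Format-Table -AutoSize Service, Library
```

Run the listing before and after installing a new program and compare the two; a new Service line is the "third party software" case the author describes, and `Disable-PerfCounterProvider` (followed by a restart) turns that one off without touching the rest.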