Securing Windows

If you are running Windows on your PC, you need to be concerned about the safety of your computer for several reasons:

Bugs - All software contains bugs, and Windows is no exception. Some bugs may be in parts of the operating system that you never use; others may be in vital parts of the operating system that could crash your machine at any moment. To prevent downtime and data loss caused by bugs, you need to install service packs, patches and hotfixes to minimize the risk.

Intruders - New vulnerabilities are discovered every day, so Windows is never completely safe from intruders. A large number of computer break-ins happen when crackers find a vulnerability in the operating system and exploit it to get into the system and take control. Since crackers are always a step ahead of you, you should install fixes for those vulnerabilities as soon as they are released.

Virus Infections - Viruses are rampant these days. Currently there are approximately 60,000 known viruses in circulation. Some are harmless, some are annoying, some are malicious and destructive. To prevent your system from being infected you need adequate protection in the form of capable antivirus software.

Violation of your privacy - Marketers are getting more desperate and sneakier every day, trying to get your personal data and study your habits in order to profit by selling your data and helping advertisers annoy you more efficiently. While the relatively honest ones usually give you the chance to opt out and say 'no', the scumbags of the advertising industry try to violate your privacy without your knowledge by installing so-called spyware: software that collects data about you and secretly sends it home. You can make sure that no spyware exists on your system by scanning it on a regular basis.
It is your responsibility to keep Windows safe and updated at all times to protect yourself, your privacy, your data and your computer from being compromised one way or another. We'll show you how to take a basic Windows installation and apply a number of security measures to strengthen the defenses of your operating system. It doesn't matter whether you just clean-installed Windows, got a new PC with Windows preinstalled, or want to improve your current Windows installation. The steps in this article apply to any computer running any version of Windows and can be performed at any time.

Service Packs

Microsoft releases so-called service packs for Windows. These service packs contain hundreds of bug and security fixes and enable you to apply them all in one fell swoop. Your first step towards a safer operating system is to visit the Microsoft web site and download the latest service pack for your operating system. Check which service pack you currently have installed by going to Start / Settings / Control Panel / System / General.

For Windows 2000, get the latest service pack here: http://www.microsoft.com/windows2000/downloads/servicepacks/
For Windows NT 4, get the latest service pack here: http://www.microsoft.com/ntworkstation/downloads/

Tip: If at all possible, download the complete service pack to your system and save it, e.g. on a Zip disk, or burn it to a CD so you have it handy for future use and don't have to download it again.

Another tip: Instead of running the service pack by simply double-clicking it in Windows Explorer, run it from the Windows Run dialog so you can add a switch to it. For example, if you saved the service pack named w2ksp2.exe on your hard drive in C:\Install\W2KSP2, install it by clicking Start / Run, typing C:\Install\W2KSP2\w2ksp2.exe -u, and clicking OK. This switch performs an unattended installation, meaning it does not require you to click anything during the installation or agree to the subsequent reboot. You can walk away for half an hour and return to an updated and rebooted system.

Windows Update

Service packs are available only for certain versions of Windows, not all of them. If no service pack is available for your operating system, you can obtain most updates and patches via the Windows Update web site. And even if you already installed the latest service pack for your operating system, you are far from finished. Updates are released constantly, and the Windows Update web site is the place to obtain most updates released since the latest service pack. No matter which version of Windows you have, you can find the Windows Update web site at http://windowsupdate.microsoft.com/. The site will ask your permission to install a small program, identify which version of Windows you're running, and then display a list of all available updates for your system. Select the updates you wish to install. Remember that some of them are highly recommended and you should install them, others are recommended but not necessary, while others are completely unnecessary. Also be aware that some updates can only be installed separately from other components.

Installing Hotfixes

You'd think that after installing big service packs and numerous Windows updates you're finally done - it ain't so. Microsoft releases additional patches called hotfixes that have to be installed individually. Each hotfix addresses one particular problem and is usually published shortly after the problem was discovered, in order to give the end user a quick way to fix the bug or correct the vulnerability. To stay current you'll have to subscribe to Microsoft's Security Bulletin - http://www.microsoft.com/technet/security/bulletin/notify.asp - or the CERT Advisory Mailing List - http://www.cert.org/contact_cert/certmaillist.html. You will receive regular e-mail notifications about vulnerabilities and fixes you might need to apply to your system.
The problem with hotfixes is that you have to keep up with the countless hotfixes released for Windows, figure out which ones apply to your system, install the correct ones, and keep track of them in case you need to reinstall. One way of doing that is by going to Microsoft's download site - http://www.microsoft.com/downloads/ - selecting your operating system, searching for the keyword "Hotfix", and finally reading through the dozens of hits trying to decide which ones apply to you. That's no fun. Thankfully there are now several tools available that, used in combination, make hotfix tracking and installation much easier. We'll explain those tools in detail in a moment. After reading the next section you'll understand why.

Microsoft Baseline Security Analyzer

Microsoft now offers the Microsoft Baseline Security Analyzer (MBSA), a new security tool that combines the capabilities of the now defunct Microsoft Personal Security Advisor (MPSA) web site and the HFNetChk tool. MBSA allows you to check your Windows NT4, 2000, or XP installation for a number of security issues, i.e. Windows vulnerabilities, weak passwords, IIS vulnerabilities, SQL vulnerabilities, and missing hotfixes. MBSA offers several advantages over MPSA and HFNetChk: you can now scan both workstation and server versions of Windows, it offers a user-friendly graphical interface that closely resembles the Windows XP Update UI, and, most important for network admins, you can scan a whole range of machines at once by specifying a domain or a range of IP addresses. To find out what security holes or missing hotfixes your system has, go to http://www.microsoft.com/technet/security/tools/Tools/mbsahome.asp and read about MBSA and how it works. Even more detailed information can be found in this white paper about MBSA: http://www.microsoft.com/technet/security/tools/Tools/MBSAWP.asp. Click the link to download and install MBSA.
The graphical UI of MBSA is user-friendly and self-explanatory.

Scan a computer allows you to scan one computer at a time. This can be the machine you installed MBSA on, or another machine that you have admin privileges for.

Scan more than one computer allows you to scan multiple computers at the same time. You can either scan machines in a domain that you specify, or a certain range of IP addresses. Again, you need admin privileges on any machine you wish to scan.

View existing reports allows you to view reports of previous scans, which are stored automatically. You can sort the list of saved reports, as well as the contents of each report, by different criteria.

The main screen also contains links to a program help document as well as related Microsoft web sites for quick reference.

After completing the scan, you'll get a security report consisting of three columns. The left column shows the score of each test, indicating how well or badly the PC fared in that test. The second column contains the name of each test. The third and most important column contains the results of each test, a link to an explanation of the test, a link to detailed results, and a link to information on how to correct the issue. Since everything is very well documented and explained, it would be redundant to repeat the explanations here. It is recommended that you take the time to read the details and explanations to help you understand the issues and learn a little bit more about each topic; it's worth it.

However, one of the issues addressed in the security test deserves a little more attention. Depending on the general state of the PC, it is possible that MBSA requires you to install a good number of hotfixes. The good news is that this security test is a very easy and efficient way of finding out which fixes you need. The bad news is that almost every hotfix requires a reboot immediately after installation. If it takes 1 minute to install a hotfix and 3 minutes to reboot, installing a list of 10 hotfixes would take at least 40 minutes and 10 reboots. The reason you normally have to reboot is that multiple hotfixes could modify the same system file. If you have multiple modifications to the same file there can be confusion as to which version to install. But as mentioned above, there are a few nifty tools that Microsoft offers to make this process a lot quicker, safer, and a lot less painful. Let's take a closer look.

Batch-Installing Multiple Hotfixes

For this example the security check was run on a machine with a clean Windows 2000 installation that was updated with Service Pack 2 and any applicable updates from the Windows Update web site. According to the test it was missing 8 important hotfixes, a good example of why these extra steps are necessary to secure your machine.

The first thing to do is download each hotfix by clicking on the appropriate link in the URL column. Download all patches and save them on your hard drive in a separate directory. In this example the folder C:\Install\Patches was used.

The next thing to download is a tool that allows a batch of hotfixes to be installed one after the other without rebooting in between; it is called qchain.exe. Download this tool from the Microsoft web site at http://download.microsoft.com/download/win2000platform/Utility/Q296861/NT45/EN-US/Q296861_x86_en.EXE. More information about this tool can be found in the following Microsoft Knowledge Base article: http://support.microsoft.com/support/kb/articles/q296/8/61.asp. Double-click the downloaded file to install the tool. When asked where to extract it to, extract it into the same folder that you saved the hotfixes in!

If you are running Windows 2000 or XP, you also want to download a tool that allows easy verification afterwards that all hotfixes were installed properly; it is called qfecheck.exe.
Download this tool from the Microsoft web site at http://download.microsoft.com/download/win2000platform/Patch/q282784/NT5/EN-US/Q282784_W2K_SP3_x86_en.EXE. More information about this tool can be found in the following Microsoft Knowledge Base article: http://support.microsoft.com/support/kb/articles/Q282/7/84.ASP. Double-click the downloaded file to install the tool.

You're all set. If you look at the folder in Explorer, it should look similar to the picture below.

Now you're going to write a little batch file. Don't worry, it is very easy. Copy the following section and paste it into Notepad or any other text editor of your choice.

@echo off
setlocal
set PATHTOFIXES=C:\Install\Patches
rem Each hotfix: -z = do not reboot afterwards, -m = quiet mode (no dialogs)
%PATHTOFIXES%\q299796_w2k_sp3_x86_en.exe -z -m
%PATHTOFIXES%\q276471_w2k_sp3_x86_en.exe -z -m
%PATHTOFIXES%\q285851_w2k_sp3_x86_en.exe -z -m
%PATHTOFIXES%\q285156_w2k_sp3_x86_en.exe -z -m
%PATHTOFIXES%\q296185_w2k_sp3_x86_en.exe -z -m
%PATHTOFIXES%\q299553_w2k_sp3_x86_en.exe -z -m
%PATHTOFIXES%\q302755_w2k_sp3_x86_en.exe -z -m
%PATHTOFIXES%\q298012_w2k_sp3_x86_en.exe -z -m
rem qchain.exe must always be the last command
%PATHTOFIXES%\qchain.exe

You will need to modify the third line and change the path to whatever folder on your hard drive you chose to download the patches to. Then you'll need to edit the 8 lines with the names of the patch files to match the ones you downloaded. The listing above is what was used for this example, but your results will of course be different. The number of lines and file names will differ depending on which and how many hotfixes you have to install.

Tip: Instead of typing each hotfix file name and possibly making typos, highlight each hotfix file name in Windows Explorer, press the F2 key on your keyboard, which makes the name field editable, press Ctrl-C to copy the file name, press the Escape key to quit editing the file name without making any changes, then switch back to Notepad and paste the name into the appropriate spot. Be careful to modify only the patch folder path and the file names, nothing else.

The -z switch at the end of each line means not to reboot after installing the patch (which is the point of this whole exercise - duh!), and the -m switch means quiet mode, as in don't display any annoying messages during each install. Also make sure that qchain.exe is on the last line of this batch file.

Now save this batch file in the same directory where the patches are located. It doesn't matter what you call it; we suggest patch.bat. To ensure that the file gets saved with the correct extension, put quotation marks around the file name in the file name field of the Save As dialog box, e.g. "patch.bat" - this prevents the text editor from appending the default .txt extension, which would ruin the batch file.

We're finally ready to do the deed. Open a command prompt window and go to the directory where you saved the patches and the batch file. Performing the actual installation is pretty anticlimactic. Type patch.bat at the command prompt and press Enter. You'll see a few file copy dialog boxes flash by, and eventually you'll be returned to a new command prompt line, which indicates that all went well. Now you immediately need to reboot the system!

Once your machine has rebooted, open another command prompt window. If you are running Windows 2000 or XP, and if you installed the hotfix verification tool qfecheck.exe, you can now make sure that everything went as planned. Type qfecheck -v (the 'v' stands for verbose) and press Enter. After a few seconds you'll see the service pack and a list of installed hotfixes. Alternatively, you can return to the Microsoft Baseline Security Analyzer and run the security check again. It should now come up clean and not require any hotfixes. If you ever want or need to uninstall any of the hotfixes, you can do so by going to Start / Settings / Control Panel / Add/Remove Programs. All hotfixes will be listed there.
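As an added example written for the procedure above (it is not part of the original article), here is a cmd.exe batch file that installs every hotfix package in the folder in a loop, so you do not have to edit one line per hotfix, and writes a log of what it installed so you can keep track of the hotfixes for a later reinstall. It assumes the same folder C:\Install\Patches, that only the hotfix packages match the name pattern q*_w2k_sp3_x86_en.exe (keep the downloaded qchain and qfecheck installers elsewhere), and the log file name installed.log is my choice.

```batch
@echo off
setlocal enabledelayedexpansion
rem Assumed layout (same as the article's example): the hotfix packages
rem and qchain.exe are in this folder. Change the path to match yours.
set PATHTOFIXES=C:\Install\Patches
set LOGFILE=%PATHTOFIXES%\installed.log
set COUNT=0

rem Refuse to run without qchain.exe: hotfixes must not be chained
rem with -z unless qchain.exe can sort out the shared system files afterwards.
if not exist "%PATHTOFIXES%\qchain.exe" (
    echo qchain.exe not found in %PATHTOFIXES% - aborting.
    exit /b 1
)

rem Install every hotfix package: -z suppresses the reboot, -m the dialogs.
rem Assumption: only hotfix packages match this pattern, so nothing else
rem in the folder is run by mistake.
for %%F in ("%PATHTOFIXES%\q*_w2k_sp3_x86_en.exe") do (
    echo Installing %%~nxF
    "%%~fF" -z -m
    echo !date! !time! installed %%~nxF>>"%LOGFILE%"
    set /a COUNT+=1
)

if !COUNT! equ 0 (
    echo No hotfix packages found in %PATHTOFIXES% - nothing to do.
    exit /b 1
)

rem qchain.exe must run last: it makes sure the newest version of each
rem system file touched by several hotfixes is the one that survives.
"%PATHTOFIXES%\qchain.exe"
echo !COUNT! hotfix packages installed and chained. Reboot now, then run qfecheck -v to verify.
endlocal
```

After the reboot, compare installed.log with the output of qfecheck -v; every hotfix number in the log should appear in the verified list.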
Tip: If you have a Zip drive or CD burner, take a few extra minutes to save/burn the entire patch directory for safekeeping. That way you'll be prepared for your next clean install. After installing the OS and applying the service pack, simply copy the directory back to the hard drive, run the batch file, and reboot.

You have successfully batch-installed the hotfixes for your system. Even though you spent a few extra minutes downloading and installing the qchain tool and creating the batch file, you saved yourself probably an hour or so of reboot time, making this little operation more than worthwhile. Now that the operating system is fortified, let's move on to the next level of security: virus protection.

Virus Protection

Virus protection is a big issue in Windows. There are currently approximately 60,000 known viruses in existence, and you need two things to protect yourself.

1. Antivirus Software - A good antivirus program will protect you against any known viruses if installed correctly and updated on a regular basis. Ideally it is constantly running in the background, scanning any files you try to open, as well as automatically monitoring incoming and outgoing e-mail for malicious attachments. An excellent freeware (for personal use) solution that does a great job, is user friendly, and includes automatic updating is Grisoft's AVG. You can download this software from Grisoft's web site at http://www.grisoft.com/. You can read a more detailed review of AVG in our review section at http://www.pcnineoneone.com/reviews/sw/avg6.html

2. Common Sense - Against new viruses that are still unknown to your antivirus software, only common sense can protect you. This means that you practice safe e-mail with every e-mail attachment that you receive. DON'T OPEN ATTACHMENTS FROM UNKNOWN SOURCES! We can't emphasize this enough. If you get an e-mail with an attachment from a person you don't know - DO NOT OPEN IT - DELETE IT! If you get an e-mail with an attachment from a person you know but you didn't ask for it and didn't expect it - DO NOT OPEN IT - DELETE IT! If it really was legit, the person will follow up with you or send it again and no harm is done. If it was malicious and you deleted it, you're safe. Viruses can only spread if they are activated. As long as the e-mail is not opened and the attachment is not activated, you're safe.

For more information about virus protection please take a few minutes to read our article about virus protection at http://www.pcnineoneone.com/howto/antivirus.html. You are strongly encouraged to install the antivirus software and practice the rules explained in the article. It can save you from a world of trouble!

Firewall Protection

Any time you're connected to the Internet your PC is exposed to the whole world. If it is not protected properly, crackers can detect the PC, probe it for vulnerabilities, and exploit them to gain access to your machine and either openly wreak havoc by stealing and/or deleting data, or secretly plant malicious code that turns your PC into a zombie that takes part in an attack on somebody's server or network. This issue is especially important for PCs with a high-speed connection to the Internet via DSL or cable modem, because they are prime targets for crackers. To find out how vulnerable your machine is, visit this excellent web site that offers some online tools to test your machine's security. Open your browser, go to http://grc.com/default.htm and click on Shields UP!. Read the information on this page, then click Test My Shields! and Probe My Ports!. These tests check for obvious vulnerabilities of your PC and you might be surprised at the results. Chances are you have a number of open and/or visible ports that can make your machine a target for crackers. You can protect your machine by closing these security holes with the help of a program called a firewall.
Firewall software monitors your Internet connection and filters all traffic to keep undesired traffic out and allow only legitimate traffic through. There are a number of software firewalls available on the Internet and in stores. The one we recommend is Zone Labs' Zone Alarm; we'll go into a little more detail about why this is our favorite in a moment. You can download a free version (for personal use) from Zone Labs' web site at http://www.zonelabs.com. After installing Zone Alarm, go back and perform another Shields UP! test and Port Probe. You should see a big difference and find that all tested ports are now closed and in stealth mode. Since Steve Gibson did an excellent job of explaining firewalls, the tests, and the dangers, and the topic is beyond the scope of this article, we'll refrain from going into more detail at this point, but you are encouraged to read more about this fascinating topic at http://grc.com/su-explain.htm.

Spyware Protection

Another form of attack you have to defend yourself against these days is invasion of your privacy. It can come in the form of software installed on your machine with or without your knowledge that tracks and collects data about you and your computer and sends it back to a central database for processing and analysis, usually by marketing companies for the purpose of more intrusive and annoying advertising. Such software is called spyware. Thankfully there are tools available to help protect yourself from such criminal software. One of the better ones is Lavasoft's Ad-aware. It is also freeware and can be downloaded from Lavasoft's web site at http://www.lavasoftusa.com/. After installing this software you can scan your entire system, including hard drives and registry, for any traces of spyware. If any spyware components are found you will see a list and get the chance to safely remove them from your system. It is recommended to run this utility on a regular basis to keep your system clean and your privacy protected.
Zone Alarm, the software firewall recommended earlier, actually plays an active role in protecting your privacy. Most firewalls are a one-way street: they check only incoming traffic but let anything go out to the Internet. Zone Alarm, however, also controls outgoing traffic and alerts you to any suspicious activity that could indicate that a program on your computer is seeking unauthorized access to the Internet, which can be spyware trying to send data home.

Malicious Script Protection

A lot of e-mail viruses are scripts attached to e-mail. In order to function they need to be executed. The authors of these e-mails and scripts are getting extremely sneaky, trying to disguise the script as something harmless and coaxing you into double-clicking that attachment. To prevent you from accidentally launching a malicious script that was not caught by your antivirus software, or that was delivered to you another way, there is an additional level of protection you can add to your system by installing script monitoring software such as AnalogX's Script Defender. Download and install Script Defender from http://www.analogx.com/contents/download/system/sdefend.htm. Once Script Defender is installed and configured, it will intercept any script type you specified and alert you, giving you the option to allow or deny execution of the script.

Summary

If you followed all the suggestions and links in this article you've probably spent several hours testing, reading, installing, scanning and patching your system. Rest assured that this was time very well spent. You took several huge steps towards a safer computing experience. To summarize, you just protected your system against
- bugs in the operating system
- security holes in the operating system
- security holes in your Internet connection
- invasion of your privacy

Make no mistake though. This article is far from complete. Its intention is simply to make you aware of the major issues and help you take a big first step in the right direction. There are many other things that can be done to improve your system security. While your level of security is a lot higher now, it will never be perfect. There is no bullet-proof version of Windows, and crackers and virus authors are always one step ahead of you. In addition to the security measures discussed in this article you'll still have to be alert, exercise caution, and use common sense.

Your To-Do List

Now that you have established a solid foundation, it is relatively easy to maintain a secure system. All you have to do is perform the following tasks on a regular basis.

Run the Microsoft Baseline Security Analyzer check - Do this once or twice a month to keep track of any security issues and hotfixes that Microsoft has to offer for your version of Windows.

Update your virus definitions - AVG and most commercial antivirus software can be scheduled to automatically check for updates and install them if needed. Take advantage of this feature and schedule regular updates, but double-check frequently to make sure that the updates are actually taking place.

Run the Port Probe and Shields UP! test - Do this once or twice a month to make sure your system is still tightly secured against intruders.

Check for Spyware - Do this as needed, preferably after every software installation, to make sure no unwanted software was introduced to your system.

It's a short list of things to do, and each item only takes a few minutes, but it is worth the time. The possible repercussions if you don't keep your machine secure could be devastating. Make your computing experience a safer one. You now know how.

Links

In addition to this article we have several other useful articles about safe computing on our site. You can find them at http://www.pcnineoneone.com/howto.html#safe computing.
There are a number of excellent web sites that deal with computer security (mostly in regard to Windows). Below are links to a number of recommended computer security web sites.

http://www.securitypointer.com
http://www.firewallguide.com
http://grc.com/
http://www.cert.org/
http://www.microsoft.com/security/

Props to Scotterpops for his suggestions and corrections to this article.

http://www.PCNineOneOne.com