Internet Security Guidelines
May. 31st, 2004 01:12 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
lostcarparkEvery so often people ask me how they should protect their PCs from viruses, worms, hackers and other nasty things. Each time the media picks up on a high-profile attack, I get a spate of such calls (often from the same people). So I thought it would be useful to write up some of the advice I give, so I'll have it in one place and can refer to it. Naturally, as I wrote it up, I thought of more things to add in. I've probably left things out, and would welcome any additions or criticisms in comments below...
1. Configure your hardware in a way that protects you from direct internet access. If your ISP gives you a choice ot "USB" or "Ethernet" for the modem/access point, always choose "Ethernet". This allows you to insert a hardware firewall between your computer(s) and the internet. It may mean you also have to add a network card to your PC, but those are easy and cheap these days. A hardware firewall will set you back €50 to €150 (£35 to £100), but will give you a strong set of outer walls and protect you from direct attacks on your PC. Some of them have a DSL modem built in allowing you to dispense with the USB one from your ISP. Alternatively, if you have an old PC lying around, you can install Linux on it and convert it into a hardware firewall. This may seem overkill, but it is a relatively modest investment for an extra layer of protection.
2. Ensure your operating system has the latest set of patches and security updates. Bugs in operating systems are being discovered every day, and software vendors release patches to fix them. It's very important to install these patches because as soon as the bugs become public, virus writers start trying to take advantage of them. If you're running Windows, go to the start menu and click on "Windows Update" (under Windows XP it's in the "All Programs" menu. The updates are divided into three sections, "Critical Updates", "Windows Updates" and "Driver Updates". I would install everything from the Critical Updates section first, then review what's offered in the other two an decide what I want. If you're running Linux or Unix (kudos to you), there will be a separate update process for that. I would recommend checking for updates at least once a week.
3. Assuming you're running Windows, change a few configuration settings. If you're not on a network, disable file and printer sharing and Windows Messenger. Windows Messenger is often used to send annoying pop-ups (not to be confused with Internet Explorer pop-ups). To disable these, open the control panel from the start menu. In the "Networking" control panel, turn off the "Share Files and Printers" checkbox (the exact place varies between Windows versions). Then go to the "Services" control panel (this may be hidden under "Administrative Tools". Find "Messenger" in the list, click "Stop", then edit properties and change the startup setting from "Automatic" to "Disabled". Find the "Server" service and do the same thing (that is, stop it and disable it).
4. If you're running Windows on a network, you may not be able to make the changes above. If it's a small network, you probably don't need Messenger (however if you have printer notifications enabled, you do), so can disable that. For any workstations that don't need file sharing, you can disable that and disable the Server service, as above. Make sure you have a password set for every user account on the PC if you have file sharing enabled (and even if you don't, a password is not a bad idea).
5. Turn off the "file extension hiding" feature of Windows Explorer. This is used by some virus writers to trick you into thinking a dangerous file type is something harmless like a picture by using a double file extension like ".jpg.exe". To do this, open "My Computer" (or any explorer window) and select the "Tools -> Folder Options" menu item. Find the "Hide file extensions for known file types" checkbox and uncheck it.
6. Even if you have a hardware firewall, but especially if you don't, I'd recommend a software firewall on every PC. This has the advantage that it will tell you about every program that's trying to access the internet. There are any number of good software firewalls. Most of them let you try them out free, and some are totally free. I use ZoneAlarm, which is free (though they try their hardest to persuade to buy one of the "enhanced versions", but if you don't need the extra features, just download the free one). If you run this on a network, you have to set up the IP range of your local computers so it won't interfere with local access. Otherwise, it just asks you every time a new program tries to access the internet.
7. Make sure you have an up-to-date Virus Scanner installed. It's vital to keep it updated as new viruses appear all the time. There are more viruses and worms now than at any time in the (admittedly short) history of computers, and they have more ways of getting on to your PC than ever. A virus scanner will usually check email messages as they arrive, and scan everything on the computer on a daily basis to make sure there are no infected files. When an infected file is detected, it will remove the virus portion fo the file or delete the file.
8. It's also a good idea to install a Spyware Scanner. Various "free" programs will install dodgy software which will monitor your web browsing activity and serve you tailored ads. Most people I know feel their lives are not particularly enhanced by having tailored ads directed at them, and aren't terribly keen on a third party monitoring their browsing habits. Aside from that, these spyware programs often hook into the operating system at a low level, and if there are any program errors they can cause you PC to become unstable. The best thing is not to have them there in the first place, but sometimes they sneak in while we're not looking. The easiest way to get rid of them is with a scanner like AdAware. Run this at least once a week. There are a number of commercial virus scanners, and one of them still offers a free version to download.
9. Consider replacing the default web browser and email client. While a Internet Explorer and Outlook Express are not actually insecure once properly patched, they make little effort to protect the user from some of the common scams on the internet. User vigalence remains essential. It is therefore worth considering using a different web browser and email client that relies less on the user's own awareness. Mozilla, Firefox or Opera are all excellent browsers which far exceed Internet Explorer in terms of standards complience and have better protection against pop-ups and other nusciences. Thunderbird is an excellent email client, with much better protection against nasties that may show up in your In Box.
10. Keep your guard up. Just because you've got your computer and network well set up doesn't mean you can stop paying attention. Don't assume that an email attachment doesn't contain a virus because your virus checker didn't flag it. Always read the body of the email to make sure it sounds like the sender and not an autmoated robot. Never open any attachment unless you know what it is and who sent it (and why). Always double-check the file type of the attachment, being especially cautious of ".pif", ".scr" and ".wmf". Watch out for double extensions like ".jpg.pif". Also beware of websites that attempt to install "Plug-Ins". If a website asks you to install something, check carefully what it is an whether you want it. Often sites try to inatall their "custom browser toolbar", which in the majority of cases you won't actually want. There are also plug-ins to display fancy graphics or 3D logos, and are not necessary to read the information on the site. If in doubt, don't install anything. Always scan for spyware after such installations.
1. Configure your hardware in a way that protects you from direct internet access. If your ISP gives you a choice ot "USB" or "Ethernet" for the modem/access point, always choose "Ethernet". This allows you to insert a hardware firewall between your computer(s) and the internet. It may mean you also have to add a network card to your PC, but those are easy and cheap these days. A hardware firewall will set you back €50 to €150 (£35 to £100), but will give you a strong set of outer walls and protect you from direct attacks on your PC. Some of them have a DSL modem built in allowing you to dispense with the USB one from your ISP. Alternatively, if you have an old PC lying around, you can install Linux on it and convert it into a hardware firewall. This may seem overkill, but it is a relatively modest investment for an extra layer of protection.
2. Ensure your operating system has the latest set of patches and security updates. Bugs in operating systems are being discovered every day, and software vendors release patches to fix them. It's very important to install these patches because as soon as the bugs become public, virus writers start trying to take advantage of them. If you're running Windows, go to the start menu and click on "Windows Update" (under Windows XP it's in the "All Programs" menu. The updates are divided into three sections, "Critical Updates", "Windows Updates" and "Driver Updates". I would install everything from the Critical Updates section first, then review what's offered in the other two an decide what I want. If you're running Linux or Unix (kudos to you), there will be a separate update process for that. I would recommend checking for updates at least once a week.
3. Assuming you're running Windows, change a few configuration settings. If you're not on a network, disable file and printer sharing and Windows Messenger. Windows Messenger is often used to send annoying pop-ups (not to be confused with Internet Explorer pop-ups). To disable these, open the control panel from the start menu. In the "Networking" control panel, turn off the "Share Files and Printers" checkbox (the exact place varies between Windows versions). Then go to the "Services" control panel (this may be hidden under "Administrative Tools". Find "Messenger" in the list, click "Stop", then edit properties and change the startup setting from "Automatic" to "Disabled". Find the "Server" service and do the same thing (that is, stop it and disable it).
4. If you're running Windows on a network, you may not be able to make the changes above. If it's a small network, you probably don't need Messenger (however if you have printer notifications enabled, you do), so can disable that. For any workstations that don't need file sharing, you can disable that and disable the Server service, as above. Make sure you have a password set for every user account on the PC if you have file sharing enabled (and even if you don't, a password is not a bad idea).
5. Turn off the "file extension hiding" feature of Windows Explorer. This is used by some virus writers to trick you into thinking a dangerous file type is something harmless like a picture by using a double file extension like ".jpg.exe". To do this, open "My Computer" (or any explorer window) and select the "Tools -> Folder Options" menu item. Find the "Hide file extensions for known file types" checkbox and uncheck it.
6. Even if you have a hardware firewall, but especially if you don't, I'd recommend a software firewall on every PC. This has the advantage that it will tell you about every program that's trying to access the internet. There are any number of good software firewalls. Most of them let you try them out free, and some are totally free. I use ZoneAlarm, which is free (though they try their hardest to persuade to buy one of the "enhanced versions", but if you don't need the extra features, just download the free one). If you run this on a network, you have to set up the IP range of your local computers so it won't interfere with local access. Otherwise, it just asks you every time a new program tries to access the internet.
7. Make sure you have an up-to-date Virus Scanner installed. It's vital to keep it updated as new viruses appear all the time. There are more viruses and worms now than at any time in the (admittedly short) history of computers, and they have more ways of getting on to your PC than ever. A virus scanner will usually check email messages as they arrive, and scan everything on the computer on a daily basis to make sure there are no infected files. When an infected file is detected, it will remove the virus portion fo the file or delete the file.
8. It's also a good idea to install a Spyware Scanner. Various "free" programs will install dodgy software which will monitor your web browsing activity and serve you tailored ads. Most people I know feel their lives are not particularly enhanced by having tailored ads directed at them, and aren't terribly keen on a third party monitoring their browsing habits. Aside from that, these spyware programs often hook into the operating system at a low level, and if there are any program errors they can cause you PC to become unstable. The best thing is not to have them there in the first place, but sometimes they sneak in while we're not looking. The easiest way to get rid of them is with a scanner like AdAware. Run this at least once a week. There are a number of commercial virus scanners, and one of them still offers a free version to download.
9. Consider replacing the default web browser and email client. While a Internet Explorer and Outlook Express are not actually insecure once properly patched, they make little effort to protect the user from some of the common scams on the internet. User vigalence remains essential. It is therefore worth considering using a different web browser and email client that relies less on the user's own awareness. Mozilla, Firefox or Opera are all excellent browsers which far exceed Internet Explorer in terms of standards complience and have better protection against pop-ups and other nusciences. Thunderbird is an excellent email client, with much better protection against nasties that may show up in your In Box.
10. Keep your guard up. Just because you've got your computer and network well set up doesn't mean you can stop paying attention. Don't assume that an email attachment doesn't contain a virus because your virus checker didn't flag it. Always read the body of the email to make sure it sounds like the sender and not an autmoated robot. Never open any attachment unless you know what it is and who sent it (and why). Always double-check the file type of the attachment, being especially cautious of ".pif", ".scr" and ".wmf". Watch out for double extensions like ".jpg.pif". Also beware of websites that attempt to install "Plug-Ins". If a website asks you to install something, check carefully what it is an whether you want it. Often sites try to inatall their "custom browser toolbar", which in the majority of cases you won't actually want. There are also plug-ins to display fancy graphics or 3D logos, and are not necessary to read the information on the site. If in doubt, don't install anything. Always scan for spyware after such installations.
