Securing Windows Machines

Are you installing a new operating system or cleaning up after a worm or virus? One of the most important things you can do is to insure your machine is clean from the very beginning. If you are installing or reinstalling your operating system, you can be hacked in the time it takes you to go to WindowsUpdate to download and install a patch.

The easy way around this is to download the latest service pack, Norton AntiVirus, and a firewall software, such as ZoneAlarm (at home) or ZoneLabs Integrity (on campus) from a CD. ZoneLabs Integrity is the Enterprise version of ZoneAlarm, and you can download it under a UIC site license using e-sales.

Don't have a PC with a CD writer available to you? The ACCC has Windows machine(s) with CD writers in every Windows public lab.

Only after all the software is installed and your firewall has been configured to have both the Internet Zone Security and Trusted Zone Security set to "High" should you go online to install additional patches and updates.

Windows 2000, XP, and 2003 all support the use of Windows's built-in Automatic Updates, located in the Control Panel. Make sure the first check box, Keep my computer up to date, is checked and choose any of the three options you prefer. The last option -- automatically downloading, installing, and rebooting your system (if necessary) -- is good if you want the process totally automated. Please note that on rare occasions an update has made certain applications unusable. However, I personally have not yet seen that happen to any of the machines here on campus.

In the same way that antivirus software protects your computer from attacks that come via email, a firewall -- either software or hardware -- protects your computer from attacks that come directly from the Internet. You should use a firewall to go along with the protection that your antivirus gives you.

You could buy a hardware firewall -- say a DSL router -- and connect the machine you're working to it. With a private IP, your machine is protected because there wouldn't be any way to communicate with it directly from the Internet.

If you are using Windows XP or Windows 2003 you can use their built-in firewalls. You can enable this feature by going to the Properties dialog box of your Network Connection and clicking on the Advanced tab. (Start -> Settings -> Network and Dialup Connections. Right-click on your network connection, and select Properties, and click the Advanced tab.) Once there, click on the check box to enable the Internet Connection Firewall.

Or you could use a software firewall. For your home machine, check out the five software firewalls compared in the Smart Comparison Firewalls site at http://www.firewallguide.com/software.htm

For on-campus machines belonging to faculty and staff, we now have a site license for Zone Lab's Integrity Desktop, the Enterprise version of Zone Lab's ZoneAlarm firewall. Its program control protects your programs from hackers and keeps hacker programs from doing damage to your computer. It prevents software that hasn't been authorized from sending outgoing email, including email worms. It also has Web privacy features, which control Web cookies, Web bugs, banner ads, pop-up and pop-under ads, animations, and whatever types of active code you want blocked (javascript, vbscript, java, ActiveX, and so on). Use e-sales to download Integrity. It's free.

Download and install Symantec/Norton AntiVirus, which is available at no cost to the entire UIC community for use on any of their computers, Windows or Macs, on or off campus. See http://www.accc.uic.edu/software/antivirus/ for more information.

Configure Norton AntiVirus to update its virus definitions, once a week at the very least. Double-click on the Norton AntiVirus Corporate Edition icon in the Windows System Tray at the bottom right of your monitor. Then go to the File menu and navigate to Schedule Updates. Here you can define how often and at what time Norton AntiVirus will check for updated antivirus definitions. If you schedule it for once a week, schedule it on or after Wednesday afternoon, which is when Norton/Symantec releases their regular updates.

You don't need an account with administrative privileges for most of your day-to-day computer usage such as email and Web browsing. Many of the email and Web attacks take advantage of your use of an administrative account by using your security context to install executables on your machine.

A better way is to log in as a user with limited privileges -- a restricted user. If you need administrative privileges, use the Run As option by holding down Shift while right-clicking on the shortcut or application to install or run it.

You can check and change what group a user belongs to with Users and Passwords, located in the Control Panel. Highlight the user name that you want to check or change and click the Properties button. On the Group Properties tab, you can choose to make them a standard user (who can run and install programs), a restricted user (who can only run programs), or other types of users.

Figure 6: Windows Users and Passwords Start -> Settings -> Control Panel -> Users and Passwords

Ask the ACCC security people what type of machine is most likely to get hacked and they'll tell you without hesitation Windows 2000 machines with no passwords on their administrator account.

So make sure that all your accounts, especially all accounts with administrative privileges, have good passwords. Again use Users and Passwords, located in the Control Panel. In the Users tab, click on the name of the user whose password you want to set or change and click the Set Password... button. Type the new password twice and click OK.

If coming up with a complex password is difficult for you, try a pass phrase instead of password. A pass phrase of "Ilikepeanutbutter" is very complex, even though it doesn't have any numbers or special characters, and should be easy to remember.

For more detailed information on Windows security please see this and last year's REACH security presentation, which can be found at:

http://www.accc.uic.edu/reach/reach/reach2004/reach2004%20-%20windows%20security.pdf

http://www.accc.uic.edu/reach/reach/reach2003/windows-security-full.pdf

Comments are welcome; please send them
to Brian Ng, bng1@uic.edu