ACADEMIC COMPUTING and COMMUNICATIONS CENTER

Securing Your Windows 2000/XP Workstation

Disabling all Unnecessary Network Services
What is a service?

Before you can disable a service on your machine, it helps to understand what a service is. When we say service, we mean a program running on your machine that allows people who are not on your machine to access it and perform some function. For example, if you were running a web server on your machine so other people could connect to your machine and view web pages, that would be a service.

When you are running a service on your computer that allows others access via the network, that service is listening on a port. Each service has a well-known port number that is assigned by an internet agency. For example, telnet listens on TCP port 23 and a mail server will listen on TCP port 25.

Notice that the above says "TCP port 25". Where did the TCP come from? TCP (short for Transmission Control Protocol) is one of the two main protocols that your computer uses to accept connections. The other is UDP (User Datagram Protocol). For each protocol there are 65,535 possible ports for a service to listen on. In other words, since we have both TCP and UDP, there are 65,535 x 2 or 131,070 possible ports for a service to be active on.

Why should these services be disabled?

So why do we care about what ports are being used (open) on the computer? Each port that is open has a program listening on that port and accepting connections from remote computers. If there are bugs in the programs listening on those open ports, or if the programs are not configured properly, many times they can be exploited by the remote user and tricked into doing things that they were never intended to do, such as giving someone more power and control over your computer than they should have.

You may think that if you keep your patches up to date, you will be okay. For the most part, this is true. Unfortunately, hackers are often quicker to exploit newfound bugs than operating system vendors are to patch them. Also, you cannot be sitting at your computer 24 hours a day watching the vendor web sites for patches. Thus, it is in your best interest to minimize the number of services running. In addition, there are a number of services that are known to be weak points but are still in use, either because they are useful or because people are used to using them.

What are the most common services that might be running on my desktop?

For a Windows 2000/XP desktop computer, there is only one common built-in service that you need to be worried about and would want to disable. This service is "Windows file sharing". In addition, there are many programs available that can run as a service on your machine. The most common type of service that people run on their machine (and oftentimes they are not even aware that they are doing so) is peer-to-peer file sharing. Most people have heard of Napster due to its past popularity. These days there are many other programs that offer similar functionality and they, like Napster, allow other people to download files from your machine. This is done by having your computer act as a server as well as a client.

How can these services be disabled?

Windows file sharing can be disabled by right-clicking on any icon you see while browsing your files that has a hand underneath the icon. After right-clicking, you can click on the "File Sharing" menu selection. On the file sharing menu select the "not shared" box and click "OK".

Disabling services that are started in the Startup menu

The first place to check for services that are started is in the Startup menu. To look at what programs are being started in the Startup menu in Windows, try the following:
In addition, there are other ways to start services on Windows machines. These invariably involve system files that, if modified incorrectly, could cause your machine to not boot. If you suspect that there is a problem with your machine in this regard, contact your department's administrator or the CSO for help.
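To see which ports on a workstation actually have a program listening, as described above, you can capture the output of `netstat -ano` and pick out the listeners. The following is an added example, not part of the original page: the sample output is constructed, the `-o` PID column assumes a netstat that supports it, and the file sharing port numbers (137, 138, 139, 445) are the well-known ones rather than values taken from this page.

```python
# Added example: find listening ports in captured `netstat -ano` output.
# SAMPLE is constructed; addresses and PIDs are made up for illustration.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       1520
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1045      198.51.100.7:80        ESTABLISHED     2044
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.10:137       *:*                                    4
"""

# Ports named on the page (23, 25) plus the well-known Windows file sharing ports.
KNOWN = {23: "telnet", 25: "mail server", 137: "Windows file sharing",
         138: "Windows file sharing", 139: "Windows file sharing",
         445: "Windows file sharing"}
LOOPBACK = ("127.", "[::1]")  # reachable only from the machine itself


def parse_listeners(text):
    """Return one dict per listening TCP port or bound UDP port."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        # TCP rows carry a State column; UDP rows do not (UDP has no connections).
        if fields[0] == "TCP" and fields[3] != "LISTENING":
            continue
        addr, _, port = fields[1].rpartition(":")
        if not (port.isdigit() and fields[-1].isdigit()):
            continue
        found.append({"proto": fields[0], "addr": addr, "port": int(port),
                      "pid": int(fields[-1]),
                      "service": KNOWN.get(int(port), "unknown")})
    return found


def network_reachable(listeners):
    """Drop loopback-only listeners; the rest accept traffic from other machines."""
    return [l for l in listeners if not l["addr"].startswith(LOOPBACK)]


if __name__ == "__main__":
    for l in network_reachable(parse_listeners(SAMPLE)):
        print(f'{l["proto"]:4}{l["port"]:>6}  pid {l["pid"]:<6}{l["service"]}')
```

Any row that remains after the loopback filter is a port other machines can try to connect to; the PID column tells you which program to look up before deciding whether to disable it.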

Install and Run a Personal Firewall

These days there are many hackers on the internet who scan computers (try to
access the ports on them) using programs called scanners.
They might scan all of the ports on your machine or only one specific port. They're
looking for a way to take control of your machine.

You might have heard of a firewall before. In the car sense, it is the line of defense between the passenger portion of a vehicle and the engine compartment. The idea is that it is a place to stop the fire from getting to you in the driver's seat. Similarly, a computer firewall is designed to keep the hackers from getting at your computer. A slight difference between your car and a computer, though, is that in the computer scenario you not only want to stop the traffic from the internet to your computer, but also traffic from your computer to the internet.

Why, you ask? One trick of hackers is to include their "bad" program inside another "good" program that you purposely download from the internet. This type of bad program is known as a trojan (per the Trojan horse of Greek mythology). When you receive a program that is infected with a trojan, executing it causes the trojan to be installed on your computer. Obviously the program needs to communicate with the person who sent it to tell them that your computer is now infected, and it will attempt to do this over the internet. If you have a firewall installed, however, you can keep the trojan from ever being able to communicate with the outside world, which will keep your machine safer.

Needless to say, running a personal firewall on your computer does not mean that you no longer need to be careful or that you don't need to run and keep up to date your antivirus software.

There are many personal firewalls available for Windows these days. UIC has a site license for ZoneLabs Integrity Desktop firewall product for faculty and staff. For the rest of us, some vendors offer free basic versions of their firewalls that you can download and install. Some of the more popular Windows firewalls are:

See Securing Your Internet Connection for firewalls for Macs, and links to more information.

Apply Patches

The application of patches to your system on a timely basis is crucial to the security of your system. Some versions of Windows come with a program called Windows Update installed. This is by far the easiest way to download and install patches to your system. To use Windows Update, click on the Start Menu and find the icon that says Windows Update next to it. Click on this to start the process.

Some older versions of Windows (such as Windows 95) did not come with Windows Update, so if you do not see the icon, you probably have one of these older versions. The only alternative in this case is to go to Microsoft's web site and search it for the appropriate patches to download.

2004-11-20 security@uic.edu