Securing your Windows TM computer.
Unfortunately, Windows computers still come with default settings that favors
usability and ignores security. The fact that Microsoft changed the default
setting on the Firewall that comes with Windows XP SP2 from "disabled" to
"automatic" doesn't really change a whole lot. There's still quite a few things
that are not configured correctly, and I'll try to go over some of this here.
1. Install operating system on an NTFS partition.
It is preferable to install the OS on an NTFS partition. This way, access to
files are restricted. If the OS is installed on FAT or FAT32 partition, it is
still possible to convert to an NTFS partition, but you won't have the default
restrictions on files and folders.
2. Changes to local security policy.
The first thing you should consider doing is importing on of the Local
Security Policy templates that comes with your computer. These templates are
located in the %systemroot%\security\templates folder. On a new Windows XP
installation that would be C:\windows\security\templates.
To open the Local Policy Editor, click start -> Run, then type gpedit.msc.
There are several templates in there, but we'll focus on the ones for
workstations. The templates are compatws, securews
and hisecws. There's also a Setup security
template, which contains the default settings that the OS uses out of the box.
For a more secure installation of Windows, you should choose either the securews
or the hisecws templates. I recommend going with the securews
template, as it has all the necessary settings in it to make your computer more
secure than the default configuration. The difference between the securews
and hisecws templates is that the later enables auditing of many
more events, prevents caching of logons (only applicable to domains), clears out
the name of the last person logged in and also clears out the pagefile. Using
the hisecws template may also break file and print sharing, especially if you
are also running older versions of Windows.
Here's a few of the changes that are made by using these templates:
- Password minimum length is set to 8.
- Passwords must meet complexity demands.
- Password must be changed every 42 days.
- Old passwords cannot be reused.
- 5 incorrect passwords locks out the account for 30 minutes (indefinitely
- Access to Event logs are restricted, and the size of the Security log is
- Auditing is enabled for most types of events.
- Anonymous users can't see names of shares or list user names.
This may not sound like much, but there are more things that are changed that
are of less significance. The above settings are things you would have to
manually add either in the Local Security Policy or in the registry, and
importing this file certainly makes this easier.
3. Disable unnecessary services.
The easiest way to disable services on your computer is through the services
control panel. Perhaps the quickest way of getting there is to right-click on
"My Computer" and select Manage from the menu, or click on Start, select
"Run" then type in gpedit.msc. Either way, you'll get access to the
services. Another option is to control this through Group Policies, but that
only applies to computers in a Domain. The following recommendations are for
stand-alone computers or computers in a small home or SOHO network. Now, here's some of the services you
should consider disabling:
- Server. This service allows other computers to access shared
files, folders and printers. If you don't intend to share any files or
printers with any other computer on your network, then you should disable
this service. Disabling this service will also shut down the Computer
- Computer Browser. This service just keeps track of computers on
the network and makes sure that the master browser on the network gets this
list. If you don't do any sharing of resources on your network (printers or
files), then this service can safely be disabled. If you have disabled the
Server service, this service will not start.
- Remote Registry. Allows remote access to your registry! This is a
no-no! Unless you have restricted access to this in the registry and have a
definite need to view/modify the registry on your computer from another
computer, you should turn this service off. Set it's startup type to
- Messenger Service. Not to be confused with either Windows
Messenger or MSN Messenger (which are Instant Messenger applications), this
service is responsible for popping up messages on the screen when certain
events takes place, such as messages from the Alerter service. If you don't
have a firewall, this service must be disabled, is it is abused by spammers
to send spam directly to your desktop.
- Alerter. This service is used to notify certain users of
administrative alerts. Works with the Messenger service that we disabled
- Clipbook. Allows remote access to your clipbook. Turn it off
unless you have a specific need for it.
- Infrared Monitor. If your computer has an infrared device, this
service will be installed and running. If you are not using this infrared
device for anything, disable this service.
- IPSec Services / IPSec Policy Agent. Name depends on your OS.
Unless you are using the built-in IPSec services for VPN access or for
encrypting local network traffic, then disable this service.
- Telnet. Disable this service unless you have a very specific
reason for needing telnet access to your computer.
- Routing and Remote Access. Disable this unless you have a
- SSDP Discovery Service. This is the UPnP discovery service. If
you disable this, your computer will stop looking and listening for UPnP
devices that you may have on your network. If you don't have such devices or
you simply don't want to use the UPnP features, disable this service.
- Windows Firewall/Internet Connection sharing. If you don't have
Windows XP SP2, then it'll simply be Internet Connection Sharing. If your
computer is behind a firewall or a NAT router, or you have a third-party
firewall installed on your computer, then you can safely disable this
- Wireless Zero Configuration. Unless you have a wireless network
card in your computer, you can disable this service.
4. Disable DCOM.
This is another service that is unnecessary for most users. It can safely be
disabled without any adverse affect for most users. Follow the instructions in
KB Article to disable this service. If something doesn't work afterwards,
simply reverse the procedure. I strongly recommend using the dcomcnfg.exe tool.
5. Use anti-virus software. Always.
This is an absolute necessity today; get your hands on some good anti-virus
software. Not everything has to cost money either, there are a number of free
solutions available for home users.
6. Consider alternative web browsers.
Even if Internet Explorer looks pretty and comes with your Windows computer,
you really should consider using a different browser. Historically, there have
been so many problems with Internet Explorer that many people in security have
given up hope that it'll be fixed. So, it's time to go looking for an
alternative web browser. The three leading candidates at this moment are:
- Mozilla Firefox. A very good and
popular browser. May be incompatible with some sites that are specifically
designed to only work in IE. I love the RSS (Live Bookmarks) feature. On the
downside, it seems to have some problems with pages with heavy flash
- Netscape. The good old Netscape
browser is still around, and still has a large fan base.
- Opera. A Norwegian product. This is
technically ad-ware, unless you pay for it. The free version will display
some ads on a reserved area on top of the browser. Some might find that
annoying, personally, I never noticed it...
7. Be careful with that e-mail.
Just as many are taking issue with Internet Explorer, many are having the
same concerns regarding Microsoft Outlook and Outlook Express. To put it very
simply, Outlook and Outlook Express may execute code that arrive via e-mail
(either contained in the message or just linked to). This may allow the
installation of software on your computer. Now, that's not good. There's two
ways to avoid this problem:
- Use an alternative e-mail client. There are so many e-mail programs out
there that will allow you to send and receive e-mail without the fear of
what Outlook or Outlook Express may or may not do to your computer.
- Learn to use Outlook or Outlook Express in such a way that it is less
likely to cause any problems to your computer.
First things first, here's a quick list of alternative mail clients.
- Mozilla Thunderbird.
From the makers of Firefox comes an e-mail client that is getting about as
much good press as the browser.
- Netscape. Good old Netscape comes
with an e-mail client.
- Opera. This browser also comes with a
built-in e-mail client.
- Eudora. This e-mail client has been
around since the beginning of time. A well-liked, well-supported e-mail
client with a number of features that'll keep your inbox spam-free.
Despite much of the hoopla over Outlook and Outlook Express, these
e-mail clients still have a lot to offer, but unfortunately, the default
settings leaves a lot to be desired. Here's a few steps you can take to
re-claim your mailbox using Outlook and Outlook Express.
- Disable all preview features. This includes the AutoPreview and the Reading
Pane features. At the very least, these features should be disabled on your
- Learn how to use the rules to sort your mail. Create rules to automatically
move mail to different folders. For instance, newsletter can be moved to
individual newsletter folders within another Newsletter folder. This way, you
can enable the Reading Pane and/or the AutoPreview feature for these folders.
- Consider using Plain Text to view all messages. In Outlook, go to the
Options dialog box, and click on E-Mail Options on the Preferences tab. There's
a checkbox for enabling reading all messages in plain text. This can improve
blocking viruses and malicious scripts.
- Set the spam-filter on "High". Even if there's an increased chance of false
positives, it's definitely worth it to get all the junk moved out of your Inbox
and into the Junk E-Mail folder.
- Consider blocking e-mail from certain countries and using certain types of
encoding. Even though the U.S. is the
biggest source of spam, blocking messages from some countries may improve
your chances of blocking spam and messages with malicious scripts. The same goes
for e-mail using different language encoding. For instance, Asian and Cyrillic
characters. Unless you have friends or family that are likely to send you
e-mails using these character sets, it's fairly likely that any e-mails with
those types of encoding will be spam. The same can be said about e-mail from
countries such as Brazil, Hungary, China, Korea and a the Netherlands.
Obviously, don't block countries in which you have friends or family, as that
would prevent them from e-mailing you.
- Compose e-mails using plain text format. HTML is pretty, but it may also
include things that people don't want. And, if they are converting it to plain
text on the receiving end anyways, why go through the trouble?
8. Consider getting a NAT router.
Last, but not least, getting a NAT router will certainly improve your
security regardless of your Operating system. Simply put, the NAT router
prevents any traffic from the outside to reach your computer. The exception is
any traffic that are considered to be a response to any action you have taken.
For instance, when you request a web page, the router will allow any traffic in
that is a direct response to this request, while still preventing any
unsolicited traffic from coming in from the outside.
A NAT router is not a perfect solution, and most of these cheaper routers
(also called Broadband routers) does not prevent any traffic getting out. Since
there are more and more spyware and other malware that are making outbound
connections, these routers doesn't offer much protection against these types of
"attacks". However, it is still a worth-while investment to make. Combining the
router with some common sense (some of which I hope you have learned from this
article), you should fairly safe on the Internet, even with Windows and Internet
There are more powerful devices available as well. These are called Firewall
Appliances or Hardware firewall. These will block inbound and outgoing
connections as well as offer extended logging and other features that means
these devices offer better protection for your computer and network than the
cheaper NAT routers. But, these are often more expensive than what a home user
are willing to spend. Yet, if you are interested, here's a couple of links.
- Watchguard SOHO 6.
Comes in a couple of variations, with and without wireless access point. The
price tag on the non-wireless model is around $275(US).
- Sonicwall TZ 150.
A good firewall from Sonicwall, a leading provider of firewalls for many years.
This model will set you back about $330(US).
Zywall 10. Same class of device as the two above. Price tag is about
These are not all the products available, but just a short list of
products that are getting good ratings from the user community. For a
more comprehensive list of available and certified firewalls, take a
ICSA Labs web pages.
© 1999 - 2005 Lars M. Hansen