Wireless Group Policy WLAN Radius Part 3 WLAN Radius Config WLAN Client Config Linksys BEFSR41 Firmware Linksys BEFSR41 101 Linksys WAP54G config More Linksys BEFSR config Security how-to Writing DNS Zonefiles Is ZoneAlarm Spyware? Linksys Wishlist Sendmail spamblock Bind


Privacy Feedback

Securing your Windows TM computer.

Unfortunately, Windows computers still come with default settings that favors usability and ignores security. The fact that Microsoft changed the default setting on the Firewall that comes with Windows XP SP2 from "disabled" to "automatic" doesn't really change a whole lot. There's still quite a few things that are not configured correctly, and I'll try to go over some of this here.

1. Install operating system on an NTFS partition.

It is preferable to install the OS on an NTFS partition. This way, access to files are restricted. If the OS is installed on FAT or FAT32 partition, it is still possible to convert to an NTFS partition, but you won't have the default restrictions on files and folders.

2. Changes to local security policy.

The first thing you should consider doing is importing on of the Local Security Policy templates that comes with your computer. These templates are located in the %systemroot%\security\templates folder. On a new Windows XP installation that would be C:\windows\security\templates.

To open the Local Policy Editor, click start -> Run, then type gpedit.msc.

There are several templates in there, but we'll focus on the ones for workstations. The templates are compatws, securews and hisecws. There's also a Setup security template, which contains the default settings that the OS uses out of the box. For a more secure installation of Windows, you should choose either the securews or the hisecws templates. I recommend going with the securews template, as it has all the necessary settings in it to make your computer more secure than the default configuration. The difference between the securews and hisecws templates is that the later enables auditing of many more events, prevents caching of logons (only applicable to domains), clears out the name of the last person logged in and also clears out the pagefile. Using the hisecws template may also break file and print sharing, especially if you are also running older versions of Windows.

Here's a few of the changes that are made by using these templates:

This may not sound like much, but there are more things that are changed that are of less significance. The above settings are things you would have to manually add either in the Local Security Policy or in the registry, and importing this file certainly makes this easier.

3. Disable unnecessary services.

The easiest way to disable services on your computer is through the services control panel. Perhaps the quickest way of getting there is to right-click on "My Computer" and select Manage from the menu, or click on Start, select "Run" then type in gpedit.msc. Either way, you'll get access to the services. Another option is to control this through Group Policies, but that only applies to computers in a Domain. The following recommendations are for stand-alone computers or computers in a small home or SOHO network. Now, here's some of the services you should consider disabling:

4. Disable DCOM.

This is another service that is unnecessary for most users. It can safely be disabled without any adverse affect for most users. Follow the instructions in this MS KB Article to disable this service. If something doesn't work afterwards, simply reverse the procedure. I strongly recommend using the dcomcnfg.exe tool. 

5. Use anti-virus software. Always.

This is an absolute necessity today; get your hands on some good anti-virus software. Not everything has to cost money either, there are a number of free solutions available for home users.

6. Consider alternative web browsers.

Even if Internet Explorer looks pretty and comes with your Windows computer, you really should consider using a different browser. Historically, there have been so many problems with Internet Explorer that many people in security have given up hope that it'll be fixed. So, it's time to go looking for an alternative web browser. The three leading candidates at this moment are:

7. Be careful with that e-mail.

Just as many are taking issue with Internet Explorer, many are having the same concerns regarding Microsoft Outlook and Outlook Express. To put it very simply, Outlook and Outlook Express may execute code that arrive via e-mail (either contained in the message or just linked to). This may allow the installation of software on your computer. Now, that's not good. There's two ways to avoid this problem:

First things first, here's a quick list of alternative mail clients.

Despite much of the hoopla over Outlook and Outlook Express, these e-mail clients still have a lot to offer, but unfortunately, the default settings leaves a lot to be desired. Here's a few steps you can take to re-claim your mailbox using Outlook and Outlook Express.

8. Consider getting a NAT router.

Last, but not least, getting a NAT router will certainly improve your security regardless of your Operating system. Simply put, the NAT router prevents any traffic from the outside to reach your computer. The exception is any traffic that are considered to be a response to any action you have taken. For instance, when you request a web page, the router will allow any traffic in that is a direct response to this request, while still preventing any unsolicited traffic from coming in from the outside.

A NAT router is not a perfect solution, and most of these cheaper routers (also called Broadband routers) does not prevent any traffic getting out. Since there are more and more spyware and other malware that are making outbound connections, these routers doesn't offer much protection against these types of "attacks". However, it is still a worth-while investment to make. Combining the router with some common sense (some of which I hope you have learned from this article), you should fairly safe on the Internet, even with Windows and Internet Explorer.

There are more powerful devices available as well. These are called Firewall Appliances or Hardware firewall. These will block inbound and outgoing connections as well as offer extended logging and other features that means these devices offer better protection for your computer and network than the cheaper NAT routers. But, these are often more expensive than what a home user are willing to spend. Yet, if you are interested, here's a couple of links.

These are not all the products available, but just a short list of products that are getting good ratings from the user community. For a more comprehensive list of available and certified firewalls, take a look at ICSA Labs web pages.

1999 - 2005 Lars M. Hansen