July 19, 2005

Curious George: Computer security. Can anyone point me to a geeky resource that shows all the points to hit for hardening a personal Windows 2000 computer from exploits?

I want something besides "get a firewall"; rather something that will show me exactly the things I need to do to tighten up a fresh Windows 2000 installation, nebulous stuff like denying TFTP access, and that suggests good tools like HijackThis. I've found it's amazingly easy to get pwned by just hooking up to dialup or public WiFi, and I have no confidence that I have all my bases covered.

  • Also, for the record, I am not pooh-poohing the firewall ... Kerio is the first thing going on the new OS.
  • Feh! I clicked on this story specifically to post "get a firewall." So I will. Get a firewall! And not some 'personal firewall' running on the same machine. Get a *dedicated* firewall box. I've heard reports of windows personal firewall software being deactivated by viruses - so if malware comes in via email - it can let itself back out by disabling the firewall program. A dedicated non-windows firewall box makes sense for a few reasons:
    • most malware thrives in monoculture environments. two different OSs is a great start to a safer computing experience.
    • the external firewall box seen by the net is different from your internal box. If the world sees your computer as a BSD/*nix box, it may be less of a target to the scriptkiddies out there.
    • the firewall is *NOT* running on the same computer as your everyday computer - useful for both safety and performance.
    Once you have a good firewall set up, you can pretty much attach completely unsecured windows boxes to the net through it and not ever worry about remote exploits. There are a number of linux/bsd firewall distros which attempt to be friendly (though I have no personal experience with them). My firewall solution is a very old p166 (MMX!) running *nix with iptables. Sorry for posting "get a firewall" when it is exactly not what you wanted. (Disclaimer - My free advice is worth only half of what you paid for it.)
  • We have a router... is the firewall on that good enough?
  • Depends on the ruleset on what it blocks/allows etc I suppose. The most powerful rule on my firewall is "do not allow stuff to connect inwards unless it's part of a connection I started outwards" - so basically nothing can be initialised from the outside on any port (except for the few ports that I have forwarded for p2p stuff). If your router allows you to "block everything (but leave ports X,Y & Z open)", then it's probably fine for personal stuff. If this is the case, then I would run a personal firewall as well - just to be sure. Besides the dedicated firewall, my only other windows advice is to turn off *EVERYTHING*. Then start enabling things until your box works the way you want. Then store a drive image of this somewhere. Sorry I can't really be more help, but once you put a good firewall in, you sort of negate the need for most other hardening measures. (Disclaimer: my main box runs *nix, so it isn't that much of a target anyways)
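  An iptables ruleset in iptables-restore format that implements the rule the comment above describes (drop everything inbound unless it belongs to a connection started from inside, plus one forwarded p2p port). This is an added example, not the commenter's own configuration; the interface names (eth0 = Internet side, eth1 = LAN side), the LAN host 192.168.1.10, the p2p port 6881 and the LAN-only SSH rule are all assumed.

```text
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Forward one p2p port (assumed 6881) from the Internet side to an assumed LAN host
-A PREROUTING -i eth0 -p tcp --dport 6881 -j DNAT --to-destination 192.168.1.10:6881
# Hide the LAN behind the firewall's public address (NAT)
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
# Default policy: drop anything not explicitly allowed, both to the box and through it
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# The key rule: only accept packets that are replies to a connection we started
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Admin access to the firewall itself only from the LAN side (assumed eth1)
-A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
# Let the LAN go out, and let the replies come back in
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
# The only unsolicited inbound traffic allowed through: the forwarded p2p port
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.10 --dport 6881 -j ACCEPT
COMMIT
```

  Load it with `iptables-restore < rules.txt`; every other port stays closed from the outside, which is what makes the unpatched Windows boxes behind it unreachable for remote exploits.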
  • Besides the dedicated firewall, my only other windows advice is to turn off *EVERYTHING*. Then start enabling things until your box works the way you want. Sound advice and I would also add that when you are doing your regular computing tasks (Surfing, email, etc) you run with limited rights and only log in as an admin when you need to. Running as a super user all the time is the biggest security hole with Windows. For dedicated firewall products, Smoothwall is a solid Linux based one that is free. FWIW, I'm a Windows sysadmin by day and a Linux user by night. :-D
  • I second the Smoothwall recommendation. In addition to that, this whitepaper has proven useful in the past: Building a Windows NT Bastion Host in Practice Hope this helps.
  • This is almost completely off-topic but greasemonkey security warning for anyone who needs to know.
  • (Disclaimer: my main box runs *nix, so it isn't that much of a target anyways) Maybe I was just unlucky, but my previous linux box (RH7) was hacked (that's right, root) right thru the router, when only 23 and 80 were open...
  • This google search should help you out plenty. The labmice.net checklist doesn't look too bad at first sight.
  • I would say if you are that worried, ditch Windows. Seriously unless you absolutely need it for something go Linux. You can put hundreds of patches on it, a full firewall, and all kinds of other bandages and it will STILL be vulnerable. Not to say Linux doesn't have its weak spots as well (see techsmith's comment above) but it's a much better place to start and a learning experience as well.
  • Linux is BULLSHIT, moran. He was always sucking on that damn blanket, and then Lucy would just come up and - WHAM! God Snoopy is cool.
  • I check my computer weekly using Lavasoft's Ad-Aware, and Spybot Search & Destroy. Spybot has a resident shield that allows you to deny a change that will hijack your browser. The folks over at Castle Cops always are helpful when things get gnarly. They'll let you know which things to delete when HijackThis comes up with some strange entries. These are all things you do after you are compromised...
  • Slashdot recently had a story about Windows 2000, including a link to an article about trimming it down. The article is really about running Win2K on modest hardware, not about securing it. As such, it includes advice that's very poor from a security point of view (like, "Don't install updates and service packs," for example). But it also lists services and features that may be turned off (along with instructions for doing so) without affecting the day-to-day operation of a typical desktop PC. I don't know for certain that turning off any of these items will improve security (by closing ports, for example), but it probably couldn't hurt. My own Win2K desktop runs a software firewall which recorded (and deflected) hundreds of attempted accesses per day, until I got a home-networking router. Every now and then, some UDP packets will come through the router (which as far as I can tell, can't be configured to block UDP), but otherwise, the software firewall is silent - the router's address translation (NAT) blocks virtually all the worm-type attacks (the hands-off, no-user-action-required-for-infection type) out there.
  • The Kerio Paradox: When you install it, it asks for access to the Internet so it can download the Microsoft Installer wrapper. Thus it requires you to open up to the Internet without a firewall before you can install the firewall. That's just brilliant.
  • On another note (seeing as Monkeyfilter is so slow today) I will add that I have an empty "junk laptop" that I take to use on an Earthlink dialup connection on our rural property. Every time I took that laptop out there it got pwned in mere minutes. Eventually I put Ethereal on it and noticed a fantastic amount of port scanning going on, and realized it had no firewall and had the admin logins at default values. That was an awesome demonstration of how security-weak Windows 2000 really is. And it seems the IP ranges on Earthlink dialup are being absolutely hammered, presumably because Joe Sixpacks on dialup don't have the firewall benefit of routers. An excellent breeding ground for worms. I have no idea whether the same thing is going on with our Sprint DSL, since we always use a Belkin router at home. The little laptop got an OS reinstall and Kerio, locked tight.
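  The "fantastic amount of port scanning" the commenter saw in Ethereal can be picked out of a capture automatically. This is an added example, not the commenter's code: it runs a simple scan detector over a constructed, simplified one-line-per-SYN capture summary (not real Ethereal output) and flags any source that probes many distinct ports on one host within a short window.

```python
"""Flag port scans in a simplified packet capture summary (added example)."""
from collections import defaultdict

# Constructed sample, one inbound TCP packet per line:
# "timestamp src_ip dst_ip dst_port tcp_flags". Not a real capture.
SAMPLE_CAPTURE = """\
1121800000.10 203.0.113.7 198.51.100.22 135 S
1121800000.11 203.0.113.7 198.51.100.22 139 S
1121800000.12 203.0.113.7 198.51.100.22 445 S
1121800000.13 203.0.113.7 198.51.100.22 1025 S
1121800000.14 203.0.113.7 198.51.100.22 3389 S
1121800000.15 203.0.113.7 198.51.100.22 5000 S
1121800005.00 192.0.2.40 198.51.100.22 80 S
1121800120.00 192.0.2.40 198.51.100.22 80 S
1121800300.00 203.0.113.9 198.51.100.22 445 S
1121800310.00 203.0.113.9 198.51.100.22 135 S
"""


def parse_capture(text):
    """Parse summary lines into (timestamp, src, dst, dport, flags) tuples."""
    packets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines rather than crash
        ts, src, dst, dport, flags = parts
        packets.append((float(ts), src, dst, int(dport), flags))
    return packets


def find_scanners(packets, window=60.0, min_ports=5):
    """Return {src: sorted_ports} for every source that sent bare SYNs to at
    least `min_ports` distinct ports on a single host within `window` seconds."""
    syns = defaultdict(list)  # (src, dst) -> [(ts, dport), ...] for SYN-only packets
    for ts, src, dst, dport, flags in packets:
        if flags == "S":
            syns[(src, dst)].append((ts, dport))
    scanners = {}
    for (src, dst), events in syns.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct ports hit within `window` seconds of this SYN
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return scanners
```

  A single repeated connection to port 80 (192.0.2.40 above) is not flagged; six ports probed in a fraction of a second from one source is, which is the signature worth alerting on when a freshly installed box is put on an unfiltered dialup or public WiFi link.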
  • Just don't do stuff that will get you spyware or viruses. That might sound like a smart-ass remark but seriously, the only time I have ever gotten either is when I totally deserved it - running shady exe's off Limewire, or going to shady sites looking for serial #s... when I discipline myself to not do those things, I'm totally fine. As for Adaware and such, I find them useless - they catch a lot but never exactly what you need them to catch. If you can find out the name of the Spyware (a lot of them tell you), Google it and find a specific solution from a reputable source...
  • Maybe you want Security Configuration Guides from the NSA? If not, just keep your computer behind a router and don't download anything that other people send you. If my little sister can grok this, then you can too...
  • Just don't do stuff that will get you spyware or viruses. What, like use software? (I was going to say "What, like use Microsoft software?" but that sounds inflammatory.)
  • or what Capt. Jean-Luc Pikachu said...
  • Get a Linksys router. Any attempts at intrusion stop when they can't see beyond the router. If this is a home machine, a firewall is an unnecessary expense unless you have an entire network to protect. Software firewalls are not really firewalls - they're packet filters and they're next to useless if they're running on the machine they are protecting. Seriously, a router is your best reasonable defense. Any of them will work, but Linksys is the most popular because they're cheap, easy to set up and require no maintenance.
  • Plus, most Linksys routers (at least mine does) include software that allows you to connect more than one computer to the web via one cable/dsl/whatever connection.