A Couple of Notes about Computer Security...
17 years ago
Lately I've seen a load of crap being given under the guise of "advice" to people who are suffering computer troubles, so here's my quick and dirty guide to both keeping a computer running and fixing it when it gets borked.
SECURITY
If you're a Windows user you've no doubt realized that because you and everybody else run the same operating system, you're a target. If you're a sucker for propaganda you go buy a Mac; if you're not and are still scared you might attempt Linux or one of the other 'nixes. If you're still here you're either confident in your security, just ignorant of your nakedness, or maybe a prime candidate to read this journal and learn a few things.
So what do you need to keep a Windows machine secure? Well, an internet connection for one. Odd as it sounds, you need the internet to keep your machine up to date, as every year hundreds of patches fixing everything from security flaws to stability issues are released. Most of these don't affect you or only affect you under x, y and z conditions; nevertheless this leads us to the first guideline of security: always stay current on your patches and updates. In Windows XP or Vista this is easy: just turn on Automatic Updates and your computer does it for you. If you have Office installed it is imperative that you get patches for it too. On Vista it will offer to do this for you; on XP you will have to navigate to http://update.microsoft.com and select the option to use "Microsoft Update" instead of Windows Update. This will ensure all MS products on your system are patched and up to date.
Guideline the second: you need a firewall. The irony here is that Windows XP SP2 and SP3 have the best firewall for Windows XP, and an updated version of that same firewall exists in Vista. Tests have shown that third-party firewalls such as Norton, ZoneAlarm, etc. are actually less secure than the one Windows ships with. To those who argue "but, but X firewall allows me so much control!!" I say go to Control Panel -> Administrative Tools -> Local Security Policy -> Windows Firewall with Advanced Security and have a field day.
Third: you do need an anti-virus (OK, there are exceptions to this rule, but in general, unless you know what you're doing, which you likely don't, don't try running without one). Personally I recommend Avast!, which is free, works, and provides features that even Norton leaves out, such as script blocking and mail scanning. It's fairly lightweight, doesn't tend to cause problems, and updates itself regularly (note the auto update!!! This is a good thing!!).
Browsers:
This is interesting and very debatable... but the fact of the matter is that any browser is really as good as the next provided it's a current-generation browser (i.e., using IE 6 isn't really a good idea, same as Firefox 2, etc.). Again patching enters the picture: keep your browser patched and be secure. Oh, and a very important side note: NO MATTER HOW SECURE YOUR BROWSER IS, IF YOU HAVE AN OLD VERSION OF ADOBE FLASH YOU MIGHT AS WELL HAVE A TARGET ON YOUR FOREHEAD. There are several critical Flash vulnerabilities that have been the bane of many a computer.
Hardware:
Newer hardware supports newer features to protect you; the easiest one is called Data Execution Prevention (DEP). Many viruses come down as "data" but then try to execute as code. DEP flags each of these regions in memory; if a virus tries to call into something marked "data", the CPU prevents it and tells the OS, which kills the program and gives you a little error message saying why. To turn it on go to Control Panel -> System -> Advanced (Vista users will have to do this twice because of UAC) -> the Settings button under Performance under the Advanced tab -> the tab marked Data Execution Prevention. If the little radio button doesn't indicate that DEP is on for all programs, set it so and click Apply. Windows will tell you that you have to restart to apply the change, or will pop up a little box telling you your processor doesn't support it. Click OK and restart. Congratulations, you're now protected against most viruses right there.
Users:
Strictly speaking, on XP you should have two users: an administrative account that installs software and does other system maintenance, and a regular user that you work with. Because nobody ever does this, Vista got User Account Control (UAC), which did this for you without your having to actually switch users every time. However, UAC got a bad rap because it did its job and made sure security rules were enforced, and people foolishly turned it off. MS realized this and scaled UAC back to reasonable levels in SP1 for Vista. Thus if you have UAC turned off you have just removed the biggest safeguard against an attacker you had.
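A read-only check of the settings recommended above (Automatic Updates, the Windows firewall, DEP and UAC), added here as an example and not part of the original journal. It assumes Vista or later with PowerShell 2.0 or newer; the function names are made up for illustration, and the registry values it reads are the local settings, which Group Policy can override.

```powershell
# Added example: read-only audit of the settings this guide recommends.
# Function names are illustrative. Nothing here changes any setting.

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is missing instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-AutoUpdateMode {
    # AUOptions: 1 = never check, 2 = notify only, 3 = download then ask, 4 = install automatically
    $au = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $names = @{ 1 = 'Off'; 2 = 'NotifyOnly'; 3 = 'DownloadOnly'; 4 = 'Automatic' }
    $v = Get-RegValue $au 'AUOptions'
    if ($v -ne $null -and $names.ContainsKey([int]$v)) { $names[[int]$v] } else { 'Unknown' }
}

function Get-FirewallState {
    # One EnableFirewall value per firewall profile; 1 means the firewall is on for that profile.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $state = @{}
    foreach ($p in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $state[$p] = ((Get-RegValue "$base\$p" 'EnableFirewall') -eq 1)
    }
    $state
}

function Get-DepPolicy {
    # Win32_OperatingSystem reports hardware support and the system-wide DEP policy.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy
    New-Object PSObject -Property @{
        HardwareSupport = [bool]$os.DataExecutionPrevention_Available
        Policy          = $names[$policy]
        # OptOut is the "all programs" radio button; OptIn covers only Windows components.
        AllPrograms     = (1, 3 -contains $policy)
    }
}

function Test-UacEnabled {
    # EnableLUA = 1 means UAC is on; a missing value is reported as off.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    (Get-RegValue $key 'EnableLUA') -eq 1
}

"Automatic Updates : $(Get-AutoUpdateMode)"
"UAC enabled       : $(Test-UacEnabled)"
Get-FirewallState | Format-Table -AutoSize
Get-DepPolicy | Format-List
```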
So you got a virus because you didn't listen to me. Now what?
Well, the short answer is: boot into safe mode, move your data off, then wipe and reinstall. Why the wipe? Because viruses are VERY good at making sure you can't get them off, so rather than take the risk it's better to clean the machine and start from scratch, hopefully following my recommendations above.
