Secure Your PC

Type in ‘tips for securing your computer’ into any search engine, and it’s surprising how many times some curiously similar basic advice crops up. They’re almost always the same tips, in the same order, looking as if they’ve been cut and pasted from site to site. But you already know how to enable your firewall, that you must install antivirus software before venturing online and that you need to enable automatic Windows updates. So what can you usefully do beyond this to help secure your network? We’ve compiled a list of 20 tips designed to give you a more secure computing environment.

1. Add a password

Enabling passwords is possibly the single most important thing you can do if your computer is used by several people. More to the point, if your computer is stolen, being able to boot Windows and log in without a password is like leaving your front door unlocked. To add a password, go to the Control Panel and double-click ‘User Accounts’. Click on the administrator account, then ‘Create a password’. Enter and confirm your password, and also enter a password reminder phrase. Make this as cryptic as you can, because anyone can see it.

2. Banish the defaults

Almost all wireless routers require an administrator password before a user can log into the device and modify the configuration settings. However, the default password is weak because lists of such passwords are available on the internet. We recommend that you change the default password. It may not be an account that you log into very often, so try to make it a memorable password. See the ‘Create strong, memorable passwords’ box on page 77 for help with this.

3. Lock Guest accounts

Some people like to give access to the Windows ‘Guest’ account when others need temporary unsupervised use of their computer. However, when you enable this account, it has no password by default. If you decide to make use of it (after all, it’s not inherently less secure than other non-privileged accounts), make sure that you give it a password. If you’re not using it, disable the account completely in the Control Panel.

4. Plug open ports

Open ports on your firewalls are vulnerable to attack in ways your antivirus software won’t necessarily detect. To close them, double-click ‘Windows Firewall’ in the Control Panel. On the Exceptions tab of the pop-up window, untick the services you no longer use. If you know you won’t be using a service again, select it and click ‘Delete’ to remove the exception for good.

5. Force the issue

You can easily force users to have passwords in Windows. On the Start menu, right-click on ‘My Computer’ and select ‘Manage’. This brings up the Windows Management Console. Expand ‘Local Users and Groups’ and select the Users folder. Right-click the account you want to change and select ‘Properties’. A box will pop up giving a number of tickboxes for controlling the account’s password. Untick ‘Password never expires’ and tick ‘User must change password at next logon’. This will force the user to change their password (thereby setting it) the next time that they use the machine.

6. Shun auto complete

If you share your computer with others, it’s a very good idea not to store account credentials for websites in your web browser. The details may be stored securely, but if your browser automatically fills in your log-in details every time you visit a site, all the encryption in the world won’t stop another user from logging in as you.

In Internet Explorer, click on the Tools menu and select ‘Internet Options’. On the Content tab of the subsequent window, click the ‘Settings’ button in the Auto Complete section and a smaller window will pop up. Here, you can set options to stop the browser from using auto complete for sensitive items. Back on the General tab, press ‘Delete’ and select the data types that you wish to delete.

In Firefox, select ‘Options’ from the Tools dropdown menu, select the Privacy tab and unclick ‘Remember what I enter in forms and the search bar’. Next, click the ‘Settings’ button. The subsequent window will allow you to specify what you want to delete.

7. Use WMA encryption

If you have an unsecured Wi-Fi network, who knows what the neighbours might be up to? However, standard WEP encryption is no longer considered secure as plenty of tools now exist to crack it. Instead, you should be using WMA to secure your network. You’ll have to read your equipment manuals to find out how to enable it, but once it’s enabled, cheapskate neighbours will finally have to buy their own broadband connection.

8. Learn to spot spam

You may be savvy enough not to fall for email phishing scams, but how clued-up are the others who use your computer? It only takes one malicious attachment to be opened and all your good security practices will have been for nothing. Make sure that everyone understands this and train them to delete all spam unopened.

9. Stay up-to-date

So-called ‘drive-by’ attacks on web browsers are incredibly common, and becoming more so. Some exploits work via unpatched vulnerabilities in your web browser, so to avoid this scan regularly for security patches. Internet Explorer is updated automatically by the Windows Update service. In Firefox, simply click ‘Scan for updates’ on the Help menu.

10. Get a better firewall

The firewall supplied with XP does not block outgoing connections (the firewall supplied with Vista does), so if you become infected with malware that sends spam or launches denial of service attacks, the firewall won’t stop it. It’s a good idea, therefore, to install a third-party firewall with more features, such as Zone Alarm.

11. Go invisible

Most Wi-Fi routers continually broadcast the network’s name using a feature called the Service Set ID, or SSID for short. This may make setting up wireless clients extremely easy, but it also makes wireless LANs visible to any Wi-Fi devices within range. Turn off SSID broadcasting to make your wireless LAN invisible to all but you.

12. Turn off HTML

It might be pretty, but you really should turn off HTML mail in your email client. In the bad old days, it was easy to spread malware via email because programs such as Microsoft’s Outlook Express had HTML switched on and ran any embedded JavaScript.

Times have changed, but spammers haven’t. They’re still very interested in knowing if your address is active, and all they need to gain that knowledge is for you to read an HTML email. This is because HTML allows for the inclusion of remotely stored images. When accessed from the spammer’s server by rendering an HTML email, he instantly knows that you’ve read his message and your address is active. He can then either spam you again or, as is more likely, sell your address along with millions of others to other fraudsters.

13. Go to the source

Only install demo versions of software downloaded directly from the manufacturer’s site, or from a trusted third-party site such as www.download.com. It’s easy to infect software with malware and offer it for free download from a site with a similar URL to the original company. For the same reason, beware of strangers offering to give you free copies of demo software.

14. Use MAC filtering

If your wireless router supports it, use MAC filtering. This is a method of rejecting all traffic other than just that which is definitely coming from your own network cards. The IP addresses assigned when each machine boots up over DHCP are handed out on demand, but the MAC address of each network card is fixed. A determined hacker can spoof the MAC address of a network card to try to gain access to your network, but when used in combination with WMA encryption this will be enough to put off all but the most determined of hackers.

15. Go to sites directly

Internet auction fraud is on the rise. One technique that’s becoming increasingly popular is for a fraudster to ask you questions about the goods on offer and then claim to be ready to send a payment. He then crafts a fake email that’s designed to look as if it came from your auction site explaining that the transaction has been cancelled due to a problem with your account. If you click the log-in link in the email, however, you’re sent to a murky phishing site to have your username and password taken.

People with 100 per cent reputations and thousands of sales are being completely locked out of their accounts in this way while the malicious fraudster sells nonexistent goods and keeps the unsuspecting victims’ money.

This is a very good reason to always go to the auction site directly to log in, and never to click a supposed log-in link in an email for the sake of convenience. It’s also another good reason for following the advice offered in tip 12 about turning off HTML and reading your email in plain text. Any fake URLs that would normally hide behind graphical buttons are easily spotted using this method.

16. Set a BIOS password

If you own a laptop, don’t overlook setting up a BIOS password. The process varies from machine to machine, but the most common way to access low-level configuration settings is by pressing either [F2] or [Delete]. From there, navigate to the security section and select to set a password; the exact wording for the option to do this will vary from BIOS to BIOS. Don’t forget to choose a secure password, either; see the box above for tips on how to do this.

17. Do an online scan

Every now and then, scan your computer using an online antivirus scanner. The app installed on your PC may be the best, but a second opinion is always a good idea. One such online scanner is provided by F-Secure. Make sure you access it using Internet Explorer rather than Firefox or other non- Microsoft browsers.

18. Process Explorer

Install Process Explorer and use it instead of the default Windows Task Manager. Written by Mark Russinovich, Process Explorer is available free of charge from Microsoft. It provides far more information about a running Windows system than Task Manager was ever designed to give you, so it makes the perfect replacement.

To use Process Explorer, install it, run it and select ‘Replace Task Manager’ from the Options menu. Whenever you subsequently press [CTRL]+[ALT]+[Delete], Process Explorer will pop up instead of Task Manager.

If you spot a process you don’t recognise, double-click on it to bring up its details. The subsequent window has several tabs. Click on Image and press the ‘Verify’ button. This verifies the suspect program’s signature – with the developer’s website if necessary. Another useful tab is TCP/IP. This shows any connections the program has established to external servers. If you find a program that won’t verify and has external connections, you may have an infestation.

19. Reduce Wi-Fi range

If your Wi-Fi router and network cards support it, turn down the transmission power to reduce the range of the network signal. It’s difficult to contain your Wi-Fi signals to within just your home or office, but you can certainly go some way to reducing the range over which people can detect it.

20. Install an IDS

Finally, don’t throw out that old server. Install Linux on it and install an intrusion detection system (IDS). Back in Issue 274, we showed you how to use the Tripwire IDS under Linux. Such a system can help give you an early warning that your network is being probed prior to a full-scale attack.