
Basic MS Windows Security

Copyright © 2012 SF Kinney, Version 2.2, May 2013
released under CC BY-NC-ND 3.0 License
http://creativecommons.org/licenses/by-nc-nd/3.0/

There is no product for sale that will keep Bad Things from taking over computers with Microsoft Windows installed. The only real "security solution" is to learn what the most common attacks are, how they work, and what practices make Microsoft operating systems more (or less) resistant to attack. Armed with this knowledge, users can make the informed decisions that add up to safer computer practice. This is easier than it sounds; the basics are what matters and they really are "basic."

There is no such thing as an evil genius super hacker. It is impossible to break into a computer unless an opening exists for an attacker to use. These openings can be created by user error, by a defect in the operating system, or by a defect in a specific piece of software. In this tutorial we will cover today's key security topics for MS Windows users, more or less in order of importance. The practical suggestions presented here will enable a computer owner or Administrator to lock hostile parties out of computers running Microsoft operating systems. 100% security is not possible, but upgrading from 5% coverage against hostile action to 95% coverage is well worth the effort. You don't have to outrun the tiger, you just have to outrun the rest of the villagers.

This guide was written in 2009, when Windows XP was still the world's dominant operating system. XP is now giving way to Windows 7, and efforts are underway to push users into Windows 8, with a radically redesigned desktop intended for use on touchscreen devices. Under the hood, all Microsoft operating systems now in use are variations on Windows NT5, a.k.a. Windows 2000. From a network security standpoint only appearances - like where to find the menu commands to turn on security features or disable dangerous malfeatures - have changed.


Current Security Threats

Botnet worms are the leading security threat on today's networks, infecting up to 40% of all computers connected to the Internet. A botnet is a large group of compromised PCs, controlled by invading software without their owners' knowledge. Botnet infected computers communicate with one another and conduct coordinated operations at the bidding of the "botnet herders". Every botnet infected machine is running Microsoft Windows, and most of them are owned by people who think they are using proper safety precautions. In a test by Secunia, a computer security company, 12 leading "Windows security packages" covered only 64 out of 300 security holes that permit botnet infections. Botnet infected PCs are used by organized crime syndicates to broadcast spam, conduct phishing attacks and identity theft, execute denial of service attacks, and of course, to infect and take over other computers.

Other major MS Windows security problems include fake security software that shreds the victim's operating system then announces that an attack "has been detected" and offers to repair it for a price. Browser hijack code that presents unwanted pop-up windows and diverts search engine results to unwanted websites is very widespread. Botnet worms and other malware infections may include a "rootkit" that alters the entire operating system, to conceal and protect their operation from diagnostic and security tools. If a rootkit is present, the only reliable way to fix the computer is to format the hard drive and reinstall the operating system.

Malicious software may be installed by the so-called drive-by download, where the user is lured to a website that installs malware via security holes in Internet Explorer. Another common attack uses bogus links on social network sites that appear to be from your "friends" but actually lead to web pages that prompt you to install a "media codec" so you can watch a video or play a game - but what it really installs is a botnet with a rootkit. Malware installations often start a domino effect where more and more malicious programs are installed until the computer becomes unusable. In addition to these relatively new problems, old fashioned viruses and the full spectrum of "harmless" adware and spyware are alive and well. A survey conducted in January of 2011 found 50% of computers tested had malicious software on board, with "trojans" topping the list.


Passwords

Security researchers compile and publish lists of the most commonly used passwords. Armed with these lists, a botnet can reliably break into thousands of web server accounts, mailboxes, shared directories, and remote desktop servers per day. Brute force password cracking that tries every possible combination is much slower, but can also succeed if the password in question is too short. Password cracking programs can, depending on the circumstances, try dozens or hundreds or millions of combinations a minute. Under these conditions, a simple password made up by a human is simply not adequate.

Guaranteed strong passwords are easy to make and easy to remember, using the Diceware system. Diceware is a printable dictionary of over 7,000 words, indexed by five-digit numbers whose digits run from 1 to 6. Throw five dice, line them up, and look up the resulting five-digit number in the word list. There's your first word. Repeat to obtain as many words as you need. Three random words are adequate for user accounts on PCs and most network login credentials. For passwords that might be subjected to intensive attacks - for instance, cryptographic keys - five words should be sufficient to make it cost more than it is worth to crack your combination. Diceware is free: just download and print the word list, find five dice, and you are ready to lock your stuff up properly.
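The Diceware procedure described above, as an added worked example in Python (this is not code from this page or from the Diceware project): it parses the published word list format, simulates the five dice with the operating system's cryptographic random source instead of the ordinary random module, and reports the size of the resulting search space in bits, which is what decides how long a brute force attack takes. The placeholder word list is constructed here so the code runs without the real file; the file path in the final lines is an assumption.

```python
import math
import secrets
from itertools import product

# A complete Diceware list has one entry per five-dice outcome: 6^5 = 7776 words.
DICEWARE_SIZE = 6 ** 5
# Bits of entropy contributed by each uniformly chosen word (about 12.9).
BITS_PER_WORD = math.log2(DICEWARE_SIZE)


def parse_wordlist(text):
    """Parse the published list format: '<five digits 1-6><whitespace><word>' per line.

    Lines that do not fit the pattern (blank lines, the PGP signature armour
    wrapped around the published lists, notes) are ignored.
    """
    words = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        key, word = parts
        if len(key) == 5 and all(ch in "123456" for ch in key):
            words[key] = word
    return words


def roll_key(rng=secrets.randbelow):
    """Throw five dice and read them left to right, e.g. '36251'.

    secrets.randbelow draws from the OS cryptographic random source; the
    random module is the wrong tool for this. rng is a parameter only so a
    test can substitute a fixed roll.
    """
    return "".join(str(rng(6) + 1) for _ in range(5))


def passphrase(words, n_words, rng=secrets.randbelow):
    """Pick n_words words by independent dice throws.

    An incomplete list is refused: a missing key would either crash the
    lookup or, if skipped, bias the choice toward the words that are present.
    """
    if len(words) != DICEWARE_SIZE:
        raise ValueError(f"word list has {len(words)} entries, expected {DICEWARE_SIZE}")
    return " ".join(words[roll_key(rng)] for _ in range(n_words))


def search_space(n_words):
    """Number of equally likely passphrases of n_words words."""
    return DICEWARE_SIZE ** n_words


def entropy_bits(n_words):
    """Entropy in bits: log2 of the search space."""
    return n_words * BITS_PER_WORD


def placeholder_wordlist():
    """Constructed stand-in for the real list: every key maps to 'w' + key.

    It exercises the code offline; real passphrases need the published list.
    """
    return {"".join(k): "w" + "".join(k) for k in product("123456", repeat=5)}


if __name__ == "__main__":
    # Assumed path; with the real list use parse_wordlist(open("diceware.wordlist.asc").read()).
    words = placeholder_wordlist()
    for n in (3, 5):
        print(f"{n} words: {search_space(n):.2e} possibilities, {entropy_bits(n):.1f} bits")
    print("example:", passphrase(words, 3))
```

Three words give about 38.8 bits and five words about 64.6 bits; the program's only secret-dependent step is roll_key, which is why it must use secrets rather than random.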

Some security gurus say "Never write a pass phrase down!" To which I say, always write your pass phrases down - on a card that you carry in your wallet next to your ID, to assure that you will not lose it or forget where it is. Re-using passwords on multiple sites and services is a very bad idea - this habit enables an attacker to use a password stolen from one site or service to take over all the accounts the user owns. Bruce Schneier's Password Safe makes managing any number of passwords painless. I store mine in an encrypted Libre Office word processor document.

Account Permissions

In every operating system except Microsoft Windows, all user accounts - the identities you "log into" when using a computer - are "restricted" accounts that cannot be used to change critical system settings. Working in a restricted account, a casual user error cannot open the system to attack, a child or helpful relative cannot open the system to attack, and perhaps most importantly, hostile code hidden in an e-mail message, web page, or word processor document opened by the user cannot install malicious software or change important system settings. "Do not use an Administrator account for routine daily work" is the first rule of safe computer use.

When your regular user login is an Administrator account, things sure are convenient: You can change network and system settings, and install and remove software, without having to log out and re-enter as an Administrator. The only price tag on this convenience, is a high risk that the computer will be taken over and trashed by criminals half a world away.

The first step in securing any computer with a Microsoft operating system is to log into the real Administrator account (or create one) and make sure that all "regular" user accounts are Restricted. This is slightly inconvenient; you will have to log into your Administrator account to install software or change network settings. That's a small price to pay for knocking out at least 80% of potential attacks against the system. You can make this change at any time, and the sooner the better. The menu you need is located in the Control Panel, as Users and Passwords. (Or similar, depending on which version of MS Windows you are using.) For once the "easy to use" operating system really is: Everything you need to know can be figured out on the first try just by reading the menu items. Just don't forget your new password(s)!

Microsoft offers "Home Edition" versions of their operating systems, with critical security features like user account permission settings removed. If you find that there is no option to set user accounts on a system to Restricted status, the only solution to this problem is to purchase an upgrade to an "Enterprise Edition" from Microsoft. Or, replace the entire operating system with one that includes effective security features in all versions.


Back Up Your Data

Would you miss the files on your computer(s) if they were all gone tomorrow morning? This can easily happen even if you never have a security breach, because hard drives are not immortal. Sometimes they give advance warning of failure, sometimes not, but if used for long enough any hard drive will eventually fail.

Therefore, back up your data. Burn it to CD or DVD, send copies to another computer or an FTP site, copy it onto a portable hard drive, or whatever makes the most sense in your situation. Make sure you do this on a regular schedule, so you will not lose more than a few days' work when - not if - your hard drive crashes. For many users, this is the single most important item of security advice in this whole paper. If you only use one of the ideas discussed here, it should be this one.
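As an added example (not from this page, and not how any backup product mentioned here works), the following Python script does what the paragraph asks for: it copies a folder into a new timestamped folder on the backup destination, records a SHA-256 hash of every file in a manifest, and can later verify the copy against that manifest. The verify step is the check that tells you a backup is still restorable before the day you need it. The source folder, the "external drive" folder and the sample files are constructed inside a temporary directory so the demo runs anywhere; in real use you would point backup() at your documents folder and a mounted drive.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

MANIFEST = "MANIFEST.json"


def sha256_of(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(src_dir, dest_root):
    """Copy src_dir into a fresh timestamped folder under dest_root; return that folder.

    Each run makes a new folder rather than overwriting the previous one, so a
    file that was already corrupted or encrypted at the source does not silently
    replace the last good copy.
    """
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = os.path.join(dest_root, stamp)
    n = 1
    while os.path.exists(dest):            # two runs in the same second
        dest = os.path.join(dest_root, f"{stamp}-{n}")
        n += 1
    os.makedirs(dest)
    manifest = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, src_dir)
            target = os.path.join(dest, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(src, target)       # copy2 keeps the modification time
            manifest[rel] = sha256_of(src)  # hash the original, not the copy
    with open(os.path.join(dest, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return dest


def verify(dest):
    """Re-hash every file in a backup folder against its manifest; return a list of problems."""
    with open(os.path.join(dest, MANIFEST)) as f:
        manifest = json.load(f)
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(dest, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_of(path) != expected:
            problems.append(f"corrupt: {rel}")
    return problems


def demo():
    """Constructed run: back up two sample files, verify, damage one copy, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "documents")
        os.makedirs(os.path.join(src, "photos"))
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("constructed sample text\n")
        with open(os.path.join(src, "photos", "cat.jpg"), "wb") as f:
            f.write(b"\xff\xd8 constructed bytes, not a real image")
        dest = backup(src, os.path.join(tmp, "external_drive"))
        before = verify(dest)
        with open(os.path.join(dest, "notes.txt"), "a") as f:
            f.write("simulated media damage\n")
        after = verify(dest)
        return before, after


if __name__ == "__main__":
    print(demo())   # ([], ['corrupt: notes.txt'])
```

Schedule the script with Task Scheduler or cron, and schedule a verify() of the newest folder alongside it; a backup nobody has ever tried to read back is a hope, not a backup.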

Recent Microsoft operating systems include an automated backup tool. Here are the official setup instructions for making automatic backups to an external hard drive. (Microsoft has removed the instructions for Windows XP, but the differences are minor.) Independent reviews indicate that a freeware tool for making automatic backups might be a better choice than the built in tool. (That last link was an article critical of a Microsoft product. It has been scrubbed off the Internet, including even the Wayback Machine at archive.org)

This tutorial is not here to endorse commercial products, but I will make one exception: Carbonite provides automatic daily offsite backups of the files and directories of your choice. Your files are encrypted on your own machine before they are transmitted to the Carbonite servers, protecting the confidentiality of your backups. If you lose your files or even your whole computer, you can recover them with a few mouse clicks (and your pass phrase). I did a QA vendor survey of Carbonite a while back and they more than met all requirements including competent, accessible U.S. tech support.


Remove Insecure Software

A restricted account should be nearly 100% effective in preventing security breaches, and it is in most operating systems. But unfortunately, Microsoft's operating systems include de facto "cheat codes" that allow their own software - Internet Explorer, Outlook, Word, etc. - to access system level commands from inside a restricted account. Why? So they will load and run faster than software made by their competitors. When J. Random Hacker figures out a way to use these holes in system security to attack a computer, it is called an "exploit." If this exploit enables him to run any command he chooses with full Administrator rights, just by luring you to a rigged web page or by sending you an e-mail or Word document that you will open, it is called a "remote root exploit" - and he owns your machine.

Microsoft and the technology press advise you to address this problem by turning on automatic updates and making sure that you install patches as soon as they are issued. That's certainly better than no protection at all. But "automatic update" is at best a partial solution, because it often takes Microsoft months to develop and release a patch for a security hole in any of their programs. Over the years, on any given day there have been an average of two publicly known remote root vulnerabilities in any computer running Microsoft Windows with Microsoft Office installed, in factory original default configuration. Enabling automatic updates is a good idea, but it is a better idea to stop using programs that have a consistent long-term track record of critical security defects.

This table of suggested replacements for programs with chronic and severe security problems is a good starting point for those who want to move away from running dangerous software. In addition to a night vs. day improvement in security they also offer the advantages of higher performance and reliability, and a combined price tag of zero dollars:

Instead of:               Use:
MS Internet Explorer      Mozilla Firefox
MS Office                 Libre Office
MS Outlook                Mozilla Thunderbird
MS Media Player           VLC
Adobe Acrobat Reader      Evince

All the programs in the list are real Free Software, with no parasitic browser toolbars, "special offers," or spyware included. For maximum security, make sure to keep ALL your software updated to the latest versions - including these inherently "safer" tools.

Many people can not believe that free software could be as good as, much less better than, grossly overpriced tools. Show them the above listed programs in action to correct that perception. Others worry that "there is no one to sue" if they did not pay for the product. But the sad truth is that Microsoft, and every other software maker, is immune from product liability under U.S. law and can never be sued for selling defective products. If Microsoft could be taken to court for knowingly selling defective software, they would be facing judgements in excess of $10 billion USD. In one infamous incident, the so-called "Love Letter Virus", an Outlook worm, caused over $2 billion in documented damage to business users in just three days - because of widely reported defects Microsoft had resolutely refused to acknowledge and fix for many months. Microsoft's net liability for willful negligence: Zero dollars.


Firewalls: Software

Unlike every PC firewall program in the last ten years, the Microsoft one does not scan or control outgoing connections. It does not reliably close open ports. I have seen it intermittently interfere with the operation of products that were not made by Microsoft, making them appear to be unreliable. A recent Microsoft update (May 2012) fixed a remote root vulnerability that was found in the firewall itself. The best thing to do with the Microsoft "firewall" is to turn it off and leave it off.

Any industry standard PC firewall takes control of all network connections, rejects all incoming connections that it has not been specifically instructed to allow, and blocks outgoing connections except from programs the user has authorized to talk to the world. Firewall software interferes with the operation of many trojans, and closes open ports created by incorrect network settings. Even if your computer is behind a hardware firewall (and today, most are), a good software firewall is still a good precaution.

If your computer is connected to a LAN that may have insecure machines connected to it, a software firewall will assure that an attack coming from inside the local network - i.e., an infected machine in the next room - will not find an open service port it can use to take your system over.

The best rule for selecting a PC firewall program, is to go with the simplest tool that will do the job. My personal preference for a PC firewall program used to be the "free trial" version of Sunbelt Kerio Personal Firewall but, alas, it is no longer available as of January 2012. From a quick survey of technical reviews, it looks like the free version of Zone Alarm is one of the better options now that Kerio is gone.

Today, PC firewall software offers all kinds of extra bells and whistles - content filtering, ad blocking, etc. - that's the difference between paid for and free trial versions of Kerio and similar products. These features offer a small amount of convenience at the cost of a large reduction in network performance. If you want ad blocking and cookie control, get the AdBlock Plus plugin for Firefox, and change the browser's own settings to delete all cookies every time the program is closed. If your favorite browser does not support AdBlock, you can use Privoxy to accomplish similar results.


Firewalls: Hardware

A "real" firewall is a hardware firewall. If you have a cable, DSL, or fiber optic Internet connection, your router is a firewall - it does not forward incoming connection requests to your machine, unless you have specifically set it up to do so. A protocol called UPnP enables software that needs to accept incoming connections - Bit Torrent, some network games, etc. - to open up your router and let connection requests come in to specific ports on your PC. UPnP can and should be turned off. Routers can be accessed from any computer connected to them via an ethernet cable, by typing one of these numbers in the address bar of a web browser:

192.168.0.1 or 192.168.1.1 or 192.168.2.1

Your router's help menu should tell you how to configure UPnP including how to turn it off. Or if you like the idea that any program running on your PC can open up your firewall to accept inbound connection requests at will, you can leave UPnP enabled.

While you're in there, turn off wireless networking if you do not actually use any wireless network connections. Note that using an Ethernet cable to connect your PC to your router gives faster, more stable and reliable service. If you do use wireless networking, be sure that WPA encryption is enabled. Do not use WEP encryption - it can be broken using simple, free tools. The pseudo-random passwords routers generate are normally good enough.

If you are using programs that need to accept inbound network connection requests from the Internet, forward the specific ports manually using your router's configuration pages. The program's help menu will include an entry for port forwarding, listing the specific port numbers it will be listening on. Your router's help menu will tell you how to forward ports. Port forwarding is very simple, all you need to know is what ports to forward and what page of your router's configuration menu to go to.


Antivirus Software

Most people's first (and only) thought when it comes to PC security is antivirus software. I have put it this low in the list because antivirus software is not nearly as important as it used to be. Modern attacks like botnet worm infections are often ignored by antivirus software, and the first thing many botnet programs do during their installation process is to turn the antivirus software off. Anti-virus vendors like Norton and McAfee whose products are "pre-installed" on new computers don't worry about quality or spend a dime on it - they don't have to, people blame "the hackers" when their products fail. Some users will even reward the failed AV vendor by purchasing a premium upgrade that substantially degrades overall system performance.

AV software works by comparing a digital signature of a program or data file, with a database of known hostile software. These databases are always at least a week out of date, because the "best" botnet operators change their attack code every few days. AV software is still necessary on any machine running Microsoft Windows, because there are still many viruses in the wild, and the less sophisticated botnets do not change fast enough to evade detection by AV signature files.
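An added illustration in Python of the comparison the paragraph describes (this is not the page's code and not how any named product works internally): a scanner that matches each file's SHA-256 hash against a constructed "known hostile" database, plus a byte-pattern signature that still catches a copy with a single byte appended. The second method is there because a whole-file hash matches only the exact bytes the vendor has already seen, which is the reason the database is always behind attackers who re-release their code every few days. The sample bytes, file names and family name are all constructed.

```python
import hashlib


def sha256_hex(data):
    """Whole-file fingerprint used for exact-match signatures."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a hostile file; a real database holds millions of entries.
SAMPLE_MALWARE = b"constructed sample: pretend this is a bot installer v1"

# Exact-match signatures: hash of the whole file -> family name.
HASH_SIGNATURES = {sha256_hex(SAMPLE_MALWARE): "Constructed.Bot.A"}

# Pattern signatures: a byte sequence characteristic of the family -> family name.
# These survive small changes to the file that break the whole-file hash.
PATTERN_SIGNATURES = {b"pretend this is a bot installer": "Constructed.Bot.A"}


def scan(files, hash_sigs=HASH_SIGNATURES, pattern_sigs=PATTERN_SIGNATURES):
    """files: mapping of file name -> contents (bytes), as an on-access scanner would read them.

    Returns a list of (name, method, family) detections. The hash check runs
    first because it is cheap and exact; the pattern search is the fallback.
    """
    detections = []
    for name, data in files.items():
        digest = sha256_hex(data)
        if digest in hash_sigs:
            detections.append((name, "hash", hash_sigs[digest]))
            continue
        for pattern, family in pattern_sigs.items():
            if pattern in data:
                detections.append((name, "pattern", family))
                break
    return detections


def demo():
    """Constructed file set: the original sample, a trivially altered copy, and a clean file."""
    files = {
        "setup.exe": SAMPLE_MALWARE,
        "setup_v2.exe": SAMPLE_MALWARE + b"\x00",   # one byte appended: the hash no longer matches
        "readme.txt": b"constructed clean text",
    }
    return scan(files)


if __name__ == "__main__":
    for name, method, family in demo():
        print(f"{name}: {family} (matched by {method})")
```

The altered copy is missed by the hash database and caught only by the pattern, which is exactly the gap the paragraph describes: until the vendor ships a signature that covers the new variant, a hash-only scanner reports nothing.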

I used to recommend AVG antivirus, but unfortunately AVG has taken a turn for the worse, prompting the user to install a web browser toolbar and other useless junk, while falling behind in real coverage against malicious software threats. Today, most of the professional technicians I know recommend Avast, a very powerful antivirus program available at no cost for personal use. Avast provides outstanding coverage and its "boot scan" function can find and remove well protected malware including even some rootkits. As with firewall software, avoid extra bells and whistles - all you want is good basic antivirus protection, not a whole suite of junk that costs extra, bogs down the machine, and does nothing that is actually useful.

When changing antivirus software, it is necessary to uninstall whatever antivirus package is already on the machine before installing the new package. This is not normally required when upgrading to a new version of the same antivirus package. If the antivirus software you are removing refuses to be removed, even in Safe Mode - an increasingly common abusive practice by many vendors - do a web search and download a "removal tool" for the product in question.

Helpful household hint: You don't need to let your antivirus software scan your whole hard drive every day, because it always scans every file you access when you access it. The only time it really makes sense to do a full hard drive scan is right after installing a new antivirus program. You will find an option to turn off the daily full scan in the antivirus program's configuration menu - and while you're in there, make sure it is checking for updates every day, and installing them automatically.


Electromagnetic Security

ZAP! The power coming out of that wall socket is not filtered or regulated. Brownouts and power failures can cost you whatever data you had "in process" at the time. When the power comes back on after a failure, there is often a voltage spike that can, if your number is up, fry your system. And of course, lightning is lightning. Therefore, you need a UPS - Uninterruptible Power Supply - on every computer under your control, and every gadget that plugs into it also needs to be plugged into the UPS.

Don't neglect the network cable running into your computer. Trust me on this one - I made this mistake, and it cost me a whole computer and the contents of two hard drives when lightning struck a cable TV company's lines outside the house. (Fortunately, most of that data was backed up elsewhere - is yours?) A UPS that includes protection for the network cable costs a little extra, but a UPS that does not have this is not worth a dime.

Don't believe in surge protectors. As a trained electronics technician, I don't. They are for fire prevention, and will not reliably protect digital equipment against high voltage spikes.


Malware Repair

So far so good - but what do you do if a computer is already compromised? In some cases, the only thing to do is back up the data, wipe the hard drive, and reinstall everything from scratch. But very often, a computer with a Microsoft operating system can be restored to normal function after infection with malware. You don't have to be a real "computer expert" to do this yourself, you just have to know what tools bench technicians use, where to get them and how to use them. What follows is a superior, free version of the "clean your PC" products seen on TV. One special advantage compared to the TV "cleaners" is that you don't have to enter your credit card info on a known infected machine, to "turn on the repair features" of the repair tools listed here.

If the computer's behavior seems downright bizarre, try plugging in a different keyboard and mouse. Failures in this hardware can, on rare occasions, cause symptoms that resemble severe operating system corruption. If another keyboard and mouse are available, trying this is worth the time it takes - at worst, it couldn't hurt.

To start any Microsoft operating system in Safe Mode, turn the machine off, turn the machine on, and hold down the F8 key on the keyboard while it is booting. If at first you don't succeed, just try again. If that does not work, turn the machine off at the main power switch while it is booting, and it will start in Safe Mode "all by itself" when you turn it back on. Safe Mode is a maintenance feature, loading just enough programs to make the machine usable during troubleshooting and repair. From the Safe Mode menu, select "Safe Mode with networking." Most malware will not load and run when booting into Safe Mode, and this prevents it from interfering with malware removal and repair tools. Safe Mode gives the user full Administrator privileges.

Once booted into Safe Mode, download and install Malwarebytes. This is a very powerful scanning and removal tool, presently (2012) the most popular tool of its kind among bench technicians. Install Malwarebytes, start it, update the program and its database when prompted, and run a full system scan. This will take a while. Protip: Make sure that the web browser cache files on the machine are deleted before you run any malware scanner - on a typical PC this will cut scanning time way down. When Malwarebytes is done, it will present a list of all the junk it found, some harmless and, with any luck, some not so harmless. Tell Malwarebytes to delete all "problem" files.

Next, do all the same steps with Spybot Search & Destroy. This is an older program than Malwarebytes that does more or less the same things. It will often find and remove things that Malwarebytes has missed.

I have never used it myself, but a field technician I know recently advised me that he considers the Kaspersky Virus Removal Tool a useful and reliable tool, and I am inclined to trust his judgment.

Finally, boot the system normally and check to see if its behavior has returned to normal. If so, you just saved some money - something in the hundred dollar range, at an honest repair shop - and learned how to repair malware problems "just like a professional" by using professional tools and techniques.

If the computer still ain't right, the next thing is to put it back in Safe Mode and install the free version of Avast anti-virus if it's not already on board. (Remove any other anti-virus software that may be present first.) Avast will update itself, then ask for a reboot - when you do the reboot, go back into Safe Mode. Open the Avast configuration menu, and follow the instructions presented here: How to Perform a Boot-Time Scan. This procedure will enable Avast to interrupt the normal boot process to perform a low level scan that attempts to detect rootkits - a species of malware that alters the operating system to hide its presence and activity from antivirus software and other diagnostic and repair tools. This is far from 100% effective, but it's your last chance to repair the system without wiping the hard drive and reinstalling the operating system.

If all else fails, you can wipe the hard drive and reinstall the operating system. If your computer came with a System Restore CD, you are in luck: You will need that. If you don't have one, and your computer is still working, find the owner's manual for the machine (search the maker's website if necessary) to find out how to get one. It is likely that there is a copy of this disc hidden on your hard drive, and you should be able to burn a System Restore CD using this. If it's too late for that, you can buy a retail copy of a Microsoft operating system, or download a Free operating system like Linux Mint. Even if you don't intend to install the Linux operating system, it is very handy to have: You can boot your computer from this CD and use it more or less normally, even if the hard drive has completely failed, which can be a life saver. Or you can just tinker with it - it won't affect your installed operating system in any way - to see what it's like. If your machine does not want to boot from a Live CD, check your BIOS settings - see LiveCD.com for detailed instructions.

To save your data files before you wipe your hard drive and reinstall the operating system, you will need an external hard drive (or some CDs or DVDs) - and a Linux "live CD" like the Mint installer mentioned above. Boot the system using the Linux Live CD, and use that operating system to copy your personal files to the portable hard drive or burn them to CD or DVD. You will find them on your hard drive in a directory called "C:\Documents and Settings" or "C:\Users". Remember to be careful about that backed up data - it may include the very file that originally infected the machine, sitting there like a land mine waiting to be stepped on again. For instance, suspect MS Office files should only be opened with Libre Office or Open Office, which will not execute hostile code hidden in documents. Once you have your files safely stored outside your computer, you can either double click on the desktop icon to install Linux, or remove the CD, put in a Microsoft operating system installer, and run that. You will also need to install your application software from scratch - the list of suggested Free Software tools above will provide most of what you need for work and play, free of charge.


Conclusions

The security methods outlined above can be used to make a Microsoft Windows operating system last as long as possible in a hostile network environment. In addition to closing many avenues of attack that invite serious damage, the specific tools suggested will improve the overall performance of the machine, compared to using the software that most likely came with the computer. But if security and performance are real issues, Microsoft operating systems could be thought of as "malicious software" in and of themselves.

Microsoft operating systems were born to die: If they did not slow way down after a couple of years of normal use, sales of new computers and with them new Microsoft license fees would slow down instead. Despite claims of "the most secure operating system ever!" with every release of a new product or version number, the ongoing nightmare of botnet worms, rootkits, etc. makes it very clear that Microsoft regards security as a marketing issue, not an engineering issue: Fundamental defects that drive replacement sales are features, not bugs.

Earlier I said that there is no "product" that will keep Bad Things away from your computer. But as a matter of fact, there are two of them: Mac and Linux. Compared to Microsoft products, neither has any security problems worth noticing - it takes more work to make either of these platforms insecure, than it does to make a Microsoft platform secure enough for routine uses. For most users, either will outperform Microsoft products on all fronts except the "I already know how to use it" one - and you do already know how to use Mac and Linux, things just "look different" here and there. In some rare instances a user needs a particular program that will only run on Windows, but this problem is almost gone and with every passing year it shrinks more.

Mac includes high prices for both hardware and software, but on the plus side Mac hardware is very durable and comes fine-tuned for multimedia production work. Mac is ideal for many users who make no bones about the fact that they do not know or care how computers work as long as they do work. Linux offers very low prices (free operating systems that perform well on generic hardware), a giant variety of powerful free software, and the burden of having to learn just a little about how a computer actually works. "Computer literate MS Windows user" is not a contradiction in terms - for most it is a temporary inconvenience, easily resolved by installing Linux.

Mac and Linux operating systems are directly descended from UNIX, which was developed for use in telecommunications switching centers. From the ground up, UNIX class operating systems are designed for stable, secure operation in hostile network environments. Driven by the demands of commercial and military networking engineers, UNIX based operating systems have remained stable and secure, even as they have evolved to include desktop operating systems suitable for home and office use. Microsoft operating systems, descended from a "Quick and Dirty Operating System" designed for a hobby kit microcomputer, simply can't compete.

If you are interested in network security "above and beyond" the struggle to keep Microsoft products running day to day, see An Introduction to Network Security.