
WhigWham's FREE online resources! Security Tips 'n' Tricks ...

Security Tips 'n' Tricks

Okay, want the truth about your (Microsoft Windows) computer security?

If you have nothing that anyone with the know-how or money to obtain could want on your computer, and you are accessing the Internet with a dial-up connection, there is very little risk that anyone will ever bother with "hacking" your computer. You might as well not bother continuing to read this page, unless you are interested of course!

If, however, you DO have confidential, private or sensitive material on your computer/network, OR if you are one of the increasing number of users accessing the Internet via a broadband connection (cable, ADSL, ISDN, etc.), the "Tips 'n Tricks" on this page will provide the fundamentals of securing your computer from "hackers".

You see, being specifically "hacked" for the purpose of stealing/accessing your data is relatively rare (although many of our clients do keep sensitive patient/client records on their system/network). What is far more likely to happen if you have a high-speed, broadband Internet connection is that someone will use your computer and its connection to conceal and launch a larger computer attack somewhere else.

There are many readily-available programs that can "scan" the Internet, randomly searching thousands of computers in seconds for basic security vulnerabilities. If you are unsure what protective measures have been taken on your system, you NEED to read this page!

Want to see why you need to worry about this? Try out Steve Gibson's online tests at the "Shields Up" homepage here:



Steve's website is an excellent resource for those interested in furthering their general understanding of computing "security", and is well worth a visit.

Spend 30 minutes securing your network by following these basic security tips, and you can be assured that you have at least made it difficult for someone to "hack" you. Use the menu below to browse WhigWham's online Security "Tips 'n' Tricks" section:

Now don't get us wrong, we are not advocates for Bill Gates and Microsoft, however this company's software is what the vast majority of our users are working with. The following simple steps are provided so that instead of just going with the flow, you can bend it a little towards your own needs.


Fundamental Security Steps:
  Operating System & Browser versions.
  Install an "Anti-virus" Package.
  What's a "Firewall"?
  Optimise your Network Settings.
Our other "Tips 'n' Tricks" pages:
  System Tips - increase your efficiency both online
          and offline with these handy tips.


Your Operating System & Internet Explorer versions.
First things first. If you spend any time online and especially if you have broadband access to the Internet, your Microsoft Operating System should be based on "NT" technology. This means either Windows NT4.0 (at least Service Pack 6) or Windows 2000. Unless you are quite comfortable using a computer, we recommend Windows 2000 Professional, as this provides most of the familiarity and "ease-of-use" of Windows 95/98 with the nuts-and-bolts security structure of Microsoft's NT technology.

Considering this, we know that many of our visitors are not prepared to part with the tenuous control they have over their current software :=)

Whatever Operating System you choose to run, it is imperative that you keep it updated regularly by visiting Microsoft's excellent automatic update site HERE, or using any of the "Windows Update" icons scattered around your Start and program menus. Even Microsoft acknowledges that flaws continue to be found in their software, but they are good at fixing them once found!

It is particularly important that you have an updated version of your current Internet Explorer. To check what browser you are running, use the "Help" menu at the top of any Internet Explorer window, then click "About". We strongly suggest that you ensure you have at least an updated version 5.0 or higher. While you have the "About" window up, take a note of your cipher/encryption strength - this is what protects you in all of those "secure" online forms and transactions! If it is anything less than "128 bit" you should urgently apply the small update available from Microsoft HERE.

Just doing all of this AT LEAST once, and preferably regularly, will ensure that most of the major reproducible "bugs" in your software are closed to any potential threats!


Install an "Anti-virus" Package.
One of the things that we are all susceptible to is malicious computer "viruses". These are small programs that, depending on the type of "virus", can potentially do things such as deleting/corrupting your data, or seriously compromising your security.

Computer "viruses" are aptly named. Not only are they small, generally harmful and difficult to treat, they are also analogous to their human-afflicting namesakes in that they are spread by contact. In computer terms, this means you either get the virus directly (say from an "infected" floppy-disk or "host" program) or via the Internet (most commonly via email attachments).

Many computer viruses are specifically designed to take advantage of security flaws already existing within your software, so regularly updating your operating system and browser (see Step 1) is the first step in preventing an "outbreak" on your computer network.

Installing almost any new free or "demo" Anti-virus package will do two further things to protect your computer and/or network, both of which are vitally important:

It will give you at least some defense and detection ability against the majority of common computer viruses. Updating your virus software regularly will maximise the benefits.
Most of these packages will also update your email settings and continue to "filter" your email to protect you from any potentially nasty email attachments. This will not affect any web-based email services you may use (the best-known of these services is "Hotmail"), however many of these online services now automatically virus-scan your email for you (Hotmail uses the McAfee™ virus program, for example).

Some of the more popular Anti-virus software packages include:


Norton Anti-virus

Vet Anti-Virus

McAfee VirusScan

Don't wait until it is too late, protect your privacy and assets today - install an Anti-virus package!


What's a "Firewall", & why do you need one?
The Firewalls FAQ defines a firewall as "a system or group of systems that enforces an access control policy between two networks." Essentially, this means a firewall acts as an impenetrable wall between your computer/network and any network connections you may have, such as the Internet connection you are now using. It prevents any unauthorised access to your computer, and ideally makes your computer "invisible" to anyone or anything scanning the Internet for vulnerable computer networks.

In the context of home networks, a firewall typically takes one of two forms:

Software Firewall - specialised software running on an individual computer. One of the best products available is ZoneAlarm. It is FREE, easy to use, and provides excellent protection. As an added feature, this software also lets you monitor what is going OUT of your computer (to catch "spy-ware" and products automatically "phoning home")! Get it HERE:
Hardware Firewall - a dedicated device attached to your computer network designed to protect one or more computers. They often afford a higher degree of protection than the software versions, and can be used AS WELL AS a software firewall to provide a "dual-barrier" against unwanted network intrusion. Many of these products are designed with home users (especially those with a broadband connection) in mind, and are easy to install and use. Products in this category include:

D-link Routers

Linksys Routers

Both types of firewall allow the user to define access policies for inbound connections to the computers they are protecting. Many also provide the ability to control what services (ports) the protected computers are able to access on the Internet (outbound access). Most firewalls intended for home use come with pre-configured security policies from which the user chooses, and some allow the user to customise these policies for their specific needs.

Whether you access the Internet via a dial-up connection or have broadband access, WhigWham strongly urges all readers to install some sort of firewall. The easiest way to do this would be to use the link above to download and install ZoneAlarm. For the booming population with broadband access, WhigWham recommends that you have BOTH a hardware and software firewall - especially if your network contains sensitive/valuable data!


Optimise your Network Settings?
Okay, this is a big subject, and there are many websites entirely devoted to this subject. Below you will find simple, step-by-step instructions on how to properly configure your computer's "network" settings.

Why do you NEED to do this?

Well, to put it simply - because Microsoft should have but didn't!

By default, most of Microsoft's Operating Systems (including 95, 98, NT and 2000) leave many BIG holes in your computer and/or network's security! Things such as your name, "username", "computer name", "workgroup", even your email address and potentially EVERYTHING, are often readily available to any website you visit or, more seriously, anyone using an Internet "scanner" program. These are small, readily-available programs that can swiftly "scan" the Internet, randomly searching thousands of computers in seconds for basic security vulnerabilities, flagging those found as susceptible for later use/abuse by a "hacker".

If you wish a more detailed explanation and understanding of the concepts behind your network security policy, or for more detailed instructions on how to configure your network, Steve Gibson has provided an excellent resource at his website:



LINKS:
Network "Bondage" Overview
WIN 95/98 Network Setup
WIN NT Network Setup


When following our 3 simple steps below to protect your computer network, there are a few things to note first:


In all of Microsoft's Operating Systems (95/98/ME/NT/2000), the locations vary but essentially there are three places where you may find your various network settings:

Right-click on the "My Computer" icon on your desktop and select "Properties" from the menu that appears. Depending on your version of Windows, you will find your "Network ID" or "Network Identification" settings here somewhere. This usually includes your "computer name" and "workgroup". It should look something like this:

If there is a "Network Neighbourhood" or "My Network Places" icon on your desktop, right-click on it:


Now select "Properties" from the menu that appears. What you want to see is the main network settings panel. It will look something like this:


In some versions of Windows (e.g. 2000), to get to the properties described below you will need to right-click again and select "Properties" on each of the "adapters" you see (such as your modem and/or network card).
If all else fails, click on the Start Menu on your toolbar, go to the "Settings" tab, and open your "Control Panel". You should find your Network Settings program listed here. Again, depending on your Windows version, either right-click on this and select "Properties" or double-click on it to get to the settings shown above.
Unless you have installed a new "adapter", "service" or "protocol" for the first time, you should NOT have to restart your computer between changing settings for each item described below. Just make all of your changes and keep clicking "No" when asked if you want to restart. Make sure you do at the end, however.


The 3 simple(?) steps below are integral to your computer network's security. If you are having difficulty following these directions, please use the "Shields Up" links above to see Steve Gibson's explanation.

Okay, hold onto your hats:


Step 1: Do you need "File Sharing" or "Client for Microsoft Networks"?
  These are both installed by default for most versions of Windows, but what is worse is that these inherently insecure services are made available indiscriminately to anyone on your network, AND THE INTERNET!

If you only have one computer at home and do not ever directly connect to another computer "network", then you do not need either of these "services" - you can and should remove them entirely! To do this select the "Client for Microsoft Networks" entry and then click "Remove", then click the "File and Print Sharing" box and make sure that it is not enabled. It should look like this:


If you are connected to the Internet via a broadband connection, or if you are using a "network" of computers at your location, you will most likely want to keep these services installed. Step 2 describes how to safely accomplish that, but you should first ensure that all computers on your network have unique "computer names" and that they all belong to the same "workgroup" as you were shown above.

If you have decided you do not require either of these services and have disabled them, you can safely skip Step 2.

Step 2: Add NETBEUI and Isolate TCP/IP? What!?
  To put it VERY simply, the "language" of the Internet is TCP/IP. You will most likely notice entries in your network settings using TCP/IP already. Other "languages" or "protocols" that your computer can use include NETBEUI and IPX/SPX. The "Client for Microsoft Networks" and "File and Printer Sharing" services are inherently insecure, however by default Microsoft indiscriminately allows both of these services to use the TCP/IP protocol. This can give unscrupulous websites and "hackers" a clear path to your system/personal information and stored data.

What we are going to do here is use one of the safer protocols, NETBEUI, to handle the local network traffic generated by the "Client for Microsoft Networks" and "File and Print Sharing" services. We are also going to isolate your TCP/IP protocol so that it does not have access to any of your computer settings/data.

Open your network settings window as shown above. If you do not see an entry for either of these, then you should add NETBEUI by clicking "Add", then selecting "Protocol" and select NETBEUI under the Microsoft heading, as shown below:



Select "Protocol" and click "Add" - you should then see a window like this:


If you have had to do this, you should keep clicking "Okay" until all of your network settings windows are closed. If you are prompted to restart, do so now.

Once you have NETBEUI installed, you should see it listed in the network settings window. Right-click on it and select "Properties". If there is a "bindings" tab, select it and confirm that "Client for Microsoft Networks" and "File and Print Sharing" are "bound" to the NETBEUI protocol.

Now we want to check each TCP/IP listing in your network settings (there should be one for each "adapter", such as your modem and network card). Go to the bindings tab and make sure that "Client for Microsoft Networks" and "File and Print Sharing" are NOT checked. It should look like this:


Click "Okay" once you have cleared each TCP/IP entry's bindings, and ignore the hostile alert that Windows throws at you:


Keep doing this for all of the TCP/IP entries. What you are then left with is a situation where ONLY the adapter that you use for your Internet connection has TCP/IP enabled, AND that the TCP/IP protocol it uses is NOT "bound" to "Client for Microsoft Networks" and "File and Print Sharing". These use the NETBEUI protocol and, ideally, should have nothing to do with your "Internet adapter".

Depending on whether or not you have a computer "network", and also on whether you access the Internet via a dial-up or broadband connection (where you usually connect to the Internet using the same "adapter" that you access your network with), your network configuration should conceptually be set up as shown in one of the four scenarios below:

Dial-up connection with no LAN (Local Area Network):


Dial-up connection + LAN:


Broadband connection with no LAN:


Broadband connection + LAN:

Step 3: Disable "NetBIOS over TCP/IP"? Huh!?
  Let your computer restart after you have completed the first 2 steps above. You do not really need to understand why we are checking this setting, and it should now be disabled for you if you have completed the steps above, however we are going to check it anyway.

Reopen your network settings window and right-click on your TCP/IP entry (there should be only one now!), then open its settings by selecting "Properties". Select the "NetBIOS" tab in the window that appears. If it is still selected, uncheck the option for "NetBIOS over TCP/IP". It should look like this:


Apparently, even if Microsoft's Client or File and Print sharing is disabled, your TCP/IP protocol will still be insecure if NetBIOS over TCP/IP is enabled. If you would like to know more on why this is done, consult Steve Gibson's "Shields Up" site (you can use one of the links higher on this page), and look for references to "TCP port 139".
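
One way to confirm the result of Steps 2 and 3, shown as an added example that is not part of the original page: parse the output of `netstat -an` and list any NetBIOS over TCP/IP endpoints still open on your Internet-facing address. The page names only TCP port 139; UDP 137 and UDP 138 are the other two NetBIOS over TCP/IP services, and the sample output, addresses and function names below are constructed for illustration.

```python
import re

# NetBIOS over TCP/IP endpoints: name, datagram and session services.
NBT_PORTS = {
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("TCP", 139): "NetBIOS session service (file and print sharing)",
}

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    203.0.113.7:139        0.0.0.0:0              LISTENING
  TCP    203.0.113.7:1042       198.51.100.20:80       ESTABLISHED
  TCP    203.0.113.7:139        198.51.100.99:3311     ESTABLISHED
  UDP    203.0.113.7:137        *:*
  UDP    203.0.113.7:138        *:*
  UDP    127.0.0.1:1030         *:*
"""

# Proto, local address:port, foreign address, optional state (UDP rows have none).
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def nbt_listeners(netstat_text):
    """Return sorted (proto, local_ip, port, service) for open NBT endpoints."""
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header and blank lines
        proto, ip, port, _foreign, state = m.groups()
        # A TCP row is a listener only in the LISTENING state.
        if proto == "TCP" and state != "LISTENING":
            continue
        service = NBT_PORTS.get((proto, int(port)))
        if service:
            found.add((proto, ip, int(port), service))
    return sorted(found)


def exposed_on(netstat_text, internet_ip):
    """NBT endpoints bound to the Internet-facing address (0.0.0.0 = every adapter)."""
    return [e for e in nbt_listeners(netstat_text)
            if e[1] in (internet_ip, "0.0.0.0")]


if __name__ == "__main__":
    for proto, ip, port, service in exposed_on(SAMPLE_NETSTAT, "203.0.113.7"):
        print(f"STILL BOUND: {proto} {ip}:{port}  {service}")
```

Run `netstat -an` at a command prompt after the final restart and pass its text to `exposed_on` along with the address of your Internet adapter; an empty list means none of the three endpoints is open on that address.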

If you have made it this far on this page and have followed WhigWham's 4 Steps to Windows computing security, you should congratulate yourself - you have now closed most of the major "holes" in your Microsoft software that can be used to compromise your privacy and security.

Have a rest, but be sure to return and check out the rest of WhigWham.com later!

 

 
Who is this guy? Find out more on our company information page...