Computer Security - Firewalls, Anti-malware, Anti-Virus
#1
Talk about Security
================

I'd first like to start out by saying:

    "The security of a system is only as strong as the weakest link in the chain."

To maintain the security of your system as a whole, you have to ensure that
there are no weak links, or at the very least minimize them.

Someone was asking me today what I would recommend as a good piece of
anti-virus / anti-malware software, so I thought I'd touch on the topic of computer
security and my experiences.

First of all, I'd like to point out that there is no such thing as a perfect security
solution. If someone is determined to get into your PC, with enough time and
effort they will find a way. The idea is to remove your computer as low-hanging
fruit for the people who have automated the process of looking for vulnerabilities
on computers.

Security in Obscurity
=================

If you don't browse the internet you are safe... wrong! That's a common misconception,
that as long as you aren't perusing the web, nobody can get your IP and all
is well. The second your computer is assigned an IP address and the network icon
indicates you are online, your computer is immediately fair game. There are programs
out there that scan every single IP range, trying their luck. On top of that, any
program with update features built in, whether it's Microsoft, Chrome, etc., will
be connecting behind the scenes.

Rolling the Dice
=============

It's a game of probability: it's likely you reduce your odds of being attacked online
by not browsing the web. If you update Windows periodically, you reduce that chance
even more. If you have good software security in place, you reduce the odds even further.

If you stick to the mainstream popular websites, i.e. Gmail, Google, Microsoft and such, you are
not likely to run any risk of picking up anything you shouldn't, as these mainstream websites
are frequently policed and have mastered filtering a lot of the malware.

When you stray from the path, though, that's when things get dicey and your security is no
longer guaranteed. Usually websites that host immoral, questionable, or just plain illegal
content are safe havens for malware. It slips in through seemingly innocent ads, typically
through JavaScript or web exploits... or if it's a torrent website or a download website, it is
just packaged together, and they pray you don't have the software to recognize it until it's too late.

To Flash or Not to Flash
===================

If you've been paying attention, you'll notice a lot of browsers are starting to reject Flash entirely.
Mozilla (Firefox) has refused to allow Flash until they start upgrading their software. Just this week
Chrome announced that it also is going to refuse to accept Flash. Adobe Flash lets browsers kind of
run these little programs inside the browser, which are popular for hosting media content. I actually
refuse to run Flash, and it's surprising just how little I've ever needed to use it...

So what the heck is HTML5? HTML5 is a new standard, introduced a couple of years ago, that allows you
to host media content and is a huge improvement to the web in general. It has more or less been used
to stop the heavy reliance on Adobe Flash, who have refused to patch the vulnerabilities in their software.

So do yourselves a favor and uninstall Flash... there are rare circumstances where you might need it,
but if that's the case, I prefer to "Disable" it in the Add-ons menu until I do need to use it. Never let it
run automatically on its own.

Blocking Ads
===========

I recommend a few add-ons for Firefox; usually you can find a few alternatives for Chrome:

    Adblock Plus
    uBlock Origin
    Request Policy
    NoScript

The first two add-ons block, with great accuracy, all of the common ads you encounter.
There is very little maintenance with these two; you just let them run in the background.

Request Policy blocks cross-site requests.

Cross-site requests are requests that your browser is told to make, by a website you are visiting, to a completely different website.
Though usually legitimate requests, they often result in advertising companies and other websites knowing your browsing habits,
including specific pages you view throughout the day.

NoScript

This is a must-have; it blocks all of the interactive scripting that goes on behind the scenes. It may seem like a bit of a hassle at first,
but if you realized how much it was protecting you, you might reconsider and find it ultimately worth it.

The mainstream websites definitely need JavaScript to function smoothly, so you usually have to allow them to run no matter what.

It's when you start browsing news sites and such that you realize its importance... when you start seeing a site that has about 30
affiliated websites it wants to connect to for one simple article... generally I'd say it's not worth the risk.

Ultimately, security isn't about the best programs; it's changing your behavior and using common sense, not just some of the time
but all of the time. Consider that it only takes a lapse in judgement of a matter of seconds, and before you know it your weekend is
ruined and you're reformatting your hard drive. So it pays to be a little vigilant when it comes to your computer security.


Who Am I Connected To?
===================

A good program to see exactly what's going on behind the scenes is called TCPView:
https://technet.microsoft.com/en-us/sysi...pview.aspx

(Note, this comes directly from Microsoft, so it's likely safe to run.)

Downloading Blunders
===================

Don't make the mistake of downloading a program from popular download sites like:

    CNET
    Downloads.com
    Softonic
    Tucows
    etc.

These websites may offer the program you want, but will also bundle their own software with it,
and although it might not be entirely dangerous, it often puts your computer at risk.
This is called "riskware", or a PUP --- "Potentially Unwanted Program".

Routers
========

You may not know it, but your router is actually a firewall. If you don't have a router in
between your modem and your computer, you really should get one. It's really the first line of
defense, and it can protect you from DDoS attacks.

What's a DDoS attack?
==================

Do you remember that childhood game, where you call "Marco!" and someone else calls "Polo!"?
It's more or less like that: one computer says "hey! anybody there?", and the other says "here I am!"
So what happens when somebody says "hey! is anybody there?" thousands of times in
succession? The computer or hardware replies to each request as quickly as it can, and the other
traffic gets put on low priority... the end result is the connection slows down to the point it can no longer function.

This is what's called a DDoS attack, with a protocol called ICMP or with similar protocols. The theory is the same.
Routers can block this kind of behavior, or allow it...

That's where YOU come in: all of your hardware/software, by default, is designed for a perfect world
where everybody trusts each other and everything is supposed to be connected with everybody.

Which means you have to set it right by changing the settings in your router.
It's a "very" good idea to become familiar with your router options.

*  Disable ICMP replies - this means you will be blocking ICMP requests.

*  Disable WiFi (if you're not using it).

*  Set a WiFi password using WPA2 - every week and/or month.

All WiFi traffic can be picked up by your neighbors, and if you have a really geeky
neighbor, they may decide to snoop on you. If they collect enough of your packets
over time, they can decrypt everything you ever sent over the connection.

Even WPA2 does not ensure your network traffic cannot be decrypted; it just slows
that person down drastically... which is why it's a good idea to change passwords, reasonably
every month or so.

That is also why a wired connection is typically much more secure than a WiFi connection.

Really, you should just try to understand each and every setting in your router.
Disabling UPnP can also be a good idea; just remember you disabled it if a program
later needs it.

If things stop working, you can generally press the reset button on your router
and everything returns to factory defaults, but you learned something new about what
worked and what didn't.

Never DMZ your router... this is basically like turning off the router's firewall and allowing
all the traffic through.


Software Firewalls
===============

So what's a good firewall?

I think a lot of people get firewalls confused with anti-malware software.

Scanning your computer for malware is not a firewall. A firewall blocks internet traffic.
Although a lot of mainstream malware software might include a firewall, that's not often the case.

Windows, by default, does come with a firewall, but it's back to the philosophy of all sunshine, puppy dogs and kittens:
everything is supposed to connect with everything, and it all just works. Which is not the way it should be set up.

For a firewall to be absolutely secure and functional, you generally have to configure it manually and
know exactly what you are doing, else you run the risk of A. allowing something you didn't mean to,
or B. blocking something that you need.

I think the biggest misconception when you buy a software firewall is that they typically have
"automated" settings that are supposed to make the hard decisions for you. They make these decisions
based on a huge group of computers, and they work under the premise that... if your stuff stops working,
you're going to be hitting the forums and complaining about it. So they have to keep their settings loose
enough that everything works for a wide range of people.

To understand which programs are absolutely required and which ones are not, and what settings
can be locked down, can literally take years and a lot of fiddling around. Which kind of defeats the purpose
of the software, whose entire goal is to have the strictest security without configuring it.

So in that respect, I think the software companies really take advantage of people's ignorance. It really is
suggestive: your software says "You are protected!" and without wasting the better part of your life
investigating whether that's true, how will you know any different?

So what I use is Emsisoft; it features a malware scanner, website blocker, file guard, and behavioral blocking.

It's not perfect, as it employs that same mentality that everything is trustworthy, but its minimal design
and settings I feel can't be beat.

Anti-Malware Scans vs Real-Time Protection
=================================

Another concept people get confused by is that just because their malware detector does scans and
looks for malware when you tell it to, it has real-time protection. Wrong!

Real-time protection is basically like catching a criminal the moment he stepped out of line and did something wrong.

Anti-malware, meanwhile, is like a police patrol car that found the clues linking a criminal to the crime and arrests him on the
spot... the reason why this is bad is because you don't know what other havoc he caused and didn't confess to; he could
have also driven some of his buddies in, who are just lying low until the cops blow over.

It's always definitely better to prevent it before it ever happens.

That's what I like about Emsisoft: it has real-time protection that is constantly looking for
suspicious activity, and lets you know about it.

AVG does have real-time protection as well, but AVG has started to become a bit bloated lately, and
I found the responsiveness to be far from adequate, and removing AVG was far from a breeze.

Malwarebytes is a great anti-malware tool; in many scenarios I've found it can often detect many
threats that other software misses.

Internet Security
==============

So why do we have browser links like HTTPS? It uses SSL and it makes my connection secure,
but why?

SSL is a type of encryption that is very strong. It can still be decrypted; it would just take
a bit longer for the typical user.

Why use it at all, though, if my internet connection is secure?

All of the data that flows through the internet, like webpages, chatting, private messages,
unless it's encrypted... it all goes through the data cables as plain text.

So all it would take is for someone to more or less wiretap the data cable somewhere along
the way, and it's all available to them.

Or even easier, just convince one person at any one of the thousands of internet hub stations to
reroute the traffic to a particular group of people.

This might sound like something out of a spy novel, and surely nobody wants my data, but
don't be so sure. All it would take is to set up a wiretap once, and then you could read
and filter everyone's messages remotely.

Don't you think that would be a power someone would like to have?

User Accounts
============

Another big mistake many people make is to run their computer with one account.
This account is typically an administrator account, and it grants you permission to
do just about everything on your computer.

Which may seem pretty great at first: you're the only person using the computer,
you know exactly what you want to do, and typing in passwords is a pain in
the butt, so why not?

It's a great idea in theory, but it's not how the system was designed to be used.
Every program that runs on your computer needs to be given permission to do
its job. Even trustworthy applications like Explorer.exe have to be given permission
to do certain tasks that could affect your security.

So you set up an administrator account, and then you set up a user account.
Then you do your daily activity in your user account; when a program needs elevated
permissions, you give it your password and say "hey, I'm the boss, this program's okay".

This setup is primarily in place to prevent rogue applications from running silently
in the background without you noticing.

It is possible to reduce your "User Account Control" settings so that once
logged in, you can just confirm an application without entering a password all the time.
For long-term use this might be more acceptable, though not entirely secure.

Typically, you won't even need to log in to your admin account from startup; it's just there
to grant permission to users when you really need it.

Another huge mistake I see is people often leaving their admin passwords blank,
which defeats the whole purpose of your admin account in the first place.

Passwords & Password Keepers
==========================

So I'm not going to start out by telling you to pick a long, secure
and obscure password of numbers, letters and uppercase letters.

Over time, that whole process gets extremely tedious, and if you measure
how much time it will take you... you will be wasting tons of time.

I'm also not going to tell you to use a password keeper; telling a program to
remember all of your passwords is, in my opinion, still a bad idea.

You're basically saying that you don't trust every other application out there
to keep your computer safe, but you'll trust this one program to keep your
most important data safe.

In my mind, keeping your passwords ANYWHERE on your computer is just a
bad idea.

So what do I recommend? It's fast, it costs about the same as your password keeper
program, you don't have to remember a single password, and the passwords can even
be long and complex. Plus... you can also take it with you everywhere you go.

What I'm talking about is a barcode scanner: you plug it into your computer,
and with another program or computer you can create your own unique and
complex passwords.

Then whenever you need to enter a password... you just select the field,
zap your piece of paper with your barcode, and you're logged in.

Not only does it work for passwords, but usernames as well.
Even if it weren't just for keeping your computer secure, it's a great organizational
tool, and saves you tons of unnecessary typing.

Just consider all the time you put in typing your passwords.

The great thing about it is you can take your passwords with you, so they are
not just virtually secure, but physically secure as well.
 
Remote Desktop
================

By default, Windows comes with Remote Desktop Assistance automatically
enabled; this should be turned off.

Type "Allow remote access to your computer"
in the Windows Start menu.

Then disable that option.

NETBIOS TCP/IP **MUST READ**
=========================

By default, Windows has something called "NetBIOS" enabled; this should
definitely be disabled. This setting is responsible for a lot of hacking
attacks, and can allow someone to get access to your system.

It's an old and almost retired protocol, and might only be needed if you are
connecting two computers directly through a workgroup (not for a typical user).

When I was a teenager, I had a friend who used NetBIOS exploits to get into
other people's machines. That being said... it's on my top list of things to disable.

In your Start menu type
"Network and Sharing Center"

Click on the left "Change adapter settings"

Right-click "Local Area Connection", or the one that is enabled
for your internet.

Click Properties

Here is a list of all of the protocols your connection uses.
You really only need "Internet Protocol Version 4 (TCP/IPv4)" enabled.

That's up to you, though; what I really want to show you... is up ahead.

Double-click "Internet Protocol Version 4 (TCP/IPv4)"

Click "Advanced..."

Click the "WINS" tab.

Click "Disable NetBIOS over TCP/IP"

Press OK, OK, OK
and you're all set.

Services
========

Windows Vista and 7 come with something called "Services"; these are programs that
run in the background under the name "svchost.exe". You have likely seen them before.

You also probably know... if you try to close the wrong one, your Windows will stop working
and close automatically. So it's kind of an annoyance that Microsoft doesn't tell you which svchost
goes to which service.

Services have to be disabled through the "services.msc" program.

If you disable the wrong one, things can stop working, so it definitely helps to know which ones
to disable.

I recommend disabling the following:

Priority

    TCP/IP NETBIOS HELPER - NetBIOS/networking related.
    SECONDARY LOGON - provides a secondary means of logging in.
    SHELL HARDWARE DETECTION - autoruns programs when a CD or media is opened.
    REMOTE REGISTRY - allows remote access to the registry.
    ROUTING AND REMOTE ACCESS
    REMOTE DESKTOP CONFIGURATION
    SQL SERVER - if you're not running a MySQL server (most people don't)

It's probably a good idea to turn off these as well,
but they are less of a priority. Just remember the changes
you made, so you can change them back later if you need to.

    PRINT SPOOLER - if you don't have a printer or plan to.
    HOMEGROUP PROVIDER - if you don't have two computers networked together.
    WORKSTATION - if you don't have two computers networked together.
    SERVER - if you don't have two computers networked together.

Overall Security (+philosophy)
========================

Ultimately, when designing software, a program has to adhere
to 3 basic concepts:

1. Usability (ease of use)
2. Security
3. Functionality

If you strengthen or focus on any one of these more than the others, then the others suffer.

Part of the reason why I don't think software has grown half as fast as the computer hardware
industry has (other than perhaps they're apples and oranges) is, I think, that as a developer, for every
piece of code you write for functionality... you have to write something like 10 lines to ensure it's
not misused. The solution is often building layer on top of layer, as opposed to addressing the root
of the issues.
 
Well, that's all for now; keep the bugs off your bumper, and the bears off your a**.
I'll be interested to hear your thoughts or opinions.

                - Warren
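Added example, not from the original post or any forum member: a Windows PowerShell script that reports the state of the three Windows settings walked through in the post above (NetBIOS over TCP/IP, Remote Desktop / Remote Assistance, and the listed background services) and, only when run with -Apply from an elevated prompt, changes them the way the post recommends. It assumes a Windows 7 or later machine with the standard Win32_NetworkAdapterConfiguration and Win32_Service WMI classes; the SQL Server entry is left out because its service name depends on the installed instance.

```powershell
# Audit (default) or apply (-Apply) the hardening steps from the post above.
# Run from an elevated Windows PowerShell prompt on Windows 7 or later.
param([switch]$Apply)

# Services named in the post, by display name. Exact display names are used
# so nothing unexpected is matched.
$priority = 'TCP/IP NetBIOS Helper', 'Secondary Logon', 'Shell Hardware Detection',
            'Remote Registry', 'Routing and Remote Access', 'Remote Desktop Configuration'
$optional = 'Print Spooler', 'HomeGroup Provider', 'Workstation', 'Server'

Write-Output '== NetBIOS over TCP/IP (per IP-enabled adapter) =='
# TcpipNetbiosOptions: 0 = take the setting from DHCP, 1 = enabled, 2 = disabled
$labels = @{ 0 = 'default (DHCP)'; 1 = 'enabled'; 2 = 'disabled' }
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $state = $labels[[int]$_.TcpipNetbiosOptions]
    Write-Output ('{0,-45} {1}' -f $_.Description, $state)
    if ($Apply -and [int]$_.TcpipNetbiosOptions -ne 2) {
        # Same effect as the "Disable NetBIOS over TCP/IP" radio button on the WINS tab.
        $rc = $_.SetTcpipNetbios(2).ReturnValue    # 0 = success
        Write-Output "  -> SetTcpipNetbios(2) returned $rc"
    }
}

Write-Output "`n== Remote Desktop / Remote Assistance =="
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ra = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
$rdpDenied = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$raAllowed = (Get-ItemProperty -Path $ra -Name fAllowToGetHelp   -ErrorAction SilentlyContinue).fAllowToGetHelp
Write-Output "fDenyTSConnections = $rdpDenied   (1 means Remote Desktop is off)"
Write-Output "fAllowToGetHelp    = $raAllowed   (0 means Remote Assistance is off)"
if ($Apply) {
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
    Set-ItemProperty -Path $ra -Name fAllowToGetHelp   -Value 0
}

Write-Output "`n== Services =="
foreach ($name in ($priority + $optional)) {
    # Win32_Service (rather than Get-Service) exposes StartMode on older PowerShell too.
    $svc = Get-WmiObject Win32_Service -Filter "DisplayName = '$name'"
    if (-not $svc) { Write-Output ('{0,-30} not present' -f $name); continue }
    $tag = if ($priority -contains $name) { 'priority' } else { 'optional' }
    Write-Output ('{0,-30} {1,-8} {2,-8} [{3}]' -f $name, $svc.State, $svc.StartMode, $tag)
    if ($Apply) {
        # Disable the startup type first so the service cannot be restarted, then stop it.
        Set-Service  -Name $svc.Name -StartupType Disabled
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    }
}
```

Without -Apply nothing is changed, so run it once first to see which settings differ from the post's recommendations, and keep the report so you know what to revert if something (a printer, a shared folder) stops working.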
#2
Very good posting and very helpful, thanks.

Take the things as they come, so life is easier.
Netriel
#3
Thanks for sharing, good info :)
#4
I added 5 more sections:

    User Accounts
    Password Keeping
    NETBIOS
    Remote Access
    Services
#5
OK, a place that fails to get cleaned is
C:\Users\name\AppData\Local\Temp

Here is where locked folders and viruses are stored, and it should also be cleaned regularly.
Two pieces of software that are also advisable are:

    What Is Locking This File
    Unlocker

These will unlock any files and so help to remove them; ideal for stubborn viruses that refuse to delete.

May the leaves of your life tree never turn brown

