Windows Security Page
This is a harden-your-boxen guide for Microsoft Windows 2000/XP. Protection from spyware, worms, backdoors, viruses, and other exploits are discussed here.
- ZoneAlarm is NOT the answer. You cannot firewall the same machine the firewall software is on.
- Norton Internet Security is NOT the answer. If you want to be pestered by a bunch of false positives and have your standard Internet programs blocked, then go ahead and purchase a false sense of security.
- Windows Updater and Windows Security Center (including Windows firewall) are not covered here. Windows Firewall is problematic. Use a hardware firewall wired between your PC and your Internet source.
- Although it is important to keep your Windows installation up to date, Auto Update may install useless annoyances like WGA and Microsoft spyware such as that which is built into the new Windows Media Player. It is recommended that you review and install all updates manually.
Now for the REAL tips:
- Know what is running in memory. Be familiar with Processes in the Windows Task Manager. You may find something that doesn't belong there. Task Manager provides information about programs and processes running on your computer. It also displays the most commonly used performance measures for processes.
Contents
AntiVirus Software
- Any one of the following products is fine.
- ClamAV for Windows - recommended because it is relatively current with virus definitions, as well as being completely free and open source.
- F-Prot Antivirus - commercial. Works well and is well priced for individuals.
- Symantec AntiVirus Enterprise Edition - Works very well but is very expensive. The Symantec AntiVirus is premium compared to their SOHO Norton AntiVirus.
Avoid: McAfee antivirus products, which detect false positives and block useful Internet applications. Also be sure to avoid Norton Internet Security. Both of these products are annoying, poorly designed, and give the naive user a false sense of security.
Spyware and Junkware
Malwarebytes Anti-Malware has become very popular among PC service technicians and end users alike. It detects and removes many known malware programs. The free version does not offer real-time protection. It does allow you to conduct a manual scan whenever you want and definition updates are free.
- Spybot Search and Destory - free and despite a few dopey design issues, does an okay job. Don't get too excited about the "tracking cookies" it detects. Cookies are, for the most part, harmless. They just want you to feel like the program is catching stuff.
- Adaware
Three useful tools for removing PUP and junkware programs, including marginal malware:
- AdwCleaner.exe - Xplode Adware Cleaner
- JRT.exe - thisisu Junkware Removal Tool
- rkill.exe - RKill terminates and removes malware infections
Rootkit detection and removal
- tdsskiller.exe - Kaspersky Lab, TDSSKiller can detect and remove many rootkits.
Windows Registry Backup and Change Tracking
A key component of Microsoft Windows Registry Security is the ability to track file and registry changes made by software you are installing. Spybot Search and Destroy has registry monitoring capabilities. However, it is ideal to have an application watch and log every registry key modified in every hive by the software you are running or installing.
Spyware, and backdoors are programs that have to be loaded into memory to be a threat. They often hide in the registry, under misleading names, and link to files hidden within the Windows system folders. It may be next to impossible to tell what is legitimate and what is a backdoor Trojan when looking though the registry and system files without knowing what was touch by that latest program you installed.
You need the ability to revert to a registry state prior to a problem. This is useful in getting rid of spyware, as well as extending the free trial period on a lot of freeware software, which hides expiry data as disguised keys in the windows registry.
Traffic Monitoring
There's simply so much spyware and backdoor trojans, and so on out there that no tool is going to be able to detect them all. If you download and install software much then you need to be monitoring your computer traffic. Find out who your computer is talking to and what information it is sending by "sniffing the wire."
- windump - covered in the page Winpcap and Windump
- Ethereal / Wireshark - packet sniffer
- TCPView - Part of Microsoft Sysinternals
* The Ethereal project was forced to change names in May 2006 due to trademark issues. It is now called Wireshark.
Monitoring traffic from the infected host machine itself my not be helpful as the traffic might be hidden. The traffic needs to be intercepted from a healthy node along the way. Use a smart switch, or smart router. Another option is to route traffic though a hardened Linux machine between the infected host and the router. A router running aftermarket firmware such as OpenWRT, just like using a Linux PC, allows access to powerful tools such as: wireshark, tcpdump, and snort.
Securing Files
If your PC or network storage is compromised it means hackers could gain access to sensitive data such as financial data or bank documents. Although securing your network is wise, you can add an additional layer of security by encrypting files. A strong encrypted file with a random key can make the difference from the hacker reading your bank account details or spending hours trying to open an encrypted file without success. If files get stolen, make them useless to the hacker by encrypting them using non-dictionary based password keys.
You can add encryption to your most important or sensitive files on a file by file basis. There are different software to allow for this. An Open Source file encryption software for Microsoft Windows that is gaining a lot of praise is AxCrypt by Axantum software. It integrates with Windows to compress, encrypt, decrypt, and store files. You can password Protect any number of files using strong encryption.
AxCrypt is free and Open Source, however, the primary download installer has OpenCandy, the developer offers several alternative download options that are OpenCandy free, and free of any other adware/spyware/malware (as of this writing). To access the versions without OpenCandy you must register with an email address on the site. The .msi installers do not have OpenCandy.
AxCrypt is password based and uses a 128-bit key. Although the developer promises 256 bit encryption in the future, it is explained on the site why 128 bit is enough.
AxCrypt is superior to Windows Compressed Folder password protection in many ways. Windows Compressed Folders in Windows XP uses a WinZip compatible extension of the Windows Shell with the same weak algorithm in WinZip. WinZip encryption has been compromised and there are multiple documented examples.
