Here are some tips on how to secure your Microsoft Windows system, if you’re a home user, small business user, or other small organization user (such as small non-profits).
Since I work in computer security I occasionally get asked by Microsoft Windows users questions like “I got this strange error message -- do I have spyware?” or “How do I keep my [Windows] computer secure?” Large businesses employ people who secure computer systems as a full-time job, but that doesn’t help if you’re a home or small business user.
You can’t ignore the problem -- if you ignore security, and connect to the Internet, your Windows machine will almost certainly have serious security problems, and soon. One study found that an unpatched Windows XP system only lasted 4 minutes on the Internet before it was compromised. The “AOL/National Cyber Security Alliance Online Safety Study” of October 2004 determined that 80% of Windows users were infected by at least one spyware/adware product. Many organizations such as BusinessWeek have reported on spyware and other Windows security problems. Researcher Ben Edelman did a test where he installed one WindowsMedia video file, and through its digital rights management mechanisms it deceptively installed 31 spyware/adware programs. He noted that "All told, the infection added 58 folders, 786 files, and an incredible 11,915 registry entries to my test computer. Not one of these programs had showed me any license agreement, nor had I consented to their installation on my computer." (Edelman provides much more information about spyware if you're curious). The top six reasons that Explorer crashes aren't traditional defects - they're side-effects of a virus infection (Windows is the only OS with a serious virus problem).
Attacks are more serious now, because they’re no longer just kids’ pranks. BusinessWeek reported in February 2006 that profits from cyber crime were higher than profits from the sale of illegal drugs for the first time in 2005. NetworkWorldFusion stated in December 13, 2004 that “a spyware program can send corporate data directly from your company’s client computers to an Internet-based data collection facility, such as a shady adware site or other group of bad guys.” It also said that “some spyware sends captured data to North Korean intelligence agency servers. The North Korean government analyzes what it captures, sells the data to criminals and organizes international distributed DoS attacks. South Korea’s defense ministry recently said that North Korea has trained more than 500 computer hackers to wage cyber-warfare against the U.S. The ministry reported that North Korean militant hackers, who have undergone a five-year university course geared toward penetrating the computer systems of the U.S., South Korea and Japan, are among the best in the world.” Imam Samudra’s fall 2004 jailhouse autobiography contained virulent justifications for his part in Bali attacks that murdered 202 innocent people -- and a chapter titled “Hacking, Why Not?”, where he urges others to attack U.S. computers, especially to perform credit card fraud (”carding”) to finance murder and terror. RIAA/MPAA contractor Overpeer distributes files that appear to be music, but instead open multiple ad pages and attempt to install software on the viewer's computer without permission (see articles by PC World and P2PNet). And many businesses have discovered that they can make a profit exploiting your privacy, harassing you with ads, and so on. In short, companies doing corporate espionage, organized crime, terrorists, foreign governments, and people who simply enjoy causing damage can cause you serious problems with the click of a button if you don’t watch out.
Upgrading to the Vista version of Windows will solve it all, right? No. Experts agree that Vista will continue to have vulnerabilities. Ben Fathi, the former head of Microsoft's security group and now the chief of development in the Windows core operating system group, said at the RSA Conference 2007 in San Francisco last month that if Vista had half the security vulnerabilities that Windows XP had, he would consider Vista reaching a "great goal." Eugene Spafford, executive director of the Purdue University Center for Education and Research in Information Assurance, says that Windows is inherently insecure, which is why the market for "anti-virus software, intrusion detection systems and firewalls is so huge". Graham Cluley, senior technology consultant for Sophos PLC, said, "What isn't in doubt is that there will continue to be flaws found in Microsoft Vista." In May 2007 extensive testing by CRN determined that users of Windows Vista and Windows XP "are equally at risk to viruses and exploits and that overall Vista brings only marginal security advantages over XP... Vista's security failed to impress Test Center engineers. Vista remains riddled with holes... [offering] no improvement in virus protection vs. XP, [and] little or no security gains over its predecessor against such threats as RDS exploits, script exploits, image exploits, VML exploits, malformed Web pages and known malicious URLs". In May 2008, John E. Dunn's article "Vista laid low by new malware figures" stated that "Vista's reputation for improved security could be heading for the pages of history... new figures appear to back up [PC Tools'] claim that Vista is almost as vulnerable as its predecessors... [27% of all Vista machines probed] were compromised by at least one piece of malware over the six months to May 2008. Don't confuse nagging with security; iReboot's developers conclusively demonstrated that "Windows Vista ... [makes software development] more complicated without actually providing any further protection for end users from malware". Vista certainly isn't making everyone happy, with its many incompatibilities. Indeed, many organizations have decided that Vista (and/or Office 2007) is a bad investment - it creates numerous incompatibilities with the rest of the world, costs a lot of money (e.g., because of forced hardware updates and retraining), so much so that in 2008, InfoWorld stated that "XP must be saved". One-third of Vista users downgraded it to XP in 2008, says one report; another says that in June 2008, 60% of IT administrators had no plans to deploy Vista. There are even statements that Vista is 'dead'; it'll sell, but mostly because it comes pre-installed or via forced upgrades.
I’ve created this page to give you, the home or small business user, a few simple things to do that will help make your existing system more secure. This paper is for those who don’t know much about computers, or for those who normally use an operating system other than Microsoft Windows but suddenly must secure a Microsoft Windows system. I hope you find this information helpful. You don’t have to do every step, but I’ve tried to describe what will happen if you don’t, so you’ll know what you’re risking. Some argue it's easier to constantly buy new machines to get rid of the spyware - a better way is to keep it off in the first place.
Many tips are independent of what system you use, but many other tips are unique or more important to Windows users. Many independent observers agree that Windows has the worst security record of all operating systems, unfortunately. You can eliminate the many Windows-specific vulnerabilities addressed here by switching to an alternative product; even The New York Times' "Tips for Protecting the Home Computer" by John Markoff in 2007 noted that using a non-Windows system is a defense worth considering. I always urge people to consider their options before making a decision -- it's just the smart thing to do! Nevertheless, for purposes of this paper I'll presume that you've chosen to use Microsoft Windows, for whatever reason, and that you want to reduce your risks to something manageable.
The basic ideas here are actually quite simple. We want to create a set of layered defenses (such as by using firewalls), avoid adding or running arbitrary (untrusted) programs, replace programs that have a bad security track record (particularly Internet Explorer and Outlook) with more trustworthy programs, and keep up with patches. These are all my own opinions -- I represent no one here -- but I offer up these ideas in the hopes that they’ll help others protect their systems, based on experience.
In this paper, “small business” includes small non-profits like churches, schools, civic groups, and consortiums. I’ll use the term “Windows” (with the initial capital letter) as an abbreviation for Microsoft Windows; the term “windows” is actually a generic computing term that predates Microsoft’s product by many years.
I’m not an anti-Microsoft person, and please don’t read this text as “Microsoft is always bad.” Indeed, I applaud Microsoft for recently training their developers in how to write secure software (a task their developers didn’t know how to do), and I hope that future products will be more secure (though some have pointed out reasons to be skeptical). But I’ll also condemn decisions they’ve made that harm their customers when they've occurred. It’s no secret that this has occurred; even Microsoft’s Craig Mundie admitted that their products were “less secure than they could have been” because they were “designing with features in mind rather than security” -- even though most people didn’t use those new features. For security, users need to follow some guidelines (to mitigate the problems), replace those products, or suffer the consequences.
It's not my focus, but using CCleaner and setting MyDefrag to run once a week improve performance and make performance loss more obvious.
Not sure what any of these tips mean? Here is more detail about each one:
Home users can feel free to use child filters/blockers (sometimes called porn blockers), but they should not depend on blockers. In my experience such blockers don’t work well enough to be relied on; they don’t filter what you want them to, and they filter out material that you do want them to have access to. You just can’t depend on them. Worse, parental filters do nothing to stop stalkers from interacting with your kids, which I think are a much worse threat to your children. So don’t even put a network or wireless card into computers you can't easily monitor. Instead, make sure that any Internet access is limited to public access areas (like a family room or living room) or adult-only areas (like the parents’ bedroom or office). This is probably less practical as the kids get much older, but particularly for small children, just tell them those are the house rules; they’ll live! Then talk with and monitor your kids, just like you'd talk with and monitor them in physical public settings.
You can add filters as well, of course. Dan's guardian is freely available and is open source software. However, the program itself runs on Linux or BSD, so you need to create a Linux or BSD system to run it, and then have the Windows systems access the Internet through it.
A different kind of filter is one involving web search engines. Start by logging in as your child and then set their search engine's preferences. For Google, set their Google SafeSearch preferences to use strict filtering. For AltaVista, set the AltaVista family filter.
If you run a business, you may have some highly sensitive data that you don’t want copied or modified. If it’s really sensitive, don’t connect the machine holding that data to the Internet at all; make it a stand-alone computer, and use floppies, CD-ROMs, USB sticks, or other media to send data in and out. You can encrypt and decrypt data on that machine, using a secure encryption algorithm such as AES (older guides also list 3DES, but it is now deprecated and should not be chosen for new use), and then send/receive encrypted files. You can share passwords and keys using other means (such as an initial face-to-face meeting). If you can’t do that, at least give it only brief Internet access, and set your firewall to really limit what it can do... but that’s a far less effective method. Today computers are cheap, and dedicating a disconnected computer (or even a small network) to especially sensitive information is one of the most effective measures to prevent and limit the damage of many attacks.
Unfortunately, many Windows programs (especially many games, educational programs, and custom programs used by businesses) won’t run on these later systems without admin privileges -- if they run at all on later versions of Windows. There are historical reasons for this. Earlier versions of Windows didn't support the notion of unprivileged accounts, and even now many Windows application developers do not develop and test their programs to see if they'll work without admin privileges. Indeed, Keith Brown, author of Programming Windows Security, reported in 2005 that 70% of all Windows applications cannot be run without admin privileges. This is all in contrast to Unix-like systems (including Linux and MacOS X); Unix-like systems have enforced security for decades, generally without giving users unnecessary privileges. As a result, application developers for those systems normally ship products that don't require excess privileges. This is one of the technical reasons why Windows systems get viruses so often, while Unix-based systems essentially never see viruses (see also Bruce Ediger's information on viruses).
If you’re a home user, you might want to set up a specially-designated Windows system just to run the programs that require admin privileges, and don’t connect that machine to the Internet. It's quite reasonable to make that isolated system a Windows 95/98/ME system, especially since so many programs don't work on later versions of Windows anyway. Yes, people do use older systems -- at the end of 2004, 21% of Windows users were Windows 95/98/ME users (this study includes home users). A different study by AssetMetrix of businesses found that in the first quarter of 2005, only 38% of business PCs used Windows XP (the current version of Windows), and 48% of business PCs used Windows 2000.
It’s also a good idea to rename the “Administrator” account. This is a powerful account, and renaming it counters a few attacks without harming normal use.
When you access the web, don’t use the same password everywhere. Instead, if you care about what the password protects, use different passwords for different websites and use good passwords. At one time, it was a good practice to memorize passwords and not write them down, but good passwords are too long and you need too many passwords for that to be practical nowadays. Instead, do one of the following:
There’s a “Guest” account on Windows that’s disabled in many configurations, but some attackers exploit or manage to enable it. So give the “Guest” account a password and leave it disabled (this suggestion comes from Tony Bradley’s Microsoft Windows Security 101). There’s a serious defect in Windows XP Home edition: according to LabMice, when you disable the Guest account in Windows XP Home Edition via the Control Panel, Windows only removes the listing of the Guest account from the Fast User Switching Welcome screen and the Log-On Local right. What you really wanted to remove -- the network credentials -- will remain intact and guest users will still be able to connect to shared resources of the affected machine across a network! Microsoft Knowledge Base article 300489 says that this horrific defect is actually intentional. The best workaround for XP Home users is to assign a strong password to the Guest account.
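The two account changes above (rename the built-in Administrator, give Guest a strong password and leave it disabled) can be scripted on current Windows versions. The following is an added example, not code from the original article; it uses the Microsoft.PowerShell.LocalAccounts cmdlets that ship with Windows PowerShell 5.1 (Windows 10 and later), must be run from an elevated prompt, and the new administrator name is an assumption. It finds the accounts by their well-known relative IDs (500 for Administrator, 501 for Guest) rather than by name, so it still works if a previous rename already happened.

```powershell
# Added example (not from the original article): harden the built-in
# Administrator and Guest accounts on a current Windows version using the
# Microsoft.PowerShell.LocalAccounts cmdlets from Windows PowerShell 5.1.
# Run from an elevated (Administrator) PowerShell prompt.
#Requires -RunAsAdministrator

$NewAdminName = 'LocalOps'   # assumption: any name other than 'Administrator'

# 1. Rename the built-in Administrator account. Its SID always ends in -500,
#    so locate it by SID; the name may already have been changed.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($admin.Name -eq 'Administrator') {
    Rename-LocalUser -Name $admin.Name -NewName $NewAdminName
}

# 2. Give the Guest account (SID ending in -501) a long random password and
#    make sure it is disabled. Nobody needs to know this password; the point
#    is that a blank or guessable one no longer exists, which is the workaround
#    recommended above for the XP Home guest-share behaviour.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$randomPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-LocalUser -Name $guest.Name -Password $randomPw
Disable-LocalUser -Name $guest.Name

# 3. Verify: both well-known accounts with their current names and state.
#    Expect the -500 account under the new name and the -501 account with
#    Enabled = False.
Get-LocalUser | Where-Object { $_.SID.Value -match '-(500|501)$' } |
    Select-Object Name, Enabled, SID
```

On Windows 10 and later the Guest account is disabled by default and cannot be used for network logons, so step 2 mostly guards against something (or someone) re-enabling it later; the verification step at the end is the part worth re-running periodically.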
But if you use Microsoft Windows to access the Internet, you must deal with viruses and spyware. Windows systems are heavily attacked, and in my opinion, they don’t do a good job defending themselves. Microsoft has recently added DRM capabilities (digital restrictions management), which has made things worse; attackers are using DRM to attack users and add spyware. In short, while they are nearly unknown elsewhere, if you use Windows, viruses and spyware are serious problems you can't ignore.
Most anti-virus programs are fairly mature, and most of the well-known ones do a reasonable job at blocking or cleaning up old (known) viruses. One example of a reasonable program is AVG, and they have a no-cost edition. Unfortunately, Microsoft's own flagship product, OneCare, is one of the worst - several independent studies have determined that it's unacceptable for use. Andreas Clementi, senior tester at AV Comparatives, declared after testing that "[Microsoft OneCare] performed very low in the test, and did not reach the minimum requirements for participation" - the only product in a large suite that failed.
So, if you use Windows, get a reputable anti-virus system, and continuously keep your virus software up-to-date (this usually requires paying continuing maintenance fees). If you are not willing to do this, consider using another operating system instead (such as MacOS or Linux).
Anti-spyware programs, unfortunately, don’t do all that well, but the reputable ones are better than nothing. You should get an anti-spyware program, and then use other methods to give additional layers of defense, since spyware is also a serious problem. More info on anti-spyware programs is at: http://www.firewallguide.com/spyware.htm and http://spywarewarrior.com/asw-test-guide.htm. A PC World review found that the reputable free programs such as Spybot Search & Destroy (S&D) were better than the heavily advertised pay-for anti-spyware programs. Network World (December 13, 2004) evaluated four anti-spyware programs, though for large enterprises (which have some different requirements such as needing centralized management); they liked Spy Sweeper Enterprise 1.5 and Omniquad AntiSpy Enterprise Edition 4.0. They thought that Spybot Search & Destroy did “quick, accurate elimination of spyware” at no cost, though they didn’t like it that technical support was only available via email (that may not matter to you). They didn’t like InterMute SpySubtract Pro 2.5 as much, saying it had very poor ease-of-use. For spyware, I’ve seen good reports about Ad-aware, GIANT AntiSpyware (now Microsoft), Pest Patrol, Spybot Search & Destroy, and Webroot Spy Sweeper. Be wary; a few of the “anti-spyware” programs are made by spyware makers, and will actually cause you problems by inserting spyware. If you have (or think you might have) spyware or viruses, it’d be better to erase the hard drive & re-install, though I understand that’s very time-consuming. But even if you re-install, you need protective programs.
More recently, Microsoft has bought GIANT and provides a derivative of it as their own product. As of 2005-01-06 this is a buggy beta product, but hopefully it will get more stable quickly.
Unfortunately, there are lots of scammers. For example, MS Antivirus is a "scareware rogue anti-virus", and in spite of its name, should not be confused with Microsoft Security Essentials or Microsoft Antivirus. This program (and ones like it) fraudulently claims that you have a problem, and then asks you to send money to "upgrade" so it can fix the problems.
Neither anti-virus nor anti-spyware programs are perfect. Anti-spyware software in particular is not very good at removing problems; they’ll probably miss about half of the problems. So, you need to take other preventative steps; certainly don’t depend on just these programs!
Buy a separate component that does firewalling for you; don't just depend on the firewall built into some versions of Windows. It’s likely you already have this separate component; firewalls often come built-in with wireless hubs, cable “modems”, and DSL modems. While not as function-rich as dedicated firewalls, for most home and small business owners these firewalls are quite sufficient. Most small businesses’ connections to their ISP include a firewall already (and if not, they’re easily added, and you really should). Otherwise, buy one; you may find it cheaper to buy a router or wireless hub with a firewall, even if you only need it for one computer now (if you buy a wireless hub, disable the radio or secure it as I discuss below). Alternatively, you can turn an obsolete PC into a dedicated firewall with two network cards and freely-available programs like Smoothwall (here's a Smoothwall review), Astaro, IPCop, Coyote Linux (here's a review of Coyote Linux), or floppyfw. Coyote Linux and floppyfw only require a floppy drive (no hard drive or CD-ROM needed) to run, and have trivial hardware requirements (Coyote Linux requires a 486 or better, floppyfw requires a 386 or better); you can often find such a computer for free.
Windows XP includes a built-in firewall, and Windows XP Service Pack 2 (SP2) turns on the built-in firewall. You should turn on any built-in firewalls you have available as well, but the built-in firewall of Windows is easy to disable (particularly by spyware), and for many versions it allows far more than it should. So I think a typical home or small business owner shouldn’t just depend on it. If you just can’t afford an external firewall, and you have a single system that dual-boots between Windows and some other operating system, consider disabling all network drivers in Windows as an alternative.
This is primarily a Windows problem; other operating systems such as GNU/Linux and the BSDs are better able to withstand attacks without a firewall (and in fact they’re often used to implement firewalls). There are several reasons for this. These other systems have built-in firewalls that are very strong and have been there for years. Also, these other systems don’t normally export services unless you specifically ask them to; by not providing attackers with unnecessary services to attack, these other systems tend to be a lot less vulnerable than Windows. It’s a good idea to run behind a firewall for any system, since firewalls provide some additional protection, and I’d suggest it for any system. But since Windows has an especially poor security record, external firewalls are basically mandatory for Windows users.
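The "turn on the built-in firewall anyway" advice above, and the point that a system should not export services nobody asked for, can both be checked from a script. This is an added example, not code from the original article; it assumes Windows 7 or later (the NetSecurity module), an elevated prompt, and the default log file location. It forces the Windows Firewall on for every network profile with a default-deny inbound policy, then lists every TCP port the machine is actually listening on, which is the list of services an external firewall still has to stand in front of.

```powershell
# Added example (not from the original article): enable the built-in Windows
# Firewall on all profiles with default-deny inbound and logging of dropped
# packets, then list listening TCP ports and the processes behind them.
# Requires the NetSecurity module (Windows 7 / Server 2008 R2 and later).
#Requires -RunAsAdministrator

# 1. Enable all three profiles; block unsolicited inbound, allow outbound,
#    and log what gets dropped so you can see who is knocking.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Verify: all three rows should show Enabled = True and
#    DefaultInboundAction = Block.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 3. Every listening TCP socket and its owning process. Anything here that
#    you did not deliberately set up is an "unnecessary service" in the sense
#    used above: disable the service, or at least make sure the router does
#    not forward that port.
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessId    = $_.OwningProcess
            ProcessName  = if ($proc) { $proc.ProcessName } else { '?' }
        }
    } |
    Format-Table -AutoSize
```

Sockets bound to 0.0.0.0 or :: are reachable from the network; ones bound to 127.0.0.1 or ::1 are local only and far less of a concern. Malware that disables the firewall (the failure mode the text warns about) will undo step 1, which is why step 2 is worth re-running, and why the external firewall remains the primary defence.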
Keep all programs up-to-date with any patches that are available. But in particular, keep Oracle Java JRE, Adobe Reader / Acrobat, Adobe Flash, and Microsoft Internet Explorer updated. Historically, most exploits come through those programs.
You really should back up before installing a Microsoft patch; patches (especially Service Pack 2, aka SP2) can cause the system to become unusable in certain cases. But not patching (or delaying too long) will eventually cause serious problems; someone will exploit your system if you fail to do so (and you ever connect it to the Internet). Remember to firewall your system before trying to download patches! And remember that in Windows most patches require a reboot after installation (again, this isn’t true for most other operating systems), and dependencies may require that you do this several times. That means that patching can take more time to implement than on competing systems; be sure to plan for this time.
If you use Windows XP, you should install Service Pack 2 (SP2), but you must do this extremely carefully and only after you have backed everything up. SP2 is a major improvement in security and well worth it if your system and applications will still work once it’s installed. Unfortunately, many people have had a lot of problems with SP2. Thus, you need to be prepared to reinstall all your data and all your software if necessary. Some people’s critical applications stop working, and in some cases the entire system won’t even boot, after installing SP2. As noted in The Dark Side of Windows XP Service Pack 2, you’re more likely to be successful if you first remove spyware, update drivers (especially if you use nVidia), and back up your system before installing SP2. Be prepared for extra time to get your applications running again after installing SP2. Some applications don’t work at all with SP2 or have limitations; for example, security scanners like nmap can only work on Ethernet connections when Service Pack 2 is installed (if this is a problem for you, you’ll need to switch to a different operating system or avoid SP2). Use Google to find suggestions for how to configure applications that balk at SP2. But if you use Windows XP, install SP2 if at all possible. Yes, it can be painful, but security problems can be even worse.
Patching is no guarantee; attackers will attack Windows using exploits for which there are no patches. So you still need to do other steps.
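The patching advice above comes down to three routine actions: back up (or at least take a restore point) before applying Microsoft updates, confirm what was actually installed, and keep an eye on the handful of third-party programs that historically carry most exploits (Java, Adobe Reader/Acrobat, Flash). The following added example, not code from the original article, does all three on Windows PowerShell 5.1 from an elevated prompt. The registry paths are the standard Add/Remove Programs locations; the name patterns used to spot the risky programs are an assumption and can be widened.

```powershell
# Added example (not from the original article): take a System Restore point,
# list the most recent Windows updates, and inventory the historically
# most-exploited third-party programs with their installed versions.
# Windows PowerShell 5.1 only (Checkpoint-Computer is not in PowerShell 7).
#Requires -RunAsAdministrator

# 1. Restore point. Windows creates at most one per 24 hours unless the
#    SystemRestorePointCreationFrequency policy is changed, so this is a
#    lightweight safety net, not a substitute for a real backup.
Checkpoint-Computer -Description 'Before monthly patches' -RestorePointType MODIFY_SETTINGS

# 2. The ten most recently installed Windows hotfixes. A long gap since the
#    last InstalledOn date is the simplest sign that updates are not arriving.
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, Description, InstalledOn

# 3. Installed versions of the risky third-party programs, from both the
#    64-bit and the 32-bit (WOW6432Node) uninstall keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$riskyPattern = 'Java|Adobe (Reader|Acrobat)|Flash Player'   # assumption: adjust to taste

Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $riskyPattern } |
    Select-Object DisplayName, DisplayVersion, Publisher |
    Sort-Object DisplayName |
    Format-Table -AutoSize
```

If step 3 prints a program you no longer use, uninstalling it removes the attack surface entirely, which is cheaper than patching it forever; Flash in particular has been end-of-life since the end of 2020 and should simply be removed.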
Many others say the same thing: switch away from Internet Explorer. Security expert Bruce Schneier recommends not using IE. An editorial in Redmondmag.com also recommended switching from IE to Firefox. The Wall Street Journal’s Walter S. Mossberg says “I suggest dumping Microsoft’s Internet Explorer... I recommend instead Mozilla Firefox.” (he repeats this again at the end of 2004). USA Today's Byron Acohido and Jon Swartz recommend switching from Internet Explorer to Firefox for improved security, and Forbes' Arik Hesseldahl recommends switching from Internet Explorer to Firefox as well. In 2005, Forbes labelled Firefox as their favorite web browser in their "best of the web" awards. eWEEK.com Senior Editor Steven J. Vaughan-Nichols thinks IE is too dangerous to keep using (he says Internet Explorer is insecure junk, and it’s time for Windows users to move to Firefox if they want to protect their systems). Government Computer News' product review of Firefox stated: "Put simply, Firefox is everything you need in a browser, minus the security risks common with Explorer." Washington Post columnist Rob Pegoraro says “I think anybody using Internet Explorer should switch to Firefox today. Seriously.” He also says that “Firefox’s security goes deeper than that. It doesn’t normally support Microsoft’s dangerous ActiveX software, which gives arbitrary Web sites (and any attacker who has taken them over) control of your computer as though they were you. It omits IE’s extensive hooks into the rest of Windows, which can turn a mishap into a systemwide meltdown.” Gartner noted that IE has many design flaws that fundamentally impede its security: "because IE is integrated into the Windows operating system, flaws in IE have a greater impact than flaws in a stand-alone browser. 
Also, it takes longer to create fixes (since regression testing must include the entire operating system), and applying IE patches is often more time-intensive and expensive (requiring reboots, for example)." In March 2005 the Denver Post said "Experts agree these two programs [Linux and Firefox] are less susceptible to viruses and other Internet ills than Microsoft's [products]." Longtime Internet guru Peter da Silva reports that "when Microsoft started integrating the browser and the desktop, I managed to get Internet Explorer, Outlook, and other applications that used the same interface banned... we continued to use Windows... and we took a relatively lightweight approach to security other than banning IE. Result? Occasional single-workstation virus alerts, almost never an infection beyond one user's machine... and a large percentage of the time it was a user running Outlook "unofficially" that caused the problem. Far fewer problems than my counterparts at sites that imposed heavy restrictions but standardized on IE." The article Spyware, Adware, Windows, GNU/Linux, and Software Culture notes that it's very important to switch to a browser other than IE. Desktop Pipeline's Scot Finnie praises Firefox as well. Even many who are often supporters of Microsoft recommend dropping Internet Explorer. Daniel Miessler, an MCSE, says "I happen to like quite a few of Microsoft's products... [but] Don't use Internet Explorer." He gives two reasons for saying this:
Vulnerabilities have repeated with such regularity in IE that in December 2004 Pennsylvania State University issued an alert to students and staff telling them to drop IE and use an alternative. David Hammond's Internet Explorer is dangerous article explains in more detail why switching is a good idea. Scanit's Browser Security Test group found that in 2004, 98% of time Internet Explorer was vulnerable to dangerous known remote attacks, with no patch available to prevent it, compared to 17% for Opera and 15% for Mozilla/Firefox. There were only 7 days in 2004 where Internet Explorer could be safely used (where patches were available for all publicly-known worst-case vulnerabilities). A 2006 survey found that again, IE was far more dangerous to use than Firefox. No browser is perfect, but why choose one that is so much worse than the alternatives?
Many other security organizations have expressed serious concern. The US-CERT listed as one of its solutions to IE vulnerabilities switching to a different web browser; they report vulnerabilities in many products, but typically don’t include switching to another product as one of the options. The simplest summary was that US-CERT was warning Web surfers to stop using Microsoft's Internet Explorer (IE) browser. US-CERT noted that the fundamental design of IE makes it much more vulnerable than alternatives; it said that “there are a number of significant vulnerabilities in technologies relating to [IE]” and that “IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.” Other news organizations widely noted this concern. According to Secunia, as of 2004-12-17 IE has many more unpatched yet known security vulnerabilities compared to other widely-used browsers (see their reports for IE, Firefox, and Opera). The SANS Most Critical Internet Security Vulnerabilities lists 10 critical vulnerabilities for Windows, and the Version 5.0 (October 8, 2004) edition includes web browsers (#5) and mail clients (#9). Once you delve in, you discover that the real dangers are really IE and Outlook, since the alternatives don’t have many of the same problems. SANS identifies 6 serious problems with IE, compared to alternatives: (1) IE has a larger number of vulnerabilities than other browsers, (2) it’s taken a longer time to patch known IE vulnerabilities (sometimes in excess of 6 months), (3) ActiveX and Active Scripting can be used to bypass the security constructs of the browser, (4) a large number of unpatched vulnerabilities, (5) spyware/adware vulnerabilities, and (6) integration of IE into the operating system (OS) makes the OS more vulnerable to exploitation. 
SANS states that “If using an alternative browser is not an option, consider disabling ActiveX entirely except for internal ActiveX applets that can be preinstalled on the machine.” The article Can You Bank on IE Security? from Bankers Online (a magazine for bankers) noted that respected organizations like CERT, SANS, and NIPC have all essentially suggested switching from Internet Explorer, and tells banks to prepare for the many users who will be switching away from IE. Scott Granneman's article on SecurityFocus pleads for users to stop using IE, too, because of its legions of security problems.
Trying to visit only trustworthy sites won’t protect you as much as you’d think. Attackers have found many ways (such as breaking into those sites or their advertizers, or redirecting data through them) to send malicious data to IE users. BusinessWeek’s Stephen H. Wildstrom believes that using Internet Explorer is just too risky, after exactly that kind of attack exploiting known but unpatched flaws in Microsoft IIS and IE impacted a vast number of IE users; as a result, many IE users had their keystrokes (including bank account information and passwords) logged and sent to a computer in Russia.
I suggest that you switch to the freely-available Firefox web browser instead (a suggestion many others make, as you can tell above). Firefox costs nothing, it’s more secure, and it’s generally a better browser. Firefox has rapidly grown in market share (with 25 million downloads in just 99 days), and lots of reviewers like Firefox. Some January 2005 statistics from Net Applications show that Firefox use has continued to grow, while IE's usage has been steadily shrinking. Firefox's source code and internal documentation are publicly available and it has been widely scrutinized; indeed, the Mozilla bug bounty program pays people who report critical security bugs, and they’re given all that information to work with. Thus, there are no “secret spying codes” in it (people have looked!), and it has a far lower security risk. It’s a spin-off from Netscape Navigator, so most people have no trouble using it (indeed, if you’ve ever used Netscape Navigator it’ll seem familiar). And many are supporting it; for example, Google employs Firefox's leading developer (see Goodger's blog entry). Even one of Internet Explorer's former developers switched to Firefox. The tabbed browsing and built-in search window capabilities alone are enough reasons to switch, but if you don’t want viruses, spyware, and endless pop-ups, this is a serious help. It has much better support for web standards, and Google works more quickly with Firefox than with IE (because Firefox supports something called "prefetching"). If you're curious to learn more about how browsers work, see How Firefox Works.
Just about any other browser (such as Netscape and Opera) would be better too. In a few cases websites won’t look right, but I find that’s pretty rare, and there are many sites IE won’t display correctly as well. You can run IE for a specific website if you need to, and tell the site owner to fix their website while you do (there is even a Firefox extension, IE View, that lets you view the current page in IE if necessary). Besides, if it won’t work for Firefox, it won’t work for most PDAs, cell phones, TVs, and the many other gadgets that can access the web, so they’ll need to fix their site anyway. Other alternatives include Opera and Mac OS X's Safari.
Now this does not mean that Firefox will be free of any security problem. Firefox will have security problems too! But past history strongly suggests there will be far fewer of them that affect you than in IE, which means that you greatly lower your risk by switching.
Firefox automatically disables pop-ups; pop-ups are a serious problem with most versions of Internet Explorer. Older versions of Internet Explorer let pop-ups fly through; while XP Service Pack 2 tries to close this problem, there are still attacks that break through Internet Explorer’s pop-up protection on SP2.
Perhaps more importantly, switching away from IE will automatically disable ActiveX, a very good thing since ActiveX is a constant source of serious security problems (ActiveX has been noted as a design flaw for years, and in fact it's symptomatic of the general problem that Microsoft often reuses code for new purposes even when it's unsafe to do so). You can also disable Java and JavaScript for an additional measure of security, but both are needed by many websites, and they’re much less dangerous than ActiveX. JavaScript and Java run in a “secure sandbox” that tries to protect you from problems (and it usually succeeds), while ActiveX components disable all application security when they run -- a key reason why ActiveX is so dangerous. This isn’t just my opinion; the CERT/CC notes that ActiveX is a far greater danger than sandboxed techniques like Java, and the Department of Defense defines ActiveX as a Category 1 (maximum risk) technology. As pointed out by Professor Edward Felten of Princeton University, “ActiveX security relies entirely on human judgement. ActiveX programs come with digital signatures from the author of the program and anybody else who chooses to endorse the program. ... The main danger in ActiveX is that you will make the wrong decision about whether to accept a program. ... The most dangerous situation, though, is when the program is signed by someone you don’t know anything about. You’d really like to see what this program does, but if you reject it you won’t be able to see anything. ... The only way to avoid this scenario is to refuse all programs, no matter how fun or interesting they sound, except programs that come from a few people you know well.” Some of the security problems of ActiveX were demonstrated back in February 1997 by the Chaos Computer Club (CCC). The CCC demonstrated an ActiveX control that could use Intuit’s Quicken financial software to automatically transfer money from a user’s account to the CCC bank account.
Microsoft’s Charles Fitzgerald, program manager of Microsoft’s Java team, stated: “If you want security on the ‘Net, unplug your computer. ... We never made the claim up front that ActiveX is intrinsically secure.” Given today’s attacks, it’s absurd to depend on such a poor foundation. A quick search through the CVE vulnerability database using ICAT demonstrates that ActiveX is dangerous. Yes, you can get ActiveX components signed, but that doesn’t tell you what you need to know; anyone can get a digital signature by paying for it. If you use some internal application with ActiveX, work with the developer to wean them from ActiveX quickly, or drop it quickly. ActiveX is a bad idea anyway; its non-portability means you can’t use it on many useful platforms that have web browsers (including Macs, Linux, PDAs, cell phones, and so on). But from a security point-of-view, allowing ActiveX to run is an unacceptable risk today -- today’s computers are under constant attack. Intrinsically insecure ActiveX is just a bad bet.
Firefox has become such a threat that Microsoft has started developing IE again. But there's no need to wait, and there's no evidence that the next version of IE will actually be better (from a security point of view) than Firefox or other alternatives. For example, Microsoft has not committed to disabling ActiveX as the default, or to separating the browser from the operating system. And security is not something you just "add in" in a few months; it takes years, hard work, and lots of review to really create a secure product. It's easy to say "we'll eliminate security bugs" -- but the only real proof is in the pudding, and Mozilla/Firefox is in a lead measured by years from a security point-of-view.
Also, Microsoft still hasn't committed to implementing critical web standards (such as the W3C's CSS2), even though they were released many years ago, others have done so, and services like Google Maps have shown the value of supporting these standards. Web developers have complained to Microsoft for years about their inadequate standards support; if you switch now, you can enjoy support for web standards right now. Major Australian newspaper The Age's article "Firefox explorers" discusses why supporting standards is so important; it gives as an example Bill Robertson's De Bortoli Wines, who switched 450 workers to Firefox primarily because they wanted to use standards (instead of being locked into any particular vendor's proprietary interfaces).
Oh, and if you’re not using Windows XP, or you haven’t installed XP Service Pack 2, that means that you need to switch from IE to something else even faster. SP2 finally adds some helpful security capabilities, but users of older versions of Windows will not get them without an expensive upgrade (of software and possibly hardware too). And there's no evidence that IE users of Windows versions before XP SP2 will get necessary security updates of IE; Microsoft has only announced that they're working on an IE upgrade for XP SP2. If you're curious, you can try out things like scan-it's browser security scanner (though it's not perfect, it can be interesting). So switch. Now.
If you want to use a local email program (like Outlook or Outlook Express), consider using Mozilla Thunderbird; this email reader has had many rave reviews (such as a positive review of Thunderbird in PC Magazine, Flexbeta, and Linux Times) and has many interesting extensions. Thunderbird doesn’t have some of the features of Outlook; in particular, as of 2004 Thunderbird's calendar application (a common Thunderbird extension) is not as capable as Outlook's. On the other hand, Thunderbird has lots of wonderful features, such as built-in trainable Bayesian spam filtering, built-in support for the popular news protocols NNTP and RSS, and the ability to view emails in the conversation format (like Gmail). Many home users and small businesses will find Thunderbird works well for them, and without the problems of Outlook (which uses the Internet Explorer display components, and thus is vulnerable to many of the same attacks). A News.com story noted that one company recently installed Thunderbird on 44,000 desktops.
Other options for local email reading include the older Mozilla Mail and Netscape Mail; I use those two currently, since they have a longer history. In fact, there are lots of other email clients; Eudora is still common. Novell's Evolution is probably the best email program available, period, but it hasn't been available for Windows for a while; Shellter's Evolution on Windows is a recent port to Windows. Many people have switched to a web-based email system, such as Yahoo, Google, Runbox, Hotmail, and so on; in those cases, just use your web browser (which should not be Internet Explorer).
CERT has suggestions such as “Don’t open unknown email attachments”, “Don’t run programs of unknown origin”, “Disable hidden filename extensions”, “Disable Java, JavaScript, and ActiveX if possible”, and “Disable scripting features in email programs”. Switching from Outlook will automatically implement these suggestions, at least in part, without worrying about accidentally making a mistake.
You might also seriously consider disabling HTML mail. HTML mail has nice features, but it’s also often abused for security exploits.
If you want to send a program, don’t send the program itself -- send a URL to a web address. That way, recipients can download it at their own time, and if the maker updates it, recipients can get the update. You shouldn’t just run arbitrary programs you download from the web either, but we’ll get to that.
To get work done, you’ll need to open attachments. Here, try to avoid opening attachments from strangers; at least, look at the message body carefully before taking that risk.
You can reduce your risk greatly by only opening types of attachments that are less risky. To determine its type, just look at the last characters in the filename (yes, it’s more complicated than that, but I can’t go into that here and have a reasonable suggestion for ordinary users). It’s hard to list what can be an executable, since there are many different program formats (.exe, .com, .bat, and so on), and some programs aren’t designed to handle arbitrary data. It’s a lot easier to say what’s safer. A .txt file is generally safe to open (but don’t save and run it!). A .htm or .html file is usually safe, as long as you don’t let Internet Explorer look at it (IE may be fooled into thinking it’s a “local” file, disabling its security; other browsers aren’t so easily fooled). Although office suite files (.doc, .ppt, .xls) can have programs (macros) embedded in them, as long as your office suite doesn’t run macros you’re usually fine. PDF files (.pdf) are designed to be sent safely over the web, and have fairly low risk. Handling any data involves some risk, but these formats have a much lower risk.
Image formats (like .jpg, .png, and .gif) and audio formats (like .mp3 and .ogg) are actually a slightly higher risk in my opinion. Many image and audio formats are passed on to Windows code with a history of failure to protect itself (I suspect the developers had no idea that this was security-relevant, and that they didn’t know how to write secure code anyway). Still, if you know the person they are from, they are usually fine.
If you get an attachment, but do not know what its format is, ask the sender first. Then use search engines (like Google) to find out your risk. Don’t be a victim.
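The attachment triage above, as an added example that is not part of the original essay: it classifies a filename by its last extension, using the risk tiers the text gives, and also shows what Explorer displays when "hide extensions for known file types" is on (the reason CERT advises disabling hidden extensions). The sample filenames are constructed.

```python
"""Attachment-type triage along the lines of the advice above.

Added example, not part of the original essay.  The risk tiers are the
ones the text gives; the filenames used at the bottom are constructed.
"""
import os

# Extensions the text calls "safer" to open (but never save-and-run a .txt).
LOWER_RISK = {".txt", ".htm", ".html", ".doc", ".ppt", ".xls", ".pdf"}
# Image/audio formats the text rates slightly higher, because they are
# handed to Windows decoders with a poor track record.
MEDIA = {".jpg", ".jpeg", ".png", ".gif", ".mp3", ".ogg"}
# The program formats the text names (deliberately incomplete, as it says).
EXECUTABLE = {".exe", ".com", ".bat"}


def true_extension(filename):
    """The extension that actually decides how Windows opens the file:
    the text after the LAST dot, lower-cased.  'report.txt.exe' is an
    .exe, whatever the earlier extension suggests."""
    return os.path.splitext(filename)[1].lower()


def displayed_name(filename):
    """What Explorer shows with 'Hide extensions for known file types' on:
    the last extension is dropped, so 'report.txt.exe' shows as
    'report.txt'."""
    root, ext = os.path.splitext(filename)
    return root if ext else filename


def classify(filename):
    """Map a filename to 'executable', 'media', 'lower-risk' or 'unknown'.
    'unknown' means: ask the sender, then look the format up."""
    ext = true_extension(filename)
    if ext in EXECUTABLE:
        return "executable"
    if ext in MEDIA:
        return "media"
    if ext in LOWER_RISK:
        return "lower-risk"
    return "unknown"


def triage(filename):
    """Return (category, misleading).  misleading is True when the name
    as displayed with hidden extensions looks like a lower-risk type
    while the real extension is executable."""
    category = classify(filename)
    misleading = category == "executable" and classify(displayed_name(filename)) == "lower-risk"
    return category, misleading


if __name__ == "__main__":
    # Constructed sample attachment names.
    for name in ["minutes.doc", "invoice.txt.exe", "photo.JPG", "setup.BAT", "data.xyz"]:
        print(name, triage(name))
```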
Buy your programs, or use freely-available alternatives that are legal to copy. I particularly like widely-used open source software, since it can get security reviews worldwide, and it is often free or low cost. One of the more heavily pirated programs is Microsoft Office; instead of copying it illegally, either buy it or use OpenOffice.org instead, which is free and legal to copy (here's a review from 2004 of the two suites). The OpenDisc project (formerly OpenCD) has a nice collection of free open source software for Microsoft Windows that fits on a single CD; it includes OpenOffice.org (office suite), PDFCreator (to create PDF documents), the GIMP (for editing images/photographs), 7-Zip (for creating and unpacking compressed files like the .zip format), and Audacity (for sound editing), along with games and other things. If you don't like to create CDs, you can also buy OpenOffice plus Firefox by buying Linspire's OOoFf! You can get support from various sources; Flexiety sells a boxed version of OpenOffice.org with support; they have deals with various CompUSA stores, and it's also available at tigerdirect.com.
Free isn’t necessarily bad; indeed, PCWorld found that the free anti-spyware programs were better than the for-pay ones they evaluated. Cleansoftware.org has a list of no-cost software widely believed to be free of adware, spyware, harmful/intrusive components, and threats to privacy.
Some programs are “open source software”, meaning that anyone can view its blueprints (the “source code”), modify it, and redistribute those changes. The Internet, Email, and World Wide Web have all been based on these kinds of programs. It’s certainly possible to create malicious open source software; people have done it. But since anyone can review its code, if it’s popular, it’s harder to hide malicious code in it, and many of the financial reasons to create malicious code disappear. But don’t just run arbitrary open source software, either!
In the end -- be careful out there. Run a minimum number of programs -- just those you really need -- and check out their reputation first.
Unfortunately, I must admit that the advice of actually reading EULAs is hard to follow. License agreements are notoriously hard to understand; they're often intentionally written so that the most important parts are the hardest to understand. Even when the drafters try to be clear, legal documents are still hard for many people to understand. Many people have a large number of programs on their systems, and asking them to read all that stuff is impractical, even when they're easy to read. To many people, EULAs make no sense in the first place -- they expect the conditions governing shrinkwrap programs they buy to be just like those of a book or a car. In most jurisdictions, typical EULA conditions are on shaky legal ground, making it harder to justify wading through them. At least one lawyer I know (and respect) recommends not reading EULAs, since it’s usually harder for a company to enforce a license if you did not read it.
And let's be honest -- almost no one actually reads EULAs, as a PC Pitstop experiment showed. PC Pitstop included a clause in one of its own EULAs that promised anyone who read it "special consideration", including money. "After four months and more than 3,000 downloads, one person finally wrote in. That person, by the way, got a check for $1,000..." Think about that -- it took 3,000 downloads and four months before one person read the EULA! Clearly, it's very unusual for anyone to actually read a EULA.
This is unfortunate; from a security point of view you should read the EULA, since it might warn you of security problems. After all, many EULAs include dangerous clauses.
If you won't read the whole EULA, try to at least read the first line, because there's one case where reading that one line can substantially lower your risk. Basically, widely-used open source software / Free Software licenses do not include any text to permit spyware or other dangerous activities, and the license text is the same for many different programs. So at least try to read the first line of the EULA to see if the license is the GNU General Public License (GPL), the GNU Lesser General Public License (LGPL), or the MIT license. If the EULA is one of those licenses, your risk is much lower. (Some lawyers would say that these licenses are technically not EULAs, but this is a technicality; in practice they are sometimes displayed during installation just like a EULA.) Unfortunately, every proprietary program generally has its own license, so I can't point to a single widely-used safe EULA that covers many proprietary programs. Indeed, many EULAs of even common proprietary products are rather scary; for example, the Windows XP End-User License Agreement (EULA) requires you to reveal private information to the vendor, it allows the vendor to modify your computer’s software at will, it states that the vendor may collect personal data about you without warning or limitation, and it states that the vendor can terminate the agreement at any time without due process (leaving you without a working version of Windows). And not all spyware programs will reveal what they do in their EULA, anyway.
So whether or not you read the EULA, check the reputation of the company and the product you're considering, as I recommended above.
Don’t trust any email links that send you elsewhere, because there are many ways to be deceptive (www.paypa1.com is different than www.paypal.com because “one” looks like an “l”; http://forbes.com@attacker.com will send you to attacker.com; and many trusted sites can be fooled into resending attacker information if you invoke them oddly). Don’t give any personal information unless you initiated the entire transaction. Don’t provide unrequired information on any web site you visit; required information is usually noted with an asterisk (*).
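The two link tricks just described, checked in code as an added example that is not from the original essay: the host a browser really contacts is whatever follows the “@”, and a digit-for-letter lookalike is caught by normalizing the host before comparing. The lookalike table and the sample links are constructed.

```python
"""Checks for the deceptive-link tricks described above.

Added example, not part of the original essay.  LOOKALIKES and the
expected-site names are constructed for illustration.
"""
from urllib.parse import urlsplit

# Digits that read like a letter at a glance; "one looks like an l" is
# the case the text gives.  Constructed and not exhaustive.
LOOKALIKES = {"1": "l", "0": "o", "5": "s", "3": "e"}


def real_host(url):
    """The host the browser will actually contact.  urlsplit treats
    everything before '@' as credentials, so for
    'http://forbes.com@attacker.com' the host is 'attacker.com'."""
    return (urlsplit(url).hostname or "").lower()


def has_userinfo(url):
    """True when the URL carries a 'user@' part: the trick that makes
    forbes.com@attacker.com look like a Forbes link."""
    return urlsplit(url).username is not None


def normalize_lookalikes(host):
    """Replace digits that masquerade as letters, so 'paypa1' and
    'paypal' compare equal."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in host)


def site_of(host):
    """Crude site name: the last two labels, so www.paypal.com and
    paypal.com both give 'paypal.com'.  Assumes a one-label suffix."""
    return ".".join(host.split(".")[-2:])


def assess(url, expected_site):
    """Classify a link that a message claims leads to expected_site
    (e.g. 'paypal.com'): 'ok', 'userinfo', 'lookalike' or 'other-site'."""
    if has_userinfo(url):
        return "userinfo"
    site = site_of(real_host(url))
    expected = site_of(expected_site.lower())
    if site == expected:
        return "ok"
    if normalize_lookalikes(site) == normalize_lookalikes(expected):
        return "lookalike"
    return "other-site"


if __name__ == "__main__":
    # Constructed sample links; the page's own two examples plus controls.
    for link, claimed in [("https://www.paypal.com/", "paypal.com"),
                          ("http://www.paypa1.com/login", "paypal.com"),
                          ("http://forbes.com@attacker.com/", "forbes.com"),
                          ("http://example.net/x", "paypal.com")]:
        print(link, "->", real_host(link), assess(link, claimed))
```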
Obviously, it’s harder to attack a computer that’s turned off. But it may surprise you to know that most of today’s computers can be turned back on, remotely, using a network command! Most systems don’t enable that by default, but yours may, and there’s always the risk that a vendor has a security vulnerability that lets someone turn it on even if you’ve disabled it. The best solution is an external firewall, which you need anyway. Firewalls will generally prevent such remote turn-on commands from entering your network in the first place.
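A detector for the remote turn-on command mentioned above, as an added example that is not from the original essay. It assumes the command is the common Wake-on-LAN “magic packet” (six 0xFF bytes followed by the target’s 6-byte MAC address repeated 16 times, normally carried in UDP), which is what a firewall or monitor would want to recognize and drop; the MAC, addresses and datagrams are constructed samples.

```python
"""Recognize the network command that turns a machine back on, so a
firewall or monitor can drop or log it.

Added example, not part of the original essay.  Assumes the command is
the Wake-on-LAN magic packet; sample datagrams below are constructed.
"""

SYNC = b"\xff" * 6      # the "synchronization stream" that opens a magic packet
MAC_LEN = 6
REPEATS = 16


def magic_packet_target(payload):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload contains a
    well-formed magic packet, else None.  The sync stream may sit
    anywhere in the payload, and some senders append a password, so only
    the 96 bytes after each sync stream are examined."""
    start = payload.find(SYNC)
    while start != -1:
        body = payload[start + len(SYNC): start + len(SYNC) + MAC_LEN * REPEATS]
        if len(body) == MAC_LEN * REPEATS:
            mac = body[:MAC_LEN]
            if body == mac * REPEATS:
                return ":".join(f"{b:02x}" for b in mac)
        start = payload.find(SYNC, start + 1)
    return None


def scan(datagrams):
    """Given (source, dst_port, payload) tuples from a capture, return
    (source, dst_port, target_mac) for each magic packet seen; a
    non-empty result from an external source means the firewall is
    letting remote turn-on commands through."""
    hits = []
    for source, port, payload in datagrams:
        mac = magic_packet_target(payload)
        if mac is not None:
            hits.append((source, port, mac))
    return hits


# Constructed samples: a made-up target MAC and four datagrams.
SAMPLE_MAC = bytes.fromhex("00112233aabb")
SAMPLE_DATAGRAMS = [
    ("203.0.113.7", 9, SYNC + SAMPLE_MAC * REPEATS),                 # plain magic packet
    ("203.0.113.7", 7, b"\x00" + SYNC + SAMPLE_MAC * REPEATS + b"\x00" * 6),  # offset + password
    ("192.0.2.10", 9, b"hello"),                                     # ordinary traffic
    ("192.0.2.11", 9, SYNC + SAMPLE_MAC * 15),                       # truncated, not valid
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_DATAGRAMS):
        print("magic packet from %s to port %d targeting %s" % hit)
```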
The NSA Security Configuration Guides give a lot of information on how to configure some Windows versions; yes, you’re not the Department of Defense, but wouldn’t you like your system to have security more like theirs? Another good source for how to configure systems securely is U.S. National Institute of Standards and Technology (NIST) checklists/information guides, some of which were developed by others and then adopted by NIST. Look specifically at the Desktop Application STIG and checklist, and the various Windows STIGs and checklists.
If you use Windows 2003, take a look at Microsoft’s configuration guide for Windows 2003. Microsoft’s Security Home Page has other useful tips on securing Windows systems (though they often focus on the latest versions of their products, even though you may find no reason to upgrade). Other documents such as Microsoft Windows Security 101 have useful information too. You don’t need to accept every suggestion, but information like this can help you secure your system. Unfortunately, this can be time-consuming; sorry about that.
Some people like to share their wireless access with the world. Feel free to do so (if your ISP allows it), but at that point you need to treat wireless users as potential attackers. Be sure to segregate your open wireless setup from your “internal” machines, at least by placing a firewall between the wireless and wired network. But I feel more comfortable making it hard for anyone else to connect in, and for new wireless users I suggest that as well.
I’ll concentrate on the basics of securing 802.11 based wireless connections, since they’re the most common. Here, you need to configure your wireless hub (access point) and computers so that their wireless connection is more secure. Use the new 802.11i security standard if you can (but few can), otherwise use WPA if you can (though relatively few can), otherwise at least turn on WEP. Unfortunately, WEP is very vulnerable to attackers; for more information, see WEP: Dead Again. Indeed, the FBI demonstrated that a determined attacker can usually break 128-bit WEP (the strongest form of WEP) in 5-10 minutes. On the other hand, WEP is better than nothing at all (it stops casual attackers, who often move on to an easier target). Set your WEP/WPA key to a nice long unguessable 128-bit key (aka 104-bit); don’t use a default key, and change the key every once in a while. And if your WEP-only components can be freely upgraded to WPA (e.g., through a "firmware upgrade"), please do so.
Disable broadcasting of your Service Set Identifier (SSID); that way, when no one is using your wireless connection an attacker is less likely to find your equipment. Turn on the configuration setup of your base station, and (re)set every password you can to something only you would know (this would include a configuration password, SNMP password, and so on). Point your base station antenna(s) so that the signals are much weaker where you don’t plan to use it (an attacker can amplify the signal to potentially miles, but many don’t). Some folks recommend using media access control (MAC) address restrictions; I don’t particularly recommend this, because it adds significant complications without any significant security benefit (attackers can easily work around it), but it won’t hurt if you do.
Ideally, you should segregate your wireless network from your internal wired network, even if you use other mechanisms like WEP, WPA, or 802.11i. This is especially a good idea for WEP users. For many home users this may be excessive, but for small businesses adding an extra firewall between the wired and wireless networks is a cheap measure that improves their security.
You can get more information from resources such as Wireless LAN Security FAQ, Tips for Wireless Security, and the Wireless STIG and checklist available via the set of U.S. National Institute of Standards and Technology (NIST) checklists/information guides.
You might also find CERT/CC’s Home Network Security document very helpful; it also describes the kinds of attacks that homes and small businesses must endure, and how to help defend your system. CERT’s document is slightly older, though; for example, when I reviewed it on December 7, 2004, it didn’t cover spyware or alternative programs. The US-CERT has some useful tips on securing your Windows system, LabMice.net have a nice list of ideas for securing your Windows system, and security expert Bruce Schneier has his own list for “Safe Personal Computing”. Terry Bollinger has a nice Crosstalk article titled How to Secure Windows PCs and Laptops, which also notes how dangerous the current climate has become. Howard Fosdick's "How to Secure Your Windows Computer and Protect Your Privacy - with Free Software: An Easy Guide for the Windows User" has lots of good information; I learned about it after writing this.
Unlike some guidance documents (say from CERT), since this is a personal essay I can give you the real story on how to secure your system, including naming names. For example, many organizations avoid saying that you should replace a program with a bad security record for one with a good record -- and they certainly don’t give you specific alternatives! I understand their restrictions; they don't want to appear to recommend any particular product. However, since this is a personal article, I can suggest applications you should replace to secure your system. Many attacks exploit Internet Explorer and Outlook, so just replacing those programs eliminates many problems. Many lists also fail to warn you about the problems of certain updates, in particular, many people have had problems with XP Service Pack 2 (SP2). Instead of avoiding the issue, I recommend that you try to apply SP2, but I also warn you that you need back up everything first so that you can reload your system (if necessary). I don’t give keystroke-by-keystroke help, but this checklist should be enough to get you started (so you’ll know what to look for). Hopefully you’ll still find this list useful.
This is not a complete list; there are many other steps you can take. Think of this as a starting point, if you haven’t done anything before. Basically, create a set of layered defenses (like firewalls), don’t add arbitrary programs, replace programs that have a bad security track record (like IE and Outlook), and keep up with patches.
By the way, I say the same thing about other programs that have poor track records. You’re more likely to be secure if you switch to a product with a significantly better security track record. What a surprise. For example, if you have an infrastructure for sending email, I would heartily recommend replacing Sendmail (a common component with a terrible security record) with Postfix or some other common alternative with an excellent security record. (There’s a new Sendmail 10 coming up, which basically tries to reimplement the same approach Postfix uses for security.) Past performance is no guarantee of future results -- but it’s one of the best predictors we have.
If you’re part of a larger organization, in particular, one with your own IT personnel, you need to do more. In fact, you should already have implemented far more. If that describes you, you should be talking about meeting standards like ISO 17799 (or more specific standards for your circumstance), and doing things like devising security policies (including incident response and disaster recovery), doing more formal threat analysis and vulnerability testing, performing active filtering and monitoring of your network (including intrusion detection and scanning for unauthorized modems/wireless nodes), and so on. If you’re actually a direct target (e.g., you’re concerned about economic espionage or a foreign government targeting you), you’ll need to go far, far beyond these steps. Still, these steps might be a useful starting point.
Of course, a completely different option is to switch from Microsoft Windows to a different system that has a better security track record. It’s not that you can’t run Windows relatively securely; I believe that with effort and careful control of your environment (such as by using external firewalls) you can use Microsoft Windows relatively securely. In fact I do use Windows systems myself. But to run Windows securely, you have to think like a full-time system administrator, and stay on top of things with extreme diligence; even a security expert can tire of this. When connecting to the Internet, at home I’ve switched to running Linux instead, from which I do all the typical things people do with computers (such as surf the web, send/receive email, and send/receive common data formats including pdf, doc, ppt, and xls). As a result, I don’t have these kinds of security problems. I'm not alone; in 2008 InformationWeek noted that Linux-based systems have become far more popular and easier to get - Wal-mart couldn't keep them in stock due to high demand. I still end up helping others who need to secure their Windows systems, though, which is why I wrote this article. Microsoft correctly notes that other products have occasional security vulnerabilities, but that’s misleading; I want a good track record compared to the competition, considering both the number and severity of the vulnerabilities. Alternative products like Fedora (the one I use), Red Hat Enterprise, Ubuntu, and Novell SuSE, have much to recommend to first-time users. Fedora even includes buffer overflow protection for all programs and mandatory access controls, both of which help prevent problems in the first place. Experienced people might be happy with products such as FreeBSD, OpenBSD, or Debian. DistroWatch has a summary of the top ten open source distributions. 
Mac OS X is also relatively strong from a security point-of-view, though that’s not based on general-purpose PC hardware (so you’ll have to buy new hardware to switch). (Mac OS does not include measures like buffer overflow protections using NX and randomization, nor does it embed mandatory access controls, so in my opinion Fedora and Red Hat Linux have stronger security than Mac OS - but it's not bad.) But many people aren’t willing to switch from whatever they use, no matter what the product does or doesn’t do. Which is too bad; if enough customers had said “we’ll stop buying your products because they’re less secure than the competition”, then market forces would have forced all vendors to have secure products many years ago. I have hopes that the market is just starting to make this happen.
In general, you need to create layers of defense, and/or switch to more secure programs, if you want to keep your computer safe. And complain to Microsoft if you find this unacceptable; they’re already starting to change some things, thankfully. Microsoft Windows XP Service Pack 2 in particular is a significant improvement (although it still features the monolithic design, and insecure technologies like ActiveX, that are the root cause of many security problems). But the more the outcry, the faster Microsoft will work to fix this. They’ve sold products, and later decided to try to secure them, with very predictable results. All products have defects, but the number of serious security defects in their products is shamefully large. It’s not just market share; Apache has twice the market share that Microsoft’s IIS product has, and yet IIS has more security vulnerabilities. It’s a mindset. One that I hope Microsoft is actively trying to change. Let’s help encourage them to change it... and in the meantime, if you choose to use their products, follow steps like these to reduce your risks.
Please feel free to visit my home page.