Many agree that Windows computers need to be protected with a strategy called defense in depth. This is not just for fighting off viruses. Clearly, network security and Internet Explorer also need defense in depth. When Internet Explorer was recently hacked in a public contest, Microsoft respondedthat “…defense in depth techniques aren’t designed to prevent every attack forever, but to instead make it significantly harder to exploit a vulnerability.”
Deb Shinder, a Windows expert, and former law enforcement officer, put it in perspectiverecently:
“Think about your physical security. You might have a high fence, a big dog, deadbolts on the doors and a security alarm system, but if a burglar is absolutely determined – and has enough time – he can climb the fence, shoot the dog, disable the alarm and break a window to get in. Unless you live in a fortress (and even then), your security is not fool-proof. But all those mechanisms do slow him down … So unless he’s motivated to specifically target your house because he knows you have $1 million in cash hidden under the mattress, he’ll probably go elsewhere, where the pickings are easier.”
To me, the term “defense in depth” means my having to do a lot of work. But what work? What steps offer the biggest bang for the buck?
1. To me, the most important thing you can do to protect your computer is to be skeptical. Start with the assumption that you are being lied to. No software can protect someone who lets the bad guys continually scam them.
For example, that email message may not have come from the visible FROM address. Even if it did, the senders email account may have been broken into and the message could be from a scammer. Same for instant messages.
Many tricks can be played with links to make them appear to go one place when they actually go somewhere else, and that was before link shorteners made hiding the true destination even easier. You probably don’t need to install a new codec to see that enticing video. Your computer is probably not infected with 314 viruses. Even notices about updating software to install the latest patch may not be legit.
2. Software-wise, techies are always advising to keep up to date on patches for your installed software. What doesn’t get said often enough is that this is an all but impossible task for Windows users. Thomas Kristensen of security company Secunia reported recently “that in order for the typical home user to stay fully patched, an average of 75 patches from 22 different vendors need to be installed [every year]…” Seventy Five patches/year seems low to me.
Without a standard pipeline through which all these companies can funnel patches, Windows users are forced to deal with many different and inconsistent patch delivery systems. It’s a brutal mess, and one not likely to have a good solution for a very long time.
Secunia offers three patch related products. To me, the best bang for the buck is offered by their free Online Software Inspector. I wrote about this in depth recently (Check (All) Your Windows Patches: Secunia). Their other products check more software, but the online service checks the most popular applications, offers a very simple and easy-to-read report and includes links to the latest software updates.
3. There is surprising resistance to my third suggestion, but it’s a great way to protect yourself when keeping up to date on bug fixes is impossible: run as a limited (Windows XP term) or standard (Windows 7 term) user. I’ve been doing this for a while now on both Windows XP and 7. There is a small annoyance factor, but compared to the extra safety it offers, the tradeoff seems well worth it. The annoyance factor is higher in Windows XP. Much more thought seems to have gone into this in Windows 7.
Here’s my approach. My current Windows userid was typically “Michael” and it was an Administrator. First, I create another Windows user called “MichaelAdmin” with the same password as user “Michael”. Then I log off user “Michael”, log on to user “MichaelAdmin” and drop user “Michael” down to a limited/standard user. From here on in, I continue to use user “Michael”, only logging on as “MichaelAdmin” when necessary to install software or otherwise update the system.
Windows 7 is pretty good about prompting standard user “Michael” for the password to user “MichaelAdmin” when necessary. Hardly ever do I have to actually logon as “MichaelAdmin”. Windows XP often requires limited user “Michael” to switch to user “MichaelAdmin” but at least its a switch, user Michael can remain logged in.
On a new computer, I would start out with users “MichaelRestricted” and “MichaelAdmin”.
4. Windows users should avoid Internet Explorer. You can’t delete it, but you can ignore it. IE suffers both from having a target painted on its back, because it’s so popular, and from Microsoft’s being slow, in general, to issue patches. Plus, it has its fair share of bugs and design flaws. I run Internet Explorer once a month on my XP machine, just for Windows Update. Independent security expert Steve Gibson does this too.
Firefox is my preferred browser, but I also use Chrome. In both cases, I opt for portable versions from portableapps.com. A normally installed copy of Firefox can not be updated by a limited/standard Windows user, but the portable version can.
5. The Adobe Reader also best avoided. Like Internet Explorer, the Adobe Reader is extremely popular, so bad guys focus on it. Like Microsoft, Adobe is slow in issuing bug fixes. At least Microsoft issues IE patches monthly, Adobe thinks that every three months is a good idea. You are safer using software that is updated when bugs are found, not when corporate needs dictate.
Among alternatives, the Foxit PDF Reader is probably the most popular. I also like the free and portable Sumatra PDF Reader because it seems to be a low end product. Fewer features means fewer bugs and a smaller attack surface. Plus, by being relatively unpopular, bad guys have no reason to exploit any bugs the Sumatra Reader may have.
Malicious PDFs are very common. If someone sends you a PDF, stranger or not, you are much safer opening it with the Sumatra PDF Reader than with the Adobe Reader.
6. Turn off autorun. The ability to automatically run programs when inserting a CD or USB flash drive was a huge security mistake on the part of Microsoft. Making this worse, in the many years since, they have modified the rules over and over and issued multiple bug fixes to the software enforcing the rules. Anyone who thinks they understand the rules for how autorun works and can explain it to you, doesn’t understand the rules.
The good news is that you can bypass the quicksand of autorun completely. Every variation and iteration of Microsoft’s rules boils down to a file called autorun.inf. There is a simple registry update that tells Windows never, no matter what, ever pay attention to any autorun.inf file. It’s ironclad safety.
7. Protect your WiFi network from snooping. The big issue with securing wireless networks is making sure that good encryption is used for all data traveling over the air. Never use WEP encryption. If that is the only option in your router, buy a new router. WPA encryption is good enough. There have been two holes discovered with it, but experts consider them minor. WPA version 2 (WPA2) is the best encryption and should be your first choice, assuming all your wireless devices support it.
Technically, the last paragraph is not true. What people call WPA encryption really refers to TKIP and what is called WPA2 encryption really refers to AES. I mention this because if you opt for WPA2 and then chose TKIP to use with it your security is the same as WPA.
Another possible problem with WPA, WPA2, TKIP and AES is the password. Bad guys can record WiFi transmissions over the air, and then try to crack the encryption later. If the WiFi password is short, or a word in a dictionary, your private transmissions will no longer be private. Don’t think password, think pass sentence. Since the wireless password is typically entered only once per computer, something over 20 characters would serve you well and not be a constant annoyance. Nothing wrong with writing it on a piece of paper and taping it, face down, to the router.
8. If you have a router, open up the front and close the back.
By open up the front, I mean insuring that you can get into the routers internal website to make changes. To do so, you need to know three things: the IP address of the router and the userid and password for logging into the internal website.
Every computer on the LAN knows the IP address of the router, it’s the default gateway. Windows users can enter the command “ipconfig” from a command prompt to learn the IP address of the default gateway. Enter this IP address into your web browser and you should be prompted for a userid/password. New routers will have the default userid/password somewhere in their documentation. Never use the default password. Like the WiFi password, it’s probably a good idea to write this information on a piece of paper and tape it, face down, to the router.
By closing the back, I was referring to the firewall in the router. You can test how well the firewall is protecting your LAN with Steve Gibson’s Shields Up! service.
9. Use OpenDNS. The system that translates computer names to the underlying IP addresses that computers actually use to transmit data on the Internet is called DNS. DNS is such a critical building block for the Internet that every Internet Service Provider has to maintain at least two computers dedicated to offering their customers DNS services.
Maintaining DNS computers is non-trivial and some ISPs do it better than others. OpenDNS offers a free service that is fast, maintained by specialists and offers a number of advantages over the DNS service from many ISPs. Perhaps the most visible advantage is protection from visiting some malicious websites. No such service can ever be anything close to perfect, but you are safer with it than without it.
There are two ways to get started with OpenDNS, you can either modify a single computer to use their DNS servers (22.214.171.124 and 126.96.36.199) or you can modify the router so that all computers on the LAN use OpenDNS. This is one reason for the previous item, being able to make changes in your router.
10. Finally, the mandated item in every article on this subject: anti-malware software. Rather than re-tread well worn advice, the only point I’ll make here is about the choice between dedicated antivirus/antispyware/antimalware software and a suite of protection software that includes this along with many other types of defensive software. Avoid the suites.