Windows xp security

Discussion in 'Computer Security' started by Nowhere, Mar 1, 2006.

  1. Nowhere

    Nowhere Guest

    I'm looking for simple and advanced Win xp security tips, on and off line.
    Maximum protection possible. Not links, but concise, sensible and reliable
    security tips from good users. Thank you.
     
    Nowhere, Mar 1, 2006
    #1

  2. Nowhere

    Ron Lopshire Guest

    Nowhere wrote:

    > I'm looking for simple and advanced Win xp security tips, on and off line.
    > Maximum protection possible. Not links, but concise, sensible and reliable
    > security tips from good users. Thank you.


    Start with Safe Hex. Here's that link that you didn't want:

    (http://www.claymania.com/safe-hex.html)

    If you don't want anymore, let me know. I've got tons.

    Ron ;)
     
    Ron Lopshire, Mar 1, 2006
    #2

  3. Nowhere

    Nowhere Guest

    "Ron Lopshire" <> wrote in message
    news:...
    > Nowhere wrote:
    >
    > > I'm looking for simple and advanced Win xp security tips, on and off line.
    > > Maximum protection possible. Not links, but concise, sensible and reliable
    > > security tips from good users. Thank you.

    >
    > Start with Safe Hex. Here's that link that you didn't want:
    >
    > (http://www.claymania.com/safe-hex.html)
    >
    > If you don't want anymore, let me know. I've got tons.
    >
    > Ron ;)


    Thank you. I don't want any more :)
     
    Nowhere, Mar 1, 2006
    #3
  4. Nowhere

    ArtDent Guest

    On 1-Mar-2006, "Nowhere" <> wrote:

    > I'm looking for simple and advanced Win xp security tips, on and off
    > line.
    > Maximum protection possible. Not links, but concise, sensible and
    > reliable
    > security tips from good users. Thank you.


    Use a router unless you are on dial-up.
    Use an _up-to-date_ anti/virus program.
    Use an _up-to-date_ anti/spyware program or two or three.
    Use a software firewall.
    Use common sense when browsing and opening emails.
    Use alternate programs for browsing and email and newsgroups. (no IE or
    Outlook or OE)
    Turn 'sharing' off.
    These should keep _most_ of the 'nasties' at bay.
    HTH
    HAND
    --
    We apologize for the inconvenience
     
    ArtDent, Mar 1, 2006
    #4
  5. Adam W. Montville, Mar 2, 2006
    #5
  6. ArtDent wrote:

    > Use a router unless you are on dial-up.


    Why?

    > Use an _up-to-date_ anti/virus program.


    Usually a good idea, except for maximum protection.

    > Use an _up-to-date_ anti/spyware program or two or three.


    Why? They're all crap.

    > Use a software firewall.


    Why? He does _not_ want the system to get compromised.



    And damn, you don't tell anything about restricted rights.
     
    Sebastian Gottschalk, Mar 2, 2006
    #6
  7. Nowhere wrote:
    > I'm looking for simple and advanced Win xp security tips, on and off line.
    > Maximum protection possible. Not links, but concise, sensible and reliable
    > security tips from good users. Thank you.


    Why don't you read a good pseudo-eBook about Windows first?

    <http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en>

    It contains descriptions about Windows' user rights, Group Policy
    settings and ACLs including recommendations for various cases.
     
    Sebastian Gottschalk, Mar 2, 2006
    #7
  8. Nowhere

    ArtDent Guest

    On 2-Mar-2006, Sebastian Gottschalk <> wrote:

    > ArtDent wrote:
    > > Use a router unless you are on dial-up.

    > Why?
    > > Use an _up-to-date_ anti/virus program.

    > Usually a good idea, except for maximum protection.
    > > Use an _up-to-date_ anti/spyware program or two or three.

    > Why? They're all crap.
    > > Use a software firewall.

    > Why? He does _not_ want the system to get compromised.
    >
    > And damn, you don't tell anything about restricted rights.


    I was doing a quick list, the OP seemed to want something simple and
    straightforward.
    I notice that _you_ did not help much here, what exactly was the point of
    your post? Unless you felt the overwhelming need to seem a big smarty
    pants.
    Anyway, to take your comments/complaints one at a time:
    A router will block all unasked for incoming packets. There are a lot of
    compromised 'zombie' machines out there that send packets out looking for
    vulnerable machines, the router keeps these from ever getting to your
    computer.
    An up-to-date anti-virus program is not just a 'good idea', it is pretty
    much 'mandatory' nowadays (there is a thread in one of the 'hacker' ng's
    talking about ISP's _requiring_ you to have an up-to-date anti-virus if
    you are on broadband of any kind) if you do not want your machine crawling
    with trojans and worms.
    While I would not agree that _all_ anti-spyware programs are 'crap' (such
    a technical term, you must be very proud of yourself), I do agree that
    none are 'all-inclusive', which is why I suggested more than one.
    Not all software firewalls 'hurt' your machine, that is just FUD talk,
    they are there to allow you to control what programs you want to allow
    access to the net.
    And, no, I did not talk about restricted rights, but then neither did you,
    except to mention that I did not say anything, well pardon me, but if you
    follow the advice in my first post, then you should not NEED to dumb down
    the poor machine so much.
    I also notice that you totally snipped my advice about not using IE, O, or
    OE, I presume that must mean that you at least agree with that much of
    what I had to say. (I see you posted using Thunderbird)

    To the OP, while I tried to do this without posting a link, this one might
    help if you are that new to all this:
    http://internet101.org
    --
    We apologize for the inconvenience
     
    ArtDent, Mar 2, 2006
    #8
  9. Nowhere

    Nowhere Guest

    "ArtDent" <> wrote in message
    news:FaFNf.6275$...
    >
    > On 2-Mar-2006, Sebastian Gottschalk <> wrote:
    >
    > > ArtDent wrote:
    > > > Use a router unless you are on dial-up.

    > > Why?
    > > > Use an _up-to-date_ anti/virus program.

    > > Usually a good idea, except for maximum protection.
    > > > Use an _up-to-date_ anti/spyware program or two or three.

    > > Why? They're all crap.
    > > > Use a software firewall.

    > > Why? He does _not_ want the system to get compromised.
    > >
    > > And damn, you don't tell anything about restricted rights.

    >
    > I was doing a quick list, the OP seemed to want something simple and
    > straightforward.
    > I notice that _you_ did not help much here, what exactly was the point of
    > your post? Unless you felt the overwhelming need to seem a big smarty
    > pants.
    > Anyway, to take your comments/complaints one at a time:
    > A router will block all unasked for incoming packets. There are a lot of
    > compromised 'zombie' machines out there that send packets out looking for
    > vulnerable machines, the router keeps these from ever getting to your
    > computer.
    > An up-to-date anti-virus program is not just a 'good idea', it is pretty
    > much 'mandatory' nowadays (there is a thread in one of the 'hacker' ng's
    > talking about ISP's _requiring_ you to have an up-to-date anti-virus if
    > you are on broadband of any kind) if you do not want your machine crawling
    > with trojans and worms.
    > While I would not agree that _all_ anti-spyware programs are 'crap' (such
    > a technical term, you must be very proud of yourself), I do agree that
    > none are 'all-inclusive', which is why I suggested more than one.
    > Not all software firewalls 'hurt' your machine, that is just FUD talk,
    > they are there to allow you to control what programs you want to allow
    > access to the net.
    > And, no, I did not talk about restricted rights, but then neither did you,
    > except to mention that I did not say anything, well pardon me, but if you
    > follow the advice in my first post, then you should not NEED to dumb down
    > the poor machine so much.
    > I also notice that you totally snipped my advice about not using IE, O, or
    > OE, I presume that must mean that you at least agree with that much of
    > what I had to say. (I see you posted using Thunderbird)
    >
    > To the OP, while I tried to do this without posting a link, this one might
    > help if you are that new to all this:
    > http://internet101.org
    > --
    > We apologize for the inconvenience


    Thank you
     
    Nowhere, Mar 2, 2006
    #9
  10. ArtDent wrote:
    > On 2-Mar-2006, Sebastian Gottschalk <> wrote:
    >
    >> ArtDent wrote:
    >>> Use a router unless you are on dial-up.

    >> Why?
    >>> Use an _up-to-date_ anti/virus program.

    >> Usually a good idea, except for maximum protection.
    >>> Use an _up-to-date_ anti/spyware program or two or three.

    >> Why? They're all crap.
    >>> Use a software firewall.

    >> Why? He does _not_ want the system to get compromised.
    >>
    >> And damn, you don't tell anything about restricted rights.

    >
    > I was doing a quick list, the OP seemed to want something simple and
    > straightforward.


    Your approach is none of those.

    > I notice that _you_ did not help much here,


    And I draw it to the question.

    > A router will block all unasked for incoming packets.


    Wrong. In fact, many consumer routers exactly do the contrary: using
    certain heuristics, including some for typical home users' behaviour, to
    make best-chances choice packet forwarding.
    And damn, why not configuring the computer correctly instead of such
    trials of workarounds?

    > An up-to-date anti-virus program is not just a 'good idea', it is pretty
    > much 'mandatory' nowadays


    Then I wonder why I, and for sure many other people that are posting
    here, are going pretty fine without it.

    > (there is a thread in one of the 'hacker' ng's
    > talking about ISP's _requiring_ you to have an up-to-date anti-virus if
    > you are on broadband of any kind)


    Which one? I'll add them to my braindead ISPs list.

    > While I would not agree that _all_ anti-spyware programs are 'crap' (such
    > a technical term, you must be very proud of yourself),


    So far I didn't find any that even installs without any big quarrels,
    and those which actually run are showing up both a lot of false
    positives and a lot of clear nonsense on a clean system, so I really
    wonder what quality the reports on a compromised system are of.

    > Not all software firewalls 'hurt' your machine, that is just FUD talk,


    No, it's sad reality. Besides that they all open up your machine to
    certain DoS conditions (ICMP flood, UDP flood, IP fragments flood), most
    are easy to tunnel from the outside (f.e. with overlapping IP fragments)
    and most allow privilege escalation. Not to mention such wonderful
    self-DoS capabilities like Auto-Blocking or so-called private data
    protection which actually leads to the contrary. And didn't the Witty
    worm just show that the extra complexity certainly is a serious problem?

    > they are there to allow you to control what programs you want to allow
    > access to the net.


    You'd wish. Volker Birk had a lot of fun with showing trivial
    counter-examples? Which are actually default tricks of common malware.

    And remember that most users are logged on with admin rights. That's
    super-trivial.

    > And, no, I did not talk about restricted rights, but then neither did you,


    Because it's a default consideration.

    > but if you
    > follow the advice in my first post, then you should not NEED to dumb down
    > the poor machine so much.


    Hehe... isn't that exactly what you're suggesting? Wamping down the
    system with all kind of shitty software instead a straight and clean
    approach.

    > I also notice that you totally snipped my advice about not using IE, O, or
    > OE, I presume that must mean that you at least agree with that much of
    > what I had to say.


    For sure, but shouldn't that be common sense? IE is no webbrowser and
    OE/O is known to be totally broken so far.

    > (I see you posted using Thunderbird)


    At least that's what you assume, but I had the same identification
    string with Forte FreeAgent. :)
     
    Sebastian Gottschalk, Mar 2, 2006
    #10
  11. Sebastian Gottschalk wrote:

    >> (there is a thread in one of the 'hacker' ng's talking about ISP's
    >> _requiring_ you to have an up-to-date anti-virus if you are on broadband
    >> of any kind)

    >
    > Which one? I'll add them to my braindead ISPs list.


    What the poster conveniently neglected to mention is that the idea was
    completely shot down with logic, common sense, and fact, save for one
    holdout who has taken that age old position that "I'm right and you're
    wrong" passes for a winning argument.

    That same person also claims that IIS6 is completely bulletproof, by the
    way. <snicker>

    The thread the poster refers to is "No Anti-Virus? No Broadband Access"
    and can be found in the group alt.hacker if you're interested.
     
    George Orwell, Mar 2, 2006
    #11
  12. Nowhere

    Guest

    I agree with Sebastian regarding anti-virus software. They are needed
    in a number of crisis situations, but 99% of the time they're not vital
    if you know what you are doing. They are just a bit helpful if you
    don't. And many of them are just terribly irritating since they were
    designed for this category of users, and as such do not offer the
    possibilities needed, not forgetting they consume hell a lot of
    resources. The IT security concerned individual will also find
    annoying that this kind of software tends to want to delete security
    tools, captured virus archived on the hard disk, etc.

    I tend to think a software firewall is necessary, but it is also right
    that some of them make DOS attacks very easy. As an example there was
    one (I think it was a Symantec) that blocked IPs making a port scan.
    How silly. An attacker could just spoof a port scan from an address he
    wants the target to block(!)
     
    , Mar 3, 2006
    #12
  13. wrote:

    > I tend to think a software firewall is necessary,


    Well, it's not just unnecessary (hint: it's trivial to get an empty
    netstat output even on Windows without breaking anything!), but unlike
    virus scanners doesn't turn out any good in practice.

    > but it is also right that some of them make DOS attacks very easy.


    s/some/almost every/

    > As an example there was
    > one (I think it was a Symantec) that blocked IPs making a port scan.
    > How silly. An attacker could just spoof a port scan from an address he
    > wants the target to block(!)


    Or just enter "startkeylogger" on an IRC chan.
    <http://it.slashdot.org/it/06/03/03/004215.shtml>
    Still ROFL and LMAO.
     
    Sebastian Gottschalk, Mar 3, 2006
    #13
  14. Nowhere

    Winged Guest

    ArtDent wrote:
    > On 1-Mar-2006, "Nowhere" <> wrote:
    >
    >
    >>I'm looking for simple and advanced Win xp security tips, on and off
    >>line.
    >>Maximum protection possible. Not links, but concise, sensible and
    >>reliable
    >>security tips from good users. Thank you.

    >
    >
    > Use a router unless you are on dial-up.
    > Use an _up-to-date_ anti/virus program.
    > Use an _up-to-date_ anti/spyware program or two or three.
    > Use a software firewall.
    > Use common sense when browsing and opening emails.
    > Use alternate programs for browsing and email and newsgroups. (no IE or
    > Outlook or OE)
    > Turn 'sharing' off.
    > These should keep _most_ of the 'nasties' at bay.
    > HTH
    > HAND


    Heh don't forget to hide those machines inbound below port 1024 from the
    Internet unless you really have a good reason to expose server services.
    If you have a requirement, ensure the exposure is limited to the least
    amount of IP's required. This is extremely important on winX machines
    but also applies to NIX environs as well. A stateful firewall will
    automatically block those services however limiting port exposures to
    only what is required is your best safety.

    A good stateful hardware firewall is useful, and they are almost cheap these
    days. Several can be used as a router/hub and they are useful for
    locking down a wireless node in its own DMZ and reduce exposure of the
    local subnet. I have had a few folks attempt to attack my local home
    network over an exposed wireless NIC. Just can't trust anyone these
    days. Also ensure that the firewall is software upgradable. I have had
    to upgrade my CISCO a few times over the years.

    If you use winX or NIX system ensure only the services you require are
    running. MS has many services running that are not required by most
    people (I still wonder why MS thinks most home users need a message of
    the day service running for example). NIX systems can also
    inadvertently open services with some packages if you are not careful.

    Know what services are required for your use and check occasionally to
    ensure that the latest patch or some stray software package has not
    turned something on that is not needed. I have had MS turn unneeded
    services back on after I patched even though the services were manually
    disabled. It is nice to have that hardware firewall protect me from
    myself sometimes.

    Winged
     
    Winged, Mar 3, 2006
    #14
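
Added example (not part of any post in this thread): one way to do the periodic check described in post #14, parsing `netstat -ano` output and flagging listeners reachable from the network that are not on an approved list. The sample output, the `allowed` set and all function names are constructed for illustration.

```python
"""Audit listening sockets in Windows `netstat -ano` output against an allow-list."""
from typing import NamedTuple

# Constructed sample shaped like `netstat -ano` output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1480
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1101      203.0.113.5:80         ESTABLISHED     2044
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:1900           *:*                                    1200
  UDP    127.0.0.1:123          *:*                                    1020
"""

LOOPBACK_PREFIXES = ("127.", "[::1]")


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    pid: int


def parse_listeners(text):
    """Return every TCP socket in LISTENING state and every bound UDP socket."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        # TCP rows have a State column; UDP rows do not, and a bound UDP
        # socket receives datagrams without any "listening" state.
        if fields[0] == "TCP" and (len(fields) < 5 or fields[3] != "LISTENING"):
            continue
        addr, _, port = fields[1].rpartition(":")
        try:
            listeners.append(Listener(fields[0], addr, int(port), int(fields[-1])))
        except ValueError:
            continue  # malformed row: skip rather than guess
    return listeners


def audit(text, allowed):
    """Flag network-reachable listeners whose (proto, port) is not approved.

    Ports below 1024 are rated "high", following the advice in post #14;
    anything else is rated "review".
    """
    findings = []
    for lst in parse_listeners(text):
        if lst.addr.startswith(LOOPBACK_PREFIXES):
            continue  # bound to loopback only, not reachable from the network
        if (lst.proto, lst.port) in allowed:
            continue
        findings.append(("high" if lst.port < 1024 else "review", lst))
    return sorted(findings, key=lambda f: (f[0], f[1].proto, f[1].port))


if __name__ == "__main__":
    # Hypothetical policy: only UDP 1900 is expected to be open on this host.
    for severity, lst in audit(SAMPLE_NETSTAT, allowed={("UDP", 1900)}):
        print(f"{severity:6} {lst.proto} {lst.addr}:{lst.port} pid={lst.pid}")
```

Run after each patch cycle against fresh `netstat -ano` output, the same check shows whether an update has switched a disabled service back on.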
  15. Winged wrote:
    >
    > A good stateful hardware firewall is useful, and they are almost cheap these
    > days.


    Any recommendations? (So far I'm not big on the Cisco's, they seem to be
    charging too much for the name, but Fortinet, Watchguard and SonicWall
    seem quite good too)

    --
    Shane
     
    Shane Petroff, Mar 6, 2006
    #15
  16. Nowhere

    Guest

    There are quite a few and you can see a pretty comprehensive list here:
    http://www.firewall.com/Vendors/

    As for needs and requirements of the average user? It's different. Some
    need stronger anti-virus protection and anti-spyware while others get
    by on Common Sense [tm]. Some good reading on network security issues
    can be found here:
    http://whitepapers.zdnet.co.uk/0,39025945,60153405p-39000388q,00.htm .

    The document is directed at small businesses for the most part, but
    gives a pretty good overview of what's out there and what should be
    done about it.
     
    , Mar 7, 2006
    #16
  17. Nowhere

    Winged Guest

    wrote:
    > I agree with Sebastian regarding anti-virus software. They are needed
    > in a number of crisis situations, but 99% of the time they're not vital
    > if you know what you are doing. They are just a bit helpful if you
    > don't. And many of them are just terribly irritating since they were
    > designed for this category of users, and as such do not offer the
    > possibilities needed, not forgetting they consume hell a lot of
    > resources. The IT security concerned individual will also find
    > annoying that this kind of software tends to want to delete security
    > tools, captured virus archived on the hard disk, etc.
    >
    > I tend to think a software firewall is necessary, but it is also right
    > that some of them make DOS attacks very easy. As an example there was
    > one (I think it was a Symantec) that blocked IPs making a port scan.
    > How silly. An attacker could just spoof a port scan from an address he
    > wants the target to block(!)


    Interesting concept. You would need to know specifically where / when
    target was trying to connect to and also need to know the tcp sequence
    number of the clients outbound request to spoof successfully. Just
    spoofing the IP would not be sufficient to block communication. Packets
    with the proper sequence number response would still reach the client so
    long as the connection was not saturated. I tested your concept a bit
    ago on local network, using a remote mount with a second host spoofing
    only the IP against a symantec CE client. Didn't work for me though it
    did drop the spoofed port scan. The logs showed the scan being dropped
    but it did not interfere (other than node performance) with connection.
    I had to test for the fun of it. I thought that bug was fixed some
    time ago. I did not test UDP communication but suspect it might fail.

    A firewall is necessary on both Linux and Winx systems, if nothing else
    to protect us from ourselves. If you have multiple client nodes, then
    clients should be firewalled as well as the subnet entry point.

    99% (your number) of the time the AV isn't needed. It's that 1% that
    kills the computer. Even if one is knowledgeable, running without AV
    can be dangerous. It is simple enough to place a virus in a VM isolated
    from the core system to examine and even run it to see the critter's
    behavior. With exploits being discovered daily it is not enough to be
    knowledgeable. A hardened system is far more resistant to exploit.

    While it is true AV and firewalls do impact performance somewhat, to
    most modern systems it has negligible impact. Properly configured with
    the symantec client for example using seti processing (pre boink)
    packets I could discern no impact having Symantec when the AV client was
    configured to ignore read writes to the seti file directories. The
    Symantec client allows you to ignore valid processes in several ways.
    If you want NAV to not process communications with a trusted site simply
    put it in the trusted zone.

    While rebuilding a system only takes 45 minutes, I prefer not having to
    go through the process.

    People who run without protection get AIDS...same thing happens to
    computers.



    Winged
     
    Winged, Apr 4, 2006
    #17
  18. Nowhere

    Guest

    Regarding the DoS of the Symantec firewall - you're right, it probably
    involves a properly spoofed TCP port scan. A more trivial (yet less
    awesome) DoS attack example: one machine/user on a LAN could port scan a
    target server that would block the IP of the gateway. This is very easy
    and it would result in DoS for the other machines/users on the same LAN
    that use the same gateway. The evil user is in the house (this can
    happen).

    Anti-virus: it is a bit provocative to say they are useless but
    personally I don't use any. With a good and carefully configured
    firewall, few (identified) doors open, and careful operation, the risk
    to get infected is low, unless you are for some particular reason some
    sort of amazingly attractive target. When you have a doubt about an
    operation that might be risky, you can still do it in a VMware.
     
    , Apr 4, 2006
    #18
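
Added example (not part of any post in this thread): the auto-blocking failure mode discussed in posts #12 and #18, replayed against a constructed log, next to two mitigations (block expiry and a never-block list). The addresses, thresholds and the `AutoBlocker` class are assumptions for illustration, not any vendor's logic.

```python
"""Port-scan auto-blocking: naive reaction vs. block expiry vs. a never-block list."""
from collections import defaultdict

SCAN_THRESHOLD = 5   # distinct destination ports from one source ...
WINDOW = 10          # ... within this many seconds counts as a scan (assumed values)

GATEWAY = "198.51.100.7"   # constructed: NAT address shared by a whole LAN
OTHER = "203.0.113.9"      # constructed: unrelated client

# Constructed log of (timestamp_seconds, source_ip, destination_port).
# One user behind GATEWAY scans; other users behind it only fetch web pages.
LOG = [
    (0, GATEWAY, 80),
    (1, GATEWAY, 21), (1, GATEWAY, 22), (2, GATEWAY, 23), (2, GATEWAY, 25),
    (3, GATEWAY, 110),
    (5, OTHER, 80),
    (20, GATEWAY, 80),
    (100, GATEWAY, 80),
]


class AutoBlocker:
    def __init__(self, never_block=(), ttl=None):
        self.never_block = set(never_block)  # addresses that only ever raise an alert
        self.ttl = ttl                       # None = block forever (the naive setting)
        self.recent = defaultdict(list)      # src -> [(ts, port)] inside WINDOW
        self.blocked = {}                    # src -> expiry timestamp, or None
        self.alerts = []                     # (ts, src) for every detected scan

    def is_blocked(self, src, ts):
        if src not in self.blocked:
            return False
        expiry = self.blocked[src]
        if expiry is not None and ts >= expiry:
            del self.blocked[src]            # block has aged out
            return False
        return True

    def handle(self, ts, src, port):
        """Return "drop" if the source address is blocked, else "pass"."""
        if self.is_blocked(src, ts):
            return "drop"
        hits = [(t, p) for t, p in self.recent[src] if ts - t < WINDOW]
        hits.append((ts, port))
        self.recent[src] = hits
        if len({p for _, p in hits}) >= SCAN_THRESHOLD:
            self.alerts.append((ts, src))
            self.recent[src] = []            # start counting afresh after an alert
            # The source address in a packet is not proof of who sent it, and
            # one address may stand for many users, so protected addresses are
            # reported for a human to look at instead of being cut off.
            if src not in self.never_block:
                self.blocked[src] = None if self.ttl is None else ts + self.ttl
                return "drop"
        return "pass"


def dropped_web_requests(blocker, log):
    """Replay the log and count port-80 requests lost to address blocking."""
    return sum(1 for ts, src, port in log
               if blocker.handle(ts, src, port) == "drop" and port == 80)


if __name__ == "__main__":
    print("naive:        ", dropped_web_requests(AutoBlocker(), LOG))
    print("60 s expiry:  ", dropped_web_requests(AutoBlocker(ttl=60), LOG))
    print("never-block:  ",
          dropped_web_requests(AutoBlocker(never_block={GATEWAY}, ttl=60), LOG))
```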
  19. Winged wrote:

    > A firewall is necessary on both Linux and Winx systems, if nothing else
    > to protect us from ourselves.


    A firewall can't protect you from yourself.

    > If you have multiple client nodes, then
    > clients should be firewalled as well as the subnet entry point.


    Wrong point. Host security involves client configuration with is
    supposed host-based packet filtering at the client level obsolete.
    However, you might do so anyway, but please don't call it a firewall as
    it is none.

    > 99% (your number) of the time the AV isn't needed. It's that 1% that
    > kills the computer.


    A virus scanner doesn't protect your computer. However, it can be a
    useful host-based intrusion detection system.

    > Even if one is knowledgeable, running without AV
    > can be dangerous.


    I wonder why I'm doing since years...

    > It is simple enough to place a virus in a VM isolated
    > from the core system to examine and even run it to see the critter's
    > behavior.


    No. A virus could detect the presence of a VM and change its behaviour.
    You should never, even after examination, run any untrusted code outside
    a sandbox.

    > With exploits being discovered daily it is not enough to be
    > knowledgeable. A hardened system is far more resistant to exploit.


    Rightout I'm still bragging about my Firefox configuration that made it
    invulnerable against almost any (read: except 1) security problem
    discovered since version 0.8.


    Simple thing: Not running any untrusted executables eliminates the most
    important attack vector.

    > While it is true AV and firewalls do impact performance somewhat, to
    > most modern systems it has negligible impact.


    LOL

    > If you want NAV to not process communications with a trusted site simply
    > put it in the trusted zone.


    Why should one want to do so? Exploits are trivial to encode.

    And what is the "trusted zone" anyway? My firefox only knows a
    domain->policy-mapping. Nah, you don't want to misuse IE as a webbrowser.

    > People who run without protection get AIDS...same thing happens to
    > computers.


    Yet another bad comparison. To get it right, your condom would have some
    holes to express how reliable the protection is: Unreliable, and in case
    of doubt it fails miserably.
     
    Sebastian Gottschalk, Apr 4, 2006
    #19
  20. Nowhere

    nemo_outis Guest

    Sebastian Gottschalk <> wrote in news:49f50nFo8ai4U1
    @news.dfncis.de:

    > ...
    > No. A virus could detect the presence of a VM and change its behaviour.
    > You should never, even after examination, run any untrusted code outside
    > a sandbox.

    ....



    I've got news for you: There is virtually no software (especially
    commercial software) which I trust. * That includes most OSs and most
    apps.

    So, with your dictum, you've created a catch-22 that virtually rules out
    all mainstream software, especially the Windows family and the apps which
    run on it, from being used effectively (or even of finding a trustworthy
    sandbox in which to check 'em out).

    Your overstated counsel of perfection results in (near) paralysis.

    So, following that line of thought, one should instead move on to the one
    IT strategy that is known to be completely secure: turn the computer off
    and leave it that way.

    Yes, it's totally secure, but there is a bit of a downside in terms of
    productivity:)

    Regards,

    PS This is what I meant in my previous post about grossly overstating the
    case.

    You see, there is always a tension between security, convenience, and
    productivity. Resolving the situation by completely swinging towards any
    one pole - in your case, security - is a poor strategy. Computers are a
    productivity tool, security is merely a housekeeping constraint on the use
    of that tool (albeit an important constraint). Security should not cripple
    the primary purpose: efficient productivity.


    PPS * - More precisely, there are levels of trust, and not much software
    gets above the bottom rungs on my scale.
     
    nemo_outis, Apr 4, 2006
    #20