Additional resources Version history Tell us what you thinkPage 1 Copyright ©2005 CNET Networks, Inc. All rights reserved. For more downloads and a free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.htmlMay 18, 2005 Version 1.1 Windows PC: Lock it down in 10 stepsBy Scott Lowe, MCSE Protect against worms and viruses – This step is the most obvious, but it is still one of the most critical. Few things can cause a well-functioning Windows system to become non-functional more quickly than a virus or worm infection. Protect yourself from viruses by installing antivirus software such as Symantec, McAfee, or Trend Micro on all of the Windows systems that you manage. If you have more than 100 systems on your network then make things easier fore yourself by deploying a corporate antivirus solution. Also, be sure to develop a plan to keep your antivirus software current by installing updates and renewing your virus definition subscriptions on a regular basis. Protect against spyware – Spyware has quickly caught up to, and may even surpass, viruses as the leading problem plaguing users and IT department alike. Spyware installed on a system can cause it to slowdown to the point of being unusable, and can open up the system to personal data theft. Most people know how important it is to keep systems protected from viruses, but it's become just as important to protect your system from this new class of assailant as well. For home users, Ad-Aware from Lavasoft is a good start; it's free and easy to install. In this department, though, a single scanner doesn't always do the trick. Another free product, Spybot Search and Destroy, is a great complement to Ad Aware as it can sometimes find spyware missed by Ad Aware, and vice versa. Microsoft has also purchased an anti-spyware product and made the tool freely available to Windows users. Another outstanding product is Sunbelt Software's Counterspy, which was recently selected by PC World as the #1 active spyware scanner on the market. Both the Microsoft anti-spyware product and Counterspy include active spyware defense. That means that they act very much like most antivirus products, providing proactive detection and prevention of spyware infestations. Conversely, Ad-Aware and Spybot are both passive scanners that only clean a machine after it is already infected. For the best protection, I recommend the use of one active scanner - either the Microsoft tool or Counterspy – as well as at least one passive scanner – Ad Aware or Spybot. Enforce strong passwords – Passwords are the cornerstone of security in many applications. As it stands right now, passwords continue to be the primary means by which users authenticate to systems, including Windows systems. Because of their widespread use, and the ease with which passwords are cracked, make sure all Windows users must choose strong passwords with a mixture of symbols, letters, and numbers, and that the passwords are changed regularly. Don't allow (or, at least, limit) unauthorized software – In a business environment, the IT department, with the support of management and a specific policy in place, can mandate that users are now allowed to install software without the express approval of IT. For most companies, it's easy to point out an instance in which unauthorized software has created a significant problem. For example, some users may want to install and use AOL Instant Messenger. However, with AOL Instant Messenger, too many users ignore warnings and click on unsolicited links in messages. These links can lead to less-than-desirable sites that install malicious software on the computer. Further, by not allowing unauthorized software, IT also forces departments to funnel purchases through a single channel. This allows IT the possibility of making bulk purchases or in realizing that a particular software product is in great demand and ramping up for its support instead of having it thrust upon them unexpectedly. For non-corporate users that don't have a central IT group, always be aware of what you're installing; read any agreements for software that you do install and make sure you have both virus and spyware protection in place to help avoid potential problems with unknown installers. Enable automatic updates – Each month, Microsoft releases a series of updates that fix vulnerabilities discovered in Windows and other Microsoft applications. For updates that are rated critical—meaning that the vulnerability can seriously expose the system to outside threat—patches should be applied as soon as possible after release. The easiest way to handle this is to use Automatic Updates in Windows. However, some administrators are wary of Microsoft pushing patches to their machines without intervention. In these cases, consider using WSUS (Windows Server Update Services) to act as an intermediary that allows an administrator to review and approve patches before they are automatically deployed to end-user workstations. 4 3 2 1 5Windows PC: Lock it down in 10 steps Use a software firewall – Windows XP SP2 includes an improved "Windows Firewall" that can greatly enhance the security of the system when enabled. Unless there's a compelling reason to turn it off, always leave the XP firewall enabled on the interface that connects to the Internet. The best reason not to use it is if the workstations on your network already use another desktop firewall such as ZoneAlarm, which can watch all of the traffic flowing from your computer to make sure it's valid. More advanced firewalls can even go so far as to inspect the entire contents of the traffic to make sure that it does not contain something malicious. If, for example, your computer has been compromised by a virus, these more advanced software firewalls can help prevent the virus from spreading by blocking your computer's outgoing communications. Make use of Internet Explorer security features – Among the major improvements in Windows XP SP2 are the new default security settings in Internet Explorer. The fact is that these improvements were sorely needed and much more needs to be done to make the program more secure for the widespread use it enjoys. In fact, as a result of Firefox's popularity, Microsoft is slated to released Internet Explorer 7 sometime this year. Until then, consider upgrading to what has been provided in XP SP2, including the new popup blocker, better protection from malicious ActiveX