(Windows XP Home and Pro)
(Last updated November 25, 2006)
| Overview |
|
From spam to spyware, the internet is full of malicious content which is constantly trying to invade your personal computer. This page is maintained by the Baldwin Street CRC Tech Committee to inform members of good security practices.
Please note that being "safe" on the internet is like being "safe" in a car - steps can be taken to reduce risk, but there is an element of danger involved which cannot be totally removed. Each of the following steps can be done independently of the others, and will reduce the risk of compromise. We naturally would recommend them all, but you can implement them on an a la carte basis and gain some security with each section you employ.
|
| Section 1: Web Browsing |
|
The browser used for internet surfing affects the amount of malicious spyware or adware a PC attracts. Some browsers are inherently insecure, and allow websites to install software on a PC without warning the user. Many malicious software programs recognize this by checking for different browsers, and do not even try to install if a secure browser is used.
|
| Section 2: Spyware Detection |
|
A good spyware blocker will both remove current spyware infestations and inoculate a PC against new infections.
- A widely used, freely available anti-spyware application is SpyBot.
- Download SpyBot here.
- After downloading, run the SpyBot install. Follow the prompts and don't change any settings.
- SpyBot will run after installation. First, create a registry backup - this may take a few minutes.
- Next, if you use a web browser proxy, confirm that SpyBot should use it to download updates.
- Next, search for updates. If any are found, click the button to download them.
- Next, click the button to Immunize the system. This will block thousands of known spyware apps from installing.
- Finally, click the button to start using the application.
- On the left side of the application, click on the "Search and Destroy" button, then click the "Check for Problems" button.
- Your system will be scanned, and a list of problems displayed. Click the "Fix Problems" button to clear spyware from your system.
|
| Section 3: Anti-Virus |
|
An anti-virus application monitors all current file activity to trap viruses in open files and keep the PC hard drive free of infected files.
- The committee recommends AVG Anti-virus, and maintains a link to download the free version here.
- Run the AVG installer, and follow the prompts, taking all the default settings.
- AVG will start after install, whereupon updates should be downloaded. There may be several updates to download, and Windows may need to reboot between downloads, but it is critical that all updates be downloaded.
- AVG will run when your PC starts up, and warn you in real time if any open file contains a virus.
|
| Section 4: Email |
|
A local email client should be impervious to viruses embedded within emails and should never email viruses to one's address book.
- Due to well known security compromises, the Tech Committee strenuously recommends against using Outlook for email.
- All church computers use Thunderbird, an email client from the Mozilla Foundation.
- To use Thunderbird, download the latest version and run the installer. Accept the default install options.
- When Thunderbird is first started, it will run a wizard to configure a mailbox. NOTE: your email must support POP or IMAP.
- Choose "Email Account" on the first wizard page, and click Next.
- Enter your name as you want it to appear in the "From" field of emails you send. Then enter your email address and click Next.
- Select IMAP or POP, and enter the name of your incoming AND outgoing email servers. Check with your ISP if you don't know this server name. Click Next.
- Enter the username given by your ISP and click Next.
- Enter a name by which this email account should be identified and click Next.
- Verify that all entered information is correct and click Finish.
- To run the Thunderbird profile manager, click on the Start menu, click Run, enter "thunderbird.exe -profilemanager" and click OK.
|
| Section 5: Internet Filtering |
|
A good internet filter will accurately block undesired internet content and make circumvention impossible for non-administrator computer users.
- The K9 Web Protection filter is recommended.
- You may request one free license for K9 by filling out the registration page, which will generate an email containing a license number.
- Download the software, and after you have received your license email, install it.
- BE SURE to make note of the administrator password - it is needed to override the filter and deinstall it.
- K9 has different levels of filtering; the highest level is recommended.
- Web pages which are unknown are blocked, but can be unblocked temporarily or permanently using the administrator password.
- A log of all internet activity is kept by K9, and can only be viewed or cleared by one using the administrator password.
|
| Section 6: Disable Insecure Internet Applications |
|
Some internet enabled applications, like Instant Messaging clients and P2P file sharing clients, are security risks, or gateways for malicious software. These applications should be disabled or deinstalled if not explicitly required.
- The Windows Instant Messenger is installed on Windows XP by default, and fully activated. If you don't use this IM client, click here for instructions on deinstalling it.
- Never install applications like Kazaa; they are known to install or attract spyware. Furthermore, they are often used for file sharing of a dubious ethical or legal nature.
| Section 7: User Access Security |
|
Windows XP Home doesn't have the ability to disable Simple File Sharing, so this section is only for Windows XP Pro installations. On each Windows XP Pro computer there should be one user designated as the Administrator, with full privileges on the system. All other users should be set as "Simple Users", with limited privileges on the system. Simple Users cannot install or deinstall applications, which prevents malicious software from being installed when browsing the internet. Follow these steps to set users to "Simple Users":
- Start the Windows Control Panel and double click on "User Accounts".
- Select an account and choose the "Change the Account Type" option.
- Choose "Limited" and click the "Change Account Type" button.
- NOTE: all new software must be installed by the Administrator user; simple users no longer have this ability.
Occasionally it will be necessary to grant a simple user access to certain areas of the file system, as required by certain applications. For this example, we'll use a hypothetical application named "AnyApp", which installs into the c:\program files\anyapp directory. Follow these steps to grant access to this directory to any simple user(s):
- Start Windows Explorer and navigate to c:\program files\anyapp.
- Right click on the "anyapp" folder and choose properties.
- Click on the "Security" tab.
- Select the desired user, or the "Users" group for all simple users, in the "Group or User Names" box (top).
- In the "Permissions for Users" box below, check all boxes in the "Allow" column and click the "OK" button.
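The two procedures in this section can also be carried out from an Administrator command prompt with the built-in net and cacls commands. The batch file below is an added example, not part of the original guide; the account name "kid1" is a placeholder, and "AnyApp" is the guide's hypothetical application.

```batch
@echo off
rem Added example (not from the original guide). Run from an Administrator
rem command prompt on Windows XP Pro.
rem ACCOUNT is a placeholder account name; APPDIR is the guide's
rem hypothetical "AnyApp" install directory.
setlocal
set ACCOUNT=kid1
set APPDIR=C:\Program Files\AnyApp

rem 1. Show which accounts currently have administrator rights.
rem    Only the designated Administrator should be listed.
net localgroup Administrators

rem 2. Make the account a Limited user: a member of the Users group
rem    and no longer a member of Administrators. (net reports an error
rem    and continues if the membership is already as requested.)
net localgroup Users %ACCOUNT% /add
net localgroup Administrators %ACCOUNT% /delete

rem 3. Grant the Users group access to the application's folder.
rem    /E edits the existing ACL instead of replacing it,
rem    /T applies the change to all subfolders and files,
rem    /G Users:F grants Full Control (every box in the Allow column).
rem    cacls also accepts R (read), W (write) and C (change) if the
rem    application works with less than Full Control.
cacls "%APPDIR%" /E /T /G Users:F

rem 4. Display the resulting ACL to confirm the change.
cacls "%APPDIR%"
endlocal
```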
|
| Section 8: Home Network Security |
|
Most fast internet "broadband" access is via a cable modem or DSL modem. While some cable/DSL modems have built in firewalling capability, most do not, which means any computer connected to them is "live" on the internet, and subject to hacker attacks. Here is a network diagram of an unsafe, yet common hardware configuration:

Note that only one PC can be hooked up to the internet via this configuration - another setback. The proper way to secure a home network is to run a gateway router with built in firewalling. This device is live on the internet, but much better prepared to resist attacks than a Windows PC. Furthermore, most gateway routers have multiple ethernet ports, so the internet connection can be shared with more than one PC. If wireless internet access is desired, a wireless enabled gateway router will provide firewalling, multiple ethernet ports and wireless access in one device. Here is a network diagram of a safer home network configuration:

It is sometimes possible to purchase a DSL or Cable Modem that has a firewalling router built in, thus eliminating the need for two devices. However, such a device must be specified when broadband is ordered, or must be purchased separately from one's Internet Service Provider (ISP). Here are some devices which will lead to a secure network:
|
| Section 9: Secure a Wireless Access Point (WAP) |
|
Many broadband (cable or DSL) users have WAPs to provide wireless internet access in the home. The advantage is easy, "anywhere" access to the internet in one's home. The disadvantage is that most WAPs are highly insecure by default. Follow these steps to secure your WAP, referencing the owner's manual to implement each step for your particular WAP model:
- Turn SSID Broadcast Off: By turning off the SSID the WAP broadcasts you render it invisible to the casual wireless hacker. The downside to this step can be interoperability problems between different brands of WAPs and wireless NICs. Furthermore, you must specify the SSID when setting up the wireless connection in Windows, as opposed to having the NIC find and suggest it.
- Enable WEP encryption: A WEP encryption key is a string of characters used to encrypt all data between the WAP and the wireless NIC. It prevents other clients from capturing and reading that data. WEP encryption also serves as a password of sorts for clients trying to use the WAP. Without the key, they cannot connect.
- Implement MAC Address Filtering: Each wireless NIC has a unique Machine Address Code (MAC) address. Setting the WAP to allow a specified list of MAC addresses prevents unauthorized NICs from using the WAP.
These security measures can be adopted in an a la carte fashion: any combination of them will make your WAP more secure. Sometimes locking down a WAP can cause interoperability problems between WAPs and NICs of a different brand, so you may have to experiment with different settings. Furthermore, making your WAP highly secure makes it more difficult to use, so friends and family visiting your home have a harder time connecting to the internet.
|
|