Securing Your Home Computer(s) and Network



genebujold
2005-Nov-29, 10:20 PM
I used to charge thousands of dollars for this kind of information, but what the hey - you're my friends, and I'm currently working on other endeavors.

There are indeed variations, but this is what has worked for me, and I've been testing systems and networks for years. If you follow these procedures, there's very little out there that can harm your system.

1. Buy a NAT-based firewall, such as those from Linksys and Netgear. I prefer Linksys simply because it's a subsidiary of Cisco, and they're the leading provider of networking security technology - if properly configured, of course.

2. Configure your router to "stealth" mode, that is, it will refuse to respond to any pings.

3. Leave the username in your router blank. If your ISP requires a username, fine, but that's rare.

4. Disable the ability to administrate the router from a source external to your network.

5. Change the default password! Use very difficult passwords, including at least two each of uppercase, lowercase, numbers, and extended characters ($#%, etc). Make it at least 8 characters long, but using the maximum allowed by the router is fine. Go ahead and write it down, preferably on a sticky attached to the router itself. After all, if someone has physical access to your network, you're owned anyway. Better yet, just store it on a floppy. That way you can cut and paste it, if you need to (just don't leave the floppy in your machine on a regular basis).

5. Norton Antivirus (others are good, too). I like Norton because it installs itself at a very deep level within the operating system (with Windows permission), which makes it extremely difficult to bypass.

6. Norton Internet Security isn't a bad fall-back option, particularly if someone inadvertently introduces a trojan onto one of your other computers.

7. Under Internet Explorer, set Security to Medium and Privacy to Medium High. Keep 0 pages in History.

8. Enable Windows Firewall, but also change the settings to include File and Printer Sharing.

9. If you're using a wireless product, either change the WEP key often, or use Wireless-G with WPA enabled. Use a true, randomly generated key, and distribute it to all wireless computers via a floppy. I find random finger dances on the keyboard combined with a few shuffles via cut and paste into Notepad works very well, and you have a backup copy. Use the same floppy on which you stored your router login password.

10. Subscribe to Windows Update, but unless you, the administrator of your home computers, are going to be away for a long time while your family continues to use them, enable Auto Update but select the option to have it ask you before it actually does the update. Most updates are safe, but can be delayed for a week or two. This allows Microsoft to fix any bugs that weren't caught in the normal development cycle. But if you see security issues in the news, then it's safer to allow the update asap.

11. If you're using XP, use individual logons and passwords. Don't log on as an administrator unless you have to administrate something. Your normal logon should be as a Restricted User. This limits the power of trojans from causing injury to your system. Don't log in as an administrator unless you're fairly certain your computer is free of viruses and trojans! If you're using an 8 character password, change it often. It takes a distributed (grid) computing system very little time to hack it (several days). If you're using a 14 character password, you have a lot more time, but still change it several times a year. Armed with the administrative password, trojans can do some mean things!

12. After all of this is done, download, install, update, configure for automatic update, Spybot search and destroy. It's proven to be better behaved than Adaware, and it's a bit more automatic.

13. Backups! Everyone needs 'em. The easiest way by far is to simply buy a second hard drive and use Cobian Backup (available at most freeware/shareware download sites) to copy your and all other users' Desktop and subfolders to a folder with the same name on the second hard drive. Every once in a while (two to four times per year), I use PKZIP's streaming backup option to a stack of cheap CD ROMS while watching a movie. I'm up to 13GB, so I'll probably use DVD-RWs next time around.

14. Power protection. This is as important as antivirus software. Fortunately, some power conditioning is built into most power supplies these days, but you do need more than that. If you can afford it, go with an UPS. I used to recommend APC, but I've had two meltdowns in the last year and a half, and they did NOT want to back up their product, so I'm now using TrippLite. If you're using an UPS, you do NOT need additional surge protection, and chaining surge protection devices together (an UPS contains surge protection circuitry) can cause electrical problems (essentially conditioning echoes). If you won't spring for an UPS, Isobar, available at Home Depot and Lowes, is just about the best. These days, surprisingly, the leading runner-up are Belkin products, and they too back up their protection with buku-buck guarantees should their hardware fail to protect your computer. Just remember that a chain is as strong as its weakest link. If everything's protected to the hilt except your phone line or Internet connection, you're not protected at all. APC does make some outstanding (and fairly inexpensive) inline CAT-5 lightning protectors in case your UPS or surge protection won't handle CAT-5 connectors, called RJ-45 (most handle phone line connectors, which are called RJ-11).

15. Education. I can't stress this enough. You can implement all of the systems above and if you open up a virus or trojan-laden e-mail, you could still be toast. One of the reasons I love Yahoo! for all my e-mail needs is that it's free. Another is because it has one of the best spam elimination products on the block. A third is because if you're willing to shell out an additional $3 a month, you get better (configurable) spam protection and an ever-growing (and unbelievable) amount of storage space. But there are others out there, so shop around.

And don't think this couldn't happen to you! With all my years of experience in networking and computer security, I came about two clicks away from getting phished by someone out there pretending to be PayPal (commonly used on eBay). Fortunately, I noticed the URL wasn't quite what I would expect from PayPal, and I checked the digital security signatures against what I knew PayPal to be, and lo and behold - I discovered it was a phishing scam designed to get me to provide them with my credit card information.

16. If you let people use your computer, create a username for them and ensure it's a "restricted user" account.

17. Download and install Analog X's NetStat Live. It's the best means for detecting whether or not programs are sending stuff over the Internet. While something like Zone Alarm will do that, too, you'll very soon tire of Zone Alarm's inability to make intelligent decisions for itself, and a lot of your choices will limit valid programs on your system from accessing the Internet while allowing invalid programs full access. That's why I no longer recommend Zone Alarm, but Norton's Internet Security - it's simply a lot more intelligent, and they have the staff to keep it up to date. But NetStat Live will alert you to any activity that's not from what you're doing (although it doesn't ID the program itself, just that you may have a problem).

18. Movie DVDs have an interesting feature, particularly those from Sony, that would love to install an "Interactive Services" feature on your computer. Don't. After their plot was revealed, Sony appears to have halted taking over the world one computer at a time, but one never knows when they'll tackle it from a different angle. Want to know more about a movie? Check out the Special Features or the Internet Movie Database, Yahoo! Movies, or the home website for the movie. The Interactive Services is a scam to load software that you DO NOT want on your system.

19. Limit your purchases, downloads, and installs of software to what's absolutely necessary. There are a lot of "cute" programs out there that, even though they may be benign, are certainly not bug-free, and once installed on your system, may not uninstall correctly, or cause other glitches, headaches, and data loss. Also, stick to known companies (Microsoft, Symantec), if at all possible.

20. Physical care. Most hard drive crashes are caused by physical shock while the hard drive is performing a write. The Windows Operating System is often reading and writing data to the hard drive as time goes by, without your input. That's normal. If you need to physically move your computer, even just a bit, shut it down! Once the read/write heads are parked and the hard drives have spun down, you could probably hit them with a sledge hammer and they would continue to work just fine (I think 100G is the average shock limit). But if they're spinning, and in the process of writing, even a small shock will send the heads flying, usually overwriting data, sometimes critical data, like file allocation tables, registry information, and operating system files.

21. Leave it running. The thermal cycle of turning a computer on and off drastically impacts the physical contacts between the boards, power supply, etc., and moisture is the bane of corrosion, particularly in the presence of dust. Leaving it running means keeping it at roughly the same temperature, which is usually warm and not a magnet for condensation.

22. Buy an air filter. They have some very good models from companies like Holmes and Honeywell. They're not particularly cheap, but they will drastically reduce the accumulation of dust inside your computer case, which will drastically increase the life of your computer! Dust is a demon, often propagating circuitboard paralyzing shocks from higher voltage open contacts to those of lower voltage.

23. Get a professional cleaning at least once every three years. Vacuuming produces static (horsehair or plastic bristles, usually), and static is the enemy of computer chips. Blowing the accumulated dust usually accumulates much of it further where you can't reach it. Professionals use anti-static bristles and only vacuum. Some may even disassemble components and thoroughly clean them using a combination of vacuuming and even vapor deposition degreasing to restore them to factory cleanliness. Fortunately, the way most computer systems go, you should only have to do this once.

Well, this is all I can think of off the top of my head at this time. If others feel quite assured I've missed something, please add.

Thanks!
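Items 5 and 9 of the post above ask for a password with at least two characters from each of four classes and for a randomly generated wireless key. As an added example (not part of the original post), this sketch draws both from the operating system's CSPRNG and checks a candidate against the item 5 rule; treating "extended characters" as ASCII punctuation is an assumption.

```python
import secrets
import string

# Character classes from item 5 of the post; "extended" is taken here to
# mean ASCII punctuation (an assumption, the post only lists "$#%, etc").
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "extended": string.punctuation,
}
MIN_PER_CLASS = 2
MIN_LENGTH = 8


def policy_failures(password):
    """Return the list of item-5 requirements the password does not meet."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    for name, chars in CLASSES.items():
        if sum(c in chars for c in password) < MIN_PER_CLASS:
            failures.append(name)
    return failures


def generate_password(length=16):
    """Draw a password from the OS CSPRNG that satisfies the item-5 rule."""
    if length < MIN_LENGTH:
        raise ValueError("length below the post's 8-character minimum")
    rng = secrets.SystemRandom()
    # Guarantee the per-class minimum, then fill from the full alphabet.
    picked = [rng.choice(chars) for chars in CLASSES.values()
              for _ in range(MIN_PER_CLASS)]
    alphabet = "".join(CLASSES.values())
    picked += [rng.choice(alphabet) for _ in range(length - len(picked))]
    rng.shuffle(picked)  # guaranteed characters must not sit at fixed positions
    return "".join(picked)


def generate_wpa_psk():
    """Return a 256-bit WPA pre-shared key, entered as 64 hex digits."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    print("router password:", generate_password(16))
    print("WPA key (hex):  ", generate_wpa_psk())
    print("'Password1' fails on:", policy_failures("Password1"))
```

WPA-PSK accepts either an 8 to 63 character passphrase or the 64 hex digit form generated here.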

LurchGS
2005-Nov-29, 10:30 PM
a very comprehensive list! I would add at least two, seriously:

Don't use MSIE, and don't use Outlook. These are both absolutely riddled with security holes, and alternatives are free, and frequently better.

For instance, my company used FireFox as our standard Browser, and Thunderbird as our standard e-mail application.

And one, less serious, but very effective way to reduce system infection: don't use Windows. Grab one of the Linux distributions. There's very little these days that actually requires Windows OS.

I'll go away now and irritate somebody else

genebujold
2005-Nov-29, 11:02 PM
LurchGS, appreciate your comments. Most people don't have the wherewithal to do without Windows, but Opera is a fine alternative to Internet Explorer.

I used it when surfing surreptitious sites known to induce viruses and downloads through IE.

LurchGS
2005-Nov-29, 11:50 PM
> LurchGS, appreciate your comments. Most people don't have the wherewithal to do without Windows, but Opera is a fine alternative to Internet Explorer.
>
> I used it when surfing surreptitious sites known to induce viruses and downloads through IE.

yeah, that's why it was only semi-serious, though Linux is free - it can be a bit of a learning curve.
I used to use Opera, but find it a little unstable. FireFox works well, and is almost as fast

Gullible Jones
2005-Nov-30, 03:30 AM
Firefox 1.5 is as fast as Opera. For that matter, so is 1.0.x if you set nglayout.initialpaint.delay to zero.

(And 1.5 final was just released today. See ya later, IE.)

There are other browsers too... If you use Linux, and KDE, try out Konqueror, which is a browser as well as a file manager. It's fast, standards-compliant, and very secure.

(I might also add that KDE can do Vista-style transparency and other eyecandy too, but that's beside the point.)